kernel@openeuler.org

January 2024

  • 73 participants
  • 654 discussions
[openeuler:openEuler-1.0-LTS 13850/21589] arch/arm64/mm/init.c:784:17: error: 'mem_sleep_current' undeclared
by kernel test robot 30 Jan '24

30 Jan '24
tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   ef2982312942ba96fb8217df5d832051bae4afd2
commit: fdda68feeca82610ccbcdcbda7250623a6d187d2 [13850/21589] arm64/ascend: Set mem_sleep_current to PM_SUSPEND_ON for ascend platform
:::::: branch date: 12 hours ago
:::::: commit date: 3 years, 4 months ago
config: arm64-randconfig-002-20240125 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (attached as reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202401300313.05KTJWfI-lkp@intel.com/

All errors (new ones prefixed by >>):

   arch/arm64/mm/init.c:469:13: warning: no previous prototype for 'arm64_memblock_init' [-Wmissing-prototypes]
     469 | void __init arm64_memblock_init(void)
         |             ^~~~~~~~~~~~~~~~~~~
   arch/arm64/mm/init.c: In function 'ascend_enable_setup':
>> arch/arm64/mm/init.c:784:17: error: 'mem_sleep_current' undeclared (first use in this function)
     784 |                 mem_sleep_current = PM_SUSPEND_ON;
         |                 ^~~~~~~~~~~~~~~~~
   arch/arm64/mm/init.c:784:17: note: each undeclared identifier is reported only once for each function it appears in

vim +/mem_sleep_current +784 arch/arm64/mm/init.c

a7f8de168ace48 Ard Biesheuvel 2016-02-16  770
342049dccae659 Ding Tianhong  2020-08-31  771  #ifdef CONFIG_ASCEND_FEATURES
342049dccae659 Ding Tianhong  2020-08-31  772  static int __init ascend_enable_setup(char *__unused)
342049dccae659 Ding Tianhong  2020-08-31  773  {
342049dccae659 Ding Tianhong  2020-08-31  774  	if (IS_ENABLED(CONFIG_ASCEND_DVPP_MMAP))
0d9400057107e6 Ding Tianhong  2020-09-08  775  		enable_mmap_dvpp = 1;
342049dccae659 Ding Tianhong  2020-08-31  776
342049dccae659 Ding Tianhong  2020-08-31  777  	if (IS_ENABLED(CONFIG_ASCEND_IOPF_HIPRI))
342049dccae659 Ding Tianhong  2020-08-31  778  		enable_iopf_hipri = 1;
342049dccae659 Ding Tianhong  2020-08-31  779
342049dccae659 Ding Tianhong  2020-08-31  780  	if (IS_ENABLED(CONFIG_ASCEND_CHARGE_MIGRATE_HUGEPAGES))
342049dccae659 Ding Tianhong  2020-08-31  781  		enable_charge_mighp = 1;
342049dccae659 Ding Tianhong  2020-08-31  782
fdda68feeca826 Ding Tianhong  2020-09-22  783  	if (IS_ENABLED(CONFIG_SUSPEND))
fdda68feeca826 Ding Tianhong  2020-09-22 @784  		mem_sleep_current = PM_SUSPEND_ON;
fdda68feeca826 Ding Tianhong  2020-09-22  785
342049dccae659 Ding Tianhong  2020-08-31  786  	return 1;
342049dccae659 Ding Tianhong  2020-08-31  787  }
342049dccae659 Ding Tianhong  2020-08-31  788

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 5766/21589] arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 30 Jan '24

30 Jan '24
tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   ef2982312942ba96fb8217df5d832051bae4afd2
commit: ca67230a79f23abbf552a5cb3471d46ff8b672c8 [5766/21589] x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation
:::::: branch date: 12 hours ago
:::::: commit date: 4 years, 1 month ago
config: x86_64-randconfig-121-20240125 (attached as .config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (attached as reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202401300305.gYla1O9J-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression
>> arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const volatile [noderef] __user *ptr @@ got unsigned int [usertype] *__pu_ptr @@
   arch/x86/kernel/fpu/signal.c:94:16: sparse: expected void const volatile [noderef] __user *ptr
   arch/x86/kernel/fpu/signal.c:94:16: sparse: got unsigned int [usertype] *__pu_ptr
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const volatile [noderef] __user *ptr @@ got unsigned int [usertype] * @@
   arch/x86/kernel/fpu/signal.c:101:16: sparse: expected void const volatile [noderef] __user *ptr
   arch/x86/kernel/fpu/signal.c:101:16: sparse: got unsigned int [usertype] *
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression
   arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const volatile [noderef] __user *ptr @@ got unsigned int [usertype] *__pu_ptr @@
   arch/x86/kernel/fpu/signal.c:116:16: sparse: expected void const volatile [noderef] __user *ptr
   arch/x86/kernel/fpu/signal.c:116:16: sparse: got unsigned int [usertype] *__pu_ptr

vim +94 arch/x86/kernel/fpu/signal.c

b992c660d3b316 Ingo Molnar 2015-04-30   79
b992c660d3b316 Ingo Molnar 2015-04-30   80  static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
b992c660d3b316 Ingo Molnar 2015-04-30   81  {
c47ada305de380 Ingo Molnar 2015-04-30   82  	struct xregs_state __user *x = buf;
b992c660d3b316 Ingo Molnar 2015-04-30   83  	struct _fpx_sw_bytes *sw_bytes;
b992c660d3b316 Ingo Molnar 2015-04-30   84  	u32 xfeatures;
b992c660d3b316 Ingo Molnar 2015-04-30   85  	int err;
b992c660d3b316 Ingo Molnar 2015-04-30   86
b992c660d3b316 Ingo Molnar 2015-04-30   87  	/* Setup the bytes not touched by the [f]xsave and reserved for SW. */
b992c660d3b316 Ingo Molnar 2015-04-30   88  	sw_bytes = ia32_frame ? &fx_sw_reserved_ia32 : &fx_sw_reserved;
b992c660d3b316 Ingo Molnar 2015-04-30   89  	err = __copy_to_user(&x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
b992c660d3b316 Ingo Molnar 2015-04-30   90
b992c660d3b316 Ingo Molnar 2015-04-30   91  	if (!use_xsave())
b992c660d3b316 Ingo Molnar 2015-04-30   92  		return err;
b992c660d3b316 Ingo Molnar 2015-04-30   93
a1141e0b5ca6ee Fenghua Yu  2016-05-20  @94  	err |= __put_user(FP_XSTATE_MAGIC2,
a1141e0b5ca6ee Fenghua Yu  2016-05-20   95  			  (__u32 *)(buf + fpu_user_xstate_size));
b992c660d3b316 Ingo Molnar 2015-04-30   96
b992c660d3b316 Ingo Molnar 2015-04-30   97  	/*
b992c660d3b316 Ingo Molnar 2015-04-30   98  	 * Read the xfeatures which we copied (directly from the cpu or
b992c660d3b316 Ingo Molnar 2015-04-30   99  	 * from the state in task struct) to the user buffers.
b992c660d3b316 Ingo Molnar 2015-04-30  100  	 */
b992c660d3b316 Ingo Molnar 2015-04-30  101  	err |= __get_user(xfeatures, (__u32 *)&x->header.xfeatures);
b992c660d3b316 Ingo Molnar 2015-04-30  102
b992c660d3b316 Ingo Molnar 2015-04-30  103  	/*
b992c660d3b316 Ingo Molnar 2015-04-30  104  	 * For legacy compatible, we always set FP/SSE bits in the bit
b992c660d3b316 Ingo Molnar 2015-04-30  105  	 * vector while saving the state to the user context. This will
b992c660d3b316 Ingo Molnar 2015-04-30  106  	 * enable us capturing any changes(during sigreturn) to
b992c660d3b316 Ingo Molnar 2015-04-30  107  	 * the FP/SSE bits by the legacy applications which don't touch
b992c660d3b316 Ingo Molnar 2015-04-30  108  	 * xfeatures in the xsave header.
b992c660d3b316 Ingo Molnar 2015-04-30  109  	 *
b992c660d3b316 Ingo Molnar 2015-04-30  110  	 * xsave aware apps can change the xfeatures in the xsave
b992c660d3b316 Ingo Molnar 2015-04-30  111  	 * header as well as change any contents in the memory layout.
b992c660d3b316 Ingo Molnar 2015-04-30  112  	 * xrestore as part of sigreturn will capture all the changes.
b992c660d3b316 Ingo Molnar 2015-04-30  113  	 */
d91cab78133d33 Dave Hansen 2015-09-02  114  	xfeatures |= XFEATURE_MASK_FPSSE;
b992c660d3b316 Ingo Molnar 2015-04-30  115
b992c660d3b316 Ingo Molnar 2015-04-30  116  	err |= __put_user(xfeatures, (__u32 *)&x->header.xfeatures);
b992c660d3b316 Ingo Molnar 2015-04-30  117
b992c660d3b316 Ingo Molnar 2015-04-30  118  	return err;
b992c660d3b316 Ingo Molnar 2015-04-30  119  }
b992c660d3b316 Ingo Molnar 2015-04-30  120

:::::: The code at line 94 was first introduced by commit
:::::: a1141e0b5ca6ee3e5e35d5f1a310a5ecb9c96ce5 x86/fpu/xstate: Define and use 'fpu_user_xstate_size'

:::::: TO: Fenghua Yu <fenghua.yu(a)intel.com>
:::::: CC: Ingo Molnar <mingo(a)kernel.org>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 30 Jan '24

30 Jan '24
Reserve space for arm64 related structures.
Include efi.h, extable.h, fb.h, processor.h

Yuntao Liu (4):
  kabi: reserve space for efi.h
  kabi: reserve space for extable.h
  kabi: reserve space for fb.h
  kabi: reserve space for processor.h

 arch/arm64/include/asm/extable.h   | 3 +++
 arch/arm64/include/asm/processor.h | 9 +++++++++
 include/linux/efi.h                | 3 +++
 include/linux/fb.h                 | 7 +++++++
 4 files changed, 22 insertions(+)

--
2.34.1
[PATCH openEuler-22.03-LTS-SP2] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 30 Jan '24

30 Jan '24
From: Daniel Vetter <daniel.vetter(a)ffwll.ch>

stable inclusion
from stable-v5.10.188
commit f09c0ac142c59495262dd80545f261b2aeeba538
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ
CVE: CVE-2023-51043

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.

This requires a bit of background. Properly done a modeset driver's
unload/remove sequence should be

	drm_dev_unplug();
	drm_atomic_helper_shutdown();
	drm_dev_put();

The trouble is that the drm_dev_unplugged() checks are by design racy,
they do not synchronize against all outstanding ioctl. This is because
those ioctl could block forever (both for modeset and for driver
specific ioctls), leading to deadlocks in hotunplug. Instead the code
sections that touch the hardware need to be annotated with
drm_dev_enter/exit, to avoid accessing hardware resources after the
unload/remove has finished.

To avoid use-after-free issues all the involved userspace visible
objects are supposed to hold a reference on the underlying drm_device,
like drm_file does.

The issue now is that we missed one, the atomic modeset ioctl can be run
in a nonblocking fashion, and in that case it cannot rely on the implied
drm_device reference provided by the ioctl calling context. This can
result in a use-after-free if an nonblocking atomic commit is carefully
raced against a driver unload.

Fix this by unconditionally grabbing a drm_device reference for any
drm_atomic_state structures. Strictly speaking this isn't required for
blocking commits and TEST_ONLY calls, but it's the simpler approach.

Thanks to shanzhulig for the initial idea of grabbing an unconditional
reference, I just added comments, a condensed commit message and fixed a
minor potential issue in where exactly we drop the final reference.

Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 98b659981f1a..b10ba5057735 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1
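Review bot: in the first hunk (drm_atomic_state_init()), the new comment reads "cannot rely on the on implied by drm_file"; "the on" should be "the one". If the backport is meant to stay identical to upstream commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255, keep the text and say so; otherwise fix the typo here. The drm_dev_get(dev) sits after the "goto fail" shown in the context, so that exit holds no reference to drop; worth confirming on this branch that no later failure exit exists in the function.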
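Review bot: in the second hunk (top of __drm_atomic_state_free()), the new local "struct drm_device *dev = state->dev;" has no comment explaining why it exists. It is needed because state is freed (kfree(state) in the following hunk) before drm_dev_put(dev) runs, so state->dev can no longer be read at that point. A one-line comment at the declaration would keep a later cleanup from folding it back into &state->dev->mode_config.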
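Review bot: in the last hunk, drm_dev_put(dev) at the end of __drm_atomic_state_free() is unconditional, while the matching drm_dev_get(dev) is taken only in drm_atomic_state_init(). A drm_atomic_state that reaches this free path without having gone through drm_atomic_state_init() would drop a device reference it never took. Please confirm for the target branch that every driver allocating its own state calls drm_atomic_state_init(), and consider stating that requirement next to the put.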
[PATCH OLK-6.6 0/6] kabi: arch related KABI reserve
by Liao Chen 30 Jan '24

30 Jan '24
Affected files and structs:
include/linux/mfd/core.h struct mfd_cell
cpuhotplug.h struct enum cpuhp_state
[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 30 Jan '24

30 Jan '24
Reserve space for arm64 related structures.
Include efi.h, extable.h, fb.h, processor.h

Yuntao Liu (4):
  kabi: reserve space for efi.h
  kabi: reserve space for extable.h
  kabi: reserve space for fb.h
  kabi: reserve space for processor.h

 arch/arm64/include/asm/extable.h   | 3 +++
 arch/arm64/include/asm/processor.h | 9 +++++++++
 include/linux/efi.h                | 3 +++
 include/linux/fb.h                 | 7 +++++++
 4 files changed, 22 insertions(+)

--
2.34.1
[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 30 Jan '24

30 Jan '24
Reserve space for arm64 related structures.
Include efi.h, extable.h, fb.h, processor.h

Jinjie Ruan (4):
  kabi: reserve space for efi.h
  kabi: reserve space for extable.h
  kabi: reserve space for fb.h
  kabi: reserve space for processor.h

 arch/arm64/include/asm/extable.h   | 3 +++
 arch/arm64/include/asm/processor.h | 9 +++++++++
 include/linux/efi.h                | 3 +++
 include/linux/fb.h                 | 7 +++++++
 4 files changed, 22 insertions(+)

--
2.34.1
[PATCH openEuler-22.03-LTS-SP1] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 30 Jan '24

30 Jan '24
From: Daniel Vetter <daniel.vetter(a)ffwll.ch>

stable inclusion
from stable-v5.10.188
commit f09c0ac142c59495262dd80545f261b2aeeba538
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ
CVE: CVE-2023-51043

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.

This requires a bit of background. Properly done a modeset driver's
unload/remove sequence should be

	drm_dev_unplug();
	drm_atomic_helper_shutdown();
	drm_dev_put();

The trouble is that the drm_dev_unplugged() checks are by design racy,
they do not synchronize against all outstanding ioctl. This is because
those ioctl could block forever (both for modeset and for driver
specific ioctls), leading to deadlocks in hotunplug. Instead the code
sections that touch the hardware need to be annotated with
drm_dev_enter/exit, to avoid accessing hardware resources after the
unload/remove has finished.

To avoid use-after-free issues all the involved userspace visible
objects are supposed to hold a reference on the underlying drm_device,
like drm_file does.

The issue now is that we missed one, the atomic modeset ioctl can be run
in a nonblocking fashion, and in that case it cannot rely on the implied
drm_device reference provided by the ioctl calling context. This can
result in a use-after-free if an nonblocking atomic commit is carefully
raced against a driver unload.

Fix this by unconditionally grabbing a drm_device reference for any
drm_atomic_state structures. Strictly speaking this isn't required for
blocking commits and TEST_ONLY calls, but it's the simpler approach.

Thanks to shanzhulig for the initial idea of grabbing an unconditional
reference, I just added comments, a condensed commit message and fixed a
minor potential issue in where exactly we drop the final reference.

Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 58527f151984..23a645a7e439 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1
[PATCH openEuler-22.03-LTS] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 30 Jan '24

30 Jan '24
From: Daniel Vetter <daniel.vetter(a)ffwll.ch>

stable inclusion
from stable-v5.10.188
commit f09c0ac142c59495262dd80545f261b2aeeba538
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ
CVE: CVE-2023-51043

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.

This requires a bit of background. Properly done a modeset driver's
unload/remove sequence should be

	drm_dev_unplug();
	drm_atomic_helper_shutdown();
	drm_dev_put();

The trouble is that the drm_dev_unplugged() checks are by design racy,
they do not synchronize against all outstanding ioctl. This is because
those ioctl could block forever (both for modeset and for driver
specific ioctls), leading to deadlocks in hotunplug. Instead the code
sections that touch the hardware need to be annotated with
drm_dev_enter/exit, to avoid accessing hardware resources after the
unload/remove has finished.

To avoid use-after-free issues all the involved userspace visible
objects are supposed to hold a reference on the underlying drm_device,
like drm_file does.

The issue now is that we missed one, the atomic modeset ioctl can be run
in a nonblocking fashion, and in that case it cannot rely on the implied
drm_device reference provided by the ioctl calling context. This can
result in a use-after-free if an nonblocking atomic commit is carefully
raced against a driver unload.

Fix this by unconditionally grabbing a drm_device reference for any
drm_atomic_state structures. Strictly speaking this isn't required for
blocking commits and TEST_ONLY calls, but it's the simpler approach.

Thanks to shanzhulig for the initial idea of grabbing an unconditional
reference, I just added comments, a condensed commit message and fixed a
minor potential issue in where exactly we drop the final reference.

Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 58527f151984..23a645a7e439 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1
[PATCH openEuler-22.03-SP2] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 30 Jan '24

30 Jan '24
From: Daniel Vetter <daniel.vetter(a)ffwll.ch>

stable inclusion
from stable-v5.10.188
commit f09c0ac142c59495262dd80545f261b2aeeba538
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ
CVE: CVE-2023-51043

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.

This requires a bit of background. Properly done a modeset driver's
unload/remove sequence should be

	drm_dev_unplug();
	drm_atomic_helper_shutdown();
	drm_dev_put();

The trouble is that the drm_dev_unplugged() checks are by design racy,
they do not synchronize against all outstanding ioctl. This is because
those ioctl could block forever (both for modeset and for driver
specific ioctls), leading to deadlocks in hotunplug. Instead the code
sections that touch the hardware need to be annotated with
drm_dev_enter/exit, to avoid accessing hardware resources after the
unload/remove has finished.

To avoid use-after-free issues all the involved userspace visible
objects are supposed to hold a reference on the underlying drm_device,
like drm_file does.

The issue now is that we missed one, the atomic modeset ioctl can be run
in a nonblocking fashion, and in that case it cannot rely on the implied
drm_device reference provided by the ioctl calling context. This can
result in a use-after-free if an nonblocking atomic commit is carefully
raced against a driver unload.

Fix this by unconditionally grabbing a drm_device reference for any
drm_atomic_state structures. Strictly speaking this isn't required for
blocking commits and TEST_ONLY calls, but it's the simpler approach.

Thanks to shanzhulig for the initial idea of grabbing an unconditional
reference, I just added comments, a condensed commit message and fixed a
minor potential issue in where exactly we drop the final reference.

Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 98b659981f1a..b10ba5057735 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1