October 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] ELF: fix kernel.randomize_va_space double read
by Gu Bowen 09 Oct '24

09 Oct '24

From: Alexey Dobriyan <adobriyan(a)gmail.com> stable inclusion from stable-v6.6.51 commit 53f17409abf61f66b6f05aff795e938e5ba811d1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NT CVE: CVE-2024-46826 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 2a97388a807b6ab5538aa8f8537b2463c6988bd2 ] ELF loader uses "randomize_va_space" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec. Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Link: https://lore.kernel.org/r/3329905c-7eb8-400a-8f0a-d87cff979b5b@p183 Signed-off-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- fs/binfmt_elf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 7b3d2d491407..fb2c8d14327a 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1008,7 +1008,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (elf_read_implies_exec(*elf_ex, executable_stack)) current->personality |= READ_IMPLIES_EXEC; - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) + const int snapshot_randomize_va_space = READ_ONCE(randomize_va_space); + if (!(current->personality & ADDR_NO_RANDOMIZE) && snapshot_randomize_va_space) current->flags |= PF_RANDOMIZE; setup_new_exec(bprm); @@ -1300,7 +1301,7 @@ static int load_elf_binary(struct linux_binprm *bprm) mm->end_data = end_data; mm->start_stack = bprm->p; - if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) { + if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) { /* * For architectures with ELF randomization, when executing * a loader directly (i.e. no interpreter listed in ELF -- 2.25.1

2 1

[PATCH OLK-6.6] drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ
by liwei 09 Oct '24

09 Oct '24

From: Marek Vasut <marex(a)denx.de> mainline inclusion from mainline-v6.11-rc1 commit 162e48cb1d84c2c966b649b8ac5c9d4f75f6d44f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAUAT8 CVE: CVE-2024-46810 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Make sure the connector is fully initialized before signalling any HPD events via drm_kms_helper_hotplug_event(), otherwise this may lead to NULL pointer dereference. Signed-off-by: Marek Vasut <marex(a)denx.de> Reviewed-by: Robert Foss <rfoss(a)kernel.org> Signed-off-by: Robert Foss <rfoss(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240531203333.277476-1-marex… Signed-off-by: liwei <liwei728(a)huawei.com> --- drivers/gpu/drm/bridge/tc358767.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c index d941c3a0e611..7fd4a5fe03ed 100644 --- a/drivers/gpu/drm/bridge/tc358767.c +++ b/drivers/gpu/drm/bridge/tc358767.c @@ -2034,7 +2034,7 @@ static irqreturn_t tc_irq_handler(int irq, void *arg) dev_err(tc->dev, "syserr %x\n", stat); } - if (tc->hpd_pin >= 0 && tc->bridge.dev) { + if (tc->hpd_pin >= 0 && tc->bridge.dev && tc->aux.drm_dev) { /* * H is triggered when the GPIO goes high. * -- 2.25.1

2 1

[PATCH OLK-5.10] blk-mq: fix lockdep hardirq warning in __blk_mq_tag_idle()
by Yu Kuai 09 Oct '24

09 Oct '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAVONP CVE: NA -------------------------------- commit c6f9c0e2d53d ("blk-mq: allow hardware queue to get more tag while sharing a tag set") started to call blk_mq_tag_idle() from hardirq context. And later commit 1b6433f06bda ("blk-mq: fix potential io hang by wrong 'wake_batch'") add spin_unlock_irq() in blk_mq_tag_idle(), which may enable interrupt in hardirq context, and may trigger AA deadlock. Fixes: 1b6433f06bda ("blk-mq: fix potential io hang by wrong 'wake_batch'") Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> --- block/blk-mq-tag.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c index 73c046bc3d90..dd4f9bdcb8c2 100644 --- a/block/blk-mq-tag.c +++ b/block/blk-mq-tag.c @@ -85,6 +85,7 @@ void __blk_mq_tag_idle(struct blk_mq_hw_ctx *hctx) { struct blk_mq_tags *tags = hctx->tags; unsigned int users; + unsigned long flags; if (blk_mq_is_sbitmap_shared(hctx->flags)) { struct request_queue *q = hctx->queue; @@ -97,10 +98,10 @@ void __blk_mq_tag_idle(struct blk_mq_hw_ctx *hctx) return; } - spin_lock_irq(&tags->lock); + spin_lock_irqsave(&tags->lock, flags); users = atomic_dec_return(&tags->active_queues); blk_mq_update_wake_batch(tags, users); - spin_unlock_irq(&tags->lock); + spin_unlock_irqrestore(&tags->lock, flags); blk_mq_tag_wakeup_all(tags, false); } -- 2.39.2

2 1

[PATCH OLK-6.6] drm/amd/display: Check index for aux_rd_interval before using
by Qi Xi 09 Oct '24

09 Oct '24

From: Alex Hung <alex.hung(a)amd.com> mainline inclusion from mainline-v6.11-rc1 commit 9ba2ea6337b4f159aecb177555a6a81da92d302e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV7O CVE: CVE-2024-46728 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- aux_rd_interval has size of 7 and should be checked. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Acked-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- .../gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c index 16a62e018712..9d1adfc09fb2 100644 --- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c +++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c @@ -914,10 +914,10 @@ static enum dc_status configure_lttpr_mode_non_transparent( /* Driver does not need to train the first hop. Skip DPCD read and clear * AUX_RD_INTERVAL for DPTX-to-DPIA hop. */ - if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA) + if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA && repeater_cnt > 0 && repeater_cnt < MAX_REPEATER_CNT) link->dpcd_caps.lttpr_caps.aux_rd_interval[--repeater_cnt] = 0; - for (repeater_id = repeater_cnt; repeater_id > 0; repeater_id--) { + for (repeater_id = repeater_cnt; repeater_id > 0 && repeater_id < MAX_REPEATER_CNT; repeater_id--) { aux_interval_address = DP_TRAINING_AUX_RD_INTERVAL_PHY_REPEATER1 + ((DP_REPEATER_CONFIGURATION_AND_STATUS_SIZE) * (repeater_id - 1)); core_link_read_dpcd( -- 2.25.1

2 1

[PATCH OLK-5.10] kprobes: Fix deadlock issue with kmemleak
by Zheng Yejian 09 Oct '24

09 Oct '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1 ----------------------------------------- There is following deadlock issue: CPU0 CPU1 ==== ==== kretprobe_trampoline kmem_cache_alloc trampoline_handler kmemleak_alloc __kretprobe_trampoline_handler create_object kretprobe_hash_lock <-- hold kmemleak lock <-- hold kretprobe table lock __link_object recycle_rp_inst stack_trace_save kfree_rcu kvfree_call_rcu ... kmemleak_ignore unwind_next_frame kretprobe_find_ret_addr <-- wait for kmemleak lock kretprobe_hash_lock <-- wait for kretprobe table lock One task on CPU0 hold kretprobe_hash_lock and wait for kmemleak_lock, however, kmemleak_lock was held by other task on CPU1 and that task is waiting for kretprobe_hash_lock, then deadlock happended. To fix it, move kfree_rcu() out of kretprobe table lock area. Fixes: 88fef946364b ("kprobes: Add kretprobe_find_ret_addr() for searching return address") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/kprobes.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index dacb71214fa1..5d64d97975ba 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1223,7 +1223,7 @@ void kprobes_inc_nmissed_count(struct kprobe *p) } NOKPROBE_SYMBOL(kprobes_inc_nmissed_count); -static void recycle_rp_inst(struct kretprobe_instance *ri) +static void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head) { struct kretprobe *rp = ri->rp; @@ -1235,7 +1235,7 @@ static void recycle_rp_inst(struct kretprobe_instance *ri) hlist_add_head(&ri->hlist, &rp->free_instances); raw_spin_unlock(&rp->lock); } else - kfree_rcu(ri, rcu); + hlist_add_head(&ri->hlist, head); } NOKPROBE_SYMBOL(recycle_rp_inst); @@ -1326,6 +1326,7 @@ void kprobe_flush_task(struct task_struct *tk) struct hlist_head *head; struct hlist_node *tmp; unsigned long hash, flags = 0; + HLIST_HEAD(empty_rp); if (unlikely(!kprobes_initialized)) /* Early boot. kretprobe_table_locks not yet initialized. */ @@ -1338,10 +1339,16 @@ void kprobe_flush_task(struct task_struct *tk) kretprobe_table_lock(hash, &flags); hlist_for_each_entry_safe(ri, tmp, head, hlist) { if (ri->task == tk) - recycle_rp_inst(ri); + recycle_rp_inst(ri, &empty_rp); } kretprobe_table_unlock(hash, &flags); + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + INIT_HLIST_NODE(&ri->hlist); + kfree_rcu(ri, rcu); + } + kprobe_busy_end(); } NOKPROBE_SYMBOL(kprobe_flush_task); @@ -2014,6 +2021,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, unsigned long flags; kprobe_opcode_t *correct_ret_addr = NULL; bool skipped = false; + HLIST_HEAD(empty_rp); kretprobe_hash_lock(current, &head, &flags); @@ -2082,7 +2090,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, __this_cpu_write(current_kprobe, prev); } - recycle_rp_inst(ri); + recycle_rp_inst(ri, &empty_rp); if (ri == last) break; @@ -2090,6 +2098,12 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, kretprobe_hash_unlock(current, &flags); + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + INIT_HLIST_NODE(&ri->hlist); + kfree_rcu(ri, rcu); + } + return (unsigned long)correct_ret_addr; } NOKPROBE_SYMBOL(__kretprobe_trampoline_handler) -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] btrfs: clean up our handling of refs == 0 in snapshot delete
by Baokun Li 09 Oct '24

09 Oct '24

From: Josef Bacik <josef(a)toxicpanda.com> stable inclusion from stable-v4.19.322 commit c847b28a799733b04574060ab9d00f215970627d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NE CVE: CVE-2024-46840 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ] In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information. Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index e579e19ebd4b..8207c202e498 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -8400,7 +8400,15 @@ static noinline void reada_walk_down(struct btrfs_trans_handle *trans, /* We don't care about errors in readahead. */ if (ret < 0) continue; - BUG_ON(refs == 0); + + /* + * This could be racey, it's conceivable that we raced and end + * up with a bogus refs count, if that's the case just skip, if + * we are actually corrupt we will notice when we look up + * everything again with our locks. + */ + if (refs == 0) + continue; if (wc->stage == DROP_REFERENCE) { if (refs == 1) @@ -8467,7 +8475,11 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans, BUG_ON(ret == -ENOMEM); if (ret) return ret; - BUG_ON(wc->refs[level] == 0); + if (unlikely(wc->refs[level] == 0)) { + btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", + eb->start); + return -EUCLEAN; + } } if (wc->stage == DROP_REFERENCE) { @@ -8575,8 +8587,9 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans, goto out_unlock; if (unlikely(wc->refs[level - 1] == 0)) { - btrfs_err(fs_info, "Missing references."); - ret = -EIO; + btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", + bytenr); + ret = -EUCLEAN; goto out_unlock; } *lookup_info = 0; @@ -8744,7 +8757,12 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans, path->locks[level] = 0; return ret; } - BUG_ON(wc->refs[level] == 0); + if (unlikely(wc->refs[level] == 0)) { + btrfs_tree_unlock_rw(eb, path->locks[level]); + btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0", + eb->start); + return -EUCLEAN; + } if (wc->refs[level] == 1) { btrfs_tree_unlock_rw(eb, path->locks[level]); path->locks[level] = 0; -- 2.31.1

2 1

[openeuler:OLK-5.10 11219/30000] vmlinux.o: warning: objtool: do_syscall_64()+0x46: call to memset() leaves .noinstr.text section
by kernel test robot 09 Oct '24

09 Oct '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 411e7ef551c128efdf5b4e53cc01245ba85b3817 commit: 130620d5878d2348208258965876547a69353f9f [11219/30000] x86/entry: Enable random_kstack_offset support config: x86_64-buildonly-randconfig-006-20241009 (https://download.01.org/0day-ci/archive/20241009/202410091420.7w9TkxwA-lkp@…) compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241009/202410091420.7w9TkxwA-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410091420.7w9TkxwA-lkp@intel.com/ All warnings (new ones prefixed by >>): >> vmlinux.o: warning: objtool: do_syscall_64()+0x46: call to memset() leaves .noinstr.text section vmlinux.o: warning: objtool: fixup_bad_iret()+0x36: call to memset() leaves .noinstr.text section ld.lld: error: undefined symbol: __tsan_memset >>> referenced by do_mounts.c >>> do_mounts.o:(name_to_dev_t) in archive init/built-in.a >>> referenced by do_mounts.c >>> do_mounts.o:(mount_block_root) in archive init/built-in.a >>> referenced by vsyscall_64.c >>> entry/vsyscall/vsyscall_64.o:(trace_event_raw_event_emulate_vsyscall) in archive arch/x86/built-in.a >>> referenced 14932 more times -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

openEuler Kernel SIG双周例会
by openEuler conference 09 Oct '24

09 Oct '24

您好！ Kernel 邀请您参加 2024-10-11 14:00 召开的WeLink会议(自动录制) 会议主题：openEuler Kernel SIG双周例会会议内容： 1. 进展update 2. 议题征集中（新增议题可回复此邮件申报，也可直接填写至会议纪要看板）会议链接：https://meeting.huaweicloud.com:36443/#/j/960499088 会议纪要：https://etherpad.openeuler.org/p/Kernel-meetings 更多资讯尽在：https://www.openeuler.org/zh/ Hello! Kernel invites you to attend the WeLink conference(auto recording) will be held at 2024-10-11 14:00, The subject of the conference is openEuler Kernel SIG双周例会, Summary: 1. 进展update 2. 议题征集中（新增议题可回复此邮件申报，也可直接填写至会议纪要看板） You can join the meeting at https://meeting.huaweicloud.com:36443/#/j/960499088. Add topics at https://etherpad.openeuler.org/p/Kernel-meetings. More information: https://www.openeuler.org/en/

1 0

[PATCH openEuler-1.0-LTS] platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses
by Wupeng Ma 09 Oct '24

09 Oct '24

From: Hans de Goede <hdegoede(a)redhat.com> stable inclusion from stable-v6.6.52 commit 6821a82616f60aa72c5909b3e252ad97fb9f7e2a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAUA6B CVE: CVE-2024-46859 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 upstream. The panasonic laptop code in various places uses the SINF array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array is big enough. Not all panasonic laptops have this many SINF array entries, for example the Toughbook CF-18 model only has 10 SINF array entries. So it only supports the AC+DC brightness entries and mute. Check that the SINF array has a minimum size which covers all AC+DC brightness entries and refuse to load if the SINF array is smaller. For higher SINF indexes hide the sysfs attributes when the SINF array does not contain an entry for that attribute, avoiding show()/store() accessing the array out of bounds and add bounds checking to the probe() and resume() code accessing these. Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()") Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Link: https://lore.kernel.org/r/20240909113227.254470-1-hdegoede@redhat.com Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/platform/x86/panasonic-laptop.c [Ma Wupeng: mode SINF_ECO_MODE, SINF_CUR_BRIGHT do not exist until 5.11] Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- drivers/platform/x86/panasonic-laptop.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index 8361ad75389a..71e55d90f712 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -429,6 +429,18 @@ static DEVICE_ATTR(lcdtype, S_IRUGO, show_lcdtype, NULL); static DEVICE_ATTR(mute, S_IRUGO, show_mute, NULL); static DEVICE_ATTR(sticky_key, S_IRUGO | S_IWUSR, show_sticky, set_sticky); +static umode_t pcc_sysfs_is_visible(struct kobject *kobj, struct attribute *attr, int idx) +{ + struct device *dev = kobj_to_dev(kobj); + struct acpi_device *acpi = to_acpi_device(dev); + struct pcc_acpi *pcc = acpi_driver_data(acpi); + + if (attr == &dev_attr_mute.attr) + return (pcc->num_sifr > SINF_MUTE) ? attr->mode : 0; + + return attr->mode; +} + static struct attribute *pcc_sysfs_entries[] = { &dev_attr_numbatt.attr, &dev_attr_lcdtype.attr, @@ -438,8 +450,9 @@ static struct attribute *pcc_sysfs_entries[] = { }; static const struct attribute_group pcc_attr_group = { - .name = NULL, /* put in device directory */ - .attrs = pcc_sysfs_entries, + .name = NULL, /* put in device directory */ + .attrs = pcc_sysfs_entries, + .is_visible = pcc_sysfs_is_visible, }; @@ -559,8 +572,12 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) num_sifr = acpi_pcc_get_sqty(device); - if (num_sifr < 0 || num_sifr > 255) { - ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range")); + /* + * pcc->sinf is expected to at least have the AC+DC brightness entries. + * Accesses to higher SINF entries are checked against num_sifr. + */ + if (num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255) { + ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr %d out of range %d - 255\n", num_sifr, SINF_DC_CUR_BRIGHT + 1)); return -ENODEV; } -- 2.25.1

2 1

[PATCH OLK-6.6] usb: gadget: aspeed_udc: validate endpoint index for ast udc
by Gu Bowen 09 Oct '24

09 Oct '24

From: Ma Ke <make24(a)iscas.ac.cn> stable inclusion from stable-v6.6.51 commit b2a50ffdd1a079869a62198a8d1441355c513c7c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9NW CVE: CVE-2024-46836 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ee0d382feb44ec0f445e2ad63786cd7f3f6a8199 ] We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis. Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> Reviewed-by: Andrew Jeffery <andrew(a)codeconstruct.com.au> Acked-by: Andrew Jeffery <andrew(a)codeconstruct.com.au> Link: https://lore.kernel.org/r/20240625022306.2568122-1-make24@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- drivers/usb/gadget/udc/aspeed_udc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c index fc2ead0fe621..4868286574a1 100644 --- a/drivers/usb/gadget/udc/aspeed_udc.c +++ b/drivers/usb/gadget/udc/aspeed_udc.c @@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc) break; case USB_RECIP_ENDPOINT: epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK; + if (epnum >= AST_UDC_NUM_ENDPOINTS) + goto stall; status = udc->ep[epnum].stopped; break; default: -- 2.25.1

2 1

2024

2023

2022

2021

2020

2019

Kernel October 2024