October 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] wifi: ath12k: fix array out-of-bound access in SoC stats
by Chen Zhongjin 30 Oct '24

30 Oct '24

From: Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> stable inclusion from stable-v6.6.55 commit d0e4274d9dc9f8409d56d622cd3ecf7b6fd49e2f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR8S CVE: CVE-2024-49931 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit e106b7ad13c1d246adaa57df73edb8f8b8acb240 ] Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process() function access ath12k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. SRNG ring ID differ from normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 Signed-off-by: Karthikeyan Periyasamy <quic_periyasa(a)quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo(a)quicinc.com> Link: https://patch.msgid.link/20240704070811.4186543-2-quic_periyasa@quicinc.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c index d9bc07844fb7..70ad035acac7 100644 --- a/drivers/net/wireless/ath/ath12k/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c @@ -2670,7 +2670,7 @@ int ath12k_dp_rx_process(struct ath12k_base *ab, int ring_id, if (push_reason != HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION) { dev_kfree_skb_any(msdu); - ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++; + ab->soc_stats.hal_reo_error[ring_id]++; continue; } -- 2.25.1

2 1

[PATCH OLK-6.6] bpf: Fail verification for sign-extension of packet data/data_end/data_meta
by Chen Zhongjin 30 Oct '24

30 Oct '24

From: Yonghong Song <yonghong.song(a)linux.dev> mainline inclusion from mainline-v6.12-rc1 commit 92de36080c93296ef9005690705cba260b9bd68a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJQ CVE: CVE-2024-47702 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field. The original code looks like: r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */ r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension. After verification and convert_ctx_accesses(), the final asm code looks like: r2 = *(u64 *)(r1 +208) r2 = (s32)r2 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure. Currently, in C code, typically we have void *data = (void *)(long)skb->data; void *data_end = (void *)(long)skb->data_end; ... and it will generate r2 = *(u64 *)(r1 +208) r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 If we allow sign-extension, void *data = (void *)(long)(int)skb->data; void *data_end = (void *)(long)skb->data_end; ... the generated code looks like r2 = *(u64 *)(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer. To fix this issue for case r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail. [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/ Reported-by: syzbot+ad9ec60c8eaf69e6f99c(a)syzkaller.appspotmail.com Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses") Acked-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20240723153439.2429035-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Conflicts: kernel/bpf/verifier.c [patch set:("bpf, lsm: Add check for BPF LSM return value") was not merged] Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- include/linux/bpf.h | 1 + kernel/bpf/verifier.c | 5 +++-- net/core/filter.c | 21 ++++++++++++++++----- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 8c4c2c39a6c1..7de3bcec8607 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -912,6 +912,7 @@ static_assert(__BPF_REG_TYPE_MAX <= BPF_BASE_TYPE_LIMIT); */ struct bpf_insn_access_aux { enum bpf_reg_type reg_type; + bool is_ldsx; union { int ctx_field_size; struct { diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index d1041517a984..82f2be2ddd06 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5549,11 +5549,12 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, enum bpf_access_type t, enum bpf_reg_type *reg_type, - struct btf **btf, u32 *btf_id) + struct btf **btf, u32 *btf_id, bool is_ldsx) { struct bpf_insn_access_aux info = { .reg_type = *reg_type, .log = &env->log, + .is_ldsx = is_ldsx, }; if (env->ops->is_valid_access && @@ -6802,7 +6803,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn return err; err = check_ctx_access(env, insn_idx, off, size, t, &reg_type, &btf, - &btf_id); + &btf_id, is_ldsx); if (err) verbose_linfo(env, insn_idx, "; "); if (!err && t == BPF_READ && value_regno >= 0) { diff --git a/net/core/filter.c b/net/core/filter.c index e16d746c23da..e4f1dc9f222b 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -8601,13 +8601,16 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type if (off + size > offsetofend(struct __sk_buff, cb[4])) return false; break; + case bpf_ctx_range(struct __sk_buff, data): + case bpf_ctx_range(struct __sk_buff, data_meta): + case bpf_ctx_range(struct __sk_buff, data_end): + if (info->is_ldsx || size != size_default) + return false; + break; case bpf_ctx_range_till(struct __sk_buff, remote_ip6[0], remote_ip6[3]): case bpf_ctx_range_till(struct __sk_buff, local_ip6[0], local_ip6[3]): case bpf_ctx_range_till(struct __sk_buff, remote_ip4, remote_ip4): case bpf_ctx_range_till(struct __sk_buff, local_ip4, local_ip4): - case bpf_ctx_range(struct __sk_buff, data): - case bpf_ctx_range(struct __sk_buff, data_meta): - case bpf_ctx_range(struct __sk_buff, data_end): if (size != size_default) return false; break; @@ -9051,6 +9054,14 @@ static bool xdp_is_valid_access(int off, int size, } } return false; + } else { + switch (off) { + case offsetof(struct xdp_md, data_meta): + case offsetof(struct xdp_md, data): + case offsetof(struct xdp_md, data_end): + if (info->is_ldsx) + return false; + } } switch (off) { @@ -9381,12 +9392,12 @@ static bool flow_dissector_is_valid_access(int off, int size, switch (off) { case bpf_ctx_range(struct __sk_buff, data): - if (size != size_default) + if (info->is_ldsx || size != size_default) return false; info->reg_type = PTR_TO_PACKET; return true; case bpf_ctx_range(struct __sk_buff, data_end): - if (size != size_default) + if (info->is_ldsx || size != size_default) return false; info->reg_type = PTR_TO_PACKET_END; return true; -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] drm: omapdrm: Add missing check for alloc_ordered_workqueue
by Liu Chuang 30 Oct '24

30 Oct '24

From: Ma Ke <make24(a)iscas.ac.cn> stable inclusion from stable-v5.10.227 commit 2bda89735199683b03f55b807bd1e31a3857520b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR94 CVE: CVE-2024-49879 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e794b7b9b92977365c693760a259f8eef940c536 upstream. As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. Cc: stable(a)vger.kernel.org Fixes: 2f95bc6d324a ("drm: omapdrm: Perform initialization/cleanup at probe/remove time") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240808061336.2796729-1-make… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/omapdrm/omap_drv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c index 53d5e184ee77..8c664ef0cf62 100644 --- a/drivers/gpu/drm/omapdrm/omap_drv.c +++ b/drivers/gpu/drm/omapdrm/omap_drv.c @@ -600,6 +600,10 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) soc = soc_device_match(omapdrm_soc_devices); priv->omaprev = soc ? (unsigned int)soc->data : 0; priv->wq = alloc_ordered_workqueue("omapdrm", 0); + if (!priv->wq) { + ret = -ENOMEM; + goto err_alloc_workqueue; + } mutex_init(&priv->list_lock); INIT_LIST_HEAD(&priv->obj_list); @@ -649,6 +653,7 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) err_gem_deinit: omap_gem_deinit(ddev); destroy_workqueue(priv->wq); +err_alloc_workqueue: omap_disconnect_pipelines(ddev); omap_crtc_pre_uninit(priv); drm_dev_put(ddev); -- 2.34.1

2 1

[OLK-6.6] thermal: core: Reference count the zone in thermal_zone_get_by_id()
by Xiongfeng Wang 30 Oct '24

30 Oct '24

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> mainline inclusion from mainline-v6.12-rc3 commit a42a5839f400e929c489bb1b58f54596c4535167 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF5 CVE: CVE-2024-50028 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- There are places in the thermal netlink code where nothing prevents the thermal zone object from going away while being accessed after it has been returned by thermal_zone_get_by_id(). To address this, make thermal_zone_get_by_id() get a reference on the thermal zone device object to be returned with the help of get_device(), under thermal_list_lock, and adjust all of its callers to this change with the help of the cleanup.h infrastructure. Fixes: 1ce50e7d408e ("thermal: core: genetlink support for events/cmd/sampling") Cc: 6.8+ <stable(a)vger.kernel.org> # 6.8+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Lukasz Luba <lukasz.luba(a)arm.com> Link: https://patch.msgid.link/6112242.lOV4Wx5bFT@rjwysocki.net Conflicts: drivers/thermal/thermal_core.h drivers/thermal/thermal_netlink.c [wangxiongfeng: fix context conflicts] Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- drivers/thermal/thermal_core.c | 1 + drivers/thermal/thermal_core.h | 3 +++ drivers/thermal/thermal_netlink.c | 9 +++------ 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index dee3022539cf..acf74fe64088 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -582,6 +582,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id) mutex_lock(&thermal_list_lock); list_for_each_entry(tz, &thermal_tz_list, node) { if (tz->id == id) { + get_device(&tz->device); match = tz; break; } diff --git a/drivers/thermal/thermal_core.h b/drivers/thermal/thermal_core.h index 024e82ebf592..91703b930956 100644 --- a/drivers/thermal/thermal_core.h +++ b/drivers/thermal/thermal_core.h @@ -56,6 +56,9 @@ int for_each_thermal_governor(int (*cb)(struct thermal_governor *, void *), struct thermal_zone_device *thermal_zone_get_by_id(int id); +DEFINE_CLASS(thermal_zone_get_by_id, struct thermal_zone_device *, + if (_T) put_device(&_T->device), thermal_zone_get_by_id(id), int id) + struct thermal_attr { struct device_attribute attr; char name[THERMAL_NAME_LENGTH]; diff --git a/drivers/thermal/thermal_netlink.c b/drivers/thermal/thermal_netlink.c index 08bc46c3ec7b..8d07531d9519 100644 --- a/drivers/thermal/thermal_netlink.c +++ b/drivers/thermal/thermal_netlink.c @@ -450,7 +450,6 @@ static int thermal_genl_cmd_tz_get_id(struct param *p) static int thermal_genl_cmd_tz_get_trip(struct param *p) { struct sk_buff *msg = p->msg; - struct thermal_zone_device *tz; struct nlattr *start_trip; struct thermal_trip trip; int ret, i, id; @@ -460,7 +459,7 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) id = nla_get_u32(p->attrs[THERMAL_GENL_ATTR_TZ_ID]); - tz = thermal_zone_get_by_id(id); + CLASS(thermal_zone_get_by_id, tz)(id); if (!tz) return -EINVAL; @@ -498,7 +497,6 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) static int thermal_genl_cmd_tz_get_temp(struct param *p) { struct sk_buff *msg = p->msg; - struct thermal_zone_device *tz; int temp, ret, id; if (!p->attrs[THERMAL_GENL_ATTR_TZ_ID]) @@ -506,7 +504,7 @@ static int thermal_genl_cmd_tz_get_temp(struct param *p) id = nla_get_u32(p->attrs[THERMAL_GENL_ATTR_TZ_ID]); - tz = thermal_zone_get_by_id(id); + CLASS(thermal_zone_get_by_id, tz)(id); if (!tz) return -EINVAL; @@ -524,7 +522,6 @@ static int thermal_genl_cmd_tz_get_temp(struct param *p) static int thermal_genl_cmd_tz_get_gov(struct param *p) { struct sk_buff *msg = p->msg; - struct thermal_zone_device *tz; int id, ret = 0; if (!p->attrs[THERMAL_GENL_ATTR_TZ_ID]) @@ -532,7 +529,7 @@ static int thermal_genl_cmd_tz_get_gov(struct param *p) id = nla_get_u32(p->attrs[THERMAL_GENL_ATTR_TZ_ID]); - tz = thermal_zone_get_by_id(id); + CLASS(thermal_zone_get_by_id, tz)(id); if (!tz) return -EINVAL; -- 2.20.1

1 0

[PATCH OLK-5.10] drm: omapdrm: Add missing check for alloc_ordered_workqueue
by Liu Chuang 30 Oct '24

30 Oct '24

From: Ma Ke <make24(a)iscas.ac.cn> stable inclusion from stable-v5.10.227 commit 2bda89735199683b03f55b807bd1e31a3857520b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR94 CVE: CVE-2024-49879 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e794b7b9b92977365c693760a259f8eef940c536 upstream. As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. Cc: stable(a)vger.kernel.org Fixes: 2f95bc6d324a ("drm: omapdrm: Perform initialization/cleanup at probe/remove time") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240808061336.2796729-1-make… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/omapdrm/omap_drv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c index 53d5e184ee77..8c664ef0cf62 100644 --- a/drivers/gpu/drm/omapdrm/omap_drv.c +++ b/drivers/gpu/drm/omapdrm/omap_drv.c @@ -600,6 +600,10 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) soc = soc_device_match(omapdrm_soc_devices); priv->omaprev = soc ? (unsigned int)soc->data : 0; priv->wq = alloc_ordered_workqueue("omapdrm", 0); + if (!priv->wq) { + ret = -ENOMEM; + goto err_alloc_workqueue; + } mutex_init(&priv->list_lock); INIT_LIST_HEAD(&priv->obj_list); @@ -649,6 +653,7 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) err_gem_deinit: omap_gem_deinit(ddev); destroy_workqueue(priv->wq); +err_alloc_workqueue: omap_disconnect_pipelines(ddev); omap_crtc_pre_uninit(priv); drm_dev_put(ddev); -- 2.34.1

2 1

[PATCH OLK-6.6] drm: omapdrm: Add missing check for alloc_ordered_workqueue
by Liu Chuang 30 Oct '24

30 Oct '24

From: Ma Ke <make24(a)iscas.ac.cn> stable inclusion from stable-v6.6.55 commit b57b53e8ffcdfda87d954fc4187426a54fe75a3d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR94 CVE: CVE-2024-49879 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e794b7b9b92977365c693760a259f8eef940c536 upstream. As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue. Cc: stable(a)vger.kernel.org Fixes: 2f95bc6d324a ("drm: omapdrm: Perform initialization/cleanup at probe/remove time") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240808061336.2796729-1-make… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/omapdrm/omap_drv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c index e000577a95dd..21996b713d1c 100644 --- a/drivers/gpu/drm/omapdrm/omap_drv.c +++ b/drivers/gpu/drm/omapdrm/omap_drv.c @@ -695,6 +695,10 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) soc = soc_device_match(omapdrm_soc_devices); priv->omaprev = soc ? (uintptr_t)soc->data : 0; priv->wq = alloc_ordered_workqueue("omapdrm", 0); + if (!priv->wq) { + ret = -ENOMEM; + goto err_alloc_workqueue; + } mutex_init(&priv->list_lock); INIT_LIST_HEAD(&priv->obj_list); @@ -753,6 +757,7 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) drm_mode_config_cleanup(ddev); omap_gem_deinit(ddev); destroy_workqueue(priv->wq); +err_alloc_workqueue: omap_disconnect_pipelines(ddev); drm_dev_put(ddev); return ret; -- 2.34.1

2 1

[PATCH OLK-6.6] btrfs: fix uninitialized pointer free in add_inode_ref()
by Yifan Qiao 30 Oct '24

30 Oct '24

From: Roi Martin <jroi.martin(a)gmail.com> stable inclusion from stable-v6.6.58 commit e11ce03b58743bf1e096c48fcaa7e6f08eb75dfa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB0EMU CVE: CVE-2024-50088 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 66691c6e2f18d2aa4b22ffb624b9bdc97e9979e4 upstream. The add_inode_ref() function does not initialize the "name" struct when it is declared. If any of the following calls to "read_one_inode() returns NULL, dir = read_one_inode(root, parent_objectid); if (!dir) { ret = -ENOENT; goto out; } inode = read_one_inode(root, inode_objectid); if (!inode) { ret = -EIO; goto out; } then "name.name" would be freed on "out" before being initialized. out: ... kfree(name.name); This issue was reported by Coverity with CID 1526744. Fixes: e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs") CC: stable(a)vger.kernel.org # 6.6+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Roi Martin <jroi.martin(a)gmail.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/btrfs/tree-log.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index e0037665aa92..9ca55ad589e5 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -1374,7 +1374,7 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans, struct inode *inode = NULL; unsigned long ref_ptr; unsigned long ref_end; - struct fscrypt_str name; + struct fscrypt_str name = { 0 }; int ret; int log_ref_ver = 0; u64 parent_objectid; -- 2.39.2

2 1

[PATCH OLK-6.6 0/1] fix CVE-2024-49924
by Lin Yujun 30 Oct '24

30 Oct '24

Kaixin Wang (1): fbdev: pxafb: Fix possible use after free in pxafb_task() drivers/video/fbdev/pxafb.c | 1 + 1 file changed, 1 insertion(+) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1] thermal: core: Reference count the zone in thermal_zone_get_by_id()
by Xiongfeng Wang 30 Oct '24

30 Oct '24

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> mainline inclusion from mainline-v6.12-rc3 commit a42a5839f400e929c489bb1b58f54596c4535167 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF5 CVE: CVE-2024-50028 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- There are places in the thermal netlink code where nothing prevents the thermal zone object from going away while being accessed after it has been returned by thermal_zone_get_by_id(). To address this, make thermal_zone_get_by_id() get a reference on the thermal zone device object to be returned with the help of get_device(), under thermal_list_lock, and adjust all of its callers to this change with the help of the cleanup.h infrastructure. Fixes: 1ce50e7d408e ("thermal: core: genetlink support for events/cmd/sampling") Cc: 6.8+ <stable(a)vger.kernel.org> # 6.8+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Lukasz Luba <lukasz.luba(a)arm.com> Link: https://patch.msgid.link/6112242.lOV4Wx5bFT@rjwysocki.net Conflicts: drivers/thermal/thermal_netlink.c [wangxiongfeng: fix conflict because __cleanup() based infrastructure DEFINE_CLASS() is not introduced.] Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- drivers/thermal/thermal_core.c | 1 + drivers/thermal/thermal_netlink.c | 24 ++++++++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index dd449945e1e5e..ae7feac0892e2 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -760,6 +760,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id) mutex_lock(&thermal_list_lock); list_for_each_entry(tz, &thermal_tz_list, node) { if (tz->id == id) { + get_device(&tz->device); match = tz; break; } diff --git a/drivers/thermal/thermal_netlink.c b/drivers/thermal/thermal_netlink.c index dc535831b6609..5a9a6d1ddd03d 100644 --- a/drivers/thermal/thermal_netlink.c +++ b/drivers/thermal/thermal_netlink.c @@ -463,8 +463,10 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) return -EINVAL; start_trip = nla_nest_start(msg, THERMAL_GENL_ATTR_TZ_TRIP); - if (!start_trip) + if (!start_trip) { + put_device(&tz->device); return -EMSGSIZE; + } mutex_lock(&tz->lock); @@ -489,10 +491,13 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) nla_nest_end(msg, start_trip); + put_device(&tz->device); + return 0; out_cancel_nest: mutex_unlock(&tz->lock); + put_device(&tz->device); return -EMSGSIZE; } @@ -514,13 +519,17 @@ static int thermal_genl_cmd_tz_get_temp(struct param *p) ret = thermal_zone_get_temp(tz, &temp); if (ret) - return ret; + goto out; if (nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_ID, id) || - nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TEMP, temp)) - return -EMSGSIZE; + nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TEMP, temp)) { + ret = -EMSGSIZE; + goto out; + } - return 0; +out: + put_device(&tz->device); + return ret; } static int thermal_genl_cmd_tz_get_gov(struct param *p) @@ -542,10 +551,13 @@ static int thermal_genl_cmd_tz_get_gov(struct param *p) if (nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_ID, id) || nla_put_string(msg, THERMAL_GENL_ATTR_TZ_GOV_NAME, - tz->governor->name)) + tz->governor->name)) { + put_device(&tz->device); ret = -EMSGSIZE; + } mutex_unlock(&tz->lock); + put_device(&tz->device); return ret; } -- 2.20.1

2 1

[PATCH OLK-5.10] thermal: core: Reference count the zone in thermal_zone_get_by_id()
by Xiongfeng Wang 30 Oct '24

30 Oct '24

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> mainline inclusion from mainline-v6.12-rc3 commit a42a5839f400e929c489bb1b58f54596c4535167 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF5 CVE: CVE-2024-50028 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- There are places in the thermal netlink code where nothing prevents the thermal zone object from going away while being accessed after it has been returned by thermal_zone_get_by_id(). To address this, make thermal_zone_get_by_id() get a reference on the thermal zone device object to be returned with the help of get_device(), under thermal_list_lock, and adjust all of its callers to this change with the help of the cleanup.h infrastructure. Fixes: 1ce50e7d408e ("thermal: core: genetlink support for events/cmd/sampling") Cc: 6.8+ <stable(a)vger.kernel.org> # 6.8+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Reviewed-by: Lukasz Luba <lukasz.luba(a)arm.com> Link: https://patch.msgid.link/6112242.lOV4Wx5bFT@rjwysocki.net Conflicts: drivers/thermal/thermal_netlink.c [wangxiongfeng: fix conflict because __cleanup() based infrastructure DEFINE_CLASS() is not introduced.] Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- drivers/thermal/thermal_core.c | 1 + drivers/thermal/thermal_netlink.c | 24 ++++++++++++++++++------ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index 1cf49912dc96c..49e3cb07ae9e8 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -760,6 +760,7 @@ struct thermal_zone_device *thermal_zone_get_by_id(int id) mutex_lock(&thermal_list_lock); list_for_each_entry(tz, &thermal_tz_list, node) { if (tz->id == id) { + get_device(&tz->device); match = tz; break; } diff --git a/drivers/thermal/thermal_netlink.c b/drivers/thermal/thermal_netlink.c index dc535831b6609..5a9a6d1ddd03d 100644 --- a/drivers/thermal/thermal_netlink.c +++ b/drivers/thermal/thermal_netlink.c @@ -463,8 +463,10 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) return -EINVAL; start_trip = nla_nest_start(msg, THERMAL_GENL_ATTR_TZ_TRIP); - if (!start_trip) + if (!start_trip) { + put_device(&tz->device); return -EMSGSIZE; + } mutex_lock(&tz->lock); @@ -489,10 +491,13 @@ static int thermal_genl_cmd_tz_get_trip(struct param *p) nla_nest_end(msg, start_trip); + put_device(&tz->device); + return 0; out_cancel_nest: mutex_unlock(&tz->lock); + put_device(&tz->device); return -EMSGSIZE; } @@ -514,13 +519,17 @@ static int thermal_genl_cmd_tz_get_temp(struct param *p) ret = thermal_zone_get_temp(tz, &temp); if (ret) - return ret; + goto out; if (nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_ID, id) || - nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TEMP, temp)) - return -EMSGSIZE; + nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_TEMP, temp)) { + ret = -EMSGSIZE; + goto out; + } - return 0; +out: + put_device(&tz->device); + return ret; } static int thermal_genl_cmd_tz_get_gov(struct param *p) @@ -542,10 +551,13 @@ static int thermal_genl_cmd_tz_get_gov(struct param *p) if (nla_put_u32(msg, THERMAL_GENL_ATTR_TZ_ID, id) || nla_put_string(msg, THERMAL_GENL_ATTR_TZ_GOV_NAME, - tz->governor->name)) + tz->governor->name)) { + put_device(&tz->device); ret = -EMSGSIZE; + } mutex_unlock(&tz->lock); + put_device(&tz->device); return ret; } -- 2.20.1

2 1

2024

2023

2022

2021

2020

2019

Kernel October 2024