kernel@openeuler.org

October 2024

  • 79 participants
  • 925 discussions
[PATCH openEuler-22.03-LTS-SP1] IB/core: Fix ib_cache_setup_one error flow cleanup
by Zhang Changzhong 29 Oct '24

From: Patrisious Haddad <phaddad(a)nvidia.com> mainline inclusion from mainline-v6.12-rc1 commit 1403c8b14765eab805377dd3b75e96ace8747aed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPKR CVE: CVE-2024-47693 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When ib_cache_update return an error, we exit ib_cache_setup_one instantly with no proper cleanup, even though before this we had already successfully done gid_table_setup_one, that results in the kernel WARN below. Do proper cleanup using gid_table_cleanup_one before returning the err in order to fix the issue. WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0 Modules linked in: CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:gid_table_release_one+0x181/0x1a0 Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41 RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527 RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001 RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631 R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001 R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001 FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x94/0xa0 ? __warn+0x9e/0x1c0 ? 
gid_table_release_one+0x181/0x1a0 ? report_bug+0x1f9/0x340 ? gid_table_release_one+0x181/0x1a0 ? handle_bug+0xa2/0x110 ? exc_invalid_op+0x31/0xa0 ? asm_exc_invalid_op+0x16/0x20 ? __warn_printk+0xc7/0x180 ? __warn_printk+0xd4/0x180 ? gid_table_release_one+0x181/0x1a0 ib_device_release+0x71/0xe0 ? __pfx_ib_device_release+0x10/0x10 device_release+0x44/0xd0 kobject_put+0x135/0x3d0 put_device+0x20/0x30 rxe_net_add+0x7d/0xa0 rxe_newlink+0xd7/0x190 nldev_newlink+0x1b0/0x2a0 ? __pfx_nldev_newlink+0x10/0x10 rdma_nl_rcv_msg+0x1ad/0x2e0 rdma_nl_rcv_skb.constprop.0+0x176/0x210 netlink_unicast+0x2de/0x400 netlink_sendmsg+0x306/0x660 __sock_sendmsg+0x110/0x120 ____sys_sendmsg+0x30e/0x390 ___sys_sendmsg+0x9b/0xf0 ? kstrtouint+0x6e/0xa0 ? kstrtouint_from_user+0x7c/0xb0 ? get_pid_task+0xb0/0xd0 ? proc_fail_nth_write+0x5b/0x140 ? __fget_light+0x9a/0x200 ? preempt_count_add+0x47/0xa0 __sys_sendmsg+0x61/0xd0 do_syscall_64+0x50/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache") Signed-off-by: Patrisious Haddad <phaddad(a)nvidia.com> Reviewed-by: Maher Sanalla <msanalla(a)nvidia.com> Link: https://patch.msgid.link/79137687d829899b0b1c9835fcb4b258004c439a.172527335… Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Conflicts: drivers/infiniband/core/cache.c [d58c23c92548 ("IB/core: Only update PKEY and GID caches on respective events") not merged] Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- drivers/infiniband/core/cache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c index 7989b7e..21b405a 100644 --- a/drivers/infiniband/core/cache.c +++ b/drivers/infiniband/core/cache.c 
@@ -1633,8 +1633,10 @@ int ib_cache_setup_one(struct ib_device *device) rdma_for_each_port (device, p) { err = ib_cache_update(device, p, true); - if (err) + if (err) { + gid_table_cleanup_one(device); return err; + } } return 0; -- 2.9.5
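Review bot: In the new error branch inside rdma_for_each_port, gid_table_cleanup_one(device) runs before return err, yet the trace in the changelog shows the failing caller still reaching gid_table_release_one through ib_device_release afterwards. Please add a line to the changelog confirming that cleanup followed by release is the intended pairing and that no GID entry is put twice. The Conflicts note names d58c23c92548 as not merged but does not say what was adapted; from the hunk it looks like only the ib_cache_update(device, p, true) context line, and that is worth stating.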
[openeuler:openEuler-1.0-LTS 15383/23901] fs/proc/etmem_scan.c:823: undefined reference to `kvm_flush_remote_tlbs'
by kernel test robot 29 Oct '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   7b2baa68ab7f9f7fc4023e8121ddb050b2e45f30
commit: bad4d8833739acc8eef306e7ad5c7877f9f4f0fb [15383/23901] etmem: add etmem-scan feature
config: x86_64-randconfig-072-20241029 (https://download.01.org/0day-ci/archive/20241029/202410291925.OMbLBBuG-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241029/202410291925.OMbLBBuG-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410291925.OMbLBBuG-lkp@intel.com/

All errors (new ones prefixed by >>):

   ld: warning: arch/x86/lib/csum-copy_64.o: missing .note.GNU-stack section implies executable stack
   ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
   ld: warning: arch/x86/lib/csum-copy_64.o: missing .note.GNU-stack section implies executable stack
   ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
   ld: warning: .tmp_vmlinux1 has a LOAD segment with RWX permissions
   ld: fs/proc/etmem_scan.o: in function `page_scan_release':
>> fs/proc/etmem_scan.c:823: undefined reference to `kvm_flush_remote_tlbs'

vim +823 fs/proc/etmem_scan.c

   804
   805	static int page_scan_release(struct inode *inode, struct file *file)
   806	{
   807		struct mm_struct *mm = file->private_data;
   808		struct kvm *kvm;
   809		int ret = 0;
   810
   811		if (!mm) {
   812			ret = -EBADF;
   813			goto out;
   814		}
   815
   816		kvm = mm_kvm(mm);
   817		if (!kvm) {
   818			ret = -EINVAL;
   819			goto out;
   820		}
   821	#ifdef CONFIG_X86_64
   822		spin_lock(&kvm->mmu_lock);
 > 823		kvm_flush_remote_tlbs(kvm);
   824		spin_unlock(&kvm->mmu_lock);
   825	#endif
   826
   827	out:
   828		module_put(THIS_MODULE);
   829		return ret;
   830	}
   831

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
by Li Huafei 29 Oct '24

From: Elena Salomatkina <esalomatkina(a)ispras.ru> stable inclusion from stable-v6.6.55 commit 0168ab6fbd9e50d20b97486168b604b2ab28a2ca category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB1 CVE: CVE-2024-50000 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ] In mlx5e_tir_builder_alloc() kvzalloc() may return NULL which is dereferenced on the next line in a reference to the modify field. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object") Signed-off-by: Elena Salomatkina <esalomatkina(a)ispras.ru> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> Reviewed-by: Tariq Toukan <tariqt(a)nvidia.com> Reviewed-by: Gal Pressman <gal(a)nvidia.com> Signed-off-by: Saeed Mahameed <saeedm(a)nvidia.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c index d4239e3b3c88..11f724ad90db 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c @@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify) struct mlx5e_tir_builder *builder; builder = kvzalloc(sizeof(*builder), GFP_KERNEL); + if (!builder) + return NULL; + builder->modify = modify; return builder; -- 2.25.1
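Review bot: The added if (!builder) return NULL; in mlx5e_tir_builder_alloc() makes NULL a possible return value, but nothing in this patch shows the callers checking for it. Please confirm in the changelog that every caller on OLK-6.6 tests the returned builder before use; otherwise the NULL dereference only moves from builder->modify to the call site.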
[PATCH OLK-6.6] ocfs2: remove unreasonable unlock in ocfs2_read_blocks
by Tong Tiangen 29 Oct '24

From: Lizhi Xu <lizhi.xu(a)windriver.com> stable inclusion from stable-v6.6.55 commit 84543da867c967edffd5065fa910ebf56aaae49d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRCH CVE: CVE-2024-49965 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream. Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock. Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.… Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.… Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside") Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5 Tested-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> [4.20+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- fs/ocfs2/buffer_head_io.c | 1 - 1 file changed, 1 deletion(-) 
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c index 196638a22b48..a71b40065e8b 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c @@ -235,7 +235,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, if (bhs[i] == NULL) { bhs[i] = sb_getblk(sb, block++); if (bhs[i] == NULL) { - ocfs2_metadata_cache_io_unlock(ci); status = -ENOMEM; mlog_errno(status); /* Don't forget to put previous bh! */ -- 2.25.1
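Review bot: The changelog describes this as patch 1 of a 2-patch series for ocfs2_read_blocks(), but only the removal of ocfs2_metadata_cache_io_unlock(ci) in the sb_getblk() failure branch is submitted here. Please say whether the second fix (the issue Heming Zhao reported while reviewing this one) is queued for OLK-6.6 as well, or why it is not needed.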
[PATCH OLK-5.10] ocfs2: remove unreasonable unlock in ocfs2_read_blocks
by Tong Tiangen 29 Oct '24

From: Lizhi Xu <lizhi.xu(a)windriver.com> stable inclusion from stable-v5.10.227 commit 3f1ca6ba5452d53c598a45d21267a2c0c221eef3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRCH CVE: CVE-2024-49965 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream. Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock. Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.… Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.… Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside") Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5 Tested-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> [4.20+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- fs/ocfs2/buffer_head_io.c | 1 - 1 file changed, 1 deletion(-) 
diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c index f0b104e483d8..da24e8449f24 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c @@ -237,7 +237,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, if (bhs[i] == NULL) { bhs[i] = sb_getblk(sb, block++); if (bhs[i] == NULL) { - ocfs2_metadata_cache_io_unlock(ci); status = -ENOMEM; mlog_errno(status); /* Don't forget to put previous bh! */ -- 2.25.1
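Review bot: With ocfs2_metadata_cache_io_unlock(ci) dropped from the bhs[i] == NULL branch, correctness depends on the exit path taken after mlog_errno(status) releasing the lock exactly once, and that path lies outside the hunk's context. Please name in the changelog the label or line where the remaining unlock happens on OLK-5.10; the hunk lands at line 237 here versus 235 in the OLK-6.6 backport, so the surrounding code may not be identical.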
[openeuler:OLK-5.10 18685/30000] drivers/ub/urma/uburma/uburma_dev_ops.c:32:6: warning: no previous prototype for 'uburma_release_file'
by kernel test robot 29 Oct '24

Hi Yizhen,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   2d902497d466f0e7c448a2c6ad00878b549c2192
commit: cd637a6dded9c0dce5f8d79898bb25be2edb927a [18685/30000] ub: uburma support open/release file ops
config: arm64-randconfig-003-20241029 (https://download.01.org/0day-ci/archive/20241029/202410291823.s7QZPUJc-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241029/202410291823.s7QZPUJc-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410291823.s7QZPUJc-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/ub/urma/uburma/uburma_dev_ops.c:32:6: warning: no previous prototype for 'uburma_release_file' [-Wmissing-prototypes]
      32 | void uburma_release_file(struct kref *ref)
         |      ^~~~~~~~~~~~~~~~~~~
>> drivers/ub/urma/uburma/uburma_dev_ops.c:49:5: warning: no previous prototype for 'uburma_open' [-Wmissing-prototypes]
      49 | int uburma_open(struct inode *inode, struct file *filp)
         |     ^~~~~~~~~~~
   drivers/ub/urma/uburma/uburma_dev_ops.c: In function 'uburma_open':
>> drivers/ub/urma/uburma/uburma_dev_ops.c:66:50: warning: the comparison will always evaluate as 'false' for the address of 'dev_name' will never be NULL [-Waddress]
      66 |         if (ubc_dev == NULL || ubc_dev->dev_name == NULL) {
         |                                                  ^~
   In file included from drivers/ub/urma/uburma/uburma_dev_ops.c:25:
   include/urma/ubcore_types.h:1589:14: note: 'dev_name' declared here
    1589 |         char dev_name[UBCORE_MAX_DEV_NAME];
         |              ^~~~~~~~
   drivers/ub/urma/uburma/uburma_dev_ops.c: At top level:
>> drivers/ub/urma/uburma/uburma_dev_ops.c:102:5: warning: no previous prototype for 'uburma_close' [-Wmissing-prototypes]
     102 | int uburma_close(struct inode *inode, struct file *filp)
         |     ^~~~~~~~~~~~

vim +/uburma_release_file +32 drivers/ub/urma/uburma/uburma_dev_ops.c

    31
  > 32	void uburma_release_file(struct kref *ref)
    33	{
    34		struct uburma_file *file = container_of(ref, struct uburma_file, ref);
    35		int srcu_idx;
    36
    37		srcu_idx = srcu_read_lock(&file->ubu_dev->ubc_dev_srcu);
    38		srcu_dereference(file->ubu_dev->ubc_dev, &file->ubu_dev->ubc_dev_srcu);
    39
    40		srcu_read_unlock(&file->ubu_dev->ubc_dev_srcu, srcu_idx);
    41
    42		if (atomic_dec_and_test(&file->ubu_dev->refcnt))
    43			complete(&file->ubu_dev->comp);
    44
    45		kobject_put(&file->ubu_dev->kobj);
    46		kfree(file);
    47	}
    48
  > 49	int uburma_open(struct inode *inode, struct file *filp)
    50	{
    51		struct uburma_device *ubu_dev;
    52		struct ubcore_device *ubc_dev;
    53		struct uburma_file *file;
    54		int srcu_idx;
    55		int ret;
    56
    57		ubu_dev = container_of(inode->i_cdev, struct uburma_device, cdev);
    58		if (!atomic_inc_not_zero(&ubu_dev->refcnt)) {
    59			uburma_log_err("device was not ready.\n");
    60			return -ENXIO;
    61		}
    62
    63		srcu_idx = srcu_read_lock(&ubu_dev->ubc_dev_srcu);
    64		mutex_lock(&ubu_dev->lists_mutex);
    65		ubc_dev = srcu_dereference(ubu_dev->ubc_dev, &ubu_dev->ubc_dev_srcu);
  > 66		if (ubc_dev == NULL || ubc_dev->dev_name == NULL) {
    67			uburma_log_err("can not find ubcore device.\n");
    68			ret = EIO;
    69			goto err;
    70		}
    71
    72		file = kzalloc(sizeof(struct uburma_file), GFP_KERNEL);
    73		if (!file) {
    74			ret = -ENOMEM;
    75			uburma_log_err("can not alloc memory.\n");
    76			goto err;
    77		}
    78
    79		file->ubu_dev = ubu_dev;
    80		file->ucontext = NULL;
    81		kref_init(&file->ref);
    82		mutex_init(&file->mutex);
    83		filp->private_data = file;
    84
    85		list_add_tail(&file->list, &ubu_dev->uburma_file_list);
    86		kobject_get(&ubu_dev->kobj); // Increase reference count for file.
    87
    88		mutex_unlock(&ubu_dev->lists_mutex);
    89		srcu_read_unlock(&ubu_dev->ubc_dev_srcu, srcu_idx);
    90
    91		uburma_log_info("device: %s open succeed.\n", ubc_dev->dev_name);
    92		return nonseekable_open(inode, filp);
    93
    94	err:
    95		mutex_unlock(&ubu_dev->lists_mutex);
    96		srcu_read_unlock(&ubu_dev->ubc_dev_srcu, srcu_idx);
    97		if (atomic_dec_and_test(&ubu_dev->refcnt))
    98			complete(&ubu_dev->comp);
    99		return ret;
   100	}
   101
 > 102	int uburma_close(struct inode *inode, struct file *filp)

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] drm/amd/display: Fix index out of bounds in degamma hardware format translation
by Liu Chuang 29 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.227 commit c130a3c09e3746c1a09ce26c20d21d449d039b1d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9A CVE: CVE-2024-49894 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> 
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index bd9bc51983fe..da7aeb9c4632 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -560,6 +560,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1
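Review bot: The new if (i >= TRANSFER_FUNC_POINTS) return false; sits inside the copy loop, so when it fires rgb_resulted[] has already been written for the earlier values of j. Please confirm that callers treat a false return as an invalid output and never program the partially built curve; if the start index and increment are known before the loop, validating the last index up front would avoid the partial write.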
[PATCH OLK-5.10] drm/amd/display: Fix index out of bounds in degamma hardware format translation
by Liu Chuang 29 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.227 commit c130a3c09e3746c1a09ce26c20d21d449d039b1d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9A CVE: CVE-2024-49894 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> 
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index bd9bc51983fe..da7aeb9c4632 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -560,6 +560,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1
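Review bot: The bounds check compares i against TRANSFER_FUNC_POINTS, while the smatch report quoted in the changelog gives 1025 as the size of tf_pts.red, tf_pts.green and tf_pts.blue. Please confirm that TRANSFER_FUNC_POINTS equals that array size on OLK-5.10, or compare against ARRAY_SIZE(output_tf->tf_pts.red) so the check cannot drift from the declaration.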
[PATCH openEuler-1.0-LTS] drm/amd/display: Fix index out of bounds in degamma hardware format translation
by Liu Chuang 29 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> mainline inclusion from mainline-v6.12-rc1 commit b7e99058eb2e86aabd7a10761e76cae33d22b49f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9A CVE: CVE-2024-49894 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index 67a3ba49234e..ad4247061344 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -482,6 +482,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1
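Review bot: The header tags this as mainline inclusion from mainline-v6.12-rc1, but the Reference link points at the stable tree (stable/linux.git) rather than the mainline tree. Please point the Reference at the mainline commit b7e99058eb2e86aabd7a10761e76cae33d22b49f so the tag and the link agree. The hunk applies at line 482 here versus 560 in the 5.10-based backports, so a note that the loop context was checked on this older branch would also help.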
[PATCH OLK-5.10] selinux: fix potential counting error in avc_add_xperms_decision()
by Gu Bowen 29 Oct '24

From: Zhen Lei <thunder.leizhen(a)huawei.com> stable inclusion from stable-v5.10.225 commit bbcdda4b0d041fc1302d508321720d6d2c42d083 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0J6P Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 379d9af3f3da2da1bbfa67baf1820c72a080d1f1 upstream. The count increases only when a node is successfully added to the linked list. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Zhen Lei <thunder.leizhen(a)huawei.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 884a014ce2b8..ab71d0948205 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -332,12 +332,12 @@ static int avc_add_xperms_decision(struct avc_node *node, { struct avc_xperms_decision_node *dest_xpd; - node->ae.xp_node->xp.len++; dest_xpd = avc_xperms_decision_alloc(src->used); if (!dest_xpd) return -ENOMEM; avc_copy_xperms_decision(&dest_xpd->xpd, src); list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); + node->ae.xp_node->xp.len++; return 0; } -- 2.25.1
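Review bot: The one-line changelog does not say what goes wrong when xp.len is too large, which is what a reader needs to judge this fix for the -ENOMEM return in avc_add_xperms_decision(), where len used to be incremented without a node being linked. Please add a sentence on the observable effect of the over-count; the submission carries no CVE tag to indicate severity.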