November 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 0/2] Fix CVE-2024-47703
by Tengda Wu 01 Nov '24

01 Nov '24

This patchset is going to fix CVE-2024-47703, which may resulting in kernel panic. Tengda Wu (1): bpf, lsm: Add check for BPF LSM return value Xu Kuohai (1): bpf, lsm: Add disabled BPF LSM hook list include/linux/bpf.h | 1 + include/linux/bpf_lsm.h | 8 ++++ include/linux/bpf_verifier.h | 5 +++ kernel/bpf/bpf_lsm.c | 63 ++++++++++++++++++++++++++++-- kernel/bpf/btf.c | 3 ++ kernel/bpf/verifier.c | 74 ++++++++++++++++++++++++++++++++++-- 6 files changed, 147 insertions(+), 7 deletions(-) -- 2.34.1

2 4

[PATCH OLK-5.10] hisilicon/hisi_hbmdev: prevent NULL pointer dereference when corrently
by Zhang Zekun 01 Nov '24

01 Nov '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB18IH ------------------------------------------------ There could have race problem when concurrently online or offline the device. "adev->handler" could be set to NULL when calling hbmdev_check. Let's add lock to prevent the NULL pointer dereference. Fixes: f37b8c99659d ("soc: hisilicon: Setting the demand_offline in sysfs interface") Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/soc/hisilicon/hisi_hbmdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/soc/hisilicon/hisi_hbmdev.c b/drivers/soc/hisilicon/hisi_hbmdev.c index 4c7da1a0eb33..f09388a80009 100644 --- a/drivers/soc/hisilicon/hisi_hbmdev.c +++ b/drivers/soc/hisilicon/hisi_hbmdev.c @@ -85,9 +85,7 @@ static int hbmdev_check(struct acpi_device *adev, void *arg) if (!adev->handler) return 0; - acpi_scan_lock_acquire(); adev->handler->hotplug.demand_offline = true; - acpi_scan_lock_release(); } return 0; @@ -98,7 +96,9 @@ static int memdev_power_off(struct acpi_device *adev) acpi_handle handle = adev->handle; acpi_status status; + acpi_scan_lock_acquire(); acpi_dev_for_each_child(adev, hbmdev_check, NULL); + acpi_scan_lock_release(); status = acpi_evaluate_object(handle, "_OFF", NULL, NULL); if (ACPI_FAILURE(status)) { -- 2.17.1

2 1

[PATCH OLK-6.6 0/1] fix CVE-2024-50041
by Lin Yujun 01 Nov '24

01 Nov '24

Aleksandr Loktionov (1): i40e: Fix macvlan leak by synchronizing access to mac_filter_hash drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++ 2 files changed, 3 insertions(+) -- 2.34.1

2 2

[PATCH OLK-6.6 0/1] CVE-2024-49853
by 任敏敏(联通集团联通数字科技有限公司本部) 01 Nov '24

01 Nov '24

From: Ren MinMin <renmm6(a)chinaunicom.cn> CVE-2024-49853 Cristian Marussi (1): firmware: arm_scmi: Fix double free in OPTEE transport drivers/firmware/arm_scmi/optee.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.43.0 Èç¹ûÄúŽíÎóœÓÊÕÁËžÃÓÊŒþ£¬ÇëÍš¹ýµç×ÓÓÊŒþÁ¢ŒŽÍšÖªÎÒÃÇ¡£Çë»ØžŽÓÊŒþµœ hqs-spmc@chinaunicom.cn£¬ŒŽ¿ÉÒÔÍË¶©ŽËÓÊŒþ¡£ÎÒÃÇœ«Á¢ŒŽœ«ÄúµÄÐÅÏ¢ŽÓÎÒÃÇµÄ·¢ËÍÄ¿ÂŒÖÐÉŸ³ý¡£ If you have received this email in error please notify us immediately by e-mail. Please reply to hqs-spmc(a)chinaunicom.cn ,you can unsubscribe from this mail. We will immediately remove your information from send catalogue of our.

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] CVE-2022-49020
by Yongqiang Liu 01 Nov '24

01 Nov '24

Wang Hai (1): net/9p: Fix a potential socket leak in p9_socket_open net/9p/trans_fd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.25.1

2 2

[PATCH openEuler-1.0-LTS 0/1] CVE-2022-49020
by Yongqiang Liu 01 Nov '24

01 Nov '24

Wang Hai (1): net/9p: Fix a potential socket leak in p9_socket_open net/9p/trans_fd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.25.1

2 2

[PATCH openEuler-22.03-LTS-SP1] drm/shmem-helper: Remove errant put in error path
by Qi Xi 01 Nov '24

01 Nov '24

From: Rob Clark <robdclark(a)chromium.org> mainline inclusion from mainline-v6.1 commit 24013314be6ee4ee456114a671e9fa3461323de8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYRIR CVE: CVE-2022-48981 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. Link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d Reported-by: syzbot+c8ae65286134dd1b800d(a)syzkaller.appspotmail.com Fixes: 2194a63a818d ("drm: Add library for shmem backed GEM objects") Cc: stable(a)vger.kernel.org Signed-off-by: Rob Clark <robdclark(a)chromium.org> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Javier Martinez Canillas <javierm(a)redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20221130185748.357410-2-robdc… Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/gpu/drm/drm_gem_shmem_helper.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c index 8d1abf82d2b9..2688009df321 100644 --- a/drivers/gpu/drm/drm_gem_shmem_helper.c +++ b/drivers/gpu/drm/drm_gem_shmem_helper.c @@ -621,10 +621,8 @@ int drm_gem_shmem_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma) shmem = to_drm_gem_shmem_obj(obj); ret = drm_gem_shmem_get_pages(shmem); - if (ret) { - drm_gem_vm_close(vma); + if (ret) return ret; - } vma->vm_flags |= VM_MIXEDMAP | VM_DONTEXPAND; vma->vm_page_prot = vm_get_page_prot(vma->vm_flags); -- 2.33.0

2 1

[PATCH openEuler-22.03-LTS-SP1] Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send()
by Qi Xi 01 Nov '24

01 Nov '24

From: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> mainline inclusion from mainline-v6.1-rc8 commit 8c9a59939deb4bfafdc451100c03d1e848b4169b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAYRIY CVE: CVE-2022-48995 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a kmemleak when test the raydium_i2c_ts with bpf mock device: unreferenced object 0xffff88812d3675a0 (size 8): comm "python3", pid 349, jiffies 4294741067 (age 95.695s) hex dump (first 8 bytes): 11 0e 10 c0 01 00 04 00 ........ backtrace: [<0000000068427125>] __kmalloc+0x46/0x1b0 [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts] [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] [<00000000a310de16>] i2c_device_probe+0x651/0x680 [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 [<00000000096ba499>] __driver_probe_device+0xe3/0x170 [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 [<00000000264fe082>] __device_attach_driver+0xf7/0x150 [<00000000f919423c>] bus_for_each_drv+0x114/0x180 [<00000000e067feca>] __device_attach+0x1e5/0x2d0 [<0000000054301fc2>] bus_probe_device+0x126/0x140 [<00000000aad93b22>] device_add+0x810/0x1130 [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 [<00000000ffec4177>] of_i2c_notify+0x100/0x160 unreferenced object 0xffff88812d3675c8 (size 8): comm "python3", pid 349, jiffies 4294741070 (age 95.692s) hex dump (first 8 bytes): 22 00 36 2d 81 88 ff ff ".6-.... backtrace: [<0000000068427125>] __kmalloc+0x46/0x1b0 [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts] [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts] [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts] [<00000000a310de16>] i2c_device_probe+0x651/0x680 [<00000000f5a96bf3>] really_probe+0x17c/0x3f0 [<00000000096ba499>] __driver_probe_device+0xe3/0x170 [<00000000c5acb4d9>] driver_probe_device+0x49/0x120 [<00000000264fe082>] __device_attach_driver+0xf7/0x150 [<00000000f919423c>] bus_for_each_drv+0x114/0x180 [<00000000e067feca>] __device_attach+0x1e5/0x2d0 [<0000000054301fc2>] bus_probe_device+0x126/0x140 [<00000000aad93b22>] device_add+0x810/0x1130 [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0 [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110 [<00000000ffec4177>] of_i2c_notify+0x100/0x160 After BANK_SWITCH command from i2c BUS, no matter success or error happened, the tx_buf should be freed. Fixes: 3b384bd6c3f2 ("Input: raydium_ts_i2c - do not split tx transactions") Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Link: https://lore.kernel.org/r/20221202103412.2120169-1-zhangxiaoxu5@huawei.com Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/input/touchscreen/raydium_i2c_ts.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/input/touchscreen/raydium_i2c_ts.c b/drivers/input/touchscreen/raydium_i2c_ts.c index 3a4952935366..3d9c5758d8a4 100644 --- a/drivers/input/touchscreen/raydium_i2c_ts.c +++ b/drivers/input/touchscreen/raydium_i2c_ts.c @@ -211,12 +211,14 @@ static int raydium_i2c_send(struct i2c_client *client, error = raydium_i2c_xfer(client, addr, xfer, ARRAY_SIZE(xfer)); if (likely(!error)) - return 0; + goto out; msleep(RM_RETRY_DELAY_MS); } while (++tries < RM_MAX_RETRIES); dev_err(&client->dev, "%s failed: %d\n", __func__, error); +out: + kfree(tx_buf); return error; } -- 2.33.0

2 1

[PATCH openEuler-1.0-LTS] drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
by Jinjiang Tu 01 Nov '24

01 Nov '24

From: Philip Yang <Philip.Yang(a)amd.com> mainline inclusion from mainline-v6.12-rc1 commit c86ad39140bbcb9dc75a10046c2221f657e8083b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB0 CVE: CVE-2024-49991 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Pass pointer reference to amdgpu_bo_unref to clear the correct pointer, otherwise amdgpu_bo_unref clear the local variable, the original pointer not set to NULL, this could cause use-after-free bug. Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Felix Kuehling <felix.kuehling(a)amd.com> Acked-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Conflicts: drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h drivers/gpu/drm/amd/amdkfd/kfd_chardev.c drivers/gpu/drm/amd/amdkfd/kfd_device.c drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c drivers/gpu/drm/amd/amdkfd/kfd_process.c drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c [conflicts due to 5b87245faf57 ("drm/amdkfd: Simplify kfd2kgd interface") isn't merged, and several calls aren't introduced.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +++++++------- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++-- drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 2 +- drivers/gpu/drm/amd/include/kgd_kfd_interface.h | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c index 79bd8bd97fae..b0a7c3403f02 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c @@ -342,15 +342,15 @@ int alloc_gtt_mem(struct kgd_dev *kgd, size_t size, return r; } -void free_gtt_mem(struct kgd_dev *kgd, void *mem_obj) +void free_gtt_mem(struct kgd_dev *kgd, void **mem_obj) { - struct amdgpu_bo *bo = (struct amdgpu_bo *) mem_obj; + struct amdgpu_bo **bo = (struct amdgpu_bo **) mem_obj; - amdgpu_bo_reserve(bo, true); - amdgpu_bo_kunmap(bo); - amdgpu_bo_unpin(bo); - amdgpu_bo_unreserve(bo); - amdgpu_bo_unref(&(bo)); + amdgpu_bo_reserve(*bo, true); + amdgpu_bo_kunmap(*bo); + amdgpu_bo_unpin(*bo); + amdgpu_bo_unreserve(*bo); + amdgpu_bo_unref(bo); } void get_local_mem_info(struct kgd_dev *kgd, diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h index cc9aeab5468c..b45a45efcfe9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h @@ -137,7 +137,7 @@ void amdgpu_amdkfd_gpu_reset(struct kgd_dev *kgd); int alloc_gtt_mem(struct kgd_dev *kgd, size_t size, void **mem_obj, uint64_t *gpu_addr, void **cpu_ptr, bool mqd_gfx9); -void free_gtt_mem(struct kgd_dev *kgd, void *mem_obj); +void free_gtt_mem(struct kgd_dev *kgd, void **mem_obj); void get_local_mem_info(struct kgd_dev *kgd, struct kfd_local_mem_info *mem_info); uint64_t get_gpu_clock_counter(struct kgd_dev *kgd); diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c index 9f2eb8cf744a..5777b3fff549 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c @@ -533,7 +533,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd, kfd_doorbell_error: kfd_gtt_sa_fini(kfd); kfd_gtt_sa_init_error: - kfd->kfd2kgd->free_gtt_mem(kfd->kgd, kfd->gtt_mem); + kfd->kfd2kgd->free_gtt_mem(kfd->kgd, &kfd->gtt_mem); dev_err(kfd_device, "device %x:%x NOT added due to errors\n", kfd->pdev->vendor, kfd->pdev->device); @@ -550,7 +550,7 @@ void kgd2kfd_device_exit(struct kfd_dev *kfd) kfd_topology_remove_device(kfd); kfd_doorbell_fini(kfd); kfd_gtt_sa_fini(kfd); - kfd->kfd2kgd->free_gtt_mem(kfd->kgd, kfd->gtt_mem); + kfd->kfd2kgd->free_gtt_mem(kfd->kgd, &kfd->gtt_mem); } kfree(kfd); diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c index 985bebde5a34..c1c43c2ea33f 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c @@ -253,7 +253,7 @@ static void uninit_mqd(struct mqd_manager *mm, void *mqd, struct kfd_dev *kfd = mm->dev; if (mqd_mem_obj->gtt_mem) { - kfd->kfd2kgd->free_gtt_mem(kfd->kgd, mqd_mem_obj->gtt_mem); + kfd->kfd2kgd->free_gtt_mem(kfd->kgd, &mqd_mem_obj->gtt_mem); kfree(mqd_mem_obj); } else { kfd_gtt_sa_free(mm->dev, mqd_mem_obj); diff --git a/drivers/gpu/drm/amd/include/kgd_kfd_interface.h b/drivers/gpu/drm/amd/include/kgd_kfd_interface.h index 43b82e14007e..4be8627cc810 100644 --- a/drivers/gpu/drm/amd/include/kgd_kfd_interface.h +++ b/drivers/gpu/drm/amd/include/kgd_kfd_interface.h @@ -294,7 +294,7 @@ struct kfd2kgd_calls { void **mem_obj, uint64_t *gpu_addr, void **cpu_ptr, bool mqd_gfx9); - void (*free_gtt_mem)(struct kgd_dev *kgd, void *mem_obj); + void (*free_gtt_mem)(struct kgd_dev *kgd, void **mem_obj); void (*get_local_mem_info)(struct kgd_dev *kgd, struct kfd_local_mem_info *mem_info); -- 2.34.1

2 1

[PATCH OLK-5.10] hisilicon/hisi_hbmdev: prevent NULL pointer dereference when corrently
by Zhang Zekun 01 Nov '24

01 Nov '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB18IH ------------------------------------------------ There could have race problem when concurrently online or offline the device. "adev->handler" could be set to NULL when calling hbmdev_check. Let's add lock to prevent the NULL pointer dereference. Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/soc/hisilicon/hisi_hbmdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/soc/hisilicon/hisi_hbmdev.c b/drivers/soc/hisilicon/hisi_hbmdev.c index 4c7da1a0eb33..f09388a80009 100644 --- a/drivers/soc/hisilicon/hisi_hbmdev.c +++ b/drivers/soc/hisilicon/hisi_hbmdev.c @@ -85,9 +85,7 @@ static int hbmdev_check(struct acpi_device *adev, void *arg) if (!adev->handler) return 0; - acpi_scan_lock_acquire(); adev->handler->hotplug.demand_offline = true; - acpi_scan_lock_release(); } return 0; @@ -98,7 +96,9 @@ static int memdev_power_off(struct acpi_device *adev) acpi_handle handle = adev->handle; acpi_status status; + acpi_scan_lock_acquire(); acpi_dev_for_each_child(adev, hbmdev_check, NULL); + acpi_scan_lock_release(); status = acpi_evaluate_object(handle, "_OFF", NULL, NULL); if (ACPI_FAILURE(status)) { -- 2.17.1

2 1

2024

2023

2022

2021

2020

2019

Kernel November 2024