From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com>
stable inclusion
from stable-v6.11.3
commit 65a6fee22d5cfa645cb05489892dc9cd3d142fc2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAY
CVE: CVE-2024-49914
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 8e4ed3cf1642df0c4456443d865cff61a9598aa8 ]
This commit addresses a null pointer dereference issue in the
`dcn20_program_pipe` function. The issue could occur when
`pipe_ctx->plane_state` is null.
The fix adds a check to ensure `pipe_ctx->plane_state` is not null
before accessing. This prevents a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)
Cc: Tom Chung <chiahsuan.chung(a)amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com>
Cc: Roman Li <roman.li(a)amd.com>
Cc: Alex Hung <alex.hung(a)amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com>
Cc: Harry Wentland <harry.wentland(a)amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Conflicts:
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
[The stable version 6.6 is missing patch 65a6fee22d5cfa645cb05489892dc9cd3d142fc2,
which was pulled from 6.11. Manually removed unnecessary code, such as
if (hws->funcs.populate_mcm_luts).
The purpose of this patch is to check if pipe_ctx->plane_state is not
null before using its properties. Other extraneous code from higher
versions is unrelated to the current patch and has been removed.]
Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com>
---
.../drm/amd/display/dc/dcn20/dcn20_hwseq.c | 22 ++++++++++++-------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
index b680742baad7..2861268ccd23 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
@@ -1733,17 +1733,22 @@ static void dcn20_program_pipe(
dc->res_pool->hubbub->funcs->program_det_size(
dc->res_pool->hubbub, pipe_ctx->plane_res.hubp->inst, pipe_ctx->det_buffer_size_kb);
- if (pipe_ctx->update_flags.raw || pipe_ctx->plane_state->update_flags.raw || pipe_ctx->stream->update_flags.raw)
+ if (pipe_ctx->update_flags.raw ||
+ (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.raw) ||
+ pipe_ctx->stream->update_flags.raw)
dcn20_update_dchubp_dpp(dc, pipe_ctx, context);
- if (pipe_ctx->update_flags.bits.enable
- || pipe_ctx->plane_state->update_flags.bits.hdr_mult)
+ if (pipe_ctx->update_flags.bits.enable ||
+ (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.bits.hdr_mult))
hws->funcs.set_hdr_multiplier(pipe_ctx);
if (pipe_ctx->update_flags.bits.enable ||
- pipe_ctx->plane_state->update_flags.bits.in_transfer_func_change ||
- pipe_ctx->plane_state->update_flags.bits.gamma_change ||
- pipe_ctx->plane_state->update_flags.bits.lut_3d)
+ (pipe_ctx->plane_state &&
+ pipe_ctx->plane_state->update_flags.bits.in_transfer_func_change) ||
+ (pipe_ctx->plane_state &&
+ pipe_ctx->plane_state->update_flags.bits.gamma_change) ||
+ (pipe_ctx->plane_state &&
+ pipe_ctx->plane_state->update_flags.bits.lut_3d))
hws->funcs.set_input_transfer_func(dc, pipe_ctx, pipe_ctx->plane_state);
/* dcn10_translate_regamma_to_hw_format takes 750us to finish
@@ -1753,7 +1758,8 @@ static void dcn20_program_pipe(
if (pipe_ctx->update_flags.bits.enable ||
pipe_ctx->update_flags.bits.plane_changed ||
pipe_ctx->stream->update_flags.bits.out_tf ||
- pipe_ctx->plane_state->update_flags.bits.output_tf_change)
+ (pipe_ctx->plane_state &&
+ pipe_ctx->plane_state->update_flags.bits.output_tf_change))
hws->funcs.set_output_transfer_func(dc, pipe_ctx, pipe_ctx->stream);
/* If the pipe has been enabled or has a different opp, we
@@ -1777,7 +1783,7 @@ static void dcn20_program_pipe(
}
/* Set ABM pipe after other pipe configurations done */
- if (pipe_ctx->plane_state->visible) {
+ if ((pipe_ctx->plane_state && pipe_ctx->plane_state->visible)) {
if (pipe_ctx->stream_res.abm) {
dc->hwss.set_pipe(pipe_ctx);
pipe_ctx->stream_res.abm->funcs->set_abm_level(pipe_ctx->stream_res.abm,
--
2.34.1
From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com>
stable inclusion
from stable-v6.11.3
commit 65a6fee22d5cfa645cb05489892dc9cd3d142fc2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRAY
CVE: CVE-2024-49914
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 8e4ed3cf1642df0c4456443d865cff61a9598aa8 ]
This commit addresses a null pointer dereference issue in the
`dcn20_program_pipe` function. The issue could occur when
`pipe_ctx->plane_state` is null.
The fix adds a check to ensure `pipe_ctx->plane_state` is not null
before accessing. This prevents a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)
Cc: Tom Chung <chiahsuan.chung(a)amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com>
Cc: Roman Li <roman.li(a)amd.com>
Cc: Alex Hung <alex.hung(a)amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com>
Cc: Harry Wentland <harry.wentland(a)amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Conflicts:
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c
[The stable version 5.10 is missing patch 65a6fee22d5cfa645cb05489892dc9cd3d142fc2,
which was pulled from 6.11. Manually removed unnecessary code, such as
if (pipe_ctx->update_flags.bits.det_size),
if (hws->funcs.populate_mcm_luts),
if (pipe_ctx->update_flags.bits.enable),
if ((pipe_ctx->plane_state && pipe_ctx->plane_state->visible)).
The purpose of this patch is to check if pipe_ctx->plane_state is not
null before using its properties. Other extraneous code from higher
versions is unrelated to the current patch and has been removed.]
Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
index 2248473a6a76..9a3462db2484 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
@@ -1601,16 +1601,20 @@ static void dcn20_program_pipe(
dc->res_pool->hubbub->funcs->force_wm_propagate_to_pipes(dc->res_pool->hubbub);
}
- if (pipe_ctx->update_flags.raw || pipe_ctx->plane_state->update_flags.raw || pipe_ctx->stream->update_flags.raw)
+ if (pipe_ctx->update_flags.raw ||
+ (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.raw) ||
+ pipe_ctx->stream->update_flags.raw)
dcn20_update_dchubp_dpp(dc, pipe_ctx, context);
- if (pipe_ctx->update_flags.bits.enable
- || pipe_ctx->plane_state->update_flags.bits.hdr_mult)
+ if (pipe_ctx->update_flags.bits.enable ||
+ (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.bits.hdr_mult))
hws->funcs.set_hdr_multiplier(pipe_ctx);
if (pipe_ctx->update_flags.bits.enable ||
- pipe_ctx->plane_state->update_flags.bits.in_transfer_func_change ||
- pipe_ctx->plane_state->update_flags.bits.gamma_change)
+ (pipe_ctx->plane_state &&
+ pipe_ctx->plane_state->update_flags.bits.in_transfer_func_change) ||
+ (pipe_ctx->plane_state &&
+ pipe_ctx->plane_state->update_flags.bits.gamma_change))
hws->funcs.set_input_transfer_func(dc, pipe_ctx, pipe_ctx->plane_state);
/* dcn10_translate_regamma_to_hw_format takes 750us to finish
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 9586f809caca17d909e778ce0c1e7c479e094166
commit: 432279e0c75d8281a75ace15d6039cb895a5aa86 [1436/1436] Net: nebula_matrix: fix ci build err
config: x86_64-randconfig-012-20241108 (https://download.01.org/0day-ci/archive/20241109/202411090733.29Mri3oi-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241109/202411090733.29Mri3oi-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411090733.29Mri3oi-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_hwmon.c:120:37: warning: 'nbl_hwmon_chip_info' defined but not used [-Wunused-const-variable=]
120 | static const struct hwmon_chip_info nbl_hwmon_chip_info = {
| ^~~~~~~~~~~~~~~~~~~
vim +/nbl_hwmon_chip_info +120 drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_hwmon.c
bad535d287c9c1 Bennie Yan 2024-09-24 119
bad535d287c9c1 Bennie Yan 2024-09-24 @120 static const struct hwmon_chip_info nbl_hwmon_chip_info = {
bad535d287c9c1 Bennie Yan 2024-09-24 121 .ops = &nbl_hwmon_ops,
bad535d287c9c1 Bennie Yan 2024-09-24 122 .info = nbl_hwmon_info,
bad535d287c9c1 Bennie Yan 2024-09-24 123 };
bad535d287c9c1 Bennie Yan 2024-09-24 124
:::::: The code at line 120 was first introduced by commit
:::::: bad535d287c9c1056d99de3666be7da84de4a8fc Net:nbl_core: Add nbl_core-driver for nebula-matrix S1055AS series smart NIC.
:::::: TO: Bennie Yan <bennie.yan(a)nebula-matrix.com>
:::::: CC: Bennie Yan <bennie.yan(a)nebula-matrix.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 9586f809caca17d909e778ce0c1e7c479e094166
commit: 432279e0c75d8281a75ace15d6039cb895a5aa86 [1436/1436] Net: nebula_matrix: fix ci build err
config: x86_64-randconfig-004-20241108 (https://download.01.org/0day-ci/archive/20241109/202411090543.aX5v0JHn-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241109/202411090543.aX5v0JHn-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411090543.aX5v0JHn-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_hwmon.c:7:
In file included from include/linux/pci.h:1669:
In file included from include/linux/dmapool.h:14:
In file included from include/linux/scatterlist.h:8:
In file included from include/linux/mm.h:2247:
include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
509 | item];
| ~~~~
include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
516 | NR_VM_NUMA_EVENT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~~
include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
528 | NR_VM_NUMA_EVENT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~~
include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~ ^
537 | NR_VM_NUMA_EVENT_ITEMS +
| ~~~~~~~~~~~~~~~~~~~~~~
>> drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_hwmon.c:120:37: warning: unused variable 'nbl_hwmon_chip_info' [-Wunused-const-variable]
120 | static const struct hwmon_chip_info nbl_hwmon_chip_info = {
| ^~~~~~~~~~~~~~~~~~~
6 warnings generated.
vim +/nbl_hwmon_chip_info +120 drivers/net/ethernet/nebula-matrix/nbl/nbl_core/nbl_hwmon.c
bad535d287c9c1 Bennie Yan 2024-09-24 119
bad535d287c9c1 Bennie Yan 2024-09-24 @120 static const struct hwmon_chip_info nbl_hwmon_chip_info = {
bad535d287c9c1 Bennie Yan 2024-09-24 121 .ops = &nbl_hwmon_ops,
bad535d287c9c1 Bennie Yan 2024-09-24 122 .info = nbl_hwmon_info,
bad535d287c9c1 Bennie Yan 2024-09-24 123 };
bad535d287c9c1 Bennie Yan 2024-09-24 124
:::::: The code at line 120 was first introduced by commit
:::::: bad535d287c9c1056d99de3666be7da84de4a8fc Net:nbl_core: Add nbl_core-driver for nebula-matrix S1055AS series smart NIC.
:::::: TO: Bennie Yan <bennie.yan(a)nebula-matrix.com>
:::::: CC: Bennie Yan <bennie.yan(a)nebula-matrix.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
From: Gui-Dong Han <2045gemini(a)gmail.com>
mainline inclusion
from mainline-v6.8-rc3
commit 30926783a46841c2d1bbf3f74067ba85d304fd0d
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB1MRY
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
In uart_tiocmget():
result = uport->mctrl;
uart_port_lock_irq(uport);
result |= uport->ops->get_mctrl(uport);
uart_port_unlock_irq(uport);
...
return result;
In uart_update_mctrl():
uart_port_lock_irqsave(port, &flags);
...
port->mctrl = (old & ~clear) | set;
...
port->ops->set_mctrl(port, port->mctrl);
...
uart_port_unlock_irqrestore(port, flags);
An atomicity violation is identified due to the concurrent execution of
uart_tiocmget() and uart_update_mctrl(). After assigning
result = uport->mctrl, the mctrl value may change in uart_update_mctrl(),
leading to a mismatch between the value returned by
uport->ops->get_mctrl(uport) and the mctrl value previously read.
This can result in uart_tiocmget() returning an incorrect value.
This possible bug is found by an experimental static analysis tool
developed by our team, BassCheck[1]. This tool analyzes the locking APIs
to extract function pairs that can be concurrently executed, and then
analyzes the instructions in the paired functions to identify possible
concurrency bugs including data races and atomicity violations. The above
possible bug is reported when our tool analyzes the source code of
Linux 5.17.
To address this issue, it is suggested to move the line
result = uport->mctrl inside the uart_port_lock block to ensure atomicity
and prevent the mctrl value from being altered during the execution of
uart_tiocmget(). With this patch applied, our tool no longer reports the
bug, with the kernel configuration allyesconfig for x86_64. Due to the
absence of the requisite hardware, we are unable to conduct runtime
testing of the patch. Therefore, our verification is solely based on code
logic analysis.
[1] https://sites.google.com/view/basscheck/
Fixes: c5f4644e6c8b ("[PATCH] Serial: Adjust serial locking")
Cc: stable(a)vger.kernel.org
Signed-off-by: Gui-Dong Han <2045gemini(a)gmail.com>
Link: https://lore.kernel.org/r/20240112113624.17048-1-2045gemini@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Conflicts:
drivers/tty/serial/serial_core.c
[Commit 559c7ff4e324("serial: core: Use port lock wrappers") not merged,
no functional change.]
Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
---
drivers/tty/serial/serial_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
index 537bcd7c4941..d9d7506a9f6e 100644
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -1078,8 +1078,8 @@ static int uart_tiocmget(struct tty_struct *tty)
goto out;
if (!tty_io_error(tty)) {
- result = uport->mctrl;
spin_lock_irq(&uport->lock);
+ result = uport->mctrl;
result |= uport->ops->get_mctrl(uport);
spin_unlock_irq(&uport->lock);
}
--
2.25.1