April 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
by Xiongfeng Wang 24 Apr '24

24 Apr '24

From: Hsin-Yi Wang <hsinyi(a)chromium.org> mainline inclusion from mainline-v6.9-rc1 commit c958e86e9cc1b48cac004a6e245154dfba8e163b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK5V CVE: CVE-2024-26874 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?i… -------------------------------- It's possible that mtk_crtc->event is NULL in mtk_drm_crtc_finish_page_flip(). pending_needs_vblank value is set by mtk_crtc->event, but in mtk_drm_crtc_atomic_flush(), it's is not guarded by the same lock in mtk_drm_finish_page_flip(), thus a race condition happens. Consider the following case: CPU1 CPU2 step 1: mtk_drm_crtc_atomic_begin() mtk_crtc->event is not null, step 1: mtk_drm_crtc_atomic_flush: mtk_drm_crtc_update_config( !!mtk_crtc->event) step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip: lock mtk_crtc->event set to null, pending_needs_vblank set to false unlock pending_needs_vblank set to true, step 2: mtk_crtc_ddp_irq -> mtk_drm_finish_page_flip called again, pending_needs_vblank is still true //null pointer Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more efficient to just check if mtk_crtc->event is null before use. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org> Reviewed-by: CK Hu <ck.hu(a)mediatek.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20240223212404.3709690… Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c index 92ecb9bf982c..42da8bb4b7c3 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c @@ -79,11 +79,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) struct drm_crtc *crtc = &mtk_crtc->base; unsigned long flags; - spin_lock_irqsave(&crtc->dev->event_lock, flags); - drm_crtc_send_vblank_event(crtc, mtk_crtc->event); - drm_crtc_vblank_put(crtc); - mtk_crtc->event = NULL; - spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + if (mtk_crtc->event) { + spin_lock_irqsave(&crtc->dev->event_lock, flags); + drm_crtc_send_vblank_event(crtc, mtk_crtc->event); + drm_crtc_vblank_put(crtc); + mtk_crtc->event = NULL; + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); + } } static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc) -- 2.20.1

2 1

[PATCH openEuler-1.0-LTS] [Backport] media: rc: bpf attach/detach requires write permission
by Zhenzeng Su 24 Apr '24

24 Apr '24

From: Sean Young <sean(a)mess.org> stable inclusion from stable-v5.10.210 commit 93d8109bf182510629bbefc8cd45296d2393987f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJVU CVE: CVE-2023-52642 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 6a9d552483d50953320b9d3b57abdee8d436f23f upstream. Note that bpf attach/detach also requires CAP_NET_ADMIN. Cc: stable(a)vger.kernel.org Signed-off-by: Sean Young <sean(a)mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhenzeng Su <suzhenzeng(a)huawei.com> --- drivers/media/rc/bpf-lirc.c | 6 +++--- drivers/media/rc/lirc_dev.c | 5 ++++- drivers/media/rc/rc-core-priv.h | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c index 8b97fd1f0cea..7a83dc5fed00 100644 --- a/drivers/media/rc/bpf-lirc.c +++ b/drivers/media/rc/bpf-lirc.c @@ -218,7 +218,7 @@ int lirc_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog) if (attr->attach_flags) return -EINVAL; - rcdev = rc_dev_get_from_fd(attr->target_fd); + rcdev = rc_dev_get_from_fd(attr->target_fd, true); if (IS_ERR(rcdev)) return PTR_ERR(rcdev); @@ -243,7 +243,7 @@ int lirc_prog_detach(const union bpf_attr *attr) if (IS_ERR(prog)) return PTR_ERR(prog); - rcdev = rc_dev_get_from_fd(attr->target_fd); + rcdev = rc_dev_get_from_fd(attr->target_fd, true); if (IS_ERR(rcdev)) { bpf_prog_put(prog); return PTR_ERR(rcdev); @@ -268,7 +268,7 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr) if (attr->query.query_flags) return -EINVAL; - rcdev = rc_dev_get_from_fd(attr->query.target_fd); + rcdev = rc_dev_get_from_fd(attr->query.target_fd, false); if (IS_ERR(rcdev)) return PTR_ERR(rcdev); diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index f862f1b7f996..71a7c7cdb1b8 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -848,7 +848,7 @@ void __exit lirc_dev_exit(void) unregister_chrdev_region(lirc_base_dev, RC_DEV_MAX); } -struct rc_dev *rc_dev_get_from_fd(int fd) +struct rc_dev *rc_dev_get_from_fd(int fd, bool write) { struct fd f = fdget(fd); struct lirc_fh *fh; @@ -862,6 +862,9 @@ struct rc_dev *rc_dev_get_from_fd(int fd) return ERR_PTR(-EINVAL); } + if (write && !(f.file->f_mode & FMODE_WRITE)) + return ERR_PTR(-EPERM); + fh = f.file->private_data; dev = fh->rc; diff --git a/drivers/media/rc/rc-core-priv.h b/drivers/media/rc/rc-core-priv.h index e847bdad5c51..8056be86f55f 100644 --- a/drivers/media/rc/rc-core-priv.h +++ b/drivers/media/rc/rc-core-priv.h @@ -303,7 +303,7 @@ void ir_lirc_raw_event(struct rc_dev *dev, struct ir_raw_event ev); void ir_lirc_scancode_event(struct rc_dev *dev, struct lirc_scancode *lsc); int ir_lirc_register(struct rc_dev *dev); void ir_lirc_unregister(struct rc_dev *dev); -struct rc_dev *rc_dev_get_from_fd(int fd); +struct rc_dev *rc_dev_get_from_fd(int fd, bool write); #else static inline int lirc_dev_init(void) { return 0; } static inline void lirc_dev_exit(void) {} -- 2.25.1

2 1

[PATCH V5 OLK-6.6] mm, fs: Add BPF_READAHEAD build option for bpf readhead
by ZhaoLong Wang 24 Apr '24

24 Apr '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7Y9JD CVE: NA --------------------------- This patch introduces a new configuration option called BPF_READAHEAD, which is designed to optimize the read performance in Spark SQL scenarios using eBPF to implement a programmable kernel. The changes include: - Add CONFIG_BPF_READAHEAD to mm/Kconfig, which depends on CONFIG_TRACEPOINTS. - Add conditional compilation directives to fs/ext4/file.c, fs/read_write.c, fs/xfs/xfs_file.c, and include/linux/fs.h to include tracepoint-related headers and functions only when BPF_READAHEAD is enabled. - Miodify page_cache_sync_ra() in mm/readahead.c to disable forced readahead when BPF_READAHEAD is not enabled. V2: Explicitly set CONFIG_ in openeuler_defconfig. Do not add redundant macros to mm/readahead. V3: Place all macro isolation switches in the .h header file. V4: Change the macro name BPF_READAHEAD_OPTIMIZATION to BPF_READAHEAD V5: Correcting macro name replacement mistakes Signed-off-by: ZhaoLong Wang <wangzhaolong1(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 1 + arch/powerpc/configs/openeuler_defconfig | 1 + arch/riscv/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + fs/read_write.c | 4 ++-- include/linux/fs.h | 18 +++++++++++++----- include/trace/events/fs.h | 6 ++++++ mm/Kconfig | 9 +++++++++ 8 files changed, 34 insertions(+), 7 deletions(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 9a6ef6175717..f3ab196f00ab 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -1192,6 +1192,7 @@ CONFIG_DYNAMIC_POOL=y CONFIG_ETMEM_SCAN=m CONFIG_ETMEM_SWAP=m CONFIG_ETMEM=y +# CONFIG_BPF_READAHEAD is not set # # Data Access Monitoring diff --git a/arch/powerpc/configs/openeuler_defconfig b/arch/powerpc/configs/openeuler_defconfig index 152b941da1d5..19754209e3c8 100644 --- a/arch/powerpc/configs/openeuler_defconfig +++ b/arch/powerpc/configs/openeuler_defconfig @@ -860,6 +860,7 @@ CONFIG_ARCH_HAS_HUGEPD=y CONFIG_USERFAULTFD=y # CONFIG_LRU_GEN is not set CONFIG_LOCK_MM_AND_FIND_VMA=y +# CONFIG_BPF_READAHEAD is not set # # Data Access Monitoring diff --git a/arch/riscv/configs/openeuler_defconfig b/arch/riscv/configs/openeuler_defconfig index cb132f4576da..90642dc106e2 100644 --- a/arch/riscv/configs/openeuler_defconfig +++ b/arch/riscv/configs/openeuler_defconfig @@ -825,6 +825,7 @@ CONFIG_ARCH_SUPPORTS_PER_VMA_LOCK=y CONFIG_PER_VMA_LOCK=y CONFIG_LOCK_MM_AND_FIND_VMA=y # CONFIG_PAGE_CACHE_LIMIT is not set +# CONFIG_BPF_READAHEAD is not set # # Data Access Monitoring diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 1d20beb4bb6d..f49fc3ae7713 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -1179,6 +1179,7 @@ CONFIG_DYNAMIC_POOL=y CONFIG_ETMEM_SCAN=m CONFIG_ETMEM_SWAP=m CONFIG_ETMEM=y +# CONFIG_BPF_READAHEAD is not set # # Data Access Monitoring diff --git a/fs/read_write.c b/fs/read_write.c index 3d69fb284d10..dd5c90675f51 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1721,7 +1721,7 @@ int generic_file_rw_checks(struct file *file_in, struct file *file_out) return 0; } -#ifdef CONFIG_TRACEPOINTS +#ifdef CONFIG_BPF_READAHEAD static void fs_file_read_ctx_init(struct fs_file_read_ctx *ctx, struct file *filp, loff_t pos) { @@ -1752,7 +1752,7 @@ void fs_file_read_update_args_by_trace(struct kiocb *iocb) filp->f_ctl_mode &= ~(ctx.clr_f_mode & FS_FILE_READ_MODE_MASK); } EXPORT_SYMBOL_GPL(fs_file_read_update_args_by_trace); -#endif EXPORT_TRACEPOINT_SYMBOL_GPL(fs_file_read); EXPORT_TRACEPOINT_SYMBOL_GPL(fs_file_release); +#endif diff --git a/include/linux/fs.h b/include/linux/fs.h index d74314a8fa94..55d2844f7fc6 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -43,7 +43,9 @@ #include <linux/cred.h> #include <linux/mnt_idmapping.h> #include <linux/slab.h> +#ifdef CONFIG_BPF_READAHEAD #include <linux/tracepoint-defs.h> +#endif #include <linux/kabi.h> #include <asm/byteorder.h> @@ -190,11 +192,16 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, /* File supports async nowait buffered writes */ #define FMODE_BUF_WASYNC ((__force fmode_t)0x80000000) +#ifdef CONFIG_BPF_READAHEAD /* File mode control flag, expect random access pattern */ #define FMODE_CTL_RANDOM ((__force fmode_t)0x1000) /* File mode control flag, will try to read head of the file into pagecache */ #define FMODE_CTL_WILLNEED ((__force fmode_t)0x400000) +#else +#define FMODE_CTL_RANDOM 0 +#define FMODE_CTL_WILLNEED 0 +#endif /* * Attribute flags. These should be or-ed together to figure out what @@ -3524,16 +3531,17 @@ struct fs_file_read_ctx { long long index; }; -#ifdef CONFIG_TRACEPOINTS +#ifdef CONFIG_BPF_READAHEAD DECLARE_TRACEPOINT(fs_file_read); extern void fs_file_read_update_args_by_trace(struct kiocb *iocb); -#else -static inline void fs_file_read_update_args_by_trace(struct kiocb *iocb) {} -#endif - static inline void fs_file_read_do_trace(struct kiocb *iocb) { if (tracepoint_enabled(fs_file_read)) fs_file_read_update_args_by_trace(iocb); } +#else +static inline void fs_file_read_update_args_by_trace(struct kiocb *iocb) {} +static inline void fs_file_read_do_trace(struct kiocb *iocb) {} +#endif + #endif /* _LINUX_FS_H */ diff --git a/include/trace/events/fs.h b/include/trace/events/fs.h index ee82dad9d9da..801aad6cb74d 100644 --- a/include/trace/events/fs.h +++ b/include/trace/events/fs.h @@ -1,4 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#ifdef CONFIG_BPF_READAHEAD + #undef TRACE_SYSTEM #define TRACE_SYSTEM fs @@ -31,3 +33,7 @@ DECLARE_TRACE(fs_file_release, /* This part must be outside protection */ #include <trace/define_trace.h> +#else +#define trace_fs_file_release(...) +#define trace_fs_file_read(...) +#endif /* CONFIG_BPF_READAHEAD */ diff --git a/mm/Kconfig b/mm/Kconfig index cdbb1ceaa554..45d4139c959c 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -1424,6 +1424,15 @@ config ETMEM high-performance storage media to release memory space and reduce memory costs. +config BPF_READAHEAD + bool "Enable bpf readahead optimization" + select TRACEPOINTS + default n + help + EBPF is used to implement a programmable kernel. The readahead behavior + of the kernel is adjusted based on the application read mode to optimize + the read performance in the Spark SQL scenario, + source "mm/damon/Kconfig" endmenu -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS 0/1] openEuler-22.03-LTS CVE-2024-26908
by Yuntao Liu 24 Apr '24

24 Apr '24

fixup CVE-2024-26908 Kunwu Chan (1): x86/xen: Add some null pointer checking to smp.c arch/x86/xen/smp.c | 10 ++++++++++ 1 file changed, 10 insertions(+) -- 2.34.1

2 2

[PATCH OLK-5.10] [Backport] IB/hfi1: Fix a memleak in init_credit_return
by Zhenzeng Su 24 Apr '24

24 Apr '24

From: Zhipeng Lu <alexious(a)zju.edu.cn> stable inclusion from stable-v5.10.211 commit 3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJPD CVE: CVE-2024-26839 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 809aa64ebff51eb170ee31a95f83b2d21efa32e2 ] When dma_alloc_coherent fails to allocate dd->cr_base[i].va, init_credit_return should deallocate dd->cr_base and dd->cr_base[i] that allocated before. Or those resources would be never freed and a memleak is triggered. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Signed-off-by: Zhipeng Lu <alexious(a)zju.edu.cn> Link: https://lore.kernel.org/r/20240112085523.3731720-1-alexious@zju.edu.cn Acked-by: Dennis Dalessandro <dennis.dalessandro(a)cornelisnetworks.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhenzeng Su <suzhenzeng(a)huawei.com> --- drivers/infiniband/hw/hfi1/pio.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c index 60eb3a64518f..969004258692 100644 --- a/drivers/infiniband/hw/hfi1/pio.c +++ b/drivers/infiniband/hw/hfi1/pio.c @@ -2131,7 +2131,7 @@ int init_credit_return(struct hfi1_devdata *dd) "Unable to allocate credit return DMA range for NUMA %d\n", i); ret = -ENOMEM; - goto done; + goto free_cr_base; } } set_dev_node(&dd->pcidev->dev, dd->node); @@ -2139,6 +2139,10 @@ int init_credit_return(struct hfi1_devdata *dd) ret = 0; done: return ret; + +free_cr_base: + free_credit_return(dd); + goto done; } void free_credit_return(struct hfi1_devdata *dd) -- 2.25.1

2 1

[PATCH OLK-5.10 0/1] CVE-2024-26896
by Yongqiang Liu 24 Apr '24

24 Apr '24

Jérôme Pouiller (1): wifi: wfx: fix memory leak when starting AP drivers/staging/wfx/sta.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10] nfc: nci: free rx_data_reassembly skb on NCI device cleanup
by Zheng Yejian 24 Apr '24

24 Apr '24

From: Fedor Pchelkin <pchelkin(a)ispras.ru> stable inclusion from stable-v5.10.210 commit 2f6d16f0520d6505241629ee2f5c131b547d5f9d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJUW CVE: CVE-2024-26825 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c upstream. rx_data_reassembly skb is stored during NCI data exchange for processing fragmented packets. It is dropped only when the last fragment is processed or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received. However, the NCI device may be deallocated before that which leads to skb leak. As by design the rx_data_reassembly skb is bound to the NCI device and nothing prevents the device to be freed before the skb is processed in some way and cleaned, free it on the NCI device cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") Cc: stable(a)vger.kernel.org Reported-by: syzbot+6b7c68d9c21e4ee4251b(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/ Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/nfc/nci/core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 4c931bd1c174..5bfaf06f7be7 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1197,6 +1197,10 @@ void nci_free_device(struct nci_dev *ndev) { nfc_free_device(ndev->nfc_dev); nci_hci_deallocate(ndev); + + /* drop partial rx data packet if present */ + if (ndev->rx_data_reassembly) + kfree_skb(ndev->rx_data_reassembly); kfree(ndev); } EXPORT_SYMBOL(nci_free_device); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] nfc: nci: free rx_data_reassembly skb on NCI device cleanup
by Zheng Yejian 24 Apr '24

24 Apr '24

From: Fedor Pchelkin <pchelkin(a)ispras.ru> stable inclusion from stable-v4.19.307 commit 7e9a8498658b398bf11b8e388005fa54e40aed81 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJUW CVE: CVE-2024-26825 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c upstream. rx_data_reassembly skb is stored during NCI data exchange for processing fragmented packets. It is dropped only when the last fragment is processed or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received. However, the NCI device may be deallocated before that which leads to skb leak. As by design the rx_data_reassembly skb is bound to the NCI device and nothing prevents the device to be freed before the skb is processed in some way and cleaned, free it on the NCI device cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") Cc: stable(a)vger.kernel.org Reported-by: syzbot+6b7c68d9c21e4ee4251b(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/ Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/nfc/nci/core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c index 904102dc3d04..7148bc0af030 100644 --- a/net/nfc/nci/core.c +++ b/net/nfc/nci/core.c @@ -1205,6 +1205,10 @@ void nci_free_device(struct nci_dev *ndev) { nfc_free_device(ndev->nfc_dev); nci_hci_deallocate(ndev); + + /* drop partial rx data packet if present */ + if (ndev->rx_data_reassembly) + kfree_skb(ndev->rx_data_reassembly); kfree(ndev); } EXPORT_SYMBOL(nci_free_device); -- 2.25.1

2 1

[PATCH OLK-5.10] md: fix kmemleak of rdev->serial
by Li Nan 24 Apr '24

24 Apr '24

mainline inclusion from mainline-v6.9-rc1 commit 6cf350658736681b9d6b0b6e58c5c76b235bb4c4 category: bugfix bugzilla: 189820, https://gitee.com/src-openeuler/kernel/issues/I9HKBT CVE: CVE-2024-26900 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be alloc not be freed, and kmemleak occurs. unreferenced object 0xffff88815a350000 (size 49152): comm "mdadm", pid 789, jiffies 4294716910 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc f773277a): [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0 [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270 [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f [<00000000f206d60a>] kvmalloc_node+0x74/0x150 [<0000000034bf3363>] rdev_init_serial+0x67/0x170 [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220 [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630 [<0000000073c28560>] md_add_new_disk+0x400/0x9f0 [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10 [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0 [<0000000085086a11>] vfs_ioctl+0x22/0x60 [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0 [<00000000e54e675e>] do_syscall_64+0x71/0x150 [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74 Fixes: 963c555e75b0 ("md: introduce mddev_create/destroy_wb_pool for the change of member device") Signed-off-by: Li Nan <linan122(a)huawei.com> Signed-off-by: Song Liu <song(a)kernel.org> Link: https://lore.kernel.org/r/20240208085556.2412922-1-linan666@huaweicloud.com Conflict: drivers/md/md.c 1. Mainline commit b4128c00a653 ("md: cleanup mddev_create/ destroy_serial_pool()") removed the third param of mddev_destroy_serial_pool(). 2. OLK commit 3bb76c49199e ("[Huawei] md: fix sysfs duplicate file while adding rdev") changed context. Signed-off-by: Li Nan <linan122(a)huawei.com> --- drivers/md/md.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/md/md.c b/drivers/md/md.c index e9c2117d20f5..a7faf6153085 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -2496,6 +2496,7 @@ static int bind_rdev_to_array(struct md_rdev *rdev, struct mddev *mddev) fail: pr_warn("md: failed to register %s for %s\n", b, mdname(mddev)); + mddev_destroy_serial_pool(mddev, rdev, false); return err; } -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] [Backport] IB/hfi1: Fix a memleak in init_credit_return
by Zhenzeng Su 24 Apr '24

24 Apr '24

From: Zhipeng Lu <alexious(a)zju.edu.cn> stable inclusion from stable-v4.19.308 commit 2e4f9f20b32658ef3724aa46f7aef4908d2609e3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJPD CVE: CVE-2024-26839 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 809aa64ebff51eb170ee31a95f83b2d21efa32e2 ] When dma_alloc_coherent fails to allocate dd->cr_base[i].va, init_credit_return should deallocate dd->cr_base and dd->cr_base[i] that allocated before. Or those resources would be never freed and a memleak is triggered. Fixes: 7724105686e7 ("IB/hfi1: add driver files") Signed-off-by: Zhipeng Lu <alexious(a)zju.edu.cn> Link: https://lore.kernel.org/r/20240112085523.3731720-1-alexious@zju.edu.cn Acked-by: Dennis Dalessandro <dennis.dalessandro(a)cornelisnetworks.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhenzeng Su <suzhenzeng(a)huawei.com> --- drivers/infiniband/hw/hfi1/pio.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/hfi1/pio.c b/drivers/infiniband/hw/hfi1/pio.c index 752057647f09..d6d18bb94f73 100644 --- a/drivers/infiniband/hw/hfi1/pio.c +++ b/drivers/infiniband/hw/hfi1/pio.c @@ -2117,7 +2117,7 @@ int init_credit_return(struct hfi1_devdata *dd) "Unable to allocate credit return DMA range for NUMA %d\n", i); ret = -ENOMEM; - goto done; + goto free_cr_base; } } set_dev_node(&dd->pcidev->dev, dd->node); @@ -2125,6 +2125,10 @@ int init_credit_return(struct hfi1_devdata *dd) ret = 0; done: return ret; + +free_cr_base: + free_credit_return(dd); + goto done; } void free_credit_return(struct hfi1_devdata *dd) -- 2.25.1

2 1

2024

2023

2022

2021

2020

2019

Kernel April 2024