kernel@openeuler.org

May 2024

  • 87 participants
  • 1364 discussions
[PATCH OLK-5.10] efi/libstub: arm64: Add macro isolation memmap detection code
by Cui GaoSheng 28 May '24

28 May '24
From: Gaosheng Cui <cuigaosheng1(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1 -------------------------------- Kaslr will randomizes the physical address at which the kernel image is loaded, we will check and skip the memmap reserved memory, add config CONFIG_UEFI_KASLR_SKIP_MEMMAP to isolation memmap detection code. Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com> --- arch/arm64/Kconfig | 7 +++++++ arch/arm64/configs/openeuler_defconfig | 1 + arch/arm64/kernel/image-vars.h | 2 ++ arch/arm64/lib/strchr.S | 8 ++++++++ drivers/firmware/efi/libstub/arm64-stub.c | 2 ++ drivers/firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 4 ++++ drivers/firmware/efi/libstub/efistub.h | 6 +----- drivers/firmware/efi/libstub/string.c | 2 ++ 9 files changed, 29 insertions(+), 5 deletions(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index eb7334370cfe..c014e4bd182a 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -2111,6 +2111,13 @@ config RANDOMIZE_MODULE_REGION_FULL a limited range that contains the [_stext, _etext] interval of the core kernel, so branch relocations are always in range. +config UEFI_KASLR_SKIP_MEMMAP + bool "Skip the memmap address when randomize the kernel image" + depends on RANDOMIZE_BASE + default n + help + Skip the memmap reserved memory when randomize the kernel image. + config CC_HAVE_STACKPROTECTOR_SYSREG def_bool $(cc-option,-mstack-protector-guard=sysreg -mstack-protector-guard-reg=sp_el0 -mstack-protector-guard-offset=0) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 1233ce00c72c..1c45bb8694bc 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig 
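Review bot: The new `UEFI_KASLR_SKIP_MEMMAP` entry depends only on `RANDOMIZE_BASE`, yet everything it gates in this patch lives under drivers/firmware/efi/libstub, so it can be selected on a configuration that builds no EFI stub and then does nothing. `depends on RANDOMIZE_BASE && EFI_STUB` would tie it to the code it controls, and `default n` can be dropped because that is already the default. The help text only repeats the prompt. It should say that with the option off the stub no longer parses `memmap=` from the command line, so the randomized image placement does not avoid those reserved ranges.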
@@ -548,6 +548,7 @@ CONFIG_ARM64_PSEUDO_NMI=y CONFIG_RELOCATABLE=y CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MODULE_REGION_FULL=y +CONFIG_UEFI_KASLR_SKIP_MEMMAP=y CONFIG_NOKASLR_MEM_RANGE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y diff --git a/arch/arm64/kernel/image-vars.h b/arch/arm64/kernel/image-vars.h index 3a68772a63fb..dd9d65840333 100644 --- a/arch/arm64/kernel/image-vars.h +++ b/arch/arm64/kernel/image-vars.h @@ -32,7 +32,9 @@ __efistub_strnlen = __pi_strnlen; __efistub_strcmp = __pi_strcmp; __efistub_strncmp = __pi_strncmp; __efistub_strrchr = __pi_strrchr; +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP __efistub_strchr = __pi_strchr; +#endif __efistub___clean_dcache_area_poc = __pi___clean_dcache_area_poc; __efistub__text = _text; diff --git a/arch/arm64/lib/strchr.S b/arch/arm64/lib/strchr.S index 5893ad8d4484..8ef17a69dfe6 100644 --- a/arch/arm64/lib/strchr.S +++ b/arch/arm64/lib/strchr.S @@ -18,7 +18,11 @@ * Returns: * x0 - address of first occurrence of 'c' or 0 */ +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP SYM_FUNC_START_WEAK_PI(strchr) +#else +SYM_FUNC_START_WEAK(strchr) +#endif and w1, w1, #0xff 1: ldrb w2, [x0], #1 cmp w2, w1 @@ -28,5 +32,9 @@ SYM_FUNC_START_WEAK_PI(strchr) cmp w2, w1 csel x0, x0, xzr, eq ret +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP SYM_FUNC_END_PI(strchr) +#else +SYM_FUNC_END(strchr) +#endif EXPORT_SYMBOL_NOKASAN(strchr) diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c index d6b48ad59d94..5a8704176c4c 100644 --- a/drivers/firmware/efi/libstub/arm64-stub.c +++ b/drivers/firmware/efi/libstub/arm64-stub.c @@ -15,6 +15,7 @@ #include "efistub.h" +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP #define MAX_MEMMAP_REGIONS 32 struct mem_vector { @@ -103,6 +104,7 @@ void free_avoid_memmap(void) efi_free(mem_avoid[i].size, mem_avoid[i].start); } } +#endif #ifdef CONFIG_NOKASLR_MEM_RANGE #define MAX_MEM_NOKASLR_REGIONS 4 
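Review bot: In arm64-stub.c the new `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` opens above `struct mem_vector`, so the type itself disappears when the option is off. The `CONFIG_NOKASLR_MEM_RANGE` block starts directly after the new `#endif` and its body is outside the hunk; if it declares anything of type `struct mem_vector`, a build with NOKASLR_MEM_RANGE=y and UEFI_KASLR_SKIP_MEMMAP=n fails. Moving the guard below the struct definition keeps the two options independent. A trailing `#endif /* CONFIG_UEFI_KASLR_SKIP_MEMMAP */` comment would also help, since the guarded region spans roughly ninety lines.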
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index dc3fbd0914f5..cbeac12e6662 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -238,8 +238,10 @@ efi_status_t efi_parse_options(char const *cmdline) } else if (!strcmp(param, "video") && val && strstarts(val, "efifb:")) { efi_parse_option_graphics(val + strlen("efifb:")); +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP } else if (!strcmp(param, "memmap") && val) { efi_parse_option_memmap(val); +#endif } else if (!strcmp(param, "pbha")) { efi_pbha = true; } diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c index 96129f0fc60e..66f1f9b93b0d 100644 --- a/drivers/firmware/efi/libstub/efi-stub.c +++ b/drivers/firmware/efi/libstub/efi-stub.c @@ -204,7 +204,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, si = setup_graphics(); +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP mem_avoid_memmap(); +#endif status = handle_kernel_image(&image_addr, &image_size, &reserve_addr, @@ -323,7 +325,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, efi_free(image_size, image_addr); efi_free(reserve_size, reserve_addr); fail_free_screeninfo: +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP free_avoid_memmap(); +#endif free_screen_info(si); fail_free_cmdline: efi_bs_call(free_pool, cmdline_ptr); diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index ee4c57a285e7..8dfd83427d2f 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h 
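Review bot: The `memmap` branch in efi_parse_options() is now fenced with `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` in the middle of an `else if` chain, and the same pattern is repeated around `mem_avoid_memmap()` and `free_avoid_memmap()` in both efi-stub.c hunks. The efistub.h hunk makes this necessary by deleting the `#else` branch with the three empty `static inline` stubs. Keeping that `#else` branch and changing only the condition to `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` would leave all three call sites free of preprocessor guards, which is the usual kernel convention and lets the compiler type-check the calls in every configuration. efi_parse_options() and efi_pe_entry() both continue outside the hunks shown.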
@@ -828,14 +828,10 @@ efi_status_t efi_parse_options(char const *cmdline); void efi_parse_option_graphics(char *option); -#ifdef CONFIG_ARM64 +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP void efi_parse_option_memmap(const char *str); void mem_avoid_memmap(void); void free_avoid_memmap(void); -#else -static inline void efi_parse_option_memmap(const char *str) { } -static inline void mem_avoid_memmap(void) { } -static inline void free_avoid_memmap(void) { } #endif #if defined(CONFIG_NOKASLR_MEM_RANGE) && defined(CONFIG_ARM64) diff --git a/drivers/firmware/efi/libstub/string.c b/drivers/firmware/efi/libstub/string.c index 006c9f0a8e0c..43cb8ed9f300 100644 --- a/drivers/firmware/efi/libstub/string.c +++ b/drivers/firmware/efi/libstub/string.c @@ -114,6 +114,7 @@ long simple_strtol(const char *cp, char **endp, unsigned int base) return simple_strtoull(cp, endp, base); } +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP #ifndef __HAVE_ARCH_STRCHR /** * strchr - Find the first occurrence of a character in a string @@ -131,3 +132,4 @@ char *strchr(const char *s, int c) return (char *)s; } #endif +#endif -- 2.34.1
[PATCH openEuler-1.0-LTS] HID: usbhid: free raw_report buffers in usbhid_stop
by Zhao Wenhui 28 May '24

28 May '24
From: Anirudh Rayabharam <mail(a)anirudhrb.com> mainline inclusion from mainline-v5.15-rc1 commit f7744fa16b96da57187dc8e5634152d3b63d72de category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4NP CVE: CVE-2021-47405 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Free the unsent raw_report buffers when the device is removed. Fixes a memory leak reported by syzbot at: https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab… Reported-by: syzbot+47b26cd837ececfc666d(a)syzkaller.appspotmail.com Tested-by: syzbot+47b26cd837ececfc666d(a)syzkaller.appspotmail.com Signed-off-by: Anirudh Rayabharam <mail(a)anirudhrb.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> Signed-off-by: Zhao Wenhui <zhaowenhui8(a)huawei.com>
---
 drivers/hid/usbhid/hid-core.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 2376740ce4d5..0502696b2138 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -506,7 +506,7 @@ static void hid_ctrl(struct urb *urb)
 if (unplug) {
 usbhid->ctrltail = usbhid->ctrlhead;
- } else {
+ } else if (usbhid->ctrlhead != usbhid->ctrltail) {
 usbhid->ctrltail = (usbhid->ctrltail + 1) & (HID_CONTROL_FIFO_SIZE - 1);
 if (usbhid->ctrlhead != usbhid->ctrltail &&
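Review bot: The new condition `else if (usbhid->ctrlhead != usbhid->ctrltail)` in hid_ctrl() has no comment, and its reason is only visible in the usbhid_stop() hunk of the same patch. That function now drains the control FIFO under `usbhid->lock` before `usb_kill_urb(usbhid->urbctrl)`, so a completion can still arrive for a queue that is already empty. Without the guard the tail would step past the head, and the code that follows would presumably treat stale slots as pending. A one-line comment such as `/* usbhid_stop() may have emptied the queue already */` above the branch would keep a later cleanup from removing it. hid_ctrl() starts and ends outside the hunk.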
@@ -1206,9 +1206,20 @@ static void usbhid_stop(struct hid_device *hid)
 }
 clear_bit(HID_STARTED, &usbhid->iofl);
+
 spin_lock_irq(&usbhid->lock); /* Sync with error and led handlers */
 set_bit(HID_DISCONNECTED, &usbhid->iofl);
+ while (usbhid->ctrltail != usbhid->ctrlhead) {
+ if (usbhid->ctrl[usbhid->ctrltail].dir == USB_DIR_OUT) {
+ kfree(usbhid->ctrl[usbhid->ctrltail].raw_report);
+ usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
+ }
+
+ usbhid->ctrltail = (usbhid->ctrltail + 1) &
+ (HID_CONTROL_FIFO_SIZE - 1);
+ }
 spin_unlock_irq(&usbhid->lock);
+
 usb_kill_urb(usbhid->urbin);
 usb_kill_urb(usbhid->urbout);
 usb_kill_urb(usbhid->urbctrl);
-- 2.34.1
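Review bot: The drain loop in usbhid_stop() frees `raw_report` only for entries whose `dir` is `USB_DIR_OUT`, and nothing in the hunk says why IN entries are skipped. Presumably only OUT requests own an allocated buffer and the field is not reset for IN slots, in which case the check is what prevents a stale pointer from being freed; the code that fills the FIFO is outside this patch, so that should be confirmed. A comment such as `/* only OUT requests carry an allocated raw_report */` above the `if` would record the ownership rule next to the free.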
[PATCH OLK-5.10] crypto: jitter - change module_init(jent_mod_init) to subsys_initcall(jent_mod_init)
by Cui GaoSheng 28 May '24

28 May '24
From: Gaosheng Cui <cuigaosheng1(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1 -------------------------------- The ecdh-nist-p256 algorithm will depend on jitterentropy_rng, and when they are build into kernel, the order of registration should be done such that the underlying algorithms are ready before the ones on top are registered. We can enable fips=1 and ecdh, the calltrace like below: alg: ecdh-nist-p256: test failed on vector 2, err=-14 Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode! Call Trace: dump_stack+0x57/0x6e panic+0x109/0x2ca alg_test+0x414/0x420 ? __switch_to_asm+0x3a/0x60 ? __switch_to_asm+0x34/0x60 ? __schedule+0x263/0x640 ? crypto_acomp_scomp_free_ctx+0x30/0x30 cryptomgr_test+0x22/0x40 kthread+0xf9/0x130 ? kthread_park+0x90/0x90 ret_from_fork+0x22/0x30 The module_init(jent_mod_init) is later than subsys_initcall(ecdh_init), so changing module_init(jent_mod_init) to subsys_initcall(jent_mod_init) to fix it. Fixes: c4741b230597 ("crypto: run initcalls for generic implementations earlier") Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com>
---
 crypto/jitterentropy-kcapi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index e8a4165a1874..b1d7b5a6e61c 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -214,7 +214,7 @@ static void __exit jent_mod_exit(void)
 crypto_unregister_rng(&jent_alg);
 }
-module_init(jent_mod_init);
+subsys_initcall(jent_mod_init);
 module_exit(jent_mod_exit);
 MODULE_LICENSE("Dual BSD/GPL");
-- 2.34.1
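Review bot: Switching to `subsys_initcall(jent_mod_init)` puts the jitter RNG at the same initcall level as the `subsys_initcall(ecdh_init)` named in the description, not ahead of it. Within one level the order follows link order, so the fix holds only while jitterentropy is linked before its users in crypto/Makefile; that file is not part of this patch, so this should be confirmed. A comment above the line, for example `/* must be registered before the self-tests of algorithms that draw from it (e.g. ecdh in FIPS mode) run */`, would record why this is not `module_init`. The cost of getting the order wrong is a boot-time panic with fips=1, as the trace in the description shows.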
[PATCH OLK-5.10] efi/libstub: arm64: Add macro isolation memmap detection code
by Cui GaoSheng 28 May '24

28 May '24
From: Gaosheng Cui <cuigaosheng1(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1 -------------------------------- Kaslr will randomizes the physical address at which the kernel image is loaded, we will check and skip the memmap reserved memory, add config CONFIG_UEFI_KASLR_SKIP_MEMMAP to isolation memmap detection code. Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com> --- arch/arm64/Kconfig | 7 +++++++ arch/arm64/configs/openeuler_defconfig | 1 + arch/arm64/kernel/image-vars.h | 2 ++ arch/arm64/lib/strchr.S | 8 ++++++++ drivers/firmware/efi/libstub/arm64-stub.c | 2 ++ drivers/firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 4 ++++ drivers/firmware/efi/libstub/efistub.h | 6 +----- drivers/firmware/efi/libstub/string.c | 2 ++ 9 files changed, 29 insertions(+), 5 deletions(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index eb7334370cfe..c014e4bd182a 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -2111,6 +2111,13 @@ config RANDOMIZE_MODULE_REGION_FULL a limited range that contains the [_stext, _etext] interval of the core kernel, so branch relocations are always in range. +config UEFI_KASLR_SKIP_MEMMAP + bool "Skip the memmap address when randomize the kernel image" + depends on RANDOMIZE_BASE + default n + help + Skip the memmap reserved memory when randomize the kernel image. + config CC_HAVE_STACKPROTECTOR_SYSREG def_bool $(cc-option,-mstack-protector-guard=sysreg -mstack-protector-guard-reg=sp_el0 -mstack-protector-guard-offset=0) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 1233ce00c72c..1c45bb8694bc 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig 
@@ -548,6 +548,7 @@ CONFIG_ARM64_PSEUDO_NMI=y CONFIG_RELOCATABLE=y CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MODULE_REGION_FULL=y +CONFIG_UEFI_KASLR_SKIP_MEMMAP=y CONFIG_NOKASLR_MEM_RANGE=y CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y CONFIG_STACKPROTECTOR_PER_TASK=y diff --git a/arch/arm64/kernel/image-vars.h b/arch/arm64/kernel/image-vars.h index 3a68772a63fb..dd9d65840333 100644 --- a/arch/arm64/kernel/image-vars.h +++ b/arch/arm64/kernel/image-vars.h @@ -32,7 +32,9 @@ __efistub_strnlen = __pi_strnlen; __efistub_strcmp = __pi_strcmp; __efistub_strncmp = __pi_strncmp; __efistub_strrchr = __pi_strrchr; +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP __efistub_strchr = __pi_strchr; +#endif __efistub___clean_dcache_area_poc = __pi___clean_dcache_area_poc; __efistub__text = _text; diff --git a/arch/arm64/lib/strchr.S b/arch/arm64/lib/strchr.S index 5893ad8d4484..8ef17a69dfe6 100644 --- a/arch/arm64/lib/strchr.S +++ b/arch/arm64/lib/strchr.S @@ -18,7 +18,11 @@ * Returns: * x0 - address of first occurrence of 'c' or 0 */ +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP SYM_FUNC_START_WEAK_PI(strchr) +#else +SYM_FUNC_START_WEAK(strchr) +#endif and w1, w1, #0xff 1: ldrb w2, [x0], #1 cmp w2, w1 @@ -28,5 +32,9 @@ SYM_FUNC_START_WEAK_PI(strchr) cmp w2, w1 csel x0, x0, xzr, eq ret +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP SYM_FUNC_END_PI(strchr) +#else +SYM_FUNC_END(strchr) +#endif EXPORT_SYMBOL_NOKASAN(strchr) diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c index d6b48ad59d94..5a8704176c4c 100644 --- a/drivers/firmware/efi/libstub/arm64-stub.c +++ b/drivers/firmware/efi/libstub/arm64-stub.c @@ -15,6 +15,7 @@ #include "efistub.h" +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP #define MAX_MEMMAP_REGIONS 32 struct mem_vector { @@ -103,6 +104,7 @@ void free_avoid_memmap(void) efi_free(mem_avoid[i].size, mem_avoid[i].start); } } +#endif #ifdef CONFIG_NOKASLR_MEM_RANGE #define MAX_MEM_NOKASLR_REGIONS 4 
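Review bot: strchr.S now selects between `SYM_FUNC_START_WEAK_PI`/`SYM_FUNC_END_PI` and `SYM_FUNC_START_WEAK`/`SYM_FUNC_END` with two separate `#ifdef` blocks, so the opening and closing annotations can drift apart in a later edit. The position-independent alias is only consumed through `__efistub_strchr = __pi_strchr;`, which the image-vars.h hunk already guards, so the `_PI` pair could stay unconditional and the assembly file would need no change. If the conditional form is kept, a single wrapper macro defined once at the top of the file would keep the start and end annotations paired.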
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index dc3fbd0914f5..cbeac12e6662 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -238,8 +238,10 @@ efi_status_t efi_parse_options(char const *cmdline) } else if (!strcmp(param, "video") && val && strstarts(val, "efifb:")) { efi_parse_option_graphics(val + strlen("efifb:")); +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP } else if (!strcmp(param, "memmap") && val) { efi_parse_option_memmap(val); +#endif } else if (!strcmp(param, "pbha")) { efi_pbha = true; } diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c index 96129f0fc60e..66f1f9b93b0d 100644 --- a/drivers/firmware/efi/libstub/efi-stub.c +++ b/drivers/firmware/efi/libstub/efi-stub.c @@ -204,7 +204,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, si = setup_graphics(); +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP mem_avoid_memmap(); +#endif status = handle_kernel_image(&image_addr, &image_size, &reserve_addr, @@ -323,7 +325,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, efi_free(image_size, image_addr); efi_free(reserve_size, reserve_addr); fail_free_screeninfo: +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP free_avoid_memmap(); +#endif free_screen_info(si); fail_free_cmdline: efi_bs_call(free_pool, cmdline_ptr); diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index ee4c57a285e7..8dfd83427d2f 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h 
@@ -828,14 +828,10 @@ efi_status_t efi_parse_options(char const *cmdline); void efi_parse_option_graphics(char *option); -#ifdef CONFIG_ARM64 +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP void efi_parse_option_memmap(const char *str); void mem_avoid_memmap(void); void free_avoid_memmap(void); -#else -static inline void efi_parse_option_memmap(const char *str) { } -static inline void mem_avoid_memmap(void) { } -static inline void free_avoid_memmap(void) { } #endif #if defined(CONFIG_NOKASLR_MEM_RANGE) && defined(CONFIG_ARM64) diff --git a/drivers/firmware/efi/libstub/string.c b/drivers/firmware/efi/libstub/string.c index 006c9f0a8e0c..43cb8ed9f300 100644 --- a/drivers/firmware/efi/libstub/string.c +++ b/drivers/firmware/efi/libstub/string.c @@ -114,6 +114,7 @@ long simple_strtol(const char *cp, char **endp, unsigned int base) return simple_strtoull(cp, endp, base); } +#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP #ifndef __HAVE_ARCH_STRCHR /** * strchr - Find the first occurrence of a character in a string @@ -131,3 +132,4 @@ char *strchr(const char *s, int c) return (char *)s; } #endif +#endif -- 2.34.1
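Review bot: string.c is built into the EFI stub of every architecture, but `CONFIG_UEFI_KASLR_SKIP_MEMMAP` is declared only in arch/arm64/Kconfig, so the new outer guard removes the generic `strchr()` from the stub on all other architectures. Whether anything else in libstub calls `strchr()` is not visible in this patch; if it does, those builds lose the symbol at link time. The two closing lines are both bare `#endif`; `#endif /* __HAVE_ARCH_STRCHR */` and `#endif /* CONFIG_UEFI_KASLR_SKIP_MEMMAP */` would make the nesting readable.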
[PATCH openEuler-1.0-LTS] ALSA: hda: Fix possible null-ptr-deref when assigning a stream
by Zeng Heng 28 May '24

28 May '24
From: Cezary Rojewski <cezary.rojewski(a)intel.com> mainline inclusion from mainline-v6.7-rc1 commit f93dc90c2e8ed664985e366aa6459ac83cdab236 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFHM CVE: CVE-2023-52806 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- While AudioDSP drivers assign streams exclusively of HOST or LINK type, nothing blocks a user to attempt to assign a COUPLED stream. As supplied substream instance may be a stub, what is the case when code-loading, such scenario ends with null-ptr-deref. Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://lore.kernel.org/r/20231006102857.749143-2-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Conflicts: sound/hda/hdac_stream.c [The conflict occurs because commit 1465d06a6d85("ALSA: hda: hdac_stream: fix potential locking issue in snd_hdac_stream_assign()") is not merged.] Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
 sound/hda/hdac_stream.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index eee422390d8e..2569f82b6fa0 100644
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -241,8 +241,10 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
 struct hdac_stream *res = NULL;
 /* make a non-zero unique key for the substream */
- int key = (substream->pcm->device << 16) | (substream->number << 2) |
- (substream->stream + 1);
+ int key = (substream->number << 2) | (substream->stream + 1);
+
+ if (substream->pcm)
+ key |= (substream->pcm->device << 16);
 list_for_each_entry(azx_dev, &bus->stream_list, list) {
 if (azx_dev->direction != substream->stream)
-- 2.25.1
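Review bot: When `substream->pcm` is NULL the key is now built from `substream->number` and `substream->stream` alone, so the comment `/* make a non-zero unique key for the substream */` no longer holds for stub substreams. Two of them with the same number and direction on different devices get the same key. How the key is compared is in the loop body outside the hunk; if it is matched against a previously assigned key, a stub could be handed a stream reserved for another substream. The comment should at least say that the device part is omitted, e.g. `/* non-zero key; the device bits are left out when there is no pcm (stub substream) */`.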
[PATCH openEuler-1.0-LTS v2] ACPI: video: check for error while searching for backlight device parent
by Yu Liao 28 May '24

28 May '24
From: Nikita Kiryushin <kiryushin(a)ancud.ru> stable inclusion from stable-v4.19.306 commit 556f02699d33c1f40b1b31bd25828ce08fa165d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9CJ CVE: CVE-2023-52693 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ccd45faf4973746c4f30ea41eec864e5cf191099 ] If acpi_get_parent() called in acpi_video_dev_register_backlight() fails, for example, because acpi_ut_acquire_mutex() fails inside acpi_get_parent), this can lead to incorrect (uninitialized) acpi_parent handle being passed to acpi_get_pci_dev() for detecting the parent pci device. Check acpi_get_parent() result and set parent device only in case of success. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9661e92c10a9 ("acpi: tie ACPI backlight devices to PCI devices if possible") Signed-off-by: Nikita Kiryushin <kiryushin(a)ancud.ru> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yu Liao <liaoyu15(a)huawei.com>
---
 drivers/acpi/acpi_video.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
index 1a23e7aa74df..51b39e8c2f8a 100644
--- a/drivers/acpi/acpi_video.c
+++ b/drivers/acpi/acpi_video.c
@@ -1772,12 +1772,12 @@ static void acpi_video_dev_register_backlight(struct acpi_video_device *device)
 return;
 count++;
- acpi_get_parent(device->dev->handle, &acpi_parent);
-
- pdev = acpi_get_pci_dev(acpi_parent);
- if (pdev) {
- parent = &pdev->dev;
- pci_dev_put(pdev);
+ if (ACPI_SUCCESS(acpi_get_parent(device->dev->handle, &acpi_parent))) {
+ pdev = acpi_get_pci_dev(acpi_parent);
+ if (pdev) {
+ parent = &pdev->dev;
+ pci_dev_put(pdev);
+ }
 }
 memset(&props, 0, sizeof(struct backlight_properties));
-- 2.25.1
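Review bot: Inside the new `if (ACPI_SUCCESS(...))` block `parent = &pdev->dev;` is still followed immediately by `pci_dev_put(pdev);`, so `parent` is used later in the function without a reference held on the PCI device. That use is outside the hunk and the pattern predates this patch. Since the block is being rewritten, it is the place to either hold the reference until the backlight device is registered or add a comment saying why dropping it early is safe. The failure path is also silent: when `acpi_get_parent()` fails, registration proceeds with `parent` at whatever initial value it is given outside the hunk.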
[PATCH openEuler-1.0-LTS] ACPI: video: check for error while searching for backlight device parent
by Yu Liao 28 May '24

28 May '24
From: Nikita Kiryushin <kiryushin(a)ancud.ru> stable inclusion from stable-v4.19.195 commit 556f02699d33c1f40b1b31bd25828ce08fa165d8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9CJ CVE: CVE-2023-52693 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ccd45faf4973746c4f30ea41eec864e5cf191099 ] If acpi_get_parent() called in acpi_video_dev_register_backlight() fails, for example, because acpi_ut_acquire_mutex() fails inside acpi_get_parent), this can lead to incorrect (uninitialized) acpi_parent handle being passed to acpi_get_pci_dev() for detecting the parent pci device. Check acpi_get_parent() result and set parent device only in case of success. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9661e92c10a9 ("acpi: tie ACPI backlight devices to PCI devices if possible") Signed-off-by: Nikita Kiryushin <kiryushin(a)ancud.ru> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yu Liao <liaoyu15(a)huawei.com>
---
 drivers/acpi/acpi_video.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
index 1a23e7aa74df..51b39e8c2f8a 100644
--- a/drivers/acpi/acpi_video.c
+++ b/drivers/acpi/acpi_video.c
@@ -1772,12 +1772,12 @@ static void acpi_video_dev_register_backlight(struct acpi_video_device *device)
 return;
 count++;
- acpi_get_parent(device->dev->handle, &acpi_parent);
-
- pdev = acpi_get_pci_dev(acpi_parent);
- if (pdev) {
- parent = &pdev->dev;
- pci_dev_put(pdev);
+ if (ACPI_SUCCESS(acpi_get_parent(device->dev->handle, &acpi_parent))) {
+ pdev = acpi_get_pci_dev(acpi_parent);
+ if (pdev) {
+ parent = &pdev->dev;
+ pci_dev_put(pdev);
+ }
 }
 memset(&props, 0, sizeof(struct backlight_properties));
-- 2.25.1
[PATCH openEuler-1.0-LTS] ALSA: hda: Fix possible null-ptr-deref when assigning a stream
by Zeng Heng 28 May '24

28 May '24
From: Cezary Rojewski <cezary.rojewski(a)intel.com> mainline inclusion from mainline-v6.7-rc1 commit f93dc90c2e8ed664985e366aa6459ac83cdab236 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFHM CVE: CVE-2023-52806 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- While AudioDSP drivers assign streams exclusively of HOST or LINK type, nothing blocks a user to attempt to assign a COUPLED stream. As supplied substream instance may be a stub, what is the case when code-loading, such scenario ends with null-ptr-deref. Signed-off-by: Cezary Rojewski <cezary.rojewski(a)intel.com> Link: https://lore.kernel.org/r/20231006102857.749143-2-cezary.rojewski@intel.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
 sound/hda/hdac_stream.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index eee422390d8e..2569f82b6fa0 100644
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -241,8 +241,10 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
 struct hdac_stream *res = NULL;
 /* make a non-zero unique key for the substream */
- int key = (substream->pcm->device << 16) | (substream->number << 2) |
- (substream->stream + 1);
+ int key = (substream->number << 2) | (substream->stream + 1);
+
+ if (substream->pcm)
+ key |= (substream->pcm->device << 16);
 list_for_each_entry(azx_dev, &bus->stream_list, list) {
 if (azx_dev->direction != substream->stream)
-- 2.25.1
[PATCH openEuler-1.0-LTS 0/3] backport mainline bugfix
by felix 28 May '24

28 May '24
From: Felix Fu <fuzhen5(a)huawei.com> Eric Snowberg (1): KEYS: Create static version of public_key_verify_signature Georgia Garcia (1): apparmor: fix invalid reference on profile->disconnected Xiu Jianfeng (1): audit: correct audit_filter_inodes() definition include/crypto/public_key.h | 9 +++++++++ kernel/audit.h | 2 +- security/apparmor/policy.c | 1 + security/apparmor/policy_unpack.c | 5 +++-- 4 files changed, 14 insertions(+), 3 deletions(-) -- 2.34.1
[PATCH openEuler-1.0-LTS 1/3] apparmor: fix invalid reference on profile->disconnected
by felix 28 May '24

28 May '24
From: Georgia Garcia <georgia.garcia(a)canonical.com> mainline inclusion from mainline-v6.7-rc1 commit 8884ba07786c718771cf7b78cb3024924b27ec2b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9SY02 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- profile->disconnected was storing an invalid reference to the disconnected path. Fix it by duplicating the string using aa_unpack_strdup and freeing accordingly. Fixes: 72c8a768641d ("apparmor: allow profiles to provide info to disconnected paths") Signed-off-by: Georgia Garcia <georgia.garcia(a)canonical.com> Signed-off-by: John Johansen <john.johansen(a)canonical.com> Conflicts: security/apparmor/policy_unpack.c security/apparmor/policy.c [Because b11e51dd7 not merged, so change aa_unpack_str_dup to unpack_str_dup, it just has been renamed] Signed-off-by: Felix Fu <fuzhen5(a)huawei.com>
---
 security/apparmor/policy.c | 1 +
 security/apparmor/policy_unpack.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 3a4293c46ad5..bc377284945c 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -224,6 +224,7 @@ void aa_free_profile(struct aa_profile *profile)
 aa_put_ns(profile->ns);
 kzfree(profile->rename);
+ kzfree(profile->disconnected);
 aa_free_file_rules(&profile->file);
 aa_free_cap_rules(&profile->caps);
 aa_free_rlimit_rules(&profile->rlimits);
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 36bf9534acf0..6013972f9fa4 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -617,7 +617,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 const char *info = "failed to unpack profile";
 size_t ns_len;
 struct rhashtable_params params = { 0 };
- char *key = NULL;
+ char *key = NULL, *disconnected = NULL;
 struct aa_data *data;
 int i, error = -EPROTO;
 kernel_cap_t tmpcap;
@@ -675,7 +675,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 }
 /* disconnected attachment string is optional */
- (void) unpack_str(e, &profile->disconnected, "disconnected");
+ (void) unpack_strdup(e, &disconnected, "disconnected");
+ profile->disconnected = disconnected;
 /* per profile debug flags (complain, audit) */
 if (!unpack_nameX(e, AA_STRUCT, "flags")) {
-- 2.34.1
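Review bot: The return value of `unpack_strdup()` is discarded with `(void)`, which was harmless for `unpack_str()` but now hides an allocation failure. An absent optional field and a failed duplication presumably both leave `disconnected` NULL, and the profile then loads without its disconnected-path string. The helper's return convention is not visible here; if it can distinguish the two cases, the unpack should fail with `-ENOMEM` instead of accepting a policy that differs from what was supplied. The `kzfree(profile->disconnected)` added in aa_free_profile() also means every writer of that field must now store heap memory, which is worth stating where the field is declared. unpack_profile() continues outside both hunks.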