Kernel June 2024

kernel@openeuler.org

84 participants
1085 discussions

[PATCH openEuler-22.03-LTS] platform/x86: wmi: Fix opening of char device
by Jinjiang Tu 01 Jun '24

01 Jun '24

From: Armin Wolf <W_Armin(a)gmx.de> stable inclusion from stable-v5.10.201 commit d426a2955e45a95b2282764105fcfb110a540453 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFHT CVE: CVE-2023-52864 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit eba9ac7abab91c8f6d351460239108bef5e7a0b6 ] Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via file private data"), the miscdevice stores a pointer to itself inside filp->private_data, which means that private_data will not be NULL when wmi_char_open() is called. This might cause memory corruption should wmi_char_open() be unable to find its driver, something which can happen when the associated WMI device is deleted in wmi_free_devices(). Fix the problem by using the miscdevice pointer to retrieve the WMI device data associated with a char device using container_of(). This also avoids wmi_char_open() picking a wrong WMI device bound to a driver with the same name as the original driver. Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers") Signed-off-by: Armin Wolf <W_Armin(a)gmx.de> Link: https://lore.kernel.org/r/20231020211005.38216-5-W_Armin@gmx.de Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/platform/x86/wmi.c [Conflicts due to prior cleanup commit 43aacf838ef7 is not merged.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/platform/x86/wmi.c | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c index 1f80b2628162..f3f8cc827573 100644 --- a/drivers/platform/x86/wmi.c +++ b/drivers/platform/x86/wmi.c @@ -818,21 +818,13 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) } static int wmi_char_open(struct inode *inode, struct file *filp) { - const char *driver_name = filp->f_path.dentry->d_iname; - struct wmi_block *wblock = NULL; - struct wmi_block *next = NULL; - - list_for_each_entry_safe(wblock, next, &wmi_block_list, list) { - if (!wblock->dev.dev.driver) - continue; - if (strcmp(driver_name, wblock->dev.dev.driver->name) == 0) { - filp->private_data = wblock; - break; - } - } + /* + * The miscdevice already stores a pointer to itself + * inside filp->private_data + */ + struct wmi_block *wblock = container_of(filp->private_data, struct wmi_block, char_dev); - if (!filp->private_data) - return -ENODEV; + filp->private_data = wblock; return nonseekable_open(inode, filp); } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] drm/sched: Avoid data corruptions
by felix 01 Jun '24

01 Jun '24

From: Andrey Grodzovsky <andrey.grodzovsky(a)amd.com> stable inclusion from stable-v5.10.51 commit 0687411e2a8858262de2fc4a1d576016fd77292e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4AY CVE: CVE-2021-47354 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 0b10ab80695d61422337ede6ff496552d8ace99d ] Wait for all dependencies of a job to complete before killing it to avoid data corruptions. Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky(a)amd.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210519141407.88444-1-andrey… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpu/drm/scheduler/sched_entity.c [Because 620e762f9a98 not merged, So fix the context] Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- drivers/gpu/drm/scheduler/gpu_scheduler.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/scheduler/gpu_scheduler.c b/drivers/gpu/drm/scheduler/gpu_scheduler.c index 4fc211e19d6e..e7485cb688df 100644 --- a/drivers/gpu/drm/scheduler/gpu_scheduler.c +++ b/drivers/gpu/drm/scheduler/gpu_scheduler.c @@ -309,6 +309,7 @@ void drm_sched_entity_fini(struct drm_sched_entity *entity) */ if (spsc_queue_peek(&entity->job_queue)) { struct drm_sched_job *job; + struct dma_fence *f; int r; /* Park the kernel for a moment to make sure it isn't processing @@ -325,6 +326,10 @@ void drm_sched_entity_fini(struct drm_sched_entity *entity) while ((job = to_drm_sched_job(spsc_queue_pop(&entity->job_queue)))) { struct drm_sched_fence *s_fence = job->s_fence; + /* Wait for all dependencies to avoid data corruptions */ + while ((f = job->sched->ops->dependency(job, entity))) + dma_fence_wait(f, false); + drm_sched_fence_scheduled(s_fence); dma_fence_set_error(&s_fence->finished, -ESRCH); -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] drm/amdgpu: Fix even more out of bound writes from debugfs
by Kaixiong Yu 01 Jun '24

01 Jun '24

From: Patrik Jakobsson <patrik.r.jakobsson(a)gmail.com> stable inclusion from stable-v5.14.16 commit 9eb4bdd554fc31a5ef6bf645a20ff21618ce45a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RCVW CVE: CVE-2021-47489 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3f4e54bd312d3dafb59daf2b97ffa08abebe60f5 upstream. CVE-2021-42327 was fixed by: commit f23750b5b3d98653b31d4469592935ef6364ad67 Author: Thelford Williams <tdwilliamsiv(a)gmail.com> Date: Wed Oct 13 16:04:13 2021 -0400 drm/amdgpu: fix out of bounds write but amdgpu_dm_debugfs.c contains more of the same issue so fix the remaining ones. v2: * Add missing fix in dp_max_bpc_write (Harry Wentland) Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated") Signed-off-by: Patrik Jakobsson <pjakobsson(a)suse.de> Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c index 32dbd2a27088..6914738f0275 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c @@ -424,7 +424,7 @@ static ssize_t dp_phy_settings_write(struct file *f, const char __user *buf, if (!wr_buf) return -ENOSPC; - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { @@ -576,7 +576,7 @@ static ssize_t dp_phy_test_pattern_debugfs_write(struct file *f, const char __us if (!wr_buf) return -ENOSPC; - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { @@ -1091,7 +1091,7 @@ static ssize_t dp_trigger_hotplug(struct file *f, const char __user *buf, return -ENOSPC; } - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { @@ -1272,7 +1272,7 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf, return -ENOSPC; } - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { @@ -1426,7 +1426,7 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf, return -ENOSPC; } - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { @@ -1580,7 +1580,7 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf, return -ENOSPC; } - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { @@ -1727,7 +1727,7 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu return -ENOSPC; } - if (parse_write_buffer_into_params(wr_buf, size, + if (parse_write_buffer_into_params(wr_buf, wr_buf_size, (long *)param, buf, max_param_num, &param_nums)) { -- 2.25.1

2 1

[PATCH OLK-5.10] drm/amdgpu: Fix even more out of bound writes from debugfs
by Kaixiong Yu 01 Jun '24

01 Jun '24

2 1

[openeuler:openEuler-1.0-LTS 18743/22626] /tmp/ccJZCoWT.s:2346: Error: immediate out of range at operand 3 -- `bic w0,w20,5'
by kernel test robot 01 Jun '24

01 Jun '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: d2901c3f0ff7d121adf97d64bd2cc3789821600d commit: bba3f529a3ac03f6c6b8cea750cd48b355548d27 [18743/22626] xen/netback: don't queue unlimited number of packages config: arm64-randconfig-002-20240531 (https://download.01.org/0day-ci/archive/20240601/202406010715.TcWqtXea-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240601/202406010715.TcWqtXea-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406010715.TcWqtXea-lkp@intel.com/ All errors (new ones prefixed by >>): /tmp/ccJZCoWT.s: Assembler messages: >> /tmp/ccJZCoWT.s:2346: Error: immediate out of range at operand 3 -- `bic w0,w20,5' Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for HARDLOCKUP_DETECTOR Depends on [n]: DEBUG_KERNEL [=n] && !S390 && (HAVE_HARDLOCKUP_DETECTOR_PERF [=n] || HAVE_HARDLOCKUP_DETECTOR_ARCH [=y]) Selected by [y]: - SDEI_WATCHDOG [=y] && <choice> && ARM_SDE_INTERFACE [=y] && !HARDLOCKUP_CHECK_TIMESTAMP [=n] -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

Kernel June 2024