hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAA3U5
CVE: NA
--------------------------------
After commit 5e66a5bdad69 ("ftrace: Fix rcu warn in ftrace_location()"),
syzkaller reports following warning:
WARNING: lock held when returning to user space!
4.18.0+ #16 Tainted: G W ---------r- -
------------------------------------------------
modprobe/4255 is leaving the kernel with locks still held!
1 lock held by modprobe/4255:
#0: 0000000012ba3568 (rcu_read_lock){....}, at:
ftrace_location_range+0x292/0x440
BUG: scheduling while atomic: modprobe/4255/0x00000002
=============================
BUG: scheduling while atomic: modprobe/4256/0x00000002
INFO: lockdep is turned off.
Modules linked in:
Kernel panic - not syncing: scheduling while atomic
It seems that rcu_read_lock() is held but rcu_read_unlock() is not
called. This is most likely due to the inconsistent state when calling
in_atomic(). To fix it, use preempt_{disable,enable}_notrace() instead
of rcu_read_{,un}lock().
Fixes: 5e66a5bdad69 ("ftrace: Fix rcu warn in ftrace_location()")
Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com>
---
kernel/trace/ftrace.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index ad4440da5b78..ceb4bab432f1 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1581,12 +1581,7 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
key.ip = start;
key.flags = end; /* overload flags, as it is unsigned long */
- /*
- * It is in atomic context when called from ftrace_int3_handler(),
- * in this case rcu lock is not needed.
- */
- if (!in_atomic())
- rcu_read_lock();
+ preempt_disable_notrace();
for (pg = ftrace_pages_start; pg; pg = pg->next) {
if (pg->index == 0 ||
end < pg->records[0].ip ||
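Review bot: the hunk deletes the only comment explaining the locking here (the in_atomic() / ftrace_int3_handler() note) and puts nothing in its place, so a reader of the new preempt_disable_notrace() line has no indication of what it protects (the walk of the ftrace_pages_start list below) or why the _notrace variant is required in a function reachable from the int3 handler. Suggest keeping a short comment above preempt_disable_notrace(), e.g. "Walk ftrace_pages_start with preemption disabled; _notrace because this may be called from ftrace_int3_handler()".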
@@ -1600,8 +1595,7 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
break;
}
}
- if (!in_atomic())
- rcu_read_unlock();
+ preempt_enable_notrace();
return ip;
}
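Review bot: the pairing is now unconditional, which is the point of the fix, and the early `break` in the loop above still falls through to preempt_enable_notrace() before `return ip;`, so no path leaves the function with the preempt count elevated. One thing worth stating in the commit message rather than leaving as "most likely": the old code could take rcu_read_lock() on one side and skip rcu_read_unlock() on the other whenever in_atomic() changed value between the two calls, which is exactly the "lock held when returning to user space" lockdep report being fixed.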
--
2.25.1
From: Aleksandr Mishin <amishin(a)t-argos.ru>
stable inclusion
from stable-v6.6.33
commit dcf53e6103b26e7458be71491d0641f49fbd5840
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SEW
CVE: CVE-2024-38548
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ]
In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is
assigned to mhdp_state->current_mode, and there is a dereference of it in
drm_mode_set_name(), which will lead to a NULL pointer dereference on
failure of drm_mode_duplicate().
Fix this bug by adding a check of mhdp_state->current_mode.
Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge")
Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru>
Reviewed-by: Robert Foss <rfoss(a)kernel.org>
Signed-off-by: Robert Foss <rfoss(a)kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishi…
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com>
Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com>
---
drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 6af565ac307a..858f5b650849 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2057,6 +2057,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
mhdp_state = to_cdns_mhdp_bridge_state(new_state);
mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode);
+ if (!mhdp_state->current_mode)
+ return;
+
drm_mode_set_name(mhdp_state->current_mode);
dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name);
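Review bot: the new early return avoids the NULL dereference in drm_mode_set_name(), but it makes an allocation failure in drm_mode_duplicate() completely silent: the enable callback returns void, nothing is logged, and the bridge is left unenabled with no trace of why. Since mhdp->dev is already used for the dev_dbg() on the following line, suggest a diagnostic before the return, e.g. `dev_err(mhdp->dev, "%s: failed to duplicate mode\n", __func__);` so the failure is observable in the kernel log.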
--
2.34.1