August 2024 - Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS 5f1e8ffb9191bc7cb8ee31f9f6996e05be5cc228
by kernel test robot 21 Aug '24

21 Aug '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: 5f1e8ffb9191bc7cb8ee31f9f6996e05be5cc228 !10978 CVE-2024-42304 elapsed time: 727m configs tested: 34 configs skipped: 139 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc-14.1.0 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240821 gcc-14.1.0 arm64 randconfig-002-20240821 gcc-14.1.0 arm64 randconfig-003-20240821 gcc-14.1.0 arm64 randconfig-004-20240821 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240820 clang-18 x86_64 buildonly-randconfig-002-20240820 gcc-11 x86_64 buildonly-randconfig-003-20240820 clang-18 x86_64 buildonly-randconfig-004-20240820 clang-18 x86_64 buildonly-randconfig-005-20240820 clang-18 x86_64 buildonly-randconfig-006-20240820 clang-18 x86_64 defconfig gcc-11 x86_64 randconfig-001-20240820 gcc-12 x86_64 randconfig-002-20240820 gcc-12 x86_64 randconfig-003-20240820 clang-18 x86_64 randconfig-004-20240820 gcc-12 x86_64 randconfig-005-20240820 clang-18 x86_64 randconfig-006-20240820 gcc-12 x86_64 randconfig-011-20240820 clang-18 x86_64 randconfig-012-20240820 gcc-12 x86_64 randconfig-013-20240820 clang-18 x86_64 randconfig-014-20240820 clang-18 x86_64 randconfig-015-20240820 gcc-12 x86_64 randconfig-016-20240820 clang-18 x86_64 randconfig-071-20240820 gcc-12 x86_64 randconfig-072-20240820 gcc-12 x86_64 randconfig-073-20240820 gcc-12 x86_64 randconfig-074-20240820 clang-18 x86_64 randconfig-075-20240820 clang-18 x86_64 randconfig-076-20240820 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 3342/13457] crypto/asymmetric_keys/pgp_public_key.c:359: undefined reference to `public_key_subtype'
by kernel test robot 21 Aug '24

21 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: a768b922343d9cab29e2e0aaef1d4bdee47cfbb5 commit: 43d4042e06d2bf96adf67d25e8d91653507a4cf9 [3342/13457] KEYS: Provide a function to load keys from a PGP keyring blob config: x86_64-randconfig-006-20240821 (https://download.01.org/0day-ci/archive/20240821/202408210612.lVpJWy3E-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240821/202408210612.lVpJWy3E-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408210612.lVpJWy3E-lkp@intel.com/ All errors (new ones prefixed by >>): ld: vmlinux.o: in function `pgp_key_parse': >> crypto/asymmetric_keys/pgp_public_key.c:359: undefined reference to `public_key_subtype' >> ld: crypto/asymmetric_keys/pgp_public_key.c:359: undefined reference to `public_key_subtype' ld: crypto/asymmetric_keys/pgp_public_key.c:360: undefined reference to `public_key_subtype' >> ld: crypto/asymmetric_keys/pgp_public_key.c:369: undefined reference to `public_key_free' >> ld: crypto/asymmetric_keys/pgp_public_key.c:359: undefined reference to `public_key_subtype' Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for PGP_KEY_PARSER Depends on [n]: CRYPTO [=y] && ASYMMETRIC_KEY_TYPE [=y] && ASYMMETRIC_PUBLIC_KEY_SUBTYPE [=n] Selected by [y]: - PGP_PRELOAD [=y] && CRYPTO [=y] && ASYMMETRIC_KEY_TYPE [=y] vim +359 crypto/asymmetric_keys/pgp_public_key.c 4e59d757dc3f7f Roberto Sassu 2023-09-12 300 4e59d757dc3f7f Roberto Sassu 2023-09-12 301 /* 4e59d757dc3f7f Roberto Sassu 2023-09-12 302 * Attempt to parse the instantiation data blob for a key as a PGP packet 4e59d757dc3f7f Roberto Sassu 2023-09-12 303 * message holding a key. 4e59d757dc3f7f Roberto Sassu 2023-09-12 304 */ 4e59d757dc3f7f Roberto Sassu 2023-09-12 305 static int pgp_key_parse(struct key_preparsed_payload *prep) 4e59d757dc3f7f Roberto Sassu 2023-09-12 306 { 4e59d757dc3f7f Roberto Sassu 2023-09-12 307 struct pgp_key_data_parse_context ctx; 4e59d757dc3f7f Roberto Sassu 2023-09-12 308 int ret; 4e59d757dc3f7f Roberto Sassu 2023-09-12 309 4e59d757dc3f7f Roberto Sassu 2023-09-12 310 kenter(""); 4e59d757dc3f7f Roberto Sassu 2023-09-12 311 4e59d757dc3f7f Roberto Sassu 2023-09-12 312 memset(&ctx, 0, sizeof(ctx)); e8c01f299ab793 David Howells 2023-09-12 313 ctx.pgp.types_of_interest = (1 << PGP_PKT_PUBLIC_KEY) | e8c01f299ab793 David Howells 2023-09-12 314 (1 << PGP_PKT_USER_ID); 4e59d757dc3f7f Roberto Sassu 2023-09-12 315 ctx.pgp.process_packet = pgp_process_public_key; 4e59d757dc3f7f Roberto Sassu 2023-09-12 316 4e59d757dc3f7f Roberto Sassu 2023-09-12 317 ret = pgp_parse_packets(prep->data, prep->datalen, &ctx.pgp); 4e59d757dc3f7f Roberto Sassu 2023-09-12 318 if (ret < 0) 4e59d757dc3f7f Roberto Sassu 2023-09-12 319 goto error; 4e59d757dc3f7f Roberto Sassu 2023-09-12 320 e8c01f299ab793 David Howells 2023-09-12 321 if (!ctx.fingerprint) { e8c01f299ab793 David Howells 2023-09-12 322 ret = -EINVAL; e8c01f299ab793 David Howells 2023-09-12 323 goto error; e8c01f299ab793 David Howells 2023-09-12 324 } e8c01f299ab793 David Howells 2023-09-12 325 e8c01f299ab793 David Howells 2023-09-12 326 if (ctx.user_id && ctx.user_id_len > 0) { e8c01f299ab793 David Howells 2023-09-12 327 /* Propose a description for the key e8c01f299ab793 David Howells 2023-09-12 328 * (user ID without the comment) e8c01f299ab793 David Howells 2023-09-12 329 */ e8c01f299ab793 David Howells 2023-09-12 330 size_t ulen = ctx.user_id_len, flen = ctx.fingerprint_len; e8c01f299ab793 David Howells 2023-09-12 331 const char *p; e8c01f299ab793 David Howells 2023-09-12 332 e8c01f299ab793 David Howells 2023-09-12 333 p = memchr(ctx.user_id, '(', ulen); e8c01f299ab793 David Howells 2023-09-12 334 if (p) { e8c01f299ab793 David Howells 2023-09-12 335 /* Remove the comment */ e8c01f299ab793 David Howells 2023-09-12 336 do { e8c01f299ab793 David Howells 2023-09-12 337 p--; e8c01f299ab793 David Howells 2023-09-12 338 } while (*p == ' ' && p > ctx.user_id); e8c01f299ab793 David Howells 2023-09-12 339 if (*p != ' ') e8c01f299ab793 David Howells 2023-09-12 340 p++; e8c01f299ab793 David Howells 2023-09-12 341 ulen = p - ctx.user_id; e8c01f299ab793 David Howells 2023-09-12 342 } e8c01f299ab793 David Howells 2023-09-12 343 e8c01f299ab793 David Howells 2023-09-12 344 if (ulen > 255 - 9) e8c01f299ab793 David Howells 2023-09-12 345 ulen = 255 - 9; e8c01f299ab793 David Howells 2023-09-12 346 prep->description = kmalloc(ulen + 1 + 8 + 1, GFP_KERNEL); e8c01f299ab793 David Howells 2023-09-12 347 ret = -ENOMEM; e8c01f299ab793 David Howells 2023-09-12 348 if (!prep->description) e8c01f299ab793 David Howells 2023-09-12 349 goto error; e8c01f299ab793 David Howells 2023-09-12 350 memcpy(prep->description, ctx.user_id, ulen); e8c01f299ab793 David Howells 2023-09-12 351 prep->description[ulen] = ' '; e8c01f299ab793 David Howells 2023-09-12 352 memcpy(prep->description + ulen + 1, e8c01f299ab793 David Howells 2023-09-12 353 ctx.fingerprint + flen - 8, 8); e8c01f299ab793 David Howells 2023-09-12 354 prep->description[ulen + 9] = 0; e8c01f299ab793 David Howells 2023-09-12 355 pr_debug("desc '%s'\n", prep->description); e8c01f299ab793 David Howells 2023-09-12 356 } e8c01f299ab793 David Howells 2023-09-12 357 4e59d757dc3f7f Roberto Sassu 2023-09-12 358 /* We're pinning the module by being linked against it */ 4e59d757dc3f7f Roberto Sassu 2023-09-12 @359 __module_get(public_key_subtype.owner); 4e59d757dc3f7f Roberto Sassu 2023-09-12 360 prep->payload.data[asym_subtype] = &public_key_subtype; 4e59d757dc3f7f Roberto Sassu 2023-09-12 361 prep->payload.data[asym_key_ids] = pgp_key_generate_id(&ctx); 4e59d757dc3f7f Roberto Sassu 2023-09-12 362 prep->payload.data[asym_crypto] = ctx.pub; 4e59d757dc3f7f Roberto Sassu 2023-09-12 363 prep->quotalen = 100; 4e59d757dc3f7f Roberto Sassu 2023-09-12 364 kfree(ctx.fingerprint); 4e59d757dc3f7f Roberto Sassu 2023-09-12 365 kfree(ctx.raw_fingerprint); 4e59d757dc3f7f Roberto Sassu 2023-09-12 366 return 0; 4e59d757dc3f7f Roberto Sassu 2023-09-12 367 4e59d757dc3f7f Roberto Sassu 2023-09-12 368 error: 4e59d757dc3f7f Roberto Sassu 2023-09-12 @369 public_key_free(ctx.pub); 4e59d757dc3f7f Roberto Sassu 2023-09-12 370 kfree(ctx.fingerprint); 4e59d757dc3f7f Roberto Sassu 2023-09-12 371 kfree(ctx.raw_fingerprint); 4e59d757dc3f7f Roberto Sassu 2023-09-12 372 return ret; 4e59d757dc3f7f Roberto Sassu 2023-09-12 373 } 4e59d757dc3f7f Roberto Sassu 2023-09-12 374 :::::: The code at line 359 was first introduced by commit :::::: 4e59d757dc3f7f2e2a646a2e3f0f271ae4599eeb KEYS: PGP data parser :::::: TO: Roberto Sassu <roberto.sassu(a)huawei.com> :::::: CC: zgzxx <zhangguangzhi3(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 13309/13457] ld.lld: error: duplicate symbol: psp_register_cmd_notifier
by kernel test robot 21 Aug '24

21 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: a768b922343d9cab29e2e0aaef1d4bdee47cfbb5 commit: d0b3a770d8e20d953fe2a74ea8c4b5f4767c4add [13309/13457] crypto: command co-processor: Add another mailbox interrupt support for PSP sending command to X86 config: x86_64-buildonly-randconfig-002-20240821 (https://download.01.org/0day-ci/archive/20240821/202408210406.xQBoe5bW-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240821/202408210406.xQBoe5bW-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408210406.xQBoe5bW-lkp@intel.com/ All errors (new ones prefixed by >>): >> ld.lld: error: duplicate symbol: psp_register_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_register_cmd_notifier) in archive vmlinux.a >>> defined at csv-dev.c >>> drivers/crypto/ccp/hygon/csv-dev.o:(.text+0x0) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_unregister_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_unregister_cmd_notifier) in archive vmlinux.a >>> defined at csv-dev.c >>> drivers/crypto/ccp/hygon/csv-dev.o:(.text+0x20) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_register_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_register_cmd_notifier) in archive vmlinux.a >>> defined at ring-buffer.c >>> drivers/crypto/ccp/hygon/ring-buffer.o:(.text+0x0) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_register_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_register_cmd_notifier) in archive vmlinux.a >>> defined at psp-dev.c >>> drivers/crypto/ccp/hygon/psp-dev.o:(.text+0x0) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_unregister_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_unregister_cmd_notifier) in archive vmlinux.a >>> defined at ring-buffer.c >>> drivers/crypto/ccp/hygon/ring-buffer.o:(.text+0x20) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_unregister_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_unregister_cmd_notifier) in archive vmlinux.a >>> defined at psp-dev.c >>> drivers/crypto/ccp/hygon/psp-dev.o:(.text+0x20) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_register_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_register_cmd_notifier) in archive vmlinux.a >>> defined at sev-dev.c >>> drivers/crypto/ccp/sev-dev.o:(.text+0x0) in archive vmlinux.a -- >> ld.lld: error: duplicate symbol: psp_unregister_cmd_notifier >>> defined at psp-dev.c >>> drivers/crypto/ccp/psp-dev.o:(psp_unregister_cmd_notifier) in archive vmlinux.a >>> defined at sev-dev.c >>> drivers/crypto/ccp/sev-dev.o:(.text+0x20) in archive vmlinux.a -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] nvme-pci: add missing condition check for existence of mapped data
by Li Lingfeng 20 Aug '24

20 Aug '24

From: Leon Romanovsky <leonro(a)nvidia.com> mainline inclusion from mainline-v6.11-rc1 commit c31fad1470389666ac7169fe43aa65bf5b7e2cfd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPOL CVE: CVE-2024-42276 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- nvme_map_data() is called when request has physical segments, hence the nvme_unmap_data() should have same condition to avoid dereference. Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data") Signed-off-by: Leon Romanovsky <leonro(a)nvidia.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Nitesh Shetty <nj.shetty(a)samsung.com> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Conflicts: drivers/nvme/host/pci.c [Commit 62451a2b2e7e ("nvme: separate command prep and issue") separate nvme_map_data/nvme_unmap_data from nvme_queue_rq to nvme_prep_rq.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/nvme/host/pci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index c378649b583b..c4a0c1611629 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -947,7 +947,8 @@ static blk_status_t nvme_queue_rq(struct blk_mq_hw_ctx *hctx, nvme_submit_cmd(nvmeq, cmnd, bd->last); return BLK_STS_OK; out_unmap_data: - nvme_unmap_data(dev, req); + if (blk_rq_nr_phys_segments(req)) + nvme_unmap_data(dev, req); out_free_cmd: nvme_cleanup_cmd(req); return ret; -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS-SP1] media: mediatek: vcodec: Handle invalid decoder vsi
by Cai Xinchen 20 Aug '24

20 Aug '24

From: Irui Wang <irui.wang(a)mediatek.com> mainline inclusion from mainline-v6.11-rc1 commit 59d438f8e02ca641c58d77e1feffa000ff809e9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ2F CVE: CVE-2024-43831 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Irui Wang <irui.wang(a)mediatek.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Sebastian Fricke <sebastian.fricke(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Conflicts: drivers/media/platform/mtk-vcodec/vdec_vpu_if.c [vpu_dec_init is moved from drivers/media/platform/mtk-vcodec/vdec_vpu_if.c to drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c. Using mtk_vcodec_err instead of mtk_vdec_err becuase 0db2fc4eec23e4c92abee357e98d9f97998098b4 is not merged] Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/media/platform/mtk-vcodec/vdec_vpu_if.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c b/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c index 58b0e6fa8fd2..93d40f0e0f79 100644 --- a/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c +++ b/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c @@ -127,6 +127,12 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) mtk_vcodec_debug(vpu, "vdec_inst=%p", vpu); err = vcodec_vpu_send_msg(vpu, (void *)&msg, sizeof(msg)); + + if (IS_ERR_OR_NULL(vpu->vsi)) { + mtk_vcodec_err(vpu, "invalid vdec vsi, status=%d", err); + return -EINVAL; + } + mtk_vcodec_debug(vpu, "- ret=%d", err); return err; } -- 2.34.1

2 1

[PATCH OLK-5.10] media: mediatek: vcodec: Handle invalid decoder vsi
by Cai Xinchen 20 Aug '24

20 Aug '24

From: Irui Wang <irui.wang(a)mediatek.com> mainline inclusion from mainline-v6.11-rc1 commit 59d438f8e02ca641c58d77e1feffa000ff809e9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ2F CVE: CVE-2024-43831 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Irui Wang <irui.wang(a)mediatek.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Sebastian Fricke <sebastian.fricke(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Conflicts: drivers/media/platform/mtk-vcodec/vdec_vpu_if.c [vpu_dec_init is moved from drivers/media/platform/mtk-vcodec/vdec_vpu_if.c to drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c. Using mtk_vcodec_err instead of mtk_vdec_err becuase 0db2fc4eec23e4c92abee357e98d9f97998098b4 is not merged] Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/media/platform/mtk-vcodec/vdec_vpu_if.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c b/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c index 58b0e6fa8fd2..93d40f0e0f79 100644 --- a/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c +++ b/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c @@ -127,6 +127,12 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) mtk_vcodec_debug(vpu, "vdec_inst=%p", vpu); err = vcodec_vpu_send_msg(vpu, (void *)&msg, sizeof(msg)); + + if (IS_ERR_OR_NULL(vpu->vsi)) { + mtk_vcodec_err(vpu, "invalid vdec vsi, status=%d", err); + return -EINVAL; + } + mtk_vcodec_debug(vpu, "- ret=%d", err); return err; } -- 2.34.1

2 1

[PATCH OLK-5.10] hfsplus: fix uninit-value in copy_name
by Wenyu Huang 20 Aug '24

20 Aug '24

From: Edward Adam Davis <eadavis(a)qq.com> stable inclusion from stable-v5.10.223 commit 34f8efd2743f2d961e92e8e994de4c7a2f9e74a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELD CVE: CVE-2024-41059 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 0570730c16307a72f8241df12363f76600baf57d ] [syzbot reported] BUG: KMSAN: uninit-value in sized_strscpy+0xc4/0x160 sized_strscpy+0xc4/0x160 copy_name+0x2af/0x320 fs/hfsplus/xattr.c:411 hfsplus_listxattr+0x11e9/0x1a50 fs/hfsplus/xattr.c:750 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3877 [inline] slab_alloc_node mm/slub.c:3918 [inline] kmalloc_trace+0x57b/0xbe0 mm/slub.c:4065 kmalloc include/linux/slab.h:628 [inline] hfsplus_listxattr+0x4cc/0x1a50 fs/hfsplus/xattr.c:699 vfs_listxattr fs/xattr.c:493 [inline] listxattr+0x1f3/0x6b0 fs/xattr.c:840 path_listxattr fs/xattr.c:864 [inline] __do_sys_listxattr fs/xattr.c:876 [inline] __se_sys_listxattr fs/xattr.c:873 [inline] __x64_sys_listxattr+0x16b/0x2f0 fs/xattr.c:873 x64_sys_call+0x2ba0/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:195 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Fix] When allocating memory to strbuf, initialize memory to 0. Reported-and-tested-by: syzbot+efde959319469ff8d4d7(a)syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Link: https://lore.kernel.org/r/tencent_8BBB6433BC9E1C1B7B4BDF1BF52574BA8808@qq.c… Reported-and-tested-by: syzbot+01ade747b16e9c8030e0(a)syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wenyu Huang <huangwenyu5(a)huawei.com> --- fs/hfsplus/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c index bb0b27d88e502..d91f76ef18d9b 100644 --- a/fs/hfsplus/xattr.c +++ b/fs/hfsplus/xattr.c @@ -700,7 +700,7 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size) return err; } - strbuf = kmalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + + strbuf = kzalloc(NLS_MAX_CHARSET_SIZE * HFSPLUS_ATTR_MAX_STRLEN + XATTR_MAC_OSX_PREFIX_LEN + 1, GFP_KERNEL); if (!strbuf) { res = -ENOMEM; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] media: mediatek: vcodec: Handle invalid decoder vsi
by Cai Xinchen 20 Aug '24

20 Aug '24

From: Irui Wang <irui.wang(a)mediatek.com> mainline inclusion from mainline-v6.11-rc1 commit 59d438f8e02ca641c58d77e1feffa000ff809e9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ2F CVE: CVE-2024-43831 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Handle an invalid decoder vsi in vpu_dec_init to ensure the decoder vsi is valid for future use. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Irui Wang <irui.wang(a)mediatek.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Sebastian Fricke <sebastian.fricke(a)collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Conflicts: drivers/media/platform/mtk-vcodec/vdec_vpu_if.c [vpu_dec_init is moved from drivers/media/platform/mtk-vcodec/vdec_vpu_if.c to drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c. Using mtk_vcodec_err instead of mtk_vdec_err becuase 0db2fc4eec23e4c92abee357e98d9f97998098b4 is not merged] Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/media/platform/mtk-vcodec/vdec_vpu_if.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c b/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c index 1abd14e79565..59542139b271 100644 --- a/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c +++ b/drivers/media/platform/mtk-vcodec/vdec_vpu_if.c @@ -124,6 +124,12 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) mtk_vcodec_debug(vpu, "vdec_inst=%p", vpu); err = vcodec_vpu_send_msg(vpu, (void *)&msg, sizeof(msg)); + + if (IS_ERR_OR_NULL(vpu->vsi)) { + mtk_vcodec_err(vpu, "invalid vdec vsi, status=%d", err); + return -EINVAL; + } + mtk_vcodec_debug(vpu, "- ret=%d", err); return err; } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] mm: avoid overflows in dirty throttling logic
by Wupeng Ma 20 Aug '24

20 Aug '24

From: Jan Kara <jack(a)suse.cz> stable inclusion from stable-v5.10.222 commit 7a49389771ae7666f4dc3426e2a4594bf23ae290 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGZUU CVE: CVE-2024-42131 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 385d838df280eba6c8680f9777bfa0d0bfe7e8b2 upstream. The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix these problems by never allowing so large dirty limits as they have dubious practical value anyway. For dirty_bytes / dirty_background_bytes interfaces we can just refuse to set so large limits. For dirty_ratio / dirty_background_ratio it isn't so simple as the dirty limit is computed from the amount of available memory which can change due to memory hotplug etc. So when converting dirty limits from ratios to numbers of pages, we just don't allow the result to exceed UINT_MAX. This is root-only triggerable problem which occurs when the operator sets dirty limits to >16 TB. Link: https://lkml.kernel.org/r/20240621144246.11148-2-jack@suse.cz Signed-off-by: Jan Kara <jack(a)suse.cz> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Reviewed-By: Zach O'Keefe <zokeefe(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- mm/page-writeback.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/mm/page-writeback.c b/mm/page-writeback.c index e969667e8d62..0d7cc65c6367 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -427,13 +427,20 @@ static void domain_dirty_limits(struct dirty_throttle_control *dtc) else bg_thresh = (bg_ratio * available_memory) / PAGE_SIZE; - if (bg_thresh >= thresh) - bg_thresh = thresh / 2; tsk = current; if (rt_task(tsk)) { bg_thresh += bg_thresh / 4 + global_wb_domain.dirty_limit / 32; thresh += thresh / 4 + global_wb_domain.dirty_limit / 32; } + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + if (thresh > UINT_MAX) + thresh = UINT_MAX; + /* This makes sure bg_thresh is within 32-bits as well */ + if (bg_thresh >= thresh) + bg_thresh = thresh / 2; dtc->thresh = thresh; dtc->bg_thresh = bg_thresh; @@ -483,7 +490,11 @@ static unsigned long node_dirty_limit(struct pglist_data *pgdat) if (rt_task(tsk)) dirty += dirty / 4; - return dirty; + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + return min_t(unsigned long, dirty, UINT_MAX); } /** @@ -519,10 +530,17 @@ int dirty_background_bytes_handler(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { int ret; + unsigned long old_bytes = dirty_background_bytes; ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); - if (ret == 0 && write) + if (ret == 0 && write) { + if (DIV_ROUND_UP(dirty_background_bytes, PAGE_SIZE) > + UINT_MAX) { + dirty_background_bytes = old_bytes; + return -ERANGE; + } dirty_background_ratio = 0; + } return ret; } @@ -548,6 +566,10 @@ int dirty_bytes_handler(struct ctl_table *table, int write, ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); if (ret == 0 && write && vm_dirty_bytes != old_bytes) { + if (DIV_ROUND_UP(vm_dirty_bytes, PAGE_SIZE) > UINT_MAX) { + vm_dirty_bytes = old_bytes; + return -ERANGE; + } writeback_set_ratelimit(); vm_dirty_ratio = 0; } -- 2.25.1

2 1

[PATCH OLK-6.6 0/6] ext4: some bugfixs for large iomap&folio
by Zhihao Cheng 20 Aug '24

20 Aug '24

Darrick J. Wong (1): xfs: hoist multi-fsb allocation unit detection to a helper Zhang Yi (4): xfs: reserve blocks for truncating large realtime inode iomap: don't mark blocks uptodate after partial zeroing iomap: reduce unnecessary state_lock when setting ifs uptodate and dirty bits iomap: optimize setting uptodate bit Zhihao Cheng (1): ext4: ext4_iomap_map_blocks: Fix null pointer deference in nojournal mode fs/ext4/inode.c | 2 +- fs/iomap/buffered-io.c | 44 ++++++++++++++++++++++++++++++++++++++---- fs/xfs/xfs_bmap_util.c | 4 ++-- fs/xfs/xfs_inode.h | 9 +++++++++ fs/xfs/xfs_iops.c | 15 +++++++++++++- 5 files changed, 66 insertions(+), 8 deletions(-) -- 2.31.1

2 7