From: robelin <robelin(a)nvidia.com>
stable inclusion
from stable-v5.10.226
commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA
CVE: CVE-2024-46798
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream.
When using a kernel with the following extra config,
- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_INLINE=y
- CONFIG_KASAN_VMALLOC=y
- CONFIG_FRAME_WARN=4096
the kernel detects that snd_pcm_suspend_all() accesses a freed
'snd_soc_pcm_runtime' object when the system is suspended, which
leads to a use-after-free bug:
[ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
[ 52.047785] Call trace:
[ 52.047787] dump_backtrace+0x0/0x3c0
[ 52.047794] show_stack+0x34/0x50
[ 52.047797] dump_stack_lvl+0x68/0x8c
[ 52.047802] print_address_description.constprop.0+0x74/0x2c0
[ 52.047809] kasan_report+0x210/0x230
[ 52.047815] __asan_report_load1_noabort+0x3c/0x50
[ 52.047820] snd_pcm_suspend_all+0x1a8/0x270
[ 52.047824] snd_soc_suspend+0x19c/0x4e0
snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
making any access. So we need to always set 'substream->runtime' to NULL
every time we kfree() it.
Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables")
Signed-off-by: robelin <robelin(a)nvidia.com>
Signed-off-by: Sameer Pujar <spujar(a)nvidia.com>
Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
sound/soc/soc-dapm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 754c1f16ee83..acb46e1f9c0a 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4014,6 +4014,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w,
case SND_SOC_DAPM_POST_PMD:
kfree(substream->runtime);
+ substream->runtime = NULL;
break;
default:
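Review bot: The reset at `+ substream->runtime = NULL;` gives the NULL check in snd_pcm_sync_stop() (cited in the commit message) something to catch, which is the right fix for the dangling pointer the KASAN report shows being read in snd_pcm_suspend_all(); the message, however, states the rule as "every time we kfree() it" while the diff touches one site, so it should either say that this SND_SOC_DAPM_POST_PMD branch is the only place the runtime is freed or cover the other sites in the same patch.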
--
2.25.1
From: robelin <robelin(a)nvidia.com>
stable inclusion
from stable-v5.10.226
commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA
CVE: CVE-2024-46798
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream.
When using a kernel with the following extra config,
- CONFIG_KASAN=y
- CONFIG_KASAN_GENERIC=y
- CONFIG_KASAN_INLINE=y
- CONFIG_KASAN_VMALLOC=y
- CONFIG_FRAME_WARN=4096
the kernel detects that snd_pcm_suspend_all() accesses a freed
'snd_soc_pcm_runtime' object when the system is suspended, which
leads to a use-after-free bug:
[ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330
[ 52.047785] Call trace:
[ 52.047787] dump_backtrace+0x0/0x3c0
[ 52.047794] show_stack+0x34/0x50
[ 52.047797] dump_stack_lvl+0x68/0x8c
[ 52.047802] print_address_description.constprop.0+0x74/0x2c0
[ 52.047809] kasan_report+0x210/0x230
[ 52.047815] __asan_report_load1_noabort+0x3c/0x50
[ 52.047820] snd_pcm_suspend_all+0x1a8/0x270
[ 52.047824] snd_soc_suspend+0x19c/0x4e0
snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before
making any access. So we need to always set 'substream->runtime' to NULL
every time we kfree() it.
Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables")
Signed-off-by: robelin <robelin(a)nvidia.com>
Signed-off-by: Sameer Pujar <spujar(a)nvidia.com>
Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
sound/soc/soc-dapm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 85e3bbf7e5f0..7729f8f4d5e6 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4018,6 +4018,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w,
case SND_SOC_DAPM_POST_PMD:
kfree(substream->runtime);
+ substream->runtime = NULL;
break;
default:
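Review bot: This copy carries the same one-line change on a different base (index 85e3bbf7e5f0..7729f8f4d5e6, hunk at line 4018 rather than 4014) with an otherwise identical message; the cover text should say which target branch this copy is for, since nothing in the patch itself distinguishes it from the first one, and the "every time we kfree() it" wording should be reconciled with the single kfree() site the diff actually changes.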
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: 686352476cd29ec854b93e09a49d57c25a18a32f
commit: 33116132568edcf6565cfd65cfa433f440d90494 [29872/30000] drm/qxl: Add check for drm_cvt_mode
config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409241604.35w0b2j4-lkp@intel.com/
Note: the openeuler/OLK-5.10 HEAD 686352476cd29ec854b93e09a49d57c25a18a32f builds fine.
It only hurts bisectability.
All errors (new ones prefixed by >>):
>> ld.lld: error: duplicate symbol: lld_dev_hold
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a
>>> defined at sss_adapter_mgmt.c
>>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x20) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: lld_dev_put
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a
>>> defined at sss_adapter_mgmt.c
>>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x80) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: g_uld_mutex
>>> defined at sss_pci_global.c
>>> net/ethernet/3snic/sssnic/hw/sss_pci_global.o:(g_uld_mutex) in archive drivers/built-in.a
>>> defined at hinic3_lld.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_lld.o:(.bss+0x340) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: lld_dev_hold
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a
>>> defined at hinic3_dev_mgmt.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x120) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: lld_dev_put
>>> defined at hifc_lld.c
>>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a
>>> defined at hinic3_dev_mgmt.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x180) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: nic_ioctl
>>> defined at hinic_nictool.c
>>> net/ethernet/huawei/hinic/hinic_nictool.o:(nic_ioctl) in archive drivers/built-in.a
>>> defined at hinic3_dbg.c
>>> net/ethernet/huawei/hinic3/hinic3_dbg.o:(.text+0x0) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: set_slave_host_enable
>>> defined at hinic_multi_host_mgmt.c
>>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_slave_host_enable) in archive drivers/built-in.a
>>> defined at hinic3_hwdev.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x0) in archive drivers/built-in.a
--
>> ld.lld: error: duplicate symbol: set_func_host_mode
>>> defined at hinic_multi_host_mgmt.c
>>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_func_host_mode) in archive drivers/built-in.a
>>> defined at hinic3_hwdev.c
>>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x2C0) in archive drivers/built-in.a
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
mainline inclusion
from mainline-v6.11-rc7
commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L
CVE: CVE-2024-46738
Reference: https://lore.kernel.org/lkml/20240828154338.754746-1-david.fernandez.gonzal…
--------------------------------
When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.
It is possible though to create two resources with different types
but same handle (same context and resource fields).
When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.
BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0
This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
Cc: stable(a)vger.kernel.org
Reported-by: George Kennedy <george.kennedy(a)oracle.com>
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c
index da1ee2e1ba99..2779704e128a 100644
--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -152,7 +152,8 @@ void vmci_resource_remove(struct vmci_resource *resource)
spin_lock(&vmci_resource_table.lock);
hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
- if (vmci_handle_is_equal(r->handle, resource->handle)) {
+ if (vmci_handle_is_equal(r->handle, resource->handle) &&
+ resource->type == r->type) {
hlist_del_init_rcu(&r->node);
break;
}
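Review bot: vmci_resource_remove() receives the exact object to unlink, so comparing `r == resource` would remove precisely the intended entry without depending on (handle, type) being unique within the bucket; if the `vmci_handle_is_equal(r->handle, resource->handle) && resource->type == r->type` form is kept, the commit message should state why pointer identity is not sufficient, because the `break` after `hlist_del_init_rcu(&r->node)` still unlinks only the first (handle, type) match.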
--
2.34.1
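The failure mode described in the commit message above, as an added example that is not part of the patch or of the vmw_vmci driver: a simplified resource table keyed on (context, resource) holds two entries with the same handle but different types, and a removal that matches on handle alone unlinks the wrong object, leaving the table pointing at the one the caller then frees. All names and structures here (`struct handle`, `struct resource`, `table_remove`, `run_scenario`) are invented for the example; the real driver uses hlist buckets and kfree(), which is modelled by checking whether the table still references the object's address instead of actually freeing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver's handle: (context, resource). */
struct handle { unsigned context; unsigned resource; };
enum res_type { RES_DATAGRAM = 0, RES_QPAIR = 1 };

struct resource {
    struct handle handle;
    enum res_type type;
    struct resource *next;   /* single bucket, singly linked for brevity */
};

struct table { struct resource *head; };

static bool handle_is_equal(struct handle a, struct handle b)
{
    return a.context == b.context && a.resource == b.resource;
}

static void table_add(struct table *t, struct resource *r)
{
    r->next = t->head;
    t->head = r;
}

/* Unlink the first entry whose key matches and return it (NULL if none).
 * check_type == false models the pre-patch comparison on handle only;
 * check_type == true models the patched handle-and-type comparison. */
static struct resource *table_remove(struct table *t, const struct resource *key,
                                     bool check_type)
{
    struct resource **pp;
    for (pp = &t->head; *pp; pp = &(*pp)->next) {
        struct resource *r = *pp;
        if (handle_is_equal(r->handle, key->handle) &&
            (!check_type || r->type == key->type)) {
            *pp = r->next;
            r->next = NULL;
            return r;
        }
    }
    return NULL;
}

/* Does the table still reference this object's address? (No dereference.) */
static bool table_contains(const struct table *t, const struct resource *r)
{
    for (const struct resource *p = t->head; p; p = p->next)
        if (p == r)
            return true;
    return false;
}

struct outcome {
    int unlinked_type;   /* type of the entry actually unlinked, -1 if none */
    bool dangling;       /* table still points at the object about to be freed */
};

/* Constructed scenario: a queue pair and a datagram share handle (7, 42).
 * The caller destroys the datagram and, like vmci_datagram_destroy_handle(),
 * frees it regardless of which entry the remove call unlinked. */
struct outcome run_scenario(bool check_type)
{
    struct table t = { NULL };
    struct resource dg = { { 7, 42 }, RES_DATAGRAM, NULL };
    struct resource qp = { { 7, 42 }, RES_QPAIR, NULL };
    struct outcome out = { -1, false };

    table_add(&t, &dg);
    table_add(&t, &qp);   /* qp now precedes dg in the bucket */

    struct resource *removed = table_remove(&t, &dg, check_type);
    if (removed)
        out.unlinked_type = (int)removed->type;

    /* The datagram is freed here in the driver; a remaining reference to
     * its address is the dangling pointer KASAN later reports. */
    out.dangling = table_contains(&t, &dg);
    return out;
}

int main(void)
{
    struct outcome before = run_scenario(false);
    struct outcome after = run_scenario(true);
    printf("handle only : unlinked type %d, dangling=%d\n",
           before.unlinked_type, before.dangling);
    printf("handle+type : unlinked type %d, dangling=%d\n",
           after.unlinked_type, after.dangling);
    return 0;
}
```

With the handle-only match the queue-pair entry is unlinked and the datagram stays in the table after it is freed; with the type included in the match the datagram itself is unlinked and no stale reference remains.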