January 2025 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()
by Qi Xi 07 Jan '25

07 Jan '25

From: Gaosheng Cui <cuigaosheng1(a)huawei.com> mainline inclusion from mainline-v6.13-rc1 commit 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAMP CVE: CVE-2024-56572 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The buffer in the loop should be released under the exception path, otherwise there may be a memory leak here. To mitigate this, free the buffer when allegro_alloc_buffer fails. Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Conflicts: drivers/media/platform/allegro-dvt/allegro-core.c drivers/staging/media/allegro-dvt/allegro-core.c [Context conflicts] Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/staging/media/allegro-dvt/allegro-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/media/allegro-dvt/allegro-core.c b/drivers/staging/media/allegro-dvt/allegro-core.c index 28b6ba895ccd..84bd3d8649a8 100644 --- a/drivers/staging/media/allegro-dvt/allegro-core.c +++ b/drivers/staging/media/allegro-dvt/allegro-core.c @@ -1208,8 +1208,10 @@ static int allocate_buffers_internal(struct allegro_channel *channel, INIT_LIST_HEAD(&buffer->head); err = allegro_alloc_buffer(dev, buffer, size); - if (err) + if (err) { + kfree(buffer); goto err; + } list_add(&buffer->head, list); } -- 2.33.0

2 1

[PATCH OLK-6.6] media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()
by Qi Xi 07 Jan '25

07 Jan '25

From: Gaosheng Cui <cuigaosheng1(a)huawei.com> mainline inclusion from mainline-v6.13-rc1 commit 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAMP CVE: CVE-2024-56572 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The buffer in the loop should be released under the exception path, otherwise there may be a memory leak here. To mitigate this, free the buffer when allegro_alloc_buffer fails. Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Gaosheng Cui <cuigaosheng1(a)huawei.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/media/platform/allegro-dvt/allegro-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c index da61f9beb6b4..7dffea2ad88a 100644 --- a/drivers/media/platform/allegro-dvt/allegro-core.c +++ b/drivers/media/platform/allegro-dvt/allegro-core.c @@ -1509,8 +1509,10 @@ static int allocate_buffers_internal(struct allegro_channel *channel, INIT_LIST_HEAD(&buffer->head); err = allegro_alloc_buffer(dev, buffer, size); - if (err) + if (err) { + kfree(buffer); goto err; + } list_add(&buffer->head, list); } -- 2.33.0

2 1

[PATCH openEuler-22.03-LTS-SP1] i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()
by Qi Xi 07 Jan '25

07 Jan '25

From: Frank Li <Frank.Li(a)nxp.com> mainline inclusion from mainline-v6.13-rc1 commit 3082990592f7c6d7510a9133afa46e31bbe26533 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAM5 CVE: CVE-2024-56562 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- if (dev->boardinfo && dev->boardinfo->init_dyn_addr) ^^^ here check "init_dyn_addr" i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, ...) ^^^^ free "dyn_addr" Fix copy/paste error "dyn_addr" by replacing it with "init_dyn_addr". Cc: stable(a)kernel.org Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") Reviewed-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Signed-off-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20241001162608.224039-1-Frank.Li@nxp.com Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/i3c/master.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c index 1c6b78ad5ade..c3f1345c08de 100644 --- a/drivers/i3c/master.c +++ b/drivers/i3c/master.c @@ -1285,7 +1285,7 @@ static void i3c_master_put_i3c_addrs(struct i3c_dev_desc *dev) I3C_ADDR_SLOT_FREE); if (dev->boardinfo && dev->boardinfo->init_dyn_addr) - i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, + i3c_bus_set_addr_slot_status(&master->bus, dev->boardinfo->init_dyn_addr, I3C_ADDR_SLOT_FREE); } -- 2.33.0

2 1

[PATCH OLK-5.10] i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()
by Qi Xi 07 Jan '25

07 Jan '25

From: Frank Li <Frank.Li(a)nxp.com> mainline inclusion from mainline-v6.13-rc1 commit 3082990592f7c6d7510a9133afa46e31bbe26533 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAM5 CVE: CVE-2024-56562 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- if (dev->boardinfo && dev->boardinfo->init_dyn_addr) ^^^ here check "init_dyn_addr" i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, ...) ^^^^ free "dyn_addr" Fix copy/paste error "dyn_addr" by replacing it with "init_dyn_addr". Cc: stable(a)kernel.org Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") Reviewed-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Signed-off-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20241001162608.224039-1-Frank.Li@nxp.com Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/i3c/master.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c index 828fb236a63a..2527965a6f24 100644 --- a/drivers/i3c/master.c +++ b/drivers/i3c/master.c @@ -1285,7 +1285,7 @@ static void i3c_master_put_i3c_addrs(struct i3c_dev_desc *dev) I3C_ADDR_SLOT_FREE); if (dev->boardinfo && dev->boardinfo->init_dyn_addr) - i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, + i3c_bus_set_addr_slot_status(&master->bus, dev->boardinfo->init_dyn_addr, I3C_ADDR_SLOT_FREE); } -- 2.33.0

2 1

[PATCH OLK-6.6] i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()
by Qi Xi 07 Jan '25

07 Jan '25

From: Frank Li <Frank.Li(a)nxp.com> mainline inclusion from mainline-v6.13-rc1 commit 3082990592f7c6d7510a9133afa46e31bbe26533 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAM5 CVE: CVE-2024-56562 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- if (dev->boardinfo && dev->boardinfo->init_dyn_addr) ^^^ here check "init_dyn_addr" i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, ...) ^^^^ free "dyn_addr" Fix copy/paste error "dyn_addr" by replacing it with "init_dyn_addr". Cc: stable(a)kernel.org Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure") Reviewed-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Signed-off-by: Frank Li <Frank.Li(a)nxp.com> Link: https://lore.kernel.org/r/20241001162608.224039-1-Frank.Li@nxp.com Signed-off-by: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- drivers/i3c/master.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c index 0e9ff5500a77..70d120dfb090 100644 --- a/drivers/i3c/master.c +++ b/drivers/i3c/master.c @@ -1293,7 +1293,7 @@ static void i3c_master_put_i3c_addrs(struct i3c_dev_desc *dev) I3C_ADDR_SLOT_FREE); if (dev->boardinfo && dev->boardinfo->init_dyn_addr) - i3c_bus_set_addr_slot_status(&master->bus, dev->info.dyn_addr, + i3c_bus_set_addr_slot_status(&master->bus, dev->boardinfo->init_dyn_addr, I3C_ADDR_SLOT_FREE); } -- 2.33.0

2 1

[PATCH openEuler-22.03-LTS-SP1] mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device
by Zeng Heng 07 Jan '25

07 Jan '25

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v5.10.231 commit 0b648968bfa4f5c9c4983bca9f2de17626ed6fb6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEDOS CVE: CVE-2024-56691 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 686fb77712a4bc94b76a0c5ae74c60118b7a0d79 ] While design wise the idea of converting the driver to use the hierarchy of the IRQ chips is correct, the implementation has (inherited) flaws. This was unveiled when platform_get_irq() had started WARN() on IRQ 0 that is supposed to be a Linux IRQ number (also known as vIRQ). Rework the driver to respect IRQ domain when creating each MFD device separately, as the domain is not the same for all of them. Fixes: 9c6235c86332 ("mfd: intel_soc_pmic_bxtwc: Add bxt_wcove_usbc device") Fixes: d2061f9cc32d ("usb: typec: add driver for Intel Whiskey Cove PMIC USB Type-C PHY") Fixes: 57129044f504 ("mfd: intel_soc_pmic_bxtwc: Use chained IRQs for second level IRQ chips") Reported-by: Zhang Ning <zhangn1985(a)outlook.com> Closes: https://lore.kernel.org/r/TY2PR01MB3322FEDCDC048B7D3794F922CDBA2@TY2PR01MB3… Tested-by: Zhang Ning <zhangn1985(a)outlook.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Acked-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Link: https://lore.kernel.org/r/20241005193029.1929139-2-andriy.shevchenko@linux.… Signed-off-by: Lee Jones <lee(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- drivers/mfd/intel_soc_pmic_bxtwc.c | 61 ++++++++++++++++++++---------- drivers/usb/typec/tcpm/wcove.c | 4 -- 2 files changed, 40 insertions(+), 25 deletions(-) diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c index eba89780dbe7..e1570191795d 100644 --- a/drivers/mfd/intel_soc_pmic_bxtwc.c +++ b/drivers/mfd/intel_soc_pmic_bxtwc.c @@ -240,16 +240,6 @@ static struct mfd_cell bxt_wc_dev[] = { .num_resources = ARRAY_SIZE(thermal_resources), .resources = thermal_resources, }, - { - .name = "bxt_wcove_usbc", - .num_resources = ARRAY_SIZE(usbc_resources), - .resources = usbc_resources, - }, - { - .name = "bxt_wcove_ext_charger", - .num_resources = ARRAY_SIZE(charger_resources), - .resources = charger_resources, - }, { .name = "bxt_wcove_bcu", .num_resources = ARRAY_SIZE(bcu_resources), @@ -271,6 +261,19 @@ static struct mfd_cell bxt_wc_dev[] = { }, }; +static struct mfd_cell bxt_wc_chgr_dev[] = { + { + .name = "bxt_wcove_usbc", + .num_resources = ARRAY_SIZE(usbc_resources), + .resources = usbc_resources, + }, + { + .name = "bxt_wcove_ext_charger", + .num_resources = ARRAY_SIZE(charger_resources), + .resources = charger_resources, + }, +}; + static int regmap_ipc_byte_reg_read(void *context, unsigned int reg, unsigned int *val) { @@ -421,6 +424,26 @@ static int bxtwc_add_chained_irq_chip(struct intel_soc_pmic *pmic, 0, chip, data); } +static int bxtwc_add_chained_devices(struct intel_soc_pmic *pmic, + const struct mfd_cell *cells, int n_devs, + struct regmap_irq_chip_data *pdata, + int pirq, int irq_flags, + const struct regmap_irq_chip *chip, + struct regmap_irq_chip_data **data) +{ + struct device *dev = pmic->dev; + struct irq_domain *domain; + int ret; + + ret = bxtwc_add_chained_irq_chip(pmic, pdata, pirq, irq_flags, chip, data); + if (ret) + return dev_err_probe(dev, ret, "Failed to add %s IRQ chip\n", chip->name); + + domain = regmap_irq_get_domain(*data); + + return devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE, cells, n_devs, NULL, 0, domain); +} + static int bxtwc_probe(struct platform_device *pdev) { int ret; @@ -520,18 +543,14 @@ static int bxtwc_probe(struct platform_device *pdev) return ret; } - /* Add chained IRQ handler for CHGR IRQs */ - ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data, - BXTWC_CHGR_LVL1_IRQ, - IRQF_ONESHOT, - &bxtwc_regmap_irq_chip_chgr, - &pmic->irq_chip_data_chgr); - - - if (ret) { - dev_err(&pdev->dev, "Failed to add CHGR IRQ chip\n"); + ret = bxtwc_add_chained_devices(pmic, bxt_wc_chgr_dev, ARRAY_SIZE(bxt_wc_chgr_dev), + pmic->irq_chip_data, + BXTWC_CHGR_LVL1_IRQ, + IRQF_ONESHOT, + &bxtwc_regmap_irq_chip_chgr, + &pmic->irq_chip_data_chgr); + if (ret) return ret; - } /* Add chained IRQ handler for CRIT IRQs */ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data, diff --git a/drivers/usb/typec/tcpm/wcove.c b/drivers/usb/typec/tcpm/wcove.c index 7e9c279bf49d..22fe8d60fe36 100644 --- a/drivers/usb/typec/tcpm/wcove.c +++ b/drivers/usb/typec/tcpm/wcove.c @@ -620,10 +620,6 @@ static int wcove_typec_probe(struct platform_device *pdev) if (irq < 0) return irq; - irq = regmap_irq_get_virq(pmic->irq_chip_data_chgr, irq); - if (irq < 0) - return irq; - ret = guid_parse(WCOVE_DSM_UUID, &wcove->guid); if (ret) return ret; -- 2.25.1

2 1

[PATCH OLK-5.10] mfd: intel_soc_pmic_bxtwc: Use IRQ domain for USB Type-C device
by Zeng Heng 07 Jan '25

07 Jan '25

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v5.10.231 commit 0b648968bfa4f5c9c4983bca9f2de17626ed6fb6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEDOS CVE: CVE-2024-56691 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 686fb77712a4bc94b76a0c5ae74c60118b7a0d79 ] While design wise the idea of converting the driver to use the hierarchy of the IRQ chips is correct, the implementation has (inherited) flaws. This was unveiled when platform_get_irq() had started WARN() on IRQ 0 that is supposed to be a Linux IRQ number (also known as vIRQ). Rework the driver to respect IRQ domain when creating each MFD device separately, as the domain is not the same for all of them. Fixes: 9c6235c86332 ("mfd: intel_soc_pmic_bxtwc: Add bxt_wcove_usbc device") Fixes: d2061f9cc32d ("usb: typec: add driver for Intel Whiskey Cove PMIC USB Type-C PHY") Fixes: 57129044f504 ("mfd: intel_soc_pmic_bxtwc: Use chained IRQs for second level IRQ chips") Reported-by: Zhang Ning <zhangn1985(a)outlook.com> Closes: https://lore.kernel.org/r/TY2PR01MB3322FEDCDC048B7D3794F922CDBA2@TY2PR01MB3… Tested-by: Zhang Ning <zhangn1985(a)outlook.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Acked-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Link: https://lore.kernel.org/r/20241005193029.1929139-2-andriy.shevchenko@linux.… Signed-off-by: Lee Jones <lee(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- drivers/mfd/intel_soc_pmic_bxtwc.c | 61 ++++++++++++++++++++---------- drivers/usb/typec/tcpm/wcove.c | 4 -- 2 files changed, 40 insertions(+), 25 deletions(-) diff --git a/drivers/mfd/intel_soc_pmic_bxtwc.c b/drivers/mfd/intel_soc_pmic_bxtwc.c index eba89780dbe7..e1570191795d 100644 --- a/drivers/mfd/intel_soc_pmic_bxtwc.c +++ b/drivers/mfd/intel_soc_pmic_bxtwc.c @@ -240,16 +240,6 @@ static struct mfd_cell bxt_wc_dev[] = { .num_resources = ARRAY_SIZE(thermal_resources), .resources = thermal_resources, }, - { - .name = "bxt_wcove_usbc", - .num_resources = ARRAY_SIZE(usbc_resources), - .resources = usbc_resources, - }, - { - .name = "bxt_wcove_ext_charger", - .num_resources = ARRAY_SIZE(charger_resources), - .resources = charger_resources, - }, { .name = "bxt_wcove_bcu", .num_resources = ARRAY_SIZE(bcu_resources), @@ -271,6 +261,19 @@ static struct mfd_cell bxt_wc_dev[] = { }, }; +static struct mfd_cell bxt_wc_chgr_dev[] = { + { + .name = "bxt_wcove_usbc", + .num_resources = ARRAY_SIZE(usbc_resources), + .resources = usbc_resources, + }, + { + .name = "bxt_wcove_ext_charger", + .num_resources = ARRAY_SIZE(charger_resources), + .resources = charger_resources, + }, +}; + static int regmap_ipc_byte_reg_read(void *context, unsigned int reg, unsigned int *val) { @@ -421,6 +424,26 @@ static int bxtwc_add_chained_irq_chip(struct intel_soc_pmic *pmic, 0, chip, data); } +static int bxtwc_add_chained_devices(struct intel_soc_pmic *pmic, + const struct mfd_cell *cells, int n_devs, + struct regmap_irq_chip_data *pdata, + int pirq, int irq_flags, + const struct regmap_irq_chip *chip, + struct regmap_irq_chip_data **data) +{ + struct device *dev = pmic->dev; + struct irq_domain *domain; + int ret; + + ret = bxtwc_add_chained_irq_chip(pmic, pdata, pirq, irq_flags, chip, data); + if (ret) + return dev_err_probe(dev, ret, "Failed to add %s IRQ chip\n", chip->name); + + domain = regmap_irq_get_domain(*data); + + return devm_mfd_add_devices(dev, PLATFORM_DEVID_NONE, cells, n_devs, NULL, 0, domain); +} + static int bxtwc_probe(struct platform_device *pdev) { int ret; @@ -520,18 +543,14 @@ static int bxtwc_probe(struct platform_device *pdev) return ret; } - /* Add chained IRQ handler for CHGR IRQs */ - ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data, - BXTWC_CHGR_LVL1_IRQ, - IRQF_ONESHOT, - &bxtwc_regmap_irq_chip_chgr, - &pmic->irq_chip_data_chgr); - - - if (ret) { - dev_err(&pdev->dev, "Failed to add CHGR IRQ chip\n"); + ret = bxtwc_add_chained_devices(pmic, bxt_wc_chgr_dev, ARRAY_SIZE(bxt_wc_chgr_dev), + pmic->irq_chip_data, + BXTWC_CHGR_LVL1_IRQ, + IRQF_ONESHOT, + &bxtwc_regmap_irq_chip_chgr, + &pmic->irq_chip_data_chgr); + if (ret) return ret; - } /* Add chained IRQ handler for CRIT IRQs */ ret = bxtwc_add_chained_irq_chip(pmic, pmic->irq_chip_data, diff --git a/drivers/usb/typec/tcpm/wcove.c b/drivers/usb/typec/tcpm/wcove.c index 7e9c279bf49d..22fe8d60fe36 100644 --- a/drivers/usb/typec/tcpm/wcove.c +++ b/drivers/usb/typec/tcpm/wcove.c @@ -620,10 +620,6 @@ static int wcove_typec_probe(struct platform_device *pdev) if (irq < 0) return irq; - irq = regmap_irq_get_virq(pmic->irq_chip_data_chgr, irq); - if (irq < 0) - return irq; - ret = guid_parse(WCOVE_DSM_UUID, &wcove->guid); if (ret) return ret; -- 2.25.1

2 1

[PATCH OLK-6.6] usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
by Liu Mingrui 07 Jan '25

07 Jan '25

From: Lianqin Hu <hulianqin(a)vivo.com> stable inclusion from stable-v6.6.67 commit 8ca07a3d18f39b1669927ef536e485787e856df6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAO8 CVE: CVE-2024-56670 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b upstream. Considering that in some extreme cases, when u_serial driver is accessed by multiple threads, Thread A is executing the open operation and calling the gs_open, Thread B is executing the disconnect operation and calling the gserial_disconnect function,The port->port_usb pointer will be set to NULL. E.g. Thread A Thread B gs_open() gadget_unbind_driver() gs_start_io() composite_disconnect() gs_start_rx() gserial_disconnect() ... ... spin_unlock(&port->port_lock) status = usb_ep_queue() spin_lock(&port->port_lock) spin_lock(&port->port_lock) port->port_usb = NULL gs_free_requests(port->port_usb->in) spin_unlock(&port->port_lock) Crash This causes thread A to access a null pointer (port->port_usb is null) when calling the gs_free_requests function, causing a crash. If port_usb is NULL, the release request will be skipped as it will be done by gserial_disconnect. So add a null pointer check to gs_start_io before attempting to access the value of the pointer port->port_usb. Call trace: gs_start_io+0x164/0x25c gs_open+0x108/0x13c tty_open+0x314/0x638 chrdev_open+0x1b8/0x258 do_dentry_open+0x2c4/0x700 vfs_open+0x2c/0x3c path_openat+0xa64/0xc60 do_filp_open+0xb8/0x164 do_sys_openat2+0x84/0xf0 __arm64_sys_openat+0x70/0x9c invoke_syscall+0x58/0x114 el0_svc_common+0x80/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x38/0x68 Fixes: c1dca562be8a ("usb gadget: split out serial core") Cc: stable(a)vger.kernel.org Suggested-by: Prashanth K <quic_prashk(a)quicinc.com> Signed-off-by: Lianqin Hu <hulianqin(a)vivo.com> Acked-by: Prashanth K <quic_prashk(a)quicinc.com> Link: https://lore.kernel.org/r/TYUPR06MB62178DC3473F9E1A537DCD02D2362@TYUPR06MB6… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- drivers/usb/gadget/function/u_serial.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c index 8962f96ae729..729b0472bab0 100644 --- a/drivers/usb/gadget/function/u_serial.c +++ b/drivers/usb/gadget/function/u_serial.c @@ -575,9 +575,12 @@ static int gs_start_io(struct gs_port *port) * we didn't in gs_start_tx() */ tty_wakeup(port->port.tty); } else { - gs_free_requests(ep, head, &port->read_allocated); - gs_free_requests(port->port_usb->in, &port->write_pool, - &port->write_allocated); + /* Free reqs only if we are still connected */ + if (port->port_usb) { + gs_free_requests(ep, head, &port->read_allocated); + gs_free_requests(port->port_usb->in, &port->write_pool, + &port->write_allocated); + } status = -EIO; } -- 2.25.1

2 1

[PATCH OLK-6.6] net/mlx5: DR, prevent potential error pointer dereference
by Wang Wensheng 07 Jan '25

07 Jan '25

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v6.6.67 commit 325cf73a1b449fea3158ab99d03a7a717aad1618 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAMV CVE: CVE-2024-56660 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=325c… -------------------------------- [ Upstream commit 11776cff0b563c8b8a4fa76cab620bfb633a8cb8 ] The dr_domain_add_vport_cap() function generally returns NULL on error but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM and if it's and -ENOMEM then the error pointer is propogated back and eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag(). Fixes: 11a45def2e19 ("net/mlx5: DR, Add support for SF vports") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Tariq Toukan <tariqt(a)nvidia.com> Link: https://patch.msgid.link/07477254-e179-43e2-b1b3-3b9db4674195@stanley.mount… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Wensheng <wangwensheng4(a)huawei.com> --- drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c index 3d74109f8230..49f22cad92bf 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c @@ -297,7 +297,9 @@ dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport) if (ret) { mlx5dr_dbg(dmn, "Couldn't insert new vport into xarray (%d)\n", ret); kvfree(vport_caps); - return ERR_PTR(ret); + if (ret == -EBUSY) + return ERR_PTR(-EBUSY); + return NULL; } return vport_caps; -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] BMA: Fix Oops and spin lock deadlock problem, and change the version number.
by Yuan Can 07 Jan '25

07 Jan '25

From: Wujiahai <wujiahai(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBD74A CVE: NA ----------------------------------------- 1. Prevents iBMA driver from causing Oops problems. 2. The spin lock deadlock bug of the ibma iBMA is fixed. 3. Change the iBMA driver version. Fixes: ea190d90c609 ("Huawei BMA: Adding Huawei BMA driver: host_edma_drv") Signed-off-by: Wujiahai <wujiahai(a)huawei.com> --- drivers/net/ethernet/huawei/bma/cdev_drv/bma_cdev.c | 2 +- drivers/net/ethernet/huawei/bma/edma_drv/bma_devintf.c | 10 ++++++++-- drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.h | 2 +- drivers/net/ethernet/huawei/bma/edma_drv/edma_host.c | 9 --------- .../net/ethernet/huawei/bma/kbox_drv/kbox_include.h | 2 +- drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.h | 2 +- 6 files changed, 12 insertions(+), 15 deletions(-) diff --git a/drivers/net/ethernet/huawei/bma/cdev_drv/bma_cdev.c b/drivers/net/ethernet/huawei/bma/cdev_drv/bma_cdev.c index 4be8a4fc6cec..275c2cdfe5db 100644 --- a/drivers/net/ethernet/huawei/bma/cdev_drv/bma_cdev.c +++ b/drivers/net/ethernet/huawei/bma/cdev_drv/bma_cdev.c @@ -28,7 +28,7 @@ #ifdef DRV_VERSION #define CDEV_VERSION MICRO_TO_STR(DRV_VERSION) #else -#define CDEV_VERSION "0.3.8" +#define CDEV_VERSION "0.3.10" #endif #define CDEV_DEFAULT_NUM 4 diff --git a/drivers/net/ethernet/huawei/bma/edma_drv/bma_devintf.c b/drivers/net/ethernet/huawei/bma/edma_drv/bma_devintf.c index 556130ab8a65..baa65b8885ff 100644 --- a/drivers/net/ethernet/huawei/bma/edma_drv/bma_devintf.c +++ b/drivers/net/ethernet/huawei/bma/edma_drv/bma_devintf.c @@ -135,6 +135,7 @@ static void bma_priv_clean_up(struct bma_priv_data_s *bma_priv) int i = 0; struct bma_priv_data_s *priv = bma_priv; struct edma_recv_msg_s *msg = NULL; + unsigned long flags = 0; if (!priv) return; @@ -144,6 +145,7 @@ static void bma_priv_clean_up(struct bma_priv_data_s *bma_priv) return; } + spin_lock_irqsave(&priv->recv_msg_lock, flags); for (i = 0; i < priv->user.max_recvmsg_nums; i++) { ret = edma_host_recv_msg(&g_bma_dev->edma_host, priv, &msg); if (ret) @@ -151,6 +153,7 @@ static void bma_priv_clean_up(struct bma_priv_data_s *bma_priv) kfree(msg); } + spin_unlock_irqrestore(&priv->recv_msg_lock, flags); priv->user.type = TYPE_UNKNOWN; priv->user.sub_type = 0; @@ -419,8 +422,8 @@ EXPORT_SYMBOL(bma_intf_int_to_bmc); int bma_intf_is_link_ok(void) { - if ((&g_bma_dev->edma_host != NULL) && - (g_bma_dev->edma_host.statistics.remote_status == REGISTERED)) + if (g_bma_dev && + g_bma_dev->edma_host.statistics.remote_status == REGISTERED) return 1; return 0; } @@ -432,6 +435,7 @@ int bma_cdev_recv_msg(void *handle, char __user *data, size_t count) struct edma_recv_msg_s *msg = NULL; int result = 0; int len = 0; + unsigned long flags = 0; if (!handle || !data || count == 0) { BMA_LOG(DLOG_DEBUG, "input NULL point!\n"); @@ -440,7 +444,9 @@ int bma_cdev_recv_msg(void *handle, char __user *data, size_t count) priv = (struct bma_priv_data_s *)handle; + spin_lock_irqsave(&priv->recv_msg_lock, flags); result = edma_host_recv_msg(&g_bma_dev->edma_host, priv, &msg); + spin_unlock_irqrestore(&priv->recv_msg_lock, flags); if (result != 0) return -ENODATA; diff --git a/drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.h b/drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.h index d1c62a77a434..7639b11a3f50 100644 --- a/drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.h +++ b/drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.h @@ -71,7 +71,7 @@ struct bma_pci_dev_s { #ifdef DRV_VERSION #define BMA_VERSION MICRO_TO_STR(DRV_VERSION) #else -#define BMA_VERSION "0.3.8" +#define BMA_VERSION "0.3.10" #endif #ifdef CONFIG_ARM64 diff --git a/drivers/net/ethernet/huawei/bma/edma_drv/edma_host.c b/drivers/net/ethernet/huawei/bma/edma_drv/edma_host.c index 4641e359e8fc..d9da64b94eb9 100644 --- a/drivers/net/ethernet/huawei/bma/edma_drv/edma_host.c +++ b/drivers/net/ethernet/huawei/bma/edma_drv/edma_host.c @@ -1069,21 +1069,14 @@ int edma_host_recv_msg(struct edma_host_s *edma_host, struct bma_priv_data_s *priv, struct edma_recv_msg_s **msg) { - unsigned long flags = 0; struct list_head *entry = NULL; struct edma_recv_msg_s *msg_tmp = NULL; - struct bma_dev_s *bma_dev = NULL; if (!edma_host || !priv || !msg) return -EAGAIN; - bma_dev = list_entry(edma_host, struct bma_dev_s, edma_host); - - spin_lock_irqsave(&bma_dev->priv_list_lock, flags); - if (list_empty(&priv->recv_msgs)) { priv->user.cur_recvmsg_nums = 0; - spin_unlock_irqrestore(&bma_dev->priv_list_lock, flags); BMA_LOG(DLOG_DEBUG, "recv msgs empty\n"); return -EAGAIN; } @@ -1095,8 +1088,6 @@ int edma_host_recv_msg(struct edma_host_s *edma_host, if (priv->user.cur_recvmsg_nums > 0) priv->user.cur_recvmsg_nums--; - spin_unlock_irqrestore(&bma_dev->priv_list_lock, flags); - *msg = msg_tmp; BMA_LOG(DLOG_DEBUG, "msg->msg_len = %d\n", (int)msg_tmp->msg_len); diff --git a/drivers/net/ethernet/huawei/bma/kbox_drv/kbox_include.h b/drivers/net/ethernet/huawei/bma/kbox_drv/kbox_include.h index 8371903e2c33..0d82ee6f7c83 100644 --- a/drivers/net/ethernet/huawei/bma/kbox_drv/kbox_include.h +++ b/drivers/net/ethernet/huawei/bma/kbox_drv/kbox_include.h @@ -23,7 +23,7 @@ #ifdef DRV_VERSION #define KBOX_VERSION MICRO_TO_STR(DRV_VERSION) #else -#define KBOX_VERSION "0.3.8" +#define KBOX_VERSION "0.3.10" #endif #define UNUSED(x) (x = x) diff --git a/drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.h b/drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.h index f03e6eccde6c..242d3ec128d3 100644 --- a/drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.h +++ b/drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.h @@ -31,7 +31,7 @@ extern "C" { #ifdef DRV_VERSION #define VETH_VERSION MICRO_TO_STR(DRV_VERSION) #else -#define VETH_VERSION "0.3.8" +#define VETH_VERSION "0.3.10" #endif #define MODULE_NAME "veth" -- 2.22.0

2 1

2025

2024

2023

2022

2021

2020

2019

Kernel January 2025