- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1 0/1] fix CVE-2024-47742
by Lin Yujun 26 Oct '24

26 Oct '24

Jann Horn (1): firmware_loader: Block path traversal drivers/base/firmware_loader/main.c | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) -- 2.34.1

2 2

[PATCH OLK-5.10 0/1] fix CVE-2024-47742
by Lin Yujun 26 Oct '24

26 Oct '24

Jann Horn (1): firmware_loader: Block path traversal drivers/base/firmware_loader/main.c | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) -- 2.34.1

2 2

[PATCH OLK-6.6 0/1] fix CVE-2024-47742
by Lin Yujun 26 Oct '24

26 Oct '24

Jann Horn (1): firmware_loader: Block path traversal drivers/base/firmware_loader/main.c | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) -- 2.34.1

2 2

[PATCH OLK-6.6] drm/amd/display: Validate function returns
by Heyuan Wang 26 Oct '24

26 Oct '24

From: Alex Hung <alex.hung(a)amd.com> mainline inclusion from mainline-v6.11 commit 673f816b9e1e92d1f70e1bf5f21b531e0ff9ad6c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYEW CVE: CVE-2024-46775 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity. Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Conflicts: drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c drivers/gpu/drm/amd/display/dc/hubbub/dcn20/dcn20_hubbub.c [Conflict due to not merge mainline commit 8b09656b22c0 and f9c7818c9d65] Signed-off-by: Yu Liao <liaoyu15(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 7 +++++-- .../drm/amd/display/dc/link/protocols/link_dp_training.c | 3 +-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c index 4c5ef3ef8dbd..8344957d7449 100644 --- a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +++ b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c @@ -144,7 +144,9 @@ bool dc_dmub_srv_cmd_run_list(struct dc_dmub_srv *dc_dmub_srv, unsigned int coun if (status == DMUB_STATUS_QUEUE_FULL) { /* Execute and wait for queue to become empty again. */ dmub_srv_cmd_execute(dmub); - dmub_srv_wait_for_idle(dmub, 100000); + status = dmub_srv_wait_for_idle(dmub, 100000); + if (status != DMUB_STATUS_OK) + return false; /* Requeue the command. */ status = dmub_srv_cmd_queue(dmub, &cmd_list[i]); @@ -407,7 +409,8 @@ void dc_dmub_srv_get_visual_confirm_color_cmd(struct dc *dc, struct pipe_ctx *pi union dmub_rb_cmd cmd = { 0 }; unsigned int panel_inst = 0; - dc_get_edp_link_panel_inst(dc, pipe_ctx->stream->link, &panel_inst); + if (!dc_get_edp_link_panel_inst(dc, pipe_ctx->stream->link, &panel_inst)) + return; memset(&cmd, 0, sizeof(cmd)); diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c index 9d1adfc09fb2..11d42ad0bc18 100644 --- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c +++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c @@ -1676,8 +1676,7 @@ bool perform_link_training_with_retries( if (status == LINK_TRAINING_ABORT) { enum dc_connection_type type = dc_connection_none; - link_detect_connection_type(link, &type); - if (type == dc_connection_none) { + if (link_detect_connection_type(link, &type) && type == dc_connection_none) { DC_LOG_HW_LINK_TRAINING("%s: Aborting training because sink unplugged\n", __func__); break; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] devres: Fix memory leakage caused by driver API devm_free_percpu()
by Zhang Zekun 26 Oct '24

26 Oct '24

From: Zijun Hu <quic_zijuhu(a)quicinc.com> stable inclusion from stable-v5.10.224 commit ef56dcdca8f2a53abc3a83d388b8336447533d85 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALERD CVE: CVE-2024-43871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit bd50a974097bb82d52a458bd3ee39fb723129a0c ] It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). Fixes: ff86aae3b411 ("devres: add devm_alloc_percpu()") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/r/1719931914-19035-3-git-send-email-quic_zijuhu@qui… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/base/devres.c [There is a context difference, no functional change] Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/base/devres.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index 586e9a75c840..ef3014194049 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -1227,7 +1227,11 @@ EXPORT_SYMBOL_GPL(__devm_alloc_percpu); */ void devm_free_percpu(struct device *dev, void __percpu *pdata) { - WARN_ON(devres_destroy(dev, devm_percpu_release, devm_percpu_match, + /* + * Use devres_release() to prevent memory leakage as + * devm_free_pages() does. + */ + WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, (void *)pdata)); } EXPORT_SYMBOL_GPL(devm_free_percpu); -- 2.17.1

2 1

[PATCH openEuler-22.03-LTS-SP1] jfs: Fix array-index-out-of-bounds in diFree
by Zhang Zekun 26 Oct '24

26 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v5.10.224 commit 538a27c8048f081a5ddd286f886eb986fbbc7f80 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ4Y CVE: CVE-2024-43858 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------------------------------------- [ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ] Reported-by: syzbot+241c815bda521982cb49(a)syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- fs/jfs/jfs_imap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index b0965f3ef186..36ed75682064 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -292,7 +292,7 @@ int diSync(struct inode *ipimap) int diRead(struct inode *ip) { struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); - int iagno, ino, extno, rc; + int iagno, ino, extno, rc, agno; struct inode *ipimap; struct dinode *dp; struct iag *iagp; @@ -341,8 +341,11 @@ int diRead(struct inode *ip) /* get the ag for the iag */ agstart = le64_to_cpu(iagp->agstart); + agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb)); release_metapage(mp); + if (agno >= MAXAG || agno < 0) + return -EIO; rel_inode = (ino & (INOSPERPAGE - 1)); pageno = blkno >> sbi->l2nbperpage; -- 2.17.1

2 1

[PATCH OLK-5.10] soundwire: cadence: fix invalid PDI offset
by Zhang Zekun 26 Oct '24

26 Oct '24

From: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> mainline inclusion from mainline-v6.10-rc1 commit 8ee1b439b1540ae543149b15a2a61b9dff937d91 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3E CVE: CVE-2024-38635 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------------------------------- For some reason, we add an offset to the PDI, presumably to skip the PDI0 and PDI1 which are reserved for BPT. This code is however completely wrong and leads to an out-of-bounds access. We were just lucky so far since we used only a couple of PDIs and remained within the PDI array bounds. A Fixes: tag is not provided since there are no known platforms where the out-of-bounds would be accessed, and the initial code had problems as well. A follow-up patch completely removes this useless offset. Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Reviewed-by: Rander Wang <rander.wang(a)intel.com> Signed-off-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Link: https://lore.kernel.org/r/20240326090122.1051806-2-yung-chuan.liao@linux.in… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/soundwire/cadence_master.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c index 18e7d158fcca..d3e9cd3faadf 100644 --- a/drivers/soundwire/cadence_master.c +++ b/drivers/soundwire/cadence_master.c @@ -1698,7 +1698,7 @@ struct sdw_cdns_pdi *sdw_cdns_alloc_pdi(struct sdw_cdns *cdns, /* check if we found a PDI, else find in bi-directional */ if (!pdi) - pdi = cdns_find_pdi(cdns, 2, stream->num_bd, stream->bd, + pdi = cdns_find_pdi(cdns, 0, stream->num_bd, stream->bd, dai_id); if (pdi) { -- 2.17.1

2 1

[PATCH OLK-5.10] jfs: Fix array-index-out-of-bounds in diFree
by Zhang Zekun 26 Oct '24

26 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v5.10.224 commit 538a27c8048f081a5ddd286f886eb986fbbc7f80 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ4Y CVE: CVE-2024-43858 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------------------------------------- [ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ] Reported-by: syzbot+241c815bda521982cb49(a)syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- fs/jfs/jfs_imap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index b0965f3ef186..36ed75682064 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -292,7 +292,7 @@ int diSync(struct inode *ipimap) int diRead(struct inode *ip) { struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); - int iagno, ino, extno, rc; + int iagno, ino, extno, rc, agno; struct inode *ipimap; struct dinode *dp; struct iag *iagp; @@ -341,8 +341,11 @@ int diRead(struct inode *ip) /* get the ag for the iag */ agstart = le64_to_cpu(iagp->agstart); + agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb)); release_metapage(mp); + if (agno >= MAXAG || agno < 0) + return -EIO; rel_inode = (ino & (INOSPERPAGE - 1)); pageno = blkno >> sbi->l2nbperpage; -- 2.17.1

2 1

[PATCH OLK-5.10] devres: Fix memory leakage caused by driver API devm_free_percpu()
by Zhang Zekun 26 Oct '24

26 Oct '24

From: Zijun Hu <quic_zijuhu(a)quicinc.com> stable inclusion from stable-v5.10.224 commit ef56dcdca8f2a53abc3a83d388b8336447533d85 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALERD CVE: CVE-2024-43871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit bd50a974097bb82d52a458bd3ee39fb723129a0c ] It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). Fixes: ff86aae3b411 ("devres: add devm_alloc_percpu()") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Link: https://lore.kernel.org/r/1719931914-19035-3-git-send-email-quic_zijuhu@qui… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/base/devres.c [There is a context difference, no functional change] Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/base/devres.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index 586e9a75c840..ef3014194049 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -1227,7 +1227,11 @@ EXPORT_SYMBOL_GPL(__devm_alloc_percpu); */ void devm_free_percpu(struct device *dev, void __percpu *pdata) { - WARN_ON(devres_destroy(dev, devm_percpu_release, devm_percpu_match, + /* + * Use devres_release() to prevent memory leakage as + * devm_free_pages() does. + */ + WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, (void *)pdata)); } EXPORT_SYMBOL_GPL(devm_free_percpu); -- 2.17.1

2 1

[PATCH OLK-5.10] exfat: fix potential deadlock on __exfat_get_dentry_set
by Zhang Zekun 26 Oct '24

26 Oct '24

From: Sungjong Seo <sj1557.seo(a)samsung.com> mainline inclusion from mainline-v6.11-rc1 commit 89fc548767a2155231128cb98726d6d2ea1256c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPQ2 CVE: CVE-2024-42315 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------------------------------- When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-array is allocated in __exfat_get_entry_set. The problem is that the bh-array is allocated with GFP_KERNEL. It does not make sense. In the following cases, a deadlock for sbi->s_lock between the two processes may occur. CPU0 CPU1 ---- ---- kswapd balance_pgdat lock(fs_reclaim) exfat_iterate lock(&sbi->s_lock) exfat_readdir exfat_get_uniname_from_ext_entry exfat_get_dentry_set __exfat_get_dentry_set kmalloc_array ... lock(fs_reclaim) ... evict exfat_evict_inode lock(&sbi->s_lock) To fix this, let's allocate bh-array with GFP_NOFS. Fixes: a3ff29a95fde ("exfat: support dynamic allocate bh for exfat_entry_set_cache") Cc: stable(a)vger.kernel.org # v6.2+ Reported-by: syzbot+412a392a2cd4a65e71db(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/000000000000fef47e0618c0327f@google.com Signed-off-by: Sungjong Seo <sj1557.seo(a)samsung.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Conflicts: fs/exfat/dir.c [There is a context defference, no functional difference] Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- fs/exfat/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c index db735a0d32fc..4543013ac048 100644 --- a/fs/exfat/dir.c +++ b/fs/exfat/dir.c @@ -873,7 +873,7 @@ struct exfat_entry_set_cache *exfat_get_dentry_set(struct super_block *sb, num_bh = EXFAT_B_TO_BLK_ROUND_UP(off + num_entries * DENTRY_SIZE, sb); if (num_bh > ARRAY_SIZE(es->__bh)) { - es->bh = kmalloc_array(num_bh, sizeof(*es->bh), GFP_KERNEL); + es->bh = kmalloc_array(num_bh, sizeof(*es->bh), GFP_NOFS); if (!es->bh) { brelse(bh); kfree(es); -- 2.17.1

2 1

2025

2024

2023

2022

2021

2020

2019

Kernel