- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 0/1] irqchip/mbigen: Fix mbigen node address layout
by Yuntao Liu 24 Sep '24

24 Sep '24

irqchip/mbigen: Fix mbigen node address layout Yipeng Zou (1): irqchip/mbigen: Fix mbigen node address layout drivers/irqchip/irq-mbigen.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) -- 2.34.1

2 2

[PATCH OLK-6.6] driver: iio: add missing checks on iio_info's callback access
by Cui GaoSheng 24 Sep '24

24 Sep '24

From: Julien Stephan <jstephan(a)baylibre.com> stable inclusion from stable-v6.6.50 commit 72f022ebb9deac28663fa4c04ba315ed5d6654d1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV1X CVE: CVE-2024-46715 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c4ec8dedca961db056ec85cb7ca8c9f7e2e92252 ] Some callbacks from iio_info structure are accessed without any check, so if a driver doesn't implement them trying to access the corresponding sysfs entries produce a kernel oops such as: [ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute [...] [ 2203.783416] Call trace: [ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48 [ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120 [ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4 [ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0 [ 2203.802236] vfs_read from ksys_read+0xa4/0xd4 [ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54 [ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0) [ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000 [ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000 [ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0 [ 2203.830363] Code: bad PC value [ 2203.832695] ---[ end trace 0000000000000000 ]--- Reviewed-by: Nuno Sa <nuno.sa(a)analog.com> Signed-off-by: Julien Stephan <jstephan(a)baylibre.com> Link: https://lore.kernel.org/r/20240530-iio-core-fix-segfault-v3-1-8b7cd2a03773@… Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/iio/industrialio-core.c | 7 ++++++- drivers/iio/industrialio-event.c | 9 +++++++++ drivers/iio/inkern.c | 32 ++++++++++++++++++++++---------- 3 files changed, 37 insertions(+), 11 deletions(-) diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c index 5e1a85ca1211..121bde49ccb7 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -752,9 +752,11 @@ static ssize_t iio_read_channel_info(struct device *dev, INDIO_MAX_RAW_ELEMENTS, vals, &val_len, this_attr->address); - else + else if (indio_dev->info->read_raw) ret = indio_dev->info->read_raw(indio_dev, this_attr->c, &vals[0], &vals[1], this_attr->address); + else + return -EINVAL; if (ret < 0) return ret; @@ -836,6 +838,9 @@ static ssize_t iio_read_channel_info_avail(struct device *dev, int length; int type; + if (!indio_dev->info->read_avail) + return -EINVAL; + ret = indio_dev->info->read_avail(indio_dev, this_attr->c, &vals, &type, &length, this_attr->address); diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c index 19f7a91157ee..f67e4afa5f94 100644 --- a/drivers/iio/industrialio-event.c +++ b/drivers/iio/industrialio-event.c @@ -285,6 +285,9 @@ static ssize_t iio_ev_state_store(struct device *dev, if (ret < 0) return ret; + if (!indio_dev->info->write_event_config) + return -EINVAL; + ret = indio_dev->info->write_event_config(indio_dev, this_attr->c, iio_ev_attr_type(this_attr), iio_ev_attr_dir(this_attr), val); @@ -300,6 +303,9 @@ static ssize_t iio_ev_state_show(struct device *dev, struct iio_dev_attr *this_attr = to_iio_dev_attr(attr); int val; + if (!indio_dev->info->read_event_config) + return -EINVAL; + val = indio_dev->info->read_event_config(indio_dev, this_attr->c, iio_ev_attr_type(this_attr), iio_ev_attr_dir(this_attr)); @@ -318,6 +324,9 @@ static ssize_t iio_ev_value_show(struct device *dev, int val, val2, val_arr[2]; int ret; + if (!indio_dev->info->read_event_value) + return -EINVAL; + ret = indio_dev->info->read_event_value(indio_dev, this_attr->c, iio_ev_attr_type(this_attr), iio_ev_attr_dir(this_attr), iio_ev_attr_info(this_attr), diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c index 7a1f6713318a..b85556538475 100644 --- a/drivers/iio/inkern.c +++ b/drivers/iio/inkern.c @@ -562,6 +562,7 @@ EXPORT_SYMBOL_GPL(devm_iio_channel_get_all); static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, enum iio_chan_info_enum info) { + const struct iio_info *iio_info = chan->indio_dev->info; int unused; int vals[INDIO_MAX_RAW_ELEMENTS]; int ret; @@ -573,15 +574,18 @@ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, if (!iio_channel_has_info(chan->channel, info)) return -EINVAL; - if (chan->indio_dev->info->read_raw_multi) { - ret = chan->indio_dev->info->read_raw_multi(chan->indio_dev, - chan->channel, INDIO_MAX_RAW_ELEMENTS, - vals, &val_len, info); + if (iio_info->read_raw_multi) { + ret = iio_info->read_raw_multi(chan->indio_dev, + chan->channel, + INDIO_MAX_RAW_ELEMENTS, + vals, &val_len, info); *val = vals[0]; *val2 = vals[1]; + } else if (iio_info->read_raw) { + ret = iio_info->read_raw(chan->indio_dev, + chan->channel, val, val2, info); } else { - ret = chan->indio_dev->info->read_raw(chan->indio_dev, - chan->channel, val, val2, info); + return -EINVAL; } return ret; @@ -801,11 +805,15 @@ static int iio_channel_read_avail(struct iio_channel *chan, const int **vals, int *type, int *length, enum iio_chan_info_enum info) { + const struct iio_info *iio_info = chan->indio_dev->info; + if (!iio_channel_has_available(chan->channel, info)) return -EINVAL; - return chan->indio_dev->info->read_avail(chan->indio_dev, chan->channel, - vals, type, length, info); + if (iio_info->read_avail) + return iio_info->read_avail(chan->indio_dev, chan->channel, + vals, type, length, info); + return -EINVAL; } int iio_read_avail_channel_attribute(struct iio_channel *chan, @@ -995,8 +1003,12 @@ EXPORT_SYMBOL_GPL(iio_get_channel_type); static int iio_channel_write(struct iio_channel *chan, int val, int val2, enum iio_chan_info_enum info) { - return chan->indio_dev->info->write_raw(chan->indio_dev, - chan->channel, val, val2, info); + const struct iio_info *iio_info = chan->indio_dev->info; + + if (iio_info->write_raw) + return iio_info->write_raw(chan->indio_dev, + chan->channel, val, val2, info); + return -EINVAL; } int iio_write_channel_attribute(struct iio_channel *chan, int val, int val2, -- 2.34.1

2 1

[PATCH OLK-5.10] driver: iio: add missing checks on iio_info's callback access
by Cui GaoSheng 24 Sep '24

24 Sep '24

From: Julien Stephan <jstephan(a)baylibre.com> stable inclusion from stable-v6.1.109 commit 0cc7e0ee31e5c44904e98e2229d591e093282a70 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV1X CVE: CVE-2024-46715 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c4ec8dedca961db056ec85cb7ca8c9f7e2e92252 ] Some callbacks from iio_info structure are accessed without any check, so if a driver doesn't implement them trying to access the corresponding sysfs entries produce a kernel oops such as: [ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute [...] [ 2203.783416] Call trace: [ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48 [ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120 [ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4 [ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0 [ 2203.802236] vfs_read from ksys_read+0xa4/0xd4 [ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54 [ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0) [ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000 [ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000 [ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0 [ 2203.830363] Code: bad PC value [ 2203.832695] ---[ end trace 0000000000000000 ]--- Reviewed-by: Nuno Sa <nuno.sa(a)analog.com> Signed-off-by: Julien Stephan <jstephan(a)baylibre.com> Link: https://lore.kernel.org/r/20240530-iio-core-fix-segfault-v3-1-8b7cd2a03773@… Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/iio/inkern.c [ Context conflicts with commit 110f11589c8777. ] Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/iio/industrialio-core.c | 7 ++++++- drivers/iio/industrialio-event.c | 9 ++++++++ drivers/iio/inkern.c | 35 ++++++++++++++++++++++---------- 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c index ea98aad9fb81..b57461731718 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -684,9 +684,11 @@ static ssize_t iio_read_channel_info(struct device *dev, INDIO_MAX_RAW_ELEMENTS, vals, &val_len, this_attr->address); - else + else if (indio_dev->info->read_raw) ret = indio_dev->info->read_raw(indio_dev, this_attr->c, &vals[0], &vals[1], this_attr->address); + else + return -EINVAL; if (ret < 0) return ret; @@ -791,6 +793,9 @@ static ssize_t iio_read_channel_info_avail(struct device *dev, int length; int type; + if (!indio_dev->info->read_avail) + return -EINVAL; + ret = indio_dev->info->read_avail(indio_dev, this_attr->c, &vals, &type, &length, this_attr->address); diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c index 99ba657b8568..8720b86d8834 100644 --- a/drivers/iio/industrialio-event.c +++ b/drivers/iio/industrialio-event.c @@ -274,6 +274,9 @@ static ssize_t iio_ev_state_store(struct device *dev, if (ret < 0) return ret; + if (!indio_dev->info->write_event_config) + return -EINVAL; + ret = indio_dev->info->write_event_config(indio_dev, this_attr->c, iio_ev_attr_type(this_attr), iio_ev_attr_dir(this_attr), val); @@ -289,6 +292,9 @@ static ssize_t iio_ev_state_show(struct device *dev, struct iio_dev_attr *this_attr = to_iio_dev_attr(attr); int val; + if (!indio_dev->info->read_event_config) + return -EINVAL; + val = indio_dev->info->read_event_config(indio_dev, this_attr->c, iio_ev_attr_type(this_attr), iio_ev_attr_dir(this_attr)); @@ -307,6 +313,9 @@ static ssize_t iio_ev_value_show(struct device *dev, int val, val2, val_arr[2]; int ret; + if (!indio_dev->info->read_event_value) + return -EINVAL; + ret = indio_dev->info->read_event_value(indio_dev, this_attr->c, iio_ev_attr_type(this_attr), iio_ev_attr_dir(this_attr), iio_ev_attr_info(this_attr), diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c index c32b2577dd99..746e05dd899d 100644 --- a/drivers/iio/inkern.c +++ b/drivers/iio/inkern.c @@ -500,6 +500,7 @@ EXPORT_SYMBOL_GPL(devm_iio_channel_get_all); static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, enum iio_chan_info_enum info) { + const struct iio_info *iio_info = chan->indio_dev->info; int unused; int vals[INDIO_MAX_RAW_ELEMENTS]; int ret; @@ -511,15 +512,19 @@ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, if (!iio_channel_has_info(chan->channel, info)) return -EINVAL; - if (chan->indio_dev->info->read_raw_multi) { - ret = chan->indio_dev->info->read_raw_multi(chan->indio_dev, - chan->channel, INDIO_MAX_RAW_ELEMENTS, - vals, &val_len, info); + if (iio_info->read_raw_multi) { + ret = iio_info->read_raw_multi(chan->indio_dev, + chan->channel, + INDIO_MAX_RAW_ELEMENTS, + vals, &val_len, info); *val = vals[0]; *val2 = vals[1]; - } else - ret = chan->indio_dev->info->read_raw(chan->indio_dev, - chan->channel, val, val2, info); + } else if (iio_info->read_raw) { + ret = iio_info->read_raw(chan->indio_dev, + chan->channel, val, val2, info); + } else { + return -EINVAL; + } return ret; } @@ -720,11 +725,15 @@ static int iio_channel_read_avail(struct iio_channel *chan, const int **vals, int *type, int *length, enum iio_chan_info_enum info) { + const struct iio_info *iio_info = chan->indio_dev->info; + if (!iio_channel_has_available(chan->channel, info)) return -EINVAL; - return chan->indio_dev->info->read_avail(chan->indio_dev, chan->channel, - vals, type, length, info); + if (iio_info->read_avail) + return iio_info->read_avail(chan->indio_dev, chan->channel, + vals, type, length, info); + return -EINVAL; } int iio_read_avail_channel_attribute(struct iio_channel *chan, @@ -852,8 +861,12 @@ EXPORT_SYMBOL_GPL(iio_get_channel_type); static int iio_channel_write(struct iio_channel *chan, int val, int val2, enum iio_chan_info_enum info) { - return chan->indio_dev->info->write_raw(chan->indio_dev, - chan->channel, val, val2, info); + const struct iio_info *iio_info = chan->indio_dev->info; + + if (iio_info->write_raw) + return iio_info->write_raw(chan->indio_dev, + chan->channel, val, val2, info); + return -EINVAL; } int iio_write_channel_attribute(struct iio_channel *chan, int val, int val2, -- 2.34.1

2 1

[PATCH OLK-5.10 0/5] A group of optimization and bug fix for numa-affinity
by Nanyong Sun 24 Sep '24

24 Sep '24

A group of optimization and bug fix for numa-affinity. Nanyong Sun (5): mm: thp: support to control numa migration mm: numa-affinity: add helper numa_affinity_sampling_enabled() mm: numa-affinity: adapt for should_numa_migrate_memory mm: numa-affinity: adapt for task_numa_placement mm: numa-affinity: fix build error when !CONFIG_PROC_SYSCTL Documentation/admin-guide/mm/transhuge.rst | 8 ++++++ arch/arm64/Kconfig | 1 + arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + include/linux/huge_mm.h | 13 +++++++++ include/linux/mem_sampling.h | 13 +++++++++ kernel/sched/fair.c | 30 ++++++++++++++------ mm/Kconfig | 10 +++++++ mm/huge_memory.c | 33 ++++++++++++++++++++++ mm/mem_sampling.c | 4 --- mm/migrate.c | 3 ++ 11 files changed, 105 insertions(+), 12 deletions(-) -- 2.33.0

2 6

[openeuler:OLK-5.10 16261/30000] drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console'
by kernel test robot 24 Sep '24

24 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: ec708b533135368027cf0b97c4d1abf6950e86db commit: d74f3b70d73220d919db010ec1c81aa1d89082b6 [16261/30000] fbdev: add ls2k500sfb driver for ls2k500 bmc. config: x86_64-randconfig-074-20240924 (https://download.01.org/0day-ci/archive/20240924/202409241851.FLydbyQT-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240924/202409241851.FLydbyQT-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409241851.FLydbyQT-lkp@intel.com/ All errors (new ones prefixed by >>): ld: drivers/video/fbdev/ls2k500sfb.o: in function `ls2k500sfb_events_fn': >> drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console' >> ld: drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console' >> ld: drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console' vim +244 drivers/video/fbdev/ls2k500sfb.c 110 111 static void ls2k500sfb_events_fn(struct work_struct *work) 112 { 113 struct ls2k500sfb_struct *priv = container_of(work, struct ls2k500sfb_struct, work); 114 struct pci_dev *pdev = priv->dev; 115 struct pci_dev *ppdev = pdev->bus->self; 116 uint32_t i, d, timeout, retry = 0; 117 static const uint32_t index[] = { 118 0x10, 0x14, 0x18, 0x1c, 0x20, 0x24, 0x30, 0x3c, 0x54, 0x58, 0x78, 0x7c, 0x80, 4 119 }; 120 121 static uint32_t data[sizeof(index) / 4]; 122 static const uint32_t cindex[] = { 0x10, 0x3c, 4 }; 123 124 static uint32_t cdata[sizeof(cindex) / 4]; 125 static uint32_t d80c, d71c, ctrl; 126 static void *p; 127 128 if (!priv->running) { 129 for (i = 0; i < ARRAY_SIZE(index); i++) 130 pci_read_config_dword(ppdev, index[i], &data[i]); 131 for (i = 0; i < ARRAY_SIZE(cindex); i++) 132 pci_read_config_dword(pdev, cindex[i], &cdata[i]); 133 if (ppdev->vendor == 0x14) { 134 pci_read_config_dword(ppdev, 0x80c, &d80c); 135 d80c = (d80c & ~(3 << 17)) | (1 << 17); 136 137 pci_read_config_dword(ppdev, 0x71c, &d71c); 138 d71c |= 1 << 26; 139 140 p = pci_iomap(ppdev, 0, 0x100); 141 } 142 ctrl = readl(p); 143 return; 144 } 145 local_bh_disable(); 146 pciebreak_smp_send_stop(100); 147 wmb(); /* flush all write before we disable pcie window */ 148 pci_write_config_dword(ppdev, 0x18, 0); 149 pci_write_config_dword(ppdev, 0x1c, 0); 150 pci_write_config_dword(ppdev, 0x20, 0); 151 atomic_set(&waiting_for_pciebreak_ipi, 0); 152 wmb(); /* flush all write after change pcie window */ 153 local_bh_enable(); 154 if (ppdev->vendor == 0x14) { 155 timeout = 10000; 156 while (timeout) { 157 pci_read_config_dword(ppdev, 0x10, &d); 158 d &= ~0xf; 159 if (!d) 160 break; 161 mdelay(1); 162 timeout--; 163 }; 164 if (!timeout) 165 pr_info("bar not clear 0\n"); 166 167 pci_read_config_dword(ppdev, 0x0, &d); 168 pr_info("pcie port deviceid=0x%x recover begin\n", d); 169 retrain: 170 while (1) { 171 pci_write_config_dword(ppdev, index[0], data[0]); 172 pci_read_config_dword(ppdev, index[0], &d); 173 d &= ~0xf; 174 if (d) 175 break; 176 mdelay(1); 177 } 178 179 while (1) { 180 for (i = 0; i < ARRAY_SIZE(index); i++) { 181 if (index[i] != 0x18 && index[i] != 0x1c && index[i] != 0x20) 182 pci_write_config_dword(ppdev, index[i], data[i]); 183 } 184 pci_write_config_dword(ppdev, 0x80c, d80c); 185 pci_write_config_dword(ppdev, 0x71c, d71c); 186 187 pci_read_config_dword(ppdev, 0x10, &d); 188 d &= ~0xf; 189 if (d) 190 break; 191 mdelay(1); 192 } 193 194 timeout = 10000; 195 196 writel(ctrl | 0x8, p); 197 while (1) { 198 d = readl(p + 0xc); 199 if ((d & 0x11) == 0x11) { 200 break; 201 } else if (!timeout) { 202 pr_info("pcie train failed status=0x%x\n", d); 203 goto out; 204 } 205 mdelay(1); 206 timeout--; 207 } 208 209 210 pr_info("pcie recovered done\n"); 211 212 if (!retry) { 213 /*wait u-boot ddr config */ 214 set_current_state(TASK_UNINTERRUPTIBLE); 215 schedule_timeout(HZ*resetbootwait); 216 set_current_state(TASK_RUNNING); 217 pci_read_config_dword(ppdev, 0x10, &d); 218 d &= ~0xf; 219 if (!d) { 220 retry = 1; 221 goto retrain; 222 } 223 } 224 } else { 225 set_current_state(TASK_UNINTERRUPTIBLE); 226 schedule_timeout(HZ*resetbootwait); 227 set_current_state(TASK_RUNNING); 228 } 229 local_bh_disable(); 230 pciebreak_smp_send_stop(10000); 231 wmb(); /* flush all write before we update pcie window */ 232 for (i = 0; i < ARRAY_SIZE(index); i++) 233 pci_write_config_dword(ppdev, index[i], data[i]); 234 235 for (i = 0; i < ARRAY_SIZE(cindex); i++) 236 pci_write_config_dword(pdev, cindex[i], cdata[i]); 237 atomic_set(&waiting_for_pciebreak_ipi, 0); 238 wmb(); /* flush all write after we update pcie window */ 239 local_bh_enable(); 240 241 242 pr_info("redraw console\n"); 243 > 244 saved_console = fg_console; 245 switch_console(fg_console > 0?fg_console - 1 : fg_console + 1); 246 queue_delayed_work(priv->wq, &priv->redraw_work, HZ); 247 out: 248 priv->running = 0; 249 } 250 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-22.03-LTS-SP1] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
by Liu Mingrui 24 Sep '24

24 Sep '24

From: robelin <robelin(a)nvidia.com> stable inclusion from stable-v5.10.226 commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA CVE: CVE-2024-46798 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") Signed-off-by: robelin <robelin(a)nvidia.com> Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- sound/soc/soc-dapm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 754c1f16ee83..acb46e1f9c0a 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -4014,6 +4014,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w, case SND_SOC_DAPM_POST_PMD: kfree(substream->runtime); + substream->runtime = NULL; break; default: -- 2.25.1

2 1

[PATCH OLK-5.10] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
by Liu Mingrui 24 Sep '24

24 Sep '24

From: robelin <robelin(a)nvidia.com> stable inclusion from stable-v5.10.226 commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA CVE: CVE-2024-46798 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") Signed-off-by: robelin <robelin(a)nvidia.com> Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- sound/soc/soc-dapm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 754c1f16ee83..acb46e1f9c0a 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -4014,6 +4014,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w, case SND_SOC_DAPM_POST_PMD: kfree(substream->runtime); + substream->runtime = NULL; break; default: -- 2.25.1

2 1

[PATCH OLK-6.6] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
by Liu Mingrui 24 Sep '24

24 Sep '24

From: robelin <robelin(a)nvidia.com> stable inclusion from stable-v5.10.226 commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA CVE: CVE-2024-46798 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") Signed-off-by: robelin <robelin(a)nvidia.com> Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- sound/soc/soc-dapm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 85e3bbf7e5f0..7729f8f4d5e6 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -4018,6 +4018,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w, case SND_SOC_DAPM_POST_PMD: kfree(substream->runtime); + substream->runtime = NULL; break; default: -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

24 Sep '24

mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- arch/powerpc/kernel/rtas.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c index 7e0722b62cae..e39d25744ea2 100644 --- a/arch/powerpc/kernel/rtas.c +++ b/arch/powerpc/kernel/rtas.c @@ -24,6 +24,7 @@ #include <linux/completion.h> #include <linux/cpumask.h> #include <linux/memblock.h> +#include <linux/nospec.h> #include <linux/slab.h> #include <linux/reboot.h> #include <linux/syscalls.h> @@ -1224,6 +1225,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs) || nargs + nret > ARRAY_SIZE(args.args)) return -EINVAL; + nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args)); + nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs); + /* Copy in args. */ if (copy_from_user(args.args, uargs->args, nargs * sizeof(rtas_arg_t)) != 0) -- 2.34.1

2 1

[openeuler:OLK-5.10 29872/30000] ld.lld: error: duplicate symbol: lld_dev_hold
by kernel test robot 24 Sep '24

24 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 686352476cd29ec854b93e09a49d57c25a18a32f commit: 33116132568edcf6565cfd65cfa433f440d90494 [29872/30000] drm/qxl: Add check for drm_cvt_mode config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…) compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409241604.35w0b2j4-lkp@intel.com/ Note: the openeuler/OLK-5.10 HEAD 686352476cd29ec854b93e09a49d57c25a18a32f builds fine. It only hurts bisectability. All errors (new ones prefixed by >>): >> ld.lld: error: duplicate symbol: lld_dev_hold >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a >>> defined at sss_adapter_mgmt.c >>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x20) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: lld_dev_put >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a >>> defined at sss_adapter_mgmt.c >>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x80) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: g_uld_mutex >>> defined at sss_pci_global.c >>> net/ethernet/3snic/sssnic/hw/sss_pci_global.o:(g_uld_mutex) in archive drivers/built-in.a >>> defined at hinic3_lld.c >>> net/ethernet/huawei/hinic3/hw/hinic3_lld.o:(.bss+0x340) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: lld_dev_hold >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a >>> defined at hinic3_dev_mgmt.c >>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x120) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: lld_dev_put >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a >>> defined at hinic3_dev_mgmt.c >>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x180) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: nic_ioctl >>> defined at hinic_nictool.c >>> net/ethernet/huawei/hinic/hinic_nictool.o:(nic_ioctl) in archive drivers/built-in.a >>> defined at hinic3_dbg.c >>> net/ethernet/huawei/hinic3/hinic3_dbg.o:(.text+0x0) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: set_slave_host_enable >>> defined at hinic_multi_host_mgmt.c >>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_slave_host_enable) in archive drivers/built-in.a >>> defined at hinic3_hwdev.c >>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x0) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: set_func_host_mode >>> defined at hinic_multi_host_mgmt.c >>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_func_host_mode) in archive drivers/built-in.a >>> defined at hinic3_hwdev.c >>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x2C0) in archive drivers/built-in.a -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0