Kernel

kernel@openeuler.org

  • 27 participants
  • 18960 discussions
[PATCH openEuler-1.0-LTS] NFC: port100: fix use-after-free in port100_send_complete
by Wupeng Ma 27 Jul '24

From: Pavel Skripkin <paskripkin(a)gmail.com>

stable inclusion
from stable-v4.19.235
commit b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S9P
CVE: CVE-2022-48857

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit f80cfe2f26581f188429c12bd937eb905ad3ac7b ]

Syzbot reported UAF in port100_send_complete(). The root cause is in
missing usb_kill_urb() calls on error handling path of ->probe function.

port100_send_complete() accesses devm allocated memory which will be
freed on probe failure. We should kill these urbs before returning an
error from probe function to prevent reported use-after-free.

Fail log:

BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
...

Allocated by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 alloc_dr drivers/base/devres.c:116 [inline]
 devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
 devm_kzalloc include/linux/device.h:209 [inline]
 port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502

Freed by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf8/0x2b0 mm/slab.c:3794
 release_nodes+0x112/0x1a0 drivers/base/devres.c:501
 devres_release_all+0x114/0x190 drivers/base/devres.c:530
 really_probe+0x626/0xcc0 drivers/base/dd.c:670

Reported-and-tested-by: syzbot+16bcb127fb73baeecb14(a)syzkaller.appspotmail.com
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com>
Link: https://lore.kernel.org/r/20220308185007.6987-1-paskripkin@gmail.com
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com>
---
 drivers/nfc/port100.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c index 60ae382f50da..08da712ad45f 100644 --- a/drivers/nfc/port100.c +++ b/drivers/nfc/port100.c
@@ -1618,7 +1618,9 @@ static int port100_probe(struct usb_interface *interface, nfc_digital_free_device(dev->nfc_digital_dev); error: + usb_kill_urb(dev->in_urb); usb_free_urb(dev->in_urb); + usb_kill_urb(dev->out_urb); usb_free_urb(dev->out_urb); usb_put_dev(dev->udev); -- 2.25.1
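Review bot: in the `error:` block of port100_probe(), the two added usb_kill_urb() calls carry no comment saying why a kill has to precede usb_free_urb() here. usb_free_urb() only drops a reference, so an URB that is still in flight can complete after probe has returned and devres has released dev, which is the access KASAN reports in port100_send_complete(). A one-line comment to that effect above usb_kill_urb(dev->in_urb) would keep a later cleanup from removing the calls. usb_kill_urb() returns early for a NULL urb, so reaching this label before either URB has been allocated stays safe.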
[openeuler:OLK-5.10] BUILD SUCCESS 2b2a7e656e24161c2ed8fbec4744b6f231431b7f
by kernel test robot 27 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10
branch HEAD: 2b2a7e656e24161c2ed8fbec4744b6f231431b7f  !10316 sched: Add cfs_preferred_nid_init hook

elapsed time: 731m

configs tested: 35
configs skipped: 138

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
arm64     allmodconfig                        clang-20
arm64     allnoconfig                         gcc-14.1.0
arm64     defconfig                           gcc-14.1.0
arm64     randconfig-001-20240727             clang-20
arm64     randconfig-002-20240727             gcc-14.1.0
arm64     randconfig-003-20240727             gcc-14.1.0
arm64     randconfig-004-20240727             clang-20
x86_64    allnoconfig                         clang-18
x86_64    allyesconfig                        clang-18
x86_64    buildonly-randconfig-001-20240727   gcc-8
x86_64    buildonly-randconfig-002-20240727   gcc-13
x86_64    buildonly-randconfig-003-20240727   gcc-13
x86_64    buildonly-randconfig-004-20240727   gcc-13
x86_64    buildonly-randconfig-005-20240727   clang-18
x86_64    buildonly-randconfig-006-20240727   gcc-13
x86_64    defconfig                           gcc-13
x86_64    randconfig-001-20240727             gcc-13
x86_64    randconfig-002-20240727             clang-18
x86_64    randconfig-003-20240727             clang-18
x86_64    randconfig-004-20240727             clang-18
x86_64    randconfig-005-20240727             gcc-13
x86_64    randconfig-006-20240727             clang-18
x86_64    randconfig-011-20240727             gcc-13
x86_64    randconfig-012-20240727             gcc-13
x86_64    randconfig-013-20240727             clang-18
x86_64    randconfig-014-20240727             gcc-10
x86_64    randconfig-015-20240727             gcc-12
x86_64    randconfig-016-20240727             gcc-10
x86_64    randconfig-071-20240727             gcc-13
x86_64    randconfig-072-20240727             gcc-13
x86_64    randconfig-073-20240727             gcc-8
x86_64    randconfig-074-20240727             gcc-8
x86_64    randconfig-075-20240727             clang-18
x86_64    randconfig-076-20240727             clang-18
x86_64    rhel-8.3-rust                       clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6] BUILD SUCCESS 06bfbb032512dd58dfe4598cca653d0021fea49a
by kernel test robot 27 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: 06bfbb032512dd58dfe4598cca653d0021fea49a  !9892 support for SMC-D loopback_lo feature

Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allmodconfig
|   `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag
|-- arm64-defconfig
|   |-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data)
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- arm64-randconfig-002-20240727
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- arm64-randconfig-003-20240727
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-allmodconfig
|   `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|-- loongarch-defconfig
|   |-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-randconfig-001-20240727
|   |-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-randconfig-002-20240727
|   |-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
`-- x86_64-allyesconfig
    `-- drivers-gpu-drm-amd-amdgpu-..-amdkfd-kfd_topology.c:warning:stack-frame-size-()-exceeds-limit-()-in-kfd_topology_add_device

elapsed time: 726m

configs tested: 31
configs skipped: 134

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
arm64        allmodconfig                        clang-20
arm64        allnoconfig                         gcc-14.1.0
arm64        defconfig                           gcc-14.1.0
arm64        randconfig-001-20240727             clang-20
arm64        randconfig-002-20240727             gcc-14.1.0
arm64        randconfig-003-20240727             gcc-14.1.0
arm64        randconfig-004-20240727             clang-20
loongarch    allmodconfig                        gcc-14.1.0
loongarch    allnoconfig                         gcc-14.1.0
loongarch    defconfig                           gcc-14.1.0
loongarch    randconfig-001-20240727             gcc-14.1.0
loongarch    randconfig-002-20240727             gcc-14.1.0
x86_64       allnoconfig                         clang-18
x86_64       allyesconfig                        clang-18
x86_64       buildonly-randconfig-001-20240727   gcc-8
x86_64       buildonly-randconfig-002-20240727   gcc-13
x86_64       buildonly-randconfig-003-20240727   gcc-13
x86_64       buildonly-randconfig-004-20240727   gcc-13
x86_64       buildonly-randconfig-005-20240727   clang-18
x86_64       buildonly-randconfig-006-20240727   gcc-13
x86_64       defconfig                           gcc-13
x86_64       randconfig-001-20240727             gcc-13
x86_64       randconfig-002-20240727             clang-18
x86_64       randconfig-003-20240727             clang-18
x86_64       randconfig-004-20240727             clang-18
x86_64       randconfig-005-20240727             gcc-13
x86_64       randconfig-006-20240727             clang-18
x86_64       randconfig-011-20240727             gcc-13
x86_64       randconfig-012-20240727             gcc-13
x86_64       randconfig-013-20240727             clang-18
x86_64       rhel-8.3-rust                       clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 9458/23370] drivers/iommu/.tmp_amd_iommu_quirks.o: warning: objtool: missing symbol for section .text
by kernel test robot 27 Jul '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   365ea86d72567c1550e42ecf0e3f4521da9a5570
commit: fe2ee4839a7421367da12f5610e1b45c619fcbad [9458/23370] iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems
config: x86_64-buildonly-randconfig-005-20240727 (https://download.01.org/0day-ci/archive/20240727/202407271424.5G6KyQ0z-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240727/202407271424.5G6KyQ0z-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407271424.5G6KyQ0z-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/iommu/.tmp_amd_iommu_quirks.o: warning: objtool: missing symbol for section .text

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] kobject: Fix global-out-of-bounds in kobject_action_type()
by Xia Fukun 27 Jul '24

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9REGZ
CVE: NA

--------------------------------

The following C language code can trigger KASAN's global variable
out-of-bounds access error in kobject_action_type():

	#include <fcntl.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>

	int main() {
		int fd;
		char *filename = "/sys/block/ram12/uevent";
		char str[86] = "offline";
		int len = 86;

		fd = open(filename, O_WRONLY);
		if (fd == -1) {
			printf("open");
			exit(1);
		}

		if (write(fd, str, len) == -1) {
			printf("write");
			exit(1);
		}

		close(fd);
		return 0;
	}

Function kobject_action_type() receives the input parameters buf and count,
where count is the length of the string buf.

In the use case we provided, count is 86, the count_first is 85.
Buf points to a string with a length of 86, and its first seven
characters are "offline".
In line 87 of the code, kobject_actions[action] is the string "offline"
with the length of 7, an out-of-boundary access will appear:

kobject_actions[action][85].

Modify the judgment logic in line 87. If the length of the string
kobject_actions[action] is greater than count_first (e.g. buf is "off",
count is 3), continue the loop. Otherwise, the match is considered
successful.

This change means that our test case will be successfully parsed as an
offline event and no out-of-bounds access error will occur.

Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents")
Signed-off-by: Xia Fukun <xiafukun(a)huawei.com>
---
 lib/kobject_uevent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c index 26d21339bef27..b5fc7b9ce197a 100644 --- a/lib/kobject_uevent.c +++ b/lib/kobject_uevent.c
@@ -84,7 +84,7 @@ static int kobject_action_type(const char *buf, size_t count, for (action = 0; action < ARRAY_SIZE(kobject_actions); action++) { if (strncmp(kobject_actions[action], buf, count_first) != 0) continue; - if (kobject_actions[action][count_first] != '\0') + if (strlen(kobject_actions[action]) > count_first) continue; if (args) *args = args_start; -- 2.34.1
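Review bot: the replacement test `strlen(kobject_actions[action]) > count_first` only rejects table entries that are longer than the input, so it removes the out-of-bounds index but also loosens the match. Because the strncmp() on the line above stops at the first NUL, a buffer holding "offline", a NUL and then arbitrary bytes now matches with count_first larger than the action name, and the bytes after the NUL play no part in the comparison (the commit message confirms the 86-byte write is accepted as an offline event). If exact-length matching is meant to be preserved, `strlen(kobject_actions[action]) != count_first` is equally bounds-safe and rejects that input; if accepting it is intended, say so in a comment next to the check.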
[PATCH openEuler-1.0-LTS 0/5] BMA: Fix iBMA bug and change
by Wang Hai 27 Jul '24

From: Wujiahai <wujiahai(a)huawei.com>

1. a low probability that iBMA cdev_veth driver causes softlockup problem
2. a low probability that iBMA veth driver causes soft interrupt loops
3. Change the iBMA driver version.
4. Resolved the problem that the DMA reset does not meet the expectation
   due to the mismatch between the register configuration and the
   communication transmission direction during DMA reset.

Wujiahai (5):
  BMA/edma_drv: Fix DMA reset problem and change the version number.
  BMA/cdev_drv: Change the version number.
  BMA/veth_drv: Fix soft interrupt loops and change the version number
  BMA/kbox_drv: Change the version number.
  BMA/cdev_veth_drv: Fix softlockup problem

 .../net/ethernet/huawei/bma/cdev_drv/bma_cdev.c | 2 +-
 .../bma/cdev_veth_drv/virtual_cdev_eth_net.c | 14 ++++++++------
 drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.h | 2 +-
 .../net/ethernet/huawei/bma/edma_drv/edma_host.c | 4 ++--
 .../ethernet/huawei/bma/kbox_drv/kbox_include.h | 2 +-
 drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.c | 12 +++++++++++-
 drivers/net/ethernet/huawei/bma/veth_drv/veth_hb.h | 2 +-
 7 files changed, 25 insertions(+), 13 deletions(-)

--
2.27.0
[PATCH OLK-6.6] media: i2c: et8ek8: Don't strip remove function when driver is builtin
by Wupeng Ma 26 Jul '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>

stable inclusion
from stable-v6.6.33
commit c1a3803e5bb91c13e9ad582003e4288f67f06cd9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IA74DQ

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ]

Using __exit for the remove function results in the remove callback being
discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g.
using sysfs or hotplug), the driver is just removed without the cleanup
being performed. This results in resource leaks. Fix it by compiling in the
remove callback unconditionally.

This also fixes a W=1 modpost warning:

	WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)

Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com>
---
 drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c index d6fc843f9368..0d6f0f8506f7 100644 --- a/drivers/media/i2c/et8ek8/et8ek8_driver.c +++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c @@ -1460,7 +1460,7 @@ static int et8ek8_probe(struct i2c_client *client) return ret; } -static void __exit et8ek8_remove(struct i2c_client *client) +static void et8ek8_remove(struct i2c_client *client) { struct v4l2_subdev *subdev = i2c_get_clientdata(client); struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev);
@@ -1502,7 +1502,7 @@ static struct i2c_driver et8ek8_i2c_driver = { .of_match_table = et8ek8_of_table, }, .probe = et8ek8_probe, - .remove = __exit_p(et8ek8_remove), + .remove = et8ek8_remove, .id_table = et8ek8_id_table, }; -- 2.25.1
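Review bot: the `.remove = et8ek8_remove` change in the et8ek8_i2c_driver hunk is the same upstream fix (545b215736c5) that the openEuler-22.03-LTS-SP1 and OLK-5.10 postings tag with CVE: CVE-2024-38611 and bugzilla IA6S9P, but this posting's header has no CVE line and points at a different issue (IA74DQ). Add the CVE tag here, or note why this branch is tracked under a separate issue, so the three backports can be correlated. No objection to the code itself: dropping both __exit and __exit_p() together is required, since keeping either one would leave the section mismatch the commit message quotes.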
[PATCH openEuler-22.03-LTS-SP1] media: i2c: et8ek8: Don't strip remove function when driver is builtin
by Wupeng Ma 26 Jul '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>

stable inclusion
from stable-v6.6.33
commit c1a3803e5bb91c13e9ad582003e4288f67f06cd9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S9P
CVE: CVE-2024-38611

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ]

Using __exit for the remove function results in the remove callback being
discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g.
using sysfs or hotplug), the driver is just removed without the cleanup
being performed. This results in resource leaks. Fix it by compiling in the
remove callback unconditionally.

This also fixes a W=1 modpost warning:

	WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)

Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>

Conflicts:
	drivers/media/i2c/et8ek8/et8ek8_driver.c
[Ma Wupeng: return val of et8ek8_remove lead to conflict]
Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com>
---
 drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c index 256acf73d5ea..4d7c4eac5e20 100644 --- a/drivers/media/i2c/et8ek8/et8ek8_driver.c +++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c
@@ -1460,7 +1460,7 @@ static int et8ek8_probe(struct i2c_client *client) return ret; } -static int __exit et8ek8_remove(struct i2c_client *client) +static int et8ek8_remove(struct i2c_client *client) { struct v4l2_subdev *subdev = i2c_get_clientdata(client); struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev); @@ -1504,7 +1504,7 @@ static struct i2c_driver et8ek8_i2c_driver = { .of_match_table = et8ek8_of_table, }, .probe_new = et8ek8_probe, - .remove = __exit_p(et8ek8_remove), + .remove = et8ek8_remove, .id_table = et8ek8_id_table, }; -- 2.25.1
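Review bot: in the first hunk the function stays `static int et8ek8_remove(...)`, whereas the OLK-6.6 posting of the same upstream commit changes a `void` function, and the only record of that difference is the bracketed note "return val of et8ek8_remove lead to conflict". Spell out in the Conflicts section that this tree's i2c .remove callback returns int and that only the __exit annotation and the __exit_p() wrapper were dropped, so a reader can confirm nothing else was adapted.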
[PATCH OLK-5.10] media: i2c: et8ek8: Don't strip remove function when driver is builtin
by Wupeng Ma 26 Jul '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>

stable inclusion
from stable-v6.6.33
commit c1a3803e5bb91c13e9ad582003e4288f67f06cd9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S9P
CVE: CVE-2024-38611

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 545b215736c5c4b354e182d99c578a472ac9bfce ]

Using __exit for the remove function results in the remove callback being
discarded with CONFIG_VIDEO_ET8EK8=y. When such a device gets unbound (e.g.
using sysfs or hotplug), the driver is just removed without the cleanup
being performed. This results in resource leaks. Fix it by compiling in the
remove callback unconditionally.

This also fixes a W=1 modpost warning:

	WARNING: modpost: drivers/media/i2c/et8ek8/et8ek8: section mismatch in reference: et8ek8_i2c_driver+0x10 (section: .data) -> et8ek8_remove (section: .exit.text)

Fixes: c5254e72b8ed ("[media] media: Driver for Toshiba et8ek8 5MP sensor")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de>
Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>

Conflicts:
	drivers/media/i2c/et8ek8/et8ek8_driver.c
[Ma Wupeng: return val of et8ek8_remove lead to conflict]
Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com>
---
 drivers/media/i2c/et8ek8/et8ek8_driver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/et8ek8/et8ek8_driver.c b/drivers/media/i2c/et8ek8/et8ek8_driver.c index 256acf73d5ea..4d7c4eac5e20 100644 --- a/drivers/media/i2c/et8ek8/et8ek8_driver.c +++ b/drivers/media/i2c/et8ek8/et8ek8_driver.c
@@ -1460,7 +1460,7 @@ static int et8ek8_probe(struct i2c_client *client) return ret; } -static int __exit et8ek8_remove(struct i2c_client *client) +static int et8ek8_remove(struct i2c_client *client) { struct v4l2_subdev *subdev = i2c_get_clientdata(client); struct et8ek8_sensor *sensor = to_et8ek8_sensor(subdev); @@ -1504,7 +1504,7 @@ static struct i2c_driver et8ek8_i2c_driver = { .of_match_table = et8ek8_of_table, }, .probe_new = et8ek8_probe, - .remove = __exit_p(et8ek8_remove), + .remove = et8ek8_remove, .id_table = et8ek8_id_table, }; -- 2.25.1
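Review bot: the second hunk's context line `.probe_new = et8ek8_probe` and the int-returning remove function show this is an adapted backport, yet the header still reads "stable inclusion from stable-v6.6.33 commit c1a3803e5bb9" as if it were a clean pick. Mark the provenance as a backport with conflicts against that commit, or cite the commit from the stable series this branch follows if one exists, since the diff as posted cannot apply from the 6.6 change unmodified.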
[PATCH openEuler-1.0-LTS] thermal: Fix NULL pointer dereferences in of_thermal_ functions
by Liu Mingrui 26 Jul '24

From: Subbaraman Narayanamurthy <quic_subbaram(a)quicinc.com>

stable inclusion
from stable-v5.10.81
commit 6a315471cb6a07f651e1d3adc8962730f4fcccac
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNF5
CVE: CVE-2021-47202

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 96cfe05051fd8543cdedd6807ec59a0e6c409195 upstream.

of_parse_thermal_zones() parses the thermal-zones node and registers a
thermal_zone device for each subnode. However, if a thermal zone is
consuming a thermal sensor and that thermal sensor device hasn't probed
yet, an attempt to set trip_point_*_temp for that thermal zone device
can cause a NULL pointer dereference. Fix it.

 console:/sys/class/thermal/thermal_zone87 # echo 120000 > trip_point_0_temp
 ...
 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
 ...
 Call trace:
  of_thermal_set_trip_temp+0x40/0xc4
  trip_point_temp_store+0xc0/0x1dc
  dev_attr_store+0x38/0x88
  sysfs_kf_write+0x64/0xc0
  kernfs_fop_write_iter+0x108/0x1d0
  vfs_write+0x2f4/0x368
  ksys_write+0x7c/0xec
  __arm64_sys_write+0x20/0x30
  el0_svc_common.llvm.7279915941325364641+0xbc/0x1bc
  do_el0_svc+0x28/0xa0
  el0_svc+0x14/0x24
  el0_sync_handler+0x88/0xec
  el0_sync+0x1c0/0x200

While at it, fix the possible NULL pointer dereference in other
functions as well: of_thermal_get_temp(), of_thermal_set_emul_temp(),
of_thermal_get_trend().

Suggested-by: David Collins <quic_collinsd(a)quicinc.com>
Signed-off-by: Subbaraman Narayanamurthy <quic_subbaram(a)quicinc.com>
Acked-by: Daniel Lezcano <daniel.lezcano(a)linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>

Conflicts:
	drivers/thermal/of-thermal.c
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
 drivers/thermal/of-thermal.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c index 4f2816559205..856dce4d72e2 100644 --- a/drivers/thermal/of-thermal.c +++ b/drivers/thermal/of-thermal.c @@ -77,7 +77,7 @@ static int of_thermal_get_temp(struct thermal_zone_device *tz, { struct __thermal_zone *data = tz->devdata; - if (!data->ops->get_temp) + if (!data->ops || !data->ops->get_temp) return -EINVAL; return data->ops->get_temp(data->sensor_data, temp); @@ -174,6 +174,10 @@ static int of_thermal_set_emul_temp(struct thermal_zone_device *tz, { struct __thermal_zone *data = tz->devdata; + if (!data->ops || !data->ops->set_emul_temp) + return -EINVAL; + + return data->ops->set_emul_temp(data->sensor_data, temp); } @@ -182,7 +186,7 @@ static int of_thermal_get_trend(struct thermal_zone_device *tz, int trip, { struct __thermal_zone *data = tz->devdata; - if (!data->ops->get_trend) + if (!data->ops || !data->ops->get_trend) return -EINVAL; return data->ops->get_trend(data->sensor_data, trip, trend); @@ -310,7 +314,7 @@ static int of_thermal_set_trip_temp(struct thermal_zone_device *tz, int trip, if (trip >= data->ntrips || trip < 0) return -EDOM; - if (data->ops->set_trip_temp) { + if (data->ops && data->ops->set_trip_temp) { int ret; ret = data->ops->set_trip_temp(data->sensor_data, trip, temp); -- 2.25.1
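Review bot: the of_thermal_set_emul_temp() hunk (@@ -174,6 +174,10 @@) adds four lines and the last two are both empty `+` lines, which leaves a double blank line before `return data->ops->set_emul_temp(data->sensor_data, temp);`; drop one of them. Separately, all four functions now return -EINVAL (or skip the callback in of_thermal_set_trip_temp()) when data->ops is NULL, which the commit message ties to a sensor that has not probed yet; a short comment at one of the checks stating that ops can be NULL for that reason would help, because -EINVAL from a sysfs write gives no hint that the condition is transient.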