From: Aleksandr Mishin <amishin(a)t-argos.ru>
stable inclusion
from stable-v6.6.44
commit 99b642dac24f6d09ba3ebf1d690be8aefff86164
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ4U
CVE: CVE-2024-43818
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 5080808c3339de2220c602ab7c7fa23dc6c1a5a3 ]
acpi_get_first_physical_node() can return NULL in several cases (no such
device, ACPI table error, reference count drop to 0, etc).
Existing check just emit error message, but doesn't perform return.
Then this NULL pointer is passed to devm_acpi_dev_add_driver_gpios()
where it is dereferenced.
Adjust this error handling by adding error code return.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 02527c3f2300 ("ASoC: amd: add Machine driver for Jadeite platform")
Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru>
Link: https://patch.msgid.link/20240703191007.8524-1-amishin@t-argos.ru
Signed-off-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com>
---
sound/soc/amd/acp-es8336.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/amd/acp-es8336.c b/sound/soc/amd/acp-es8336.c
index 5e56d3a..49bffc5 100644
--- a/sound/soc/amd/acp-es8336.c
+++ b/sound/soc/amd/acp-es8336.c
@@ -203,8 +203,10 @@ static int st_es8336_late_probe(struct snd_soc_card *card)
codec_dev = acpi_get_first_physical_node(adev);
acpi_dev_put(adev);
- if (!codec_dev)
+ if (!codec_dev) {
dev_err(card->dev, "can not find codec dev\n");
+ return -ENODEV;
+ }
ret = devm_acpi_dev_add_driver_gpios(codec_dev, acpi_es8336_gpios);
if (ret)
--
2.9.5
From: Dikshita Agarwal <quic_dikshita(a)quicinc.com>
stable inclusion
from stable-v4.19.320
commit ad8cf035baf29467158e0550c7a42b7bb43d1db6
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ1L
CVE: CVE-2024-42313
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=…
--------------------------------
commit a0157b5aa34eb43ec4c5510f9c260bbb03be937e upstream.
There appears to be a possible use after free with vdec_close().
The firmware will add buffer release work to the work queue through
HFI callbacks as a normal part of decoding. Randomly closing the
decoder device from userspace during normal decoding can incur
a read after free for inst.
Fix it by cancelling the work in vdec_close.
Cc: stable(a)vger.kernel.org
Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com>
Acked-by: Vikash Garodia <quic_vgarodia(a)quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov(a)gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Xia Fukun <xiafukun(a)huawei.com>
---
drivers/media/platform/qcom/venus/vdec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
index e3972dbf4c9a3..297a0e84b8dfd 100644
--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -1094,6 +1094,7 @@ static int vdec_close(struct file *file)
{
struct venus_inst *inst = to_inst(file);
+ cancel_work_sync(&inst->delayed_process_work);
v4l2_m2m_ctx_release(inst->m2m_ctx);
v4l2_m2m_release(inst->m2m_dev);
vdec_ctrl_deinit(inst);
--
2.34.1