- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] NFSD: Reset cb_seq_status after NFS4ERR_DELAY
by Li Lingfeng 26 Sep '24

26 Sep '24

From: Chuck Lever <chuck.lever(a)oracle.com> mainline inclusion from mainline-v6.9-rc1 commit 961b4b5e86bf56a2e4b567f81682defa5cba957e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IATOAX Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- I noticed that once an NFSv4.1 callback operation gets a NFS4ERR_DELAY status on CB_SEQUENCE and then the connection is lost, the callback client loops, resending it indefinitely. The switch arm in nfsd4_cb_sequence_done() that handles NFS4ERR_DELAY uses rpc_restart_call() to rearm the RPC state machine for the retransmit, but that path does not call the rpc_prepare_call callback again. Thus cb_seq_status is set to -10008 by the first NFS4ERR_DELAY result, but is never set back to 1 for the retransmits. nfsd4_cb_sequence_done() thinks it's getting nothing but a long series of CB_SEQUENCE NFS4ERR_DELAY replies. Fixes: 7ba6cad6c88f ("nfsd: New helper nfsd4_cb_sequence_done() for processing more cb errors") Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Reviewed-by: Benjamin Coddington <bcodding(a)redhat.com> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 4039ffcf90ba..49a88dde9631 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -1202,6 +1202,7 @@ static bool nfsd4_cb_sequence_done(struct rpc_task *task, struct nfsd4_callback ret = false; break; case -NFS4ERR_DELAY: + cb->cb_seq_status = 1; if (!rpc_restart_call(task)) goto out; -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS-SP1] VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
by Zhang Kunbo 26 Sep '24

26 Sep '24

From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> stable inclusion from stable-v5.10.226 commit 6c563a29857aa8053b67ee141191f69757f27f6e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L CVE: CVE-2024-46738 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 upstream. When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove(). Fixes: bc63dedb7d46 ("VMCI: resource object implementation.") Cc: stable(a)vger.kernel.org Reported-by: George Kennedy <george.kennedy(a)oracle.com> Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/misc/vmw_vmci/vmci_resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c index 692daa9eff34..19c9d2cdd277 100644 --- a/drivers/misc/vmw_vmci/vmci_resource.c +++ b/drivers/misc/vmw_vmci/vmci_resource.c @@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_resource *resource) spin_lock(&vmci_resource_table.lock); hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) { - if (vmci_handle_is_equal(r->handle, resource->handle)) { + if (vmci_handle_is_equal(r->handle, resource->handle) && + resource->type == r->type) { hlist_del_init_rcu(&r->node); break; } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] pktgen: use cpus_read_lock() in pg_net_init()
by Wang Liang 26 Sep '24

26 Sep '24

mainline inclusion from mainline-v6.11-rc6 commit 979b581e4c69257acab1af415ddad6b2d78a2fa5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4B3 CVE: CVE-2024-46681 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20240821175339.1191779-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/core/pktgen.c [conflicts due to not mergered f568a3d49af9 ("bpf,lsm: Add BPF token LSM hooks") which include linux/bpf.h, and lead to inclusion of linux/cpu.h indirectly. The commit(f568a3d49af9) is complex and irrelevant to this problem. To solve the compile error, include linux/cpu.h manually.] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/core/pktgen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 3fba429f1f57..89ac59ff6598 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -170,6 +170,7 @@ #include <linux/uaccess.h> #include <asm/dma.h> #include <asm/div64.h> /* do_div */ +#include <linux/cpu.h> #define VERSION "2.75" #define IP_NAME_SZ 32 @@ -3464,7 +3465,7 @@ static int pktgen_thread_worker(void *arg) struct pktgen_dev *pkt_dev = NULL; int cpu = t->cpu; - WARN_ON(smp_processor_id() != cpu); + WARN_ON_ONCE(smp_processor_id() != cpu); init_waitqueue_head(&t->queue); complete(&t->start_done); @@ -3800,6 +3801,7 @@ static int __net_init pg_net_init(struct net *net) goto remove; } + cpus_read_lock(); for_each_online_cpu(cpu) { int err; @@ -3808,6 +3810,7 @@ static int __net_init pg_net_init(struct net *net) pr_warn("Cannot create thread for cpu %d (%d)\n", cpu, err); } + cpus_read_unlock(); if (list_empty(&pn->pktgen_threads)) { pr_err("Initialization failed for all threads\n"); -- 2.34.1

2 1

[PATCH OLK-5.10] pktgen: use cpus_read_lock() in pg_net_init()
by Wang Liang 26 Sep '24

26 Sep '24

mainline inclusion from mainline-v6.11-rc6 commit 979b581e4c69257acab1af415ddad6b2d78a2fa5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4B3 CVE: CVE-2024-46681 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20240821175339.1191779-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/core/pktgen.c [conflicts due to not mergered f568a3d49af9 ("bpf,lsm: Add BPF token LSM hooks") which include linux/bpf.h, and lead to inclusion of linux/cpu.h indirectly. The commit(f568a3d49af9) is complex and irrelevant to this problem. To solve the compile error, include linux/cpu.h manually.] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/core/pktgen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index c1e3d3bea128..28ba48d836d5 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -170,6 +170,7 @@ #include <linux/uaccess.h> #include <asm/dma.h> #include <asm/div64.h> /* do_div */ +#include <linux/cpu.h> #define VERSION "2.75" #define IP_NAME_SZ 32 @@ -3464,7 +3465,7 @@ static int pktgen_thread_worker(void *arg) struct pktgen_dev *pkt_dev = NULL; int cpu = t->cpu; - WARN_ON(smp_processor_id() != cpu); + WARN_ON_ONCE(smp_processor_id() != cpu); init_waitqueue_head(&t->queue); complete(&t->start_done); @@ -3800,6 +3801,7 @@ static int __net_init pg_net_init(struct net *net) goto remove; } + cpus_read_lock(); for_each_online_cpu(cpu) { int err; @@ -3808,6 +3810,7 @@ static int __net_init pg_net_init(struct net *net) pr_warn("Cannot create thread for cpu %d (%d)\n", cpu, err); } + cpus_read_unlock(); if (list_empty(&pn->pktgen_threads)) { pr_err("Initialization failed for all threads\n"); -- 2.34.1

2 1

[PATCH OLK-5.10 v2] drm/amd/display: Ensure index calculation will not overflow
by Tong Tiangen 26 Sep '24

26 Sep '24

mainline inclusion from mainline-v6.1-rc1 commit 8e2734bf444767fed787305ccdcb36a2be5301a2 bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV8L CVE: CVE-2024-46726 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [WHY & HOW] Make sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will never overflow and exceess array size. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Acked-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Conflicts: drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c [Conflicts from: 1) commit 552b7cb0eed1 move drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c to drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c; 2) commit 91954c6c904b move dcn_bw_update_from_pplib() to dcn_bw_update_from_pplib_fclks() and the code logic is the same.] Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c b/drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c index 51397b565ddf..2186603d915c 100644 --- a/drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c +++ b/drivers/gpu/drm/amd/display/dc/calcs/dcn_calcs.c @@ -1498,10 +1498,9 @@ void dcn_bw_update_from_pplib(struct dc *dc) ASSERT(fclks.num_levels); vmin0p65_idx = 0; - vmid0p72_idx = fclks.num_levels - - (fclks.num_levels > 2 ? 3 : (fclks.num_levels > 1 ? 2 : 1)); - vnom0p8_idx = fclks.num_levels - (fclks.num_levels > 1 ? 2 : 1); - vmax0p9_idx = fclks.num_levels - 1; + vmid0p72_idx = fclks.num_levels > 2 ? fclks.num_levels - 3 : 0; + vnom0p8_idx = fclks.num_levels > 1 ? fclks.num_levels - 2 : 0; + vmax0p9_idx = fclks.num_levels > 0 ? fclks.num_levels - 1 : 0; dc->dcn_soc->fabric_and_dram_bandwidth_vmin0p65 = 32 * (fclks.data[vmin0p65_idx].clocks_in_khz / 1000.0) / 1000.0; -- 2.25.1

2 1

[PATCH OLK-6.6] pktgen: use cpus_read_lock() in pg_net_init()
by Wang Liang 26 Sep '24

26 Sep '24

mainline inclusion from mainline-v6.11-rc6 commit 979b581e4c69257acab1af415ddad6b2d78a2fa5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4B3 CVE: CVE-2024-46681 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20240821175339.1191779-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/core/pktgen.c [conflicts due to not mergered f568a3d49af9 ("bpf,lsm: Add BPF token LSM hooks") which include linux/bpf.h, and lead to inclusion of linux/cpu.h indirectly. The commit(f568a3d49af9) is complex and irrelevant to this problem. To solve the compile error, include linux/cpu.h manually.] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/core/pktgen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/core/pktgen.c b/net/core/pktgen.c index 0e472f6fab85..473503217201 100644 --- a/net/core/pktgen.c +++ b/net/core/pktgen.c @@ -170,6 +170,7 @@ #include <linux/uaccess.h> #include <asm/dma.h> #include <asm/div64.h> /* do_div */ +#include <linux/cpu.h> #define VERSION "2.75" #define IP_NAME_SZ 32 @@ -3605,7 +3606,7 @@ static int pktgen_thread_worker(void *arg) struct pktgen_dev *pkt_dev = NULL; int cpu = t->cpu; - WARN_ON(smp_processor_id() != cpu); + WARN_ON_ONCE(smp_processor_id() != cpu); init_waitqueue_head(&t->queue); complete(&t->start_done); @@ -3941,6 +3942,7 @@ static int __net_init pg_net_init(struct net *net) goto remove; } + cpus_read_lock(); for_each_online_cpu(cpu) { int err; @@ -3949,6 +3951,7 @@ static int __net_init pg_net_init(struct net *net) pr_warn("Cannot create thread for cpu %d (%d)\n", cpu, err); } + cpus_read_unlock(); if (list_empty(&pn->pktgen_threads)) { pr_err("Initialization failed for all threads\n"); -- 2.34.1

2 1

[PATCH OLK-5.10] VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
by Zhang Kunbo 26 Sep '24

26 Sep '24

From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> stable inclusion from stable-v5.10.226 commit 6c563a29857aa8053b67ee141191f69757f27f6e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L CVE: CVE-2024-46738 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 upstream. When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove(). Fixes: bc63dedb7d46 ("VMCI: resource object implementation.") Cc: stable(a)vger.kernel.org Reported-by: George Kennedy <george.kennedy(a)oracle.com> Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/misc/vmw_vmci/vmci_resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c index 692daa9eff34..19c9d2cdd277 100644 --- a/drivers/misc/vmw_vmci/vmci_resource.c +++ b/drivers/misc/vmw_vmci/vmci_resource.c @@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_resource *resource) spin_lock(&vmci_resource_table.lock); hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) { - if (vmci_handle_is_equal(r->handle, resource->handle)) { + if (vmci_handle_is_equal(r->handle, resource->handle) && + resource->type == r->type) { hlist_del_init_rcu(&r->node); break; } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] memcg_write_event_control(): fix a user-triggerable oops
by Jinjiang Tu 26 Sep '24

26 Sep '24

From: Al Viro <viro(a)zeniv.linux.org.uk> stable inclusion from stable-v4.19.321 commit fa5bfdf6cb5846a00e712d630a43e3cf55ccb411 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAQOJK CVE: CVE-2024-45021 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 046667c4d3196938e992fba0dfcde570aa85cd0e upstream. we are *not* guaranteed that anything past the terminating NUL is mapped (let alone initialized with anything sane). Fixes: 0dea116876ee ("cgroup: implement eventfd-based generic API for notifications") Cc: stable(a)vger.kernel.org Cc: Andrew Morton <akpm(a)linux-foundation.org> Acked-by: Michal Hocko <mhocko(a)suse.com> Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/memcontrol.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mm/memcontrol.c b/mm/memcontrol.c index f6b6a6c4b491..778e1b5bf80a 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -4578,9 +4578,12 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, buf = endp + 1; cfd = simple_strtoul(buf, &endp, 10); - if ((*endp != ' ') && (*endp != '\0')) + if (*endp == '\0') + buf = endp; + else if (*endp == ' ') + buf = endp + 1; + else return -EINVAL; - buf = endp + 1; event = kzalloc(sizeof(*event), GFP_KERNEL); if (!event) -- 2.34.1

2 1

[PATCH OLK-6.6] hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
by Tong Tiangen 26 Sep '24

26 Sep '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v6.6.51 commit 8fecb75bff1b7d87a071c32a37aa0700f2be379d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX5F CVE: CVE-2024-46756 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/hwmon/w83627ehf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c index fe960c0a624f..7d7d70afde65 100644 --- a/drivers/hwmon/w83627ehf.c +++ b/drivers/hwmon/w83627ehf.c @@ -895,7 +895,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr, if (err < 0) return err; - val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127); + val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000); mutex_lock(&data->update_lock); data->target_temp[nr] = val; @@ -920,7 +920,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr, return err; /* Limit the temp to 0C - 15C */ - val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15); + val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000); mutex_lock(&data->update_lock); reg = w83627ehf_read_value(data, W83627EHF_REG_TOLERANCE[nr]); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
by Tong Tiangen 26 Sep '24

26 Sep '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v4.19.322 commit 93cf73a7bfdce683bde3a7bb65f270d3bd24497b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX5F CVE: CVE-2024-46756 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- drivers/hwmon/w83627ehf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c index ad68b6d9ff17..8da5f77b8987 100644 --- a/drivers/hwmon/w83627ehf.c +++ b/drivers/hwmon/w83627ehf.c @@ -1519,7 +1519,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr, if (err < 0) return err; - val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127); + val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000); mutex_lock(&data->update_lock); data->target_temp[nr] = val; @@ -1545,7 +1545,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr, return err; /* Limit the temp to 0C - 15C */ - val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15); + val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000); mutex_lock(&data->update_lock); if (sio_data->kind == nct6775 || sio_data->kind == nct6776) { -- 2.25.1

2 1