- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] ipv6: Fix infinite recursion in fib6_dump_done().
by Zhengchao Shao 25 May '24

25 May '24

From: Kuniyuki Iwashima <kuniyu(a)amazon.com> stable inclusion from stable-v5.10.215 commit fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG76 CVE: CVE-2024-35886 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae upstream. syzkaller reported infinite recursive calls of fib6_dump_done() during netlink socket destruction. [1] From the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then the response was generated. The following recvmmsg() resumed the dump for IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due to the fault injection. [0] 12:01:34 executing program 3: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, ... snip ...) recvmmsg(r0, ... snip ...) (fail_nth: 8) Here, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call of inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped receiving the response halfway through, and finally netlink_sock_destruct() called nlk_sk(sk)->cb.done(). fib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it is still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by nlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling itself recursively and hitting the stack guard page. To avoid the issue, let's set the destructor after kzalloc(). [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153) should_failslab (mm/slub.c:3733) kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992) inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662) rtnl_dump_all (net/core/rtnetlink.c:4029) netlink_dump (net/netlink/af_netlink.c:2269) netlink_recvmsg (net/netlink/af_netlink.c:1988) ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801) ___sys_recvmsg (net/socket.c:2846) do_recvmmsg (net/socket.c:2943) __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034) [1]: BUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb) stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events netlink_sock_destruct_work RIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570) Code: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d980000 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3 RDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358 RBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000 R13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68 FS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <#DF> </#DF> <TASK> fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) ... fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1)) netlink_sock_destruct (net/netlink/af_netlink.c:401) __sk_destruct (net/core/sock.c:2177 (discriminator 2)) sk_destruct (net/core/sock.c:2224) __sk_free (net/core/sock.c:2235) sk_free (net/core/sock.c:2246) process_one_work (kernel/workqueue.c:3259) worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416) kthread (kernel/kthread.c:388) ret_from_fork (arch/x86/kernel/process.c:153) ret_from_fork_asm (arch/x86/entry/entry_64.S:256) Modules linked in: Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: syzkaller <syzkaller(a)googlegroups.com> Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Link: https://lore.kernel.org/r/20240401211003.25274-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ipv6/ip6_fib.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index cb8122c33165..23881e5ebb3d 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -644,19 +644,19 @@ static int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb) if (!w) { /* New dump: * - * 1. hook callback destructor. - */ - cb->args[3] = (long)cb->done; - cb->done = fib6_dump_done; - - /* - * 2. allocate and initialize walker. + * 1. allocate and initialize walker. */ w = kzalloc(sizeof(*w), GFP_ATOMIC); if (!w) return -ENOMEM; w->func = fib6_dump_node; cb->args[2] = (long)w; + + /* 2. hook callback destructor. + */ + cb->args[3] = (long)cb->done; + cb->done = fib6_dump_done; + } arg.skb = skb; -- 2.34.1

2 1

[openeuler:OLK-5.10] BUILD SUCCESS 8d7f48064dc365d3e6bfdf6b71a9561d5aa6d3eb
by kernel test robot 25 May '24

25 May '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: 8d7f48064dc365d3e6bfdf6b71a9561d5aa6d3eb !5484 [OLK-5.10] Add support for Mucse Virtual Function Network Adapter(N500/N210) Unverified Warning (likely false positive, please contact us if interested): Documentation/devicetree/bindings/iio/addac/adi,ad74413r.yaml: ^channel@[0-3]$: Missing additionalProperties/unevaluatedProperties constraint Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml: ^codec(-[0-9]+)?$: Missing additionalProperties/unevaluatedProperties constraint Warning ids grouped by kconfigs: clang_recent_errors |-- arm64-allyesconfig | |-- Documentation-devicetree-bindings-iio-addac-adi-ad74413r.yaml:channel:Missing-additionalProperties-unevaluatedProperties-constraint | `-- Documentation-devicetree-bindings-sound-amlogic-gx-sound-card.yaml:codec(-):Missing-additionalProperties-unevaluatedProperties-constraint `-- x86_64-allnoconfig |-- Warning:openEuler-MAINTAINERS-references-a-file-that-doesn-t-exist:Documentation-networking-hinic3.rst |-- drivers-net-ethernet-yunsilicon-xsc-net-main.c:common-qp.h-is-included-more-than-once. |-- drivers-ub-urma-ubcore-ubcore_cdev_file.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_device.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_genl.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_genl_admin.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_uvs_cmd.c:ubcore_device.h-is-included-more-than-once. `-- drivers-ub-urma-uburma-uburma_mmap.c:linux-version.h-not-needed. elapsed time: 743m configs tested: 35 configs skipped: 131 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240525 gcc arm64 randconfig-002-20240525 clang arm64 randconfig-003-20240525 gcc arm64 randconfig-004-20240525 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240525 clang x86_64 buildonly-randconfig-002-20240525 gcc x86_64 buildonly-randconfig-003-20240525 gcc x86_64 buildonly-randconfig-004-20240525 gcc x86_64 buildonly-randconfig-005-20240525 gcc x86_64 buildonly-randconfig-006-20240525 gcc x86_64 defconfig gcc x86_64 randconfig-001-20240525 clang x86_64 randconfig-002-20240525 clang x86_64 randconfig-003-20240525 clang x86_64 randconfig-004-20240525 clang x86_64 randconfig-005-20240525 clang x86_64 randconfig-006-20240525 clang x86_64 randconfig-011-20240525 clang x86_64 randconfig-012-20240525 clang x86_64 randconfig-013-20240525 gcc x86_64 randconfig-014-20240525 clang x86_64 randconfig-015-20240525 gcc x86_64 randconfig-016-20240525 clang x86_64 randconfig-071-20240525 gcc x86_64 randconfig-072-20240525 clang x86_64 randconfig-073-20240525 clang x86_64 randconfig-074-20240525 gcc x86_64 randconfig-075-20240525 gcc x86_64 randconfig-076-20240525 clang x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS dde5bc8e6ecba8eecddbef68842609d9ea951a33
by kernel test robot 25 May '24

25 May '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: dde5bc8e6ecba8eecddbef68842609d9ea951a33 !7811 Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-allmodconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code |-- arm64-defconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code `-- x86_64-buildonly-randconfig-002-20240524 `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code clang_recent_errors |-- x86_64-allyesconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension |-- x86_64-randconfig-003-20240524 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension `-- x86_64-randconfig-012-20240524 `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension elapsed time: 735m configs tested: 25 configs skipped: 131 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240524 gcc arm64 randconfig-002-20240524 gcc arm64 randconfig-003-20240524 gcc arm64 randconfig-004-20240524 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240524 gcc x86_64 buildonly-randconfig-002-20240524 gcc x86_64 buildonly-randconfig-003-20240524 clang x86_64 buildonly-randconfig-004-20240524 gcc x86_64 buildonly-randconfig-005-20240524 gcc x86_64 buildonly-randconfig-006-20240524 gcc x86_64 defconfig gcc x86_64 randconfig-001-20240524 gcc x86_64 randconfig-002-20240524 clang x86_64 randconfig-003-20240524 clang x86_64 randconfig-004-20240524 clang x86_64 randconfig-005-20240524 clang x86_64 randconfig-006-20240524 gcc x86_64 randconfig-011-20240524 gcc x86_64 randconfig-012-20240524 clang x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10 v2 0/6] Add network relationship for NUMA isolation and consolidation
by Liu Jian 24 May '24

24 May '24

Add network relationship for NUMA isolation and consolidation Eric Dumazet (1): net: initialize net->net_cookie at netns setup Liu Jian (4): net: fix kabi breakage in struct net net: add one bpf prog type for network numa relationship net: add some bpf hooks in tcp stack for network numa relationship config: Add new config entry to default config file to fix CI warning Martynas Pumputis (1): net: retrieve netns cookie via getsocketopt arch/alpha/include/uapi/asm/socket.h | 2 + arch/mips/include/uapi/asm/socket.h | 2 + arch/parisc/include/uapi/asm/socket.h | 2 + arch/sparc/include/uapi/asm/socket.h | 2 + arch/x86/configs/openeuler_defconfig | 1 + include/linux/bpf_types.h | 4 + include/linux/filter.h | 68 ++++++ include/linux/skbuff.h | 4 + include/net/net_namespace.h | 8 +- include/net/net_rship.h | 329 ++++++++++++++++++++++++++ include/net/sock.h | 4 + include/uapi/asm-generic/socket.h | 2 + include/uapi/linux/bpf.h | 23 ++ init/Kconfig | 1 + kernel/bpf/syscall.c | 19 ++ net/Kconfig | 6 + net/core/dev.c | 4 + net/core/filter.c | 218 ++++++++++++++++- net/core/net_namespace.c | 19 +- net/core/skbuff.c | 17 +- net/core/sock.c | 28 +++ net/core/sysctl_net_core.c | 18 ++ net/ipv4/tcp.c | 6 + net/ipv4/tcp_output.c | 3 + tools/bpf/bpftool/prog.c | 5 + tools/include/uapi/linux/bpf.h | 27 +++ tools/lib/bpf/libbpf.c | 8 + tools/lib/bpf/libbpf_probes.c | 1 + 28 files changed, 806 insertions(+), 25 deletions(-) create mode 100644 include/net/net_rship.h -- 2.34.1

2 7

[PATCH openEuler-1.0-LTS] dm rq: don't queue request to blk-mq during DM suspend
by Li Lingfeng 24 May '24

24 May '24

From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v5.15-rc6 commit commit b4459b11e84092658fa195a2587aff3b9637f0e7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RD8R CVE: CVE-2021-47498 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… b4459b11e84092658fa195a2587aff3b9637f0e7 -------------------------------- DM uses blk-mq's quiesce/unquiesce to stop/start device mapper queue. But blk-mq's unquiesce may come from outside events, such as elevator switch, updating nr_requests or others, and request may come during suspend, so simply ask for blk-mq to requeue it. Fixes one kernel panic issue when running updating nr_requests and dm-mpath suspend/resume stress test. Cc: stable(a)vger.kernel.org Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)redhat.com> Conflicts: drivers/md/dm-rq.c [Commit fa247089de99 ("dm: requeue IO if mapping table not yet available") has been applied in hulk code before while it was applied after this patch in mainline] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm-rq.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/md/dm-rq.c b/drivers/md/dm-rq.c index 288064e94e52..fc4eaed2d986 100644 --- a/drivers/md/dm-rq.c +++ b/drivers/md/dm-rq.c @@ -750,6 +750,14 @@ static blk_status_t dm_mq_queue_rq(struct blk_mq_hw_ctx *hctx, struct mapped_device *md = tio->md; struct dm_target *ti = md->immutable_target; + /* + * blk-mq's unquiesce may come from outside events, such as + * elevator switch, updating nr_requests or others, and request may + * come during suspend, so simply ask for blk-mq to requeue it. + */ + if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags))) + return BLK_STS_RESOURCE; + if (unlikely(!ti)) { int srcu_idx; struct dm_table *map; -- 2.31.1

2 1

[PATCH OLK-5.10 0/5] Add network relationship for NUMA isolation and consolidation
by Liu Jian 24 May '24

24 May '24

Add network relationship for NUMA isolation and consolidation. Eric Dumazet (1): net: initialize net->net_cookie at netns setup Liu Jian (3): net: fix kabi breakage in struct net net: add one bpf prog type for network numa relationship net: add some bpf hooks in tcp stack for network numa relationship Martynas Pumputis (1): net: retrieve netns cookie via getsocketopt arch/alpha/include/uapi/asm/socket.h | 2 + arch/mips/include/uapi/asm/socket.h | 2 + arch/parisc/include/uapi/asm/socket.h | 2 + arch/sparc/include/uapi/asm/socket.h | 2 + include/linux/bpf_types.h | 4 + include/linux/filter.h | 67 ++++++ include/linux/skbuff.h | 4 + include/net/net_namespace.h | 8 +- include/net/net_rship.h | 329 ++++++++++++++++++++++++++ include/net/sock.h | 4 + include/uapi/asm-generic/socket.h | 2 + include/uapi/linux/bpf.h | 23 ++ init/Kconfig | 1 + kernel/bpf/syscall.c | 19 ++ net/Kconfig | 6 + net/core/dev.c | 4 + net/core/filter.c | 218 ++++++++++++++++- net/core/net_namespace.c | 19 +- net/core/skbuff.c | 17 +- net/core/sock.c | 28 +++ net/core/sysctl_net_core.c | 18 ++ net/ipv4/tcp.c | 6 + net/ipv4/tcp_output.c | 3 + tools/bpf/bpftool/prog.c | 5 + tools/include/uapi/linux/bpf.h | 27 +++ tools/lib/bpf/libbpf.c | 8 + tools/lib/bpf/libbpf_probes.c | 1 + 27 files changed, 804 insertions(+), 25 deletions(-) create mode 100644 include/net/net_rship.h -- 2.34.1

2 6

[PATCH OLK-5.10 v3 0/2] sched: QOS_SCHED_DYNAMIC_AFFINITY depend on FAIR_GROUP_SCHED
by Yipeng Zou 24 May '24

24 May '24

It's typo error, should be FAIR_GROUP_SCHED but not FAIR_CGROUP_SCHED. Yipeng Zou (2): Revert "sched: QOS_SCHED_DYNAMIC_AFFINITY depend on FAIR_CGROUP_SCHED" sched: QOS_SCHED_DYNAMIC_AFFINITY depend on FAIR_GROUP_SCHED init/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.34.1

2 4

[PATCH OLK-5.10 0/5] Add network relationship for NUMA isolation and consolidation
by Liu Jian 24 May '24

24 May '24

Add network relationship for NUMA isolation and consolidation. Eric Dumazet (1): net: initialize net->net_cookie at netns setup Liu Jian (3): net: fix kabi breakage in struct net net: add one bpf prog type for network numa relationship net: add some bpf hooks in tcp stack for network numa relationship Martynas Pumputis (1): net: retrieve netns cookie via getsocketopt arch/alpha/include/uapi/asm/socket.h | 2 + arch/mips/include/uapi/asm/socket.h | 2 + arch/parisc/include/uapi/asm/socket.h | 2 + arch/sparc/include/uapi/asm/socket.h | 2 + include/linux/bpf_types.h | 4 + include/linux/filter.h | 67 ++++++ include/linux/skbuff.h | 4 + include/net/net_namespace.h | 8 +- include/net/net_rship.h | 329 ++++++++++++++++++++++++++ include/net/sock.h | 4 + include/uapi/asm-generic/socket.h | 2 + include/uapi/linux/bpf.h | 23 ++ init/Kconfig | 1 + kernel/bpf/syscall.c | 19 ++ net/Kconfig | 6 + net/core/dev.c | 4 + net/core/filter.c | 218 ++++++++++++++++- net/core/net_namespace.c | 19 +- net/core/skbuff.c | 17 +- net/core/sock.c | 28 +++ net/core/sysctl_net_core.c | 18 ++ net/ipv4/tcp.c | 6 + net/ipv4/tcp_output.c | 3 + tools/bpf/bpftool/prog.c | 5 + tools/include/uapi/linux/bpf.h | 27 +++ tools/lib/bpf/libbpf.c | 8 + tools/lib/bpf/libbpf_probes.c | 1 + 27 files changed, 804 insertions(+), 25 deletions(-) create mode 100644 include/net/net_rship.h -- 2.34.1

2 6

[PATCH openEuler-22.03-LTS-SP1] media: vidtv: psi: Add check for kstrdup
by Cai Xinchen 24 May '24

24 May '24

From: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> stable inclusion from stable-v5.10.201 commit 3387490c89b10aeb4e71d78b65dbc9ba4b2385b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFIR CVE: CVE-2023-52844 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 76a2c5df6ca8bd8ada45e953b8c72b746f42918d ] Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Fixes: 7a7899f6f58e ("media: vidtv: psi: Implement an Event Information Table (EIT)") Fixes: c2f78f0cb294 ("media: vidtv: psi: add a Network Information Table (NIT)") Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/media/test-drivers/vidtv/vidtv_psi.c | 45 +++++++++++++++++--- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/drivers/media/test-drivers/vidtv/vidtv_psi.c b/drivers/media/test-drivers/vidtv/vidtv_psi.c index 1724bb485e67..1726e76f0106 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_psi.c +++ b/drivers/media/test-drivers/vidtv/vidtv_psi.c @@ -308,16 +308,29 @@ struct vidtv_psi_desc_service *vidtv_psi_service_desc_init(struct vidtv_psi_desc desc->service_name_len = service_name_len; - if (service_name && service_name_len) + if (service_name && service_name_len) { desc->service_name = kstrdup(service_name, GFP_KERNEL); + if (!desc->service_name) + goto free_desc; + } desc->provider_name_len = provider_name_len; - if (provider_name && provider_name_len) + if (provider_name && provider_name_len) { desc->provider_name = kstrdup(provider_name, GFP_KERNEL); + if (!desc->provider_name) + goto free_desc_service_name; + } vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc); return desc; + +free_desc_service_name: + if (service_name && service_name_len) + kfree(desc->service_name); +free_desc: + kfree(desc); + return NULL; } struct vidtv_psi_desc_registration @@ -362,8 +375,13 @@ struct vidtv_psi_desc_network_name desc->length = network_name_len; - if (network_name && network_name_len) + if (network_name && network_name_len) { desc->network_name = kstrdup(network_name, GFP_KERNEL); + if (!desc->network_name) { + kfree(desc); + return NULL; + } + } vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc); return desc; @@ -449,15 +467,32 @@ struct vidtv_psi_desc_short_event iso_language_code = "eng"; desc->iso_language_code = kstrdup(iso_language_code, GFP_KERNEL); + if (!desc->iso_language_code) + goto free_desc; - if (event_name && event_name_len) + if (event_name && event_name_len) { desc->event_name = kstrdup(event_name, GFP_KERNEL); + if (!desc->event_name) + goto free_desc_language_code; + } - if (text && text_len) + if (text && text_len) { desc->text = kstrdup(text, GFP_KERNEL); + if (!desc->text) + goto free_desc_event_name; + } vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc); return desc; + +free_desc_event_name: + if (event_name && event_name_len) + kfree(desc->event_name); +free_desc_language_code: + kfree(desc->iso_language_code); +free_desc: + kfree(desc); + return NULL; } struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc) -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP2] media: vidtv: psi: Add check for kstrdup
by Cai Xinchen 24 May '24

24 May '24

From: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> stable inclusion from stable-v5.10.201 commit 3387490c89b10aeb4e71d78b65dbc9ba4b2385b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFIR CVE: CVE-2023-52844 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 76a2c5df6ca8bd8ada45e953b8c72b746f42918d ] Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Fixes: 7a7899f6f58e ("media: vidtv: psi: Implement an Event Information Table (EIT)") Fixes: c2f78f0cb294 ("media: vidtv: psi: add a Network Information Table (NIT)") Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver") Signed-off-by: Jiasheng Jiang <jiasheng(a)iscas.ac.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/media/test-drivers/vidtv/vidtv_psi.c | 45 +++++++++++++++++--- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/drivers/media/test-drivers/vidtv/vidtv_psi.c b/drivers/media/test-drivers/vidtv/vidtv_psi.c index 1724bb485e67..1726e76f0106 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_psi.c +++ b/drivers/media/test-drivers/vidtv/vidtv_psi.c @@ -308,16 +308,29 @@ struct vidtv_psi_desc_service *vidtv_psi_service_desc_init(struct vidtv_psi_desc desc->service_name_len = service_name_len; - if (service_name && service_name_len) + if (service_name && service_name_len) { desc->service_name = kstrdup(service_name, GFP_KERNEL); + if (!desc->service_name) + goto free_desc; + } desc->provider_name_len = provider_name_len; - if (provider_name && provider_name_len) + if (provider_name && provider_name_len) { desc->provider_name = kstrdup(provider_name, GFP_KERNEL); + if (!desc->provider_name) + goto free_desc_service_name; + } vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc); return desc; + +free_desc_service_name: + if (service_name && service_name_len) + kfree(desc->service_name); +free_desc: + kfree(desc); + return NULL; } struct vidtv_psi_desc_registration @@ -362,8 +375,13 @@ struct vidtv_psi_desc_network_name desc->length = network_name_len; - if (network_name && network_name_len) + if (network_name && network_name_len) { desc->network_name = kstrdup(network_name, GFP_KERNEL); + if (!desc->network_name) { + kfree(desc); + return NULL; + } + } vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc); return desc; @@ -449,15 +467,32 @@ struct vidtv_psi_desc_short_event iso_language_code = "eng"; desc->iso_language_code = kstrdup(iso_language_code, GFP_KERNEL); + if (!desc->iso_language_code) + goto free_desc; - if (event_name && event_name_len) + if (event_name && event_name_len) { desc->event_name = kstrdup(event_name, GFP_KERNEL); + if (!desc->event_name) + goto free_desc_language_code; + } - if (text && text_len) + if (text && text_len) { desc->text = kstrdup(text, GFP_KERNEL); + if (!desc->text) + goto free_desc_event_name; + } vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc); return desc; + +free_desc_event_name: + if (event_name && event_name_len) + kfree(desc->event_name); +free_desc_language_code: + kfree(desc->iso_language_code); +free_desc: + kfree(desc); + return NULL; } struct vidtv_psi_desc *vidtv_psi_desc_clone(struct vidtv_psi_desc *desc) -- 2.34.1

2 1