From: Armin Wolf <W_Armin(a)gmx.de>
stable inclusion
from stable-v5.10.201
commit d426a2955e45a95b2282764105fcfb110a540453
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFHT
CVE: CVE-2023-52864
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit eba9ac7abab91c8f6d351460239108bef5e7a0b6 ]
Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via
file private data"), the miscdevice stores a pointer to itself inside
filp->private_data, which means that private_data will not be NULL when
wmi_char_open() is called. This might cause memory corruption should
wmi_char_open() be unable to find its driver, something which can
happen when the associated WMI device is deleted in wmi_free_devices().
Fix the problem by using the miscdevice pointer to retrieve the WMI
device data associated with a char device using container_of(). This
also avoids wmi_char_open() picking a wrong WMI device bound to a
driver with the same name as the original driver.
Fixes: 44b6b7661132 ("platform/x86: wmi: create userspace interface for drivers")
Signed-off-by: Armin Wolf <W_Armin(a)gmx.de>
Link: https://lore.kernel.org/r/20231020211005.38216-5-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Conflicts:
drivers/platform/x86/wmi.c
[Conflicts due to prior cleanup commit 43aacf838ef7 is not merged.]
Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com>
---
drivers/platform/x86/wmi.c | 20 ++++++--------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
index 1f80b2628162..f3f8cc827573 100644
--- a/drivers/platform/x86/wmi.c
+++ b/drivers/platform/x86/wmi.c
@@ -818,21 +818,13 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver)
}
static int wmi_char_open(struct inode *inode, struct file *filp)
{
- const char *driver_name = filp->f_path.dentry->d_iname;
- struct wmi_block *wblock = NULL;
- struct wmi_block *next = NULL;
-
- list_for_each_entry_safe(wblock, next, &wmi_block_list, list) {
- if (!wblock->dev.dev.driver)
- continue;
- if (strcmp(driver_name, wblock->dev.dev.driver->name) == 0) {
- filp->private_data = wblock;
- break;
- }
- }
+ /*
+ * The miscdevice already stores a pointer to itself
+ * inside filp->private_data
+ */
+ struct wmi_block *wblock = container_of(filp->private_data, struct wmi_block, char_dev);
- if (!filp->private_data)
- return -ENODEV;
+ filp->private_data = wblock;
return nonseekable_open(inode, filp);
}
--
2.25.1
From: Andrey Grodzovsky <andrey.grodzovsky(a)amd.com>
stable inclusion
from stable-v5.10.51
commit 0687411e2a8858262de2fc4a1d576016fd77292e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4AY
CVE: CVE-2021-47354
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 0b10ab80695d61422337ede6ff496552d8ace99d ]
Wait for all dependencies of a job to complete before
killing it to avoid data corruptions.
Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky(a)amd.com>
Reviewed-by: Christian König <christian.koenig(a)amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210519141407.88444-1-andrey…
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Conflicts:
drivers/gpu/drm/scheduler/sched_entity.c
[Because 620e762f9a98 not merged, So fix the context]
Signed-off-by: Felix Fu <fuzhen5(a)huawei.com>
---
drivers/gpu/drm/scheduler/gpu_scheduler.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/scheduler/gpu_scheduler.c b/drivers/gpu/drm/scheduler/gpu_scheduler.c
index 4fc211e19d6e..e7485cb688df 100644
--- a/drivers/gpu/drm/scheduler/gpu_scheduler.c
+++ b/drivers/gpu/drm/scheduler/gpu_scheduler.c
@@ -309,6 +309,7 @@ void drm_sched_entity_fini(struct drm_sched_entity *entity)
*/
if (spsc_queue_peek(&entity->job_queue)) {
struct drm_sched_job *job;
+ struct dma_fence *f;
int r;
/* Park the kernel for a moment to make sure it isn't processing
@@ -325,6 +326,10 @@ void drm_sched_entity_fini(struct drm_sched_entity *entity)
while ((job = to_drm_sched_job(spsc_queue_pop(&entity->job_queue)))) {
struct drm_sched_fence *s_fence = job->s_fence;
+ /* Wait for all dependencies to avoid data corruptions */
+ while ((f = job->sched->ops->dependency(job, entity)))
+ dma_fence_wait(f, false);
+
drm_sched_fence_scheduled(s_fence);
dma_fence_set_error(&s_fence->finished, -ESRCH);
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: d2901c3f0ff7d121adf97d64bd2cc3789821600d
commit: bba3f529a3ac03f6c6b8cea750cd48b355548d27 [18743/22626] xen/netback: don't queue unlimited number of packages
config: arm64-randconfig-002-20240531 (https://download.01.org/0day-ci/archive/20240601/202406010715.TcWqtXea-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240601/202406010715.TcWqtXea-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406010715.TcWqtXea-lkp@intel.com/
All errors (new ones prefixed by >>):
/tmp/ccJZCoWT.s: Assembler messages:
>> /tmp/ccJZCoWT.s:2346: Error: immediate out of range at operand 3 -- `bic w0,w20,5'
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for HARDLOCKUP_DETECTOR
Depends on [n]: DEBUG_KERNEL [=n] && !S390 && (HAVE_HARDLOCKUP_DETECTOR_PERF [=n] || HAVE_HARDLOCKUP_DETECTOR_ARCH [=y])
Selected by [y]:
- SDEI_WATCHDOG [=y] && <choice> && ARM_SDE_INTERFACE [=y] && !HARDLOCKUP_CHECK_TIMESTAMP [=n]
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: 735f0ab7121a98dd501241bd147c5c95e6e0b38c !7482 v2 perf parse-events: Make legacy events lower priority than sysfs/JSON
Error/Warning reports:
https://lore.kernel.org/oe-kbuild-all/202406010127.vZOEmkxm-lkp@intel.comhttps://lore.kernel.org/oe-kbuild-all/202406010224.zmFA3hCw-lkp@intel.comhttps://lore.kernel.org/oe-kbuild-all/202406010233.N3paZ0zK-lkp@intel.comhttps://lore.kernel.org/oe-kbuild-all/202406010419.AVhJIZza-lkp@intel.com
Error/Warning: (recently discovered and may have been fixed)
arch/arm64/kernel/ipi_nmi.c:39:2: error: call to undeclared function '__printk_safe_enter'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
arch/arm64/kernel/ipi_nmi.c:41:2: error: call to undeclared function '__printk_safe_exit'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
drivers/platform/mpam/mpam_devices.c:247:11: error: call to undeclared function '__acpi_get_mem_attribute'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
mm/mem_reliable.c:345:2: error: call to undeclared function 'mem_reliable_ctrl_bit_disable'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
mm/page_alloc.c:4110:16: error: implicit declaration of function 'dynamic_pool_should_alloc' [-Werror=implicit-function-declaration]
Error/Warning ids grouped by kconfigs:
gcc_recent_errors
|-- arm64-defconfig
| |-- arch-arm64-kernel-cpufeature.c:warning:enable_pseudo_nmi-defined-but-not-used
| `-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used
|-- arm64-randconfig-001-20240601
| `-- arch-arm64-kernel-cpufeature.c:warning:enable_pseudo_nmi-defined-but-not-used
|-- arm64-randconfig-004-20240601
| `-- mm-page_alloc.c:error:implicit-declaration-of-function-dynamic_pool_should_alloc
|-- loongarch-allnoconfig
| `-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function)
`-- loongarch-randconfig-002-20240601
`-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function)
clang_recent_errors
|-- arm64-allmodconfig
| `-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used
|-- arm64-randconfig-002-20240601
| |-- arch-arm64-kernel-ipi_nmi.c:error:call-to-undeclared-function-__printk_safe_enter-ISO-C99-and-later-do-not-support-implicit-function-declarations
| |-- arch-arm64-kernel-ipi_nmi.c:error:call-to-undeclared-function-__printk_safe_exit-ISO-C99-and-later-do-not-support-implicit-function-declarations
| `-- drivers-platform-mpam-mpam_devices.c:error:call-to-undeclared-function-__acpi_get_mem_attribute-ISO-C99-and-later-do-not-support-implicit-function-declarations
`-- arm64-randconfig-003-20240601
|-- arch-arm64-kernel-cpufeature.c:warning:unused-variable-enable_pseudo_nmi
|-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used
`-- mm-mem_reliable.c:error:call-to-undeclared-function-mem_reliable_ctrl_bit_disable-ISO-C99-and-later-do-not-support-implicit-function-declarations
elapsed time: 772m
configs tested: 16
configs skipped: 143
tested configs:
arm64 allmodconfig clang
arm64 allnoconfig gcc
arm64 defconfig gcc
arm64 randconfig-001-20240601 gcc
arm64 randconfig-002-20240601 clang
arm64 randconfig-003-20240601 clang
arm64 randconfig-004-20240601 gcc
loongarch allmodconfig gcc
loongarch allnoconfig gcc
loongarch defconfig gcc
loongarch randconfig-001-20240601 gcc
loongarch randconfig-002-20240601 gcc
x86_64 allnoconfig clang
x86_64 allyesconfig clang
x86_64 defconfig gcc
x86_64 rhel-8.3-rust clang
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki