kernel@openeuler.org

  • 43 participants
  • 18654 discussions
[PATCH OLK-5.10] usb-storage: alauda: Check whether the media is initialized
by Jinjiang Tu 23 Jul '24

From: Shichao Lai <shichaorai(a)gmail.com> mainline inclusion from mainline-v6.10-rc4 commit 16637fea001ab3c8df528a8995b3211906165a30 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6YQV CVE: CVE-2024-38619 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). - Add a member "media_initialized" to struct alauda_info. - Change a condition in alauda_check_media() to ensure the first initialization. - Add an error check for the return value of alauda_init_media(). Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reviewed-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Shichao Lai <shichaorai(a)gmail.com> Link: https://lore.kernel.org/r/20240526012745.2852061-1-shichaorai@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/usb/storage/alauda.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index dcc4778d1ae9..17fe35083f04 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c @@ -105,6 +105,8 @@ struct alauda_info { unsigned char sense_key; unsigned long sense_asc; /* additional sense code */ unsigned long sense_ascq; /* additional sense code qualifier */ + + bool media_initialized; }; #define short_pack(lsb,msb) ( ((u16)(lsb)) | ( ((u16)(msb))<<8 ) ) 
@@ -476,11 +478,12 @@ static int alauda_check_media(struct us_data *us) } /* Check for media change */ - if (status[0] & 0x08) { + if (status[0] & 0x08 || !info->media_initialized) { usb_stor_dbg(us, "Media change detected\n"); alauda_free_maps(&MEDIA_INFO(us)); - alauda_init_media(us); - + rc = alauda_init_media(us); + if (rc == USB_STOR_TRANSPORT_GOOD) + info->media_initialized = true; info->sense_key = UNIT_ATTENTION; info->sense_asc = 0x28; info->sense_ascq = 0x00; -- 2.25.1
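Review bot: in the alauda_check_media() hunk, media_initialized is only ever set to true, so when a later media change (status[0] & 0x08) is followed by a failing alauda_init_media() the flag keeps its earlier value even though alauda_free_maps() has just run. Assigning the result unconditionally, for example info->media_initialized = (rc == USB_STOR_TRANSPORT_GOOD);, keeps the flag in step with the media state so the next call retries initialization. The new condition also mixes & and || without parentheses; (status[0] & 0x08) || !info->media_initialized is easier to read, and the new struct member deserves a short comment saying what it guards.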
[PATCH OLK-6.6] net: bridge: mst: fix vlan use-after-free
by Yuan Can 23 Jul '24

From: Nikolay Aleksandrov <razor(a)blackwall.org> mainline inclusion from mainline-v6.10-rc1 commit 3a7c1661ae1383364cd6092d851f5e5da64d476b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S78 CVE: CVE-2024-36979 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 3a7c1661ae1383364cd6092d851f5e5da64d476b ] syzbot reported a suspicious rcu usage[1] in bridge's mst code. While fixing it I noticed that nothing prevents a vlan to be freed while walking the list from the same path (br forward delay timer). Fix the rcu usage and also make sure we are not accessing freed memory by making br_mst_vlan_set_state use rcu read lock. [1] WARNING: suspicious RCU usage 6.9.0-rc6-syzkaller #0 Not tainted ----------------------------- net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage! ... stack backtrace: CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nbp_vlan_group net/bridge/br_private.h:1599 [inline] br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105 br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47 br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429 run_timer_base kernel/time/timer.c:2438 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448 __do_softirq+0x2c6/0x980 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758 Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25 RSP: 0018:ffffc90013657100 EFLAGS: 00000206 RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001 RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60 RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0 R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28 R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246 Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode") Reported-by: syzbot+fa04eb8a56fd923fc5d8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=fa04eb8a56fd923fc5d8 Signed-off-by: Nikolay Aleksandrov <razor(a)blackwall.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yuan Can <yuancan(a)huawei.com> --- net/bridge/br_mst.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/net/bridge/br_mst.c b/net/bridge/br_mst.c index ee680adcee17..3c66141d34d6 100644 --- a/net/bridge/br_mst.c +++ b/net/bridge/br_mst.c @@ -78,7 +78,7 @@ static void br_mst_vlan_set_state(struct net_bridge_port *p, struct net_bridge_v { struct net_bridge_vlan_group *vg = nbp_vlan_group(p); - if (v->state == state) + if (br_vlan_get_state(v) == state) return; br_vlan_set_state(v, state); 
@@ -100,11 +100,12 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, }; struct net_bridge_vlan_group *vg; struct net_bridge_vlan *v; - int err; + int err = 0; + rcu_read_lock(); vg = nbp_vlan_group(p); if (!vg) - return 0; + goto out; /* MSTI 0 (CST) state changes are notified via the regular * SWITCHDEV_ATTR_ID_PORT_STP_STATE. @@ -112,17 +113,20 @@ int br_mst_set_state(struct net_bridge_port *p, u16 msti, u8 state, if (msti) { err = switchdev_port_attr_set(p->dev, &attr, extack); if (err && err != -EOPNOTSUPP) - return err; + goto out; } - list_for_each_entry(v, &vg->vlan_list, vlist) { + err = 0; + list_for_each_entry_rcu(v, &vg->vlan_list, vlist) { if (v->brvlan->msti != msti) continue; br_mst_vlan_set_state(p, v, state); } - return 0; +out: + rcu_read_unlock(); + return err; } static void br_mst_vlan_sync_state(struct net_bridge_vlan *pv, u16 msti) -- 2.17.1
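Review bot: in br_mst_set_state() the lookup vg = nbp_vlan_group(p); is kept unchanged after the new rcu_read_lock(), and that is the helper the quoted splat flags for its rcu_dereference_protected() use at net/bridge/br_private.h:1599 on the forward delay timer path. Holding the RCU read lock does not satisfy a dereference that is checked against the update-side lock, so the warning can still fire from the timer; use the RCU flavour of the lookup, nbp_vlan_group_rcu(p), here. The same applies to the unchanged struct net_bridge_vlan_group *vg = nbp_vlan_group(p); line in br_mst_vlan_set_state(), which is now reached under rcu_read_lock() from the list_for_each_entry_rcu() walk.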
[PATCH openEuler-1.0-LTS] net: ieee802154: at86rf230: Stop leaking skb's
by Zhengchao Shao 23 Jul '24

From: Miquel Raynal <miquel.raynal(a)bootlin.com> stable inclusion from stable-v4.19.231 commit 6312f6a53fd3ea38125dcaca5e3c9aa7d8a60cf7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADG4I CVE: CVE-2022-48794 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit e5ce576d45bf72fd0e3dc37eff897bfcc488f6a9 ] Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introduce an intermediate 'was_tx' boolean just for this purpose. There is no Fixes tag applying here, many changes have been made on this area and the issue kind of always existed. Suggested-by: Alexander Aring <alex.aring(a)gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Acked-by: Alexander Aring <aahringo(a)redhat.com> Link: https://lore.kernel.org/r/20220125121426.848337-4-miquel.raynal@bootlin.com Signed-off-by: Stefan Schmidt <stefan(a)datenfreihafen.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/net/ieee802154/at86rf230.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c index 3d9e91579866..1bc09b6c308f 100644 --- a/drivers/net/ieee802154/at86rf230.c +++ b/drivers/net/ieee802154/at86rf230.c @@ -108,6 +108,7 @@ struct at86rf230_local { unsigned long cal_timeout; bool is_tx; bool is_tx_from_off; + bool was_tx; u8 tx_retry; struct sk_buff *tx_skb; struct at86rf230_state_change tx; 
@@ -351,7 +352,11 @@ at86rf230_async_error_recover_complete(void *context) if (ctx->free) kfree(ctx); - ieee802154_wake_queue(lp->hw); + if (lp->was_tx) { + lp->was_tx = 0; + dev_kfree_skb_any(lp->tx_skb); + ieee802154_wake_queue(lp->hw); + } } static void @@ -360,7 +365,11 @@ at86rf230_async_error_recover(void *context) struct at86rf230_state_change *ctx = context; struct at86rf230_local *lp = ctx->lp; - lp->is_tx = 0; + if (lp->is_tx) { + lp->was_tx = 1; + lp->is_tx = 0; + } + at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, at86rf230_async_error_recover_complete); } -- 2.34.1
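Review bot: in at86rf230_async_error_recover_complete(), lp->tx_skb is freed with dev_kfree_skb_any() but the pointer is left in place, so any later path that still reads lp->tx_skb sees freed memory; clear it with lp->tx_skb = NULL; right after the free. Note also that ieee802154_wake_queue(lp->hw) has moved inside the if (lp->was_tx) block, so it no longer runs for errors outside a transmission; the commit message should state that this is intended.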
[openeuler:OLK-6.6] BUILD SUCCESS 55840856d646155a61b61b78b058eeffbe5c3dca
by kernel test robot 23 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: 55840856d646155a61b61b78b058eeffbe5c3dca  !10160 fix CVE-2024-40915

Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allmodconfig
|   `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag
|-- arm64-defconfig
|   |-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data)
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- arm64-randconfig-001-20240722
|   `-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data)
|-- loongarch-allmodconfig
|   `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|-- loongarch-defconfig
|   |-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-randconfig-001-20240722
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-randconfig-002-20240722
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
`-- x86_64-allyesconfig
    `-- drivers-gpu-drm-amd-amdgpu-..-amdkfd-kfd_topology.c:warning:stack-frame-size-()-exceeds-limit-()-in-kfd_topology_add_device

elapsed time: 728m

configs tested: 34
configs skipped: 134

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
arm64      allmodconfig                       clang-19
arm64      allnoconfig                        gcc-14.1.0
arm64      defconfig                          gcc-14.1.0
arm64      randconfig-001-20240722            clang-19
arm64      randconfig-002-20240722            clang-19
arm64      randconfig-003-20240722            clang-15
arm64      randconfig-004-20240722            gcc-14.1.0
loongarch  allmodconfig                       gcc-14.1.0
loongarch  allnoconfig                        gcc-14.1.0
loongarch  defconfig                          gcc-14.1.0
loongarch  randconfig-001-20240722            gcc-14.1.0
loongarch  randconfig-002-20240722            gcc-14.1.0
x86_64     allnoconfig                        clang-18
x86_64     allyesconfig                       clang-18
x86_64     buildonly-randconfig-001-20240723  gcc-10
x86_64     buildonly-randconfig-002-20240723  gcc-10
x86_64     buildonly-randconfig-003-20240723  gcc-12
x86_64     buildonly-randconfig-004-20240723  gcc-8
x86_64     buildonly-randconfig-005-20240723  gcc-12
x86_64     buildonly-randconfig-006-20240723  gcc-10
x86_64     defconfig                          gcc-13
x86_64     randconfig-001-20240723            clang-18
x86_64     randconfig-002-20240723            clang-18
x86_64     randconfig-003-20240723            clang-18
x86_64     randconfig-004-20240723            clang-18
x86_64     randconfig-005-20240723            clang-18
x86_64     randconfig-006-20240723            clang-18
x86_64     randconfig-011-20240723            gcc-12
x86_64     randconfig-012-20240723            clang-18
x86_64     randconfig-013-20240723            gcc-13
x86_64     randconfig-014-20240723            gcc-13
x86_64     randconfig-015-20240723            gcc-10
x86_64     randconfig-071-20240723            gcc-13
x86_64     rhel-8.3-rust                      clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 8557/23347] drivers/thermal/intel_powerclamp.o: warning: objtool: missing symbol for section .text.unlikely
by kernel test robot 23 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 8d2f09e210f079f53eb6c1ba1ef639d73a17d61b
commit: 775947c125d5bd6e00e0dcf9d12c57fd5d44d07f [8557/23347] asm-generic: fix -Wtype-limits compiler warnings
config: x86_64-buildonly-randconfig-002-20240723 (https://download.01.org/0day-ci/archive/20240723/202407230549.TmLejsNZ-lkp@…)
compiler: gcc-10 (Ubuntu 10.5.0-1ubuntu1) 10.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240723/202407230549.TmLejsNZ-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407230549.TmLejsNZ-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/thermal/intel_powerclamp.o: warning: objtool: missing symbol for section .text.unlikely
--
>> net/ipv6/icmp.o: warning: objtool: missing symbol for section .text.unlikely

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1505/23347] drivers/spi/spi.c:2040:7: error: implicit declaration of function 'gpiod_count'; did you mean 'cpuid_count'?
by kernel test robot 23 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 8d2f09e210f079f53eb6c1ba1ef639d73a17d61b
commit: 708663738592c63da3c851ed86ce6c084409f6c8 [1505/23347] spi: add ACPI support for SPI controller chip select lines(cs-gpios)
config: x86_64-randconfig-001-20240722 (https://download.01.org/0day-ci/archive/20240723/202407230136.x5FmFlxg-lkp@…)
compiler: gcc-8 (Ubuntu 8.4.0-3ubuntu2) 8.4.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240723/202407230136.x5FmFlxg-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407230136.x5FmFlxg-lkp@intel.com/

All errors (new ones prefixed by >>):

   drivers/spi/spi.c: In function '__spi_register_controller':
>> drivers/spi/spi.c:2040:7: error: implicit declaration of function 'gpiod_count'; did you mean 'cpuid_count'? [-Werror=implicit-function-declaration]
     nb = gpiod_count(&ctlr->dev, "cs");
          ^~~~~~~~~~~
          cpuid_count
>> drivers/spi/spi.c:2064:11: error: implicit declaration of function 'devm_gpiod_get_index'; did you mean 'devm_gpio_free'? [-Werror=implicit-function-declaration]
       desc = devm_gpiod_get_index(&ctlr->dev, "cs",
              ^~~~~~~~~~~~~~~~~~~~
              devm_gpio_free
>> drivers/spi/spi.c:2065:14: error: 'GPIOD_ASIS' undeclared (first use in this function); did you mean 'GPIOF_IN'?
                 i, GPIOD_ASIS);
                    ^~~~~~~~~~
                    GPIOF_IN
   drivers/spi/spi.c:2065:14: note: each undeclared identifier is reported only once for each function it appears in
>> drivers/spi/spi.c:2068:12: error: implicit declaration of function 'desc_to_gpio'; did you mean 'irq_to_gpio'? [-Werror=implicit-function-declaration]
       cs[i] = desc_to_gpio(desc);
               ^~~~~~~~~~~~
               irq_to_gpio
   drivers/spi/spi.c: In function 'spi_unregister_controller':
   drivers/spi/spi.c:2306:6: warning: variable 'dummy' set but not used [-Wunused-but-set-variable]
     int dummy;
         ^~~~~
   cc1: some warnings being treated as errors

vim +2040 drivers/spi/spi.c

  2033
  2034	static int __spi_register_controller(struct spi_controller *ctlr)
  2035	{
  2036		int nb, i, *cs;
  2037		struct device_node *np = ctlr->dev.of_node;
  2038		struct gpio_desc *desc;
  2039
> 2040		nb = gpiod_count(&ctlr->dev, "cs");
  2041		ctlr->num_chipselect = max_t(int, nb, ctlr->num_chipselect);
  2042
  2043		/* Return error only for an incorrectly formed cs-gpios property */
  2044		if (nb == 0 || nb == -ENOENT)
  2045			return 0;
  2046		else if (nb < 0)
  2047			return nb;
  2048
  2049		cs = devm_kcalloc(&ctlr->dev, ctlr->num_chipselect, sizeof(int),
  2050				  GFP_KERNEL);
  2051		ctlr->cs_gpios = cs;
  2052
  2053		if (!ctlr->cs_gpios)
  2054			return -ENOMEM;
  2055
  2056		for (i = 0; i < ctlr->num_chipselect; i++)
  2057			cs[i] = -ENOENT;
  2058
  2059		if (IS_ENABLED(CONFIG_OF) && np) {
  2060			for (i = 0; i < nb; i++)
  2061				cs[i] = of_get_named_gpio(np, "cs-gpios", i);
  2062		} else if (IS_ENABLED(CONFIG_ACPI) && ACPI_HANDLE(&ctlr->dev)) {
  2063			for (i = 0; i < nb; i++) {
> 2064				desc = devm_gpiod_get_index(&ctlr->dev, "cs",
> 2065							    i, GPIOD_ASIS);
  2066				if (IS_ERR(desc))
  2067					continue;
> 2068				cs[i] = desc_to_gpio(desc);
  2069			}
  2070		}
  2071		return 0;
  2072	}
  2073

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1 0/3] *** SUBJECT HERE ***
by dinglongwei 23 Jul '24

*** BLURB HERE ***

Christian A. Ehrhardt (2):
  of: Fix double free in of_parse_phandle_with_args_map
  of: unittest: Fix compile in the non-dynamic case

Geert Uytterhoeven (1):
  of: unittest: Fix of_count_phandle_with_args() expected value message

 drivers/of/base.c                           |  1 +
 drivers/of/unittest-data/tests-phandle.dtsi | 10 ++-
 drivers/of/unittest.c                       | 80 +++++++++++++--------
 3 files changed, 59 insertions(+), 32 deletions(-)

--
2.17.1
[PATCH OLK-6.6] HID: core: remove unnecessary WARN_ON() in implement()
by Wang Hai 22 Jul '24

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> stable inclusion from stable-v6.6.35 commit 30f76bc468b9b2cbbd5d3eb482661e3e4798893f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD00R CVE: CVE-2024-39509 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ] Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Fixes: 95d1c8951e5b ("HID: simplify implement() a bit") Reported-by: <syzbot+5186630949e3c55f0799(a)syzkaller.appspotmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> 
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/hid/hid-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index e0181218ad85..85ddeb13a3fa 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1448,7 +1448,6 @@ static void implement(const struct hid_device *hid, u8 *report, hid_warn(hid, "%s() called with too large value %d (n: %d)! (%s)\n", __func__, value, n, current->comm); - WARN_ON(1); value &= m; } } -- 2.17.1
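Review bot: with WARN_ON(1) gone from implement(), the hid_warn() that remains still prints on every oversized value and, per the quoted trace, is reached from hiddev_ioctl(), so repeated calls can fill the kernel log. Consider rate-limiting that message or printing it once, since the value is trimmed by value &= m; regardless of what is logged.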
[PATCH OLK-6.6] ptp: fix integer overflow in max_vclocks_store
by Wang Hai 22 Jul '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v6.6.36 commit 666e934d749e50a37f3796caaf843a605f115b6f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD0AS CVE: CVE-2024-40994 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 81d23d2a24012e448f651e007fac2cfd20a45ce0 ] On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Wojciech Drewek <wojciech.drewek(a)intel.com> Reviewed-by: Jiri Pirko <jiri(a)nvidia.com> Reviewed-by: Heng Qi <hengqi(a)linux.alibaba.com> Link: https://lore.kernel.org/r/ee8110ed-6619-4bd7-9024-28c1f2ac24f4@moroto.mount… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/ptp/ptp_sysfs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c index 34ea5c16123a..aefc06ae5d09 100644 --- a/drivers/ptp/ptp_sysfs.c +++ b/drivers/ptp/ptp_sysfs.c @@ -294,8 +294,7 @@ static ssize_t max_vclocks_store(struct device *dev, if (max < ptp->n_vclocks) goto out; - size = sizeof(int) * max; - vclock_index = kzalloc(size, GFP_KERNEL); + vclock_index = kcalloc(max, sizeof(int), GFP_KERNEL); if (!vclock_index) { err = -ENOMEM; goto out; -- 2.17.1
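Review bot: the max_vclocks_store() hunk drops the only visible assignment to size (size = sizeof(int) * max;) while the variable is declared outside the hunk; check that every later use of size in this function assigns it first, or remove the declaration if nothing else reads it. The visible context enforces only a lower bound (max < ptp->n_vclocks), so although kcalloc() now rejects an overflowing count cleanly, a very large max written through sysfs still reaches the allocator; an explicit upper bound would make the -ENOMEM path less of a catch-all.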
[PATCH openEuler-22.03-LTS-SP1] HID: core: remove unnecessary WARN_ON() in implement()
by Wang Hai 22 Jul '24

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> stable inclusion from stable-v5.10.221 commit 33f6832798dd3297317901cc1db556ac3ae80c24 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD00R CVE: CVE-2024-39509 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ] Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Fixes: 95d1c8951e5b ("HID: simplify implement() a bit") Reported-by: <syzbot+5186630949e3c55f0799(a)syzkaller.appspotmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> 
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/hid/hid-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 2f512814a111..6474aa50931c 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1429,7 +1429,6 @@ static void implement(const struct hid_device *hid, u8 *report, hid_warn(hid, "%s() called with too large value %d (n: %d)! (%s)\n", __func__, value, n, current->comm); - WARN_ON(1); value &= m; } } -- 2.17.1