- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1] null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'
by Li Nan 06 Jul '24

06 Jul '24

From: Yu Kuai <yukuai3(a)huawei.com> mainline inclusion from mainline-v6.10-rc1 commit a2db328b0839312c169eb42746ec46fc1ab53ed2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D6H CVE: CVE-2024-36478 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs. Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured") Reported-and-tested-by: Yi Zhang <yi.zhang(a)redhat.com> Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjSt… Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Zhu Yanjun <yanjun.zhu(a)linux.dev> Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: drivers/block/null_blk/main.c [ A lot of conflict, this patch just expand the protection range of mutex, ignore conflict. ] Signed-off-by: Li Nan <linan122(a)huawei.com> --- drivers/block/null_blk/main.c | 43 +++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c index 35b390a785dd..91c8412442d0 100644 --- a/drivers/block/null_blk/main.c +++ b/drivers/block/null_blk/main.c @@ -323,11 +323,9 @@ CONFIGFS_ATTR(nullb_device_, NAME); static int nullb_apply_submit_queues(struct nullb_device *dev, unsigned int submit_queues) { - struct nullb *nullb = dev->nullb; + struct nullb *nullb; struct blk_mq_tag_set *set; - - if (!nullb) - return 0; + int ret = 0; /* * Make sure that null_init_hctx() does not access nullb->queues[] past @@ -335,9 +333,20 @@ static int nullb_apply_submit_queues(struct nullb_device *dev, */ if (submit_queues > nr_cpu_ids) return -EINVAL; + + mutex_lock(&lock); + + nullb = dev->nullb; + if (!nullb) + goto out; + set = nullb->tag_set; blk_mq_update_nr_hw_queues(set, submit_queues); - return set->nr_hw_queues == submit_queues ? 0 : -ENOMEM; + ret = set->nr_hw_queues == submit_queues ? 0 : -ENOMEM; + +out: + mutex_unlock(&lock); + return ret; } NULLB_DEVICE_ATTR(size, ulong, NULL); @@ -378,27 +387,31 @@ static ssize_t nullb_device_power_store(struct config_item *item, if (ret < 0) return ret; + ret = count; + mutex_lock(&lock); if (!dev->power && newp) { if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags)) - return count; + goto out; + if (null_add_dev(dev)) { clear_bit(NULLB_DEV_FL_UP, &dev->flags); - return -ENOMEM; + ret = -ENOMEM; + goto out; } set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); dev->power = newp; } else if (dev->power && !newp) { if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) { - mutex_lock(&lock); dev->power = newp; null_del_dev(dev->nullb); - mutex_unlock(&lock); } clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); } - return count; +out: + mutex_unlock(&lock); + return ret; } CONFIGFS_ATTR(nullb_device_, power); @@ -1880,15 +1893,11 @@ static int null_add_dev(struct nullb_device *dev) blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q); blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q); - mutex_lock(&lock); rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); - if (rv < 0) { - mutex_unlock(&lock); + if (rv < 0) goto out_cleanup_zone; - } nullb->index = rv; dev->index = rv; - mutex_unlock(&lock); blk_queue_logical_block_size(nullb->q, dev->blocksize); blk_queue_physical_block_size(nullb->q, dev->blocksize); @@ -1901,9 +1910,7 @@ static int null_add_dev(struct nullb_device *dev) if (rv) goto out_ida_free; - mutex_lock(&lock); list_add_tail(&nullb->list, &nullb_list); - mutex_unlock(&lock); return 0; @@ -1985,7 +1992,9 @@ static int __init null_init(void) ret = -ENOMEM; goto err_dev; } + mutex_lock(&lock); ret = null_add_dev(dev); + mutex_unlock(&lock); if (ret) { null_free_dev(dev); goto err_dev; -- 2.39.2

2 1

[PATCH OLK-5.10] null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'
by Li Nan 06 Jul '24

06 Jul '24

From: Yu Kuai <yukuai3(a)huawei.com> mainline inclusion from mainline-v6.10-rc1 commit a2db328b0839312c169eb42746ec46fc1ab53ed2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D6H CVE: CVE-2024-36478 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Writing 'power' and 'submit_queues' concurrently will trigger kernel panic: Test script: modprobe null_blk nr_devices=0 mkdir -p /sys/kernel/config/nullb/nullb0 while true; do echo 1 > submit_queues; echo 4 > submit_queues; done & while true; do echo 1 > power; echo 0 > power; done Test result: BUG: kernel NULL pointer dereference, address: 0000000000000148 Oops: 0000 [#1] PREEMPT SMP RIP: 0010:__lock_acquire+0x41d/0x28f0 Call Trace: <TASK> lock_acquire+0x121/0x450 down_write+0x5f/0x1d0 simple_recursive_removal+0x12f/0x5c0 blk_mq_debugfs_unregister_hctxs+0x7c/0x100 blk_mq_update_nr_hw_queues+0x4a3/0x720 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x79/0xf0 [null_blk] configfs_write_iter+0x119/0x1e0 vfs_write+0x326/0x730 ksys_write+0x74/0x150 This is because del_gendisk() can concurrent with blk_mq_update_nr_hw_queues(): nullb_device_power_store nullb_apply_submit_queues null_del_dev del_gendisk nullb_update_nr_hw_queues if (!dev->nullb) // still set while gendisk is deleted return 0 blk_mq_update_nr_hw_queues dev->nullb = NULL Fix this problem by resuing the global mutex to protect nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs. Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured") Reported-and-tested-by: Yi Zhang <yi.zhang(a)redhat.com> Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjSt… Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Zhu Yanjun <yanjun.zhu(a)linux.dev> Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: drivers/block/null_blk/main.c [ A lot of conflict, this patch just expand the protection range of mutex, ignore conflict. ] Signed-off-by: Li Nan <linan122(a)huawei.com> --- drivers/block/null_blk/main.c | 43 +++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c index 35b390a785dd..91c8412442d0 100644 --- a/drivers/block/null_blk/main.c +++ b/drivers/block/null_blk/main.c @@ -323,11 +323,9 @@ CONFIGFS_ATTR(nullb_device_, NAME); static int nullb_apply_submit_queues(struct nullb_device *dev, unsigned int submit_queues) { - struct nullb *nullb = dev->nullb; + struct nullb *nullb; struct blk_mq_tag_set *set; - - if (!nullb) - return 0; + int ret = 0; /* * Make sure that null_init_hctx() does not access nullb->queues[] past @@ -335,9 +333,20 @@ static int nullb_apply_submit_queues(struct nullb_device *dev, */ if (submit_queues > nr_cpu_ids) return -EINVAL; + + mutex_lock(&lock); + + nullb = dev->nullb; + if (!nullb) + goto out; + set = nullb->tag_set; blk_mq_update_nr_hw_queues(set, submit_queues); - return set->nr_hw_queues == submit_queues ? 0 : -ENOMEM; + ret = set->nr_hw_queues == submit_queues ? 0 : -ENOMEM; + +out: + mutex_unlock(&lock); + return ret; } NULLB_DEVICE_ATTR(size, ulong, NULL); @@ -378,27 +387,31 @@ static ssize_t nullb_device_power_store(struct config_item *item, if (ret < 0) return ret; + ret = count; + mutex_lock(&lock); if (!dev->power && newp) { if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags)) - return count; + goto out; + if (null_add_dev(dev)) { clear_bit(NULLB_DEV_FL_UP, &dev->flags); - return -ENOMEM; + ret = -ENOMEM; + goto out; } set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); dev->power = newp; } else if (dev->power && !newp) { if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) { - mutex_lock(&lock); dev->power = newp; null_del_dev(dev->nullb); - mutex_unlock(&lock); } clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags); } - return count; +out: + mutex_unlock(&lock); + return ret; } CONFIGFS_ATTR(nullb_device_, power); @@ -1880,15 +1893,11 @@ static int null_add_dev(struct nullb_device *dev) blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q); blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q); - mutex_lock(&lock); rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); - if (rv < 0) { - mutex_unlock(&lock); + if (rv < 0) goto out_cleanup_zone; - } nullb->index = rv; dev->index = rv; - mutex_unlock(&lock); blk_queue_logical_block_size(nullb->q, dev->blocksize); blk_queue_physical_block_size(nullb->q, dev->blocksize); @@ -1901,9 +1910,7 @@ static int null_add_dev(struct nullb_device *dev) if (rv) goto out_ida_free; - mutex_lock(&lock); list_add_tail(&nullb->list, &nullb_list); - mutex_unlock(&lock); return 0; @@ -1985,7 +1992,9 @@ static int __init null_init(void) ret = -ENOMEM; goto err_dev; } + mutex_lock(&lock); ret = null_add_dev(dev); + mutex_unlock(&lock); if (ret) { null_free_dev(dev); goto err_dev; -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] ftrace: Use preempt disable instead of rcu lock in ftrace_location_range()
by Zheng Yejian 06 Jul '24

06 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAA3U5 CVE: NA -------------------------------- After commit 5e66a5bdad69 ("ftrace: Fix rcu warn in ftrace_location()"), syzkaller reports following warning: WARNING: lock held when returning to user space! 4.18.0+ #16 Tainted: G W ---------r- - ------------------------------------------------ modprobe/4255 is leaving the kernel with locks still held! 1 lock held by modprobe/4255: #0: 0000000012ba3568 (rcu_read_lock){....}, at: ftrace_location_range+0x292/0x440 BUG: scheduling while atomic: modprobe/4255/0x00000002 ============================= BUG: scheduling while atomic: modprobe/4256/0x00000002 INFO: lockdep is turned off. Modules linked in: Kernel panic - not syncing: scheduling while atomic It seems that rcu_read_lock() is held but rcu_read_unlock() is not called, this is most likely due to the inconsistent state when calling in_atomic(). To fix it, use preemt_{disable,enable}_notrace() instead of rcu_read_{,un}lock(). Fixes: 5e66a5bdad69 ("ftrace: Fix rcu warn in ftrace_location()") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/ftrace.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index ad4440da5b78..ceb4bab432f1 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1581,12 +1581,7 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) key.ip = start; key.flags = end; /* overload flags, as it is unsigned long */ - /* - * It is in atomic context when called from ftrace_int3_handler(), - * in this case rcu lock is not needed. - */ - if (!in_atomic()) - rcu_read_lock(); + preempt_disable_notrace(); for (pg = ftrace_pages_start; pg; pg = pg->next) { if (pg->index == 0 || end < pg->records[0].ip || @@ -1600,8 +1595,7 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) break; } } - if (!in_atomic()) - rcu_read_unlock(); + preempt_enable_notrace(); return ip; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] sch_cake: do not call cake_destroy() from cake_init()
by Xiang Yang 06 Jul '24

06 Jul '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v4.19.222 commit 4e388232e630ebe4f94b4a0715ec98c0e2b314a3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SGX CVE: CVE-2021-47598 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- [ Upstream commit ab443c53916730862cec202078d36fd4008bea79 ] qdiscs are not supposed to call their own destroy() method from init(), because core stack already does that. syzbot was able to trigger use after free: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline] WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Modules linked in: CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline] RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740 Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8 RSP: 0018:ffffc9000627f290 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44 RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000 FS: 0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0 Call Trace: <TASK> tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810 tcf_block_put_ext net/sched/cls_api.c:1381 [inline] tcf_block_put_ext net/sched/cls_api.c:1376 [inline] tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1bb06badb9 Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f. RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688 R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2 </TASK> Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Acked-by: Toke Høiland-Jørgensen <toke(a)toke.dk> Link: https://lore.kernel.org/r/20211210142046.698336-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- net/sched/sch_cake.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c index 2025f0f559de..18c207b85d51 100644 --- a/net/sched/sch_cake.c +++ b/net/sched/sch_cake.c @@ -2675,7 +2675,7 @@ static int cake_init(struct Qdisc *sch, struct nlattr *opt, q->tins = kvcalloc(CAKE_MAX_TINS, sizeof(struct cake_tin_data), GFP_KERNEL); if (!q->tins) - goto nomem; + return -ENOMEM; for (i = 0; i < CAKE_MAX_TINS; i++) { struct cake_tin_data *b = q->tins + i; @@ -2705,10 +2705,6 @@ static int cake_init(struct Qdisc *sch, struct nlattr *opt, q->min_netlen = ~0; q->min_adjlen = ~0; return 0; - -nomem: - cake_destroy(sch); - return -ENOMEM; } static int cake_dump(struct Qdisc *sch, struct sk_buff *skb) -- 2.34.1

2 1

[PATCH OLK-5.10] drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
by Zheng Zucheng 06 Jul '24

06 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> stable inclusion from stable-v6.6.33 commit dcf53e6103b26e7458be71491d0641f49fbd5840 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SEW CVE: CVE-2024-38548 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ] In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode. Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Reviewed-by: Robert Foss <rfoss(a)kernel.org> Signed-off-by: Robert Foss <rfoss(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishi… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c index 6af565ac307a..858f5b650849 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c @@ -2057,6 +2057,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge, mhdp_state = to_cdns_mhdp_bridge_state(new_state); mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode); + if (!mhdp_state->current_mode) + return; + drm_mode_set_name(mhdp_state->current_mode); dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name); -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
by Zheng Zucheng 06 Jul '24

06 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> stable inclusion from stable-v6.6.33 commit dcf53e6103b26e7458be71491d0641f49fbd5840 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SEW CVE: CVE-2024-38548 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ] In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode. Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Reviewed-by: Robert Foss <rfoss(a)kernel.org> Signed-off-by: Robert Foss <rfoss(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishi… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c index 6af565ac307a..858f5b650849 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c @@ -2057,6 +2057,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge, mhdp_state = to_cdns_mhdp_bridge_state(new_state); mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode); + if (!mhdp_state->current_mode) + return; + drm_mode_set_name(mhdp_state->current_mode); dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name); -- 2.34.1

2 1

[PATCH OLK-6.6] drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
by Zheng Zucheng 06 Jul '24

06 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> stable inclusion from stable-v6.6.33 commit dcf53e6103b26e7458be71491d0641f49fbd5840 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SEW CVE: CVE-2024-38548 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 935a92a1c400285545198ca2800a4c6c519c650a ] In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() is assigned to mhdp_state->current_mode, and there is a dereference of it in drm_mode_set_name(), which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Fix this bug add a check of mhdp_state->current_mode. Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Reviewed-by: Robert Foss <rfoss(a)kernel.org> Signed-off-by: Robert Foss <rfoss(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240408125810.21899-1-amishi… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c index 6af565ac307a..858f5b650849 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c @@ -2057,6 +2057,9 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge, mhdp_state = to_cdns_mhdp_bridge_state(new_state); mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode); + if (!mhdp_state->current_mode) + return; + drm_mode_set_name(mhdp_state->current_mode); dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name); -- 2.34.1

2 1

[PATCH OLK-5.10 v3] net: fix one NULL pointer dereference bug in net_rship module
by Liu Jian 06 Jul '24

06 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAAZJ8 -------------------------------- The call trace as below: Call trace: __netdev_alloc_skb+0x8c/0x1e0 ad_lacpdu_send+0x34/0x18c [bonding] ad_tx_machine+0xcc/0x174 [bonding] bond_3ad_state_machine_handler+0x120/0x470 [bonding] process_one_work+0x1d8/0x4e0 worker_thread+0x154/0x420 kthread+0x108/0x150 ret_from_fork+0x10/0x18 It is caused by null pointer dereference in net_rship module. The code path is as follows: ad_lacpdu_send dev_alloc_skb netdev_alloc_skb(NULL, length) // dev is NULL __netdev_alloc_skb(dev, length, GFP_ATOMIC) net_rship_skb_record_dev_rxinfo(skb, dev) // here dereference dev, it is NULL pointer, trigger issue. So we should add null pointer check to avoid the issue. Fixes: 64ba5634c4c6 ("net: add some bpf hooks in tcp stack for network numa relationship") Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- include/net/net_rship.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/net/net_rship.h b/include/net/net_rship.h index ad8af5a5cb9b..dda4dd732bd0 100644 --- a/include/net/net_rship.h +++ b/include/net/net_rship.h @@ -222,6 +222,9 @@ static inline void net_rship_skb_record_dev_rxinfo(struct sk_buff *skb, struct n if (gnet_bpf_enabled(GNET_RCV_NIC_NODE)) { struct sched_net_rship_skb *ext = __get_skb_net_rship(skb); + if (!dev) + return; + ext->rx_dev_idx = dev->ifindex; ext->rx_dev_net_cookie = dev_net(dev)->net_cookie; } -- 2.34.1

2 1

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS 4949c9455d5ad3ecd338b3fe8c5aafe54dfeacda
by kernel test robot 06 Jul '24

06 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: 4949c9455d5ad3ecd338b3fe8c5aafe54dfeacda !9786 drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() elapsed time: 733m configs tested: 34 configs skipped: 127 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc-13.2.0 arm64 allnoconfig gcc-13.2.0 arm64 randconfig-001-20240705 gcc-13.2.0 arm64 randconfig-002-20240705 gcc-13.2.0 arm64 randconfig-003-20240705 gcc-13.2.0 arm64 randconfig-004-20240705 gcc-13.2.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240705 gcc-7 x86_64 buildonly-randconfig-002-20240705 gcc-13 x86_64 buildonly-randconfig-003-20240705 clang-18 x86_64 buildonly-randconfig-004-20240705 clang-18 x86_64 buildonly-randconfig-005-20240705 clang-18 x86_64 buildonly-randconfig-006-20240705 clang-18 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240705 clang-18 x86_64 randconfig-002-20240705 gcc-13 x86_64 randconfig-003-20240705 clang-18 x86_64 randconfig-004-20240705 gcc-13 x86_64 randconfig-005-20240705 gcc-13 x86_64 randconfig-006-20240705 gcc-13 x86_64 randconfig-011-20240705 clang-18 x86_64 randconfig-012-20240705 gcc-9 x86_64 randconfig-013-20240705 clang-18 x86_64 randconfig-014-20240705 gcc-13 x86_64 randconfig-015-20240705 clang-18 x86_64 randconfig-016-20240705 gcc-9 x86_64 randconfig-071-20240705 gcc-13 x86_64 randconfig-072-20240705 gcc-13 x86_64 randconfig-073-20240705 clang-18 x86_64 randconfig-074-20240705 gcc-13 x86_64 randconfig-075-20240705 clang-18 x86_64 randconfig-076-20240705 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD REGRESSION ea4dd5f0e87fde262e6fa081be0fb7f9e103057f
by kernel test robot 06 Jul '24

06 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: ea4dd5f0e87fde262e6fa081be0fb7f9e103057f !9649 f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() Error/Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag `-- x86_64-randconfig-014-20240705 |-- crypto-asymmetric_keys-pgp_public_key.c:(.text):undefined-reference-to-public_key_subtype |-- ld:crypto-asymmetric_keys-pgp_public_key.c:(.text):undefined-reference-to-public_key_free `-- ld:crypto-asymmetric_keys-pgp_public_key.c:(.text):undefined-reference-to-public_key_subtype elapsed time: 730m configs tested: 38 configs skipped: 123 tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-13.2.0 arm64 randconfig-001-20240705 clang-19 arm64 randconfig-002-20240705 clang-19 arm64 randconfig-003-20240705 clang-19 arm64 randconfig-004-20240705 clang-19 loongarch allmodconfig gcc-13.2.0 loongarch allnoconfig gcc-13.2.0 loongarch randconfig-001-20240705 gcc-13.2.0 loongarch randconfig-002-20240705 gcc-13.2.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240705 gcc-7 x86_64 buildonly-randconfig-002-20240705 gcc-13 x86_64 buildonly-randconfig-003-20240705 clang-18 x86_64 buildonly-randconfig-004-20240705 clang-18 x86_64 buildonly-randconfig-005-20240705 clang-18 x86_64 buildonly-randconfig-006-20240705 clang-18 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240705 clang-18 x86_64 randconfig-002-20240705 gcc-13 x86_64 randconfig-003-20240705 clang-18 x86_64 randconfig-004-20240705 gcc-13 x86_64 randconfig-005-20240705 gcc-13 x86_64 randconfig-006-20240705 gcc-13 x86_64 randconfig-011-20240705 clang-18 x86_64 randconfig-012-20240705 gcc-9 x86_64 randconfig-013-20240705 clang-18 x86_64 randconfig-014-20240705 gcc-13 x86_64 randconfig-015-20240705 clang-18 x86_64 randconfig-016-20240705 gcc-9 x86_64 randconfig-071-20240705 gcc-13 x86_64 randconfig-072-20240705 gcc-13 x86_64 randconfig-073-20240705 clang-18 x86_64 randconfig-074-20240705 gcc-13 x86_64 randconfig-075-20240705 clang-18 x86_64 randconfig-076-20240705 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0