From: Greg Kroah-Hartman gregkh@linuxfoundation.org
stable inclusion from stable-v5.10.114 commit 549209caabc89f2877ad5f62d11fca5c052e0e8f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5O6A9 CVE: CVE-2022-2991
---------------------------
In commit 9ea9b9c48387 ("remove the lightnvm subsystem") the lightnvm subsystem was removed as there is no hardware in the wild for it, and the code is known to have problems. This should also be disabled for older LTS kernels as well to prevent anyone from accidentally using it.
Cc: Christoph Hellwig hch@lst.de Cc: Matias Bjørling mb@lightnvm.io Cc: Javier González javier@javigon.com Cc: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Guo Mengqi guomengqi3@huawei.com Reviewed-by: Weilong Chen chenweilong@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/lightnvm/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/lightnvm/Kconfig b/drivers/lightnvm/Kconfig index 439bf90d084d..1db33cb28859 100644 --- a/drivers/lightnvm/Kconfig +++ b/drivers/lightnvm/Kconfig @@ -4,7 +4,7 @@
menuconfig NVM bool "Open-Channel SSD target support" - depends on BLOCK && PCI + depends on BLOCK && PCI && BROKEN select BLK_DEV_NVME help Say Y here to get to enable Open-channel SSDs.
From: Zheyu Ma zheyuma97@gmail.com
mainline inclusion from mainline-v5.18-rc5 commit 15cf0b82271b1823fb02ab8c377badba614d95d5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5OVRU CVE: CVE-2022-3061
---------------------------
The userspace program could pass any values to the driver through ioctl() interface. If the driver doesn't check the value of 'pixclock', it may cause divide error.
Fix this by checking whether 'pixclock' is zero in the function i740fb_check_var().
The following log reveals it:
divide error: 0000 [#1] PREEMPT SMP KASAN PTI RIP: 0010:i740fb_decode_var drivers/video/fbdev/i740fb.c:444 [inline] RIP: 0010:i740fb_set_par+0x272f/0x3bb0 drivers/video/fbdev/i740fb.c:739 Call Trace: fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1036 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1112 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1191 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline]
Signed-off-by: Zheyu Ma zheyuma97@gmail.com Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Xia Longlong xialonglong1@huawei.com Reviewed-by: Kefeng Wang wangkefeng.wang@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/video/fbdev/i740fb.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/i740fb.c b/drivers/video/fbdev/i740fb.c index f6d7b04d6dff..719a3c99f1bd 100644 --- a/drivers/video/fbdev/i740fb.c +++ b/drivers/video/fbdev/i740fb.c @@ -656,6 +656,9 @@ static int i740fb_decode_var(const struct fb_var_screeninfo *var,
static int i740fb_check_var(struct fb_var_screeninfo *var, struct fb_info *info) { + if (!var->pixclock) + return -EINVAL; + switch (var->bits_per_pixel) { case 8: var->red.offset = var->green.offset = var->blue.offset = 0;
-
Yongqiang Liu