This patchset fixes CVE-2024-26771.
Conflicts of patch 2 and 3 is cause by commit 31f4b28f6c41 ("dmaengine: ti: edma: Add support for handling reserved channels") not being merged, which has been adapted.
Conflicts of patch 4 is a context conflict which does not effect the effectiveness of this patch.
v3: Added CVE tags for all patches as per request. v2: Removed CVE dedication for the first 3 patches.
Chuhong Yuan (2): dmaengine: ti: edma: fix missed failure handling dmaengine: ti: edma: add missed operations
Kunwu Chan (1): dmaengine: ti: edma: Add some null pointer checks to the edma_probe
Wei Yongjun (1): dmaengine: ti: edma: Fix error return code in edma_probe()
drivers/dma/ti/edma.c | 53 +++++++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 17 deletions(-)
From: Chuhong Yuan hslester96@gmail.com
mainline inclusion from mainline-v5.6-rc1 commit 340049d453682a9fe8d91fe794dd091730f4bb25 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: CVE-2024-26771
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
When devm_kcalloc fails, it forgets to call edma_free_slot. Replace direct return with failure handler to fix it.
Fixes: 1be5336bc7ba ("dmaengine: edma: New device tree binding") Signed-off-by: Chuhong Yuan hslester96@gmail.com Link: https://lore.kernel.org/r/20191118073802.28424-1-hslester96@gmail.com Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: GUO Zihua guozihua@huawei.com --- drivers/dma/ti/edma.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 982631d4e1f8..44158fa85973 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2345,8 +2345,10 @@ static int edma_probe(struct platform_device *pdev)
ecc->tc_list = devm_kcalloc(dev, ecc->num_tc, sizeof(*ecc->tc_list), GFP_KERNEL); - if (!ecc->tc_list) - return -ENOMEM; + if (!ecc->tc_list) { + ret = -ENOMEM; + goto err_reg1; + }
for (i = 0;; i++) { ret = of_parse_phandle_with_fixed_args(node, "ti,tptcs",
From: Chuhong Yuan hslester96@gmail.com
mainline inclusion from mainline-v5.6-rc1 commit 2a03c1314506557277829562dd2ec5c11a6ea914 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: CVE-2024-26771
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The driver forgets to call pm_runtime_disable and pm_runtime_put_sync in probe failure and remove. Add the calls and modify probe failure handling to fix it.
To simplify the fix, the patch adjusts the calling order and merges checks for devm_kcalloc.
Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/") Signed-off-by: Chuhong Yuan hslester96@gmail.com Acked-by: Peter Ujfalusi peter.ujfalusi@ti.com Link: https://lore.kernel.org/r/20191124052855.6472-1-hslester96@gmail.com Signed-off-by: Vinod Koul vkoul@kernel.org Conflicts: drivers/dma/ti/edma.c Signed-off-by: GUO Zihua guozihua@huawei.com --- drivers/dma/ti/edma.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 44158fa85973..800271647574 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2218,13 +2218,6 @@ static int edma_probe(struct platform_device *pdev) if (!info) return -ENODEV;
- pm_runtime_enable(dev); - ret = pm_runtime_get_sync(dev); - if (ret < 0) { - dev_err(dev, "pm_runtime_get_sync() failed\n"); - return ret; - } - ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32)); if (ret) return ret; @@ -2255,21 +2248,27 @@ static int edma_probe(struct platform_device *pdev)
platform_set_drvdata(pdev, ecc);
+ pm_runtime_enable(dev); + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "pm_runtime_get_sync() failed\n"); + pm_runtime_disable(dev); + return ret; + } + /* Get eDMA3 configuration from IP */ ret = edma_setup_from_hw(dev, info, ecc); if (ret) - return ret; + goto err_disable_pm;
/* Allocate memory based on the information we got from the IP */ ecc->slave_chans = devm_kcalloc(dev, ecc->num_channels, sizeof(*ecc->slave_chans), GFP_KERNEL); - if (!ecc->slave_chans) - return -ENOMEM;
ecc->slot_inuse = devm_kcalloc(dev, BITS_TO_LONGS(ecc->num_slots), sizeof(unsigned long), GFP_KERNEL); - if (!ecc->slot_inuse) - return -ENOMEM; + if (!ecc->slave_chans || !ecc->slot_inuse) + goto err_disable_pm;
ecc->default_queue = info->default_queue;
@@ -2310,7 +2309,7 @@ static int edma_probe(struct platform_device *pdev) ecc); if (ret) { dev_err(dev, "CCINT (%d) failed --> %d\n", irq, ret); - return ret; + goto err_disable_pm; } ecc->ccint = irq; } @@ -2326,7 +2325,7 @@ static int edma_probe(struct platform_device *pdev) ecc); if (ret) { dev_err(dev, "CCERRINT (%d) failed --> %d\n", irq, ret); - return ret; + goto err_disable_pm; } ecc->ccerrint = irq; } @@ -2334,7 +2333,8 @@ static int edma_probe(struct platform_device *pdev) ecc->dummy_slot = edma_alloc_slot(ecc, EDMA_SLOT_ANY); if (ecc->dummy_slot < 0) { dev_err(dev, "Can't allocate PaRAM dummy slot\n"); - return ecc->dummy_slot; + ret = ecc->dummy_slot; + goto err_disable_pm; }
queue_priority_mapping = info->queue_priority_mapping; @@ -2418,6 +2418,9 @@ static int edma_probe(struct platform_device *pdev)
err_reg1: edma_free_slot(ecc, ecc->dummy_slot); +err_disable_pm: + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); return ret; }
@@ -2448,6 +2451,8 @@ static int edma_remove(struct platform_device *pdev) if (ecc->dma_memcpy) dma_async_device_unregister(ecc->dma_memcpy); edma_free_slot(ecc, ecc->dummy_slot); + pm_runtime_put_sync(dev); + pm_runtime_disable(dev);
return 0; }
From: Wei Yongjun weiyongjun1@huawei.com
mainline inclusion from mainline-v5.6-rc1 commit d1fd03a35efc6285e43f4ef35ef04dbf2c9389c6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: CVE-2024-26771
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Fix to return negative error code -ENOMEM from the error handling case instead of 0, as done elsewhere in this function.
Fixes: 2a03c1314506 ("dmaengine: ti: edma: add missed operations") Signed-off-by: Wei Yongjun weiyongjun1@huawei.com Acked-by: Peter Ujfalusi peter.ujfalusi@ti.com Link: https://lore.kernel.org/r/20191212114622.127322-1-weiyongjun1@huawei.com Signed-off-by: Vinod Koul vkoul@kernel.org Conflicts: drivers/dma/ti/edma.c Signed-off-by: GUO Zihua guozihua@huawei.com --- drivers/dma/ti/edma.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 800271647574..c35fe3d82670 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2267,8 +2267,10 @@ static int edma_probe(struct platform_device *pdev)
ecc->slot_inuse = devm_kcalloc(dev, BITS_TO_LONGS(ecc->num_slots), sizeof(unsigned long), GFP_KERNEL); - if (!ecc->slave_chans || !ecc->slot_inuse) + if (!ecc->slave_chans || !ecc->slot_inuse) { + ret = -ENOMEM; goto err_disable_pm; + }
ecc->default_queue = info->default_queue;
From: Kunwu Chan chentao@kylinos.cn
mainline inclusion from mainline-v6.8-rc3 commit 6e2276203ac9ff10fc76917ec9813c660f627369 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: CVE-2024-26771
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.
Signed-off-by: Kunwu Chan chentao@kylinos.cn Link: https://lore.kernel.org/r/20240118031929.192192-1-chentao@kylinos.cn Signed-off-by: Vinod Koul vkoul@kernel.org Conflicts: drivers/dma/ti/edma.c Signed-off-by: GUO Zihua guozihua@huawei.com --- drivers/dma/ti/edma.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index c35fe3d82670..2824f8cf414b 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2307,6 +2307,11 @@ static int edma_probe(struct platform_device *pdev) if (irq >= 0) { irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccint", dev_name(dev)); + if (!irq_name) { + ret = -ENOMEM; + goto err_disable_pm; + } + ret = devm_request_irq(dev, irq, dma_irq_handler, 0, irq_name, ecc); if (ret) { @@ -2323,6 +2328,11 @@ static int edma_probe(struct platform_device *pdev) if (irq >= 0) { irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccerrint", dev_name(dev)); + if (!irq_name) { + ret = -ENOMEM; + goto err_disable_pm; + } + ret = devm_request_irq(dev, irq, dma_ccerr_handler, 0, irq_name, ecc); if (ret) {
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/5875 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/5875 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...