[PATCH openEuler-1.0-LTS 0/3] CVE-2024-23848

List overview All Threads
Download

newer

older

[PATCH openEuler-1.0-LTS 0/2]...

[PATCH v2 OLK-5.10] x86, relocs:...

Yongqiang Liu

4 Jul 2024 4 Jul '24

5:38 p.m.

Hans Verkuil (3): media: cec: cec-adap: always cancel work in cec_transmit_msg_fh media: cec: cec-api: add locking in cec_release() media: cec: core: avoid recursive cec_claim_log_addrs

drivers/media/cec/cec-adap.c | 9 ++++++--- drivers/media/cec/cec-api.c | 5 ++++- include/media/cec.h | 1 + 3 files changed, 11 insertions(+), 4 deletions(-)

-- 2.34.1

Show replies by date

Yongqiang Liu

4 Jul 4 Jul

5:38 p.m.

New subject: [PATCH openEuler-1.0-LTS 1/3] media: cec: cec-adap: always cancel work in cec_transmit_msg_fh

From: Hans Verkuil hverkuil-cisco@xs4all.nl

stable inclusion from stable-v4.19.316 commit 896dfd4d74f84c854d3a24d889e54a44329d313e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89 CVE: CVE-2024-23848

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce ]

Do not check for !data->completed, just always call cancel_delayed_work_sync(). This fixes a small race condition.

Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Reported-by: Yang, Chenyuan cy54@illinois.edu Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@P... Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work") Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/media/cec/cec-adap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index ba7e976bf6dc9..a9b8c6636e50c 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -863,8 +863,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, */ mutex_unlock(&adap->lock); wait_for_completion_killable(&data->c); - if (!data->completed) - cancel_delayed_work_sync(&data->work); + cancel_delayed_work_sync(&data->work); mutex_lock(&adap->lock);

/* Cancel the transmit if it was interrupted */

-- 2.34.1

Yongqiang Liu

5:38 p.m.

New subject: [PATCH openEuler-1.0-LTS 2/3] media: cec: cec-api: add locking in cec_release()

From: Hans Verkuil hverkuil-cisco@xs4all.nl

stable inclusion from stable-v4.19.316 commit d2cfbc5298add5e0c6cfe8b343f73dfdf01c8b1c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89 CVE: CVE-2024-23848

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ]

When cec_release() uses fh->msgs it has to take fh->lock, otherwise the list can get corrupted.

Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Reported-by: Yang, Chenyuan cy54@illinois.edu Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@P... Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)") Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/media/cec/cec-api.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c index b2b3f779592fd..d4c848c2f3764 100644 --- a/drivers/media/cec/cec-api.c +++ b/drivers/media/cec/cec-api.c @@ -660,6 +660,8 @@ static int cec_release(struct inode *inode, struct file *filp) list_del(&data->xfer_list); } mutex_unlock(&adap->lock); + + mutex_lock(&fh->lock); while (!list_empty(&fh->msgs)) { struct cec_msg_entry *entry = list_first_entry(&fh->msgs, struct cec_msg_entry, list); @@ -677,6 +679,7 @@ static int cec_release(struct inode *inode, struct file *filp) kfree(entry); } } + mutex_unlock(&fh->lock); kfree(fh);

cec_put_device(devnode);

-- 2.34.1

Yongqiang Liu

5:38 p.m.

New subject: [PATCH openEuler-1.0-LTS 3/3] media: cec: core: avoid recursive cec_claim_log_addrs

From: Hans Verkuil hverkuil-cisco@xs4all.nl

stable inclusion from stable-v5.10.219 commit 5103090f4e55252cb1b1a6084da53d63434dc24b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YC89 CVE: CVE-2024-23848

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 47c82aac10a6954d68f29f10d9758d016e8e5af1 ]

Keep track if cec_claim_log_addrs() is running, and return -EBUSY if it is when calling CEC_ADAP_S_LOG_ADDRS.

This prevents a case where cec_claim_log_addrs() could be called while it was still in progress.

Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Reported-by: Yang, Chenyuan cy54@illinois.edu Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@P... Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)") Signed-off-by: Mauro Carvalho Chehab mchehab@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: include/media/cec.h [Yongqiang: context fix] Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/media/cec/cec-adap.c | 6 +++++- drivers/media/cec/cec-api.c | 2 +- include/media/cec.h | 1 + 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index a9b8c6636e50c..5ba3b358c0d56 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -1481,9 +1481,12 @@ static int cec_config_thread_func(void *arg) */ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block) { - if (WARN_ON(adap->is_configuring || adap->is_configured)) + if (WARN_ON(adap->is_claiming_log_addrs || + adap->is_configuring || adap->is_configured)) return;

+ adap->is_claiming_log_addrs = true; + init_completion(&adap->config_completion);

/* Ready to kick off the thread */ @@ -1497,6 +1500,7 @@ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block) wait_for_completion(&adap->config_completion); mutex_lock(&adap->lock); } + adap->is_claiming_log_addrs = false; }

/* Set a new physical address and send an event notifying userspace of this. diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c index d4c848c2f3764..911b09fe2e17d 100644 --- a/drivers/media/cec/cec-api.c +++ b/drivers/media/cec/cec-api.c @@ -178,7 +178,7 @@ static long cec_adap_s_log_addrs(struct cec_adapter *adap, struct cec_fh *fh, CEC_LOG_ADDRS_FL_ALLOW_RC_PASSTHRU | CEC_LOG_ADDRS_FL_CDC_ONLY; mutex_lock(&adap->lock); - if (!adap->is_configuring && + if (!adap->is_claiming_log_addrs && !adap->is_configuring && (!log_addrs.num_log_addrs || !adap->is_configured) && !cec_is_busy(adap, fh)) { err = __cec_s_log_addrs(adap, &log_addrs, block); diff --git a/include/media/cec.h b/include/media/cec.h index 59bf280e9715c..604149ae0e127 100644 --- a/include/media/cec.h +++ b/include/media/cec.h @@ -171,6 +171,7 @@ struct cec_adapter {

u16 phys_addr; bool needs_hpd; + bool is_claiming_log_addrs; bool is_configuring; bool is_configured; bool cec_pin_is_high;

-- 2.34.1

patchwork bot

5:45 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/9759 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/I...

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/9759 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/I...

143

Age (days ago)

143

Last active (days ago)

kernel@openeuler.org

4 comments

2 participants

tags (0)

participants (2)

patchwork bot
Yongqiang Liu