NACK/CMT: [SRU][F][PATCH 0/4] CVE-2023-52498
Guoqing Jiang
guoqing.jiang at canonical.com
Tue Oct 15 09:32:52 UTC 2024
On 10/11/24 16:57, Guoqing Jiang wrote:
> Hi,
>
> On 10/10/24 10:02, Ian Whitfield wrote:
>> [Impact]
>>
>> This patchset resolves multiple deadlock conditions in
>> drivers/base/power/main.c
>>
>> The primary CVE fix addresses a deadlock that happened on system resume
>> on low-memory hardware configurations. The second deadlock fixed by
>> this patchset occurs when a device handling a resume or suspend
>> attempts to unlock a particular mutex while the base calling code has
>> not yet dropped it.
>>
>> [Backport]
>>
>> The top-level fix patch for this CVE had two dependency patches and
>> conflicts due to missing two other patches. Dependency patches were
>> applied cleanly. Of the two conflict patches, one was not relevant and
>> easily resolved with context adjustment. The other conflicting patch
>> resolved further deadlock conditions which led me to include it in this
>> patchset. This secondary patch had one conflict, but this was resolved
>> by adjusting the patch context.
>>
>> This patchset therefore includes a fix for the original deadlock CVE,
>> its two dependency patches, and a second deadlock patch.
>
> I guess "a second deadlock patch" is the first patch; I am not sure if it is
> appropriate to add CVE-2023-52498 to it. BTW, for 5.10 stable, it was added
> with this tag.
>
> Stable-dep-of: 7839d0078e0d ("PM: sleep: Fix possible deadlocks in
> core system-wide PM code")
After going through other CVE patches, I think adding CVE-2023-52498 would be
fine.
>
> and the below commit might be needed for the first patch.
>
> commit 544e737dea5ad1a457f25dbddf68761ff25e028b
> Author: Rafael J. Wysocki <rafael.j.wysocki at intel.com>
> Date: Thu Dec 16 20:30:18 2021 +0100
>
> PM: sleep: Fix error handling in dpm_prepare()
>
> since it has Fixes: 2aa36604e824 ("PM: sleep: Avoid calling
> put_device() under dpm_list_mtx").
Please include the above commit in the next version, and NACK this version for now.
Thanks,
Guoqing