kernel@openeuler.org

June 2024

  • 84 participants
  • 1085 discussions
[PATCH OLK-5.10 V1] drm/vmwgfx: Fix invalid reads in fence signaled events
by Cheng Yu 09 Jun '24

From: Zack Rusin <zack.rusin(a)broadcom.com>

mainline inclusion
from mainline-v6.9-rc7
commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNUO
CVE: CVE-2024-36960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Correctly set the length of the drm_event to the size of the structure
that's actually used.

The length of the drm_event was set to the parent structure instead of
to the drm_vmw_event_fence which is supposed to be read. drm_read uses
the length parameter to copy the event to the user space thus resulting
in oob reads.

Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com>
Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-23566
Cc: David Airlie <airlied(a)gmail.com>
CC: Daniel Vetter <daniel(a)ffwll.ch>
Cc: Zack Rusin <zack.rusin(a)broadcom.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com>
Cc: dri-devel(a)lists.freedesktop.org
Cc: linux-kernel(a)vger.kernel.org
Cc: <stable(a)vger.kernel.org> # v3.4+
Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com>
Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack…
Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com>
---
 drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
index 8bc41ec97d71..6bacdb7583df 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
@@ -1066,7 +1066,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv, } event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED; - event->event.base.length = sizeof(*event); + event->event.base.length = sizeof(event->event); event->event.user_data = user_data; ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base); -- 2.25.1
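Review bot: the fix is correct, but the `+` line would benefit from a one-line comment saying why `sizeof(event->event)` and not `sizeof(*event)` is the right operand, because the distinction is exactly what the original code got wrong and nothing at the site records it. `base.length` is what `drm_read` uses as the byte count when it copies the event out to userspace, so it has to cover only the embedded `drm_vmw_event_fence` (`event->event`), not the enclosing kernel-side action object that `*event` denotes; sizing it to the wrapper let the copy run past the uAPI struct into adjacent kernel memory, which is the OOB read the changelog describes. Something like `/* drm_read copies base.length bytes: size the uAPI event, not the action */` above the assignment would keep the invariant visible to the next person who touches `vmw_event_fence_action_create`. The backport otherwise matches the referenced upstream commit and carries the Fixes, CVE and stable tags.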
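The bug class in the patch above, as an added illustration that is not vmwgfx or openEuler code: a DRM event's `length` field is the byte count a reader copies out starting at the event header, so it must be the size of the uAPI payload embedded in the kernel-side action object, not the size of the action object that contains it. The struct layouts below are constructed stand-ins (the real `drm_vmw_event_fence` and action-object definitions are not on this page), the event type value is a placeholder, and `event_length` / `overread_bytes` are helpers written for this example; only the `sizeof(*event)` versus `sizeof(event->event)` choice mirrors the hunk.

```c
/*
 * Added example: the sizeof mistake behind the vmwgfx fix, reproduced on
 * constructed stand-in structs. Not code from the kernel tree.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header every DRM event starts with; length covers header plus payload. */
struct drm_event {
    uint32_t type;
    uint32_t length;
};

/* Constructed stand-in for the uAPI drm_vmw_event_fence payload. */
struct vmw_event_fence {
    struct drm_event base;
    uint64_t user_data;
    uint32_t tv_sec;
    uint32_t tv_usec;
};

/* Constructed stand-in for the kernel-private action object that embeds it. */
struct vmw_event_fence_action {
    void *list_prev;               /* kernel-private bookkeeping */
    void *list_next;
    struct vmw_event_fence event;  /* only this part is meant for userspace */
    void *fence;                   /* more kernel-private state */
};

enum length_policy { LENGTH_OF_ACTION, LENGTH_OF_EVENT };

/* Initialise the header the way the 'before' and 'after' code in the hunk do. */
static void vmw_event_init(struct vmw_event_fence_action *act, enum length_policy p)
{
    memset(act, 0, sizeof(*act));
    act->event.base.type = 0x80000001u;       /* placeholder event type */
    act->event.base.length = (p == LENGTH_OF_ACTION)
        ? (uint32_t)sizeof(*act)              /* the bug: sizeof(*event) */
        : (uint32_t)sizeof(act->event);       /* the fix: sizeof(event->event) */
}

/* Byte count a drm_read-style copy would use for an event built under policy p. */
uint32_t event_length(enum length_policy p)
{
    struct vmw_event_fence_action act;
    vmw_event_init(&act, p);
    return act.event.base.length;
}

/*
 * Bytes such a copy would read beyond the embedded uAPI payload. Zero means the
 * copy stays inside struct vmw_event_fence; anything else is an out-of-bounds
 * read of whatever kernel-private fields follow it in the action object.
 */
size_t overread_bytes(enum length_policy p)
{
    uint32_t len = event_length(p);
    size_t payload = sizeof(struct vmw_event_fence);
    return len > payload ? len - payload : 0;
}
```

`overread_bytes(LENGTH_OF_ACTION)` is the size of the kernel-private fields around the payload, which is what a length sized to the wrapper exposes; with `LENGTH_OF_EVENT` it is zero. The same check can be applied as a review heuristic to any event or message header whose length field is later trusted by a generic copy-out routine.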
[openeuler:openEuler-1.0-LTS 18952/22827] mm/shmem.c:1601:19: sparse: sparse: invalid assignment: |=
by kernel test robot 09 Jun '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: 3a3a1f75d885bc1d1a25bb753dd2cf9111c457f7 [18952/22827] shmem: Introduce shmem reliable
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090739.J3hAY6q8-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090739.J3hAY6q8-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090739.J3hAY6q8-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> mm/shmem.c:1601:19: sparse: sparse: invalid assignment: |=
   mm/shmem.c:1601:19: sparse:    left side has type restricted gfp_t
   mm/shmem.c:1601:19: sparse:    right side has type unsigned int
   mm/shmem.c: note: in included file (through include/linux/percpu_counter.h, include/linux/quota.h, include/linux/fs.h):
   include/linux/gfp.h:457:34: sparse: sparse: restricted gfp_t degrades to integer
   mm/shmem.c: In function 'shmem_fh_to_dentry':
   mm/shmem.c:3403:24: warning: array subscript 2 is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
    3403 |         inum = fid->raw[2];
         |                ~~~~~~~~^~~
   In file included from mm/shmem.c:53:
   include/linux/exportfs.h:129:23: note: while referencing 'raw'
     129 |                 __u32 raw[0];
         |                       ^~~
   mm/shmem.c:3404:39: warning: array subscript 1 is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
    3404 |         inum = (inum << 32) | fid->raw[1];
         |                               ~~~~~~~~^~~
   include/linux/exportfs.h:129:23: note: while referencing 'raw'
     129 |                 __u32 raw[0];
         |                       ^~~
   mm/shmem.c:3406:61: warning: array subscript 0 is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
    3406 |         inode = ilookup5(sb, (unsigned long)(inum + fid->raw[0]),
         |                                                     ~~~~~~~~^~~
   include/linux/exportfs.h:129:23: note: while referencing 'raw'
     129 |                 __u32 raw[0];
         |                       ^~~

vim +1601 mm/shmem.c

  1595  
  1596  static inline void shmem_prepare_alloc(gfp_t *gfp_mask)
  1597  {
  1598          if (!shmem_reliable_is_enabled())
  1599                  return;
  1600  
> 1601          *gfp_mask |= ___GFP_RELIABILITY;
  1602  }
  1603  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS] BUILD REGRESSION 6a98543755cf2f636ae3169f3774d226d328d2cf
by kernel test robot 09 Jun '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
branch HEAD: 6a98543755cf2f636ae3169f3774d226d328d2cf  !8628 erspan: make sure erspan_base_hdr is present in skb->head

Error/Warning reports:

https://lore.kernel.org/oe-kbuild-all/202406081538.GZO9E4bP-lkp@intel.com
https://lore.kernel.org/oe-kbuild-all/202406090015.Dx2VIQ1d-lkp@intel.com
https://lore.kernel.org/oe-kbuild-all/202406090419.Or3DQ4pF-lkp@intel.com

Error/Warning: (recently discovered and may have been fixed)

mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=

Unverified Error/Warning (likely false positive, please contact us if interested):

drivers/scsi/ufs/ufs-qcom.c:1665: error: Cannot parse struct or union!
super.c:(.exit.text+0x7c): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `netlink_kernel_release'
super.c:(.init.text+0x6b38): relocation truncated to fit: R_AARCH64_ADR_PREL_PG_HI21 against undefined symbol `init_net'
super.c:(.init.text+0x6b48): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `__netlink_kernel_create'
super.c:(.text+0x130dc): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `__alloc_skb'
super.c:(.text+0x13144): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `__nlmsg_put'
super.c:(.text+0x131b4): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `netlink_broadcast'
super.c:(.text+0x131d8): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `kfree_skb'

Error/Warning ids grouped by kconfigs:

gcc_recent_errors
|-- arm64-allmodconfig
|   `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
|-- arm64-defconfig
|   `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
|-- arm64-randconfig-004-20240608
|   |-- drivers-scsi-ufs-ufs-qcom.c:error:Cannot-parse-struct-or-union
|   |-- super.c:(.exit.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-netlink_kernel_release
|   |-- super.c:(.init.text):relocation-truncated-to-fit:R_AARCH64_ADR_PREL_PG_HI21-against-undefined-symbol-init_net
|   |-- super.c:(.init.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-__netlink_kernel_create
|   |-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-__alloc_skb
|   |-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-__nlmsg_put
|   |-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-kfree_skb
|   `-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-netlink_broadcast
|-- arm64-randconfig-r123-20240607
|   |-- drivers-remoteproc-qcom_adsp_pil.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mem_region-got-void-noderef-asn
|   |-- drivers-remoteproc-qcom_q6v5_pil.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mba_region-got-void-noderef-asn
|   |-- drivers-remoteproc-qcom_q6v5_pil.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mpss_region-got-void-noderef-asn
|   |-- drivers-remoteproc-qcom_wcnss.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mem_region-got-void-noderef-asn
|   |-- mm-khugepaged.c:sparse:sparse:invalid-assignment:
|   `-- net-netfilter-nft_counter.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-struct-nft_counter_percpu_priv-noderef-asn-priv-got-struct-nft_counter_percpu_priv-priv
|-- x86_64-buildonly-randconfig-004-20240609
|   `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text
|-- x86_64-buildonly-randconfig-006-20240609
|   |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
|   `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text
`-- x86_64-randconfig-001-20240609
    `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
clang_recent_errors
|-- x86_64-allyesconfig
|   |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension
|   `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text
|-- x86_64-buildonly-randconfig-002-20240609
|   `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text
`-- x86_64-buildonly-randconfig-005-20240609
    |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension
    `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text

elapsed time: 1126m

configs tested: 16
configs skipped: 131

tested configs:
arm64    allmodconfig                        gcc
arm64    allnoconfig                         gcc
arm64    defconfig                           gcc
arm64    randconfig-003-20240609             gcc
x86_64   allnoconfig                         clang
x86_64   allyesconfig                        clang
x86_64   buildonly-randconfig-001-20240609   clang
x86_64   buildonly-randconfig-002-20240609   clang
x86_64   buildonly-randconfig-003-20240609   clang
x86_64   buildonly-randconfig-004-20240609   gcc
x86_64   buildonly-randconfig-005-20240609   clang
x86_64   buildonly-randconfig-006-20240609   gcc
x86_64   defconfig                           gcc
x86_64   randconfig-001-20240609             gcc
x86_64   randconfig-002-20240609             clang
x86_64   rhel-8.3-rust                       clang

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 18949/22827] mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
by kernel test robot 09 Jun '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: ff0fb9e816fac221fa24a1810dd895745406070b [18949/22827] mm: thp: Add memory reliable support for hugepaged collapse
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090419.Or3DQ4pF-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090419.Or3DQ4pF-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090419.Or3DQ4pF-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
   mm/khugepaged.c:974:21: sparse:    left side has type restricted gfp_t
   mm/khugepaged.c:974:21: sparse:    right side has type unsigned int
   mm/khugepaged.c:1352:21: sparse: sparse: invalid assignment: |=
   mm/khugepaged.c:1352:21: sparse:    left side has type restricted gfp_t
   mm/khugepaged.c:1352:21: sparse:    right side has type unsigned int
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse:     expected void **slot
   mm/khugepaged.c:1378:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse:     expected void **slot
   mm/khugepaged.c:1378:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1409:56: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1409:56: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1409:56: sparse:     got void **slot
   mm/khugepaged.c:1458:22: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1458:22: sparse:     expected void **slot
   mm/khugepaged.c:1458:22: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1459:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1459:17: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1459:17: sparse:     got void **slot
   mm/khugepaged.c:1483:60: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1483:60: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1483:60: sparse:     got void **slot
   mm/khugepaged.c:1486:47: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1486:47: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1486:47: sparse:     got void **slot
   mm/khugepaged.c:1486:22: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1486:22: sparse:     expected void **slot
   mm/khugepaged.c:1486:22: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1378:9: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1378:9: sparse:     got void **slot
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse:     expected void **slot
   mm/khugepaged.c:1378:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse:     expected void **slot
   mm/khugepaged.c:1578:17: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse:     expected void **slot
   mm/khugepaged.c:1578:17: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1597:68: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1597:68: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1597:68: sparse:     got void **slot
   mm/khugepaged.c:1598:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1598:55: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1598:55: sparse:     got void **slot
   mm/khugepaged.c:1598:30: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1598:30: sparse:     expected void **slot
   mm/khugepaged.c:1598:30: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1578:17: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1578:17: sparse:     got void **slot
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse:     expected void **slot
   mm/khugepaged.c:1578:17: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse:     expected void **slot
   mm/khugepaged.c:1633:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse:     expected void **slot
   mm/khugepaged.c:1633:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1637:46: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1637:46: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1637:46: sparse:     got void **slot
   mm/khugepaged.c:1639:30: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1639:30: sparse:     expected void **slot
   mm/khugepaged.c:1639:30: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1682:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1682:55: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1682:55: sparse:     got void **slot
   mm/khugepaged.c:1682:30: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1682:30: sparse:     expected void **slot
   mm/khugepaged.c:1682:30: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1633:9: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1633:9: sparse:     got void **slot
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse:     expected void **slot
   mm/khugepaged.c:1633:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c: note: in included file (through include/linux/mm.h):
   include/linux/gfp.h:457:34: sparse: sparse: restricted gfp_t degrades to integer
   mm/khugepaged.c:1336: warning: Function parameter or member 'mm' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'mapping' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'start' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'hpage' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'node' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'reliable' not described in 'collapse_shmem'

vim +974 mm/khugepaged.c

   949  
   950  static void collapse_huge_page(struct mm_struct *mm,
   951                                 unsigned long address,
   952                                 struct page **hpage,
   953                                 int node, int referenced, int unmapped,
   954                                 bool reliable)
   955  {
   956          pmd_t *pmd, _pmd;
   957          pte_t *pte;
   958          pgtable_t pgtable;
   959          struct page *new_page;
   960          spinlock_t *pmd_ptl, *pte_ptl;
   961          int isolated = 0, result = 0;
   962          struct mem_cgroup *memcg;
   963          struct vm_area_struct *vma;
   964          unsigned long mmun_start;       /* For mmu_notifiers */
   965          unsigned long mmun_end;         /* For mmu_notifiers */
   966          gfp_t gfp;
   967  
   968          VM_BUG_ON(address & ~HPAGE_PMD_MASK);
   969  
   970          /* Only allocate from the target node */
   971          gfp = alloc_hugepage_khugepaged_gfpmask() | __GFP_THISNODE;
   972  
   973          if (reliable)
 > 974                  gfp |= ___GFP_RELIABILITY;
   975  
   976          /*
   977           * Before allocating the hugepage, release the mmap_sem read lock.
   978           * The allocation can take potentially a long time if it involves
   979           * sync compaction, and we do not need to hold the mmap_sem during
   980           * that. We will recheck the vma after taking it again in write mode.
   981           */
   982          up_read(&mm->mmap_sem);
   983          new_page = khugepaged_alloc_page(hpage, gfp, node);
   984          if (!new_page) {
   985                  result = SCAN_ALLOC_HUGE_PAGE_FAIL;
   986                  goto out_nolock;
   987          }
   988  
   989          if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
   990                  result = SCAN_CGROUP_CHARGE_FAIL;
   991                  goto out_nolock;
   992          }
   993  
   994          down_read(&mm->mmap_sem);
   995          result = hugepage_vma_revalidate(mm, address, &vma);
   996          if (result) {
   997                  mem_cgroup_cancel_charge(new_page, memcg, true);
   998                  up_read(&mm->mmap_sem);
   999                  goto out_nolock;
  1000          }
  1001  
  1002          pmd = mm_find_pmd(mm, address);
  1003          if (!pmd) {
  1004                  result = SCAN_PMD_NULL;
  1005                  mem_cgroup_cancel_charge(new_page, memcg, true);
  1006                  up_read(&mm->mmap_sem);
  1007                  goto out_nolock;
  1008          }
  1009  
  1010          /*
  1011           * __collapse_huge_page_swapin always returns with mmap_sem locked.
  1012           * If it fails, we release mmap_sem and jump out_nolock.
  1013           * Continuing to collapse causes inconsistency.
  1014           */
  1015          if (unmapped && !__collapse_huge_page_swapin(mm, vma, address,
  1016                                                       pmd, referenced)) {
  1017                  mem_cgroup_cancel_charge(new_page, memcg, true);
  1018                  up_read(&mm->mmap_sem);
  1019                  goto out_nolock;
  1020          }
  1021  
  1022          up_read(&mm->mmap_sem);
  1023          /*
  1024           * Prevent all access to pagetables with the exception of
  1025           * gup_fast later handled by the ptep_clear_flush and the VM
  1026           * handled by the anon_vma lock + PG_lock.
  1027           */
  1028          down_write(&mm->mmap_sem);
  1029          result = hugepage_vma_revalidate(mm, address, &vma);
  1030          if (result)
  1031                  goto out;
  1032          /* check if the pmd is still valid */
  1033          if (mm_find_pmd(mm, address) != pmd)
  1034                  goto out;
  1035  
  1036          anon_vma_lock_write(vma->anon_vma);
  1037  
  1038          pte = pte_offset_map(pmd, address);
  1039          pte_ptl = pte_lockptr(mm, pmd);
  1040  
  1041          mmun_start = address;
  1042          mmun_end   = address + HPAGE_PMD_SIZE;
  1043          mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
  1044          pmd_ptl = pmd_lock(mm, pmd); /* probably unnecessary */
  1045          /*
  1046           * After this gup_fast can't run anymore. This also removes
  1047           * any huge TLB entry from the CPU so we won't allow
  1048           * huge and small TLB entries for the same virtual address
  1049           * to avoid the risk of CPU bugs in that area.
  1050           */
  1051          _pmd = pmdp_collapse_flush(vma, address, pmd);
  1052          spin_unlock(pmd_ptl);
  1053          mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
  1054  
  1055          spin_lock(pte_ptl);
  1056          isolated = __collapse_huge_page_isolate(vma, address, pte);
  1057          spin_unlock(pte_ptl);
  1058  
  1059          if (unlikely(!isolated)) {
  1060                  pte_unmap(pte);
  1061                  spin_lock(pmd_ptl);
  1062                  BUG_ON(!pmd_none(*pmd));
  1063                  /*
  1064                   * We can only use set_pmd_at when establishing
  1065                   * hugepmds and never for establishing regular pmds that
  1066                   * points to regular pagetables. Use pmd_populate for that
  1067                   */
  1068                  pmd_populate(mm, pmd, pmd_pgtable(_pmd));
  1069                  spin_unlock(pmd_ptl);
  1070                  anon_vma_unlock_write(vma->anon_vma);
  1071                  result = SCAN_FAIL;
  1072                  goto out;
  1073          }
  1074  
  1075          /*
  1076           * All pages are isolated and locked so anon_vma rmap
  1077           * can't run anymore.
  1078           */
  1079          anon_vma_unlock_write(vma->anon_vma);
  1080  
  1081          __collapse_huge_page_copy(pte, new_page, vma, address, pte_ptl);
  1082          pte_unmap(pte);
  1083          __SetPageUptodate(new_page);
  1084          pgtable = pmd_pgtable(_pmd);
  1085  
  1086          _pmd = mk_huge_pmd(new_page, vma->vm_page_prot);
  1087          _pmd = maybe_pmd_mkwrite(pmd_mkdirty(_pmd), vma);
  1088  
  1089          /*
  1090           * spin_lock() below is not the equivalent of smp_wmb(), so
  1091           * this is needed to avoid the copy_huge_page writes to become
  1092           * visible after the set_pmd_at() write.
  1093           */
  1094          smp_wmb();
  1095  
  1096          spin_lock(pmd_ptl);
  1097          BUG_ON(!pmd_none(*pmd));
  1098          page_add_new_anon_rmap(new_page, vma, address, true);
  1099          mem_cgroup_commit_charge(new_page, memcg, false, true);
  1100          count_memcg_events(memcg, THP_COLLAPSE_ALLOC, 1);
  1101          lru_cache_add_active_or_unevictable(new_page, vma);
  1102          pgtable_trans_huge_deposit(mm, pmd, pgtable);
  1103          set_pmd_at(mm, address, pmd, _pmd);
  1104          update_mmu_cache_pmd(vma, address, pmd);
  1105          spin_unlock(pmd_ptl);
  1106  
  1107          *hpage = NULL;
  1108  
  1109          khugepaged_pages_collapsed++;
  1110          result = SCAN_SUCCEED;
  1111  out_up_write:
  1112          up_write(&mm->mmap_sem);
  1113  out_nolock:
  1114          trace_mm_collapse_huge_page(mm, isolated, result);
  1115          return;
  1116  out:
  1117          mem_cgroup_cancel_charge(new_page, memcg, true);
  1118          goto out_up_write;
  1119  }
  1120  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
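Both of the `invalid assignment: |=` reports above (mm/shmem.c:1601 and mm/khugepaged.c:974) are the same sparse typing rule, shown here as an added example that is not openEuler or mainline kernel code. `gfp_t` is declared `__bitwise`, so sparse treats it as a restricted type that may only be combined with values of the same type; a raw `unsigned int` such as `___GFP_RELIABILITY` OR-ed into it is reported, and the `restricted gfp_t degrades to integer` note from gfp.h is the same mismatch seen from the other side. The mainline convention is that the triple-underscore `___GFP_x` is the plain bit and the double-underscore `__GFP_x` is `((__force gfp_t)___GFP_x)`. The annotation macros below mirror the kernel's own (attributes only under `__CHECKER__`, i.e. when sparse runs), the bit value of `___GFP_RELIABILITY` is a placeholder rather than the value in the openEuler tree, and `reliable_enabled`, `gfp_bits` and `prepared_bits` are helpers written for this example.

```c
/*
 * Added example: why sparse flags `*gfp_mask |= ___GFP_RELIABILITY` and what
 * the annotation-clean form looks like. Stand-alone; not kernel code.
 */
#include <stdbool.h>
#include <stdio.h>

/* Same shape as the kernel's compiler_types.h: real attributes only for sparse. */
#ifdef __CHECKER__
#define __bitwise __attribute__((bitwise))
#define __force   __attribute__((force))
#else
#define __bitwise
#define __force
#endif

typedef unsigned int __bitwise gfp_t;

/* Raw bit, plain unsigned int. Placeholder value, not the openEuler one. */
#define ___GFP_RELIABILITY 0x01000000u

/* Typed wrapper in the gfp.h style: the __force cast is what satisfies sparse. */
#define __GFP_RELIABILITY ((__force gfp_t)___GFP_RELIABILITY)

/* Stand-in for shmem_reliable_is_enabled(); a runtime switch in the real tree. */
static bool reliable_enabled = true;

/* As reported: restricted gfp_t on the left, unsigned int on the right. */
void shmem_prepare_alloc_unannotated(gfp_t *gfp_mask)
{
    if (!reliable_enabled)
        return;
    *gfp_mask |= ___GFP_RELIABILITY;   /* sparse: invalid assignment: |= */
}

/* Annotation-clean form: both operands are gfp_t, so sparse is silent. */
void shmem_prepare_alloc_annotated(gfp_t *gfp_mask)
{
    if (!reliable_enabled)
        return;
    *gfp_mask |= __GFP_RELIABILITY;
}

/* Strip the restricted type for comparison; __force marks this as deliberate. */
unsigned int gfp_bits(gfp_t mask)
{
    return (__force unsigned int)mask;
}

/* Run either variant on a constructed base mask and return the resulting bits. */
unsigned int prepared_bits(bool annotated)
{
    gfp_t mask = (__force gfp_t)0x00000010u;   /* constructed base flags */
    if (annotated)
        shmem_prepare_alloc_annotated(&mask);
    else
        shmem_prepare_alloc_unannotated(&mask);
    return gfp_bits(mask);
}

int main(void)
{
    printf("unannotated: 0x%08x  annotated: 0x%08x\n",
           prepared_bits(false), prepared_bits(true));
    return 0;
}
```

The two variants produce identical bits at runtime; the difference is purely in what sparse can check. That is the point of the `__bitwise` discipline: it lets the checker catch a flag from the wrong namespace (a `__GFP_` bit OR-ed into a `gfp_t` is fine, a raw constant or a value of some other bitwise type is not) at build time, which is why the kernel's CI treats a new `restricted gfp_t` warning as a regression even though the compiled code is unchanged.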
[openeuler:openEuler-1.0-LTS 5421/22827] drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: sparse: incorrect type in assignment (different address spaces)
by kernel test robot 09 Jun '24

Hi Paulo,

First bad commit (maybe != root cause):

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: 71e217e85c3dff8a9151707ed3afc7b4b054a2d4 [5421/22827] selinux: use kernel linux/socket.h for genheaders and mdp
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090015.Dx2VIQ1d-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090015.Dx2VIQ1d-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090015.Dx2VIQ1d-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mem_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse:     expected void *mem_region
   drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse:     got void [noderef] <asn:2> *
--
>> drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mba_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse:     expected void *mba_region
   drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse:     got void [noderef] <asn:2> *
>> drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mpss_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse:     expected void *mpss_region
   drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse:     got void [noderef] <asn:2> *
   drivers/remoteproc/qcom_q6v5_pil.c: In function 'q6v5_mpss_load':
   drivers/remoteproc/qcom_q6v5_pil.c:741:70: warning: '%02d' directive output may be truncated writing between 2 and 11 bytes into a region of size 3 [-Wformat-truncation=]
     741 |                 snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         |                                                              ^~~~
   drivers/remoteproc/qcom_q6v5_pil.c:741:62: note: directive argument in the range [-2147483641, 65534]
     741 |                 snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         |                                                      ^~~~~~~~~~~~~
   drivers/remoteproc/qcom_q6v5_pil.c:741:25: note: 'snprintf' output between 10 and 19 bytes into a destination of size 10
     741 |                 snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
>> drivers/remoteproc/qcom_wcnss.c:456:27: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mem_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_wcnss.c:456:27: sparse:     expected void *mem_region
   drivers/remoteproc/qcom_wcnss.c:456:27: sparse:     got void [noderef] <asn:2> *
--
>> net/netfilter/nft_counter.c:158:35: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected struct nft_counter_percpu_priv [noderef] <asn:3> *priv @@     got struct nft_counter_percpu_priv *priv @@
   net/netfilter/nft_counter.c:158:35: sparse:     expected struct nft_counter_percpu_priv [noderef] <asn:3> *priv
   net/netfilter/nft_counter.c:158:35: sparse:     got struct nft_counter_percpu_priv *priv
   net/netfilter/nft_counter.c:113:20: sparse: sparse: dereference of noderef expression

vim +246 drivers/remoteproc/qcom_adsp_pil.c

b9e718e950c3df Bjorn Andersson 2016-08-22  227  
b9e718e950c3df Bjorn Andersson 2016-08-22  228  static int adsp_alloc_memory_region(struct qcom_adsp *adsp)
b9e718e950c3df Bjorn Andersson 2016-08-22  229  {
b9e718e950c3df Bjorn Andersson 2016-08-22  230          struct device_node *node;
b9e718e950c3df Bjorn Andersson 2016-08-22  231          struct resource r;
b9e718e950c3df Bjorn Andersson 2016-08-22  232          int ret;
b9e718e950c3df Bjorn Andersson 2016-08-22  233  
b9e718e950c3df Bjorn Andersson 2016-08-22  234          node = of_parse_phandle(adsp->dev->of_node, "memory-region", 0);
b9e718e950c3df Bjorn Andersson 2016-08-22  235          if (!node) {
b9e718e950c3df Bjorn Andersson 2016-08-22  236                  dev_err(adsp->dev, "no memory-region specified\n");
b9e718e950c3df Bjorn Andersson 2016-08-22  237                  return -EINVAL;
b9e718e950c3df Bjorn Andersson 2016-08-22  238          }
b9e718e950c3df Bjorn Andersson 2016-08-22  239  
b9e718e950c3df Bjorn Andersson 2016-08-22  240          ret = of_address_to_resource(node, 0, &r);
b9e718e950c3df Bjorn Andersson 2016-08-22  241          if (ret)
b9e718e950c3df Bjorn Andersson 2016-08-22  242                  return ret;
b9e718e950c3df Bjorn Andersson 2016-08-22  243  
b9e718e950c3df Bjorn Andersson 2016-08-22  244          adsp->mem_phys = adsp->mem_reloc = r.start;
b9e718e950c3df Bjorn Andersson 2016-08-22  245          adsp->mem_size = resource_size(&r);
b9e718e950c3df Bjorn Andersson 2016-08-22 @246          adsp->mem_region = devm_ioremap_wc(adsp->dev, adsp->mem_phys, adsp->mem_size);
b9e718e950c3df Bjorn Andersson 2016-08-22  247          if (!adsp->mem_region) {
b9e718e950c3df Bjorn Andersson 2016-08-22  248                  dev_err(adsp->dev, "unable to map memory region: %pa+%zx\n",
b9e718e950c3df Bjorn Andersson 2016-08-22  249                          &r.start, adsp->mem_size);
b9e718e950c3df Bjorn Andersson 2016-08-22  250                  return -EBUSY;
b9e718e950c3df Bjorn Andersson 2016-08-22  251          }
b9e718e950c3df Bjorn Andersson 2016-08-22  252  
b9e718e950c3df Bjorn Andersson 2016-08-22  253          return 0;
b9e718e950c3df Bjorn Andersson 2016-08-22  254  }
b9e718e950c3df Bjorn Andersson 2016-08-22  255  

:::::: The code at line 246 was first introduced by commit
:::::: b9e718e950c3dfa458bbf9180a8d8691e55413ae remoteproc: Introduce Qualcomm ADSP PIL

:::::: TO: Bjorn Andersson <bjorn.andersson(a)sonymobile.com>
:::::: CC: Bjorn Andersson <bjorn.andersson(a)linaro.org>

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
by Liu Jian 08 Jun '24

From: Jason Xing <kernelxing(a)tencent.com>

stable inclusion
from stable-v6.6.31
commit b397a0ab8582c533ec0c6b732392f141fc364f87
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U1UZ
CVE: CVE-2024-3693

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

---------------------------

[ Upstream commit 6648e613226e18897231ab5e42ffc29e63fa3365 ]

Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
syzbot reported [1].

[1]
BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
 sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
 sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
 sk_psock_put include/linux/skmsg.h:459 [inline]
 sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
 unix_release+0x4b/0x80 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0x68/0x150 net/socket.c:1421
 __fput+0x2c1/0x660 fs/file_table.c:422
 __fput_sync+0x44/0x60 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x101/0x1b0 fs/open.c:1541
 __x64_sys_close+0x1f/0x30 fs/open.c:1541
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
 sk_psock_data_ready include/linux/skmsg.h:464 [inline]
 sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
 sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
 unix_read_skb net/unix/af_unix.c:2546 [inline]
 unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
similarly due to no protection of saved_data_ready. Here is another
different caller causing the same issue for the same reason. So we
should protect it with the sk_callback_lock read lock, because the
writer side in sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".
To avoid errors that could happen in future, I move those two pairs of
locks into sk_psock_data_ready(), as suggested by John Fastabend.

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Reported-by: syzbot+aa8c8ec2538929f18f2d(a)syzkaller.appspotmail.com
Signed-off-by: Jason Xing <kernelxing(a)tencent.com>
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend(a)gmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=aa8c8ec2538929f18f2d
Link: https://lore.kernel.org/all/20240329134037.92124-1-kerneljasonxing@gmail.com
Link: https://lore.kernel.org/bpf/20240404021001.94815-1-kerneljasonxing@gmail.com
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Liu Jian <liujian56(a)huawei.com>
---
 include/linux/skmsg.h | 2 ++
 net/core/skmsg.c      | 5 +----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index f69af3de0da0..fdedb7a29c0e 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -467,10 +467,12 @@ static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock) static inline void sk_psock_data_ready(struct sock *sk, struct sk_psock *psock) { + read_lock_bh(&sk->sk_callback_lock); if (psock->saved_data_ready) psock->saved_data_ready(sk); else sk->sk_data_ready(sk); + read_unlock_bh(&sk->sk_callback_lock); } static inline void psock_set_prog(struct bpf_prog **pprog, diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 6f774de8f6b2..f2e7ce81fef0 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -1234,11 +1234,8 @@ static void sk_psock_verdict_data_ready(struct sock *sk) rcu_read_lock(); psock = sk_psock(sk); - if (psock) { - read_lock_bh(&sk->sk_callback_lock); + if (psock) sk_psock_data_ready(sk, psock); - read_unlock_bh(&sk->sk_callback_lock); - } rcu_read_unlock(); } } -- 2.34.1
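Review bot: in the include/linux/skmsg.h hunk, sk_psock_data_ready() now takes sk->sk_callback_lock for read around both the saved_data_ready check and the callback invocation, so every caller of this inline helper runs the data_ready callback with that rwlock held and BHs disabled; add a comment above the function saying so, since nothing in the header signals that it locks, and a future caller that already holds sk_callback_lock for write (the writer side in sk_psock_drop() does, per the commit message) would deadlock. The placement does match the report: the racing read is sk_psock_data_ready() inlined into sk_psock_skb_ingress_enqueue() at net/core/skmsg.c:555 in the KCSAN trace, and moving the lock into the helper covers that caller without touching it.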
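Review bot: in the net/core/skmsg.c hunk, dropping the read_lock_bh()/read_unlock_bh() pair and the braces in sk_psock_verdict_data_ready() is required rather than cosmetic once the helper locks internally, otherwise this caller would take the read side of sk_callback_lock twice; the commit message could say that explicitly so a backporter does not treat the two hunks as separable. The remaining `if (psock) sk_psock_data_ready(sk, psock);` still sits inside rcu_read_lock(), which is what keeps psock valid, and the diffstat shows no other call site is changed, so the locking contract now rests entirely on the helper.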
[PATCH OLK-6.6] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

From: Eric Dumazet <edumazet(a)google.com>

mainline inclusion
from mainline-v6.9
commit 4db783d68b9b39a411a96096c10828ff5dfada7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S
CVE: CVE-2024-36901

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in the IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248
 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653
 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783
 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
 sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212
 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
 sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169
 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73
 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234
 sctp_connect net/sctp/socket.c:4819 [inline]
 sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2df/0x310 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2072
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.")
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet(a)google.com>
Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com>
Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Conflicts:
	net/ipv6/ip6_output.c
[Did not backport d289ab65b89c.]
Signed-off-by: Liu Jian <liujian56(a)huawei.com>
---
 net/ipv6/ip6_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 53fe1375b147..412a16932341 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -227,7 +227,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED); return 0; -- 2.34.1
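Review bot: on the new `!idev` path, the unchanged next line still passes idev to IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS), so the fix relies on that macro accepting a NULL idev and accounting only to the per-netns counters; the commit message's "Most places in IPv6 stack deal with a NULL idev just fine" covers this upstream, but it should be checked on the OLK-6.6 base rather than assumed. The check itself is right: `!idev ||` short-circuits before idev->cnf is read, which is the small-offset NULL dereference KASAN reports ([0x5e0-0x5e7] at ip6_output.c:237), and SKB_DROP_REASON_IPV6DISABLED is kept for the no-idev case as upstream does.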
[PATCH openEuler-1.0-LTS] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

From: Eric Dumazet <edumazet(a)google.com>

mainline inclusion
from mainline-v6.9
commit 4db783d68b9b39a411a96096c10828ff5dfada7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S
CVE: CVE-2024-36901

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in the IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
 sctp_v6_xmit+0x9f2/0x13f0
net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/ip6_output.c [Did not backport d289ab65b89c.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 968b2602c400..179fe599efba 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -206,7 +206,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb(skb); return 0; -- 2.34.1
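Review bot: the context line here is kfree_skb(skb), not kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED) as in the OLK-6.6 backport of the same upstream commit 4db783d68b9b; the Conflicts note attributes the difference to d289ab65b89c not being backported, and it would help reviewers if it also said that this context-only difference is the entire conflict, i.e. the `+` line is identical to upstream. As on the other branches, IP6_INC_STATS(net, idev, ...) on the line after the check still receives the possibly NULL idev, so confirm that macro handles a NULL idev on this older base before counting per-device.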
[PATCH OLK-5.10] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

From: Eric Dumazet <edumazet(a)google.com>

mainline inclusion
from mainline-v6.9
commit 4db783d68b9b39a411a96096c10828ff5dfada7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S
CVE: CVE-2024-36901

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in the IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
 sctp_v6_xmit+0x9f2/0x13f0
net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/ip6_output.c [Did not backport d289ab65b89c.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 6adf0b536473..6d9571cb317d 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -240,7 +240,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb(skb); return 0; -- 2.34.1
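Review bot: the hunk is the same one-line change as upstream 4db783d68b9b applied at a different offset (@@ -240), with kfree_skb(skb) as context because, per the Conflicts note, d289ab65b89c is not in this branch; that means this drop carries no drop reason here, so it will appear in drop monitoring only as a plain kfree_skb, which is worth a sentence in the Conflicts note. The added `!idev ||` check is correct as written, but the IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS) call immediately after it still hands a possibly NULL idev to the macro, so the backport should be verified against this branch's definition of IP6_INC_STATS.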
[PATCH openEuler-22.03-LTS-SP1] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

From: Eric Dumazet <edumazet(a)google.com>

mainline inclusion
from mainline-v6.9
commit 4db783d68b9b39a411a96096c10828ff5dfada7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S
CVE: CVE-2024-36901

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in the IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
 sctp_v6_xmit+0x9f2/0x13f0
net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/ip6_output.c [Did not backport d289ab65b89c.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index f30cc72887a3..f0c94aaa039f 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -234,7 +234,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb(skb); return 0; -- 2.34.1
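Review bot: with `!idev ||` added, the IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS) immediately below is now reachable with idev == NULL, so please confirm that the macro on this base skips the per-device counter when idev is NULL (the commit message asserts this for the IPv6 stack generally, not for this macro specifically). The context line kfree_skb(skb) differs from the OLK-6.6 version's kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED), which the Conflicts note explains by d289ab65b89c not being backported; stating that this is the only deviation from upstream would make the four branch variants easier to audit side by side.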