Kernel

kernel@openeuler.org

  • 42 participants
  • 18652 discussions
[openeuler:OLK-5.10 2612/2612] fs/fscache/main.c:52:21: warning: 'fscache_min_op_max_active' defined but not used
by kernel test robot 31 Dec '24

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   908c8608d2c0fcf6f49b1f48f074515c42474946
commit: c55fa11d134b40dbe1a4a5512a7fe43497cb6d5e [2612/2612] fscache: limit fscache_object_max_active to avoid blocking
config: x86_64-buildonly-randconfig-002-20241231 (https://download.01.org/0day-ci/archive/20241231/202412311354.iggKIx0H-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241231/202412311354.iggKIx0H-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412311354.iggKIx0H-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> fs/fscache/main.c:52:21: warning: 'fscache_min_op_max_active' defined but not used [-Wunused-variable]
      52 | static unsigned int fscache_min_op_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE / 2;
         |                     ^~~~~~~~~~~~~~~~~~~~~~~~~
>> fs/fscache/main.c:51:21: warning: 'fscache_min_object_max_active' defined but not used [-Wunused-variable]
      51 | static unsigned int fscache_min_object_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE;
         |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vim +/fscache_min_op_max_active +52 fs/fscache/main.c

    46
    47  /* these values serve as lower bounds, will be adjusted in fscache_init() */
    48  #define FSCACHE_MIN_OBJECT_MAX_ACTIVE 4
    49  static unsigned int fscache_object_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE;
    50  static unsigned int fscache_op_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE / 2;
  > 51  static unsigned int fscache_min_object_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE;
  > 52  static unsigned int fscache_min_op_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE / 2;
    53

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1359/1359] drivers/scsi/sssraid/sssraid_os.c:1704:9: error: implicit declaration of function 'for_each_pci_msi_entry'; did you mean 'for_each_msi_entry'?
by kernel test robot 31 Dec '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   4dc4cec05b40921a3db85d24f97f1142272e4abf
commit: 2e2a4edd9d4a725c5474dc278b090913d9b5bfd5 [1359/1359] SCSI: SSSRAID: Support 3SNIC 3S5XX serial RAID/HBA controllers
config: x86_64-buildonly-randconfig-004-20241231 (https://download.01.org/0day-ci/archive/20241231/202412311259.7ewDSIIe-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241231/202412311259.7ewDSIIe-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412311259.7ewDSIIe-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

   drivers/scsi/sssraid/sssraid_os.c: In function 'sssraid_map_queues':
>> drivers/scsi/sssraid/sssraid_os.c:1704:9: error: implicit declaration of function 'for_each_pci_msi_entry'; did you mean 'for_each_msi_entry'? [-Werror=implicit-function-declaration]
    1704 |         for_each_pci_msi_entry(entry, pdev) {
         |         ^~~~~~~~~~~~~~~~~~~~~~
         |         for_each_msi_entry
>> drivers/scsi/sssraid/sssraid_os.c:1704:44: error: expected ';' before '{' token
    1704 |         for_each_pci_msi_entry(entry, pdev) {
         |                                            ^~
         |                                            ;
   drivers/scsi/sssraid/sssraid_os.c:1702:22: warning: unused variable 'node_id_array' [-Wunused-variable]
    1702 |         unsigned int node_id_array[100];
         |                      ^~~~~~~~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1701:28: warning: unused variable 'i' [-Wunused-variable]
    1701 |         u8 node_count = 0, i;
         |                            ^
   drivers/scsi/sssraid/sssraid_os.c:1701:12: warning: unused variable 'node_count' [-Wunused-variable]
    1701 |         u8 node_count = 0, i;
         |            ^~~~~~~~~~
   drivers/scsi/sssraid/sssraid_os.c:1700:18: warning: unused variable 'queue' [-Wunused-variable]
    1700 |         int cpu, queue = 0;
         |                  ^~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1700:13: warning: unused variable 'cpu' [-Wunused-variable]
    1700 |         int cpu, queue = 0;
         |             ^~~
>> drivers/scsi/sssraid/sssraid_os.c:1699:31: warning: unused variable 'node_id_last' [-Wunused-variable]
    1699 |         unsigned int node_id, node_id_last = 0xFFFFFFFF;
         |                               ^~~~~~~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1699:22: warning: unused variable 'node_id' [-Wunused-variable]
    1699 |         unsigned int node_id, node_id_last = 0xFFFFFFFF;
         |                      ^~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1698:22: warning: unused variable 'nr_queues' [-Wunused-variable]
    1698 |         unsigned int nr_queues = tag_set->nr_hw_queues;
         |                      ^~~~~~~~~
   drivers/scsi/sssraid/sssraid_os.c:1697:31: warning: unused variable 'node_mask' [-Wunused-variable]
    1697 |         const struct cpumask *node_mask = NULL;
         |                               ^~~~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1696:23: warning: unused variable 'map' [-Wunused-variable]
    1696 |         unsigned int *map = tag_set->mq_map;
         |                       ^~~
   drivers/scsi/sssraid/sssraid_os.c:1739:1: warning: no return statement in function returning non-void [-Wreturn-type]
    1739 | }
         | ^
   cc1: some warnings being treated as errors

vim +1704 drivers/scsi/sssraid/sssraid_os.c

  1689
  1690  static int sssraid_map_queues(struct Scsi_Host *shost)
  1691  {
  1692          struct sssraid_ioc *sdioc = shost_priv(shost);
  1693          struct pci_dev *pdev = sdioc->pdev;
  1694          struct msi_desc *entry = NULL;
  1695          struct blk_mq_tag_set *tag_set = &shost->tag_set;
> 1696          unsigned int *map = tag_set->mq_map;
  1697          const struct cpumask *node_mask = NULL;
> 1698          unsigned int nr_queues = tag_set->nr_hw_queues;
> 1699          unsigned int node_id, node_id_last = 0xFFFFFFFF;
> 1700          int cpu, queue = 0;
> 1701          u8 node_count = 0, i;
  1702          unsigned int node_id_array[100];
  1703
> 1704          for_each_pci_msi_entry(entry, pdev) {
  1705                  struct list_head *msi_list = &pdev->dev.msi_list;
  1706
  1707                  if (list_is_last(msi_list, &entry->list))
  1708                          goto get_next_numa_node;
  1709
  1710                  if (entry->irq) {
  1711                          node_mask = entry->affinity;
  1712
  1713                          cpu = cpumask_first(node_mask);
  1714                          node_id = cpu_to_node(cpu);
  1715                          if (node_id_last == node_id)
  1716                                  continue;
  1717
  1718                          for (i = 0; i < node_count; i++) {
  1719                                  if (node_id == node_id_array[i])
  1720                                          goto get_next_numa_node;
  1721                          }
  1722                          node_id_array[node_count++] = node_id;
  1723                          node_id_last = node_id;
  1724                  }
  1725  get_next_numa_node:
  1726                  continue;
  1727          }
  1728
  1729          for (i = 0; i < node_count; i++) {
  1730                  node_mask = cpumask_of_node(node_id_array[i]);
  1731                  dbgprint(sdioc, "NUMA_node = %d\n", node_id_array[i]);
  1732                  for_each_cpu(cpu, node_mask) {
  1733                          map[cpu] = (queue < nr_queues) ? queue++ : 0;
  1734                          dbgprint(sdioc, "map[%d] = %d\n", cpu, map[cpu]);
  1735                  }
  1736          }
  1737
  1738          return 0;
  1739  }
  1740

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-5.10] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v5.10.231 commit 3c5f545c9a1f8a1869246f6f3ae8c17289d6a841 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index bd79fc4934f0..9b692bcacd4b 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -286,17 +286,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: return -EIO; -- 2.31.1
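Review bot: In the rewritten tag skip in decode_cb_compound4res(), `xdr_inline_decode(xdr, length)` is called with a length taken straight from the wire and no upper bound, so the fix depends on xdr_inline_decode() in this branch rejecting a request larger than what remains in the stream and accounting for the XDR padding that the removed `p += XDR_QUADLEN(length)` handled by hand. Please confirm both against this tree's helper, and consider a one-line comment above the call saying that the helper performs the bounds check and rounding, so a later change does not reintroduce arithmetic on `length`.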
[PATCH openEuler-22.03-LTS-SP1] EDAC/bluefield: Fix potential integer overflow
by liukai 31 Dec '24

From: David Thompson <davthompson(a)nvidia.com> stable inclusion from stable-v5.10.231 commit e0269ea7a628fdeddd65b92fe29c09655dbb80b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGU CVE: CVE-2024-53161 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 1fe774a93b46bb029b8f6fa9d1f25affa53f06c6 ] The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits. Fixes: 82413e562ea6 ("EDAC, mellanox: Add ECC support for BlueField DDR4") Signed-off-by: David Thompson <davthompson(a)nvidia.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Shravan Kumar Ramani <shravankr(a)nvidia.com> Link: https://lore.kernel.org/r/20240930151056.10158-1-davthompson@nvidia.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- drivers/edac/bluefield_edac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/edac/bluefield_edac.c b/drivers/edac/bluefield_edac.c index e4736eb37bfb..0ef048982768 100644 --- a/drivers/edac/bluefield_edac.c +++ b/drivers/edac/bluefield_edac.c @@ -180,7 +180,7 @@ static void bluefield_edac_check(struct mem_ctl_info *mci) static void bluefield_edac_init_dimms(struct mem_ctl_info *mci) { struct bluefield_edac_priv *priv = mci->pvt_info; - int mem_ctrl_idx = mci->mc_idx; + u64 mem_ctrl_idx = mci->mc_idx; struct dimm_info *dimm; u64 smc_info, smc_arg; int is_empty = 1, i; -- 2.34.1
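Review bot: Widening the declaration in bluefield_edac_init_dimms() to `u64 mem_ctrl_idx` fixes the shift only implicitly, and the shift itself lies outside the visible context, so nothing at the point of use shows why the type matters. Consider a short comment on the declaration (or an explicit cast at the shift site) stating that the value is shifted left 16 bits into the 64-bit SMC argument, and check that any other use of mem_ctrl_idx in the function, such as a format string, still matches the new type.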
[PATCH OLK-6.6] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v6.6.64 commit dde654cad08fdaac370febb161ec41eb58e9d2a2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 49a88dde9631..a8671c7c3e22 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -297,17 +297,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: return -EIO; -- 2.31.1
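Review bot: The status word at the top of the hunk is still read with `xdr_inline_decode(xdr, XDR_UNIT)` plus `be32_to_cpup(p)`, while the two fields after it now go through xdr_stream_decode_u32(), which leaves two decoding idioms in one short function and keeps `__be32 *p` alive for a single use. If the type of `hdr->status` allows it, decoding status with xdr_stream_decode_u32() as well would let `p` be dropped; otherwise a brief comment on why status is handled differently would help. As this is a stable backport, any such cleanup belongs upstream first rather than in this patch.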
[PATCH openEuler-1.0-LTS] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v4.19.325 commit 745f7ce5a95e783ba62fe774325829466aec2aa8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: fs/nfsd/nfs4callback.c [Commit eb72f484a5eb ("NFS: Remove print_overflow_msg()") remove print_overflow_msg.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index b601e5915e6f..282bb8163cd1 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c 
@@ -294,17 +294,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: print_overflow_msg(__func__, xdr); -- 2.31.1
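Review bot: The added lines use `XDR_UNIT` and xdr_stream_decode_u32(), and this branch is old enough that the hunk's error path still ends in `print_overflow_msg(__func__, xdr)`, so the first thing to confirm is that both symbols are defined in this tree's sunrpc headers; nothing in the patch adds them. All three new `goto out_overflow` paths reach that message, which is consistent with the Conflicts note, so no change is needed at the label itself.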
[PATCH openEuler-22.03-LTS-SP1] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v5.10.231 commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index f954359c9544..e8e059ae5476 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -362,6 +362,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1
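Review bot: The new `return -ENOMEM` after devm_kasprintf() in grgpio_probe() leaves the function directly, which is only correct if everything acquired earlier in the probe is devm-managed or needs no unwinding; the hunk starts at line 362 and does not show that earlier part. Please confirm that nothing above this point would be leaked by a direct return, or route the failure through the function's existing error path if it has one.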
[PATCH OLK-5.10] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v5.10.231 commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index f954359c9544..e8e059ae5476 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -362,6 +362,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1
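Review bot: The Conflicts entry for this change says only "The conflicts were due to some minor issues", yet the hunk at `@@ -362,6 +362,9 @@` in grgpio_probe() is three added lines against unchanged context. Please state what actually differed from stable commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 (a context line, a line offset) so the adaptation can be checked, or drop the Conflicts entry if the cherry-pick applied cleanly.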
[PATCH OLK-6.6] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v6.6.66 commit 8d2ca6ac3711a4f4015d26b7cc84f325ac608edb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index 0163c95f6dd7..b8b9f55e1bc0 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -361,6 +361,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1
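Review bot: The `if (!gc->label)` check added after devm_kasprintf() in grgpio_probe() gives no indication of where a NULL label would later be dereferenced, and the commit message only refers to a "kernel NULL pointer dereference error". Naming the consumer of gc->label in the message or in a brief comment next to the check would let reviewers judge the impact recorded under CVE-2024-56634; the code change itself is the minimal one.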
[PATCH OLK-6.6] bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
by Pu Lehui 31 Dec '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.67 commit f9f85df30118f3f4112761e6682fc60ebcce23e5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAKR CVE: CVE-2024-56675 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit ef1b808e3b7c98612feceedf985c2fbbeb28f956 upstream. Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU protection. But it is possible to attach a non-sleepable BPF program to a uprobe, and non-sleepable BPF programs are freed via normal RCU (see __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal RCU grace period does not imply a tasks-trace-RCU grace period. Fix it by explicitly waiting for a tasks-trace-RCU grace period after removing the attachment of a bpf_prog to a perf_event. Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps") Suggested-by: Andrii Nakryiko <andrii(a)kernel.org> Suggested-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/bpf/20241210-bpf-fix-actual-uprobe-uaf-v1-1-1943984… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/trace/bpf_trace.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 93e06d370395..b084fe1dbe12 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c 
@@ -2224,6 +2224,13 @@ void perf_event_detach_bpf_prog(struct perf_event *event) bpf_prog_array_free_sleepable(old_array); } + /* + * It could be that the bpf_prog is not sleepable (and will be freed + * via normal RCU), but is called from a point that supports sleepable + * programs and uses tasks-trace-RCU. + */ + synchronize_rcu_tasks_trace(); + bpf_prog_put(event->prog); event->prog = NULL; -- 2.34.1
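Review bot: synchronize_rcu_tasks_trace() is added unconditionally in perf_event_detach_bpf_prog(), just before `bpf_prog_put(event->prog)`, so every detach now blocks for a tasks-trace grace period, including detaches from events that are not uprobes. The new comment explains why the wait is needed but not what it costs; consider limiting the wait to the case the comment describes (a non-sleepable program called from a point that uses tasks-trace-RCU) or documenting the added detach latency, and confirm that no lock is held across the call, since the code above the closing brace is not shown in the hunk.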