mailweb.openeuler.org
kernel@openeuler.org

  • 58 participants
  • 19263 discussions
[PATCH OLK-5.10] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index c860ffb0b4c3..670d439f204c 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1
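Review bot: In the `if (hash_iv_len)` block of spu2_dump_omd(), nothing in the visible lines bounds `ptr` against the size of `omd`, so even with the corrected stride `ptr += hash_iv_len;` the walk still trusts the length arguments it is given. The stride now matches the `packet_dump(" hash IV: ", ptr, hash_iv_len);` call directly above it, which is right; because the old line was a copy-paste slip, it is worth confirming during backport review that the other length blocks outside this hunk each advance `ptr` by the same length they dump, and considering a total-length check before dumping.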
[PATCH openEuler-1.0-LTS] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 55a611f7239b..68a417cee39c 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -141,6 +141,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1
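Review bot: The added `dev_put(dev);` at the tail of ax25_dev_device_down() is unconditional, and the hunk does not show whether an earlier branch of the function has already dropped the net_device reference before reaching it. The changelog says the old code dropped it "one or zero times" depending on the path, and the Conflicts note says a968c799eb1d, which merged the repeated exit code, is not in this tree, so please confirm that no path arriving at this tail has already called dev_put(); otherwise the backport turns the leak into a double put.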
[PATCH openEuler-22.03-LTS-SP1] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d1d8d8a21ddd..f68f42c083c8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1
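Review bot: The new `dev_put(dev);` after `dev->ax25_ptr = NULL;` carries no comment saying which hold it releases, and it sits directly above `ax25_dev_put(ax25_dev);`, which drops the count of a different object. A one-line comment naming the net_device reference being released would keep a later cleanup from treating one of the two puts as redundant.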
[PATCH OLK-5.10] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d1d8d8a21ddd..f68f42c083c8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1
[PATCH openEuler-22.03-LTS-SP1] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index c860ffb0b4c3..670d439f204c 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1
[PATCH OLK-6.6] net/hinic3: Add pcie device ID adaption for DPU_NIC card
by z00857956 03 Jul '24

From: zhoushuai <zhoushuai28(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA9G0T?from=project-issue CVE: NA -------------------------------- The pcie device ID of DPU_NIC card is 0x0224, need be added to nic_devID_list, otherwise card_node will be alloced for every PF. Signed-off-by: zhoushuai <zhoushuai28(a)huawei.com> --- drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c | 2 +- drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c index 40ff4738420e..93231ebac18e 100644 --- a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c +++ b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c @@ -48,7 +48,7 @@ static int get_nic_drv_version(void *buf_out, const u32 *out_size) } err = snprintf(ver_info->ver, sizeof(ver_info->ver), "%s %s", - HINIC3_NIC_DRV_VERSION, "2023-05-17_19:56:38"); + HINIC3_NIC_DRV_VERSION, "2024-07-03_09:33:00"); if (err < 0) return -EINVAL; diff --git a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h index bb7f5bb67ecb..02898a85e7b7 100644 --- a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h +++ b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h @@ -21,7 +21,9 @@ #define ULD_LOCK_MAX_USLEEP_TIME 1000 #define HINIC3_IS_VF_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_VF) -#define HINIC3_IS_SPU_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_SPU) +#define HINIC3_IS_SPU_DEV(pdev) \ + (((pdev)->device == HINIC3_DEV_ID_SPU) || ((pdev)->device == HINIC3_DEV_ID_SDI_5_0_PF) || \ + (((pdev)->device == HINIC3_DEV_ID_DPU_PF))) enum { HINIC3_NOT_PROBE = 1, -- 2.43.0
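Review bot: The timestamp literal passed to snprintf() in get_nic_drv_version() (hinic3_dbg.c, "2023-05-17_19:56:38" replaced by "2024-07-03_09:33:00") is not mentioned in the changelog and is unrelated to the device ID fix. Either drop it from this patch or state it in the changelog; a literal that has to be edited by hand would be better kept as a single macro beside HINIC3_NIC_DRV_VERSION. While in this function, note that the `if (err < 0)` check after snprintf() does not catch truncation of `ver_info->ver`.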
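Review bot: The changelog says 0x0224 must be added to nic_devID_list, but the hinic3_dev_mgmt.h hunk touches no such list; it widens HINIC3_IS_SPU_DEV() to also match HINIC3_DEV_ID_SDI_5_0_PF and HINIC3_DEV_ID_DPU_PF, neither of which is defined or explained in the visible lines. Please say in the changelog which macro carries 0x0224 and why SDI_5_0_PF is included. The third term also has a redundant pair of parentheses, and since the macro now evaluates `pdev` three times, a static inline helper would be safer.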
[PATCH OLK-6.6] tls: fix missing memory barrier in tls_init
by Liu Jian 03 Jul '24

From: "Dae R. Jeong" <threeearcat(a)gmail.com> stable inclusion from stable-v6.6.33 commit ab67c2fd3d070a21914d0c31319d3858ab4e199c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D88 CVE: CVE-2024-36489 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 91e61dd7a0af660408e87372d8330ceb218be302 ] In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // In sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // In tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt() -(3) In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference. To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot. Fixes: d5bee7374b68 ("net/tls: Annotate access to sk_prot with READ_ONCE/WRITE_ONCE") Signed-off-by: Yewon Choi <woni9911(a)gmail.com> Signed-off-by: Dae R. Jeong <threeearcat(a)gmail.com> Link: https://lore.kernel.org/netdev/ZU4OJG56g2V9z_H7@dragonet/T/ Link: https://lore.kernel.org/r/Zkx4vjSFp0mfpjQ2@libra05 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/tls/tls_main.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index e97fcb502115..0a67b93a52ec 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c 
@@ -814,9 +814,17 @@ struct tls_context *tls_ctx_create(struct sock *sk) return NULL; mutex_init(&ctx->tx_lock); - rcu_assign_pointer(icsk->icsk_ulp_data, ctx); ctx->sk_proto = READ_ONCE(sk->sk_prot); ctx->sk = sk; + /* Release semantic of rcu_assign_pointer() ensures that + * ctx->sk_proto is visible before changing sk->sk_prot in + * update_sk_prot(), and prevents reading uninitialized value in + * tls_{getsockopt, setsockopt}. Note that we do not need a + * read barrier in tls_{getsockopt,setsockopt} as there is an + * address dependency between sk->sk_proto->{getsockopt,setsockopt} + * and ctx->sk_proto. + */ + rcu_assign_pointer(icsk->icsk_ulp_data, ctx); return ctx; } -- 2.34.1
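Review bot: The new comment above `rcu_assign_pointer(icsk->icsk_ulp_data, ctx);` in tls_ctx_create() refers to `sk->sk_proto->{getsockopt,setsockopt}`, but the socket field read in this function is `sk->sk_prot` (`READ_ONCE(sk->sk_prot)`); `sk_proto` is the member of `ctx`. Please fix the name, and since the "do not need a read barrier" argument is the part a later reader will rely on, spell out which load on the reader side carries the address dependency to `ctx->sk_proto`.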
[PATCH OLK-6.6] wifi: nl80211: Avoid address calculations via out of bounds array indexing
by Liu Jian 03 Jul '24

From: Kees Cook <keescook(a)chromium.org> stable inclusion from stable-v6.6.33 commit ed74398642fcb19f6ff385c35a7d512c6663e17b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SBS CVE: CVE-2024-38562 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 838c7b8f1f278404d9d684c34a8cb26dc41aaaa1 ] Before request->channels[] can be used, request->n_channels must be set. Additionally, address calculations for memory after the "channels" array need to be calculated from the allocation base ("request") rather than via the first "out of bounds" index of "channels", otherwise run-time bounds checking will throw a warning. Reported-by: Nathan Chancellor <nathan(a)kernel.org> Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by") Signed-off-by: Kees Cook <keescook(a)chromium.org> Tested-by: Nathan Chancellor <nathan(a)kernel.org> Link: https://msgid.link/20240424220057.work.819-kees@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/wireless/nl80211.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index c4f08f7eb741..8f8f077e6cd4 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -9153,6 +9153,7 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) struct wiphy *wiphy; int err, tmp, n_ssids = 0, n_channels, i; size_t ie_len, size; + size_t ssids_offset, ie_offset; wiphy = &rdev->wiphy; 
@@ -9198,21 +9199,20 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) return -EINVAL; size = struct_size(request, channels, n_channels); + ssids_offset = size; size = size_add(size, array_size(sizeof(*request->ssids), n_ssids)); + ie_offset = size; size = size_add(size, ie_len); request = kzalloc(size, GFP_KERNEL); if (!request) return -ENOMEM; + request->n_channels = n_channels; if (n_ssids) - request->ssids = (void *)&request->channels[n_channels]; + request->ssids = (void *)request + ssids_offset; request->n_ssids = n_ssids; - if (ie_len) { - if (n_ssids) - request->ie = (void *)(request->ssids + n_ssids); - else - request->ie = (void *)(request->channels + n_channels); - } + if (ie_len) + request->ie = (void *)request + ie_offset; i = 0; if (scan_freqs) { -- 2.34.1
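Review bot: `request->n_channels = n_channels;` directly after the kzalloc() check in nl80211_trigger_scan() reads as redundant without context, so a short comment at the assignment is worth adding: the changelog explains that it must be set before `request->channels[]` is used, because of the __counted_by annotation named in the Fixes tag. The offset handling looks sound in the visible lines: `ssids_offset` and `ie_offset` are captured before each size_add(), and both are used only after `if (!request) return -ENOMEM;`, so an overflowed `size` does not reach the pointer arithmetic.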
[PATCH OLK-6.6] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> stable inclusion from stable-v6.6.33 commit 965d940fb7414b310a22666503d2af69459c981b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 ] There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 282ec581c072..6f4ccb735653 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -128,10 +128,6 @@ void ax25_dev_device_down(struct net_device *dev) s = s->next; } - spin_unlock_bh(&ax25_dev_lock); - dev->ax25_ptr = NULL; - ax25_dev_put(ax25_dev); - return; unlock_put: spin_unlock_bh(&ax25_dev_lock); -- 2.34.1
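Review bot: Only `spin_unlock_bh(&ax25_dev_lock);` of the `unlock_put:` tail is visible, yet after this hunk the normal exit of ax25_dev_device_down() depends on that tail entirely, because the separate `dev->ax25_ptr = NULL;`, `ax25_dev_put(ax25_dev);` and `return;` are removed and the diffstat shows four deletions with no insertion. Since the changelog describes decreasing the net_device count after `dev->ax25_ptr` is set to null, please confirm that the `unlock_put` tail in this tree clears `dev->ax25_ptr`, calls dev_put(dev) and calls ax25_dev_put(ax25_dev), given the Conflicts note that a7d6e36b9ad0 is not merged.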
[PATCH openEuler-1.0-LTS] ftrace: Fix rcu warn in ftrace_location()
by Zheng Yejian 03 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAA3U5 CVE: NA --------------------------- Lockdep report that: WARNING: suspicious RCU usage ./include/linux/rcupdate.h:625 rcu_read_lock() used illegally while idle! other info that might help us debug this: RCU used illegally from idle CPU! rcu_scheduler_active = 2, debug_locks = 1 RCU used illegally from extended quiescent state! 1 lock held by swapper/0/0: #0: 000000003f648ecc (rcu_read_lock){....}, at: ftrace_location_range+0x0/0x400 kernel/trace/ftrace.c:1326 [...] Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x125/0x1ae lib/dump_stack.c:117 rcu_read_lock include/linux/rcupdate.h:624 [inline] ftrace_location_range+0x2e4/0x400 kernel/trace/ftrace.c:1613 ftrace_int3_handler+0x47/0x220 arch/x86/kernel/ftrace.c:304 do_int3+0x1d2/0x260 arch/x86/kernel/traps.c:592 int3+0x33/0x40 arch/x86/entry/entry_64.S:1170 [...] default_idle_call+0x3c/0x60 kernel/sched/idle.c:95 cpuidle_idle_call kernel/sched/idle.c:155 [inline] do_idle+0x28a/0x380 kernel/sched/idle.c:257 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:363 start_kernel+0x8bc/0x8fb init/main.c:744 secondary_startup_64+0xb7/0xc0 arch/x86/kernel/head_64.S:243 When function tracer is enabling, an 'int3' will be put at the fentry location of traced function, and before the fentry location being fully replaced as ftrace caller, any calls to the traced function will first redirect to call ftrace caller through ftrace_int3_handler(). When the traced function is called by idle task and rcu_read_lock() is indirectly called in ftrace_int3_handler(), then lockdep will warn that is illegal. RCU lock is not needed when ftrace_location() is called by ftrace_int3_handler() because that is an atomic context, so add in_atomic() check before hold or release RCU lock. Fixes: 85b642bd0701 ("ftrace: Fix possible use-after-free issue in ftrace_location()") 
Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/ftrace.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 6704150cb655..ad4440da5b78 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1581,7 +1581,12 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) key.ip = start; key.flags = end; /* overload flags, as it is unsigned long */ - rcu_read_lock(); + /* + * It is in atomic context when called from ftrace_int3_handler(), + * in this case rcu lock is not needed. + */ + if (!in_atomic()) + rcu_read_lock(); for (pg = ftrace_pages_start; pg; pg = pg->next) { if (pg->index == 0 || end < pg->records[0].ip || @@ -1595,7 +1600,8 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) break; } } - rcu_read_unlock(); + if (!in_atomic()) + rcu_read_unlock(); return ip; } -- 2.25.1
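Review bot: The `if (!in_atomic())` guard before rcu_read_lock() in ftrace_location_range() is wider than its comment justifies: the comment speaks of the call from ftrace_int3_handler(), but the test skips the lock for every caller that happens to be in atomic context. The Fixes tag points at a use-after-free fix in ftrace_location(), so please explain why walking the list from `ftrace_pages_start` without the read lock is safe for all atomic callers, or narrow the condition to the int3 path.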
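Review bot: In the second ftrace.c hunk, `if (!in_atomic()) rcu_read_unlock();` re-evaluates in_atomic() instead of reusing the decision made at the lock site, so lock/unlock balance depends on the two calls agreeing. Sample it once into a local before the loop and test that local in both places.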