Kernel

kernel@openeuler.org

  • 44 participants
  • 18676 discussions
[PATCH OLK-5.10] btrfs: reinitialize delayed ref list after deleting it from the list
by Zizhi Wo 22 Nov '24

From: Filipe Manana <fdmanana(a)suse.com>

stable inclusion
from stable-v5.10.230
commit bf0b0c6d159767c0d1c21f793950d78486690ee0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVH
CVE: CVE-2024-50273

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream.

At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively.

If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref().

This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise.

So fix this by deleting from the list with list_del_init() instead.

Fixes: 1d57ee941692 ("btrfs: improve delayed refs iterations")
CC: stable(a)vger.kernel.org # 4.19+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com>
Signed-off-by: Filipe Manana <fdmanana(a)suse.com>
Reviewed-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com>
---
 fs/btrfs/delayed-ref.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c index 30883b9a26d8..e2309bc9e45d 100644 --- a/fs/btrfs/delayed-ref.c +++ b/fs/btrfs/delayed-ref.c @@ -620,7 +620,7 @@ static int insert_delayed_ref(struct btrfs_trans_handle *trans, &href->ref_add_list); else if (ref->action == BTRFS_DROP_DELAYED_REF) { ASSERT(!list_empty(&exist->add_list)); - list_del(&exist->add_list); + list_del_init(&exist->add_list); } else { ASSERT(0); } -- 2.46.1
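Review bot: only the removal in the BTRFS_DROP_DELAYED_REF branch of insert_delayed_ref() is converted to list_del_init(); since drop_delayed_ref() decides whether to unlink by calling list_empty() on add_list, any other plain list_del() on that member would leave the same poisoned state behind. Please confirm that no other list_del() on add_list remains in fs/btrfs/delayed-ref.c of the OLK-5.10 tree. A short comment at this line saying that drop_delayed_ref() later tests list_empty() on the member would keep the _init variant from being "simplified" away again.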
[PATCH OLK-6.6] perf: Add PMCG platform information for HiSilicon HIP09A
by Yushan Wang 22 Nov '24

From: Qinxin Xia <xiaqinxin(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB5WVR CVE: NA ---------------------------------------------------------------------- Bugfix or Feature: Bugfix Description: HiSilicon HIP09A platforms using the same SMMU PMCG with HIP09 and thus suffers the same erratum. List them in the PMCG platform information list without introducing a new SMMU PMCG Model. Fixes: 0785c8a6d09e ("ACPI/IORT: Add PMCG platform information for HiSilicon HIP10/11") Signed-off-by: Qinxin Xia <xiaqinxin(a)huawei.com> Signed-off-by: zhangqz <14294317+zhangqizhi3(a)user.noreply.gitee.com> --- Documentation/arm64/silicon-errata.rst | 5 +++-- drivers/acpi/arm64/iort.c | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst index 77ba5531e0ee..29287a91bbb7 100644 --- a/Documentation/arm64/silicon-errata.rst +++ b/Documentation/arm64/silicon-errata.rst @@ -147,8 +147,9 @@ stable kernels. +----------------+-----------------+-----------------+-----------------------------+ | Hisilicon | Hip08 SMMU PMCG | #162001800 | N/A | +----------------+-----------------+-----------------+-----------------------------+ -| Hisilicon | Hip{08,09,10,10C| #162001900 | N/A | -| | ,11} SMMU PMCG | | | +| Hisilicon | Hip{08,09,09A, | #162001900 | N/A | +| | 10,10C,11} | | | +| | SMMU PMCG | | | +----------------+-----------------+-----------------+-----------------------------+ | Hisilicon | TSV{110,200} | #1980005 | HISILICON_ERRATUM_1980005 | +----------------+-----------------+-----------------+-----------------------------+ diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c index a0786cd8ca83..a86f65e47d17 100644 --- a/drivers/acpi/arm64/iort.c +++ b/drivers/acpi/arm64/iort.c 
@@ -1481,6 +1481,8 @@ static struct acpi_platform_list pmcg_plat_info[] __initdata = { /* HiSilicon Hip09 Platform */ {"HISI ", "HIP09 ", 0, ACPI_SIG_IORT, greater_than_or_equal, "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, + {"HISI ", "HIP09A ", 0, ACPI_SIG_IORT, greater_than_or_equal, + "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, /* HiSilicon Hip10/11 Platform uses the same SMMU IP with Hip09 */ {"HISI ", "HIP10 ", 0, ACPI_SIG_IORT, greater_than_or_equal, "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, -- 2.33.0
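Review bot: the added "HIP09A " entry in pmcg_plat_info[] sits under the existing `/* HiSilicon Hip09 Platform */` comment, which does not mention HIP09A, and its OEM table ID should be space padded to the same fixed width as the neighbouring "HIP09 " and "HIP10 " strings; the padding cannot be checked in this rendering, so please verify it in the source file. Extending the comment to name Hip09A would keep the table self-describing. The subject prefix `perf:` also does not match the files touched (drivers/acpi/arm64/iort.c and silicon-errata.rst) or the `ACPI/IORT:` prefix of the commit named in Fixes:.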
[openeuler:OLK-6.6 1513/1513] drivers/crypto/montage/tsse/tsse_ipc_api.c:62:36: warning: variable 'device_handle' is uninitialized when used here
by kernel test robot 22 Nov '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: dccd6d8473b2f20aaa76e23820a3bf4934fc8d36 commit: 914854f2adb6988ac3b6521088ec96833d6743e2 [1513/1513] driver: crypto - update support for Mont-TSSE Driver config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20241122/202411221252.PUnKjTWH-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241122/202411221252.PUnKjTWH-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411221252.PUnKjTWH-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from drivers/crypto/montage/tsse/tsse_ipc_api.c:10: In file included from drivers/crypto/montage/tsse/tsse_dev.h:13: In file included from include/linux/pci.h:1669: In file included from include/linux/dmapool.h:14: In file included from include/linux/scatterlist.h:8: In file included from include/linux/mm.h:2243: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ 
include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ >> drivers/crypto/montage/tsse/tsse_ipc_api.c:62:36: warning: variable 'device_handle' is uninitialized when used here [-Wuninitialized] 62 | service_instance->device_handle = device_handle; | ^~~~~~~~~~~~~ drivers/crypto/montage/tsse/tsse_ipc_api.c:56:19: note: initialize the variable 'device_handle' to silence this warning 56 | int device_handle; | ^ | = 0 6 warnings generated. vim +/device_handle +62 drivers/crypto/montage/tsse/tsse_ipc_api.c 41 42 /** 43 * tsse_im_service_handle_alloc() - Allocate IPC Message service handle for specific service. 
44 * @name: IPC Message service name 45 * @cb: request callback for the service 46 * @handle: function output for the service handle 47 * Return: 0 if allocated successfully, other values for failure 48 */ 49 int tsse_im_service_handle_alloc( 50 const char *name, 51 tsse_im_cb_func cb, 52 tsse_im_service_handle *handle) 53 { 54 struct tsse_service_instance *service_instance; 55 int ret; 56 int device_handle; 57 58 service_instance = kzalloc(sizeof(struct tsse_service_instance), GFP_ATOMIC); 59 if (!service_instance) 60 return -ENOMEM; 61 service_instance->service_opened = 0; > 62 service_instance->device_handle = device_handle; 63 service_instance->cb = cb; 64 strscpy(service_instance->service_name, name, TSSE_IM_SERVICE_NAME_LEN); 65 66 ret = tsse_schedule_device_handle(service_instance); 67 if (ret) { 68 kfree(service_instance); 69 return ret; 70 } 71 72 ret = tsse_service_open(service_instance); 73 if (ret) { 74 pr_err("%s(): open service: %s failed: %d\n", 75 __func__, service_instance->service_name, ret); 76 kfree(service_instance); 77 return ret; 78 } 79 *handle = service_instance; 80 return 0; 81 } 82 EXPORT_SYMBOL_GPL(tsse_im_service_handle_alloc); 83 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1304/1304] kernel/sched/core.c:5845:2: error: implicit declaration of function 'tg_update_affinity_domains'
by kernel test robot 22 Nov '24

Hi Hui, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 81e029d5dd0cae934243168eee37ef303ebcce38 commit: 713cfd2684fa5ea08b144d92b9858b932c0f1705 [1304/1304] sched: Introduce smart grid scheduling strategy for cfs config: x86_64-randconfig-002-20241122 (https://download.01.org/0day-ci/archive/20241122/202411221242.ljLHS46N-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241122/202411221242.ljLHS46N-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411221242.ljLHS46N-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from kernel/sched/core.c:8: In file included from kernel/sched/sched.h:39: In file included from include/linux/blkdev.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from kernel/sched/core.c:8: kernel/sched/sched.h:1249:15: warning: cast from 'void (*)(struct rq *)' to 'void (*)(struct callback_head *)' converts to incompatible function type [-Wcast-function-type-strict] 1249 | head->func = (void (*)(struct callback_head *))func; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/sched/core.c:1587:6: warning: no previous prototype for function 'sched_set_stop_task' [-Wmissing-prototypes] 1587 | void sched_set_stop_task(int cpu, struct task_struct *stop) | ^ kernel/sched/core.c:1587:1: note: declare 'static' if the function is not intended to be used outside of this 
translation unit 1587 | void sched_set_stop_task(int cpu, struct task_struct *stop) | ^ | static kernel/sched/core.c:2741:10: warning: cast from 'void (*)(struct callback_head *)' to 'void (*)(struct rq *)' converts to incompatible function type [-Wcast-function-type-strict] 2741 | func = (void (*)(struct rq *))head->func; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/sched/core.c:3632:35: warning: no previous prototype for function 'schedule_user' [-Wmissing-prototypes] 3632 | asmlinkage __visible void __sched schedule_user(void) | ^ kernel/sched/core.c:3632:22: note: declare 'static' if the function is not intended to be used outside of this translation unit 3632 | asmlinkage __visible void __sched schedule_user(void) | ^ | static kernel/sched/core.c:3771:35: warning: no previous prototype for function 'preempt_schedule_irq' [-Wmissing-prototypes] 3771 | asmlinkage __visible void __sched preempt_schedule_irq(void) | ^ kernel/sched/core.c:3771:22: note: declare 'static' if the function is not intended to be used outside of this translation unit 3771 | asmlinkage __visible void __sched preempt_schedule_irq(void) | ^ | static >> kernel/sched/core.c:5845:2: error: implicit declaration of function 'tg_update_affinity_domains' [-Werror,-Wimplicit-function-declaration] 5845 | tg_update_affinity_domains(cpu, 1); | ^ kernel/sched/core.c:5904:2: error: implicit declaration of function 'tg_update_affinity_domains' [-Werror,-Wimplicit-function-declaration] 5904 | tg_update_affinity_domains(cpu, 0); | ^ kernel/sched/core.c:5976:2: error: implicit declaration of function 'init_auto_affinity' [-Werror,-Wimplicit-function-declaration] 5976 | init_auto_affinity(&root_task_group); | ^ kernel/sched/core.c:5976:2: note: did you mean 'irq_set_affinity'? 
include/linux/interrupt.h:292:1: note: 'irq_set_affinity' declared here 292 | irq_set_affinity(unsigned int irq, const struct cpumask *cpumask) | ^ kernel/sched/core.c:5976:22: error: use of undeclared identifier 'root_task_group'; did you mean 'task_group'? 5976 | init_auto_affinity(&root_task_group); | ^~~~~~~~~~~~~~~ | task_group kernel/sched/sched.h:1444:34: note: 'task_group' declared here 1444 | static inline struct task_group *task_group(struct task_struct *p) | ^ kernel/sched/core.c:6029:32: warning: variable 'ptr' set but not used [-Wunused-but-set-variable] 6029 | unsigned long alloc_size = 0, ptr; | ^ 7 warnings and 4 errors generated. vim +/tg_update_affinity_domains +5845 kernel/sched/core.c 5831 5832 int sched_cpu_activate(unsigned int cpu) 5833 { 5834 struct rq *rq = cpu_rq(cpu); 5835 struct rq_flags rf; 5836 5837 #ifdef CONFIG_SCHED_SMT 5838 /* 5839 * When going up, increment the number of cores with SMT present. 5840 */ 5841 if (cpumask_weight(cpu_smt_mask(cpu)) == 2) 5842 static_branch_inc_cpuslocked(&sched_smt_present); 5843 #endif 5844 set_cpu_active(cpu, true); > 5845 tg_update_affinity_domains(cpu, 1); 5846 5847 if (sched_smp_initialized) { 5848 sched_domains_numa_masks_set(cpu); 5849 cpuset_cpu_active(); 5850 } 5851 5852 /* 5853 * Put the rq online, if not already. This happens: 5854 * 5855 * 1) In the early boot process, because we build the real domains 5856 * after all CPUs have been brought up. 5857 * 5858 * 2) At runtime, if cpuset_cpu_active() fails to rebuild the 5859 * domains. 5860 */ 5861 rq_lock_irqsave(rq, &rf); 5862 if (rq->rd) { 5863 BUG_ON(!cpumask_test_cpu(cpu, rq->rd->span)); 5864 set_rq_online(rq); 5865 } 5866 rq_unlock_irqrestore(rq, &rf); 5867 5868 update_max_interval(); 5869 5870 return 0; 5871 } 5872 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] tpm: Lock TPM chip in tpm_pm_suspend() first
by Chen Zhongjin 22 Nov '24

From: Jarkko Sakkinen <jarkko(a)kernel.org>

mainline inclusion
from mainline-v6.12-rc1
commit 9265fed6db601ee2ec47577815387458ef4f047a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KRG
CVE: CVE-2024-53085

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. The recent bug report gives also evidence of this behaviour.

Address this by locking the TPM chip before checking any chip->flags both in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() so that it will be always checked only when the lock is reserved.

Cc: stable(a)vger.kernel.org # v6.4+
Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume")
Reported-by: Mike Seo <mikeseohyungjin(a)gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383
Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com>
Tested-by: Mike Seo <mikeseohyungjin(a)gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org>

Conflicts:
	drivers/char/tpm/tpm-interface.c
[df745e25098d ("tpm: Lazily flush the auth session") is not merged]

Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com>
---
 drivers/char/tpm/tpm-chip.c | 4 ----
 drivers/char/tpm/tpm-interface.c | 29 +++++++++++++++++++++--------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 42b1062e33cd5..78999f7f248cb 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c
@@ -519,10 +519,6 @@ static int tpm_hwrng_read(struct hwrng *rng, void *data, size_t max, bool wait) { struct tpm_chip *chip = container_of(rng, struct tpm_chip, hwrng); - /* Give back zero bytes, as TPM chip has not yet fully resumed: */ - if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) - return 0; - return tpm_get_random(chip, data, max); } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 66b16d26eecc7..c8ea52dfa5567 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -394,6 +394,13 @@ int tpm_pm_suspend(struct device *dev) if (!chip) return -ENODEV; + rc = tpm_try_get_ops(chip); + if (rc) { + /* Can be safely set out of locks, as no action cannot race: */ + chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) goto suspended; @@ -401,19 +408,18 @@ int tpm_pm_suspend(struct device *dev) !pm_suspend_via_firmware()) goto suspended; - rc = tpm_try_get_ops(chip); - if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) - tpm2_shutdown(chip, TPM2_SU_STATE); - else - rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); - - tpm_put_ops(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_shutdown(chip, TPM2_SU_STATE); + goto suspended; } + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + suspended: chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + tpm_put_ops(chip); +out: if (rc) dev_err(dev, "Ignoring error %d while suspending\n", rc); return 0; @@ -462,11 +468,18 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max) if (!chip) return -ENODEV; + /* Give back zero bytes, as TPM chip has not yet fully resumed: */ + if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) { + rc = 0; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_TPM2) rc = tpm2_get_random(chip, out, max); else rc = tpm1_get_random(chip, out, max); +out: tpm_put_ops(chip); return rc; } -- 2.25.1
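Review bot: in the tpm_get_random() hunk the new TPM_CHIP_FLAG_SUSPENDED check leaves through `out:` with rc = 0, so every caller of tpm_get_random(), not only tpm_hwrng_read(), now gets zero bytes and no error while the chip is suspended; please check that the other callers in this tree treat a 0 return as "no data" and do not go on to use the output buffer. In the tpm_pm_suspend() hunk, when tpm_try_get_ops() fails its return code is reported by the "Ignoring error %d while suspending" message as if the suspend command itself had failed, which may mislead whoever reads the log. The comment "as no action cannot race" is a double negative and would read correctly as "as no action can race".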
[PATCH OLK-6.6 0/2] ext4: fix potential memory exposure issues during truncate in iomap
by Yongjian Sun 22 Nov '24

*** BLURB HERE ***

Yongjian Sun (2):
  ext4: do not always order data when partial zeroing out a block
  ext4: fix potential memory exposure issues during truncate in iomap mode.

 fs/ext4/inode.c | 75 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 59 insertions(+), 16 deletions(-)

--
2.39.2
[PATCH OLK-5.10 V1] sched/topology: Prevent race condition in sched_domain topology
by Zicheng Qu 22 Nov '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB485D -------------------------------- A race condition in `build_sched_domains() -> build_sched_domain() -> sd_init()` can lead to a null pointer dereference when `tl->data` is accessed. This occurs because `build_sched_domains() -> alloc_state()` may skip memory allocation for `tl->data` based on `tl->flags` and `SDTL_SKIP`, which can be influenced by concurrent modifications through `sched_cluster_handler()`, supported by the feature named "scheduler: Add runtime knob sysctl_sched_cluster". The issue arises when `sysctl_sched_cluster()` is modified via `/proc/sys/kernel/sched_cluster`, affecting `tl->flags` through `sched_cluster_handler() -> set_sched_cluster()`. This can lead to an inconsistent state where `tl->data` is expected to be non-null in `sd_init()`, but was not allocated in `alloc_state()` before `sd_init()`. To resolve this, lock `sched_domains_mutex` before calling `set_sched_cluster()`. This ensures that changes to `tl->flags` do not interfere with the memory allocation process in `build_sched_domains()`. Fixes: 8ce3e706b314 ("scheduler: Add runtime knob sysctl_sched_cluster") Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- kernel/sched/topology.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index 4bf575e4e7fc..3a8673a1a3fc 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -1722,7 +1722,13 @@ int sched_cluster_handler(struct ctl_table *table, int write, ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); if (!ret && write) { if (oldval != sysctl_sched_cluster) { + /* + * Here may have raced with partition_sched_domains_locked, + * it needs to be protected with sched_domains_mutex. + */ + mutex_lock(&sched_domains_mutex); set_sched_cluster(); + mutex_unlock(&sched_domains_mutex); arch_rebuild_cpu_topology(); } } -- 2.34.1
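Review bot: in sched_cluster_handler() the new mutex_lock(&sched_domains_mutex) is taken only around set_sched_cluster(), after proc_dointvec_minmax() has already stored the new value and after the `oldval != sysctl_sched_cluster` comparison, so two concurrent writers to /proc/sys/kernel/sched_cluster can still interleave before the lock is held. If the sysctl value and tl->flags are meant to change together with respect to build_sched_domains(), take the mutex before proc_dointvec_minmax(), or say in the comment why the narrower scope is sufficient. The comment itself would read better as "This may race with partition_sched_domains_locked(), so protect it with sched_domains_mutex."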
[PATCH openEuler-22.03-LTS-SP1 V1] udf: fix uninit-value use in udf_get_fileshortad
by Zicheng Qu 22 Nov '24

From: Gianfranco Trad <gianf.trad(a)gmail.com> stable inclusion from stable-v5.15.170 commit 4fc0d8660e391dcd8dde23c44d702be1f6846c61 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SWN CVE: CVE-2024-50143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ] Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000 Reported-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df Tested-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Suggested-by: Jan Kara <jack(a)suse.com> Signed-off-by: Gianfranco Trad <gianf.trad(a)gmail.com> Signed-off-by: Jan Kara <jack(a)suse.cz> Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/udf/inode.c [The stable version 5.10 is missing patch 4fc0d8660e391dcd8dde23c44d702be1f6846c61, which was pulled from 5.15. The current version of check_add_overflow() lacks the relevant commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 ("overflow: Allow mixed type arguments"). Therefore, it is necessary to cast the arguments to int.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- fs/udf/inode.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 3ae9955c42b0..1198d27552b5 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c 
@@ -2182,12 +2182,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, alen = udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc; } else { + struct allocExtDesc *header = + (struct allocExtDesc *)epos->bh->b_data; + if (!epos->offset) epos->offset = sizeof(struct allocExtDesc); ptr = epos->bh->b_data + epos->offset; - alen = sizeof(struct allocExtDesc) + - le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)-> - lengthAllocDescs); + if (check_add_overflow((int)sizeof(struct allocExtDesc), + (int)le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; } switch (iinfo->i_alloc_type) { -- 2.34.1
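Review bot: the `(int)le32_to_cpu(header->lengthAllocDescs)` cast in the check_add_overflow() call turns any on-disk length of 0x80000000 or more into a negative int, and adding sizeof(struct allocExtDesc) to a negative value does not overflow, so the check passes and alen ends up negative instead of the function returning -1. The Conflicts note explains that the mixed-type form is unavailable in this tree, but the casts change what the check rejects. For this backport, reject the value before the addition (for example by comparing the u32 against INT_MAX - sizeof(struct allocExtDesc)), or also return -1 when the resulting alen is negative.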
[PATCH OLK-5.10 V1] udf: fix uninit-value use in udf_get_fileshortad
by Zicheng Qu 22 Nov '24

From: Gianfranco Trad <gianf.trad(a)gmail.com> stable inclusion from stable-v5.15.170 commit 4fc0d8660e391dcd8dde23c44d702be1f6846c61 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SWN CVE: CVE-2024-50143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ] Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000 Reported-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df Tested-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Suggested-by: Jan Kara <jack(a)suse.com> Signed-off-by: Gianfranco Trad <gianf.trad(a)gmail.com> Signed-off-by: Jan Kara <jack(a)suse.cz> Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/udf/inode.c [The stable version 5.10 is missing patch 4fc0d8660e391dcd8dde23c44d702be1f6846c61, which was pulled from 5.15. The current version of check_add_overflow() lacks the relevant commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 ("overflow: Allow mixed type arguments"). Therefore, it is necessary to cast the arguments to int.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- fs/udf/inode.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index a8105eded07e..6ff9cc8adb26 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c 
@@ -2184,12 +2184,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, alen = udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc; } else { + struct allocExtDesc *header = + (struct allocExtDesc *)epos->bh->b_data; + if (!epos->offset) epos->offset = sizeof(struct allocExtDesc); ptr = epos->bh->b_data + epos->offset; - alen = sizeof(struct allocExtDesc) + - le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)-> - lengthAllocDescs); + if (check_add_overflow((int)sizeof(struct allocExtDesc), + (int)le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; } switch (iinfo->i_alloc_type) { -- 2.34.1
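Review bot: `header->lengthAllocDescs` in the else branch of udf_current_aext() is read from the buffer at epos->bh->b_data, and the new check only guards the addition against int overflow; nothing in this hunk compares the resulting alen with the size of that buffer, so a length that is large but does not overflow still passes. If that bound is enforced later in the function, a one-line comment here saying so would help; otherwise add the comparison next to this check. The (int) casts also make lengths of 0x80000000 and above negative rather than overflowing, so a negative alen should be rejected here as well.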
[openeuler:openEuler-1.0-LTS 1304/1304] drivers/regulator/qcom-rpmh-regulator.c:742:34: warning: 'rpmh_regulator_match_table' defined but not used
by kernel test robot 22 Nov '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 81e029d5dd0cae934243168eee37ef303ebcce38 commit: 46fc033eba42f5a4fb583b2ab53f0a9918468452 [1304/1304] regulator: add QCOM RPMh regulator driver config: x86_64-buildonly-randconfig-004-20241122 (https://download.01.org/0day-ci/archive/20241122/202411221130.VOHt3QyY-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241122/202411221130.VOHt3QyY-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411221130.VOHt3QyY-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/regulator/qcom-rpmh-regulator.c:742:34: warning: 'rpmh_regulator_match_table' defined but not used [-Wunused-const-variable=] 742 | static const struct of_device_id rpmh_regulator_match_table[] = { | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/regulator/qcom-rpmh-regulator.c:33: warning: Enum value 'VRM' not described in enum 'rpmh_regulator_type' drivers/regulator/qcom-rpmh-regulator.c:33: warning: Enum value 'XOB' not described in enum 'rpmh_regulator_type' drivers/regulator/qcom-rpmh-regulator.c:402: warning: Function parameter or member 'vreg' not described in 'rpmh_regulator_init_vreg' drivers/regulator/qcom-rpmh-regulator.c:402: warning: Function parameter or member 'dev' not described in 'rpmh_regulator_init_vreg' drivers/regulator/qcom-rpmh-regulator.c:402: warning: Function parameter or member 'node' not described in 'rpmh_regulator_init_vreg' drivers/regulator/qcom-rpmh-regulator.c:402: warning: Function parameter or member 'pmic_id' not described in 'rpmh_regulator_init_vreg' drivers/regulator/qcom-rpmh-regulator.c:402: warning: Function parameter or member 'pmic_rpmh_data' not described in 'rpmh_regulator_init_vreg' vim +/rpmh_regulator_match_table +742 
drivers/regulator/qcom-rpmh-regulator.c 741 > 742 static const struct of_device_id rpmh_regulator_match_table[] = { 743 { 744 .compatible = "qcom,pm8998-rpmh-regulators", 745 .data = pm8998_vreg_data, 746 }, 747 { 748 .compatible = "qcom,pmi8998-rpmh-regulators", 749 .data = pmi8998_vreg_data, 750 }, 751 { 752 .compatible = "qcom,pm8005-rpmh-regulators", 753 .data = pm8005_vreg_data, 754 }, 755 {} 756 }; 757 MODULE_DEVICE_TABLE(of, rpmh_regulator_match_table); 758 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki