mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 55 participants
  • 18782 discussions
[PATCH OLK-6.6 0/6] kabi: arch related KABI reserve
by Liao Chen 29 Jan '24

29 Jan '24
Affected files and structs:

  include/linux/mfd/core.h   struct mfd_cell
  cpuhotplug.h               enum cpuhp_state
  irq_work.h                 struct irq_work
  irqdesc.h                  struct irq_desc
  irqdomain_defs.h           enum irq_domain_bus_token
  irqdomain.h                struct irq_domain

Liao Chen (6):
  kabi: reserve space for enum cpuhp_state
  kabi: reserve space for struct irq_work
  kabi: reserve space for struct irq_desc
  kabi: reserve space for struct irq_domain
  kabi: reserve space for enum irq_domain_bus_token
  kabi: reserve space for struct mfd_cell

 include/linux/cpuhotplug.h     | 9 +++++++++
 include/linux/irq_work.h       | 5 +++++
 include/linux/irqdesc.h        | 5 +++++
 include/linux/irqdomain.h      | 5 +++++
 include/linux/irqdomain_defs.h | 8 ++++++++
 include/linux/mfd/core.h       | 6 ++++++
 6 files changed, 38 insertions(+)

--
2.34.1
[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 29 Jan '24

29 Jan '24
Reserve space for arm64 related structures.
Include efi.h, extable.h, fb.h, processor.h

Jinjie Ruan (4):
  kabi: reserve space for efi.h
  kabi: reserve space for extable.h
  kabi: reserve space for fb.h
  kabi: reserve space for processor.h

 arch/arm64/include/asm/extable.h   | 3 +++
 arch/arm64/include/asm/processor.h | 9 +++++++++
 include/linux/efi.h                | 3 +++
 include/linux/fb.h                 | 7 +++++++
 4 files changed, 22 insertions(+)

--
2.34.1
[openeuler:openEuler-1.0-LTS 4988/21589] kernel/sched/core.c:132:6: sparse: sparse: symbol 'account_irqtime_to_task' was not declared. Should it be static?
by kernel test robot 29 Jan '24

29 Jan '24
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: ef2982312942ba96fb8217df5d832051bae4afd2 commit: b171c3e6cde7063e53a50b33e04101d25338d87d [4988/21589] sched/cputime: add cmdline account_irqtime_to_task config: x86_64-randconfig-121-20240125 (attached as .config) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (attached as reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202401291933.XaMvht5n-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> kernel/sched/core.c:132:6: sparse: sparse: symbol 'account_irqtime_to_task' was not declared. Should it be static? kernel/sched/core.c:521:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/core.c:521:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/core.c:521:9: sparse: struct sched_domain * kernel/sched/core.c:1630:17: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/core.c:1630:17: sparse: struct sched_domain [noderef] __rcu * kernel/sched/core.c:1630:17: sparse: struct sched_domain * kernel/sched/core.c:1818:27: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/core.c:1818:27: sparse: struct task_struct [noderef] __rcu * kernel/sched/core.c:1818:27: sparse: struct task_struct * kernel/sched/core.c:6536:11: sparse: sparse: symbol 'min_cfs_quota_period' was not declared. Should it be static? kernel/sched/core.c:6616:5: sparse: sparse: symbol 'tg_set_cfs_quota' was not declared. Should it be static? kernel/sched/core.c:6629:6: sparse: sparse: symbol 'tg_get_cfs_quota' was not declared. Should it be static? 
kernel/sched/core.c:6642:5: sparse: sparse: symbol 'tg_set_cfs_period' was not declared. Should it be static? kernel/sched/core.c:6652:6: sparse: sparse: symbol 'tg_get_cfs_period' was not declared. Should it be static? In file included from kernel/sched/core.c:8: In file included from kernel/sched/sched.h:39: In file included from include/linux/blkdev.h:16: include/linux/pagemap.h:401:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 401 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from kernel/sched/core.c:8: kernel/sched/sched.h:1154:15: warning: cast from 'void (*)(struct rq *)' to 'void (*)(struct callback_head *)' converts to incompatible function type [-Wcast-function-type-strict] 1154 | head->func = (void (*)(struct callback_head *))func; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/sched/core.c:1571:6: warning: no previous prototype for function 'sched_set_stop_task' [-Wmissing-prototypes] 1571 | void sched_set_stop_task(int cpu, struct task_struct *stop) | ^ kernel/sched/core.c:1571:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1571 | void sched_set_stop_task(int cpu, struct task_struct *stop) | ^ | static kernel/sched/core.c:2743:10: warning: cast from 'void (*)(struct callback_head *)' to 'void (*)(struct rq *)' converts to incompatible function type [-Wcast-function-type-strict] 2743 | func = (void (*)(struct rq *))head->func; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/sched/core.c:3702:35: warning: no previous prototype for function 'preempt_schedule_irq' [-Wmissing-prototypes] 3702 | asmlinkage __visible void __sched preempt_schedule_irq(void) | ^ kernel/sched/core.c:3702:22: note: declare 'static' if the function is not intended to be used outside of this translation unit 3702 | asmlinkage 
__visible void __sched preempt_schedule_irq(void) | ^ | static kernel/sched/core.c:6616:5: warning: no previous prototype for function 'tg_set_cfs_quota' [-Wmissing-prototypes] 6616 | int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us) | ^ kernel/sched/core.c:6616:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6616 | int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us) | ^ | static kernel/sched/core.c:6629:6: warning: no previous prototype for function 'tg_get_cfs_quota' [-Wmissing-prototypes] 6629 | long tg_get_cfs_quota(struct task_group *tg) | ^ kernel/sched/core.c:6629:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6629 | long tg_get_cfs_quota(struct task_group *tg) | ^ | static kernel/sched/core.c:6642:5: warning: no previous prototype for function 'tg_set_cfs_period' [-Wmissing-prototypes] 6642 | int tg_set_cfs_period(struct task_group *tg, long cfs_period_us) | ^ kernel/sched/core.c:6642:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6642 | int tg_set_cfs_period(struct task_group *tg, long cfs_period_us) | ^ | static kernel/sched/core.c:6652:6: warning: no previous prototype for function 'tg_get_cfs_period' [-Wmissing-prototypes] 6652 | long tg_get_cfs_period(struct task_group *tg) | ^ kernel/sched/core.c:6652:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6652 | long tg_get_cfs_period(struct task_group *tg) | ^ | static 9 warnings generated. 
vim +/account_irqtime_to_task +132 kernel/sched/core.c 3e71a462dd483c Peter Zijlstra 2016-04-28 128 535b9552bb81ee Ingo Molnar 2017-02-01 129 /* 535b9552bb81ee Ingo Molnar 2017-02-01 130 * RQ-clock updating methods: 535b9552bb81ee Ingo Molnar 2017-02-01 131 */ b171c3e6cde706 Xie XiuQi 2019-04-17 @132 bool account_irqtime_to_task __read_mostly; b171c3e6cde706 Xie XiuQi 2019-04-17 133 static int __init setup_account_irqtime(char *str) b171c3e6cde706 Xie XiuQi 2019-04-17 134 { b171c3e6cde706 Xie XiuQi 2019-04-17 135 account_irqtime_to_task = true; b171c3e6cde706 Xie XiuQi 2019-04-17 136 b171c3e6cde706 Xie XiuQi 2019-04-17 137 return 0; b171c3e6cde706 Xie XiuQi 2019-04-17 138 } b171c3e6cde706 Xie XiuQi 2019-04-17 139 __setup("account-irqtime-to-task", setup_account_irqtime); 535b9552bb81ee Ingo Molnar 2017-02-01 140 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6 v2 0/2] kabi reserve for memcg and cgroup_bpf
by Xiang Yang 29 Jan '24

29 Jan '24
v2: add some kabi and fix the code conflict in include/linux/memcontrol.h

Lu Jialin (2):
  memcg/kabi: reserve space for memcg related structures
  cgroup_bpf/kabi: reserve space for cgroup_bpf releated structure

 include/linux/bpf-cgroup-defs.h | 20 ++++++++++++
 include/linux/bpf.h             | 11 +++++++
 include/linux/memcontrol.h      | 54 +++++++++++++++++++++++++++++++++
 mm/memcontrol.c                 | 16 ++++++++++
 4 files changed, 101 insertions(+)

--
2.34.1
[PATCH OLK-6.6] KABI: add reserve space for sched structures
by Hui Tang 29 Jan '24

29 Jan '24
From: Guan Jing <guanjing6(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8ZJI8 CVE: NA ------------------------------- We reserve some fields beforehand for sched structures prone to change, therefore, we can hot add/change features of sched with this enhancement. After reserving, normally cache does not matter as the reserved fields are not accessed at all. Signed-off-by: Guan Jing <guanjing6(a)huawei.com> --- include/linux/fwnode.h | 7 ++++++ include/linux/module.h | 4 ++++ include/linux/sched.h | 28 +++++++++++++++++++++++ include/linux/sched/signal.h | 5 +++++ kernel/sched/sched.h | 43 +++++++++++++++++++++++++++++++++++- 5 files changed, 86 insertions(+), 1 deletion(-) diff --git a/include/linux/fwnode.h b/include/linux/fwnode.h index 5700451b300f..b5084e655ddc 100644 --- a/include/linux/fwnode.h +++ b/include/linux/fwnode.h @@ -13,6 +13,7 @@ #include <linux/list.h> #include <linux/bits.h> #include <linux/err.h> +#include <linux/kabi.h> struct fwnode_operations; struct device; @@ -45,6 +46,8 @@ struct fwnode_handle { struct list_head suppliers; struct list_head consumers; u8 flags; + KABI_RESERVE(1) + KABI_RESERVE(2) }; /* @@ -164,6 +167,10 @@ struct fwnode_operations { void __iomem *(*iomap)(struct fwnode_handle *fwnode, int index); int (*irq_get)(const struct fwnode_handle *fwnode, unsigned int index); int (*add_links)(struct fwnode_handle *fwnode); + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; #define fwnode_has_op(fwnode, op) \ diff --git a/include/linux/module.h b/include/linux/module.h index c6ee29331e87..4db2878d9e42 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -602,6 +602,10 @@ struct module { #ifdef CONFIG_DYNAMIC_DEBUG_CORE struct _ddebug_info dyndbg_info; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) } ____cacheline_aligned __randomize_layout; #ifndef MODULE_ARCH_INIT #define MODULE_ARCH_INIT {} 
diff --git a/include/linux/sched.h b/include/linux/sched.h index 4f18d4505618..adfe7939a8d5 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -39,6 +39,7 @@ #include <linux/livepatch_sched.h> #include <asm/kmap_size.h> #include <linux/thread_bits.h> +#include <linux/kabi.h> /* task_struct member predeclarations (sorted alphabetically): */ struct audit_context; @@ -595,6 +596,10 @@ struct sched_entity { */ struct sched_avg avg; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; struct sched_rt_entity { @@ -613,6 +618,8 @@ struct sched_rt_entity { /* rq "owned" by this entity/group: */ struct rt_rq *my_q; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) } __randomize_layout; struct sched_dl_entity { @@ -751,6 +758,9 @@ struct kmap_ctrl { #endif }; +struct task_struct_resvd { +}; + struct task_struct { #ifdef CONFIG_THREAD_INFO_IN_TASK /* @@ -1570,6 +1580,24 @@ struct task_struct { */ randomized_struct_fields_end + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) + KABI_RESERVE(5) + KABI_RESERVE(6) + KABI_RESERVE(7) + KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) + KABI_RESERVE(11) + KABI_RESERVE(12) + KABI_RESERVE(13) + KABI_RESERVE(14) + KABI_RESERVE(15) + KABI_RESERVE(16) + KABI_AUX_PTR(task_struct) + /* CPU-specific state of this task: */ struct thread_struct thread; diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h index 0014d3adaf84..75e71a0ce2d1 100644 --- a/include/linux/sched/signal.h +++ b/include/linux/sched/signal.h @@ -12,6 +12,7 @@ #include <linux/posix-timers.h> #include <linux/mm_types.h> #include <asm/ptrace.h> +#include <linux/kabi.h> /* * Types defining task->signal and task->sighand and APIs using them: @@ -245,6 +246,10 @@ struct signal_struct { * and may have inconsistent * permissions. */ + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) } __randomize_layout; /* 
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 88dbcbe3d7c1..9029f73c6a21 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -285,6 +285,8 @@ struct rt_bandwidth { u64 rt_runtime; struct hrtimer rt_period_timer; unsigned int rt_period_active; + KABI_RESERVE(1) + KABI_RESERVE(2) }; void __dl_clear_params(struct task_struct *p); @@ -360,6 +362,14 @@ struct cfs_bandwidth { u64 throttled_time; u64 burst_time; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) + KABI_RESERVE(5) + KABI_RESERVE(6) + KABI_RESERVE(7) + KABI_RESERVE(8) }; @@ -455,6 +465,14 @@ struct task_group { #if defined(CONFIG_QOS_SCHED_SMART_GRID) && !defined(__GENKSYMS__) struct auto_affinity *auto_affinity; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) + KABI_RESERVE(5) + KABI_RESERVE(6) + KABI_RESERVE(7) + KABI_RESERVE(8) }; #ifdef CONFIG_FAIR_GROUP_SCHED @@ -721,7 +739,14 @@ struct cfs_rq { unsigned long qos_idle_h_nr_running_padding; }; #endif - + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) + KABI_RESERVE(5) + KABI_RESERVE(6) + KABI_RESERVE(7) + KABI_RESERVE(8) }; static inline int rt_bandwidth_enabled(void) @@ -768,6 +793,8 @@ struct rt_rq { struct rq *rq; struct task_group *tg; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) }; static inline bool rt_rq_is_runnable(struct rt_rq *rt_rq) @@ -962,6 +989,8 @@ struct root_domain { * CPUs of the rd. Protected by RCU. */ struct perf_domain __rcu *pd; + KABI_RESERVE(1) + KABI_RESERVE(2) }; extern void init_defrootdomain(void); @@ -1256,6 +1285,14 @@ struct rq { call_single_data_t cfsb_csd; struct list_head cfsb_csd_list; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) + KABI_RESERVE(5) + KABI_RESERVE(6) + KABI_RESERVE(7) + KABI_RESERVE(8) }; #ifdef CONFIG_FAIR_GROUP_SCHED 
@@ -2021,6 +2058,8 @@ struct sched_group { struct sched_group_capacity *sgc; int asym_prefer_cpu; /* CPU of highest priority in group */ int flags; + KABI_RESERVE(1) + KABI_RESERVE(2) /* * The CPUs this group covers. @@ -2404,6 +2443,8 @@ struct sched_class { #ifdef CONFIG_SCHED_CORE int (*task_is_throttled)(struct task_struct *p, int cpu); #endif + KABI_RESERVE(1) + KABI_RESERVE(2) }; static inline void put_prev_task(struct rq *rq, struct task_struct *prev) -- 2.34.1
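Review bot: in the include/linux/sched.h hunk that adds KABI_AUX_PTR(task_struct), the new empty struct task_struct_resvd has no allocation or free anywhere in the five files of the diffstat, and the commit message does not mention it. State in the commit message who sets and releases the auxiliary pointer, or move the struct and KABI_AUX_PTR(task_struct) into the patch that adds that lifetime handling, so a later user does not dereference it on the assumption that it is populated.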
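Review bot: the include/linux/module.h hunk adds KABI_RESERVE(1) to KABI_RESERVE(4) to struct module without adding #include <linux/kabi.h>, unlike the fwnode.h, sched.h and sched/signal.h hunks, so it depends on the header arriving through some other include; add it explicitly there too. Separately, struct fwnode_handle, struct fwnode_operations and struct module are not scheduler structures, so either split those hunks into their own patch or widen the subject line "KABI: add reserve space for sched structures".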
[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 29 Jan '24

29 Jan '24
Reserve space for arm64 related structures.
Include efi.h, extable.h, fb.h, processor.h

Jinjie Ruan (4):
  kabi: reserve space for efi.h
  kabi: reserve space for extable.h
  kabi: reserve space for fb.h
  kabi: reserve space for processor.h

 arch/arm64/include/asm/extable.h   | 3 +++
 arch/arm64/include/asm/processor.h | 9 +++++++++
 include/linux/efi.h                | 3 +++
 include/linux/fb.h                 | 7 +++++++
 4 files changed, 22 insertions(+)

--
2.34.1
[PATCH OLK-6.6 v3] kabi: reserve space for cpu cgroup and cpuset cgroup related structures
by Xiang Yang 29 Jan '24

29 Jan '24
From: Lu Jialin <lujialin4(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8SWPP --------------------------------------------- We reserve some fields beforehand for cpu cgroup and cpuset related structures prone to change, therefore, we can hot add/change features of cpu cgroup cpuset and cgroup with this enhancement. After reserving, normally cache does not matter as the reserved fields are not accessed at all. Signed-off-by: Lu Jialin <lujialin4(a)huawei.com> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- kernel/cgroup/cpuset.c | 6 ++++++ kernel/sched/sched.h | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index cfdca8aeabda..ea78008dd899 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -43,6 +43,7 @@ #include <linux/sched/isolation.h> #include <linux/cgroup.h> #include <linux/wait.h> +#include <linux/kabi.h> DEFINE_STATIC_KEY_FALSE(cpusets_pre_enable_key); DEFINE_STATIC_KEY_FALSE(cpusets_enabled_key); @@ -186,6 +187,11 @@ struct cpuset { /* Handle for cpuset.cpus.partition */ struct cgroup_file partition_file; + + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; /* diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 88dbcbe3d7c1..bd5d45ba0de8 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -68,6 +68,7 @@ #include <linux/wait_api.h> #include <linux/wait_bit.h> #include <linux/workqueue_api.h> +#include <linux/kabi.h> #include <trace/events/power.h> #include <trace/events/sched.h> @@ -455,6 +456,15 @@ struct task_group { #if defined(CONFIG_QOS_SCHED_SMART_GRID) && !defined(__GENKSYMS__) struct auto_affinity *auto_affinity; #endif + + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) + KABI_RESERVE(5) + KABI_RESERVE(6) + KABI_RESERVE(7) + KABI_RESERVE(8) }; #ifdef CONFIG_FAIR_GROUP_SCHED -- 2.34.1
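Review bot: the struct task_group hunk in kernel/sched/sched.h reserves KABI_RESERVE(1) through KABI_RESERVE(8) at the same spot, right after the auto_affinity #endif, and against the same blob 88dbcbe3d7c1 as "[PATCH OLK-6.6] KABI: add reserve space for sched structures" posted the same day. Only one of the two can apply cleanly; agree which patch owns the task_group reservation and drop it from the other.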
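Review bot: struct cpuset in the kernel/cgroup/cpuset.c hunk is defined in that .c file rather than in a header, so its layout is not visible to code outside the file. The commit message should say which consumer the four reserved slots are meant to protect, because the generic "prone to change" wording does not explain a reservation in a file-local structure.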
[PATCH openEuler-1.0-LTS] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 29 Jan '24

29 Jan '24
From: Daniel Vetter <daniel.vetter(a)ffwll.ch> stable inclusion from stable-v4.19.291 commit 73a82b22963defa87204f0f9f44a534adf7f831a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ CVE: CVE-2023-51043 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream. This requires a bit of background. Properly done a modeset driver's unload/remove sequence should be drm_dev_unplug(); drm_atomic_helper_shutdown(); drm_dev_put(); The trouble is that the drm_dev_unplugged() checks are by design racy, they do not synchronize against all outstanding ioctl. This is because those ioctl could block forever (both for modeset and for driver specific ioctls), leading to deadlocks in hotunplug. Instead the code sections that touch the hardware need to be annotated with drm_dev_enter/exit, to avoid accessing hardware resources after the unload/remove has finished. To avoid use-after-free issues all the involved userspace visible objects are supposed to hold a reference on the underlying drm_device, like drm_file does. The issue now is that we missed one, the atomic modeset ioctl can be run in a nonblocking fashion, and in that case it cannot rely on the implied drm_device reference provided by the ioctl calling context. This can result in a use-after-free if an nonblocking atomic commit is carefully raced against a driver unload. Fix this by unconditionally grabbing a drm_device reference for any drm_atomic_state structures. Strictly speaking this isn't required for blocking commits and TEST_ONLY calls, but it's the simpler approach. Thanks to shanzhulig for the initial idea of grabbing an unconditional reference, I just added comments, a condensed commit message and fixed a minor potential issue in where exactly we drop the final reference. 
Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 1a4b44923aec..e703341e4cb2 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -91,6 +91,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -250,7 +256,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -262,6 +269,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1
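Review bot: the comment added in the drm_atomic_state_init() hunk reads "cannot rely on the on implied by drm_file"; "the on" should be "the one". If the wording is being kept byte-identical to the upstream commit for backport tracking, leave it and fix it upstream instead.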
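Review bot: in the __drm_atomic_state_free() hunks the final drm_dev_put(dev) runs after kfree(state) and is safe only because dev was copied into a local at the top of the function. A one-line comment at the put saying that state is already gone would keep a later cleanup from switching back to state->dev.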
[PATCH openEuler-1.0-LTS] smb: client: fix NULL deref in asn1_ber_decoder()
by ZhaoLong Wang 29 Jan '24

29 Jan '24
From: Paulo Alcantara <pc(a)manguebit.com> stable inclusion from stable-v4.19.304 commit 832c20fc4cc82c497566db35996ea488661fc764 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8ZPJF CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 90d025c2e953c11974e76637977c473200593a46 ] If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset, smb2_get_data_area() sets @len to non-zero but return NULL, so decode_negTokeninit() ends up being called with a NULL @security_blob: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:asn1_ber_decoder+0x173/0xc80 Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00 RSP: 0018:ffffc9000063f950 EFLAGS: 00010202 RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000 FS: 00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x181/0x480 ? __stack_depot_save+0x1e6/0x480 ? exc_page_fault+0x6f/0x1c0 ? asm_exc_page_fault+0x26/0x30 ? asn1_ber_decoder+0x173/0xc80 ? 
check_object+0x40/0x340 decode_negTokenInit+0x1e/0x30 [cifs] SMB2_negotiate+0xc99/0x17c0 [cifs] ? smb2_negotiate+0x46/0x60 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 smb2_negotiate+0x46/0x60 [cifs] cifs_negotiate_protocol+0xae/0x130 [cifs] cifs_get_smb_ses+0x517/0x1040 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? queue_delayed_work_on+0x5d/0x90 cifs_mount_get_session+0x78/0x200 [cifs] dfs_mount_share+0x13a/0x9f0 [cifs] ? srso_alias_return_thunk+0x5/0xfbef5 ? lock_acquire+0xbf/0x2b0 ? find_nls+0x16/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 cifs_mount+0x7e/0x350 [cifs] cifs_smb3_do_mount+0x128/0x780 [cifs] smb3_get_tree+0xd9/0x290 [cifs] vfs_get_tree+0x2c/0x100 ? capable+0x37/0x70 path_mount+0x2d7/0xb80 ? srso_alias_return_thunk+0x5/0xfbef5 ? _raw_spin_unlock_irqrestore+0x44/0x60 __x64_sys_mount+0x11a/0x150 do_syscall_64+0x47/0xf0 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fce52c2ab1e Fix this by setting @len to zero when @off == 0 so callers won't attempt to dereference non-existing data areas. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhaoLong Wang <wangzhaolong1(a)huawei.com> --- fs/cifs/smb2misc.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c index 94fb82077bdd..6ac33ec15583 100644 --- a/fs/cifs/smb2misc.c +++ b/fs/cifs/smb2misc.c @@ -302,6 +302,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = { char * smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr) { + const int max_off = 4096; + const int max_len = 128 * 1024; + *off = 0; *len = 0; 
@@ -369,29 +372,20 @@ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr) * Invalid length or offset probably means data area is invalid, but * we have little choice but to ignore the data area in this case. */ - if (*off > 4096) { - cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off); - *len = 0; - *off = 0; - } else if (*off < 0) { - cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n", - *off); + if (unlikely(*off < 0 || *off > max_off || + *len < 0 || *len > max_len)) { + cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n", + __func__, *off, *len); *off = 0; *len = 0; - } else if (*len < 0) { - cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n", - *len); - *len = 0; - } else if (*len > 128 * 1024) { - cifs_dbg(VFS, "data area larger than 128K: %d\n", *len); + } else if (*off == 0) { *len = 0; } /* return pointer to beginning of data area, ie offset from SMB start */ - if ((*off != 0) && (*len != 0)) + if (*off > 0 && *len > 0) return (char *)shdr + *off; - else - return NULL; + return NULL; } /* -- 2.39.2
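Review bot: max_off and max_len in the first smb2_get_data_area_len() hunk are introduced without a comment on what the 4096 and 128 * 1024 limits correspond to. The old per-case messages at least named "128K"; a short comment on each constant would keep that information now that the message only prints off and len.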
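Review bot: in the rewritten validation block, the *len < 0 and *len > 128 * 1024 cases used to clear only *len and now clear *off as well, which the commit message does not mention; it describes only the @off == 0 fix. Note the change there. Also, when *off > 0 and *len == 0 the function returns NULL but leaves *off non-zero; clearing *off on that path too would give callers the same off/len pair for every NULL return.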
[PATCH OLK-6.6 0/2] Expose swapcache stat for memcg v1
by Liu Shixin 29 Jan '24

29 Jan '24
The first patch exposes swapcache stat for memcg v1, the second patch removes unused do_memsw_account() in memcg1_stat_format().

Liu Shixin (2):
  memcg: expose swapcache stat for memcg v1
  memcg: remove unused do_memsw_account in memcg1_stat_format

 Documentation/admin-guide/cgroup-v1/memory.rst |  1 +
 mm/memcontrol.c                                | 15 ++++++++-------
 2 files changed, 9 insertions(+), 7 deletions(-)

--
2.25.1