Kernel
Threads by month
- ----- 2025 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- 18856 discussions
[PATCH OLK-6.6] ethtool: check device is present when getting link settings
by Wang Liang 27 Sep '24
by Wang Liang 27 Sep '24
27 Sep '24
From: Jamie Bainbridge <jamie.bainbridge(a)gmail.com>
stable inclusion
from stable-v6.6.49
commit 94ab317024ba373d37340893d1c0358638935fbb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4EU
CVE: CVE-2024-46679
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit a699781c79ecf6cfe67fb00a0331b4088c7c8466 ]
A sysfs reader can race with a device reset or removal, attempting to
read device state when the device is not actually present. eg:
[exception RIP: qed_get_current_link+17]
#8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
#9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
#10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
#11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
#12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
#13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
#14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
#15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
#16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
#17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb
crash> struct net_device.state ffff9a9d21336000
state = 5,
state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
The device is not present, note lack of __LINK_STATE_PRESENT (0b10).
This is the same sort of panic as observed in commit 4224cfd7fb65
("net-sysfs: add check for netdevice being present to speed_show").
There are many other callers of __ethtool_get_link_ksettings() which
don't have a device presence check.
Move this check into ethtool to protect all callers.
Fixes: d519e17e2d01 ("net: export device speed and duplex via sysfs")
Fixes: 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show")
Signed-off-by: Jamie Bainbridge <jamie.bainbridge(a)gmail.com>
Link: https://patch.msgid.link/8bae218864beaa44ed01628140475b9bf641c5b0.172439367…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Wang Liang <wangliang74(a)huawei.com>
---
net/core/net-sysfs.c | 2 +-
net/ethtool/ioctl.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 5a9487af44e0..f7404bc67974 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -216,7 +216,7 @@ static ssize_t speed_show(struct device *dev,
if (!rtnl_trylock())
return restart_syscall();
- if (netif_running(netdev) && netif_device_present(netdev)) {
+ if (netif_running(netdev)) {
struct ethtool_link_ksettings cmd;
if (!__ethtool_get_link_ksettings(netdev, &cmd))
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 7cb23bcf8ef7..4486cbe2faf0 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -438,6 +438,9 @@ int __ethtool_get_link_ksettings(struct net_device *dev,
if (!dev->ethtool_ops->get_link_ksettings)
return -EOPNOTSUPP;
+ if (!netif_device_present(dev))
+ return -ENODEV;
+
memset(link_ksettings, 0, sizeof(*link_ksettings));
return dev->ethtool_ops->get_link_ksettings(dev, link_ksettings);
}
--
2.34.1
2
1
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IATU6E
CVE: NA
--------------------------------
If req->tx_pid == req->tx_pid when sched_net_relationship_submit() called,
which cause rship->net_lock AA deadlock in task_net_group().
Fixes: 2ac826b258e9 ("sched: Introduce task relationship by net and memory")
Signed-off-by: Hui Tang <tanghui20(a)huawei.com>
---
kernel/sched/relationship.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/sched/relationship.c b/kernel/sched/relationship.c
index 515c913aeb33..d17041585c39 100644
--- a/kernel/sched/relationship.c
+++ b/kernel/sched/relationship.c
@@ -141,6 +141,9 @@ int sched_net_relationship_submit(struct net_relationship_req *req)
req->net_rship_type == NET_RS_TYPE_TX)
return remote_rxtx_process(req);
+ if (req->rx_pid == req->tx_pid)
+ return -EINVAL;
+
rcu_read_lock();
rx_tsk = find_task_by_pid_ns(req->rx_pid, &init_pid_ns);
--
2.34.1
2
1
[PATCH OLK-6.6] smb: client: fix double put of @cfile in smb2_set_path_size()
by Zheng Qixing 27 Sep '24
by Zheng Qixing 27 Sep '24
27 Sep '24
From: Paulo Alcantara <pc(a)manguebit.com>
stable inclusion
from stable-v6.6.51
commit 5a72d1edb0843e4c927a4096f81e631031c25c28
category: kasan
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWCG
CVE: CVE-2024-46796
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit f9c169b51b6ce20394594ef674d6b10efba31220 upstream.
If smb2_compound_op() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() before retrying it
as the reference of @cfile was already dropped by previous call.
This fixes the following KASAN splat when running fstests generic/013
against Windows Server 2022:
CIFS: Attempting to mount //w22-fs0/scratch
run fstests generic/013 at 2024-09-02 19:48:59
==================================================================
BUG: KASAN: slab-use-after-free in detach_if_pending+0xab/0x200
Write of size 8 at addr ffff88811f1a3730 by task kworker/3:2/176
CPU: 3 UID: 0 PID: 176 Comm: kworker/3:2 Not tainted 6.11.0-rc6 #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40
04/01/2014
Workqueue: cifsoplockd cifs_oplock_break [cifs]
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
? detach_if_pending+0xab/0x200
print_report+0x156/0x4d9
? detach_if_pending+0xab/0x200
? __virt_addr_valid+0x145/0x300
? __phys_addr+0x46/0x90
? detach_if_pending+0xab/0x200
kasan_report+0xda/0x110
? detach_if_pending+0xab/0x200
detach_if_pending+0xab/0x200
timer_delete+0x96/0xe0
? __pfx_timer_delete+0x10/0x10
? rcu_is_watching+0x20/0x50
try_to_grab_pending+0x46/0x3b0
__cancel_work+0x89/0x1b0
? __pfx___cancel_work+0x10/0x10
? kasan_save_track+0x14/0x30
cifs_close_deferred_file+0x110/0x2c0 [cifs]
? __pfx_cifs_close_deferred_file+0x10/0x10 [cifs]
? __pfx_down_read+0x10/0x10
cifs_oplock_break+0x4c1/0xa50 [cifs]
? __pfx_cifs_oplock_break+0x10/0x10 [cifs]
? lock_is_held_type+0x85/0xf0
? mark_held_locks+0x1a/0x90
process_one_work+0x4c6/0x9f0
? find_held_lock+0x8a/0xa0
? __pfx_process_one_work+0x10/0x10
? lock_acquired+0x220/0x550
? __list_add_valid_or_report+0x37/0x100
worker_thread+0x2e4/0x570
? __kthread_parkme+0xd1/0xf0
? __pfx_worker_thread+0x10/0x10
kthread+0x17f/0x1c0
? kthread+0xda/0x1c0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x31/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 1118:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
cifs_new_fileinfo+0xc8/0x9d0 [cifs]
cifs_atomic_open+0x467/0x770 [cifs]
lookup_open.isra.0+0x665/0x8b0
path_openat+0x4c3/0x1380
do_filp_open+0x167/0x270
do_sys_openat2+0x129/0x160
__x64_sys_creat+0xad/0xe0
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 83:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x70
poison_slab_object+0xe9/0x160
__kasan_slab_free+0x32/0x50
kfree+0xf2/0x300
process_one_work+0x4c6/0x9f0
worker_thread+0x2e4/0x570
kthread+0x17f/0x1c0
ret_from_fork+0x31/0x60
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x30/0x50
__kasan_record_aux_stack+0xad/0xc0
insert_work+0x29/0xe0
__queue_work+0x5ea/0x760
queue_work_on+0x6d/0x90
_cifsFileInfo_put+0x3f6/0x770 [cifs]
smb2_compound_op+0x911/0x3940 [cifs]
smb2_set_path_size+0x228/0x270 [cifs]
cifs_set_file_size+0x197/0x460 [cifs]
cifs_setattr+0xd9c/0x14b0 [cifs]
notify_change+0x4e3/0x740
do_truncate+0xfa/0x180
vfs_truncate+0x195/0x200
__x64_sys_truncate+0x109/0x150
do_syscall_64+0xbb/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 71f15c90e785 ("smb: client: retry compound request without reusing lease")
Cc: stable(a)vger.kernel.org
Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com>
Cc: David Howells <dhowells(a)redhat.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com>
---
fs/smb/client/smb2inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index 28031c7ba6b1..c51ec2e1adb0 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -1148,6 +1148,7 @@ smb2_set_path_size(const unsigned int xid, struct cifs_tcon *tcon,
cfile, NULL, NULL, dentry);
if (rc == -EINVAL) {
cifs_dbg(FYI, "invalid lease key, resending request without lease");
+ cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
rc = smb2_compound_op(xid, tcon, cifs_sb,
full_path, &oparms, &in_iov,
&(int){SMB2_OP_SET_EOF}, 1,
--
2.39.2
2
1
[PATCH openEuler-22.03-LTS-SP1] ksmbd: unset the binding mark of a reused connection
by Long Li 27 Sep '24
by Long Li 27 Sep '24
27 Sep '24
From: Namjae Jeon <linkinjeon(a)kernel.org>
stable inclusion
from stable-v5.15.166
commit 9914f1bd61d5e838bb1ab15a71076d37a6db65d1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWIK
CVE: CVE-2024-46795
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=…
--------------------------------
[ Upstream commit 78c5a6f1f630172b19af4912e755e1da93ef0ab5 ]
Steve French reported null pointer dereference error from sha256 lib.
cifs.ko can send session setup requests on reused connection.
If reused connection is used for binding session, conn->binding can
still remain true and generate_preauth_hash() will not set
sess->Preauth_HashValue and it will be NULL.
It is used as a material to create an encryption key in
ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
dereference error from crypto_shash_update().
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
<TASK>
? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Cc: stable(a)vger.kernel.org # v5.15+
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 50ef53115cab..f4aeca5e7e57 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1704,6 +1704,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
rc = ksmbd_session_register(conn, sess);
if (rc)
goto out_err;
+
+ conn->binding = false;
} else if (conn->dialect >= SMB30_PROT_ID &&
(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
req->Flags & SMB2_SESSION_REQ_FLAG_BINDING) {
@@ -1782,6 +1784,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
sess = NULL;
goto out_err;
}
+
+ conn->binding = false;
}
work->sess = sess;
--
2.39.2
2
1
27 Sep '24
From: Zhihao Cheng <chengzhihao1(a)huawei.com>
Zhihao Cheng (1):
ext4: dax: fix overflowing extents beyond inode size when partially
writing
yangerkun (1):
ext4: dax: keep orphan list before truncate overflow allocated blocks
fs/ext4/file.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--
2.39.2
2
3
27 Sep '24
From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-v6.10-rc2
commit 78c5a6f1f630172b19af4912e755e1da93ef0ab5
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWIK
CVE: CVE-2024-46795
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
Steve French reported null pointer dereference error from sha256 lib.
cifs.ko can send session setup requests on reused connection.
If reused connection is used for binding session, conn->binding can
still remain true and generate_preauth_hash() will not set
sess->Preauth_HashValue and it will be NULL.
It is used as a material to create an encryption key in
ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
dereference error from crypto_shash_update().
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
<TASK>
? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Cc: stable(a)vger.kernel.org # v5.15+
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/smb/server/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 4d91210e6acf..28684316bccb 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -1681,6 +1681,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
rc = ksmbd_session_register(conn, sess);
if (rc)
goto out_err;
+
+ conn->binding = false;
} else if (conn->dialect >= SMB30_PROT_ID &&
(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
req->Flags & SMB2_SESSION_REQ_FLAG_BINDING) {
@@ -1759,6 +1761,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
sess = NULL;
goto out_err;
}
+
+ conn->binding = false;
}
work->sess = sess;
--
2.39.2
2
1
27 Sep '24
From: Olivier Sobrie <olivier(a)sobrie.be>
stable inclusion
from stable-v6.6.51
commit 60dc4ee0428d70bcbb41436b6729d29f1cbdfb89
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV9S
CVE: CVE-2024-46746
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 97155021ae17b86985121b33cf8098bcde00d497 ]
HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.
I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:
[ 13.050438] ==================================================================
[ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
[ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
[ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479
[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.067860] Call Trace:
[ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
[ 13.071486] <TASK>
[ 13.071492] dump_stack_lvl+0x5d/0x80
[ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
[ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.082199] print_report+0x174/0x505
[ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.097464] kasan_report+0xc8/0x150
[ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.150446] ? __devm_add_action+0x167/0x1d0
[ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.161814] platform_probe+0xa2/0x150
[ 13.165029] really_probe+0x1e3/0x8a0
[ 13.168243] __driver_probe_device+0x18c/0x370
[ 13.171500] driver_probe_device+0x4a/0x120
[ 13.175000] __driver_attach+0x190/0x4a0
[ 13.178521] ? __pfx___driver_attach+0x10/0x10
[ 13.181771] bus_for_each_dev+0x106/0x180
[ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.194382] bus_add_driver+0x29e/0x4d0
[ 13.197328] driver_register+0x1a5/0x360
[ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.203362] do_one_initcall+0xa7/0x380
[ 13.206432] ? __pfx_do_one_initcall+0x10/0x10
[ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.213211] ? kasan_unpoison+0x44/0x70
[ 13.216688] do_init_module+0x238/0x750
[ 13.219696] load_module+0x5011/0x6af0
[ 13.223096] ? kasan_save_stack+0x30/0x50
[ 13.226743] ? kasan_save_track+0x14/0x30
[ 13.230080] ? kasan_save_free_info+0x3b/0x60
[ 13.233323] ? poison_slab_object+0x109/0x180
[ 13.236778] ? __pfx_load_module+0x10/0x10
[ 13.239703] ? poison_slab_object+0x109/0x180
[ 13.243070] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.245924] ? init_module_from_file+0x13d/0x150
[ 13.248745] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.251503] ? init_module_from_file+0xdf/0x150
[ 13.254198] init_module_from_file+0xdf/0x150
[ 13.256826] ? __pfx_init_module_from_file+0x10/0x10
[ 13.259428] ? kasan_save_track+0x14/0x30
[ 13.261959] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.264471] ? kasan_save_free_info+0x3b/0x60
[ 13.267026] ? poison_slab_object+0x109/0x180
[ 13.269494] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.271949] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.274324] ? _raw_spin_lock+0x85/0xe0
[ 13.276671] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.278963] ? __rseq_handle_notify_resume+0x1a6/0xad0
[ 13.281193] idempotent_init_module+0x23b/0x650
[ 13.283420] ? __pfx_idempotent_init_module+0x10/0x10
[ 13.285619] ? __pfx___seccomp_filter+0x10/0x10
[ 13.287714] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.289828] ? __fget_light+0x57/0x420
[ 13.291870] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.293880] ? security_capable+0x74/0xb0
[ 13.295820] __x64_sys_finit_module+0xbe/0x130
[ 13.297874] do_syscall_64+0x82/0x190
[ 13.299898] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.301905] ? irqtime_account_irq+0x3d/0x1f0
[ 13.303877] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.305753] ? __irq_exit_rcu+0x4e/0x130
[ 13.307577] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.309489] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 13.311371] RIP: 0033:0x7a21f96ade9d
[ 13.313234] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
[ 13.317051] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 13.319024] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
[ 13.321100] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
[ 13.323314] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
[ 13.325505] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
[ 13.327637] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
[ 13.329737] </TASK>
[ 13.333945] Allocated by task 139:
[ 13.336111] kasan_save_stack+0x30/0x50
[ 13.336121] kasan_save_track+0x14/0x30
[ 13.336125] __kasan_kmalloc+0xaa/0xb0
[ 13.336129] amdtp_hid_probe+0xb1/0x440 [amd_sfh]
[ 13.336138] amd_sfh_hid_client_init+0xb8a/0x10f0 [amd_sfh]
[ 13.336144] sfh_init_work+0x47/0x120 [amd_sfh]
[ 13.336150] process_one_work+0x673/0xeb0
[ 13.336155] worker_thread+0x795/0x1250
[ 13.336160] kthread+0x290/0x350
[ 13.336164] ret_from_fork+0x34/0x70
[ 13.336169] ret_from_fork_asm+0x1a/0x30
[ 13.338175] Freed by task 139:
[ 13.340064] kasan_save_stack+0x30/0x50
[ 13.340072] kasan_save_track+0x14/0x30
[ 13.340076] kasan_save_free_info+0x3b/0x60
[ 13.340081] poison_slab_object+0x109/0x180
[ 13.340085] __kasan_slab_free+0x32/0x50
[ 13.340089] kfree+0xe5/0x310
[ 13.340094] amdtp_hid_remove+0xb2/0x160 [amd_sfh]
[ 13.340102] amd_sfh_hid_client_deinit+0x324/0x640 [amd_sfh]
[ 13.340107] amd_sfh_hid_client_init+0x94a/0x10f0 [amd_sfh]
[ 13.340113] sfh_init_work+0x47/0x120 [amd_sfh]
[ 13.340118] process_one_work+0x673/0xeb0
[ 13.340123] worker_thread+0x795/0x1250
[ 13.340127] kthread+0x290/0x350
[ 13.340132] ret_from_fork+0x34/0x70
[ 13.340136] ret_from_fork_asm+0x1a/0x30
[ 13.342482] The buggy address belongs to the object at ffff88813152f400
which belongs to the cache kmalloc-64 of size 64
[ 13.347357] The buggy address is located 8 bytes inside of
freed 64-byte region [ffff88813152f400, ffff88813152f440)
[ 13.347367] The buggy address belongs to the physical page:
[ 13.355409] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13152f
[ 13.355416] anon flags: 0x2ffff8000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 13.355423] page_type: 0xffffefff(slab)
[ 13.355429] raw: 02ffff8000000000 ffff8881000428c0 ffffea0004c43a00 0000000000000005
[ 13.355435] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
[ 13.355439] page dumped because: kasan: bad access detected
[ 13.357295] Memory state around the buggy address:
[ 13.357299] ffff88813152f300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357303] ffff88813152f380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357306] >ffff88813152f400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357309] ^
[ 13.357311] ffff88813152f480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 13.357315] ffff88813152f500: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
[ 13.357318] ==================================================================
[ 13.357405] Disabling lock debugging due to kernel taint
[ 13.383534] Oops: general protection fault, probably for non-canonical address 0xe0a1bc4140000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 13.383544] KASAN: maybe wild-memory-access in range [0x050e020a00000098-0x050e020a0000009f]
[ 13.383551] CPU: 3 PID: 479 Comm: (udev-worker) Tainted: G B 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.383561] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.383565] RIP: 0010:amd_sfh_get_report+0x81/0x530 [amd_sfh]
[ 13.383580] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 78 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 1a 03 00 00 45 8b 74 24 10 45
[ 13.383585] RSP: 0018:ffff8881261f7388 EFLAGS: 00010212
[ 13.383592] RAX: dffffc0000000000 RBX: ffff88813152f400 RCX: 0000000000000002
[ 13.383597] RDX: 00a1c04140000013 RSI: 0000000000000008 RDI: 050e020a0000009b
[ 13.383600] RBP: ffff88814d010000 R08: 0000000000000002 R09: fffffbfff3ddb8c0
[ 13.383604] R10: ffffffff9eedc607 R11: ffff88810ce98000 R12: 050e020a0000008b
[ 13.383607] R13: ffff88814d010000 R14: dffffc0000000000 R15: 0000000000000004
[ 13.383611] FS: 00007a21f94d0880(0000) GS:ffff8887e7d80000(0000) knlGS:0000000000000000
[ 13.383615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.383618] CR2: 00007e0014c438f0 CR3: 000000012614c000 CR4: 0000000000f50ef0
[ 13.383622] PKRU: 55555554
[ 13.383625] Call Trace:
[ 13.383629] <TASK>
[ 13.383632] ? __die_body.cold+0x19/0x27
[ 13.383644] ? die_addr+0x46/0x70
[ 13.383652] ? exc_general_protection+0x150/0x240
[ 13.383664] ? asm_exc_general_protection+0x26/0x30
[ 13.383674] ? amd_sfh_get_report+0x81/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383686] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383697] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383706] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383713] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.383727] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.383739] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383745] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.383753] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.383762] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.383768] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.383790] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383795] ? __devm_add_action+0x167/0x1d0
[ 13.383806] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.383818] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383826] platform_probe+0xa2/0x150
[ 13.383832] really_probe+0x1e3/0x8a0
[ 13.383838] __driver_probe_device+0x18c/0x370
[ 13.383844] driver_probe_device+0x4a/0x120
[ 13.383851] __driver_attach+0x190/0x4a0
[ 13.383857] ? __pfx___driver_attach+0x10/0x10
[ 13.383863] bus_for_each_dev+0x106/0x180
[ 13.383868] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.383874] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.383880] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383887] bus_add_driver+0x29e/0x4d0
[ 13.383895] driver_register+0x1a5/0x360
[ 13.383902] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.383910] do_one_initcall+0xa7/0x380
[ 13.383919] ? __pfx_do_one_initcall+0x10/0x10
[ 13.383927] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383933] ? kasan_unpoison+0x44/0x70
[ 13.383943] do_init_module+0x238/0x750
[ 13.383955] load_module+0x5011/0x6af0
[ 13.383962] ? kasan_save_stack+0x30/0x50
[ 13.383968] ? kasan_save_track+0x14/0x30
[ 13.383973] ? kasan_save_free_info+0x3b/0x60
[ 13.383980] ? poison_slab_object+0x109/0x180
[ 13.383993] ? __pfx_load_module+0x10/0x10
[ 13.384007] ? poison_slab_object+0x109/0x180
[ 13.384012] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384018] ? init_module_from_file+0x13d/0x150
[ 13.384025] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384032] ? init_module_from_file+0xdf/0x150
[ 13.384037] init_module_from_file+0xdf/0x150
[ 13.384044] ? __pfx_init_module_from_file+0x10/0x10
[ 13.384050] ? kasan_save_track+0x14/0x30
[ 13.384055] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384060] ? kasan_save_free_info+0x3b/0x60
[ 13.384066] ? poison_slab_object+0x109/0x180
[ 13.384071] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384080] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384085] ? _raw_spin_lock+0x85/0xe0
[ 13.384091] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.384096] ? __rseq_handle_notify_resume+0x1a6/0xad0
[ 13.384106] idempotent_init_module+0x23b/0x650
[ 13.384114] ? __pfx_idempotent_init_module+0x10/0x10
[ 13.384120] ? __pfx___seccomp_filter+0x10/0x10
[ 13.384129] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384135] ? __fget_light+0x57/0x420
[ 13.384142] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384147] ? security_capable+0x74/0xb0
[ 13.384157] __x64_sys_finit_module+0xbe/0x130
[ 13.384164] do_syscall_64+0x82/0x190
[ 13.384174] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384179] ? irqtime_account_irq+0x3d/0x1f0
[ 13.384188] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384193] ? __irq_exit_rcu+0x4e/0x130
[ 13.384201] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384206] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 13.384212] RIP: 0033:0x7a21f96ade9d
[ 13.384263] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
[ 13.384267] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 13.384273] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
[ 13.384277] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
[ 13.384280] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
[ 13.384284] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
[ 13.384288] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
[ 13.384297] </TASK>
[ 13.384299] Modules linked in: soundwire_amd(+) hid_sensor_gyro_3d(+) hid_sensor_magn_3d hid_sensor_accel_3d soundwire_generic_allocation amdxcp hid_sensor_trigger drm_exec industrialio_triggered_buffer soundwire_bus gpu_sched kvm_amd kfifo_buf qmi_helpers joydev drm_buddy hid_sensor_iio_common mousedev snd_soc_core industrialio i2c_algo_bit mac80211 snd_compress drm_suballoc_helper kvm snd_hda_intel drm_ttm_helper ac97_bus snd_pcm_dmaengine snd_intel_dspcfg ttm thinkpad_acpi(+) snd_intel_sdw_acpi hid_sensor_hub snd_rpl_pci_acp6x drm_display_helper snd_hda_codec hid_multitouch libarc4 snd_acp_pci platform_profile think_lmi(+) hid_generic firmware_attributes_class wmi_bmof cec snd_acp_legacy_common sparse_keymap rapl snd_hda_core psmouse cfg80211 pcspkr snd_pci_acp6x snd_hwdep video snd_pcm snd_pci_acp5x snd_timer snd_rn_pci_acp3x ucsi_acpi snd_acp_config snd sp5100_tco rfkill snd_soc_acpi typec_ucsi thunderbolt amd_sfh k10temp mhi soundcore i2c_piix4 snd_pci_acp3x typec i2c_hid_acpi roles i2c_hid wmi acpi_tad amd_pmc
[ 13.384454] mac_hid i2c_dev crypto_user loop nfnetlink zram ip_tables x_tables dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel serio_raw sha512_ssse3 atkbd sha256_ssse3 libps2 sha1_ssse3 vivaldi_fmap nvme aesni_intel crypto_simd nvme_core cryptd ccp xhci_pci i8042 nvme_auth xhci_pci_renesas serio vfat fat btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq
[ 13.384552] ---[ end trace 0000000000000000 ]---
KASAN reports a use-after-free of hid->driver_data in function
amd_sfh_get_report(). The backtrace indicates that the function is called
by amdtp_hid_request() which is one of the callbacks of hid device.
The current make sure that driver_data is freed only once
hid_destroy_device() returned.
Note that I observed the crash both on v6.9.9 and v6.10.0. The
code seems to be as it was from the early days of the driver.
Signed-off-by: Olivier Sobrie <olivier(a)sobrie.be>
Acked-by: Basavaraj Natikar <Basavaraj.Natikar(a)amd.com>
Signed-off-by: Jiri Kosina <jkosina(a)suse.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: He Yujie <coka.heyujie(a)huawei.com>
---
drivers/hid/amd-sfh-hid/amd_sfh_hid.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
index 705b52337068..81f3024b7b1b 100644
--- a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
+++ b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
@@ -171,11 +171,13 @@ int amdtp_hid_probe(u32 cur_hid_dev, struct amdtp_cl_data *cli_data)
void amdtp_hid_remove(struct amdtp_cl_data *cli_data)
{
int i;
+ struct amdtp_hid_data *hid_data;
for (i = 0; i < cli_data->num_hid_devices; ++i) {
if (cli_data->hid_sensor_hubs[i]) {
- kfree(cli_data->hid_sensor_hubs[i]->driver_data);
+ hid_data = cli_data->hid_sensor_hubs[i]->driver_data;
hid_destroy_device(cli_data->hid_sensor_hubs[i]);
+ kfree(hid_data);
cli_data->hid_sensor_hubs[i] = NULL;
}
}
--
2.34.1
2
1
27 Sep '24
From: Namjae Jeon <linkinjeon(a)kernel.org>
stable inclusion
from stable-v5.15.166
commit 9914f1bd61d5e838bb1ab15a71076d37a6db65d1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWIK
CVE: CVE-2024-46795
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=…
--------------------------------
[ Upstream commit 78c5a6f1f630172b19af4912e755e1da93ef0ab5 ]
Steve French reported null pointer dereference error from sha256 lib.
cifs.ko can send session setup requests on reused connection.
If reused connection is used for binding session, conn->binding can
still remain true and generate_preauth_hash() will not set
sess->Preauth_HashValue and it will be NULL.
It is used as a material to create an encryption key in
ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer
dereference error from crypto_shash_update().
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 8 PID: 429254 Comm: kworker/8:39
Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
<TASK>
? show_regs+0x6d/0x80
? __die+0x24/0x80
? page_fault_oops+0x99/0x1b0
? do_user_addr_fault+0x2ee/0x6b0
? exc_page_fault+0x83/0x1b0
? asm_exc_page_fault+0x27/0x30
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
_sha256_update+0x77/0xa0 [sha256_ssse3]
sha256_avx2_update+0x15/0x30 [sha256_ssse3]
crypto_shash_update+0x1e/0x40
hmac_update+0x12/0x20
crypto_shash_update+0x1e/0x40
generate_key+0x234/0x380 [ksmbd]
generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
smb2_sess_setup+0x952/0xaa0 [ksmbd]
__process_request+0xa3/0x1d0 [ksmbd]
__handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
handle_ksmbd_work+0x2d/0xa0 [ksmbd]
process_one_work+0x16c/0x350
worker_thread+0x306/0x440
? __pfx_worker_thread+0x10/0x10
kthread+0xef/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x44/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Fixes: f5a544e3bab7 ("ksmbd: add support for SMB3 multichannel")
Cc: stable(a)vger.kernel.org # v5.15+
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 50ef53115cab..f4aeca5e7e57 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -1704,6 +1704,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
rc = ksmbd_session_register(conn, sess);
if (rc)
goto out_err;
+
+ conn->binding = false;
} else if (conn->dialect >= SMB30_PROT_ID &&
(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
req->Flags & SMB2_SESSION_REQ_FLAG_BINDING) {
@@ -1782,6 +1784,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
sess = NULL;
goto out_err;
}
+
+ conn->binding = false;
}
work->sess = sess;
--
2.39.2
2
1
27 Sep '24
From: Olivier Sobrie <olivier(a)sobrie.be>
stable inclusion
from stable-v6.6.51
commit 60dc4ee0428d70bcbb41436b6729d29f1cbdfb89
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV9S?from=project-issue
CVE: CVE-2024-46746
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 97155021ae17b86985121b33cf8098bcde00d497 ]
HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.
I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:
[ 13.050438] ==================================================================
[ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
[ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
[ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479
[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.067860] Call Trace:
[ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
[ 13.071486] <TASK>
[ 13.071492] dump_stack_lvl+0x5d/0x80
[ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
[ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.082199] print_report+0x174/0x505
[ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.097464] kasan_report+0xc8/0x150
[ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.150446] ? __devm_add_action+0x167/0x1d0
[ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.161814] platform_probe+0xa2/0x150
[ 13.165029] really_probe+0x1e3/0x8a0
[ 13.168243] __driver_probe_device+0x18c/0x370
[ 13.171500] driver_probe_device+0x4a/0x120
[ 13.175000] __driver_attach+0x190/0x4a0
[ 13.178521] ? __pfx___driver_attach+0x10/0x10
[ 13.181771] bus_for_each_dev+0x106/0x180
[ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.194382] bus_add_driver+0x29e/0x4d0
[ 13.197328] driver_register+0x1a5/0x360
[ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.203362] do_one_initcall+0xa7/0x380
[ 13.206432] ? __pfx_do_one_initcall+0x10/0x10
[ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.213211] ? kasan_unpoison+0x44/0x70
[ 13.216688] do_init_module+0x238/0x750
[ 13.219696] load_module+0x5011/0x6af0
[ 13.223096] ? kasan_save_stack+0x30/0x50
[ 13.226743] ? kasan_save_track+0x14/0x30
[ 13.230080] ? kasan_save_free_info+0x3b/0x60
[ 13.233323] ? poison_slab_object+0x109/0x180
[ 13.236778] ? __pfx_load_module+0x10/0x10
[ 13.239703] ? poison_slab_object+0x109/0x180
[ 13.243070] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.245924] ? init_module_from_file+0x13d/0x150
[ 13.248745] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.251503] ? init_module_from_file+0xdf/0x150
[ 13.254198] init_module_from_file+0xdf/0x150
[ 13.256826] ? __pfx_init_module_from_file+0x10/0x10
[ 13.259428] ? kasan_save_track+0x14/0x30
[ 13.261959] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.264471] ? kasan_save_free_info+0x3b/0x60
[ 13.267026] ? poison_slab_object+0x109/0x180
[ 13.269494] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.271949] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.274324] ? _raw_spin_lock+0x85/0xe0
[ 13.276671] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.278963] ? __rseq_handle_notify_resume+0x1a6/0xad0
[ 13.281193] idempotent_init_module+0x23b/0x650
[ 13.283420] ? __pfx_idempotent_init_module+0x10/0x10
[ 13.285619] ? __pfx___seccomp_filter+0x10/0x10
[ 13.287714] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.289828] ? __fget_light+0x57/0x420
[ 13.291870] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.293880] ? security_capable+0x74/0xb0
[ 13.295820] __x64_sys_finit_module+0xbe/0x130
[ 13.297874] do_syscall_64+0x82/0x190
[ 13.299898] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.301905] ? irqtime_account_irq+0x3d/0x1f0
[ 13.303877] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.305753] ? __irq_exit_rcu+0x4e/0x130
[ 13.307577] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.309489] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 13.311371] RIP: 0033:0x7a21f96ade9d
[ 13.313234] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
[ 13.317051] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 13.319024] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
[ 13.321100] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
[ 13.323314] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
[ 13.325505] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
[ 13.327637] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
[ 13.329737] </TASK>
[ 13.333945] Allocated by task 139:
[ 13.336111] kasan_save_stack+0x30/0x50
[ 13.336121] kasan_save_track+0x14/0x30
[ 13.336125] __kasan_kmalloc+0xaa/0xb0
[ 13.336129] amdtp_hid_probe+0xb1/0x440 [amd_sfh]
[ 13.336138] amd_sfh_hid_client_init+0xb8a/0x10f0 [amd_sfh]
[ 13.336144] sfh_init_work+0x47/0x120 [amd_sfh]
[ 13.336150] process_one_work+0x673/0xeb0
[ 13.336155] worker_thread+0x795/0x1250
[ 13.336160] kthread+0x290/0x350
[ 13.336164] ret_from_fork+0x34/0x70
[ 13.336169] ret_from_fork_asm+0x1a/0x30
[ 13.338175] Freed by task 139:
[ 13.340064] kasan_save_stack+0x30/0x50
[ 13.340072] kasan_save_track+0x14/0x30
[ 13.340076] kasan_save_free_info+0x3b/0x60
[ 13.340081] poison_slab_object+0x109/0x180
[ 13.340085] __kasan_slab_free+0x32/0x50
[ 13.340089] kfree+0xe5/0x310
[ 13.340094] amdtp_hid_remove+0xb2/0x160 [amd_sfh]
[ 13.340102] amd_sfh_hid_client_deinit+0x324/0x640 [amd_sfh]
[ 13.340107] amd_sfh_hid_client_init+0x94a/0x10f0 [amd_sfh]
[ 13.340113] sfh_init_work+0x47/0x120 [amd_sfh]
[ 13.340118] process_one_work+0x673/0xeb0
[ 13.340123] worker_thread+0x795/0x1250
[ 13.340127] kthread+0x290/0x350
[ 13.340132] ret_from_fork+0x34/0x70
[ 13.340136] ret_from_fork_asm+0x1a/0x30
[ 13.342482] The buggy address belongs to the object at ffff88813152f400
which belongs to the cache kmalloc-64 of size 64
[ 13.347357] The buggy address is located 8 bytes inside of
freed 64-byte region [ffff88813152f400, ffff88813152f440)
[ 13.347367] The buggy address belongs to the physical page:
[ 13.355409] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13152f
[ 13.355416] anon flags: 0x2ffff8000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 13.355423] page_type: 0xffffefff(slab)
[ 13.355429] raw: 02ffff8000000000 ffff8881000428c0 ffffea0004c43a00 0000000000000005
[ 13.355435] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
[ 13.355439] page dumped because: kasan: bad access detected
[ 13.357295] Memory state around the buggy address:
[ 13.357299] ffff88813152f300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357303] ffff88813152f380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357306] >ffff88813152f400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357309] ^
[ 13.357311] ffff88813152f480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 13.357315] ffff88813152f500: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
[ 13.357318] ==================================================================
[ 13.357405] Disabling lock debugging due to kernel taint
[ 13.383534] Oops: general protection fault, probably for non-canonical address 0xe0a1bc4140000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 13.383544] KASAN: maybe wild-memory-access in range [0x050e020a00000098-0x050e020a0000009f]
[ 13.383551] CPU: 3 PID: 479 Comm: (udev-worker) Tainted: G B 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.383561] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.383565] RIP: 0010:amd_sfh_get_report+0x81/0x530 [amd_sfh]
[ 13.383580] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 78 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 1a 03 00 00 45 8b 74 24 10 45
[ 13.383585] RSP: 0018:ffff8881261f7388 EFLAGS: 00010212
[ 13.383592] RAX: dffffc0000000000 RBX: ffff88813152f400 RCX: 0000000000000002
[ 13.383597] RDX: 00a1c04140000013 RSI: 0000000000000008 RDI: 050e020a0000009b
[ 13.383600] RBP: ffff88814d010000 R08: 0000000000000002 R09: fffffbfff3ddb8c0
[ 13.383604] R10: ffffffff9eedc607 R11: ffff88810ce98000 R12: 050e020a0000008b
[ 13.383607] R13: ffff88814d010000 R14: dffffc0000000000 R15: 0000000000000004
[ 13.383611] FS: 00007a21f94d0880(0000) GS:ffff8887e7d80000(0000) knlGS:0000000000000000
[ 13.383615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.383618] CR2: 00007e0014c438f0 CR3: 000000012614c000 CR4: 0000000000f50ef0
[ 13.383622] PKRU: 55555554
[ 13.383625] Call Trace:
[ 13.383629] <TASK>
[ 13.383632] ? __die_body.cold+0x19/0x27
[ 13.383644] ? die_addr+0x46/0x70
[ 13.383652] ? exc_general_protection+0x150/0x240
[ 13.383664] ? asm_exc_general_protection+0x26/0x30
[ 13.383674] ? amd_sfh_get_report+0x81/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383686] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383697] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383706] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383713] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.383727] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.383739] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383745] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.383753] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.383762] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.383768] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.383790] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383795] ? __devm_add_action+0x167/0x1d0
[ 13.383806] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.383818] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383826] platform_probe+0xa2/0x150
[ 13.383832] really_probe+0x1e3/0x8a0
[ 13.383838] __driver_probe_device+0x18c/0x370
[ 13.383844] driver_probe_device+0x4a/0x120
[ 13.383851] __driver_attach+0x190/0x4a0
[ 13.383857] ? __pfx___driver_attach+0x10/0x10
[ 13.383863] bus_for_each_dev+0x106/0x180
[ 13.383868] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.383874] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.383880] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383887] bus_add_driver+0x29e/0x4d0
[ 13.383895] driver_register+0x1a5/0x360
[ 13.383902] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.383910] do_one_initcall+0xa7/0x380
[ 13.383919] ? __pfx_do_one_initcall+0x10/0x10
[ 13.383927] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383933] ? kasan_unpoison+0x44/0x70
[ 13.383943] do_init_module+0x238/0x750
[ 13.383955] load_module+0x5011/0x6af0
[ 13.383962] ? kasan_save_stack+0x30/0x50
[ 13.383968] ? kasan_save_track+0x14/0x30
[ 13.383973] ? kasan_save_free_info+0x3b/0x60
[ 13.383980] ? poison_slab_object+0x109/0x180
[ 13.383993] ? __pfx_load_module+0x10/0x10
[ 13.384007] ? poison_slab_object+0x109/0x180
[ 13.384012] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384018] ? init_module_from_file+0x13d/0x150
[ 13.384025] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384032] ? init_module_from_file+0xdf/0x150
[ 13.384037] init_module_from_file+0xdf/0x150
[ 13.384044] ? __pfx_init_module_from_file+0x10/0x10
[ 13.384050] ? kasan_save_track+0x14/0x30
[ 13.384055] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384060] ? kasan_save_free_info+0x3b/0x60
[ 13.384066] ? poison_slab_object+0x109/0x180
[ 13.384071] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384080] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384085] ? _raw_spin_lock+0x85/0xe0
[ 13.384091] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.384096] ? __rseq_handle_notify_resume+0x1a6/0xad0
[ 13.384106] idempotent_init_module+0x23b/0x650
[ 13.384114] ? __pfx_idempotent_init_module+0x10/0x10
[ 13.384120] ? __pfx___seccomp_filter+0x10/0x10
[ 13.384129] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384135] ? __fget_light+0x57/0x420
[ 13.384142] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384147] ? security_capable+0x74/0xb0
[ 13.384157] __x64_sys_finit_module+0xbe/0x130
[ 13.384164] do_syscall_64+0x82/0x190
[ 13.384174] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384179] ? irqtime_account_irq+0x3d/0x1f0
[ 13.384188] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384193] ? __irq_exit_rcu+0x4e/0x130
[ 13.384201] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384206] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 13.384212] RIP: 0033:0x7a21f96ade9d
[ 13.384263] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
[ 13.384267] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 13.384273] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
[ 13.384277] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
[ 13.384280] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
[ 13.384284] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
[ 13.384288] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
[ 13.384297] </TASK>
[ 13.384299] Modules linked in: soundwire_amd(+) hid_sensor_gyro_3d(+) hid_sensor_magn_3d hid_sensor_accel_3d soundwire_generic_allocation amdxcp hid_sensor_trigger drm_exec industrialio_triggered_buffer soundwire_bus gpu_sched kvm_amd kfifo_buf qmi_helpers joydev drm_buddy hid_sensor_iio_common mousedev snd_soc_core industrialio i2c_algo_bit mac80211 snd_compress drm_suballoc_helper kvm snd_hda_intel drm_ttm_helper ac97_bus snd_pcm_dmaengine snd_intel_dspcfg ttm thinkpad_acpi(+) snd_intel_sdw_acpi hid_sensor_hub snd_rpl_pci_acp6x drm_display_helper snd_hda_codec hid_multitouch libarc4 snd_acp_pci platform_profile think_lmi(+) hid_generic firmware_attributes_class wmi_bmof cec snd_acp_legacy_common sparse_keymap rapl snd_hda_core psmouse cfg80211 pcspkr snd_pci_acp6x snd_hwdep video snd_pcm snd_pci_acp5x snd_timer snd_rn_pci_acp3x ucsi_acpi snd_acp_config snd sp5100_tco rfkill snd_soc_acpi typec_ucsi thunderbolt amd_sfh k10temp mhi soundcore i2c_piix4 snd_pci_acp3x typec i2c_hid_acpi roles i2c_hid wmi acpi_tad amd_pmc
[ 13.384454] mac_hid i2c_dev crypto_user loop nfnetlink zram ip_tables x_tables dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel serio_raw sha512_ssse3 atkbd sha256_ssse3 libps2 sha1_ssse3 vivaldi_fmap nvme aesni_intel crypto_simd nvme_core cryptd ccp xhci_pci i8042 nvme_auth xhci_pci_renesas serio vfat fat btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq
[ 13.384552] ---[ end trace 0000000000000000 ]---
KASAN reports a use-after-free of hid->driver_data in function
amd_sfh_get_report(). The backtrace indicates that the function is called
by amdtp_hid_request() which is one of the callbacks of hid device.
The current make sure that driver_data is freed only once
hid_destroy_device() returned.
Note that I observed the crash both on v6.9.9 and v6.10.0. The
code seems to be as it was from the early days of the driver.
Signed-off-by: Olivier Sobrie <olivier(a)sobrie.be>
Acked-by: Basavaraj Natikar <Basavaraj.Natikar(a)amd.com>
Signed-off-by: Jiri Kosina <jkosina(a)suse.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: He Yujie <coka.heyujie(a)huawei.com>
---
drivers/hid/amd-sfh-hid/amd_sfh_hid.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
index 705b52337068..81f3024b7b1b 100644
--- a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
+++ b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
@@ -171,11 +171,13 @@ int amdtp_hid_probe(u32 cur_hid_dev, struct amdtp_cl_data *cli_data)
void amdtp_hid_remove(struct amdtp_cl_data *cli_data)
{
int i;
+ struct amdtp_hid_data *hid_data;
for (i = 0; i < cli_data->num_hid_devices; ++i) {
if (cli_data->hid_sensor_hubs[i]) {
- kfree(cli_data->hid_sensor_hubs[i]->driver_data);
+ hid_data = cli_data->hid_sensor_hubs[i]->driver_data;
hid_destroy_device(cli_data->hid_sensor_hubs[i]);
+ kfree(hid_data);
cli_data->hid_sensor_hubs[i] = NULL;
}
}
--
2.34.1
2
1
[openeuler:OLK-6.6 11427/14193] loongarch64-linux-ld: rpm-traces.c:undefined reference to `__trace_trigger_soft_disabled'
by kernel test robot 27 Sep '24
by kernel test robot 27 Sep '24
27 Sep '24
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 515984f18a6f359887b37e95ef5a785b04ae2da7
commit: d14435b8c5cdcdadede980b086f439a7d6747d0c [11427/14193] LoongArch: Fix callchain parse error with kernel tracepoint events again
config: loongarch-randconfig-002-20240925 (https://download.01.org/0day-ci/archive/20240927/202409271347.SHAKNDVo-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240927/202409271347.SHAKNDVo-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409271347.SHAKNDVo-lkp@intel.com/
All errors (new ones prefixed by >>):
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L572':
power-traces.c:(.text+0x359c): undefined reference to `trace_event_printf'
loongarch64-linux-ld: power-traces.c:(.text+0x35c0): undefined reference to `trace_handle_return'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L580':
power-traces.c:(.text+0x3678): undefined reference to `trace_print_symbols_seq'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L581':
power-traces.c:(.text+0x36ac): undefined reference to `trace_output_call'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L587':
power-traces.c:(.text+0x3788): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `trace_raw_output_pm_qos_update':
power-traces.c:(.text+0x37dc): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L100011':
power-traces.c:(.text+0x39d8): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L606':
power-traces.c:(.text+0x3a3c): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `perf_trace_wakeup_source':
power-traces.c:(.text+0x3ae8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L615':
power-traces.c:(.text+0x3b84): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L613':
power-traces.c:(.text+0x3c0c): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L638':
power-traces.c:(.text+0x3f10): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L654':
power-traces.c:(.text+0x3fcc): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L659':
power-traces.c:(.text+0x40a8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L667':
power-traces.c:(.text+0x414c): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L678':
power-traces.c:(.text+0x4230): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L697':
power-traces.c:(.text+0x43f4): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L690':
power-traces.c:(.text+0x4420): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: power-traces.c:(.text+0x4474): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/power-traces.o: in function `.L708':
power-traces.c:(.text+0x44c8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x18): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x40): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x60): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x88): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0xa8): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0xd0): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0xf0): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x118): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x138): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x160): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x180): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x1a8): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x1c8): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x1f0): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x210): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x238): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x258): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x280): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x2a0): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x2c8): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x2e8): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x310): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x330): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x358): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x378): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x3a0): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x3c0): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x3e8): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x408): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/power-traces.o:(.ref.data+0x430): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `trace_raw_output_rpm_internal':
rpm-traces.c:(.text+0x2a4): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L49':
rpm-traces.c:(.text+0x338): undefined reference to `trace_event_printf'
loongarch64-linux-ld: rpm-traces.c:(.text+0x358): undefined reference to `trace_handle_return'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `trace_raw_output_rpm_return_int':
rpm-traces.c:(.text+0x384): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: rpm-traces.c:(.text+0x3dc): undefined reference to `trace_event_printf'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L55':
rpm-traces.c:(.text+0x3fc): undefined reference to `trace_handle_return'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L59':
rpm-traces.c:(.text+0x4bc): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L62':
rpm-traces.c:(.text+0x514): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `perf_trace_rpm_internal':
rpm-traces.c:(.text+0x694): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L83':
rpm-traces.c:(.text+0x734): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L96':
rpm-traces.c:(.text+0x8a4): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `trace_event_raw_event_rpm_return_int':
rpm-traces.c:(.text+0x8d4): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L118':
rpm-traces.c:(.text+0x95c): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L101':
rpm-traces.c:(.text+0x9c8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L117':
rpm-traces.c:(.text+0xa5c): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `trace_event_raw_event_rpm_internal':
rpm-traces.c:(.text+0xad4): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: kernel/trace/rpm-traces.o: in function `.L130':
rpm-traces.c:(.text+0xb5c): undefined reference to `trace_event_buffer_reserve'
>> loongarch64-linux-ld: rpm-traces.c:(.text+0xba8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: kernel/trace/rpm-traces.o:(.ref.data+0x18): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/rpm-traces.o:(.ref.data+0x40): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/trace/rpm-traces.o:(.ref.data+0x60): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/trace/rpm-traces.o:(.ref.data+0x88): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/rseq.o: in function `perf_trace_rseq_update':
rseq.c:(.text+0x3d4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/rseq.o: in function `.L34':
rseq.c:(.text+0x430): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/rseq.o: in function `perf_trace_rseq_ip_fixup':
rseq.c:(.text+0x52c): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: kernel/rseq.o: in function `.L46':
rseq.c:(.text+0x568): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: kernel/rseq.o: in function `trace_event_raw_event_rseq_update':
rseq.c:(.text+0x650): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: kernel/rseq.o: in function `.L61':
rseq.c:(.text+0x690): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: kernel/rseq.o: in function `.L57':
rseq.c:(.text+0x6e8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: kernel/rseq.o: in function `trace_event_raw_event_rseq_ip_fixup':
rseq.c:(.text+0x770): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: rseq.c:(.text+0x78c): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: kernel/rseq.o: in function `.L68':
rseq.c:(.text+0x7e8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: rseq.c:(.text+0x81c): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: kernel/rseq.o: in function `trace_raw_output_rseq_update':
rseq.c:(.text+0x878): undefined reference to `trace_event_printf'
loongarch64-linux-ld: rseq.c:(.text+0x898): undefined reference to `trace_handle_return'
loongarch64-linux-ld: kernel/rseq.o: in function `.L84':
rseq.c:(.text+0x8c4): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: kernel/rseq.o: in function `trace_raw_output_rseq_ip_fixup':
rseq.c:(.text+0x91c): undefined reference to `trace_event_printf'
loongarch64-linux-ld: rseq.c:(.text+0x93c): undefined reference to `trace_handle_return'
loongarch64-linux-ld: kernel/rseq.o:(.ref.data+0x18): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/rseq.o:(.ref.data+0x40): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: kernel/rseq.o:(.ref.data+0x60): undefined reference to `trace_event_reg'
loongarch64-linux-ld: kernel/rseq.o:(.ref.data+0x88): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/filemap.o: in function `perf_trace_mm_filemap_op_page_cache':
filemap.c:(.text+0x2ac): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/filemap.o: in function `.L54':
filemap.c:(.text+0x390): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/filemap.o: in function `perf_trace_filemap_set_wb_err':
filemap.c:(.text+0x494): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/filemap.o: in function `.L68':
filemap.c:(.text+0x4e4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/filemap.o: in function `perf_trace_file_check_and_advance_wb_err':
filemap.c:(.text+0x5d4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/filemap.o: in function `.L82':
filemap.c:(.text+0x638): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/filemap.o: in function `.L94':
filemap.c:(.text+0x720): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/filemap.o: in function `.L99':
filemap.c:(.text+0x7e4): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/filemap.o: in function `.L95':
filemap.c:(.text+0x86c): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/filemap.o: in function `.L96':
filemap.c:(.text+0x8e8): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/filemap.o: in function `trace_event_raw_event_filemap_set_wb_err':
filemap.c:(.text+0x918): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/filemap.o: in function `.L115':
filemap.c:(.text+0x988): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/filemap.o: in function `.L116':
filemap.c:(.text+0x9f8): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/filemap.o: in function `trace_event_raw_event_file_check_and_advance_wb_err':
filemap.c:(.text+0xa40): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/filemap.o: in function `.L128':
filemap.c:(.text+0xaac): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/filemap.o: in function `.L124':
filemap.c:(.text+0xae4): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/filemap.o: in function `trace_raw_output_mm_filemap_op_page_cache':
filemap.c:(.text+0xb6c): undefined reference to `trace_event_printf'
loongarch64-linux-ld: filemap.c:(.text+0xb8c): undefined reference to `trace_handle_return'
loongarch64-linux-ld: filemap.c:(.text+0xbb4): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/filemap.o: in function `.L142':
filemap.c:(.text+0xc20): undefined reference to `trace_event_printf'
loongarch64-linux-ld: mm/filemap.o: in function `trace_raw_output_filemap_set_wb_err':
filemap.c:(.text+0xc40): undefined reference to `trace_handle_return'
loongarch64-linux-ld: filemap.c:(.text+0xc6c): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/filemap.o: in function `.L148':
filemap.c:(.text+0xce8): undefined reference to `trace_event_printf'
loongarch64-linux-ld: mm/filemap.o: in function `trace_raw_output_file_check_and_advance_wb_err':
filemap.c:(.text+0xd08): undefined reference to `trace_handle_return'
loongarch64-linux-ld: mm/filemap.o:(.ref.data+0x18): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/filemap.o:(.ref.data+0x40): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/filemap.o:(.ref.data+0x60): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/filemap.o:(.ref.data+0x88): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/filemap.o:(.ref.data+0xa8): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/filemap.o:(.ref.data+0xd0): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_oom_score_adj_update':
oom_kill.c:(.text+0x4a0): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L83':
oom_kill.c:(.text+0x4fc): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L82':
oom_kill.c:(.text+0x578): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_reclaim_retry_zone':
oom_kill.c:(.text+0x66c): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L85':
oom_kill.c:(.text+0x6c4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_mark_victim':
oom_kill.c:(.text+0x7b4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L97':
oom_kill.c:(.text+0x7e4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_wake_reaper':
oom_kill.c:(.text+0x8b4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L109':
oom_kill.c:(.text+0x8e4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_start_task_reaping':
oom_kill.c:(.text+0x9b4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L121':
oom_kill.c:(.text+0x9e4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_finish_task_reaping':
oom_kill.c:(.text+0xab4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: oom_kill.c:(.text+0xae4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_skip_task_reaping':
oom_kill.c:(.text+0xbb4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: oom_kill.c:(.text+0xbe4): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `perf_trace_compact_retry':
oom_kill.c:(.text+0xcdc): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: oom_kill.c:(.text+0xd38): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L156':
oom_kill.c:(.text+0xe0c): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_event_raw_event_oom_score_adj_update':
oom_kill.c:(.text+0xe40): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L175':
oom_kill.c:(.text+0xe8c): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_event_raw_event_reclaim_retry_zone':
oom_kill.c:(.text+0xf30): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: oom_kill.c:(.text+0xf6c): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L187':
oom_kill.c:(.text+0xfe8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L183':
oom_kill.c:(.text+0x1058): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: oom_kill.c:(.text+0x1068): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_event_raw_event_mark_victim':
oom_kill.c:(.text+0x10a8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L194':
oom_kill.c:(.text+0x1118): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: oom_kill.c:(.text+0x1128): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_event_raw_event_wake_reaper':
oom_kill.c:(.text+0x1168): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L205':
oom_kill.c:(.text+0x11d8): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: oom_kill.c:(.text+0x11e8): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L206':
oom_kill.c:(.text+0x1228): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L220':
oom_kill.c:(.text+0x1298): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L216':
oom_kill.c:(.text+0x12a8): undefined reference to `trace_event_buffer_commit'
>> loongarch64-linux-ld: oom_kill.c:(.text+0x12e8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_event_raw_event_finish_task_reaping':
oom_kill.c:(.text+0x1358): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L231':
oom_kill.c:(.text+0x1368): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L227':
oom_kill.c:(.text+0x13a8): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L242':
oom_kill.c:(.text+0x1438): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L238':
oom_kill.c:(.text+0x1474): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_event_raw_event_compact_retry':
oom_kill.c:(.text+0x14ec): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: oom_kill.c:(.text+0x1524): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L249':
oom_kill.c:(.text+0x1578): undefined reference to `trace_event_printf'
loongarch64-linux-ld: oom_kill.c:(.text+0x1598): undefined reference to `trace_handle_return'
loongarch64-linux-ld: oom_kill.c:(.text+0x15c4): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_oom_score_adj_update':
oom_kill.c:(.text+0x1610): undefined reference to `trace_event_printf'
loongarch64-linux-ld: oom_kill.c:(.text+0x1630): undefined reference to `trace_handle_return'
loongarch64-linux-ld: oom_kill.c:(.text+0x165c): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_mark_victim':
oom_kill.c:(.text+0x16b0): undefined reference to `trace_event_printf'
loongarch64-linux-ld: oom_kill.c:(.text+0x16d0): undefined reference to `trace_handle_return'
loongarch64-linux-ld: oom_kill.c:(.text+0x16fc): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_wake_reaper':
oom_kill.c:(.text+0x1750): undefined reference to `trace_event_printf'
loongarch64-linux-ld: oom_kill.c:(.text+0x1770): undefined reference to `trace_handle_return'
loongarch64-linux-ld: oom_kill.c:(.text+0x179c): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L280':
oom_kill.c:(.text+0x17f0): undefined reference to `trace_event_printf'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_start_task_reaping':
oom_kill.c:(.text+0x1810): undefined reference to `trace_handle_return'
loongarch64-linux-ld: oom_kill.c:(.text+0x183c): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L286':
oom_kill.c:(.text+0x1890): undefined reference to `trace_event_printf'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_finish_task_reaping':
oom_kill.c:(.text+0x18b0): undefined reference to `trace_handle_return'
loongarch64-linux-ld: oom_kill.c:(.text+0x18dc): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L292':
oom_kill.c:(.text+0x1938): undefined reference to `trace_print_symbols_seq'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_skip_task_reaping':
oom_kill.c:(.text+0x1970): undefined reference to `trace_event_printf'
loongarch64-linux-ld: oom_kill.c:(.text+0x1994): undefined reference to `trace_handle_return'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L298':
oom_kill.c:(.text+0x19bc): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/oom_kill.o: in function `trace_raw_output_reclaim_retry_zone':
oom_kill.c:(.text+0x1a28): undefined reference to `trace_print_symbols_seq'
loongarch64-linux-ld: oom_kill.c:(.text+0x1a40): undefined reference to `trace_print_symbols_seq'
loongarch64-linux-ld: mm/oom_kill.o: in function `.L304':
oom_kill.c:(.text+0x1a68): undefined reference to `trace_event_printf'
loongarch64-linux-ld: oom_kill.c:(.text+0x1a94): undefined reference to `trace_handle_return'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x18): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x40): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x60): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x88): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0xa8): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0xd0): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0xf0): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x118): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x138): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x160): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x180): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x1a8): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x1c8): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x1f0): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x210): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/oom_kill.o:(.ref.data+0x238): undefined reference to `trace_event_raw_init'
loongarch64-linux-ld: mm/swap.o: in function `.L20':
swap.c:(.text+0x13c): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: swap.c:(.text+0x1dc): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/swap.o: in function `.L32':
swap.c:(.text+0x2d4): undefined reference to `perf_trace_buf_alloc'
loongarch64-linux-ld: mm/swap.o: in function `.L38':
swap.c:(.text+0x42c): undefined reference to `perf_trace_run_bpf_submit'
loongarch64-linux-ld: mm/swap.o: in function `trace_event_raw_event_mm_lru_insertion':
swap.c:(.text+0x560): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/swap.o: in function `.L63':
swap.c:(.text+0x69c): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/swap.o: in function `.L75':
swap.c:(.text+0x72c): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: mm/swap.o: in function `trace_event_raw_event_mm_lru_activate':
swap.c:(.text+0x7c0): undefined reference to `trace_event_buffer_reserve'
loongarch64-linux-ld: mm/swap.o: in function `.L80':
swap.c:(.text+0x844): undefined reference to `trace_event_buffer_commit'
loongarch64-linux-ld: mm/swap.o: in function `.L76':
swap.c:(.text+0x8ac): undefined reference to `__trace_trigger_soft_disabled'
loongarch64-linux-ld: swap.c:(.text+0x8e4): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/swap.o: in function `.L105':
swap.c:(.text+0x978): undefined reference to `trace_event_printf'
loongarch64-linux-ld: mm/swap.o: in function `.L107':
swap.c:(.text+0x998): undefined reference to `trace_handle_return'
loongarch64-linux-ld: mm/swap.o: in function `.L102':
swap.c:(.text+0xa64): undefined reference to `trace_raw_output_prep'
loongarch64-linux-ld: mm/swap.o: in function `.L100':
swap.c:(.text+0xab4): undefined reference to `trace_event_printf'
loongarch64-linux-ld: mm/swap.o: in function `trace_raw_output_mm_lru_activate':
swap.c:(.text+0xad4): undefined reference to `trace_handle_return'
loongarch64-linux-ld: mm/swap.o:(.ref.data+0x18): undefined reference to `trace_event_reg'
loongarch64-linux-ld: mm/swap.o:(.ref.data+0x40): undefined reference to `trace_event_raw_init'
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for PGP_PRELOAD
Depends on [n]: CRYPTO [=y] && ASYMMETRIC_KEY_TYPE [=n]
Selected by [y]:
- PGP_PRELOAD_PUBLIC_KEYS [=y] && CRYPTO [=y]
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
1
0