Kernel

kernel@openeuler.org

  • 59 participants
  • 19362 discussions
[PATCH openEuler-1.0-LTS] net: ieee802154: at86rf230: Stop leaking skb's
by Zhengchao Shao 23 Jul '24

From: Miquel Raynal <miquel.raynal(a)bootlin.com> stable inclusion from stable-v4.19.231 commit 6312f6a53fd3ea38125dcaca5e3c9aa7d8a60cf7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADG4I CVE: CVE-2022-48794 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit e5ce576d45bf72fd0e3dc37eff897bfcc488f6a9 ] Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introduce an intermediate 'was_tx' boolean just for this purpose. There is no Fixes tag applying here, many changes have been made on this area and the issue kind of always existed. Suggested-by: Alexander Aring <alex.aring(a)gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Acked-by: Alexander Aring <aahringo(a)redhat.com> Link: https://lore.kernel.org/r/20220125121426.848337-4-miquel.raynal@bootlin.com Signed-off-by: Stefan Schmidt <stefan(a)datenfreihafen.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/net/ieee802154/at86rf230.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c index 3d9e91579866..1bc09b6c308f 100644 --- a/drivers/net/ieee802154/at86rf230.c +++ b/drivers/net/ieee802154/at86rf230.c @@ -108,6 +108,7 @@ struct at86rf230_local { unsigned long cal_timeout; bool is_tx; bool is_tx_from_off; + bool was_tx; u8 tx_retry; struct sk_buff *tx_skb; struct at86rf230_state_change tx; 
@@ -351,7 +352,11 @@ at86rf230_async_error_recover_complete(void *context) if (ctx->free) kfree(ctx); - ieee802154_wake_queue(lp->hw); + if (lp->was_tx) { + lp->was_tx = 0; + dev_kfree_skb_any(lp->tx_skb); + ieee802154_wake_queue(lp->hw); + } } static void @@ -360,7 +365,11 @@ at86rf230_async_error_recover(void *context) struct at86rf230_state_change *ctx = context; struct at86rf230_local *lp = ctx->lp; - lp->is_tx = 0; + if (lp->is_tx) { + lp->was_tx = 1; + lp->is_tx = 0; + } + at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, at86rf230_async_error_recover_complete); } -- 2.34.1
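Review bot: In at86rf230_async_error_recover_complete(), ieee802154_wake_queue(lp->hw) now sits inside the new `if (lp->was_tx)` block, so an error recovery that did not start from Tx no longer wakes the queue, and the commit message only describes the skb leak. Please confirm the queue can never be left stopped on that path, or keep the wake unconditional and guard only the dev_kfree_skb_any() call. In the same block, lp->tx_skb still points at the freed skb after dev_kfree_skb_any(); clearing it there would make a later stale use easier to catch. Since was_tx is declared bool, true/false would read better than 1/0.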
[openeuler:OLK-6.6] BUILD SUCCESS 55840856d646155a61b61b78b058eeffbe5c3dca
by kernel test robot 23 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: 55840856d646155a61b61b78b058eeffbe5c3dca  !10160 fix CVE-2024-40915

Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allmodconfig
|   `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag
|-- arm64-defconfig
|   |-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data)
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- arm64-randconfig-001-20240722
|   `-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data)
|-- loongarch-allmodconfig
|   `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|-- loongarch-defconfig
|   |-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-randconfig-001-20240722
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
|-- loongarch-randconfig-002-20240722
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
`-- x86_64-allyesconfig
    `-- drivers-gpu-drm-amd-amdgpu-..-amdkfd-kfd_topology.c:warning:stack-frame-size-()-exceeds-limit-()-in-kfd_topology_add_device

elapsed time: 728m

configs tested: 34
configs skipped: 134

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
arm64       allmodconfig                        clang-19
arm64       allnoconfig                         gcc-14.1.0
arm64       defconfig                           gcc-14.1.0
arm64       randconfig-001-20240722             clang-19
arm64       randconfig-002-20240722             clang-19
arm64       randconfig-003-20240722             clang-15
arm64       randconfig-004-20240722             gcc-14.1.0
loongarch   allmodconfig                        gcc-14.1.0
loongarch   allnoconfig                         gcc-14.1.0
loongarch   defconfig                           gcc-14.1.0
loongarch   randconfig-001-20240722             gcc-14.1.0
loongarch   randconfig-002-20240722             gcc-14.1.0
x86_64      allnoconfig                         clang-18
x86_64      allyesconfig                        clang-18
x86_64      buildonly-randconfig-001-20240723   gcc-10
x86_64      buildonly-randconfig-002-20240723   gcc-10
x86_64      buildonly-randconfig-003-20240723   gcc-12
x86_64      buildonly-randconfig-004-20240723   gcc-8
x86_64      buildonly-randconfig-005-20240723   gcc-12
x86_64      buildonly-randconfig-006-20240723   gcc-10
x86_64      defconfig                           gcc-13
x86_64      randconfig-001-20240723             clang-18
x86_64      randconfig-002-20240723             clang-18
x86_64      randconfig-003-20240723             clang-18
x86_64      randconfig-004-20240723             clang-18
x86_64      randconfig-005-20240723             clang-18
x86_64      randconfig-006-20240723             clang-18
x86_64      randconfig-011-20240723             gcc-12
x86_64      randconfig-012-20240723             clang-18
x86_64      randconfig-013-20240723             gcc-13
x86_64      randconfig-014-20240723             gcc-13
x86_64      randconfig-015-20240723             gcc-10
x86_64      randconfig-071-20240723             gcc-13
x86_64      rhel-8.3-rust                       clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 8557/23347] drivers/thermal/intel_powerclamp.o: warning: objtool: missing symbol for section .text.unlikely
by kernel test robot 23 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 8d2f09e210f079f53eb6c1ba1ef639d73a17d61b
commit: 775947c125d5bd6e00e0dcf9d12c57fd5d44d07f [8557/23347] asm-generic: fix -Wtype-limits compiler warnings
config: x86_64-buildonly-randconfig-002-20240723 (https://download.01.org/0day-ci/archive/20240723/202407230549.TmLejsNZ-lkp@…)
compiler: gcc-10 (Ubuntu 10.5.0-1ubuntu1) 10.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240723/202407230549.TmLejsNZ-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407230549.TmLejsNZ-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/thermal/intel_powerclamp.o: warning: objtool: missing symbol for section .text.unlikely
--
>> net/ipv6/icmp.o: warning: objtool: missing symbol for section .text.unlikely

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1505/23347] drivers/spi/spi.c:2040:7: error: implicit declaration of function 'gpiod_count'; did you mean 'cpuid_count'?
by kernel test robot 23 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 8d2f09e210f079f53eb6c1ba1ef639d73a17d61b
commit: 708663738592c63da3c851ed86ce6c084409f6c8 [1505/23347] spi: add ACPI support for SPI controller chip select lines(cs-gpios)
config: x86_64-randconfig-001-20240722 (https://download.01.org/0day-ci/archive/20240723/202407230136.x5FmFlxg-lkp@…)
compiler: gcc-8 (Ubuntu 8.4.0-3ubuntu2) 8.4.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240723/202407230136.x5FmFlxg-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407230136.x5FmFlxg-lkp@intel.com/

All errors (new ones prefixed by >>):

   drivers/spi/spi.c: In function '__spi_register_controller':
>> drivers/spi/spi.c:2040:7: error: implicit declaration of function 'gpiod_count'; did you mean 'cpuid_count'? [-Werror=implicit-function-declaration]
     nb = gpiod_count(&ctlr->dev, "cs");
          ^~~~~~~~~~~
          cpuid_count
>> drivers/spi/spi.c:2064:11: error: implicit declaration of function 'devm_gpiod_get_index'; did you mean 'devm_gpio_free'? [-Werror=implicit-function-declaration]
       desc = devm_gpiod_get_index(&ctlr->dev, "cs",
              ^~~~~~~~~~~~~~~~~~~~
              devm_gpio_free
>> drivers/spi/spi.c:2065:14: error: 'GPIOD_ASIS' undeclared (first use in this function); did you mean 'GPIOF_IN'?
           i, GPIOD_ASIS);
              ^~~~~~~~~~
              GPIOF_IN
   drivers/spi/spi.c:2065:14: note: each undeclared identifier is reported only once for each function it appears in
>> drivers/spi/spi.c:2068:12: error: implicit declaration of function 'desc_to_gpio'; did you mean 'irq_to_gpio'? [-Werror=implicit-function-declaration]
       cs[i] = desc_to_gpio(desc);
               ^~~~~~~~~~~~
               irq_to_gpio
   drivers/spi/spi.c: In function 'spi_unregister_controller':
   drivers/spi/spi.c:2306:6: warning: variable 'dummy' set but not used [-Wunused-but-set-variable]
     int dummy;
         ^~~~~
   cc1: some warnings being treated as errors

vim +2040 drivers/spi/spi.c

  2033
  2034    static int __spi_register_controller(struct spi_controller *ctlr)
  2035    {
  2036        int nb, i, *cs;
  2037        struct device_node *np = ctlr->dev.of_node;
  2038        struct gpio_desc *desc;
  2039
> 2040        nb = gpiod_count(&ctlr->dev, "cs");
  2041        ctlr->num_chipselect = max_t(int, nb, ctlr->num_chipselect);
  2042
  2043        /* Return error only for an incorrectly formed cs-gpios property */
  2044        if (nb == 0 || nb == -ENOENT)
  2045            return 0;
  2046        else if (nb < 0)
  2047            return nb;
  2048
  2049        cs = devm_kcalloc(&ctlr->dev, ctlr->num_chipselect, sizeof(int),
  2050                  GFP_KERNEL);
  2051        ctlr->cs_gpios = cs;
  2052
  2053        if (!ctlr->cs_gpios)
  2054            return -ENOMEM;
  2055
  2056        for (i = 0; i < ctlr->num_chipselect; i++)
  2057            cs[i] = -ENOENT;
  2058
  2059        if (IS_ENABLED(CONFIG_OF) && np) {
  2060            for (i = 0; i < nb; i++)
  2061                cs[i] = of_get_named_gpio(np, "cs-gpios", i);
  2062        } else if (IS_ENABLED(CONFIG_ACPI) && ACPI_HANDLE(&ctlr->dev)) {
  2063            for (i = 0; i < nb; i++) {
> 2064                desc = devm_gpiod_get_index(&ctlr->dev, "cs",
> 2065                                i, GPIOD_ASIS);
  2066                if (IS_ERR(desc))
  2067                    continue;
> 2068                cs[i] = desc_to_gpio(desc);
  2069            }
  2070        }
  2071        return 0;
  2072    }
  2073

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1 0/3] *** SUBJECT HERE ***
by dinglongwei 23 Jul '24

*** BLURB HERE ***

Christian A. Ehrhardt (2):
  of: Fix double free in of_parse_phandle_with_args_map
  of: unittest: Fix compile in the non-dynamic case

Geert Uytterhoeven (1):
  of: unittest: Fix of_count_phandle_with_args() expected value message

 drivers/of/base.c                           |  1 +
 drivers/of/unittest-data/tests-phandle.dtsi | 10 ++-
 drivers/of/unittest.c                       | 80 +++++++++++++--------
 3 files changed, 59 insertions(+), 32 deletions(-)

--
2.17.1
[PATCH OLK-6.6] HID: core: remove unnecessary WARN_ON() in implement()
by Wang Hai 22 Jul '24

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> stable inclusion from stable-v6.6.35 commit 30f76bc468b9b2cbbd5d3eb482661e3e4798893f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD00R CVE: CVE-2024-39509 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ] Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Fixes: 95d1c8951e5b ("HID: simplify implement() a bit") Reported-by: <syzbot+5186630949e3c55f0799(a)syzkaller.appspotmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> 
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/hid/hid-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index e0181218ad85..85ddeb13a3fa 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1448,7 +1448,6 @@ static void implement(const struct hid_device *hid, u8 *report, hid_warn(hid, "%s() called with too large value %d (n: %d)! (%s)\n", __func__, value, n, current->comm); - WARN_ON(1); value &= m; } } -- 2.17.1
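Review bot: With WARN_ON(1) removed from implement(), the hid_warn() call just above it is the only remaining signal, and the trace in the commit message shows this path is reached from hiddev_ioctl(), so a caller can repeat it at will and fill the kernel log. Consider switching the message to a rate-limited or once-only variant in the same change, so it stays useful for diagnosis without becoming a source of log flooding.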
[PATCH OLK-6.6] ptp: fix integer overflow in max_vclocks_store
by Wang Hai 22 Jul '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v6.6.36 commit 666e934d749e50a37f3796caaf843a605f115b6f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD0AS CVE: CVE-2024-40994 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 81d23d2a24012e448f651e007fac2cfd20a45ce0 ] On 32bit systems, the "4 * max" multiply can overflow. Use kcalloc() to do the allocation to prevent this. Fixes: 44c494c8e30e ("ptp: track available ptp vclocks information") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Wojciech Drewek <wojciech.drewek(a)intel.com> Reviewed-by: Jiri Pirko <jiri(a)nvidia.com> Reviewed-by: Heng Qi <hengqi(a)linux.alibaba.com> Link: https://lore.kernel.org/r/ee8110ed-6619-4bd7-9024-28c1f2ac24f4@moroto.mount… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/ptp/ptp_sysfs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c index 34ea5c16123a..aefc06ae5d09 100644 --- a/drivers/ptp/ptp_sysfs.c +++ b/drivers/ptp/ptp_sysfs.c @@ -294,8 +294,7 @@ static ssize_t max_vclocks_store(struct device *dev, if (max < ptp->n_vclocks) goto out; - size = sizeof(int) * max; - vclock_index = kzalloc(size, GFP_KERNEL); + vclock_index = kcalloc(max, sizeof(int), GFP_KERNEL); if (!vclock_index) { err = -ENOMEM; goto out; -- 2.17.1
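Review bot: In max_vclocks_store(), the only bound on max visible before the allocation is `max < ptp->n_vclocks`, so kcalloc(max, sizeof(int), GFP_KERNEL) removes the multiply overflow but still attempts whatever size a sysfs write asks for. Consider rejecting values above a sane upper limit before allocating. Also check that any remaining use of `size` later in the function assigns it first, since this hunk deletes its only visible assignment.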
[PATCH openEuler-22.03-LTS-SP1] HID: core: remove unnecessary WARN_ON() in implement()
by Wang Hai 22 Jul '24

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> stable inclusion from stable-v5.10.221 commit 33f6832798dd3297317901cc1db556ac3ae80c24 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD00R CVE: CVE-2024-39509 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ] Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Fixes: 95d1c8951e5b ("HID: simplify implement() a bit") Reported-by: <syzbot+5186630949e3c55f0799(a)syzkaller.appspotmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> 
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/hid/hid-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 2f512814a111..6474aa50931c 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1429,7 +1429,6 @@ static void implement(const struct hid_device *hid, u8 *report, hid_warn(hid, "%s() called with too large value %d (n: %d)! (%s)\n", __func__, value, n, current->comm); - WARN_ON(1); value &= m; } } -- 2.17.1
[PATCH OLK-5.10] HID: core: remove unnecessary WARN_ON() in implement()
by Wang Hai 22 Jul '24

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> stable inclusion from stable-v5.10.221 commit 33f6832798dd3297317901cc1db556ac3ae80c24 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD00R CVE: CVE-2024-39509 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ] Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Fixes: 95d1c8951e5b ("HID: simplify implement() a bit") Reported-by: <syzbot+5186630949e3c55f0799(a)syzkaller.appspotmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> 
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/hid/hid-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index 476967ab6294..5281d693b32d 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1446,7 +1446,6 @@ static void implement(const struct hid_device *hid, u8 *report, hid_warn(hid, "%s() called with too large value %d (n: %d)! (%s)\n", __func__, value, n, current->comm); - WARN_ON(1); value &= m; } } -- 2.17.1
[PATCH openEuler-1.0-LTS] HID: core: remove unnecessary WARN_ON() in implement()
by Wang Hai 22 Jul '24

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> stable inclusion from stable-v5.10.221 commit 33f6832798dd3297317901cc1db556ac3ae80c24 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD00R CVE: CVE-2024-39509 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4aa2dcfbad538adf7becd0034a3754e1bd01b2b5 ] Syzkaller hit a warning [1] in a call to implement() when trying to write a value into a field of smaller size in an output report. Since implement() already has a warn message printed out with the help of hid_warn() and value in question gets trimmed with: ... value &= m; ... WARN_ON may be considered superfluous. Remove it to suppress future syzkaller triggers. [1] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 implement drivers/hid/hid-core.c:1451 [inline] WARNING: CPU: 0 PID: 5084 at drivers/hid/hid-core.c:1451 hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 Modules linked in: CPU: 0 PID: 5084 Comm: syz-executor424 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 RIP: 0010:implement drivers/hid/hid-core.c:1451 [inline] RIP: 0010:hid_output_report+0x548/0x760 drivers/hid/hid-core.c:1863 ... Call Trace: <TASK> __usbhid_submit_report drivers/hid/usbhid/hid-core.c:591 [inline] usbhid_submit_report+0x43d/0x9e0 drivers/hid/usbhid/hid-core.c:636 hiddev_ioctl+0x138b/0x1f00 drivers/hid/usbhid/hiddev.c:726 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Fixes: 95d1c8951e5b ("HID: simplify implement() a bit") Reported-by: <syzbot+5186630949e3c55f0799(a)syzkaller.appspotmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> 
Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- drivers/hid/hid-core.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index e70ac6d16ea8..4b12809b5a3b 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1241,7 +1241,6 @@ static void implement(const struct hid_device *hid, u8 *report, hid_warn(hid, "%s() called with too large value %d (n: %d)! (%s)\n", __func__, value, n, current->comm); - WARN_ON(1); value &= m; } } -- 2.17.1