- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] apparmor: Fix null pointer deref when receiving skb during sock creation
by Gu Bowen 28 Aug '24

28 Aug '24

From: Xiao Liang <shaw.leon(a)gmail.com> stable inclusion from stable-v5.10.224 commit 347dcb84a4874b5fb375092c08d8cc4069b94f81 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKPW7 CVE: CVE-2023-52889 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit fce09ea314505a52f2436397608fa0a5d0934fb1 ] The panic below is observed when receiving ICMP packets with secmark set while an ICMP raw socket is being created. SK_CTX(sk)->label is updated in apparmor_socket_post_create(), but the packet is delivered to the socket before that, causing the null pointer dereference. Drop the packet if label context is not set. BUG: kernel NULL pointer dereference, address: 000000000000004c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020 RIP: 0010:aa_label_next_confined+0xb/0x40 Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2 RSP: 0018:ffffa92940003b08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002 R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400 R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 FS: 00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0 PKRU: 55555554 Call Trace: <IRQ> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? aa_label_next_confined+0xb/0x40 apparmor_secmark_check+0xec/0x330 security_sock_rcv_skb+0x35/0x50 sk_filter_trim_cap+0x47/0x250 sock_queue_rcv_skb_reason+0x20/0x60 raw_rcv+0x13c/0x210 raw_local_deliver+0x1f3/0x250 ip_protocol_deliver_rcu+0x4f/0x2f0 ip_local_deliver_finish+0x76/0xa0 __netif_receive_skb_one_core+0x89/0xa0 netif_receive_skb+0x119/0x170 ? __netdev_alloc_skb+0x3d/0x140 vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a] __napi_poll+0x28/0x1b0 net_rx_action+0x2a4/0x380 __do_softirq+0xd1/0x2c8 __irq_exit_rcu+0xbb/0xf0 common_interrupt+0x86/0xa0 </IRQ> <TASK> asm_common_interrupt+0x26/0x40 RIP: 0010:apparmor_socket_post_create+0xb/0x200 Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48 RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286 RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003 R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748 ? __pfx_apparmor_socket_post_create+0x10/0x10 security_socket_post_create+0x4b/0x80 __sock_create+0x176/0x1f0 __sys_socket+0x89/0x100 __x64_sys_socket+0x17/0x20 do_syscall_64+0x5d/0x90 ? do_syscall_64+0x6c/0x90 ? do_syscall_64+0x6c/0x90 ? do_syscall_64+0x6c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fixes: ab9f2115081a ("apparmor: Allow filtering based on secmark policy") Signed-off-by: Xiao Liang <shaw.leon(a)gmail.com> Signed-off-by: John Johansen <john.johansen(a)canonical.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- security/apparmor/lsm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 052f1b920e43..37aa1650c74e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1048,6 +1048,13 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) if (!skb->secmark) return 0; + /* + * If reach here before socket_post_create hook is called, in which + * case label is null, drop the packet. + */ + if (!ctx->label) + return -EACCES; + return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, skb->secmark, sk); } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] io_uring: add a schedule point in io_add_buffers()
by Zizhi Wo 28 Aug '24

28 Aug '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-5.10.103 commit 4a93c6594613c3429b6f30136fff115c7f803af4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALQ20 CVE: CVE-2022-48937 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- commit f240762f88b4b1b58561939ffd44837759756477 upstream. Looping ~65535 times doing kmalloc() calls can trigger soft lockups, especially with DEBUG features (like KASAN). [ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575] [ 253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O) [ 253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S O 5.17.0-smp-DEV #801 [ 253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98) [ 253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40 [ 253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246 [ 253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001 [ 253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a [ 253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004 [ 253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380 [ 253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0 [ 253.544483] FS: 00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000 [ 253.544486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0 [ 253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 253.544494] Call Trace: [ 253.544496] <TASK> [ 253.544498] ? io_queue_sqe (fs/io_uring.c:7143) [ 253.544505] __kernel_text_address (kernel/extable.c:78) [ 253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19) [ 253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27) [ 253.544517] ? io_queue_sqe (fs/io_uring.c:7143) [ 253.544521] stack_trace_save (kernel/stacktrace.c:123) [ 253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524) [ 253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544544] ? __io_queue_sqe (fs/io_uring.c:?) [ 253.544551] __kasan_kmalloc (mm/kasan/common.c:524) [ 253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) [ 253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546) [ 253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078) [ 253.544578] ? io_submit_sqes (fs/io_uring.c:7441) [ 253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096) [ 253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096) [ 253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [ 253.544590] ? entry_SYSCALL_64_after_hwframe (??:?) [ 253.544596] __io_queue_sqe (fs/io_uring.c:?) [ 253.544600] io_queue_sqe (fs/io_uring.c:7143) [ 253.544603] io_submit_sqe (fs/io_uring.c:?) [ 253.544608] io_submit_sqes (fs/io_uring.c:?) [ 253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096) [ 253.544616] __x64_sys_io_uring_enter (fs/io_uring.c:10096) [ 253.544619] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [ 253.544623] entry_SYSCALL_64_after_hwframe (??:?) Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Pavel Begunkov <asml.silence(a)gmail.com> Cc: io-uring <io-uring(a)vger.kernel.org> Reported-by: syzbot <syzkaller(a)googlegroups.com> Link: https://lore.kernel.org/r/20220215041003.2394784-1-eric.dumazet@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index dde9205fc287..411b7491f3f5 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3647,6 +3647,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head) } else { list_add_tail(&buf->list, &(*head)->list); } + cond_resched(); } return i ? i : -ENOMEM; -- 2.39.2

2 1

[openeuler:openEuler-1.0-LTS 17746/23570] drivers/dax/.tmp_bus.o: warning: objtool: __dax_driver_register()+0xd5: unreachable instruction
by kernel test robot 28 Aug '24

28 Aug '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 7ad52b4435297d752bdb8c2fce6524544448d4af commit: 9bb67bd58e6a7e3ef00793b4966be7bb0a346830 [17746/23570] Intel: device-dax: Add support for a dax override driver config: x86_64-buildonly-randconfig-004-20240825 (https://download.01.org/0day-ci/archive/20240828/202408281448.DeW129VU-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240828/202408281448.DeW129VU-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408281448.DeW129VU-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/dax/.tmp_bus.o: warning: objtool: __dax_driver_register()+0xd5: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 7193/13757] mm/page_alloc.c:4110:9: error: implicit declaration of function 'dynamic_pool_should_alloc' is invalid in C99
by kernel test robot 28 Aug '24

28 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: e59105d1ac962dacde2b6480857e834f97ca108e commit: fd855715f24e3eeadaa56de5fde21c55a14aeea0 [7193/13757] mm/mem_reliable: Fallback to dpool if reliable memory is not enough config: arm64-randconfig-003-20240827 (https://download.01.org/0day-ci/archive/20240828/202408281316.tzOrTedV-lkp@…) compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240828/202408281316.tzOrTedV-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408281316.tzOrTedV-lkp@intel.com/ All errors (new ones prefixed by >>): >> mm/page_alloc.c:4110:9: error: implicit declaration of function 'dynamic_pool_should_alloc' is invalid in C99 [-Werror,-Wimplicit-function-declaration] return dynamic_pool_should_alloc(gfp_mask & ~GFP_RELIABLE, order); ^ 1 error generated. vim +/dynamic_pool_should_alloc +4110 mm/page_alloc.c 4101 4102 static inline bool mem_reliable_fallback_dpool(gfp_t gfp_mask, unsigned int order) 4103 { 4104 if (!reliable_allow_fb_enabled()) 4105 return false; 4106 4107 if (!(gfp_mask & GFP_RELIABLE)) 4108 return false; 4109 > 4110 return dynamic_pool_should_alloc(gfp_mask & ~GFP_RELIABLE, order); 4111 } 4112 #else 4113 static inline struct zone *mem_reliable_fallback_zone(gfp_t gfp_mask, 4114 struct alloc_context *ac) 4115 { 4116 return NULL; 4117 } 4118 static inline void mem_reliable_fallback_slowpath(gfp_t gfp_mask, 4119 struct alloc_context *ac) {} 4120 static inline bool mem_reliable_fallback_dpool(gfp_t gfp_mask, unsigned int order) 4121 { 4122 return false; 4123 } 4124 #endif 4125 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 27370/30000] arch/x86/kvm/x86.c:805:5: warning: no previous prototype for 'kvm_read_guest_page_mmu'
by kernel test robot 28 Aug '24

28 Aug '24

Hi Sean, FYI, the error/warning was bisected to this commit, please ignore it if it's irrelevant. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: d96e94294726506c2893c3a71305c65168c22526 commit: aeaeb4dcb428b870d4207cc0fae7c125b7522406 [27370/30000] KVM: x86: Subsume nested GPA read helper into load_pdptrs() config: x86_64-buildonly-randconfig-005-20240828 (https://download.01.org/0day-ci/archive/20240828/202408281227.MN7ngvtP-lkp@…) compiler: gcc-11 (Debian 11.3.0-12) 11.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240828/202408281227.MN7ngvtP-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408281227.MN7ngvtP-lkp@intel.com/ All warnings (new ones prefixed by >>): >> arch/x86/kvm/x86.c:805:5: warning: no previous prototype for 'kvm_read_guest_page_mmu' [-Wmissing-prototypes] 805 | int kvm_read_guest_page_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, | ^~~~~~~~~~~~~~~~~~~~~~~ arch/x86/kvm/x86.c:900:6: warning: no previous prototype for 'kvm_post_set_cr0' [-Wmissing-prototypes] 900 | void kvm_post_set_cr0(struct kvm_vcpu *vcpu, unsigned long old_cr0, unsigned long cr0) | ^~~~~~~~~~~~~~~~ arch/x86/kvm/x86.c:1081:6: warning: no previous prototype for 'kvm_post_set_cr4' [-Wmissing-prototypes] 1081 | void kvm_post_set_cr4(struct kvm_vcpu *vcpu, unsigned long old_cr4, unsigned long cr4) | ^~~~~~~~~~~~~~~~ vim +/kvm_read_guest_page_mmu +805 arch/x86/kvm/x86.c 16f8a6f9798ab9 Nadav Amit 2014-10-03 799 ec92fe44e7ff94 Joerg Roedel 2010-09-10 800 /* ec92fe44e7ff94 Joerg Roedel 2010-09-10 801 * This function will be used to read from the physical memory of the currently 54bf36aac52031 Paolo Bonzini 2015-04-08 802 * running guest. The difference to kvm_vcpu_read_guest_page is that this function ec92fe44e7ff94 Joerg Roedel 2010-09-10 803 * can read from guest physical or from the guest's guest physical memory. ec92fe44e7ff94 Joerg Roedel 2010-09-10 804 */ ec92fe44e7ff94 Joerg Roedel 2010-09-10 @805 int kvm_read_guest_page_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, ec92fe44e7ff94 Joerg Roedel 2010-09-10 806 gfn_t ngfn, void *data, int offset, int len, ec92fe44e7ff94 Joerg Roedel 2010-09-10 807 u32 access) ec92fe44e7ff94 Joerg Roedel 2010-09-10 808 { 54987b7afa902e Paolo Bonzini 2014-09-02 809 struct x86_exception exception; ec92fe44e7ff94 Joerg Roedel 2010-09-10 810 gfn_t real_gfn; ec92fe44e7ff94 Joerg Roedel 2010-09-10 811 gpa_t ngpa; ec92fe44e7ff94 Joerg Roedel 2010-09-10 812 ec92fe44e7ff94 Joerg Roedel 2010-09-10 813 ngpa = gfn_to_gpa(ngfn); 54987b7afa902e Paolo Bonzini 2014-09-02 814 real_gfn = mmu->translate_gpa(vcpu, ngpa, access, &exception); ec92fe44e7ff94 Joerg Roedel 2010-09-10 815 if (real_gfn == UNMAPPED_GVA) ec92fe44e7ff94 Joerg Roedel 2010-09-10 816 return -EFAULT; ec92fe44e7ff94 Joerg Roedel 2010-09-10 817 ec92fe44e7ff94 Joerg Roedel 2010-09-10 818 real_gfn = gpa_to_gfn(real_gfn); ec92fe44e7ff94 Joerg Roedel 2010-09-10 819 54bf36aac52031 Paolo Bonzini 2015-04-08 820 return kvm_vcpu_read_guest_page(vcpu, real_gfn, data, offset, len); ec92fe44e7ff94 Joerg Roedel 2010-09-10 821 } ec92fe44e7ff94 Joerg Roedel 2010-09-10 822 EXPORT_SYMBOL_GPL(kvm_read_guest_page_mmu); ec92fe44e7ff94 Joerg Roedel 2010-09-10 823 :::::: The code at line 805 was first introduced by commit :::::: ec92fe44e7ff94d04d8305e49efcffd8773e1cf6 KVM: X86: Add kvm_read_guest_page_mmu function :::::: TO: Joerg Roedel <joerg.roedel(a)amd.com> :::::: CC: Avi Kivity <avi(a)redhat.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] wifi: cfg80211: Avoid Wdiscarded-qualifiers warning
by Yue Haibing 28 Aug '24

28 Aug '24

Commit 591481cccbad trigger a warning: In file included from ./include/net/genetlink.h:6, from net/wireless/nl80211.c:25: net/wireless/nl80211.c:692:69: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 692 | [NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range), | ^ ./include/net/netlink.h:407:18: note: in definition of macro 'NLA_POLICY_FULL_RANGE' 407 | .range = _range, \ | ^~~~~~ Remove const qualifier to fix this. Fixes: 591481cccbad ("wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values") Signed-off-by: Yue Haibing <yuehaibing(a)huawei.com> --- net/wireless/nl80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 89b94d482fcf..674a0d54aff8 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -403,7 +403,7 @@ nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + .len = IEEE80211_MAX_DATA_LEN } }; -static const struct netlink_range_validation q_range = { +static struct netlink_range_validation q_range = { .max = INT_MAX, }; -- 2.34.1

2 1

[openeuler:OLK-6.6 7193/13757] mm/page_alloc.c:4110:9: error: call to undeclared function 'dynamic_pool_should_alloc'; ISO C99 and later do not support implicit function declarations
by kernel test robot 28 Aug '24

28 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: e59105d1ac962dacde2b6480857e834f97ca108e commit: fd855715f24e3eeadaa56de5fde21c55a14aeea0 [7193/13757] mm/mem_reliable: Fallback to dpool if reliable memory is not enough config: arm64-randconfig-r064-20240828 (https://download.01.org/0day-ci/archive/20240828/202408281109.dl4CIWeu-lkp@…) compiler: clang version 15.0.7 (https://github.com/llvm/llvm-project 8dfdcc7b7bf66834a761bd8de445840ef68e4d1a) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240828/202408281109.dl4CIWeu-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408281109.dl4CIWeu-lkp@intel.com/ All errors (new ones prefixed by >>): >> mm/page_alloc.c:4110:9: error: call to undeclared function 'dynamic_pool_should_alloc'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration] return dynamic_pool_should_alloc(gfp_mask & ~GFP_RELIABLE, order); ^ 1 error generated. vim +/dynamic_pool_should_alloc +4110 mm/page_alloc.c 4101 4102 static inline bool mem_reliable_fallback_dpool(gfp_t gfp_mask, unsigned int order) 4103 { 4104 if (!reliable_allow_fb_enabled()) 4105 return false; 4106 4107 if (!(gfp_mask & GFP_RELIABLE)) 4108 return false; 4109 > 4110 return dynamic_pool_should_alloc(gfp_mask & ~GFP_RELIABLE, order); 4111 } 4112 #else 4113 static inline struct zone *mem_reliable_fallback_zone(gfp_t gfp_mask, 4114 struct alloc_context *ac) 4115 { 4116 return NULL; 4117 } 4118 static inline void mem_reliable_fallback_slowpath(gfp_t gfp_mask, 4119 struct alloc_context *ac) {} 4120 static inline bool mem_reliable_fallback_dpool(gfp_t gfp_mask, unsigned int order) 4121 { 4122 return false; 4123 } 4124 #endif 4125 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-22.03-LTS-SP1] scsi: qla2xxx: validate nvme_local_port correctly
by He Yujie 28 Aug '24

28 Aug '24

From: Nilesh Javali <njavali(a)marvell.com> mainline inclusion from mainline-v6.11-rc1 commit eb1d4ce2609584eeb7694866f34d4b213caa3af9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ0D CVE: CVE-2024-42286 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000 RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000 RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030 R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4 R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8 FS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0 Call Trace: qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx] ? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx] qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx] qla_register_fcport_fn+0x54/0xc0 [qla2xxx] Exit the qla_nvme_register_remote() function when qla_nvme_register_hba() fails and correctly validate nvme_local_port. Cc: stable(a)vger.kernel.org Signed-off-by: Nilesh Javali <njavali(a)marvell.com> Link: https://lore.kernel.org/r/20240710171057.35066-3-njavali@marvell.com Reviewed-by: Himanshu Madhani <himanshu.madhani(a)oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: He Yujie <coka.heyujie(a)huawei.com> --- drivers/scsi/qla2xxx/qla_nvme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c index d63ccdf6e988..f898a9cc8d06 100644 --- a/drivers/scsi/qla2xxx/qla_nvme.c +++ b/drivers/scsi/qla2xxx/qla_nvme.c @@ -27,7 +27,10 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport) return 0; } - if (!vha->nvme_local_port && qla_nvme_register_hba(vha)) + if (qla_nvme_register_hba(vha)) + return 0; + + if (!vha->nvme_local_port) return 0; if (!(fcport->nvme_prli_service_param & -- 2.34.1

2 1

[PATCH OLK-5.10] scsi: qla2xxx: validate nvme_local_port correctly
by He Yujie 28 Aug '24

28 Aug '24

From: Nilesh Javali <njavali(a)marvell.com> mainline inclusion from mainline-v6.11-rc1 commit eb1d4ce2609584eeb7694866f34d4b213caa3af9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ0D CVE: CVE-2024-42286 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000 RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000 RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030 R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4 R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8 FS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0 Call Trace: qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx] ? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx] qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx] qla_register_fcport_fn+0x54/0xc0 [qla2xxx] Exit the qla_nvme_register_remote() function when qla_nvme_register_hba() fails and correctly validate nvme_local_port. Cc: stable(a)vger.kernel.org Signed-off-by: Nilesh Javali <njavali(a)marvell.com> Link: https://lore.kernel.org/r/20240710171057.35066-3-njavali@marvell.com Reviewed-by: Himanshu Madhani <himanshu.madhani(a)oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: He Yujie <coka.heyujie(a)huawei.com> --- drivers/scsi/qla2xxx/qla_nvme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c index 6dad7787f20d..28a5b40e0f32 100644 --- a/drivers/scsi/qla2xxx/qla_nvme.c +++ b/drivers/scsi/qla2xxx/qla_nvme.c @@ -27,7 +27,10 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport) return 0; } - if (!vha->nvme_local_port && qla_nvme_register_hba(vha)) + if (qla_nvme_register_hba(vha)) + return 0; + + if (!vha->nvme_local_port) return 0; if (!(fcport->nvme_prli_service_param & -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] scsi: qla2xxx: validate nvme_local_port correctly
by He Yujie 28 Aug '24

28 Aug '24

From: Nilesh Javali <njavali(a)marvell.com> mainline inclusion from mainline-v6.11-rc1 commit eb1d4ce2609584eeb7694866f34d4b213caa3af9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ0D CVE: CVE-2024-42286 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The driver load failed with error message, qla2xxx [0000:04:00.0]-ffff:0: register_localport failed: ret=ffffffef and with a kernel crash, BUG: unable to handle kernel NULL pointer dereference at 0000000000000070 Workqueue: events_unbound qla_register_fcport_fn [qla2xxx] RIP: 0010:nvme_fc_register_remoteport+0x16/0x430 [nvme_fc] RSP: 0018:ffffaaa040eb3d98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff9dfb46b78c00 RCX: 0000000000000000 RDX: ffff9dfb46b78da8 RSI: ffffaaa040eb3e08 RDI: 0000000000000000 RBP: ffff9dfb612a0a58 R08: ffffffffaf1d6270 R09: 3a34303a30303030 R10: 34303a303030305b R11: 2078787832616c71 R12: ffff9dfb46b78dd4 R13: ffff9dfb46b78c24 R14: ffff9dfb41525300 R15: ffff9dfb46b78da8 FS: 0000000000000000(0000) GS:ffff9dfc67c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000070 CR3: 000000018da10004 CR4: 00000000000206f0 Call Trace: qla_nvme_register_remote+0xeb/0x1f0 [qla2xxx] ? qla2x00_dfs_create_rport+0x231/0x270 [qla2xxx] qla2x00_update_fcport+0x2a1/0x3c0 [qla2xxx] qla_register_fcport_fn+0x54/0xc0 [qla2xxx] Exit the qla_nvme_register_remote() function when qla_nvme_register_hba() fails and correctly validate nvme_local_port. Cc: stable(a)vger.kernel.org Signed-off-by: Nilesh Javali <njavali(a)marvell.com> Link: https://lore.kernel.org/r/20240710171057.35066-3-njavali@marvell.com Reviewed-by: Himanshu Madhani <himanshu.madhani(a)oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: He Yujie <coka.heyujie(a)huawei.com> --- drivers/scsi/qla2xxx/qla_nvme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c index db367e428095..daa412667d6e 100644 --- a/drivers/scsi/qla2xxx/qla_nvme.c +++ b/drivers/scsi/qla2xxx/qla_nvme.c @@ -30,7 +30,10 @@ int qla_nvme_register_remote(struct scsi_qla_host *vha, struct fc_port *fcport) return 0; } - if (!vha->nvme_local_port && qla_nvme_register_hba(vha)) + if (qla_nvme_register_hba(vha)) + return 0; + + if (!vha->nvme_local_port) return 0; if (!(fcport->nvme_prli_service_param & -- 2.34.1

2 1