- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
by Zhengchao Shao 08 Jun '24

08 Jun '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v6.6.31 commit 8745a8d74ba17dafe72b6ab461fa6c007d879747 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TM8A CVE: CVE-2024-36902 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit d101291b2681e5ab938554e3e323f7a7ee33e3aa ] syzbot is able to trigger the following crash [1], caused by unsafe ip6_dst_idev() use. Indeed ip6_dst_idev() can return NULL, and must always be checked. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline] RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267 Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700 RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760 RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000 R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00 FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317 fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108 ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline] ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649 ip6_route_output include/net/ip6_route.h:93 [inline] ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120 ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250 sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326 sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455 sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662 sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099 __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 5e5f3f0f8013 ("[IPV6] ADDRCONF: Convert ipv6_get_saddr() to ipv6_dev_get_saddr().") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Link: https://lore.kernel.org/r/20240507163145.835254-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ipv6/fib6_rules.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index be52b18e08a6..6eeab21512ba 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -233,8 +233,12 @@ static int __fib6_rule_action(struct fib_rule *rule, struct flowi *flp, rt = pol_lookup_func(lookup, net, table, flp6, arg->lookup_data, flags); if (rt != net->ipv6.ip6_null_entry) { + struct inet6_dev *idev = ip6_dst_idev(&rt->dst); + + if (!idev) + goto again; err = fib6_rule_saddr(net, rule, flags, flp6, - ip6_dst_idev(&rt->dst)->dev); + idev->dev); if (err == -EAGAIN) goto again; -- 2.34.1

2 1

[openeuler:openEuler-1.0-LTS 18949/22827] mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
by kernel test robot 08 Jun '24

08 Jun '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 6a98543755cf2f636ae3169f3774d226d328d2cf commit: ff0fb9e816fac221fa24a1810dd895745406070b [18949/22827] mm: thp: Add memory reliable support for hugepaged collapse config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240608/202406081538.GZO9E4bP-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce: (https://download.01.org/0day-ci/archive/20240608/202406081538.GZO9E4bP-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406081538.GZO9E4bP-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |= mm/khugepaged.c:974:21: sparse: left side has type restricted gfp_t mm/khugepaged.c:974:21: sparse: right side has type unsigned int mm/khugepaged.c:1352:21: sparse: sparse: invalid assignment: |= mm/khugepaged.c:1352:21: sparse: left side has type restricted gfp_t mm/khugepaged.c:1352:21: sparse: right side has type unsigned int mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1378:9: sparse: expected void **slot mm/khugepaged.c:1378:9: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1378:9: sparse: expected void **slot mm/khugepaged.c:1378:9: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1409:56: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1409:56: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1409:56: sparse: got void **slot mm/khugepaged.c:1458:22: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1458:22: sparse: expected void **slot mm/khugepaged.c:1458:22: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1459:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1459:17: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1459:17: sparse: got void **slot mm/khugepaged.c:1483:60: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1483:60: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1483:60: sparse: got void **slot mm/khugepaged.c:1486:47: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1486:47: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1486:47: sparse: got void **slot mm/khugepaged.c:1486:22: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1486:22: sparse: expected void **slot mm/khugepaged.c:1486:22: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1378:9: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1378:9: sparse: got void **slot mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1378:9: sparse: expected void **slot mm/khugepaged.c:1378:9: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1578:17: sparse: expected void **slot mm/khugepaged.c:1578:17: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1578:17: sparse: expected void **slot mm/khugepaged.c:1578:17: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1597:68: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1597:68: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1597:68: sparse: got void **slot mm/khugepaged.c:1598:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1598:55: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1598:55: sparse: got void **slot mm/khugepaged.c:1598:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1598:30: sparse: expected void **slot mm/khugepaged.c:1598:30: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1578:17: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1578:17: sparse: got void **slot mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1578:17: sparse: expected void **slot mm/khugepaged.c:1578:17: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1633:9: sparse: expected void **slot mm/khugepaged.c:1633:9: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1633:9: sparse: expected void **slot mm/khugepaged.c:1633:9: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1637:46: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1637:46: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1637:46: sparse: got void **slot mm/khugepaged.c:1639:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1639:30: sparse: expected void **slot mm/khugepaged.c:1639:30: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1682:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1682:55: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1682:55: sparse: got void **slot mm/khugepaged.c:1682:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1682:30: sparse: expected void **slot mm/khugepaged.c:1682:30: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@ mm/khugepaged.c:1633:9: sparse: expected void [noderef] <asn:4> **slot mm/khugepaged.c:1633:9: sparse: got void **slot mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@ mm/khugepaged.c:1633:9: sparse: expected void **slot mm/khugepaged.c:1633:9: sparse: got void [noderef] <asn:4> ** mm/khugepaged.c: note: in included file (through include/linux/mm.h): include/linux/gfp.h:457:34: sparse: sparse: restricted gfp_t degrades to integer mm/khugepaged.c:1336: warning: Function parameter or member 'mm' not described in 'collapse_shmem' mm/khugepaged.c:1336: warning: Function parameter or member 'mapping' not described in 'collapse_shmem' mm/khugepaged.c:1336: warning: Function parameter or member 'start' not described in 'collapse_shmem' mm/khugepaged.c:1336: warning: Function parameter or member 'hpage' not described in 'collapse_shmem' mm/khugepaged.c:1336: warning: Function parameter or member 'node' not described in 'collapse_shmem' mm/khugepaged.c:1336: warning: Function parameter or member 'reliable' not described in 'collapse_shmem' vim +974 mm/khugepaged.c 949 950 static void collapse_huge_page(struct mm_struct *mm, 951 unsigned long address, 952 struct page **hpage, 953 int node, int referenced, int unmapped, 954 bool reliable) 955 { 956 pmd_t *pmd, _pmd; 957 pte_t *pte; 958 pgtable_t pgtable; 959 struct page *new_page; 960 spinlock_t *pmd_ptl, *pte_ptl; 961 int isolated = 0, result = 0; 962 struct mem_cgroup *memcg; 963 struct vm_area_struct *vma; 964 unsigned long mmun_start; /* For mmu_notifiers */ 965 unsigned long mmun_end; /* For mmu_notifiers */ 966 gfp_t gfp; 967 968 VM_BUG_ON(address & ~HPAGE_PMD_MASK); 969 970 /* Only allocate from the target node */ 971 gfp = alloc_hugepage_khugepaged_gfpmask() | __GFP_THISNODE; 972 973 if (reliable) > 974 gfp |= ___GFP_RELIABILITY; 975 976 /* 977 * Before allocating the hugepage, release the mmap_sem read lock. 978 * The allocation can take potentially a long time if it involves 979 * sync compaction, and we do not need to hold the mmap_sem during 980 * that. We will recheck the vma after taking it again in write mode. 981 */ 982 up_read(&mm->mmap_sem); 983 new_page = khugepaged_alloc_page(hpage, gfp, node); 984 if (!new_page) { 985 result = SCAN_ALLOC_HUGE_PAGE_FAIL; 986 goto out_nolock; 987 } 988 989 if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) { 990 result = SCAN_CGROUP_CHARGE_FAIL; 991 goto out_nolock; 992 } 993 994 down_read(&mm->mmap_sem); 995 result = hugepage_vma_revalidate(mm, address, &vma); 996 if (result) { 997 mem_cgroup_cancel_charge(new_page, memcg, true); 998 up_read(&mm->mmap_sem); 999 goto out_nolock; 1000 } 1001 1002 pmd = mm_find_pmd(mm, address); 1003 if (!pmd) { 1004 result = SCAN_PMD_NULL; 1005 mem_cgroup_cancel_charge(new_page, memcg, true); 1006 up_read(&mm->mmap_sem); 1007 goto out_nolock; 1008 } 1009 1010 /* 1011 * __collapse_huge_page_swapin always returns with mmap_sem locked. 1012 * If it fails, we release mmap_sem and jump out_nolock. 1013 * Continuing to collapse causes inconsistency. 1014 */ 1015 if (unmapped && !__collapse_huge_page_swapin(mm, vma, address, 1016 pmd, referenced)) { 1017 mem_cgroup_cancel_charge(new_page, memcg, true); 1018 up_read(&mm->mmap_sem); 1019 goto out_nolock; 1020 } 1021 1022 up_read(&mm->mmap_sem); 1023 /* 1024 * Prevent all access to pagetables with the exception of 1025 * gup_fast later handled by the ptep_clear_flush and the VM 1026 * handled by the anon_vma lock + PG_lock. 1027 */ 1028 down_write(&mm->mmap_sem); 1029 result = hugepage_vma_revalidate(mm, address, &vma); 1030 if (result) 1031 goto out; 1032 /* check if the pmd is still valid */ 1033 if (mm_find_pmd(mm, address) != pmd) 1034 goto out; 1035 1036 anon_vma_lock_write(vma->anon_vma); 1037 1038 pte = pte_offset_map(pmd, address); 1039 pte_ptl = pte_lockptr(mm, pmd); 1040 1041 mmun_start = address; 1042 mmun_end = address + HPAGE_PMD_SIZE; 1043 mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end); 1044 pmd_ptl = pmd_lock(mm, pmd); /* probably unnecessary */ 1045 /* 1046 * After this gup_fast can't run anymore. This also removes 1047 * any huge TLB entry from the CPU so we won't allow 1048 * huge and small TLB entries for the same virtual address 1049 * to avoid the risk of CPU bugs in that area. 1050 */ 1051 _pmd = pmdp_collapse_flush(vma, address, pmd); 1052 spin_unlock(pmd_ptl); 1053 mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end); 1054 1055 spin_lock(pte_ptl); 1056 isolated = __collapse_huge_page_isolate(vma, address, pte); 1057 spin_unlock(pte_ptl); 1058 1059 if (unlikely(!isolated)) { 1060 pte_unmap(pte); 1061 spin_lock(pmd_ptl); 1062 BUG_ON(!pmd_none(*pmd)); 1063 /* 1064 * We can only use set_pmd_at when establishing 1065 * hugepmds and never for establishing regular pmds that 1066 * points to regular pagetables. Use pmd_populate for that 1067 */ 1068 pmd_populate(mm, pmd, pmd_pgtable(_pmd)); 1069 spin_unlock(pmd_ptl); 1070 anon_vma_unlock_write(vma->anon_vma); 1071 result = SCAN_FAIL; 1072 goto out; 1073 } 1074 1075 /* 1076 * All pages are isolated and locked so anon_vma rmap 1077 * can't run anymore. 1078 */ 1079 anon_vma_unlock_write(vma->anon_vma); 1080 1081 __collapse_huge_page_copy(pte, new_page, vma, address, pte_ptl); 1082 pte_unmap(pte); 1083 __SetPageUptodate(new_page); 1084 pgtable = pmd_pgtable(_pmd); 1085 1086 _pmd = mk_huge_pmd(new_page, vma->vm_page_prot); 1087 _pmd = maybe_pmd_mkwrite(pmd_mkdirty(_pmd), vma); 1088 1089 /* 1090 * spin_lock() below is not the equivalent of smp_wmb(), so 1091 * this is needed to avoid the copy_huge_page writes to become 1092 * visible after the set_pmd_at() write. 1093 */ 1094 smp_wmb(); 1095 1096 spin_lock(pmd_ptl); 1097 BUG_ON(!pmd_none(*pmd)); 1098 page_add_new_anon_rmap(new_page, vma, address, true); 1099 mem_cgroup_commit_charge(new_page, memcg, false, true); 1100 count_memcg_events(memcg, THP_COLLAPSE_ALLOC, 1); 1101 lru_cache_add_active_or_unevictable(new_page, vma); 1102 pgtable_trans_huge_deposit(mm, pmd, pgtable); 1103 set_pmd_at(mm, address, pmd, _pmd); 1104 update_mmu_cache_pmd(vma, address, pmd); 1105 spin_unlock(pmd_ptl); 1106 1107 *hpage = NULL; 1108 1109 khugepaged_pages_collapsed++; 1110 result = SCAN_SUCCEED; 1111 out_up_write: 1112 up_write(&mm->mmap_sem); 1113 out_nolock: 1114 trace_mm_collapse_huge_page(mm, isolated, result); 1115 return; 1116 out: 1117 mem_cgroup_cancel_charge(new_page, memcg, true); 1118 goto out_up_write; 1119 } 1120 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] wl1251: Fix possible buffer overflow in wl1251_cmd_scan
by Xia Fukun 08 Jun '24

08 Jun '24

From: Lee Gibson <leegib(a)gmail.com> stable inclusion from stable-v4.19.314 commit 115103f6e3f1c26c473766c16439c7c8b235529a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4BX CVE: CVE-2021-47347 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- [ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ] Function wl1251_cmd_scan calls memcpy without checking the length. Harden by checking the length is within the maximum allowed size. Signed-off-by: Lee Gibson <leegib(a)gmail.com> Signed-off-by: Kalle Valo <kvalo(a)codeaurora.org> Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c index 9547aea01b0f..ea0215246c5c 100644 --- a/drivers/net/wireless/ti/wl1251/cmd.c +++ b/drivers/net/wireless/ti/wl1251/cmd.c @@ -466,9 +466,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len, cmd->channels[i].channel = channels[i]->hw_value; } - cmd->params.ssid_len = ssid_len; - if (ssid) - memcpy(cmd->params.ssid, ssid, ssid_len); + if (ssid) { + int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN); + + cmd->params.ssid_len = len; + memcpy(cmd->params.ssid, ssid, len); + } ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd)); if (ret < 0) { -- 2.34.1

2 1

[PATCH OLK-6.6] ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()
by Cui GaoSheng 08 Jun '24

08 Jun '24

From: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> stable inclusion from stable-v6.6.31 commit 7db626d2730d3d80fd31638169054b1e507f07bf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UOP1 CVE: CVE-2024-36955 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c158cf914713efc3bcdc25680c7156c48c12ef6a ] The documentation for device_get_named_child_node() mentions this important point: " The caller is responsible for calling fwnode_handle_put() on the returned fwnode pointer. " Add fwnode_handle_put() to avoid a leaked reference. Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Fixes: 08c2a4bc9f2a ("ALSA: hda: move Intel SoundWire ACPI scan to dedicated module") Message-ID: <20240426152731.38420-1-pierre-louis.bossart(a)linux.intel.com> Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- sound/hda/intel-sdw-acpi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/hda/intel-sdw-acpi.c b/sound/hda/intel-sdw-acpi.c index b57d72ea4503..4e376994bf78 100644 --- a/sound/hda/intel-sdw-acpi.c +++ b/sound/hda/intel-sdw-acpi.c @@ -41,6 +41,8 @@ static bool is_link_enabled(struct fwnode_handle *fw_node, u8 idx) "intel-quirk-mask", &quirk_mask); + fwnode_handle_put(link); + if (quirk_mask & SDW_INTEL_QUIRK_MASK_BUS_DISABLE) return false; -- 2.34.1

2 1

[PATCH OLK-6.6] tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
by Cui GaoSheng 08 Jun '24

08 Jun '24

From: Daniel Starke <daniel.starke(a)siemens.com> stable inclusion from stable-v6.6.33 commit 2ab96b6e81d2a419d3e0d6bec043ea8f31eab86a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TAHR CVE: CVE-2024-36016 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream. Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: j51569436(a)gmail.com Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Starke <daniel.starke(a)siemens.com> Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/tty/n_gsm.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 0ee7531c9201..f8858865c5bb 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2912,7 +2912,10 @@ static void gsm0_receive(struct gsm_mux *gsm, unsigned char c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) { + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { /* Calculate final FCS for UI frames over all data */ if ((gsm->control & ~PF) != UIH) { gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf, @@ -3025,7 +3028,7 @@ static void gsm1_receive(struct gsm_mux *gsm, unsigned char c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
by Cui GaoSheng 08 Jun '24

08 Jun '24

From: Daniel Starke <daniel.starke(a)siemens.com> stable inclusion from stable-v5.10.219 commit a200355b429825c9331c1bd70d7bb895c2f06b7d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TAHR CVE: CVE-2024-36016 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream. Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: j51569436(a)gmail.com Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Starke <daniel.starke(a)siemens.com> Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/tty/n_gsm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 6cd87e71fecc..594be57f44ec 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2015,8 +2015,12 @@ static void gsm0_receive(struct gsm_mux *gsm, unsigned char c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { gsm->state = GSM_FCS; + } break; case GSM_FCS: /* FCS follows the packet */ gsm->received_fcs = c; @@ -2109,7 +2113,7 @@ static void gsm1_receive(struct gsm_mux *gsm, unsigned char c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else -- 2.34.1

2 1

[PATCH OLK-5.10] tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
by Cui GaoSheng 08 Jun '24

08 Jun '24

From: Daniel Starke <daniel.starke(a)siemens.com> stable inclusion from stable-v5.10.219 commit a200355b429825c9331c1bd70d7bb895c2f06b7d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TAHR CVE: CVE-2024-36016 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream. Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: j51569436(a)gmail.com Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Starke <daniel.starke(a)siemens.com> Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/tty/n_gsm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 3693ad9f4521..af2412450b10 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2019,8 +2019,12 @@ static void gsm0_receive(struct gsm_mux *gsm, unsigned char c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { gsm->state = GSM_FCS; + } break; case GSM_FCS: /* FCS follows the packet */ gsm->received_fcs = c; @@ -2113,7 +2117,7 @@ static void gsm1_receive(struct gsm_mux *gsm, unsigned char c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
by Cui GaoSheng 08 Jun '24

08 Jun '24

From: Daniel Starke <daniel.starke(a)siemens.com> stable inclusion from stable-v5.10.219 commit a200355b429825c9331c1bd70d7bb895c2f06b7d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TAHR CVE: CVE-2024-36016 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 47388e807f85948eefc403a8a5fdc5b406a65d5a upstream. Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: j51569436(a)gmail.com Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Starke <daniel.starke(a)siemens.com> Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/tty/n_gsm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 05d9064b4ee7..52a2e613b59a 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -1914,8 +1914,12 @@ static void gsm0_receive(struct gsm_mux *gsm, unsigned char c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { gsm->state = GSM_FCS; + } break; case GSM_FCS: /* FCS follows the packet */ gsm->received_fcs = c; @@ -1994,7 +1998,7 @@ static void gsm1_receive(struct gsm_mux *gsm, unsigned char c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1 v2] IB/IPoIB: Fix legacy IPoIB due to wrong number of queues
by Xiongfeng Wang 08 Jun '24

08 Jun '24

From: Dragos Tatulea <dtatulea(a)nvidia.com> stable inclusion from stable-v5.10.168 commit b1afb666c32931667c15ad1b58e7203f0119dcaf category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7URR4 CVE: CVE-2023-52745 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------- [ Upstream commit e632291a2dbce45a24cddeb5fe28fe71d724ba43 ] The cited commit creates child PKEY interfaces over netlink will multiple tx and rx queues, but some devices doesn't support more than 1 tx and 1 rx queues. This causes to a crash when traffic is sent over the PKEY interface due to the parent having a single queue but the child having multiple queues. This patch fixes the number of queues to 1 for legacy IPoIB at the earliest possible point in time. BUG: kernel NULL pointer dereference, address: 000000000000036b PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 4 PID: 209665 Comm: python3 Not tainted 6.1.0_for_upstream_min_debug_2022_12_12_17_02 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc+0xcb/0x450 Code: ce 7e 49 8b 50 08 49 83 78 10 00 4d 8b 28 0f 84 cb 02 00 00 4d 85 ed 0f 84 c2 02 00 00 41 8b 44 24 28 48 8d 4a 01 49 8b 3c 24 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 41 8b RSP: 0018:ffff88822acbbab8 EFLAGS: 00010202 RAX: 0000000000000070 RBX: ffff8881c28e3e00 RCX: 00000000064f8dae RDX: 00000000064f8dad RSI: 0000000000000a20 RDI: 0000000000030d00 RBP: 0000000000000a20 R08: ffff8882f5d30d00 R09: ffff888104032f40 R10: ffff88810fade828 R11: 736f6d6570736575 R12: ffff88810081c000 R13: 00000000000002fb R14: ffffffff817fc865 R15: 0000000000000000 FS: 00007f9324ff9700(0000) GS:ffff8882f5d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000036b CR3: 00000001125af004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> skb_clone+0x55/0xd0 ip6_finish_output2+0x3fe/0x690 ip6_finish_output+0xfa/0x310 ip6_send_skb+0x1e/0x60 udp_v6_send_skb+0x1e5/0x420 udpv6_sendmsg+0xb3c/0xe60 ? ip_mc_finish_output+0x180/0x180 ? __switch_to_asm+0x3a/0x60 ? __switch_to_asm+0x34/0x60 sock_sendmsg+0x33/0x40 __sys_sendto+0x103/0x160 ? _copy_to_user+0x21/0x30 ? kvm_clock_get_cycles+0xd/0x10 ? ktime_get_ts64+0x49/0xe0 __x64_sys_sendto+0x25/0x30 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f9374f1ed14 Code: 42 41 f8 ff 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 68 41 f8 ff 48 8b RSP: 002b:00007f9324ff7bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f9324ff7cc8 RCX: 00007f9374f1ed14 RDX: 00000000000002fb RSI: 00007f93000052f0 RDI: 0000000000000030 RBP: 0000000000000000 R08: 00007f9324ff7d40 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 000000012a05f200 R14: 0000000000000001 R15: 00007f9374d57bdc </TASK> Fixes: dbc94a0fb817 ("IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces") Signed-off-by: Dragos Tatulea <dtatulea(a)nvidia.com> Link: https://lore.kernel.org/r/95eb6b74c7cf49fa46281f9d056d685c9fa11d38.16745845… Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: zhaoxiaoqiang11 <zhaoxiaoqiang11(a)jd.com> Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c index abfab89423f4..35322d23fc34 100644 --- a/drivers/infiniband/ulp/ipoib/ipoib_main.c +++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c @@ -2188,6 +2188,14 @@ int ipoib_intf_init(struct ib_device *hca, u8 port, const char *name, rn->attach_mcast = ipoib_mcast_attach; rn->detach_mcast = ipoib_mcast_detach; rn->hca = hca; + + rc = netif_set_real_num_tx_queues(dev, 1); + if (rc) + goto out; + + rc = netif_set_real_num_rx_queues(dev, 1); + if (rc) + goto out; } priv->rn_ops = dev->netdev_ops; -- 2.20.1

2 1

[PATCH OLK-6.6] blk-iocost: avoid out of bounds shift
by Li Nan 08 Jun '24

08 Jun '24

From: Rik van Riel <riel(a)surriel.com> stable inclusion from stable-v6.6.31 commit ce0e99cae00e3131872936713b7f55eefd53ab86 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U4LC CVE: CVE-2024-36916 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit beaa51b36012fad5a4d3c18b88a617aea7a9b96d ] UBSAN catches undefined behavior in blk-iocost, where sometimes iocg->delay is shifted right by a number that is too large, resulting in undefined behavior on some architectures. [ 186.556576] ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020 Call Trace: <IRQ> dump_stack_lvl+0x8f/0xe0 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x1f80 __run_timer_base+0x1b6/0x250 ... Avoid that undefined behavior by simply taking the "delay = 0" branch if the shift is too large. I am not sure what the symptoms of an undefined value delay will be, but I suspect it could be more than a little annoying to debug. Signed-off-by: Rik van Riel <riel(a)surriel.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Jens Axboe <axboe(a)kernel.dk> Acked-by: Tejun Heo <tj(a)kernel.org> Link: https://lore.kernel.org/r/20240404123253.0f58010f@imladris.surriel.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Nan <linan122(a)huawei.com> --- block/blk-iocost.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/block/blk-iocost.c b/block/blk-iocost.c index 1351db658a78..6a3e8a21c0fc 100644 --- a/block/blk-iocost.c +++ b/block/blk-iocost.c @@ -1347,7 +1347,7 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) { struct ioc *ioc = iocg->ioc; struct blkcg_gq *blkg = iocg_to_blkg(iocg); - u64 tdelta, delay, new_delay; + u64 tdelta, delay, new_delay, shift; s64 vover, vover_pct; u32 hwa; @@ -1362,8 +1362,9 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) /* calculate the current delay in effect - 1/2 every second */ tdelta = now->now - iocg->delay_at; - if (iocg->delay) - delay = iocg->delay >> div64_u64(tdelta, USEC_PER_SEC); + shift = div64_u64(tdelta, USEC_PER_SEC); + if (iocg->delay && shift < BITS_PER_LONG) + delay = iocg->delay >> shift; else delay = 0; -- 2.39.2

2 1