November 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-6.6 0/1] fix CVE-2024-50115
by Liao Chen 12 Nov '24

12 Nov '24

fix CVE-2024-50115 Sean Christopherson (1): [Backport] KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory arch/x86/kvm/svm/nested.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) -- 2.34.1

2 2

[PATCH OLK-6.6] net/ncsi: Disable the ncsi work before freeing the associated structure
by Zhang Changzhong 12 Nov '24

12 Nov '24

From: Eddie James <eajames(a)linux.ibm.com> mainline inclusion from mainline-v6.12-rc2 commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA5 CVE: CVE-2024-49945 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic. Fixes: 2d283bdd079c ("net/ncsi: Resource management") Signed-off-by: Eddie James <eajames(a)linux.ibm.com> Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Conflicts: net/ncsi/ncsi-manage.c [commit 86898fa6b8cd ("workqueue: Implement disable/enable for (delayed) work items") not merged] Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- net/ncsi/ncsi-manage.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c index 90c6cf6..60725e0 100644 --- a/net/ncsi/ncsi-manage.c +++ b/net/ncsi/ncsi-manage.c @@ -1949,6 +1949,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) list_del_rcu(&ndp->node); spin_unlock_irqrestore(&ncsi_dev_lock, flags); + cancel_work_sync(&ndp->work); + kfree(ndp); } EXPORT_SYMBOL_GPL(ncsi_unregister_dev); -- 2.9.5

2 1

[PATCH openEuler-22.03-LTS-SP1] net/ncsi: Disable the ncsi work before freeing the associated structure
by Zhang Changzhong 12 Nov '24

12 Nov '24

From: Eddie James <eajames(a)linux.ibm.com> mainline inclusion from mainline-v6.12-rc2 commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA5 CVE: CVE-2024-49945 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic. Fixes: 2d283bdd079c ("net/ncsi: Resource management") Signed-off-by: Eddie James <eajames(a)linux.ibm.com> Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Conflicts: net/ncsi/ncsi-manage.c [commit 86898fa6b8cd ("workqueue: Implement disable/enable for (delayed) work items") not merged] Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- net/ncsi/ncsi-manage.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c index ffff8da..4f51dc0 100644 --- a/net/ncsi/ncsi-manage.c +++ b/net/ncsi/ncsi-manage.c @@ -1895,6 +1895,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) list_del_rcu(&ndp->node); spin_unlock_irqrestore(&ncsi_dev_lock, flags); + cancel_work_sync(&ndp->work); + kfree(ndp); } EXPORT_SYMBOL_GPL(ncsi_unregister_dev); -- 2.9.5

2 1

[PATCH OLK-5.10] net/ncsi: Disable the ncsi work before freeing the associated structure
by Zhang Changzhong 12 Nov '24

12 Nov '24

From: Eddie James <eajames(a)linux.ibm.com> mainline inclusion from mainline-v6.12-rc2 commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA5 CVE: CVE-2024-49945 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic. Fixes: 2d283bdd079c ("net/ncsi: Resource management") Signed-off-by: Eddie James <eajames(a)linux.ibm.com> Link: https://patch.msgid.link/20240925155523.1017097-1-eajames@linux.ibm.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Conflicts: net/ncsi/ncsi-manage.c [commit 86898fa6b8cd ("workqueue: Implement disable/enable for (delayed) work items") not merged] Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- net/ncsi/ncsi-manage.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c index ffff8da..4f51dc0 100644 --- a/net/ncsi/ncsi-manage.c +++ b/net/ncsi/ncsi-manage.c @@ -1895,6 +1895,8 @@ void ncsi_unregister_dev(struct ncsi_dev *nd) list_del_rcu(&ndp->node); spin_unlock_irqrestore(&ncsi_dev_lock, flags); + cancel_work_sync(&ndp->work); + kfree(ndp); } EXPORT_SYMBOL_GPL(ncsi_unregister_dev); -- 2.9.5

2 1

[openeuler:OLK-5.10 2418/2418] drivers/gpu/drm/phytium/phytium_dp.c:300:17: warning: 'strncpy' output may be truncated copying 32 bytes from a string of length 439
by kernel test robot 12 Nov '24

12 Nov '24

Hi Li, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 400fd9ccb52e01bf78acae2bbc1710923a15f033 commit: b2a83bcdafcaaaa60199147d04798d431cc800cc [2418/2418] DRM: Phytium display DRM driver config: arm64-randconfig-001-20241112 (https://download.01.org/0day-ci/archive/20241112/202411121753.yQqZUvdw-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241112/202411121753.yQqZUvdw-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411121753.yQqZUvdw-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/gpu/drm/phytium/phytium_dp.c:503:6: warning: no previous prototype for 'phytium_dp_coding_8b10b_need_enable' [-Wmissing-prototypes] 503 | bool phytium_dp_coding_8b10b_need_enable(unsigned char test_pattern) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:520:6: warning: no previous prototype for 'phytium_dp_scrambled_need_enable' [-Wmissing-prototypes] 520 | bool phytium_dp_scrambled_need_enable(unsigned char test_pattern) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:653:6: warning: no previous prototype for 'phytium_dp_hw_enable_audio' [-Wmissing-prototypes] 653 | void phytium_dp_hw_enable_audio(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:822:6: warning: no previous prototype for 'phytium_dp_hw_disable_video' [-Wmissing-prototypes] 822 | void phytium_dp_hw_disable_video(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:833:6: warning: no previous prototype for 'phytium_dp_hw_video_is_enable' [-Wmissing-prototypes] 833 | bool phytium_dp_hw_video_is_enable(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:844:6: warning: no previous prototype for 'phytium_dp_hw_enable_video' [-Wmissing-prototypes] 844 | void phytium_dp_hw_enable_video(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:856:6: warning: no previous prototype for 'phytium_dp_hw_config_video' [-Wmissing-prototypes] 856 | void phytium_dp_hw_config_video(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:945:6: warning: no previous prototype for 'phytium_dp_hw_disable_output' [-Wmissing-prototypes] 945 | void phytium_dp_hw_disable_output(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:957:6: warning: no previous prototype for 'phytium_dp_hw_enable_output' [-Wmissing-prototypes] 957 | void phytium_dp_hw_enable_output(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:969:6: warning: no previous prototype for 'phytium_dp_hw_enable_input_source' [-Wmissing-prototypes] 969 | void phytium_dp_hw_enable_input_source(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:980:6: warning: no previous prototype for 'phytium_dp_hw_disable_input_source' [-Wmissing-prototypes] 980 | void phytium_dp_hw_disable_input_source(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:990:6: warning: no previous prototype for 'phytium_dp_hw_output_is_enable' [-Wmissing-prototypes] 990 | bool phytium_dp_hw_output_is_enable(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1027:6: warning: no previous prototype for 'phytium_dp_hw_hpd_irq_setup' [-Wmissing-prototypes] 1027 | void phytium_dp_hw_hpd_irq_setup(struct phytium_dp_device *phytium_dp, bool enable) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1042:5: warning: no previous prototype for 'phytium_dp_hw_init' [-Wmissing-prototypes] 1042 | int phytium_dp_hw_init(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1220:6: warning: no previous prototype for 'phytium_dp_dpcd_sink_dpms' [-Wmissing-prototypes] 1220 | void phytium_dp_dpcd_sink_dpms(struct phytium_dp_device *phytium_dp, int mode) | ^~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1445:5: warning: no previous prototype for 'phytium_dp_get_link_train_fallback_values' [-Wmissing-prototypes] 1445 | int phytium_dp_get_link_train_fallback_values(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1494:5: warning: no previous prototype for 'phytium_dp_start_link_train' [-Wmissing-prototypes] 1494 | int phytium_dp_start_link_train(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1799:6: warning: no previous prototype for 'phytium_dp_hpd_poll_handler' [-Wmissing-prototypes] 1799 | void phytium_dp_hpd_poll_handler(struct phytium_display_private *priv) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:1946:6: warning: no previous prototype for 'phytium_dp_fast_link_train' [-Wmissing-prototypes] 1946 | bool phytium_dp_fast_link_train(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:2137:6: warning: no previous prototype for 'phytium_dp_adjust_link_train_parameter' [-Wmissing-prototypes] 2137 | void phytium_dp_adjust_link_train_parameter(struct phytium_dp_device *phytium_dp) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:2197:1: warning: no previous prototype for 'phytium_encoder_mode_valid' [-Wmissing-prototypes] 2197 | phytium_encoder_mode_valid(struct drm_encoder *encoder, const struct drm_display_mode *mode) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c:2447:5: warning: no previous prototype for 'phytium_get_encoder_crtc_mask' [-Wmissing-prototypes] 2447 | int phytium_get_encoder_crtc_mask(struct phytium_dp_device *phytium_dp, int port) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/phytium/phytium_dp.c: In function 'phytium_connector_add_common_modes': >> drivers/gpu/drm/phytium/phytium_dp.c:300:17: warning: 'strncpy' output may be truncated copying 32 bytes from a string of length 439 [-Wstringop-truncation] 300 | strncpy(mode->name, common_mode[i].name, DRM_DISPLAY_MODE_LEN); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/strncpy +300 drivers/gpu/drm/phytium/phytium_dp.c 244 245 static int phytium_connector_add_common_modes(struct phytium_dp_device *phytium_dp) 246 { 247 int i = 0, ret = 0; 248 struct drm_device *dev = phytium_dp->dev; 249 struct drm_display_mode *mode = NULL, *current_mode = NULL; 250 struct drm_display_mode *native_mode = &phytium_dp->native_mode; 251 bool mode_existed = false; 252 struct mode_size { 253 char name[DRM_DISPLAY_MODE_LEN]; 254 int w; 255 int h; 256 } common_mode[] = { 257 { "640x480", 640, 480}, 258 { "800x600", 800, 600}, 259 { "1024x768", 1024, 768}, 260 { "1280x720", 1280, 720}, 261 { "1280x800", 1280, 800}, 262 {"1280x1024", 1280, 1024}, 263 { "1440x900", 1440, 900}, 264 {"1680x1050", 1680, 1050}, 265 {"1600x1200", 1600, 1200}, 266 {"1920x1080", 1920, 1080}, 267 {"1920x1200", 1920, 1200} 268 }; 269 270 if (native_mode->clock == 0) 271 return ret; 272 273 for (i = 0; i < ARRAY_SIZE(common_mode); i++) { 274 mode_existed = false; 275 276 if (common_mode[i].w > native_mode->hdisplay || 277 common_mode[i].h > native_mode->vdisplay || 278 (common_mode[i].w == native_mode->hdisplay && 279 common_mode[i].h == native_mode->vdisplay)) 280 continue; 281 282 list_for_each_entry(current_mode, &phytium_dp->connector.probed_modes, head) { 283 if (common_mode[i].w == current_mode->hdisplay && 284 common_mode[i].h == current_mode->vdisplay) { 285 mode_existed = true; 286 break; 287 } 288 } 289 290 if (mode_existed) 291 continue; 292 293 mode = drm_mode_duplicate(dev, native_mode); 294 if (mode == NULL) 295 continue; 296 297 mode->hdisplay = common_mode[i].w; 298 mode->vdisplay = common_mode[i].h; 299 mode->type &= ~DRM_MODE_TYPE_PREFERRED; > 300 strncpy(mode->name, common_mode[i].name, DRM_DISPLAY_MODE_LEN); 301 drm_mode_probed_add(&phytium_dp->connector, mode); 302 ret++; 303 } 304 305 return ret; 306 } 307 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] serial: core: Fix atomicity violation in uart_tiocmget
by Yi Yang 12 Nov '24

12 Nov '24

From: Gui-Dong Han <2045gemini(a)gmail.com> mainline inclusion from mainline-v6.8-rc3 commit 30926783a46841c2d1bbf3f74067ba85d304fd0d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB1MRY CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In uart_tiocmget(): result = uport->mctrl; uart_port_lock_irq(uport); result |= uport->ops->get_mctrl(uport); uart_port_unlock_irq(uport); ... return result; In uart_update_mctrl(): uart_port_lock_irqsave(port, &flags); ... port->mctrl = (old & ~clear) | set; ... port->ops->set_mctrl(port, port->mctrl); ... uart_port_unlock_irqrestore(port, flags); An atomicity violation is identified due to the concurrent execution of uart_tiocmget() and uart_update_mctrl(). After assigning result = uport->mctrl, the mctrl value may change in uart_update_mctrl(), leading to a mismatch between the value returned by uport->ops->get_mctrl(uport) and the mctrl value previously read. This can result in uart_tiocmget() returning an incorrect value. This possible bug is found by an experimental static analysis tool developed by our team, BassCheck[1]. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported when our tool analyzes the source code of Linux 5.17. To address this issue, it is suggested to move the line result = uport->mctrl inside the uart_port_lock block to ensure atomicity and prevent the mctrl value from being altered during the execution of uart_tiocmget(). With this patch applied, our tool no longer reports the bug, with the kernel configuration allyesconfig for x86_64. Due to the absence of the requisite hardware, we are unable to conduct runtime testing of the patch. Therefore, our verification is solely based on code logic analysis. [1] https://sites.google.com/view/basscheck/ Fixes: c5f4644e6c8b ("[PATCH] Serial: Adjust serial locking") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <2045gemini(a)gmail.com> Link: https://lore.kernel.org/r/20240112113624.17048-1-2045gemini@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/tty/serial/serial_core.c [Commit 559c7ff4e324("serial: core: Use port lock wrappers") not merged, no functional change.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/serial_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 537bcd7c4941..d9d7506a9f6e 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -1078,8 +1078,8 @@ static int uart_tiocmget(struct tty_struct *tty) goto out; if (!tty_io_error(tty)) { - result = uport->mctrl; spin_lock_irq(&uport->lock); + result = uport->mctrl; result |= uport->ops->get_mctrl(uport); spin_unlock_irq(&uport->lock); } -- 2.25.1

2 1

[openeuler:OLK-5.10 2417/2417] vmlinux.o: warning: objtool: do_syscall_64()+0x8b: call to memset() leaves .noinstr.text section
by kernel test robot 12 Nov '24

12 Nov '24

Hi Kees, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 400fd9ccb52e01bf78acae2bbc1710923a15f033 commit: 130620d5878d2348208258965876547a69353f9f [2417/2417] x86/entry: Enable random_kstack_offset support config: x86_64-buildonly-randconfig-003-20241112 (https://download.01.org/0day-ci/archive/20241112/202411121519.FfuB626X-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241112/202411121519.FfuB626X-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411121519.FfuB626X-lkp@intel.com/ All warnings (new ones prefixed by >>): >> vmlinux.o: warning: objtool: do_syscall_64()+0x8b: call to memset() leaves .noinstr.text section vmlinux.o: warning: objtool: sync_regs()+0x1c: call to memcpy() leaves .noinstr.text section vmlinux.o: warning: objtool: fixup_bad_iret()+0x32: call to memset() leaves .noinstr.text section vmlinux.o: warning: objtool: mce_read_aux()+0x42: call to {dynamic}() leaves .noinstr.text section vmlinux.o: warning: objtool: do_machine_check()+0x13f: call to mce_no_way_out() leaves .noinstr.text section -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS v3] sched: smart_grid: Prevent double-free in sched_grid_qos_free
by Yipeng Zou 12 Nov '24

12 Nov '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB3N2A ---------------------------------------- KASAN detected a double-free bug in the smart grid. This issue arises from the uninitialized use of p->grid_qos within the task {fork,free} processes. The sequence of events leading to the double-free is as follows: CPU0 CPU1 fork (in some error process) goto bad_fork_free call_rcu(__delayed_free_task) __delayed_free_task sched_grid_qos_free realse_task delayed_put_task_struct __put_task_struct sched_grid_qos_free(double free) When copy_process returns with an error, grid_qos is double-freed. To address this, grid_qos is initialized to NULL in dup_task_struct, and a NULL check is added for p->grid_qos before freeing. Bug report details: ================================================================== BUG: KASAN: double-free or invalid-free in sched_grid_qos_free+0x3c/0x90 CPU: 343 PID: 0 Comm: swapper/343 Kdump: loaded Tainted: G B E Call trace: dump_backtrace+0x0/0x3e0 show_stack+0x1c/0x28 dump_stack+0x13c/0x190 print_address_description.constprop.0+0x28/0x1f0 kasan_report_invalid_free+0x44/0x6c __kasan_slab_free+0x158/0x180 kasan_slab_free+0x10/0x20 kfree+0xe0/0x6e0 sched_grid_qos_free+0x3c/0x90 free_task+0xc4/0x164 __put_task_struct+0x264/0x31c delayed_put_task_struct+0x94/0x180 rcu_do_batch+0x2ec/0x9f0 rcu_core+0x34c/0x530 rcu_core_si+0x14/0x30 __do_softirq+0x284/0x900 irq_exit+0x2d4/0x35c __handle_domain_irq+0x108/0x1f0 gic_handle_irq+0x74/0x620 el1_irq+0xbc/0x140 arch_cpu_idle+0x14/0x3c default_idle_call+0x80/0x320 cpuidle_idle_call+0x244/0x2b0 do_idle+0x138/0x260 cpu_startup_entry+0x2c/0x70 secondary_start_kernel+0x35c/0x4e4 Allocated by task 44027: kasan_save_stack+0x24/0x50 __kasan_kmalloc.constprop.0+0xa0/0xcc kasan_kmalloc+0xc/0x14 kmem_cache_alloc_trace+0xdc/0x5d0 sched_grid_qos_fork+0x50/0x20c copy_process+0x8fc/0x3f60 kernel_clone+0x12c/0x660 __se_sys_clone+0xc0/0x110 __arm64_sys_clone+0xa8/0x110 invoke_syscall+0x70/0x274 el0_svc_common.constprop.0+0x1fc/0x2dc do_el0_svc+0xe8/0x140 el0_svc+0x1c/0x2c el0_sync_handler+0xb0/0xb4 el0_sync+0x168/0x180 Freed by task 1748: kasan_save_stack+0x24/0x50 kasan_set_track+0x24/0x34 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0xf8/0x180 kasan_slab_free+0x10/0x20 kfree+0xe0/0x6e0 sched_grid_qos_free+0x3c/0x90 free_task+0xc4/0x164 __delayed_free_task+0x18/0x3c rcu_do_batch+0x2ec/0x9f0 rcu_core+0x34c/0x530 rcu_core_si+0x14/0x30 __do_softirq+0x284/0x900 Fixes: ce35ded5d577 ("sched: smart grid: init sched_grid_qos structure on QOS purpose") Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- kernel/sched/grid/qos.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/sched/grid/qos.c b/kernel/sched/grid/qos.c index b3df69d91499..bf9f7069c19a 100644 --- a/kernel/sched/grid/qos.c +++ b/kernel/sched/grid/qos.c @@ -68,6 +68,9 @@ int sched_grid_qos_fork(struct task_struct *p, struct task_struct *orig) void sched_grid_qos_free(struct task_struct *p) { + if (!p->_resvd->grid_qos) + return; + kfree(p->_resvd->grid_qos); p->_resvd->grid_qos = NULL; } -- 2.34.1

2 1

[PATCH OLK-5.10] virtio_pmem: Check device status before requesting flush
by Jinjie Ruan 12 Nov '24

12 Nov '24

From: Philip Chen <philipchen(a)chromium.org> stable inclusion from stable-v5.10.227 commit 4ce662fe4be6fbc2595d9ef4888b2b6e778c99ed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2YUI CVE: CVE-2024-50184 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 ] If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated. Signed-off-by: Philip Chen <philipchen(a)chromium.org> Message-Id: <20240826215313.2673566-1-philipchen(a)chromium.org> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Pankaj Gupta <pankaj.gupta.linux(a)gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- drivers/nvdimm/nd_virtio.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c index 10351d5b49fa..41e97c6567cf 100644 --- a/drivers/nvdimm/nd_virtio.c +++ b/drivers/nvdimm/nd_virtio.c @@ -44,6 +44,15 @@ static int virtio_pmem_flush(struct nd_region *nd_region) unsigned long flags; int err, err1; + /* + * Don't bother to submit the request to the device if the device is + * not activated. + */ + if (vdev->config->get_status(vdev) & VIRTIO_CONFIG_S_NEEDS_RESET) { + dev_info(&vdev->dev, "virtio pmem device needs a reset\n"); + return -EIO; + } + might_sleep(); req_data = kmalloc(sizeof(*req_data), GFP_KERNEL); if (!req_data) -- 2.34.1

2 1

[PATCH OLK-5.10] virtio_pmem: Check device status before requesting flush
by Jinjie Ruan 12 Nov '24

12 Nov '24

From: Philip Chen <philipchen(a)chromium.org> stable inclusion from stable-v5.10.227 commit 4ce662fe4be6fbc2595d9ef4888b2b6e778c99ed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2YUI CVE: CVE-2024-50184 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 ] If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated. Signed-off-by: Philip Chen <philipchen(a)chromium.org> Message-Id: <20240826215313.2673566-1-philipchen(a)chromium.org> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Pankaj Gupta <pankaj.gupta.linux(a)gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/nvdimm/nd_virtio.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c index 10351d5b49fa..41e97c6567cf 100644 --- a/drivers/nvdimm/nd_virtio.c +++ b/drivers/nvdimm/nd_virtio.c @@ -44,6 +44,15 @@ static int virtio_pmem_flush(struct nd_region *nd_region) unsigned long flags; int err, err1; + /* + * Don't bother to submit the request to the device if the device is + * not activated. + */ + if (vdev->config->get_status(vdev) & VIRTIO_CONFIG_S_NEEDS_RESET) { + dev_info(&vdev->dev, "virtio pmem device needs a reset\n"); + return -EIO; + } + might_sleep(); req_data = kmalloc(sizeof(*req_data), GFP_KERNEL); if (!req_data) -- 2.34.1

2 1

2024

2023

2022

2021

2020

2019

Kernel November 2024