November 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1 0/5] ext4: fix CVE-2024-47701
by Baokun Li 05 Nov '24

05 Nov '24

Eric Whitney (1): ext4: fix RENAME_WHITEOUT handling for inline directories Thadeu Lima de Souza Cascardo (4): ext4: ext4_search_dir should return a proper error ext4: return error on ext4_find_inline_entry ext4: explicitly exit when ext4_find_inline_entry returns an error ext4: avoid OOB when system.data xattr changes underneath the filesystem fs/ext4/inline.c | 35 +++++++++++++++++++++++++---------- fs/ext4/namei.c | 25 ++++++++++++++----------- 2 files changed, 39 insertions(+), 21 deletions(-) -- 2.46.1

2 6

[PATCH OLK-6.6 0/2] ext4: some dependencies of CVE-2024-47701
by Baokun Li 05 Nov '24

05 Nov '24

Thadeu Lima de Souza Cascardo (2): ext4: ext4_search_dir should return a proper error ext4: explicitly exit when ext4_find_inline_entry returns an error fs/ext4/namei.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) -- 2.46.1

2 3

[openeuler:openEuler-1.0-LTS 1257/1257] net/9p/.tmp_client.o: warning: objtool: missing symbol for section .init.text
by kernel test robot 05 Nov '24

05 Nov '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 0c1156b86933300fc91692f839a7f6e0676f55d7 commit: a6fb923f7803f40a567445dfe1ff3a539c8adc1f [1257/1257] 9p: Use a slab for allocating requests config: x86_64-buildonly-randconfig-002-20241102 (https://download.01.org/0day-ci/archive/20241105/202411051635.WyTNB2ku-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241105/202411051635.WyTNB2ku-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411051635.WyTNB2ku-lkp@intel.com/ All warnings (new ones prefixed by >>): net/9p/client.c:376: warning: Function parameter or member 'c' not described in 'p9_client_cb' net/9p/client.c:376: warning: Function parameter or member 'req' not described in 'p9_client_cb' net/9p/client.c:376: warning: Function parameter or member 'status' not described in 'p9_client_cb' net/9p/client.c:523: warning: Function parameter or member 'uidata' not described in 'p9_check_zc_errors' net/9p/client.c:774: warning: Function parameter or member 'in_hdrlen' not described in 'p9_client_zc_rpc' net/9p/client.c:774: warning: Excess function parameter 'hdrlen' description in 'p9_client_zc_rpc' net/9p/.tmp_client.o: warning: objtool: parse_opts()+0x2c3: sibling call from callable instruction with modified stack frame net/9p/.tmp_client.o: warning: objtool: p9_client_destroy()+0x6f: sibling call from callable instruction with modified stack frame net/9p/.tmp_client.o: warning: objtool: p9_client_readdir()+0x179: sibling call from callable instruction with modified stack frame net/9p/.tmp_client.o: warning: objtool: p9_client_write()+0x10d: sibling call from callable instruction with modified stack frame net/9p/.tmp_client.o: warning: objtool: p9_client_read()+0x1f8: sibling call from callable instruction with modified stack frame net/9p/.tmp_client.o: warning: objtool: p9_client_clunk()+0x13: sibling call from callable instruction with modified stack frame >> net/9p/.tmp_client.o: warning: objtool: missing symbol for section .init.text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] drivers/perf: hisi: Enable HiSilicon Erratum 162700402 quirk for HIP09
by Yushan Wang 05 Nov '24

05 Nov '24

From: Junhao He <hejunhao3(a)huawei.com> mainline inclusion from mainline-v6.9-rc1 commit e10b6976f6b9afdf3564f88c851e42d139bb19c0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB23U8 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------------------------------------- HiSilicon UC PMU v2 suffers the erratum 162700402 that the PMU counter cannot be set due to the lack of clock under power saving mode. This will lead to error or inaccurate counts. The clock can be enabled by the PMU global enabling control. This patch tries to fix this by set the UC PMU enable before set event period to turn on the clock, and then restore the UC PMU configuration. The counter register can hold its value without a clock. Fixes: 312eca95e28d ("drivers/perf: hisi: Add support for HiSilicon UC PMU driver") Signed-off-by: Junhao He <hejunhao3(a)huawei.com> Reviewed-by: Yicong Yang <yangyicong(a)hisilicon.com> Link: https://lore.kernel.org/r/20240227125231.53127-1-hejunhao3@huawei.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: zhangqz <14294317+zwx1160575(a)user.noreply.gitee.com> --- drivers/perf/hisilicon/hisi_uncore_uc_pmu.c | 42 ++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/drivers/perf/hisilicon/hisi_uncore_uc_pmu.c b/drivers/perf/hisilicon/hisi_uncore_uc_pmu.c index 636fb79647c8..481dcc9e8fbf 100644 --- a/drivers/perf/hisilicon/hisi_uncore_uc_pmu.c +++ b/drivers/perf/hisilicon/hisi_uncore_uc_pmu.c @@ -287,12 +287,52 @@ static u64 hisi_uc_pmu_read_counter(struct hisi_pmu *uc_pmu, return readq(uc_pmu->base + HISI_UC_CNTR_REGn(hwc->idx)); } -static void hisi_uc_pmu_write_counter(struct hisi_pmu *uc_pmu, +static bool hisi_uc_pmu_get_glb_en_state(struct hisi_pmu *uc_pmu) +{ + u32 val; + + val = readl(uc_pmu->base + HISI_UC_EVENT_CTRL_REG); + return !!FIELD_GET(HISI_UC_EVENT_GLB_EN, val); +} + +static void hisi_uc_pmu_write_counter_normal(struct hisi_pmu *uc_pmu, struct hw_perf_event *hwc, u64 val) { writeq(val, uc_pmu->base + HISI_UC_CNTR_REGn(hwc->idx)); } +static void hisi_uc_pmu_write_counter_quirk_v2(struct hisi_pmu *uc_pmu, + struct hw_perf_event *hwc, u64 val) +{ + hisi_uc_pmu_start_counters(uc_pmu); + hisi_uc_pmu_write_counter_normal(uc_pmu, hwc, val); + hisi_uc_pmu_stop_counters(uc_pmu); +} + +static void hisi_uc_pmu_write_counter(struct hisi_pmu *uc_pmu, + struct hw_perf_event *hwc, u64 val) +{ + bool enable = hisi_uc_pmu_get_glb_en_state(uc_pmu); + bool erratum = uc_pmu->identifier == HISI_PMU_V2; + + /* + * HiSilicon UC PMU v2 suffers the erratum 162700402 that the + * PMU counter cannot be set due to the lack of clock under power + * saving mode. This will lead to error or inaccurate counts. + * The clock can be enabled by the PMU global enabling control. + * The irq handler and pmu_start() will call the function to set + * period. If the function under irq context, the PMU has been + * enabled therefore we set counter directly. Other situations + * the PMU is disabled, we need to enable it to turn on the + * counter clock to set period, and then restore PMU enable + * status, the counter can hold its value without a clock. + */ + if (enable || !erratum) + hisi_uc_pmu_write_counter_normal(uc_pmu, hwc, val); + else + hisi_uc_pmu_write_counter_quirk_v2(uc_pmu, hwc, val); +} + static void hisi_uc_pmu_enable_counter_int(struct hisi_pmu *uc_pmu, struct hw_perf_event *hwc) { -- 2.33.0

2 1

[openeuler:openEuler-1.0-LTS 1231/1231] arch/arm64/kernel/mpam/mpam_ctrlmon.c:403: warning: Function parameter or member 'type' not described in 'show_doms'
by kernel test robot 05 Nov '24

05 Nov '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 0d426553bb97ebfcb4ea34e8fd63477a44316644 commit: 58e843d94efe3f7085dfaac06cb1d011ecb898b1 [1231/1231] arm64/mpam: resctrl: Support priority and hardlimit(Memory bandwidth) configuration config: arm64-randconfig-001-20241029 (https://download.01.org/0day-ci/archive/20241105/202411051527.GvGiUwZk-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241105/202411051527.GvGiUwZk-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411051527.GvGiUwZk-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/arm64/kernel/mpam/mpam_ctrlmon.c: In function 'add_schema': arch/arm64/kernel/mpam/mpam_ctrlmon.c:53:37: warning: variable 'sc_hdl' set but not used [-Wunused-but-set-variable] 53 | struct resctrl_schema_ctrl *sc_hdl = NULL; | ^~~~~~ arch/arm64/kernel/mpam/mpam_ctrlmon.c:52:37: warning: variable 'sc_pri' set but not used [-Wunused-but-set-variable] 52 | struct resctrl_schema_ctrl *sc_pri = NULL; | ^~~~~~ arch/arm64/kernel/mpam/mpam_ctrlmon.c: In function 'resctrl_mkdir_mondata_all_subdir': arch/arm64/kernel/mpam/mpam_ctrlmon.c:676:54: warning: variable 'rr' set but not used [-Wunused-but-set-variable] 676 | struct raw_resctrl_resource *rr; | ^~ arch/arm64/kernel/mpam/mpam_ctrlmon.c:403: warning: Function parameter or member 's' not described in 'show_doms' arch/arm64/kernel/mpam/mpam_ctrlmon.c:403: warning: Function parameter or member 'r' not described in 'show_doms' arch/arm64/kernel/mpam/mpam_ctrlmon.c:403: warning: Function parameter or member 'schema_name' not described in 'show_doms' >> arch/arm64/kernel/mpam/mpam_ctrlmon.c:403: warning: Function parameter or member 'type' not described in 'show_doms' arch/arm64/kernel/mpam/mpam_ctrlmon.c:403: warning: Function parameter or member 'closid' not described in 'show_doms' vim +403 arch/arm64/kernel/mpam/mpam_ctrlmon.c 1abcabe9dab59ec arch/arm64/kernel/mpam_ctrlmon.c Yang Yingliang 2019-01-30 389 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 390 /** 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 391 * MPAM resources such as L2 may have too many domains for arm64, 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 392 * at this time we should rearrange this display for brevity and 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 393 * harmonious interaction. 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 394 * 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 395 * Before rearrangement: L2:0=ff;1=ff;2=fc;3=ff;4=f;....;255=ff 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 396 * After rearrangement: L2:S;2=fc;S;4=f;S 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 397 * Those continuous fully sharable domains will be combined into 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 398 * a single "S" simply. 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 399 */ 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 400 static void show_doms(struct seq_file *s, struct resctrl_resource *r, 58e843d94efe3f7 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 401 char *schema_name, enum resctrl_ctrl_type type, 58e843d94efe3f7 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 402 struct sd_closid *closid) be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 @403 { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 404 struct raw_resctrl_resource *rr = r->res; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 405 struct rdt_domain *dom; 857e8d34273e190 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 406 struct msr_param para; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 407 bool sep = false; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 408 bool rg = false; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 409 bool prev_auto_fill = false; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 410 u32 reg_val; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 411 857e8d34273e190 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 412 para.closid = closid; 58e843d94efe3f7 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 413 para.type = type; 857e8d34273e190 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 414 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 415 if (r->dom_num > RESCTRL_SHOW_DOM_MAX_NUM) 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 416 rg = true; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 417 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 418 seq_printf(s, "%*s:", max_name_width, schema_name); be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 419 list_for_each_entry(dom, &r->domains, list) { 857e8d34273e190 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 420 reg_val = rr->msr_read(dom, &para); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 421 58e843d94efe3f7 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 422 if (rg && reg_val == r->default_ctrl[SCHEMA_COMM] && 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 423 prev_auto_fill == true) 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 424 continue; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 425 be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 426 if (sep) be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 427 seq_puts(s, ";"); 58e843d94efe3f7 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 428 if (rg && reg_val == r->default_ctrl[SCHEMA_COMM]) { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 429 prev_auto_fill = true; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 430 seq_puts(s, "S"); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 431 } else { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 432 seq_printf(s, rr->format_str, dom->id, 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 433 max_data_width, reg_val); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 434 } be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 435 sep = true; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 436 } be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 437 seq_puts(s, "\n"); be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 438 } be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 439 :::::: The code at line 403 was first introduced by commit :::::: be2167d2a188dc20648fa10c2c5ccd56ba579533 arm64/mpam: support resctrl_group_schemata_show :::::: TO: Xie XiuQi <xiexiuqi(a)huawei.com> :::::: CC: Xie XiuQi <xiexiuqi(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/7] Some patches of RDMA/hns from Linux to OLK-6.6
by Chengchang Tang 05 Nov '24

05 Nov '24

From: Xinghai Cen <cenxinghai(a)h-partners.com> Some patches of RDMA/hns from Linux to OLK-6.6 Junxian Huang (1): RDMA/hns: Use dev_* printings in hem code instead of ibdev_* Xinghai Cen (2): Revert "RDMA/hns: Fix missing spin_lock_init() for qp flush lock" Revert "RDMA/hns: Fix flush cqe error when racing with destroy qp" Yuyu Li (1): RDMA/hns: Modify debugfs name wenglianfa (3): RDMA/hns: Fix an AEQE overflow error caused by untimely update of eq_db_ci RDMA/hns: Fix flush cqe error when racing with destroy qp RDMA/hns: Fix cpu stuck caused by printings during reset drivers/infiniband/hw/hns/hns_roce_cq.c | 4 +- drivers/infiniband/hw/hns/hns_roce_debugfs.c | 3 +- drivers/infiniband/hw/hns/hns_roce_device.h | 1 + drivers/infiniband/hw/hns/hns_roce_hem.c | 44 ++++---- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 100 +++++++++++-------- drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 5 + drivers/infiniband/hw/hns/hns_roce_qp.c | 56 +++++++---- 7 files changed, 125 insertions(+), 88 deletions(-) -- 2.33.0

2 8

[PATCH OLK-6.6] tty: n_gsm: Fix use-after-free in gsm_cleanup_mux
by Yi Yang 05 Nov '24

05 Nov '24

From: Longlong Xia <xialonglong(a)kylinos.cn> stable inclusion from stable-v6.6.58 commit c29f192e0d44cc1cbaf698fa1ff198f63556691a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB0EQM CVE: CVE-2024-50073 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 9462f4ca56e7d2430fdb6dcc8498244acbfc4489 upstream. BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. Signed-off-by: Longlong Xia <xialonglong(a)kylinos.cn> Cc: stable <stable(a)kernel.org> Suggested-by: Jiri Slaby <jirislaby(a)kernel.org> Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/n_gsm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 5fc8540a83e3..8559ba1361c6 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -3156,6 +3156,8 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) mutex_unlock(&gsm->mutex); /* Now wipe the queues */ tty_ldisc_flush(gsm->tty); + + guard(spinlock_irqsave)(&gsm->tx_lock); list_for_each_entry_safe(txq, ntxq, &gsm->tx_ctrl_list, list) kfree(txq); INIT_LIST_HEAD(&gsm->tx_ctrl_list); -- 2.25.1

2 1

[PATCH OLK-5.10] tty: n_gsm: Fix use-after-free in gsm_cleanup_mux
by Yi Yang 05 Nov '24

05 Nov '24

From: Longlong Xia <xialonglong(a)kylinos.cn> mainline inclusion from mainline-v6.12-rc4 commit 9462f4ca56e7d2430fdb6dcc8498244acbfc4489 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB0EQM CVE: CVE-2024-50073 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. Signed-off-by: Longlong Xia <xialonglong(a)kylinos.cn> Cc: stable <stable(a)kernel.org> Suggested-by: Jiri Slaby <jirislaby(a)kernel.org> Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/tty/n_gsm.c [Commit 54da6a092431("locking: Introduce __cleanup() based infrastructure") not merged, The guard() function is not introduced.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/n_gsm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 0a367fa23c27..b8d77f3d924d 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2228,6 +2228,7 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) int i; struct gsm_dlci *dlci; struct gsm_msg *txq, *ntxq; + unsigned long flags; gsm->dead = true; mutex_lock(&gsm->mutex); @@ -2255,9 +2256,12 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) mutex_unlock(&gsm->mutex); /* Now wipe the queues */ tty_ldisc_flush(gsm->tty); + + spin_lock_irqsave(&gsm->tx_lock, flags); list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list) kfree(txq); INIT_LIST_HEAD(&gsm->tx_list); + spin_unlock_irqrestore(&gsm->tx_lock, flags); } /** -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] tty: n_gsm: Fix use-after-free in gsm_cleanup_mux
by Yi Yang 05 Nov '24

05 Nov '24

From: Longlong Xia <xialonglong(a)kylinos.cn> mainline inclusion from mainline-v6.12-rc4 commit 9462f4ca56e7d2430fdb6dcc8498244acbfc4489 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB0EQM CVE: CVE-2024-50073 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] Read of size 8 at addr ffff88815fe99c00 by task poc/3379 CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <TASK> gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] __pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm] __pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389 update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500 __pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846 __rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161 gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] _raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107 __pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm] ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195 ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79 __pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338 __pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805 tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 Allocated by task 65: gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm] gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm] gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm] gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm] tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391 tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39 flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445 process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229 worker_thread+0x3dc/0x950 kernel/workqueue.c:3391 kthread+0x2a3/0x370 kernel/kthread.c:389 ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257 Freed by task 3367: kfree+0x126/0x420 mm/slub.c:4580 gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm] gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm] tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818 [Analysis] gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl,which leads to the occurrence of uaf. Protect it by gsm tx lock. Signed-off-by: Longlong Xia <xialonglong(a)kylinos.cn> Cc: stable <stable(a)kernel.org> Suggested-by: Jiri Slaby <jirislaby(a)kernel.org> Link: https://lore.kernel.org/r/20240926130213.531959-1-xialonglong@kylinos.cn Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/tty/n_gsm.c [Commit 54da6a092431("locking: Introduce __cleanup() based infrastructure") not merged, The guard() function is not introduced.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/n_gsm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 4b25e011967c..6a41ea82fe47 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2043,6 +2043,7 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) int i; struct gsm_dlci *dlci; struct gsm_msg *txq, *ntxq; + unsigned long flags; gsm->dead = 1; mutex_lock(&gsm->mutex); @@ -2077,9 +2078,12 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) gsm_dlci_release(gsm->dlci[i]); mutex_unlock(&gsm->mutex); /* Now wipe the queues */ + + spin_lock_irqsave(&gsm->tx_lock, flags); list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list) kfree(txq); INIT_LIST_HEAD(&gsm->tx_list); + spin_unlock_irqrestore(&gsm->tx_lock, flags); } /** -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS 1257/1257] fs/ubifs/.tmp_master.o: warning: objtool: missing symbol for section .text
by kernel test robot 05 Nov '24

05 Nov '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 0d426553bb97ebfcb4ea34e8fd63477a44316644 commit: 2e52eb74463f15c745d64948cedfaee722d6268c [1257/1257] ubifs: Rework ubifs_assert() config: x86_64-buildonly-randconfig-002-20241102 (https://download.01.org/0day-ci/archive/20241105/202411051232.roOpwrLm-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241105/202411051232.roOpwrLm-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411051232.roOpwrLm-lkp@intel.com/ All warnings (new ones prefixed by >>): >> fs/ubifs/.tmp_master.o: warning: objtool: missing symbol for section .text -- >> fs/ubifs/.tmp_lpt_commit.o: warning: objtool: missing symbol for section .text.unlikely -- >> fs/ubifs/.tmp_budget.o: warning: objtool: missing symbol for section .text -- >> fs/ubifs/.tmp_recovery.o: warning: objtool: missing symbol for section .text -- >> fs/ubifs/.tmp_log.o: warning: objtool: missing symbol for section .text -- >> fs/ubifs/.tmp_commit.o: warning: objtool: missing symbol for section .text -- >> fs/ubifs/.tmp_scan.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0