July 2024 - Kernel - mailweb.openeuler.org

[openeuler:OLK-6.6 4037/10605] drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2911:41: warning: '%d' directive output may be truncated writing between 1 and 11 bytes into a region of size between 3 and 18
by kernel test robot 09 Jul '24

09 Jul '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 0dba2ca16050e1ea7b068850b6fa440dbeb6665b commit: 5deaf74c4b3edcf88f67f18aa352690deb9dc212 [4037/10605] drivers: initial support for rnpm drivers from Mucse Technology config: loongarch-randconfig-002-20240709 (https://download.01.org/0day-ci/archive/20240709/202407090319.Lo3bXFwf-lkp@…) compiler: loongarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240709/202407090319.Lo3bXFwf-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202407090319.Lo3bXFwf-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/net/ethernet/mucse/rnpm/rnpm_main.c:256:6: warning: no previous prototype for 'rnpm_pf_service_event_schedule' [-Wmissing-prototypes] 256 | void rnpm_pf_service_event_schedule(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:1137:5: warning: no previous prototype for 'rnpm_rx_ring_reinit' [-Wmissing-prototypes] 1137 | int rnpm_rx_ring_reinit(struct rnpm_adapter *adapter, struct rnpm_ring *rx_ring) | ^~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: In function 'rnpm_clean_rx_irq': drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2015:14: warning: variable 'xdp_xmit' set but not used [-Wunused-but-set-variable] 2015 | bool xdp_xmit = false; | ^~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: At top level: drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2207:6: warning: no previous prototype for 'rnpm_write_eitr' [-Wmissing-prototypes] 2207 | void rnpm_write_eitr(struct rnpm_q_vector *q_vector, bool is_rxframe) | ^~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:3013:5: warning: no previous prototype for 'rnpm_xmit_nop_frame_ring' [-Wmissing-prototypes] 3013 | int rnpm_xmit_nop_frame_ring(struct rnpm_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:3037:5: warning: no previous prototype for 'rnpm_xmit_nop_frame_ring_temp' [-Wmissing-prototypes] 3037 | int rnpm_xmit_nop_frame_ring_temp(struct rnpm_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:3909:6: warning: no previous prototype for 'rnpm_vlan_stags_flag' [-Wmissing-prototypes] 3909 | void rnpm_vlan_stags_flag(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:4031:6: warning: no previous prototype for 'control_mac_rx' [-Wmissing-prototypes] 4031 | void control_mac_rx(struct rnpm_adapter *adapter, bool on) | ^~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5803:6: warning: no previous prototype for 'rnpm_pf_service_timer' [-Wmissing-prototypes] 5803 | void rnpm_pf_service_timer(struct timer_list *t) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5821:6: warning: no previous prototype for 'rnpm_service_timer' [-Wmissing-prototypes] 5821 | void rnpm_service_timer(struct timer_list *t) | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5962:21: warning: no previous prototype for 'wait_all_port_resetting' [-Wmissing-prototypes] 5962 | __maybe_unused void wait_all_port_resetting(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5974:21: warning: no previous prototype for 'clean_all_port_resetting' [-Wmissing-prototypes] 5974 | __maybe_unused void clean_all_port_resetting(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6185:5: warning: no previous prototype for 'rnpm_check_mc_addr' [-Wmissing-prototypes] 6185 | int rnpm_check_mc_addr(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6211:6: warning: no previous prototype for 'update_pf_vlan' [-Wmissing-prototypes] 6211 | void update_pf_vlan(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6262:6: warning: no previous prototype for 'rnpm_pf_service_task' [-Wmissing-prototypes] 6262 | void rnpm_pf_service_task(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:7528:6: warning: no previous prototype for 'rnpm_clear_udp_tunnel_port' [-Wmissing-prototypes] 7528 | void rnpm_clear_udp_tunnel_port(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:7692:6: warning: no previous prototype for 'rnpm_assign_netdev_ops' [-Wmissing-prototypes] 7692 | void rnpm_assign_netdev_ops(struct net_device *dev) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:7785:6: warning: no previous prototype for 'rnpm_fix_queue_number' [-Wmissing-prototypes] 7785 | void rnpm_fix_queue_number(struct rnpm_hw *hw) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:8760:5: warning: no previous prototype for 'rnpm_can_rpu_start' [-Wmissing-prototypes] 8760 | int rnpm_can_rpu_start(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: In function 'rnpm_request_msix_irqs': >> drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2911:41: warning: '%d' directive output may be truncated writing between 1 and 11 bytes into a region of size between 3 and 18 [-Wformat-truncation=] 2911 | "%s-%s-%d-%d", netdev->name, "TxRx", i, | ^~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2911:34: note: directive argument in the range [-2147483643, 2147483646] 2911 | "%s-%s-%d-%d", netdev->name, "TxRx", i, | ^~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2911:34: note: directive argument in the range [0, 65535] drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2910:25: note: 'snprintf' output between 10 and 39 bytes into a destination of size 24 2910 | snprintf(q_vector->name, sizeof(q_vector->name) - 1, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2911 | "%s-%s-%d-%d", netdev->name, "TxRx", i, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2912 | q_vector->v_idx); | ~~~~~~~~~~~~~~~~ vim +2911 drivers/net/ethernet/mucse/rnpm/rnpm_main.c 2887 2888 /** 2889 * rnpm_request_msix_irqs - Initialize MSI-X interrupts 2890 * @adapter: board private structure 2891 * 2892 * rnpm_request_msix_irqs allocates MSI-X vectors and requests 2893 * interrupts from the kernel. 2894 **/ 2895 static int rnpm_request_msix_irqs(struct rnpm_adapter *adapter) 2896 { 2897 struct net_device *netdev = adapter->netdev; 2898 int err; 2899 int i = 0; 2900 int cpu; 2901 2902 DPRINTK(IFUP, INFO, "num_q_vectors:%d\n", adapter->num_q_vectors); 2903 2904 for (i = 0; i < adapter->num_q_vectors; i++) { 2905 struct rnpm_q_vector *q_vector = adapter->q_vector[i]; 2906 struct msix_entry *entry = &adapter->msix_entries[i]; 2907 2908 // rnpm_dbg("use irq %d\n", entry->entry); 2909 if (q_vector->tx.ring && q_vector->rx.ring) { 2910 snprintf(q_vector->name, sizeof(q_vector->name) - 1, > 2911 "%s-%s-%d-%d", netdev->name, "TxRx", i, 2912 q_vector->v_idx); 2913 } else { 2914 WARN(!(q_vector->tx.ring && q_vector->rx.ring), 2915 "%s vector%d tx rx is null, v_idx:%d\n", 2916 netdev->name, i, q_vector->v_idx); 2917 /* skip this unused q_vector */ 2918 continue; 2919 } 2920 err = request_irq(entry->vector, &rnpm_msix_clean_rings, 0, 2921 q_vector->name, q_vector); 2922 if (err) { 2923 e_err(probe, 2924 "%s:request_irq failed for MSIX interrupt:%d Error: %d\n", 2925 netdev->name, entry->vector, err); 2926 goto free_queue_irqs; 2927 } 2928 /* register for affinity change notifications */ 2929 q_vector->affinity_notify.notify = rnpm_irq_affinity_notify; 2930 q_vector->affinity_notify.release = rnpm_irq_affinity_release; 2931 irq_set_affinity_notifier(entry->vector, 2932 &q_vector->affinity_notify); 2933 /* Spread affinity hints out across online CPUs. 2934 * 2935 * get_cpu_mask returns a static constant mask with 2936 * a permanent lifetime so it's ok to pass to 2937 * irq_set_affinity_hint without making a copy. 2938 */ 2939 cpu = cpumask_local_spread(q_vector->v_idx, -1); 2940 irq_set_affinity_hint(entry->vector, get_cpu_mask(cpu)); 2941 } 2942 2943 return 0; 2944 2945 free_queue_irqs: 2946 while (i) { 2947 i--; 2948 irq_set_affinity_hint(adapter->msix_entries[i].vector, NULL); 2949 irq_set_affinity_notifier(adapter->msix_entries[i].vector, 2950 NULL); 2951 irq_set_affinity_hint(adapter->msix_entries[i].vector, NULL); 2952 free_irq(adapter->msix_entries[i].vector, adapter->q_vector[i]); 2953 } 2954 2955 kfree(adapter->msix_entries); 2956 adapter->msix_entries = NULL; 2957 return err; 2958 } 2959 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 6865/10605] drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5599:32: error: called object type 'int' is not a function or function pointer
by kernel test robot 09 Jul '24

09 Jul '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 0dba2ca16050e1ea7b068850b6fa440dbeb6665b commit: 6adab536d69347a10c2366aaf6b86de963d5994b [6865/10605] drivers: initial support for rnpvf drivers from Mucse Technology config: arm64-randconfig-002-20240709 (https://download.01.org/0day-ci/archive/20240709/202407090326.YKEPYjUd-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240709/202407090326.YKEPYjUd-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202407090326.YKEPYjUd-lkp@intel.com/ All errors (new ones prefixed by >>): | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:127:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 127 | void rnpvf_unmap_and_free_tx_resource(struct rnpvf_ring *ring, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1365:6: warning: no previous prototype for function 'rnpvf_alloc_rx_buffers' [-Wmissing-prototypes] 1365 | void rnpvf_alloc_rx_buffers(struct rnpvf_ring *rx_ring, u16 cleaned_count) | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1365:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1365 | void rnpvf_alloc_rx_buffers(struct rnpvf_ring *rx_ring, u16 cleaned_count) | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1659:7: warning: variable 'xdp_xmit' set but not used [-Wunused-but-set-variable] 1659 | bool xdp_xmit = false; | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1945:6: warning: no previous prototype for function 'update_rx_count' [-Wmissing-prototypes] 1945 | void update_rx_count(int cleaned, struct rnpvf_q_vector *q_vector) | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1945:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1945 | void update_rx_count(int cleaned, struct rnpvf_q_vector *q_vector) | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2420:6: warning: no previous prototype for function 'rnpvf_write_eitr_rx' [-Wmissing-prototypes] 2420 | void rnpvf_write_eitr_rx(struct rnpvf_q_vector *q_vector) | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2420:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2420 | void rnpvf_write_eitr_rx(struct rnpvf_q_vector *q_vector) | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2523:6: warning: no previous prototype for function 'rnpvf_configure_tx_ring' [-Wmissing-prototypes] 2523 | void rnpvf_configure_tx_ring(struct rnpvf_adapter *adapter, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2523:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2523 | void rnpvf_configure_tx_ring(struct rnpvf_adapter *adapter, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2589:6: warning: no previous prototype for function 'rnpvf_disable_rx_queue' [-Wmissing-prototypes] 2589 | void rnpvf_disable_rx_queue(struct rnpvf_adapter *adapter, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2589:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2589 | void rnpvf_disable_rx_queue(struct rnpvf_adapter *adapter, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2595:6: warning: no previous prototype for function 'rnpvf_enable_rx_queue' [-Wmissing-prototypes] 2595 | void rnpvf_enable_rx_queue(struct rnpvf_adapter *adapter, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2595:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2595 | void rnpvf_enable_rx_queue(struct rnpvf_adapter *adapter, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2601:6: warning: no previous prototype for function 'rnpvf_configure_rx_ring' [-Wmissing-prototypes] 2601 | void rnpvf_configure_rx_ring(struct rnpvf_adapter *adapter, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2601:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2601 | void rnpvf_configure_rx_ring(struct rnpvf_adapter *adapter, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2736:6: warning: variable 'err' set but not used [-Wunused-but-set-variable] 2736 | int err = -EOPNOTSUPP; | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:3307:6: warning: variable 'vector_threshold' set but not used [-Wunused-but-set-variable] 3307 | int vector_threshold; | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:3456:19: warning: variable 'hw' set but not used [-Wunused-but-set-variable] 3456 | struct rnpvf_hw *hw; | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:4590:6: warning: no previous prototype for function 'rnpvf_tx_ctxtdesc' [-Wmissing-prototypes] 4590 | void rnpvf_tx_ctxtdesc(struct rnpvf_ring *tx_ring, u16 mss_seg_len, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:4590:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 4590 | void rnpvf_tx_ctxtdesc(struct rnpvf_ring *tx_ring, u16 mss_seg_len, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5039:6: warning: no previous prototype for function 'rnpvf_maybe_tx_ctxtdesc' [-Wmissing-prototypes] 5039 | void rnpvf_maybe_tx_ctxtdesc(struct rnpvf_ring *tx_ring, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5039:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 5039 | void rnpvf_maybe_tx_ctxtdesc(struct rnpvf_ring *tx_ring, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5089:13: warning: no previous prototype for function 'rnpvf_xmit_frame_ring' [-Wmissing-prototypes] 5089 | netdev_tx_t rnpvf_xmit_frame_ring(struct sk_buff *skb, | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5089:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 5089 | netdev_tx_t rnpvf_xmit_frame_ring(struct sk_buff *skb, | ^ | static drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5484:6: warning: variable 'ring_csum_err' set but not used [-Wunused-but-set-variable] 5484 | u64 ring_csum_err = 0; | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5485:6: warning: variable 'ring_csum_good' set but not used [-Wunused-but-set-variable] 5485 | u64 ring_csum_good = 0; | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5580:6: warning: no previous prototype for function 'rnpvf_assign_netdev_ops' [-Wmissing-prototypes] 5580 | void rnpvf_assign_netdev_ops(struct net_device *dev) | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5580:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 5580 | void rnpvf_assign_netdev_ops(struct net_device *dev) | ^ | static >> drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5599:32: error: called object type 'int' is not a function or function pointer 5599 | v = rd32(hw, RNP_DMA_RX_START(ring)); | ~~~~~~~~~~~~~~~~^ drivers/net/ethernet/mucse/rnpvf/rnpvf_regs.h:116:53: note: expanded from macro 'rd32' 116 | #define rd32(hw, off) rnpvf_rd_reg((hw)->hw_addr + (off)) | ^~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_regs.h:104:42: note: expanded from macro 'rnpvf_rd_reg' 104 | #define rnpvf_rd_reg(reg) readl((void *)(reg)) | ^~~ 18 warnings and 1 error generated. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for RESCTRL_FS Depends on [n]: MISC_FILESYSTEMS [=n] && ARCH_HAS_CPU_RESCTRL [=y] Selected by [y]: - ARM64_MPAM [=y] vim +/int +5599 drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c 5587 5588 static u8 rnpvf_vfnum(struct rnpvf_hw *hw) 5589 { 5590 u16 vf_num = -1; 5591 u32 pfvfnum_reg; 5592 5593 #if CONFIG_BAR4_PFVFNUM 5594 int ring, v; 5595 u16 func = 0; 5596 5597 func = ((hw->pdev->devfn & 0x1) ? 1 : 0); 5598 for (ring = 0; ring < 128; ring += 2) { > 5599 v = rd32(hw, RNP_DMA_RX_START(ring)); 5600 if ((v & 0xFFFF) == hw->pdev->vendor) { 5601 continue; 5602 } else { 5603 vf_num = (1 << 7) /*vf-active*/ | 5604 (func << 6) /*pf*/ | (ring / 2) /*vfnum*/; 5605 break; 5606 } 5607 } 5608 return vf_num; 5609 #else 5610 pfvfnum_reg = 5611 (VF_NUM_REG_N10 & (pci_resource_len(hw->pdev, 0) - 1)); 5612 vf_num = readl(hw->hw_addr_bar0 + pfvfnum_reg); 5613 #define VF_NUM_MASK_TEMP (0xff0) 5614 #define VF_NUM_OFF (4) 5615 return ((vf_num & VF_NUM_MASK_TEMP) >> VF_NUM_OFF); 5616 #endif 5617 } 5618 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] kdb: Fix buffer overflow during tab-complete
by Tengda Wu 08 Jul '24

08 Jul '24

From: Daniel Thompson <daniel.thompson(a)linaro.org> stable inclusion from stable-v6.6.34 commit 107e825cc448b7834b31e8b1b3cf0f57426d46d5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05N CVE: CVE-2024-39480 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt <justinstitt(a)google.com> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziU… Cc: stable(a)vger.kernel.org Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Tested-by: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@lin… Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 9443bc63c5a2..06dfbccb1033 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -367,14 +367,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; -- 2.34.1

2 1

[PATCH OLK-5.10] kdb: Fix buffer overflow during tab-complete
by Tengda Wu 08 Jul '24

08 Jul '24

From: Daniel Thompson <daniel.thompson(a)linaro.org> stable inclusion from stable-v5.10.219 commit cfdc2fa4db57503bc6d3817240547c8ddc55fa96 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05N CVE: CVE-2024-39480 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt <justinstitt(a)google.com> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziU… Cc: stable(a)vger.kernel.org Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Tested-by: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@lin… Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 6735ac36b718..dcc7e13e98b3 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -354,14 +354,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] kdb: Fix buffer overflow during tab-complete
by Tengda Wu 08 Jul '24

08 Jul '24

From: Daniel Thompson <daniel.thompson(a)linaro.org> stable inclusion from stable-v4.19.316 commit fb824a99e148ff272a53d71d84122728b5f00992 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05N CVE: CVE-2024-39480 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt <justinstitt(a)google.com> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziU… Cc: stable(a)vger.kernel.org Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Tested-by: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@lin… Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 6a4b41484afe..2ce307c86977 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -364,14 +364,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] kdb: Fix buffer overflow during tab-complete
by Tengda Wu 08 Jul '24

08 Jul '24

From: Daniel Thompson <daniel.thompson(a)linaro.org> stable inclusion from stable-v5.10.219 commit cfdc2fa4db57503bc6d3817240547c8ddc55fa96 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05N CVE: CVE-2024-39480 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt <justinstitt(a)google.com> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziU… Cc: stable(a)vger.kernel.org Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Tested-by: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@lin… Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 6735ac36b718..dcc7e13e98b3 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -354,14 +354,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; -- 2.34.1

2 1

[PATCH OLK-5.10] arm64: mm: Pass pbha-performance-only bit under chosen node
by Wupeng Ma 08 Jul '24

08 Jul '24

From: Ma Wupeng <mawupeng1(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I96IZH -------------------------------- Pass pbha-performance-only under chosen node to slove booting problem. Fixes: f43933b3f947 ("arm64: cpufeature: Enable PBHA for stage1 early via FDT") Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- arch/arm64/kernel/cpufeature.c | 12 +++++++++++- drivers/firmware/efi/libstub/fdt.c | 7 ------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 9a4193991be5..36a426b0def2 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1802,14 +1802,24 @@ void __init early_pbha_init(void) if (!fdt) goto unlock; + /* arm,pbha-performance-only may exist in both chosen and cpus node */ + node = fdt_path_offset(fdt, "/chosen"); + if (node < 0) + goto unlock; + + prop = fdt_getprop(fdt, node, "arm,pbha-performance-only", &size); + if (prop) + goto found; + node = fdt_path_offset(fdt, "/cpus"); if (node < 0) goto unlock; prop = fdt_getprop(fdt, node, "arm,pbha-performance-only", &size); - if (!prop) + if (prop) goto unlock; +found: if (!cpu_has_pbha()) goto unlock; diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c index cb8e8e4e3f63..30aeb2b54569 100644 --- a/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c @@ -57,13 +57,6 @@ static efi_status_t fdt_init_hbm_mode(void *fdt, int node) if (status) return EFI_LOAD_ERROR; - node = fdt_subnode_offset(fdt, 0, "cpus"); - if (node < 0) { - node = fdt_add_subnode(fdt, 0, "cpus"); - if (node < 0) - return EFI_LOAD_ERROR; - } - /* Current PBHA bit59 is need to enable PBHA bit0 mode. */ status = fdt_setprop_var(fdt, node, "arm,pbha-performance-only", arr); if (status) { -- 2.25.1

2 1

[PATCH OLK-6.6] mm: mem_reliable: Make counting reliable task usage compatible with folio
by Wupeng Ma 08 Jul '24

08 Jul '24

From: Ma Wupeng <mawupeng1(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8USBA -------------------------------- Memory folio is enabled in current branch, however the counting of reliale memory task need some polish to make the counting right. In zap_present_folio_ptes, non-anon folio should also be counted. Fixes: b5be205e006a ("mm/memory: factor out zapping of present pte into zap_present_pte()") Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- kernel/events/uprobes.c | 2 +- mm/huge_memory.c | 4 ++-- mm/khugepaged.c | 2 +- mm/ksm.c | 2 +- mm/memory.c | 7 ++++--- mm/rmap.c | 8 ++++---- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 9f8d9baa7a2f..a80072c3f888 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -199,7 +199,7 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr, set_pte_at_notify(mm, addr, pvmw.pte, mk_pte(new_page, vma->vm_page_prot)); - add_reliable_page_counter(old_page, mm, -1); + add_reliable_folio_counter(old_folio, mm, -1); folio_remove_rmap_pte(old_folio, old_page, vma); if (!folio_mapped(old_folio)) folio_free_swap(old_folio); diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 32ddf09db52b..d743502c70f0 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1608,7 +1608,7 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm, return -EAGAIN; } add_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR); - add_reliable_page_counter(src_page, dst_mm, HPAGE_PMD_NR); + add_reliable_folio_counter(src_folio, dst_mm, HPAGE_PMD_NR); out_zero_page: mm_inc_nr_ptes(dst_mm); pgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable); @@ -2577,7 +2577,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd, folio_mark_dirty(folio); if (!folio_test_referenced(folio) && pmd_young(old_pmd)) folio_set_referenced(folio); - add_reliable_page_counter(page, mm, -HPAGE_PMD_NR); + add_reliable_folio_counter(folio, mm, -HPAGE_PMD_NR); folio_remove_rmap_pmd(folio, page, vma); folio_put(folio); } diff --git a/mm/khugepaged.c b/mm/khugepaged.c index fa787464662f..06f31ad4452e 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1644,7 +1644,7 @@ int collapse_pte_mapped_thp(struct mm_struct *mm, unsigned long addr, */ ptep_clear(mm, addr, pte); folio_remove_rmap_pte(folio, page, vma); - add_reliable_page_counter(page, mm, -1); + add_reliable_folio_counter(folio, mm, -1); nr_ptes++; } diff --git a/mm/ksm.c b/mm/ksm.c index 94207293e6fc..09411079262b 100644 --- a/mm/ksm.c +++ b/mm/ksm.c @@ -1236,7 +1236,7 @@ static int replace_page(struct vm_area_struct *vma, struct page *page, */ if (!is_zero_pfn(page_to_pfn(kpage))) { folio_get(kfolio); - add_reliable_page_counter(kpage, mm, 1); + add_reliable_folio_counter(kfolio, mm, 1); folio_add_anon_rmap_pte(kfolio, kpage, vma, addr, RMAP_NONE); newpte = mk_pte(kpage, vma->vm_page_prot); } else { diff --git a/mm/memory.c b/mm/memory.c index fe10342687d0..49a5618661d8 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1495,12 +1495,12 @@ static __always_inline void zap_present_folio_ptes(struct mmu_gather *tlb, if (pte_young(ptent) && likely(vma_has_recency(vma))) folio_mark_accessed(folio); rss[mm_counter(folio)] -= nr; - add_reliable_page_counter(page, mm, -nr); } else { /* We don't need up-to-date accessed/dirty bits. */ clear_full_ptes(mm, addr, pte, nr, tlb->fullmm); rss[MM_ANONPAGES] -= nr; } + add_reliable_folio_counter(folio, mm, -nr); /* Checking a single PTE in a batch is sufficient. */ arch_check_zapped_pte(vma, ptent); @@ -1637,7 +1637,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, */ WARN_ON_ONCE(!vma_is_anonymous(vma)); rss[mm_counter(folio)]--; - add_reliable_page_counter(page, mm, -1); + add_reliable_folio_counter(folio, mm, -1); if (is_device_private_entry(entry)) folio_remove_rmap_pte(folio, page, vma); folio_put(folio); @@ -1654,6 +1654,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, if (!should_zap_folio(details, folio)) continue; rss[mm_counter(folio)]--; + add_reliable_folio_counter(folio, mm, -1); } else if (pte_marker_entry_uffd_wp(entry)) { /* * For anon: always drop the marker; for file: only @@ -4643,7 +4644,7 @@ vm_fault_t do_set_pmd(struct vm_fault *vmf, struct page *page) entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma); add_mm_counter(vma->vm_mm, mm_counter_file(folio), HPAGE_PMD_NR); - add_reliable_page_counter(page, vma->vm_mm, HPAGE_PMD_NR); + add_reliable_folio_counter(folio, vma->vm_mm, HPAGE_PMD_NR); folio_add_file_rmap_pmd(folio, page, vma); /* diff --git a/mm/rmap.c b/mm/rmap.c index d13003244e6a..d78bb701bda1 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1757,7 +1757,7 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, hsz); } else { dec_mm_counter(mm, mm_counter(folio)); - add_reliable_page_counter(&folio->page, mm, -1); + add_reliable_folio_counter(folio, mm, -1); set_pte_at(mm, address, pvmw.pte, pteval); } @@ -1773,7 +1773,7 @@ static bool try_to_unmap_one(struct folio *folio, struct vm_area_struct *vma, * copied pages. */ dec_mm_counter(mm, mm_counter(folio)); - add_reliable_page_counter(&folio->page, mm, -1); + add_reliable_folio_counter(folio, mm, -1); } else if (folio_test_anon(folio)) { swp_entry_t entry = page_swap_entry(subpage); pte_t swp_pte; @@ -2163,7 +2163,7 @@ static bool try_to_migrate_one(struct folio *folio, struct vm_area_struct *vma, hsz); } else { dec_mm_counter(mm, mm_counter(folio)); - add_reliable_page_counter(&folio->page, mm, -1); + add_reliable_folio_counter(folio, mm, -1); set_pte_at(mm, address, pvmw.pte, pteval); } @@ -2179,7 +2179,7 @@ static bool try_to_migrate_one(struct folio *folio, struct vm_area_struct *vma, * copied pages. */ dec_mm_counter(mm, mm_counter(folio)); - add_reliable_page_counter(&folio->page, mm, -1); + add_reliable_folio_counter(folio, mm, -1); } else { swp_entry_t entry; pte_t swp_pte; -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] kdb: Fix buffer overflow during tab-complete
by Tengda Wu 08 Jul '24

08 Jul '24

From: Daniel Thompson <daniel.thompson(a)linaro.org> stable inclusion from stable-v5.10.219 commit cfdc2fa4db57503bc6d3817240547c8ddc55fa96 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05N CVE: CVE-2024-39480 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt <justinstitt(a)google.com> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziU… Cc: stable(a)vger.kernel.org Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Tested-by: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@lin… Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 5d5314d6795f3c1c0f415348ff8c51f7de042b77 ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 6735ac36b718..dcc7e13e98b3 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -354,14 +354,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; -- 2.34.1

2 1

[PATCH OLK-6.6] kdb: Fix buffer overflow during tab-complete
by Tengda Wu 08 Jul '24

08 Jul '24

From: Daniel Thompson <daniel.thompson(a)linaro.org> stable inclusion from stable-v6.6.34 commit 107e825cc448b7834b31e8b1b3cf0f57426d46d5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05N CVE: CVE-2024-39480 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e9730744bf3af04cda23799029342aa3cddbc454 upstream. Currently, when the user attempts symbol completion with the Tab key, kdb will use strncpy() to insert the completed symbol into the command buffer. Unfortunately it passes the size of the source buffer rather than the destination to strncpy() with predictably horrible results. Most obviously if the command buffer is already full but cp, the cursor position, is in the middle of the buffer, then we will write past the end of the supplied buffer. Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() calls plus explicit boundary checks to make sure we have enough space before we start moving characters around. Reported-by: Justin Stitt <justinstitt(a)google.com> Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziU… Cc: stable(a)vger.kernel.org Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Tested-by: Justin Stitt <justinstitt(a)google.com> Link: https://lore.kernel.org/r/20240424-kgdb_read_refactor-v3-1-f236dbe9828d@lin… Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Fixes: 5d5314d6795f3c1c0f415348ff8c51f7de042b77 ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 9443bc63c5a2..06dfbccb1033 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -367,14 +367,19 @@ static char *kdb_read(char *buffer, size_t bufsize) kdb_printf(kdb_prompt_str); kdb_printf("%s", buffer); } else if (tab != 2 && count > 0) { - len_tmp = strlen(p_tmp); - strncpy(p_tmp+len_tmp, cp, lastchar-cp+1); - len_tmp = strlen(p_tmp); - strncpy(cp, p_tmp+len, len_tmp-len + 1); - len = len_tmp - len; - kdb_printf("%s", cp); - cp += len; - lastchar += len; + /* How many new characters do we want from tmpbuffer? */ + len_tmp = strlen(p_tmp) - len; + if (lastchar + len_tmp >= bufend) + len_tmp = bufend - lastchar; + + if (len_tmp) { + /* + 1 ensures the '\0' is memmove'd */ + memmove(cp+len_tmp, cp, (lastchar-cp) + 1); + memcpy(cp, p_tmp+len, len_tmp); + kdb_printf("%s", cp); + cp += len_tmp; + lastchar += len_tmp; + } } kdb_nextline = 1; /* reset output line number */ break; -- 2.34.1

2 1

2024

2023

2022

2021

2020

2019

Kernel July 2024