Kernel

kernel@openeuler.org

August 2024

  • 83 participants
  • 926 discussions
[openeuler:openEuler-1.0-LTS 17249/23564] kernel/.tmp_kprobes.o: warning: objtool: register_kprobe()+0x6d4: unreachable instruction
by kernel test robot 28 Aug '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 73a86ad60aabf460a4c8a0f96a1b2ddb98522fd8
commit: 388c9a84a807812e7226e0e1ca606563e14a7f5a [17249/23564] kprobes: Warn if the kprobe is reregistered
config: x86_64-buildonly-randconfig-004-20240825 (https://download.01.org/0day-ci/archive/20240828/202408280332.EuYU3ttl-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240828/202408280332.EuYU3ttl-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408280332.EuYU3ttl-lkp@intel.com/

All warnings (new ones prefixed by >>):

   kernel/kprobes.c:120:14: warning: no previous prototype for function 'alloc_insn_page' [-Wmissing-prototypes]
     120 | void __weak *alloc_insn_page(void)
         |              ^
   kernel/kprobes.c:120:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
     120 | void __weak *alloc_insn_page(void)
         | ^
         | static
   kernel/kprobes.c:125:13: warning: no previous prototype for function 'free_insn_page' [-Wmissing-prototypes]
     125 | void __weak free_insn_page(void *page)
         |             ^
   kernel/kprobes.c:125:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
     125 | void __weak free_insn_page(void *page)
         | ^
         | static
   2 warnings generated.
   kernel/kprobes.c:145: warning: Function parameter or member 'c' not described in '__get_insn_slot'
>> kernel/.tmp_kprobes.o: warning: objtool: register_kprobe()+0x6d4: unreachable instruction

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] jfs: Fix shift-out-of-bounds in dbDiscardAG
by GONG Ruiqi 27 Aug '24

From: Pei Li <peili.dev(a)gmail.com> mainline inclusion from mainline-v6.11-rc1 commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMMML CVE: CVE-2024-44938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------- When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative. This patch fixes the issue by exiting the loop directly when negative shift is found. Reported-by: syzbot+61be3359d2ee3467e7e4(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4 Signed-off-by: Pei Li <peili.dev(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Conflicts: fs/jfs/jfs_dmap.c [Just context conflicts: 1 vs 1LL at the next line.] Signed-off-by: GONG Ruiqi <gongruiqi1(a)huawei.com> --- fs/jfs/jfs_dmap.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index bd69bc08222f..2b3df1704d23 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -1700,6 +1700,8 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) } else if (rc == -ENOSPC) { /* search for next smaller log2 block */ l2nb = BLKSTOL2(nblocks) - 1; + if (unlikely(l2nb < 0)) + break; nblocks = 1 << l2nb; } else { /* Trim any already allocated blocks */ -- 2.25.1
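Review bot: The new l2nb < 0 check in dbDiscardAG() bounds the shift only from below, and the context line right after it, "nblocks = 1 << l2nb;", still shifts a plain int, which is only valid for l2nb below 31. The Conflicts note says mainline has 1LL on that line, so consider picking up the 1LL form in this branch as well, or state in the backport note why l2nb cannot get that large here. A short comment on the break explaining that BLKSTOL2() returned 0 and there is no smaller size left to try would also help the next reader.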
[openeuler:OLK-6.6] BUILD REGRESSION e65c0786c5c765daf978c13bfe587f5426745bc7
by kernel test robot 27 Aug '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: e65c0786c5c765daf978c13bfe587f5426745bc7  !11156 v3 Fix CVE-2024-43869

Error/Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allmodconfig
|   |-- arch-arm64-kernel-virtcca_cvm_tsi.c:warning:variable-ver-is-uninitialized-when-used-here
|   |-- arch-arm64-kvm-arm.c:warning:variable-r-is-used-uninitialized-whenever-if-condition-is-false
|   |-- arch-arm64-kvm-tmi.c:warning:no-previous-prototype-for-function-tmi_tmm_inf_test
|   |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_create_ttt_levels
|   |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_get_num_brps
|   |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_get_num_wrps
|   |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_ipa_limit
|   |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_populate_par_region
|   |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_supports_pmu
|   `-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_supports_sve
|-- x86_64-buildonly-randconfig-001-20240827
|   `-- kernel-sched-isolation.c:error:use-of-undeclared-identifier-setup_max_cpus
|-- x86_64-buildonly-randconfig-002-20240827
|   `-- kernel-sched-isolation.c:error:setup_max_cpus-undeclared-(first-use-in-this-function)
`-- x86_64-buildonly-randconfig-003-20240827
    `-- kernel-sched-isolation.c:error:setup_max_cpus-undeclared-(first-use-in-this-function)

elapsed time: 736m

configs tested: 28
configs skipped: 122

tested configs:
arm64      allmodconfig                       clang-20
arm64      allnoconfig                        gcc-14.1.0
arm64      randconfig-001-20240827            gcc-14.1.0
arm64      randconfig-002-20240827            clang-14
arm64      randconfig-003-20240827            clang-14
arm64      randconfig-004-20240827            clang-20
loongarch  allmodconfig                       gcc-14.1.0
loongarch  allnoconfig                        gcc-14.1.0
loongarch  randconfig-001-20240827            gcc-14.1.0
loongarch  randconfig-002-20240827            gcc-14.1.0
x86_64     allnoconfig                        clang-18
x86_64     allyesconfig                       clang-18
x86_64     buildonly-randconfig-001-20240827  clang-18
x86_64     buildonly-randconfig-002-20240827  gcc-12
x86_64     buildonly-randconfig-003-20240827  gcc-12
x86_64     buildonly-randconfig-004-20240827  gcc-12
x86_64     buildonly-randconfig-005-20240827  clang-18
x86_64     buildonly-randconfig-006-20240827  gcc-12
x86_64     defconfig                          gcc-11
x86_64     randconfig-001-20240827            clang-18
x86_64     randconfig-002-20240827            gcc-12
x86_64     randconfig-003-20240827            gcc-12
x86_64     randconfig-004-20240827            gcc-12
x86_64     randconfig-005-20240827            clang-18
x86_64     randconfig-006-20240827            gcc-12
x86_64     randconfig-011-20240827            gcc-12
x86_64     randconfig-012-20240827            gcc-12
x86_64     rhel-8.3-rust                      clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-5.10 0/4] kprobe support %pd/%pD type
by Ye Bin 27 Aug '24

Ye Bin (4):
  tracing/probes: support '%pd' type for print struct dentry's name
  tracing/probes: support '%pD' type for print struct file's name
  Documentation: tracing: add new type '%pd' and '%pD' for kprobe
  selftests/ftrace: add kprobe test cases for VFS type "%pd" and "%pD"

 Documentation/trace/kprobetrace.rst                |  7 +-
 kernel/trace/trace.c                               |  2 +-
 kernel/trace/trace_kprobe.c                        |  6 ++
 kernel/trace/trace_probe.c                         | 64 +++++++++++++++++++
 kernel/trace/trace_probe.h                         |  2 +
 .../ftrace/test.d/kprobe/kprobe_args_vfs.tc        | 40 ++++++++++++
 6 files changed, 118 insertions(+), 3 deletions(-)
 create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_vfs.tc

--
2.34.1
[PATCH OLK-6.6 0/6] kprobe support %pd/%pD type
by Ye Bin 27 Aug '24

Masami Hiramatsu (Google) (1):
  selftests/ftrace: Fix required features for VFS type test case

Ye Bin (5):
  tracing/probes: support '%pd' type for print struct dentry's name
  tracing/probes: support '%pD' type for print struct file's name
  Documentation: tracing: add new type '%pd' and '%pD' for kprobe
  selftests/ftrace: add kprobe test cases for VFS type "%pd" and "%pD"
  selftests/ftrace: add fprobe test cases for VFS type "%pd" and "%pD"

 Documentation/trace/kprobetrace.rst                |  6 +-
 kernel/trace/trace.c                               |  2 +-
 kernel/trace/trace_fprobe.c                        |  6 ++
 kernel/trace/trace_kprobe.c                        |  6 ++
 kernel/trace/trace_probe.c                         | 63 +++++++++++++++++++
 kernel/trace/trace_probe.h                         |  2 +
 .../ftrace/test.d/dynevent/fprobe_args_vfs.tc      | 41 ++++++++++++
 .../ftrace/test.d/kprobe/kprobe_args_vfs.tc        | 40 ++++++++++++
 8 files changed, 164 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/ftrace/test.d/dynevent/fprobe_args_vfs.tc
 create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_vfs.tc

--
2.34.1
[PATCH OLK-5.10] ksmbd: discard write access to the directory open
by Guo Mengqi 27 Aug '24

From: Hobin Woo <hobin.woo(a)samsung.com> mainline inclusion from mainline-v6.10-rc7 commit e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELQ CVE: CVE-2024-41030 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- may_open() does not allow a directory to be opened with the write access. However, some writing flags set by client result in adding write access on server, making ksmbd incompatible with FUSE file system. Simply, let's discard the write access when opening a directory. list_add corruption. next is NULL. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:26! pc : __list_add_valid+0x88/0xbc lr : __list_add_valid+0x88/0xbc Call trace: __list_add_valid+0x88/0xbc fuse_finish_open+0x11c/0x170 fuse_open_common+0x284/0x5e8 fuse_dir_open+0x14/0x24 do_dentry_open+0x2a4/0x4e0 dentry_open+0x50/0x80 smb2_open+0xbe4/0x15a4 handle_ksmbd_work+0x478/0x5ec process_one_work+0x1b4/0x448 worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 Cc: stable(a)vger.kernel.org Signed-off-by: Yoonho Shin <yoonho.shin(a)samsung.com> Signed-off-by: Hobin Woo <hobin.woo(a)samsung.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: XiongWei Yang <yangxiongwei6(a)huawei.com> --- fs/ksmbd/smb2pdu.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 50ef53115cab..feec18445829 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c 
@@ -2043,15 +2043,22 @@ int smb2_tree_connect(struct ksmbd_work *work) * @access: file access flags * @disposition: file disposition flags * @may_flags: set with MAY_ flags + * @is_dir: is creating open flags for directory * * Return: file open flags */ static int smb2_create_open_flags(bool file_present, __le32 access, __le32 disposition, - int *may_flags) + int *may_flags, + bool is_dir) { int oflags = O_NONBLOCK | O_LARGEFILE; + if (is_dir) { + access &= ~FILE_WRITE_DESIRE_ACCESS_LE; + ksmbd_debug(SMB, "Discard write access to a directory\n"); + } + if (access & FILE_READ_DESIRED_ACCESS_LE && access & FILE_WRITE_DESIRE_ACCESS_LE) { oflags |= O_RDWR; @@ -2891,7 +2898,9 @@ int smb2_open(struct ksmbd_work *work) open_flags = smb2_create_open_flags(file_present, daccess, req->CreateDisposition, - &may_flags); + &may_flags, + req->CreateOptions & FILE_DIRECTORY_FILE_LE || + (file_present && S_ISDIR(d_inode(path.dentry)->i_mode))); if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { if (open_flags & O_CREAT) { -- 2.17.1
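Review bot: In smb2_create_open_flags(), the ksmbd_debug() call sits directly under "if (is_dir)" and so fires on every directory open, whether or not the client requested any write bit. Test access & FILE_WRITE_DESIRE_ACCESS_LE first and log only when the mask is actually being cleared, so the message "Discard write access to a directory" is true each time it appears and the debug log stays usable on busy shares.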
[PATCH openEuler-22.03-LTS-SP1] ksmbd: discard write access to the directory open
by Guo Mengqi 27 Aug '24

From: Hobin Woo <hobin.woo(a)samsung.com> mainline inclusion from mainline-v6.10-rc7 commit e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGELQ CVE: CVE-2024-41030 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- may_open() does not allow a directory to be opened with the write access. However, some writing flags set by client result in adding write access on server, making ksmbd incompatible with FUSE file system. Simply, let's discard the write access when opening a directory. list_add corruption. next is NULL. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:26! pc : __list_add_valid+0x88/0xbc lr : __list_add_valid+0x88/0xbc Call trace: __list_add_valid+0x88/0xbc fuse_finish_open+0x11c/0x170 fuse_open_common+0x284/0x5e8 fuse_dir_open+0x14/0x24 do_dentry_open+0x2a4/0x4e0 dentry_open+0x50/0x80 smb2_open+0xbe4/0x15a4 handle_ksmbd_work+0x478/0x5ec process_one_work+0x1b4/0x448 worker_thread+0x25c/0x430 kthread+0x104/0x1d4 ret_from_fork+0x10/0x20 Cc: stable(a)vger.kernel.org Signed-off-by: Yoonho Shin <yoonho.shin(a)samsung.com> Signed-off-by: Hobin Woo <hobin.woo(a)samsung.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: XiongWei Yang <yangxiongwei6(a)huawei.com> --- fs/ksmbd/smb2pdu.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 50ef53115cab..feec18445829 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c 
@@ -2043,15 +2043,22 @@ int smb2_tree_connect(struct ksmbd_work *work) * @access: file access flags * @disposition: file disposition flags * @may_flags: set with MAY_ flags + * @is_dir: is creating open flags for directory * * Return: file open flags */ static int smb2_create_open_flags(bool file_present, __le32 access, __le32 disposition, - int *may_flags) + int *may_flags, + bool is_dir) { int oflags = O_NONBLOCK | O_LARGEFILE; + if (is_dir) { + access &= ~FILE_WRITE_DESIRE_ACCESS_LE; + ksmbd_debug(SMB, "Discard write access to a directory\n"); + } + if (access & FILE_READ_DESIRED_ACCESS_LE && access & FILE_WRITE_DESIRE_ACCESS_LE) { oflags |= O_RDWR; @@ -2891,7 +2898,9 @@ int smb2_open(struct ksmbd_work *work) open_flags = smb2_create_open_flags(file_present, daccess, req->CreateDisposition, - &may_flags); + &may_flags, + req->CreateOptions & FILE_DIRECTORY_FILE_LE || + (file_present && S_ISDIR(d_inode(path.dentry)->i_mode))); if (!test_tree_conn_flag(tcon, KSMBD_TREE_CONN_FLAG_WRITABLE)) { if (open_flags & O_CREAT) { -- 2.17.1
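Review bot: At the smb2_open() call site, the new is_dir argument is passed as an inline expression that mixes & and || with only the second operand parenthesised: req->CreateOptions & FILE_DIRECTORY_FILE_LE || (file_present && S_ISDIR(...)). Precedence gives the intended result, but computing it into a named bool local just before the call, with the bitwise test in its own parentheses, would read more clearly and make it obvious that the directory decision comes from two sources: the client's CreateOptions and the inode mode of an existing path.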
[PATCH openEuler-22.03-LTS-SP1] drivers: core: synchronize really_probe() and dev_uevent()
by Guo Mengqi 27 Aug '24

From: Dirk Behme <dirk.behme(a)de.bosch.com> mainline inclusion from mainline-v6.10-rc4 commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACSAA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Synchronize the dev->driver usage in really_probe() and dev_uevent(). These can run in different threads, what can result in the following race condition for dev->driver uninitialization: Thread #1: ========== really_probe() { ... probe_failed: ... device_unbind_cleanup(dev) { ... dev->driver = NULL; // <= Failed probe sets dev->driver to NULL ... } ... } Thread #2: ========== dev_uevent() { ... if (dev->driver) // If dev->driver is NULLed from really_probe() from here on, // after above check, the system crashes add_uevent_var(env, "DRIVER=%s", dev->driver->name); ... } really_probe() holds the lock, already. So nothing needs to be done there. dev_uevent() is called with lock held, often, too. But not always. What implies that we can't add any locking in dev_uevent() itself. So fix this race by adding the lock to the non-protected path. This is the path where above race is observed: dev_uevent+0x235/0x380 uevent_show+0x10c/0x1f0 <= Add lock here dev_attr_show+0x3a/0xa0 sysfs_kf_seq_show+0x17c/0x250 kernfs_seq_show+0x7c/0x90 seq_read_iter+0x2d7/0x940 kernfs_fop_read_iter+0xc6/0x310 vfs_read+0x5bc/0x6b0 ksys_read+0xeb/0x1b0 __x64_sys_read+0x42/0x50 x64_sys_call+0x27ad/0x2d30 do_syscall_64+0xcd/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Similar cases are reported by syzkaller in https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a But these are regarding the *initialization* of dev->driver dev->driver = drv; As this switches dev->driver to non-NULL these reports can be considered to be false-positives (which should be "fixed" by this commit, as well, though). 
The same issue was reported and tried to be fixed back in 2015 in https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@sam… already. Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class") Cc: stable <stable(a)kernel.org> Cc: syzbot+ffa8143439596313a85a(a)syzkaller.appspotmail.com Cc: Ashish Sangwan <a.sangwan(a)samsung.com> Cc: Namjae Jeon <namjae.jeon(a)samsung.com> Signed-off-by: Dirk Behme <dirk.behme(a)de.bosch.com> Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/base/core.c [Resolve conflicts due to several refactor patches not merged.] Signed-off-by: Yuan Can <yuancan(a)huawei.com> --- drivers/base/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/base/core.c b/drivers/base/core.c index 1070e1bb501f..fcb5daf6604d 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -2006,8 +2006,11 @@ static ssize_t uevent_show(struct device *dev, struct device_attribute *attr, if (!env) return -ENOMEM; + /* Synchronize with really_probe() */ + device_lock(dev); /* let the kset specific function add its keys */ retval = kset->uevent_ops->uevent(kset, &dev->kobj, env); + device_unlock(dev); if (retval) goto out; -- 2.17.1
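Review bot: device_lock(dev) is now taken inside uevent_show(), which the trace in the commit message shows is reached from a sysfs read (dev_attr_show, kernfs_seq_show). Removing a sysfs attribute waits for its active readers to finish, so any path that removes this device's attributes while holding the device lock can deadlock against a reader blocked on the new device_lock() call. Please confirm that no such path exists in this branch, or avoid the lock by having dev_uevent() read dev->driver once into a local before dereferencing it.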
[PATCH OLK-5.10] drivers: core: synchronize really_probe() and dev_uevent()
by Guo Mengqi 27 Aug '24

From: Dirk Behme <dirk.behme(a)de.bosch.com> mainline inclusion from mainline-v6.10-rc4 commit c0a40097f0bc81deafc15f9195d1fb54595cd6d0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACSAA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Synchronize the dev->driver usage in really_probe() and dev_uevent(). These can run in different threads, what can result in the following race condition for dev->driver uninitialization: Thread #1: ========== really_probe() { ... probe_failed: ... device_unbind_cleanup(dev) { ... dev->driver = NULL; // <= Failed probe sets dev->driver to NULL ... } ... } Thread #2: ========== dev_uevent() { ... if (dev->driver) // If dev->driver is NULLed from really_probe() from here on, // after above check, the system crashes add_uevent_var(env, "DRIVER=%s", dev->driver->name); ... } really_probe() holds the lock, already. So nothing needs to be done there. dev_uevent() is called with lock held, often, too. But not always. What implies that we can't add any locking in dev_uevent() itself. So fix this race by adding the lock to the non-protected path. This is the path where above race is observed: dev_uevent+0x235/0x380 uevent_show+0x10c/0x1f0 <= Add lock here dev_attr_show+0x3a/0xa0 sysfs_kf_seq_show+0x17c/0x250 kernfs_seq_show+0x7c/0x90 seq_read_iter+0x2d7/0x940 kernfs_fop_read_iter+0xc6/0x310 vfs_read+0x5bc/0x6b0 ksys_read+0xeb/0x1b0 __x64_sys_read+0x42/0x50 x64_sys_call+0x27ad/0x2d30 do_syscall_64+0xcd/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Similar cases are reported by syzkaller in https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a But these are regarding the *initialization* of dev->driver dev->driver = drv; As this switches dev->driver to non-NULL these reports can be considered to be false-positives (which should be "fixed" by this commit, as well, though). 
The same issue was reported and tried to be fixed back in 2015 in https://lore.kernel.org/lkml/1421259054-2574-1-git-send-email-a.sangwan@sam… already. Fixes: 239378f16aa1 ("Driver core: add uevent vars for devices of a class") Cc: stable <stable(a)kernel.org> Cc: syzbot+ffa8143439596313a85a(a)syzkaller.appspotmail.com Cc: Ashish Sangwan <a.sangwan(a)samsung.com> Cc: Namjae Jeon <namjae.jeon(a)samsung.com> Signed-off-by: Dirk Behme <dirk.behme(a)de.bosch.com> Link: https://lore.kernel.org/r/20240513050634.3964461-1-dirk.behme@de.bosch.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/base/core.c [Resolve conflicts due to several refactor patches not merged.] Signed-off-by: Yuan Can <yuancan(a)huawei.com> --- drivers/base/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/base/core.c b/drivers/base/core.c index 82b50a89cedc..a5ff2a88bbeb 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -2041,8 +2041,11 @@ static ssize_t uevent_show(struct device *dev, struct device_attribute *attr, if (!env) return -ENOMEM; + /* Synchronize with really_probe() */ + device_lock(dev); /* let the kset specific function add its keys */ retval = kset->uevent_ops->uevent(kset, &dev->kobj, env); + device_unlock(dev); if (retval) goto out; -- 2.17.1
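Review bot: The added comment above device_lock(dev) in uevent_show() names the other party, really_probe(), but not the data being protected. Say that the lock keeps dev->driver stable while the kset uevent callback dereferences it, and that it is taken here rather than in dev_uevent() because other callers already hold it, as the commit message explains. Without that, a later cleanup could move the lock into dev_uevent() and self-deadlock those callers.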
[PATCH OLK-5.10] ibmvnic: don't release napi in __ibmvnic_open()
by Guo Mengqi 27 Aug '24

From: Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> mainline inclusion from mainline-v5.17-rc4 commit 61772b0908c640d0309c40f7d41d062ca4e979fa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGL6 CVE: CVE-2022-48811 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If __ibmvnic_open() encounters an error such as when setting link state, it calls release_resources() which frees the napi structures needlessly. Instead, have __ibmvnic_open() only clean up the work it did so far (i.e. disable napi and irqs) and leave the rest to the callers. If caller of __ibmvnic_open() is ibmvnic_open(), it should release the resources immediately. If the caller is do_reset() or do_hard_reset(), they will release the resources on the next reset. This fixes following crash that occurred when running the drmgr command several times to add/remove a vnic interface: [102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq [102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq [102056] ibmvnic 30000003 env3: Replenished 8 pools Kernel attempted to read user page (10) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000010 Faulting instruction address: 0xc000000000a3c840 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries ... CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1 Workqueue: events_long __ibmvnic_reset [ibmvnic] NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820 REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37) MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004 CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000 ... 
NIP [c000000000a3c840] napi_enable+0x20/0xc0 LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic] Call Trace: [c0000000548e3a80] [0000000000000006] 0x6 (unreliable) [c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic] [c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic] [c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570 [c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660 [c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0 [c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010 38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020 ---[ end trace 5f8033b08fd27706 ]--- Fixes: ed651a10875f ("ibmvnic: Updated reset handling") Reported-by: Abdul Haleem <abdhalee(a)linux.vnet.ibm.com> Signed-off-by: Sukadev Bhattiprolu <sukadev(a)linux.ibm.com> Reviewed-by: Dany Madden <drt(a)linux.ibm.com> Link: https://lore.kernel.org/r/20220208001918.900602-1-sukadev@linux.ibm.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: drivers/net/ethernet/ibm/ibmvnic.c [commit bbd809305bc7 invocate release_rx_pools() if resources initialization failed, which not merged lead to conflicts] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- drivers/net/ethernet/ibm/ibmvnic.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 955eea41dc16..89b36c928b0e 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c 
@@ -109,6 +109,7 @@ static void release_crq_queue(struct ibmvnic_adapter *); static int __ibmvnic_set_mac(struct net_device *, u8 *); static int init_crq_queue(struct ibmvnic_adapter *adapter); static int send_query_phys_parms(struct ibmvnic_adapter *adapter); +static void ibmvnic_disable_irqs(struct ibmvnic_adapter *adapter); struct ibmvnic_stat { char name[ETH_GSTRING_LEN]; @@ -1177,7 +1178,7 @@ static int __ibmvnic_open(struct net_device *netdev) rc = set_link_state(adapter, IBMVNIC_LOGICAL_LNK_UP); if (rc) { ibmvnic_napi_disable(adapter); - release_resources(adapter); + ibmvnic_disable_irqs(adapter); return rc; } @@ -1213,7 +1214,6 @@ static int ibmvnic_open(struct net_device *netdev) rc = init_resources(adapter); if (rc) { netdev_err(netdev, "failed to initialize resources\n"); - release_resources(adapter); goto out; } } @@ -1229,6 +1229,10 @@ static int ibmvnic_open(struct net_device *netdev) adapter->state = VNIC_OPEN; rc = 0; } + + if (rc) + release_resources(adapter); + return rc; } -- 2.17.1
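Review bot: In ibmvnic_open(), the init_resources() failure path now only does "goto out", and the release has moved to the new "if (rc) release_resources(adapter);" block just before "return rc". The out: label is not in the visible context, so please confirm that it sits above that block in this branch; if it ended up below it, a failed init_resources() would return without releasing anything. This deserves a second look because the Conflicts note says commit bbd809305bc7 is not merged here. In __ibmvnic_open(), a one-line comment on the set_link_state() error path saying that only napi and irqs are undone and the rest is left to the caller would document the new contract.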