Kernel

kernel@openeuler.org

  • 26 participants
  • 18022 discussions
[PATCH RESEND OLK-5.10 0/3] Add support for kunpeng920 Ultrasoc System Memory Buffer driver
by Qi Liu 21 Feb '22

Add support for kunpeng920 Ultrasoc System Memory Buffer driver

Qi Liu (3):
  coresight: etm4x: Modify core-commit to avoid HiSilicon ETM overflow
  drivers/coresight: Add Ultrasoc System Memory Buffer driver
  arm64: openeuler_defconfig: Enable config for ultrasoc driver

 arch/arm64/configs/openeuler_defconfig        |   7 +-
 drivers/hwtracing/coresight/Kconfig           |  20 +
 drivers/hwtracing/coresight/Makefile          |   1 +
 .../coresight/coresight-etm4x-core.c          |  98 +++
 drivers/hwtracing/coresight/coresight-etm4x.h |   8 +
 drivers/hwtracing/coresight/ultrasoc-smb.c    | 602 ++++++++++++++++++
 drivers/hwtracing/coresight/ultrasoc-smb.h    | 100 +++
 7 files changed, 835 insertions(+), 1 deletion(-)
 create mode 100644 drivers/hwtracing/coresight/ultrasoc-smb.c
 create mode 100644 drivers/hwtracing/coresight/ultrasoc-smb.h

--
2.33.0
[PATCH openEuler-1.0-LTS] mm,hwpoison: Fix use-after-free in memory_failure()
by Yang Yingliang 21 Feb '22

From: Ma Wupeng <mawupeng1(a)huawei.com>

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4LE22
CVE: NA

--------------------------------

BUG: KASAN: use-after-free in __mutex_lock.isra.1+0x77c/0x860
Read of size 4 at addr ffff8000d8382040 by task syz-executor658/454

CPU: 3 PID: 454 Comm: syz-executor658 Not tainted 4.19.90+ #8
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x3f0
 show_stack+0x28/0x38
 dump_stack+0x170/0x1dc
 print_address_description+0x68/0x2c8
 kasan_report+0x130/0x2e8
 __asan_report_load4_noabort+0x30/0x40
 __mutex_lock.isra.1+0x77c/0x860
 __mutex_lock_slowpath+0x24/0x30
 mutex_lock+0x4c/0x58
 memory_failure+0x1a8/0xf00
 do_madvise+0x8bc/0x12b0
 __arm64_sys_madvise+0x74/0x218
 el0_svc_common+0x134/0x570
 el0_svc_handler+0x190/0x260
 el0_svc+0x10/0x218

Allocated by task 423:
 kasan_kmalloc+0xdc/0x190
 kasan_slab_alloc+0x14/0x20
 kmem_cache_alloc_node+0xec/0x2a0
 copy_process.isra.7.part.8+0x117c/0x58f0
 _do_fork+0x188/0x8f0
 __arm64_sys_clone+0xb0/0x108
 el0_svc_common+0x134/0x570
 el0_svc_handler+0x190/0x260
 el0_svc+0x10/0x218

Freed by task 19:
 __kasan_slab_free+0x120/0x228
 kasan_slab_free+0x10/0x18
 kmem_cache_free+0x1b8/0x270
 free_task+0xb8/0xe0
 __put_task_struct+0x248/0x318
 delayed_put_task_struct+0x58/0x210
 rcu_nocb_kthread+0x2b0/0x508
 kthread+0x2c8/0x348
 ret_from_fork+0x10/0x18

After commit 02d80b17ba49 ("mm/memory-failure: use a mutex to avoid
memory_failure() races"), all the error paths in memory_failure() need to
unlock mf_mutex, or the above use-after-free occurs. Fix the missing one
if try_to_split_thp_page() fails.

Fixes: a668355ac487 ("mm,hwpoison: unify THP handling for hard and soft offline")
Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
 mm/memory-failure.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c index cd3394dd70e16..578859c94866f 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1408,7 +1408,8 @@ int memory_failure(unsigned long pfn, int flags) if (PageTransHuge(hpage)) { if (try_to_split_thp_page(p, "Memory Failure") < 0) { action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED); - return -EBUSY; + res = -EBUSY; + goto unlock_mutex; } VM_BUG_ON_PAGE(!page_count(p), p); } -- 2.25.1
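Review bot: The changelog names two different commits for this bug, 02d80b17ba49 as the change that made every error path responsible for unlocking and a668355ac487 in the Fixes: tag, without saying which of them left the `return -EBUSY` after try_to_split_thp_page() with the mutex still held; state that explicitly so the affected range is unambiguous. The hunk converts only this one return to `res = -EBUSY; goto unlock_mutex;`, so the message should also say that any other direct returns between the lock and `unlock_mutex` were audited.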
[PATCH openEuler-1.0-LTS] dm-mpath: fix UAF in multipath_message()
by Yang Yingliang 21 Feb '22

From: Luo Meng <luomeng12(a)huawei.com>

hulk inclusion
category: bugfix
bugzilla: 186184
CVE: NA

--------------------------------

If dm_get_device() creates dd in multipath_message(), and table_deps() is
then called after dm_put_table_device(), it will lead to concurrency UAF
bugs.

One of the concurrency UAF can be shown as below:

         (USE)                     |    (FREE)
                                   |  target_message
                                   |    multipath_message
                                   |      dm_put_device
                                   |        dm_put_table_device #
                                   |          kfree(td)  # table_device *td
ioctl # DM_TABLE_DEPS_CMD          |            ...
  table_deps                       |            ...
  dm_get_live_or_inactive_table    |            ...
    retrieve_dep                   |            ...
    list_for_each_entry            |            ...
      deps->dev[count++] =         |            ...
          huge_encode_dev          |            ...
          (dd->dm_dev->bdev->bd_dev) |      list_del(&dd->list)
                                   |        kfree(dd) # dm_dev_internal

The root cause of the UAF bugs is that find_device() failed in
dm_get_device(), which then creates dd with its refcount set to 1, and
kfree() in dm_put_table() is not protected. When td, which still has
pointers pointing to it, is released, the concurrency UAF bug will happen.

This patch adds a flag to determine whether to create a new dd.

Signed-off-by: Luo Meng <luomeng12(a)huawei.com>
Reviewed-by: Jason Yan <yanaijie(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
 drivers/md/dm-mpath.c         |  2 +-
 drivers/md/dm-table.c         | 43 +++++++++++++++++++++--------------
 include/linux/device-mapper.h |  2 ++
 3 files changed, 29 insertions(+), 18 deletions(-)

diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c index bced42f082b02..e0bfa16aab379 100644 --- a/drivers/md/dm-mpath.c +++ b/drivers/md/dm-mpath.c @@ -1962,7 +1962,7 @@ static int multipath_message(struct dm_target *ti, unsigned argc, char **argv, goto out; } - r = dm_get_device(ti, argv[1], dm_table_get_mode(ti->table), &dev); + r = __dm_get_device(ti, argv[1], dm_table_get_mode(ti->table), &dev, false); if (r) { DMWARN("message: error getting device %s", argv[1]); diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 5c590895c14c3..f01c639f83875 100644 --- a/drivers/md/dm-table.c 
+++ b/drivers/md/dm-table.c @@ -361,12 +361,8 @@ dev_t dm_get_dev_t(const char *path) } EXPORT_SYMBOL_GPL(dm_get_dev_t); -/* - * Add a device to the list, or just increment the usage count if - * it's already present. - */ -int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, - struct dm_dev **result) +int __dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, + struct dm_dev **result, bool create_dd) { int r; dev_t dev; @@ -390,19 +386,21 @@ int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, dd = find_device(&t->devices, dev); if (!dd) { - dd = kmalloc(sizeof(*dd), GFP_KERNEL); - if (!dd) - return -ENOMEM; - - if ((r = dm_get_table_device(t->md, dev, mode, &dd->dm_dev))) { - kfree(dd); - return r; - } + if (create_dd) { + dd = kmalloc(sizeof(*dd), GFP_KERNEL); + if (!dd) + return -ENOMEM; - refcount_set(&dd->count, 1); - list_add(&dd->list, &t->devices); - goto out; + if ((r = dm_get_table_device(t->md, dev, mode, &dd->dm_dev))) { + kfree(dd); + return r; + } + refcount_set(&dd->count, 1); + list_add(&dd->list, &t->devices); + goto out; + } else + return -ENODEV; } else if (dd->dm_dev->mode != (mode | dd->dm_dev->mode)) { r = upgrade_mode(dd, mode, t->md); if (r) @@ -413,6 +411,17 @@ int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, *result = dd->dm_dev; return 0; } +EXPORT_SYMBOL(__dm_get_device); + +/* + * Add a device to the list, or just increment the usage count if + * it's already present. + */ +int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, + struct dm_dev **result) +{ + return __dm_get_device(ti, path, mode, result, true); +} EXPORT_SYMBOL(dm_get_device); static int dm_set_device_limits(struct dm_target *ti, struct dm_dev *dev, diff --git a/include/linux/device-mapper.h b/include/linux/device-mapper.h index 50cc070cb1f7c..47db4a14c9258 100644 --- a/include/linux/device-mapper.h +++ b/include/linux/device-mapper.h 
@@ -162,6 +162,8 @@ dev_t dm_get_dev_t(const char *path); int dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, struct dm_dev **result); void dm_put_device(struct dm_target *ti, struct dm_dev *d); +int __dm_get_device(struct dm_target *ti, const char *path, fmode_t mode, + struct dm_dev **result, bool create_dd); /* * Information about a target type -- 2.25.1
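Review bot: In the `if (!dd)` branch of __dm_get_device() the new `else return -ENODEV;` hangs off a braced block that already ends in `goto out;`, which leaves the braces unbalanced and re-indents the whole allocation path for no functional reason. Testing `if (!create_dd) return -ENODEV;` first would leave the kmalloc()/dm_get_table_device() lines untouched and shrink the dm-table.c change to a few added lines. The newly exported __dm_get_device() also has no comment describing create_dd, and multipath_message() now fails with -ENODEV for any path that is not already in the table, which the changelog should state as an intended behaviour change.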
Re: [PATCH OLK-5.10 1/3] coresight: etm4x: Modify core-commit to avoid HiSilicon ETM overflow
by Xie XiuQi 19 Feb '22

You need to subscribe to the kernel(a)openeuler.org mailing list; otherwise nobody else will receive this email.

On 2022/2/19 15:19, Qi Liu wrote:
>
> driver inclusion
> category: feature
> bugzilla: https://gitee.com/openeuler/kernel/issues/I4UA33

Where does this patch come from? If it comes from the upstream community, the patch author should be the original author, and the upstream commit of the patch should be stated. If it has not been merged upstream yet, you also need to give a link to the upstream discussion.

>
> -----------------------------------------
>
> The ETM device can't keep up with the core pipeline when cpu core
> is at full speed. This may cause overflow within core and its ETM.
> This is a common phenomenon on ETM devices.
>
> On HiSilicon Hip08 platform, a specific feature is added to set
> core pipeline. So commit rate can be reduced manually to avoid ETM
> overflow.
>
> Reviewed-by: Suzuki K Poulose <suzuki.poulose(a)arm.com>
> Signed-off-by: Qi Liu <liuqi115(a)huawei.com>
> [Modified changelog title and Kconfig description]
> Signed-off-by: Mathieu Poirier <mathieu.poirier(a)linaro.org>
> Link: https://lore.kernel.org/r/20201208182651.1597945-4-mathieu.poirier@linaro.o…
> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>

Judging by the sign-offs on this patch, it should have gone through community discussion. If you want to push it to the openEuler community, it needs your own sign-off, showing that you take responsibility for this patch.

> --- > drivers/hwtracing/coresight/Kconfig | 8 ++ > .../coresight/coresight-etm4x-core.c | 98 +++++++++++++++++++ > drivers/hwtracing/coresight/coresight-etm4x.h | 8 ++ > 3 files changed, 114 insertions(+) > > diff --git a/drivers/hwtracing/coresight/Kconfig b/drivers/hwtracing/coresight/Kconfig > index c1198245461d..7b44ba22cbe1 100644 > --- a/drivers/hwtracing/coresight/Kconfig > +++ b/drivers/hwtracing/coresight/Kconfig 
> @@ -110,6 +110,14 @@ config CORESIGHT_SOURCE_ETM4X > To compile this driver as a module, choose M here: the > module will be called coresight-etm4x. > > +config ETM4X_IMPDEF_FEATURE > + bool "Control implementation defined overflow support in ETM 4.x driver" > + depends on CORESIGHT_SOURCE_ETM4X > + help > + This control provides implementation define control for CoreSight > + ETM 4.x tracer module that can't reduce commit rate automatically. > + This avoids overflow between the ETM tracer module and the cpu core. > + > config CORESIGHT_STM > tristate "CoreSight System Trace Macrocell driver" > depends on (ARM && !(CPU_32v3 || CPU_32v4 || CPU_32v4T)) || ARM64 > diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c > index 74d3e2fe43d4..02d0b92cf510 100644 > --- a/drivers/hwtracing/coresight/coresight-etm4x-core.c > +++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c > @@ -3,6 +3,7 @@ > * Copyright (c) 2014, The Linux Foundation. All rights reserved. > */ > > +#include <linux/bitops.h> > #include <linux/kernel.h> > #include <linux/moduleparam.h> > #include <linux/init.h> > @@ -28,7 +29,9 @@ > #include <linux/perf_event.h> > #include <linux/pm_runtime.h> > #include <linux/property.h> > + > #include <asm/sections.h> > +#include <asm/sysreg.h> > #include <asm/local.h> > #include <asm/virt.h> 
> > @@ -103,6 +106,97 @@ struct etm4_enable_arg { > int rc; > }; > > +#ifdef CONFIG_ETM4X_IMPDEF_FEATURE > + > +#define HISI_HIP08_AMBA_ID 0x000b6d01 > +#define ETM4_AMBA_MASK 0xfffff > +#define HISI_HIP08_CORE_COMMIT_MASK 0x3000 > +#define HISI_HIP08_CORE_COMMIT_SHIFT 12 > +#define HISI_HIP08_CORE_COMMIT_FULL 0b00 > +#define HISI_HIP08_CORE_COMMIT_LVL_1 0b01 > +#define HISI_HIP08_CORE_COMMIT_REG sys_reg(3, 1, 15, 2, 5) > + > +struct etm4_arch_features { > + void (*arch_callback)(bool enable); > +}; > + > +static bool etm4_hisi_match_pid(unsigned int id) > +{ > + return (id & ETM4_AMBA_MASK) == HISI_HIP08_AMBA_ID; > +} > + > +static void etm4_hisi_config_core_commit(bool enable) > +{ > + u8 commit = enable ? HISI_HIP08_CORE_COMMIT_LVL_1 : > + HISI_HIP08_CORE_COMMIT_FULL; > + u64 val; > + > + /* > + * bit 12 and 13 of HISI_HIP08_CORE_COMMIT_REG are used together > + * to set core-commit, 2'b00 means cpu is at full speed, 2'b01, > + * 2'b10, 2'b11 mean reduce pipeline speed, and 2'b01 means level-1 > + * speed(minimun value). So bit 12 and 13 should be cleared together. 
> + */ > + val = read_sysreg_s(HISI_HIP08_CORE_COMMIT_REG); > + val &= ~HISI_HIP08_CORE_COMMIT_MASK; > + val |= commit << HISI_HIP08_CORE_COMMIT_SHIFT; > + write_sysreg_s(val, HISI_HIP08_CORE_COMMIT_REG); > +} > + > +static struct etm4_arch_features etm4_features[] = { > + [ETM4_IMPDEF_HISI_CORE_COMMIT] = { > + .arch_callback = etm4_hisi_config_core_commit, > + }, > + {}, > +}; > + > +static void etm4_enable_arch_specific(struct etmv4_drvdata *drvdata) > +{ > + struct etm4_arch_features *ftr; > + int bit; > + > + for_each_set_bit(bit, drvdata->arch_features, ETM4_IMPDEF_FEATURE_MAX) { > + ftr = &etm4_features[bit]; > + > + if (ftr->arch_callback) > + ftr->arch_callback(true); > + } > +} > + > +static void etm4_disable_arch_specific(struct etmv4_drvdata *drvdata) > +{ > + struct etm4_arch_features *ftr; > + int bit; > + > + for_each_set_bit(bit, drvdata->arch_features, ETM4_IMPDEF_FEATURE_MAX) { > + ftr = &etm4_features[bit]; > + > + if (ftr->arch_callback) > + ftr->arch_callback(false); > + } > +} > + > +static void etm4_check_arch_features(struct etmv4_drvdata *drvdata, > + unsigned int id) > +{ > + if (etm4_hisi_match_pid(id)) > + set_bit(ETM4_IMPDEF_HISI_CORE_COMMIT, drvdata->arch_features); > +} > +#else > +static void etm4_enable_arch_specific(struct etmv4_drvdata *drvdata) > +{ > +} > + > +static void etm4_disable_arch_specific(struct etmv4_drvdata *drvdata) > +{ > +} > + > +static void etm4_check_arch_features(struct etmv4_drvdata *drvdata, > + unsigned int id) > +{ > +} > +#endif /* CONFIG_ETM4X_IMPDEF_FEATURE */ > + > static int etm4_enable_hw(struct etmv4_drvdata *drvdata) > { > int i, rc; > @@ -110,6 +204,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata) > struct device *etm_dev = &drvdata->csdev->dev; > > CS_UNLOCK(drvdata->base); > + etm4_enable_arch_specific(drvdata); > > etm4_os_unlock(drvdata); 
> > @@ -480,6 +575,7 @@ static void etm4_disable_hw(void *info) > int i; > > CS_UNLOCK(drvdata->base); > + etm4_disable_arch_specific(drvdata); > > if (!drvdata->skip_power_up) { > /* power can be removed from the trace unit now */ > @@ -1563,6 +1659,8 @@ static int etm4_probe(struct amba_device *adev, const struct amba_id *id) > drvdata->boot_enable = true; > } > > + etm4_check_arch_features(drvdata, id->id); > + > return 0; > } > > diff --git a/drivers/hwtracing/coresight/coresight-etm4x.h b/drivers/hwtracing/coresight/coresight-etm4x.h > index eefc7371c6c4..3dd3e0633328 100644 > --- a/drivers/hwtracing/coresight/coresight-etm4x.h > +++ b/drivers/hwtracing/coresight/coresight-etm4x.h > @@ -8,6 +8,7 @@ > > #include <asm/local.h> > #include <linux/spinlock.h> > +#include <linux/types.h> > #include "coresight-priv.h" > > /* > @@ -203,6 +204,11 @@ > /* Interpretation of resource numbers change at ETM v4.3 architecture */ > #define ETM4X_ARCH_4V3 0x43 > > +enum etm_impdef_type { > + ETM4_IMPDEF_HISI_CORE_COMMIT, > + ETM4_IMPDEF_FEATURE_MAX, > +}; > + > /** > * struct etmv4_config - configuration information related to an ETMv4 > * @mode: Controls various modes supported by this ETM. > @@ -415,6 +421,7 @@ struct etmv4_save_state { > * @state_needs_restore: True when there is context to restore after PM exit > * @skip_power_up: Indicates if an implementation can skip powering up > * the trace unit. > + * @arch_features: Bitmap of arch features of etmv4 devices. > */ > struct etmv4_drvdata { > void __iomem *base; > @@ -463,6 +470,7 @@ struct etmv4_drvdata { > struct etmv4_save_state *save_state; > bool state_needs_restore; > bool skip_power_up; > + DECLARE_BITMAP(arch_features, ETM4_IMPDEF_FEATURE_MAX); > }; > > /* Address comparator access types */ >
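Review bot: etm4_enable_hw() now calls etm4_enable_arch_specific() immediately after CS_UNLOCK(), before the rest of the function has had a chance to fail, and the only matching etm4_disable_arch_specific() call is the one added to etm4_disable_hw(). Since etm4_enable_hw() carries an `rc`, please confirm that a non-zero return cannot leave the core at HISI_HIP08_CORE_COMMIT_LVL_1 with tracing off, or restore the full commit rate on that path. Smaller points: the comment in etm4_hisi_config_core_commit() says "minimun", and the Kconfig help text reads "implementation define control" where "implementation defined" is meant.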
[PATCH OLK-5.10] scsi: spfc: Remove redundant mask and spinlock
by Yanling Song 18 Feb '22

Ramaxel inclusion
from OLK-5.10
commit dff67aa564e7 ("scsi: spfc: initial commit the spfc module")
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4UA67
CVE: NA

Fix:
1. Remove UNF_ORIGIN_HOTTAG_MASK and UNF_HOTTAG_FLAG
2. Update some output string
3. Remove spinlock protect in free_parent_sq() because there is spinlock
   protect in caller function free_parent_queue_info()

Signed-off-by: Yanling Song <songyl(a)ramaxel.com>
Reviewed-by: Yun Xu <xuyun(a)ramaxel.com>
---
 drivers/scsi/spfc/common/unf_common.h      |  2 --
 drivers/scsi/spfc/common/unf_io.c          |  3 +--
 drivers/scsi/spfc/common/unf_io_abnormal.c |  2 +-
 drivers/scsi/spfc/common/unf_rport.c       |  2 +-
 drivers/scsi/spfc/common/unf_service.c     | 19 +++++--------------
 drivers/scsi/spfc/hw/spfc_hba.c            |  2 +-
 drivers/scsi/spfc/hw/spfc_io.c             |  2 +-
 drivers/scsi/spfc/hw/spfc_queue.c          |  5 -----
 drivers/scsi/spfc/hw/spfc_service.c        | 22 ++++++++++++----------
 9 files changed, 22 insertions(+), 37 deletions(-)

diff --git a/drivers/scsi/spfc/common/unf_common.h b/drivers/scsi/spfc/common/unf_common.h index bf9d156e07ce..9613649308bf 100644 --- a/drivers/scsi/spfc/common/unf_common.h +++ b/drivers/scsi/spfc/common/unf_common.h @@ -12,8 +12,6 @@ #define SPFC_DRV_DESC "Ramaxel Memory Technology Fibre Channel Driver" #define UNF_MAX_SECTORS 0xffff -#define UNF_ORIGIN_HOTTAG_MASK 0x7fff -#define UNF_HOTTAG_FLAG (1 << 15) #define UNF_PKG_FREE_OXID 0x0 #define UNF_PKG_FREE_RXID 0x1 diff --git a/drivers/scsi/spfc/common/unf_io.c b/drivers/scsi/spfc/common/unf_io.c index b1255ecba88c..5de69f8ddc6d 100644 --- a/drivers/scsi/spfc/common/unf_io.c +++ b/drivers/scsi/spfc/common/unf_io.c 
@@ -890,8 +890,7 @@ static int unf_send_fcpcmnd(struct unf_lport *lport, struct unf_rport *rport, unf_xchg->private_data[PKG_PRIVATE_XCHG_ALLOC_TIME]; pkg.private_data[PKG_PRIVATE_XCHG_VP_INDEX] = unf_lport->vp_index; pkg.private_data[PKG_PRIVATE_XCHG_RPORT_INDEX] = unf_rport->rport_index; - pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = - unf_xchg->hotpooltag | UNF_HOTTAG_FLAG; + pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = unf_xchg->hotpooltag; unf_select_sq(unf_xchg, &pkg); pkg.fcp_cmnd = &unf_xchg->fcp_cmnd; diff --git a/drivers/scsi/spfc/common/unf_io_abnormal.c b/drivers/scsi/spfc/common/unf_io_abnormal.c index fece7aa5f441..4e268ac026ca 100644 --- a/drivers/scsi/spfc/common/unf_io_abnormal.c +++ b/drivers/scsi/spfc/common/unf_io_abnormal.c @@ -763,7 +763,7 @@ int unf_send_scsi_mgmt_cmnd(struct unf_xchg *xchg, struct unf_lport *lport, pkg.xchg_contex = unf_xchg; pkg.private_data[PKG_PRIVATE_XCHG_RPORT_INDEX] = rport->rport_index; pkg.fcp_cmnd = &unf_xchg->fcp_cmnd; - pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = unf_xchg->hotpooltag | UNF_HOTTAG_FLAG; + pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = unf_xchg->hotpooltag; pkg.frame_head.csctl_sid = lport->nport_id; pkg.frame_head.rctl_did = rport->nport_id; diff --git a/drivers/scsi/spfc/common/unf_rport.c b/drivers/scsi/spfc/common/unf_rport.c index aa4967fc0ab6..9b06df884524 100644 --- a/drivers/scsi/spfc/common/unf_rport.c +++ b/drivers/scsi/spfc/common/unf_rport.c @@ -352,7 +352,7 @@ struct unf_rport *unf_find_valid_rport(struct unf_lport *lport, u64 wwpn, u32 si spin_unlock_irqrestore(rport_state_lock, flags); FC_DRV_PRINT(UNF_LOG_LOGIN_ATT, UNF_INFO, - "[err]Port(0x%x) RPort(0x%p) find by WWPN(0x%llx) is invalid", + "[info]Port(0x%x) RPort(0x%p) find by WWPN(0x%llx) is invalid", lport->port_id, rport_by_wwpn, wwpn); rport_by_wwpn = NULL; diff --git a/drivers/scsi/spfc/common/unf_service.c b/drivers/scsi/spfc/common/unf_service.c index 8f72f6470647..9c86c99374c8 100644 
--- a/drivers/scsi/spfc/common/unf_service.c +++ b/drivers/scsi/spfc/common/unf_service.c @@ -130,7 +130,7 @@ void unf_fill_package(struct unf_frame_pkg *pkg, struct unf_xchg *xchg, pkg->private_data[PKG_PRIVATE_RPORT_RX_SIZE] = rport->max_frame_size; } - pkg->private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = xchg->hotpooltag | UNF_HOTTAG_FLAG; + pkg->private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = xchg->hotpooltag; pkg->private_data[PKG_PRIVATE_XCHG_ALLOC_TIME] = xchg->private_data[PKG_PRIVATE_XCHG_ALLOC_TIME]; pkg->private_data[PKG_PRIVATE_LOWLEVEL_XCHG_ADD] = @@ -250,7 +250,7 @@ u32 unf_send_abts(struct unf_lport *lport, struct unf_xchg *xchg) pkg.unf_cmnd_pload_bl.buffer_ptr = (u8 *)xchg->fcp_sfs_union.sfs_entry.fc_sfs_entry_ptr; pkg.unf_cmnd_pload_bl.buf_dma_addr = xchg->fcp_sfs_union.sfs_entry.sfs_buff_phy_addr; - pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = xchg->hotpooltag | UNF_HOTTAG_FLAG; + pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = xchg->hotpooltag; UNF_SET_XCHG_ALLOC_TIME(&pkg, xchg); UNF_SET_ABORT_INFO_IOTYPE(&pkg, xchg); @@ -407,19 +407,10 @@ static u32 unf_els_cmnd_default_handler(struct unf_lport *lport, struct unf_xchg rjt_info.reason_code = UNF_LS_RJT_NOT_SUPPORTED; unf_rport = unf_get_rport_by_nport_id(lport, sid); - if (unf_rport) { - if (unf_rport->rport_index != - xchg->private_data[PKG_PRIVATE_XCHG_RPORT_INDEX]) { - FC_DRV_PRINT(UNF_LOG_LOGIN_ATT, UNF_WARN, - "[warn]Port(0x%x_0x%x) NPort handle(0x%x) from low level is not equal to RPort index(0x%x)", - lport->port_id, lport->nport_id, - xchg->private_data[PKG_PRIVATE_XCHG_RPORT_INDEX], - unf_rport->rport_index); - } + if (unf_rport) ret = unf_send_els_rjt_by_rport(lport, xchg, unf_rport, &rjt_info); - } else { + else ret = unf_send_els_rjt_by_did(lport, xchg, sid, &rjt_info); - } return ret; } 
@@ -1389,7 +1380,7 @@ static void unf_fill_free_xid_pkg(struct unf_xchg *xchg, struct unf_frame_pkg *p pkg->frame_head.csctl_sid = xchg->sid; pkg->frame_head.rctl_did = xchg->did; pkg->frame_head.oxid_rxid = (u32)(((u32)xchg->oxid << UNF_SHIFT_16) | xchg->rxid); - pkg->private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = xchg->hotpooltag | UNF_HOTTAG_FLAG; + pkg->private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = xchg->hotpooltag; UNF_SET_XCHG_ALLOC_TIME(pkg, xchg); if (xchg->xchg_type == UNF_XCHG_TYPE_SFS) { diff --git a/drivers/scsi/spfc/hw/spfc_hba.c b/drivers/scsi/spfc/hw/spfc_hba.c index e12299c9e2c9..b033dcb78bb3 100644 --- a/drivers/scsi/spfc/hw/spfc_hba.c +++ b/drivers/scsi/spfc/hw/spfc_hba.c @@ -56,7 +56,7 @@ static struct unf_cfg_item spfc_port_cfg_parm[] = { {"port_topology", 0, 0xf, 0x20}, {"port_alpa", 0, 0xdead, 0xffff}, /* alpa address of port */ /* queue depth of originator registered to SCSI midlayer */ - {"max_queue_depth", 0, 128, 128}, + {"max_queue_depth", 0, 512, 512}, {"sest_num", 0, 2048, 2048}, {"max_login", 0, 2048, 2048}, /* nodename from 32 bit to 64 bit */ diff --git a/drivers/scsi/spfc/hw/spfc_io.c b/drivers/scsi/spfc/hw/spfc_io.c index 2b1d1c607b13..7184eb6a10af 100644 --- a/drivers/scsi/spfc/hw/spfc_io.c +++ b/drivers/scsi/spfc/hw/spfc_io.c @@ -1138,7 +1138,7 @@ u32 spfc_scq_recv_iresp(struct spfc_hba_info *hba, union spfc_scqe *wqe) pkg.private_data[PKG_PRIVATE_XCHG_ALLOC_TIME] = iresp->magic_num; pkg.frame_head.oxid_rxid = (((iresp->wd0.ox_id) << UNF_SHIFT_16) | (iresp->wd0.rx_id)); - hot_tag = (u16)iresp->wd2.hotpooltag & UNF_ORIGIN_HOTTAG_MASK; + hot_tag = (u16)iresp->wd2.hotpooltag; /* 2. HotTag validity check */ if (likely(hot_tag >= hba->exi_base && (hot_tag < hba->exi_base + hba->exi_count))) { pkg.status = UNF_IO_SUCCESS; diff --git a/drivers/scsi/spfc/hw/spfc_queue.c b/drivers/scsi/spfc/hw/spfc_queue.c index abcf1ff3f49f..fa4295832da7 100644 --- a/drivers/scsi/spfc/hw/spfc_queue.c +++ b/drivers/scsi/spfc/hw/spfc_queue.c 
@@ -2138,11 +2138,9 @@ static void spfc_free_parent_sq(struct spfc_hba_info *hba, u32 uidelaycnt = 0; struct list_head *list = NULL; struct spfc_suspend_sqe_info *suspend_sqe = NULL; - ulong flag = 0; sq_info = &parq_info->parent_sq_info; - spin_lock_irqsave(&parq_info->parent_queue_state_lock, flag); while (!list_empty(&sq_info->suspend_sqe_list)) { list = UNF_OS_LIST_NEXT(&sq_info->suspend_sqe_list); list_del(list); @@ -2156,7 +2154,6 @@ static void spfc_free_parent_sq(struct spfc_hba_info *hba, kfree(suspend_sqe); } } - spin_unlock_irqrestore(&parq_info->parent_queue_state_lock, flag); /* Free data cos */ spfc_update_cos_rport_cnt(hba, parq_info->queue_data_cos); @@ -4475,9 +4472,7 @@ void spfc_free_parent_queue_info(void *handle, struct spfc_parent_queue_info *pa * with the sq in the queue of the parent */ - spin_unlock_irqrestore(prtq_state_lock, flag); spfc_free_parent_sq(hba, parent_queue_info); - spin_lock_irqsave(prtq_state_lock, flag); /* The initialization of all queue id is invalid */ parent_queue_info->parent_cmd_scq_info.cqm_queue_id = INVALID_VALUE32; diff --git a/drivers/scsi/spfc/hw/spfc_service.c b/drivers/scsi/spfc/hw/spfc_service.c index e99802df50a2..1da58e3f9fbe 100644 --- a/drivers/scsi/spfc/hw/spfc_service.c +++ b/drivers/scsi/spfc/hw/spfc_service.c @@ -742,7 +742,7 @@ u32 spfc_scq_recv_abts_rsp(struct spfc_hba_info *hba, union spfc_scqe *scqe) ox_id = (u32)(abts_rsp->wd0.ox_id); - hot_tag = abts_rsp->wd1.hotpooltag & UNF_ORIGIN_HOTTAG_MASK; + hot_tag = abts_rsp->wd1.hotpooltag; if (unlikely(hot_tag < (u32)hba->exi_base || hot_tag >= (u32)(hba->exi_base + hba->exi_count))) { FC_DRV_PRINT(UNF_LOG_LOGIN_ATT, UNF_ERR, 
@@ -1210,7 +1210,7 @@ u32 spfc_scq_recv_ls_gs_rsp(struct spfc_hba_info *hba, union spfc_scqe *scqe) spfc_swap_16_in_32((u32 *)ls_gs_rsp_scqe->user_id, SPFC_LS_GS_USERID_LEN); ox_id = ls_gs_rsp_scqe->wd1.ox_id; - hot_tag = ((u16)(ls_gs_rsp_scqe->wd5.hotpooltag) & UNF_ORIGIN_HOTTAG_MASK) - hba->exi_base; + hot_tag = ((u16)ls_gs_rsp_scqe->wd5.hotpooltag) - hba->exi_base; pkg.frame_head.oxid_rxid = (u32)(ls_gs_rsp_scqe->wd1.rx_id) | ox_id << UNF_SHIFT_16; pkg.private_data[PKG_PRIVATE_XCHG_ALLOC_TIME] = ls_gs_rsp_scqe->magic_num; pkg.private_data[PKG_PRIVATE_XCHG_HOT_POOL_INDEX] = hot_tag; @@ -1317,8 +1317,7 @@ u32 spfc_scq_recv_els_rsp_sts(struct spfc_hba_info *hba, union spfc_scqe *scqe) pkg.private_data[PKG_PRIVATE_XCHG_ALLOC_TIME] = els_rsp_sts_scqe->magic_num; pkg.frame_head.oxid_rxid = rx_id | (u32)(els_rsp_sts_scqe->wd0.ox_id) << UNF_SHIFT_16; - hot_tag = (u32)((els_rsp_sts_scqe->wd1.hotpooltag & UNF_ORIGIN_HOTTAG_MASK) - - hba->exi_base); + hot_tag = (u32)(els_rsp_sts_scqe->wd1.hotpooltag - hba->exi_base); if (unlikely(SPFC_SCQE_HAS_ERRCODE(scqe))) pkg.status = UNF_IO_FAILED; @@ -1759,7 +1758,7 @@ u32 spfc_scq_recv_marker_sts(struct spfc_hba_info *hba, union spfc_scqe *scqe) tmf_marker_sts_scqe = &scqe->itmf_marker_sts; ox_id = (u32)tmf_marker_sts_scqe->wd1.ox_id; rx_id = (u32)tmf_marker_sts_scqe->wd1.rx_id; - hot_tag = (tmf_marker_sts_scqe->wd4.hotpooltag & UNF_ORIGIN_HOTTAG_MASK) - hba->exi_base; + hot_tag = tmf_marker_sts_scqe->wd4.hotpooltag - hba->exi_base; pkg.frame_head.oxid_rxid = rx_id | (u32)(ox_id) << UNF_SHIFT_16; pkg.private_data[PKG_PRIVATE_XCHG_ALLOC_TIME] = tmf_marker_sts_scqe->magic_num; pkg.frame_head.csctl_sid = tmf_marker_sts_scqe->wd3.sid; 
@@ -1800,7 +1799,7 @@ u32 spfc_scq_recv_abts_marker_sts(struct spfc_hba_info *hba, union spfc_scqe *sc ox_id = (u32)abts_marker_sts_scqe->wd1.ox_id; rx_id = (u32)abts_marker_sts_scqe->wd1.rx_id; - hot_tag = (abts_marker_sts_scqe->wd4.hotpooltag & UNF_ORIGIN_HOTTAG_MASK) - hba->exi_base; + hot_tag = abts_marker_sts_scqe->wd4.hotpooltag - hba->exi_base; pkg.frame_head.oxid_rxid = rx_id | (u32)(ox_id) << UNF_SHIFT_16; pkg.frame_head.csctl_sid = abts_marker_sts_scqe->wd3.sid; pkg.frame_head.rctl_did = abts_marker_sts_scqe->wd2.did; @@ -1972,8 +1971,7 @@ u32 spfc_scq_free_xid_sts(struct spfc_hba_info *hba, union spfc_scqe *scqe) rx_id = (u32)free_xid_sts_scqe->wd0.rx_id; if (free_xid_sts_scqe->wd1.hotpooltag != INVALID_VALUE16) { - hot_tag = (free_xid_sts_scqe->wd1.hotpooltag & - UNF_ORIGIN_HOTTAG_MASK) - hba->exi_base; + hot_tag = free_xid_sts_scqe->wd1.hotpooltag - hba->exi_base; } FC_DRV_PRINT(UNF_LOG_EQUIP_ATT, UNF_INFO, @@ -1998,7 +1996,7 @@ u32 spfc_scq_exchg_timeout_sts(struct spfc_hba_info *hba, union spfc_scqe *scqe) rx_id = (u32)time_out_scqe->wd0.rx_id; if (time_out_scqe->wd1.hotpooltag != INVALID_VALUE16) - hot_tag = (time_out_scqe->wd1.hotpooltag & UNF_ORIGIN_HOTTAG_MASK) - hba->exi_base; + hot_tag = time_out_scqe->wd1.hotpooltag - hba->exi_base; FC_DRV_PRINT(UNF_LOG_EQUIP_ATT, UNF_INFO, "Port(0x%x) recv timer time out sts hotpooltag(0x%x) magicnum(0x%x) ox_id(0x%x) rxid(0x%x) sts(%d)", @@ -2054,7 +2052,7 @@ u32 spfc_scq_rcv_sq_nop_sts(struct spfc_hba_info *hba, union spfc_scqe *scqe) FC_DRV_PRINT(UNF_LOG_LOGIN_ATT, UNF_INFO, "[info]Port(0x%x) rport_index(0x%x) find suspend sqe.", hba->port_cfg.port_id, rport_index); - if (sqn < sqn_max) { + if ((sqn < sqn_max) && (sqn >= sqn_base)) { ret = spfc_send_nop_cmd(hba, parent_sq_info, magic_num, sqn + 1); } else if (sqn == sqn_max) { if (!cancel_delayed_work(&suspend_sqe->timeout_work)) { 
@@ -2065,6 +2063,10 @@ u32 spfc_scq_rcv_sq_nop_sts(struct spfc_hba_info *hba, union spfc_scqe *scqe) parent_sq_info->need_offloaded = suspend_sqe->old_offload_sts; ret = spfc_pop_suspend_sqe(hba, prt_qinfo, suspend_sqe); kfree(suspend_sqe); + } else { + FC_DRV_PRINT(UNF_LOG_LOGIN_ATT, UNF_WARN, + "[warn]Port(0x%x) rport(0x%x) rcv error sqn(0x%x)", + hba->port_cfg.port_id, rport_index, sqn); } } else { FC_DRV_PRINT(UNF_LOG_LOGIN_ATT, UNF_WARN, -- 2.32.0
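Review bot: The spfc_queue.c hunks make spfc_free_parent_sq() run entirely under the caller's lock, by deleting the `spin_unlock_irqrestore(prtq_state_lock, flag)` / `spin_lock_irqsave(prtq_state_lock, flag)` pair around the call in spfc_free_parent_queue_info(), yet the function still declares `u32 uidelaycnt = 0;`, which suggests a wait loop further down that the hunk does not show; confirm nothing in it sleeps or spins for long with interrupts disabled. The changelog should also say that the inner `parq_info->parent_queue_state_lock` that was removed is the same lock the caller holds as prtq_state_lock. Separately, the patch raises the max_queue_depth default from 128 to 512 in spfc_hba.c, drops the rport_index mismatch warning in unf_els_cmnd_default_handler() and adds a `sqn >= sqn_base` lower bound in spfc_scq_rcv_sq_nop_sts(); none of these appear in the three-item changelog, and they belong in their own patches or at least in the message.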
[PATCH openEuler-1.0-LTS 1/2] usb: gadget: don't release an existing dev->buf
by Yang Yingliang 18 Feb '22

From: Hangyu Hua <hbh25y(a)gmail.com>

mainline inclusion
from mainline-v5.17-rc1
commit 89f3594d0de58e8a57d92d497dea9fee3d4b9cda
category: bugfix
bugzilla: NA
CVE: CVE-2022-24958

--------------------------------

dev->buf does not need to be released if it already exists before
executing dev_config.

Acked-by: Alan Stern <stern(a)rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y(a)gmail.com>
Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com>
---
 drivers/usb/gadget/legacy/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c index f91d403da3141..a1488de12d450 100644 --- a/drivers/usb/gadget/legacy/inode.c +++ b/drivers/usb/gadget/legacy/inode.c @@ -1829,8 +1829,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr) spin_lock_irq (&dev->lock); value = -EINVAL; if (dev->buf) { + spin_unlock_irq(&dev->lock); kfree(kbuf); - goto fail; + return value; } dev->buf = kbuf; -- 2.25.1
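Review bot: The early `return value;` in the `if (dev->buf)` branch of dev_config() deliberately bypasses the `fail` label, but nothing in the code says why; a one-line comment that this path frees only kbuf and must leave the already-installed dev->buf alone would keep a later cleanup from folding it back into `goto fail`. The trailer block also carries `Signed-off-by: Yang Yingliang` twice.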
[PATCH OLK-5.10 0/5] net/spnic: fix bugs:Remove unused functions about ceq
by Yanling Song 18 Feb '22

Fix 5 bugs:
1. Fix array bounds error in ethtool get_link_ksettings
2. Fix ethtool loopback command failure
3. Fix xor checksum error when sending a non 4B-aligned message to firmware
4. Fix an error when netdev failed to link up
5. Reduce the timeout of the channel between driver and firmware

Yanling Song (5):
  net/spnic: Fix array bounds error in ethtool get_link_ksettings
  net/spnic: Fix ethtool loopback command failure
  net/spnic: Fix xor checksum error when sending a non 4B-aligned message to firmware
  net/spnic: Fix an error when netdev failed to link up
  net/spnic: Reduce the timeout of the channel between driver and firmware

 .../net/ethernet/ramaxel/spnic/hw/sphw_cmdq.c |  2 +-
 .../net/ethernet/ramaxel/spnic/hw/sphw_mbox.c | 10 ++--
 .../net/ethernet/ramaxel/spnic/hw/sphw_mgmt.c |  2 +-
 .../ramaxel/spnic/spnic_ethtool_stats.c       |  4 +-
 .../ethernet/ramaxel/spnic/spnic_mag_cfg.c    |  2 +-
 .../ethernet/ramaxel/spnic/spnic_nic_cfg_vf.c | 49 ++++++++++++-------
 6 files changed, 41 insertions(+), 28 deletions(-)

--
2.32.0
[PATCH openEuler-1.0-LTS 1/2] cgroup-v1: Require capabilities to set release_agent
by Yang Yingliang 17 Feb '22

From: "Eric W. Biederman" <ebiederm(a)xmission.com> stable inclusion from stable-v4.19.229 commit 939f8b491887c27585933ea7dc5ad4123de58ff3 CVE: CVE-2022-0492 ------------------------------- commit 24f6008564183aa120d07c03d9289519c2fe02af upstream. The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore require capabilities when setting the release_agent. Reported-by: Tabitha Sable <tabitha.c.sable(a)gmail.com> Tested-by: Tabitha Sable <tabitha.c.sable(a)gmail.com> Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups") Cc: stable(a)vger.kernel.org # v2.6.24+ Signed-off-by: "Eric W. Biederman" <ebiederm(a)xmission.com> Signed-off-by: Tejun Heo <tj(a)kernel.org> [mkoutny: Adjust for pre-fs_context, duplicate mount/remount check, drop log messages.] Acked-by: Michal Koutný <mkoutny(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Lu Jialin <lujialin4(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- kernel/cgroup/cgroup-v1.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index f833fe71fa5f6..c4cc6c1ddacde 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -580,6 +580,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of, BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if ((of->file->f_cred->user_ns != &init_user_ns) || + !capable(CAP_SYS_ADMIN)) + return -EPERM; + cgrp = cgroup_kn_lock_live(of->kn, false); if (!cgrp) return -ENODEV; 
@@ -1054,6 +1062,7 @@ static int cgroup1_remount(struct kernfs_root *kf_root, int *flags, char *data) { int ret = 0; struct cgroup_root *root = cgroup_root_from_kf(kf_root); + struct cgroup_namespace *ns = current->nsproxy->cgroup_ns; struct cgroup_sb_opts opts; u16 added_mask, removed_mask; @@ -1067,6 +1076,12 @@ static int cgroup1_remount(struct kernfs_root *kf_root, int *flags, char *data) if (opts.subsys_mask != root->subsys_mask || opts.release_agent) pr_warn("option changes via remount are deprecated (pid=%d comm=%s)\n", task_tgid_nr(current), current->comm); + /* See cgroup1_mount release_agent handling */ + if (opts.release_agent && + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { + ret = -EINVAL; + goto out_unlock; + } added_mask = opts.subsys_mask & ~root->subsys_mask; removed_mask = root->subsys_mask & ~opts.subsys_mask; @@ -1205,6 +1220,15 @@ struct dentry *cgroup1_mount(struct file_system_type *fs_type, int flags, ret = -EPERM; goto out_unlock; } + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if (opts.release_agent && + ((ns->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))) { + ret = -EINVAL; + goto out_unlock; + } root = kzalloc(sizeof(*root), GFP_KERNEL); if (!root) { -- 2.25.1
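Review bot: in the cgroup_release_agent_write() hunk the two halves of the new check look at different subjects. `of->file->f_cred->user_ns` comes from the credentials the file was opened with, while `capable(CAP_SYS_ADMIN)` evaluates whichever task is performing the write, so a descriptor opened by one task and written by another is judged half on each. Please check both against the same subject, for instance the opener via `file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN)`, or say in the added comment why the split is intended.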
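Review bot: the cgroup1_mount() hunk (and the matching cgroup1_remount() hunk) reports the failed privilege check as `ret = -EINVAL`, while the write path in the same patch returns -EPERM and the context lines directly above in cgroup1_mount() already use `ret = -EPERM; goto out_unlock;`. With the log messages dropped, as the mkoutny note in the changelog says, a caller gets -EINVAL with no hint that the release_agent option was refused for lack of privilege. Either return -EPERM here as well or add a line to the comment explaining why -EINVAL is wanted on the mount paths. The remount comment `/* See cgroup1_mount release_agent handling */` is fine as a pointer, but it should also mention that `ns` there is the caller's cgroup namespace, since that declaration is new in the hunk.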
[PATCH openEuler-5.10 1/9] livepatch: Fix kobject refcount bug on klp_init_patch_early failure path
by Zheng Zengkai 17 Feb '22

From: David Vernet <void(a)manifault.com> mainline inclusion from mainline-v5.17-rc1 commit 5ef3dd20555e8e878ac390a71e658db5fd02845c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4TF7T Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When enabling a klp patch with klp_enable_patch(), klp_init_patch_early() is invoked to initialize the kobjects for the patch itself, as well as the 'struct klp_object' and 'struct klp_func' objects that comprise it. However, there are some error paths in klp_enable_patch() where some kobjects may have been initialized with kobject_init(), but an error code is still returned due to e.g. a 'struct klp_object' having a NULL funcs pointer. In these paths, the initial reference of the kobject of the 'struct klp_patch' may never be released, along with one or more of its objects and their functions, as kobject_put() is not invoked on the cleanup path if klp_init_patch_early() returns an error code. For example, if an object entry such as the following were added to the sample livepatch module's klp patch, it would cause the vmlinux klp_object, and its klp_func which updates 'cmdline_proc_show', to never be released: static struct klp_object objs[] = { { /* name being NULL means vmlinux */ .funcs = funcs, }, { /* NULL funcs -- would cause reference leak */ .name = "kvm", }, { } }; Without this change, if CONFIG_DEBUG_KOBJECT is enabled, and the sample klp patch is loaded, the kobjects (the patch, the vmlinux 'struct klp_object', and its func) are observed as initialized, but never released, in the dmesg log output. With the change, these kobject references no longer fail to be released as the error case is properly handled before they are initialized. 
Since 81fd525cedd9 ("[Huawei] livepatch: Add klp_{register,unregister}_patch for stop_machine model"), klp_register_patch was born out of klp_enable_patch with similar issue, we also fix it in this patch. Signed-off-by: David Vernet <void(a)manifault.com> Reviewed-by: Petr Mladek <pmladek(a)suse.com> Acked-by: Miroslav Benes <mbenes(a)suse.cz> Acked-by: Josh Poimboeuf <jpoimboe(a)redhat.com> Signed-off-by: Petr Mladek <pmladek(a)suse.com> Conflicts: kernel/livepatch/core.c Fixes: 0430f78bf38f ("livepatch: Consolidate klp_free functions") Fixes: c33e42836a74 ("livepatch/core: Allow implementation without ftrace") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> --- kernel/livepatch/core.c | 50 +++++++++++++++++------------------------ 1 file changed, 20 insertions(+), 30 deletions(-) diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c index b46ef236424d..b0f54d4c663b 100644 --- a/kernel/livepatch/core.c +++ b/kernel/livepatch/core.c @@ -1146,14 +1146,11 @@ static void klp_init_object_early(struct klp_patch *patch, #endif } -static int klp_init_patch_early(struct klp_patch *patch) +static void klp_init_patch_early(struct klp_patch *patch) { struct klp_object *obj; struct klp_func *func; - if (!patch->objs) - return -EINVAL; - INIT_LIST_HEAD(&patch->list); INIT_LIST_HEAD(&patch->obj_list); kobject_init(&patch->kobj, &klp_ktype_patch); 
@@ -1163,26 +1160,12 @@ static int klp_init_patch_early(struct klp_patch *patch) init_completion(&patch->finish); klp_for_each_object_static(patch, obj) { - if (!obj->funcs) - return -EINVAL; - klp_init_object_early(patch, obj); klp_for_each_func_static(obj, func) { klp_init_func_early(obj, func); } } - - /* - * For stop_machine model, we only need to module_get and module_put once when - * enable_patch and disable_patch respectively. - */ -#ifdef CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY - if (!try_module_get(patch->mod)) - return -ENODEV; -#endif - - return 0; } static int klp_init_patch(struct klp_patch *patch) @@ -1431,10 +1414,16 @@ static int __klp_enable_patch(struct klp_patch *patch) int klp_enable_patch(struct klp_patch *patch) { int ret; + struct klp_object *obj; - if (!patch || !patch->mod) + if (!patch || !patch->mod || !patch->objs) return -EINVAL; + klp_for_each_object_static(patch, obj) { + if (!obj->funcs) + return -EINVAL; + } + if (!is_livepatch_module(patch->mod)) { pr_err("module %s is not marked as a livepatch module\n", patch->mod->name); @@ -1458,11 +1447,10 @@ int klp_enable_patch(struct klp_patch *patch) return -EINVAL; } - ret = klp_init_patch_early(patch); - if (ret) { - mutex_unlock(&klp_mutex); - return ret; - } + if (!try_module_get(patch->mod)) + return -ENODEV; + + klp_init_patch_early(patch); ret = klp_init_patch(patch); if (ret) @@ -1609,10 +1597,16 @@ static int __klp_enable_patch(struct klp_patch *patch) int klp_register_patch(struct klp_patch *patch) { int ret; + struct klp_object *obj; - if (!patch || !patch->mod) + if (!patch || !patch->mod || !patch->objs) return -EINVAL; + klp_for_each_object_static(patch, obj) { + if (!obj->funcs) + return -EINVAL; + } + if (!is_livepatch_module(patch->mod)) { pr_err("module %s is not marked as a livepatch module\n", patch->mod->name); 
@@ -1629,11 +1623,7 @@ int klp_register_patch(struct klp_patch *patch) return -EINVAL; } - ret = klp_init_patch_early(patch); - if (ret) { - mutex_unlock(&klp_mutex); - return ret; - } + klp_init_patch_early(patch); ret = klp_init_patch(patch); if (ret) -- 2.20.1
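Review bot: the klp_enable_patch() hunk at -1458 returns with klp_mutex still held when try_module_get() fails. The lines it replaces did `mutex_unlock(&klp_mutex); return ret;` on their error path, which shows the mutex is taken at this point, but the new code is just `if (!try_module_get(patch->mod)) return -ENODEV;`. Please add the unlock before the return, or move the try_module_get() call ahead of the lock.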
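Review bot: the klp_init_patch_early() hunk deletes the comment about the stop_machine model together with the `#ifdef CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY` guard around try_module_get(), and the reasoning is not carried to the new call sites. After the patch klp_enable_patch() takes the module reference with no visible guard and klp_register_patch() takes none, which matches the old comment only if klp_enable_patch() here is the per-task-consistency variant. Please keep a short comment at the new try_module_get() call, and one in klp_register_patch() saying why no reference is taken there, so the asymmetry does not look like an omission. The `!obj->funcs` loop is also duplicated verbatim in both entry points; a small static helper would keep the two validations from drifting.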
[PATCH openEuler-1.0-LTS 1/2] NFSv4: Handle case where the lookup of a directory fails
by Yang Yingliang 16 Feb '22

From: Trond Myklebust <trond.myklebust(a)hammerspace.com> mainline inclusion from mainline-v5.16 commit ac795161c93699d600db16c1a8cc23a65a1eceaf category: bugfix bugzilla: 186205 CVE: CVE-2022-24448 ----------------------------------------------- If the application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() will punt to doing a regular lookup. If the server then returns a regular file, we will happily return a file descriptor with uninitialised open state. The fix is to return the expected ENOTDIR error in these cases. Reported-by: Lyu Tao <tao.lyu(a)epfl.ch> Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Anna Schumaker <Anna.Schumaker(a)Netapp.com> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/nfs/dir.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c index ff9129c0572d9..757a83556b003 100644 --- a/fs/nfs/dir.c +++ b/fs/nfs/dir.c @@ -1637,6 +1637,19 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry, no_open: res = nfs_lookup(dir, dentry, lookup_flags); + if (!res) { + inode = d_inode(dentry); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) + res = ERR_PTR(-ENOTDIR); + } else if (!IS_ERR(res)) { + inode = d_inode(res); + if ((lookup_flags & LOOKUP_DIRECTORY) && inode && + !S_ISDIR(inode->i_mode)) { + dput(res); + res = ERR_PTR(-ENOTDIR); + } + } if (switched) { d_lookup_done(dentry); if (!res) -- 2.25.1
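Review bot: the two branches added after `res = nfs_lookup(dir, dentry, lookup_flags);` in nfs_atomic_open() repeat the same test, `(lookup_flags & LOOKUP_DIRECTORY) && inode && !S_ISDIR(inode->i_mode)`, differing only in which dentry supplies the inode and whether `dput(res)` is needed. Picking the dentry first (res if it is a valid pointer, dentry otherwise) and running the check once would be shorter and harder to get out of sync. It is also worth a comment that in the `!res` case res becomes an ERR_PTR, so the following `if (switched) { d_lookup_done(dentry); if (!res)` no longer takes its `!res` branch; please confirm that is the intended path for the -ENOTDIR return, since the rest of that block is outside the hunk.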