- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 1/1] of: module: prevent NULL pointer dereference in vsnprintf()
by Chen Jun 21 Oct '24

21 Oct '24

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> mainline inclusion from mainline-v6.9-rc3 commit a1aa5390cc912934fee76ce80af5f940452fa987 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG8R CVE: CVE-2024-35878 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In of_modalias(), we can get passed the str and len parameters which would cause a kernel oops in vsnprintf() since it only allows passing a NULL ptr when the length is also 0. Also, we need to filter out the negative values of the len parameter as these will result in a really huge buffer since snprintf() takes size_t parameter while ours is ssize_t... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/1d211023-3923-685b-20f0-f3f90ea56e1f@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Conflicts: drivers/of/device.c drivers/of/module.c [chenjun: context conflicts. of_modalias() is not extracted from of_device_get_modalias().] Signed-off-by: Chen Jun <chenjun102(a)huawei.com> --- drivers/of/device.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/of/device.c b/drivers/of/device.c index 93f08f18f6b3..0b1d317acb88 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -226,6 +226,14 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len if ((!dev) || (!dev->of_node)) return -ENODEV; + /* + * Prevent a kernel oops in vsnprintf() -- it only allows passing a + * NULL ptr when the length is also 0. Also filter out the negative + * lengths... + */ + if ((len > 0 && !str) || len < 0) + return -EINVAL; + /* Name & Type */ /* %p eats all alphanum characters, so %c must be used here */ csize = snprintf(str, len, "of:N%pOFn%c%s", dev->of_node, 'T', -- 2.17.1

2 1

[PATCH OLK-6.6] rintk: Add notation to console_srcu locking
by Xiaomeng Zhang 21 Oct '24

21 Oct '24

From: John Ogness <john.ogness(a)linutronix.de> stable inclusion from stable-v6.12-rc1 commit eda25860bf6e71932311f1b5acdf8fc05cd84ff3 category: bugfix bugzilla: 190343 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- kernel/printk/printk.c:284:5: sparse: sparse: context imbalance in 'console_srcu_read_lock' - wrong count at exit include/linux/srcu.h:301:9: sparse: sparse: context imbalance in 'console_srcu_read_unlock' - unexpected unlock Fixes: 6c4afa79147e ("printk: Prepare for SRCU console list protection") Signed-off-by: John Ogness <john.ogness(a)linutronix.de> Reviewed-by: Petr Mladek <pmladek(a)suse.com> Acked-by: Paul E. McKenney <paulmck(a)kernel.org> Link: https://lore.kernel.org/r/20240820063001.36405-2-john.ogness@linutronix.de Signed-off-by: Petr Mladek <pmladek(a)suse.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- kernel/printk/printk.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index b4e390e0b4bd..1ab3185846a7 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -288,6 +288,7 @@ EXPORT_SYMBOL(console_list_unlock); * Return: A cookie to pass to console_srcu_read_unlock(). */ int console_srcu_read_lock(void) + __acquires(&console_srcu) { return srcu_read_lock_nmisafe(&console_srcu); } @@ -301,6 +302,7 @@ EXPORT_SYMBOL(console_srcu_read_lock); * Counterpart to console_srcu_read_lock() */ void console_srcu_read_unlock(int cookie) + __releases(&console_srcu) { srcu_read_unlock_nmisafe(&console_srcu, cookie); } -- 2.34.1

2 1

[PATCH OLK-6.6] kabi: cca-da: reserve space for cca-da related structure
by Guangwei Zhou 21 Oct '24

21 Oct '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IAYHMY CVE: NA ---------------------------------------------------------------------- Reserve space for struct device for CCA device assignment feature. Signed-off-by: Guangwei Zhou <zhouguangwei5(a)huawei.com> --- include/linux/device.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/linux/device.h b/include/linux/device.h index 17427fc8e035..8e7288221947 100644 --- a/include/linux/device.h +++ b/include/linux/device.h @@ -814,6 +814,13 @@ struct device { KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) + KABI_RESERVE(11) + KABI_RESERVE(12) + KABI_RESERVE(13) + KABI_RESERVE(14) + KABI_RESERVE(15) }; /** -- 2.33.0

2 1

[PATCH OLK-6.6] kabi: reserve kabi in IOMMU related structs
by yuhao_zhang 21 Oct '24

21 Oct '24

hulk inclusion category: feature bugzilla:https://gitee.com/openeuler/kernel/issues/IAYJUR CVE: NA ------------------ To ensure flexibility in the ongoing development of the IOMMU Framework, reserve fields in both the struct iommu_domain_ops and struct iommu_domain structures. Signed-off-by: Yuhao Zhang <yuhao.zhang(a)huawei.com> --- include/linux/iommu.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 8fb93470a134..604151db18ec 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -256,22 +256,24 @@ struct iommu_domain { * protected by iommu_sva_lock. */ struct list_head next; + KABI_RESERVE(1) + KABI_RESERVE(2) }; }; struct mutex switch_log_lock; #ifdef CONFIG_HISI_VIRTCCA_HOST - KABI_USE(1, bool secure) + KABI_USE(3, bool secure) #else - KABI_RESERVE(1) -#endif - KABI_RESERVE(2) KABI_RESERVE(3) +#endif KABI_RESERVE(4) KABI_RESERVE(5) KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) }; static inline bool iommu_is_dma_domain(struct iommu_domain *domain) @@ -745,6 +747,8 @@ struct iommu_domain_ops { KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) }; /** -- 2.39.5 (Apple Git-154)

2 1

[PATCH OLK-6.6] kabi: reserve kabi in IOMMU related structs
by yuhao_zhang 21 Oct '24

21 Oct '24

hulk inclusion category: feature bugzilla:https://gitee.com/openeuler/kernel/issues/IAYJUR CVE: NA ------------------ To ensure flexibility in the ongoing development of the IOMMU Framework, reserve fields in both the struct iommu_domain_ops and struct iommu_domain structures. Signed-off-by: Yuhao Zhang <yuhao.zhang(a)huawei.com> --- include/linux/iommu.h | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 8fb93470a134..604151db18ec 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -256,22 +256,24 @@ struct iommu_domain { * protected by iommu_sva_lock. */ struct list_head next; + KABI_RESERVE(1) + KABI_RESERVE(2) }; }; struct mutex switch_log_lock; #ifdef CONFIG_HISI_VIRTCCA_HOST - KABI_USE(1, bool secure) + KABI_USE(3, bool secure) #else - KABI_RESERVE(1) -#endif - KABI_RESERVE(2) KABI_RESERVE(3) +#endif KABI_RESERVE(4) KABI_RESERVE(5) KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) }; static inline bool iommu_is_dma_domain(struct iommu_domain *domain) @@ -745,6 +747,8 @@ struct iommu_domain_ops { KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) }; /** -- 2.39.5 (Apple Git-154)

2 1

[PATCH] kabi: cca-da: reserve space for cca-da related structure
by Guangwei Zhou 21 Oct '24

21 Oct '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IAYHMY CVE: NA ---------------------------------------------------------------------- Reserve space for struct device for CCA device assignment feature. Signed-off-by: Guangwei Zhou <zhouguangwei5(a)huawei.com> --- include/linux/device.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/linux/device.h b/include/linux/device.h index 17427fc8e035..8e7288221947 100644 --- a/include/linux/device.h +++ b/include/linux/device.h @@ -814,6 +814,13 @@ struct device { KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_RESERVE(9) + KABI_RESERVE(10) + KABI_RESERVE(11) + KABI_RESERVE(12) + KABI_RESERVE(13) + KABI_RESERVE(14) + KABI_RESERVE(15) }; /** -- 2.33.0

1 0

[PATCH openEuler-1.0-LTS] hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
by Lin Ruifeng 21 Oct '24

21 Oct '24

From: Guenter Roeck <linux(a)roeck-us.net> stable inclusion from stable-v4.19.322 commit 298a55f11edd811f2189b74eb8f53dee34d4f14c bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWFE CVE: CVE-2024-46757 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 0403e10bf0824bf0ec2bb135d4cf1c0cc3bf4bf0 ] DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations. Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- drivers/hwmon/nct6775.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c index 559101a1c136..23581dc62246 100644 --- a/drivers/hwmon/nct6775.c +++ b/drivers/hwmon/nct6775.c @@ -2264,7 +2264,7 @@ store_temp_offset(struct device *dev, struct device_attribute *attr, if (err < 0) return err; - val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127); + val = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000); mutex_lock(&data->update_lock); data->temp_offset[nr] = val; -- 2.17.1

2 1

[PATCH OLK-6.6] mm: mem_reliable: Initialize reliable_nr_page when mm_init()
by Wupeng Ma 21 Oct '24

21 Oct '24

From: Ma Wupeng <mawupeng1(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6RKHX -------------------------------- After the fork operation, it is erroneous for the child process to have a reliable page size twice that of its parent process. Upon examining the mm_struct structure, it was discovered that reliable_nr_page should be initialized to 0, similar to how RSS is initialized during mm_init(). This particular problem that arises during forking is merely one such example. To resolve this issue, it is recommended to set reliable_nr_page to 0 during the mm_init() operation. Fixes: 8fc2546f8508 ("proc: mem_reliable: Count reliable memory usage of reliable tasks") Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- include/linux/mem_reliable.h | 9 +++++++++ kernel/fork.c | 1 + 2 files changed, 10 insertions(+) diff --git a/include/linux/mem_reliable.h b/include/linux/mem_reliable.h index d8cabf94f4a32..1e928ff69d997 100644 --- a/include/linux/mem_reliable.h +++ b/include/linux/mem_reliable.h @@ -216,6 +216,14 @@ static inline void add_reliable_page_counter(struct page *page, reliable_page_counter_inner(mm, val); } + +static inline void reliable_clear_page_counter(struct mm_struct *mm) +{ + if (!mem_reliable_is_enabled()) + return; + + atomic_long_set(&mm->reliable_nr_page, 0); +} #else #define reliable_enabled 0 @@ -259,6 +267,7 @@ static inline void add_reliable_folio_counter(struct folio *folio, struct mm_struct *mm, int val) {} static inline void reliable_report_usage(struct seq_file *m, struct mm_struct *mm) {} +static inline void reliable_clear_page_counter(struct mm_struct *mm) {} #endif #endif diff --git a/kernel/fork.c b/kernel/fork.c index e033388b11bd9..27d605c64b45d 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1326,6 +1326,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p, mm->locked_vm = 0; atomic64_set(&mm->pinned_vm, 0); memset(&mm->rss_stat, 0, sizeof(mm->rss_stat)); + reliable_clear_page_counter(mm); spin_lock_init(&mm->page_table_lock); spin_lock_init(&mm->arg_lock); mm_init_cpumask(mm); -- 2.25.1

2 1

[PATCH OLK-5.10] blk-mq: fix blk_mq_hw_ctx active request accounting
by Zheng Qixing 21 Oct '24

21 Oct '24

From: Tian Lan <tian.lan(a)twosigma.com> mainline inclusion from mainline-v6.4-rc6 commit ddad59331a4e16088468ca0ad228a9fe32d7955a category: panic bugzilla: https://gitee.com/openeuler/kernel/issues/IAWGLV Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The nr_active counter continues to increase over time which causes the blk_mq_get_tag to hang until the thread is rescheduled to a different core despite there are still tags available. kernel-stack INFO: task inboundIOReacto:3014879 blocked for more than 2 seconds Not tainted 6.1.15-amd64 #1 Debian 6.1.15~debian11 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:inboundIOReacto state:D stack:0 pid:3014879 ppid:4557 flags:0x00000000 Call Trace: <TASK> __schedule+0x351/0xa20 scheduler+0x5d/0xe0 io_schedule+0x42/0x70 blk_mq_get_tag+0x11a/0x2a0 ? dequeue_task_stop+0x70/0x70 __blk_mq_alloc_requests+0x191/0x2e0 kprobe output showing RQF_MQ_INFLIGHT bit is not cleared before __blk_mq_free_request being called. 320 320 kworker/29:1H __blk_mq_free_request rq_flags 0x220c0 in-flight 1 b'__blk_mq_free_request+0x1 [kernel]' b'bt_iter+0x50 [kernel]' b'blk_mq_queue_tag_busy_iter+0x318 [kernel]' b'blk_mq_timeout_work+0x7c [kernel]' b'process_one_work+0x1c4 [kernel]' b'worker_thread+0x4d [kernel]' b'kthread+0xe6 [kernel]' b'ret_from_fork+0x1f [kernel]' Signed-off-by: Tian Lan <tian.lan(a)twosigma.com> Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter") Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20230513221227.497327-1-tilan7663@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: block/blk-mq.c [The conflict here is caused by the introduction of commit a668e8669590 ("blk-mq: allow hardware queue to get more tag while sharing a tag set"), which depends on this patch.] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- block/blk-mq.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index 0c0b869a012e..39f9a889b19b 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -577,6 +577,15 @@ static void __blk_mq_free_request(struct request *rq) blk_crypto_free_request(rq); blk_pm_mark_last_busy(rq); rq->mq_hctx = NULL; + + if (rq->rq_flags & RQF_MQ_INFLIGHT) { + __blk_mq_dec_active_requests(hctx); + if (mq_unfair_dtag && !__blk_mq_active_requests(hctx)) { + blk_mq_tag_idle(hctx); + blk_mq_dtag_idle(hctx, true); + } + } + if (rq->tag != BLK_MQ_NO_TAG) blk_mq_put_tag(hctx->tags, ctx, rq->tag); if (sched_tag != BLK_MQ_NO_TAG) @@ -590,7 +599,6 @@ void blk_mq_free_request(struct request *rq) struct request_queue *q = rq->q; struct elevator_queue *e = q->elevator; struct blk_mq_ctx *ctx = rq->mq_ctx; - struct blk_mq_hw_ctx *hctx = rq->mq_hctx; if (rq->rq_flags & RQF_ELVPRIV) { if (e && e->type->ops.finish_request) @@ -602,13 +610,6 @@ void blk_mq_free_request(struct request *rq) } ctx->rq_completed[rq_is_sync(rq)]++; - if (rq->rq_flags & RQF_MQ_INFLIGHT) { - __blk_mq_dec_active_requests(hctx); - if (mq_unfair_dtag && !__blk_mq_active_requests(hctx)) { - blk_mq_tag_idle(hctx); - blk_mq_dtag_idle(hctx, true); - } - } if (unlikely(laptop_mode && !blk_rq_is_passthrough(rq))) laptop_io_completion(q->backing_dev_info); -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP1] blk-mq: fix blk_mq_hw_ctx active request accounting
by Zheng Qixing 21 Oct '24

21 Oct '24

From: Tian Lan <tian.lan(a)twosigma.com> mainline inclusion from mainline-v6.4-rc6 commit ddad59331a4e16088468ca0ad228a9fe32d7955a category: panic bugzilla: https://gitee.com/openeuler/kernel/issues/IAWGLV Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The nr_active counter continues to increase over time which causes the blk_mq_get_tag to hang until the thread is rescheduled to a different core despite there are still tags available. kernel-stack INFO: task inboundIOReacto:3014879 blocked for more than 2 seconds Not tainted 6.1.15-amd64 #1 Debian 6.1.15~debian11 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:inboundIOReacto state:D stack:0 pid:3014879 ppid:4557 flags:0x00000000 Call Trace: <TASK> __schedule+0x351/0xa20 scheduler+0x5d/0xe0 io_schedule+0x42/0x70 blk_mq_get_tag+0x11a/0x2a0 ? dequeue_task_stop+0x70/0x70 __blk_mq_alloc_requests+0x191/0x2e0 kprobe output showing RQF_MQ_INFLIGHT bit is not cleared before __blk_mq_free_request being called. 320 320 kworker/29:1H __blk_mq_free_request rq_flags 0x220c0 in-flight 1 b'__blk_mq_free_request+0x1 [kernel]' b'bt_iter+0x50 [kernel]' b'blk_mq_queue_tag_busy_iter+0x318 [kernel]' b'blk_mq_timeout_work+0x7c [kernel]' b'process_one_work+0x1c4 [kernel]' b'worker_thread+0x4d [kernel]' b'kthread+0xe6 [kernel]' b'ret_from_fork+0x1f [kernel]' Signed-off-by: Tian Lan <tian.lan(a)twosigma.com> Fixes: 2e315dc07df0 ("blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter") Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20230513221227.497327-1-tilan7663@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: block/blk-mq.c [The conflict here is caused by the introduction of commit a668e8669590 ("blk-mq: allow hardware queue to get more tag while sharing a tag set"), which depends on this patch.] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- block/blk-mq.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index 0c0b869a012e..39f9a889b19b 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -577,6 +577,15 @@ static void __blk_mq_free_request(struct request *rq) blk_crypto_free_request(rq); blk_pm_mark_last_busy(rq); rq->mq_hctx = NULL; + + if (rq->rq_flags & RQF_MQ_INFLIGHT) { + __blk_mq_dec_active_requests(hctx); + if (mq_unfair_dtag && !__blk_mq_active_requests(hctx)) { + blk_mq_tag_idle(hctx); + blk_mq_dtag_idle(hctx, true); + } + } + if (rq->tag != BLK_MQ_NO_TAG) blk_mq_put_tag(hctx->tags, ctx, rq->tag); if (sched_tag != BLK_MQ_NO_TAG) @@ -590,7 +599,6 @@ void blk_mq_free_request(struct request *rq) struct request_queue *q = rq->q; struct elevator_queue *e = q->elevator; struct blk_mq_ctx *ctx = rq->mq_ctx; - struct blk_mq_hw_ctx *hctx = rq->mq_hctx; if (rq->rq_flags & RQF_ELVPRIV) { if (e && e->type->ops.finish_request) @@ -602,13 +610,6 @@ void blk_mq_free_request(struct request *rq) } ctx->rq_completed[rq_is_sync(rq)]++; - if (rq->rq_flags & RQF_MQ_INFLIGHT) { - __blk_mq_dec_active_requests(hctx); - if (mq_unfair_dtag && !__blk_mq_active_requests(hctx)) { - blk_mq_tag_idle(hctx); - blk_mq_dtag_idle(hctx, true); - } - } if (unlikely(laptop_mode && !blk_rq_is_passthrough(rq))) laptop_io_completion(q->backing_dev_info); -- 2.39.2

2 1

2025

2024

2023

2022

2021

2020

2019

Kernel