- Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 1614/1614] include/trace/trace_events.h:26:23: warning: 'str__fs__trace_system_name' defined but not used
by kernel test robot 07 May '25

07 May '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: ac2dbcb2630a54db6d68c792a6cfff34c6bd5232 commit: a4f256bae217c9679528b4957b6dc68e52cd4782 [1614/1614] vfs: add bare tracepoints for vfs read and release config: arm64-randconfig-001-20250506 (https://download.01.org/0day-ci/archive/20250507/202505070314.0zdCBK7T-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250507/202505070314.0zdCBK7T-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202505070314.0zdCBK7T-lkp@intel.com/ All warnings (new ones prefixed by >>): fs/read_write.c:483:9: warning: no previous prototype for '__vfs_write' [-Wmissing-prototypes] 483 | ssize_t __vfs_write(struct file *file, const char __user *p, size_t count, | ^~~~~~~~~~~ In file included from include/trace/define_trace.h:96, from include/trace/events/fs.h:33, from fs/read_write.c:28: >> include/trace/trace_events.h:26:23: warning: 'str__fs__trace_system_name' defined but not used [-Wunused-const-variable=] 26 | #define __app__(x, y) str__##x##y | ^~~~~ include/trace/trace_events.h:27:21: note: in expansion of macro '__app__' 27 | #define __app(x, y) __app__(x, y) | ^~~~~~~ include/trace/trace_events.h:29:29: note: in expansion of macro '__app' 29 | #define TRACE_SYSTEM_STRING __app(TRACE_SYSTEM_VAR,__trace_system_name) | ^~~~~ include/trace/trace_events.h:32:27: note: in expansion of macro 'TRACE_SYSTEM_STRING' 32 | static const char TRACE_SYSTEM_STRING[] = \ | ^~~~~~~~~~~~~~~~~~~ include/trace/trace_events.h:35:1: note: in expansion of macro 'TRACE_MAKE_SYSTEM_STR' 35 | TRACE_MAKE_SYSTEM_STR(); | ^~~~~~~~~~~~~~~~~~~~~ fs/read_write.c:90: warning: Function parameter or member 'maxsize' not described in 'generic_file_llseek_size' fs/read_write.c:90: warning: Excess function parameter 'size' description in 'generic_file_llseek_size' vim +/str__fs__trace_system_name +26 include/trace/trace_events.h acd388fd3af350 include/trace/ftrace.h Steven Rostedt (Red Hat 2015-03-31 25) acd388fd3af350 include/trace/ftrace.h Steven Rostedt (Red Hat 2015-03-31 @26) #define __app__(x, y) str__##x##y acd388fd3af350 include/trace/ftrace.h Steven Rostedt (Red Hat 2015-03-31 27) #define __app(x, y) __app__(x, y) acd388fd3af350 include/trace/ftrace.h Steven Rostedt (Red Hat 2015-03-31 28) :::::: The code at line 26 was first introduced by commit :::::: acd388fd3af350ab24c6ab6f19b83fc4a4f3aa60 tracing: Give system name a pointer :::::: TO: Steven Rostedt (Red Hat) <rostedt(a)goodmis.org> :::::: CC: Steven Rostedt <rostedt(a)goodmis.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 2200/2200] drivers/vhost/vdpa.c:589:23: error: implicit declaration of function 'iommufd_ctx_from_fd'; did you mean 'iommufd_ctx_from_file'?
by kernel test robot 07 May '25

07 May '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 9af1041f05d76435457d805d2d60c2aea1dc71f2 commit: 6a58b8be556fb7de52ae0272a994a1c73fffc903 [2200/2200] vhost/vdpa: Add support to bind and attach iommufd config: x86_64-buildonly-randconfig-006-20250506 (https://download.01.org/0day-ci/archive/20250507/202505070025.y1C68ZCV-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250507/202505070025.y1C68ZCV-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202505070025.y1C68ZCV-lkp@intel.com/ All error/warnings (new ones prefixed by >>): drivers/vhost/vdpa.c: In function 'vhost_vdpa_bind_iommufd': >> drivers/vhost/vdpa.c:589:23: error: implicit declaration of function 'iommufd_ctx_from_fd'; did you mean 'iommufd_ctx_from_file'? [-Werror=implicit-function-declaration] 589 | iommufd_ctx = iommufd_ctx_from_fd(bind.iommufd); | ^~~~~~~~~~~~~~~~~~~ | iommufd_ctx_from_file >> drivers/vhost/vdpa.c:589:21: warning: assignment to 'struct iommufd_ctx *' from 'int' makes pointer from integer without a cast [-Wint-conversion] 589 | iommufd_ctx = iommufd_ctx_from_fd(bind.iommufd); | ^ cc1: some warnings being treated as errors Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for PTP_1588_CLOCK Depends on [n]: NET [=y] && POSIX_TIMERS [=n] Selected by [y]: - SXE [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_LINKDATA [=y] && (X86 [=y] || ARM64) && PCI [=y] - SXE_VF [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_LINKDATA [=y] && (X86 [=y] || ARM64) && PCI [=y] vim +589 drivers/vhost/vdpa.c 576 577 static long vhost_vdpa_bind_iommufd(struct vhost_vdpa *v, int __user *argp) 578 { 579 struct vhost_vdpa_bind_iommufd bind; 580 struct iommufd_ctx *iommufd_ctx; 581 struct iommufd_device *idev; 582 struct device *dma_dev = vdpa_get_dma_dev(v->vdpa); 583 struct iommu_group *iommu_group = iommu_group_get(dma_dev); 584 int ret = 0; 585 586 if (copy_from_user(&bind, argp, sizeof(bind))) 587 return -EFAULT; 588 > 589 iommufd_ctx = iommufd_ctx_from_fd(bind.iommufd); 590 if (IS_ERR(iommufd_ctx)) 591 return PTR_ERR(iommufd_ctx); 592 593 if (v->domain) { 594 iommu_detach_device(v->domain, dma_dev); 595 iommu_domain_free(v->domain); 596 v->domain = NULL; 597 } 598 599 /** 600 * Default iommu domain is created when vdpa device driver probes. 601 * Unuse default domain first to avoid failure when claiming dma owner. 602 */ 603 if (dma_dev->bus && dma_dev->bus->dma_cleanup) 604 dma_dev->bus->dma_cleanup(dma_dev); 605 ret = iommu_group_claim_dma_owner(iommu_group, iommufd_ctx); 606 if (ret) 607 goto dma_configure; 608 609 idev = iommufd_device_bind(iommufd_ctx, dma_dev, &bind.out_devid); 610 if (IS_ERR(idev)) { 611 ret = PTR_ERR(idev); 612 goto release_owner; 613 } 614 v->iommufd_dev = idev; 615 616 if (copy_to_user(argp, &bind, sizeof(bind))) { 617 ret = -EFAULT; 618 goto unbind; 619 } 620 621 goto out; 622 623 unbind: 624 iommufd_device_unbind(v->iommufd_dev); 625 v->iommufd_dev = NULL; 626 release_owner: 627 iommu_group_release_dma_owner(iommu_group); 628 dma_configure: 629 if (dma_dev->bus && dma_dev->bus->dma_configure) 630 dma_dev->bus->dma_configure(dma_dev); 631 out: 632 iommufd_ctx_put(iommufd_ctx); 633 return ret; 634 } 635 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 2888/2888] include/linux/minmax.h:20:35: warning: comparison of distinct pointer types lacks a cast
by kernel test robot 06 May '25

06 May '25

Hi SeongJae, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: f5912cbd669a2722f81f0f054fb8aec1525da8ee commit: 83b931be40b2829e20f38356509d8706ea6b6238 [2888/2888] mm/damon/core-test: test damon_set_regions config: x86_64-buildonly-randconfig-006-20250506 (https://download.01.org/0day-ci/archive/20250506/202505062356.u2rMcCQF-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250506/202505062356.u2rMcCQF-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202505062356.u2rMcCQF-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from include/linux/kernel.h:14, from arch/x86/include/asm/percpu.h:27, from arch/x86/include/asm/current.h:6, from include/linux/mutex.h:14, from include/linux/damon.h:11, from mm/damon/core.c:10: mm/damon/core-test.h: In function 'damon_test_set_regions': >> include/linux/minmax.h:20:35: warning: comparison of distinct pointer types lacks a cast 20 | (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) | ^~ include/kunit/test.h:748:16: note: in expansion of macro '__typecheck' 748 | ((void)__typecheck(__left, __right)); \ | ^~~~~~~~~~~ include/kunit/test.h:772:9: note: in expansion of macro 'KUNIT_BASE_BINARY_ASSERTION' 772 | KUNIT_BASE_BINARY_ASSERTION(test, \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ include/kunit/test.h:861:9: note: in expansion of macro 'KUNIT_BASE_EQ_MSG_ASSERTION' 861 | KUNIT_BASE_EQ_MSG_ASSERTION(test, \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ include/kunit/test.h:871:9: note: in expansion of macro 'KUNIT_BINARY_EQ_MSG_ASSERTION' 871 | KUNIT_BINARY_EQ_MSG_ASSERTION(test, \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/kunit/test.h:1234:9: note: in expansion of macro 'KUNIT_BINARY_EQ_ASSERTION' 1234 | KUNIT_BINARY_EQ_ASSERTION(test, KUNIT_EXPECTATION, left, right) | ^~~~~~~~~~~~~~~~~~~~~~~~~ mm/damon/core-test.h:284:9: note: in expansion of macro 'KUNIT_EXPECT_EQ' 284 | KUNIT_EXPECT_EQ(test, damon_nr_regions(t), 3); | ^~~~~~~~~~~~~~~ vim +20 include/linux/minmax.h cffb222bc2e032 Rikard Falkeborn 2021-06-07 6 b296a6d53339a7 Andy Shevchenko 2020-10-15 7 /* b296a6d53339a7 Andy Shevchenko 2020-10-15 8 * min()/max()/clamp() macros must accomplish three things: b296a6d53339a7 Andy Shevchenko 2020-10-15 9 * b296a6d53339a7 Andy Shevchenko 2020-10-15 10 * - avoid multiple evaluations of the arguments (so side-effects like b296a6d53339a7 Andy Shevchenko 2020-10-15 11 * "x++" happen only once) when non-constant. b296a6d53339a7 Andy Shevchenko 2020-10-15 12 * - perform strict type-checking (to generate warnings instead of b296a6d53339a7 Andy Shevchenko 2020-10-15 13 * nasty runtime surprises). See the "unnecessary" pointer comparison b296a6d53339a7 Andy Shevchenko 2020-10-15 14 * in __typecheck(). b296a6d53339a7 Andy Shevchenko 2020-10-15 15 * - retain result as a constant expressions when called with only b296a6d53339a7 Andy Shevchenko 2020-10-15 16 * constant expressions (to avoid tripping VLA warnings in stack b296a6d53339a7 Andy Shevchenko 2020-10-15 17 * allocation usage). b296a6d53339a7 Andy Shevchenko 2020-10-15 18 */ b296a6d53339a7 Andy Shevchenko 2020-10-15 19 #define __typecheck(x, y) \ b296a6d53339a7 Andy Shevchenko 2020-10-15 @20 (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) b296a6d53339a7 Andy Shevchenko 2020-10-15 21 :::::: The code at line 20 was first introduced by commit :::::: b296a6d53339a79082c1d2c1761e948e8b3def69 kernel.h: split out min()/max() et al. helpers :::::: TO: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> :::::: CC: Linus Torvalds <torvalds(a)linux-foundation.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] driver: base: fix UAF when driver_attach failed
by Yin Tirui 06 May '25

06 May '25

From: Schspa Shi <schspa(a)gmail.com> mainline inclusion from mainline-v5.19-rc1 commit 310862e574001a97ad02272bac0fd13f75f42a27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP35K CVE: CVE-2022-49385 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- When driver_attach(drv); failed, the driver_private will be freed. But it has been added to the bus, which caused a UAF. To fix it, we need to delete it from the bus when failed. Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe") Signed-off-by: Schspa Shi <schspa(a)gmail.com> Link: https://lore.kernel.org/r/20220513112444.45112-1-schspa@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/base/bus.c [Fixing conflicts] Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: Weilong Chen <chenweilong(a)huawei.com> --- drivers/base/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/base/bus.c b/drivers/base/bus.c index 5f1966081c42..f45506c56c33 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -661,7 +661,7 @@ int bus_add_driver(struct device_driver *drv) } else { error = driver_attach(drv); if (error) - goto out_unregister; + goto out_del_list; } } module_add_driver(drv->owner, drv); @@ -689,6 +689,8 @@ int bus_add_driver(struct device_driver *drv) return 0; +out_del_list: + klist_del(&priv->knode_bus); out_unregister: kobject_put(&priv->kobj); /* drv->p is freed in driver_release() */ -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] [Backport] scsi: pm8001: Fix abort all task initialization
by Lin Ruifeng 06 May '25

06 May '25

From: Damien Le Moal <damien.lemoal(a)opensource.wdc.com> stable inclusion from stable-v4.19.238 commit 1824a21b2cedc5774a5adfa74f5f7b90472d8677 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP73H CVE: CVE-2022-49217 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7f12845c8389855dbcc67baa068b6832dc4a396e ] In pm80xx_send_abort_all(), the n_elem field of the ccb used is not initialized to 0. This missing initialization sometimes lead to the task completion path seeing the ccb with a non-zero n_elem resulting in the execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(), causing a crash such as: [ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280 [ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012 [ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0 [ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0 [ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b [ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000 [ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000 [ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000 [ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0 [ 197.762656] Call Trace: [ 197.765127] <IRQ> [ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx] [ 197.772364] ? do_raw_spin_unlock+0x54/0x220 [ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx] [ 197.782406] process_oq+0xe85/0x7890 [pm80xx] [ 197.786817] ? lock_acquire+0x194/0x490 [ 197.790697] ? handle_irq_event+0x10e/0x1b0 [ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx] [ 197.800378] ? __wake_up_bit+0x100/0x100 [ 197.804340] ? lock_is_held_type+0x98/0x110 [ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx] [ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0 [ 197.818785] __do_softirq+0x1b5/0x82d [ 197.822485] ? do_raw_spin_unlock+0x54/0x220 [ 197.826799] __irq_exit_rcu+0x17e/0x1e0 [ 197.830678] irq_exit_rcu+0xa/0x20 [ 197.834114] common_interrupt+0x78/0x90 [ 197.840051] </IRQ> [ 197.844236] <TASK> [ 197.848397] asm_common_interrupt+0x1e/0x40 Avoid this issue by always initializing the ccb n_elem field to 0 in pm8001_send_abort_all(), pm8001_send_read_log() and pm80xx_send_abort_all(). Link: https://lore.kernel.org/r/20220220031810.738362-17-damien.lemoal@opensource… Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: Jack Wang <jinpu.wang(a)ionos.com> Signed-off-by: Damien Le Moal <damien.lemoal(a)opensource.wdc.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- drivers/scsi/pm8001/pm8001_hwi.c | 2 ++ drivers/scsi/pm8001/pm80xx_hwi.c | 1 + 2 files changed, 3 insertions(+) diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c index 3e814c0469fb..0c943189b3ba 100644 --- a/drivers/scsi/pm8001/pm8001_hwi.c +++ b/drivers/scsi/pm8001/pm8001_hwi.c @@ -1748,6 +1748,7 @@ static void pm8001_send_abort_all(struct pm8001_hba_info *pm8001_ha, ccb->device = pm8001_ha_dev; ccb->ccb_tag = ccb_tag; ccb->task = task; + ccb->n_elem = 0; circularQ = &pm8001_ha->inbnd_q_tbl[0]; @@ -1810,6 +1811,7 @@ static void pm8001_send_read_log(struct pm8001_hba_info *pm8001_ha, ccb->device = pm8001_ha_dev; ccb->ccb_tag = ccb_tag; ccb->task = task; + ccb->n_elem = 0; pm8001_ha_dev->id |= NCQ_READ_LOG_FLAG; pm8001_ha_dev->id |= NCQ_2ND_RLE_FLAG; diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c index 327992fbb553..1bc13452276d 100644 --- a/drivers/scsi/pm8001/pm80xx_hwi.c +++ b/drivers/scsi/pm8001/pm80xx_hwi.c @@ -1435,6 +1435,7 @@ static void pm80xx_send_abort_all(struct pm8001_hba_info *pm8001_ha, ccb->device = pm8001_ha_dev; ccb->ccb_tag = ccb_tag; ccb->task = task; + ccb->n_elem = 0; circularQ = &pm8001_ha->inbnd_q_tbl[0]; -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] [Backport] video: fbdev: cirrusfb: check pixclock to avoid divide by zero
by Lin Ruifeng 06 May '25

06 May '25

From: George Kennedy <george.kennedy(a)oracle.com> stable inclusion from stable-v4.19.238 commit 40b13e3d85744210db13457785646634e2d056bd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP6SB CVE: CVE-2021-47641 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379 ] Do a sanity check on pixclock value to avoid divide by zero. If the pixclock value is zero, the cirrusfb driver will round up pixclock to get the derived frequency as close to maxclock as possible. Syzkaller reported a divide error in cirrusfb_check_pixclock. divide error: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2 RIP: 0010:cirrusfb_check_var+0x6f1/0x1260 Call Trace: fb_set_var+0x398/0xf90 do_fb_ioctl+0x4b8/0x6f0 fb_ioctl+0xeb/0x130 __x64_sys_ioctl+0x19d/0x220 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: George Kennedy <george.kennedy(a)oracle.com> Reviewed-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- drivers/video/fbdev/cirrusfb.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/video/fbdev/cirrusfb.c b/drivers/video/fbdev/cirrusfb.c index b3be06dd2908..72358d187023 100644 --- a/drivers/video/fbdev/cirrusfb.c +++ b/drivers/video/fbdev/cirrusfb.c @@ -470,7 +470,7 @@ static int cirrusfb_check_mclk(struct fb_info *info, long freq) return 0; } -static int cirrusfb_check_pixclock(const struct fb_var_screeninfo *var, +static int cirrusfb_check_pixclock(struct fb_var_screeninfo *var, struct fb_info *info) { long freq; @@ -479,9 +479,7 @@ static int cirrusfb_check_pixclock(const struct fb_var_screeninfo *var, unsigned maxclockidx = var->bits_per_pixel >> 3; /* convert from ps to kHz */ - freq = PICOS2KHZ(var->pixclock); - - dev_dbg(info->device, "desired pixclock: %ld kHz\n", freq); + freq = PICOS2KHZ(var->pixclock ? : 1); maxclock = cirrusfb_board_info[cinfo->btype].maxclock[maxclockidx]; cinfo->multiplexing = 0; @@ -489,11 +487,13 @@ static int cirrusfb_check_pixclock(const struct fb_var_screeninfo *var, /* If the frequency is greater than we can support, we might be able * to use multiplexing for the video mode */ if (freq > maxclock) { - dev_err(info->device, - "Frequency greater than maxclock (%ld kHz)\n", - maxclock); - return -EINVAL; + var->pixclock = KHZ2PICOS(maxclock); + + while ((freq = PICOS2KHZ(var->pixclock)) > maxclock) + var->pixclock++; } + dev_dbg(info->device, "desired pixclock: %ld kHz\n", freq); + /* * Additional constraint: 8bpp uses DAC clock doubling to allow maximum * pixel clock -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] can: peak_usb: fix use after free bugs
by Zhang Changzhong 06 May '25

06 May '25

From: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> stable inclusion from stable-v4.19.171 commit 5408824636fa0dfedb9ecb0d94abd573131bfbbe category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC21UY CVE: CVE-2021-47670 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 50aca891d7a554db0901b245167cd653d73aaa71 ] After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the peak_usb_netif_rx_ni(). Reordering the lines solves the issue. Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") Link: https://lore.kernel.org/r/20210120114137.200019-4-mailhol.vincent@wanadoo.fr Signed-off-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c index 4198835..87574ce 100644 --- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c @@ -514,11 +514,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if, else memcpy(cfd->data, rm->d, cfd->len); - peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)); - netdev->stats.rx_packets++; netdev->stats.rx_bytes += cfd->len; + peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low)); + return 0; } @@ -574,11 +574,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if, if (!skb) return -ENOMEM; - peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low)); - netdev->stats.rx_packets++; netdev->stats.rx_bytes += cf->can_dlc; + peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low)); + return 0; } -- 2.9.5

2 1

[PATCH] driver: base: fix UAF when driver_attach failed
by Yin Tirui 06 May '25

06 May '25

From: Schspa Shi <schspa(a)gmail.com> mainline inclusion from mainline-v5.19-rc1 commit 310862e574001a97ad02272bac0fd13f75f42a27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP35K CVE: CVE-2022-49385 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- When driver_attach(drv); failed, the driver_private will be freed. But it has been added to the bus, which caused a UAF. To fix it, we need to delete it from the bus when failed. Fixes: 190888ac01d0 ("driver core: fix possible missing of device probe") Signed-off-by: Schspa Shi <schspa(a)gmail.com> Link: https://lore.kernel.org/r/20220513112444.45112-1-schspa@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yin Tirui <yintirui(a)huawei.com> Reviewed-by: Weilong Chen <chenweilong(a)huawei.com> --- drivers/base/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/base/bus.c b/drivers/base/bus.c index 5f1966081c42..f45506c56c33 100644 --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -661,7 +661,7 @@ int bus_add_driver(struct device_driver *drv) } else { error = driver_attach(drv); if (error) - goto out_unregister; + goto out_del_list; } } module_add_driver(drv->owner, drv); @@ -689,6 +689,8 @@ int bus_add_driver(struct device_driver *drv) return 0; +out_del_list: + klist_del(&priv->knode_bus); out_unregister: kobject_put(&priv->kobj); /* drv->p is freed in driver_release() */ -- 2.22.0

1 0

[PATCH OLK-5.10 v2] ipv6: mcast: extend RCU protection in igmp6_send()
by Dong Chenchen 06 May '25

06 May '25

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.14-rc3 commit 087c1faa594fa07a66933d750c0b2610aa1a2946 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC5R CVE: CVE-2025-21759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. Fixes: b8ad0cbc58f7 ("[NETNS][IPV6] mcast - handle several network namespace") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://patch.msgid.link/20250207135841.1948589-9-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/mcast.c [commit b4a11b2033b7 separates OUTREQUESTS stastic from MIB_OUT, which not merged lead to context conflicts. commit 2e7ef287f07c convert from timer to delayed work. Because this patch was not merged, we use GFP_ATOMIC flag] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv6/mcast.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index 9fb5077f8e9a..e0d5125de202 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -1974,21 +1974,21 @@ static void mld_send_cr(struct inet6_dev *idev) static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) { - struct net *net = dev_net(dev); - struct sock *sk = net->ipv6.igmp_sk; + const struct in6_addr *snd_addr, *saddr; + int err, len, payload_len, full_len; + struct in6_addr addr_buf; struct inet6_dev *idev; struct sk_buff *skb; struct mld_msg *hdr; - const struct in6_addr *snd_addr, *saddr; - struct in6_addr addr_buf; int hlen = LL_RESERVED_SPACE(dev); int tlen = dev->needed_tailroom; - int err, len, payload_len, full_len; u8 ra[8] = { IPPROTO_ICMPV6, 0, IPV6_TLV_ROUTERALERT, 2, 0, 0, IPV6_TLV_PADN, 0 }; - struct flowi6 fl6; struct dst_entry *dst; + struct flowi6 fl6; + struct net *net; + struct sock *sk; if (type == ICMPV6_MGM_REDUCTION) snd_addr = &in6addr_linklocal_allrouters; @@ -1999,20 +1999,20 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) payload_len = len + sizeof(ra); full_len = sizeof(struct ipv6hdr) + payload_len; - rcu_read_lock(); - IP6_UPD_PO_STATS(net, __in6_dev_get(dev), - IPSTATS_MIB_OUT, full_len); - rcu_read_unlock(); - - skb = sock_alloc_send_skb(sk, hlen + tlen + full_len, 1, &err); + skb = alloc_skb(hlen + tlen + full_len, GFP_ATOMIC); + rcu_read_lock(); + net = dev_net_rcu(dev); + idev = __in6_dev_get(dev); + IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, full_len); if (!skb) { - rcu_read_lock(); - IP6_INC_STATS(net, __in6_dev_get(dev), - IPSTATS_MIB_OUTDISCARDS); + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); rcu_read_unlock(); return; } + sk = net->ipv6.igmp_sk; + skb_set_owner_w(skb, sk); + skb->priority = TC_PRIO_CONTROL; skb_reserve(skb, hlen); @@ -2037,9 +2037,6 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) IPPROTO_ICMPV6, csum_partial(hdr, len, 0)); - rcu_read_lock(); - idev = __in6_dev_get(skb->dev); - icmpv6_flow_init(sk, &fl6, type, &ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr, skb->dev->ifindex); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS v2] ipv6: mcast: extend RCU protection in igmp6_send()
by Dong Chenchen 06 May '25

06 May '25

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.14-rc3 commit 087c1faa594fa07a66933d750c0b2610aa1a2946 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC5R CVE: CVE-2025-21759 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- igmp6_send() can be called without RTNL or RCU being held. Extend RCU protection so that we can safely fetch the net pointer and avoid a potential UAF. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection. Fixes: b8ad0cbc58f7 ("[NETNS][IPV6] mcast - handle several network namespace") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://patch.msgid.link/20250207135841.1948589-9-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/mcast.c [commit b4a11b2033b7 separates OUTREQUESTS stastic from MIB_OUT, which not merged lead to context conflicts. commit 2e7ef287f07c convert from timer to delayed work. Because this patch was not merged, we use GFP_ATOMIC flag] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv6/mcast.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index 3d048401141f..bb484fe27e13 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -1979,21 +1979,21 @@ static void mld_send_cr(struct inet6_dev *idev) static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) { - struct net *net = dev_net(dev); - struct sock *sk = net->ipv6.igmp_sk; + const struct in6_addr *snd_addr, *saddr; + int err, len, payload_len, full_len; + struct in6_addr addr_buf; struct inet6_dev *idev; struct sk_buff *skb; struct mld_msg *hdr; - const struct in6_addr *snd_addr, *saddr; - struct in6_addr addr_buf; int hlen = LL_RESERVED_SPACE(dev); int tlen = dev->needed_tailroom; - int err, len, payload_len, full_len; u8 ra[8] = { IPPROTO_ICMPV6, 0, IPV6_TLV_ROUTERALERT, 2, 0, 0, IPV6_TLV_PADN, 0 }; - struct flowi6 fl6; struct dst_entry *dst; + struct flowi6 fl6; + struct net *net; + struct sock *sk; if (type == ICMPV6_MGM_REDUCTION) snd_addr = &in6addr_linklocal_allrouters; @@ -2004,20 +2004,20 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) payload_len = len + sizeof(ra); full_len = sizeof(struct ipv6hdr) + payload_len; - rcu_read_lock(); - IP6_UPD_PO_STATS(net, __in6_dev_get(dev), - IPSTATS_MIB_OUT, full_len); - rcu_read_unlock(); - - skb = sock_alloc_send_skb(sk, hlen + tlen + full_len, 1, &err); + skb = alloc_skb(hlen + tlen + full_len, GFP_ATOMIC); + rcu_read_lock(); + net = dev_net_rcu(dev); + idev = __in6_dev_get(dev); + IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, full_len); if (!skb) { - rcu_read_lock(); - IP6_INC_STATS(net, __in6_dev_get(dev), - IPSTATS_MIB_OUTDISCARDS); + IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); rcu_read_unlock(); return; } + sk = net->ipv6.igmp_sk; + skb_set_owner_w(skb, sk); + skb->priority = TC_PRIO_CONTROL; skb_reserve(skb, hlen); @@ -2042,9 +2042,6 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type) IPPROTO_ICMPV6, csum_partial(hdr, len, 0)); - rcu_read_lock(); - idev = __in6_dev_get(skb->dev); - icmpv6_flow_init(sk, &fl6, type, &ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr, skb->dev->ifindex); -- 2.25.1

2 1