hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB963V
CVE: NA
--------------------------------
In nmi_trigger_cpumask_backtrace(), printk_safe_flush() is called after
sending NMI to flush the logs. When logbuf_lock is already held and the
current CPU is in printk-safe context (e.g., NMI context), attempting to
acquire the lock again can lead to deadlock.
Modify the function to return early when detecting logbuf_lock is held
and current CPU is in printk-safe context. This prevents deadlock scenarios
where CPU0 holds the lock while other CPUs try to acquire it in NMI
context.
Fixes: 099f1c84c005 ("printk: introduce per-cpu safe_print seq buffer")
Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com>
---
kernel/printk/printk_safe.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/printk/printk_safe.c b/kernel/printk/printk_safe.c
index 809f92492ec7..c97845688fe1 100644
--- a/kernel/printk/printk_safe.c
+++ b/kernel/printk/printk_safe.c
@@ -256,6 +256,10 @@ void printk_safe_flush(void)
{
int cpu;
+ if (raw_spin_is_locked(&logbuf_lock) &&
+ (this_cpu_read(printk_context) & PRINTK_SAFE_CONTEXT_MASK))
+ return;
+
for_each_possible_cpu(cpu) {
#ifdef CONFIG_PRINTK_NMI
__printk_safe_flush(&per_cpu(nmi_print_seq, cpu).work);
--
2.34.1
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB963V
CVE: NA
--------------------------------
In nmi_trigger_cpumask_backtrace(), printk_safe_flush() is called after
sending NMI to flush the logs. When logbuf_lock is already held and the
current CPU is in printk-safe context (e.g., NMI context), attempting to
acquire the lock again can lead to deadlock.
Modify the function to return early when detecting logbuf_lock is held
and current CPU is in printk-safe context. This prevents deadlock scenarios
where CPU0 holds the lock while other CPUs try to acquire it in NMI
context.
Fixes: 099f1c84c005 ("printk: introduce per-cpu safe_print seq buffer")
Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com>
---
kernel/printk/printk_safe.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/printk/printk_safe.c b/kernel/printk/printk_safe.c
index 809f92492ec7..c97845688fe1 100644
--- a/kernel/printk/printk_safe.c
+++ b/kernel/printk/printk_safe.c
@@ -256,6 +256,10 @@ void printk_safe_flush(void)
{
int cpu;
+ if (raw_spin_is_locked(&logbuf_lock) &&
+ (this_cpu_read(printk_context) & PRINTK_SAFE_CONTEXT_MASK))
+ return;
+
for_each_possible_cpu(cpu) {
#ifdef CONFIG_PRINTK_NMI
__printk_safe_flush(&per_cpu(nmi_print_seq, cpu).work);
--
2.34.1
From: Pavel Begunkov <asml.silence(a)gmail.com>
stable inclusion
from stable-v6.6.68
commit 2ca94c8de36091067b9ce7527ae8db3812d38781
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEG43
CVE: CVE-2024-56709
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit dbd2ca9367eb19bc5e269b8c58b0b1514ada9156 upstream.
task work can be executed after the task has gone through io_uring
termination, whether it's the final task_work run or the fallback path.
In this case, task work will find ->io_wq being already killed and
null'ed, which is a problem if it then tries to forward the request to
io_queue_iowq(). Make io_queue_iowq() fail requests in this case.
Note that it also checks PF_KTHREAD, because the user can first close
a DEFER_TASKRUN ring and shortly after kill the task, in which case
->iowq check would race.
Cc: stable(a)vger.kernel.org
Fixes: 50c52250e2d74 ("block: implement async io_uring discard cmd")
Fixes: 773af69121ecc ("io_uring: always reissue from task_work context")
Reported-by: Will <willsroot(a)protonmail.com>
Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com>
Link: https://lore.kernel.org/r/63312b4a2c2bb67ad67b857d17a300e1d3b078e8.17346379…
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
io_uring/io_uring.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 4d69fb4cf803..bb37e8f08ae5 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1090,6 +1090,7 @@ static struct file *io_file_get(struct io_ring_ctx *ctx,
unsigned int issue_flags);
static void __io_queue_sqe(struct io_kiocb *req);
static void io_rsrc_put_work(struct work_struct *work);
+static void io_req_task_queue_fail(struct io_kiocb *req, int ret);
static void io_req_task_queue(struct io_kiocb *req);
static void io_submit_flush_completions(struct io_ring_ctx *ctx);
@@ -1459,7 +1460,11 @@ static void io_queue_async_work(struct io_kiocb *req, bool *locked)
locked = NULL;
BUG_ON(!tctx);
- BUG_ON(!tctx->io_wq);
+
+ if ((current->flags & PF_KTHREAD) || !tctx->io_wq) {
+ io_req_task_queue_fail(req, -ECANCELED);
+ return;
+ }
/* init ->work of the whole link before punting */
io_prep_async_link(req);
--
2.39.2
From: Pavel Begunkov <asml.silence(a)gmail.com>
stable inclusion
from stable-v6.6.68
commit 2ca94c8de36091067b9ce7527ae8db3812d38781
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEG43
CVE: CVE-2024-56709
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit dbd2ca9367eb19bc5e269b8c58b0b1514ada9156 upstream.
task work can be executed after the task has gone through io_uring
termination, whether it's the final task_work run or the fallback path.
In this case, task work will find ->io_wq being already killed and
null'ed, which is a problem if it then tries to forward the request to
io_queue_iowq(). Make io_queue_iowq() fail requests in this case.
Note that it also checks PF_KTHREAD, because the user can first close
a DEFER_TASKRUN ring and shortly after kill the task, in which case
->iowq check would race.
Cc: stable(a)vger.kernel.org
Fixes: 50c52250e2d74 ("block: implement async io_uring discard cmd")
Fixes: 773af69121ecc ("io_uring: always reissue from task_work context")
Reported-by: Will <willsroot(a)protonmail.com>
Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com>
Link: https://lore.kernel.org/r/63312b4a2c2bb67ad67b857d17a300e1d3b078e8.17346379…
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
io_uring/io_uring.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 6e5e00a7692c..3a1eee5bac77 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1096,6 +1096,7 @@ static struct file *io_file_get(struct io_ring_ctx *ctx,
unsigned int issue_flags);
static void __io_queue_sqe(struct io_kiocb *req);
static void io_rsrc_put_work(struct work_struct *work);
+static void io_req_task_queue_fail(struct io_kiocb *req, int ret);
static void io_req_task_queue(struct io_kiocb *req);
static void io_submit_flush_completions(struct io_ring_ctx *ctx);
@@ -1465,7 +1466,11 @@ static void io_queue_async_work(struct io_kiocb *req, bool *locked)
locked = NULL;
BUG_ON(!tctx);
- BUG_ON(!tctx->io_wq);
+
+ if ((current->flags & PF_KTHREAD) || !tctx->io_wq) {
+ io_req_task_queue_fail(req, -ECANCELED);
+ return;
+ }
/* init ->work of the whole link before punting */
io_prep_async_link(req);
--
2.39.2
Hi Matti,
FYI, the error/warning still remains.
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 773f731853f1368508a0b112047bd9b5a4bb9a5e
commit: 30107fa6908b6c2747ee9100b40af813f99483c3 [1356/1356] mfd: bd71837: Core driver for ROHM BD71837 PMIC
config: x86_64-buildonly-randconfig-003-20241228 (https://download.01.org/0day-ci/archive/20241230/202412301525.GctcPXAM-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241230/202412301525.GctcPXAM-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412301525.GctcPXAM-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from drivers/mfd/rohm-bd718x7.c:15:
include/linux/module.h:138:14: warning: 'cleanup_module' specifies less restrictive attribute than its target 'bd71837_i2c_exit': 'cold' [-Wmissing-attributes]
138 | void cleanup_module(void) __attribute__((alias(#exitfn)));
| ^~~~~~~~~~~~~~
drivers/mfd/rohm-bd718x7.c:207:1: note: in expansion of macro 'module_exit'
207 | module_exit(bd71837_i2c_exit);
| ^~~~~~~~~~~
drivers/mfd/rohm-bd718x7.c:203:20: note: 'cleanup_module' target declared here
203 | static void __exit bd71837_i2c_exit(void)
| ^~~~~~~~~~~~~~~~
include/linux/module.h:132:13: warning: 'init_module' specifies less restrictive attribute than its target 'bd71837_i2c_init': 'cold' [-Wmissing-attributes]
132 | int init_module(void) __attribute__((alias(#initfn)));
| ^~~~~~~~~~~
include/linux/module.h:115:41: note: in expansion of macro 'module_init'
115 | #define subsys_initcall(fn) module_init(fn)
| ^~~~~~~~~~~
drivers/mfd/rohm-bd718x7.c:201:1: note: in expansion of macro 'subsys_initcall'
201 | subsys_initcall(bd71837_i2c_init);
| ^~~~~~~~~~~~~~~
drivers/mfd/rohm-bd718x7.c:195:19: note: 'init_module' target declared here
195 | static int __init bd71837_i2c_init(void)
| ^~~~~~~~~~~~~~~~
>> drivers/mfd/rohm-bd718x7.o: warning: objtool: missing symbol for section .init.text
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB963V
CVE: NA
--------------------------------
In nmi_trigger_cpumask_backtrace(), printk_safe_flush() is called after
sending NMI to flush the logs. When logbuf_lock is already held and the
current CPU is in printk-safe context (e.g., NMI context), attempting to
acquire the lock again can lead to deadlock.
Modify the function to return early when detecting logbuf_lock is held
and current CPU is in printk-safe context. This prevents deadlock scenarios
where CPU0 holds the lock while other CPUs try to acquire it in NMI
context.
Fixes: 099f1c84c005 ("printk: introduce per-cpu safe_print seq buffer")
Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com>
---
kernel/printk/printk_safe.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/printk/printk_safe.c b/kernel/printk/printk_safe.c
index 809f92492ec7..c97845688fe1 100644
--- a/kernel/printk/printk_safe.c
+++ b/kernel/printk/printk_safe.c
@@ -256,6 +256,10 @@ void printk_safe_flush(void)
{
int cpu;
+ if (raw_spin_is_locked(&logbuf_lock) &&
+ (this_cpu_read(printk_context) & PRINTK_SAFE_CONTEXT_MASK))
+ return;
+
for_each_possible_cpu(cpu) {
#ifdef CONFIG_PRINTK_NMI
__printk_safe_flush(&per_cpu(nmi_print_seq, cpu).work);
--
2.34.1
From: Dan Carpenter <dan.carpenter(a)linaro.org>
mainline inclusion
from mainline-v6.13-rc1
commit 93a11608fb3720e1bc2b19a2649ac2b49cca1921
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGV
CVE: CVE-2024-53163
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
----------------------------------------------------------------------
This is called from uof_get_name_420xx() where "num_objs" is the
ARRAY_SIZE() of fw_objs[]. The > needs to be >= to prevent an out of
bounds access.
Fixes: fcf60f4bcf54 ("crypto: qat - add support for 420xx devices")
Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Acked-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com>
Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au>
Signed-off-by: Ye Bin <yebin10(a)huawei.com>
---
drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
index 78f0ea49254d..9faef33e54bd 100644
--- a/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
+++ b/drivers/crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c
@@ -375,7 +375,7 @@ static const char *uof_get_name(struct adf_accel_dev *accel_dev, u32 obj_num,
else
id = -EINVAL;
- if (id < 0 || id > num_objs)
+ if (id < 0 || id >= num_objs)
return NULL;
return fw_objs[id];
--
2.34.1