Kernel

kernel@openeuler.org

  • 51 participants
  • 18726 discussions
[PATCH OLK-5.10 0/3] Avoid-use-after-free-issues-with-crtc-and-plane
by Zhang Kunbo 26 Oct '24
*** BLURB HERE *** Katya Orlova (1): drm/stm: Avoid use-after-free issues with crtc and plane Raphael Gallais-Pou (1): drm/stm: ltdc: add support for CRC hashing feature Yannick Fertre (1): drm/stm: ltdc: support of new hardware version drivers/gpu/drm/stm/drv.c | 3 +- drivers/gpu/drm/stm/ltdc.c | 339 ++++++++++++++++++++++++++++--------- drivers/gpu/drm/stm/ltdc.h | 6 +- 3 files changed, 264 insertions(+), 84 deletions(-) -- 2.34.1
[PATCH OLK-6.6] ocfs2: cancel dqi_sync_work before freeing oinfo
by Huang Xiaojia 26 Oct '24
From: Joseph Qi <joseph.qi(a)linux.alibaba.com> stable inclusion from stable-v6.6.55 commit ef768020366f47d23f39c4f57bcb03af6d1e24b3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRD6 CVE: CVE-2024-49966 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 35fccce29feb3706f649726d410122dd81b92c18 upstream. ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails. Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.… Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing") Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reported-by: syzbot+f7af59df5d6b25f0febd(a)syzkaller.appspotmail.com Tested-by: syzbot+f7af59df5d6b25f0febd(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Huang Xiaojia <huangxiaojia2(a)huawei.com> --- fs/ocfs2/quota_local.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index dfaae1e52412..257f13cdd14c 100644 
--- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) int status; struct buffer_head *bh = NULL; struct ocfs2_quota_recovery *rec; - int locked = 0; + int locked = 0, global_read = 0; info->dqi_max_spc_limit = 0x7fffffffffffffffLL; info->dqi_max_ino_limit = 0x7fffffffffffffffLL; @@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (!oinfo) { mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" " info."); + status = -ENOMEM; goto out_err; } info->dqi_priv = oinfo; @@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) status = ocfs2_global_read_info(sb, type); if (status < 0) goto out_err; + global_read = 1; status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1); if (status < 0) { @@ -779,10 +781,12 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (locked) ocfs2_inode_unlock(lqinode, 1); ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); + if (global_read) + cancel_delayed_work_sync(&oinfo->dqi_sync_work); kfree(oinfo); } brelse(bh); - return -1; + return status; } /* Write local info to quota file */ -- 2.34.1
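Review bot: with the final `return -1` replaced by `return status`, every `goto out_err` in ocfs2_local_read_info() must leave a negative value in `status`, which the first hunk shows declared without an initializer (`int status;`). The second hunk covers the oinfo allocation failure with `+ status = -ENOMEM;`, but any other early exit between that allocation and the ocfs2_global_read_info() call that lies outside the visible context needs the same treatment, otherwise .read_file_info can hand back 0 or a stale value after oinfo has been freed. The ordering in the last hunk is right: cancel_delayed_work_sync() runs before kfree(oinfo), and the `_sync` variant is required because qsync_work_fn may already be executing on another CPU when the error path is taken.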
[PATCH OLK-5.10] ocfs2: cancel dqi_sync_work before freeing oinfo
by Huang Xiaojia 26 Oct '24
From: Joseph Qi <joseph.qi(a)linux.alibaba.com> stable inclusion from stable-v5.10.227 commit 14114d8148db07e7946fb06b56a50cfa425e26c7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRD6 CVE: CVE-2024-49966 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 35fccce29feb3706f649726d410122dd81b92c18 upstream. ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails. Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.… Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing") Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reported-by: syzbot+f7af59df5d6b25f0febd(a)syzkaller.appspotmail.com Tested-by: syzbot+f7af59df5d6b25f0febd(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Huang Xiaojia <huangxiaojia2(a)huawei.com> --- fs/ocfs2/quota_local.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index b1a8b046f4c2..7a1c8da9e44b 100644 
--- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) int status; struct buffer_head *bh = NULL; struct ocfs2_quota_recovery *rec; - int locked = 0; + int locked = 0, global_read = 0; info->dqi_max_spc_limit = 0x7fffffffffffffffLL; info->dqi_max_ino_limit = 0x7fffffffffffffffLL; @@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (!oinfo) { mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" " info."); + status = -ENOMEM; goto out_err; } info->dqi_priv = oinfo; @@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) status = ocfs2_global_read_info(sb, type); if (status < 0) goto out_err; + global_read = 1; status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1); if (status < 0) { @@ -779,10 +781,12 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (locked) ocfs2_inode_unlock(lqinode, 1); ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); + if (global_read) + cancel_delayed_work_sync(&oinfo->dqi_sync_work); kfree(oinfo); } brelse(bh); - return -1; + return status; } /* Write local info to quota file */ -- 2.34.1
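Review bot: the cancel in the last hunk is gated on `global_read`, which the third hunk sets only after ocfs2_global_read_info() has returned success; that matches the commit message (the work is scheduled at the end of that call), but it also means a failure inside ocfs2_global_read_info() itself is left to that function's own cleanup, which is worth confirming in this 5.10 tree since the hunk does not cover it. Separately, because the function now ends with `return status` and `int status;` in the first hunk is uninitialized, check that every `goto out_err` between the `+ status = -ENOMEM;` site and the ocfs2_inode_lock() call assigns a negative errno before jumping.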
[PATCH openEuler-22.03-LTS-SP1] ocfs2: cancel dqi_sync_work before freeing oinfo
by Huang Xiaojia 26 Oct '24
From: Joseph Qi <joseph.qi(a)linux.alibaba.com> stable inclusion from stable-v5.10.227 commit 14114d8148db07e7946fb06b56a50cfa425e26c7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRD6 CVE: CVE-2024-49966 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 35fccce29feb3706f649726d410122dd81b92c18 upstream. ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end, if error occurs after successfully reading global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled: ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails. Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.… Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing") Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reported-by: syzbot+f7af59df5d6b25f0febd(a)syzkaller.appspotmail.com Tested-by: syzbot+f7af59df5d6b25f0febd(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Huang Xiaojia <huangxiaojia2(a)huawei.com> --- fs/ocfs2/quota_local.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c index b1a8b046f4c2..7a1c8da9e44b 100644 
--- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) int status; struct buffer_head *bh = NULL; struct ocfs2_quota_recovery *rec; - int locked = 0; + int locked = 0, global_read = 0; info->dqi_max_spc_limit = 0x7fffffffffffffffLL; info->dqi_max_ino_limit = 0x7fffffffffffffffLL; @@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (!oinfo) { mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" " info."); + status = -ENOMEM; goto out_err; } info->dqi_priv = oinfo; @@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) status = ocfs2_global_read_info(sb, type); if (status < 0) goto out_err; + global_read = 1; status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1); if (status < 0) { @@ -779,10 +781,12 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (locked) ocfs2_inode_unlock(lqinode, 1); ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); + if (global_read) + cancel_delayed_work_sync(&oinfo->dqi_sync_work); kfree(oinfo); } brelse(bh); - return -1; + return status; } /* Write local info to quota file */ -- 2.34.1
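Review bot: the `+ status = -ENOMEM;` line in the second hunk is load-bearing, not cosmetic: once the last hunk changes `- return -1;` to `+ return status;`, an allocation failure would otherwise return whatever the uninitialized `int status;` from the first hunk happened to hold, possibly 0, which the quota core would read as success on a freed oinfo. Any other `goto out_err` reached before `status` is assigned should be audited the same way. In the error path the new `cancel_delayed_work_sync(&oinfo->dqi_sync_work)` correctly sits after ocfs2_inode_unlock() and before kfree(oinfo), so the work cannot run against freed memory and the cancel does not wait while holding the inode lock.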
[PATCH OLK-6.6] block: fix potential invalid pointer dereference in blk_add_partition
by Zheng Qixing 26 Oct '24
From: Riyan Dhiman <riyandhiman14(a)gmail.com> stable inclusion from stable-v6.6.54 commit 80f5bfbb80ea1615290dbc24f49d3d8c86db58fe category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJH CVE: CVE-2024-47705 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ] The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls. Fixes: b72053072c0b (block: allow partitions on host aware zone devices) Signed-off-by: Riyan Dhiman <riyandhiman14(a)gmail.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: block/partitions/core.c [The conflict occurs because commit 0d7ddfc89284 ("block: print symbolic error name instead of error code") is not introduced.] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- block/partitions/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/block/partitions/core.c b/block/partitions/core.c index 962e4b57d64a..0cdc44d11cb0 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c 
@@ -574,9 +574,11 @@ static bool blk_add_partition(struct gendisk *disk, part = add_partition(disk, p, from, size, state->parts[p].flags, &state->parts[p].info); - if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { - printk(KERN_ERR " %s: p%d could not be added: %ld\n", - disk->disk_name, p, -PTR_ERR(part)); + if (IS_ERR(part)) { + if (PTR_ERR(part) != -ENXIO) { + printk(KERN_ERR " %s: p%d could not be added: %pe\n", + disk->disk_name, p, -PTR_ERR(part)); + } return true; } -- 2.39.2
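Review bot: the printk in this hunk mixes two conventions: the format was changed to `%pe`, which expects an ERR_PTR-style pointer, but the argument kept from the removed line is `-PTR_ERR(part)`, a positive long. The Conflicts note says 0d7ddfc89284 ("block: print symbolic error name instead of error code") is not in this tree, so the backport should either keep `%ld` with `-PTR_ERR(part)` exactly as the `-` line had it, or, if the symbolic name is wanted, use `%pe` with `part` itself; as written the message will not print the error name, since a value that is not an ERR_PTR is formatted as an ordinary pointer. The control-flow change itself is sound: any ERR_PTR `part` now returns before md_autodetect_dev() can be reached, which is the invalid-dereference the subject describes.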
[PATCH openEuler-1.0-LTS] svm: fix UAF/Double Free in svm
by Lin Ruifeng 26 Oct '24
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAZLJE CVE: NA -------------------------------------------------- fix DTS2024100908489 Fixes: 221302d362d3 (“svm: add support for allocing memory which is within 4G physical address in svm_mmap”) Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- drivers/char/svm.c | 55 +++++++++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/drivers/char/svm.c b/drivers/char/svm.c index 4cd04ca378ff..d7f70f2019e2 100644 --- a/drivers/char/svm.c +++ b/drivers/char/svm.c @@ -1503,6 +1503,40 @@ static int svm_proc_load_flag(int __user *arg) return put_user(flag, arg); } +static void svm_vma_open(struct vm_area_struct *vma) +{ + struct page *page = vma->vm_private_data; + + if (page) + get_page(page); +} + +static void svm_vma_close(struct vm_area_struct *vma) +{ + struct page *page = vma->vm_private_data; + + put_page(page); +} + +/* avoid split */ +static int svm_vma_split(struct vm_area_struct *area, unsigned long addr) +{ + return -EINVAL; +} + +/* avoid mremap */ +static int svm_vma_mremap(struct vm_area_struct *area) +{ + return -EINVAL; +} + +static const struct vm_operations_struct svm_vma_ops = { + .open = svm_vma_open, + .close = svm_vma_close, + .split = svm_vma_split, + .mremap = svm_vma_mremap, +}; + static int svm_mmap(struct file *file, struct vm_area_struct *vma) { int err; @@ -1540,6 +1574,9 @@ static int svm_mmap(struct file *file, struct vm_area_struct *vma) dev_err(sdev->dev, "fail to remap 0x%pK err=%d\n", (void *)vma->vm_start, err); + + vma->vm_private_data = page; + vma->vm_ops = &svm_vma_ops; } else { if ((vma->vm_end < vma->vm_start) || ((vma->vm_end - vma->vm_start) > sdev->l2size)) 
@@ -1566,9 +1603,7 @@ static int svm_release_phys32(unsigned long __user *arg) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; - struct page *page = NULL; - pte_t *pte = NULL; - unsigned long phys, addr, offset; + unsigned long addr; unsigned int len = 0; if (arg == NULL) @@ -1578,28 +1613,18 @@ static int svm_release_phys32(unsigned long __user *arg) return -EFAULT; down_read(&mm->mmap_sem); - pte = svm_walk_pt(addr, NULL, &offset); - if (pte && pte_present(*pte)) { - phys = PFN_PHYS(pte_pfn(*pte)) + offset; - } else { - up_read(&mm->mmap_sem); - return -EINVAL; - } vma = find_vma(mm, addr); - if (!vma) { + if (!vma || addr != vma->vm_start) { up_read(&mm->mmap_sem); return -EFAULT; } - page = phys_to_page(phys); len = vma->vm_end - vma->vm_start; - __free_pages(page, get_order(len)); - up_read(&mm->mmap_sem); - return 0; + return vm_munmap(addr, len); } static unsigned long svm_sp_alloc_mem(unsigned long __user *arg) -- 2.17.1
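Review bot: svm_vma_close() calls put_page() on vm_private_data unconditionally, while svm_vma_open() guards the same pointer with `if (page)`; the two should agree, and if vm_private_data can ever be NULL on one of these VMAs the close path will oops. In the svm_mmap hunk the new `vma->vm_private_data = page;` and `vma->vm_ops = &svm_vma_ops;` lines sit directly after the `dev_err(sdev->dev, "fail to remap 0x%pK err=%d\n", ...)` call, and the visible context does not show whether the remap-failure path returns before them; please confirm that vm_ops is not installed on a mapping whose remap failed, otherwise the close callback drops a page reference that mapping never took. Rejecting split and mremap via `-EINVAL` is the right companion to per-VMA refcounting, since either operation would otherwise leave two VMAs sharing one vm_private_data page.

Review bot: in the last hunk `- up_read(&mm->mmap_sem);` is deleted and the function now ends with `+ return vm_munmap(addr, len);`, but the read side of mmap_sem taken by `down_read(&mm->mmap_sem);` earlier in the same hunk is still held on that path (the only remaining up_read is inside the `!vma || addr != vma->vm_start` branch). vm_munmap() acquires mmap_sem for write, so this path would deadlock against itself; drop the semaphore before calling vm_munmap(), keeping the `len` read where it is so the vma is not dereferenced after the unlock. Replacing the manual __free_pages() with vm_munmap() is otherwise the correct shape for the double-free fix, because the page is now released exactly once through svm_vma_close() when the mapping goes away, and the new `addr != vma->vm_start` check ensures only a whole svm mapping can be released this way.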
[openeuler:openEuler-1.0-LTS 2662/23859] arch/arm64/include/asm/irqflags.h:88:9: warning: 'flags' may be used uninitialized
by kernel test robot 26 Oct '24
Hi Geert, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: d2a40c79ddef4b96b8a7a396bd7273121b1b4a5c commit: 9dae7e237a64858407b7626260bad53aa13c9198 [2662/23859] serial: sh-sci: Fix locking in sci_submit_rx() config: arm64-randconfig-002-20241026 (https://download.01.org/0day-ci/archive/20241026/202410260911.Qmhlx5mF-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241026/202410260911.Qmhlx5mF-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410260911.Qmhlx5mF-lkp@intel.com/ Note: it may well be a FALSE warning. FWIW you are at least aware of it now. http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings All warnings (new ones prefixed by >>): In file included from include/linux/irqflags.h:16, from include/linux/spinlock.h:54, from include/linux/rwsem.h:16, from include/linux/notifier.h:15, from include/linux/clk.h:17, from drivers/tty/serial/sh-sci.c:24: In function 'arch_local_irq_restore', inlined from '__raw_spin_unlock_irqrestore' at include/linux/spinlock_api_smp.h:160:2, inlined from 'spin_unlock_irqrestore' at include/linux/spinlock.h:384:2, inlined from 'sci_submit_rx' at drivers/tty/serial/sh-sci.c:1376:3: >> arch/arm64/include/asm/irqflags.h:88:9: warning: 'flags' may be used uninitialized [-Wmaybe-uninitialized] 88 | asm volatile( | ^~~ drivers/tty/serial/sh-sci.c: In function 'sci_submit_rx': drivers/tty/serial/sh-sci.c:1338:23: note: 'flags' was declared here 1338 | unsigned long flags; | ^~~~~ In file included from drivers/tty/serial/sh-sci.c:53: In function 'tty_insert_flip_char', inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:940:7: include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 
[-Wstringop-overflow=] 27 | *flag_buf_ptr(tb, tb->used) = flag; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ In file included from include/linux/serial_core.h:29, from include/linux/serial_sci.h:6, from drivers/tty/serial/sh-sci.c:46: include/linux/tty.h: In function 'sci_handle_errors': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:940:7: include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 28 | *char_buf_ptr(tb, tb->used++) = ch; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~ include/linux/tty.h: In function 'sci_handle_errors': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:950:7: include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 27 | *flag_buf_ptr(tb, tb->used) = flag; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ include/linux/tty.h: In function 'sci_handle_errors': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:950:7: include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 28 | *char_buf_ptr(tb, tb->used++) = ch; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~ include/linux/tty.h: In function 'sci_handle_errors': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:960:7: include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 27 | *flag_buf_ptr(tb, tb->used) = flag; | 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ include/linux/tty.h: In function 'sci_handle_errors': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:960:7: include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 28 | *char_buf_ptr(tb, tb->used++) = ch; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~ include/linux/tty.h: In function 'sci_handle_errors': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:906:5: include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 27 | *flag_buf_ptr(tb, tb->used) = flag; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ include/linux/tty.h: In function 'sci_receive_chars': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:906:5: include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 28 | *char_buf_ptr(tb, tb->used++) = ch; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~ include/linux/tty.h: In function 'sci_receive_chars': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 'tty_insert_flip_char', inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:883:5: include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 27 | *flag_buf_ptr(tb, tb->used) = flag; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~ include/linux/tty.h: In function 'sci_receive_chars': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ In function 
'tty_insert_flip_char', inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:883:5: include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 28 | *char_buf_ptr(tb, tb->used++) = ch; | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~ include/linux/tty.h: In function 'sci_receive_chars': include/linux/tty.h:69:23: note: destination object 'data' of size 0 69 | unsigned long data[0]; | ^~~~ vim +/flags +88 arch/arm64/include/asm/irqflags.h fb9bd7d6df81dd Marc Zyngier 2012-03-05 82 fb9bd7d6df81dd Marc Zyngier 2012-03-05 83 /* fb9bd7d6df81dd Marc Zyngier 2012-03-05 84 * restore saved IRQ state fb9bd7d6df81dd Marc Zyngier 2012-03-05 85 */ fb9bd7d6df81dd Marc Zyngier 2012-03-05 86 static inline void arch_local_irq_restore(unsigned long flags) fb9bd7d6df81dd Marc Zyngier 2012-03-05 87 { fb9bd7d6df81dd Marc Zyngier 2012-03-05 @88 asm volatile( fb9bd7d6df81dd Marc Zyngier 2012-03-05 89 "msr daif, %0 // arch_local_irq_restore" fb9bd7d6df81dd Marc Zyngier 2012-03-05 90 : fb9bd7d6df81dd Marc Zyngier 2012-03-05 91 : "r" (flags) fb9bd7d6df81dd Marc Zyngier 2012-03-05 92 : "memory"); fb9bd7d6df81dd Marc Zyngier 2012-03-05 93 } fb9bd7d6df81dd Marc Zyngier 2012-03-05 94 :::::: The code at line 88 was first introduced by commit :::::: fb9bd7d6df81ddf1e7ab6648ac89ddbe0625b26b arm64: IRQ handling :::::: TO: Marc Zyngier <marc.zyngier(a)arm.com> :::::: CC: Catalin Marinas <catalin.marinas(a)arm.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24
From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v6.12-rc1 commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index fae0846d9409..9d413c4fd64c 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -169,6 +169,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -434,8 +445,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
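Review bot: nbd_requeue_cmd() now carries `lockdep_assert_held(&cmd->lock)` and clears NBD_CMD_INFLIGHT with the non-atomic `__clear_bit()`, so the fix is only complete if every caller holds cmd->lock. The second hunk adjusts the nbd_xmit_timeout() caller by moving `mutex_unlock(&cmd->lock)` below the `nbd_requeue_cmd(cmd)` call, but the remaining call sites are outside the diff and should be checked in this openEuler-1.0-LTS tree before merging; a caller without the lock would both trip the lockdep assertion and reintroduce the race with the normal completion path that the commit message describes. Holding cmd->lock across blk_mq_requeue_request() is fine here, as the earlier `mutex_unlock(&nsock->tx_lock)` in the same hunk shows the socket lock is already released first.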
[PATCH openEuler-22.03-LTS-SP1] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24
From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v6.12-rc1 commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 6a9e8fd84f03..9dbd7cb3df13 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -172,6 +172,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -453,8 +464,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
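Review bot: the `__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)` added in the first hunk is a plain read-modify-write on cmd->flags, so it is only safe because the new `lockdep_assert_held(&cmd->lock)` pins every caller under cmd->lock; any path in this 22.03-LTS-SP1 tree that touches cmd->flags without that mutex would be able to lose or resurrect the INFLIGHT bit. The diff only shows the nbd_xmit_timeout() caller being brought under the lock (unlock moved after `nbd_requeue_cmd(cmd)`), so please verify the other nbd_requeue_cmd() callers and the completion-side check of NBD_CMD_INFLIGHT all take cmd->lock in this branch, not just upstream.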
[PATCH OLK-5.10] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24
From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v6.12-rc1 commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 6a9e8fd84f03..9dbd7cb3df13 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -172,6 +172,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -453,8 +464,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
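Review bot: the second hunk is the part that makes the new lockdep assertion hold for the timeout path, by swapping the order of `mutex_unlock(&cmd->lock)` and `nbd_requeue_cmd(cmd)`; the diff does not show the other nbd_requeue_cmd() callers in this 5.10 branch, and each of them must already hold cmd->lock or the assertion fires at runtime. Since the comment in the first hunk says INFLIGHT is set again when the cmd is next queued, it is also worth confirming that the re-set on the submit side happens under the same lock in this tree, otherwise the clear added here and that set could interleave with the completion path the fix is meant to exclude.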