mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 62 participants
  • 18848 discussions
[openeuler:openEuler-1.0-LTS 15323/22974] drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:181:6: sparse: sparse: symbol 'hclge_ext_init' was not declared. Should it be static?
by kernel test robot 19 Jun '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   9e57bb4473766dca5e26f8b78853f38dd62d1aa3
commit: c3acbb84d1aa72a112cdfb9479ae744b21a92751 [15323/22974] net: hns3: adds support for setting pf max tx rate via sysfs
config: arm64-randconfig-r111-20240615 (https://download.01.org/0day-ci/archive/20240619/202406191251.tnS3pNVS-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240619/202406191251.tnS3pNVS-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406191251.tnS3pNVS-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:140:44: sparse: sparse: mixing different enum types:
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:140:44: sparse:    unsigned int enum hnae3_reset_type
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:140:44: sparse:    unsigned int enum hnae3_event_type_custom
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:97:6: sparse: sparse: symbol 'hclge_reset_event_it' was not declared. Should it be static?
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:148:6: sparse: sparse: symbol 'hclge_reset_done_it' was not declared. Should it be static?
>> drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:181:6: sparse: sparse: symbol 'hclge_ext_init' was not declared. Should it be static?
>> drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:186:6: sparse: sparse: symbol 'hclge_ext_uninit' was not declared. Should it be static?
>> drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:195:6: sparse: sparse: symbol 'hclge_ext_reset_done' was not declared. Should it be static?
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:204:5: sparse: sparse: symbol 'hclge_init_it' was not declared. Should it be static?
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:97:6: warning: no previous prototype for 'hclge_reset_event_it' [-Wmissing-prototypes]
      97 | void hclge_reset_event_it(struct pci_dev *pdev, struct hnae3_handle *handle)
         |      ^~~~~~~~~~~~~~~~~~~
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c: In function 'hclge_reset_event_it':
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:140:44: warning: implicit conversion from 'enum hnae3_reset_type' to 'enum hnae3_event_type_custom' [-Wenum-conversion]
     140 |         nic_call_event(netdev, hdev->reset_level);
         |                                ~~~~^~~~~~~~~~~~~
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c: At top level:
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:148:6: warning: no previous prototype for 'hclge_reset_done_it' [-Wmissing-prototypes]
     148 | bool hclge_reset_done_it(struct hnae3_handle *handle, bool done)
         |      ^~~~~~~~~~~~~~~~~~
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:181:6: warning: no previous prototype for 'hclge_ext_init' [-Wmissing-prototypes]
     181 | void hclge_ext_init(struct hnae3_handle *handle)
         |      ^~~~~~~~~~~~~
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:186:6: warning: no previous prototype for 'hclge_ext_uninit' [-Wmissing-prototypes]
     186 | void hclge_ext_uninit(struct hnae3_handle *handle)
         |      ^~~~~~~~~~~~~~~
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:195:6: warning: no previous prototype for 'hclge_ext_reset_done' [-Wmissing-prototypes]
     195 | void hclge_ext_reset_done(struct hnae3_handle *handle)
         |      ^~~~~~~~~~~~~~~~~~~
   drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c:204:5: warning: no previous prototype for 'hclge_init_it' [-Wmissing-prototypes]
     204 | int hclge_init_it(void)
         |     ^~~~~~~~~~~~

vim +/hclge_ext_init +181 drivers/net/ethernet/hisilicon/hns3/hns3_extension/hns3pf/hclge_main_it.c

   179
   180  #ifdef CONFIG_HNS3_TEST
 > 181  void hclge_ext_init(struct hnae3_handle *handle)
   182  {
   183          hclge_sysfs_init(handle);
   184  }
   185
 > 186  void hclge_ext_uninit(struct hnae3_handle *handle)
   187  {
   188          struct hclge_vport *vport = hclge_get_vport(handle);
   189          struct hclge_dev *hdev = vport->back;
   190
   191          hclge_reset_pf_rate(hdev);
   192          hclge_sysfs_uninit(handle);
   193  }
   194
 > 195  void hclge_ext_reset_done(struct hnae3_handle *handle)
   196  {
   197          struct hclge_vport *vport = hclge_get_vport(handle);
   198          struct hclge_dev *hdev = vport->back;
   199
   200          hclge_resume_pf_rate(hdev);
   201  }
   202  #endif
   203

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] kprobes: Fix possible use-after-free issue on kprobe registration
by Chen Zhongjin 19 Jun '24

stable inclusion from stable-v4.19.313 commit b5808d40093403334d939e2c3c417144d12a6f33 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRI5 CVE: CVE-2024-35955 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8 upstream. When unloading a module, its state is changing MODULE_STATE_LIVE -> MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take a time. `is_module_text_address()` and `__module_text_address()` works with MODULE_STATE_LIVE and MODULE_STATE_GOING. If we use `is_module_text_address()` and `__module_text_address()` separately, there is a chance that the first one is succeeded but the next one is failed because module->state becomes MODULE_STATE_UNFORMED between those operations. In `check_kprobe_address_safe()`, if the second `__module_text_address()` is failed, that is ignored because it expected a kernel_text address. But it may have failed simply because module->state has been changed to MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify non-exist module text address (use-after-free). To fix this problem, we should not use separated `is_module_text_address()` and `__module_text_address()`, but use only `__module_text_address()` once and do `try_module_get(module)` which is only available with MODULE_STATE_LIVE. Link: https://lore.kernel.org/all/20240410015802.265220-1-zhengyejian1@huawei.com/ Fixes: 28f6c37a2910 ("kprobes: Forbid probing on trampoline and BPF code areas") Cc: stable(a)vger.kernel.org Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> [Fix conflict due to lack dependency commit 223a76b268c9 ("kprobes: Fix coding style issues")] Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> 
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Fix conflict due to lack dependency commit 1efda38d6f9b ("kprobes: Prohibit probes in gate area")] Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- kernel/kprobes.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index f4871c2b69b6..81ea5a3bd05f 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1564,9 +1564,17 @@ static int check_kprobe_address_safe(struct kprobe *p, jump_label_lock(); preempt_disable(); - /* Ensure it is not in reserved area nor out of text */ - if (!(core_kernel_text((unsigned long) p->addr) || - is_module_text_address((unsigned long) p->addr)) || + /* Ensure the address is in a text area, and find a module if exists. */ + *probed_mod = NULL; + if (!core_kernel_text((unsigned long) p->addr)) { + *probed_mod = __module_text_address((unsigned long) p->addr); + if (!(*probed_mod)) { + ret = -EINVAL; + goto out; + } + } + /* Ensure it is not in reserved area. */ + if (in_gate_area_no_mm((unsigned long) p->addr) || within_kprobe_blacklist((unsigned long) p->addr) || jump_label_text_reserved(p->addr, p->addr) || find_bug((unsigned long)p->addr)) { @@ -1574,8 +1582,7 @@ static int check_kprobe_address_safe(struct kprobe *p, goto out; } - /* Check if are we probing a module */ - *probed_mod = __module_text_address((unsigned long) p->addr); + /* Get module refcount and reject __init functions for loaded modules. */ if (*probed_mod) { /* * We must hold a refcount of the probed module while updating -- 2.25.1
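Review bot: In the first hunk of kernel/kprobes.c (check_kprobe_address_safe()), the rewritten reserved-area condition gains `in_gate_area_no_mm((unsigned long) p->addr) ||`, which is not among the removed lines, while the backport note says this tree lacks 1efda38d6f9b ("kprobes: Prohibit probes in gate area"). That makes the backport carry a second behavioural change beyond the single `__module_text_address()` lookup the changelog describes. Either drop the gate-area test so the condition matches what this branch had, or say in the conflict note that the check is introduced here on purpose and confirm `in_gate_area_no_mm()` is declared for every config this branch builds.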
[PATCH openEuler-22.03-LTS-SP1] dyndbg: fix old BUG_ON in >control parser
by Guo Mengqi 19 Jun '24

From: Jim Cromie <jim.cromie(a)gmail.com> stable inclusion from stable-v5.10.217 commit 41d8ac238ab1cab01a8c71798d61903304f4e79b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGMG CVE: CVE-2024-35947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c upstream. Fix a BUG_ON from 2009. Even if it looks "unreachable" (I didn't really look), lets make sure by removing it, doing pr_err and return -EINVAL instead. Cc: stable <stable(a)kernel.org> Signed-off-by: Jim Cromie <jim.cromie(a)gmail.com> Link: https://lore.kernel.org/r/20240429193145.66543-2-jim.cromie@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Chen Jun <chenjun102(a)huawei.com> --- lib/dynamic_debug.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c index 10a50c03074e..685cf3e6771d 100644 --- a/lib/dynamic_debug.c +++ b/lib/dynamic_debug.c @@ -260,7 +260,11 @@ static int ddebug_tokenize(char *buf, char *words[], int maxwords) } else { for (end = buf; *end && !isspace(*end); end++) ; - BUG_ON(end == buf); + if (end == buf) { + pr_err("parse err after word:%d=%s\n", nwords, + nwords ? words[nwords - 1] : "<none>"); + return -EINVAL; + } } /* `buf' is start of word, `end' is one past its end */ -- 2.17.1
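Review bot: The changelog leaves open whether `end == buf` in ddebug_tokenize() can actually be reached ("I didn't really look"), yet the backport carries a CVE tag. Please state in the backport message whether a write to the control file can get to this branch, because that decides whether the change is hardening or a fix for a BUG() that an unprivileged or privileged writer could trigger, and it sets the priority for the LTS branches.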
[PATCH OLK-5.10] dyndbg: fix old BUG_ON in >control parser
by Guo Mengqi 19 Jun '24

From: Jim Cromie <jim.cromie(a)gmail.com> stable inclusion from stable-v5.10.217 commit 41d8ac238ab1cab01a8c71798d61903304f4e79b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGMG CVE: CVE-2024-35947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c upstream. Fix a BUG_ON from 2009. Even if it looks "unreachable" (I didn't really look), lets make sure by removing it, doing pr_err and return -EINVAL instead. Cc: stable <stable(a)kernel.org> Signed-off-by: Jim Cromie <jim.cromie(a)gmail.com> Link: https://lore.kernel.org/r/20240429193145.66543-2-jim.cromie@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Chen Jun <chenjun102(a)huawei.com> --- lib/dynamic_debug.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c index 10a50c03074e..685cf3e6771d 100644 --- a/lib/dynamic_debug.c +++ b/lib/dynamic_debug.c @@ -260,7 +260,11 @@ static int ddebug_tokenize(char *buf, char *words[], int maxwords) } else { for (end = buf; *end && !isspace(*end); end++) ; - BUG_ON(end == buf); + if (end == buf) { + pr_err("parse err after word:%d=%s\n", nwords, + nwords ? words[nwords - 1] : "<none>"); + return -EINVAL; + } } /* `buf' is start of word, `end' is one past its end */ -- 2.17.1
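Review bot: The `pr_err()` added in ddebug_tokenize() echoes `words[nwords - 1]`, a token taken from the string being parsed, and has no rate limit. If this branch can be reached by repeated writes, each one now produces a log line instead of a BUG(), so `pr_err_ratelimited()` would keep the error path from being usable to flood the kernel log.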
[PATCH OLK-5.10] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
by Guo Mengqi 19 Jun '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.212 commit 810fa7d5e5202fcfb22720304b755f1bdfd4c174 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8NB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb ] It seems that if userspace provides a correct IFA_TARGET_NETNSID value but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr() returns -EINVAL with an elevated "struct net" refcount. Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: David Ahern <dsahern(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- net/ipv6/addrconf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 5e42149b954f..e4e2656b5ccb 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -5443,9 +5443,10 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, } addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer); - if (!addr) - return -EINVAL; - + if (!addr) { + err = -EINVAL; + goto errout; + } ifm = nlmsg_data(nlh); if (ifm->ifa_index) dev = dev_get_by_index(tgt_net, ifm->ifa_index); -- 2.17.1
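Review bot: With `goto errout` in inet6_rtm_getaddr(), the cleanup label is now entered before `dev = dev_get_by_index(tgt_net, ifm->ifa_index);` has run. The diff shows neither the declarations nor the errout block, so please confirm on this branch that `dev` and every other object errout releases start out NULL and that errout tolerates that; otherwise the refcount-leak fix would trade the leak for a put on an uninitialised pointer.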
[PATCH openEuler-22.03-LTS-SP1] ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
by Guo Mengqi 19 Jun '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.212 commit 810fa7d5e5202fcfb22720304b755f1bdfd4c174 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8NB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 10bfd453da64a057bcfd1a49fb6b271c48653cdb ] It seems that if userspace provides a correct IFA_TARGET_NETNSID value but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr() returns -EINVAL with an elevated "struct net" refcount. Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: David Ahern <dsahern(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- net/ipv6/addrconf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index a2bdefcd2b30..1d9efa737dd9 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -5414,9 +5414,10 @@ static int inet6_rtm_getaddr(struct sk_buff *in_skb, struct nlmsghdr *nlh, } addr = extract_addr(tb[IFA_ADDRESS], tb[IFA_LOCAL], &peer); - if (!addr) - return -EINVAL; - + if (!addr) { + err = -EINVAL; + goto errout; + } ifm = nlmsg_data(nlh); if (ifm->ifa_index) dev = dev_get_by_index(tgt_net, ifm->ifa_index); -- 2.17.1
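Review bot: The hunk in net/ipv6/addrconf.c also deletes the blank line that separated the `!addr` check from `ifm = nlmsg_data(nlh);`, so the closing `}` of the new block now runs straight into the next statement. Keep an empty line after the brace so the error check stays visually separate from the ifaddrmsg handling that follows.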
[PATCH OLK-5.10] init/main.c: Fix potential static_command_line memory overflow
by Guo Mengqi 19 Jun '24

From: Yuntao Wang <ytcoode(a)gmail.com> stable inclusion from stable-v5.10.216 commit 2ef607ea103616aec0289f1b65d103d499fa903a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5HF CVE: CVE-2024-26988 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 46dad3c1e57897ab9228332f03e1c14798d2d3b9 upstream. We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line. When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow. This patch just recovers strlen(command_line) which was miss-consolidated with strlen(boot_command_line) in the commit f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()") Link: https://lore.kernel.org/all/20240412081733.35925-2-ytcoode@gmail.com/ Fixes: f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()") Cc: stable(a)vger.kernel.org Signed-off-by: Yuntao Wang <ytcoode(a)gmail.com> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Huang Xiaojia <huangxiaojia2(a)huawei.com> --- init/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/init/main.c b/init/main.c index f06fbe79a84a..2b466bd04110 100644 --- a/init/main.c +++ b/init/main.c @@ -631,6 +631,8 @@ static void __init setup_command_line(char *command_line) if (!saved_command_line) panic("%s: Failed to allocate %zu bytes\n", __func__, len + ilen); + len = xlen + strlen(command_line) + 1; + static_command_line = memblock_alloc(len, SMP_CACHE_BYTES); if (!static_command_line) panic("%s: Failed to allocate %zu bytes\n", __func__, len); -- 2.17.1
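Review bot: In setup_command_line(), `len` is reused for two different buffers: the context lines show it sizing saved_command_line (`len + ilen`), and the added line reassigns it for static_command_line. The changelog attributes the overflow to exactly this kind of mix-up between strlen(boot_command_line) and strlen(command_line), so a dedicated variable for the second allocation would keep the two sizes from being merged again by a later cleanup.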
[PATCH openEuler-22.03-LTS-SP1] init/main.c: Fix potential static_command_line memory overflow
by Guo Mengqi 19 Jun '24

From: Yuntao Wang <ytcoode(a)gmail.com> stable inclusion from stable-v5.10.216 commit 2ef607ea103616aec0289f1b65d103d499fa903a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5HF CVE: CVE-2024-26988 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 46dad3c1e57897ab9228332f03e1c14798d2d3b9 upstream. We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line. When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow. This patch just recovers strlen(command_line) which was miss-consolidated with strlen(boot_command_line) in the commit f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()") Link: https://lore.kernel.org/all/20240412081733.35925-2-ytcoode@gmail.com/ Fixes: f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()") Cc: stable(a)vger.kernel.org Signed-off-by: Yuntao Wang <ytcoode(a)gmail.com> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Huang Xiaojia <huangxiaojia2(a)huawei.com> --- init/main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/init/main.c b/init/main.c index 21b65f18ba83..31f01f926329 100644 --- a/init/main.c +++ b/init/main.c @@ -633,6 +633,8 @@ static void __init setup_command_line(char *command_line) if (!saved_command_line) panic("%s: Failed to allocate %zu bytes\n", __func__, len + ilen); + len = xlen + strlen(command_line) + 1; + static_command_line = memblock_alloc(len, SMP_CACHE_BYTES); if (!static_command_line) panic("%s: Failed to allocate %zu bytes\n", __func__, len); -- 2.17.1
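Review bot: The added line `len = xlen + strlen(command_line) + 1;` in setup_command_line() carries no comment, and nothing in the hunk says which strings the buffer has to hold. A one-line comment stating that static_command_line receives extra_command_line followed by command_line, as the changelog explains, would document why this length differs from the one used for saved_command_line just above.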
[PATCH openEuler-22.03-LTS-SP1] scsi: core: Fix unremoved procfs host directory regression
by Guo Mengqi 19 Jun '24

From: "Guilherme G. Piccoli" <gpiccoli(a)igalia.com> stable inclusion from stable-v5.10.215 commit 5c2386ba80e779a92ec3bb64ccadbedd88f779b1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5HN CVE: CVE-2024-26935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit f23a4d6e07570826fe95023ca1aa96a011fa9f84 upstream. Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. 
That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore. Reported-by: syzbot+c645abf505ed21f931b5(a)syzkaller.appspotmail.com Fixes: be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression") Cc: stable(a)vger.kernel.org Cc: Bart Van Assche <bvanassche(a)acm.org> Cc: John Garry <john.g.garry(a)oracle.com> Cc: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Signed-off-by: Guilherme G. Piccoli <gpiccoli(a)igalia.com> Link: https://lore.kernel.org/r/20240313113006.2834799-1-gpiccoli@igalia.com Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/scsi/hosts.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c index 0553ad4571df..bc84ba58df14 100644 --- a/drivers/scsi/hosts.c +++ b/drivers/scsi/hosts.c 
@@ -335,12 +335,13 @@ static void scsi_host_dev_release(struct device *dev) if (shost->shost_state == SHOST_CREATED) { /* - * Free the shost_dev device name here if scsi_host_alloc() - * and scsi_host_put() have been called but neither + * Free the shost_dev device name and remove the proc host dir + * here if scsi_host_{alloc,put}() have been called but neither * scsi_host_add() nor scsi_host_remove() has been called. * This avoids that the memory allocated for the shost_dev - * name is leaked. + * name as well as the proc dir structure are leaked. */ + scsi_proc_hostdir_rm(shost->hostt); kfree(dev_name(&shost->shost_dev)); } -- 2.17.1
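Review bot: The comment rewritten in scsi_host_dev_release() still refers to `scsi_host_add()` and `scsi_host_remove()` in its unchanged line, while the changelog names the functions scsi_add_host() and scsi_remove_host(). Since the patch is already editing this comment, correct the names there as well. It would also help to note beside `scsi_proc_hostdir_rm(shost->hostt);` that the proc directory is created in scsi_host_alloc(), which is the pairing argument the changelog relies on.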
[PATCH OLK-5.10] netfilter: nf_tables: do not compare internal table flags on updates
by Guo Mengqi 19 Jun '24

From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v5.10.214 commit fcf32a5bfcb8a57ac0ce717fcfa4d688c91f1005 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L9IS Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139 ] Restore skipping transaction if table update does not modify flags. Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 061fda7c076a..d464351925c7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1121,7 +1121,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) if (flags & ~NFT_TABLE_F_DORMANT) return -EINVAL; - if (flags == ctx->table->flags) + if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) return 0; /* No dormant off/on/off/on games in single transaction */ -- 2.17.1
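Review bot: The new comparison in nf_tables_updtable() depends on NFT_TABLE_F_MASK, which this diff neither defines nor modifies, and the one-sentence changelog does not say which internal bits of `ctx->table->flags` it is meant to hide. Please confirm the macro already exists on OLK-5.10 with the same value as upstream and name the internal flag(s) in the message. The check just above accepts only `NFT_TABLE_F_DORMANT`, so the two adjacent tests use different masks; a short comment explaining why would help the next reader.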