- Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10 3011/3011] drivers/net/ethernet/mucse/rnpm/rnpm_sysfs.c:1524:2: warning: 'strncpy' specified bound 100 equals destination size
by kernel test robot 04 Jul '25

04 Jul '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 41b7827f33a9fc1fe425b85029312de34b0f0abe commit: a0c5bfdbc099daf30cbadb9657803f0cb3f89d0b [3011/3011] drivers: support for rnpm drivers from Mucse Technology N10/N400 config: arm64-randconfig-004-20250704 (https://download.01.org/0day-ci/archive/20250704/202507041638.fqBxner2-lkp@…) compiler: aarch64-linux-gcc (GCC) 10.5.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250704/202507041638.fqBxner2-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202507041638.fqBxner2-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/net/ethernet/mucse/rnpm/rnpm_sysfs.c:263:5: warning: no previous prototype for 'rnpm_mbx_get_pn_sn' [-Wmissing-prototypes] 263 | int rnpm_mbx_get_pn_sn(struct rnpm_hw *hw, char pn[33], char sn[33]) | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_sysfs.c: In function '_switch_loopback': >> drivers/net/ethernet/mucse/rnpm/rnpm_sysfs.c:1524:2: warning: 'strncpy' specified bound 100 equals destination size [-Wstringop-truncation] 1524 | strncpy(name, peer_eth, sizeof(name)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/strncpy +1524 drivers/net/ethernet/mucse/rnpm/rnpm_sysfs.c 1515 1516 static ssize_t _switch_loopback(struct rnpm_adapter *adapter, 1517 const char *peer_eth, int en) 1518 { 1519 struct net_device *peer_netdev = NULL; 1520 struct rnpm_adapter *peer_adapter = NULL; 1521 int i; 1522 char name[100]; 1523 > 1524 strncpy(name, peer_eth, sizeof(name)); 1525 strim(name); 1526 1527 peer_netdev = dev_get_by_name(&init_net, name); 1528 if (!peer_netdev) { 1529 e_dev_info("canot' find [%s]\n", name); 1530 return -EINVAL; 1531 } 1532 peer_adapter = netdev_priv(peer_netdev); 1533 1534 // check if in same slot 1535 if (PCI_SLOT(peer_adapter->pdev->devfn) != 1536 PCI_SLOT(adapter->pdev->devfn)) { 1537 e_dev_info("%s %s not in same slot\n", 1538 netdev_name(adapter->netdev), 1539 netdev_name(peer_adapter->netdev)); 1540 dev_put(peer_netdev); 1541 return -EINVAL; 1542 } 1543 1544 e_dev_info("%s: %s(%d,%d) <-> %s(%d,%d) en:%d\n", __func__, 1545 netdev_name(adapter->netdev), adapter->lane, adapter->port, 1546 netdev_name(peer_adapter->netdev), peer_adapter->lane, 1547 peer_adapter->port, en); 1548 1549 /* clear pf0/pf1 input port policy eth reg */ 1550 for (i = 0; i < MAX_PORT_NUM; i++) { 1551 wr32(&adapter->hw, RNPM_ETH_INPORT_POLICY_REG(i), 0); 1552 wr32(&peer_adapter->hw, RNPM_ETH_INPORT_POLICY_REG(i), 0); 1553 } 1554 1555 wr32(&adapter->hw, RNPM_ETH_INPORT_POLICY_VAL, 0); 1556 wr32(&peer_adapter->hw, RNPM_ETH_INPORT_POLICY_VAL, 0); 1557 1558 do_switch_loopback_set(adapter, en, adapter->lane, 1559 to_switch_port(peer_adapter)); 1560 1561 do_switch_loopback_set(peer_adapter, en, peer_adapter->lane, 1562 to_switch_port(adapter)); 1563 1564 if (peer_netdev) 1565 dev_put(peer_netdev); 1566 1567 return 0; 1568 } 1569 static ssize_t switch_loopback_on_store(struct device *dev, 1570 struct device_attribute *attr, 1571 const char *buf, size_t count) 1572 { 1573 struct rnpm_adapter *adapter = netdev_priv(to_net_device(dev)); 1574 1575 return _switch_loopback(adapter, buf, 1) == 0 ? count : -EINVAL; 1576 } 1577 static DEVICE_ATTR_WO(switch_loopback_on); 1578 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] scsi: target: iscsi: Fix timeout on deleted connection
by Yifan Qiao 04 Jul '25

04 Jul '25

From: Dmitry Bogdanov <d.bogdanov(a)yadro.com> stable inclusion from stable-v6.6.93 commit fe8421e853ef289e1324fcda004751c89dd9c18a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGAEJ CVE: CVE-2025-38075 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7f533cc5ee4c4436cee51dc58e81dfd9c3384418 ] NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_handle_nopin_response_timeout+0xfc/0x120 [iscsi_target_mod] call_timer_fn+0x58/0x1f0 run_timer_softirq+0x740/0x860 __do_softirq+0x16c/0x420 irq_exit+0x188/0x1c0 timer_interrupt+0x184/0x410 That is because nopin response timer may be re-started on nopin timer expiration. Stop nopin timer before stopping the nopin response timer to be sure that no one of them will be re-started. Signed-off-by: Dmitry Bogdanov <d.bogdanov(a)yadro.com> Link: https://lore.kernel.org/r/20241224101757.32300-1-d.bogdanov@yadro.com Reviewed-by: Maurizio Lombardi <mlombard(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- drivers/target/iscsi/iscsi_target.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c index b516c2893420..b756d4cfecfe 100644 --- a/drivers/target/iscsi/iscsi_target.c +++ b/drivers/target/iscsi/iscsi_target.c @@ -4323,8 +4323,8 @@ int iscsit_close_connection( spin_unlock(&iscsit_global->ts_bitmap_lock); iscsit_stop_timers_for_cmds(conn); - iscsit_stop_nopin_response_timer(conn); iscsit_stop_nopin_timer(conn); + iscsit_stop_nopin_response_timer(conn); if (conn->conn_transport->iscsit_wait_conn) conn->conn_transport->iscsit_wait_conn(conn); -- 2.39.2

2 1

[PATCH OLK-6.6] f2fs: fix to do sanity check on sbi->total_valid_block_count
by Yifan Qiao 04 Jul '25

04 Jul '25

From: Chao Yu <chao(a)kernel.org> stable inclusion from stable-v6.6.94 commit a39cc43efc1bca74ed9d6cf9e60b995071f7d178 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICJT6T CVE: CVE-2025-38163 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ] syzbot reported a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace: f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 notify_change+0xbca/0xe90 fs/attr.c:552 do_truncate+0x222/0x310 fs/open.c:65 handle_truncate fs/namei.c:3466 [inline] do_open fs/namei.c:3849 [inline] path_openat+0x2e4f/0x35d0 fs/namei.c:4004 do_filp_open+0x284/0x4e0 fs/namei.c:4031 do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 do_sys_open fs/open.c:1444 [inline] __do_sys_creat fs/open.c:1522 [inline] __se_sys_creat fs/open.c:1516 [inline] __x64_sys_creat+0x124/0x170 fs/open.c:1516 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag. Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure") Reported-by: syzbot+8b376a77b2f364097fbe(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@… Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/f2fs/f2fs.h | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index c5297bb8968d..c47243818ef1 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -2445,8 +2445,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi, blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK; spin_lock(&sbi->stat_lock); - f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count); - sbi->total_valid_block_count -= (block_t)count; + if (unlikely(sbi->total_valid_block_count < count)) { + f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u", + sbi->total_valid_block_count, inode->i_ino, count); + sbi->total_valid_block_count = 0; + set_sbi_flag(sbi, SBI_NEED_FSCK); + } else { + sbi->total_valid_block_count -= count; + } if (sbi->reserved_blocks && sbi->current_reserved_blocks < sbi->reserved_blocks) sbi->current_reserved_blocks = min(sbi->reserved_blocks, -- 2.39.2

2 1

[PATCH v3 OLK-6.6] config: Enable CONFIG_VIRT_DRIVERS
by Cai Xinchen 04 Jul '25

04 Jul '25

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IBWQ24 -------------------------------- To use tsm report for arm cca guest, enable CONFIG_VIRT_DRIVERS in openeuler_defconfig by default. ARM_CCA_GUEST and TSM_REPORTS will open as module by default. CONFIG_VMGENID will enable by default. Set VMGENID disable. All of CONFIG_NITRO_ENCLAVES dependencies are enable, but this patch only wants to enable CONFIG_ARM_CCA_GUEST, so set CONFIG_NITRO_ENCLAVES disable. Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index f048a1b098d1..4e1e6a5a62b8 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -6491,7 +6491,9 @@ CONFIG_VFIO_PLATFORM=m # end of VFIO platform reset drivers # end of VFIO support for platform devices -# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRT_DRIVERS=y +# CONFIG_VMGENID is not set +# CONFIG_NITRO_ENCLAVES is not set CONFIG_VIRTIO_ANCHOR=y CONFIG_VIRTIO=m CONFIG_VIRTIO_PCI_LIB=m -- 2.18.0.huawei.25

2 1

[PATCH openEuler-1.0-LTS] dm raid: fix address sanitizer warning in raid_resume
by Wang ShaoBo 04 Jul '25

04 Jul '25

From: Mikulas Patocka <mpatocka(a)redhat.com> stable inclusion from stable-v4.19.256 commit 3bfdc95466f5be4d8d95db5a5b470d61641a7c24 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGA8J CVE: CVE-2022-50085 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7dad24db59d2d2803576f2e3645728866a056dab upstream. There is a KASAN warning in raid_resume when running the lvm test lvconvert-raid.sh. The reason for the warning is that mddev->raid_disks is greater than rs->raid_disks, so the loop touches one entry beyond the allocated length. Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang ShaoBo <bobo.shaobowang(a)huawei.com> --- drivers/md/dm-raid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c index 9a5d65d2223b..49209dae7fdd 100644 --- a/drivers/md/dm-raid.c +++ b/drivers/md/dm-raid.c @@ -3801,7 +3801,7 @@ static void attempt_restore_of_faulty_devices(struct raid_set *rs) memset(cleared_failed_devices, 0, sizeof(cleared_failed_devices)); - for (i = 0; i < mddev->raid_disks; i++) { + for (i = 0; i < rs->raid_disks; i++) { r = &rs->dev[i].rdev; /* HM FIXME: enhance journal device recovery processing */ if (test_bit(Journal, &r->flags)) -- 2.25.1

2 1

[PATCH v2 OLK-6.6] config: Enable CONFIG_VIRT_DRIVERS
by Cai Xinchen 04 Jul '25

04 Jul '25

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8JVN0 -------------------------------- To use tsm report for arm cca guest, enable CONFIG_VIRT_DRIVERS in openeuler_defconfig by default. ARM_CCA_GUEST and TSM_REPORTS will open as module by default. CONFIG_VMGENID will enable by default. Set VMGENID disable. All of CONFIG_NITRO_ENCLAVES dependencies are enable, but this patch only wants to enable CONFIG_ARM_CCA_GUEST, so set CONFIG_NITRO_ENCLAVES disable. Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index f048a1b098d1..4e1e6a5a62b8 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -6491,7 +6491,9 @@ CONFIG_VFIO_PLATFORM=m # end of VFIO platform reset drivers # end of VFIO support for platform devices -# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRT_DRIVERS=y +# CONFIG_VMGENID is not set +# CONFIG_NITRO_ENCLAVES is not set CONFIG_VIRTIO_ANCHOR=y CONFIG_VIRTIO=m CONFIG_VIRTIO_PCI_LIB=m -- 2.18.0.huawei.25

2 1

[PATCH openEuler-1.0-LTS] usb: host: ohci-ppc-of: Fix refcount leak bug
by Wang ShaoBo 04 Jul '25

04 Jul '25

From: Liang He <windhl(a)126.com> stable inclusion from stable-v4.19.256 commit ec583e300aee9f152a64911445092d18e1c36729 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG8ST CVE: CVE-2022-50033 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 40a959d7042bb7711e404ad2318b30e9f92c6b9b ] In ohci_hcd_ppc_of_probe(), of_find_compatible_node() will return a node pointer with refcount incremented. We should use of_node_put() when it is not used anymore. Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Liang He <windhl(a)126.com> Link: https://lore.kernel.org/r/20220617034637.4003115-1-windhl@126.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang ShaoBo <bobo.shaobowang(a)huawei.com> --- drivers/usb/host/ohci-ppc-of.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/host/ohci-ppc-of.c b/drivers/usb/host/ohci-ppc-of.c index 76a9b40b08f1..96c5c7655283 100644 --- a/drivers/usb/host/ohci-ppc-of.c +++ b/drivers/usb/host/ohci-ppc-of.c @@ -169,6 +169,7 @@ static int ohci_hcd_ppc_of_probe(struct platform_device *op) release_mem_region(res.start, 0x4); } else pr_debug("%s: cannot get ehci offset from fdt\n", __FILE__); + of_node_put(np); } irq_dispose_mapping(irq); -- 2.25.1

2 1

[PATCH OLK-6.6] sched/fair: Avoid offline tasks starve to death for priority load balance
by Lu Jialin 04 Jul '25

04 Jul '25

From: Song Zhang <zhangsong34(a)huawei.com> euleros inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICIG0E CVE: NA -------------------- When priority load balance enabled for online/offline tasks co-location, offline tasks maybe starve to death by load balance detach_tasks() if env->loop exceed env->loop_max and can not be migrate to idle cpus. So we should set env->loop to 0 and detach offline tasks again. Fixes: 89bf80a4d6d5 ("sched: Introduce priority load balance for qos scheduler") Signed-off-by: Song Zhang <zhangsong34(a)huawei.com> Confict: kernel/sched/fair.c Patch adaptation due to context changes Signed-off-by: yangjiaqi <yangjiaqi16(a)huawei.com> --- kernel/sched/fair.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index c4c3afa6e7b4..ea3be1ff723e 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -11024,6 +11024,13 @@ static int detach_tasks(struct lb_env *env) #ifdef CONFIG_QOS_SCHED_PRIO_LB if (sysctl_sched_prio_load_balance_enabled && env->imbalance > 0) { + /* + * Avoid offline tasks starve to death if env->loop exceed + * env->loop_max, so we should set env->loop to 0 and detach + * offline tasks again. + */ + if (env->loop > env->loop_max) + env->loop = 0; loop++; if (loop == 1) { tasks = &env->src_rq->cfs_offline_tasks; -- 2.33.0

2 1

[PATCH OLK-6.6] wifi: ath9k_htc: Abort software beacon handling if disabled
by Yongjian Sun 04 Jul '25

04 Jul '25

From: Toke Høiland-Jørgensen <toke(a)toke.dk> mainline inclusion from mainline-v6.16-rc1 commit ac4e317a95a1092b5da5b9918b7118759342641c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICJTGW CVE: CVE-2025-38157 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled. Reported-by: Robert Morris <rtm(a)csail.mit.edu> Closes: https://lore.kernel.org/r/88967.1743099372@localhost Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") Signed-off-by: Toke Høiland-Jørgensen <toke(a)toke.dk> Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk Signed-off-by: Jeff Johnson <jeff.johnson(a)oss.qualcomm.com> Signed-off-by: Yongjian Sun <sunyongjian1(a)huawei.com> --- drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c index 533471e69400..18c7654bc539 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c @@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, struct ath_common *common = ath9k_hw_common(priv->ah); int slot; + if (!priv->cur_beacon_conf.enable_beacon) + return; + if (swba->beacon_pending != 0) { priv->beacon.bmisscnt++; if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) { -- 2.39.2

2 1

[PATCH OLK-5.10] media: uvcvideo: Remove dangling pointers
by Zhao Yipeng 04 Jul '25

04 Jul '25

From: Ricardo Ribalda <ribalda(a)chromium.org> mainline inclusion from mainline-v6.14-rc1 commit 221cd51efe4565501a3dbf04cc011b537dcce7fb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC8W CVE: CVE-2024-58002 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm… -------------------------------- When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled. Cc: stable(a)vger.kernel.org Fixes: e5225c820c05 ("media: uvcvideo: Send a control event when a Control Change interrupt arrives") Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/r/20241203-uvc-fix-async-v6-3-26c867231118@chromium… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Conflicts: drivers/media/usb/uvc/uvc_ctrl.c drivers/media/usb/uvc/uvc_v4l2.c drivers/media/usb/uvc/uvcvideo.h [The guard() function is not introduced. 'for' loop initial declaration are only allowed in C99 or C11 mode. And other conflicts are contextual due to the commits d9fecd096f67 and 9e56380ae625 not being merged.] Signed-off-by: Zhao Yipeng <zhaoyipeng5(a)huawei.com> --- drivers/media/usb/uvc/uvc_ctrl.c | 64 +++++++++++++++++++++++++++++++- drivers/media/usb/uvc/uvc_v4l2.c | 2 + drivers/media/usb/uvc/uvcvideo.h | 9 ++++- 3 files changed, 72 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 5e0acabed37a..c29c2fd67523 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1276,6 +1276,40 @@ static void uvc_ctrl_send_slave_event(struct uvc_video_chain *chain, uvc_ctrl_send_event(chain, handle, ctrl, mapping, val, changes); } +static void uvc_ctrl_set_handle(struct uvc_fh *handle, struct uvc_control *ctrl, + struct uvc_fh *new_handle) +{ + lockdep_assert_held(&handle->chain->ctrl_mutex); + + if (new_handle) { + if (ctrl->handle) + dev_warn_ratelimited(&handle->stream->dev->udev->dev, + "UVC non compliance: Setting an async control with a pending operation."); + + if (new_handle == ctrl->handle) + return; + + if (ctrl->handle) { + WARN_ON(!ctrl->handle->pending_async_ctrls); + if (ctrl->handle->pending_async_ctrls) + ctrl->handle->pending_async_ctrls--; + } + + ctrl->handle = new_handle; + handle->pending_async_ctrls++; + return; + } + + /* Cannot clear the handle for a control not owned by us.*/ + if (WARN_ON(ctrl->handle != handle)) + return; + + ctrl->handle = NULL; + if (WARN_ON(!handle->pending_async_ctrls)) + return; + handle->pending_async_ctrls--; +} + void uvc_ctrl_status_event(struct uvc_video_chain *chain, struct uvc_control *ctrl, const u8 *data) { @@ -1286,7 +1320,8 @@ void uvc_ctrl_status_event(struct uvc_video_chain *chain, mutex_lock(&chain->ctrl_mutex); handle = ctrl->handle; - ctrl->handle = NULL; + if (handle) + uvc_ctrl_set_handle(handle, ctrl, NULL); list_for_each_entry(mapping, &ctrl->info.mappings, list) { s32 value = __uvc_ctrl_get_value(mapping, data); @@ -1693,7 +1728,7 @@ int uvc_ctrl_set(struct uvc_fh *handle, uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT)); if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS) - ctrl->handle = handle; + uvc_ctrl_set_handle(handle, ctrl, handle); ctrl->dirty = 1; ctrl->modified = 1; @@ -2337,6 +2372,31 @@ int uvc_ctrl_init_device(struct uvc_device *dev) return 0; } +void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) +{ + struct uvc_entity *entity; + + mutex_lock(&handle->chain->ctrl_mutex); + + if (!handle->pending_async_ctrls) { + mutex_unlock(&handle->chain->ctrl_mutex); + return; + } + + list_for_each_entry(entity, &handle->chain->dev->entities, list) { + unsigned int i; + + for (i = 0; i < entity->ncontrols; ++i) { + if (entity->controls[i].handle != handle) + continue; + uvc_ctrl_set_handle(handle, &entity->controls[i], NULL); + } + } + + WARN_ON(handle->pending_async_ctrls); + mutex_unlock(&handle->chain->ctrl_mutex); +} + /* * Cleanup device controls. */ diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c index b40a2b904ace..7ad00ba0b99f 100644 --- a/drivers/media/usb/uvc/uvc_v4l2.c +++ b/drivers/media/usb/uvc/uvc_v4l2.c @@ -593,6 +593,8 @@ static int uvc_v4l2_release(struct file *file) uvc_trace(UVC_TRACE_CALLS, "uvc_v4l2_release\n"); + uvc_ctrl_cleanup_fh(handle); + /* Only free resources if this is a privileged handle. */ if (uvc_has_privileges(handle)) uvc_queue_release(&stream->queue); diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index c75990c0957e..3edf454c164f 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -448,7 +448,11 @@ struct uvc_video_chain { struct uvc_entity *processing; /* Processing unit */ struct uvc_entity *selector; /* Selector unit */ - struct mutex ctrl_mutex; /* Protects ctrl.info */ + struct mutex ctrl_mutex; /* + * Protects ctrl.info, + * ctrl.handle and + * uvc_fh.pending_async_ctrls + */ struct v4l2_prio_state prio; /* V4L2 priority state */ u32 caps; /* V4L2 chain-wide caps */ @@ -694,6 +698,7 @@ struct uvc_fh { struct uvc_video_chain *chain; struct uvc_streaming *stream; enum uvc_handle_state state; + unsigned int pending_async_ctrls; }; struct uvc_driver { @@ -866,6 +871,8 @@ int uvc_ctrl_set(struct uvc_fh *handle, struct v4l2_ext_control *xctrl); int uvc_xu_ctrl_query(struct uvc_video_chain *chain, struct uvc_xu_control_query *xqry); +void uvc_ctrl_cleanup_fh(struct uvc_fh *handle); + /* Utility functions */ void uvc_simplify_fraction(u32 *numerator, u32 *denominator, unsigned int n_terms, unsigned int threshold); -- 2.34.1

2 1