[openeuler:OLK-6.6 0/15] drivers/virt/coco/csv-guest/csv-guest.c:39:43: sparse: sparse: incorrect type in argument 2 (different address spaces)
by kernel test robot 30 Dec '25

30 Dec '25
/*
 * kernel test robot report (30 Dec '25):
 *
 * tree: https://gitee.com/openeuler/kernel.git OLK-6.6
 * head: f148785f0bb856bba8ceca2b699a2f102f22174a
 * commit: be5ee944496f8e6f9b5d12ef9ce89ab7100fc84a [0/15] driver/virt/coco: Add HYGON CSV Guest dirver.
 * config: x86_64-randconfig-122-20251230 (https://download.01.org/0day-ci/archive/20251230/202512300647.04amRDIb-lkp@…)
 * compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
 * reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251230/202512300647.04amRDIb-lkp@…)
 *
 * If you fix the issue in a separate patch/commit (i.e. not just a new version of
 * the same patch/commit), kindly add following tags
 * | Reported-by: kernel test robot <lkp(a)intel.com>
 * | Closes: https://lore.kernel.org/oe-kbuild-all/202512300647.04amRDIb-lkp@intel.com/
 *
 * sparse warnings: (new ones prefixed by >>)
 * >> drivers/virt/coco/csv-guest/csv-guest.c:39:43: sparse: sparse: incorrect type in argument 2 (different address spaces)
 *    @@ expected void const [noderef] __user *from @@ got unsigned char [usertype] *[addressable] report_data @@
 *    drivers/virt/coco/csv-guest/csv-guest.c:39:43: sparse: expected void const [noderef] __user *from
 *    drivers/virt/coco/csv-guest/csv-guest.c:39:43: sparse: got unsigned char [usertype] *[addressable] report_data
 * >> drivers/virt/coco/csv-guest/csv-guest.c:49:29: sparse: sparse: incorrect type in argument 1 (different address spaces)
 *    @@ expected void [noderef] __user *to @@ got unsigned char [usertype] *[addressable] report_data @@
 *    drivers/virt/coco/csv-guest/csv-guest.c:49:29: sparse: expected void [noderef] __user *to
 *    drivers/virt/coco/csv-guest/csv-guest.c:49:29: sparse: got unsigned char [usertype] *[addressable] report_data
 *
 * vim +39 drivers/virt/coco/csv-guest/csv-guest.c
 */

/*
 * csv_get_report() - fetch a CSV attestation report for the calling guest
 * @argp: user pointer to a struct csv_report_req
 *
 * Copies the request from user space, allocates a zeroed req.len byte
 * buffer, seeds it with the first CSV_REPORT_INPUT_DATA_LEN bytes of
 * req.report_data, asks the hypervisor to fill the buffer with the report
 * via the KVM_HC_VM_ATTESTATION hypercall, and copies all req.len bytes
 * back to req.report_data.
 *
 * Return: 0 on success; -EFAULT if a user copy fails; -EINVAL if req.len is
 * below CSV_REPORT_INPUT_DATA_LEN; -ENOMEM on allocation failure; otherwise
 * the non-zero value returned by kvm_hypercall2(), passed through unchanged.
 *
 * NOTE(review): the sparse warnings above come from req.report_data being a
 * plain pointer while it holds a user address; the fix belongs in struct
 * csv_report_req (a __user annotation on the field), not in casts here.
 * NOTE(review): req.len is user-controlled and has only a lower bound before
 * it reaches kzalloc() and the hypervisor — confirm whether an upper limit is
 * enforced elsewhere or whether the ioctl is reachable by unprivileged users.
 */
static long csv_get_report(void __user *argp)
{
	struct csv_report_req req;
	u8 *buf;
	long ret;

	if (copy_from_user(&req, argp, sizeof(req)))
		return -EFAULT;

	if (req.len < CSV_REPORT_INPUT_DATA_LEN)
		return -EINVAL;

	buf = kzalloc(req.len, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	/* Seed the report buffer with the caller-supplied input data. */
	if (copy_from_user(buf, req.report_data, CSV_REPORT_INPUT_DATA_LEN)) {
		ret = -EFAULT;
		goto out_free;
	}

	/*
	 * Generate CSV_REPORT in place using the "KVM_HC_VM_ATTESTATION"
	 * VMMCALL; the hypervisor is given the physical address of buf.
	 */
	ret = kvm_hypercall2(KVM_HC_VM_ATTESTATION, __pa(buf), req.len);
	if (ret)
		goto out_free;

	/* Hand the whole buffer (not just the input prefix) back to user space. */
	if (copy_to_user(req.report_data, buf, req.len))
		ret = -EFAULT;

out_free:
	kfree(buf);
	return ret;
}

/* -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki */
[openeuler:OLK-5.10 3408/3408] drivers/vfio/vfio.c:745: warning: Function parameter or member 'device_data' not described in 'vfio_init_group_dev'
by kernel test robot 30 Dec '25

30 Dec '25
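/*
 * kernel test robot report (30 Dec '25):
 *
 * tree: https://gitee.com/openeuler/kernel.git OLK-5.10
 * head: 1588d318a9e388d05b6cf5e2a63134c8beb6a355
 * commit: 7e292ed053bcdc739fdea7c6a4326905ade70176 [3408/3408] vfio: Split creation of a vfio_device into init and register ops
 * config: arm64-randconfig-r113-20251213 (https://download.01.org/0day-ci/archive/20251230/202512300518.2iNoaLSP-lkp@…)
 * compiler: aarch64-linux-gcc (GCC) 12.5.0
 * reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251230/202512300518.2iNoaLSP-lkp@…)
 *
 * If you fix the issue in a separate patch/commit (i.e. not just a new version of
 * the same patch/commit), kindly add following tags
 * | Reported-by: kernel test robot <lkp(a)intel.com>
 * | Closes: https://lore.kernel.org/oe-kbuild-all/202512300518.2iNoaLSP-lkp@intel.com/
 *
 * All warnings (new ones prefixed by >>):
 *    drivers/vfio/vfio.c:214: warning: Function parameter or member 'ops' not described in 'vfio_register_iommu_driver'
 *    drivers/vfio/vfio.c:263: warning: Function parameter or member 'group' not described in 'vfio_alloc_group_minor'
 *    drivers/vfio/vfio.c:283: warning: Function parameter or member 'container' not described in 'vfio_container_get'
 *    drivers/vfio/vfio.c:315: warning: Function parameter or member 'iommu_group' not described in 'vfio_create_group'
 *    drivers/vfio/vfio.c:527: warning: Function parameter or member 'device' not described in 'vfio_device_put'
 *    drivers/vfio/vfio.c:633: warning: Function parameter or member 'group' not described in 'vfio_group_nb_add_dev'
 *    drivers/vfio/vfio.c:633: warning: Function parameter or member 'dev' not described in 'vfio_group_nb_add_dev'
 *    drivers/vfio/vfio.c:745: warning: Function parameter or member 'device' not described in 'vfio_init_group_dev'
 *    drivers/vfio/vfio.c:745: warning: Function parameter or member 'dev' not described in 'vfio_init_group_dev'
 *    drivers/vfio/vfio.c:745: warning: Function parameter or member 'ops' not described in 'vfio_init_group_dev'
 * >> drivers/vfio/vfio.c:745: warning: Function parameter or member 'device_data' not described in 'vfio_init_group_dev'
 *    drivers/vfio/vfio.c:833: warning: Function parameter or member 'dev' not described in 'vfio_device_get_from_dev'
 *    drivers/vfio/vfio.c:982: warning: Function parameter or member 'container' not described in 'vfio_ioctl_check_extension'
 *    drivers/vfio/vfio.c:982: warning: Function parameter or member 'arg' not described in 'vfio_ioctl_check_extension'
 *    drivers/vfio/vfio.c:1253: warning: Function parameter or member 'group' not described in '__vfio_group_unset_container'
 *    drivers/vfio/vfio.c:1588: warning: Function parameter or member 'inode' not described in 'vfio_device_fops_release'
 *    drivers/vfio/vfio.c:1588: warning: Function parameter or member 'filep' not described in 'vfio_device_fops_release'
 *    drivers/vfio/vfio.c:1682: warning: Function parameter or member 'filep' not described in 'vfio_group_get_external_user'
 *    drivers/vfio/vfio.c:1719: warning: Function parameter or member 'dev' not described in 'vfio_group_get_external_user_from_dev'
 *    drivers/vfio/vfio.c:1779: warning: Function parameter or member 'caps' not described in 'vfio_info_cap_add'
 *    drivers/vfio/vfio.c:1779: warning: Function parameter or member 'size' not described in 'vfio_info_cap_add'
 *    drivers/vfio/vfio.c:1779: warning: Function parameter or member 'id' not described in 'vfio_info_cap_add'
 *    drivers/vfio/vfio.c:1779: warning: Function parameter or member 'version' not described in 'vfio_info_cap_add'
 *    drivers/vfio/vfio.c:2316: warning: Function parameter or member 'dev' not described in 'vfio_devnode'
 *    drivers/vfio/vfio.c:2316: warning: Function parameter or member 'mode' not described in 'vfio_devnode'
 *
 * Kconfig warnings: (for reference only)
 *    WARNING: unmet direct dependencies detected for PGP_PRELOAD
 *    Depends on [n]: CRYPTO [=y] && ASYMMETRIC_KEY_TYPE [=n]
 *    Selected by [y]:
 *    - PGP_PRELOAD_PUBLIC_KEYS [=y] && CRYPTO [=y]
 *
 * vim +745 drivers/vfio/vfio.c
 *
 * The warning is raised because the section banner right above the function
 * opens with the kernel-doc marker, so the tool treats it as the function's
 * documentation and finds no parameter descriptions. The banner is made a
 * plain comment below and a real kernel-doc block is added.
 */

/*
 * VFIO driver API
 */

/**
 * vfio_init_group_dev - initialize a vfio_device before it is registered
 * @device: the vfio_device to initialize; its comp completion is set up and
 *          the remaining arguments are stored in it
 * @dev: the struct device this vfio_device represents; stored in device->dev
 * @ops: the driver's vfio_device_ops; stored in device->ops
 * @device_data: driver-private pointer; stored in device->device_data
 *
 * Only initializes fields. Per the commit title this is the "init" half of a
 * split init/register sequence, so the device is not registered here.
 */
void vfio_init_group_dev(struct vfio_device *device, struct device *dev,
			 const struct vfio_device_ops *ops, void *device_data)
{
	init_completion(&device->comp);
	device->dev = dev;
	device->ops = ops;
	device->device_data = device_data;
}
EXPORT_SYMBOL_GPL(vfio_init_group_dev);

/*
 * :::::: The code at line 745 was first introduced by commit
 * :::::: cba3345cc494ad286ca8823f44b2c16cae496679 vfio: VFIO core
 * :::::: TO: Alex Williamson <alex.williamson(a)redhat.com>
 * :::::: CC: Alex Williamson <alex.williamson(a)redhat.com>
 *
 * -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
 */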
[openeuler:OLK-6.6 0/15] htmldocs: ./fs/eventpoll.c:2043: warning: Function parameter or member 'ep' not described in 'ep_get_upwards_depth_proc'
by kernel test robot 30 Dec '25

30 Dec '25
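/*
 * kernel test robot report (30 Dec '25):
 *
 * tree: https://gitee.com/openeuler/kernel.git OLK-6.6
 * head: f148785f0bb856bba8ceca2b699a2f102f22174a
 * commit: e26c080d818afd35143c9bcc49978bdf5068ee33 [0/15] eventpoll: Fix semi-unbounded recursion
 * reproduce: (https://download.01.org/0day-ci/archive/20251229/202512291934.AIV7LiBp-lkp@…)
 *
 * If you fix the issue in a separate patch/commit (i.e. not just a new version of
 * the same patch/commit), kindly add following tags
 * | Reported-by: kernel test robot <lkp(a)intel.com>
 * | Closes: https://lore.kernel.org/oe-kbuild-all/202512291934.AIV7LiBp-lkp@intel.com/
 *
 * All warnings (new ones prefixed by >>):
 *    Error: Cannot open file ./include/linux/wmi.h
 *    Error: Cannot open file ./include/linux/fs.h
 *    Error: Cannot open file ./include/linux/fs.h
 *    Error: Cannot open file ./include/linux/dcache.h
 *    Error: Cannot open file ./include/linux/dcache.h
 * >> ./fs/eventpoll.c:2043: warning: Function parameter or member 'ep' not described in 'ep_get_upwards_depth_proc'
 * >> ./fs/eventpoll.c:2043: warning: Function parameter or member 'depth' not described in 'ep_get_upwards_depth_proc'
 *    Error: Cannot open file ./include/linux/fscache-cache.h
 *    Error: Cannot open file ./include/linux/fscache.h
 *    Error: Cannot open file ./include/linux/jbd2.h
 *    Error: Cannot open file ./include/linux/jbd2.h
 *    Error: Cannot open file ./include/linux/netfs.h
 *
 * vim +2043 ./fs/eventpoll.c
 */

/**
 * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards
 * @ep: the eventpoll instance whose upward nesting depth is wanted
 * @depth: depth already accumulated by the caller; only passed on, incremented,
 *         to the recursive calls — it is not compared against anything here
 *
 * Walks @ep->refs (presumably the epitems through which other eventpoll
 * instances reference @ep) and recurses into each referencing instance; the
 * result is the length of the longest such chain above @ep. The result is
 * memoized in @ep->loop_check_depth and stamped with loop_check_gen, so a
 * second visit during the same check returns the cached value instead of
 * recursing again.
 *
 * NOTE(review): nothing in this function bounds the recursion; the limit
 * implied by the commit title must come from the caller — confirm.
 * NOTE(review): hlist_for_each_entry_rcu() implies the caller holds the RCU
 * read lock or an equivalent — not visible here.
 *
 * Return: the upward depth of @ep; zero when nothing references it.
 */
static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth)
{
	int result = 0;
	struct epitem *epi;

	/* Already computed during this check: reuse the memoized depth. */
	if (ep->gen == loop_check_gen)
		return ep->loop_check_depth;
	hlist_for_each_entry_rcu(epi, &ep->refs, fllink)
		result = max(result, ep_get_upwards_depth_proc(epi->ep, depth + 1) + 1);
	ep->gen = loop_check_gen;
	ep->loop_check_depth = result;
	return result;
}

/* -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki */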
[PATCH openEuler-1.0-LTS 0/3] patchset for fixing CVE-2023-54160
by Xinyu Zheng 29 Dec '25

29 Dec '25
Pierre Gondois (1): firmware: arm_sdei: Fix sleep from invalid context BUG Xinyu Zheng (1): firmware: arm_sdei: Fix "firmware: arm_sdei: Fix sleep from invalid context BUG" KABI issue Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++----------------- include/linux/cpuhotplug.h | 1 + 2 files changed, 21 insertions(+), 17 deletions(-) -- 2.34.1
[PATCH OLK-5.10] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
by Zhang Kunbo 29 Dec '25

29 Dec '25
From: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>
stable inclusion from stable-v5.10.247 commit adb7577e23a431fc53aa1b6107733c0d751015fb
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12813
CVE: CVE-2025-68734
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.
In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool.
Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>
Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index e8b37bd5e34a..a9565ebaab00 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1903,13 +1903,13 @@ setup_instance(struct hfcsusb *hw, struct device *parent)
 	mISDN_freebchannel(&hw->bch[1]);
 	mISDN_freebchannel(&hw->bch[0]);
 	mISDN_freedchannel(&hw->dch);
-	kfree(hw);
 	return err;
 }
 
 static int
 hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 {
+	int err;
 	struct hfcsusb *hw;
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct usb_host_interface *iface = intf->cur_altsetting;
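Review bot: Dropping `kfree(hw)` from setup_instance()'s failure path silently changes the helper's ownership contract — it now returns with `hw` still owned by the caller — and nothing in the hunk records that. A comment above setup_instance(), e.g. `/* On failure the channels are released but @hw is left intact; the caller frees it. */`, would stop a future caller from re-introducing the leak or adding a double free. The start of setup_instance() lies outside the hunk, so any existing header comment is not visible here.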
@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 	if (!hw->ctrl_urb) {
 		pr_warn("%s: No memory for control urb\n",
 			driver_info->vend_name);
-		kfree(hw);
-		return -ENOMEM;
+		err = -ENOMEM;
+		goto err_free_hw;
 	}
 	pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
 		hw->name, __func__, driver_info->vend_name,
 		conf_str[small_match], ifnum, alt_used);
 
-	if (setup_instance(hw, dev->dev.parent))
-		return -EIO;
+	if (setup_instance(hw, dev->dev.parent)) {
+		err = -EIO;
+		goto err_free_urb;
+	}
 
 	hw->intf = intf;
 	usb_set_intfdata(hw->intf, hw);
 	return 0;
+
+err_free_urb:
+	usb_free_urb(hw->ctrl_urb);
+err_free_hw:
+	kfree(hw);
+	return err;
 }
 
 /* function called when an active device is removed */
-- 
2.34.1
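Review bot: The setup_instance() failure branch still reports a fixed `-EIO` even though the helper returns its own `err` (visible in the first hunk), so an allocation failure inside it reaches the USB core as an I/O error; since the branch now assigns `err` anyway, `err = setup_instance(hw, dev->dev.parent); if (err) goto err_free_urb;` would propagate the real cause, provided setup_instance() only ever returns negative errnos. The new ladder also assumes `hw->ctrl_urb` is the only resource acquired between the opening of hfcsusb_probe() and this point; that opening lies outside the hunk, so it cannot be confirmed here.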
[PATCH OLK-6.6] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
by Zhang Kunbo 29 Dec '25

29 Dec '25
From: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>
stable inclusion from stable-v6.6.117 commit 03695541b3349bc40bf5d6563d44d6147fb20260
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12813
CVE: CVE-2025-68734
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3f978e3f1570155a1327ffa25f60968bc7b9398f upstream.
In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool.
Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Abdun Nihaal <nihaal(a)cse.iitm.ac.in>
Link: https://patch.msgid.link/20251030042524.194812-1-nihaal@cse.iitm.ac.in
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
 drivers/isdn/hardware/mISDN/hfcsusb.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index b82b89888a5e..c55438e1f678 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -1903,13 +1903,13 @@ setup_instance(struct hfcsusb *hw, struct device *parent)
 	mISDN_freebchannel(&hw->bch[1]);
 	mISDN_freebchannel(&hw->bch[0]);
 	mISDN_freedchannel(&hw->dch);
-	kfree(hw);
 	return err;
 }
 
 static int
 hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 {
+	int err;
 	struct hfcsusb *hw;
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct usb_host_interface *iface = intf->cur_altsetting;
@@ -2100,20 +2100,28 @@ hfcsusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 	if (!hw->ctrl_urb) {
 		pr_warn("%s: No memory for control urb\n",
 			driver_info->vend_name);
-		kfree(hw);
-		return -ENOMEM;
+		err = -ENOMEM;
+		goto err_free_hw;
 	}
 	pr_info("%s: %s: detected \"%s\" (%s, if=%d alt=%d)\n",
 		hw->name, __func__, driver_info->vend_name,
 		conf_str[small_match], ifnum, alt_used);
 
-	if (setup_instance(hw, dev->dev.parent))
-		return -EIO;
+	if (setup_instance(hw, dev->dev.parent)) {
+		err = -EIO;
+		goto err_free_urb;
+	}
 
 	hw->intf = intf;
 	usb_set_intfdata(hw->intf, hw);
 	return 0;
+
+err_free_urb:
+	usb_free_urb(hw->ctrl_urb);
+err_free_hw:
+	kfree(hw);
+	return err;
 }
 
 /* function called when an active device is removed */
-- 
2.34.1
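Review bot: The setup_instance() failure branch masks the helper's own return value with a fixed `-EIO`; now that the branch assigns `err` anyway, `err = setup_instance(hw, dev->dev.parent); if (err) goto err_free_urb;` would report the real cause, assuming setup_instance() only returns negative errnos. This is the same hunk as the OLK-5.10 backport above, so the ownership-comment point raised there for setup_instance() applies to its first hunk too. hfcsusb_probe()'s opening is outside the hunk, so whether `hw->ctrl_urb` is the only earlier allocation cannot be confirmed here.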
[PATCH openEuler-1.0-LTS 0/3] patchset for fixing CVE-2023-54160
by Xinyu Zheng 29 Dec '25

29 Dec '25
Pierre Gondois (1): firmware: arm_sdei: Fix sleep from invalid context BUG Xinyu Zheng (1): firmware: arm_sdei: Fix "firmware: arm_sdei: Fix sleep from invalid context BUG" KABI issue Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) -- 2.34.1
[PATCH openEuler-1.0-LTS 0/3] patchset for fixing CVE-2023-54160
by Xinyu Zheng 29 Dec '25

29 Dec '25
Pierre Gondois (1): firmware: arm_sdei: Fix sleep from invalid context BUG Xinyu Zheng (1): firmware: arm_sdei: Fix "firmware: arm_sdei: Fix sleep from invalid context BUG" KABI issue Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) -- 2.34.1
[PATCH openEuler-1.0-LTS 0/3] patchset for fixing CVE-2023-54160
by Xinyu Zheng 29 Dec '25

29 Dec '25
Pierre Gondois (1): firmware: arm_sdei: Fix sleep from invalid context BUG Xinyu Zheng (1): firmware: arm_sdei: Fix "firmware: arm_sdei: Fix sleep from invalid context BUG" KABI issue Xiongfeng Wang (1): firmware: arm_sdei: Fix the input parameter of cpuhp_remove_state() drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) -- 2.34.1
[PATCH OLK-6.6] [Backport] futex: Don't leak robust_list pointer on exec race
by Zhang Hongtao 29 Dec '25

29 Dec '25
From: Pranav Tyagi <pranav.tyagi03(a)gmail.com>
stable inclusion from stable-v6.6.117 commit 4aced32596ead1820b7dbd8e40d30b30dc1f3ad4
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11416
CVE: CVE-2025-40341
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 6b54082c3ed4dc9821cdf0edb17302355cc5bb45 ]
sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk.
Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials.
Suggested-by: Jann Horn <jann(a)thejh.net>
Signed-off-by: Pranav Tyagi <pranav.tyagi03(a)gmail.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Link: https://lore.kernel.org/linux-fsdevel/1477863998-3298-5-git-send-email-jann…
Link: https://github.com/KSPP/linux/issues/119
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zhang Hongtao <zhanghongtao35(a)huawei.com>
---
 kernel/futex/syscalls.c | 106 +++++++++++++++++++++-------------
 1 file changed, 56 insertions(+), 50 deletions(-)
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index a8074079b09e..48feaa545b3c 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -40,6 +40,56 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
 	return 0;
 }
 
+static inline void __user *futex_task_robust_list(struct task_struct *p, bool compat)
+{
+#ifdef CONFIG_COMPAT
+	if (compat)
+		return p->compat_robust_list;
+#endif
+	return p->robust_list;
+}
+
+static void __user *futex_get_robust_list_common(int pid, bool compat)
+{
+	struct task_struct *p = current;
+	void __user *head;
+	int ret;
+
+	scoped_guard(rcu) {
+		if (pid) {
+			p = find_task_by_vpid(pid);
+			if (!p)
+				return (void __user *)ERR_PTR(-ESRCH);
+		}
+		get_task_struct(p);
+	}
+
+	/*
+	 * Hold exec_update_lock to serialize with concurrent exec()
+	 * so ptrace_may_access() is checked against stable credentials
+	 */
+	ret = down_read_killable(&p->signal->exec_update_lock);
+	if (ret)
+		goto err_put;
+
+	ret = -EPERM;
+	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
+		goto err_unlock;
+
+	head = futex_task_robust_list(p, compat);
+
+	up_read(&p->signal->exec_update_lock);
+	put_task_struct(p);
+
+	return head;
+
+err_unlock:
+	up_read(&p->signal->exec_update_lock);
+err_put:
+	put_task_struct(p);
+	return (void __user *)ERR_PTR(ret);
+}
+
 /**
  * sys_get_robust_list() - Get the robust-futex list head of a task
  * @pid: pid of the process [zero for current task]
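Review bot: futex_get_robust_list_common() signals failure with an ERR_PTR inside a `void __user *` return, but the value it returns on success is whatever the target task stored through set_robust_list(), which nothing in the visible code validates; a head pointer whose value lies in the top MAX_ERRNO bytes of the address space would be taken for an error by the IS_ERR() checks in both callers in the next hunk and turned into a bogus negative return. If user memory can never be mapped in that range on the architectures this branch supports the overlap is unreachable, but an int return plus an out-parameter (`int futex_get_robust_list_common(int pid, bool compat, void __user **head)`) removes the in-band encoding without relying on that. The new helper also carries no kernel-doc; a comment stating that @pid zero means the current task, that the result is either the stored head or an ERR_PTR of -ESRCH, -EPERM or the down_read_killable() error, and that the returned address is a user pointer only ever handed back via put_user() would help the next reader.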
@@ -50,36 +100,14 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
 		struct robust_list_head __user * __user *, head_ptr,
 		size_t __user *, len_ptr)
 {
-	struct robust_list_head __user *head;
-	unsigned long ret;
-	struct task_struct *p;
-
-	rcu_read_lock();
-
-	ret = -ESRCH;
-	if (!pid)
-		p = current;
-	else {
-		p = find_task_by_vpid(pid);
-		if (!p)
-			goto err_unlock;
-	}
-
-	ret = -EPERM;
-	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
-		goto err_unlock;
+	struct robust_list_head __user *head = futex_get_robust_list_common(pid, false);
 
-	head = p->robust_list;
-	rcu_read_unlock();
+	if (IS_ERR(head))
+		return PTR_ERR(head);
 
 	if (put_user(sizeof(*head), len_ptr))
 		return -EFAULT;
 	return put_user(head, head_ptr);
-
-err_unlock:
-	rcu_read_unlock();
-
-	return ret;
 }
 
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
@@ -322,36 +350,14 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
 		compat_uptr_t __user *, head_ptr,
 		compat_size_t __user *, len_ptr)
 {
-	struct compat_robust_list_head __user *head;
-	unsigned long ret;
-	struct task_struct *p;
-
-	rcu_read_lock();
-
-	ret = -ESRCH;
-	if (!pid)
-		p = current;
-	else {
-		p = find_task_by_vpid(pid);
-		if (!p)
-			goto err_unlock;
-	}
-
-	ret = -EPERM;
-	if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
-		goto err_unlock;
+	struct compat_robust_list_head __user *head = futex_get_robust_list_common(pid, true);
 
-	head = p->compat_robust_list;
-	rcu_read_unlock();
+	if (IS_ERR(head))
+		return PTR_ERR(head);
 
 	if (put_user(sizeof(*head), len_ptr))
 		return -EFAULT;
 	return put_user(ptr_to_compat(head), head_ptr);
-
-err_unlock:
-	rcu_read_unlock();
-
-	return ret;
 }
 
 #endif /* CONFIG_COMPAT */
-- 
2.34.1