Kernel

kernel@openeuler.org

  • 52 participants
  • 18283 discussions
[PATCH openEuler-22.03-LTS-SP1] vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
by Zhang Changzhong 05 Dec '24

From: Hyunwoo Kim <v4bel(a)theori.io>

stable inclusion
from stable-v5.10.230
commit eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AUY
CVE: CVE-2024-50264

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream.

During loopback communication, a dangling pointer can be created in
vsk->trans, potentially leading to a Use-After-Free condition. This
issue is resolved by initializing vsk->trans to NULL.

Cc: stable <stable(a)kernel.org>
Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
Signed-off-by: Hyunwoo Kim <v4bel(a)theori.io>
Signed-off-by: Wongi Lee <qwerty(a)theori.io>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Message-Id: <2024102245-strive-crib-c8d3@gregkh>
Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com>
--- net/vmw_vsock/virtio_transport_common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index c9ee925..067a7dd 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c @@ -680,6 +680,7 @@ void virtio_transport_destruct(struct vsock_sock *vsk) struct virtio_vsock_sock *vvs = vsk->trans; kfree(vvs); + vsk->trans = NULL; } EXPORT_SYMBOL_GPL(virtio_transport_destruct); -- 2.9.5
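Review bot: The new `vsk->trans = NULL;` at the end of virtio_transport_destruct() carries no comment, and the commit message names only "loopback communication" as the case where the stale pointer is reached. Because the assignment directly follows `kfree(vvs);` and looks redundant in a destructor, add a short comment above it naming the path that can still read vsk->trans after this function returns, so that a later cleanup does not remove it.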
[openeuler:OLK-5.10 2516/2516] drivers/ub/urma/ubcore/ubcore_netlink.c:89:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63
by kernel test robot 05 Dec '24

Hi WenChen,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   fdc4bca5e9e486a894194c2b6a956492b11d8cc5
commit: 5d130e2cfa3d2aaee4d10e18c075f6c3750600c5 [2516/2516] urma: upload kernel patch for 20240511_mig
config: arm64-randconfig-003-20241203 (https://download.01.org/0day-ci/archive/20241205/202412051837.t5BmEbw0-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412051837.t5BmEbw0-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412051837.t5BmEbw0-lkp@intel.com/

All warnings (new ones prefixed by >>):

   drivers/ub/urma/ubcore/ubcore_netlink.c:192:5: warning: no previous prototype for 'ubcore_genl_unicast' [-Wmissing-prototypes]
     192 | int ubcore_genl_unicast(struct ubcore_nlmsg *req, uint32_t len)
         |     ^~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netlink.c: In function 'ubcore_create_nl_session':
>> drivers/ub/urma/ubcore/ubcore_netlink.c:89:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
      89 |         (void)strncpy(s->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
   drivers/ub/urma/ubcore/ubcore_tp.c:70:17: warning: no previous prototype for 'ubcore_get_mtu' [-Wmissing-prototypes]
      70 | enum ubcore_mtu ubcore_get_mtu(int mtu)
         |                 ^~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_tp.c:341:5: warning: no previous prototype for 'ubcore_modify_tp_state' [-Wmissing-prototypes]
     341 | int ubcore_modify_tp_state(struct ubcore_device *dev, struct ubcore_tp *tp,
         |     ^~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_tp.c: In function 'ubcore_send_del_tp_req':
>> drivers/ub/urma/ubcore/ubcore_tp.c:687:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
     687 |         (void)strncpy(data->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_tp.c: In function 'ubcore_init_create_tp_req':
   drivers/ub/urma/ubcore/ubcore_tp.c:581:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
     581 |         (void)strncpy(data->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
   drivers/ub/urma/ubcore/ubcore_device.c:413:6: warning: no previous prototype for 'ubcore_destroy_upi_list' [-Wmissing-prototypes]
     413 | void ubcore_destroy_upi_list(struct ubcore_device *dev)
         |      ^~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c:1666:5: warning: no previous prototype for 'ubcore_dispatch_event' [-Wmissing-prototypes]
    1666 | int ubcore_dispatch_event(struct ubcore_event *event)
         |     ^~~~~~~~~~~~~~~~~~~~~
   In file included from include/linux/printk.h:7,
                    from include/linux/kernel.h:17,
                    from include/asm-generic/bug.h:20,
                    from arch/arm64/include/asm/bug.h:26,
                    from include/linux/bug.h:5,
                    from include/linux/refcount.h:96,
                    from include/net/net_namespace.h:9,
                    from drivers/ub/urma/ubcore/ubcore_device.c:21:
   drivers/ub/urma/ubcore/ubcore_device.c: In function 'ubcore_add_ueid':
   include/linux/kern_levels.h:5:25: warning: too many arguments for format [-Wformat-extra-args]
       5 | #define KERN_SOH        "\001"          /* ASCII Start Of Header */
         |                         ^~~~~~
   include/linux/kern_levels.h:11:25: note: in expansion of macro 'KERN_SOH'
      11 | #define KERN_ERR        KERN_SOH "3"    /* error conditions */
         |                         ^~~~~~~~
   include/linux/printk.h:392:16: note: in expansion of macro 'KERN_ERR'
     392 |         printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
         |                ^~~~~~~~
   drivers/ub/urma/ubcore/ubcore_log.h:46:16: note: in expansion of macro 'pr_err'
      46 |         ((void)pr_##l("%s|%s:[%d]|" format, UBCORE_LOG_TAG, __func__, __LINE__, ##args))
         |                ^~~
   drivers/ub/urma/ubcore/ubcore_log.h:57:17: note: in expansion of macro 'ubcore_default_log'
      57 |                 ubcore_default_log(err, __VA_ARGS__); \
         |                 ^~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c:1874:17: note: in expansion of macro 'ubcore_log_err'
    1874 |                 ubcore_log_err("failed to add ueid, ret:%d\n",
         |                 ^~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c: In function 'ubcore_delete_ueid':
   include/linux/kern_levels.h:5:25: warning: too many arguments for format [-Wformat-extra-args]
       5 | #define KERN_SOH        "\001"          /* ASCII Start Of Header */
         |                         ^~~~~~
   include/linux/kern_levels.h:11:25: note: in expansion of macro 'KERN_SOH'
      11 | #define KERN_ERR        KERN_SOH "3"    /* error conditions */
         |                         ^~~~~~~~
   include/linux/printk.h:392:16: note: in expansion of macro 'KERN_ERR'
     392 |         printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
         |                ^~~~~~~~
   drivers/ub/urma/ubcore/ubcore_log.h:46:16: note: in expansion of macro 'pr_err'
      46 |         ((void)pr_##l("%s|%s:[%d]|" format, UBCORE_LOG_TAG, __func__, __LINE__, ##args))
         |                ^~~
   drivers/ub/urma/ubcore/ubcore_log.h:57:17: note: in expansion of macro 'ubcore_default_log'
      57 |                 ubcore_default_log(err, __VA_ARGS__); \
         |                 ^~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c:1896:17: note: in expansion of macro 'ubcore_log_err'
    1896 |                 ubcore_log_err("failed to add ueid, ret:%d\n",
         |                 ^~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c: At top level:
   drivers/ub/urma/ubcore/ubcore_device.c:2372:6: warning: no previous prototype for 'ubcore_net_exit' [-Wmissing-prototypes]
    2372 | void ubcore_net_exit(struct net *net)
         |      ^~~~~~~~~~~~~~~
   In function 'ubcore_send_remove_tpf_dev_info',
       inlined from 'uninit_ubcore_device' at drivers/ub/urma/ubcore/ubcore_device.c:1057:37:
>> drivers/ub/urma/ubcore/ubcore_device.c:823:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
     823 |         (void)strncpy(data->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c: In function 'ubcore_new_tpf_dev_msg':
   drivers/ub/urma/ubcore/ubcore_device.c:888:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
     888 |         (void)strncpy(data->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_device.c:892:17: warning: 'strnlen' specified bound 64 exceeds source size 16 [-Wstringop-overread]
     892 |                 strnlen(dev->netdev->name, UBCORE_MAX_DEV_NAME) < UBCORE_MAX_DEV_NAME)
         |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   In file included from drivers/ub/urma/ubcore/ubcore_device.c:32:
   include/linux/netdevice.h:1957:33: note: source object allocated here
    1957 |         char                    name[IFNAMSIZ];
         |                                 ^~~~
--
   drivers/ub/urma/ubcore/ubcore_vtp.c:337:6: warning: no previous prototype for 'ubcore_hash_table_rmv_vtpn' [-Wmissing-prototypes]
     337 | void ubcore_hash_table_rmv_vtpn(struct ubcore_device *dev, struct ubcore_vtpn *vtpn,
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~~
   In function 'ubcore_send_create_vtp_req',
       inlined from 'ubcore_connect_vtp' at drivers/ub/urma/ubcore/ubcore_vtp.c:419:8:
>> drivers/ub/urma/ubcore/ubcore_vtp.c:93:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
      93 |         (void)strncpy(create->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
>> drivers/ub/urma/ubcore/ubcore_tpg.c:85:6: warning: no previous prototype for 'ubcore_tpg_kref_get' [-Wmissing-prototypes]
      85 | void ubcore_tpg_kref_get(struct ubcore_tpg *tpg)
         |      ^~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_tpg.c: In function 'ubcore_find_remove_tpg':
   drivers/ub/urma/ubcore/ubcore_tpg.c:100:42: warning: the comparison will always evaluate as 'false' for the address of 'head' will never be NULL [-Waddress]
     100 |         if (&dev->ht[UBCORE_HT_TPG].head == NULL) {
         |                                          ^~
   In file included from drivers/ub/urma/ubcore/ubcore_hash_table.h:24,
                    from drivers/ub/urma/ubcore/ubcore_tpg.c:23:
   include/urma/ubcore_types.h:178:28: note: 'head' declared here
     178 |         struct hlist_head *head;
         |                            ^~~~
   drivers/ub/urma/ubcore/ubcore_tpg.c: In function 'ubcore_find_remove_tp_node':
   drivers/ub/urma/ubcore/ubcore_tpg.c:131:41: warning: the comparison will always evaluate as 'false' for the address of 'head' will never be NULL [-Waddress]
     131 |         if (&dev->ht[UBCORE_HT_TP].head == NULL) {
         |                                         ^~
   include/urma/ubcore_types.h:178:28: note: 'head' declared here
     178 |         struct hlist_head *head;
         |                            ^~~~
--
   drivers/ub/urma/ubcore/ubcore_umem.c:242:21: warning: no previous prototype for 'ubcore_umem_get' [-Wmissing-prototypes]
     242 | struct ubcore_umem *ubcore_umem_get(struct ubcore_device *dev, uint64_t va,
         |                     ^~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_umem.c:260:6: warning: no previous prototype for 'ubcore_umem_release' [-Wmissing-prototypes]
     260 | void ubcore_umem_release(struct ubcore_umem *umem)
         |      ^~~~~~~~~~~~~~~~~~~
>> drivers/ub/urma/ubcore/ubcore_umem.c:284:10: warning: no previous prototype for 'ubcore_umem_find_best_page_size' [-Wmissing-prototypes]
     284 | uint64_t ubcore_umem_find_best_page_size(struct ubcore_umem *umem, uint64_t page_size_bitmap,
         |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
   drivers/ub/urma/ubcore/ubcore_netdev.c:41:25: warning: no previous prototype for 'ubcore_lookup_sip_info_without_lock' [-Wmissing-prototypes]
      41 | struct ubcore_sip_info *ubcore_lookup_sip_info_without_lock(
         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:75:5: warning: no previous prototype for 'ubcore_notify_uvs_del_sip' [-Wmissing-prototypes]
      75 | int ubcore_notify_uvs_del_sip(struct ubcore_device *dev,
         |     ^~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:113:22: warning: no previous prototype for 'ubcore_new_sip_req_msg' [-Wmissing-prototypes]
     113 | struct ubcore_nlmsg *ubcore_new_sip_req_msg(struct ubcore_device *dev,
         |                      ^~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:145:5: warning: no previous prototype for 'ubcore_notify_uvs_add_sip' [-Wmissing-prototypes]
     145 | int ubcore_notify_uvs_add_sip(struct ubcore_device *dev,
         |     ^~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:177:5: warning: no previous prototype for 'ubcore_check_port_state' [-Wmissing-prototypes]
     177 | int ubcore_check_port_state(struct ubcore_device *dev)
         |     ^~~~~~~~~~~~~~~~~~~~~~~
>> drivers/ub/urma/ubcore/ubcore_netdev.c:204:6: warning: no previous prototype for 'ubcore_fill_port_netdev' [-Wmissing-prototypes]
     204 | void ubcore_fill_port_netdev(struct ubcore_device *dev,
         |      ^~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:268:5: warning: no previous prototype for 'ubcore_set_port_netdev' [-Wmissing-prototypes]
     268 | int ubcore_set_port_netdev(struct ubcore_device *dev, struct net_device *ndev,
         |     ^~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:353:5: warning: no previous prototype for 'ubcore_unset_port_netdev' [-Wmissing-prototypes]
     353 | int ubcore_unset_port_netdev(struct ubcore_device *dev, struct net_device *ndev,
         |     ^~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:385:6: warning: no previous prototype for 'ubcore_put_port_netdev' [-Wmissing-prototypes]
     385 | void ubcore_put_port_netdev(struct ubcore_device *dev)
         |      ^~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:412:5: warning: no previous prototype for 'ubcore_sip_table_init' [-Wmissing-prototypes]
     412 | int ubcore_sip_table_init(struct ubcore_sip_table *sip_table, uint32_t size)
         |     ^~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:431:6: warning: no previous prototype for 'ubcore_sip_table_uninit' [-Wmissing-prototypes]
     431 | void ubcore_sip_table_uninit(struct ubcore_sip_table *sip_table)
         |      ^~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:442:5: warning: no previous prototype for 'ubcore_sip_idx_alloc' [-Wmissing-prototypes]
     442 | int ubcore_sip_idx_alloc(struct ubcore_sip_table *sip_table)
         |     ^~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:458:5: warning: no previous prototype for 'ubcore_sip_idx_free' [-Wmissing-prototypes]
     458 | int ubcore_sip_idx_free(struct ubcore_sip_table *sip_table, uint32_t idx)
         |     ^~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:471:5: warning: no previous prototype for 'ubcore_add_sip_entry' [-Wmissing-prototypes]
     471 | int ubcore_add_sip_entry(struct ubcore_sip_table *sip_table, const struct ubcore_sip_info *sip,
         |     ^~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:489:5: warning: no previous prototype for 'ubcore_del_sip_entry' [-Wmissing-prototypes]
     489 | int ubcore_del_sip_entry(struct ubcore_sip_table *sip_table, uint32_t idx)
         |     ^~~~~~~~~~~~~~~~~~~~
>> drivers/ub/urma/ubcore/ubcore_netdev.c:519:5: warning: no previous prototype for 'ubcore_update_sip_entry' [-Wmissing-prototypes]
     519 | int ubcore_update_sip_entry(struct ubcore_sip_table *sip_table, struct ubcore_sip_info *new_sip,
         |     ^~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c:548:5: warning: no previous prototype for 'ubcore_lookup_sip_idx' [-Wmissing-prototypes]
     548 | int ubcore_lookup_sip_idx(struct ubcore_sip_table *sip_table, struct ubcore_sip_info *sip,
         |     ^~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c: In function 'ubcore_set_port_netdev':
   drivers/ub/urma/ubcore/ubcore_netdev.c:275:17: warning: 'strnlen' specified bound 64 exceeds source size 21 [-Wstringop-overread]
     275 |                 strnlen(netdev_name(ndev), UBCORE_MAX_DEV_NAME) >= UBCORE_MAX_DEV_NAME) {
         |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/ub/urma/ubcore/ubcore_netdev.c: In function 'ubcore_unset_port_netdev':
   drivers/ub/urma/ubcore/ubcore_netdev.c:360:17: warning: 'strnlen' specified bound 64 exceeds source size 21 [-Wstringop-overread]
     360 |                 strnlen(netdev_name(ndev), UBCORE_MAX_DEV_NAME) >= UBCORE_MAX_DEV_NAME) {
         |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
   drivers/ub/urma/ubcore/ubcore_msg.c:519:28: warning: no previous prototype for 'ubcore_asyn_send_fe2tpf_msg' [-Wmissing-prototypes]
     519 | struct ubcore_msg_session *ubcore_asyn_send_fe2tpf_msg(struct ubcore_device *dev,
         |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~
   In function 'ubcore_migrate_req',
       inlined from 'ubcore_recv_req' at drivers/ub/urma/ubcore/ubcore_msg.c:368:16:
>> drivers/ub/urma/ubcore/ubcore_msg.c:264:15: warning: 'strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Wstringop-truncation]
     264 |         (void)strncpy(mig_resp->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
         |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
>> drivers/ub/urma/uburma/uburma_mmap.c:29:6: warning: no previous prototype for 'uburma_umap_priv_init' [-Wmissing-prototypes]
      29 | void uburma_umap_priv_init(struct uburma_umap_priv *priv,
         |      ^~~~~~~~~~~~~~~~~~~~~
>> drivers/ub/urma/uburma/uburma_mmap.c:42:6: warning: no previous prototype for 'uburma_unmap_vma_pages' [-Wmissing-prototypes]
      42 | void uburma_unmap_vma_pages(struct uburma_file *ufile)
         |      ^~~~~~~~~~~~~~~~~~~~~~
>> drivers/ub/urma/uburma/uburma_mmap.c:157:36: warning: no previous prototype for 'uburma_get_umap_ops' [-Wmissing-prototypes]
     157 | const struct vm_operations_struct *uburma_get_umap_ops(void)
         |                                    ^~~~~~~~~~~~~~~~~~~


vim +/strncpy +89 drivers/ub/urma/ubcore/ubcore_netlink.c

    72	
    73	static struct ubcore_nl_session *ubcore_create_nl_session(struct ubcore_device *dev,
    74		struct ubcore_nlmsg *req)
    75	{
    76		struct ubcore_nl_session *s;
    77		unsigned long flags;
    78	
    79		s = kzalloc(sizeof(struct ubcore_nl_session), GFP_KERNEL);
    80		if (s == NULL)
    81			return NULL;
    82	
    83		s->req = req;
    84		spin_lock_irqsave(&g_nl_session_lock, flags);
    85		list_add_tail(&s->node, &g_nl_session_list);
    86		spin_unlock_irqrestore(&g_nl_session_lock, flags);
    87		kref_init(&s->kref);
    88		init_completion(&s->comp);
  > 89		(void)strncpy(s->dev_name, dev->dev_name, UBCORE_MAX_DEV_NAME - 1);
    90	
    91		return s;
    92	}
    93	
    94	static void ubcore_free_nl_session(struct kref *kref)
    95	{
    96		struct ubcore_nl_session *s = container_of(kref, struct ubcore_nl_session, kref);
    97		unsigned long flags;
    98	
    99		spin_lock_irqsave(&g_nl_session_lock, flags);
   100		list_del(&s->node);
   101		spin_unlock_irqrestore(&g_nl_session_lock, flags);
   102		kfree(s);
   103	}
   104	
   105	static inline void ubcore_destroy_nl_session(struct ubcore_nl_session *s)
   106	{
   107		(void)kref_put(&s->kref, ubcore_free_nl_session);
   108	}
   109	
   110	static struct ubcore_nl_session *ubcore_find_nl_session(uint32_t nlmsg_seq)
   111	{
   112		struct ubcore_nl_session *tmp, *target = NULL;
   113		unsigned long flags;
   114	
   115		spin_lock_irqsave(&g_nl_session_lock, flags);
   116		list_for_each_entry(tmp, &g_nl_session_list, node) {
   117			if (tmp->req->nlmsg_seq == nlmsg_seq) {
   118				target = tmp;
   119				kref_get(&target->kref);
   120				break;
   121			}
   122		}
   123		spin_unlock_irqrestore(&g_nl_session_lock, flags);
   124		return target;
   125	}
   126	
   127	static struct ubcore_nlmsg *ubcore_get_genlmsg_data(struct genl_info *info)
   128	{
   129		struct ubcore_nlmsg *msg;
   130		uint32_t payload_len = 0;
   131	
   132		if (!info->attrs[UBCORE_MSG_SEQ] || !info->attrs[UBCORE_PAYLOAD_LEN])
   133			return NULL;
   134	
   135		payload_len = nla_get_u32(info->attrs[UBCORE_PAYLOAD_LEN]);
   136		if (payload_len > UBCORE_MAX_NL_MSG_BUF_LEN) {
   137			ubcore_log_err("Invalid payload len: %d", payload_len);
   138			return NULL;
   139		}
   140	
   141		msg = kzalloc((size_t)(sizeof(struct ubcore_nlmsg) + payload_len), GFP_KERNEL);
   142		if (msg == NULL)
   143			return NULL;
   144	
   145		msg->payload_len = payload_len;
   146		msg->nlmsg_seq = nla_get_u32(info->attrs[UBCORE_MSG_SEQ]);
   147		if (info->attrs[UBCORE_MSG_TYPE])
   148			msg->msg_type = nla_get_u32(info->attrs[UBCORE_MSG_TYPE]);
   149	
   150		if (info->attrs[UBCORE_TRANSPORT_TYPE])
   151			msg->transport_type = (enum ubcore_transport_type)
   152				nla_get_u32(info->attrs[UBCORE_TRANSPORT_TYPE]);
   153	
   154		if (info->attrs[UBORE_SRC_ID])
   155			(void)memcpy(&msg->src_eid,
   156				nla_data(info->attrs[UBORE_SRC_ID]), UBCORE_EID_SIZE);
   157	
   158		if (info->attrs[UBORE_DST_ID])
   159			(void)memcpy(&msg->dst_eid,
   160				nla_data(info->attrs[UBORE_DST_ID]), UBCORE_EID_SIZE);
   161	
   162		if (info->attrs[UBCORE_PAYLOAD_DATA]) {
   163			(void)memcpy(msg->payload,
   164				nla_data(info->attrs[UBCORE_PAYLOAD_DATA]), payload_len);
   165		}
   166	
   167		return msg;
   168	}
   169	
   170	int ubcore_tp_resp_ops(struct sk_buff *skb, struct genl_info *info)
   171	{
   172		struct ubcore_nl_session *s;
   173		struct ubcore_nlmsg *resp;
   174	
   175		resp = ubcore_get_genlmsg_data(info);
   176		if (resp == NULL) {
   177			ubcore_log_err("Failed to calloc and copy response");
   178			return -1;
   179		}
   180		s = ubcore_find_nl_session(resp->nlmsg_seq);
   181		if (s == NULL) {
   182			ubcore_log_err("Failed to find nl session with seq %u", resp->nlmsg_seq);
   183			kfree(resp);
   184			return -1;
   185		}
   186		s->resp = resp;
   187		(void)kref_put(&s->kref, ubcore_free_nl_session);
   188		complete(&s->comp);
   189		return 0;
   190	}
   191	
 > 192	int ubcore_genl_unicast(struct ubcore_nlmsg *req, uint32_t len)
   193	{
   194		struct sk_buff *nl_skb;
   195		struct nlmsghdr *nlh;
   196	
   197		if (req == NULL || g_genl_port == UBCORE_NL_INVALID_PORT) {
   198			ubcore_log_err("There are illegal parameters.\n");
   199			return -1;
   200		}
   201	
   202		/* create sk_buff */
   203		nl_skb = genlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
   204		if (nl_skb == NULL) {
   205			ubcore_log_err("failed to alloc.\n");
   206			return -1;
   207		}
   208		/* set genl head */
   209		nlh = genlmsg_put(nl_skb, g_genl_port, req->nlmsg_seq, &ubcore_genl_family, 0,
   210			(uint8_t)req->msg_type);
   211		if (nlh == NULL) {
   212			ubcore_log_err("Failed to nlmsg put.\n");
   213			nlmsg_free(nl_skb);
   214			return -1;
   215		}
   216		if (nla_put_u32(nl_skb, UBCORE_MSG_SEQ, req->nlmsg_seq) ||
   217			nla_put_u32(nl_skb, UBCORE_MSG_TYPE, (uint32_t)req->msg_type) ||
   218			nla_put_u32(nl_skb, UBCORE_TRANSPORT_TYPE, (uint32_t)req->transport_type) ||
   219			nla_put_u32(nl_skb, UBCORE_PAYLOAD_LEN, req->payload_len) ||
   220			nla_put(nl_skb, UBCORE_PAYLOAD_DATA, (int)req->payload_len, req->payload)) {
   221			nlmsg_free(nl_skb);
   222			return -1;
   223		}
   224	
   225		genlmsg_end(nl_skb, nlh);
   226		ubcore_log_info("send genl msg type %d seq:%u payload_len %u",
   227			(int)req->msg_type, req->nlmsg_seq, req->payload_len);
   228		return nlmsg_unicast(g_genl_sock, nl_skb, g_genl_port);
   229	}
   230	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-5.10 2546/2546] net/netfilter/nft_set_pipapo.o: warning: objtool: nft_pipapo_remove()+0x65f: unreachable instruction
by kernel test robot 05 Dec '24

Hi Florian,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   fdc4bca5e9e486a894194c2b6a956492b11d8cc5
commit: 6da9c2b3be7f43cb2dc8c55be00b80bcdc27dba1 [2546/2546] netfilter: nft_set_pipapo: do not free live element
config: x86_64-buildonly-randconfig-004-20241205 (https://download.01.org/0day-ci/archive/20241205/202412051737.2B7Mf0Ys-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412051737.2B7Mf0Ys-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412051737.2B7Mf0Ys-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> net/netfilter/nft_set_pipapo.o: warning: objtool: nft_pipapo_remove()+0x65f: unreachable instruction

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1321/1321] sas_expander.c:undefined reference to `ata_dev_same_device'
by kernel test robot 05 Dec '24

Hi Jason,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   d05ffd830132e58bd394d5e8123765b9037141b2
commit: d856ec500c97835c591ffacc005f514509f1a931 [1321/1321] scsi: libsas: check if the same sata device when flutter
config: x86_64-buildonly-randconfig-005-20241205 (https://download.01.org/0day-ci/archive/20241205/202412051729.ejnzHbRm-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412051729.ejnzHbRm-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412051729.ejnzHbRm-lkp@intel.com/

All errors (new ones prefixed by >>):

   ld: warning: arch/x86/lib/csum-copy_64.o: missing .note.GNU-stack section implies executable stack
   ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
   ld: warning: arch/x86/lib/csum-copy_64.o: missing .note.GNU-stack section implies executable stack
   ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
   ld: warning: .tmp_vmlinux1 has a LOAD segment with RWX permissions
   ld: drivers/scsi/libsas/sas_expander.o: in function `sas_rediscover_dev':
>> sas_expander.c:(.text.unlikely+0x3f4): undefined reference to `ata_dev_same_device'

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] block, bfq: fix bfqq uaf in bfq_limit_depth()
by Zheng Qixing 05 Dec '24

From: Yu Kuai <yukuai3(a)huawei.com>

mainline inclusion
from mainline-v6.13-rc1
commit e8b8344de3980709080d86c157d24e7de07d70ad
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB96M5

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

-----------------------

Set new allocated bfqq to bic or remove freed bfqq from bic are both
protected by bfqd->lock, however bfq_limit_depth() is dereferencing bfqq
from bic without the lock, this can lead to UAF if the io_context is
shared by multiple tasks.

For example, test bfq with io_uring can trigger following UAF in v6.6:

==================================================================
BUG: KASAN: slab-use-after-free in bfqq_group+0x15/0x50

Call Trace:
 <TASK>
 dump_stack_lvl+0x47/0x80
 print_address_description.constprop.0+0x66/0x300
 print_report+0x3e/0x70
 kasan_report+0xb4/0xf0
 bfqq_group+0x15/0x50
 bfqq_request_over_limit+0x130/0x9a0
 bfq_limit_depth+0x1b5/0x480
 __blk_mq_alloc_requests+0x2b5/0xa00
 blk_mq_get_new_requests+0x11d/0x1d0
 blk_mq_submit_bio+0x286/0xb00
 submit_bio_noacct_nocheck+0x331/0x400
 __block_write_full_folio+0x3d0/0x640
 writepage_cb+0x3b/0xc0
 write_cache_pages+0x254/0x6c0
 write_cache_pages+0x254/0x6c0
 do_writepages+0x192/0x310
 filemap_fdatawrite_wbc+0x95/0xc0
 __filemap_fdatawrite_range+0x99/0xd0
 filemap_write_and_wait_range.part.0+0x4d/0xa0
 blkdev_read_iter+0xef/0x1e0
 io_read+0x1b6/0x8a0
 io_issue_sqe+0x87/0x300
 io_wq_submit_work+0xeb/0x390
 io_worker_handle_work+0x24d/0x550
 io_wq_worker+0x27f/0x6c0
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Allocated by task 808602:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_slab_alloc+0x83/0x90
 kmem_cache_alloc_node+0x1b1/0x6d0
 bfq_get_queue+0x138/0xfa0
 bfq_get_bfqq_handle_split+0xe3/0x2c0
 bfq_init_rq+0x196/0xbb0
 bfq_insert_request.isra.0+0xb5/0x480
 bfq_insert_requests+0x156/0x180
 blk_mq_insert_request+0x15d/0x440
 blk_mq_submit_bio+0x8a4/0xb00
 submit_bio_noacct_nocheck+0x331/0x400
 __blkdev_direct_IO_async+0x2dd/0x330
 blkdev_write_iter+0x39a/0x450
 io_write+0x22a/0x840
 io_issue_sqe+0x87/0x300
 io_wq_submit_work+0xeb/0x390
 io_worker_handle_work+0x24d/0x550
 io_wq_worker+0x27f/0x6c0
 ret_from_fork+0x2d/0x50
 ret_from_fork_asm+0x1b/0x30

Freed by task 808589:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x27/0x40
 __kasan_slab_free+0x126/0x1b0
 kmem_cache_free+0x10c/0x750
 bfq_put_queue+0x2dd/0x770
 __bfq_insert_request.isra.0+0x155/0x7a0
 bfq_insert_request.isra.0+0x122/0x480
 bfq_insert_requests+0x156/0x180
 blk_mq_dispatch_plug_list+0x528/0x7e0
 blk_mq_flush_plug_list.part.0+0xe5/0x590
 __blk_flush_plug+0x3b/0x90
 blk_finish_plug+0x40/0x60
 do_writepages+0x19d/0x310
 filemap_fdatawrite_wbc+0x95/0xc0
 __filemap_fdatawrite_range+0x99/0xd0
 filemap_write_and_wait_range.part.0+0x4d/0xa0
 blkdev_read_iter+0xef/0x1e0
 io_read+0x1b6/0x8a0
 io_issue_sqe+0x87/0x300
 io_wq_submit_work+0xeb/0x390
 io_worker_handle_work+0x24d/0x550
 io_wq_worker+0x27f/0x6c0
 ret_from_fork+0x2d/0x50
 ret_from_fork_asm+0x1b/0x30

Fix the problem by protecting bic_to_bfqq() with bfqd->lock.

CC: Jan Kara <jack(a)suse.cz>
Fixes: 76f1df88bbc2 ("bfq: Limit number of requests consumed by each cgroup")
Signed-off-by: Yu Kuai <yukuai3(a)huawei.com>
Link: https://lore.kernel.org/r/20241129091509.2227136-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com>
--- block/bfq-iosched.c | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c index b350d2c51bfc..8294f77892bf 100644 --- a/block/bfq-iosched.c +++ b/block/bfq-iosched.c 
@@ -583,23 +583,31 @@ static struct request *bfq_choose_req(struct bfq_data *bfqd, #define BFQ_LIMIT_INLINE_DEPTH 16 #ifdef CONFIG_BFQ_GROUP_IOSCHED -static bool bfqq_request_over_limit(struct bfq_queue *bfqq, int limit) +static bool bfqq_request_over_limit(struct bfq_data *bfqd, + struct bfq_io_cq *bic, blk_opf_t opf, + unsigned int act_idx, int limit) { - struct bfq_data *bfqd = bfqq->bfqd; - struct bfq_entity *entity = &bfqq->entity; struct bfq_entity *inline_entities[BFQ_LIMIT_INLINE_DEPTH]; struct bfq_entity **entities = inline_entities; - int depth, level, alloc_depth = BFQ_LIMIT_INLINE_DEPTH; - int class_idx = bfqq->ioprio_class - 1; + int alloc_depth = BFQ_LIMIT_INLINE_DEPTH; struct bfq_sched_data *sched_data; + struct bfq_entity *entity; + struct bfq_queue *bfqq; unsigned long wsum; bool ret = false; - - if (!entity->on_st_or_in_serv) - return false; + int depth; + int level; retry: spin_lock_irq(&bfqd->lock); + bfqq = bic_to_bfqq(bic, op_is_sync(opf), act_idx); + if (!bfqq) + goto out; + + entity = &bfqq->entity; + if (!entity->on_st_or_in_serv) + goto out; + /* +1 for bfqq entity, root cgroup not included */ depth = bfqg_to_blkg(bfqq_group(bfqq))->blkcg->css.cgroup->level + 1; if (depth > alloc_depth) { @@ -644,7 +652,7 @@ static bool bfqq_request_over_limit(struct bfq_queue *bfqq, int limit) * class. */ wsum = 0; - for (i = 0; i <= class_idx; i++) { + for (i = 0; i <= bfqq->ioprio_class - 1; i++) { wsum = wsum * IOPRIO_BE_NR + sched_data->service_tree[i].wsum; } @@ -667,7 +675,9 @@ static bool bfqq_request_over_limit(struct bfq_queue *bfqq, int limit) return ret; } #else -static bool bfqq_request_over_limit(struct bfq_queue *bfqq, int limit) +static bool bfqq_request_over_limit(struct bfq_data *bfqd, + struct bfq_io_cq *bic, blk_opf_t opf, + unsigned int act_idx, int limit) { return false; } 
@@ -705,8 +715,9 @@ static void bfq_limit_depth(blk_opf_t opf, struct blk_mq_alloc_data *data) } for (act_idx = 0; bic && act_idx < bfqd->num_actuators; act_idx++) { - struct bfq_queue *bfqq = - bic_to_bfqq(bic, op_is_sync(opf), act_idx); + /* Fast path to check if bfqq is already allocated. */ + if (!bic_to_bfqq(bic, op_is_sync(opf), act_idx)) + continue; /* * Does queue (or any parent entity) exceed number of @@ -714,7 +725,7 @@ static void bfq_limit_depth(blk_opf_t opf, struct blk_mq_alloc_data *data) * limit depth so that it cannot consume more * available requests and thus starve other entities. */ - if (bfqq && bfqq_request_over_limit(bfqq, limit)) { + if (bfqq_request_over_limit(bfqd, bic, opf, act_idx, limit)) { depth = 1; break; } -- 2.39.2
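Review bot: In the `@@ -583` hunk of bfqq_request_over_limit(), both new early exits (`if (!bfqq) goto out;` and `if (!entity->on_st_or_in_serv) goto out;`) run with bfqd->lock held, where the removed `return false;` ran before the lock was taken. The `out` label is outside the visible context, so please confirm that it drops the lock with spin_unlock_irq() and frees `entities` when it no longer points at `inline_entities`. The lookup also sits after `retry:` and is therefore repeated on each retry; a one-line comment saying that this is intended would help.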
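Review bot: In the `@@ -644` hunk the loop bound `i <= bfqq->ioprio_class - 1` is evaluated on every iteration, where the removed `class_idx` local computed it once. The lock is held at that point, so this is a style point only: keeping `class_idx` and assigning it right after the locked bic_to_bfqq() lookup would leave the loop unchanged and shrink the diff.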
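Review bot: In the `@@ -705` hunk of bfq_limit_depth(), the fast-path test `if (!bic_to_bfqq(bic, op_is_sync(opf), act_idx)) continue;` still reads the bic without bfqd->lock. It only checks for NULL, and bfqq_request_over_limit() repeats the lookup under the lock, but the comment "Fast path to check if bfqq is already allocated." should say that the result is only a hint and that the returned pointer must not be dereferenced at this point.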
[openeuler:OLK-5.10 2546/2546] drivers/acpi/cppc_acpi.c:1530: warning: Function parameter or member 'auto_act_window' not described in 'cppc_set_auto_act_window'
by kernel test robot 05 Dec '24

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   fdc4bca5e9e486a894194c2b6a956492b11d8cc5
commit: 6d474065f368e21b77526a5c30f5a1aed017142a [2546/2546] ACPI: CPPC: Add three register ABIs
config: arm64-randconfig-004-20241205 (https://download.01.org/0day-ci/archive/20241205/202412051441.aDAuRsLp-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412051441.aDAuRsLp-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412051441.aDAuRsLp-lkp@intel.com/

All warnings (new ones prefixed by >>):

   drivers/acpi/cppc_acpi.c:450: warning: Function parameter or member 'cpc_pptr' not described in '__acpi_get_psd_map'
   drivers/acpi/cppc_acpi.c:700: warning: Function parameter or member 'pcc_ss_id' not described in 'pcc_data_alloc'
>> drivers/acpi/cppc_acpi.c:1530: warning: Function parameter or member 'auto_act_window' not described in 'cppc_set_auto_act_window'
>> drivers/acpi/cppc_acpi.c:1530: warning: Excess function parameter 'enable' description in 'cppc_set_auto_act_window'
>> drivers/acpi/cppc_acpi.c:1541: warning: Function parameter or member 'cpunum' not described in 'cppc_get_auto_act_window'
>> drivers/acpi/cppc_acpi.c:1541: warning: Function parameter or member 'auto_act_window' not described in 'cppc_get_auto_act_window'
>> drivers/acpi/cppc_acpi.c:1541: warning: Excess function parameter 'cpu' description in 'cppc_get_auto_act_window'
>> drivers/acpi/cppc_acpi.c:1541: warning: Excess function parameter 'enable' description in 'cppc_get_auto_act_window'
   drivers/acpi/cppc_acpi.c:1552: warning: Function parameter or member 'auto_sel' not described in 'cppc_get_auto_sel'
>> drivers/acpi/cppc_acpi.c:1552: warning: Excess function parameter 'enable' description in 'cppc_get_auto_sel'
>> drivers/acpi/cppc_acpi.c:1575: warning: Function parameter or member 'epp_val' not described in 'cppc_set_epp'
>> drivers/acpi/cppc_acpi.c:1575: warning: Excess function parameter 'enable' description in 'cppc_set_epp'
   drivers/acpi/cppc_acpi.c:1716: warning: Function parameter or member 'cpu_num' not described in 'cppc_get_transition_latency'

vim +1530 drivers/acpi/cppc_acpi.c

  1523
  1524  /**
  1525   * cppc_set_auto_act_window - Write autonomous act window register.
  1526   * @cpu : CPU to which to write register.
  1527   * @enable : the desired value of autonomous act window register to be updated.
  1528   */
  1529  int cppc_set_auto_act_window(int cpu, u64 auto_act_window)
> 1530  {
  1531          return cppc_set_reg(cpu, AUTO_ACT_WINDOW, auto_act_window);
  1532  }
  1533  EXPORT_SYMBOL_GPL(cppc_set_auto_act_window);
  1534
  1535  /**
  1536   * cppc_get_auto_act_window - Read autonomous act window register.
  1537   * @cpu : CPU to which to write register.
  1538   * @enable : the desired value of autonomous act window register to be updated.
  1539   */
  1540  int cppc_get_auto_act_window(int cpunum, u64 *auto_act_window)
> 1541  {
  1542          return cppc_get_reg(cpunum, AUTO_ACT_WINDOW, auto_act_window);
  1543  }
  1544  EXPORT_SYMBOL_GPL(cppc_get_auto_act_window);
  1545
  1546  /**
  1547   * cppc_get_auto_sel - Read autonomous selection register.
  1548   * @cpunum : CPU to which to write register.
  1549   * @enable : the desired value of autonomous selection resiter to be updated.
  1550   */
  1551  int cppc_get_auto_sel(int cpunum, u64 *auto_sel)
> 1552  {
  1553          return cppc_get_reg(cpunum, AUTO_SEL_ENABLE, auto_sel);
  1554  }
  1555  EXPORT_SYMBOL_GPL(cppc_get_auto_sel);
  1556
  1557
  1558  /**
  1559   * cppc_set_auto_sel - Write autonomous selection register.
  1560   * @cpu : CPU to which to write register.
  1561   * @enable : the desired value of autonomous selection resiter to be updated.
  1562   */
  1563  int cppc_set_auto_sel(int cpu, bool enable)
  1564  {
  1565          return cppc_set_reg(cpu, AUTO_SEL_ENABLE, enable);
  1566  }
  1567  EXPORT_SYMBOL_GPL(cppc_set_auto_sel);
  1568
  1569  /**
  1570   * cppc_set_epp - Write energe perf register.
  1571   * @cpu : CPU to which to write register.
  1572   * @enable : the desired value of energe perf register to be updated.
  1573   */
  1574  int cppc_set_epp(int cpu, u64 epp_val)
> 1575  {
  1576          return cppc_set_reg(cpu, ENERGY_PERF, epp_val);
  1577  }
  1578  EXPORT_SYMBOL_GPL(cppc_set_epp);
  1579

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-5.10 2516/2516] drivers/ub/urma/ubcore/ubcore_vtp.c:261:6: warning: no previous prototype for 'ubcore_hash_table_rmv_vtpn'
by kernel test robot 05 Dec '24

Hi WenChen,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   fdc4bca5e9e486a894194c2b6a956492b11d8cc5
commit: 013280dfab06d20e73de842e8d2fc2a200055455 [2516/2516] urma: upload kernel patch for 20240224_rain
config: arm64-randconfig-003-20241203 (https://download.01.org/0day-ci/archive/20241205/202412051356.um0lEVov-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412051356.um0lEVov-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412051356.um0lEVov-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> drivers/ub/urma/ubcore/ubcore_vtp.c:261:6: warning: no previous prototype for 'ubcore_hash_table_rmv_vtpn' [-Wmissing-prototypes]
     261 | void ubcore_hash_table_rmv_vtpn(struct ubcore_device *dev, struct ubcore_vtpn *vtpn)
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~~

vim +/ubcore_hash_table_rmv_vtpn +261 drivers/ub/urma/ubcore/ubcore_vtp.c

   260
 > 261  void ubcore_hash_table_rmv_vtpn(struct ubcore_device *dev, struct ubcore_vtpn *vtpn)
   262  {
   263          struct ubcore_hash_table *ht;
   264
   265          ht = ubcore_get_vtpn_ht(dev, vtpn->trans_mode);
   266          if (ht == NULL)
   267                  return;
   268          ubcore_hash_table_remove(ht, &vtpn->hnode);
   269  }
   270

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] USB: serial: io_edgeport: fix use after free in debug printk
by Guo Mengqi 05 Dec '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v5.10.230 commit e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVJ CVE: CVE-2024-50267 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream. The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage") Cc: stable(a)vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/usb/serial/io_edgeport.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4b48ef4adbeb..618e2b16e204 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -846,11 +846,12 @@ static void edge_bulk_out_data_callback(struct urb *urb) static void edge_bulk_out_cmd_callback(struct urb *urb) { struct edgeport_port *edge_port = urb->context; + struct device *dev = &urb->dev->dev; int status = urb->status; atomic_dec(&CmdUrbs); - dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n", - __func__, urb, atomic_read(&CmdUrbs)); + dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb, + atomic_read(&CmdUrbs)); /* clean up the transfer buffer */ 
@@ -860,8 +861,7 @@ static void edge_bulk_out_cmd_callback(struct urb *urb) usb_free_urb(urb); if (status) { - dev_dbg(&urb->dev->dev, - "%s - nonzero write bulk status received: %d\n", + dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", __func__, status); return; } -- 2.17.1
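Review bot: In the @@ -860 hunk the cached `dev` is still handed to dev_dbg() after usb_free_urb(urb), so the fix depends on the struct device behind urb->dev outliving the URB itself. The commit message does not say so; a one-line comment at `struct device *dev = &urb->dev->dev;` stating that the device is not released by usb_free_urb() would make that assumption explicit for anyone auditing the backport.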
[PATCH OLK-5.10] USB: serial: io_edgeport: fix use after free in debug printk
by Guo Mengqi 05 Dec '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v5.10.230 commit e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVJ CVE: CVE-2024-50267 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream. The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage") Cc: stable(a)vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/usb/serial/io_edgeport.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4b48ef4adbeb..618e2b16e204 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -846,11 +846,12 @@ static void edge_bulk_out_data_callback(struct urb *urb) static void edge_bulk_out_cmd_callback(struct urb *urb) { struct edgeport_port *edge_port = urb->context; + struct device *dev = &urb->dev->dev; int status = urb->status; atomic_dec(&CmdUrbs); - dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n", - __func__, urb, atomic_read(&CmdUrbs)); + dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb, + atomic_read(&CmdUrbs)); /* clean up the transfer buffer */ 
@@ -860,8 +861,7 @@ static void edge_bulk_out_cmd_callback(struct urb *urb) usb_free_urb(urb); if (status) { - dev_dbg(&urb->dev->dev, - "%s - nonzero write bulk status received: %d\n", + dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", __func__, status); return; } -- 2.17.1
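Review bot: In the @@ -846 hunk the rewritten "FREE URB" dev_dbg() runs before usb_free_urb(urb), so that call was never a use after free; only the one in the `if (status)` branch of the second hunk was. The commit message quotes "dev_dbg(&urb->dev->dev, ..." without saying which of the two calls is affected, and naming the post-free call would make it clear that the change here is for consistency only.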
[PATCH OLK-6.6 0/2] mm, slab: put should_failslab() back behind CONFIG_SHOULD_FAILSLAB
by Jinjie Ruan 05 Dec '24

Backport 2 slab improvement patches, which have a 1% improvement for fork.

Vlastimil Babka (2):
  mm, slab: put should_failslab() back behind CONFIG_SHOULD_FAILSLAB
  mm, page_alloc: put should_fail_alloc_page() back behing CONFIG_FAIL_PAGE_ALLOC

 include/linux/fault-inject.h | 11 ++++-------
 kernel/bpf/verifier.c        |  4 ++++
 mm/fail_page_alloc.c         |  4 +++-
 mm/failslab.c                | 14 ++++++++------
 mm/page_alloc.c              |  6 ------
 mm/slab_common.c             |  8 --------
 6 files changed, 19 insertions(+), 28 deletions(-)

--
2.34.1