kernel@openeuler.org

  • 27 participants
  • 18548 discussions
[PATCH OLK-5.10] fs/ntfs3: Fix possible deadlock in mi_read
by Zizhi Wo 14 Nov '24

14 Nov '24
From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> stable inclusion from stable-v5.15.171 commit 47e8a17491e37df53743bc2e72309f8f0d6224af category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB37AB CVE: CVE-2024-50245 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit 03b097099eef255fbf85ea6a786ae3c91b11f041 ] Mutex lock with another subclass used in ni_lock_dir(). Fixes: 374d4c9cc51b ("fs/ntfs3: Add file operations and implementation") Reported-by: syzbot+bc7ca0ae4591cb2550f9(a)syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/ntfs3/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c index 945dcf7a34d9..50d6d9fbcf67 100644 --- a/fs/ntfs3/namei.c +++ b/fs/ntfs3/namei.c @@ -79,7 +79,7 @@ static struct dentry *ntfs_lookup(struct inode *dir, struct dentry *dentry, if (err < 0) inode = ERR_PTR(err); else { - ni_lock(ni); + ni_lock_dir(ni); inode = dir_search_u(dir, uni, NULL); ni_unlock(ni); } -- 2.46.1
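Review bot: the changelog does not say which lock ordering this resolves. The subject names mi_read, but the only change is in ntfs_lookup(), where `ni_lock(ni)` becomes `ni_lock_dir(ni)`, and the body is a single sentence about a mutex subclass. Please name the two locks involved, or quote the relevant part of the syzbot report, so a backport reviewer can tell why the subclass matters on this lookup path. The unlock stays `ni_unlock(ni)`; please also confirm in the message that ni_lock_dir() takes the same mutex that ni_unlock() releases.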
[PATCH OLK-5.10] fs/ntfs3: Check if more than chunk-size bytes are written
by Zizhi Wo 14 Nov '24

14 Nov '24
From: Andrew Ballance <andrewjballance(a)gmail.com> stable inclusion from stable-v5.15.171 commit e5ae7859008688626b4d2fa6139eeaa08e255053 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB379U CVE: CVE-2024-50247 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 9931122d04c6d431b2c11b5bb7b10f28584067f0 ] A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Signed-off-by: Andrew Ballance <andrewjballance(a)gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/ntfs3/lznt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c index 28f654561f27..09db01c1098c 100644 --- a/fs/ntfs3/lznt.c +++ b/fs/ntfs3/lznt.c @@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr, /* Do decompression until pointers are inside range. */ while (up < unc_end && cmpr < cmpr_end) { + // return err if more than LZNT_CHUNK_SIZE bytes are written + if (up - unc > LZNT_CHUNK_SIZE) + return -EINVAL; /* Correct index */ while (unc + s_max_off[index] < up) index += 1; -- 2.46.1
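Review bot: the added check in decompress_chunk() compares with `>`, so an iteration that starts with exactly LZNT_CHUNK_SIZE bytes written still reaches the `s_max_off[index]` walk below it. The table is not visible in this hunk, so please confirm that its last entry covers that offset, or use `>=` if it does not. The new comment describes the test as a limit on bytes written, while its placement at the top of the loop protects the s_max_off lookup named in the changelog; the comment should say so. Style: the new comment uses `//` while the neighbouring comments in this function use `/* */`.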
[PATCH openEuler-22.03-LTS-SP1] fs/ntfs3: Add rough attr alloc_size check
by Zizhi Wo 14 Nov '24

14 Nov '24
From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> stable inclusion from stable-v6.6.60 commit e91fbb21f248bdd8140f343dac32b77b9bc10fec category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB37BA CVE: CVE-2024-50246 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c4a8ba334262e9a5c158d618a4820e1b9c12495c ] Reported-by: syzbot+c6d94bedd910a8216d25(a)syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/ntfs3/record.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 463b0abc1051..cc1aa626bb9e 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -319,6 +319,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) if (attr->nres.c_unit) return NULL; + + if (alloc_size > mi->sbi->volume.size) + return NULL; } return attr; -- 2.46.1
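Review bot: the commit message has no description, only tags, so nothing explains why `alloc_size > mi->sbi->volume.size` in mi_enum_attr() is the right bound or what the syzbot report hit. Please add a sentence on the failure and on why the check is "rough", as the subject puts it. A short comment above the new test should also state that both values are in the same unit, since the declaration of alloc_size is outside this hunk. Returning NULL is consistent with the `attr->nres.c_unit` rejection just above it.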
[PATCH openEuler-22.03-LTS-SP1 V1] e100: Fix possible use after free in e100_xmit_prepare
by Zicheng Qu 14 Nov '24

14 Nov '24
From: Wang Hai <wanghai38(a)huawei.com> stable inclusion from stable-v5.10.158 commit b775f37d943966f6f77dca402f5a9dedce502c25 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYREC Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ] In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free. Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare") Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Reviewed-by: Alexander Duyck <alexanderduyck(a)fb.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/intel/e100.c [The purpose of the if condition is the same in both cases. In openeuler, it is `if (pci_dma_mapping_error(nic->pdev, dma_addr))`, and in version 5.10, it is `if (dma_mapping_error(&nic->pdev->dev, dma_addr))`. Both are intended to "map the skb, allowing the upper layer to try later." Therefore, retain the original `if` condition from openeuler, and remove the code that frees the skb, aligning with the patch's purpose.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/net/ethernet/intel/e100.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c index 8f7d2a335654..511f23f2a931 100644 --- a/drivers/net/ethernet/intel/e100.c +++ b/drivers/net/ethernet/intel/e100.c 
@@ -1742,11 +1742,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb, dma_addr = pci_map_single(nic->pdev, skb->data, skb->len, PCI_DMA_TODEVICE); /* If we can't map the skb, have the upper layer try later */ - if (pci_dma_mapping_error(nic->pdev, dma_addr)) { - dev_kfree_skb_any(skb); - skb = NULL; + if (pci_dma_mapping_error(nic->pdev, dma_addr)) return -ENOMEM; - } /* * Use the last 4 bytes of the SKB payload packet as the CRC, used for -- 2.34.1
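Review bot: with the free removed from the mapping-error branch of e100_xmit_prepare(), the skb stays owned by the caller on -ENOMEM, so every path that reaches this function has to hand the skb back or free it. The changelog covers e100_xmit_frame() returning NETDEV_TX_BUSY; please confirm in the Conflicts note that no other caller in the openEuler tree drops the error, since that would now leak the skb. The retained `pci_dma_mapping_error(nic->pdev, dma_addr)` condition and the existing comment "have the upper layer try later" are consistent with the new behaviour.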
[PATCH openEuler-22.03-LTS-SP1 V1] aoe: fix the potential use-after-free problem in more places
by Zicheng Qu 14 Nov '24

14 Nov '24
From: Chun-Yi Lee <joeyli.kernel(a)gmail.com> stable inclusion from stable-v5.10.227 commit f63461af2c1a86af4217910e47a5c46e3372e645 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9W CVE: CVE-2024-49982 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream. For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue. Cc: stable(a)vger.kernel.org Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") Reported-by: Nicolai Stange <nstange(a)suse.com> Signed-off-by: Chun-Yi Lee <jlee(a)suse.com> Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/block/aoe/aoecmd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c index c805909c8e77..833ccf2cd5df 100644 
--- a/drivers/block/aoe/aoecmd.c +++ b/drivers/block/aoe/aoecmd.c @@ -362,6 +362,7 @@ ata_rw_frameinit(struct frame *f) } ah->cmdstat = ATA_CMD_PIO_READ | writebit | extbit; + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; } @@ -402,6 +403,8 @@ aoecmd_ata_rw(struct aoedev *d) __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); aoenet_xmit(&queue); + } else { + dev_put(f->t->ifp->nd); } return 1; } @@ -484,10 +487,13 @@ resend(struct aoedev *d, struct frame *f) memcpy(h->dst, t->addr, sizeof h->dst); memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src); + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; skb = skb_clone(skb, GFP_ATOMIC); - if (skb == NULL) + if (skb == NULL) { + dev_put(t->ifp->nd); return; + } f->sent = ktime_get(); __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); @@ -618,6 +624,8 @@ probe(struct aoetgt *t) __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); aoenet_xmit(&queue); + } else { + dev_put(f->t->ifp->nd); } } @@ -1403,6 +1411,7 @@ aoecmd_ata_id(struct aoedev *d) ah->cmdstat = ATA_CMD_ID_ATA; ah->lba3 = 0xa0; + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; d->rttavg = RTTAVG_INIT; @@ -1412,6 +1421,8 @@ aoecmd_ata_id(struct aoedev *d) skb = skb_clone(skb, GFP_ATOMIC); if (skb) f->sent = ktime_get(); + else + dev_put(t->ifp->nd); return skb; } -- 2.34.1
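Review bot: the hold and the put do not name the device the same way. ata_rw_frameinit() takes `dev_hold(t->ifp->nd)`, while the new else branches in aoecmd_ata_rw() and probe() release `dev_put(f->t->ifp->nd)`. If `ifp` can move to another interface between frame init and the failed clone, the put lands on a netdev that was never held; please confirm that it cannot, or release the device that was stored in the original skb at init time. In resend() and aoecmd_ata_id() the hold and the put both use `t->ifp->nd` within the same function, which is easier to audit.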
[PATCH OLK-5.10 V1] aoe: fix the potential use-after-free problem in more places
by Zicheng Qu 14 Nov '24

14 Nov '24
From: Chun-Yi Lee <joeyli.kernel(a)gmail.com> stable inclusion from stable-v5.10.227 commit f63461af2c1a86af4217910e47a5c46e3372e645 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9W CVE: CVE-2024-49982 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream. For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put() instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe have potential use-after-free problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packet to tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes that the refcnt of skb->dev be reduced to a negative value, because corresponding dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixed this issue. Cc: stable(a)vger.kernel.org Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270 Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") Reported-by: Nicolai Stange <nstange(a)suse.com> Signed-off-by: Chun-Yi Lee <jlee(a)suse.com> Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/block/aoe/aoecmd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c index c805909c8e77..833ccf2cd5df 100644 
--- a/drivers/block/aoe/aoecmd.c +++ b/drivers/block/aoe/aoecmd.c @@ -362,6 +362,7 @@ ata_rw_frameinit(struct frame *f) } ah->cmdstat = ATA_CMD_PIO_READ | writebit | extbit; + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; } @@ -402,6 +403,8 @@ aoecmd_ata_rw(struct aoedev *d) __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); aoenet_xmit(&queue); + } else { + dev_put(f->t->ifp->nd); } return 1; } @@ -484,10 +487,13 @@ resend(struct aoedev *d, struct frame *f) memcpy(h->dst, t->addr, sizeof h->dst); memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src); + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; skb = skb_clone(skb, GFP_ATOMIC); - if (skb == NULL) + if (skb == NULL) { + dev_put(t->ifp->nd); return; + } f->sent = ktime_get(); __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); @@ -618,6 +624,8 @@ probe(struct aoetgt *t) __skb_queue_head_init(&queue); __skb_queue_tail(&queue, skb); aoenet_xmit(&queue); + } else { + dev_put(f->t->ifp->nd); } } @@ -1403,6 +1411,7 @@ aoecmd_ata_id(struct aoedev *d) ah->cmdstat = ATA_CMD_ID_ATA; ah->lba3 = 0xa0; + dev_hold(t->ifp->nd); skb->dev = t->ifp->nd; d->rttavg = RTTAVG_INIT; @@ -1412,6 +1421,8 @@ aoecmd_ata_id(struct aoedev *d) skb = skb_clone(skb, GFP_ATOMIC); if (skb) f->sent = ktime_get(); + else + dev_put(t->ifp->nd); return skb; } -- 2.34.1
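Review bot: the changelog lists revalidate() and aoecmd_cfg_rsp() among the functions that need a dev_hold(), but the hunks touch only ata_rw_frameinit(), aoecmd_ata_rw(), resend(), probe() and aoecmd_ata_id(). Please say in the message how those two are covered (for example through aoecmd_ata_id(), if that is the shared path), so the backport can be checked against the stated scope. This posting carries the same diff and index line as the openEuler-22.03-LTS-SP1 one; a note that it applied to OLK-5.10 without conflicts would help.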
[PATCH openEuler-22.03-LTS-SP1 V1] scsi: pm80xx: Set phy->enable_completion only when we wait for it
by Zicheng Qu 14 Nov '24

14 Nov '24
From: Igor Pylypiv <ipylypiv(a)google.com> stable inclusion from stable-v6.6.51 commit 7b1d779647afaea9185fa2f150b1721e7c1aae89 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAVU94 CVE: CVE-2024-47666 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4f949ef1516c0d74745ee54a0f4882c1f6c7aea ] pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash. Signed-off-by: Igor Pylypiv <ipylypiv(a)google.com> Signed-off-by: Terrence Adams <tadamsjr(a)google.com> Link: https://lore.kernel.org/r/20240627155924.2361370-2-tadamsjr@google.com Acked-by: Jack Wang <jinpu.wang(a)ionos.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/scsi/pm8001/pm8001_sas.c [The 5.10 stable version lacks this patch 7b1d779647afaea9185fa2f150b1721e7c1aae89, which was pulled from 6.6. Missing commits a961ea0afd632cc570b71e455fe4328ee2fd9348 and 4851c39aae3a917d09983e1c6948fa9d749b5448 in 5.10 led to manually removing the if (PM8001_CHIP_DISP->fatal_errors(pm8001_ha)) code.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/scsi/pm8001/pm8001_sas.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c index f77061396871..2d5f2ab0a0f7 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c 
@@ -163,7 +163,6 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, unsigned long flags; pm8001_ha = sas_phy->ha->lldd_ha; phy = &pm8001_ha->phy[phy_id]; - pm8001_ha->phy[phy_id].enable_completion = &completion; switch (func) { case PHY_FUNC_SET_LINK_RATE: rates = funcdata; @@ -176,6 +175,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, rates->maximum_linkrate; } if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -184,6 +184,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, break; case PHY_FUNC_HARD_RESET: if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -192,6 +193,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, break; case PHY_FUNC_LINK_RESET: if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } -- 2.34.1
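Review bot: after `wait_for_completion(&completion)` returns in each of the three PHY_LINK_DISABLE branches, `enable_completion` still holds the address of the on-stack completion unless the completing side clears it, and that code is not in this diff. Please confirm that the response handler sets the pointer to NULL after calling complete(), or clear it here after the wait, so that no stale stack address outlives pm8001_phy_control(). Moving the assignment next to `phy_start_req()` does address the case in the changelog, where the pointer was set even when nothing waited on it.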
[PATCH OLK-5.10 V1] scsi: pm80xx: Set phy->enable_completion only when we wait for it
by Zicheng Qu 14 Nov '24

14 Nov '24
From: Igor Pylypiv <ipylypiv(a)google.com> stable inclusion from stable-v6.6.51 commit 7b1d779647afaea9185fa2f150b1721e7c1aae89 category: bugfix bugzilla: IAVU94 CVE: CVE-2024-47666 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4f949ef1516c0d74745ee54a0f4882c1f6c7aea ] pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash. Signed-off-by: Igor Pylypiv <ipylypiv(a)google.com> Signed-off-by: Terrence Adams <tadamsjr(a)google.com> Link: https://lore.kernel.org/r/20240627155924.2361370-2-tadamsjr@google.com Acked-by: Jack Wang <jinpu.wang(a)ionos.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/scsi/pm8001/pm8001_sas.c [The 5.10 stable version lacks this patch 7b1d779647afaea9185fa2f150b1721e7c1aae89, which was pulled from 6.6. Missing commits a961ea0afd632cc570b71e455fe4328ee2fd9348 and 4851c39aae3a917d09983e1c6948fa9d749b5448 in 5.10 led to manually removing the if (PM8001_CHIP_DISP->fatal_errors(pm8001_ha)) code.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/scsi/pm8001/pm8001_sas.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c index f77061396871..2d5f2ab0a0f7 100644 --- a/drivers/scsi/pm8001/pm8001_sas.c +++ b/drivers/scsi/pm8001/pm8001_sas.c 
@@ -163,7 +163,6 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, unsigned long flags; pm8001_ha = sas_phy->ha->lldd_ha; phy = &pm8001_ha->phy[phy_id]; - pm8001_ha->phy[phy_id].enable_completion = &completion; switch (func) { case PHY_FUNC_SET_LINK_RATE: rates = funcdata; @@ -176,6 +175,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, rates->maximum_linkrate; } if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -184,6 +184,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, break; case PHY_FUNC_HARD_RESET: if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } @@ -192,6 +193,7 @@ int pm8001_phy_control(struct asd_sas_phy *sas_phy, enum phy_func func, break; case PHY_FUNC_LINK_RESET: if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { + pm8001_ha->phy[phy_id].enable_completion = &completion; PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); wait_for_completion(&completion); } -- 2.34.1
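Review bot: the `bugzilla:` field here is the bare id `IAVU94`, while the openEuler-22.03-LTS-SP1 posting of the same change gives the full gitee issue URL; please use the URL form. The Conflicts note says the `if (PM8001_CHIP_DISP->fatal_errors(pm8001_ha))` code was removed by hand because two commits are missing in 5.10. It would help to state which hunk that affected, since the diff shown here has only the three added assignments and the one removed assignment counted in the diffstat.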
[PATCH openEuler-22.03-LTS-SP1 V1] staging: iio: frequency: ad9834: Validate frequency parameter value
by Zicheng Qu 14 Nov '24

14 Nov '24
From: Aleksandr Mishin <amishin(a)t-argos.ru> stable inclusion from stable-v5.10.226 commit 41cc91e3138fe52f8da92a81bebcd0e6cf488c53 category: bugfix bugzilla: IAVU8A CVE: CVE-2024-47663 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b48aa991758999d4e8f9296c5bbe388f293ef465 upstream. In ad9834_write_frequency() clk_get_rate() can return 0. In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 12b9d5bf76bf ("Staging: IIO: DDS: AD9833 / AD9834 driver") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://patch.msgid.link/20240703154506.25584-1-amishin@t-argos.ru Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/staging/iio/frequency/ad9834.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/iio/frequency/ad9834.c b/drivers/staging/iio/frequency/ad9834.c index 262c3590e64e..fa0a7056dea4 100644 --- a/drivers/staging/iio/frequency/ad9834.c +++ b/drivers/staging/iio/frequency/ad9834.c @@ -115,7 +115,7 @@ static int ad9834_write_frequency(struct ad9834_state *st, clk_freq = clk_get_rate(st->mclk); - if (fout > (clk_freq / 2)) + if (!clk_freq || fout > (clk_freq / 2)) return -EINVAL; regval = ad9834_calc_freqreg(clk_freq, fout); -- 2.34.1
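Review bot: the new condition `if (!clk_freq || fout > (clk_freq / 2))` in ad9834_write_frequency() deserves a one-line comment, because it is not obvious from the code that with clk_freq at 0 the old test already rejected every non-zero fout and only fout == 0 reached ad9834_calc_freqreg(). The changelog says this, but tersely. Separately, the `bugzilla:` field is the bare id `IAVU8A`, where other postings in this series give the full gitee issue URL; please use the URL form.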
[openeuler:openEuler-1.0-LTS 1294/1294] block/blk-io-hierarchy/debugfs.c:63:2: error: implicit declaration of function 'hierarchy_show_slow_io'
by kernel test robot 14 Nov '24

14 Nov '24
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: a81d020c58c2c6a55ebaf15846470a9ecb69bd1a commit: b2f723aef027af0f194ff0c9f53f8ae6a7cb7de3 [1294/1294] blk-io-hierarchy: support to recored the number of slow IO config: x86_64-randconfig-123-20241114 (https://download.01.org/0day-ci/archive/20241114/202411140945.MlPVuer1-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241114/202411140945.MlPVuer1-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411140945.MlPVuer1-lkp@intel.com/ All errors (new ones prefixed by >>): block/blk-io-hierarchy/debugfs.c: note: in included file (through include/linux/kernel.h, include/linux/list.h, include/linux/wait.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type block/blk-io-hierarchy/debugfs.c: note: in included file (through include/linux/printk.h, include/linux/kernel.h, include/linux/list.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type 
block/blk-io-hierarchy/debugfs.c: note: in included file (through include/linux/string.h, include/linux/bitmap.h, include/linux/cpumask.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type block/blk-io-hierarchy/debugfs.c:63:9: sparse: sparse: undefined identifier 'hierarchy_show_slow_io' In file included from block/blk-io-hierarchy/debugfs.c:15: In file included from include/linux/blkdev.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> block/blk-io-hierarchy/debugfs.c:63:2: error: implicit declaration of function 'hierarchy_show_slow_io' [-Werror,-Wimplicit-function-declaration] 63 | hierarchy_show_slow_io(hstats_data, m); | ^ block/blk-io-hierarchy/debugfs.c:63:2: note: did you mean 'hierarchy_account_slow_io'? block/blk-io-hierarchy/iodump.h:85:1: note: 'hierarchy_account_slow_io' declared here 85 | hierarchy_account_slow_io(struct hierarchy_stage *hstage, | ^ 1 warning and 1 error generated. 
-- In file included from block/blk-io-hierarchy/debugfs.c:15: In file included from include/linux/blkdev.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> block/blk-io-hierarchy/debugfs.c:63:2: error: implicit declaration of function 'hierarchy_show_slow_io' [-Werror,-Wimplicit-function-declaration] 63 | hierarchy_show_slow_io(hstats_data, m); | ^ block/blk-io-hierarchy/debugfs.c:63:2: note: did you mean 'hierarchy_account_slow_io'? block/blk-io-hierarchy/iodump.h:85:1: note: 'hierarchy_account_slow_io' declared here 85 | hierarchy_account_slow_io(struct hierarchy_stage *hstage, | ^ 1 warning and 1 error generated. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for SPI_PHYTIUM Depends on [n]: SPI [=y] && SPI_MASTER [=y] && (ARCH_PHYTIUM || COMPILE_TEST [=n]) Selected by [y]: - SPI_PHYTIUM_PLAT [=y] && SPI [=y] && SPI_MASTER [=y] vim +/hierarchy_show_slow_io +63 block/blk-io-hierarchy/debugfs.c 28 29 static int __hierarchy_stats_show(struct hierarchy_stats_data *hstats_data, 30 struct seq_file *m, enum stage_group stage) 31 { 32 u64 dispatched[NR_NEW_STAT_GROUPS] = {0}; 33 u64 completed[NR_NEW_STAT_GROUPS] = {0}; 34 u64 latency[NR_NEW_STAT_GROUPS] = {0}; 35 int cpu; 36 int i; 37 38 for_each_possible_cpu(cpu) { 39 struct hierarchy_stats *stat = 40 per_cpu_ptr(hstats_data->hstats, cpu); 41 42 for (i = 0; i < NR_NEW_STAT_GROUPS; ++i) { 43 dispatched[i] += stat->dispatched[i]; 44 completed[i] += stat->completed[i]; 45 latency[i] += stage_is_rq(stage) ? 
46 stat->jiffies[i] : stat->nsecs[i]; 47 } 48 } 49 50 if (stage_is_rq(stage)) 51 for (i = 0; i < NR_NEW_STAT_GROUPS; ++i) 52 latency[i] = 53 jiffies_to_msecs(latency[i]) * NSEC_PER_MSEC; 54 55 seq_printf(m, "%llu %llu %llu %llu %llu %llu %llu %llu %llu %llu %llu %llu", 56 dispatched[STAT_READ], completed[STAT_READ], 57 latency[STAT_READ], dispatched[STAT_WRITE], 58 completed[STAT_WRITE], latency[STAT_WRITE], 59 dispatched[STAT_DISCARD], completed[STAT_DISCARD], 60 latency[STAT_DISCARD], dispatched[STAT_FLUSH], 61 completed[STAT_FLUSH], latency[STAT_FLUSH]); 62 > 63 hierarchy_show_slow_io(hstats_data, m); 64 seq_putc(m, '\n'); 65 return 0; 66 } 67 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki