- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1] net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr
by Liu Jian 24 Jul '24

24 Jul '24

From: Miaoqian Lin <linmq006(a)gmail.com> mainline inclusion from mainline-v5.17-rc8 commit c9ffa3e2bc451816ce0295e40063514fabf2bd36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGT8 CVE: CVE-2022-48859 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- This node pointer is returned by of_find_compatible_node() with refcount incremented. Calling of_node_put() to aovid the refcount leak. Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/net/ethernet/marvell/prestera/prestera_main.c [Did not backport 83216e3988cd1.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/ethernet/marvell/prestera/prestera_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c index f406f5b517b0..e1e251f84c7d 100644 --- a/drivers/net/ethernet/marvell/prestera/prestera_main.c +++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c @@ -480,6 +480,7 @@ static int prestera_switch_set_base_mac_addr(struct prestera_switch *sw) eth_random_addr(sw->base_mac); dev_info(prestera_dev(sw), "using random base mac address\n"); } + of_node_put(np); return prestera_hw_switch_mac_set(sw, sw->base_mac); } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
by Yue Haibing 24 Jul '24

24 Jul '24

From: Nicolas Escande <nico.escande(a)gmail.com> stable inclusion from stable-v4.19.317 commit 377dbb220edc8421b7960691876c5b3bef62f89b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD0PK CVE: CVE-2024-40942 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ] The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") Signed-off-by: Nicolas Escande <nico.escande(a)gmail.com> Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yue Haibing <yuehaibing(a)huawei.com> --- net/mac80211/mesh_pathtbl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index ac1f5db52994..1d5626daddfa 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -739,10 +739,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata, */ void mesh_path_flush_pending(struct mesh_path *mpath) { + struct ieee80211_sub_if_data *sdata = mpath->sdata; + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; + struct mesh_preq_queue *preq, *tmp; struct sk_buff *skb; while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL) mesh_path_discard_frame(mpath->sdata, skb); + + spin_lock_bh(&ifmsh->mesh_preq_queue_lock); + list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) { + if (ether_addr_equal(mpath->dst, preq->dst)) { + list_del(&preq->list); + kfree(preq); + --ifmsh->preq_queue_len; + } + } + spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); } /** -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] mISDN: Fix memory leak in dsp_pipeline_build()
by Pu Lehui 24 Jul '24

24 Jul '24

From: Alexey Khoroshilov <khoroshilov(a)ispras.ru> mainline inclusion from mainline-v5.17-rc8 commit c6a502c2299941c8326d029cfc8a3bc8a4607ad5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGSF CVE: CVE-2022-48863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Fixes: 960366cf8dbb ("Add mISDN DSP") Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/isdn/mISDN/dsp_pipeline.c [The conflicts were due to not merge some unnecessary commit] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/isdn/mISDN/dsp_pipeline.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c index e72b4e73cd61..fb8153f1aff7 100644 --- a/drivers/isdn/mISDN/dsp_pipeline.c +++ b/drivers/isdn/mISDN/dsp_pipeline.c @@ -236,7 +236,7 @@ void dsp_pipeline_destroy(struct dsp_pipeline *pipeline) int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg) { int incomplete = 0, found = 0; - char *dup, *tok, *name, *args; + char *dup, *next, *tok, *name, *args; struct dsp_element_entry *entry, *n; struct dsp_pipeline_entry *pipeline_entry; struct mISDN_dsp_element *elem; @@ -247,10 +247,10 @@ int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg) if (!list_empty(&pipeline->list)) _dsp_pipeline_destroy(pipeline); - dup = kstrdup(cfg, GFP_ATOMIC); + dup = next = kstrdup(cfg, GFP_ATOMIC); if (!dup) return 0; - while ((tok = strsep(&dup, "|"))) { + while ((tok = strsep(&next, "|"))) { if (!strlen(tok)) continue; name = strsep(&tok, "("); -- 2.34.1

2 1

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS WITH WARNING 9bfba2528a2aa14944ebc307632e8d93b929947d
by kernel test robot 24 Jul '24

24 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: 9bfba2528a2aa14944ebc307632e8d93b929947d !10125 nvme-rdma: fix possible use-after-free in transport error_recovery work Warning: (recently discovered and may have been fixed) kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed' [-Wmissing-prototypes] Unverified Warning (likely false positive, please contact us if interested): drivers/block/loop.c:1338 loop_set_status() warn: inconsistent returns '&loop_ctl_mutex'. Warning ids grouped by kconfigs: recent_errors |-- x86_64-buildonly-randconfig-001-20240724 | |-- drivers-scsi-huawei-hifc-unf_io_abnormal.o:warning:objtool:missing-symbol-for-section-.text | `-- drivers-scsi-huawei-hifc-unf_npiv.o:warning:objtool:missing-symbol-for-section-.text |-- x86_64-randconfig-073-20240521 | `-- kernel-livepatch-core.c:warning:no-previous-prototype-for-function-klp_check_patch_kprobed `-- x86_64-randconfig-161-20240430 `-- drivers-block-loop.c-loop_set_status()-warn:inconsistent-returns-loop_ctl_mutex-. elapsed time: 731m configs tested: 19 configs skipped: 139 tested configs: arm64 allmodconfig gcc-14.1.0 arm64 allnoconfig gcc-14.1.0 arm64 defconfig gcc-14.1.0 arm64 randconfig-001-20240724 gcc-14.1.0 arm64 randconfig-002-20240724 gcc-14.1.0 arm64 randconfig-003-20240724 gcc-14.1.0 arm64 randconfig-004-20240724 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240724 clang-18 x86_64 buildonly-randconfig-002-20240724 clang-18 x86_64 buildonly-randconfig-003-20240724 gcc-13 x86_64 buildonly-randconfig-004-20240724 clang-18 x86_64 buildonly-randconfig-005-20240724 clang-18 x86_64 buildonly-randconfig-006-20240724 clang-18 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240724 clang-18 x86_64 randconfig-002-20240724 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10] BUILD SUCCESS ba9f4e2064691aaa5bdbc0e8514f1aa7cb4d0ffc
by kernel test robot 24 Jul '24

24 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: ba9f4e2064691aaa5bdbc0e8514f1aa7cb4d0ffc !9780 ksmbd: fix wrong DataOffset validation of create context elapsed time: 725m configs tested: 35 configs skipped: 139 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-14.1.0 arm64 defconfig gcc-14.1.0 arm64 randconfig-001-20240724 gcc-14.1.0 arm64 randconfig-002-20240724 gcc-14.1.0 arm64 randconfig-003-20240724 gcc-14.1.0 arm64 randconfig-004-20240724 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240724 clang-18 x86_64 buildonly-randconfig-002-20240724 clang-18 x86_64 buildonly-randconfig-003-20240724 gcc-13 x86_64 buildonly-randconfig-004-20240724 clang-18 x86_64 buildonly-randconfig-005-20240724 clang-18 x86_64 buildonly-randconfig-006-20240724 clang-18 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240724 clang-18 x86_64 randconfig-002-20240724 clang-18 x86_64 randconfig-003-20240724 clang-18 x86_64 randconfig-004-20240724 gcc-10 x86_64 randconfig-005-20240724 clang-18 x86_64 randconfig-006-20240724 gcc-13 x86_64 randconfig-011-20240724 clang-18 x86_64 randconfig-012-20240724 gcc-13 x86_64 randconfig-013-20240724 clang-18 x86_64 randconfig-014-20240724 clang-18 x86_64 randconfig-015-20240724 clang-18 x86_64 randconfig-016-20240724 clang-18 x86_64 randconfig-071-20240724 gcc-13 x86_64 randconfig-072-20240724 gcc-11 x86_64 randconfig-073-20240724 clang-18 x86_64 randconfig-074-20240724 gcc-13 x86_64 randconfig-075-20240724 gcc-13 x86_64 randconfig-076-20240724 gcc-13 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD SUCCESS e41736c067dfafe9852c82c3422860f0f70ab11f
by kernel test robot 24 Jul '24

24 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: e41736c067dfafe9852c82c3422860f0f70ab11f !9782 usb-storage: alauda: Check whether the media is initialized Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag |-- arm64-randconfig-001-20240724 | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- arm64-randconfig-003-20240724 | |-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data) | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- arm64-randconfig-004-20240724 | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- loongarch-allmodconfig | `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument `-- x86_64-allyesconfig `-- drivers-gpu-drm-amd-amdgpu-..-amdkfd-kfd_topology.c:warning:stack-frame-size-()-exceeds-limit-()-in-kfd_topology_add_device elapsed time: 720m configs tested: 14 configs skipped: 134 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240724 gcc-14.1.0 arm64 randconfig-002-20240724 gcc-14.1.0 arm64 randconfig-003-20240724 gcc-14.1.0 arm64 randconfig-004-20240724 gcc-14.1.0 loongarch allmodconfig gcc-14.1.0 loongarch allnoconfig gcc-14.1.0 loongarch randconfig-001-20240724 gcc-14.1.0 loongarch randconfig-002-20240724 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 defconfig gcc-13 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] netfilter: nf_tables: do not compare internal table flags on updates
by dinglongwei 23 Jul '24

23 Jul '24

From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v5.10.214 commit fcf32a5bfcb8a57ac0ce717fcfa4d688c91f1005 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L9IS CVE: CVE-2024-27065 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139 ] Restore skipping transaction if table update does not modify flags. Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: dinglongwei <dinglongwei1(a)huawei.com> --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3c98254f3a37..1a3bc800534d 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1116,7 +1116,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) if (flags & ~NFT_TABLE_F_DORMANT) return -EINVAL; - if (flags == ctx->table->flags) + if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) return 0; /* No dormant off/on/off/on games in single transaction */ -- 2.17.1

2 1

[PATCH openEuler-1.0-LTS] NFSD: Fix the behavior of READ near OFFSET_MAX
by Li Lingfeng 23 Jul '24

23 Jul '24

From: Chuck Lever <chuck.lever(a)oracle.com> mainline inclusion from mainline-v5.17-rc4 commit 0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADG80 CVE: CVE-2022-48827 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it returns an NFS code of EINVAL to the client. The client as > a result indefinitely retries the request. The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ. Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. This behavior appears to be consistent with Solaris NFS servers. Note that NFSv3 and NFSv4 use u64 offset values on the wire. These must be converted to loff_t internally before use -- an implicit type cast is not adequate for this purpose. Otherwise VFS checks against sb->s_maxbytes do not work properly. Reported-by: Dan Aloni <dan.aloni(a)vastdata.com> Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Conflicts: fs/nfsd/nfs3proc.c fs/nfsd/nfs4proc.c fs/nfsd/nfs4xdr.c [Commit be63bd2ac6bb("NFSD: Update READ3arg decoder to use struct xdr_stream") modified the method of initializing resp->count; Commit 5c4583b2b78e("nfsd: hook up nfs4_preprocess_stateid_op to the nfsd_file cache") remove rd_filp from nfsd4_read and remove the check of rd_tmp_file in nfsd4_encode_read; Commit 528b84934eb9("NFSD: Add READ_PLUS data support") add READ_PLUS data support.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs3proc.c | 11 ++++++++--- fs/nfsd/nfs4proc.c | 8 ++++++-- fs/nfsd/nfs4xdr.c | 5 +---- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c index c9cf46e0c040..2ac8f5912dfa 100644 --- a/fs/nfsd/nfs3proc.c +++ b/fs/nfsd/nfs3proc.c @@ -154,18 +154,23 @@ nfsd3_proc_read(struct svc_rqst *rqstp) struct nfsd3_readres *resp = rqstp->rq_resp; __be32 nfserr; u32 max_blocksize = svc_max_payload(rqstp); - unsigned long cnt = min(argp->count, max_blocksize); dprintk("nfsd: READ(3) %s %lu bytes at %Lu\n", SVCFH_fmt(&argp->fh), (unsigned long) argp->count, (unsigned long long) argp->offset); + argp->count = min_t(u32, argp->count, max_blocksize); + if (argp->offset > (u64)OFFSET_MAX) + argp->offset = (u64)OFFSET_MAX; + if (argp->offset + argp->count > (u64)OFFSET_MAX) + argp->count = (u64)OFFSET_MAX - argp->offset; + /* Obtain buffer pointer for payload. * 1 (status) + 22 (post_op_attr) + 1 (count) + 1 (eof) * + 1 (xdr opaque byte count) = 26 */ - resp->count = cnt; + resp->count = argp->count; svc_reserve_auth(rqstp, ((1 + NFS3_POST_OP_ATTR_WORDS + 3)<<2) + resp->count +4); fh_copy(&resp->fh, &argp->fh); @@ -175,7 +180,7 @@ nfsd3_proc_read(struct svc_rqst *rqstp) &resp->count); if (nfserr == 0) { struct inode *inode = d_inode(resp->fh.fh_dentry); - resp->eof = nfsd_eof_on_read(cnt, resp->count, argp->offset, + resp->eof = nfsd_eof_on_read(resp->count, resp->count, argp->offset, inode->i_size); } diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 1c3e6de6bcba..8bb0b6d2ea4e 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -760,12 +760,16 @@ nfsd4_read(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, __be32 status; read->rd_filp = NULL; - if (read->rd_offset >= OFFSET_MAX) - return nfserr_inval; trace_nfsd_read_start(rqstp, &cstate->current_fh, read->rd_offset, read->rd_length); + read->rd_length = min_t(u32, read->rd_length, svc_max_payload(rqstp)); + if (read->rd_offset > (u64)OFFSET_MAX) + read->rd_offset = (u64)OFFSET_MAX; + if (read->rd_offset + read->rd_length > (u64)OFFSET_MAX) + read->rd_length = (u64)OFFSET_MAX - read->rd_offset; + /* * If we do a zero copy read, then a client will see read data * that reflects the state of the file *after* performing the diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index db0beefe65ec..7dae38d21041 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -3595,11 +3595,8 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr, } xdr_commit_encode(xdr); - maxcount = svc_max_payload(resp->rqstp); - maxcount = min_t(unsigned long, maxcount, + maxcount = min_t(unsigned long, read->rd_length, (xdr->buf->buflen - xdr->buf->len)); - maxcount = min_t(unsigned long, maxcount, read->rd_length); - if (read->rd_tmp_file) ra = nfsd_init_raparms(file); -- 2.31.1

2 1

[openeuler:openEuler-1.0-LTS 1696/23347] drivers/usb/roles/class.o: warning: objtool: missing symbol for section .exit.text
by kernel test robot 23 Jul '24

23 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 8d2f09e210f079f53eb6c1ba1ef639d73a17d61b commit: bb87eff0e698d6e312b435f482d4b0b5672b11d0 [1696/23347] usb: roles: Add a description for the class to Kconfig config: x86_64-buildonly-randconfig-005-20240723 (https://download.01.org/0day-ci/archive/20240723/202407232033.iAaUwu3f-lkp@…) compiler: gcc-12 (Ubuntu 12.3.0-9ubuntu2) 12.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240723/202407232033.iAaUwu3f-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202407232033.iAaUwu3f-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from drivers/usb/roles/class.c:12: include/linux/module.h:133:13: warning: 'init_module' specifies less restrictive attribute than its target 'usb_roles_init': 'cold' [-Wmissing-attributes] 133 | int init_module(void) __attribute__((alias(#initfn))); | ^~~~~~~~~~~ include/linux/module.h:116:41: note: in expansion of macro 'module_init' 116 | #define subsys_initcall(fn) module_init(fn) | ^~~~~~~~~~~ drivers/usb/roles/class.c:303:1: note: in expansion of macro 'subsys_initcall' 303 | subsys_initcall(usb_roles_init); | ^~~~~~~~~~~~~~~ drivers/usb/roles/class.c:298:19: note: 'init_module' target declared here 298 | static int __init usb_roles_init(void) | ^~~~~~~~~~~~~~ include/linux/module.h:139:14: warning: 'cleanup_module' specifies less restrictive attribute than its target 'usb_roles_exit': 'cold' [-Wmissing-attributes] 139 | void cleanup_module(void) __attribute__((alias(#exitfn))); | ^~~~~~~~~~~~~~ drivers/usb/roles/class.c:309:1: note: in expansion of macro 'module_exit' 309 | module_exit(usb_roles_exit); | ^~~~~~~~~~~ drivers/usb/roles/class.c:305:20: note: 'cleanup_module' target declared here 305 | static void __exit usb_roles_exit(void) | ^~~~~~~~~~~~~~ >> drivers/usb/roles/class.o: warning: objtool: missing symbol for section .exit.text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH v2 openEuler-22.03-LTS-SP1] usb-storage: alauda: Check whether the media is initialized
by Jinjiang Tu 23 Jul '24

23 Jul '24

From: Shichao Lai <shichaorai(a)gmail.com> mainline inclusion from mainline-v6.10-rc4 commit 16637fea001ab3c8df528a8995b3211906165a30 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6YQV CVE: CVE-2024-38619 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). - Add a member "media_initialized" to struct alauda_info. - Change a condition in alauda_check_media() to ensure the first initialization. - Add an error check for the return value of alauda_init_media(). Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reviewed-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Shichao Lai <shichaorai(a)gmail.com> Link: https://lore.kernel.org/r/20240526012745.2852061-1-shichaorai@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/usb/storage/alauda.c [Due to LTS commit fe7c3a445d22 is not merged, the rc variable is not defined.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/usb/storage/alauda.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c index 20b857e97e60..fd487f047b89 100644 --- a/drivers/usb/storage/alauda.c +++ b/drivers/usb/storage/alauda.c @@ -105,6 +105,8 @@ struct alauda_info { unsigned char sense_key; unsigned long sense_asc; /* additional sense code */ unsigned long sense_ascq; /* additional sense code qualifier */ + + bool media_initialized; }; #define short_pack(lsb,msb) ( ((u16)(lsb)) | ( ((u16)(msb))<<8 ) ) @@ -453,6 +455,7 @@ static int alauda_check_media(struct us_data *us) { struct alauda_info *info = (struct alauda_info *) us->extra; unsigned char status[2]; + int rc; alauda_get_media_status(us, status); @@ -468,11 +471,12 @@ static int alauda_check_media(struct us_data *us) } /* Check for media change */ - if (status[0] & 0x08) { + if (status[0] & 0x08 || !info->media_initialized) { usb_stor_dbg(us, "Media change detected\n"); alauda_free_maps(&MEDIA_INFO(us)); - alauda_init_media(us); - + rc = alauda_init_media(us); + if (rc == USB_STOR_TRANSPORT_GOOD) + info->media_initialized = true; info->sense_key = UNIT_ATTENTION; info->sense_asc = 0x28; info->sense_ascq = 0x00; -- 2.25.1

2 1