- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] ocfs2: uncache inode which has failed entering the group
by Yifan Qiao 05 Dec '24

05 Dec '24

From: Dmitry Antipov <dmantipov(a)yandex.ru> stable inclusion from stable-v6.6.63 commit 843dfc804af4b338ead42331dd58081b428ecdf8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB8IUZ CVE: CVE-2024-53112 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 737f34137844d6572ab7d473c998c7f977ff30eb upstream. Syzbot has reported the following BUG: kernel BUG at fs/ocfs2/uptodate.c:509! ... Call Trace: <TASK> ? __die_body+0x5f/0xb0 ? die+0x9e/0xc0 ? do_trap+0x15a/0x3a0 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? do_error_trap+0x1dc/0x2c0 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? __pfx_do_error_trap+0x10/0x10 ? handle_invalid_op+0x34/0x40 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? exc_invalid_op+0x38/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? ocfs2_set_new_buffer_uptodate+0x2e/0x160 ? ocfs2_set_new_buffer_uptodate+0x144/0x160 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ocfs2_group_add+0x39f/0x15a0 ? __pfx_ocfs2_group_add+0x10/0x10 ? __pfx_lock_acquire+0x10/0x10 ? mnt_get_write_access+0x68/0x2b0 ? __pfx_lock_release+0x10/0x10 ? rcu_read_lock_any_held+0xb7/0x160 ? __pfx_rcu_read_lock_any_held+0x10/0x10 ? smack_log+0x123/0x540 ? mnt_get_write_access+0x68/0x2b0 ? mnt_get_write_access+0x68/0x2b0 ? mnt_get_write_access+0x226/0x2b0 ocfs2_ioctl+0x65e/0x7d0 ? __pfx_ocfs2_ioctl+0x10/0x10 ? smack_file_ioctl+0x29e/0x3a0 ? __pfx_smack_file_ioctl+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x43d/0x780 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 ? __pfx_ocfs2_ioctl+0x10/0x10 __se_sys_ioctl+0xfb/0x170 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular inode in 'ocfs2_verify_group_and_input()', corresponding buffer head remains cached and subsequent call to the same 'ioctl()' for the same inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying to cache the same buffer head of that inode). Fix this by uncaching the buffer head with 'ocfs2_remove_from_cache()' on error path in 'ocfs2_group_add()'. Link: https://lkml.kernel.org/r/20241114043844.111847-1-dmantipov@yandex.ru Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Reported-by: syzbot+453873f1588c2d75b447(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=453873f1588c2d75b447 Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Dmitry Antipov <dmantipov(a)yandex.ru> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ocfs2/resize.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index d65d43c61857..b2b47bb79529 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c @@ -566,6 +566,8 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) ocfs2_commit_trans(osb, handle); out_free_group_bh: + if (ret < 0) + ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh); brelse(group_bh); out_unlock: -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP1] ocfs2: uncache inode which has failed entering the group
by Yifan Qiao 05 Dec '24

05 Dec '24

From: Dmitry Antipov <dmantipov(a)yandex.ru> mainline inclusion from mainline-v6.12 commit 737f34137844d6572ab7d473c998c7f977ff30eb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB8IUZ CVE: CVE-2024-53112 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Syzbot has reported the following BUG: kernel BUG at fs/ocfs2/uptodate.c:509! ... Call Trace: <TASK> ? __die_body+0x5f/0xb0 ? die+0x9e/0xc0 ? do_trap+0x15a/0x3a0 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? do_error_trap+0x1dc/0x2c0 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? __pfx_do_error_trap+0x10/0x10 ? handle_invalid_op+0x34/0x40 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ? exc_invalid_op+0x38/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? ocfs2_set_new_buffer_uptodate+0x2e/0x160 ? ocfs2_set_new_buffer_uptodate+0x144/0x160 ? ocfs2_set_new_buffer_uptodate+0x145/0x160 ocfs2_group_add+0x39f/0x15a0 ? __pfx_ocfs2_group_add+0x10/0x10 ? __pfx_lock_acquire+0x10/0x10 ? mnt_get_write_access+0x68/0x2b0 ? __pfx_lock_release+0x10/0x10 ? rcu_read_lock_any_held+0xb7/0x160 ? __pfx_rcu_read_lock_any_held+0x10/0x10 ? smack_log+0x123/0x540 ? mnt_get_write_access+0x68/0x2b0 ? mnt_get_write_access+0x68/0x2b0 ? mnt_get_write_access+0x226/0x2b0 ocfs2_ioctl+0x65e/0x7d0 ? __pfx_ocfs2_ioctl+0x10/0x10 ? smack_file_ioctl+0x29e/0x3a0 ? __pfx_smack_file_ioctl+0x10/0x10 ? lockdep_hardirqs_on_prepare+0x43d/0x780 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 ? __pfx_ocfs2_ioctl+0x10/0x10 __se_sys_ioctl+0xfb/0x170 do_syscall_64+0xf3/0x230 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... </TASK> When 'ioctl(OCFS2_IOC_GROUP_ADD, ...)' has failed for the particular inode in 'ocfs2_verify_group_and_input()', corresponding buffer head remains cached and subsequent call to the same 'ioctl()' for the same inode issues the BUG() in 'ocfs2_set_new_buffer_uptodate()' (trying to cache the same buffer head of that inode). Fix this by uncaching the buffer head with 'ocfs2_remove_from_cache()' on error path in 'ocfs2_group_add()'. Link: https://lkml.kernel.org/r/20241114043844.111847-1-dmantipov@yandex.ru Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Reported-by: syzbot+453873f1588c2d75b447(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=453873f1588c2d75b447 Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Dmitry Antipov <dmantipov(a)yandex.ru> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ocfs2/resize.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index 24eb52f9059c..78788659ccf5 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c @@ -568,6 +568,8 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) ocfs2_commit_trans(osb, handle); out_free_group_bh: + if (ret < 0) + ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh); brelse(group_bh); out_unlock: -- 2.39.2

2 1

[openeuler:OLK-5.10 2516/2516] drivers/ub/urma/ubcore/ubcore_device.c:1329:5: warning: no previous prototype for 'ubcore_dispatch_event'
by kernel test robot 05 Dec '24

05 Dec '24

Hi WenChen, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b71af6f00ede58be00cb7306c9acb2660ec90947 commit: f1753f8b17480bdb750cbd33fbaa358aef5dbb23 [2516/2516] urma: upload kernel patch for 20240219_Spring config: arm64-randconfig-003-20241203 (https://download.01.org/0day-ci/archive/20241205/202412051043.VbAyfzTq-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412051043.VbAyfzTq-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412051043.VbAyfzTq-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/ub/urma/ubcore/ubcore_device.c:352:6: warning: no previous prototype for 'ubcore_destroy_upi_list' [-Wmissing-prototypes] 352 | void ubcore_destroy_upi_list(struct ubcore_device *dev) | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_device.c:440:23: warning: no previous prototype for 'ubcore_find_tpf_device_legacy' [-Wmissing-prototypes] 440 | struct ubcore_device *ubcore_find_tpf_device_legacy(void) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/ubcore/ubcore_device.c:1329:5: warning: no previous prototype for 'ubcore_dispatch_event' [-Wmissing-prototypes] 1329 | int ubcore_dispatch_event(struct ubcore_event *event) | ^~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_device.c:1454:6: warning: no previous prototype for 'ubcore_dev_accessible' [-Wmissing-prototypes] 1454 | bool ubcore_dev_accessible(struct ubcore_device *dev) | ^~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/ubcore/ubcore_device.c:2015:6: warning: no previous prototype for 'ubcore_net_exit' [-Wmissing-prototypes] 2015 | void ubcore_net_exit(struct net *net) | ^~~~~~~~~~~~~~~ -- >> drivers/ub/urma/ubcore/ubcore_cdev_file.c:690:5: warning: no previous prototype for 'ubcore_create_port_attr_files' [-Wmissing-prototypes] 690 | int ubcore_create_port_attr_files(struct ubcore_logic_device *ldev, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_cdev_file.c:785:5: warning: no previous prototype for 'ubcore_create_eid_attr_files' [-Wmissing-prototypes] 785 | int ubcore_create_eid_attr_files(struct ubcore_logic_device *ldev, uint32_t eid_num) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/ubcore/ubcore_cdev_file.c:797:5: warning: no previous prototype for 'ubcore_create_dev_attr_files' [-Wmissing-prototypes] 797 | int ubcore_create_dev_attr_files(struct ubcore_logic_device *ldev) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/ubcore/ubcore_cdev_file.c:810:6: warning: no previous prototype for 'ubcore_remove_port_attr_files' [-Wmissing-prototypes] 810 | void ubcore_remove_port_attr_files(struct ubcore_logic_device *ldev, uint8_t port_id) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_cdev_file.c:815:6: warning: no previous prototype for 'ubcore_remove_eid_attr_files' [-Wmissing-prototypes] 815 | void ubcore_remove_eid_attr_files(struct ubcore_logic_device *ldev, uint32_t eid_num) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/ubcore/ubcore_cdev_file.c:820:6: warning: no previous prototype for 'ubcore_remove_dev_attr_files' [-Wmissing-prototypes] 820 | void ubcore_remove_dev_attr_files(struct ubcore_logic_device *ldev) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/ubcore_dispatch_event +1329 drivers/ub/urma/ubcore/ubcore_device.c 1328 > 1329 int ubcore_dispatch_event(struct ubcore_event *event) 1330 { 1331 struct ubcore_event_work *l_ubcore_event; 1332 1333 l_ubcore_event = kzalloc(sizeof(*l_ubcore_event), GFP_ATOMIC); 1334 if (!l_ubcore_event) 1335 return -ENOMEM; 1336 1337 INIT_WORK(&l_ubcore_event->work, ubcore_dispatch_event_task); 1338 l_ubcore_event->event = *event; 1339 1340 if (ubcore_queue_work((int)UBCORE_DISPATCH_EVENT_WQ, &l_ubcore_event->work) != 0) { 1341 kfree(l_ubcore_event); 1342 ubcore_log_err("Queue work failed"); 1343 } 1344 1345 return 0; 1346 } 1347 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] USB: serial: io_edgeport: fix use after free in debug printk
by Guo Mengqi 05 Dec '24

05 Dec '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream. The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage") Cc: stable(a)vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/usb/serial/io_edgeport.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4b48ef4adbeb..618e2b16e204 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -846,11 +846,12 @@ static void edge_bulk_out_data_callback(struct urb *urb) static void edge_bulk_out_cmd_callback(struct urb *urb) { struct edgeport_port *edge_port = urb->context; + struct device *dev = &urb->dev->dev; int status = urb->status; atomic_dec(&CmdUrbs); - dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n", - __func__, urb, atomic_read(&CmdUrbs)); + dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb, + atomic_read(&CmdUrbs)); /* clean up the transfer buffer */ @@ -860,8 +861,7 @@ static void edge_bulk_out_cmd_callback(struct urb *urb) usb_free_urb(urb); if (status) { - dev_dbg(&urb->dev->dev, - "%s - nonzero write bulk status received: %d\n", + dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", __func__, status); return; } -- 2.17.1

2 1

[PATCH openEuler-22.03-LTS-SP1] USB: serial: io_edgeport: fix use after free in debug printk
by Guo Mengqi 05 Dec '24

05 Dec '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream. The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage") Cc: stable(a)vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/usb/serial/io_edgeport.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 4b48ef4adbeb..618e2b16e204 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -846,11 +846,12 @@ static void edge_bulk_out_data_callback(struct urb *urb) static void edge_bulk_out_cmd_callback(struct urb *urb) { struct edgeport_port *edge_port = urb->context; + struct device *dev = &urb->dev->dev; int status = urb->status; atomic_dec(&CmdUrbs); - dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n", - __func__, urb, atomic_read(&CmdUrbs)); + dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb, + atomic_read(&CmdUrbs)); /* clean up the transfer buffer */ @@ -860,8 +861,7 @@ static void edge_bulk_out_cmd_callback(struct urb *urb) usb_free_urb(urb); if (status) { - dev_dbg(&urb->dev->dev, - "%s - nonzero write bulk status received: %d\n", + dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", __func__, status); return; } -- 2.17.1

2 1

[PATCH openEuler-1.0-LTS] USB: serial: io_edgeport: fix use after free in debug printk
by Guo Mengqi 05 Dec '24

05 Dec '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v4.19.324 commit e6ceb04eeb6115d872d4c4078d12f1170ed755ce category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVJ CVE: CVE-2024-50267 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream. The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue. Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage") Cc: stable(a)vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/usb/serial/io_edgeport.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c index 97eb738b058f..8090b6ec2641 100644 --- a/drivers/usb/serial/io_edgeport.c +++ b/drivers/usb/serial/io_edgeport.c @@ -846,11 +846,12 @@ static void edge_bulk_out_data_callback(struct urb *urb) static void edge_bulk_out_cmd_callback(struct urb *urb) { struct edgeport_port *edge_port = urb->context; + struct device *dev = &urb->dev->dev; int status = urb->status; atomic_dec(&CmdUrbs); - dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n", - __func__, urb, atomic_read(&CmdUrbs)); + dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb, + atomic_read(&CmdUrbs)); /* clean up the transfer buffer */ @@ -860,8 +861,7 @@ static void edge_bulk_out_cmd_callback(struct urb *urb) usb_free_urb(urb); if (status) { - dev_dbg(&urb->dev->dev, - "%s - nonzero write bulk status received: %d\n", + dev_dbg(dev, "%s - nonzero write bulk status received: %d\n", __func__, status); return; } -- 2.17.1

2 1

[PATCH OLK-6.6 v3 0/3] irqchip: gic: some bugfix of hip10
by Zhou Wang 05 Dec '24

05 Dec '24

Patch#1: add erratum 162200803 for hip10c and exclude GICv4.1 for hip10/hip10c erratum 162200803. Patch#2: replace 'is_pending' with 'val' and change hisi cpu type hip09 to hip10. Patch#3: fix the bug that a large-specification VM fails to be created. Kunkun Jiang (2): KVM: arm64: vgic-v3: Fix a issue of hip10 erratum 162200806 irqchip/gic-v4.1:Check whether indirect table is supported in allocate_vpe_l1_table Zhou Wang (1): irqchip/gic-v3: Exclude GICv4.1 for hip10 erratum 162200803 Documentation/arch/arm64/silicon-errata.rst | 4 +-- arch/arm64/kvm/vgic/vgic-mmio-v3.c | 2 +- arch/arm64/kvm/vgic/vgic-mmio.c | 15 ++++---- arch/arm64/kvm/vgic/vgic-mmio.h | 4 +-- drivers/irqchip/irq-gic-v3-its.c | 8 +++-- drivers/irqchip/irq-gic-v3.c | 38 +++++++++++++-------- 6 files changed, 42 insertions(+), 29 deletions(-) -- 2.33.0

2 4

[PATCH openEuler-22.03-LTS-SP1] vp_vdpa: fix id_table array not null terminated error
by liukai 05 Dec '24

05 Dec '24

From: Xiaoguang Wang <lege.wang(a)jaguarmicro.com> stable inclusion from stable-v6.1.119 commit 870d68fe17b5d9032049dcad98b5781a344a8657 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB8IUJ CVE: CVE-2024-53110 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- commit 4e39ecadf1d2a08187139619f1f314b64ba7d947 upstream. Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory. Fixes: ffbda8e9df10 ("vdpa/vp_vdpa : add vdpa tool support in vp_vdpa") Cc: stable(a)vger.kernel.org Suggested-by: Parav Pandit <parav(a)nvidia.com> Signed-off-by: Angus Chen <angus.chen(a)jaguarmicro.com> Signed-off-by: Xiaoguang Wang <lege.wang(a)jaguarmicro.com> Message-Id: <20241105133518.1494-1-lege.wang(a)jaguarmicro.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Reviewed-by: Parav Pandit <parav(a)nvidia.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/vdpa/virtio_pci/vp_vdpa.c b/drivers/vdpa/virtio_pci/vp_vdpa.c index bc0bdcc7bcea..4e513a38df60 100644 --- a/drivers/vdpa/virtio_pci/vp_vdpa.c +++ b/drivers/vdpa/virtio_pci/vp_vdpa.c @@ -574,7 +574,11 @@ static int vp_vdpa_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto mdev_err; } - mdev_id = kzalloc(sizeof(struct virtio_device_id), GFP_KERNEL); + /* + * id_table should be a null terminated array, so allocate one additional + * entry here, see vdpa_mgmtdev_get_classes(). + */ + mdev_id = kcalloc(2, sizeof(struct virtio_device_id), GFP_KERNEL); if (!mdev_id) { err = -ENOMEM; goto mdev_id_err; @@ -594,8 +598,8 @@ static int vp_vdpa_probe(struct pci_dev *pdev, const struct pci_device_id *id) goto probe_err; } - mdev_id->device = mdev->id.device; - mdev_id->vendor = mdev->id.vendor; + mdev_id[0].device = mdev->id.device; + mdev_id[0].vendor = mdev->id.vendor; mgtdev->id_table = mdev_id; mgtdev->max_supported_vqs = vp_modern_get_num_queues(mdev); mgtdev->supported_features = vp_modern_get_features(mdev); -- 2.34.1

2 1

[openeuler:OLK-5.10 2544/2544] drivers/ub/urma/uburma/uburma_dev_ops.c:50:19: sparse: sparse: incompatible types in comparison expression (different address spaces):
by kernel test robot 05 Dec '24

05 Dec '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b71af6f00ede58be00cb7306c9acb2660ec90947 commit: aeda8188894b2ed9ecf04dabaf5e147bce811725 [2544/2544] ub: change name in kconfig, and kconfig content of ub config: x86_64-randconfig-121-20241205 (https://download.01.org/0day-ci/archive/20241205/202412050919.gZc1zM8m-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241205/202412050919.gZc1zM8m-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412050919.gZc1zM8m-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) drivers/ub/urma/uburma/uburma_dev_ops.c: note: in included file (through include/linux/kernel.h, include/linux/list.h, include/linux/wait.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_dev_ops.c: note: in included file (through include/linux/printk.h, include/linux/kernel.h, include/linux/list.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_dev_ops.c: note: in included file (through include/linux/string.h, include/linux/bitmap.h, include/linux/cpumask.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type >> drivers/ub/urma/uburma/uburma_dev_ops.c:50:19: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_dev_ops.c:50:19: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_dev_ops.c:50:19: sparse: struct ubcore_device * drivers/ub/urma/uburma/uburma_dev_ops.c:71:9: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_dev_ops.c:71:9: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_dev_ops.c:71:9: sparse: struct ubcore_device * drivers/ub/urma/uburma/uburma_dev_ops.c:98:19: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_dev_ops.c:98:19: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_dev_ops.c:98:19: sparse: struct ubcore_device * -- drivers/ub/urma/uburma/uburma_event.c: note: in included file (through include/linux/kernel.h, include/asm-generic/bug.h, arch/x86/include/asm/bug.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_event.c: note: in included file (through include/linux/printk.h, include/linux/kernel.h, include/asm-generic/bug.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_event.c: note: in included file (through include/linux/string.h, include/linux/bitmap.h, include/linux/cpumask.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type >> drivers/ub/urma/uburma/uburma_event.c:102:20: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_event.c:102:20: sparse: void [noderef] __rcu * drivers/ub/urma/uburma/uburma_event.c:102:20: sparse: void * -- drivers/ub/urma/uburma/uburma_main.c: note: in included file (through include/linux/kernel.h, include/asm-generic/bug.h, arch/x86/include/asm/bug.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_main.c: note: in included file (through include/linux/printk.h, include/linux/kernel.h, include/asm-generic/bug.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_main.c: note: in included file (through include/linux/string.h, include/linux/bitmap.h, include/linux/cpumask.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type >> drivers/ub/urma/uburma/uburma_main.c:215:9: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_main.c:215:9: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_main.c:215:9: sparse: struct ubcore_device * drivers/ub/urma/uburma/uburma_main.c:239:9: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_main.c:239:9: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_main.c:239:9: sparse: struct ubcore_device * -- drivers/ub/urma/uburma/uburma_uobj.c: note: in included file (through include/linux/kernel.h): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_uobj.c: note: in included file (through include/linux/printk.h, include/linux/kernel.h): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_uobj.c: note: in included file (through include/linux/string.h, include/linux/bitmap.h, include/linux/cpumask.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type >> drivers/ub/urma/uburma/uburma_uobj.c:95:19: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_uobj.c:95:19: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_uobj.c:95:19: sparse: struct ubcore_device * drivers/ub/urma/uburma/uburma_uobj.c:396:19: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_uobj.c:396:19: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_uobj.c:396:19: sparse: struct ubcore_device * -- drivers/ub/urma/uburma/uburma_cmd.c: note: in included file (through include/linux/kernel.h, include/linux/list.h, include/linux/wait.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_cmd.c: note: in included file (through include/linux/printk.h, include/linux/kernel.h, include/linux/list.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type drivers/ub/urma/uburma/uburma_cmd.c: note: in included file (through include/linux/string.h, include/linux/bitmap.h, include/linux/cpumask.h, ...): /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: Expected ) in function call /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:44: sparse: sparse: got < /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:43: sparse: sparse: not a function <noident> /opt/cross/clang-ab51eccf88/lib/clang/19/include/stdarg.h:22:22: sparse: sparse: bad constant expression type >> drivers/ub/urma/uburma/uburma_cmd.c:296:16: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_cmd.c:296:16: sparse: void [noderef] __rcu * drivers/ub/urma/uburma/uburma_cmd.c:296:16: sparse: void * drivers/ub/urma/uburma/uburma_cmd.c:1568:19: sparse: sparse: incompatible types in comparison expression (different address spaces): drivers/ub/urma/uburma/uburma_cmd.c:1568:19: sparse: struct ubcore_device [noderef] __rcu * drivers/ub/urma/uburma/uburma_cmd.c:1568:19: sparse: struct ubcore_device * vim +50 drivers/ub/urma/uburma/uburma_dev_ops.c cd637a6dded9c0 Yizhen Fan 2023-09-12 32 7d130c6018dbfd Yizhen Fan 2023-09-12 33 int uburma_mmap(struct file *filp, struct vm_area_struct *vma) 7d130c6018dbfd Yizhen Fan 2023-09-12 34 { 7d130c6018dbfd Yizhen Fan 2023-09-12 35 struct uburma_file *file = filp->private_data; 7d130c6018dbfd Yizhen Fan 2023-09-12 36 struct uburma_device *ubu_dev; 7d130c6018dbfd Yizhen Fan 2023-09-12 37 struct ubcore_device *ubc_dev; 7d130c6018dbfd Yizhen Fan 2023-09-12 38 int srcu_idx; 7d130c6018dbfd Yizhen Fan 2023-09-12 39 int ret; 7d130c6018dbfd Yizhen Fan 2023-09-12 40 7d130c6018dbfd Yizhen Fan 2023-09-12 41 if (file == NULL || file->ucontext == NULL) { 7d130c6018dbfd Yizhen Fan 2023-09-12 42 uburma_log_err("can not find ucontext.\n"); 7d130c6018dbfd Yizhen Fan 2023-09-12 43 return -EINVAL; 7d130c6018dbfd Yizhen Fan 2023-09-12 44 } 7d130c6018dbfd Yizhen Fan 2023-09-12 45 7d130c6018dbfd Yizhen Fan 2023-09-12 46 ubu_dev = file->ubu_dev; 7d130c6018dbfd Yizhen Fan 2023-09-12 47 uburma_cmd_inc(ubu_dev); 7d130c6018dbfd Yizhen Fan 2023-09-12 48 7d130c6018dbfd Yizhen Fan 2023-09-12 49 srcu_idx = srcu_read_lock(&ubu_dev->ubc_dev_srcu); 7d130c6018dbfd Yizhen Fan 2023-09-12 @50 ubc_dev = srcu_dereference(ubu_dev->ubc_dev, &ubu_dev->ubc_dev_srcu); 7d130c6018dbfd Yizhen Fan 2023-09-12 51 if (ubc_dev == NULL || ubc_dev->ops == NULL || ubc_dev->ops->mmap == NULL) { 7d130c6018dbfd Yizhen Fan 2023-09-12 52 uburma_log_err("can not find ubcore device.\n"); 7d130c6018dbfd Yizhen Fan 2023-09-12 53 ret = -ENODEV; 7d130c6018dbfd Yizhen Fan 2023-09-12 54 goto out; 7d130c6018dbfd Yizhen Fan 2023-09-12 55 } 7d130c6018dbfd Yizhen Fan 2023-09-12 56 7d130c6018dbfd Yizhen Fan 2023-09-12 57 ret = ubc_dev->ops->mmap(file->ucontext, vma); 7d130c6018dbfd Yizhen Fan 2023-09-12 58 7d130c6018dbfd Yizhen Fan 2023-09-12 59 out: 7d130c6018dbfd Yizhen Fan 2023-09-12 60 srcu_read_unlock(&ubu_dev->ubc_dev_srcu, srcu_idx); 7d130c6018dbfd Yizhen Fan 2023-09-12 61 uburma_cmd_dec(ubu_dev); 7d130c6018dbfd Yizhen Fan 2023-09-12 62 return ret; 7d130c6018dbfd Yizhen Fan 2023-09-12 63 } 7d130c6018dbfd Yizhen Fan 2023-09-12 64 :::::: The code at line 50 was first introduced by commit :::::: 7d130c6018dbfd09c6e1c5d91b347fdbf3924321 ub: add mmap ops support in ubcore and uburma :::::: TO: Yizhen Fan <fanyizhen(a)huawei.com> :::::: CC: fanyizhen1995 <en_0015767(a)163.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] usb: typec: altmode should keep reference to parent
by Zhang Zekun 05 Dec '24

05 Dec '24

From: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> stable inclusion from stable-v4.19.323 commit 2b0b33e8a58388fa9078f0fbe9af1900e6b08879 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SU4 CVE: CVE-2024-50150 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------------------- [ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ] The altmode device release refers to its parent device, but without keeping a reference to it. When registering the altmode, get a reference to the parent and put it in the release function. Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues like this: [ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000) [ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000) [ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000) [ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000) [ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000) [ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000) [ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000) [ 46.612867] ================================================================== [ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129 [ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 [ 46.614538] [ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 [ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 46.616042] Workqueue: events kobject_delayed_cleanup [ 46.616446] Call Trace: [ 46.616648] <TASK> [ 46.616820] dump_stack_lvl+0x5b/0x7c [ 46.617112] ? typec_altmode_release+0x38/0x129 [ 46.617470] print_report+0x14c/0x49e [ 46.617769] ? rcu_read_unlock_sched+0x56/0x69 [ 46.618117] ? __virt_addr_valid+0x19a/0x1ab [ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d [ 46.618807] ? typec_altmode_release+0x38/0x129 [ 46.619161] kasan_report+0x8d/0xb4 [ 46.619447] ? typec_altmode_release+0x38/0x129 [ 46.619809] ? process_scheduled_works+0x3cb/0x85f [ 46.620185] typec_altmode_release+0x38/0x129 [ 46.620537] ? process_scheduled_works+0x3cb/0x85f [ 46.620907] device_release+0xaf/0xf2 [ 46.621206] kobject_delayed_cleanup+0x13b/0x17a [ 46.621584] process_scheduled_works+0x4f6/0x85f [ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10 [ 46.622353] ? hlock_class+0x31/0x9a [ 46.622647] ? lock_acquired+0x361/0x3c3 [ 46.622956] ? move_linked_works+0x46/0x7d [ 46.623277] worker_thread+0x1ce/0x291 [ 46.623582] ? __kthread_parkme+0xc8/0xdf [ 46.623900] ? __pfx_worker_thread+0x10/0x10 [ 46.624236] kthread+0x17e/0x190 [ 46.624501] ? kthread+0xfb/0x190 [ 46.624756] ? __pfx_kthread+0x10/0x10 [ 46.625015] ret_from_fork+0x20/0x40 [ 46.625268] ? __pfx_kthread+0x10/0x10 [ 46.625532] ret_from_fork_asm+0x1a/0x30 [ 46.625805] </TASK> [ 46.625953] [ 46.626056] Allocated by task 678: [ 46.626287] kasan_save_stack+0x24/0x44 [ 46.626555] kasan_save_track+0x14/0x2d [ 46.626811] __kasan_kmalloc+0x3f/0x4d [ 46.627049] __kmalloc_noprof+0x1bf/0x1f0 [ 46.627362] typec_register_port+0x23/0x491 [ 46.627698] cros_typec_probe+0x634/0xbb6 [ 46.628026] platform_probe+0x47/0x8c [ 46.628311] really_probe+0x20a/0x47d [ 46.628605] device_driver_attach+0x39/0x72 [ 46.628940] bind_store+0x87/0xd7 [ 46.629213] kernfs_fop_write_iter+0x1aa/0x218 [ 46.629574] vfs_write+0x1d6/0x29b [ 46.629856] ksys_write+0xcd/0x13b [ 46.630128] do_syscall_64+0xd4/0x139 [ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 46.630820] [ 46.630946] Freed by task 48: [ 46.631182] kasan_save_stack+0x24/0x44 [ 46.631493] kasan_save_track+0x14/0x2d [ 46.631799] kasan_save_free_info+0x3f/0x4d [ 46.632144] __kasan_slab_free+0x37/0x45 [ 46.632474] kfree+0x1d4/0x252 [ 46.632725] device_release+0xaf/0xf2 [ 46.633017] kobject_delayed_cleanup+0x13b/0x17a [ 46.633388] process_scheduled_works+0x4f6/0x85f [ 46.633764] worker_thread+0x1ce/0x291 [ 46.634065] kthread+0x17e/0x190 [ 46.634324] ret_from_fork+0x20/0x40 [ 46.634621] ret_from_fork_asm+0x1a/0x30 Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/usb/typec/class.c [Context difference only, no logical change] Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/usb/typec/class.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c index 1916ee1600b4..80efe0a53a55 100644 --- a/drivers/usb/typec/class.c +++ b/drivers/usb/typec/class.c @@ -462,6 +462,7 @@ static void typec_altmode_release(struct device *dev) typec_altmode_put_partner(alt); altmode_id_remove(alt->adev.dev.parent, alt->id); + put_device(alt->adev.dev.parent); kfree(alt); } @@ -509,6 +510,8 @@ typec_register_altmode(struct device *parent, alt->adev.dev.type = &typec_altmode_dev_type; dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id); + get_device(alt->adev.dev.parent); + /* Link partners and plugs with the ports */ if (is_port) BLOCKING_INIT_NOTIFIER_HEAD(&alt->nh); -- 2.17.1

2 1