- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] x86/pm: Fix false positive kmemleak report in msr_build_context()
by Yongqiang Liu 30 May '23

30 May '23

From: Matthieu Baerts <matthieu.baerts(a)tessares.net> mainline inclusion from mainline-v5.19-rc1 commit b0b592cf08367719e1d1ef07c9f136e8c17f7ec3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I78RHX CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Since e2a1256b17b1 ("x86/speculation: Restore speculation related MSRs during S3 resume") kmemleak reports this issue: unreferenced object 0xffff888009cedc00 (size 256): comm "swapper/0", pid 1, jiffies 4294693823 (age 73.764s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00 ........H....... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: msr_build_context (include/linux/slab.h:621) pm_check_save_msr (arch/x86/power/cpu.c:520) do_one_initcall (init/main.c:1298) kernel_init_freeable (init/main.c:1370) kernel_init (init/main.c:1504) ret_from_fork (arch/x86/entry/entry_64.S:304) Reproducer: - boot the VM with a debug kernel config (see https://github.com/multipath-tcp/mptcp_net-next/issues/268) - wait ~1 minute - start a kmemleak scan The root cause here is alignment within the packed struct saved_context (from suspend_64.h). Kmemleak only searches for pointers that are aligned (see how pointers are scanned in kmemleak.c), but pahole shows that the saved_msrs struct member and all members after it in the structure are unaligned: struct saved_context { struct pt_regs regs; /* 0 168 */ /* --- cacheline 2 boundary (128 bytes) was 40 bytes ago --- */ u16 ds; /* 168 2 */ ... u64 misc_enable; /* 232 8 */ bool misc_enable_saved; /* 240 1 */ /* Note below odd offset values for the remainder of this struct */ struct saved_msrs saved_msrs; /* 241 16 */ /* --- cacheline 4 boundary (256 bytes) was 1 bytes ago --- */ long unsigned int efer; /* 257 8 */ u16 gdt_pad; /* 265 2 */ struct desc_ptr gdt_desc; /* 267 10 */ u16 idt_pad; /* 277 2 */ struct desc_ptr idt; /* 279 10 */ u16 ldt; /* 289 2 */ u16 tss; /* 291 2 */ long unsigned int tr; /* 293 8 */ long unsigned int safety; /* 301 8 */ long unsigned int return_address; /* 309 8 */ /* size: 317, cachelines: 5, members: 25 */ /* last cacheline: 61 bytes */ } __attribute__((__packed__)); Move misc_enable_saved to the end of the struct declaration so that saved_msrs fits in before the cacheline 4 boundary. The comment above the saved_context declaration says to fix wakeup_64.S file and __save/__restore_processor_state() if the struct is modified: it looks like all the accesses in wakeup_64.S are done through offsets which are computed at build-time. Update that comment accordingly. At the end, the false positive kmemleak report is due to a limitation from kmemleak but it is always good to avoid unaligned members for optimisation purposes. Please note that it looks like this issue is not new, e.g. https://lore.kernel.org/all/9f1bb619-c4ee-21c4-a251-870bd4db04fa@lwfinger.n… https://lore.kernel.org/all/94e48fcd-1dbd-ebd2-4c91-f39941735909@molgen.mpg… [ bp: Massage + cleanup commit message. ] Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume") Suggested-by: Mat Martineau <mathew.j.martineau(a)linux.intel.com> Signed-off-by: Matthieu Baerts <matthieu.baerts(a)tessares.net> Signed-off-by: Borislav Petkov <bp(a)suse.de> Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Link: https://lore.kernel.org/r/20220426202138.498310-1-matthieu.baerts@tessares.… Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Reviewed-by: Wei Li <liwei391(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- arch/x86/include/asm/suspend_32.h | 2 +- arch/x86/include/asm/suspend_64.h | 12 ++++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/suspend_32.h b/arch/x86/include/asm/suspend_32.h index 8be6afb58471..32662cbaa27e 100644 --- a/arch/x86/include/asm/suspend_32.h +++ b/arch/x86/include/asm/suspend_32.h @@ -21,7 +21,6 @@ struct saved_context { #endif unsigned long cr0, cr2, cr3, cr4; u64 misc_enable; - bool misc_enable_saved; struct saved_msrs saved_msrs; struct desc_ptr gdt_desc; struct desc_ptr idt; @@ -30,6 +29,7 @@ struct saved_context { unsigned long tr; unsigned long safety; unsigned long return_address; + bool misc_enable_saved; } __attribute__((packed)); #endif /* _ASM_X86_SUSPEND_32_H */ diff --git a/arch/x86/include/asm/suspend_64.h b/arch/x86/include/asm/suspend_64.h index a7af9f53c0cb..b2861400c6a2 100644 --- a/arch/x86/include/asm/suspend_64.h +++ b/arch/x86/include/asm/suspend_64.h @@ -14,9 +14,13 @@ * Image of the saved processor state, used by the low level ACPI suspend to * RAM code and by the low level hibernation code. * - * If you modify it, fix arch/x86/kernel/acpi/wakeup_64.S and make sure that - * __save/__restore_processor_state(), defined in arch/x86/kernel/suspend_64.c, - * still work as required. + * If you modify it, check how it is used in arch/x86/kernel/acpi/wakeup_64.S + * and make sure that __save/__restore_processor_state(), defined in + * arch/x86/power/cpu.c, still work as required. + * + * Because the structure is packed, make sure to avoid unaligned members. For + * optimisation purposes but also because tools like kmemleak only search for + * pointers that are aligned. */ struct saved_context { struct pt_regs regs; @@ -36,7 +40,6 @@ struct saved_context { unsigned long cr0, cr2, cr3, cr4, cr8; u64 misc_enable; - bool misc_enable_saved; struct saved_msrs saved_msrs; unsigned long efer; u16 gdt_pad; /* Unused */ @@ -48,6 +51,7 @@ struct saved_context { unsigned long tr; unsigned long safety; unsigned long return_address; + bool misc_enable_saved; } __attribute__((packed)); #define loaddebug(thread,register) \ -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS 1/2] drm: Fix use-after-free read in drm_getunique()
by Yongqiang Liu 30 May '23

30 May '23

From: Desmond Cheong Zhi Xi <desmondcheongzx(a)gmail.com> stable inclusion from stable-v4.19.195 commit 7d233ba700ceb593905ea82b42dadb4ec8ef85e9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I52XND CVE: CVE-2022-1280 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream. There is a time-of-check-to-time-of-use error in drm_getunique() due to retrieving file_priv->master prior to locking the device's master mutex. An example can be seen in the crash report of the use-after-free error found by Syzbot: https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f8… In the report, the master pointer was used after being freed. This is because another process had acquired the device's master mutex in drm_setmaster_ioctl(), then overwrote fpriv->master in drm_new_set_master(). The old value of fpriv->master was subsequently freed before the mutex was unlocked. To fix this, we lock the device's master mutex before retrieving the pointer from from fpriv->master. This patch passes the Syzbot reproducer test. Reported-by: syzbot+c3a706cec1ea99e1c693(a)syzkaller.appspotmail.com Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmo… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> Reviewed-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/gpu/drm/drm_ioctl.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c index 3fe512b8a488..d15d95e3bbf4 100644 --- a/drivers/gpu/drm/drm_ioctl.c +++ b/drivers/gpu/drm/drm_ioctl.c @@ -112,17 +112,18 @@ int drm_getunique(struct drm_device *dev, void *data, struct drm_file *file_priv) { struct drm_unique *u = data; - struct drm_master *master = file_priv->master; + struct drm_master *master; - mutex_lock(&master->dev->master_mutex); + mutex_lock(&dev->master_mutex); + master = file_priv->master; if (u->unique_len >= master->unique_len) { if (copy_to_user(u->unique, master->unique, master->unique_len)) { - mutex_unlock(&master->dev->master_mutex); + mutex_unlock(&dev->master_mutex); return -EFAULT; } } u->unique_len = master->unique_len; - mutex_unlock(&master->dev->master_mutex); + mutex_unlock(&dev->master_mutex); return 0; } -- 2.25.1

1 1

[PATCH 01/15] fix hikptool rciep rsp filed error problem
by veega 30 May '23

30 May '23

From: veega2022 <zhuweijia(a)huawei.com> union hikp_space_rsp 0xF8h is reserved and 0xFCh is cpl_status Signed-off-by: hesiyuan <hesiyuan4(a)huawei.com> --- libhikptdev/src/rciep/hikpt_rciep.c | 2 +- libhikptdev/src/rciep/hikpt_rciep.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libhikptdev/src/rciep/hikpt_rciep.c b/libhikptdev/src/rciep/hikpt_rciep.c index 9b7a82a..5c7e82f 100644 --- a/libhikptdev/src/rciep/hikpt_rciep.c +++ b/libhikptdev/src/rciep/hikpt_rciep.c @@ -97,7 +97,7 @@ static uint32_t hikp_wait_for_cpl_status(void) uint32_t status; do { - status = g_hikp_req->field.cpl_status; + status = g_hikp_rsp->field.cpl_status; if (status != HIKP_INIT_STAT) return status; count--; diff --git a/libhikptdev/src/rciep/hikpt_rciep.h b/libhikptdev/src/rciep/hikpt_rciep.h index 093724a..8fbb3c0 100644 --- a/libhikptdev/src/rciep/hikpt_rciep.h +++ b/libhikptdev/src/rciep/hikpt_rciep.h @@ -75,8 +75,8 @@ union hikp_space_rsp { uint32_t version; /* 000h */ uint32_t rsp_para_num; /* 004h */ uint32_t data[HIKP_RSP_DATA_MAX]; /* 008h */ - uint32_t cpl_status; /* 0F8h */ - uint32_t pid_record; /* 0FCh */ + uint32_t rsv; /* 0F8h */ + uint32_t cpl_status; /* 0FCh */ struct iep_doorbell sw_db; /* 100h. Fixed and unmodifiable */ } field; -- 2.36.1.windows.1

1 17

[PATCH] perf/smmuv3: Enable HiSilicon Erratum quirk
by Junhao He 29 May '23

29 May '23

From: Yicong Yang <yangyicong(a)hisilicon.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I798Y2 CVE: NA ---------------------------------------------------------------------- Some HiSilicon SMMU PMCG suffers the erratum that the global PMU disable control sometimes fail to disable each used the counters. This will lead to error or inaccurate data since before we enable the counters the counter's still counting for the event used in last perf session. This patch tries to fix this by hardening the global disable process. Before disable the PMU, writing an invalid event type (0xff) to focibly stop the counters. Signed-off-by: Yicong Yang <yangyicong(a)hisilicon.com> Signed-off-by: Junhao He <hejunhao3(a)huawei.com> --- drivers/acpi/arm64/iort.c | 3 +++ drivers/perf/arm_smmuv3_pmu.c | 22 +++++++++++++++++++++- include/linux/acpi_iort.h | 1 + 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c index d6e1569a72b1..33362f37b04a 100644 --- a/drivers/acpi/arm64/iort.c +++ b/drivers/acpi/arm64/iort.c @@ -1478,6 +1478,9 @@ static struct acpi_platform_list pmcg_plat_info[] __initdata = { /* HiSilicon Hip08 Platform */ {"HISI ", "HIP08 ", 0, ACPI_SIG_IORT, greater_than_or_equal, "Erratum #162001800", IORT_SMMU_V3_PMCG_HISI_HIP08}, + /* HiSilicon Hip09 Platform */ + {"HISI ", "HIP09 ", 0, ACPI_SIG_IORT, greater_than_or_equal, + "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, { } }; diff --git a/drivers/perf/arm_smmuv3_pmu.c b/drivers/perf/arm_smmuv3_pmu.c index f5de59451307..591d98bb4294 100644 --- a/drivers/perf/arm_smmuv3_pmu.c +++ b/drivers/perf/arm_smmuv3_pmu.c @@ -96,6 +96,7 @@ #define SMMU_PMCG_PA_SHIFT 12 #define SMMU_PMCG_EVCNTR_RDONLY BIT(0) +#define SMMU_PMCG_DISABLE_HARDEN BIT(1) static int cpuhp_state_num; @@ -140,10 +141,26 @@ static inline void smmu_pmu_enable(struct pmu *pmu) writel(SMMU_PMCG_CR_ENABLE, smmu_pmu->reg_base + SMMU_PMCG_CR); } +static inline void smmu_pmu_disable_harden(struct smmu_pmu *smmu_pmu) +{ + unsigned int idx; + + /* + * The global disable of PMU sometimes fail to stop the counting. + * Harden this by writing an invalid event type to each used counter + * to forcibly stop counting. + */ + for_each_set_bit(idx, smmu_pmu->used_counters, smmu_pmu->num_counters) + writel(0xffff, smmu_pmu->reg_base + SMMU_PMCG_EVTYPER(idx)); +} + static inline void smmu_pmu_disable(struct pmu *pmu) { struct smmu_pmu *smmu_pmu = to_smmu_pmu(pmu); + if (smmu_pmu->options & SMMU_PMCG_DISABLE_HARDEN) + smmu_pmu_disable_harden(smmu_pmu); + writel(0, smmu_pmu->reg_base + SMMU_PMCG_CR); writel(0, smmu_pmu->reg_base + SMMU_PMCG_IRQ_CTRL); } @@ -756,7 +773,10 @@ static void smmu_pmu_get_acpi_options(struct smmu_pmu *smmu_pmu) switch (model) { case IORT_SMMU_V3_PMCG_HISI_HIP08: /* HiSilicon Erratum 162001800 */ - smmu_pmu->options |= SMMU_PMCG_EVCNTR_RDONLY; + smmu_pmu->options |= SMMU_PMCG_EVCNTR_RDONLY | SMMU_PMCG_DISABLE_HARDEN; + break; + case IORT_SMMU_V3_PMCG_HISI_HIP09: + smmu_pmu->options |= SMMU_PMCG_DISABLE_HARDEN; break; } diff --git a/include/linux/acpi_iort.h b/include/linux/acpi_iort.h index 1a12baa58e40..136dba94c646 100644 --- a/include/linux/acpi_iort.h +++ b/include/linux/acpi_iort.h @@ -21,6 +21,7 @@ */ #define IORT_SMMU_V3_PMCG_GENERIC 0x00000000 /* Generic SMMUv3 PMCG */ #define IORT_SMMU_V3_PMCG_HISI_HIP08 0x00000001 /* HiSilicon HIP08 PMCG */ +#define IORT_SMMU_V3_PMCG_HISI_HIP09 0x00000002 /* HiSilicon HIP09 PMCG */ int iort_register_domain_token(int trans_id, phys_addr_t base, struct fwnode_handle *fw_node); -- 2.33.0

1 0

[OLK-5.10 0/3] Support T6 ETM and Workaround CPU hung bug on hip09
by Junhao He 29 May '23

29 May '23

1. Added support for HiSilicon T6 ETM 2. Fix CPU hold issue caused by hip09 ETM overflow Junhao He (3): coresight: etm4x: Add Support for HiSilicon T6 ETM coresight: etm4x: Workaround CPU hung bug on hip09 perf cs-etm: add error logging to cs_etm_is_etmv4() .../hwtracing/coresight/coresight-etm4x-core.c | 15 ++++++++++++++- tools/perf/arch/arm/util/cs-etm.c | 11 ++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) -- 2.33.0

1 3

[PATCH OLK-5.10 1/2] config: enable CONFIG_ARM64_AMU_EXTN to be compatible with AMU platform
by Zeng Heng 29 May '23

29 May '23

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I73EPL -------------------------------- The KunPeng newest released platform supports the feature of AMU, and this configuration is backward compatible. This patch would acts as a prepatch for the following patch series. Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 76de734953fc..7b047c0265ee 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -488,7 +488,7 @@ CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y # # ARMv8.4 architectural features # -# CONFIG_ARM64_AMU_EXTN is not set +CONFIG_ARM64_AMU_EXTN=y CONFIG_AS_HAS_ARMV8_4=y CONFIG_ARM64_TLB_RANGE=y # end of ARMv8.4 architectural features -- 2.25.1

1 1

[OLK-5.10 1/4] cpumask: Introduce DYING mask
by Zeng Heng 29 May '23

29 May '23

From: Peter Zijlstra <peterz(a)infradead.org> mainline inclusion from mainline-v5.13-rc1 commit e40f74c535b8a0ecf3ef0388b51a34cdadb34fb5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6VS35 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Introduce a cpumask that indicates (for each CPU) what direction the CPU hotplug is currently going. Notably, it tracks rollbacks. Eg. when an up fails and we do a roll-back down, it will accurately reflect the direction. Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Reviewed-by: Valentin Schneider <valentin.schneider(a)arm.com> Link: https://lkml.kernel.org/r/20210310150109.151441252@infradead.org Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- include/linux/cpumask.h | 19 +++++++++++++++++++ kernel/cpu.c | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h index 0159986ac9ce..92d5ecad8de6 100644 --- a/include/linux/cpumask.h +++ b/include/linux/cpumask.h @@ -91,10 +91,12 @@ extern struct cpumask __cpu_possible_mask; extern struct cpumask __cpu_online_mask; extern struct cpumask __cpu_present_mask; extern struct cpumask __cpu_active_mask; +extern struct cpumask __cpu_dying_mask; #define cpu_possible_mask ((const struct cpumask *)&__cpu_possible_mask) #define cpu_online_mask ((const struct cpumask *)&__cpu_online_mask) #define cpu_present_mask ((const struct cpumask *)&__cpu_present_mask) #define cpu_active_mask ((const struct cpumask *)&__cpu_active_mask) +#define cpu_dying_mask ((const struct cpumask *)&__cpu_dying_mask) extern atomic_t __num_online_cpus; @@ -118,6 +120,11 @@ static inline unsigned int num_online_cpus(void) #define cpu_possible(cpu) cpumask_test_cpu((cpu), cpu_possible_mask) #define cpu_present(cpu) cpumask_test_cpu((cpu), cpu_present_mask) #define cpu_active(cpu) cpumask_test_cpu((cpu), cpu_active_mask) +static inline int cpumask_test_cpu(int cpu, const struct cpumask *cpumask); +static inline bool cpu_dying(unsigned int cpu) +{ + return cpumask_test_cpu(cpu, cpu_dying_mask); +} #else #define num_online_cpus() 1U #define num_possible_cpus() 1U @@ -127,6 +134,10 @@ static inline unsigned int num_online_cpus(void) #define cpu_possible(cpu) ((cpu) == 0) #define cpu_present(cpu) ((cpu) == 0) #define cpu_active(cpu) ((cpu) == 0) +static inline bool cpu_dying(unsigned int cpu) +{ + return false; +} #endif extern cpumask_t cpus_booted_once_mask; @@ -851,6 +862,14 @@ set_cpu_active(unsigned int cpu, bool active) cpumask_clear_cpu(cpu, &__cpu_active_mask); } +static inline void +set_cpu_dying(unsigned int cpu, bool dying) +{ + if (dying) + cpumask_set_cpu(cpu, &__cpu_dying_mask); + else + cpumask_clear_cpu(cpu, &__cpu_dying_mask); +} /** * to_cpumask - convert an NR_CPUS bitmap to a struct cpumask * diff --git a/kernel/cpu.c b/kernel/cpu.c index c06ced18f78a..2a81a9dae3a7 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -157,6 +157,9 @@ static int cpuhp_invoke_callback(unsigned int cpu, enum cpuhp_state state, int (*cb)(unsigned int cpu); int ret, cnt; + if (cpu_dying(cpu) != !bringup) + set_cpu_dying(cpu, !bringup); + if (st->fail == state) { st->fail = CPUHP_INVALID; @@ -2502,6 +2505,9 @@ EXPORT_SYMBOL(__cpu_present_mask); struct cpumask __cpu_active_mask __read_mostly; EXPORT_SYMBOL(__cpu_active_mask); +struct cpumask __cpu_dying_mask __read_mostly; +EXPORT_SYMBOL(__cpu_dying_mask); + atomic_t __num_online_cpus __read_mostly; EXPORT_SYMBOL(__num_online_cpus); -- 2.25.1

1 3

[OLK-5.10 1/2] config: enable CONFIG_ARM64_AMU_EXTN to be compatible with AMU platform
by Zeng Heng 29 May '23

29 May '23

Offering: HULK hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I73EPL -------------------------------- The KunPeng newest released platform supports the feature of AMU, and this configuration is backward compatible. This patch would acts as a prepatch for the following patch series. Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 76de734953fc..7b047c0265ee 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -488,7 +488,7 @@ CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y # # ARMv8.4 architectural features # -# CONFIG_ARM64_AMU_EXTN is not set +CONFIG_ARM64_AMU_EXTN=y CONFIG_AS_HAS_ARMV8_4=y CONFIG_ARM64_TLB_RANGE=y # end of ARMv8.4 architectural features -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS 1/6] ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
by Yongqiang Liu 27 May '23

27 May '23

From: Tudor Ambarus <tudor.ambarus(a)linaro.org> stable inclusion from stable-v5.10.180 commit 0dde3141c527b09b96bef1e7eeb18b8127810ce9 category: bugfix bugzilla: 188791,https://gitee.com/openeuler/kernel/issues/I76XUJ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4f04351888a83e595571de672e0a4a8b74f4fb31 upstream. When modifying the block device while it is mounted by the filesystem, syzbot reported the following: BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58 Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586 CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:306 print_report+0x107/0x1f0 mm/kasan/report.c:417 kasan_report+0xcd/0x100 mm/kasan/report.c:517 crc16+0x206/0x280 lib/crc16.c:58 ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187 ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210 ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline] ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173 ext4_remove_blocks fs/ext4/extents.c:2527 [inline] ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline] ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958 ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416 ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342 ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622 notify_change+0xe50/0x1100 fs/attr.c:482 do_truncate+0x200/0x2f0 fs/open.c:65 handle_truncate fs/namei.c:3216 [inline] do_open fs/namei.c:3561 [inline] path_openat+0x272b/0x2dd0 fs/namei.c:3714 do_filp_open+0x264/0x4f0 fs/namei.c:3741 do_sys_openat2+0x124/0x4e0 fs/open.c:1310 do_sys_open fs/open.c:1326 [inline] __do_sys_creat fs/open.c:1402 [inline] __se_sys_creat fs/open.c:1396 [inline] __x64_sys_creat+0x11f/0x160 fs/open.c:1396 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f72f8a8c0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280 RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000 Replace le16_to_cpu(sbi->s_es->s_desc_size) with sbi->s_desc_size It reduces ext4's compiled text size, and makes the code more efficient (we remove an extra indirect reference and a potential byte swap on big endian systems), and there is no downside. It also avoids the potential KASAN / syzkaller failure, as a bonus. Reported-by: syzbot+fc51227e7100c9294894(a)syzkaller.appspotmail.com Reported-by: syzbot+8785e41224a3afd04321(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff… Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30… Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/ Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups") Cc: stable(a)vger.kernel.org Signed-off-by: Tudor Ambarus <tudor.ambarus(a)linaro.org> Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- fs/ext4/super.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 79f983b4c69b..cc2efe2e6ee2 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2596,11 +2596,9 @@ static __le16 ext4_group_desc_csum(struct super_block *sb, __u32 block_group, crc = crc16(crc, (__u8 *)gdp, offset); offset += sizeof(gdp->bg_checksum); /* skip checksum */ /* for checksum of struct ext4_group_desc do the rest...*/ - if (ext4_has_feature_64bit(sb) && - offset < le16_to_cpu(sbi->s_es->s_desc_size)) + if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size) crc = crc16(crc, (__u8 *)gdp + offset, - le16_to_cpu(sbi->s_es->s_desc_size) - - offset); + sbi->s_desc_size - offset); out: return cpu_to_le16(crc); -- 2.25.1

1 5

[PATCH OLK-5.10 0/2] Remove the automatic loading of the hisi_trng driver
by Weili Qian 26 May '23

26 May '23

From: JiangShui Yang <yangjiangshui(a)h-partners.com> Weili Qian (2): crypto: hisilicon/trng - use %u to print u32 variables crypto/trng: Remove the automatic loading of the hisi_trng driver drivers/crypto/hisilicon/trng/trng.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.30.0

1 2

2024

2023

2022

2021

2020

2019

Kernel