- Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 21291/23028] drivers/spi/spi-phytium-plat.c:186:34: warning: unused variable 'phytium_spi_of_match'
by kernel test robot 23 Jun '24

23 Jun '24

Hi Malloy, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 10a294b680ddfda97a09883fe559dd418e5340cd commit: e8483fcd43fc1dbb8d21bb7eacce804cbab6a7c6 [21291/23028] spi: add phytium spi support config: x86_64-randconfig-005-20240420 (https://download.01.org/0day-ci/archive/20240623/202406230104.pOYbvQkT-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240623/202406230104.pOYbvQkT-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406230104.pOYbvQkT-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/spi/spi-phytium-plat.c:186:34: warning: unused variable 'phytium_spi_of_match' [-Wunused-const-variable] 186 | static const struct of_device_id phytium_spi_of_match[] = { | ^~~~~~~~~~~~~~~~~~~~ 1 warning generated. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for SPI_PHYTIUM Depends on [n]: SPI [=y] && SPI_MASTER [=y] && (ARCH_PHYTIUM || COMPILE_TEST [=n]) Selected by [y]: - SPI_PHYTIUM_PLAT [=y] && SPI [=y] && SPI_MASTER [=y] vim +/phytium_spi_of_match +186 drivers/spi/spi-phytium-plat.c 185 > 186 static const struct of_device_id phytium_spi_of_match[] = { 187 { .compatible = "phytium,spi", .data = (void *)0 }, 188 { /* end of table */} 189 }; 190 MODULE_DEVICE_TABLE(of, phytium_spi_of_match); 191 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 18534/23028] drivers/acpi/cppc_acpi.c:614:3-8: WARNING: NULL check before some freeing functions is not needed.
by kernel test robot 22 Jun '24

22 Jun '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 10a294b680ddfda97a09883fe559dd418e5340cd commit: b8815fbbe89b0d15fa3296c3e57d2197a92f5bc0 [18534/23028] ACPI: CPPC: Fix cppc_cpufreq_init failed in CPU Hotplug situation config: x86_64-randconfig-103-20240609 (https://download.01.org/0day-ci/archive/20240622/202406222234.Hz8OPmay-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406222234.Hz8OPmay-lkp@intel.com/ cocci warnings: (new ones prefixed by >>) >> drivers/acpi/cppc_acpi.c:614:3-8: WARNING: NULL check before some freeing functions is not needed. vim +614 drivers/acpi/cppc_acpi.c 576 577 int acpi_get_psd_map(struct cppc_cpudata **all_cpu_data) 578 { 579 struct cpc_desc **cpc_pptr, *cpc_ptr; 580 int parsed_core_num = 0; 581 int i, ret; 582 583 cpc_pptr = kcalloc(num_possible_cpus(), sizeof(void *), GFP_KERNEL); 584 if (!cpc_pptr) 585 return -ENOMEM; 586 for_each_possible_cpu(i) { 587 cpc_pptr[i] = kzalloc(sizeof(struct cpc_desc), GFP_KERNEL); 588 if (!cpc_pptr[i]) { 589 ret = -ENOMEM; 590 goto out; 591 } 592 } 593 594 /* 595 * We can not use acpi_get_devices() to walk the processor devices 596 * because some processor device is not present. 597 */ 598 ret = acpi_walk_namespace(ACPI_TYPE_DEVICE, ACPI_ROOT_OBJECT, 599 ACPI_UINT32_MAX, acpi_parse_cpc, NULL, 600 cpc_pptr, (void **)&parsed_core_num); 601 if (ret) 602 goto out; 603 if (parsed_core_num != num_possible_cpus()) { 604 ret = -EINVAL; 605 goto out; 606 } 607 608 ret = __acpi_get_psd_map(all_cpu_data, cpc_pptr); 609 610 out: 611 for_each_possible_cpu(i) { 612 cpc_ptr = cpc_pptr[i]; 613 if (cpc_ptr) > 614 kfree(cpc_ptr); 615 } 616 kfree(cpc_pptr); 617 618 return ret; 619 } 620 EXPORT_SYMBOL_GPL(acpi_get_psd_map); 621 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 18175/23028] mm/debug.c:174:3: warning: format specifies type 'void *' but the argument has type 'int'
by kernel test robot 22 Jun '24

22 Jun '24

Hi Ding, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 10a294b680ddfda97a09883fe559dd418e5340cd commit: 2d2fe6b40444bd8f84f674930ac5f98a6314702e [18175/23028] ascend: mm: add an owner for mm_struct config: x86_64-randconfig-005-20240420 (https://download.01.org/0day-ci/archive/20240622/202406222208.eM7WX2QL-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240622/202406222208.eM7WX2QL-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406222208.eM7WX2QL-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from mm/debug.c:14: In file included from include/linux/migrate.h:6: In file included from include/linux/mempolicy.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> mm/debug.c:174:3: warning: format specifies type 'void *' but the argument has type 'int' [-Wformat] 135 | atomic_read(&mm->tlb_flush_pending), | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/printk.h:342:35: note: expanded from macro 'pr_emerg' 342 | printk(KERN_EMERG pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ >> mm/debug.c:175:3: warning: format specifies type 'int' but the argument has type 'unsigned long' [-Wformat] 142 | mm->def_flags, &mm->def_flags | ^~~~~~~~~~~~~ include/linux/printk.h:342:35: note: expanded from macro 'pr_emerg' 342 | printk(KERN_EMERG pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ >> mm/debug.c:175:18: warning: format specifies type 'unsigned long' but the argument has type 'const unsigned long *' [-Wformat] 143 | mm->def_flags, &mm->def_flags | ^~~~~~~~~~~~~~ include/linux/printk.h:342:35: note: expanded from macro 'pr_emerg' 342 | printk(KERN_EMERG pr_fmt(fmt), ##__VA_ARGS__) | ~~~ ^~~~~~~~~~~ >> mm/debug.c:143:21: warning: more '%' conversions than data arguments [-Wformat-insufficient-args] 143 | "def_flags: %#lx(%pGv)\n", | ~^ include/linux/printk.h:342:27: note: expanded from macro 'pr_emerg' 342 | printk(KERN_EMERG pr_fmt(fmt), ##__VA_ARGS__) | ^~~ include/linux/printk.h:332:21: note: expanded from macro 'pr_fmt' 332 | #define pr_fmt(fmt) fmt | ^~~ 5 warnings generated. vim +174 mm/debug.c 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 @14 #include <linux/migrate.h> 4e462112e98f9a Vlastimil Babka 2016-03-15 15 #include <linux/page_owner.h> 82742a3a515219 Sasha Levin 2014-10-09 16 edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 17 #include "internal.h" edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 18 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 19 char *migrate_reason_names[MR_TYPES] = { 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 20 "compaction", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 21 "memory_failure", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 22 "memory_hotplug", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 23 "syscall_or_cpuset", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 24 "mempolicy_mbind", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 25 "numa_misplaced", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 26 "cma", 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 27 }; 7cd12b4abfd2f8 Vlastimil Babka 2016-03-15 28 edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 29 const struct trace_print_flags pageflag_names[] = { edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 30 __def_pageflag_names, edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 31 {0, NULL} edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 32 }; edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 33 edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 34 const struct trace_print_flags gfpflag_names[] = { edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 35 __def_gfpflag_names, edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 36 {0, NULL} 420adbe9fc1a45 Vlastimil Babka 2016-03-15 37 }; 420adbe9fc1a45 Vlastimil Babka 2016-03-15 38 edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 39 const struct trace_print_flags vmaflag_names[] = { edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 40 __def_vmaflag_names, edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 41 {0, NULL} 82742a3a515219 Sasha Levin 2014-10-09 42 }; 82742a3a515219 Sasha Levin 2014-10-09 43 ff8e81163889ac Vlastimil Babka 2016-03-15 44 void __dump_page(struct page *page, const char *reason) 82742a3a515219 Sasha Levin 2014-10-09 45 { fc36def997cfd6 Pavel Tatashin 2018-07-03 46 bool page_poisoned = PagePoisoned(page); fc36def997cfd6 Pavel Tatashin 2018-07-03 47 int mapcount; fc36def997cfd6 Pavel Tatashin 2018-07-03 48 fc36def997cfd6 Pavel Tatashin 2018-07-03 49 /* fc36def997cfd6 Pavel Tatashin 2018-07-03 50 * If struct page is poisoned don't access Page*() functions as that fc36def997cfd6 Pavel Tatashin 2018-07-03 51 * leads to recursive loop. Page*() check for poisoned pages, and calls fc36def997cfd6 Pavel Tatashin 2018-07-03 52 * dump_page() when detected. fc36def997cfd6 Pavel Tatashin 2018-07-03 53 */ fc36def997cfd6 Pavel Tatashin 2018-07-03 54 if (page_poisoned) { fc36def997cfd6 Pavel Tatashin 2018-07-03 55 pr_emerg("page:%px is uninitialized and poisoned", page); fc36def997cfd6 Pavel Tatashin 2018-07-03 56 goto hex_only; fc36def997cfd6 Pavel Tatashin 2018-07-03 57 } fc36def997cfd6 Pavel Tatashin 2018-07-03 58 9996f05eac0981 Kirill A. Shutemov 2016-10-07 59 /* 9996f05eac0981 Kirill A. Shutemov 2016-10-07 60 * Avoid VM_BUG_ON() in page_mapcount(). 9996f05eac0981 Kirill A. Shutemov 2016-10-07 61 * page->_mapcount space in struct page is used by sl[aou]b pages to 9996f05eac0981 Kirill A. Shutemov 2016-10-07 62 * encode own info. 9996f05eac0981 Kirill A. Shutemov 2016-10-07 63 */ fc36def997cfd6 Pavel Tatashin 2018-07-03 64 mapcount = PageSlab(page) ? 0 : page_mapcount(page); 4d35427ad7641c Kirill A. Shutemov 2016-09-19 65 152a2d199e1385 Matthew Wilcox 2018-01-04 66 pr_emerg("page:%px count:%d mapcount:%d mapping:%px index:%#lx", 4d35427ad7641c Kirill A. Shutemov 2016-09-19 67 page, page_ref_count(page), mapcount, 4d35427ad7641c Kirill A. Shutemov 2016-09-19 68 page->mapping, page_to_pgoff(page)); 53f9263baba69f Kirill A. Shutemov 2016-01-15 69 if (PageCompound(page)) 53f9263baba69f Kirill A. Shutemov 2016-01-15 70 pr_cont(" compound_mapcount: %d", compound_mapcount(page)); 53f9263baba69f Kirill A. Shutemov 2016-01-15 71 pr_cont("\n"); edf14cdbf9a0e5 Vlastimil Babka 2016-03-15 72 BUILD_BUG_ON(ARRAY_SIZE(pageflag_names) != __NR_PAGEFLAGS + 1); ff8e81163889ac Vlastimil Babka 2016-03-15 73 b8eceeb99014cf Vlastimil Babka 2016-03-15 74 pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags); b8eceeb99014cf Vlastimil Babka 2016-03-15 75 fc36def997cfd6 Pavel Tatashin 2018-07-03 76 hex_only: 46e8a3a08c23d0 Vlastimil Babka 2016-12-12 77 print_hex_dump(KERN_ALERT, "raw: ", DUMP_PREFIX_NONE, 32, 46e8a3a08c23d0 Vlastimil Babka 2016-12-12 78 sizeof(unsigned long), page, 46e8a3a08c23d0 Vlastimil Babka 2016-12-12 79 sizeof(struct page), false); 46e8a3a08c23d0 Vlastimil Babka 2016-12-12 80 82742a3a515219 Sasha Levin 2014-10-09 81 if (reason) 82742a3a515219 Sasha Levin 2014-10-09 82 pr_alert("page dumped because: %s\n", reason); b8eceeb99014cf Vlastimil Babka 2016-03-15 83 9edad6ea0f1416 Johannes Weiner 2014-12-10 84 #ifdef CONFIG_MEMCG fc36def997cfd6 Pavel Tatashin 2018-07-03 85 if (!page_poisoned && page->mem_cgroup) 152a2d199e1385 Matthew Wilcox 2018-01-04 86 pr_alert("page->mem_cgroup:%px\n", page->mem_cgroup); 9edad6ea0f1416 Johannes Weiner 2014-12-10 87 #endif 82742a3a515219 Sasha Levin 2014-10-09 88 } 82742a3a515219 Sasha Levin 2014-10-09 89 82742a3a515219 Sasha Levin 2014-10-09 90 void dump_page(struct page *page, const char *reason) 82742a3a515219 Sasha Levin 2014-10-09 91 { ff8e81163889ac Vlastimil Babka 2016-03-15 92 __dump_page(page, reason); 4e462112e98f9a Vlastimil Babka 2016-03-15 93 dump_page_owner(page); 82742a3a515219 Sasha Levin 2014-10-09 94 } 82742a3a515219 Sasha Levin 2014-10-09 95 EXPORT_SYMBOL(dump_page); 82742a3a515219 Sasha Levin 2014-10-09 96 82742a3a515219 Sasha Levin 2014-10-09 97 #ifdef CONFIG_DEBUG_VM 82742a3a515219 Sasha Levin 2014-10-09 98 82742a3a515219 Sasha Levin 2014-10-09 99 void dump_vma(const struct vm_area_struct *vma) 82742a3a515219 Sasha Levin 2014-10-09 100 { 152a2d199e1385 Matthew Wilcox 2018-01-04 101 pr_emerg("vma %px start %px end %px\n" 152a2d199e1385 Matthew Wilcox 2018-01-04 102 "next %px prev %px mm %px\n" 152a2d199e1385 Matthew Wilcox 2018-01-04 103 "prot %lx anon_vma %px vm_ops %px\n" 152a2d199e1385 Matthew Wilcox 2018-01-04 104 "pgoff %lx file %px private_data %px\n" b8eceeb99014cf Vlastimil Babka 2016-03-15 105 "flags: %#lx(%pGv)\n", 82742a3a515219 Sasha Levin 2014-10-09 106 vma, (void *)vma->vm_start, (void *)vma->vm_end, vma->vm_next, 82742a3a515219 Sasha Levin 2014-10-09 107 vma->vm_prev, vma->vm_mm, 82742a3a515219 Sasha Levin 2014-10-09 108 (unsigned long)pgprot_val(vma->vm_page_prot), 82742a3a515219 Sasha Levin 2014-10-09 109 vma->anon_vma, vma->vm_ops, vma->vm_pgoff, b8eceeb99014cf Vlastimil Babka 2016-03-15 110 vma->vm_file, vma->vm_private_data, b8eceeb99014cf Vlastimil Babka 2016-03-15 111 vma->vm_flags, &vma->vm_flags); 82742a3a515219 Sasha Levin 2014-10-09 112 } 82742a3a515219 Sasha Levin 2014-10-09 113 EXPORT_SYMBOL(dump_vma); 82742a3a515219 Sasha Levin 2014-10-09 114 31c9afa6db122a Sasha Levin 2014-10-09 115 void dump_mm(const struct mm_struct *mm) 31c9afa6db122a Sasha Levin 2014-10-09 116 { 7a9cdebdcc17e4 Linus Torvalds 2018-09-12 117 pr_emerg("mm %px mmap %px seqnum %llu task_size %lu\n" 31c9afa6db122a Sasha Levin 2014-10-09 118 #ifdef CONFIG_MMU 152a2d199e1385 Matthew Wilcox 2018-01-04 119 "get_unmapped_area %px\n" 31c9afa6db122a Sasha Levin 2014-10-09 120 #endif 31c9afa6db122a Sasha Levin 2014-10-09 121 "mmap_base %lu mmap_legacy_base %lu highest_vm_end %lu\n" 152a2d199e1385 Matthew Wilcox 2018-01-04 122 "pgd %px mm_users %d mm_count %d pgtables_bytes %lu map_count %d\n" 31c9afa6db122a Sasha Levin 2014-10-09 123 "hiwater_rss %lx hiwater_vm %lx total_vm %lx locked_vm %lx\n" 84638335900f19 Konstantin Khlebnikov 2016-01-14 124 "pinned_vm %lx data_vm %lx exec_vm %lx stack_vm %lx\n" 31c9afa6db122a Sasha Levin 2014-10-09 125 "start_code %lx end_code %lx start_data %lx end_data %lx\n" 31c9afa6db122a Sasha Levin 2014-10-09 126 "start_brk %lx brk %lx start_stack %lx\n" 31c9afa6db122a Sasha Levin 2014-10-09 127 "arg_start %lx arg_end %lx env_start %lx env_end %lx\n" 152a2d199e1385 Matthew Wilcox 2018-01-04 128 "binfmt %px flags %lx core_state %px\n" 31c9afa6db122a Sasha Levin 2014-10-09 129 #ifdef CONFIG_AIO 152a2d199e1385 Matthew Wilcox 2018-01-04 130 "ioctx_table %px\n" 31c9afa6db122a Sasha Levin 2014-10-09 131 #endif 2d2fe6b40444bd Ding Tianhong 2021-10-30 132 #ifdef CONFIG_MM_OWNER 152a2d199e1385 Matthew Wilcox 2018-01-04 133 "owner %px " 31c9afa6db122a Sasha Levin 2014-10-09 134 #endif 152a2d199e1385 Matthew Wilcox 2018-01-04 135 "exe_file %px\n" 31c9afa6db122a Sasha Levin 2014-10-09 136 #ifdef CONFIG_MMU_NOTIFIER 152a2d199e1385 Matthew Wilcox 2018-01-04 137 "mmu_notifier_mm %px\n" 31c9afa6db122a Sasha Levin 2014-10-09 138 #endif 31c9afa6db122a Sasha Levin 2014-10-09 139 #ifdef CONFIG_NUMA_BALANCING 31c9afa6db122a Sasha Levin 2014-10-09 140 "numa_next_scan %lu numa_scan_offset %lu numa_scan_seq %d\n" 31c9afa6db122a Sasha Levin 2014-10-09 141 #endif 31c9afa6db122a Sasha Levin 2014-10-09 142 "tlb_flush_pending %d\n" b8eceeb99014cf Vlastimil Babka 2016-03-15 @143 "def_flags: %#lx(%pGv)\n", 31c9afa6db122a Sasha Levin 2014-10-09 144 7a9cdebdcc17e4 Linus Torvalds 2018-09-12 145 mm, mm->mmap, (long long) mm->vmacache_seqnum, mm->task_size, 31c9afa6db122a Sasha Levin 2014-10-09 146 #ifdef CONFIG_MMU 31c9afa6db122a Sasha Levin 2014-10-09 147 mm->get_unmapped_area, 31c9afa6db122a Sasha Levin 2014-10-09 148 #endif 31c9afa6db122a Sasha Levin 2014-10-09 149 mm->mmap_base, mm->mmap_legacy_base, mm->highest_vm_end, 31c9afa6db122a Sasha Levin 2014-10-09 150 mm->pgd, atomic_read(&mm->mm_users), 31c9afa6db122a Sasha Levin 2014-10-09 151 atomic_read(&mm->mm_count), af5b0f6a09e42c Kirill A. Shutemov 2017-11-15 152 mm_pgtables_bytes(mm), 31c9afa6db122a Sasha Levin 2014-10-09 153 mm->map_count, 53f4e528406789 Daniel Jordan 2019-08-14 154 mm->hiwater_rss, mm->hiwater_vm, mm->total_vm, 53f4e528406789 Daniel Jordan 2019-08-14 155 atomic_long_read(&mm->locked_vm), 84638335900f19 Konstantin Khlebnikov 2016-01-14 156 mm->pinned_vm, mm->data_vm, mm->exec_vm, mm->stack_vm, 31c9afa6db122a Sasha Levin 2014-10-09 157 mm->start_code, mm->end_code, mm->start_data, mm->end_data, 31c9afa6db122a Sasha Levin 2014-10-09 158 mm->start_brk, mm->brk, mm->start_stack, 31c9afa6db122a Sasha Levin 2014-10-09 159 mm->arg_start, mm->arg_end, mm->env_start, mm->env_end, 31c9afa6db122a Sasha Levin 2014-10-09 160 mm->binfmt, mm->flags, mm->core_state, 31c9afa6db122a Sasha Levin 2014-10-09 161 #ifdef CONFIG_AIO 31c9afa6db122a Sasha Levin 2014-10-09 162 mm->ioctx_table, 31c9afa6db122a Sasha Levin 2014-10-09 163 #endif 31c9afa6db122a Sasha Levin 2014-10-09 164 #ifdef CONFIG_MEMCG 31c9afa6db122a Sasha Levin 2014-10-09 165 mm->owner, 31c9afa6db122a Sasha Levin 2014-10-09 166 #endif 31c9afa6db122a Sasha Levin 2014-10-09 167 mm->exe_file, 31c9afa6db122a Sasha Levin 2014-10-09 168 #ifdef CONFIG_MMU_NOTIFIER 31c9afa6db122a Sasha Levin 2014-10-09 169 mm->mmu_notifier_mm, 31c9afa6db122a Sasha Levin 2014-10-09 170 #endif 31c9afa6db122a Sasha Levin 2014-10-09 171 #ifdef CONFIG_NUMA_BALANCING 31c9afa6db122a Sasha Levin 2014-10-09 172 mm->numa_next_scan, mm->numa_scan_offset, mm->numa_scan_seq, 31c9afa6db122a Sasha Levin 2014-10-09 173 #endif 16af97dc5a8975 Nadav Amit 2017-08-10 @174 atomic_read(&mm->tlb_flush_pending), b8eceeb99014cf Vlastimil Babka 2016-03-15 @175 mm->def_flags, &mm->def_flags 31c9afa6db122a Sasha Levin 2014-10-09 176 ); 31c9afa6db122a Sasha Levin 2014-10-09 177 } 31c9afa6db122a Sasha Levin 2014-10-09 178 :::::: The code at line 174 was first introduced by commit :::::: 16af97dc5a8975371a83d9e30a64038b48f40a2d mm: migrate: prevent racy access to tlb_flush_pending :::::: TO: Nadav Amit <nadav.amit(a)gmail.com> :::::: CC: Linus Torvalds <torvalds(a)linux-foundation.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 13138/23028] kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed'
by kernel test robot 22 Jun '24

22 Jun '24

Hi Cheng, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 10a294b680ddfda97a09883fe559dd418e5340cd commit: 7e2ab91ea07673f855f16b54b7c6e6853b2efc1c [13138/23028] livepatch/x86: support livepatch without ftrace config: x86_64-randconfig-073-20240521 (https://download.01.org/0day-ci/archive/20240622/202406222109.fcYovgIQ-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240622/202406222109.fcYovgIQ-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406222109.fcYovgIQ-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed' [-Wmissing-prototypes] 75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) | ^ kernel/livepatch/core.c:75:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) | ^ | static kernel/livepatch/core.c:402:5: warning: no previous prototype for function 'klp_try_disable_patch' [-Wmissing-prototypes] 402 | int klp_try_disable_patch(void *data) | ^ kernel/livepatch/core.c:402:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 402 | int klp_try_disable_patch(void *data) | ^ | static kernel/livepatch/core.c:441:13: warning: no previous prototype for function 'arch_klp_code_modify_prepare' [-Wmissing-prototypes] 441 | void __weak arch_klp_code_modify_prepare(void) | ^ kernel/livepatch/core.c:441:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 441 | void __weak arch_klp_code_modify_prepare(void) | ^ | static kernel/livepatch/core.c:445:13: warning: no previous prototype for function 'arch_klp_code_modify_post_process' [-Wmissing-prototypes] 445 | void __weak arch_klp_code_modify_post_process(void) | ^ kernel/livepatch/core.c:445:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 445 | void __weak arch_klp_code_modify_post_process(void) | ^ | static kernel/livepatch/core.c:617:5: warning: no previous prototype for function 'klp_try_enable_patch' [-Wmissing-prototypes] 617 | int klp_try_enable_patch(void *data) | ^ kernel/livepatch/core.c:617:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 617 | int klp_try_enable_patch(void *data) | ^ | static kernel/livepatch/core.c:1013:12: warning: no previous prototype for function 'arch_klp_func_can_patch' [-Wmissing-prototypes] 1013 | int __weak arch_klp_func_can_patch(struct klp_func *func) | ^ kernel/livepatch/core.c:1013:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1013 | int __weak arch_klp_func_can_patch(struct klp_func *func) | ^ | static 6 warnings generated. vim +/klp_check_patch_kprobed +75 kernel/livepatch/core.c 7e8d223e3ef865 Cheng Jian 2019-01-28 69 c8f9d7a3aae362 Cheng Jian 2019-01-28 70 #ifdef CONFIG_LIVEPATCH_RESTRICT_KPROBE c8f9d7a3aae362 Cheng Jian 2019-01-28 71 /* c8f9d7a3aae362 Cheng Jian 2019-01-28 72 * Check whether a function has been registered with kprobes before patched. c8f9d7a3aae362 Cheng Jian 2019-01-28 73 * We can't patched this function util we unregisted the kprobes. c8f9d7a3aae362 Cheng Jian 2019-01-28 74 */ c8f9d7a3aae362 Cheng Jian 2019-01-28 @75 struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) c8f9d7a3aae362 Cheng Jian 2019-01-28 76 { c8f9d7a3aae362 Cheng Jian 2019-01-28 77 struct klp_object *obj; c8f9d7a3aae362 Cheng Jian 2019-01-28 78 struct klp_func *func; c8f9d7a3aae362 Cheng Jian 2019-01-28 79 struct kprobe *kp; c8f9d7a3aae362 Cheng Jian 2019-01-28 80 int i; c8f9d7a3aae362 Cheng Jian 2019-01-28 81 c8f9d7a3aae362 Cheng Jian 2019-01-28 82 klp_for_each_object(patch, obj) { c8f9d7a3aae362 Cheng Jian 2019-01-28 83 klp_for_each_func(obj, func) { c8f9d7a3aae362 Cheng Jian 2019-01-28 84 for (i = 0; i < func->old_size; i++) { c8f9d7a3aae362 Cheng Jian 2019-01-28 85 kp = get_kprobe((void *)func->old_addr + i); c8f9d7a3aae362 Cheng Jian 2019-01-28 86 if (kp) { c8f9d7a3aae362 Cheng Jian 2019-01-28 87 pr_err("func %s has been probed, (un)patch failed\n", c8f9d7a3aae362 Cheng Jian 2019-01-28 88 func->old_name); c8f9d7a3aae362 Cheng Jian 2019-01-28 89 return kp; c8f9d7a3aae362 Cheng Jian 2019-01-28 90 } c8f9d7a3aae362 Cheng Jian 2019-01-28 91 } c8f9d7a3aae362 Cheng Jian 2019-01-28 92 } c8f9d7a3aae362 Cheng Jian 2019-01-28 93 } c8f9d7a3aae362 Cheng Jian 2019-01-28 94 c8f9d7a3aae362 Cheng Jian 2019-01-28 95 return NULL; c8f9d7a3aae362 Cheng Jian 2019-01-28 96 } c8f9d7a3aae362 Cheng Jian 2019-01-28 97 #else c8f9d7a3aae362 Cheng Jian 2019-01-28 98 static inline struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) c8f9d7a3aae362 Cheng Jian 2019-01-28 99 { c8f9d7a3aae362 Cheng Jian 2019-01-28 100 return NULL; c8f9d7a3aae362 Cheng Jian 2019-01-28 101 } c8f9d7a3aae362 Cheng Jian 2019-01-28 102 #endif /* CONFIG_LIVEPATCH_RESTRICT_KPROBE */ c8f9d7a3aae362 Cheng Jian 2019-01-28 103 :::::: The code at line 75 was first introduced by commit :::::: c8f9d7a3aae362482f81ba7c6819d410d66619ab livepatch/core: Restrict livepatch patched/unpatched when plant kprobe :::::: TO: Cheng Jian <cj.chengjian(a)huawei.com> :::::: CC: Xie XiuQi <xiexiuqi(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-22.03-LTS] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v5.10.219 commit cc121e3722a0a2c8f716ef991e5425b180a5fb94 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L CVE: CVE-2024-38634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 371569a0fd00..915d7753eec2 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int ch, flg, status = 0; int ret = 0, cts; @@ -253,6 +253,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 5

[PATCH openEuler-22.03-LTS] tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
by Yi Yang 22 Jun '24

22 Jun '24

stable inclusion from stable-v5.10.192 commit 869ce5e5984595bd2c62b598d977debc218b6f4d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8QFUO CVE: CVE-2023-6546 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3c4f8333b582487a2d1e02171f1465531cde53e3 upstream. In commit 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux"), the UAF problem is not completely fixed. There is a race condition in gsm_cleanup_mux(), which caused this UAF. The UAF problem is triggered by the following race: task[5046] task[5054] ----------------------- ----------------------- gsm_cleanup_mux(); dlci = gsm->dlci[0]; mutex_lock(&gsm->mutex); gsm_cleanup_mux(); dlci = gsm->dlci[0]; //Didn't take the lock gsm_dlci_release(gsm->dlci[i]); gsm->dlci[i] = NULL; mutex_unlock(&gsm->mutex); mutex_lock(&gsm->mutex); dlci->dead = true; //UAF Fix it by assigning values after mutex_lock(). Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000 Cc: stable <stable(a)kernel.org> Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux") Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command") Signed-off-by: Yi Yang <yiyang13(a)huawei.com> Co-developed-by: Qiumiao Zhang <zhangqiumiao1(a)huawei.com> Signed-off-by: Qiumiao Zhang <zhangqiumiao1(a)huawei.com> Link: https://lore.kernel.org/r/20230811031121.153237-1-yiyang13@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/n_gsm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index cb5ed4155a8d..2e446b34160f 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2158,12 +2158,13 @@ static void gsm_error(struct gsm_mux *gsm, static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) { int i; - struct gsm_dlci *dlci = gsm->dlci[0]; + struct gsm_dlci *dlci; struct gsm_msg *txq, *ntxq; gsm->dead = true; mutex_lock(&gsm->mutex); + dlci = gsm->dlci[0]; if (dlci) { if (disc && dlci->state != DLCI_CLOSED) { gsm_dlci_begin_close(dlci); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] firmware: arm_scpi: Fix string overflow in SCPI genpd driver
by Yi Yang 22 Jun '24

22 Jun '24

From: Sudeep Holla <sudeep.holla(a)arm.com> stable inclusion from stable-v4.19.222 commit 7e8645ca2c0046f7cd2f0f7d569fc036c8abaedb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SID CVE: CVE-2021-47609 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream. Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically. Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd") Reported-by: Pedro Batista <pedbap.g(a)gmail.com> Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Cc: stable(a)vger.kernel.org Cc: Cristian Marussi <cristian.marussi(a)arm.com> Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com' Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/firmware/scpi_pm_domain.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/scpi_pm_domain.c b/drivers/firmware/scpi_pm_domain.c index f395dec27113..a6e62a793fbe 100644 --- a/drivers/firmware/scpi_pm_domain.c +++ b/drivers/firmware/scpi_pm_domain.c @@ -27,7 +27,6 @@ struct scpi_pm_domain { struct generic_pm_domain genpd; struct scpi_ops *ops; u32 domain; - char name[30]; }; /* @@ -121,8 +120,13 @@ static int scpi_pm_domain_probe(struct platform_device *pdev) scpi_pd->domain = i; scpi_pd->ops = scpi_ops; - sprintf(scpi_pd->name, "%s.%d", np->name, i); - scpi_pd->genpd.name = scpi_pd->name; + scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL, + "%s.%d", np->name, i); + if (!scpi_pd->genpd.name) { + dev_err(dev, "Failed to allocate genpd name:%s.%d\n", + np->name, i); + continue; + } scpi_pd->genpd.power_off = scpi_pd_power_off; scpi_pd->genpd.power_on = scpi_pd_power_on; -- 2.25.1

2 1

[PATCH OLK-6.6] net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()
by Yi Yang 22 Jun '24

22 Jun '24

From: Romain Gantois <romain.gantois(a)bootlin.com> stable inclusion from stable-v6.6.33 commit 5cd17f0e74cb99d209945b9f1f06d411aa667eb1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S9N CVE: CVE-2024-38584 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b31c7e78086127a7fcaa761e8d336ee855a920c6 upstream. In the prueth_probe() function, if one of the calls to emac_phy_connect() fails due to of_phy_connect() returning NULL, then the subsequent call to phy_attached_info() will dereference a NULL pointer. Check the return code of emac_phy_connect and fail cleanly if there is an error. Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver") Cc: stable(a)vger.kernel.org Signed-off-by: Romain Gantois <romain.gantois(a)bootlin.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: MD Danish Anwar <danishanwar(a)ti.com> Link: https://lore.kernel.org/r/20240521-icssg-prueth-fix-v1-1-b4b17b1433e9@bootl… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.c b/drivers/net/ethernet/ti/icssg/icssg_prueth.c index 925044c16c6a..fb120baee553 100644 --- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c +++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c @@ -2136,7 +2136,12 @@ static int prueth_probe(struct platform_device *pdev) prueth->registered_netdevs[PRUETH_MAC0] = prueth->emac[PRUETH_MAC0]->ndev; - emac_phy_connect(prueth->emac[PRUETH_MAC0]); + ret = emac_phy_connect(prueth->emac[PRUETH_MAC0]); + if (ret) { + dev_err(dev, + "can't connect to MII0 PHY, error -%d", ret); + goto netdev_unregister; + } phy_attached_info(prueth->emac[PRUETH_MAC0]->ndev->phydev); } @@ -2148,7 +2153,12 @@ static int prueth_probe(struct platform_device *pdev) } prueth->registered_netdevs[PRUETH_MAC1] = prueth->emac[PRUETH_MAC1]->ndev; - emac_phy_connect(prueth->emac[PRUETH_MAC1]); + ret = emac_phy_connect(prueth->emac[PRUETH_MAC1]); + if (ret) { + dev_err(dev, + "can't connect to MII1 PHY, error %d", ret); + goto netdev_unregister; + } phy_attached_info(prueth->emac[PRUETH_MAC1]->ndev->phydev); } -- 2.25.1

2 1

[PATCH OLK-6.6] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v6.6.33 commit 93df2fba6c7dfa9a2f08546ea9a5ca4728758458 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L CVE: CVE-2024-38634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 5efb2b593be3..45022f2909f0 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int status = 0; int ret = 0, cts; @@ -254,6 +254,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v4.19.316 commit 44b38924135d2093e2ec1812969464845dd66dc9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L CVE: CVE-2024-38634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 371569a0fd00..915d7753eec2 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int ch, flg, status = 0; int ret = 0, cts; @@ -253,6 +253,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 1

[PATCH OLK-5.10] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v5.10.219 commit cc121e3722a0a2c8f716ef991e5425b180a5fb94 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L CVE: CVE-2024-38634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 371569a0fd00..915d7753eec2 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int ch, flg, status = 0; int ret = 0, cts; @@ -253,6 +253,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 1

[PATCH OLK-5.10] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v5.10.219 commit cc121e3722a0a2c8f716ef991e5425b180a5fb94 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 371569a0fd00..915d7753eec2 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int ch, flg, status = 0; int ret = 0, cts; @@ -253,6 +253,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v4.19.316 commit 44b38924135d2093e2ec1812969464845dd66dc9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 371569a0fd00..915d7753eec2 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int ch, flg, status = 0; int ret = 0, cts; @@ -253,6 +253,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 1

[PATCH OLK-6.6] serial: max3100: Lock port->lock when calling uart_handle_cts_change()
by Yi Yang 22 Jun '24

22 Jun '24

From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> stable inclusion from stable-v6.6.33 commit 93df2fba6c7dfa9a2f08546ea9a5ca4728758458 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D3L Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 77ab53371a2066fdf9b895246505f5ef5a4b5d47 ] uart_handle_cts_change() has to be called with port lock taken, Since we run it in a separate work, the lock may not be taken at the time of running. Make sure that it's taken by explicitly doing that. Without it we got a splat: WARNING: CPU: 0 PID: 10 at drivers/tty/serial/serial_core.c:3491 uart_handle_cts_change+0xa6/0xb0 ... Workqueue: max3100-0 max3100_work [max3100] RIP: 0010:uart_handle_cts_change+0xa6/0xb0 ... max3100_handlerx+0xc5/0x110 [max3100] max3100_work+0x12a/0x340 [max3100] Fixes: 7831d56b0a35 ("tty: MAX3100") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Link: https://lore.kernel.org/r/20240402195306.269276-2-andriy.shevchenko@linux.i… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/max3100.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/max3100.c b/drivers/tty/serial/max3100.c index 5efb2b593be3..45022f2909f0 100644 --- a/drivers/tty/serial/max3100.c +++ b/drivers/tty/serial/max3100.c @@ -213,7 +213,7 @@ static int max3100_sr(struct max3100_port *s, u16 tx, u16 *rx) return 0; } -static int max3100_handlerx(struct max3100_port *s, u16 rx) +static int max3100_handlerx_unlocked(struct max3100_port *s, u16 rx) { unsigned int status = 0; int ret = 0, cts; @@ -254,6 +254,17 @@ static int max3100_handlerx(struct max3100_port *s, u16 rx) return ret; } +static int max3100_handlerx(struct max3100_port *s, u16 rx) +{ + unsigned long flags; + int ret; + + uart_port_lock_irqsave(&s->port, &flags); + ret = max3100_handlerx_unlocked(s, rx); + uart_port_unlock_irqrestore(&s->port, flags); + return ret; +} + static void max3100_work(struct work_struct *w) { struct max3100_port *s = container_of(w, struct max3100_port, work); -- 2.25.1

2 1

[PATCH OLK-6.6] net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()
by Yi Yang 22 Jun '24

22 Jun '24

From: Romain Gantois <romain.gantois(a)bootlin.com> stable inclusion from stable-v6.6.33 commit 5cd17f0e74cb99d209945b9f1f06d411aa667eb1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S9N Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b31c7e78086127a7fcaa761e8d336ee855a920c6 upstream. In the prueth_probe() function, if one of the calls to emac_phy_connect() fails due to of_phy_connect() returning NULL, then the subsequent call to phy_attached_info() will dereference a NULL pointer. Check the return code of emac_phy_connect and fail cleanly if there is an error. Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver") Cc: stable(a)vger.kernel.org Signed-off-by: Romain Gantois <romain.gantois(a)bootlin.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: MD Danish Anwar <danishanwar(a)ti.com> Link: https://lore.kernel.org/r/20240521-icssg-prueth-fix-v1-1-b4b17b1433e9@bootl… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/ti/icssg/icssg_prueth.c b/drivers/net/ethernet/ti/icssg/icssg_prueth.c index 925044c16c6a..fb120baee553 100644 --- a/drivers/net/ethernet/ti/icssg/icssg_prueth.c +++ b/drivers/net/ethernet/ti/icssg/icssg_prueth.c @@ -2136,7 +2136,12 @@ static int prueth_probe(struct platform_device *pdev) prueth->registered_netdevs[PRUETH_MAC0] = prueth->emac[PRUETH_MAC0]->ndev; - emac_phy_connect(prueth->emac[PRUETH_MAC0]); + ret = emac_phy_connect(prueth->emac[PRUETH_MAC0]); + if (ret) { + dev_err(dev, + "can't connect to MII0 PHY, error -%d", ret); + goto netdev_unregister; + } phy_attached_info(prueth->emac[PRUETH_MAC0]->ndev->phydev); } @@ -2148,7 +2153,12 @@ static int prueth_probe(struct platform_device *pdev) } prueth->registered_netdevs[PRUETH_MAC1] = prueth->emac[PRUETH_MAC1]->ndev; - emac_phy_connect(prueth->emac[PRUETH_MAC1]); + ret = emac_phy_connect(prueth->emac[PRUETH_MAC1]); + if (ret) { + dev_err(dev, + "can't connect to MII1 PHY, error %d", ret); + goto netdev_unregister; + } phy_attached_info(prueth->emac[PRUETH_MAC1]->ndev->phydev); } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
by Liu Jian 22 Jun '24

22 Jun '24

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.10-rc3 commit f921a58ae20852d188f70842431ce6519c4fdc36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6H2M CVE: CVE-2024-36974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen. Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") Reported-by: Noam Rathaus <noamr(a)ssd-disclosure.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Reviewed-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/sched/sch_taprio.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index abef2e4d6000..8dd7e69e47bf 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -925,16 +925,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev, { int i, j; - if (!qopt && !dev->num_tc) { - NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); - return -EINVAL; - } - - /* If num_tc is already set, it means that the user already - * configured the mqprio part - */ - if (dev->num_tc) + if (!qopt) { + if (!dev->num_tc) { + NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); + return -EINVAL; + } return 0; + } /* Verify num_tc is not out of max range */ if (qopt->num_tc > TC_MAX_QUEUE) { -- 2.34.1

2 1

[PATCH OLK-5.10] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
by Liu Jian 22 Jun '24

22 Jun '24

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.10-rc3 commit f921a58ae20852d188f70842431ce6519c4fdc36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6H2M CVE: CVE-2024-36974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen. Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") Reported-by: Noam Rathaus <noamr(a)ssd-disclosure.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Reviewed-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/sched/sch_taprio.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index e25fe44899ff..41fa731e7c47 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -925,16 +925,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev, { int i, j; - if (!qopt && !dev->num_tc) { - NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); - return -EINVAL; - } - - /* If num_tc is already set, it means that the user already - * configured the mqprio part - */ - if (dev->num_tc) + if (!qopt) { + if (!dev->num_tc) { + NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); + return -EINVAL; + } return 0; + } /* Verify num_tc is not out of max range */ if (qopt->num_tc > TC_MAX_QUEUE) { -- 2.34.1

2 1

[PATCH OLK-6.6] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
by Liu Jian 22 Jun '24

22 Jun '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v6.6.35 commit 724050ae4b76e4fae05a923cb54101d792cf4404 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6H2M CVE: CVE-2024-36974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ] If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided, taprio_parse_mqprio_opt() must validate it, or userspace can inject arbitrary data to the kernel, the second time taprio_change() is called. First call (with valid attributes) sets dev->num_tc to a non zero value. Second call (with arbitrary mqprio attributes) returns early from taprio_parse_mqprio_opt() and bad things can happen. Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule") Reported-by: Noam Rathaus <noamr(a)ssd-disclosure.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Reviewed-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/sched/sch_taprio.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index 87d8070fffbe..118473e5dea7 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -1186,16 +1186,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev, { bool allow_overlapping_txqs = TXTIME_ASSIST_IS_ENABLED(taprio_flags); - if (!qopt && !dev->num_tc) { - NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); - return -EINVAL; - } - - /* If num_tc is already set, it means that the user already - * configured the mqprio part - */ - if (dev->num_tc) + if (!qopt) { + if (!dev->num_tc) { + NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary"); + return -EINVAL; + } return 0; + } /* taprio imposes that traffic classes map 1:n to tx queues */ if (qopt->num_tc > dev->num_tx_queues) { -- 2.34.1

2 1

[PATCH OLK-6.6 0/7] Some folio bugfix
by Liu Shixin 22 Jun '24

22 Jun '24

Some folio bugfix. Andrew Bresticker (1): mm/memory: don't require head page for do_set_pmd() Baolin Wang (2): mm: support multi-size THP numa balancing mm: shmem: fix getting incorrect lruvec when replacing a shmem folio Hugh Dickins (1): mm/migrate: fix kernel BUG at mm/compaction.c:2761! Kefeng Wang (1): mm: fix possible OOB in numa_rebuild_large_mapping() Ran Xiaokai (1): mm: huge_memory: fix misused mapping_large_folio_support() for anon folios Zi Yan (1): mm/rmap: do not add fully unmapped large folio to deferred split list include/linux/pagemap.h | 4 +++ mm/huge_memory.c | 28 +++++++++------- mm/memcontrol.c | 3 +- mm/memory.c | 71 +++++++++++++++++++++++++++++++++-------- mm/migrate.c | 8 ++++- mm/mprotect.c | 3 +- mm/rmap.c | 13 ++++++-- mm/shmem.c | 2 +- 8 files changed, 100 insertions(+), 32 deletions(-) -- 2.25.1

2 8

[PATCH openEuler-1.0-LTS] ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()
by Liu Chuang 22 Jun '24

22 Jun '24

From: Mark Brown <broonie(a)kernel.org> stable inclusion from stable-v4.19.228 commit 7659f25a80e6affb784b690df8994b79b4212fd4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA72KY CVE: CVE-2022-48736 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- commit 4cf28e9ae6e2e11a044be1bcbcfa1b0d8675fe4d upstream. We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range. Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20220124153253.3548853-4-broonie@kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- sound/soc/soc-ops.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c index 3980b1727c49..ef8fd331526b 100644 --- a/sound/soc/soc-ops.c +++ b/sound/soc/soc-ops.c @@ -910,6 +910,8 @@ int snd_soc_put_xr_sx(struct snd_kcontrol *kcontrol, unsigned int i, regval, regmask; int err; + if (val < mc->min || val > mc->max) + return -EINVAL; if (invert) val = max - val; val &= mask; -- 2.34.1

2 1

[PATCH OLK-6.6] af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
by Liu Jian 22 Jun '24

22 Jun '24

From: Breno Leitao <leitao(a)debian.org> stable inclusion from stable-v6.6.33 commit 0688d4e499bee3f2749bca27329bd128686230cb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SCO CVE: CVE-2024-38596 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] A data-race condition has been identified in af_unix. In one data path, the write function unix_release_sock() atomically writes to sk->sk_shutdown using WRITE_ONCE. However, on the reader side, unix_stream_sendmsg() does not read it atomically. Consequently, this issue is causing the following KCSAN splat to occur: BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: unix_release_sock (net/unix/af_unix.c:640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket.c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x01 -> 0x03 The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") addressed a comparable issue in the past regarding sk->sk_shutdown. However, it overlooked resolving this particular data path. This patch only offending unix_stream_sendmsg() function, since the other reads seem to be protected by unix_state_lock() as discussed in Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/unix/af_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 6eab35a5e2f3..aaa4d7878b5d 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -2199,7 +2199,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, goto out_err; } - if (sk->sk_shutdown & SEND_SHUTDOWN) + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) goto pipe_err; while (sent < len) { -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1 0/3] CVE-2024-38596
by Liu Jian 22 Jun '24

22 Jun '24

CVE-2024-38596 Breno Leitao (1): af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg Kuniyuki Iwashima (2): af_unix: Fix data races around sk->sk_shutdown. af_unix: Fix data-races around sk->sk_shutdown. net/core/sock.c | 4 ++-- net/unix/af_unix.c | 22 +++++++++++++--------- 2 files changed, 15 insertions(+), 11 deletions(-) -- 2.34.1

2 4

[PATCH OLK-5.10] af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
by Liu Jian 22 Jun '24

22 Jun '24

From: Breno Leitao <leitao(a)debian.org> stable inclusion from stable-v5.10.219 commit 4d51845d734a4c5d079e56e0916f936a55e15055 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SCO CVE: CVE-2024-38596 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] A data-race condition has been identified in af_unix. In one data path, the write function unix_release_sock() atomically writes to sk->sk_shutdown using WRITE_ONCE. However, on the reader side, unix_stream_sendmsg() does not read it atomically. Consequently, this issue is causing the following KCSAN splat to occur: BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: unix_release_sock (net/unix/af_unix.c:640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket.c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x01 -> 0x03 The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") addressed a comparable issue in the past regarding sk->sk_shutdown. However, it overlooked resolving this particular data path. This patch only offending unix_stream_sendmsg() function, since the other reads seem to be protected by unix_state_lock() as discussed in Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/unix/af_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index e870c835eea8..79c3c6dd30e0 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -2028,7 +2028,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, goto out_err; } - if (sk->sk_shutdown & SEND_SHUTDOWN) + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) goto pipe_err; while (sent < len) { -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
by Liu Jian 22 Jun '24

22 Jun '24

From: Breno Leitao <leitao(a)debian.org> stable inclusion from stable-v4.19.316 commit fca6072e1a7b1e709ada5604b951513b89b4bd0a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SCO CVE: CVE-2024-38596 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 540bf24fba16b88c1b3b9353927204b4f1074e25 ] A data-race condition has been identified in af_unix. In one data path, the write function unix_release_sock() atomically writes to sk->sk_shutdown using WRITE_ONCE. However, on the reader side, unix_stream_sendmsg() does not read it atomically. Consequently, this issue is causing the following KCSAN splat to occur: BUG: KCSAN: data-race in unix_release_sock / unix_stream_sendmsg write (marked) to 0xffff88867256ddbb of 1 bytes by task 7270 on cpu 28: unix_release_sock (net/unix/af_unix.c:640) unix_release (net/unix/af_unix.c:1050) sock_close (net/socket.c:659 net/socket.c:1421) __fput (fs/file_table.c:422) __fput_sync (fs/file_table.c:508) __se_sys_close (fs/open.c:1559 fs/open.c:1541) __x64_sys_close (fs/open.c:1541) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffff88867256ddbb of 1 bytes by task 989 on cpu 14: unix_stream_sendmsg (net/unix/af_unix.c:2273) __sock_sendmsg (net/socket.c:730 net/socket.c:745) ____sys_sendmsg (net/socket.c:2584) __sys_sendmmsg (net/socket.c:2638 net/socket.c:2724) __x64_sys_sendmmsg (net/socket.c:2753 net/socket.c:2750 net/socket.c:2750) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x01 -> 0x03 The line numbers are related to commit dd5a440a31fa ("Linux 6.9-rc7"). Commit e1d09c2c2f57 ("af_unix: Fix data races around sk->sk_shutdown.") addressed a comparable issue in the past regarding sk->sk_shutdown. However, it overlooked resolving this particular data path. This patch only offending unix_stream_sendmsg() function, since the other reads seem to be protected by unix_state_lock() as discussed in Link: https://lore.kernel.org/all/20240508173324.53565-1-kuniyu@amazon.com/ Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://lore.kernel.org/r/20240509081459.2807828-1-leitao@debian.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/unix/af_unix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index da7ad1bf5ada..5484083cfd68 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1895,7 +1895,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, goto out_err; } - if (sk->sk_shutdown & SEND_SHUTDOWN) + if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) goto pipe_err; while (sent < len) { -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] firmware: arm_scpi: Fix string overflow in SCPI genpd driver
by Yi Yang 22 Jun '24

22 Jun '24

From: Sudeep Holla <sudeep.holla(a)arm.com> stable inclusion from stable-v4.19.222 commit 7e8645ca2c0046f7cd2f0f7d569fc036c8abaedb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SID Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream. Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically. Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd") Reported-by: Pedro Batista <pedbap.g(a)gmail.com> Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Cc: stable(a)vger.kernel.org Cc: Cristian Marussi <cristian.marussi(a)arm.com> Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com' Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/firmware/scpi_pm_domain.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/scpi_pm_domain.c b/drivers/firmware/scpi_pm_domain.c index f395dec27113..a6e62a793fbe 100644 --- a/drivers/firmware/scpi_pm_domain.c +++ b/drivers/firmware/scpi_pm_domain.c @@ -27,7 +27,6 @@ struct scpi_pm_domain { struct generic_pm_domain genpd; struct scpi_ops *ops; u32 domain; - char name[30]; }; /* @@ -121,8 +120,13 @@ static int scpi_pm_domain_probe(struct platform_device *pdev) scpi_pd->domain = i; scpi_pd->ops = scpi_ops; - sprintf(scpi_pd->name, "%s.%d", np->name, i); - scpi_pd->genpd.name = scpi_pd->name; + scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL, + "%s.%d", np->name, i); + if (!scpi_pd->genpd.name) { + dev_err(dev, "Failed to allocate genpd name:%s.%d\n", + np->name, i); + continue; + } scpi_pd->genpd.power_off = scpi_pd_power_off; scpi_pd->genpd.power_on = scpi_pd_power_on; -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS 15565/23022] arch/x86/kvm/svm.c:1903 sev_vm_destroy() warn: inconsistent indenting
by kernel test robot 22 Jun '24

22 Jun '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 3441ff8f5dfa49d91987c2ef11a2d1647a0d56ff commit: 457eaaadf6723ca66af506471c5209bb4983f87d [15565/23022] KVM: SVM: Periodically schedule when unregistering regions on destroy config: x86_64-randconfig-161-20240622 (https://download.01.org/0day-ci/archive/20240622/202406221300.KSmWRO3o-lkp@…) compiler: gcc-13 (Ubuntu 13.2.0-4ubuntu3) 13.2.0 If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406221300.KSmWRO3o-lkp@intel.com/ smatch warnings: arch/x86/kvm/svm.c:1903 sev_vm_destroy() warn: inconsistent indenting vim +1903 arch/x86/kvm/svm.c 1883 1884 static void sev_vm_destroy(struct kvm *kvm) 1885 { 1886 struct kvm_sev_info *sev = &to_kvm_svm(kvm)->sev_info; 1887 struct list_head *head = &sev->regions_list; 1888 struct list_head *pos, *q; 1889 1890 if (!sev_guest(kvm)) 1891 return; 1892 1893 mutex_lock(&kvm->lock); 1894 1895 /* 1896 * if userspace was terminated before unregistering the memory regions 1897 * then lets unpin all the registered memory. 1898 */ 1899 if (!list_empty(head)) { 1900 list_for_each_safe(pos, q, head) { 1901 __unregister_enc_region_locked(kvm, 1902 list_entry(pos, struct enc_region, list)); > 1903 cond_resched(); 1904 } 1905 } 1906 1907 mutex_unlock(&kvm->lock); 1908 1909 sev_unbind_asid(kvm, sev->handle); 1910 sev_asid_free(kvm); 1911 } 1912 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS v2 0/5] Linux 4.19.312-313 LTS patches
by Liu Jian 22 Jun '24

22 Jun '24

some network LTS patches Dai Ngo (1): SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int Daniel Borkmann (1): vxlan: Fix regression when dropping packets due to invalid src addresses David Bauer (1): vxlan: drop packets from invalid src-address Jiri Benc (1): ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr Yick Xie (1): udp: preserve the connected status if only UDP cmsg drivers/net/vxlan.c | 4 ++++ include/linux/sunrpc/sched.h | 2 +- include/net/addrconf.h | 4 ++++ net/ipv4/udp.c | 5 +++-- net/ipv6/addrconf.c | 7 ++++--- net/ipv6/udp.c | 5 +++-- 6 files changed, 19 insertions(+), 8 deletions(-) -- 2.34.1

2 6

[PATCH openEuler-1.0-LTS 0/4] Linux 4.19.312-313 LTS patches
by Liu Jian 22 Jun '24

22 Jun '24

some network LTS patches. Dai Ngo (1): SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int David Bauer (1): vxlan: drop packets from invalid src-address Jiri Benc (1): ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr Yick Xie (1): udp: preserve the connected status if only UDP cmsg drivers/net/vxlan.c | 4 ++++ include/linux/sunrpc/sched.h | 2 +- include/net/addrconf.h | 4 ++++ net/ipv4/udp.c | 5 +++-- net/ipv6/addrconf.c | 7 ++++--- net/ipv6/udp.c | 5 +++-- 6 files changed, 19 insertions(+), 8 deletions(-) -- 2.34.1

2 5

[PATCH openEuler-1.0-LTS] drm/amd/display: Fix potential index out of bounds in color transformation function
by Cai Xinchen 22 Jun '24

22 Jun '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v4.19.316 commit 604c506ca43fce52bb882cff9c1fdf2ec3b4029c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5J CVE: CVE-2024-38552 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ] Fixes index out of bounds issue in the color transformation function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, an error message is logged and the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper") Cc: Vitaly Prosyak <vitaly.prosyak(a)amd.com> Cc: Charlene Liu <Charlene.Liu(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index f8904f73f57b..67a3ba49234e 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -315,6 +315,11 @@ bool cm_helper_translate_curve_to_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) { + DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n", + i, TRANSFER_FUNC_POINTS); + return false; + } rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1

2 1

[PATCH OLK-5.10] drm/amd/display: Fix potential index out of bounds in color transformation function
by Cai Xinchen 22 Jun '24

22 Jun '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.219 commit 04bc4d1090c343025d69149ca669a27c5b9c34a7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5J CVE: CVE-2024-38552 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ] Fixes index out of bounds issue in the color transformation function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, an error message is logged and the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper") Cc: Vitaly Prosyak <vitaly.prosyak(a)amd.com> Cc: Charlene Liu <Charlene.Liu(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index 7a00fe525dfb..bd9bc51983fe 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -379,6 +379,11 @@ bool cm_helper_translate_curve_to_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) { + DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n", + i, TRANSFER_FUNC_POINTS); + return false; + } rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1

2 1

[PATCH OLK-6.6] drm/amd/display: Fix potential index out of bounds in color transformation function
by Cai Xinchen 22 Jun '24

22 Jun '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v6.6.33 commit 4e8c8b37ee84b3b19c448d2b8e4c916d2f5b9c86 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5J CVE: CVE-2024-38552 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 63ae548f1054a0b71678d0349c7dc9628ddd42ca ] Fixes index out of bounds issue in the color transformation function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, an error message is logged and the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:405 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:406 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:407 cm_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Fixes: b629596072e5 ("drm/amd/display: Build unity lut for shaper") Cc: Vitaly Prosyak <vitaly.prosyak(a)amd.com> Cc: Charlene Liu <Charlene.Liu(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index 3538973bd0c6..c0372aa4ec83 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -382,6 +382,11 @@ bool cm_helper_translate_curve_to_hw_format(struct dc_context *ctx, i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) { + DC_LOG_ERROR("Index out of bounds: i=%d, TRANSFER_FUNC_POINTS=%d\n", + i, TRANSFER_FUNC_POINTS); + return false; + } rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1

2 1

[PATCH src-openeuler] Add startup setting for hns3 interrupt coalesce parameters
by Zheng Zengkai 21 Jun '24

21 Jun '24

Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> --- hns3_int_coal_params_setting.service | 11 +++++++++++ hns3_int_coal_params_setting.sh | 14 ++++++++++++++ kernel.spec | 25 ++++++++++++++++++++++++- 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 hns3_int_coal_params_setting.service create mode 100644 hns3_int_coal_params_setting.sh diff --git a/hns3_int_coal_params_setting.service b/hns3_int_coal_params_setting.service new file mode 100644 index 0000000..06fe24b --- /dev/null +++ b/hns3_int_coal_params_setting.service @@ -0,0 +1,11 @@ +[Unit] +Description=Interrupt coalesce parameters setting for hns3 nic +After=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/bin/hns3_int_coal_params_setting.sh + +[Install] +WantedBy=multi-user.target diff --git a/hns3_int_coal_params_setting.sh b/hns3_int_coal_params_setting.sh new file mode 100644 index 0000000..de3ae4c --- /dev/null +++ b/hns3_int_coal_params_setting.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# setting optimizing interrupt coalesce parameters for hns3 nic + +for hns3_devname_path in /sys/bus/pci/drivers/hns3/*/net/* +do + if [ -d "$hns3_devname_path" ] + then + hns3_devname=${hns3_devname_path##*/} + echo "setting $hns3_devname interrupt coalesce parameters" + ethtool -C $hns3_devname adaptive-rx off adaptive-tx off + ethtool -C $hns3_devname rx-usecs 15 tx-usecs 15 + fi +done diff --git a/kernel.spec b/kernel.spec index e9a153c..0a7f37b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -11,7 +11,7 @@ %global upstream_sublevel 0 %global devel_release 210 %global maintenance_release .0.0 -%global pkg_release .110 +%global pkg_release .111 %define with_debuginfo 1 # Do not recompute the build-id of vmlinux in find-debuginfo.sh @@ -72,6 +72,9 @@ Source200: mkgrub-menu-aarch64.sh Source2000: cpupower.service Source2001: cpupower.config +Source2002: hns3_int_coal_params_setting.service +Source2003: hns3_int_coal_params_setting.sh + %if 0%{?with_patch} Source9000: apply-patches Source9001: guards @@ -738,6 +741,13 @@ install -m644 %{SOURCE2001} %{buildroot}%{_sysconfdir}/sysconfig/cpupower make DESTDIR=%{buildroot} install popd %endif + +# hns3 nic interrupt coalesce parameters setting +%ifarch aarch64 +install -m644 %{SOURCE2002} %{buildroot}%{_unitdir}/hns3_int_coal_params_setting.service +install -m755 %{SOURCE2003} %{buildroot}%{_bindir}/hns3_int_coal_params_setting.sh +%endif + # thermal pushd tools/thermal/tmon make INSTALL_ROOT=%{buildroot} install @@ -827,6 +837,10 @@ fi %systemd_postun cpupower.service %endif +%ifarch aarch64 +%systemd_post hns3_int_coal_params_setting.service +%endif + %files %defattr (-, root, root) %doc @@ -901,6 +915,12 @@ fi %{_bindir}/turbostat %{_mandir}/man8/turbostat* %endif + +%ifarch aarch64 +%{_unitdir}/hns3_int_coal_params_setting.service +%{_bindir}/hns3_int_coal_params_setting.sh +%endif + %{_bindir}/tmon %{_bindir}/iio_event_monitor %{_bindir}/iio_generic_buffer @@ -952,6 +972,9 @@ fi %endif %changelog +* Fri Jun 21 2024 Zheng Zengkai <zhengzengkai(a)huawei.com> - 5.10.0-210.0.0.111 +- kernel.spec: Add startup setting for hns3 interrupt coalesce parameters + * Fri Jun 21 2024 Jialin Zhang <zhangjialin11(a)huawei.com> - 5.10.0-210.0.0.110 - !9268 net: sched: sch_multiq: fix possible OOB write in multiq_tune() - !9103 ksmbd: no response from compound read -- 2.33.0

1 0

[PATCH openEuler-1.0-LTS 0/4] round lts patches
by Zhengchao Shao 21 Jun '24

21 Jun '24

Round lts patches. David Bauer (1): net l2tp: drop flow hash on forward Felix Fietkau (2): net: bridge: fix multicast-to-unicast with fraglist GSO net: bridge: fix corrupted ethernet header on multicast-to-unicast linke li (1): net: mark racy access on sk->sk_rcvbuf net/bridge/br_forward.c | 9 +++++++-- net/core/sock.c | 4 ++-- net/l2tp/l2tp_eth.c | 3 +++ 3 files changed, 12 insertions(+), 4 deletions(-) -- 2.34.1

2 5

[PATCH OLK-5.10] Revert "sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP"
by Hui Tang 21 Jun '24

21 Jun '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA7CCA CVE: NA -------------------------------- This reverts commit 47559d11e27beaecec41c1059c215ea61ece62d6. We find the commit 47559d11e27b ("sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP"), which cause performance degradation with Unixbench pipe-base contextswich case tested on Kunpeng 920B. Test case: ./Run context1 -c `nproc` -i 3 Unixbench results (Pipe-based_Context_Switching): baseline patched 4.5w 8.5w Fixes: 47559d11e27b ("sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP") Signed-off-by: Hui Tang <tanghui20(a)huawei.com> --- kernel/sched/features.h | 5 ----- 1 file changed, 5 deletions(-) diff --git a/kernel/sched/features.h b/kernel/sched/features.h index 76fade025c4b..83f524cea64d 100644 --- a/kernel/sched/features.h +++ b/kernel/sched/features.h @@ -54,13 +54,8 @@ SCHED_FEAT(TTWU_QUEUE, true) /* * When doing wakeups, attempt to limit superfluous scans of the LLC domain. */ -#ifdef CONFIG_ARM64 SCHED_FEAT(SIS_PROP, false) SCHED_FEAT(SIS_UTIL, true) -#else -SCHED_FEAT(SIS_PROP, true) -SCHED_FEAT(SIS_UTIL, false) -#endif #ifdef CONFIG_SCHED_STEAL /* -- 2.34.1

2 1

[PATCH OLK-5.10] Revert "sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP"
by Hui Tang 21 Jun '24

21 Jun '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA7CCA CVE: NA -------------------------------- This reverts commit 47559d11e27beaecec41c1059c215ea61ece62d6. We find the commit 47559d11e27b ("sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP"), which cause performance degradation with Unixbench pipe-base contextswich case tested on Kunpeng 920B. Test case: ./Run context1 -c `nproc` -i 3 Unixbench results (Pipe-based_Context_Switching): baseline patched 4.5w 8.5w Signed-off-by: Hui Tang <tanghui20(a)huawei.com> --- kernel/sched/features.h | 5 ----- 1 file changed, 5 deletions(-) diff --git a/kernel/sched/features.h b/kernel/sched/features.h index 76fade025c4b..83f524cea64d 100644 --- a/kernel/sched/features.h +++ b/kernel/sched/features.h @@ -54,13 +54,8 @@ SCHED_FEAT(TTWU_QUEUE, true) /* * When doing wakeups, attempt to limit superfluous scans of the LLC domain. */ -#ifdef CONFIG_ARM64 SCHED_FEAT(SIS_PROP, false) SCHED_FEAT(SIS_UTIL, true) -#else -SCHED_FEAT(SIS_PROP, true) -SCHED_FEAT(SIS_UTIL, false) -#endif #ifdef CONFIG_SCHED_STEAL /* -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/1] CVE-2022-48755
by Yuntao Liu 21 Jun '24

21 Jun '24

CVE-2022-48755 Naveen N. Rao (1): [Backport] powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 arch/powerpc/net/bpf_jit_comp64.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10] Revert "sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP"
by Hui Tang 21 Jun '24

21 Jun '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA7CCA CVE: NA -------------------------------- This reverts commit 47559d11e27beaecec41c1059c215ea61ece62d6. We find the commit 47559d11e27b ("sched/fair:ARM64 enables SIS_UTIL and disables SIS_PROP"), which cause performance degradation with Unixbench pipe-base contextswich case tested on Kunpeng 920B. Test case: ./Run context1 -c `nproc` -i 3 Unixbench results (Pipe-based_Context_Switching): baseline patched 4.5w 8.5w --- kernel/sched/features.h | 5 ----- 1 file changed, 5 deletions(-) diff --git a/kernel/sched/features.h b/kernel/sched/features.h index 76fade025c4b..83f524cea64d 100644 --- a/kernel/sched/features.h +++ b/kernel/sched/features.h @@ -54,13 +54,8 @@ SCHED_FEAT(TTWU_QUEUE, true) /* * When doing wakeups, attempt to limit superfluous scans of the LLC domain. */ -#ifdef CONFIG_ARM64 SCHED_FEAT(SIS_PROP, false) SCHED_FEAT(SIS_UTIL, true) -#else -SCHED_FEAT(SIS_PROP, true) -SCHED_FEAT(SIS_UTIL, false) -#endif #ifdef CONFIG_SCHED_STEAL /* -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/2] spi: Fix deadlock when adding SPI controllers on SPI buses
by Zeng Heng 21 Jun '24

21 Jun '24

Mark Brown (1): spi: Fix deadlock when adding SPI controllers on SPI buses Zeng Heng (1): spi: fix kabi breakage in struct spi_controller drivers/spi/spi.c | 43 ++++++++++++++++++++++++++---------------- include/linux/device.h | 12 ++++++++++++ 2 files changed, 39 insertions(+), 16 deletions(-) -- 2.25.1

2 3

[PATCH openEuler-1.0-LTS 0/2] spi: Fix deadlock when adding
by Zeng Heng 21 Jun '24

21 Jun '24

Mark Brown (1): spi: Fix deadlock when adding SPI controllers on SPI buses Zeng Heng (1): spi: fix kabi breakage in struct spi_controller drivers/spi/spi.c | 43 ++++++++++++++++++++++++++---------------- include/linux/device.h | 12 ++++++++++++ 2 files changed, 39 insertions(+), 16 deletions(-) -- 2.25.1

2 3

[PATCH openEuler-1.0-LTS 0/1] CVE-2024-38538
by Yuntao Liu 21 Jun '24

21 Jun '24

CVE-2024-38538 Naveen N. Rao (1): [Backport] powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 arch/powerpc/net/bpf_jit_comp64.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-1.0-LTS 0/1] CVE-2024-38538
by Yuntao Liu 21 Jun '24

21 Jun '24

CVE-2024-38538 Naveen N. Rao (1): [Backport] powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 arch/powerpc/net/bpf_jit_comp64.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-1.0-LTS 0/1] CVE-2024-38538
by Yuntao Liu 21 Jun '24

21 Jun '24

CVE-2024-38538 Naveen N. Rao (1): [Backport] powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 arch/powerpc/net/bpf_jit_comp64.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10 v6 0/9] sync hulk-5.10 patches
by Yu Kuai 21 Jun '24

21 Jun '24

Changes in v6: - fix a typo Changes in v5: - rebase Changes in v4: - just resend Changes in v3: - modify openeuler_defconfig for disabled new config in patch 1,2 Changes in v2: - fix head in commit message Christoph Hellwig (2): block: serialize all debugfs operations using q->debugfs_mutex block: remove per-disk debugfs files in blk_unregister_queue Yu Kuai (7): block: add a switch to enable hungtask check for io blk-throttle: add a config to control hierarchical throttle in cgroup v1 blk-throttle: fix missing prefix "CONFIG_" block: protect blk_mq_debugfs_register/unregister_hctx() with 'debugfs_mutex' block: shutdown blktrace in blk_release_queue() block: support enable/disable blk-mq debugfs dynamically block: fix kabi broken in struct request_queue arch/arm64/configs/openeuler_defconfig | 3 + arch/powerpc/configs/openeuler_defconfig | 2 + arch/x86/configs/openeuler_defconfig | 3 + block/Kconfig | 37 +++++++++ block/bio.c | 2 +- block/blk-core.c | 13 +++- block/blk-exec.c | 2 +- block/blk-mq-debugfs.c | 97 +++++++++++++++++++++--- block/blk-mq-debugfs.h | 5 -- block/blk-mq-sched.c | 11 +++ block/blk-mq.c | 11 +++ block/blk-rq-qos.c | 2 - block/blk-rq-qos.h | 7 +- block/blk-sysfs.c | 82 +++++++++++++++++--- block/blk-throttle.c | 17 ++++- block/blk.h | 1 + include/linux/blkdev.h | 7 +- kernel/trace/blktrace.c | 3 - 18 files changed, 264 insertions(+), 41 deletions(-) -- 2.39.2

2 10

[PATCH OLK-6.6] of: module: add buffer overflow check in of_modalias()
by GONG, Ruiqi 21 Jun '24

21 Jun '24

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> stable inclusion from stable-v6.6.33 commit 0b0d5701a8bf02f8fee037e81aacf6746558bfd6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SDQ CVE: CVE-2024-38541 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ] In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com> --- drivers/of/module.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/module.c b/drivers/of/module.c index f58e624953a2..780fd82a7ecc 100644 --- a/drivers/of/module.c +++ b/drivers/of/module.c @@ -29,14 +29,15 @@ ssize_t of_modalias(const struct device_node *np, char *str, ssize_t len) csize = snprintf(str, len, "of:N%pOFn%c%s", np, 'T', of_node_get_device_type(np)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(np, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); -- 2.25.1

2 1

[PATCH OLK-5.10 0/3] CVE-2024-26661 following bugfix
by Liao Chen 21 Jun '24

21 Jun '24

In order to apply (drm/amd/display: Fix && vs || typos) in full, we revert it, merge its precedent, and apply it back. Dan Carpenter (1): drm/amd/display: Fix && vs || typos Liao Chen (1): Revert "drm/amd/display: Fix && vs || typos" Srinivasan Shanmugam (1): drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hwseq.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) -- 2.34.1

2 4

[PATCH OLK-6.6] ftrace: Fix possible use-after-free issue in ftrace_location()
by Zheng Yejian 21 Jun '24

21 Jun '24

mainline inclusion from mainline-v6.10-rc1 commit e60b613df8b6253def41215402f72986fee3fc8d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5H CVE: CVE-2024-38588 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------------ KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+ [...] Call Trace: <TASK> dump_stack_lvl+0x68/0xa0 print_report+0xcf/0x610 kasan_report+0xb5/0xe0 ftrace_location+0x90/0x120 register_kprobe+0x14b/0xa40 kprobe_init+0x2d/0xff0 [kprobe_example] do_one_initcall+0x8f/0x2d0 do_init_module+0x13a/0x3c0 load_module+0x3082/0x33d0 init_module_from_file+0xd2/0x130 __x64_sys_finit_module+0x306/0x440 do_syscall_64+0x68/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79 The root cause is that, in lookup_rec(), ftrace record of some address is being searched in ftrace pages of some module, but those ftrace pages at the same time is being freed in ftrace_release_mod() as the corresponding module is being deleted: CPU1 | CPU2 register_kprobes() { | delete_module() { check_kprobe_address_safe() { | arch_check_ftrace_location() { | ftrace_location() { | lookup_rec() // USE! | ftrace_release_mod() // Free! To fix this issue: 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range(); 2. Use ftrace_location_range() instead of lookup_rec() in ftrace_location(); 3. Call synchronize_rcu() before freeing any ftrace pages both in ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem(). Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengye… Cc: stable(a)vger.kernel.org Cc: <mhiramat(a)kernel.org> Cc: <mark.rutland(a)arm.com> Cc: <mathieu.desnoyers(a)efficios.com> Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization") Suggested-by: Steven Rostedt <rostedt(a)goodmis.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/ftrace.c | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c index 83ba342aef31..2f80239348f5 100644 --- a/kernel/trace/ftrace.c +++ b/kernel/trace/ftrace.c @@ -1595,12 +1595,15 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end) unsigned long ftrace_location_range(unsigned long start, unsigned long end) { struct dyn_ftrace *rec; + unsigned long ip = 0; + rcu_read_lock(); rec = lookup_rec(start, end); if (rec) - return rec->ip; + ip = rec->ip; + rcu_read_unlock(); - return 0; + return ip; } /** @@ -1613,25 +1616,22 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end) */ unsigned long ftrace_location(unsigned long ip) { - struct dyn_ftrace *rec; + unsigned long loc; unsigned long offset; unsigned long size; - rec = lookup_rec(ip, ip); - if (!rec) { + loc = ftrace_location_range(ip, ip); + if (!loc) { if (!kallsyms_lookup_size_offset(ip, &size, &offset)) goto out; /* map sym+0 to __fentry__ */ if (!offset) - rec = lookup_rec(ip, ip + size - 1); + loc = ftrace_location_range(ip, ip + size - 1); } - if (rec) - return rec->ip; - out: - return 0; + return loc; } /** @@ -6593,6 +6593,8 @@ static int ftrace_process_locs(struct module *mod, /* We should have used all pages unless we skipped some */ if (pg_unuse) { WARN_ON(!skipped); + /* Need to synchronize with ftrace_location_range() */ + synchronize_rcu(); ftrace_free_pages(pg_unuse); } return ret; @@ -6806,6 +6808,9 @@ void ftrace_release_mod(struct module *mod) out_unlock: mutex_unlock(&ftrace_lock); + /* Need to synchronize with ftrace_location_range() */ + if (tmp_page) + synchronize_rcu(); for (pg = tmp_page; pg; pg = tmp_page) { /* Needs to be called outside of ftrace_lock */ @@ -7139,6 +7144,7 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) unsigned long start = (unsigned long)(start_ptr); unsigned long end = (unsigned long)(end_ptr); struct ftrace_page **last_pg = &ftrace_pages_start; + struct ftrace_page *tmp_page = NULL; struct ftrace_page *pg; struct dyn_ftrace *rec; struct dyn_ftrace key; @@ -7180,12 +7186,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) ftrace_update_tot_cnt--; if (!pg->index) { *last_pg = pg->next; - if (pg->records) { - free_pages((unsigned long)pg->records, pg->order); - ftrace_number_of_pages -= 1 << pg->order; - } - ftrace_number_of_groups--; - kfree(pg); + pg->next = tmp_page; + tmp_page = pg; pg = container_of(last_pg, struct ftrace_page, next); if (!(*last_pg)) ftrace_pages = pg; @@ -7202,6 +7204,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr) clear_func_from_hashes(func); kfree(func); } + /* Need to synchronize with ftrace_location_range() */ + if (tmp_page) { + synchronize_rcu(); + ftrace_free_pages(tmp_page); + } } void __init ftrace_free_init_mem(void) -- 2.25.1

2 1

[PATCH OLK-6.6] ring-buffer: Fix a race between readers and resize checks
by Zheng Yejian 21 Jun '24

21 Jun '24

From: Petr Pavlu <petr.pavlu(a)suse.com> mainline inclusion from mainline-v6.10-rc1 commit c2274b908db05529980ec056359fae916939fdaa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S8L CVE: CVE-2024-38601 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The reader code in rb_get_reader_page() swaps a new reader page into the ring buffer by doing cmpxchg on old->list.prev->next to point it to the new page. Following that, if the operation is successful, old->list.next->prev gets updated too. This means the underlying doubly-linked list is temporarily inconsistent, page->prev->next or page->next->prev might not be equal back to page for some page in the ring buffer. The resize operation in ring_buffer_resize() can be invoked in parallel. It calls rb_check_pages() which can detect the described inconsistency and stop further tracing: [ 190.271762] ------------[ cut here ]------------ [ 190.271771] WARNING: CPU: 1 PID: 6186 at kernel/trace/ring_buffer.c:1467 rb_check_pages.isra.0+0x6a/0xa0 [ 190.271789] Modules linked in: [...] [ 190.271991] Unloaded tainted modules: intel_uncore_frequency(E):1 skx_edac(E):1 [ 190.272002] CPU: 1 PID: 6186 Comm: cmd.sh Kdump: loaded Tainted: G E 6.9.0-rc6-default #5 158d3e1e6d0b091c34c3b96bfd99a1c58306d79f [ 190.272011] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552c-rebuilt.opensuse.org 04/01/2014 [ 190.272015] RIP: 0010:rb_check_pages.isra.0+0x6a/0xa0 [ 190.272023] Code: [...] [ 190.272028] RSP: 0018:ffff9c37463abb70 EFLAGS: 00010206 [ 190.272034] RAX: ffff8eba04b6cb80 RBX: 0000000000000007 RCX: ffff8eba01f13d80 [ 190.272038] RDX: ffff8eba01f130c0 RSI: ffff8eba04b6cd00 RDI: ffff8eba0004c700 [ 190.272042] RBP: ffff8eba0004c700 R08: 0000000000010002 R09: 0000000000000000 [ 190.272045] R10: 00000000ffff7f52 R11: ffff8eba7f600000 R12: ffff8eba0004c720 [ 190.272049] R13: ffff8eba00223a00 R14: 0000000000000008 R15: ffff8eba067a8000 [ 190.272053] FS: 00007f1bd64752c0(0000) GS:ffff8eba7f680000(0000) knlGS:0000000000000000 [ 190.272057] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.272061] CR2: 00007f1bd6662590 CR3: 000000010291e001 CR4: 0000000000370ef0 [ 190.272070] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.272073] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 190.272077] Call Trace: [ 190.272098] <TASK> [ 190.272189] ring_buffer_resize+0x2ab/0x460 [ 190.272199] __tracing_resize_ring_buffer.part.0+0x23/0xa0 [ 190.272206] tracing_resize_ring_buffer+0x65/0x90 [ 190.272216] tracing_entries_write+0x74/0xc0 [ 190.272225] vfs_write+0xf5/0x420 [ 190.272248] ksys_write+0x67/0xe0 [ 190.272256] do_syscall_64+0x82/0x170 [ 190.272363] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 190.272373] RIP: 0033:0x7f1bd657d263 [ 190.272381] Code: [...] [ 190.272385] RSP: 002b:00007ffe72b643f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 190.272391] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1bd657d263 [ 190.272395] RDX: 0000000000000002 RSI: 0000555a6eb538e0 RDI: 0000000000000001 [ 190.272398] RBP: 0000555a6eb538e0 R08: 000000000000000a R09: 0000000000000000 [ 190.272401] R10: 0000555a6eb55190 R11: 0000000000000246 R12: 00007f1bd6662500 [ 190.272404] R13: 0000000000000002 R14: 00007f1bd6667c00 R15: 0000000000000002 [ 190.272412] </TASK> [ 190.272414] ---[ end trace 0000000000000000 ]--- Note that ring_buffer_resize() calls rb_check_pages() only if the parent trace_buffer has recording disabled. Recent commit d78ab792705c ("tracing: Stop current tracer when resizing buffer") causes that it is now always the case which makes it more likely to experience this issue. The window to hit this race is nonetheless very small. To help reproducing it, one can add a delay loop in rb_get_reader_page(): ret = rb_head_page_replace(reader, cpu_buffer->reader_page); if (!ret) goto spin; for (unsigned i = 0; i < 1U << 26; i++) /* inserted delay loop */ __asm__ __volatile__ ("" : : : "memory"); rb_list_head(reader->list.next)->prev = &cpu_buffer->reader_page->list; .. and then run the following commands on the target system: echo 1 > /sys/kernel/tracing/events/sched/sched_switch/enable while true; do echo 16 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 echo 8 > /sys/kernel/tracing/buffer_size_kb; sleep 0.1 done & while true; do for i in /sys/kernel/tracing/per_cpu/*; do timeout 0.1 cat $i/trace_pipe; sleep 0.2 done done To fix the problem, make sure ring_buffer_resize() doesn't invoke rb_check_pages() concurrently with a reader operating on the same ring_buffer_per_cpu by taking its cpu_buffer->reader_lock. Link: https://lore.kernel.org/linux-trace-kernel/20240517134008.24529-3-petr.pavl… Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Fixes: 659f451ff213 ("ring-buffer: Add integrity check at end of iter read") Signed-off-by: Petr Pavlu <petr.pavlu(a)suse.com> [ Fixed whitespace ] Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/ring_buffer.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c index 7b36e80fe27a..72884e8073b3 100644 --- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -1599,6 +1599,11 @@ static void rb_check_bpage(struct ring_buffer_per_cpu *cpu_buffer, * * As a safety measure we check to make sure the data pages have not * been corrupted. + * + * Callers of this function need to guarantee that the list of pages doesn't get + * modified during the check. In particular, if it's possible that the function + * is invoked with concurrent readers which can swap in a new reader page then + * the caller should take cpu_buffer->reader_lock. */ static void rb_check_pages(struct ring_buffer_per_cpu *cpu_buffer) { @@ -2338,8 +2343,12 @@ int ring_buffer_resize(struct trace_buffer *buffer, unsigned long size, */ synchronize_rcu(); for_each_buffer_cpu(buffer, cpu) { + unsigned long flags; + cpu_buffer = buffer->buffers[cpu]; + raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags); rb_check_pages(cpu_buffer); + raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags); } atomic_dec(&buffer->record_disabled); } -- 2.25.1

2 1

[PATCH OLK-5.10 0/3] CVE-2024-26661 following bugfix
by Liao Chen 21 Jun '24

21 Jun '24

In order to apply (drm/amd/display: Fix && vs || typos) in full, we revert it, merge its precedent, and apply it back. Dan Carpenter (1): drm/amd/display: Fix && vs || typos Liao Chen (1): Revert "drm/amd/display: Fix && vs || typos" Srinivasan Shanmugam (1): drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hwseq.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) -- 2.34.1

2 4

[PATCH OLK-6.6] of: module: add buffer overflow check in of_modalias()
by GONG, Ruiqi 21 Jun '24

21 Jun '24

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> stable inclusion from stable-v6.6.33 commit 0b0d5701a8bf02f8fee037e81aacf6746558bfd6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA6SDQ CVE: CVE-2024-38541 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit cf7385cb26ac4f0ee6c7385960525ad534323252 ] In of_modalias(), if the buffer happens to be too small even for the 1st snprintf() call, the len parameter will become negative and str parameter (if not NULL initially) will point beyond the buffer's end. Add the buffer overflow check after the 1st snprintf() call and fix such check after the strlen() call (accounting for the terminating NUL char). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Link: https://lore.kernel.org/r/bbfc6be0-c687-62b6-d015-5141b93f313e@omp.ru Signed-off-by: Rob Herring <robh(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com> --- drivers/of/module.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/of/module.c b/drivers/of/module.c index f58e624953a2..780fd82a7ecc 100644 --- a/drivers/of/module.c +++ b/drivers/of/module.c @@ -29,14 +29,15 @@ ssize_t of_modalias(const struct device_node *np, char *str, ssize_t len) csize = snprintf(str, len, "of:N%pOFn%c%s", np, 'T', of_node_get_device_type(np)); tsize = csize; + if (csize >= len) + csize = len > 0 ? len - 1 : 0; len -= csize; - if (str) - str += csize; + str += csize; of_property_for_each_string(np, "compatible", p, compat) { csize = strlen(compat) + 1; tsize += csize; - if (csize > len) + if (csize >= len) continue; csize = snprintf(str, len, "C%s", compat); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS 0/2] spi: Fix deadlock when adding
by Zeng Heng 21 Jun '24

21 Jun '24

Mark Brown (1): spi: Fix deadlock when adding SPI controllers on SPI buses Zeng Heng (1): spi: fix kabi breakage in struct spi_controller drivers/spi/spi.c | 43 ++++++++++++++++++++++++++---------------- include/linux/device.h | 8 ++++++++ 2 files changed, 35 insertions(+), 16 deletions(-) -- 2.25.1

2 3