- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] net/mlx5: Properly link new fs rules into the tree
by Li Huafei 30 May '24

30 May '24

From: Cosmin Ratiu <cratiu(a)nvidia.com> stable inclusion from stable-v4.19.313 commit de0139719cdda82806a47580ca0df06fc85e0bd2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRLI CVE: CVE-2024-35960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7c6782ad4911cbee874e85630226ed389ff2e453 ] Previously, add_rule_fg would only add newly created rules from the handle into the tree when they had a refcount of 1. On the other hand, create_flow_handle tries hard to find and reference already existing identical rules instead of creating new ones. These two behaviors can result in a situation where create_flow_handle 1) creates a new rule and references it, then 2) in a subsequent step during the same handle creation references it again, resulting in a rule with a refcount of 2 that is not linked into the tree, will have a NULL parent and root and will result in a crash when the flow group is deleted because del_sw_hw_rule, invoked on rule deletion, assumes node->parent is != NULL. This happened in the wild, due to another bug related to incorrect handling of duplicate pkt_reformat ids, which lead to the code in create_flow_handle incorrectly referencing a just-added rule in the same flow handle, resulting in the problem described above. Full details are at [1]. This patch changes add_rule_fg to add new rules without parents into the tree, properly initializing them and avoiding the crash. This makes it more consistent with how rules are added to an FTE in create_flow_handle. Fixes: 74491de93712 ("net/mlx5: Add multi dest support") Link: https://lore.kernel.org/netdev/ea5264d6-6b55-4449-a602-214c6f509c1e@163.com… [1] Signed-off-by: Cosmin Ratiu <cratiu(a)nvidia.com> Reviewed-by: Tariq Toukan <tariqt(a)nvidia.com> Reviewed-by: Mark Bloch <mbloch(a)nvidia.com> Signed-off-by: Saeed Mahameed <saeedm(a)nvidia.com> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Link: https://lore.kernel.org/r/20240409190820.227554-5-tariqt@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c index a38a0c86705ab..a23323f717a35 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c @@ -1450,8 +1450,9 @@ static struct mlx5_flow_handle *add_rule_fg(struct mlx5_flow_group *fg, } trace_mlx5_fs_set_fte(fte, false); + /* Link newly added rules into the tree. */ for (i = 0; i < handle->num_rules; i++) { - if (refcount_read(&handle->rule[i]->node.refcount) == 1) { + if (!handle->rule[i]->node.parent) { tree_add_node(&handle->rule[i]->node, &fte->node); trace_mlx5_fs_add_rule(handle->rule[i]); } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] soc: qcom: llcc: Handle a second device without data corruption
by Kaixiong Yu 30 May '24

30 May '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> stable inclusion from stable-v5.10.201 commit 5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFK0 CVE: CVE-2023-52871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f1a1bc8775b26345aba2be278118999e7f661d3d ] Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it. Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Fixes: a3134fb09e0b ("drivers: soc: Add LLCC driver") Link: https://lore.kernel.org/r/20230926083229.2073890-1-u.kleine-koenig@pengutro… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/soc/qcom/llcc-qcom.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c index 2e06f48d683d..63ff622722d7 100644 --- a/drivers/soc/qcom/llcc-qcom.c +++ b/drivers/soc/qcom/llcc-qcom.c @@ -413,6 +413,9 @@ static int qcom_llcc_probe(struct platform_device *pdev) const struct llcc_slice_config *llcc_cfg; u32 sz; + if (!IS_ERR(drv_data)) + return -EBUSY; + drv_data = devm_kzalloc(dev, sizeof(*drv_data), GFP_KERNEL); if (!drv_data) { ret = -ENOMEM; -- 2.25.1

2 1

[PATCH OLK-5.10] soc: qcom: llcc: Handle a second device without data corruption
by Kaixiong Yu 30 May '24

30 May '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> stable inclusion from stable-v5.10.201 commit 5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFK0 CVE: CVE-2023-52871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f1a1bc8775b26345aba2be278118999e7f661d3d ] Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it. Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Fixes: a3134fb09e0b ("drivers: soc: Add LLCC driver") Link: https://lore.kernel.org/r/20230926083229.2073890-1-u.kleine-koenig@pengutro… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/soc/qcom/llcc-qcom.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c index c60fe98f03e3..8cf7b142e141 100644 --- a/drivers/soc/qcom/llcc-qcom.c +++ b/drivers/soc/qcom/llcc-qcom.c @@ -413,6 +413,9 @@ static int qcom_llcc_probe(struct platform_device *pdev) const struct llcc_slice_config *llcc_cfg; u32 sz; + if (!IS_ERR(drv_data)) + return -EBUSY; + drv_data = devm_kzalloc(dev, sizeof(*drv_data), GFP_KERNEL); if (!drv_data) { ret = -ENOMEM; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] drm/amd/pm: Update intermediate power state for SI
by Liu Chuang 30 May '24

30 May '24

From: Lijo Lazar <lijo.lazar(a)amd.com> mainline inclusion from mainline-v5.15-rc3 commit ab39d3cef526ba09c4c6923b4cd7e6ec1c5d4faa bugzilla: https://gitee.com/openeuler/kernel/issues/I9TKIT Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… CVE: CVE-2021-47362 -------------------------------- Update the current state as boot state during dpm initialization. During the subsequent initialization, set_power_state gets called to transition to the final power state. set_power_state refers to values from the current state and without current state populated, it could result in NULL pointer dereference. For ex: on platforms where PCI speed change is supported through ACPI ATCS method, the link speed of current state needs to be queried before deciding on changing to final power state's link speed. The logic to query ATCS-support was broken on certain platforms. The issue became visible when broken ATCS-support logic got fixed with commit f9b7f3703ff9 ("drm/amdgpu/acpi: make ATPX/ATCS structures global (v2)"). Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1698 Signed-off-by: Lijo Lazar <lijo.lazar(a)amd.com> Reviewed-by: Hawking Zhang <Hawking.Zhang(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Conflicts: drivers/gpu/drm/amd/pm/powerplay/si_dpm.c [The conflict occurs because commit e098bc9612c2("drm/amd/pm: optimize the power related source code layout") is not merged.] Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/amdgpu/si_dpm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/si_dpm.c b/drivers/gpu/drm/amd/amdgpu/si_dpm.c index 7c724d3de111..0b80cd38f968 100644 --- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c +++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c @@ -6888,6 +6888,8 @@ static int si_dpm_enable(struct amdgpu_device *adev) si_enable_auto_throttle_source(adev, AMDGPU_DPM_AUTO_THROTTLE_SRC_THERMAL, true); si_thermal_start_thermal_controller(adev); + ni_update_current_ps(adev, boot_ps); + return 0; } -- 2.34.1

2 1

[PATCH OLK-5.10] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
by Ziyang Xuan 30 May '24

30 May '24

From: Sungwoo Kim <iam(a)sung-woo.kim> mainline inclusion from mainline-v6.9 commit 4d7b41c0e43995b0e992b9f8903109275744b658 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RMPS CVE: CVE-2024-36013 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 Fixes: 73ffa904b782 ("Bluetooth: Move conf_{req,rsp} stuff to struct l2cap_chan") Signed-off-by: Sungwoo Kim <iam(a)sung-woo.kim> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Conflicts: net/bluetooth/l2cap_core.c [The version does not include commit e7b02296fb40, so the return value of l2cap_connect() is still used in l2cap_create_channel_req().] Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/bluetooth/l2cap_core.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index cf78a48085ed..b450f1736c7b 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4129,7 +4129,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, { struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; - struct l2cap_chan *chan = NULL, *pchan; + struct l2cap_chan *chan = NULL, *pchan = NULL; int result, status = L2CAP_CS_NO_INFO; u16 dcid = 0, scid = __le16_to_cpu(req->scid); @@ -4142,7 +4142,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, &conn->hcon->dst, ACL_LINK); if (!pchan) { result = L2CAP_CR_BAD_PSM; - goto sendresp; + goto response; } mutex_lock(&conn->chan_lock); @@ -4230,17 +4230,15 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, } response: - l2cap_chan_unlock(pchan); - mutex_unlock(&conn->chan_lock); - l2cap_chan_put(pchan); - -sendresp: rsp.scid = cpu_to_le16(scid); rsp.dcid = cpu_to_le16(dcid); rsp.result = cpu_to_le16(result); rsp.status = cpu_to_le16(status); l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); + if (!pchan) + return NULL; + if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { struct l2cap_info_req info; info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); @@ -4263,6 +4261,10 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, chan->num_conf_req++; } + l2cap_chan_unlock(pchan); + mutex_unlock(&conn->chan_lock); + l2cap_chan_put(pchan); + return chan; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] tcp: fix page frag corruption on page fault
by Liu Jian 30 May '24

30 May '24

From: Paolo Abeni <pabeni(a)redhat.com> mainline inclusion from mainline-v5.16-rc4 commit dacb5d8875cc6cd3a553363b4d6f06760fcbe70c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S257 CVE: CVE-2021-47544 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- Steffen reported a TCP stream corruption for HTTP requests served by the apache web-server using a cifs mount-point and memory mapping the relevant file. The root cause is quite similar to the one addressed by commit 20eb4f29b602 ("net: fix sk_page_frag() recursion from memory reclaim"). Here the nested access to the task page frag is caused by a page fault on the (mmapped) user-space memory buffer coming from the cifs file. The page fault handler performs an smb transaction on a different socket, inside the same process context. Since sk->sk_allaction for such socket does not prevent the usage for the task_frag, the nested allocation modify "under the hood" the page frag in use by the outer sendmsg call, corrupting the stream. The overall relevant stack trace looks like the following: httpd 78268 [001] 3461630.850950: probe:tcp_sendmsg_locked: ffffffff91461d91 tcp_sendmsg_locked+0x1 ffffffff91462b57 tcp_sendmsg+0x27 ffffffff9139814e sock_sendmsg+0x3e ffffffffc06dfe1d smb_send_kvec+0x28 [...] ffffffffc06cfaf8 cifs_readpages+0x213 ffffffff90e83c4b read_pages+0x6b ffffffff90e83f31 __do_page_cache_readahead+0x1c1 ffffffff90e79e98 filemap_fault+0x788 ffffffff90eb0458 __do_fault+0x38 ffffffff90eb5280 do_fault+0x1a0 ffffffff90eb7c84 __handle_mm_fault+0x4d4 ffffffff90eb8093 handle_mm_fault+0xc3 ffffffff90c74f6d __do_page_fault+0x1ed ffffffff90c75277 do_page_fault+0x37 ffffffff9160111e page_fault+0x1e ffffffff9109e7b5 copyin+0x25 ffffffff9109eb40 _copy_from_iter_full+0xe0 ffffffff91462370 tcp_sendmsg_locked+0x5e0 ffffffff91462370 tcp_sendmsg_locked+0x5e0 ffffffff91462b57 tcp_sendmsg+0x27 ffffffff9139815c sock_sendmsg+0x4c ffffffff913981f7 sock_write_iter+0x97 ffffffff90f2cc56 do_iter_readv_writev+0x156 ffffffff90f2dff0 do_iter_write+0x80 ffffffff90f2e1c3 vfs_writev+0xa3 ffffffff90f2e27c do_writev+0x5c ffffffff90c042bb do_syscall_64+0x5b ffffffff916000ad entry_SYSCALL_64_after_hwframe+0x65 The cifs filesystem rightfully sets sk_allocations to GFP_NOFS, we can avoid the nesting using the sk page frag for allocation lacking the __GFP_FS flag. Do not define an additional mm-helper for that, as this is strictly tied to the sk page frag usage. v1 -> v2: - use a stricted sk_page_frag() check instead of reordering the code (Eric) Reported-by: Steffen Froemer <sfroemer(a)redhat.com> Fixes: 5640f7685831 ("net: use a per task frag allocator") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: include/net/sock.h [This is because we did not backport commit 66256e0b15bd.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- include/net/sock.h | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index a1bfb777a1af..66e9c1060b13 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2333,16 +2333,19 @@ struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp, * @sk: socket * * Use the per task page_frag instead of the per socket one for - * optimization when we know that we're in the normal context and owns + * optimization when we know that we're in process context and own * everything that's associated with %current. * - * gfpflags_allow_blocking() isn't enough here as direct reclaim may nest - * inside other socket operations and end up recursing into sk_page_frag() - * while it's already in use. + * Both direct reclaim and page faults can nest inside other + * socket operations and end up recursing into sk_page_frag() + * while it's already in use: explicitly avoid task page_frag + * usage if the caller is potentially doing any of them. + * This assumes that page fault handlers use the GFP_NOFS flags. */ static inline struct page_frag *sk_page_frag(struct sock *sk) { - if (gfpflags_normal_context(sk->sk_allocation)) + if ((sk->sk_allocation & (__GFP_DIRECT_RECLAIM | __GFP_MEMALLOC | __GFP_FS)) == + (__GFP_DIRECT_RECLAIM | __GFP_FS)) return &current->task_frag; return &sk->sk_frag; -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP2] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index bede84209ecf..c8d2fe8fbc0a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2728,6 +2728,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 70126518ad16..2a62d7d91519 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] soc: qcom: llcc: Handle a second device without data corruption
by Kaixiong Yu 30 May '24

30 May '24

From: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> stable inclusion from stable-v5.10.201 commit 5e5b85ea0f4bc484bfe4cc73ead51fa48d2366a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFK0 CVE: CVE-2023-52871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f1a1bc8775b26345aba2be278118999e7f661d3d ] Usually there is only one llcc device. But if there were a second, even a failed probe call would modify the global drv_data pointer. So check if drv_data is valid before overwriting it. Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Fixes: a3134fb09e0b ("drivers: soc: Add LLCC driver") Link: https://lore.kernel.org/r/20230926083229.2073890-1-u.kleine-koenig@pengutro… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/soc/qcom/llcc-slice.c Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/soc/qcom/llcc-slice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/soc/qcom/llcc-slice.c b/drivers/soc/qcom/llcc-slice.c index 54063a31132f..3f1cac3145a4 100644 --- a/drivers/soc/qcom/llcc-slice.c +++ b/drivers/soc/qcom/llcc-slice.c @@ -283,6 +283,9 @@ int qcom_llcc_probe(struct platform_device *pdev, void __iomem *base; int ret, i; + if (!IS_ERR(drv_data)) + return -EBUSY; + drv_data = devm_kzalloc(dev, sizeof(*drv_data), GFP_KERNEL); if (!drv_data) return -ENOMEM; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v4.19.300 commit 298e767362cade639b7121ecb3cc5345b6529f62 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 93c6b50be818..d384fb85b8df 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2459,6 +2459,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Fixes: 7643a2c3fcc1 ("cfg80211: move txpower wext from mac80211") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index dd6f3d8b015e..aee27e4f761a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] ocfs2: fix data corruption after conversion from inline format
by Long Li 30 May '24

30 May '24

From: Jan Kara <jack(a)suse.cz> stable inclusion from stable-v4.19.213 commit a3a089c241cd49b33a8cdd7fcb37cc87a086912a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RC18 CVE: CVE-2021-47460 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- commit 5314454ea3ff6fc746eaf71b9a7ceebed52888fa upstream. Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") uncovered a latent bug in ocfs2 conversion from inline inode format to a normal inode format. The code in ocfs2_convert_inline_data_to_extents() attempts to zero out the whole cluster allocated for file data by grabbing, zeroing, and dirtying all pages covering this cluster. However these pages are beyond i_size, thus writeback code generally ignores these dirty pages and no blocks were ever actually zeroed on the disk. This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero pages past i_size.") for standard ocfs2 write path, inline conversion path was apparently forgotten; the commit log also has a reasoning why the zeroing actually is not needed. After commit 6dbf7bb55598, things became worse as writeback code stopped invalidating buffers on pages beyond i_size and thus these pages end up with clean PageDirty bit but with buffers attached to these pages being still dirty. So when a file is converted from inline format, then writeback triggers, and then the file is grown so that these pages become valid, the invalid dirtiness state is preserved, mark_buffer_dirty() does nothing on these pages (buffers are already dirty) but page is never written back because it is clean. So data written to these pages is lost once pages are reclaimed. Simple reproducer for the problem is: xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \ -c "pwrite 4000 2000" ocfs2_file After unmounting and mounting the fs again, you can observe that end of 'ocfs2_file' has lost its contents. Fix the problem by not doing the pointless zeroing during conversion from inline format similarly as in the standard write path. [akpm(a)linux-foundation.org: fix whitespace, per Joseph] Link: https://lkml.kernel.org/r/20210930095405.21433-1-jack@suse.cz Fixes: 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") Signed-off-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Tested-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Acked-by: Gang He <ghe(a)suse.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: "Markov, Andrey" <Markov.Andrey(a)Dell.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/ocfs2/alloc.c | 46 ++++++++++++---------------------------------- 1 file changed, 12 insertions(+), 34 deletions(-) diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index 40842c409af1..9769114f0c5a 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -7048,7 +7048,7 @@ void ocfs2_set_inode_data_inline(struct inode *inode, struct ocfs2_dinode *di) int ocfs2_convert_inline_data_to_extents(struct inode *inode, struct buffer_head *di_bh) { - int ret, i, has_data, num_pages = 0; + int ret, has_data, num_pages = 0; int need_free = 0; u32 bit_off, num; handle_t *handle; @@ -7057,26 +7057,17 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; struct ocfs2_alloc_context *data_ac = NULL; - struct page **pages = NULL; - loff_t end = osb->s_clustersize; + struct page *page = NULL; struct ocfs2_extent_tree et; int did_quota = 0; has_data = i_size_read(inode) ? 1 : 0; if (has_data) { - pages = kcalloc(ocfs2_pages_per_cluster(osb->sb), - sizeof(struct page *), GFP_NOFS); - if (pages == NULL) { - ret = -ENOMEM; - mlog_errno(ret); - return ret; - } - ret = ocfs2_reserve_clusters(osb, 1, &data_ac); if (ret) { mlog_errno(ret); - goto free_pages; + goto out; } } @@ -7096,7 +7087,8 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, } if (has_data) { - unsigned int page_end; + unsigned int page_end = min_t(unsigned, PAGE_SIZE, + osb->s_clustersize); u64 phys; ret = dquot_alloc_space_nodirty(inode, @@ -7120,15 +7112,8 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, */ block = phys = ocfs2_clusters_to_blocks(inode->i_sb, bit_off); - /* - * Non sparse file systems zero on extend, so no need - * to do that now. - */ - if (!ocfs2_sparse_alloc(osb) && - PAGE_SIZE < osb->s_clustersize) - end = PAGE_SIZE; - - ret = ocfs2_grab_eof_pages(inode, 0, end, pages, &num_pages); + ret = ocfs2_grab_eof_pages(inode, 0, page_end, &page, + &num_pages); if (ret) { mlog_errno(ret); need_free = 1; @@ -7139,20 +7124,15 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, * This should populate the 1st page for us and mark * it up to date. */ - ret = ocfs2_read_inline_data(inode, pages[0], di_bh); + ret = ocfs2_read_inline_data(inode, page, di_bh); if (ret) { mlog_errno(ret); need_free = 1; goto out_unlock; } - page_end = PAGE_SIZE; - if (PAGE_SIZE > osb->s_clustersize) - page_end = osb->s_clustersize; - - for (i = 0; i < num_pages; i++) - ocfs2_map_and_dirty_page(inode, handle, 0, page_end, - pages[i], i > 0, &phys); + ocfs2_map_and_dirty_page(inode, handle, 0, page_end, page, 0, + &phys); } spin_lock(&oi->ip_lock); @@ -7183,8 +7163,8 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, } out_unlock: - if (pages) - ocfs2_unlock_and_free_pages(pages, num_pages); + if (page) + ocfs2_unlock_and_free_pages(&page, num_pages); out_commit: if (ret < 0 && did_quota) @@ -7208,8 +7188,6 @@ int ocfs2_convert_inline_data_to_extents(struct inode *inode, out: if (data_ac) ocfs2_free_alloc_context(data_ac); -free_pages: - kfree(pages); return ret; } -- 2.39.2

2 1

[openeuler:openEuler-1.0-LTS 19767/22580] fs/cifs/transport.c:108 _cifs_mid_q_entry_release() warn: always true condition '(((midEntry->command)) >= 0) => (0-u16max >= 0)'
by kernel test robot 30 May '24

30 May '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 001f12b6928e25e5551ad2fbae86556c280757a1 commit: 28b546c67ad5b05406ea31184515152c8b0abeba [19767/22580] CIFS: Fix retry mid list corruption on reconnects config: x86_64-randconfig-161-20240530 (https://download.01.org/0day-ci/archive/20240530/202405301643.qKz6P2N2-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202405301643.qKz6P2N2-lkp@intel.com/ smatch warnings: fs/cifs/transport.c:108 _cifs_mid_q_entry_release() warn: always true condition '(((midEntry->command)) >= 0) => (0-u16max >= 0)' vim +108 fs/cifs/transport.c ^1da177e4c3f415 Linus Torvalds 2005-04-16 85 696e420bb2a6624 Lars Persson 2018-06-25 86 static void _cifs_mid_q_entry_release(struct kref *refcount) 696e420bb2a6624 Lars Persson 2018-06-25 87 { 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 88 struct mid_q_entry *midEntry = 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 89 container_of(refcount, struct mid_q_entry, refcount); 1047abc159b4eb4 Steve French 2005-10-11 90 #ifdef CONFIG_CIFS_STATS2 2dc7e1c03316940 Pavel Shilovsky 2011-12-26 91 __le16 command = midEntry->server->vals->lock_cmd; 1047abc159b4eb4 Steve French 2005-10-11 92 unsigned long now; 1047abc159b4eb4 Steve French 2005-10-11 93 #endif 7c9421e1a9ce8d1 Pavel Shilovsky 2012-03-23 94 midEntry->mid_state = MID_FREE; 8097531a5cb55c6 Jeff Layton 2011-01-11 95 atomic_dec(&midCount); 7c9421e1a9ce8d1 Pavel Shilovsky 2012-03-23 96 if (midEntry->large_buf) ^1da177e4c3f415 Linus Torvalds 2005-04-16 97 cifs_buf_release(midEntry->resp_buf); b8643e1b5253a6a Steve French 2005-04-28 98 else b8643e1b5253a6a Steve French 2005-04-28 99 cifs_small_buf_release(midEntry->resp_buf); 1047abc159b4eb4 Steve French 2005-10-11 100 #ifdef CONFIG_CIFS_STATS2 1047abc159b4eb4 Steve French 2005-10-11 101 now = jiffies; 1047abc159b4eb4 Steve French 2005-10-11 102 /* commands taking longer than one second are indications that 1047abc159b4eb4 Steve French 2005-10-11 103 something is wrong, unless it is quite a slow link or server */ 020eec5f712ffb4 Steve French 2018-08-01 104 if (time_after(now, midEntry->when_alloc + HZ) && 020eec5f712ffb4 Steve French 2018-08-01 105 (midEntry->command != command)) { 468d677954c0d94 Steve French 2018-08-04 106 /* smb2slowcmd[NUMBER_OF_SMB2_COMMANDS] counts by command */ 468d677954c0d94 Steve French 2018-08-04 107 if ((le16_to_cpu(midEntry->command) < NUMBER_OF_SMB2_COMMANDS) && 468d677954c0d94 Steve French 2018-08-04 @108 (le16_to_cpu(midEntry->command) >= 0)) 468d677954c0d94 Steve French 2018-08-04 109 cifs_stats_inc(&midEntry->server->smb2slowcmd[le16_to_cpu(midEntry->command)]); 468d677954c0d94 Steve French 2018-08-04 110 020eec5f712ffb4 Steve French 2018-08-01 111 trace_smb3_slow_rsp(le16_to_cpu(midEntry->command), 020eec5f712ffb4 Steve French 2018-08-01 112 midEntry->mid, midEntry->pid, 020eec5f712ffb4 Steve French 2018-08-01 113 midEntry->when_sent, midEntry->when_received); 020eec5f712ffb4 Steve French 2018-08-01 114 if (cifsFYI & CIFS_TIMER) { 0b456f04bcdf5b1 Andy Shevchenko 2014-08-27 115 pr_debug(" CIFS slow rsp: cmd %d mid %llu", 1047abc159b4eb4 Steve French 2005-10-11 116 midEntry->command, midEntry->mid); 0b456f04bcdf5b1 Andy Shevchenko 2014-08-27 117 pr_info(" A: 0x%lx S: 0x%lx R: 0x%lx\n", 1047abc159b4eb4 Steve French 2005-10-11 118 now - midEntry->when_alloc, 1047abc159b4eb4 Steve French 2005-10-11 119 now - midEntry->when_sent, 1047abc159b4eb4 Steve French 2005-10-11 120 now - midEntry->when_received); 1047abc159b4eb4 Steve French 2005-10-11 121 } 1047abc159b4eb4 Steve French 2005-10-11 122 } 1047abc159b4eb4 Steve French 2005-10-11 123 #endif 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 124 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 125 mempool_free(midEntry, cifs_mid_poolp); 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 126 } 28b546c67ad5b05 Pavel Shilovsky 2022-08-27 127 :::::: The code at line 108 was first introduced by commit :::::: 468d677954c0d94fec59275d91222257fe8b4416 smb3: display stats counters for number of slow commands :::::: TO: Steve French <stfrench(a)microsoft.com> :::::: CC: Steve French <stfrench(a)microsoft.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
by Wenyu Huang 30 May '24

30 May '24

From: Mario Limonciello <mario.limonciello(a)amd.com> stable inclusion from stable-v4.19.315 commit a63fd579e7b1c3a9ebd6e6c494d49b1b6cf5515e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFE8 CVE: CVE-2023-52819 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- [ Upstream commit 0f0e59075b5c22f1e871fbd508d6e4f495048356 ] For pptable structs that use flexible array sizes, use flexible arrays. Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742 Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wenyu Huang <huangwenyu5(a)huawei.com> --- drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h index 1e870f58dd12..153459262a7e 100644 --- a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h +++ b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h @@ -164,7 +164,7 @@ typedef struct _ATOM_Tonga_State { typedef struct _ATOM_Tonga_State_Array { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_State entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_State entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_State_Array; typedef struct _ATOM_Tonga_MCLK_Dependency_Record { @@ -210,7 +210,7 @@ typedef struct _ATOM_Polaris_SCLK_Dependency_Record { typedef struct _ATOM_Polaris_SCLK_Dependency_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Polaris_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Polaris_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Polaris_SCLK_Dependency_Table; typedef struct _ATOM_Tonga_PCIE_Record { @@ -222,7 +222,7 @@ typedef struct _ATOM_Tonga_PCIE_Record { typedef struct _ATOM_Tonga_PCIE_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_PCIE_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_PCIE_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_PCIE_Table; typedef struct _ATOM_Polaris10_PCIE_Record { @@ -235,7 +235,7 @@ typedef struct _ATOM_Polaris10_PCIE_Record { typedef struct _ATOM_Polaris10_PCIE_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Polaris10_PCIE_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Polaris10_PCIE_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Polaris10_PCIE_Table; @@ -252,7 +252,7 @@ typedef struct _ATOM_Tonga_MM_Dependency_Record { typedef struct _ATOM_Tonga_MM_Dependency_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_MM_Dependency_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_MM_Dependency_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_MM_Dependency_Table; typedef struct _ATOM_Tonga_Voltage_Lookup_Record { @@ -265,7 +265,7 @@ typedef struct _ATOM_Tonga_Voltage_Lookup_Record { typedef struct _ATOM_Tonga_Voltage_Lookup_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_Voltage_Lookup_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_Voltage_Lookup_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_Voltage_Lookup_Table; typedef struct _ATOM_Tonga_Fan_Table { -- 2.34.1

2 1

[PATCH OLK-5.10 0/7] net: backport hulk patches
by Dong Chenchen 30 May '24

30 May '24

backport hulk patches Dong Chenchen (1): net: xfrm: skip policies marked as dead while reinserting policies Lu Wei (4): netfilter: make return-type and function-name in the same line bpf: fix magic numbers in bpf_get_sockops_uid_gid() bpf: socketmap: add Kconfig for customized socketmap tcp_comp: modify default value of TCP_COMP to n Ziyang Xuan (2): bpf: fix format type mismatch warning bpf: fix type incompatible warning arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + include/net/netfilter/nf_conntrack.h | 2 ++ include/net/sock.h | 6 +++++- net/Kconfig | 10 ++++++++++ net/core/filter.c | 11 ++++++++++- net/core/sock.c | 4 ++++ net/ipv4/Kconfig | 1 + net/netfilter/nf_conntrack_proto.c | 16 +++++++++++----- net/socket.c | 2 ++ net/xfrm/xfrm_policy.c | 2 +- 11 files changed, 48 insertions(+), 8 deletions(-) -- 2.25.1

2 8

[PATCH openEuler-22.03-LTS] [Backport] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: 189268 CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index dd6f3d8b015e..aee27e4f761a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] [Backport] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: 189268 CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 70126518ad16..2a62d7d91519 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS v2] [Backport] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RE6D CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index dd6f3d8b015e..aee27e4f761a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2729,6 +2729,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

1 0

[PATCH openEuler-22.03-LTS-SP2] [Backport] wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
by Zheng Yejian 30 May '24

30 May '24

From: Ping-Ke Shih <pkshih(a)realtek.com> stable inclusion from stable-v5.10.202 commit 717de20abdcd1d4993fa450e28b8086a352620ea category: bugfix bugzilla: 189268 CVE: CVE-2023-52832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- net/mac80211/cfg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index bede84209ecf..c8d2fe8fbc0a 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2728,6 +2728,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy, else *dbm = sdata->vif.bss_conf.txpower; + /* INT_MIN indicates no power level was set yet */ + if (*dbm == INT_MIN) + return -EINVAL; + return 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS] net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
by Zheng Yejian 30 May '24

30 May '24

From: Miko Larsson <mikoxyzzz(a)gmail.com> stable inclusion from stable-v5.10.169 commit 525bdcb0838d19d918c7786151ee14661967a030 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7V9QX CVE: CVE-2023-52703 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------- commit c68f345b7c425b38656e1791a0486769a8797016 upstream. syzbot reported that act_len in kalmia_send_init_packet() is uninitialized when passing it to the first usb_bulk_msg error path. Jiri Pirko noted that it's pointless to pass it in the error path, and that the value that would be printed in the second error path would be the value of act_len from the first call to usb_bulk_msg.[1] With this in mind, let's just not pass act_len to the usb_bulk_msg error paths. 1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/ Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55(a)syzkaller.appspotmail.com Signed-off-by: Miko Larsson <mikoxyzzz(a)gmail.com> Reviewed-by: Alexander Duyck <alexanderduyck(a)fb.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: zhaoxiaoqiang11 <zhaoxiaoqiang11(a)jd.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- drivers/net/usb/kalmia.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c index fc5895f85cee..a552bb1665b8 100644 --- a/drivers/net/usb/kalmia.c +++ b/drivers/net/usb/kalmia.c @@ -65,8 +65,8 @@ kalmia_send_init_packet(struct usbnet *dev, u8 *init_msg, u8 init_msg_len, init_msg, init_msg_len, &act_len, KALMIA_USB_TIMEOUT); if (status != 0) { netdev_err(dev->net, - "Error sending init packet. Status %i, length %i\n", - status, act_len); + "Error sending init packet. Status %i\n", + status); return status; } else if (act_len != init_msg_len) { @@ -83,8 +83,8 @@ kalmia_send_init_packet(struct usbnet *dev, u8 *init_msg, u8 init_msg_len, if (status != 0) netdev_err(dev->net, - "Error receiving init result. Status %i, length %i\n", - status, act_len); + "Error receiving init result. Status %i\n", + status); else if (act_len != expected_len) netdev_err(dev->net, "Unexpected init result length: %i\n", act_len); -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
by Zheng Yejian 30 May '24

30 May '24

From: Miko Larsson <mikoxyzzz(a)gmail.com> stable inclusion from stable-v5.10.169 commit 525bdcb0838d19d918c7786151ee14661967a030 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7V9QX CVE: CVE-2023-52703 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------- commit c68f345b7c425b38656e1791a0486769a8797016 upstream. syzbot reported that act_len in kalmia_send_init_packet() is uninitialized when passing it to the first usb_bulk_msg error path. Jiri Pirko noted that it's pointless to pass it in the error path, and that the value that would be printed in the second error path would be the value of act_len from the first call to usb_bulk_msg.[1] With this in mind, let's just not pass act_len to the usb_bulk_msg error paths. 1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/ Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55(a)syzkaller.appspotmail.com Signed-off-by: Miko Larsson <mikoxyzzz(a)gmail.com> Reviewed-by: Alexander Duyck <alexanderduyck(a)fb.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: zhaoxiaoqiang11 <zhaoxiaoqiang11(a)jd.com> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- drivers/net/usb/kalmia.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c index fc5895f85cee..a552bb1665b8 100644 --- a/drivers/net/usb/kalmia.c +++ b/drivers/net/usb/kalmia.c @@ -65,8 +65,8 @@ kalmia_send_init_packet(struct usbnet *dev, u8 *init_msg, u8 init_msg_len, init_msg, init_msg_len, &act_len, KALMIA_USB_TIMEOUT); if (status != 0) { netdev_err(dev->net, - "Error sending init packet. Status %i, length %i\n", - status, act_len); + "Error sending init packet. Status %i\n", + status); return status; } else if (act_len != init_msg_len) { @@ -83,8 +83,8 @@ kalmia_send_init_packet(struct usbnet *dev, u8 *init_msg, u8 init_msg_len, if (status != 0) netdev_err(dev->net, - "Error receiving init result. Status %i, length %i\n", - status, act_len); + "Error receiving init result. Status %i\n", + status); else if (act_len != expected_len) netdev_err(dev->net, "Unexpected init result length: %i\n", act_len); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path
by Zheng Yejian 30 May '24

30 May '24

From: Miko Larsson <mikoxyzzz(a)gmail.com> stable inclusion from stable-v4.19.273 commit 723ef7b66f37c0841f5a451ccbce47ee1641e081 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4LE CVE: CVE-2023-52703 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c68f345b7c425b38656e1791a0486769a8797016 upstream. syzbot reported that act_len in kalmia_send_init_packet() is uninitialized when passing it to the first usb_bulk_msg error path. Jiri Pirko noted that it's pointless to pass it in the error path, and that the value that would be printed in the second error path would be the value of act_len from the first call to usb_bulk_msg.[1] With this in mind, let's just not pass act_len to the usb_bulk_msg error paths. 1: https://lore.kernel.org/lkml/Y9pY61y1nwTuzMOa@nanopsycho/ Fixes: d40261236e8e ("net/usb: Add Samsung Kalmia driver for Samsung GT-B3730") Reported-and-tested-by: syzbot+cd80c5ef5121bfe85b55(a)syzkaller.appspotmail.com Signed-off-by: Miko Larsson <mikoxyzzz(a)gmail.com> Reviewed-by: Alexander Duyck <alexanderduyck(a)fb.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- drivers/net/usb/kalmia.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/usb/kalmia.c b/drivers/net/usb/kalmia.c index 0cc6993c279a..93ee909c7939 100644 --- a/drivers/net/usb/kalmia.c +++ b/drivers/net/usb/kalmia.c @@ -69,8 +69,8 @@ kalmia_send_init_packet(struct usbnet *dev, u8 *init_msg, u8 init_msg_len, init_msg, init_msg_len, &act_len, KALMIA_USB_TIMEOUT); if (status != 0) { netdev_err(dev->net, - "Error sending init packet. Status %i, length %i\n", - status, act_len); + "Error sending init packet. Status %i\n", + status); return status; } else if (act_len != init_msg_len) { @@ -87,8 +87,8 @@ kalmia_send_init_packet(struct usbnet *dev, u8 *init_msg, u8 init_msg_len, if (status != 0) netdev_err(dev->net, - "Error receiving init result. Status %i, length %i\n", - status, act_len); + "Error receiving init result. Status %i\n", + status); else if (act_len != expected_len) netdev_err(dev->net, "Unexpected init result length: %i\n", act_len); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS 0/1] CVE-2021-47277
by Yongqiang Liu 30 May '24

30 May '24

Paolo Bonzini (1): kvm: avoid speculation-based attacks from out-of-range memslot accesses include/linux/kvm_host.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- 2.34.1

2 2

[PATCH openEuler-1.0-LTS] mcb: fix error handling in mcb_alloc_bus()
by Hui Tang 30 May '24

30 May '24

From: Dan Carpenter <dan.carpenter(a)oracle.com> stable inclusion from stable-v4.19.209 commit 66f74ba9be9daf9c47fface6af3677f602774f6b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4M2 CVE: CVE-2021-47361 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- commit 25a1433216489de4abc889910f744e952cb6dbae upstream. There are two bugs: 1) If ida_simple_get() fails then this code calls put_device(carrier) but we haven't yet called get_device(carrier) and probably that leads to a use after free. 2) After device_initialize() then we need to use put_device() to release the bus. This will free the internal resources tied to the device and call mcb_free_bus() which will free the rest. Fixes: 5d9e2ab9fea4 ("mcb: Implement bus->dev.release callback") Fixes: 18d288198099 ("mcb: Correctly initialize the bus's device") Cc: stable(a)vger.kernel.org Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Johannes Thumshirn <jth(a)kernel.org> Link: https://lore.kernel.org/r/32e160cf6864ce77f9d62948338e24db9fd8ead9.16309313… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Hui Tang <tanghui20(a)huawei.com> --- drivers/mcb/mcb-core.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c index cee4f28baf95..4a2002ba2e23 100644 --- a/drivers/mcb/mcb-core.c +++ b/drivers/mcb/mcb-core.c @@ -280,8 +280,8 @@ struct mcb_bus *mcb_alloc_bus(struct device *carrier) bus_nr = ida_simple_get(&mcb_ida, 0, 0, GFP_KERNEL); if (bus_nr < 0) { - rc = bus_nr; - goto err_free; + kfree(bus); + return ERR_PTR(bus_nr); } bus->bus_nr = bus_nr; @@ -296,12 +296,12 @@ struct mcb_bus *mcb_alloc_bus(struct device *carrier) dev_set_name(&bus->dev, "mcb:%d", bus_nr); rc = device_add(&bus->dev); if (rc) - goto err_free; + goto err_put; return bus; -err_free: - put_device(carrier); - kfree(bus); + +err_put: + put_device(&bus->dev); return ERR_PTR(rc); } EXPORT_SYMBOL_GPL(mcb_alloc_bus); -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS] s390/dasd: protect device queue against concurrent access
by Liu Shixin 30 May '24

30 May '24

From: Jan Höppner <hoeppner(a)linux.ibm.com> stable inclusion from stable-v5.10.203 commit c841de6247e94e07566d57163d3c0d8b29278f7a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4KR CVE: CVE-2023-52774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit db46cd1e0426f52999d50fa72cfa97fa39952885 upstream. In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses. Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path. Cc: <stable(a)vger.kernel.org> Fixes: 4fa52aa7a82f ("[S390] dasd: add enhanced DASD statistics interface") Reviewed-by: Stefan Haberland <sth(a)linux.ibm.com> Signed-off-by: Jan Höppner <hoeppner(a)linux.ibm.com> Signed-off-by: Stefan Haberland <sth(a)linux.ibm.com> Link: https://lore.kernel.org/r/20231025132437.1223363-3-sth@linux.ibm.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1(a)jd.com> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- drivers/s390/block/dasd.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c index f4edfe383e9d..0b195c1dc8de 100644 --- a/drivers/s390/block/dasd.c +++ b/drivers/s390/block/dasd.c @@ -737,18 +737,20 @@ static void dasd_profile_start(struct dasd_block *block, * we count each request only once. */ device = cqr->startdev; - if (device->profile.data) { - counter = 1; /* request is not yet queued on the start device */ - list_for_each(l, &device->ccw_queue) - if (++counter >= 31) - break; - } + if (!device->profile.data) + return; + + spin_lock(get_ccwdev_lock(device->cdev)); + counter = 1; /* request is not yet queued on the start device */ + list_for_each(l, &device->ccw_queue) + if (++counter >= 31) + break; + spin_unlock(get_ccwdev_lock(device->cdev)); + spin_lock(&device->profile.lock); - if (device->profile.data) { - device->profile.data->dasd_io_nr_req[counter]++; - if (rq_data_dir(req) == READ) - device->profile.data->dasd_read_nr_req[counter]++; - } + device->profile.data->dasd_io_nr_req[counter]++; + if (rq_data_dir(req) == READ) + device->profile.data->dasd_read_nr_req[counter]++; spin_unlock(&device->profile.lock); } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
by Wenyu Huang 30 May '24

30 May '24

From: Mario Limonciello <mario.limonciello(a)amd.com> stable inclusion from stable-v5.10.202 commit 8c1dbddbfcb051e82cea0c197c620f9dcdc38e92 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFE8 CVE: CVE-2023-52819 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 0f0e59075b5c22f1e871fbd508d6e4f495048356 ] For pptable structs that use flexible array sizes, use flexible arrays. Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742 Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Acked-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wenyu Huang <huangwenyu5(a)huawei.com> --- .../gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h index 1e870f58dd12..153459262a7e 100644 --- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h +++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pptable_v1_0.h @@ -164,7 +164,7 @@ typedef struct _ATOM_Tonga_State { typedef struct _ATOM_Tonga_State_Array { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_State entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_State entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_State_Array; typedef struct _ATOM_Tonga_MCLK_Dependency_Record { @@ -210,7 +210,7 @@ typedef struct _ATOM_Polaris_SCLK_Dependency_Record { typedef struct _ATOM_Polaris_SCLK_Dependency_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Polaris_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Polaris_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Polaris_SCLK_Dependency_Table; typedef struct _ATOM_Tonga_PCIE_Record { @@ -222,7 +222,7 @@ typedef struct _ATOM_Tonga_PCIE_Record { typedef struct _ATOM_Tonga_PCIE_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_PCIE_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_PCIE_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_PCIE_Table; typedef struct _ATOM_Polaris10_PCIE_Record { @@ -235,7 +235,7 @@ typedef struct _ATOM_Polaris10_PCIE_Record { typedef struct _ATOM_Polaris10_PCIE_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Polaris10_PCIE_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Polaris10_PCIE_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Polaris10_PCIE_Table; @@ -252,7 +252,7 @@ typedef struct _ATOM_Tonga_MM_Dependency_Record { typedef struct _ATOM_Tonga_MM_Dependency_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_MM_Dependency_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_MM_Dependency_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_MM_Dependency_Table; typedef struct _ATOM_Tonga_Voltage_Lookup_Record { @@ -265,7 +265,7 @@ typedef struct _ATOM_Tonga_Voltage_Lookup_Record { typedef struct _ATOM_Tonga_Voltage_Lookup_Table { UCHAR ucRevId; UCHAR ucNumEntries; /* Number of entries. */ - ATOM_Tonga_Voltage_Lookup_Record entries[1]; /* Dynamically allocate entries. */ + ATOM_Tonga_Voltage_Lookup_Record entries[]; /* Dynamically allocate entries. */ } ATOM_Tonga_Voltage_Lookup_Table; typedef struct _ATOM_Tonga_Fan_Table { -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/2] jfs: fix two
by Long Li 30 May '24

30 May '24

This patch set fix two array-index-out-of-bounds issuse. Manas Ghandat (1): jfs: fix array-index-out-of-bounds in dbFindLeaf Yogesh (1): fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev fs/jfs/jfs_dmap.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) -- 2.39.2

2 3

[PATCH OLK-6.6] xfs: Fix file creation failure
by Zizhi Wo 30 May '24

30 May '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9TDTA CVE: NA -------------------------------- In the file system expansion test and concurrent file creation and writing scenarios, file creation fails occasionally. The detailed test scheme is as follows: 1. If the remaining space is less than 128 MB, expand the space by 1 GB; --xfs_growfs /$DEV -D $bc -m 100 2. 32 processes create a file every 0.5s and write 4 KB to 4 MB data randomly. --filesize=$((RANDOM % 1024 + 1)) --dd if=/dev/zero oflag=direct of=$filename bs=4K count=$filesize And when the file creation fails, there are still hundreds of megabytes of free space. The overall analysis process is as follows: Direct write Create file xfs_file_write_iter ... xfs_direct_write_iomap_begin xfs_iomap_write_direct ... xfs_alloc_ag_vextent_near xfs_alloc_cur_finish xfs_alloc_fixup_trees xfs_btree_delete xfs_btree_delrec xfs_allocbt_update_lastrec // Longest = 0 because numrec == 0. agf->agf_longest = len = 0 xfs_create ... xfs_dialloc ... xfs_alloc_fix_freelist xfs_alloc_space_available -> as longest=0, it will return false, no space for inode alloc. The root cause of the problem is that allocation extents holds agf locks, but the inode creation process will quickly check whether there is space firstly, which does not have agf locks. And when the first judgment fails, it returns directly. If the first judgment passes, the lock is held before entering the second judgment, that's how the "check-lock-check again" algorithm is designed. If all AG fails in no lock check, an error will return. This problem occurs probably when there is not enough space left for all the AG's in front, and the last AG deletes the last CNT tree record and the new record is not inserted yet. Fix this issue by adding the bc_free_longest field to the xfs_btree_cur_t structure to store the longest count that will be updated. The assignment is done in xfs_alloc_fixup_trees() and xfs_free_ag_extent(). Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/xfs/libxfs/xfs_alloc.c | 14 ++++++++++++++ fs/xfs/libxfs/xfs_alloc_btree.c | 9 ++++++++- fs/xfs/libxfs/xfs_btree.h | 1 + 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c index 6e448f50cef4..4dd3238161cf 100644 --- a/fs/xfs/libxfs/xfs_alloc.c +++ b/fs/xfs/libxfs/xfs_alloc.c @@ -586,6 +586,13 @@ xfs_alloc_fixup_trees( nfbno2 = rbno + rlen; nflen2 = (fbno + flen) - nfbno2; } + + /* + * Record the potential maximum free length in advance. + */ + if (nfbno1 != NULLAGBLOCK || nfbno2 != NULLAGBLOCK) + cnt_cur->bc_ag.bc_free_longest = XFS_EXTLEN_MAX(nflen1, nflen2); + /* * Delete the entry from the by-size btree. */ @@ -2019,6 +2026,13 @@ xfs_free_ag_extent( * Now allocate and initialize a cursor for the by-size tree. */ cnt_cur = xfs_allocbt_init_cursor(mp, tp, agbp, pag, XFS_BTNUM_CNT); + /* + * Record the potential maximum free length in advance. + */ + if (haveleft) + cnt_cur->bc_ag.bc_free_longest = ltlen; + if (haveright) + cnt_cur->bc_ag.bc_free_longest = gtlen; /* * Have both left and right contiguous neighbors. * Merge all three into a single free block. diff --git a/fs/xfs/libxfs/xfs_alloc_btree.c b/fs/xfs/libxfs/xfs_alloc_btree.c index c65228efed4a..d2c7a217a74b 100644 --- a/fs/xfs/libxfs/xfs_alloc_btree.c +++ b/fs/xfs/libxfs/xfs_alloc_btree.c @@ -146,7 +146,14 @@ xfs_allocbt_update_lastrec( rrp = XFS_ALLOC_REC_ADDR(cur->bc_mp, block, numrecs); len = rrp->ar_blockcount; } else { - len = 0; + /* + * Update in advance to prevent file creation failure + * for concurrent processes even though there is no + * numrec currently. + * And there's no need to worry as the value that no + * less than bc_free_longest will be inserted later. + */ + len = cpu_to_be32(cur->bc_ag.bc_free_longest); } break; diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h index 4d68a58be160..bf63bbcd4914 100644 --- a/fs/xfs/libxfs/xfs_btree.h +++ b/fs/xfs/libxfs/xfs_btree.h @@ -218,6 +218,7 @@ union xfs_btree_irec { /* Per-AG btree information. */ struct xfs_btree_cur_ag { struct xfs_perag *pag; + xfs_extlen_t bc_free_longest; /* the potential longest free extent */ union { struct xfs_buf *agbp; struct xbtree_afakeroot *afake; /* for staging cursor */ -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] mac80211: fix use-after-free in CCMP/GCMP RX
by Li Huafei 30 May '24

30 May '24

From: Johannes Berg <johannes.berg(a)intel.com> stable inclusion from stable-v4.19.209 commit 3d5d629c99c468458022e9b381789de3595bf4dd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4NV CVE: CVE-2021-47388 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 94513069eb549737bcfc3d988d6ed4da948a2de8 upstream. When PN checking is done in mac80211, for fragmentation we need to copy the PN to the RX struct so we can later use it to do a comparison, since commit bf30ca922a0c ("mac80211: check defrag PN against current frame"). Unfortunately, in that commit I used the 'hdr' variable without it being necessarily valid, so use-after-free could occur if it was necessary to reallocate (parts of) the frame. Fix this by reloading the variable after the code that results in the reallocations, if any. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401. Cc: stable(a)vger.kernel.org Fixes: bf30ca922a0c ("mac80211: check defrag PN against current frame") Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- net/mac80211/wpa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c index dbeccccf0fdf3..b1d2e2b54f85a 100644 --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -523,6 +523,9 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx, return RX_DROP_UNUSABLE; } + /* reload hdr - skb might have been reallocated */ + hdr = (void *)rx->skb->data; + data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len; if (!rx->sta || data_len < 0) return RX_DROP_UNUSABLE; @@ -752,6 +755,9 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx) return RX_DROP_UNUSABLE; } + /* reload hdr - skb might have been reallocated */ + hdr = (void *)rx->skb->data; + data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len; if (!rx->sta || data_len < 0) return RX_DROP_UNUSABLE; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] s390/dasd: protect device queue against concurrent access
by Liu Shixin 30 May '24

30 May '24

From: Jan Höppner <hoeppner(a)linux.ibm.com> stable inclusion from stable-v4.19.301 commit f75617cc8df4155374132f0b500b0b3ebb967458 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4KR CVE: CVE-2023-52774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit db46cd1e0426f52999d50fa72cfa97fa39952885 upstream. In dasd_profile_start() the amount of requests on the device queue are counted. The access to the device queue is unprotected against concurrent access. With a lot of parallel I/O, especially with alias devices enabled, the device queue can change while dasd_profile_start() is accessing the queue. In the worst case this leads to a kernel panic due to incorrect pointer accesses. Fix this by taking the device lock before accessing the queue and counting the requests. Additionally the check for a valid profile data pointer can be done earlier to avoid unnecessary locking in a hot path. Cc: <stable(a)vger.kernel.org> Fixes: 4fa52aa7a82f ("[S390] dasd: add enhanced DASD statistics interface") Reviewed-by: Stefan Haberland <sth(a)linux.ibm.com> Signed-off-by: Jan Höppner <hoeppner(a)linux.ibm.com> Signed-off-by: Stefan Haberland <sth(a)linux.ibm.com> Link: https://lore.kernel.org/r/20231025132437.1223363-3-sth@linux.ibm.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- drivers/s390/block/dasd.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c index 433651225fca..180c24cb4538 100644 --- a/drivers/s390/block/dasd.c +++ b/drivers/s390/block/dasd.c @@ -725,18 +725,20 @@ static void dasd_profile_start(struct dasd_block *block, * we count each request only once. */ device = cqr->startdev; - if (device->profile.data) { - counter = 1; /* request is not yet queued on the start device */ - list_for_each(l, &device->ccw_queue) - if (++counter >= 31) - break; - } + if (!device->profile.data) + return; + + spin_lock(get_ccwdev_lock(device->cdev)); + counter = 1; /* request is not yet queued on the start device */ + list_for_each(l, &device->ccw_queue) + if (++counter >= 31) + break; + spin_unlock(get_ccwdev_lock(device->cdev)); + spin_lock(&device->profile.lock); - if (device->profile.data) { - device->profile.data->dasd_io_nr_req[counter]++; - if (rq_data_dir(req) == READ) - device->profile.data->dasd_read_nr_req[counter]++; - } + device->profile.data->dasd_io_nr_req[counter]++; + if (rq_data_dir(req) == READ) + device->profile.data->dasd_read_nr_req[counter]++; spin_unlock(&device->profile.lock); } -- 2.25.1

2 1

[PATCH OLK-5.10] mptcp: ensure tx skbs always have the MPTCP ext
by Ziyang Xuan 30 May '24

30 May '24

From: Paolo Abeni <pabeni(a)redhat.com> mainline inclusion from mainline-v5.15-rc3 commit 977d293e23b48a1129830d7968605f61c4af71a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4NZ CVE: CVE-2021-47370 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Due to signed/unsigned comparison, the expression: info->size_goal - skb->len > 0 evaluates to true when the size goal is smaller than the skb size. That results in lack of tx cache refill, so that the skb allocated by the core TCP code lacks the required MPTCP skb extensions. Due to the above, syzbot is able to trigger the following WARN_ON(): WARNING: CPU: 1 PID: 810 at net/mptcp/protocol.c:1366 mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366 Modules linked in: CPU: 1 PID: 810 Comm: syz-executor.4 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:mptcp_sendmsg_frag+0x1362/0x1bc0 net/mptcp/protocol.c:1366 Code: ff 4c 8b 74 24 50 48 8b 5c 24 58 e9 0f fb ff ff e8 13 44 8b f8 4c 89 e7 45 31 ed e8 98 57 2e fe e9 81 f4 ff ff e8 fe 43 8b f8 <0f> 0b 41 bd ea ff ff ff e9 6f f4 ff ff 4c 89 e7 e8 b9 8e d2 f8 e9 RSP: 0018:ffffc9000531f6a0 EFLAGS: 00010216 RAX: 000000000000697f RBX: 0000000000000000 RCX: ffffc90012107000 RDX: 0000000000040000 RSI: ffffffff88eac9e2 RDI: 0000000000000003 RBP: ffff888078b15780 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff88eac017 R11: 0000000000000000 R12: ffff88801de0a280 R13: 0000000000006b58 R14: ffff888066278280 R15: ffff88803c2fe9c0 FS: 00007fd9f866e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007faebcb2f718 CR3: 00000000267cb000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __mptcp_push_pending+0x1fb/0x6b0 net/mptcp/protocol.c:1547 mptcp_release_cb+0xfe/0x210 net/mptcp/protocol.c:3003 release_sock+0xb4/0x1b0 net/core/sock.c:3206 sk_stream_wait_memory+0x604/0xed0 net/core/stream.c:145 mptcp_sendmsg+0xc39/0x1bc0 net/mptcp/protocol.c:1749 inet6_sendmsg+0x99/0xe0 net/ipv6/af_inet6.c:643 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 sock_write_iter+0x2a0/0x3e0 net/socket.c:1057 call_write_iter include/linux/fs.h:2163 [inline] new_sync_write+0x40b/0x640 fs/read_write.c:507 vfs_write+0x7cf/0xae0 fs/read_write.c:594 ksys_write+0x1ee/0x250 fs/read_write.c:647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd9f866e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665f9 RDX: 00000000000e7b78 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 0000000000a9fb1f R14: 00007fd9f866e300 R15: 0000000000022000 Fix the issue rewriting the relevant expression to avoid sign-related problems - note: size_goal is always >= 0. Additionally, ensure that the skb in the tx cache always carries the relevant extension. Reported-and-tested-by: syzbot+263a248eec3e875baa7b(a)syzkaller.appspotmail.com Fixes: 1094c6fe7280 ("mptcp: fix possible divide by zero") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: net/mptcp/protocol.c [The version does not include commit 1094c6fe7280.] Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/mptcp/protocol.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 09d0510eaaa6..6ee641a3838d 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -933,7 +933,7 @@ static int mptcp_sendmsg_frag(struct sock *sk, struct sock *ssk, * queue management operation, to avoid breaking the ext <-> * SSN association set here */ - can_collapse = (size_goal - skb->len > 0) && + can_collapse = (size_goal > skb->len) && mptcp_skb_can_collapse_to(*write_seq, skb, mpext); if (!can_collapse) TCP_SKB_CB(skb)->eor = 1; -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] perf: hisi: Fix use-after-free when register pmu fails
by Luo Gengkun 30 May '24

30 May '24

From: Junhao He <hejunhao3(a)huawei.com> mainline inclusion from mainline-v6.7-rc1 commit b805cafc604bfdb671fae7347a57f51154afa735 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RKWV CVE: CVE-2023-52859 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When we fail to register the uncore pmu, the pmu context may not been allocated. The error handing will call cpuhp_state_remove_instance() to call uncore pmu offline callback, which migrate the pmu context. Since that's liable to lead to some kind of use-after-free. Use cpuhp_state_remove_instance_nocalls() instead of cpuhp_state_remove_instance() so that the notifiers don't execute after the PMU device has been failed to register. Fixes: a0ab25cd82ee ("drivers/perf: hisi: Add support for HiSilicon PA PMU driver") FIxes: 3bf30882c3c7 ("drivers/perf: hisi: Add support for HiSilicon SLLC PMU driver") Signed-off-by: Junhao He <hejunhao3(a)huawei.com> Link: https://lore.kernel.org/r/20231024113630.13472-1-hejunhao3@huawei.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/perf/hisilicon/hisi_uncore_pa_pmu.c | 4 ++-- drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c index f1e6b5cee075..65ed4aa19266 100644 --- a/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c +++ b/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c @@ -430,8 +430,8 @@ static int hisi_pa_pmu_probe(struct platform_device *pdev) ret = perf_pmu_register(&pa_pmu->pmu, name, -1); if (ret) { dev_err(pa_pmu->dev, "PMU register failed, ret = %d\n", ret); - cpuhp_state_remove_instance(CPUHP_AP_PERF_ARM_HISI_PA_ONLINE, - &pa_pmu->node); + cpuhp_state_remove_instance_nocalls(CPUHP_AP_PERF_ARM_HISI_PA_ONLINE, + &pa_pmu->node); return ret; } diff --git a/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c b/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c index 835ec3e2178f..1a3d58ca854c 100644 --- a/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c +++ b/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c @@ -463,8 +463,8 @@ static int hisi_sllc_pmu_probe(struct platform_device *pdev) ret = perf_pmu_register(&sllc_pmu->pmu, name, -1); if (ret) { dev_err(sllc_pmu->dev, "PMU register failed, ret = %d\n", ret); - cpuhp_state_remove_instance(CPUHP_AP_PERF_ARM_HISI_SLLC_ONLINE, - &sllc_pmu->node); + cpuhp_state_remove_instance_nocalls(CPUHP_AP_PERF_ARM_HISI_SLLC_ONLINE, + &sllc_pmu->node); return ret; } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] ipvlan: add ipvlan_route_v6_outbound() helper
by Zhengchao Shao 30 May '24

30 May '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v4.19.300 commit 4f7f850611aa27aaaf1bf5687702ad2240ae442a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFH5 CVE: CVE-2023-52796 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 18f039428c7df183b09c69ebf10ffd4e521035d2 ] Inspired by syzbot reports using a stack of multiple ipvlan devices. Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed. Also make sure ipvlan_process_v4_outbound() is not inlined. We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices. BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> </#DF> <TASK> [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline] [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline] [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline] [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline] [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline] [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline] [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff84d4a65e>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff84d4a65e>] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560 [<ffffffff855ce503>] neigh_output include/net/neighbour.h:545 [inline] [<ffffffff855ce503>] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff855b9ce4>] dst_output include/net/dst.h:444 [inline] [<ffffffff855b9ce4>] NF_HOOK include/linux/netfilter.h:309 [inline] [<ffffffff855b9ce4>] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352 [<ffffffff8597984e>] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250 [<ffffffff8594623e>] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653 [<ffffffff858f5142>] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783 [<ffffffff858ea411>] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] [<ffffffff858ea411>] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212 [<ffffffff858f02f9>] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764 [<ffffffff8589f060>] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] [<ffffffff8589f060>] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170 [<ffffffff85941567>] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73 [<ffffffff859408b2>] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839 [<ffffffff85910b5e>] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029 [<ffffffff8544d559>] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849 [<ffffffff84c6c4d2>] sock_sendmsg_nosec net/socket.c:716 [inline] [<ffffffff84c6c4d2>] sock_sendmsg net/socket.c:736 [inline] [<ffffffff84c6c4d2>] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504 [<ffffffff84c6ca91>] ___sys_sendmsg net/socket.c:2558 [inline] [<ffffffff84c6ca91>] __sys_sendmsg+0x271/0x360 net/socket.c:2587 [<ffffffff84c6cbff>] __do_sys_sendmsg net/socket.c:2596 [inline] [<ffffffff84c6cbff>] __se_sys_sendmsg net/socket.c:2594 [inline] [<ffffffff84c6cbff>] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594 [<ffffffff85b32553>] do_syscall_x64 arch/x86/entry/common.c:51 [inline] [<ffffffff85b32553>] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84 [<ffffffff85c00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Mahesh Bandewar <maheshb(a)google.com> Cc: Willem de Bruijn <willemb(a)google.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ipvlan/ipvlan_core.c [The conflict occurs because the commit ff672b9ffeb3("ipvlan: properly track tx_errors") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/net/ipvlan/ipvlan_core.c | 41 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index 9bb096e222d3..b25c60af02f6 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -418,7 +418,7 @@ static struct ipvl_addr *ipvlan_addr_lookup(struct ipvl_port *port, return addr; } -static int ipvlan_process_v4_outbound(struct sk_buff *skb) +static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb) { const struct iphdr *ip4h = ip_hdr(skb); struct net_device *dev = skb->dev; @@ -460,13 +460,11 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) } #if IS_ENABLED(CONFIG_IPV6) -static int ipvlan_process_v6_outbound(struct sk_buff *skb) + +static noinline_for_stack int +ipvlan_route_v6_outbound(struct net_device *dev, struct sk_buff *skb) { const struct ipv6hdr *ip6h = ipv6_hdr(skb); - struct net_device *dev = skb->dev; - struct net *net = dev_net(dev); - struct dst_entry *dst; - int err, ret = NET_XMIT_DROP; struct flowi6 fl6 = { .flowi6_oif = dev->ifindex, .daddr = ip6h->daddr, @@ -476,27 +474,38 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) .flowi6_mark = skb->mark, .flowi6_proto = ip6h->nexthdr, }; + struct dst_entry *dst; + int err; - dst = ip6_route_output(net, NULL, &fl6); - if (dst->error) { - ret = dst->error; + dst = ip6_route_output(dev_net(dev), NULL, &fl6); + err = dst->error; + if (err) { dst_release(dst); - goto err; + return err; } skb_dst_set(skb, dst); + return 0; +} + +static int ipvlan_process_v6_outbound(struct sk_buff *skb) +{ + struct net_device *dev = skb->dev; + int err, ret = NET_XMIT_DROP; + + err = ipvlan_route_v6_outbound(dev, skb); + if (unlikely(err)) { + dev->stats.tx_errors++; + kfree_skb(skb); + return err; + } memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); - err = ip6_local_out(net, skb->sk, skb); + err = ip6_local_out(dev_net(dev), skb->sk, skb); if (unlikely(net_xmit_eval(err))) dev->stats.tx_errors++; else ret = NET_XMIT_SUCCESS; - goto out; -err: - dev->stats.tx_errors++; - kfree_skb(skb); -out: return ret; } #else -- 2.34.1

2 1

[PATCH OLK-5.10 V2 0/5] Fix CVE-2023-52732
by Zizhi Wo 30 May '24

30 May '24

V2: Modify conflicting files in the commit message. V1: Fix main error Jeff Layton (4): ceph: drop private list from remove_session_caps_cb ceph: fix auth cap handling logic in remove_session_caps_cb ceph: refactor remove_session_caps_cb ceph: shut down access to inode when async create fails Xiubo Li (1): ceph: blocklist the kclient when receiving corrupted snap trace fs/ceph/addr.c | 24 ++++-- fs/ceph/caps.c | 138 +++++++++++++++++++++++++++++++-- fs/ceph/export.c | 12 ++- fs/ceph/file.c | 13 +++- fs/ceph/inode.c | 33 +++++++- fs/ceph/locks.c | 7 ++ fs/ceph/mds_client.c | 144 ++++++++--------------------------- fs/ceph/snap.c | 36 ++++++++- fs/ceph/super.h | 12 +++ include/linux/ceph/libceph.h | 1 + 10 files changed, 289 insertions(+), 131 deletions(-) -- 2.39.2

2 6

[PATCH openEuler-1.0-LTS] tty: fix hang on tty device with no_room set
by Yi Yang 30 May '24

30 May '24

From: Hui Li <caelli(a)tencent.com> mainline inclusion from mainline-v6.5-rc1 commit 4903fde8047a28299d1fc79c1a0dcc255e928f12 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9T85S Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- It is possible to hang pty devices in this case, the reader was blocking at epoll on master side, the writer was sleeping at wait_woken inside n_tty_write on slave side, and the write buffer on tty_port was full, we found that the reader and writer would never be woken again and blocked forever. The problem was caused by a race between reader and kworker: n_tty_read(reader): n_tty_receive_buf_common(kworker): copy_from_read_buf()| |room = N_TTY_BUF_SIZE - (ldata->read_head - tail) |room <= 0 n_tty_kick_worker() | |ldata->no_room = true After writing to slave device, writer wakes up kworker to flush data on tty_port to reader, and the kworker finds that reader has no room to store data so room <= 0 is met. At this moment, reader consumes all the data on reader buffer and calls n_tty_kick_worker to check ldata->no_room which is false and reader quits reading. Then kworker sets ldata->no_room=true and quits too. If write buffer is not full, writer will wake kworker to flush data again after following writes, but if write buffer is full and writer goes to sleep, kworker will never be woken again and tty device is blocked. This problem can be solved with a check for read buffer size inside n_tty_receive_buf_common, if read buffer is empty and ldata->no_room is true, a call to n_tty_kick_worker is necessary to keep flushing data to reader. Cc: <stable(a)vger.kernel.org> Fixes: 42458f41d08f ("n_tty: Ensure reader restarts worker for next reader") Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Hui Li <caelli(a)tencent.com> Message-ID: <1680749090-14106-1-git-send-email-caelli(a)tencent.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/tty/n_tty.c [commit 947d66b68f3c ("n_tty: Rename tail to old_tail in n_tty_read()") was not merge] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/n_tty.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index a8d7ab7ee057..bc6345664fdb 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -204,8 +204,8 @@ static void n_tty_kick_worker(struct tty_struct *tty) struct n_tty_data *ldata = tty->disc_data; /* Did the input worker stop? Restart it */ - if (unlikely(ldata->no_room)) { - ldata->no_room = 0; + if (unlikely(READ_ONCE(ldata->no_room))) { + WRITE_ONCE(ldata->no_room, 0); WARN_RATELIMIT(tty->port->itty == NULL, "scheduling with invalid itty\n"); @@ -1727,7 +1727,7 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp, if (overflow && room < 0) ldata->read_head--; room = overflow; - ldata->no_room = flow && !room; + WRITE_ONCE(ldata->no_room, flow && !room); } else overflow = 0; @@ -1758,6 +1758,17 @@ n_tty_receive_buf_common(struct tty_struct *tty, const unsigned char *cp, } else n_tty_check_throttle(tty); + if (unlikely(ldata->no_room)) { + /* + * Barrier here is to ensure to read the latest read_tail in + * chars_in_buffer() and to make sure that read_tail is not loaded + * before ldata->no_room is set. + */ + smp_mb(); + if (!chars_in_buffer(tty)) + n_tty_kick_worker(tty); + } + up_read(&tty->termios_rwsem); return rcvd; @@ -2261,8 +2272,14 @@ static ssize_t n_tty_read(struct tty_struct *tty, struct file *file, if (time) timeout = time; } - if (tail != ldata->read_tail) + if (tail != ldata->read_tail) { + /* + * Make sure no_room is not read in n_tty_kick_worker() + * before setting ldata->read_tail in copy_from_read_buf(). + */ + smp_mb(); n_tty_kick_worker(tty); + } up_read(&tty->termios_rwsem); remove_wait_queue(&tty->read_wait, &wait); -- 2.25.1

2 1

[PATCH OLK-5.10] ipvlan: add ipvlan_route_v6_outbound() helper
by Zhengchao Shao 30 May '24

30 May '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.202 commit 43b781e7cb5cd0b435de276111953bf2bacd1f02 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFH5 CVE: CVE-2023-52796 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 18f039428c7df183b09c69ebf10ffd4e521035d2 ] Inspired by syzbot reports using a stack of multiple ipvlan devices. Reduce stack size needed in ipvlan_process_v6_outbound() by moving the flowi6 struct used for the route lookup in an non inlined helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack, immediately reclaimed. Also make sure ipvlan_process_v4_outbound() is not inlined. We might also have to lower MAX_NEST_DEV, because only syzbot uses setups with more than four stacked devices. BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000) stack guard page: 0000 [#1] SMP KASAN CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188 Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89 RSP: 0018:ffffc9000e804000 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568 RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000 FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <#DF> </#DF> <TASK> [<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31 [<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline] [<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] [<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline] [<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline] [<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline] [<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632 [<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306 [<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline] [<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221 [<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606 [<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline] [<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116 [<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638 [<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651 [<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline] [<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline] [<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline] [<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline] [<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline] [<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline] [<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324 [<ffffffff84d4a65e>] dev_queue_xmit include/linux/netdevice.h:3067 [inline] [<ffffffff84d4a65e>] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560 [<ffffffff855ce503>] neigh_output include/net/neighbour.h:545 [inline] [<ffffffff855ce503>] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139 [<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff855b9ce4>] dst_output include/net/dst.h:444 [inline] [<ffffffff855b9ce4>] NF_HOOK include/linux/netfilter.h:309 [inline] [<ffffffff855b9ce4>] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352 [<ffffffff8597984e>] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250 [<ffffffff8594623e>] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653 [<ffffffff858f5142>] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783 [<ffffffff858ea411>] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] [<ffffffff858ea411>] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212 [<ffffffff858f02f9>] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764 [<ffffffff8589f060>] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] [<ffffffff8589f060>] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170 [<ffffffff85941567>] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73 [<ffffffff859408b2>] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839 [<ffffffff85910b5e>] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029 [<ffffffff8544d559>] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849 [<ffffffff84c6c4d2>] sock_sendmsg_nosec net/socket.c:716 [inline] [<ffffffff84c6c4d2>] sock_sendmsg net/socket.c:736 [inline] [<ffffffff84c6c4d2>] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504 [<ffffffff84c6ca91>] ___sys_sendmsg net/socket.c:2558 [inline] [<ffffffff84c6ca91>] __sys_sendmsg+0x271/0x360 net/socket.c:2587 [<ffffffff84c6cbff>] __do_sys_sendmsg net/socket.c:2596 [inline] [<ffffffff84c6cbff>] __se_sys_sendmsg net/socket.c:2594 [inline] [<ffffffff84c6cbff>] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594 [<ffffffff85b32553>] do_syscall_x64 arch/x86/entry/common.c:51 [inline] [<ffffffff85b32553>] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84 [<ffffffff85c00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Mahesh Bandewar <maheshb(a)google.com> Cc: Willem de Bruijn <willemb(a)google.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Conflicts: drivers/net/ipvlan/ipvlan_core.c [The conflict occurs because the commit ff672b9ffeb3("ipvlan: properly track tx_errors") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/net/ipvlan/ipvlan_core.c | 41 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c index c7a0f89edcc6..fe9936f42c21 100644 --- a/drivers/net/ipvlan/ipvlan_core.c +++ b/drivers/net/ipvlan/ipvlan_core.c @@ -412,7 +412,7 @@ struct ipvl_addr *ipvlan_addr_lookup(struct ipvl_port *port, void *lyr3h, return addr; } -static int ipvlan_process_v4_outbound(struct sk_buff *skb) +static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb) { const struct iphdr *ip4h = ip_hdr(skb); struct net_device *dev = skb->dev; @@ -454,13 +454,11 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) } #if IS_ENABLED(CONFIG_IPV6) -static int ipvlan_process_v6_outbound(struct sk_buff *skb) + +static noinline_for_stack int +ipvlan_route_v6_outbound(struct net_device *dev, struct sk_buff *skb) { const struct ipv6hdr *ip6h = ipv6_hdr(skb); - struct net_device *dev = skb->dev; - struct net *net = dev_net(dev); - struct dst_entry *dst; - int err, ret = NET_XMIT_DROP; struct flowi6 fl6 = { .flowi6_oif = dev->ifindex, .daddr = ip6h->daddr, @@ -470,27 +468,38 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) .flowi6_mark = skb->mark, .flowi6_proto = ip6h->nexthdr, }; + struct dst_entry *dst; + int err; - dst = ip6_route_output(net, NULL, &fl6); - if (dst->error) { - ret = dst->error; + dst = ip6_route_output(dev_net(dev), NULL, &fl6); + err = dst->error; + if (err) { dst_release(dst); - goto err; + return err; } skb_dst_set(skb, dst); + return 0; +} + +static int ipvlan_process_v6_outbound(struct sk_buff *skb) +{ + struct net_device *dev = skb->dev; + int err, ret = NET_XMIT_DROP; + + err = ipvlan_route_v6_outbound(dev, skb); + if (unlikely(err)) { + dev->stats.tx_errors++; + kfree_skb(skb); + return err; + } memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); - err = ip6_local_out(net, skb->sk, skb); + err = ip6_local_out(dev_net(dev), skb->sk, skb); if (unlikely(net_xmit_eval(err))) dev->stats.tx_errors++; else ret = NET_XMIT_SUCCESS; - goto out; -err: - dev->stats.tx_errors++; - kfree_skb(skb); -out: return ret; } #else -- 2.34.1

2 1

[PATCH OLK-5.10] xfs: Fix file creation failure
by Zizhi Wo 30 May '24

30 May '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9TDTA CVE: NA -------------------------------- In the file system expansion test and concurrent file creation and writing scenarios, file creation fails occasionally. The detailed test scheme is as follows: 1. If the remaining space is less than 128 MB, expand the space by 1 GB; --xfs_growfs /$DEV -D $bc -m 100 2. 32 processes create a file every 0.5s and write 4 KB to 4 MB data randomly. --filesize=$((RANDOM % 1024 + 1)) --dd if=/dev/zero oflag=direct of=$filename bs=4K count=$filesize And when the file creation fails, there are still hundreds of megabytes of free space. The overall analysis process is as follows: Direct write Create file xfs_file_write_iter ... xfs_direct_write_iomap_begin xfs_iomap_write_direct ... xfs_alloc_vextent xfs_alloc_ag_vextent xfs_alloc_ag_vextent_near xfs_alloc_cur_finish xfs_alloc_fixup_trees xfs_btree_delete xfs_btree_delrec xfs_allocbt_update_lastrec /* The longest update is 0 * because numrec == 0. */ agf->agf_longest = len = 0 xfs_create ... xfs_dialloc xfs_ialloc_ag_alloc xfs_alloc_vextent xfs_alloc_fix_freelist xfs_alloc_space_available -> as longest=0, it will return false, no space for inode alloc. The root cause of the problem is that allocation extents holds agf locks, but the inode creation process will quickly check whether there is space firstly, which does not have agf locks. And when the first judgment fails, it returns directly. If the first judgment passes, the lock is held before entering the second judgment, that's how the "check-lock-check again" algorithm is designed. If all AG fails in no lock check, an error will return. This problem occurs probably when there is not enough space left for all the AG's in front, and the last AG deletes the last CNT tree record and the new record is not inserted yet. Fix this issue by adding the bc_free_longest field to the xfs_btree_cur_t structure to store the longest count that will be updated. The assignment is done in xfs_alloc_fixup_trees() and xfs_free_ag_extent(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/xfs/libxfs/xfs_alloc.c | 14 ++++++++++++++ fs/xfs/libxfs/xfs_alloc_btree.c | 9 ++++++++- fs/xfs/libxfs/xfs_btree.h | 1 + 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c index b901eedf3bb8..95bfe89651ad 100644 --- a/fs/xfs/libxfs/xfs_alloc.c +++ b/fs/xfs/libxfs/xfs_alloc.c @@ -543,6 +543,13 @@ xfs_alloc_fixup_trees( nfbno2 = rbno + rlen; nflen2 = (fbno + flen) - nfbno2; } + + /* + * Record the potential maximum free length in advance. + */ + if (nfbno1 != NULLAGBLOCK || nfbno2 != NULLAGBLOCK) + cnt_cur->bc_free_longest = max_t(xfs_extlen_t, nflen1, nflen2); + /* * Delete the entry from the by-size btree. */ @@ -2039,6 +2046,13 @@ xfs_free_ag_extent( * Now allocate and initialize a cursor for the by-size tree. */ cnt_cur = xfs_allocbt_init_cursor(mp, tp, agbp, agno, XFS_BTNUM_CNT); + /* + * Record the potential maximum free length in advance. + */ + if (haveleft) + cnt_cur->bc_free_longest = ltlen; + if (haveright) + cnt_cur->bc_free_longest = gtlen; /* * Have both left and right contiguous neighbors. * Merge all three into a single free block. diff --git a/fs/xfs/libxfs/xfs_alloc_btree.c b/fs/xfs/libxfs/xfs_alloc_btree.c index 613a1743fdd5..d6dbbe85e819 100644 --- a/fs/xfs/libxfs/xfs_alloc_btree.c +++ b/fs/xfs/libxfs/xfs_alloc_btree.c @@ -147,7 +147,14 @@ xfs_allocbt_update_lastrec( rrp = XFS_ALLOC_REC_ADDR(cur->bc_mp, block, numrecs); len = rrp->ar_blockcount; } else { - len = 0; + /* + * Update in advance to prevent file creation failure + * for concurrent processes even though there is no + * numrec currently. + * And there's no need to worry as the value that not + * less than bc_free_longest will be inserted later. + */ + len = cpu_to_be32(cur->bc_free_longest); } break; diff --git a/fs/xfs/libxfs/xfs_btree.h b/fs/xfs/libxfs/xfs_btree.h index d172046ae833..1d89b897c056 100644 --- a/fs/xfs/libxfs/xfs_btree.h +++ b/fs/xfs/libxfs/xfs_btree.h @@ -235,6 +235,7 @@ typedef struct xfs_btree_cur struct xfs_btree_cur_ag bc_ag; struct xfs_btree_cur_ino bc_ino; }; + xfs_extlen_t bc_free_longest; /* the actual longest free extent */ } xfs_btree_cur_t; /* cursor flags */ -- 2.39.2

2 1

[PATCH OLK-5.10 0/5] Fix CVE-2023-52732
by Zizhi Wo 30 May '24

30 May '24

Fix CVE-2023-52732. Jeff Layton (4): ceph: drop private list from remove_session_caps_cb ceph: fix auth cap handling logic in remove_session_caps_cb ceph: refactor remove_session_caps_cb ceph: shut down access to inode when async create fails Xiubo Li (1): ceph: blocklist the kclient when receiving corrupted snap trace fs/ceph/addr.c | 24 ++++-- fs/ceph/caps.c | 138 +++++++++++++++++++++++++++++++-- fs/ceph/export.c | 12 ++- fs/ceph/file.c | 13 +++- fs/ceph/inode.c | 33 +++++++- fs/ceph/locks.c | 7 ++ fs/ceph/mds_client.c | 144 ++++++++--------------------------- fs/ceph/snap.c | 36 ++++++++- fs/ceph/super.h | 12 +++ include/linux/ceph/libceph.h | 1 + 10 files changed, 289 insertions(+), 131 deletions(-) -- 2.39.2

2 6

[PATCH openEuler-1.0-LTS v2] powerpc/mm: Fix lockup on kernel exec fault
by Liu Shixin 30 May '24

30 May '24

From: Christophe Leroy <christophe.leroy(a)csgroup.eu> stable inclusion from stable-v5.4.133 commit a82471a14aad90f79d1608d2bcbb019f0ffb53f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4CI CVE: CVE-2021-47350 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit cd5d5e602f502895e47e18cd46804d6d7014e65c upstream. The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user. For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter(). Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI. Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault. As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3. Fixes: d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") Cc: stable(a)vger.kernel.org # v4.14+ Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Acked-by: Nicholas Piggin <npiggin(a)gmail.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://lore.kernel.org/r/024bb05105050f704743a0083fe3548702be5706.16251382… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/powerpc/mm/fault.c [ Context conflicts due to lack of commit de78a9c42a79 ("powerpc: Add a framework for Kernel Userspace Access Protection"). ] Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- arch/powerpc/mm/fault.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c index 5b04d029f824..41f1de87edb6 100644 --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c @@ -221,9 +221,7 @@ static int mm_fault_error(struct pt_regs *regs, unsigned long addr, static bool bad_kernel_fault(bool is_exec, unsigned long error_code, unsigned long address) { - /* NX faults set DSISR_PROTFAULT on the 8xx, DSISR_NOEXEC_OR_G on others */ - if (is_exec && (error_code & (DSISR_NOEXEC_OR_G | DSISR_KEYFAULT | - DSISR_PROTFAULT))) { + if (is_exec) { printk_ratelimited(KERN_CRIT "kernel tried to execute" " exec-protected page (%lx) -" "exploit attempt? (uid: %d)\n", -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] atm: iphase: fix possible use-after-free in ia_module_exit()
by Liu Shixin 30 May '24

30 May '24

From: Zou Wei <zou_wei(a)huawei.com> stable inclusion from stable-v4.19.198 commit 89ce0b0747f319eb70f85bc820dcc43cebbd5417 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4E8 CVE: CVE-2021-47357 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Zou Wei <zou_wei(a)huawei.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- drivers/atm/iphase.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c index 008905d4152a..827c6d5e6177 100644 --- a/drivers/atm/iphase.c +++ b/drivers/atm/iphase.c @@ -3301,7 +3301,7 @@ static void __exit ia_module_exit(void) { pci_unregister_driver(&ia_driver); - del_timer(&ia_timer); + del_timer_sync(&ia_timer); } module_init(ia_module_init); -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS 0/2] CVE-2023-52735
by Pu Lehui 30 May '24

30 May '24

Jakub Sitnicki (2): bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener include/linux/util_macros.h | 12 ++++++++++++ net/core/sock_map.c | 34 ++++++++++++++++++++-------------- net/ipv4/tcp_bpf.c | 4 ++-- 3 files changed, 34 insertions(+), 16 deletions(-) -- 2.34.1

2 3

[PATCH openEuler-22.03-LTS-SP1 0/2] CVE-2023-52735
by Pu Lehui 30 May '24

30 May '24

Jakub Sitnicki (2): bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener include/linux/util_macros.h | 12 ++++++++ net/core/sock_map.c | 59 +++++++++++++++++++++---------------- net/ipv4/tcp_bpf.c | 4 +-- 3 files changed, 47 insertions(+), 28 deletions(-) -- 2.34.1

2 3

[PATCH openEuler-22.03-LTS-SP1] drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
by Liu Chuang 30 May '24

30 May '24

From: Ma Ke <make_ruc2021(a)163.com> stable inclusion from stable-v5.10.202 commit 9acc2bc00135e9ecd13a70ce1140e2673e504cdc category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9TCIL CVE: CVE-2023-52826 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f22def5970c423ea7f87d5247bd0ef91416b0658 ] In tpg110_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Signed-off-by: Ma Ke <make_ruc2021(a)163.com> Reviewed-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://lore.kernel.org/r/20231009090446.4043798-1-make_ruc2021@163.com Signed-off-by: Neil Armstrong <neil.armstrong(a)linaro.org> Link: https://patchwork.freedesktop.org/patch/msgid/20231009090446.4043798-1-make… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/panel/panel-tpo-tpg110.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/panel/panel-tpo-tpg110.c b/drivers/gpu/drm/panel/panel-tpo-tpg110.c index d57ed75a977c..494cec50a682 100644 --- a/drivers/gpu/drm/panel/panel-tpo-tpg110.c +++ b/drivers/gpu/drm/panel/panel-tpo-tpg110.c @@ -378,6 +378,8 @@ static int tpg110_get_modes(struct drm_panel *panel, connector->display_info.bus_flags = tpg->panel_mode->bus_flags; mode = drm_mode_duplicate(connector->dev, &tpg->panel_mode->mode); + if (!mode) + return -ENOMEM; drm_mode_set_name(mode); mode->type = DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] netfilter: conntrack: serialize hash resizes and cleanups
by Liu Jian 30 May '24

30 May '24

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v5.15-rc4 commit e9edc188fc76499b0b9bd60364084037f6d03773 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4NQ CVE: CVE-2021-47408 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- Syzbot was able to trigger the following warning [1] No repro found by syzbot yet but I was able to trigger similar issue by having 2 scripts running in parallel, changing conntrack hash sizes, and: for j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done It would take more than 5 minutes for net_namespace structures to be cleaned up. This is because nf_ct_iterate_cleanup() has to restart everytime a resize happened. By adding a mutex, we can serialize hash resizes and cleanups and also make get_next_corpse() faster by skipping over empty buckets. Even without resizes in the picture, this patch considerably speeds up network namespace dismantles. [1] INFO: task syz-executor.0:8312 can't die for more than 144 seconds. task:syz-executor.0 state:R running task stack:25672 pid: 8312 ppid: 6573 flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35 __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390 local_bh_enable include/linux/bottom_half.h:32 [inline] get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline] nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275 nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171 setup_net+0x639/0xa30 net/core/net_namespace.c:349 copy_net_ns+0x319/0x760 net/core/net_namespace.c:470 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226 ksys_unshare+0x445/0x920 kernel/fork.c:3128 __do_sys_unshare kernel/fork.c:3202 [inline] __se_sys_unshare kernel/fork.c:3200 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f63da68e739 RSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80 R13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000 Showing all locks held in the system: 1 lock held by khungtaskd/27: #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446 2 locks held by kworker/u4:2/153: #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 1 lock held by systemd-udevd/2970: 1 lock held by in:imklog/6258: #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990 3 locks held by kworker/1:6/8158: 1 lock held by syz-executor.0/8312: 2 locks held by kworker/u4:13/9320: 1 lock held by syz-executor.5/10178: 1 lock held by syz-executor.4/10217: Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Conflicts: net/netfilter/nf_conntrack_core.c [This is because we did not backport commit 4608fdfc07e1.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/netfilter/nf_conntrack_core.c | 70 ++++++++++++++++--------------- 1 file changed, 37 insertions(+), 33 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 6bfdc8f6e961..755e1cee32cb 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -81,6 +81,9 @@ static __read_mostly spinlock_t nf_conntrack_locks_all_lock; static __read_mostly DEFINE_SPINLOCK(nf_conntrack_locks_all_lock); static __read_mostly bool nf_conntrack_locks_all; +/* serialize hash resizes and nf_ct_iterate_cleanup */ +static DEFINE_MUTEX(nf_conntrack_mutex); + /* every gc cycle scans at most 1/GC_MAX_BUCKETS_DIV part of table */ #define GC_MAX_BUCKETS_DIV 128u /* upper bound of full table scan */ @@ -2054,28 +2057,31 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data), spinlock_t *lockp; for (; *bucket < nf_conntrack_htable_size; (*bucket)++) { + struct hlist_nulls_head *hslot = &nf_conntrack_hash[*bucket]; + + if (hlist_nulls_empty(hslot)) + continue; + lockp = &nf_conntrack_locks[*bucket % CONNTRACK_LOCKS]; local_bh_disable(); nf_conntrack_lock(lockp); - if (*bucket < nf_conntrack_htable_size) { - hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[*bucket], hnnode) { - if (NF_CT_DIRECTION(h) != IP_CT_DIR_REPLY) - continue; - /* All nf_conn objects are added to hash table twice, one - * for original direction tuple, once for the reply tuple. - * - * Exception: In the IPS_NAT_CLASH case, only the reply - * tuple is added (the original tuple already existed for - * a different object). - * - * We only need to call the iterator once for each - * conntrack, so we just use the 'reply' direction - * tuple while iterating. - */ - ct = nf_ct_tuplehash_to_ctrack(h); - if (iter(ct, data)) - goto found; - } + hlist_nulls_for_each_entry(h, n, hslot, hnnode) { + if (NF_CT_DIRECTION(h) != IP_CT_DIR_REPLY) + continue; + /* All nf_conn objects are added to hash table twice, one + * for original direction tuple, once for the reply tuple. + * + * Exception: In the IPS_NAT_CLASH case, only the reply + * tuple is added (the original tuple already existed for + * a different object). + * + * We only need to call the iterator once for each + * conntrack, so we just use the 'reply' direction + * tuple while iterating. + */ + ct = nf_ct_tuplehash_to_ctrack(h); + if (iter(ct, data)) + goto found; } spin_unlock(lockp); local_bh_enable(); @@ -2093,26 +2099,20 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data), static void nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data, u32 portid, int report) { - unsigned int bucket = 0, sequence; + unsigned int bucket = 0; struct nf_conn *ct; might_sleep(); - for (;;) { - sequence = read_seqcount_begin(&nf_conntrack_generation); - - while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) { - /* Time to push up daises... */ + mutex_lock(&nf_conntrack_mutex); + while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) { + /* Time to push up daises... */ - nf_ct_delete(ct, portid, report); - nf_ct_put(ct); - cond_resched(); - } - - if (!read_seqcount_retry(&nf_conntrack_generation, sequence)) - break; - bucket = 0; + nf_ct_delete(ct, portid, report); + nf_ct_put(ct); + cond_resched(); } + mutex_unlock(&nf_conntrack_mutex); } struct iter_data { @@ -2346,8 +2346,10 @@ int nf_conntrack_hash_resize(unsigned int hashsize) if (!hash) return -ENOMEM; + mutex_lock(&nf_conntrack_mutex); old_size = nf_conntrack_htable_size; if (old_size == hashsize) { + mutex_unlock(&nf_conntrack_mutex); kvfree(hash); return 0; } @@ -2383,6 +2385,8 @@ int nf_conntrack_hash_resize(unsigned int hashsize) nf_conntrack_all_unlock(); local_bh_enable(); + mutex_unlock(&nf_conntrack_mutex); + synchronize_net(); kvfree(old_hash); return 0; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] locking/ww_mutex/test: Fix potential workqueue corruption
by Xie XiuQi 30 May '24

30 May '24

From: John Stultz <jstultz(a)google.com> mainline inclusion from mainline-v6.7-rc1 commit bccdd808902f8c677317cec47c306e42b93b849e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFIG CVE: CVE-2023-52836 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- In some cases running with the test-ww_mutex code, I was seeing odd behavior where sometimes it seemed flush_workqueue was returning before all the work threads were finished. Often this would cause strange crashes as the mutexes would be freed while they were being used. Looking at the code, there is a lifetime problem as the controlling thread that spawns the work allocates the "struct stress" structures that are passed to the workqueue threads. Then when the workqueue threads are finished, they free the stress struct that was passed to them. Unfortunately the workqueue work_struct node is in the stress struct. Which means the work_struct is freed before the work thread returns and while flush_workqueue is waiting. It seems like a better idea to have the controlling thread both allocate and free the stress structures, so that we can be sure we don't corrupt the workqueue by freeing the structure prematurely. So this patch reworks the test to do so, and with this change I no longer see the early flush_workqueue returns. Signed-off-by: John Stultz <jstultz(a)google.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Link: https://lore.kernel.org/r/20230922043616.19282-3-jstultz@google.com (cherry picked from commit bccdd808902f8c677317cec47c306e42b93b849e) Signed-off-by: Xie XiuQi <xiexiuqi(a)huawei.com> --- kernel/locking/test-ww_mutex.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c index 65a3b7e55b9f..4fd05d9d5d6d 100644 --- a/kernel/locking/test-ww_mutex.c +++ b/kernel/locking/test-ww_mutex.c @@ -439,7 +439,6 @@ static void stress_inorder_work(struct work_struct *work) } while (!time_after(jiffies, stress->timeout)); kfree(order); - kfree(stress); } struct reorder_lock { @@ -504,7 +503,6 @@ static void stress_reorder_work(struct work_struct *work) list_for_each_entry_safe(ll, ln, &locks, link) kfree(ll); kfree(order); - kfree(stress); } static void stress_one_work(struct work_struct *work) @@ -525,8 +523,6 @@ static void stress_one_work(struct work_struct *work) break; } } while (!time_after(jiffies, stress->timeout)); - - kfree(stress); } #define STRESS_INORDER BIT(0) @@ -537,15 +533,24 @@ static void stress_one_work(struct work_struct *work) static int stress(int nlocks, int nthreads, unsigned int flags) { struct ww_mutex *locks; - int n; + struct stress *stress_array; + int n, count; locks = kmalloc_array(nlocks, sizeof(*locks), GFP_KERNEL); if (!locks) return -ENOMEM; + stress_array = kmalloc_array(nthreads, sizeof(*stress_array), + GFP_KERNEL); + if (!stress_array) { + kfree(locks); + return -ENOMEM; + } + for (n = 0; n < nlocks; n++) ww_mutex_init(&locks[n], &ww_class); + count = 0; for (n = 0; nthreads; n++) { struct stress *stress; void (*fn)(struct work_struct *work); @@ -569,9 +574,7 @@ static int stress(int nlocks, int nthreads, unsigned int flags) if (!fn) continue; - stress = kmalloc(sizeof(*stress), GFP_KERNEL); - if (!stress) - break; + stress = &stress_array[count++]; INIT_WORK(&stress->work, fn); stress->locks = locks; @@ -586,6 +589,7 @@ static int stress(int nlocks, int nthreads, unsigned int flags) for (n = 0; n < nlocks; n++) ww_mutex_destroy(&locks[n]); + kfree(stress_array); kfree(locks); return 0; -- 2.20.1

2 1

[openeuler:OLK-6.6 6865/9792] drivers/net/ethernet/mucse/rnpvf/rnpvf_regs.h:21:26: error: called object is not a function or function pointer
by kernel test robot 30 May '24

30 May '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: c0b6b4438dc70167c4c16f6436499cde257f782a commit: 6adab536d69347a10c2366aaf6b86de963d5994b [6865/9792] drivers: initial support for rnpvf drivers from Mucse Technology config: loongarch-randconfig-002-20240530 (https://download.01.org/0day-ci/archive/20240530/202405300821.FdTsPW2u-lkp@…) compiler: loongarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240530/202405300821.FdTsPW2u-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202405300821.FdTsPW2u-lkp@intel.com/ All error/warnings (new ones prefixed by >>): drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:127:6: warning: no previous prototype for 'rnpvf_unmap_and_free_tx_resource' [-Wmissing-prototypes] 127 | void rnpvf_unmap_and_free_tx_resource(struct rnpvf_ring *ring, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1365:6: warning: no previous prototype for 'rnpvf_alloc_rx_buffers' [-Wmissing-prototypes] 1365 | void rnpvf_alloc_rx_buffers(struct rnpvf_ring *rx_ring, u16 cleaned_count) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: In function 'rnpvf_clean_rx_irq': drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1659:14: warning: variable 'xdp_xmit' set but not used [-Wunused-but-set-variable] 1659 | bool xdp_xmit = false; | ^~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: At top level: drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:1945:6: warning: no previous prototype for 'update_rx_count' [-Wmissing-prototypes] 1945 | void update_rx_count(int cleaned, struct rnpvf_q_vector *q_vector) | ^~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2420:6: warning: no previous prototype for 'rnpvf_write_eitr_rx' [-Wmissing-prototypes] 2420 | void rnpvf_write_eitr_rx(struct rnpvf_q_vector *q_vector) | ^~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2523:6: warning: no previous prototype for 'rnpvf_configure_tx_ring' [-Wmissing-prototypes] 2523 | void rnpvf_configure_tx_ring(struct rnpvf_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2589:6: warning: no previous prototype for 'rnpvf_disable_rx_queue' [-Wmissing-prototypes] 2589 | void rnpvf_disable_rx_queue(struct rnpvf_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2595:6: warning: no previous prototype for 'rnpvf_enable_rx_queue' [-Wmissing-prototypes] 2595 | void rnpvf_enable_rx_queue(struct rnpvf_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2601:6: warning: no previous prototype for 'rnpvf_configure_rx_ring' [-Wmissing-prototypes] 2601 | void rnpvf_configure_rx_ring(struct rnpvf_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: In function 'rnpvf_vlan_rx_kill_vid': drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:2736:13: warning: variable 'err' set but not used [-Wunused-but-set-variable] 2736 | int err = -EOPNOTSUPP; | ^~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: In function 'rnpvf_acquire_msix_vectors': drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:3307:13: warning: variable 'vector_threshold' set but not used [-Wunused-but-set-variable] 3307 | int vector_threshold; | ^~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: In function 'irq_miss_check': drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:3456:26: warning: variable 'hw' set but not used [-Wunused-but-set-variable] 3456 | struct rnpvf_hw *hw; | ^~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: At top level: drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:4590:6: warning: no previous prototype for 'rnpvf_tx_ctxtdesc' [-Wmissing-prototypes] 4590 | void rnpvf_tx_ctxtdesc(struct rnpvf_ring *tx_ring, u16 mss_seg_len, | ^~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5039:6: warning: no previous prototype for 'rnpvf_maybe_tx_ctxtdesc' [-Wmissing-prototypes] 5039 | void rnpvf_maybe_tx_ctxtdesc(struct rnpvf_ring *tx_ring, | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5089:13: warning: no previous prototype for 'rnpvf_xmit_frame_ring' [-Wmissing-prototypes] 5089 | netdev_tx_t rnpvf_xmit_frame_ring(struct sk_buff *skb, | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5580:6: warning: no previous prototype for 'rnpvf_assign_netdev_ops' [-Wmissing-prototypes] 5580 | void rnpvf_assign_netdev_ops(struct net_device *dev) | ^~~~~~~~~~~~~~~~~~~~~~~ In file included from drivers/net/ethernet/mucse/rnpvf/vf.h:14, from drivers/net/ethernet/mucse/rnpvf/rnpvf.h:14, from drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:26: drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c: In function 'rnpvf_vfnum': >> drivers/net/ethernet/mucse/rnpvf/rnpvf_regs.h:21:26: error: called object is not a function or function pointer 21 | #define RNP_DMA_RX_START (0x10) | ^ drivers/net/ethernet/mucse/rnpvf/rnpvf_regs.h:104:42: note: in definition of macro 'rnpvf_rd_reg' 104 | #define rnpvf_rd_reg(reg) readl((void *)(reg)) | ^~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5599:21: note: in expansion of macro 'rd32' 5599 | v = rd32(hw, RNP_DMA_RX_START(ring)); | ^~~~ drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5599:30: note: in expansion of macro 'RNP_DMA_RX_START' 5599 | v = rd32(hw, RNP_DMA_RX_START(ring)); | ^~~~~~~~~~~~~~~~ >> drivers/net/ethernet/mucse/rnpvf/rnpvf_main.c:5591:13: warning: unused variable 'pfvfnum_reg' [-Wunused-variable] 5591 | u32 pfvfnum_reg; | ^~~~~~~~~~~ vim +21 drivers/net/ethernet/mucse/rnpvf/rnpvf_regs.h 13 14 #define RNP_DMA_RING_BASE 0x8000 15 #define RNP_DMA_RX_DESC_TIMEOUT_TH 0x8000 16 #define RNP_DMA_TX_DESC_FETCH_CTL 0x8004 17 #define RNP_DMA_TX_FLOW_CTRL_TM 0x8008 18 #define RNP_RING_BASE_N10 (0x8000) 19 #define RNP_RING_BASE_N500 (0x1000) 20 #define RNP_RING_OFFSET(i) (0x100 * (i)) > 21 #define RNP_DMA_RX_START (0x10) 22 #define RNP_DMA_RX_READY (0x14) 23 #define RNP_DMA_TX_START (0x18) 24 #define RNP_DMA_TX_READY (0x1c) 25 #define RNP_DMA_INT_STAT (0x20) 26 #define RNP_DMA_INT_MASK (0x24) 27 #define TX_INT_MASK (0x1 << 1) 28 #define RX_INT_MASK (0x1 << 0) 29 #define RNP_DMA_INT_CLR (0x28) 30 #define RNP_DMA_INT_TRIG (0x2c) 31 #define RNP_DMA_REG_RX_DESC_BUF_BASE_ADDR_HI (0x30) 32 #define RNP_DMA_REG_RX_DESC_BUF_BASE_ADDR_LO (0x34) 33 #define RNP_DMA_REG_RX_DESC_BUF_LEN (0x38) 34 #define RNP_DMA_REG_RX_DESC_BUF_HEAD (0x3c) 35 #define RNP_DMA_REG_RX_DESC_BUF_TAIL (0x40) 36 #define RNP_DMA_REG_RX_DESC_FETCH_CTRL (0x44) 37 #define RNP_DMA_REG_RX_INT_DELAY_TIMER (0x48) 38 #define RNP_DMA_REG_RX_INT_DELAY_PKTCNT (0x4c) 39 #define RNP_DMA_REG_RX_ARB_DEF_LVL (0x50) 40 #define PCI_DMA_REG_RX_DESC_TIMEOUT_TH (0x54) 41 #define PCI_DMA_REG_RX_SCATTER_LENGTH (0x58) 42 #define RNP_DMA_REG_TX_DESC_BUF_BASE_ADDR_HI (0x60) 43 #define RNP_DMA_REG_TX_DESC_BUF_BASE_ADDR_LO (0x64) 44 #define RNP_DMA_REG_TX_DESC_BUF_LEN (0x68) 45 #define RNP_DMA_REG_TX_DESC_BUF_HEAD (0x6c) 46 #define RNP_DMA_REG_TX_DESC_BUF_TAIL (0x70) 47 #define RNP_DMA_REG_TX_DESC_FETCH_CTRL (0x74) 48 #define RNP_DMA_REG_TX_INT_DELAY_TIMER (0x78) 49 #define RNP_DMA_REG_TX_INT_DELAY_PKTCNT (0x7c) 50 #define RNP_DMA_REG_TX_ARB_DEF_LVL (0x80) 51 #define RNP_DMA_REG_TX_FLOW_CTRL_TH (0x84) 52 #define RNP_DMA_REG_TX_FLOW_CTRL_TM (0x88) 53 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS] BUILD REGRESSION aec283517697385e25d19ae7312a63bad805b4a7
by kernel test robot 30 May '24

30 May '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: aec283517697385e25d19ae7312a63bad805b4a7 !7804 v2 selinux: avoid dereference of garbage after mount failure Error/Warning reports: https://lore.kernel.org/oe-kbuild-all/202405292306.oKi0pqkq-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202405300401.gTFtRxYB-lkp@intel.com Error/Warning: (recently discovered and may have been fixed) drivers/hid/i2c-hid/.tmp_i2c-hid-core.o: warning: objtool: missing symbol for section .exit.text drivers/net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.c:234:30: error: no member named 'physfn' in 'struct pci_dev' drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c:53:32: error: no member named 'physfn' in 'struct pci_dev' Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-allmodconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code |-- arm64-defconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code |-- x86_64-buildonly-randconfig-004-20240530 | `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text |-- x86_64-buildonly-randconfig-005-20240527 | `-- drivers-hid-i2c-hid-.tmp_i2c-hid-core.o:warning:objtool:missing-symbol-for-section-.exit.text |-- x86_64-randconfig-013-20240530 | `-- kernel-sched-sparsemask.h:warning:array-subscript-is-outside-array-bounds-of-const-struct-sparsemask_chunk |-- x86_64-randconfig-014-20240530 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code `-- x86_64-randconfig-076-20240530 `-- kernel-sched-sparsemask.h:warning:array-subscript-is-outside-array-bounds-of-const-struct-sparsemask_chunk clang_recent_errors |-- x86_64-allyesconfig | |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension | `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text |-- x86_64-buildonly-randconfig-001-20240530 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension |-- x86_64-buildonly-randconfig-002-20240530 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension |-- x86_64-randconfig-004-20240530 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension |-- x86_64-randconfig-015-20240530 | |-- drivers-net-ethernet-3snic-sssnic-hw-sss_adapter_mgmt.c:error:no-member-named-physfn-in-struct-pci_dev | `-- drivers-net-ethernet-3snic-sssnic-hw-sss_pci_probe.c:error:no-member-named-physfn-in-struct-pci_dev `-- x86_64-randconfig-072-20240530 `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension elapsed time: 817m configs tested: 35 configs skipped: 148 tested configs: arm64 allmodconfig gcc arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240529 gcc arm64 randconfig-002-20240529 gcc arm64 randconfig-003-20240529 gcc arm64 randconfig-004-20240529 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240530 clang x86_64 buildonly-randconfig-002-20240530 clang x86_64 buildonly-randconfig-003-20240530 gcc x86_64 buildonly-randconfig-004-20240530 gcc x86_64 buildonly-randconfig-005-20240530 clang x86_64 buildonly-randconfig-006-20240530 gcc x86_64 defconfig gcc x86_64 randconfig-001-20240530 clang x86_64 randconfig-002-20240530 clang x86_64 randconfig-003-20240530 clang x86_64 randconfig-004-20240530 clang x86_64 randconfig-005-20240530 clang x86_64 randconfig-006-20240530 clang x86_64 randconfig-011-20240530 clang x86_64 randconfig-012-20240530 gcc x86_64 randconfig-013-20240530 gcc x86_64 randconfig-014-20240530 gcc x86_64 randconfig-015-20240530 clang x86_64 randconfig-016-20240530 gcc x86_64 randconfig-071-20240530 clang x86_64 randconfig-072-20240530 clang x86_64 randconfig-073-20240530 clang x86_64 randconfig-074-20240530 clang x86_64 randconfig-075-20240530 gcc x86_64 randconfig-076-20240530 gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD REGRESSION c0b6b4438dc70167c4c16f6436499cde257f782a
by kernel test robot 30 May '24

30 May '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: c0b6b4438dc70167c4c16f6436499cde257f782a !7948 【OLK-6.6】Fix BUILD REGRESSION warnings in bzwx N5/N6 series NIC drivers Error/Warning reports: https://lore.kernel.org/oe-kbuild-all/202405300112.F3n9I6tZ-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202405300401.Q7EpPsSe-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202405300505.GzvBHBcM-lkp@intel.com Error/Warning: (recently discovered and may have been fixed) drivers/gpu/drm/phytium/phytium_pci.c:236:9: error: call to undeclared function 'pci_enable_msi'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] drivers/gpu/drm/phytium/phytium_pci.c:271:3: error: call to undeclared function 'pci_disable_msi'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] drivers/net/ethernet/mucse/rnpm/rnpm_lib.c:1008:35: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding' drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6449:38: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding' vgettimeofday.c:(.text+0x28): undefined reference to `__tsan_volatile_read4' vgettimeofday.c:(.text+0x584): undefined reference to `__tsan_write8' vgettimeofday.c:(.text.startup+0x8): undefined reference to `__tsan_init' Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-defconfig | |-- arch-arm64-kernel-cpufeature.c:warning:enable_pseudo_nmi-defined-but-not-used | `-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used |-- arm64-randconfig-003-20240530 | |-- vgettimeofday.c:(.text):undefined-reference-to-__tsan_volatile_read4 | |-- vgettimeofday.c:(.text):undefined-reference-to-__tsan_write8 | `-- vgettimeofday.c:(.text.startup):undefined-reference-to-__tsan_init |-- loongarch-alldefconfig | `-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function) |-- loongarch-allnoconfig | `-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function) `-- loongarch-randconfig-002-20240530 |-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function) |-- drivers-net-ethernet-mucse-rnpm-rnpm_lib.c:error:struct-rnpm_tx_buffer-has-no-member-named-gso_need_padding `-- drivers-net-ethernet-mucse-rnpm-rnpm_main.c:error:struct-rnpm_tx_buffer-has-no-member-named-gso_need_padding clang_recent_errors |-- arm64-allmodconfig | `-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used |-- arm64-randconfig-004-20240530 | |-- drivers-char-ipmi-ipmi_bt_sm.c:error:call-to-undeclared-function-acpi_evaluate_integer-ISO-C99-and-later-do-not-support-implicit-function-declarations | |-- drivers-gpu-drm-phytium-phytium_pci.c:error:call-to-undeclared-function-pci_disable_msi-ISO-C99-and-later-do-not-support-implicit-function-declarations | |-- drivers-gpu-drm-phytium-phytium_pci.c:error:call-to-undeclared-function-pci_enable_msi-ISO-C99-and-later-do-not-support-implicit-function-declarations | `-- mm-page_alloc.c:error:call-to-undeclared-function-dynamic_pool_should_alloc-ISO-C99-and-later-do-not-support-implicit-function-declarations `-- x86_64-randconfig-161-20240530 `-- arch-x86-kernel-zhaoxin_kh40000.c:warning:bitwise-or-with-non-zero-value-always-evaluates-to-true elapsed time: 741m configs tested: 17 configs skipped: 142 tested configs: arm64 allmodconfig clang arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240530 clang arm64 randconfig-002-20240530 gcc arm64 randconfig-003-20240530 gcc arm64 randconfig-004-20240530 clang loongarch alldefconfig gcc loongarch allmodconfig gcc loongarch allnoconfig gcc loongarch defconfig gcc loongarch randconfig-001-20240530 gcc loongarch randconfig-002-20240530 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 defconfig gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10] BUILD SUCCESS c7a6065e6fa19c661225cda7f76c04f2bd5cf381
by kernel test robot 30 May '24

30 May '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: c7a6065e6fa19c661225cda7f76c04f2bd5cf381 !8238 arm: unwinder: Fix pc off-by-one in arm unwinder Warning ids grouped by kconfigs: clang_recent_errors `-- x86_64-allnoconfig |-- Warning:openEuler-MAINTAINERS-references-a-file-that-doesn-t-exist:Documentation-networking-hinic3.rst |-- drivers-net-ethernet-yunsilicon-xsc-net-main.c:common-qp.h-is-included-more-than-once. |-- drivers-ub-urma-ubcore-ubcore_cdev_file.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_device.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_genl.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_genl_admin.c:linux-version.h-not-needed. |-- drivers-ub-urma-ubcore-ubcore_uvs_cmd.c:ubcore_device.h-is-included-more-than-once. `-- drivers-ub-urma-uburma-uburma_mmap.c:linux-version.h-not-needed. elapsed time: 745m configs tested: 35 configs skipped: 146 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240529 clang arm64 randconfig-002-20240529 clang arm64 randconfig-003-20240529 gcc arm64 randconfig-004-20240529 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240530 clang x86_64 buildonly-randconfig-002-20240530 clang x86_64 buildonly-randconfig-003-20240530 gcc x86_64 buildonly-randconfig-004-20240530 gcc x86_64 buildonly-randconfig-005-20240530 clang x86_64 buildonly-randconfig-006-20240530 gcc x86_64 defconfig gcc x86_64 randconfig-001-20240530 clang x86_64 randconfig-002-20240530 clang x86_64 randconfig-003-20240530 clang x86_64 randconfig-004-20240530 clang x86_64 randconfig-005-20240530 clang x86_64 randconfig-006-20240530 clang x86_64 randconfig-011-20240530 clang x86_64 randconfig-012-20240530 gcc x86_64 randconfig-013-20240530 gcc x86_64 randconfig-014-20240530 gcc x86_64 randconfig-015-20240530 clang x86_64 randconfig-016-20240530 gcc x86_64 randconfig-071-20240530 clang x86_64 randconfig-072-20240530 clang x86_64 randconfig-073-20240530 clang x86_64 randconfig-074-20240530 clang x86_64 randconfig-075-20240530 gcc x86_64 randconfig-076-20240530 gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 4037/9792] drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6449:38: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding'
by kernel test robot 30 May '24

30 May '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: c0b6b4438dc70167c4c16f6436499cde257f782a commit: 5deaf74c4b3edcf88f67f18aa352690deb9dc212 [4037/9792] drivers: initial support for rnpm drivers from Mucse Technology config: loongarch-randconfig-002-20240530 (https://download.01.org/0day-ci/archive/20240530/202405300505.GzvBHBcM-lkp@…) compiler: loongarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240530/202405300505.GzvBHBcM-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202405300505.GzvBHBcM-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/net/ethernet/mucse/rnpm/rnpm_main.c:256:6: warning: no previous prototype for 'rnpm_pf_service_event_schedule' [-Wmissing-prototypes] 256 | void rnpm_pf_service_event_schedule(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:1137:5: warning: no previous prototype for 'rnpm_rx_ring_reinit' [-Wmissing-prototypes] 1137 | int rnpm_rx_ring_reinit(struct rnpm_adapter *adapter, struct rnpm_ring *rx_ring) | ^~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: In function 'rnpm_clean_rx_irq': drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2015:14: warning: variable 'xdp_xmit' set but not used [-Wunused-but-set-variable] 2015 | bool xdp_xmit = false; | ^~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: At top level: drivers/net/ethernet/mucse/rnpm/rnpm_main.c:2207:6: warning: no previous prototype for 'rnpm_write_eitr' [-Wmissing-prototypes] 2207 | void rnpm_write_eitr(struct rnpm_q_vector *q_vector, bool is_rxframe) | ^~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:3013:5: warning: no previous prototype for 'rnpm_xmit_nop_frame_ring' [-Wmissing-prototypes] 3013 | int rnpm_xmit_nop_frame_ring(struct rnpm_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:3037:5: warning: no previous prototype for 'rnpm_xmit_nop_frame_ring_temp' [-Wmissing-prototypes] 3037 | int rnpm_xmit_nop_frame_ring_temp(struct rnpm_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:3909:6: warning: no previous prototype for 'rnpm_vlan_stags_flag' [-Wmissing-prototypes] 3909 | void rnpm_vlan_stags_flag(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:4031:6: warning: no previous prototype for 'control_mac_rx' [-Wmissing-prototypes] 4031 | void control_mac_rx(struct rnpm_adapter *adapter, bool on) | ^~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5803:6: warning: no previous prototype for 'rnpm_pf_service_timer' [-Wmissing-prototypes] 5803 | void rnpm_pf_service_timer(struct timer_list *t) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5821:6: warning: no previous prototype for 'rnpm_service_timer' [-Wmissing-prototypes] 5821 | void rnpm_service_timer(struct timer_list *t) | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5962:21: warning: no previous prototype for 'wait_all_port_resetting' [-Wmissing-prototypes] 5962 | __maybe_unused void wait_all_port_resetting(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:5974:21: warning: no previous prototype for 'clean_all_port_resetting' [-Wmissing-prototypes] 5974 | __maybe_unused void clean_all_port_resetting(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6185:5: warning: no previous prototype for 'rnpm_check_mc_addr' [-Wmissing-prototypes] 6185 | int rnpm_check_mc_addr(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6211:6: warning: no previous prototype for 'update_pf_vlan' [-Wmissing-prototypes] 6211 | void update_pf_vlan(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6262:6: warning: no previous prototype for 'rnpm_pf_service_task' [-Wmissing-prototypes] 6262 | void rnpm_pf_service_task(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: In function 'rnpm_tso': >> drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6449:38: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding' 6449 | first->gso_need_padding = !!gso_need_pad; | ^~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: In function 'rnpm_tx_csum': drivers/net/ethernet/mucse/rnpm/rnpm_main.c:6517:30: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding' 6517 | first->gso_need_padding = true; | ^~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c: At top level: drivers/net/ethernet/mucse/rnpm/rnpm_main.c:7528:6: warning: no previous prototype for 'rnpm_clear_udp_tunnel_port' [-Wmissing-prototypes] 7528 | void rnpm_clear_udp_tunnel_port(struct rnpm_adapter *adapter) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:7692:6: warning: no previous prototype for 'rnpm_assign_netdev_ops' [-Wmissing-prototypes] 7692 | void rnpm_assign_netdev_ops(struct net_device *dev) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:7785:6: warning: no previous prototype for 'rnpm_fix_queue_number' [-Wmissing-prototypes] 7785 | void rnpm_fix_queue_number(struct rnpm_hw *hw) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_main.c:8760:5: warning: no previous prototype for 'rnpm_can_rpu_start' [-Wmissing-prototypes] 8760 | int rnpm_can_rpu_start(struct rnpm_pf_adapter *pf_adapter) | ^~~~~~~~~~~~~~~~~~ -- drivers/net/ethernet/mucse/rnpm/rnpm_lib.c: In function 'rnpm_maybe_tx_ctxtdesc': >> drivers/net/ethernet/mucse/rnpm/rnpm_lib.c:1008:35: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding' 1008 | if (!first->gso_need_padding) | ^~ drivers/net/ethernet/mucse/rnpm/rnpm_lib.c:1010:30: error: 'struct rnpm_tx_buffer' has no member named 'gso_need_padding' 1010 | first->gso_need_padding = false; | ^~ drivers/net/ethernet/mucse/rnpm/rnpm_lib.c: At top level: drivers/net/ethernet/mucse/rnpm/rnpm_lib.c:1185:6: warning: no previous prototype for 'rnpm_setup_layer2_remapping' [-Wmissing-prototypes] 1185 | void rnpm_setup_layer2_remapping(struct rnpm_hw *hw, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_lib.c:1209:6: warning: no previous prototype for 'rnpm_setup_tuple5_remapping' [-Wmissing-prototypes] 1209 | void rnpm_setup_tuple5_remapping(struct rnpm_hw *hw, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/mucse/rnpm/rnpm_lib.c:1280:6: warning: no previous prototype for 'rnpm_setup_tuple5_remapping_tcam' [-Wmissing-prototypes] 1280 | void rnpm_setup_tuple5_remapping_tcam(struct rnpm_hw *hw, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +6449 drivers/net/ethernet/mucse/rnpm/rnpm_main.c 6309 6310 static int rnpm_tso(struct rnpm_ring *tx_ring, struct rnpm_tx_buffer *first, 6311 u8 *hdr_len) 6312 { 6313 struct rnpm_adapter *adapter = netdev_priv(tx_ring->netdev); 6314 struct sk_buff *skb = first->skb; 6315 union { 6316 struct iphdr *v4; 6317 struct ipv6hdr *v6; 6318 unsigned char *hdr; 6319 } ip; 6320 union { 6321 struct tcphdr *tcp; 6322 struct udphdr *udp; 6323 unsigned char *hdr; 6324 } l4; 6325 u32 paylen, l4_offset; 6326 int err; 6327 u8 *inner_mac; 6328 u16 gso_segs, gso_size; 6329 u16 gso_need_pad; 6330 6331 if (skb->ip_summed != CHECKSUM_PARTIAL) 6332 return 0; 6333 6334 if (!skb_is_gso(skb)) 6335 return 0; 6336 6337 err = skb_cow_head(skb, 0); 6338 if (err < 0) 6339 return err; 6340 6341 inner_mac = skb->data; 6342 ip.hdr = skb_network_header(skb); 6343 l4.hdr = skb_transport_header(skb); 6344 6345 first->tx_flags |= 6346 RNPM_TXD_FLAG_TSO | RNPM_TXD_IP_CSUM | RNPM_TXD_L4_CSUM; 6347 6348 /* initialize outer IP header fields */ 6349 if (ip.v4->version == 4) { 6350 /* IP header will have to cancel out any data that 6351 * is not a part of the outer IP header 6352 */ 6353 ip.v4->check = 0x0000; 6354 } else { 6355 ip.v6->payload_len = 0; 6356 } 6357 #ifdef HAVE_ENCAP_TSO_OFFLOAD 6358 if (skb_shinfo(skb)->gso_type & 6359 (SKB_GSO_GRE | 6360 #ifdef NETIF_F_GSO_PARTIAL 6361 SKB_GSO_GRE_CSUM | 6362 #endif 6363 SKB_GSO_UDP_TUNNEL | SKB_GSO_UDP_TUNNEL_CSUM)) { 6364 #ifndef NETIF_F_GSO_PARTIAL 6365 if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_TUNNEL_CSUM) { 6366 #else 6367 if (!(skb_shinfo(skb)->gso_type & SKB_GSO_PARTIAL) && 6368 (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_TUNNEL_CSUM)) { 6369 #endif 6370 } 6371 /* we should always do this */ 6372 inner_mac = skb_inner_mac_header(skb); 6373 6374 first->tunnel_hdr_len = (inner_mac - skb->data); 6375 if (skb_shinfo(skb)->gso_type & 6376 (SKB_GSO_UDP_TUNNEL | SKB_GSO_UDP_TUNNEL_CSUM)) { 6377 first->tx_flags |= RNPM_TXD_TUNNEL_VXLAN; 6378 l4.udp->check = 0; 6379 tx_dbg("set outer l4.udp to 0\n"); 6380 } else { 6381 first->tx_flags |= RNPM_TXD_TUNNEL_NVGRE; 6382 } 6383 6384 /* reset pointers to inner headers */ 6385 ip.hdr = skb_inner_network_header(skb); 6386 l4.hdr = skb_inner_transport_header(skb); 6387 } 6388 6389 #endif /* HAVE_ENCAP_TSO_OFFLOAD */ 6390 if (ip.v4->version == 4) { 6391 /* IP header will have to cancel out any data that 6392 * is not a part of the outer IP header 6393 */ 6394 ip.v4->check = 0x0000; 6395 6396 } else { 6397 ip.v6->payload_len = 0; 6398 /* set ipv6 type */ 6399 6400 first->tx_flags |= (RNPM_TXD_FLAG_IPv6); 6401 } 6402 6403 /* determine offset of inner transport header */ 6404 l4_offset = l4.hdr - skb->data; 6405 6406 paylen = skb->len - l4_offset; 6407 tx_dbg("before l4 checksum is %x\n", l4.tcp->check); 6408 6409 // csum_replace_by_diff(&l4.tcp->check, htonl(paylen)); 6410 6411 tx_dbg("l4 checksum is %x\n", l4.tcp->check); 6412 6413 if (skb->csum_offset == offsetof(struct tcphdr, check)) { 6414 tx_dbg("tcp before l4 checksum is %x\n", l4.tcp->check); 6415 // first->tx_flags |= RNP_TXD_L4_TYPE_TCP; 6416 first->tx_flags |= RNPM_TXD_L4_TYPE_TCP; 6417 /* compute length of segmentation header */ 6418 *hdr_len = (l4.tcp->doff * 4) + l4_offset; 6419 csum_replace_by_diff(&l4.tcp->check, 6420 (__force __wsum)htonl(paylen)); 6421 tx_dbg("tcp l4 checksum is %x\n", l4.tcp->check); 6422 // we should clear tcp.flags.push flas 6423 l4.tcp->psh = 0; 6424 } else { 6425 tx_dbg("paylen is %x\n", paylen); 6426 // first->tx_flags |= RNP_TXD_L4_TYPE_UDP; 6427 first->tx_flags |= RNPM_TXD_L4_TYPE_UDP; 6428 /* compute length of segmentation header */ 6429 tx_dbg("udp before l4 checksum is %x\n", l4.udp->check); 6430 *hdr_len = sizeof(*l4.udp) + l4_offset; 6431 csum_replace_by_diff(&l4.udp->check, 6432 (__force __wsum)htonl(paylen)); 6433 tx_dbg("udp l4 checksum is %x\n", l4.udp->check); 6434 } 6435 6436 first->mac_ip_len = l4.hdr - ip.hdr; 6437 first->mac_ip_len |= (ip.hdr - inner_mac) << 9; 6438 /* pull values out of skb_shinfo */ 6439 gso_size = skb_shinfo(skb)->gso_size; 6440 gso_segs = skb_shinfo(skb)->gso_segs; 6441 6442 if (adapter->priv_flags & RNPM_PRIV_FLAG_TX_PADDING) { 6443 gso_need_pad = (first->skb->len - *hdr_len) % gso_size; 6444 if (gso_need_pad) { 6445 if ((gso_need_pad + *hdr_len) <= 6446 tx_ring->gso_padto_bytes) { 6447 gso_need_pad = tx_ring->gso_padto_bytes - 6448 (gso_need_pad + *hdr_len); > 6449 first->gso_need_padding = !!gso_need_pad; 6450 } 6451 } 6452 } 6453 /* update gso size and bytecount with header size */ 6454 /* to fix tx status */ 6455 first->gso_segs = gso_segs; 6456 first->bytecount += (first->gso_segs - 1) * *hdr_len; 6457 6458 first->mss_len_vf_num |= (gso_size | ((l4.tcp->doff * 4) << 24)); 6459 // rnpm_tx_ctxtdesc(tx_ring,skb_shinfo(skb)->gso_size ,l4len, 0, 0, 6460 // type_tucmd); 6461 6462 first->ctx_flag = true; 6463 return 1; 6464 } 6465 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0