- Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10 2668/2668] fs/cachefiles/ondemand.c:211:9: sparse: sparse: incorrect type in assignment (different address spaces)
by kernel test robot 08 Jan '25

08 Jan '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: ed8467e701e8f5ed9f2b39cf55710a156fc2593f commit: 2937cd5f8c58bd8e7895f6b2698057721442248e [2668/2668] cachefiles: notify the user daemon when looking up cookie config: x86_64-randconfig-121-20250108 (https://download.01.org/0day-ci/archive/20250108/202501081846.dn5sbz8W-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250108/202501081846.dn5sbz8W-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202501081846.dn5sbz8W-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> fs/cachefiles/ondemand.c:211:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] __rcu ** @@ fs/cachefiles/ondemand.c:211:9: sparse: expected void **slot fs/cachefiles/ondemand.c:211:9: sparse: got void [noderef] __rcu ** >> fs/cachefiles/ondemand.c:211:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] __rcu ** @@ fs/cachefiles/ondemand.c:211:9: sparse: expected void **slot fs/cachefiles/ondemand.c:211:9: sparse: got void [noderef] __rcu ** >> fs/cachefiles/ondemand.c:213:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] __rcu **slot @@ got void **slot @@ fs/cachefiles/ondemand.c:213:55: sparse: expected void [noderef] __rcu **slot fs/cachefiles/ondemand.c:213:55: sparse: got void **slot fs/cachefiles/ondemand.c:211:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] __rcu **slot @@ got void **slot @@ fs/cachefiles/ondemand.c:211:9: sparse: expected void [noderef] __rcu **slot fs/cachefiles/ondemand.c:211:9: sparse: got void **slot >> fs/cachefiles/ondemand.c:211:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] __rcu ** @@ fs/cachefiles/ondemand.c:211:9: sparse: expected void **slot fs/cachefiles/ondemand.c:211:9: sparse: got void [noderef] __rcu ** -- >> fs/cachefiles/daemon.c:155:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] __rcu ** @@ fs/cachefiles/daemon.c:155:9: sparse: expected void **slot fs/cachefiles/daemon.c:155:9: sparse: got void [noderef] __rcu ** >> fs/cachefiles/daemon.c:155:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] __rcu ** @@ fs/cachefiles/daemon.c:155:9: sparse: expected void **slot fs/cachefiles/daemon.c:155:9: sparse: got void [noderef] __rcu ** >> fs/cachefiles/daemon.c:156:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] __rcu **slot @@ got void **slot @@ fs/cachefiles/daemon.c:156:55: sparse: expected void [noderef] __rcu **slot fs/cachefiles/daemon.c:156:55: sparse: got void **slot fs/cachefiles/daemon.c:155:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] __rcu **slot @@ got void **slot @@ fs/cachefiles/daemon.c:155:9: sparse: expected void [noderef] __rcu **slot fs/cachefiles/daemon.c:155:9: sparse: got void **slot >> fs/cachefiles/daemon.c:155:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] __rcu ** @@ fs/cachefiles/daemon.c:155:9: sparse: expected void **slot fs/cachefiles/daemon.c:155:9: sparse: got void [noderef] __rcu ** vim +211 fs/cachefiles/ondemand.c 194 195 ssize_t cachefiles_ondemand_daemon_read(struct cachefiles_cache *cache, 196 char __user *_buffer, size_t buflen, loff_t *pos) 197 { 198 struct cachefiles_req *req; 199 struct cachefiles_msg *msg; 200 unsigned long id = 0; 201 size_t n; 202 int ret = 0; 203 struct radix_tree_iter iter; 204 void **slot; 205 206 /* 207 * Search for a request that has not ever been processed, to prevent 208 * requests from being processed repeatedly. 209 */ 210 xa_lock(&cache->reqs); > 211 radix_tree_for_each_tagged(slot, &cache->reqs, &iter, 0, 212 CACHEFILES_REQ_NEW) { > 213 req = radix_tree_deref_slot_protected(slot, 214 &cache->reqs.xa_lock); 215 216 msg = &req->msg; 217 n = msg->len; 218 219 if (n > buflen) { 220 xa_unlock(&cache->reqs); 221 return -EMSGSIZE; 222 } 223 224 radix_tree_iter_tag_clear(&cache->reqs, &iter, 225 CACHEFILES_REQ_NEW); 226 xa_unlock(&cache->reqs); 227 228 id = iter.index; 229 msg->msg_id = id; 230 231 if (msg->opcode == CACHEFILES_OP_OPEN) { 232 ret = cachefiles_ondemand_get_fd(req); 233 if (ret) 234 goto error; 235 } 236 237 if (copy_to_user(_buffer, msg, n) != 0) { 238 ret = -EFAULT; 239 goto err_put_fd; 240 } 241 return n; 242 } 243 xa_unlock(&cache->reqs); 244 return 0; 245 246 err_put_fd: 247 if (msg->opcode == CACHEFILES_OP_OPEN) 248 __close_fd(current->files, 249 ((struct cachefiles_open *)msg->data)->fd); 250 error: 251 xa_lock(&cache->reqs); 252 radix_tree_delete(&cache->reqs, id); 253 xa_unlock(&cache->reqs); 254 req->error = ret; 255 complete(&req->done); 256 return ret; 257 } 258 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/1] olk-6.6
by Yuntao Liu 08 Jan '25

08 Jan '25

CVE-2024-53231 Jinjie Ruan (1): cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() drivers/cpufreq/cppc_cpufreq.c | 3 +++ 1 file changed, 3 insertions(+) -- 2.34.1

2 2

[PATCH OLK-6.6 0/1] olk-6.6
by Yuntao Liu 08 Jan '25

08 Jan '25

CVE-2024-53190 Guilherme G. Piccoli (1): wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.34.1

2 2

[PATCH OLK-6.6 0/1] CVE-2024-53190
by Yuntao Liu 08 Jan '25

08 Jan '25

CVE-2024-53190 Guilherme G. Piccoli (1): wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.34.1

2 2

[PATCH OLK-5.10 0/1] OLK-5.10
by Yuntao Liu 08 Jan '25

08 Jan '25

CVE-2024-53190 Guilherme G. Piccoli (1): wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] openEuler-22.03-LTS-SP1 olk-5.10
by Yuntao Liu 08 Jan '25

08 Jan '25

CVE-2024-53190 Guilherme G. Piccoli (1): wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures drivers/net/wireless/realtek/rtlwifi/efuse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) -- 2.34.1

2 2

[PATCH OLK-6.6] drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability
by Zhao Yipeng 08 Jan '25

08 Jan '25

From: Suraj Kandpal <suraj.kandpal(a)intel.com> mainline inclusion from mainline-v6.12-rc1 commit 31b42af516afa1e184d1a9f9dd4096c54044269a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KR6 CVE: CVE-2024-53051 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability Sometimes during hotplug scenario or suspend/resume scenario encoder is not always initialized when intel_hdcp_get_capability add a check to avoid kernel null pointer dereference. Signed-off-by: Suraj Kandpal <suraj.kandpal(a)intel.com> Reviewed-by: Dnyaneshwar Bhadane <dnyaneshwar.bhadane(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240722064451.3610512-2-sura… Conflicts: drivers/gpu/drm/i915/display/intel_hdcp.c [The conflict is that the name of the function intel_hdcp_capable has been changed to intel_hdcp_get_capability in the mainline commit 8e754d9e9e8a068d18cba6618e099a1f24347c98. And in order to reduce the scope of modification, only the code changes in the function are merged.] Signed-off-by: Zhao Yipeng <zhaoyipeng5(a)huawei.com> --- drivers/gpu/drm/i915/display/intel_hdcp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_hdcp.c b/drivers/gpu/drm/i915/display/intel_hdcp.c index cb99839afcd0..aa4c06b15190 100644 --- a/drivers/gpu/drm/i915/display/intel_hdcp.c +++ b/drivers/gpu/drm/i915/display/intel_hdcp.c @@ -142,11 +142,16 @@ int intel_hdcp_read_valid_bksv(struct intel_digital_port *dig_port, /* Is HDCP1.4 capable on Platform and Sink */ bool intel_hdcp_capable(struct intel_connector *connector) { - struct intel_digital_port *dig_port = intel_attached_dig_port(connector); + struct intel_digital_port *dig_port; const struct intel_hdcp_shim *shim = connector->hdcp.shim; bool capable = false; u8 bksv[5]; + if (!intel_attached_encoder(connector)) + return capable; + + dig_port = intel_attached_dig_port(connector); + if (!shim) return capable; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] net: af_can: do not leave a dangling sk pointer in can_create()
by Zhang Changzhong 08 Jan '25

08 Jan '25

From: Ignat Korchagin <ignat(a)cloudflare.com> mainline inclusion from mainline-v6.13-rc1 commit 811a7ca7320c062e15d0f5b171fe6ad8592d1434 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANB CVE: CVE-2024-56603 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later. Signed-off-by: Ignat Korchagin <ignat(a)cloudflare.com> Reviewed-by: Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Link: https://patch.msgid.link/20241014153808.51894-5-ignat@cloudflare.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- net/can/af_can.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/can/af_can.c b/net/can/af_can.c index 7c80315..76b75de 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c @@ -189,6 +189,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol, /* release sk on errors */ sock_orphan(sk); sock_put(sk); + sock->sk = NULL; } errout: -- 2.9.5

2 1

[openeuler:OLK-6.6 1788/1788] drivers/cpufreq/cppc_cpufreq.c:852:26: error: invalid use of undefined type 'struct fb_ctr_pair'
by kernel test robot 08 Jan '25

08 Jan '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 31b452f6f79028714fdf063d4e4f6b9d5cb87751 commit: 12f136b2134d4ded731c3ef23ac08c85b9c0b1fa [1788/1788] cpufreq: CPPC: Keep the target core awake when reading its cpufreq rate config: arm64-randconfig-001-20250108 (https://download.01.org/0day-ci/archive/20250108/202501081558.g5cb5wQS-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250108/202501081558.g5cb5wQS-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202501081558.g5cb5wQS-lkp@intel.com/ All error/warnings (new ones prefixed by >>): drivers/cpufreq/cppc_cpufreq.c: In function 'cppc_get_perf_ctrs_pair': >> drivers/cpufreq/cppc_cpufreq.c:852:26: error: invalid use of undefined type 'struct fb_ctr_pair' 852 | int cpu = fb_ctrs->cpu; | ^~ drivers/cpufreq/cppc_cpufreq.c:855:47: error: invalid use of undefined type 'struct fb_ctr_pair' 855 | ret = cppc_get_perf_ctrs(cpu, &fb_ctrs->fb_ctrs_t0); | ^~ drivers/cpufreq/cppc_cpufreq.c:861:48: error: invalid use of undefined type 'struct fb_ctr_pair' 861 | return cppc_get_perf_ctrs(cpu, &fb_ctrs->fb_ctrs_t1); | ^~ drivers/cpufreq/cppc_cpufreq.c: In function 'cppc_cpufreq_get_rate': >> drivers/cpufreq/cppc_cpufreq.c:866:16: error: variable 'fb_ctrs' has initializer but incomplete type 866 | struct fb_ctr_pair fb_ctrs = { .cpu = cpu, }; | ^~~~~~~~~~~ >> drivers/cpufreq/cppc_cpufreq.c:866:41: error: 'struct fb_ctr_pair' has no member named 'cpu' 866 | struct fb_ctr_pair fb_ctrs = { .cpu = cpu, }; | ^~~ >> drivers/cpufreq/cppc_cpufreq.c:866:47: warning: excess elements in struct initializer 866 | struct fb_ctr_pair fb_ctrs = { .cpu = cpu, }; | ^~~ drivers/cpufreq/cppc_cpufreq.c:866:47: note: (near initialization for 'fb_ctrs') >> drivers/cpufreq/cppc_cpufreq.c:866:28: error: storage size of 'fb_ctrs' isn't known 866 | struct fb_ctr_pair fb_ctrs = { .cpu = cpu, }; | ^~~~~~~ >> drivers/cpufreq/cppc_cpufreq.c:866:28: warning: unused variable 'fb_ctrs' [-Wunused-variable] vim +852 drivers/cpufreq/cppc_cpufreq.c 848 849 static int cppc_get_perf_ctrs_pair(void *val) 850 { 851 struct fb_ctr_pair *fb_ctrs = val; > 852 int cpu = fb_ctrs->cpu; 853 int ret; 854 855 ret = cppc_get_perf_ctrs(cpu, &fb_ctrs->fb_ctrs_t0); 856 if (ret) 857 return ret; 858 859 udelay(2); /* 2usec delay between sampling */ 860 861 return cppc_get_perf_ctrs(cpu, &fb_ctrs->fb_ctrs_t1); 862 } 863 864 static unsigned int cppc_cpufreq_get_rate(unsigned int cpu) 865 { > 866 struct fb_ctr_pair fb_ctrs = { .cpu = cpu, }; 867 struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); 868 struct cppc_cpudata *cpu_data = policy->driver_data; 869 u64 delivered_perf; 870 int ret; 871 872 cpufreq_cpu_put(policy); 873 874 if (cpu_has_amu_feat(cpu)) 875 ret = smp_call_on_cpu(cpu, cppc_get_perf_ctrs_pair, 876 &fb_ctrs, false); 877 else 878 ret = cppc_get_perf_ctrs_pair(&fb_ctrs); 879 880 if (ret) 881 return 0; 882 883 delivered_perf = cppc_perf_from_fbctrs(cpu_data, 884 &fb_ctrs.fb_ctrs_t0, 885 &fb_ctrs.fb_ctrs_t1); 886 887 return cppc_cpufreq_perf_to_khz(cpu_data, delivered_perf); 888 } 889 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-22.03-LTS-SP1] af_packet: avoid erroring out after sock_init_data() in packet_create()
by Zhang Changzhong 08 Jan '25

08 Jan '25

From: Ignat Korchagin <ignat(a)cloudflare.com> stable inclusion from stable-v5.10.231 commit 1dc1e1db927056cb323296e2294a855cd003dfe7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANY CVE: CVE-2024-56606 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 46f2a11cb82b657fd15bab1c47821b635e03838b ] After sock_init_data() the allocated sk object is attached to the provided sock object. On error, packet_create() frees the sk object leaving the dangling pointer in the sock object on return. Some other code may try to use this pointer and cause use-after-free. Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Ignat Korchagin <ignat(a)cloudflare.com> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241014153808.51894-2-ignat@cloudflare.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- net/packet/af_packet.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 6278535..62d1900 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3315,18 +3315,18 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, if (sock->type == SOCK_PACKET) sock->ops = &packet_ops_spkt; + po = pkt_sk(sk); + err = packet_alloc_pending(po); + if (err) + goto out_sk_free; + sock_init_data(sock, sk); - po = pkt_sk(sk); init_completion(&po->skb_completion); sk->sk_family = PF_PACKET; po->num = proto; po->xmit = dev_queue_xmit; - err = packet_alloc_pending(po); - if (err) - goto out2; - packet_cached_dev_reset(po); sk->sk_destruct = packet_sock_destruct; @@ -3361,7 +3361,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol, preempt_enable(); return 0; -out2: +out_sk_free: sk_free(sk); out: return err; -- 2.9.5

2 1

2025

2024

2023

2022

2021

2020

2019

Kernel