From: Zhou Qingyang <zhou1615(a)umn.edu>
stable inclusion
from stable-v4.19.220
commit 676dc7d9b15bf8733233a2db1ec3f9091ab34275
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S1ZN
CVE: CVE-2021-47541
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit addad7643142f500080417dd7272f49b7a185570 upstream.
In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().
Fix this bug by adding a check of mlx4_en_copy_priv().
This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.
Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.
Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.
Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615(a)umn.edu>
Reviewed-by: Leon Romanovsky <leonro(a)nvidia.com>
Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Pu Lehui <pulehui(a)huawei.com>
---
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
index 47eee3e083ec..e60ca4c86482 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2279,9 +2279,14 @@ int mlx4_en_try_alloc_resources(struct mlx4_en_priv *priv,
bool carry_xdp_prog)
{
struct bpf_prog *xdp_prog;
- int i, t;
+ int i, t, ret;
- mlx4_en_copy_priv(tmp, priv, prof);
+ ret = mlx4_en_copy_priv(tmp, priv, prof);
+ if (ret) {
+ en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+ __func__);
+ return ret;
+ }
if (mlx4_en_alloc_resources(tmp)) {
en_warn(priv,
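Review bot: the en_warn() added in the `if (ret)` branch says mlx4_en_copy_priv() failed but drops the error code, so the log cannot tell one failure cause from another. Print ret in the message, for example "%s: mlx4_en_copy_priv() failed, ret = %d\n", and drop the trailing ", return", which adds nothing in dmesg. Returning before mlx4_en_alloc_resources(tmp) is the right place for the check, since it keeps a failed tmp from being dereferenced.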
--
2.34.1
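The error-path pattern described in the commit message above, as an added userspace model (not the driver's code and not part of the patch). model_copy_priv(), model_alloc_resources() and model_try_alloc() are hypothetical stand-ins for the three driver functions, and the fail_at hook and the array sizes are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#define NUM_TYPES  2    /* assumed stand-in for the driver's TX queue types */
#define NUM_QUEUES 4    /* assumed number of queues per type */
struct model_priv { int *tx_cq[NUM_TYPES]; };   /* models tmp->tx_cq[t] */
static int fail_at = -1;    /* test hook: index of the allocation that fails */

/* Models mlx4_en_copy_priv() as the commit message describes it: on failure
 * it frees what it allocated; dst->tx_cq[] keeps the stale pointer values. */
static int model_copy_priv(struct model_priv *dst)
{
    int t;
    for (t = 0; t < NUM_TYPES; t++) {
        dst->tx_cq[t] = (t == fail_at) ? NULL : calloc(NUM_QUEUES, sizeof(int));
        if (!dst->tx_cq[t])
            goto err_free;
    }
    return 0;
err_free:
    while (t--)
        free(dst->tx_cq[t]);    /* freed, but the pointer is not cleared */
    return -ENOMEM;
}

/* Models mlx4_en_alloc_resources(): writes through tx_cq[t][i]. */
static void model_alloc_resources(struct model_priv *p)
{
    for (int t = 0; t < NUM_TYPES; t++)
        for (int i = 0; i < NUM_QUEUES; i++)
            p->tx_cq[t][i] = 1;
}

/* Caller with the check the patch adds; *touched records whether tmp was
 * dereferenced. Without the early return, a failed copy would fall through
 * to model_alloc_resources() and write into freed arrays. */
static int model_try_alloc(struct model_priv *tmp, int *touched)
{
    int ret = model_copy_priv(tmp);
    if (ret)
        return ret;
    *touched = 1;
    model_alloc_resources(tmp);
    return 0;
}

int main(void)
{
    struct model_priv tmp = {{0}};
    int touched = 0;
    fail_at = 1;    /* second allocation fails, first array gets freed */
    return (model_try_alloc(&tmp, &touched) == -ENOMEM && !touched) ? 0 : 1;
}
```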
From: Junhao He <hejunhao3(a)huawei.com>
mainline inclusion
from mainline-v6.7-rc1
commit b805cafc604bfdb671fae7347a57f51154afa735
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RKWV
CVE: CVE-2023-52859
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
When we fail to register the uncore pmu, the pmu context may not have been
allocated. The error handling will call cpuhp_state_remove_instance()
to call the uncore pmu offline callback, which migrates the pmu context.
That's liable to lead to some kind of use-after-free.
Use cpuhp_state_remove_instance_nocalls() instead of
cpuhp_state_remove_instance() so that the notifiers don't execute after
the PMU device has failed to register.
Fixes: a0ab25cd82ee ("drivers/perf: hisi: Add support for HiSilicon PA PMU driver")
Fixes: 3bf30882c3c7 ("drivers/perf: hisi: Add support for HiSilicon SLLC PMU driver")
Signed-off-by: Junhao He <hejunhao3(a)huawei.com>
Link: https://lore.kernel.org/r/20231024113630.13472-1-hejunhao3@huawei.com
Signed-off-by: Will Deacon <will(a)kernel.org>
Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com>
---
drivers/perf/hisilicon/hisi_uncore_pa_pmu.c | 4 ++--
drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c
index f1e6b5cee075..65ed4aa19266 100644
--- a/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c
+++ b/drivers/perf/hisilicon/hisi_uncore_pa_pmu.c
@@ -430,8 +430,8 @@ static int hisi_pa_pmu_probe(struct platform_device *pdev)
ret = perf_pmu_register(&pa_pmu->pmu, name, -1);
if (ret) {
dev_err(pa_pmu->dev, "PMU register failed, ret = %d\n", ret);
- cpuhp_state_remove_instance(CPUHP_AP_PERF_ARM_HISI_PA_ONLINE,
- &pa_pmu->node);
+ cpuhp_state_remove_instance_nocalls(CPUHP_AP_PERF_ARM_HISI_PA_ONLINE,
+ &pa_pmu->node);
return ret;
}
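Review bot: the switch to cpuhp_state_remove_instance_nocalls() in the perf_pmu_register() failure branch of hisi_pa_pmu_probe() is not self-explanatory at the call site. Add a one-line comment above the call saying the offline callback must not run because the PMU was never registered, so that a later cleanup does not turn it back into cpuhp_state_remove_instance().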
diff --git a/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c b/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c
index 835ec3e2178f..1a3d58ca854c 100644
--- a/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c
+++ b/drivers/perf/hisilicon/hisi_uncore_sllc_pmu.c
@@ -463,8 +463,8 @@ static int hisi_sllc_pmu_probe(struct platform_device *pdev)
ret = perf_pmu_register(&sllc_pmu->pmu, name, -1);
if (ret) {
dev_err(sllc_pmu->dev, "PMU register failed, ret = %d\n", ret);
- cpuhp_state_remove_instance(CPUHP_AP_PERF_ARM_HISI_SLLC_ONLINE,
- &sllc_pmu->node);
+ cpuhp_state_remove_instance_nocalls(CPUHP_AP_PERF_ARM_HISI_SLLC_ONLINE,
+ &sllc_pmu->node);
return ret;
}
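Review bot: in hisi_sllc_pmu_probe() the failure branch now skips the offline callback entirely, so confirm that nothing the online callback set up when the instance was added still needs to be undone on this path. The visible lines only remove the hotplug instance and return ret. If nothing else needs unwinding, a short comment saying so would make this branch easier to review.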
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 03933bd11a64b94203f2cbe30ae71061807872fb
commit: 1a378b87531ea80e7847bf0105adedff28a73080 [16561/22602] mm: add pin memory method for checkpoint add restore
config: arm64-randconfig-002-20240531 (https://download.01.org/0day-ci/archive/20240531/202405310530.QbRwB9XW-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240531/202405310530.QbRwB9XW-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405310530.QbRwB9XW-lkp@intel.com/
Note: it may well be a FALSE warning. FWIW you are at least aware of it now.
http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings
All warnings (new ones prefixed by >>):
In file included from include/linux/compat.h:19,
from arch/arm64/include/asm/ftrace.h:20,
from include/linux/ftrace.h:21,
from include/linux/kprobes.h:42,
from drivers/char/pin_memory.c:8:
In function '_copy_from_user',
inlined from 'copy_from_user' at include/linux/uaccess.h:144:7,
inlined from 'set_pin_mem_area' at drivers/char/pin_memory.c:95:6:
>> include/linux/uaccess.h:112:17: warning: 'pmas' may be used uninitialized [-Wmaybe-uninitialized]
112 | kasan_check_write(to, n);
| ^~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/compiler.h:251,
from include/linux/export.h:45,
from include/linux/linkage.h:7,
from include/linux/kernel.h:7,
from drivers/char/pin_memory.c:6:
include/linux/kasan-checks.h: In function 'set_pin_mem_area':
include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here
7 | void kasan_check_write(const volatile void *p, unsigned int size);
| ^~~~~~~~~~~~~~~~~
drivers/char/pin_memory.c:90:33: note: 'pmas' declared here
90 | struct pin_mem_area_set pmas;
| ^~~~
In function '_copy_from_user',
inlined from 'copy_from_user' at include/linux/uaccess.h:144:7,
inlined from 'pin_mem_remap' at drivers/char/pin_memory.c:116:6:
>> include/linux/uaccess.h:112:17: warning: 'pid' may be used uninitialized [-Wmaybe-uninitialized]
112 | kasan_check_write(to, n);
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/kasan-checks.h: In function 'pin_mem_remap':
include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here
7 | void kasan_check_write(const volatile void *p, unsigned int size);
| ^~~~~~~~~~~~~~~~~
drivers/char/pin_memory.c:107:13: note: 'pid' declared here
107 | int pid;
| ^~~
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for HARDLOCKUP_DETECTOR
Depends on [n]: DEBUG_KERNEL [=n] && !S390 && (HAVE_HARDLOCKUP_DETECTOR_PERF [=n] || HAVE_HARDLOCKUP_DETECTOR_ARCH [=y])
Selected by [y]:
- SDEI_WATCHDOG [=y] && <choice> && ARM_SDE_INTERFACE [=y] && !HARDLOCKUP_CHECK_TIMESTAMP [=n]
vim +/pmas +112 include/linux/uaccess.h
d597580d373774 Al Viro 2017-03-20 104
d597580d373774 Al Viro 2017-03-20 105 #ifdef INLINE_COPY_FROM_USER
d597580d373774 Al Viro 2017-03-20 106 static inline unsigned long
d597580d373774 Al Viro 2017-03-20 107 _copy_from_user(void *to, const void __user *from, unsigned long n)
d597580d373774 Al Viro 2017-03-20 108 {
d597580d373774 Al Viro 2017-03-20 109 unsigned long res = n;
9c5f6908de03a4 Al Viro 2017-06-29 110 might_fault();
4983cb67a383a7 Linus Torvalds 2019-02-14 111 if (likely(access_ok(from, n))) {
9c5f6908de03a4 Al Viro 2017-06-29 @112 kasan_check_write(to, n);
d597580d373774 Al Viro 2017-03-20 113 res = raw_copy_from_user(to, from, n);
9c5f6908de03a4 Al Viro 2017-06-29 114 }
d597580d373774 Al Viro 2017-03-20 115 if (unlikely(res))
d597580d373774 Al Viro 2017-03-20 116 memset(to + (n - res), 0, res);
d597580d373774 Al Viro 2017-03-20 117 return res;
d597580d373774 Al Viro 2017-03-20 118 }
d597580d373774 Al Viro 2017-03-20 119 #else
d597580d373774 Al Viro 2017-03-20 120 extern unsigned long
d597580d373774 Al Viro 2017-03-20 121 _copy_from_user(void *, const void __user *, unsigned long);
d597580d373774 Al Viro 2017-03-20 122 #endif
d597580d373774 Al Viro 2017-03-20 123
d597580d373774 Al Viro 2017-03-20 124 #ifdef INLINE_COPY_TO_USER
d597580d373774 Al Viro 2017-03-20 125 static inline unsigned long
d597580d373774 Al Viro 2017-03-20 126 _copy_to_user(void __user *to, const void *from, unsigned long n)
d597580d373774 Al Viro 2017-03-20 127 {
9c5f6908de03a4 Al Viro 2017-06-29 128 might_fault();
4983cb67a383a7 Linus Torvalds 2019-02-14 129 if (access_ok(to, n)) {
9c5f6908de03a4 Al Viro 2017-06-29 130 kasan_check_read(from, n);
d597580d373774 Al Viro 2017-03-20 131 n = raw_copy_to_user(to, from, n);
9c5f6908de03a4 Al Viro 2017-06-29 132 }
d597580d373774 Al Viro 2017-03-20 133 return n;
d597580d373774 Al Viro 2017-03-20 134 }
d597580d373774 Al Viro 2017-03-20 135 #else
d597580d373774 Al Viro 2017-03-20 136 extern unsigned long
d597580d373774 Al Viro 2017-03-20 137 _copy_to_user(void __user *, const void *, unsigned long);
d597580d373774 Al Viro 2017-03-20 138 #endif
d597580d373774 Al Viro 2017-03-20 139
d597580d373774 Al Viro 2017-03-20 140 static __always_inline unsigned long __must_check
d597580d373774 Al Viro 2017-03-20 141 copy_from_user(void *to, const void __user *from, unsigned long n)
d597580d373774 Al Viro 2017-03-20 142 {
b0377fedb65280 Al Viro 2017-06-29 143 if (likely(check_copy_size(to, n, false)))
d597580d373774 Al Viro 2017-03-20 @144 n = _copy_from_user(to, from, n);
d597580d373774 Al Viro 2017-03-20 145 return n;
d597580d373774 Al Viro 2017-03-20 146 }
d597580d373774 Al Viro 2017-03-20 147
:::::: The code at line 112 was first introduced by commit
:::::: 9c5f6908de03a4f52ba7364b11fcd6116225480c copy_{from,to}_user(): move kasan checks and might_fault() out-of-line
:::::: TO: Al Viro <viro(a)zeniv.linux.org.uk>
:::::: CC: Al Viro <viro(a)zeniv.linux.org.uk>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 03933bd11a64b94203f2cbe30ae71061807872fb
commit: 70a232a564cfa99401d197708cf380398ad5e2d7 [19669/22602] sched: Adjust wakeup cpu range according CPU util dynamicly
config: arm64-randconfig-001-20240531 (https://download.01.org/0day-ci/archive/20240531/202405310225.ixqT7RKx-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240531/202405310225.ixqT7RKx-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405310225.ixqT7RKx-lkp@intel.com/
All errors (new ones prefixed by >>):
kernel/sched/fair.c:3675:6: warning: no previous prototype for 'sync_entity_load_avg' [-Wmissing-prototypes]
3675 | void sync_entity_load_avg(struct sched_entity *se)
| ^~~~~~~~~~~~~~~~~~~~
kernel/sched/fair.c:3688:6: warning: no previous prototype for 'remove_entity_load_avg' [-Wmissing-prototypes]
3688 | void remove_entity_load_avg(struct sched_entity *se)
| ^~~~~~~~~~~~~~~~~~~~~~
kernel/sched/fair.c:5206:6: warning: no previous prototype for 'init_cfs_bandwidth' [-Wmissing-prototypes]
5206 | void init_cfs_bandwidth(struct cfs_bandwidth *cfs_b) {}
| ^~~~~~~~~~~~~~~~~~
In file included from arch/arm64/include/asm/current.h:5,
from include/linux/sched.h:12,
from kernel/sched/sched.h:5,
from kernel/sched/fair.c:23:
kernel/sched/fair.c: In function 'set_task_select_cpus':
>> kernel/sched/fair.c:6701:33: error: invalid use of undefined type 'struct task_group'
6701 | if (unlikely(!tg->se[cpu]))
| ^~
include/linux/compiler.h:77:45: note: in definition of macro 'unlikely'
77 | # define unlikely(x) __builtin_expect(!!(x), 0)
| ^
kernel/sched/fair.c:6707:61: error: invalid use of undefined type 'struct task_group'
6707 | spare = (long)(capacity_of(cpu) - tg->se[cpu]->avg.util_avg);
| ^~
kernel/sched/fair.c:6720:35: error: invalid use of undefined type 'struct task_group'
6720 | util_avg_sum += tg->se[cpu]->avg.util_avg;
| ^~
kernel/sched/fair.c: In function 'select_task_rq_fair':
kernel/sched/fair.c:6747:23: warning: variable 'time' set but not used [-Wunused-but-set-variable]
6747 | unsigned long time;
| ^~~~
kernel/sched/fair.c: In function 'pick_next_task_fair':
kernel/sched/fair.c:7291:23: warning: variable 'time' set but not used [-Wunused-but-set-variable]
7291 | unsigned long time;
| ^~~~
kernel/sched/fair.c: At top level:
kernel/sched/fair.c:11034:6: warning: no previous prototype for 'free_fair_sched_group' [-Wmissing-prototypes]
11034 | void free_fair_sched_group(struct task_group *tg) { }
| ^~~~~~~~~~~~~~~~~~~~~
kernel/sched/fair.c:11036:5: warning: no previous prototype for 'alloc_fair_sched_group' [-Wmissing-prototypes]
11036 | int alloc_fair_sched_group(struct task_group *tg, struct task_group *parent)
| ^~~~~~~~~~~~~~~~~~~~~~
kernel/sched/fair.c:11041:6: warning: no previous prototype for 'online_fair_sched_group' [-Wmissing-prototypes]
11041 | void online_fair_sched_group(struct task_group *tg) { }
| ^~~~~~~~~~~~~~~~~~~~~~~
kernel/sched/fair.c:11043:6: warning: no previous prototype for 'unregister_fair_sched_group' [-Wmissing-prototypes]
11043 | void unregister_fair_sched_group(struct task_group *tg) { }
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/migrate.h:6,
from kernel/sched/sched.h:52:
include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used [-Wunused-function]
329 | static long __do_mbind(unsigned long start, unsigned long len,
| ^~~~~~~~~~
vim +6701 kernel/sched/fair.c
6670
6671 /*
6672 * set_task_select_cpus: select the cpu range for task
6673 * @p: the task whose available cpu range will to set
6674 * @idlest_cpu: the cpu which is the idlest in prefer cpus
6675 *
6676 * If sum of 'util_avg' among 'preferred_cpus' lower than the percentage
6677 * 'sysctl_sched_util_low_pct' of 'preferred_cpus' capacity, select
6678 * 'preferred_cpus' range for task, otherwise select 'preferred_cpus' for task.
6679 *
6680 * The available cpu range set to p->select_cpus. Idlest cpu in preferred cpus
6681 * set to @idlest_cpu, which is set to wakeup cpu when fast path wakeup cpu
6682 * without p->select_cpus.
6683 */
6684 static void set_task_select_cpus(struct task_struct *p, int *idlest_cpu,
6685 int sd_flag)
6686 {
6687 unsigned long util_avg_sum = 0;
6688 unsigned long tg_capacity = 0;
6689 long min_util = INT_MIN;
6690 struct task_group *tg;
6691 long spare;
6692 int cpu;
6693
6694 p->select_cpus = &p->cpus_allowed;
6695 if (!prefer_cpus_valid(p))
6696 return;
6697
6698 rcu_read_lock();
6699 tg = task_group(p);
6700 for_each_cpu(cpu, p->prefer_cpus) {
> 6701 if (unlikely(!tg->se[cpu]))
6702 continue;
6703
6704 if (idlest_cpu && available_idle_cpu(cpu)) {
6705 *idlest_cpu = cpu;
6706 } else if (idlest_cpu) {
6707 spare = (long)(capacity_of(cpu) - tg->se[cpu]->avg.util_avg);
6708 if (spare > min_util) {
6709 min_util = spare;
6710 *idlest_cpu = cpu;
6711 }
6712 }
6713
6714 if (available_idle_cpu(cpu)) {
6715 rcu_read_unlock();
6716 p->select_cpus = p->prefer_cpus;
6717 return;
6718 }
6719
6720 util_avg_sum += tg->se[cpu]->avg.util_avg;
6721 tg_capacity += capacity_of(cpu);
6722 }
6723 rcu_read_unlock();
6724
6725 if (tg_capacity > cpumask_weight(p->prefer_cpus) &&
6726 util_avg_sum * 100 <= tg_capacity * sysctl_sched_util_low_pct) {
6727 p->select_cpus = p->prefer_cpus;
6728 }
6729 }
6730 #endif
6731