- Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10] BUILD SUCCESS c516c8ef905082317494ad56998c05d743334dd3
by kernel test robot 25 Jul '24

25 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: c516c8ef905082317494ad56998c05d743334dd3 !10309 net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr elapsed time: 735m configs tested: 34 configs skipped: 126 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240724 gcc-14.1.0 arm64 randconfig-002-20240724 gcc-14.1.0 arm64 randconfig-003-20240724 gcc-14.1.0 arm64 randconfig-004-20240724 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240725 clang-18 x86_64 buildonly-randconfig-002-20240725 clang-18 x86_64 buildonly-randconfig-003-20240725 clang-18 x86_64 buildonly-randconfig-004-20240725 clang-18 x86_64 buildonly-randconfig-005-20240725 gcc-13 x86_64 buildonly-randconfig-006-20240725 gcc-13 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240725 clang-18 x86_64 randconfig-002-20240725 clang-18 x86_64 randconfig-003-20240725 clang-18 x86_64 randconfig-004-20240725 clang-18 x86_64 randconfig-005-20240725 gcc-13 x86_64 randconfig-006-20240725 gcc-13 x86_64 randconfig-011-20240725 gcc-10 x86_64 randconfig-012-20240725 clang-18 x86_64 randconfig-013-20240725 gcc-13 x86_64 randconfig-014-20240725 gcc-13 x86_64 randconfig-015-20240725 clang-18 x86_64 randconfig-016-20240725 gcc-8 x86_64 randconfig-071-20240725 gcc-13 x86_64 randconfig-072-20240725 clang-18 x86_64 randconfig-073-20240725 gcc-8 x86_64 randconfig-074-20240725 clang-18 x86_64 randconfig-075-20240725 clang-18 x86_64 randconfig-076-20240725 gcc-12 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD SUCCESS 45c11497989a10c6aaba1cd66b27ec26110ade51
by kernel test robot 25 Jul '24

25 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: 45c11497989a10c6aaba1cd66b27ec26110ade51 !10078 bpf: Set run context for rawtp test_run callback Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag |-- arm64-randconfig-001-20240724 | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- arm64-randconfig-003-20240724 | |-- WARNING:modpost:vmlinux:section-mismatch-in-reference:arm_smmu_device_probe-(section:.text)-arm_smmu_v3_plat_info-(section:.init.data) | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- arm64-randconfig-004-20240724 | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- loongarch-allmodconfig | `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument `-- x86_64-allyesconfig `-- drivers-gpu-drm-amd-amdgpu-..-amdkfd-kfd_topology.c:warning:stack-frame-size-()-exceeds-limit-()-in-kfd_topology_add_device elapsed time: 722m configs tested: 38 configs skipped: 132 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240724 gcc-14.1.0 arm64 randconfig-002-20240724 gcc-14.1.0 arm64 randconfig-003-20240724 gcc-14.1.0 arm64 randconfig-004-20240724 gcc-14.1.0 loongarch allmodconfig gcc-14.1.0 loongarch allnoconfig gcc-14.1.0 loongarch randconfig-001-20240724 gcc-14.1.0 loongarch randconfig-002-20240724 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240724 clang-18 x86_64 buildonly-randconfig-002-20240724 clang-18 x86_64 buildonly-randconfig-003-20240724 gcc-13 x86_64 buildonly-randconfig-004-20240724 clang-18 x86_64 buildonly-randconfig-005-20240724 clang-18 x86_64 buildonly-randconfig-006-20240724 clang-18 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240724 clang-18 x86_64 randconfig-002-20240724 clang-18 x86_64 randconfig-003-20240724 clang-18 x86_64 randconfig-004-20240724 gcc-10 x86_64 randconfig-005-20240724 clang-18 x86_64 randconfig-006-20240724 gcc-13 x86_64 randconfig-011-20240724 clang-18 x86_64 randconfig-012-20240724 gcc-13 x86_64 randconfig-013-20240724 clang-18 x86_64 randconfig-014-20240724 clang-18 x86_64 randconfig-015-20240724 clang-18 x86_64 randconfig-016-20240724 clang-18 x86_64 randconfig-071-20240724 gcc-13 x86_64 randconfig-072-20240724 gcc-11 x86_64 randconfig-073-20240724 clang-18 x86_64 randconfig-074-20240724 gcc-13 x86_64 randconfig-075-20240724 gcc-13 x86_64 randconfig-076-20240724 gcc-13 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 18554/23360] drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:82:14: error: 'NGBE_LINK_SPEED_10GB_FULL' undeclared; did you mean 'NGBE_LINK_SPEED_1GB_FULL'?
by kernel test robot 25 Jul '24

25 Jul '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 0a1bad10c9f0f69fbd09f08348ff59f98231875a commit: 206f9c11a8c8b0197da5a26859d96d2ed65f5757 [18554/23360] net: ngbe: Add Netswift Giga NIC driver config: arm64-randconfig-003-20240725 (https://download.01.org/0day-ci/archive/20240725/202407250304.iuUXdu7B-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240725/202407250304.iuUXdu7B-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202407250304.iuUXdu7B-lkp@intel.com/ All error/warnings (new ones prefixed by >>): In file included from include/linux/sctp.h:57, from drivers/net/ethernet/netswift/ngbe/ngbe.h:28, from drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:19: include/uapi/linux/sctp.h:390:1: warning: alignment 4 of 'struct sctp_paddr_change' is less than 8 [-Wpacked-not-aligned] 390 | } __attribute__((packed, aligned(4))); | ^ include/uapi/linux/sctp.h:719:1: warning: alignment 4 of 'struct sctp_setpeerprim' is less than 8 [-Wpacked-not-aligned] 719 | } __attribute__((packed, aligned(4))); | ^ include/uapi/linux/sctp.h:718:33: warning: 'sspp_addr' offset 4 in 'struct sctp_setpeerprim' isn't aligned to 8 [-Wpacked-not-aligned] 718 | struct sockaddr_storage sspp_addr; | ^~~~~~~~~ include/uapi/linux/sctp.h:732:1: warning: alignment 4 of 'struct sctp_prim' is less than 8 [-Wpacked-not-aligned] 732 | } __attribute__((packed, aligned(4))); | ^ include/uapi/linux/sctp.h:731:33: warning: 'ssp_addr' offset 4 in 'struct sctp_prim' isn't aligned to 8 [-Wpacked-not-aligned] 731 | struct sockaddr_storage ssp_addr; | ^~~~~~~~ include/uapi/linux/sctp.h:783:1: warning: alignment 4 of 'struct sctp_paddrparams' is less than 8 [-Wpacked-not-aligned] 783 | } __attribute__((packed, aligned(4))); | ^ include/uapi/linux/sctp.h:775:33: warning: 'spp_address' offset 4 in 'struct sctp_paddrparams' isn't aligned to 8 [-Wpacked-not-aligned] 775 | struct sockaddr_storage spp_address; | ^~~~~~~~~~~ include/uapi/linux/sctp.h:896:1: warning: alignment 4 of 'struct sctp_paddrinfo' is less than 8 [-Wpacked-not-aligned] 896 | } __attribute__((packed, aligned(4))); | ^ include/uapi/linux/sctp.h:890:33: warning: 'spinfo_address' offset 4 in 'struct sctp_paddrinfo' isn't aligned to 8 [-Wpacked-not-aligned] 890 | struct sockaddr_storage spinfo_address; | ^~~~~~~~~~~~~~ drivers/net/ethernet/netswift/ngbe/ngbe.h: In function 'ngbe_misc_isb': drivers/net/ethernet/netswift/ngbe/ngbe.h:764:13: warning: variable 'cur_diff' set but not used [-Wunused-but-set-variable] 764 | u32 cur_diff = 0; | ^~~~~~~~ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: In function 'ngbe_portspeed': >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:82:14: error: 'NGBE_LINK_SPEED_10GB_FULL' undeclared (first use in this function); did you mean 'NGBE_LINK_SPEED_1GB_FULL'? 82 | case NGBE_LINK_SPEED_10GB_FULL: | ^~~~~~~~~~~~~~~~~~~~~~~~~ | NGBE_LINK_SPEED_1GB_FULL drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:82:14: note: each undeclared identifier is reported only once for each function it appears in drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: In function 'ngbe_rxupacks': >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:165:55: error: 'NGBE_TPR' undeclared (first use in this function); did you mean 'NGBE_ERR'? 165 | return snprintf(page, count, "%d\n", rd32(hw, NGBE_TPR)); | ^~~~~~~~ | NGBE_ERR drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: In function 'ngbe_linkstat': >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:364:13: warning: unused variable 'link_speed' [-Wunused-variable] 364 | u32 link_speed; | ^~~~~~~~~~ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: At top level: >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:770:6: warning: no previous prototype for 'ngbe_del_proc_entries' [-Wmissing-prototypes] 770 | void ngbe_del_proc_entries(struct ngbe_adapter *adapter) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: In function 'ngbe_del_proc_entries': >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:779:25: error: 'NGBE_MAX_SENSORS' undeclared (first use in this function); did you mean 'NGBE_MAX_EITR'? 779 | for (i = 0; i < NGBE_MAX_SENSORS; i++) { | ^~~~~~~~~~~~~~~~ | NGBE_MAX_EITR >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:780:39: error: invalid use of undefined type 'struct proc_dir_entry' 780 | if (adapter->therm_dir[i] == NULL) | ^ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:780:21: error: invalid use of undefined type 'struct proc_dir_entry' 780 | if (adapter->therm_dir[i] == NULL) | ^~~~~~~ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: In function 'ngbe_procfs_init': >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:859:23: error: implicit declaration of function 'create_proc_read_entry' [-Werror=implicit-function-declaration] 859 | if (!(create_proc_read_entry(ngbe_proc_entries[index].name, | ^~~~~~~~~~~~~~~~~~~~~~ In file included from drivers/net/ethernet/netswift/ngbe/ngbe.h:39: >> drivers/net/ethernet/netswift/ngbe/ngbe_type.h:2761:40: error: 'struct ngbe_hw' has no member named 'ops' 2761 | #define TCALL(hw, func, args...) (((hw)->func != NULL) \ | ^~ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:869:14: note: in expansion of macro 'TCALL' 869 | if (!TCALL(&(adapter->hw), ops.init_thermal_sensor_thresh)) | ^~~~~ drivers/net/ethernet/netswift/ngbe/ngbe_type.h:2762:23: error: 'struct ngbe_hw' has no member named 'ops' 2762 | ? (hw)->func((hw), ##args) : NGBE_NOT_IMPLEMENTED) | ^~ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:869:14: note: in expansion of macro 'TCALL' 869 | if (!TCALL(&(adapter->hw), ops.init_thermal_sensor_thresh)) | ^~~~~ >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:833:13: warning: unused variable 'i' [-Wunused-variable] 833 | int i; | ^ drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c: In function 'ngbe_rxupacks': >> drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c:166:1: warning: control reaches end of non-void function [-Wreturn-type] 166 | } | ^ cc1: some warnings being treated as errors vim +82 drivers/net/ethernet/netswift/ngbe/ngbe_procfs.c 64 65 static int ngbe_portspeed(char *page, char __always_unused **start, 66 off_t __always_unused off, int count, 67 int __always_unused *eof, void *data) 68 { 69 struct ngbe_adapter *adapter = (struct ngbe_adapter *)data; 70 int speed = 0; 71 72 if (adapter == NULL) 73 return snprintf(page, count, "error: no adapter\n"); 74 75 switch (adapter->link_speed) { 76 case NGBE_LINK_SPEED_100_FULL: 77 speed = 1; 78 break; 79 case NGBE_LINK_SPEED_1GB_FULL: 80 speed = 10; 81 break; > 82 case NGBE_LINK_SPEED_10GB_FULL: 83 speed = 100; 84 break; 85 default: 86 break; 87 } 88 return snprintf(page, count, "%d\n", speed); 89 } 90 91 static int ngbe_wqlflag(char *page, char __always_unused **start, 92 off_t __always_unused off, int count, 93 int __always_unused *eof, void *data) 94 { 95 struct ngbe_adapter *adapter = (struct ngbe_adapter *)data; 96 if (adapter == NULL) 97 return snprintf(page, count, "error: no adapter\n"); 98 99 return snprintf(page, count, "%d\n", adapter->wol); 100 } 101 102 static int ngbe_xflowctl(char *page, char __always_unused **start, 103 off_t __always_unused off, int count, 104 int __always_unused *eof, void *data) 105 { 106 struct ngbe_adapter *adapter = (struct ngbe_adapter *)data; 107 struct ngbe_hw *hw; 108 109 if (adapter == NULL) 110 return snprintf(page, count, "error: no adapter\n"); 111 112 hw = &adapter->hw; 113 if (hw == NULL) 114 return snprintf(page, count, "error: no hw data\n"); 115 116 return snprintf(page, count, "%d\n", hw->fc.current_mode); 117 } 118 119 static int ngbe_rxdrops(char *page, char __always_unused **start, 120 off_t __always_unused off, int count, 121 int __always_unused *eof, void *data) 122 { 123 struct ngbe_adapter *adapter = (struct ngbe_adapter *)data; 124 struct net_device_stats *net_stats; 125 126 if (adapter == NULL) 127 return snprintf(page, count, "error: no adapter\n"); 128 net_stats = procfs_get_stats(adapter->netdev); 129 if (net_stats == NULL) 130 return snprintf(page, count, "error: no net stats\n"); 131 132 return snprintf(page, count, "%lu\n", 133 net_stats->rx_dropped); 134 } 135 136 static int ngbe_rxerrors(char *page, char __always_unused **start, 137 off_t __always_unused off, int count, 138 int __always_unused *eof, void *data) 139 { 140 struct ngbe_adapter *adapter = (struct ngbe_adapter *)data; 141 struct net_device_stats *net_stats; 142 143 if (adapter == NULL) 144 return snprintf(page, count, "error: no adapter\n"); 145 net_stats = procfs_get_stats(adapter->netdev); 146 if (net_stats == NULL) 147 return snprintf(page, count, "error: no net stats\n"); 148 149 return snprintf(page, count, "%lu\n", net_stats->rx_errors); 150 } 151 152 static int ngbe_rxupacks(char *page, char __always_unused **start, 153 off_t __always_unused off, int count, 154 int __always_unused *eof, void *data) 155 { 156 struct ngbe_hw *hw; 157 struct ngbe_adapter *adapter = (struct ngbe_adapter *)data; 158 if (adapter == NULL) 159 return snprintf(page, count, "error: no adapter\n"); 160 161 hw = &adapter->hw; 162 if (hw == NULL) 163 return snprintf(page, count, "error: no hw data\n"); 164 > 165 return snprintf(page, count, "%d\n", rd32(hw, NGBE_TPR)); > 166 } 167 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] bpf: Fix too early release of tcx_entry
by Liu Jian 24 Jul '24

24 Jul '24

From: Daniel Borkmann <daniel(a)iogearbox.net> stable inclusion from stable-v6.6.41 commit 230bb13650b0f186f540500fd5f5f7096a822a2a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADR5O CVE: CVE-2024-41010 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 1cb6f0bae50441f4b4b32a28315853b279c7404e ] Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported an issue that the tcx_entry can be released too early leading to a use after free (UAF) when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance. Essentially, the sequence to trigger the UAF (one example) can be as follows: 1. A network namespace is created 2. An ingress qdisc is created. This allocates a tcx_entry, and &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the same time, a tcf block with index 1 is created. 3. chain0 is attached to the tcf block. chain0 must be connected to the block linked to the ingress qdisc to later reach the function tcf_chain0_head_change_cb_del() which triggers the UAF. 4. Create and graft a clsact qdisc. This causes the ingress qdisc created in step 1 to be removed, thus freeing the previously linked tcx_entry: rtnetlink_rcv_msg() => tc_modify_qdisc() => qdisc_create() => clsact_init() [a] => qdisc_graft() => qdisc_destroy() => __qdisc_destroy() => ingress_destroy() [b] => tcx_entry_free() => kfree_rcu() // tcx_entry freed 5. Finally, the network namespace is closed. This registers the cleanup_net worker, and during the process of releasing the remaining clsact qdisc, it accesses the tcx_entry that was already freed in step 4, causing the UAF to occur: cleanup_net() => ops_exit_list() => default_device_exit_batch() => unregister_netdevice_many() => unregister_netdevice_many_notify() => dev_shutdown() => qdisc_put() => clsact_destroy() [c] => tcf_block_put_ext() => tcf_chain0_head_change_cb_del() => tcf_chain_head_change_item() => clsact_chain_head_change() => mini_qdisc_pair_swap() // UAF There are also other variants, the gist is to add an ingress (or clsact) qdisc with a specific shared block, then to replace that qdisc, waiting for the tcx_entry kfree_rcu() to be executed and subsequently accessing the current active qdisc's miniq one way or another. The correct fix is to turn the miniq_active boolean into a counter. What can be observed, at step 2 above, the counter transitions from 0->1, at step [a] from 1->2 (in order for the miniq object to remain active during the replacement), then in [b] from 2->1 and finally [c] 1->0 with the eventual release. The reference counter in general ranges from [0,2] and it does not need to be atomic since all access to the counter is protected by the rtnl mutex. With this in place, there is no longer a UAF happening and the tcx_entry is freed at the correct time. Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") Reported-by: Pedro Pinto <xten(a)osec.io> Co-developed-by: Pedro Pinto <xten(a)osec.io> Signed-off-by: Pedro Pinto <xten(a)osec.io> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Cc: Hyunwoo Kim <v4bel(a)theori.io> Cc: Wongi Lee <qwerty(a)theori.io> Cc: Martin KaFai Lau <martin.lau(a)kernel.org> Link: https://lore.kernel.org/r/20240708133130.11609-1-daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- include/net/tcx.h | 13 +++++++++---- net/sched/sch_ingress.c | 12 ++++++------ 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/include/net/tcx.h b/include/net/tcx.h index 264f147953ba..a0f78fd5cb28 100644 --- a/include/net/tcx.h +++ b/include/net/tcx.h @@ -13,7 +13,7 @@ struct mini_Qdisc; struct tcx_entry { struct mini_Qdisc __rcu *miniq; struct bpf_mprog_bundle bundle; - bool miniq_active; + u32 miniq_active; struct rcu_head rcu; }; @@ -129,11 +129,16 @@ static inline void tcx_skeys_dec(bool ingress) tcx_dec(); } -static inline void tcx_miniq_set_active(struct bpf_mprog_entry *entry, - const bool active) +static inline void tcx_miniq_inc(struct bpf_mprog_entry *entry) { ASSERT_RTNL(); - tcx_entry(entry)->miniq_active = active; + tcx_entry(entry)->miniq_active++; +} + +static inline void tcx_miniq_dec(struct bpf_mprog_entry *entry) +{ + ASSERT_RTNL(); + tcx_entry(entry)->miniq_active--; } static inline bool tcx_entry_is_active(struct bpf_mprog_entry *entry) diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c index a463a63192c3..8dde3548dc11 100644 --- a/net/sched/sch_ingress.c +++ b/net/sched/sch_ingress.c @@ -91,7 +91,7 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt, entry = tcx_entry_fetch_or_create(dev, true, &created); if (!entry) return -ENOMEM; - tcx_miniq_set_active(entry, true); + tcx_miniq_inc(entry); mini_qdisc_pair_init(&q->miniqp, sch, &tcx_entry(entry)->miniq); if (created) tcx_entry_update(dev, entry, true); @@ -121,7 +121,7 @@ static void ingress_destroy(struct Qdisc *sch) tcf_block_put_ext(q->block, sch, &q->block_info); if (entry) { - tcx_miniq_set_active(entry, false); + tcx_miniq_dec(entry); if (!tcx_entry_is_active(entry)) { tcx_entry_update(dev, NULL, true); tcx_entry_free(entry); @@ -256,7 +256,7 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, entry = tcx_entry_fetch_or_create(dev, true, &created); if (!entry) return -ENOMEM; - tcx_miniq_set_active(entry, true); + tcx_miniq_inc(entry); mini_qdisc_pair_init(&q->miniqp_ingress, sch, &tcx_entry(entry)->miniq); if (created) tcx_entry_update(dev, entry, true); @@ -275,7 +275,7 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt, entry = tcx_entry_fetch_or_create(dev, false, &created); if (!entry) return -ENOMEM; - tcx_miniq_set_active(entry, true); + tcx_miniq_inc(entry); mini_qdisc_pair_init(&q->miniqp_egress, sch, &tcx_entry(entry)->miniq); if (created) tcx_entry_update(dev, entry, false); @@ -301,7 +301,7 @@ static void clsact_destroy(struct Qdisc *sch) tcf_block_put_ext(q->egress_block, sch, &q->egress_block_info); if (ingress_entry) { - tcx_miniq_set_active(ingress_entry, false); + tcx_miniq_dec(ingress_entry); if (!tcx_entry_is_active(ingress_entry)) { tcx_entry_update(dev, NULL, true); tcx_entry_free(ingress_entry); @@ -309,7 +309,7 @@ static void clsact_destroy(struct Qdisc *sch) } if (egress_entry) { - tcx_miniq_set_active(egress_entry, false); + tcx_miniq_dec(egress_entry); if (!tcx_entry_is_active(egress_entry)) { tcx_entry_update(dev, NULL, false); tcx_entry_free(egress_entry); -- 2.34.1

2 1

[PATCH OLK-6.6] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
by Yue Haibing 24 Jul '24

24 Jul '24

From: Nicolas Escande <nico.escande(a)gmail.com> stable inclusion from stable-v6.6.35 commit 63d5f89bb5664d60edbf8cf0df911aaae8ed96a4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAD6H2 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ] The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") Signed-off-by: Nicolas Escande <nico.escande(a)gmail.com> Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Yue Haibing <yuehaibing(a)huawei.com> --- net/mac80211/mesh_pathtbl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index 59f7264194ce..530581ba812b 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -1011,10 +1011,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata, */ void mesh_path_flush_pending(struct mesh_path *mpath) { + struct ieee80211_sub_if_data *sdata = mpath->sdata; + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; + struct mesh_preq_queue *preq, *tmp; struct sk_buff *skb; while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL) mesh_path_discard_frame(mpath->sdata, skb); + + spin_lock_bh(&ifmsh->mesh_preq_queue_lock); + list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) { + if (ether_addr_equal(mpath->dst, preq->dst)) { + list_del(&preq->list); + kfree(preq); + --ifmsh->preq_queue_len; + } + } + spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); } /** -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] batman-adv: bypass empty buckets in batadv_purge_orig_ref()
by Liu Jian 24 Jul '24

24 Jul '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v4.19.317 commit 79636f636126775436a11ee9cf00a9253a33ac11 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACS84 CVE: CVE-2024-40981 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 40dc8ab605894acae1473e434944924a22cfaaa0 ] Many syzbot reports are pointing to soft lockups in batadv_purge_orig_ref() [1] Root cause is unknown, but we can avoid spending too much time there and perhaps get more interesting reports. [1] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:6:621] Modules linked in: irq event stamp: 6182794 hardirqs last enabled at (6182793): [<ffff8000801dae10>] __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 hardirqs last disabled at (6182794): [<ffff80008ad66a78>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline] hardirqs last disabled at (6182794): [<ffff80008ad66a78>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551 softirqs last enabled at (6182792): [<ffff80008aab71c4>] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (6182792): [<ffff80008aab71c4>] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 softirqs last disabled at (6182790): [<ffff80008aab61dc>] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (6182790): [<ffff80008aab61dc>] batadv_purge_orig_ref+0x164/0x1228 net/batman-adv/originator.c:1271 CPU: 0 PID: 621 Comm: kworker/u4:6 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Workqueue: bat_events batadv_purge_orig pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : should_resched arch/arm64/include/asm/preempt.h:79 [inline] pc : __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:388 lr : __local_bh_enable_ip+0x224/0x44c kernel/softirq.c:386 sp : ffff800099007970 x29: ffff800099007980 x28: 1fffe00018fce1bd x27: dfff800000000000 x26: ffff0000d2620008 x25: ffff0000c7e70de8 x24: 0000000000000001 x23: 1fffe00018e57781 x22: dfff800000000000 x21: ffff80008aab71c4 x20: ffff0001b40136c0 x19: ffff0000c72bbc08 x18: 1fffe0001a817bb0 x17: ffff800125414000 x16: ffff80008032116c x15: 0000000000000001 x14: 1fffe0001ee9d610 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 00000000005e5789 x7 : ffff80008aab61dc x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000006 x1 : 0000000000000080 x0 : ffff800125414000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable arch/arm64/include/asm/irqflags.h:49 [inline] __local_bh_enable_ip+0x228/0x44c kernel/softirq.c:386 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x3c/0x4c kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_purge_orig_ref+0x114c/0x1228 net/batman-adv/originator.c:1287 batadv_purge_orig+0x20/0x70 net/batman-adv/originator.c:1300 process_one_work+0x694/0x1204 kernel/workqueue.c:2633 process_scheduled_works kernel/workqueue.c:2706 [inline] worker_thread+0x938/0xef4 kernel/workqueue.c:2787 kthread+0x288/0x310 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:51 lr : default_idle_call+0xf8/0x128 kernel/sched/idle.c:103 sp : ffff800093a17d30 x29: ffff800093a17d30 x28: dfff800000000000 x27: 1ffff00012742fb4 x26: ffff80008ec9d000 x25: 0000000000000000 x24: 0000000000000002 x23: 1ffff00011d93a74 x22: ffff80008ec9d3a0 x21: 0000000000000000 x20: ffff0000c19dbc00 x19: ffff8000802d0fd8 x18: 1fffe00036804396 x17: ffff80008ec9d000 x16: ffff8000802d089c x15: 0000000000000001 x14: 1fffe00036805f10 x13: 0000000000000000 x12: 0000000000000003 x11: 0000000000000001 x10: 0000000000000003 x9 : 0000000000000000 x8 : 00000000000ce8d1 x7 : ffff8000804609e4 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008ad6aac0 x2 : 0000000000000000 x1 : ffff80008aedea60 x0 : ffff800125436000 Call trace: __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline] arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49 cpuidle_idle_call kernel/sched/idle.c:170 [inline] do_idle+0x1f0/0x4e8 kernel/sched/idle.c:312 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:410 secondary_start_kernel+0x198/0x1c0 arch/arm64/kernel/smp.c:272 __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:404 Signed-off-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/batman-adv/originator.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c index 1d295da3e342..c1ad1ae21eea 100644 --- a/net/batman-adv/originator.c +++ b/net/batman-adv/originator.c @@ -1358,6 +1358,8 @@ void batadv_purge_orig_ref(struct batadv_priv *bat_priv) /* for all origins... */ for (i = 0; i < hash->size; i++) { head = &hash->table[i]; + if (hlist_empty(head)) + continue; list_lock = &hash->list_locks[i]; spin_lock_bh(list_lock); -- 2.34.1

2 1

[PATCH OLK-5.10] net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr
by Liu Jian 24 Jul '24

24 Jul '24

From: Miaoqian Lin <linmq006(a)gmail.com> mainline inclusion from mainline-v5.17-rc8 commit c9ffa3e2bc451816ce0295e40063514fabf2bd36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGT8 CVE: CVE-2022-48859 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- This node pointer is returned by of_find_compatible_node() with refcount incremented. Calling of_node_put() to aovid the refcount leak. Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/net/ethernet/marvell/prestera/prestera_main.c [Did not backport 83216e3988cd1.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/ethernet/marvell/prestera/prestera_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c index f406f5b517b0..e1e251f84c7d 100644 --- a/drivers/net/ethernet/marvell/prestera/prestera_main.c +++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c @@ -480,6 +480,7 @@ static int prestera_switch_set_base_mac_addr(struct prestera_switch *sw) eth_random_addr(sw->base_mac); dev_info(prestera_dev(sw), "using random base mac address\n"); } + of_node_put(np); return prestera_hw_switch_mac_set(sw, sw->base_mac); } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr
by Liu Jian 24 Jul '24

24 Jul '24

From: Miaoqian Lin <linmq006(a)gmail.com> mainline inclusion from mainline-v5.17-rc8 commit c9ffa3e2bc451816ce0295e40063514fabf2bd36 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGT8 CVE: CVE-2022-48859 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- This node pointer is returned by of_find_compatible_node() with refcount incremented. Calling of_node_put() to aovid the refcount leak. Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/net/ethernet/marvell/prestera/prestera_main.c [Did not backport 83216e3988cd1.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/ethernet/marvell/prestera/prestera_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c index f406f5b517b0..e1e251f84c7d 100644 --- a/drivers/net/ethernet/marvell/prestera/prestera_main.c +++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c @@ -480,6 +480,7 @@ static int prestera_switch_set_base_mac_addr(struct prestera_switch *sw) eth_random_addr(sw->base_mac); dev_info(prestera_dev(sw), "using random base mac address\n"); } + of_node_put(np); return prestera_hw_switch_mac_set(sw, sw->base_mac); } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
by Yue Haibing 24 Jul '24

24 Jul '24

From: Nicolas Escande <nico.escande(a)gmail.com> stable inclusion from stable-v4.19.317 commit 377dbb220edc8421b7960691876c5b3bef62f89b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD0PK CVE: CVE-2024-40942 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ] The hwmp code use objects of type mesh_preq_queue, added to a list in ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath gets deleted, ex mesh interface is removed, the entries in that list will never get cleaned. Fix this by flushing all corresponding items of the preq_queue in mesh_path_flush_pending(). This should take care of KASAN reports like this: unreferenced object 0xffff00000668d800 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s) hex dump (first 32 bytes): 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h..... 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>........... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 unreferenced object 0xffff000009051f00 (size 128): comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s) hex dump (first 32 bytes): 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h..... 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy..... backtrace: [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c [<00000000049bd418>] kmalloc_trace+0x34/0x80 [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8 [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4 [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764 [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4 [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440 [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4 [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508 [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c [<00000000b36425d1>] worker_thread+0x9c/0x634 [<0000000005852dd5>] kthread+0x1bc/0x1c4 [<000000005fccd770>] ret_from_fork+0x10/0x20 Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") Signed-off-by: Nicolas Escande <nico.escande(a)gmail.com> Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yue Haibing <yuehaibing(a)huawei.com> --- net/mac80211/mesh_pathtbl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index ac1f5db52994..1d5626daddfa 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -739,10 +739,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata, */ void mesh_path_flush_pending(struct mesh_path *mpath) { + struct ieee80211_sub_if_data *sdata = mpath->sdata; + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; + struct mesh_preq_queue *preq, *tmp; struct sk_buff *skb; while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL) mesh_path_discard_frame(mpath->sdata, skb); + + spin_lock_bh(&ifmsh->mesh_preq_queue_lock); + list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) { + if (ether_addr_equal(mpath->dst, preq->dst)) { + list_del(&preq->list); + kfree(preq); + --ifmsh->preq_queue_len; + } + } + spin_unlock_bh(&ifmsh->mesh_preq_queue_lock); } /** -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] mISDN: Fix memory leak in dsp_pipeline_build()
by Pu Lehui 24 Jul '24

24 Jul '24

From: Alexey Khoroshilov <khoroshilov(a)ispras.ru> mainline inclusion from mainline-v5.17-rc8 commit c6a502c2299941c8326d029cfc8a3bc8a4607ad5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGSF CVE: CVE-2022-48863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. Signed-off-by: Alexey Khoroshilov <khoroshilov(a)ispras.ru> Fixes: 960366cf8dbb ("Add mISDN DSP") Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/isdn/mISDN/dsp_pipeline.c [The conflicts were due to not merge some unnecessary commit] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/isdn/mISDN/dsp_pipeline.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c index e72b4e73cd61..fb8153f1aff7 100644 --- a/drivers/isdn/mISDN/dsp_pipeline.c +++ b/drivers/isdn/mISDN/dsp_pipeline.c @@ -236,7 +236,7 @@ void dsp_pipeline_destroy(struct dsp_pipeline *pipeline) int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg) { int incomplete = 0, found = 0; - char *dup, *tok, *name, *args; + char *dup, *next, *tok, *name, *args; struct dsp_element_entry *entry, *n; struct dsp_pipeline_entry *pipeline_entry; struct mISDN_dsp_element *elem; @@ -247,10 +247,10 @@ int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg) if (!list_empty(&pipeline->list)) _dsp_pipeline_destroy(pipeline); - dup = kstrdup(cfg, GFP_ATOMIC); + dup = next = kstrdup(cfg, GFP_ATOMIC); if (!dup) return 0; - while ((tok = strsep(&dup, "|"))) { + while ((tok = strsep(&next, "|"))) { if (!strlen(tok)) continue; name = strsep(&tok, "("); -- 2.34.1

2 1