- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1] ima: Fix use-after-free on a dentry's dname.name
by GONG, Ruiqi 22 Jul '24

22 Jul '24

From: Stefan Berger <stefanb(a)linux.ibm.com> mainline inclusion from mainline-v6.10-rc1 commit be84f32bb2c981ca670922e047cdde1488b233de category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD0O1 CVE: CVE-2024-39494 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. Link: https://lore.kernel.org/all/20240202182732.GE2087318@ZenIV/ Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Stefan Berger <stefanb(a)linux.ibm.com> Signed-off-by: Mimi Zohar <zohar(a)linux.ibm.com> Conflicts: security/integrity/ima/ima_api.c [Just context conflicts.] Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com> --- security/integrity/ima/ima_api.c | 16 ++++++++++++---- security/integrity/ima/ima_template_lib.c | 17 ++++++++++++++--- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 6ecaf6834844..d383b47c2d5e 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -234,7 +234,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, { const char *audit_cause = "failed"; struct inode *inode = file_inode(file); - const char *filename = file->f_path.dentry->d_name.name; + struct name_snapshot filename; int result = 0; int length; void *tmpbuf; @@ -293,9 +293,13 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, if (file->f_flags & O_DIRECT) audit_cause = "failed(directio)"; + take_dentry_name_snapshot(&filename, file->f_path.dentry); + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, - filename, "collect_data", audit_cause, - result, 0); + filename.name.name, "collect_data", + audit_cause, result, 0); + + release_dentry_name_snapshot(&filename); } return result; } @@ -416,6 +420,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, */ const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) { + struct name_snapshot filename; char *pathname = NULL; *pathbuf = __getname(); @@ -429,7 +434,10 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) } if (!pathname) { - strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX); + take_dentry_name_snapshot(&filename, path->dentry); + strscpy(namebuf, filename.name.name, NAME_MAX); + release_dentry_name_snapshot(&filename); + pathname = namebuf; } diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 90040fac150b..d49eeb9c87c7 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -386,7 +386,10 @@ static int ima_eventname_init_common(struct ima_event_data *event_data, bool size_limit) { const char *cur_filename = NULL; + struct name_snapshot filename; u32 cur_filename_len = 0; + bool snapshot = false; + int ret; BUG_ON(event_data->filename == NULL && event_data->file == NULL); @@ -399,7 +402,10 @@ static int ima_eventname_init_common(struct ima_event_data *event_data, } if (event_data->file) { - cur_filename = event_data->file->f_path.dentry->d_name.name; + take_dentry_name_snapshot(&filename, + event_data->file->f_path.dentry); + snapshot = true; + cur_filename = filename.name.name; cur_filename_len = strlen(cur_filename); } else /* @@ -408,8 +414,13 @@ static int ima_eventname_init_common(struct ima_event_data *event_data, */ cur_filename_len = IMA_EVENT_NAME_LEN_MAX; out: - return ima_write_template_field_data(cur_filename, cur_filename_len, - DATA_FMT_STRING, field_data); + ret = ima_write_template_field_data(cur_filename, cur_filename_len, + DATA_FMT_STRING, field_data); + + if (snapshot) + release_dentry_name_snapshot(&filename); + + return ret; } /* -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] staging: gdm724x: fix use after free in gdm_lte_rx()
by Zheng Zucheng 21 Jul '24

21 Jul '24

From: Dan Carpenter <dan.carpenter(a)oracle.com> stable inclusion from stable-v5.10.106 commit 6d9700b445098dbbce0caff4b8cfca214cf1e757 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGSJ CVE: CVE-2022-48851 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit fc7f750dc9d102c1ed7bbe4591f991e770c99033 upstream. The netif_rx_ni() function frees the skb so we can't dereference it to save the skb->len. Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") Cc: stable <stable(a)vger.kernel.org> Reported-by: kernel test robot <lkp(a)intel.com> Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Link: https://lore.kernel.org/r/20220228074331.GA13685@kili Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yu Liao <liaoyu15(a)huawei.com> Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- drivers/staging/gdm724x/gdm_lte.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c index 3c2aab7a921e..fc64d3fed8b4 100644 --- a/drivers/staging/gdm724x/gdm_lte.c +++ b/drivers/staging/gdm724x/gdm_lte.c @@ -76,14 +76,15 @@ static void tx_complete(void *arg) static int gdm_lte_rx(struct sk_buff *skb, struct nic *nic, int nic_type) { - int ret; + int ret, len; + len = skb->len + ETH_HLEN; ret = netif_rx_ni(skb); if (ret == NET_RX_DROP) { nic->stats.rx_dropped++; } else { nic->stats.rx_packets++; - nic->stats.rx_bytes += skb->len + ETH_HLEN; + nic->stats.rx_bytes += len; } return 0; -- 2.34.1

2 1

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS 3e36513da2c9286f7809293f49e229bb822dec55
by kernel test robot 21 Jul '24

21 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: 3e36513da2c9286f7809293f49e229bb822dec55 !10137 NFSD: Fix ia_size underflow elapsed time: 727m configs tested: 34 configs skipped: 128 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc-14.1.0 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240720 gcc-14.1.0 arm64 randconfig-002-20240720 gcc-14.1.0 arm64 randconfig-003-20240720 gcc-14.1.0 arm64 randconfig-004-20240720 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240720 clang-18 x86_64 buildonly-randconfig-002-20240720 gcc-13 x86_64 buildonly-randconfig-003-20240720 clang-18 x86_64 buildonly-randconfig-004-20240720 clang-18 x86_64 buildonly-randconfig-005-20240720 gcc-13 x86_64 buildonly-randconfig-006-20240720 gcc-13 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240720 clang-18 x86_64 randconfig-002-20240720 gcc-13 x86_64 randconfig-003-20240720 clang-18 x86_64 randconfig-004-20240720 clang-18 x86_64 randconfig-005-20240720 clang-18 x86_64 randconfig-006-20240720 gcc-13 x86_64 randconfig-011-20240720 gcc-13 x86_64 randconfig-012-20240720 clang-18 x86_64 randconfig-013-20240720 gcc-13 x86_64 randconfig-014-20240720 clang-18 x86_64 randconfig-015-20240720 gcc-13 x86_64 randconfig-016-20240720 gcc-13 x86_64 randconfig-071-20240720 clang-18 x86_64 randconfig-072-20240720 gcc-13 x86_64 randconfig-073-20240720 gcc-13 x86_64 randconfig-074-20240720 gcc-9 x86_64 randconfig-075-20240720 gcc-13 x86_64 randconfig-076-20240720 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD REGRESSION 0cb6baf8db0ebcae5f155083f70760b040c66655
by kernel test robot 21 Jul '24

21 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: 0cb6baf8db0ebcae5f155083f70760b040c66655 !10219 CVE-2024-35931 Error/Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag |-- arm64-randconfig-001-20240720 | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- loongarch-allmodconfig | `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument |-- loongarch-randconfig-001-20240720 | `-- arch-loongarch-kvm-..-..-..-virt-kvm-kvm_main.c:warning:kvmalloc_array-sizes-specified-with-sizeof-in-the-earlier-argument-and-not-in-the-later-argument |-- loongarch-randconfig-002-20240720 | `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- x86_64-allyesconfig | `-- drivers-gpu-drm-amd-amdgpu-..-amdkfd-kfd_topology.c:warning:stack-frame-size-()-exceeds-limit-()-in-kfd_topology_add_device |-- x86_64-randconfig-072-20240720 | |-- arch-x86-kvm-svm-sev.c:error:lvalue-required-as-unary-operand | `-- arch-x86-kvm-svm-sev.c:error:struct-hygon_kvm_hooks_table-has-no-member-named-false `-- x86_64-randconfig-073-20240720 |-- arch-x86-kvm-svm-sev.c:error:lvalue-required-as-unary-operand `-- arch-x86-kvm-svm-sev.c:error:struct-hygon_kvm_hooks_table-has-no-member-named-false elapsed time: 721m configs tested: 38 configs skipped: 124 tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240720 gcc-14.1.0 arm64 randconfig-002-20240720 clang-17 arm64 randconfig-003-20240720 gcc-14.1.0 arm64 randconfig-004-20240720 clang-19 loongarch allmodconfig gcc-14.1.0 loongarch allnoconfig gcc-14.1.0 loongarch randconfig-001-20240720 gcc-14.1.0 loongarch randconfig-002-20240720 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240720 clang-18 x86_64 buildonly-randconfig-002-20240720 gcc-13 x86_64 buildonly-randconfig-003-20240720 clang-18 x86_64 buildonly-randconfig-004-20240720 clang-18 x86_64 buildonly-randconfig-005-20240720 gcc-13 x86_64 buildonly-randconfig-006-20240720 gcc-13 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240720 clang-18 x86_64 randconfig-002-20240720 gcc-13 x86_64 randconfig-003-20240720 clang-18 x86_64 randconfig-004-20240720 clang-18 x86_64 randconfig-005-20240720 clang-18 x86_64 randconfig-006-20240720 gcc-13 x86_64 randconfig-011-20240720 gcc-13 x86_64 randconfig-012-20240720 clang-18 x86_64 randconfig-013-20240720 gcc-13 x86_64 randconfig-014-20240720 clang-18 x86_64 randconfig-015-20240720 gcc-13 x86_64 randconfig-016-20240720 gcc-13 x86_64 randconfig-071-20240720 clang-18 x86_64 randconfig-072-20240720 gcc-13 x86_64 randconfig-073-20240720 gcc-13 x86_64 randconfig-074-20240720 gcc-9 x86_64 randconfig-075-20240720 gcc-13 x86_64 randconfig-076-20240720 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10] BUILD SUCCESS 3af93aaba7a41d14c705c3d5511e2b5313157be7
by kernel test robot 20 Jul '24

20 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: 3af93aaba7a41d14c705c3d5511e2b5313157be7 !10135 ALSA: timer: Set lower bound of start tick time elapsed time: 726m configs tested: 34 configs skipped: 127 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig clang-19 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240720 gcc-14.1.0 arm64 randconfig-002-20240720 clang-17 arm64 randconfig-003-20240720 gcc-14.1.0 arm64 randconfig-004-20240720 clang-19 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240720 clang-18 x86_64 buildonly-randconfig-002-20240720 gcc-13 x86_64 buildonly-randconfig-003-20240720 clang-18 x86_64 buildonly-randconfig-004-20240720 clang-18 x86_64 buildonly-randconfig-005-20240720 gcc-13 x86_64 buildonly-randconfig-006-20240720 gcc-13 x86_64 defconfig gcc-13 x86_64 randconfig-001-20240720 clang-18 x86_64 randconfig-002-20240720 gcc-13 x86_64 randconfig-003-20240720 clang-18 x86_64 randconfig-004-20240720 clang-18 x86_64 randconfig-005-20240720 clang-18 x86_64 randconfig-006-20240720 gcc-13 x86_64 randconfig-011-20240720 gcc-13 x86_64 randconfig-012-20240720 clang-18 x86_64 randconfig-013-20240720 gcc-13 x86_64 randconfig-014-20240720 clang-18 x86_64 randconfig-015-20240720 gcc-13 x86_64 randconfig-016-20240720 gcc-13 x86_64 randconfig-071-20240720 clang-18 x86_64 randconfig-072-20240720 gcc-13 x86_64 randconfig-073-20240720 gcc-13 x86_64 randconfig-074-20240720 gcc-9 x86_64 randconfig-075-20240720 gcc-13 x86_64 randconfig-076-20240720 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] PCI/ROM: Fix PCI ROM header check bug
by liwei 20 Jul '24

20 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAEAGS -------------------------------- In UEFI Specification Version 2.8, describes that the PCIR data structure must start on a 4-byte boundary. Add checks to prevent vulnerabilities. Fixes: d7ad2254fa7c ("[IA64] SN: Correct ROM resource length for BIOS copy") Signed-off-by: liwei <liwei728(a)huawei.com> --- drivers/pci/rom.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index e18d3a4383ba..0fa6b3da63cc 100644 --- a/drivers/pci/rom.c +++ b/drivers/pci/rom.c @@ -98,6 +98,12 @@ static size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, } /* get the PCI data structure and check its "PCIR" signature */ pds = image + readw(image + 24); + /* The PCIR data structure must begin on a 4-byte boundary */ + if (!IS_ALIGNED((unsigned long)pds, 4)) { + pci_info(pdev, "Invalid PCI ROM header signature: PCIR %#06x\n", + readw(image + 24)); + break; + } if (readl(pds) != 0x52494350) { pci_info(pdev, "Invalid PCI ROM data signature: expecting 0x52494350, got %#010x\n", readl(pds)); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] MIPS: smp: fill in sibling and core maps earlier
by liwei 20 Jul '24

20 Jul '24

From: Alexander Lobakin <alobakin(a)pm.me> mainline inclusion from mainline-v5.17-rc7 commit f2703def339c793674010cc9f01bfe4980231808 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGS6 CVE: CVE-2022-48845 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------- After enabling CONFIG_SCHED_CORE (landed during 5.14 cycle), 2-core 2-thread-per-core interAptiv (CPS-driven) started emitting the following: [ 0.025698] CPU1 revision is: 0001a120 (MIPS interAptiv (multi)) [ 0.048183] ------------[ cut here ]------------ [ 0.048187] WARNING: CPU: 1 PID: 0 at kernel/sched/core.c:6025 sched_core_cpu_starting+0x198/0x240 [ 0.048220] Modules linked in: [ 0.048233] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc3+ #35 b7b319f24073fd9a3c2aa7ad15fb7993eec0b26f [ 0.048247] Stack : 817f0000 00000004 327804c8 810eb050 00000000 00000004 00000000 c314fdd1 [ 0.048278] 830cbd64 819c0000 81800000 817f0000 83070bf4 00000001 830cbd08 00000000 [ 0.048307] 00000000 00000000 815fcbc4 00000000 00000000 00000000 00000000 00000000 [ 0.048334] 00000000 00000000 00000000 00000000 817f0000 00000000 00000000 817f6f34 [ 0.048361] 817f0000 818a3c00 817f0000 00000004 00000000 00000000 4dc33260 0018c933 [ 0.048389] ... [ 0.048396] Call Trace: [ 0.048399] [<8105a7bc>] show_stack+0x3c/0x140 [ 0.048424] [<8131c2a0>] dump_stack_lvl+0x60/0x80 [ 0.048440] [<8108b5c0>] __warn+0xc0/0xf4 [ 0.048454] [<8108b658>] warn_slowpath_fmt+0x64/0x10c [ 0.048467] [<810bd418>] sched_core_cpu_starting+0x198/0x240 [ 0.048483] [<810c6514>] sched_cpu_starting+0x14/0x80 [ 0.048497] [<8108c0f8>] cpuhp_invoke_callback_range+0x78/0x140 [ 0.048510] [<8108d914>] notify_cpu_starting+0x94/0x140 [ 0.048523] [<8106593c>] start_secondary+0xbc/0x280 [ 0.048539] [ 0.048543] ---[ end trace 0000000000000000 ]--- [ 0.048636] Synchronize counters for CPU 1: done. ...for each but CPU 0/boot. Basic debug printks right before the mentioned line say: [ 0.048170] CPU: 1, smt_mask: So smt_mask, which is sibling mask obviously, is empty when entering the function. This is critical, as sched_core_cpu_starting() calculates core-scheduling parameters only once per CPU start, and it's crucial to have all the parameters filled in at that moment (at least it uses cpu_smt_mask() which in fact is `&cpu_sibling_map[cpu]` on MIPS). A bit of debugging led me to that set_cpu_sibling_map() performing the actual map calculation, was being invocated after notify_cpu_start(), and exactly the latter function starts CPU HP callback round (sched_core_cpu_starting() is basically a CPU HP callback). While the flow is same on ARM64 (maps after the notifier, although before calling set_cpu_online()), x86 started calculating sibling maps earlier than starting the CPU HP callbacks in Linux 4.14 (see [0] for the reference). Neither me nor my brief tests couldn't find any potential caveats in calculating the maps right after performing delay calibration, but the WARN splat is now gone. The very same debug prints now yield exactly what I expected from them: [ 0.048433] CPU: 1, smt_mask: 0-1 [0] https://git.kernel.org/pub/scm/linux/kernel/git/mips/linux.git/commit/?id=7… Signed-off-by: Alexander Lobakin <alobakin(a)pm.me> Reviewed-by: Philippe Mathieu-Daudé <f4bug(a)amsat.org> Signed-off-by: Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> Signed-off-by: liwei <liwei728(a)huawei.com> --- arch/mips/kernel/smp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c index d84b9066b465..7206a6977be9 100644 --- a/arch/mips/kernel/smp.c +++ b/arch/mips/kernel/smp.c @@ -372,6 +372,9 @@ asmlinkage void start_secondary(void) cpu = smp_processor_id(); cpu_data[cpu].udelay_val = loops_per_jiffy; + set_cpu_sibling_map(cpu); + set_cpu_core_map(cpu); + cpumask_set_cpu(cpu, &cpu_coherent_mask); notify_cpu_starting(cpu); @@ -383,9 +386,6 @@ asmlinkage void start_secondary(void) /* The CPU is running and counters synchronised, now mark it online */ set_cpu_online(cpu, true); - set_cpu_sibling_map(cpu); - set_cpu_core_map(cpu); - calculate_cpu_foreign_map(); /* -- 2.25.1

2 1

[openeuler:OLK-6.6 10543/10853] arch/x86/kvm/svm/sev.c:2200:24: error: 'struct hygon_kvm_hooks_table' has no member named 'false'
by kernel test robot 20 Jul '24

20 Jul '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: b53be02fc76386cd434560ddfa8c5f5f908ced12 commit: 1c3b1095a26ed8bc1aa7ac3d4e8dd3e65964a74b [10543/10853] KVM: SVM: Add KVM_CSV_COMMAND_BATCH command for applying CSV RING_BUFFER mode config: x86_64-randconfig-072-20240720 (https://download.01.org/0day-ci/archive/20240720/202407201747.if3DROph-lkp@…) compiler: gcc-13 (Ubuntu 13.2.0-4ubuntu3) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240720/202407201747.if3DROph-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202407201747.if3DROph-lkp@intel.com/ All errors (new ones prefixed by >>): arch/x86/kvm/svm/sev.c:2198:6: warning: no previous prototype for 'sev_install_hooks' [-Wmissing-prototypes] 2198 | void sev_install_hooks(void) | ^~~~~~~~~~~~~~~~~ arch/x86/kvm/svm/sev.c: In function 'sev_install_hooks': >> arch/x86/kvm/svm/sev.c:2200:24: error: 'struct hygon_kvm_hooks_table' has no member named 'false' 2200 | hygon_kvm_hooks.sev_enabled = &sev_enabled; | ^ >> arch/x86/kvm/svm/sev.c:2200:39: error: lvalue required as unary '&' operand 2200 | hygon_kvm_hooks.sev_enabled = &sev_enabled; | ^ vim +2200 arch/x86/kvm/svm/sev.c 2195 2196 #ifdef CONFIG_HYGON_CSV 2197 /* Code to set all of the function and vaiable pointers */ > 2198 void sev_install_hooks(void) 2199 { > 2200 hygon_kvm_hooks.sev_enabled = &sev_enabled; 2201 hygon_kvm_hooks.sev_issue_cmd = sev_issue_cmd; 2202 hygon_kvm_hooks.get_num_contig_pages = get_num_contig_pages; 2203 hygon_kvm_hooks.sev_pin_memory = sev_pin_memory; 2204 hygon_kvm_hooks.sev_unpin_memory = sev_unpin_memory; 2205 2206 hygon_kvm_hooks.sev_hooks_installed = true; 2207 } 2208 #endif 2209 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] cxl/region: Fix memregion leaks in devm_cxl_add_region()
by Pu Lehui 20 Jul '24

20 Jul '24

From: Li Zhijian <lizhijian(a)fujitsu.com> stable inclusion from stable-v6.6.35 commit d8316838aa0686da63a8be4194b7a17b0103ae4a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD05U CVE: CVE-2024-40936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 49ba7b515c4c0719b866d16f068e62d16a8a3dd1 ] Move the mode verification to __create_region() before allocating the memregion to avoid the memregion leaks. Fixes: 6e099264185d ("cxl/region: Add volatile region creation support") Signed-off-by: Li Zhijian <lizhijian(a)fujitsu.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Link: https://lore.kernel.org/r/20240507053421.456439-1-lizhijian@fujitsu.com Signed-off-by: Dave Jiang <dave.jiang(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/cxl/core/region.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index e2a82ee4ff0c..6f06255012f0 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -2186,15 +2186,6 @@ static struct cxl_region *devm_cxl_add_region(struct cxl_root_decoder *cxlrd, struct device *dev; int rc; - switch (mode) { - case CXL_DECODER_RAM: - case CXL_DECODER_PMEM: - break; - default: - dev_err(&cxlrd->cxlsd.cxld.dev, "unsupported mode %d\n", mode); - return ERR_PTR(-EINVAL); - } - cxlr = cxl_region_alloc(cxlrd, id); if (IS_ERR(cxlr)) return cxlr; @@ -2245,6 +2236,15 @@ static struct cxl_region *__create_region(struct cxl_root_decoder *cxlrd, { int rc; + switch (mode) { + case CXL_DECODER_RAM: + case CXL_DECODER_PMEM: + break; + default: + dev_err(&cxlrd->cxlsd.cxld.dev, "unsupported mode %d\n", mode); + return ERR_PTR(-EINVAL); + } + rc = memregion_alloc(GFP_KERNEL); if (rc < 0) return ERR_PTR(rc); -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] scsi: ufs: Fix a deadlock in the error handler
by Pu Lehui 20 Jul '24

20 Jul '24

From: Bart Van Assche <bvanassche(a)acm.org> mainline inclusion from mainline-v5.17-rc1 commit 945c3cca05d78351bba29fa65d93834cb7934c7b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADG3U CVE: CVE-2021-47622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The following deadlock has been observed on a test setup: - All tags allocated - The SCSI error handler calls ufshcd_eh_host_reset_handler() - ufshcd_eh_host_reset_handler() queues work that calls ufshcd_err_handler() - ufshcd_err_handler() locks up as follows: Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt Call trace: __switch_to+0x298/0x5d8 __schedule+0x6cc/0xa94 schedule+0x12c/0x298 blk_mq_get_tag+0x210/0x480 __blk_mq_alloc_request+0x1c8/0x284 blk_get_request+0x74/0x134 ufshcd_exec_dev_cmd+0x68/0x640 ufshcd_verify_dev_init+0x68/0x35c ufshcd_probe_hba+0x12c/0x1cb8 ufshcd_host_reset_and_restore+0x88/0x254 ufshcd_reset_and_restore+0xd0/0x354 ufshcd_err_handler+0x408/0xc58 process_one_work+0x24c/0x66c worker_thread+0x3e8/0xa4c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved request. Link: https://lore.kernel.org/r/20211203231950.193369-10-bvanassche@acm.org Tested-by: Bean Huo <beanhuo(a)micron.com> Reviewed-by: Adrian Hunter <adrian.hunter(a)intel.com> Reviewed-by: Bean Huo <beanhuo(a)micron.com> Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflicts: drivers/scsi/ufs/ufshcd.c [The Conflicts were due to not backport some unnecessary patch] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/scsi/ufs/ufshcd.c | 52 +++++++++++---------------------------- drivers/scsi/ufs/ufshcd.h | 2 ++ 2 files changed, 16 insertions(+), 38 deletions(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index 129c45c6bba5..3aa8a600e9a5 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -125,8 +125,9 @@ EXPORT_SYMBOL_GPL(ufshcd_dump_regs); enum { UFSHCD_MAX_CHANNEL = 0, UFSHCD_MAX_ID = 1, - UFSHCD_CMD_PER_LUN = 32, - UFSHCD_CAN_QUEUE = 32, + UFSHCD_NUM_RESERVED = 1, + UFSHCD_CMD_PER_LUN = 32 - UFSHCD_NUM_RESERVED, + UFSHCD_CAN_QUEUE = 32 - UFSHCD_NUM_RESERVED, }; /* UFSHCD states */ @@ -2046,6 +2047,7 @@ static inline int ufshcd_hba_capabilities(struct ufs_hba *hba) hba->nutrs = (hba->capabilities & MASK_TRANSFER_REQUESTS_SLOTS) + 1; hba->nutmrs = ((hba->capabilities & MASK_TASK_MANAGEMENT_REQUEST_SLOTS) >> 16) + 1; + hba->reserved_slot = hba->nutrs - 1; /* Read crypto capabilities */ err = ufshcd_hba_init_crypto_capabilities(hba); @@ -2774,31 +2776,16 @@ static int ufshcd_wait_for_dev_cmd(struct ufs_hba *hba, static int ufshcd_exec_dev_cmd(struct ufs_hba *hba, enum dev_cmd_type cmd_type, int timeout) { - struct request_queue *q = hba->cmd_queue; - struct request *req; + const u32 tag = hba->reserved_slot; struct ufshcd_lrb *lrbp; int err; - int tag; struct completion wait; unsigned long flags; - down_read(&hba->clk_scaling_lock); + /* Protects use of hba->reserved_slot. */ + lockdep_assert_held(&hba->dev_cmd.lock); - /* - * Get free slot, sleep if slots are unavailable. - * Even though we use wait_event() which sleeps indefinitely, - * the maximum wait time is bounded by SCSI request timeout. - */ - req = blk_get_request(q, REQ_OP_DRV_OUT, 0); - if (IS_ERR(req)) { - err = PTR_ERR(req); - goto out_unlock; - } - tag = req->tag; - WARN_ON_ONCE(!ufshcd_valid_tag(hba, tag)); - /* Set the timeout such that the SCSI error handler is not activated. */ - req->timeout = msecs_to_jiffies(2 * timeout); - blk_mq_start_request(req); + down_read(&hba->clk_scaling_lock); init_completion(&wait); lrbp = &hba->lrb[tag]; @@ -2822,8 +2809,6 @@ static int ufshcd_exec_dev_cmd(struct ufs_hba *hba, err ? "query_complete_err" : "query_complete"); out_put_tag: - blk_put_request(req); -out_unlock: up_read(&hba->clk_scaling_lock); return err; } @@ -6380,24 +6365,17 @@ static int ufshcd_issue_devman_upiu_cmd(struct ufs_hba *hba, enum dev_cmd_type cmd_type, enum query_opcode desc_op) { - struct request_queue *q = hba->cmd_queue; - struct request *req; + const u32 tag = hba->reserved_slot; struct ufshcd_lrb *lrbp; int err = 0; - int tag; struct completion wait; unsigned long flags; u8 upiu_flags; - down_read(&hba->clk_scaling_lock); + /* Protects use of hba->reserved_slot. */ + lockdep_assert_held(&hba->dev_cmd.lock); - req = blk_get_request(q, REQ_OP_DRV_OUT, 0); - if (IS_ERR(req)) { - err = PTR_ERR(req); - goto out_unlock; - } - tag = req->tag; - WARN_ON_ONCE(!ufshcd_valid_tag(hba, tag)); + down_read(&hba->clk_scaling_lock); init_completion(&wait); lrbp = &hba->lrb[tag]; @@ -6474,8 +6452,6 @@ static int ufshcd_issue_devman_upiu_cmd(struct ufs_hba *hba, } } - blk_put_request(req); -out_unlock: up_read(&hba->clk_scaling_lock); return err; } @@ -9146,8 +9122,8 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq) /* Configure LRB */ ufshcd_host_memory_configure(hba); - host->can_queue = hba->nutrs; - host->cmd_per_lun = hba->nutrs; + host->can_queue = hba->nutrs - UFSHCD_NUM_RESERVED; + host->cmd_per_lun = hba->nutrs - UFSHCD_NUM_RESERVED; host->max_id = UFSHCD_MAX_ID; host->max_lun = UFS_MAX_LUNS; host->max_channel = UFSHCD_MAX_CHANNEL; diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h index 35dd5197ccb9..160a6ef58942 100644 --- a/drivers/scsi/ufs/ufshcd.h +++ b/drivers/scsi/ufs/ufshcd.h @@ -634,6 +634,7 @@ struct ufs_hba_variant_params { * @capabilities: UFS Controller Capabilities * @nutrs: Transfer Request Queue depth supported by controller * @nutmrs: Task Management Queue depth supported by controller + * @reserved_slot: Used to submit device commands. Protected by @dev_cmd.lock. * @ufs_version: UFS Version to which controller complies * @vops: pointer to variant specific operations * @priv: pointer to variant specific private data @@ -719,6 +720,7 @@ struct ufs_hba { u32 capabilities; int nutrs; int nutmrs; + u32 reserved_slot; u32 ufs_version; const struct ufs_hba_variant_ops *vops; struct ufs_hba_variant_params *vps; -- 2.34.1

2 1