From: Maciej Żenczykowski <maze(a)google.com>
stable inclusion
from stable-v5.10.165
commit e92c70059178da751e5af7de02384b7dfadb5ec7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALIDP
CVE: CVE-2023-52894
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c6ec929595c7443250b2a4faea988c62019d5cd2 upstream.
In Google internal bug 265639009 we've received an (as yet) unreproducible
crash report from an aarch64 GKI 5.10.149-android13 running device.
AFAICT the source code is at:
https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_1…
The call stack is:
ncm_close() -> ncm_notify() -> ncm_do_notify()
with the crash at:
ncm_do_notify+0x98/0x270
Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)
Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):
// halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
0B 0D 00 79 strh w11, [x8, #6]
// word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
6C 0A 00 B9 str w12, [x19, #8]
// x10 (NULL) was read here from offset 0 of valid pointer x9
// IMHO we're reading 'cdev->gadget' and getting NULL
// gadget is indeed at offset 0 of struct usb_composite_dev
2A 01 40 F9 ldr x10, [x9]
// loading req->buf pointer, which is at offset 0 of struct usb_request
69 02 40 F9 ldr x9, [x19]
// x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
4B 5D 40 B9 ldr w11, [x10, #0x5c]
which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:
event->wLength = cpu_to_le16(8);
req->length = NCM_STATUS_BYTECOUNT;
/* SPEED_CHANGE data is up/down speeds in bits/sec */
data = req->buf + sizeof *event;
data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
My analysis of registers and NULL ptr deref crash offset
(Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)
heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
which calls:
ncm_bitrate(NULL)
which then calls:
gadget_is_superspeed(NULL)
which reads
((struct usb_gadget *)NULL)->max_speed
and hits a panic.
AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.
(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)
It's not at all clear to me how this is all supposed to work...
but returning 0 seems much better than panic-ing...
Cc: Felipe Balbi <balbi(a)kernel.org>
Cc: Lorenzo Colitti <lorenzo(a)google.com>
Cc: Carlos Llamas <cmllamas(a)google.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Maciej Żenczykowski <maze(a)google.com>
Cc: stable <stable(a)kernel.org>
Link: https://lore.kernel.org/r/20230117131839.1138208-1-maze@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Wang Hai <wanghai38(a)huawei.com>
---
drivers/usb/gadget/function/f_ncm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
index 855127249f24..f56147489835 100644
--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -85,7 +85,9 @@ static inline struct f_ncm *func_to_ncm(struct usb_function *f)
/* peak (theoretical) bulk transfer rate in bits-per-second */
static inline unsigned ncm_bitrate(struct usb_gadget *g)
{
- if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS)
+ if (!g)
+ return 0;
+ else if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS)
return 4250000000U;
else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER)
return 3750000000U;
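Review bot: the new `if (!g) return 0;` guard masks the condition rather than reporting it, and the commit message itself says the author does not know how `cdev->gadget` ends up NULL on the ncm_close() -> ncm_notify() -> ncm_do_notify() path; consider `if (WARN_ON_ONCE(!g)) return 0;` or at least a comment above the check so the underlying lifetime problem stays visible in the log instead of silently degrading the reported bitrate to 0. Minor style point: the `else` in `+ else if (gadget_is_superspeed(g) && ...` is redundant after an unconditional `return 0;` and kernel style normally drops it.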
--
2.17.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: c46f803e3465bd0ca66716804a4d3e20f586ac0d
commit: 713cfd2684fa5ea08b144d92b9858b932c0f1705 [20703/23707] sched: Introduce smart grid scheduling strategy for cfs
config: arm64-randconfig-004-20240913 (https://download.01.org/0day-ci/archive/20240913/202409131450.IS4ToWpC-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240913/202409131450.IS4ToWpC-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409131450.IS4ToWpC-lkp@intel.com/
All errors (new ones prefixed by >>):
kernel/sched/core.c:1587:6: warning: no previous prototype for 'sched_set_stop_task' [-Wmissing-prototypes]
1587 | void sched_set_stop_task(int cpu, struct task_struct *stop)
| ^~~~~~~~~~~~~~~~~~~
kernel/sched/core.c:3771:35: warning: no previous prototype for 'preempt_schedule_irq' [-Wmissing-prototypes]
3771 | asmlinkage __visible void __sched preempt_schedule_irq(void)
| ^~~~~~~~~~~~~~~~~~~~
kernel/sched/core.c: In function 'sched_cpu_activate':
kernel/sched/core.c:5845:9: error: implicit declaration of function 'tg_update_affinity_domains' [-Werror=implicit-function-declaration]
5845 | tg_update_affinity_domains(cpu, 1);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
kernel/sched/core.c: In function 'sched_init_smp':
>> kernel/sched/core.c:5976:9: error: implicit declaration of function 'init_auto_affinity'; did you mean 'irq_set_affinity'? [-Werror=implicit-function-declaration]
5976 | init_auto_affinity(&root_task_group);
| ^~~~~~~~~~~~~~~~~~
| irq_set_affinity
kernel/sched/core.c:5976:29: error: 'root_task_group' undeclared (first use in this function); did you mean 'task_group'?
5976 | init_auto_affinity(&root_task_group);
| ^~~~~~~~~~~~~~~
| task_group
kernel/sched/core.c:5976:29: note: each undeclared identifier is reported only once for each function it appears in
kernel/sched/core.c: In function 'sched_init':
kernel/sched/core.c:6029:39: warning: variable 'ptr' set but not used [-Wunused-but-set-variable]
6029 | unsigned long alloc_size = 0, ptr;
| ^~~
In file included from include/linux/migrate.h:6,
from kernel/sched/sched.h:52,
from kernel/sched/core.c:8:
include/linux/mempolicy.h: At top level:
include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used [-Wunused-function]
329 | static long __do_mbind(unsigned long start, unsigned long len,
| ^~~~~~~~~~
cc1: some warnings being treated as errors
--
In file included from include/linux/list.h:9,
from include/linux/resource_ext.h:17,
from include/linux/acpi.h:26,
from drivers/iommu/arm-smmu-v3.c:23:
drivers/iommu/arm-smmu-v3.c: In function 'arm_smmu_device_hw_probe':
>> drivers/iommu/arm-smmu-v3.c:223:55: error: 'CONFIG_CMA_ALIGNMENT' undeclared (first use in this function); did you mean 'CONFIG_CMDLINE'?
223 | #define Q_MAX_SZ_SHIFT (PAGE_SHIFT + CONFIG_CMA_ALIGNMENT)
| ^~~~~~~~~~~~~~~~~~~~
include/linux/kernel.h:851:36: note: in definition of macro '__typecheck'
851 | (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
| ^
include/linux/kernel.h:875:31: note: in expansion of macro '__safe_cmp'
875 | __builtin_choose_expr(__safe_cmp(x, y), \
| ^~~~~~~~~~
include/linux/kernel.h:943:33: note: in expansion of macro '__careful_cmp'
943 | #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
| ^~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4024:40: note: in expansion of macro 'min_t'
4024 | smmu->cmdq.q.llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT,
| ^~~~~
drivers/iommu/arm-smmu-v3.c:296:42: note: in expansion of macro 'Q_MAX_SZ_SHIFT'
296 | #define CMDQ_MAX_SZ_SHIFT (Q_MAX_SZ_SHIFT - CMDQ_ENT_SZ_SHIFT)
| ^~~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4024:51: note: in expansion of macro 'CMDQ_MAX_SZ_SHIFT'
4024 | smmu->cmdq.q.llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT,
| ^~~~~~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:223:55: note: each undeclared identifier is reported only once for each function it appears in
223 | #define Q_MAX_SZ_SHIFT (PAGE_SHIFT + CONFIG_CMA_ALIGNMENT)
| ^~~~~~~~~~~~~~~~~~~~
include/linux/kernel.h:851:36: note: in definition of macro '__typecheck'
851 | (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
| ^
include/linux/kernel.h:875:31: note: in expansion of macro '__safe_cmp'
875 | __builtin_choose_expr(__safe_cmp(x, y), \
| ^~~~~~~~~~
include/linux/kernel.h:943:33: note: in expansion of macro '__careful_cmp'
943 | #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
| ^~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4024:40: note: in expansion of macro 'min_t'
4024 | smmu->cmdq.q.llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT,
| ^~~~~
drivers/iommu/arm-smmu-v3.c:296:42: note: in expansion of macro 'Q_MAX_SZ_SHIFT'
296 | #define CMDQ_MAX_SZ_SHIFT (Q_MAX_SZ_SHIFT - CMDQ_ENT_SZ_SHIFT)
| ^~~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4024:51: note: in expansion of macro 'CMDQ_MAX_SZ_SHIFT'
4024 | smmu->cmdq.q.llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT,
| ^~~~~~~~~~~~~~~~~
>> include/linux/kernel.h:875:9: error: first argument to '__builtin_choose_expr' not a constant
875 | __builtin_choose_expr(__safe_cmp(x, y), \
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/kernel.h:943:33: note: in expansion of macro '__careful_cmp'
943 | #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
| ^~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4024:40: note: in expansion of macro 'min_t'
4024 | smmu->cmdq.q.llq.max_n_shift = min_t(u32, CMDQ_MAX_SZ_SHIFT,
| ^~~~~
>> include/linux/kernel.h:875:9: error: first argument to '__builtin_choose_expr' not a constant
875 | __builtin_choose_expr(__safe_cmp(x, y), \
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/kernel.h:943:33: note: in expansion of macro '__careful_cmp'
943 | #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
| ^~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4038:40: note: in expansion of macro 'min_t'
4038 | smmu->evtq.q.llq.max_n_shift = min_t(u32, EVTQ_MAX_SZ_SHIFT,
| ^~~~~
>> include/linux/kernel.h:875:9: error: first argument to '__builtin_choose_expr' not a constant
875 | __builtin_choose_expr(__safe_cmp(x, y), \
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/kernel.h:943:33: note: in expansion of macro '__careful_cmp'
943 | #define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
| ^~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4040:40: note: in expansion of macro 'min_t'
4040 | smmu->priq.q.llq.max_n_shift = min_t(u32, PRIQ_MAX_SZ_SHIFT,
| ^~~~~
drivers/iommu/arm-smmu-v3.c: At top level:
drivers/iommu/arm-smmu-v3.c:4343:5: warning: no previous prototype for 'arm_smmu_set_dev_mpam' [-Wmissing-prototypes]
4343 | int arm_smmu_set_dev_mpam(struct device *dev, int ssid, int partid, int pmg,
| ^~~~~~~~~~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4385:5: warning: no previous prototype for 'arm_smmu_get_dev_mpam' [-Wmissing-prototypes]
4385 | int arm_smmu_get_dev_mpam(struct device *dev, int ssid, int *partid, int *pmg,
| ^~~~~~~~~~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4399:5: warning: no previous prototype for 'arm_smmu_set_dev_user_mpam_en' [-Wmissing-prototypes]
4399 | int arm_smmu_set_dev_user_mpam_en(struct device *dev, int user_mpam_en)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/iommu/arm-smmu-v3.c:4417:5: warning: no previous prototype for 'arm_smmu_get_dev_user_mpam_en' [-Wmissing-prototypes]
4417 | int arm_smmu_get_dev_user_mpam_en(struct device *dev, int *user_mpam_en)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +5976 kernel/sched/core.c
5949
5950 void __init sched_init_smp(void)
5951 {
5952 sched_init_numa();
5953
5954 /*
5955 * There's no userspace yet to cause hotplug operations; hence all the
5956 * CPU masks are stable and all blatant races in the below code cannot
5957 * happen. The hotplug lock is nevertheless taken to satisfy lockdep,
5958 * but there won't be any contention on it.
5959 */
5960 cpus_read_lock();
5961 mutex_lock(&sched_domains_mutex);
5962 sched_init_domains(cpu_active_mask);
5963 mutex_unlock(&sched_domains_mutex);
5964 cpus_read_unlock();
5965
5966 /* Move init over to a non-isolated CPU */
5967 if (set_cpus_allowed_ptr(current, housekeeping_cpumask(HK_FLAG_DOMAIN)) < 0)
5968 BUG();
5969 sched_init_granularity();
5970
5971 init_sched_rt_class();
5972 init_sched_dl_class();
5973
5974 sched_smp_initialized = true;
5975
> 5976 init_auto_affinity(&root_task_group);
5977 }
5978
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 13706c950ff941dc015e16f76812077f9861e378
commit: 549b1f40b56511536196f7522ffa4d7b3da42337 [1359/13930] mm/sharepool: Implement mg_sp_make_share_u2k()
config: arm64-randconfig-001-20240913 (https://download.01.org/0day-ci/archive/20240913/202409131346.fyTGKf2l-lkp@…)
compiler: clang version 15.0.7 (https://github.com/llvm/llvm-project 8dfdcc7b7bf66834a761bd8de445840ef68e4d1a)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240913/202409131346.fyTGKf2l-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409131346.fyTGKf2l-lkp@intel.com/
All errors (new ones prefixed by >>):
>> mm/share_pool.c:1226:14: error: call to undeclared function 'huge_ptep_get'; ISO C99 and later do not support implicit function declarations [-Werror,-Wimplicit-function-declaration]
pte_t pte = huge_ptep_get(ptep);
^
>> mm/share_pool.c:1226:8: error: initializing 'pte_t' with an expression of incompatible type 'int'
pte_t pte = huge_ptep_get(ptep);
^ ~~~~~~~~~~~~~~~~~~~
2 errors generated.
vim +/huge_ptep_get +1226 mm/share_pool.c
1221
1222 static int sp_hugetlb_entry(pte_t *ptep, unsigned long hmask,
1223 unsigned long addr, unsigned long next,
1224 struct mm_walk *walk)
1225 {
> 1226 pte_t pte = huge_ptep_get(ptep);
1227 struct page *page = pte_page(pte);
1228 struct sp_walk_data *sp_walk_data;
1229
1230 if (unlikely(!pte_present(pte))) {
1231 pr_debug("the page of addr %lx unexpectedly not in RAM\n", (unsigned long)addr);
1232 return -EFAULT;
1233 }
1234
1235 sp_walk_data = walk->private;
1236 get_page(page);
1237 sp_walk_data->pages[sp_walk_data->page_count++] = page;
1238 return 0;
1239 }
1240
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki