From: Reinette Chatre <reinette.chatre(a)intel.com>
stable inclusion
from stable-v6.1.8~66
commit b9e8e3fcfec625fc1c2f68f684448aeeb882625b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALILE
CVE: CVE-2022-48867
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 1beeec45f9ac31eba52478379f70a5fa9c2ad005 upstream.
On driver unload any pending descriptors are flushed at the
time the interrupt is freed:
idxd_dmaengine_drv_remove() ->
drv_disable_wq() ->
idxd_wq_free_irq() ->
idxd_flush_pending_descs().
If there are any descriptors present that need to be flushed this
flow triggers a "not present" page fault as below:
BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:
drv_disable_wq()->idxd_wq_free_resources()
Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.
Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations")
Suggested-by: Dave Jiang <dave.jiang(a)intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre(a)intel.com>
Reviewed-by: Dave Jiang <dave.jiang(a)intel.com>
Reviewed-by: Fenghua Yu <fenghua.yu(a)intel.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/6c4657d9cff0a0a00501a7b928297ac966e9ec9d.16704524…
Signed-off-by: Vinod Koul <vkoul(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/dma/idxd/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index 06f5d3783d77..300ee3b5cf63 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -1408,11 +1408,11 @@ void drv_disable_wq(struct idxd_wq *wq)
dev_warn(dev, "Clients has claim on wq %d: %d\n",
wq->id, idxd_wq_refcount(wq));
- idxd_wq_free_resources(wq);
idxd_wq_unmap_portal(wq);
idxd_wq_drain(wq);
idxd_wq_free_irq(wq);
idxd_wq_reset(wq);
+ idxd_wq_free_resources(wq);
percpu_ref_exit(&wq->wq_active);
wq->type = IDXD_WQT_NONE;
wq->client_count = 0;
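Review bot: The new position of `idxd_wq_free_resources(wq)` after `idxd_wq_reset(wq)` is load-bearing, but nothing in the code says so, so a later cleanup could move the free back up and reintroduce the use-after-free. Per the commit message, `idxd_wq_free_irq()` reaches `idxd_flush_pending_descs()`, which still reads the descriptors, and the device may write completions until the reset. I would add a comment above the moved call, e.g. `/* Free descriptors last: the irq flush reads them and the device may write completions until the wq is reset. */`. The body of drv_disable_wq() starts and ends outside this hunk, so whether any other path frees these resources earlier cannot be checked from here.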
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: b7bed6628b750ffd687d1da0a170dece4b0c08bd
commit: 2e1b00fcf1e3152a1e73846f5f9ec37cef088a65 [29999/30000] ACPI/HMAT: Add missing locality information for hot-added device
config: x86_64-randconfig-013-20240903 (https://download.01.org/0day-ci/archive/20240904/202409040825.59qJfROR-lkp@…)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240904/202409040825.59qJfROR-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409040825.59qJfROR-lkp@intel.com/
All errors (new ones prefixed by >>):
ld: drivers/acpi/acpi_memhotplug.o: in function `acpi_memory_enable_device':
>> drivers/acpi/acpi_memhotplug.c:236: undefined reference to `hmat_restore_target'
vim +236 drivers/acpi/acpi_memhotplug.c
171
/*
 * acpi_memory_enable_device() - hot-add the memory ranges listed for an ACPI
 * memory device.
 *
 * Walks mem_device->res_list. Entries already marked enabled are only
 * counted; zero-length entries are skipped. Every other entry is passed to
 * __add_memory(), bound with acpi_bind_memory_blocks(), marked enabled and
 * recorded in hotplug_mdev[node]. After the loop, if the handle has an
 * "_HMA" method, it is evaluated and hmat_restore_target(node) is called when
 * the returned object's buffer.length is zero.
 *
 * Returns -ENODEV if binding a block fails, -EINVAL if no entry ended up
 * enabled, and 0 otherwise.
 */
172 static int acpi_memory_enable_device(struct acpi_memory_device *mem_device)
173 {
174 acpi_handle handle = mem_device->device->handle;
175 int result, num_enabled = 0;
176 struct acpi_memory_info *info;
177 int node;
178
179 node = acpi_get_node(handle);
180 /*
181 * Tell the VM there is more memory here...
182 * Note: Assume that this function returns zero on success
183 * We don't have memory-hot-add rollback function,now.
184 * (i.e. memory-hot-remove function)
185 */
186 list_for_each_entry(info, &mem_device->res_list, list) {
187 if (info->enabled) { /* just sanity check...*/
188 num_enabled++;
189 continue;
190 }
191 /*
192 * If the memory block size is zero, please ignore it.
193 * Don't try to do the following memory hotplug flowchart.
194 */
195 if (!info->length)
196 continue;
/* Fall back to an address-derived node only when ACPI gave none. */
197 if (node < 0)
198 node = memory_add_physaddr_to_nid(info->start_addr);
199
200 result = __add_memory(node, info->start_addr, info->length,
201 MHP_NONE);
202
203 /*
204 * If the memory block has been used by the kernel, add_memory()
205 * returns -EEXIST. If add_memory() returns the other error, it
206 * means that this memory block is not used by the kernel.
207 */
208 if (result && result != -EEXIST)
209 continue;
210
211 result = acpi_bind_memory_blocks(info, mem_device->device);
212 if (result) {
213 acpi_unbind_memory_blocks(info);
214 return -ENODEV;
215 }
216
217 info->enabled = 1;
218
219 /*
220 * Add num_enable even if add_memory() returns -EEXIST, so the
221 * device is bound to this driver.
222 */
223
/*
 * NOTE(review): node is used as an array index with no upper-bound check
 * visible here; presumably hotplug_mdev is sized for every valid node id.
 * Confirm against its declaration.
 */
224 hotplug_mdev[node] = mem_device->device;
225 num_enabled++;
226 }
/*
 * NOTE(review): this block runs before the num_enabled check below, and node
 * is only reassigned at line 198. If every entry took one of the `continue`
 * paths at lines 189 or 196, a negative value from acpi_get_node() reaches
 * hmat_restore_target() unchanged. Confirm the callee tolerates that.
 */
227 if (acpi_has_method(handle, "_HMA")) {
228 acpi_status status;
/*
 * ACPI_ALLOCATE_BUFFER asks ACPICA to allocate the result buffer.
 * NOTE(review): no release of buffer.pointer is visible in this function;
 * confirm it is freed (e.g. kfree(buffer.pointer)) on every path, otherwise
 * each call leaks the allocation.
 */
229 struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
230
231 status = acpi_evaluate_object(handle, "_HMA", NULL, &buffer);
232 if (ACPI_SUCCESS(status) && buffer.length) {
/*
 * NOTE(review): obj->buffer.length is read without first checking that
 * obj->type is ACPI_TYPE_BUFFER. The object comes from firmware, so confirm
 * the type is validated before the union member is interpreted.
 */
233 union acpi_object *obj = buffer.pointer;
234
235 if (!obj->buffer.length)
/*
 * This is the call the linker reports as an undefined reference.
 * hmat_restore_target() is not defined in this listing; presumably it is
 * built only under a config option this randconfig leaves disabled. Confirm,
 * then add a stub or a Kconfig dependency.
 */
> 236 hmat_restore_target(node);
237 }
238 }
239
240 if (!num_enabled) {
241 dev_err(&mem_device->device->dev, "add_memory failed\n");
242 return -EINVAL;
243 }
244 /*
245 * Sometimes the memory device will contain several memory blocks.
246 * When one memory block is hot-added to the system memory, it will
247 * be regarded as a success.
248 * Otherwise if the last memory block can't be hot-added to the system
249 * memory, it will be failure and the memory device can't be bound with
250 * driver.
251 */
252 return 0;
253 }
254
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: b7bed6628b750ffd687d1da0a170dece4b0c08bd
commit: 518ea89ec98b78c749c27d6ba7792e1bdb5779ed [29716/30000] net: hns3: add support for vf multiple tcs
config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240904/202409040605.jzWfVsDp-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240904/202409040605.jzWfVsDp-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409040605.jzWfVsDp-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c:1195:5: warning: no previous prototype for function 'hclge_tm_vf_tc_dwrr_cfg' [-Wmissing-prototypes]
1195 | int hclge_tm_vf_tc_dwrr_cfg(struct hclge_vport *vport)
| ^
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c:1195:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1195 | int hclge_tm_vf_tc_dwrr_cfg(struct hclge_vport *vport)
| ^
| static
>> drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c:2323:5: warning: no previous prototype for function 'hclge_mbx_set_vf_multi_tc' [-Wmissing-prototypes]
2323 | int hclge_mbx_set_vf_multi_tc(struct hclge_vport *vport,
| ^
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c:2323:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
2323 | int hclge_mbx_set_vf_multi_tc(struct hclge_vport *vport,
| ^
| static
2 warnings generated.
vim +/hclge_tm_vf_tc_dwrr_cfg +1195 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
1194
/*
 * hclge_tm_vf_tc_dwrr_cfg() - program a weight for each queue set of a vport.
 *
 * For every index i below kinfo->tc_info.max_tc, the weight is
 * pg_info->tc_dwrr[i] when i is below kinfo->tc_info.num_tc and 0 otherwise.
 * It is written with hclge_tm_qs_weight_cfg() to queue set
 * vport->qs_offset + i.
 *
 * Returns the first non-zero result of hclge_tm_qs_weight_cfg(), or 0 if
 * every call succeeded.
 *
 * NOTE(review): the -Wmissing-prototypes warning means no declaration is in
 * scope at this definition. Either declare the function in a shared header
 * or make it static if it is only used in this file.
 */
> 1195 int hclge_tm_vf_tc_dwrr_cfg(struct hclge_vport *vport)
1196 {
1197 struct hnae3_knic_private_info *kinfo = &vport->nic.kinfo;
1198 struct hclge_dev *hdev = vport->back;
1199 struct hclge_pg_info *pg_info;
1200 u8 dwrr;
1201 int ret;
1202 u32 i;
1203
/*
 * NOTE(review): i indexes tm_info.tc_info[] and tc_dwrr[], and the pgid read
 * from tc_info[i] indexes pg_info[]. The only bound visible here is
 * kinfo->tc_info.max_tc. Confirm max_tc and pgid are validated against the
 * array sizes where they are set, especially if a VF request can influence
 * them (not visible in this listing).
 */
1204 for (i = 0; i < kinfo->tc_info.max_tc; i++) {
1205 pg_info = &hdev->tm_info.pg_info[hdev->tm_info.tc_info[i].pgid];
/* TCs at or beyond num_tc get weight 0. */
1206 dwrr = i < kinfo->tc_info.num_tc ? pg_info->tc_dwrr[i] : 0;
1207 ret = hclge_tm_qs_weight_cfg(hdev, vport->qs_offset + i, dwrr);
1208 if (ret)
1209 return ret;
1210 }
1211
1212 return 0;
1213 }
1214
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: b7bed6628b750ffd687d1da0a170dece4b0c08bd
commit: b4eaf3e808dc2abcab55bc72df3b0d15961f33f0 [29379/30000] can: mcp251xfd: fix infinite loop when xmit fails
config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240904/202409040151.sxh3qZ5K-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240904/202409040151.sxh3qZ5K-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409040151.sxh3qZ5K-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c:2327:6: warning: no previous prototype for function 'mcp251xfd_tx_obj_write_sync' [-Wmissing-prototypes]
2327 | void mcp251xfd_tx_obj_write_sync(struct work_struct *work)
| ^
drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c:2327:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
2327 | void mcp251xfd_tx_obj_write_sync(struct work_struct *work)
| ^
| static
drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c:511:1: warning: unused function 'mcp251xfd_chip_set_mode_nowait' [-Wunused-function]
511 | mcp251xfd_chip_set_mode_nowait(const struct mcp251xfd_priv *priv,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
vim +/mcp251xfd_tx_obj_write_sync +2327 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
2326
/*
 * mcp251xfd_tx_obj_write_sync() - work handler that sends one TX object over
 * SPI.
 *
 * Recovers the driver private data from the embedded tx_work member, sends
 * priv->tx_work_obj->msg with spi_sync() and, on error, hands the failure to
 * mcp251xfd_tx_failure_drop().
 *
 * NOTE(review): the -Wmissing-prototypes warning means no declaration is in
 * scope at this definition. If the handler is only referenced in this file,
 * mark it static.
 */
> 2327 void mcp251xfd_tx_obj_write_sync(struct work_struct *work)
2328 {
2329 struct mcp251xfd_priv *priv = container_of(work, struct mcp251xfd_priv,
2330 tx_work);
/*
 * NOTE(review): priv->tx_work_obj is dereferenced below with no NULL check or
 * locking visible here. Confirm it is set before the work is queued and
 * cannot be replaced while this handler runs.
 */
2331 struct mcp251xfd_tx_obj *tx_obj = priv->tx_work_obj;
2332 struct mcp251xfd_tx_ring *tx_ring = priv->tx;
2333 int err;
2334
2335 err = spi_sync(priv->spi, &tx_obj->msg);
2336 if (err)
2337 mcp251xfd_tx_failure_drop(priv, tx_ring, err);
2338 }
2339
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki