Haibo Xu (1):
  arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE

Jonathan Cameron (2):
  ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add()
  ACPI: processor: Fix memory leaks in error paths of processor_add()

Justin Stitt (2):
  ntp: Clamp maxerror and esterror to operating range
  ntp: Safeguard against time_constant overflow

Phil Chang (1):
  hrtimer: Prevent queuing of hrtimer without a function callback

Xiongfeng Wang (1):
  Revert "ntp: Avoid undefined behaviour in second_overflow()"

Zqiang (1):
  smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()

 arch/arm64/kernel/acpi_numa.c |  2 +-
 drivers/acpi/acpi_processor.c | 15 ++++++++-------
 kernel/smp.c                  |  1 +
 kernel/time/hrtimer.c         |  2 ++
 kernel/time/ntp.c             | 11 ++++-------
 5 files changed, 16 insertions(+), 15 deletions(-)
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12292 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/D...
From: Jonathan Cameron Jonathan.Cameron@huawei.com
stable inclusion
from stable-v4.19.322
commit a30476afbaac69face9537cd8d0694d46d5d1ef5
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit fadf231f0a06a6748a7fc4a2c29ac9ef7bca6bfd ]
Rafael observed [1] that returning 0 from processor_add() will result in acpi_default_enumeration() being called which will attempt to create a platform device, but that makes little sense when the processor is known to be not available. So just return the error code from acpi_processor_get_info() instead.
Link: https://lore.kernel.org/all/CAJZ5v0iKU8ra9jR+EmgxbuNm=Uwx2m1-8vn_RAZ+aCiUVLe... [1]
Suggested-by: Rafael J. Wysocki rafael@kernel.org
Acked-by: Rafael J. Wysocki rafael.j.wysocki@intel.com
Reviewed-by: Gavin Shan gshan@redhat.com
Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com
Link: https://lore.kernel.org/r/20240529133446.28446-5-Jonathan.Cameron@huawei.com
Signed-off-by: Catalin Marinas catalin.marinas@arm.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 drivers/acpi/acpi_processor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c index cfdf7cf6d8f1..8029a733652f 100644 --- a/drivers/acpi/acpi_processor.c +++ b/drivers/acpi/acpi_processor.c @@ -391,7 +391,7 @@ static int acpi_processor_add(struct acpi_device *device,
result = acpi_processor_get_info(device); if (result) /* Processor is not physically present or unavailable */ - return 0; + return result;
BUG_ON(pr->id >= nr_cpu_ids);
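Review bot: The new `return result;` after acpi_processor_get_info() leaves the function without unwinding anything set up earlier, so it propagates the error but keeps the leak that the last patch in this series describes and fixes by turning this same line into `goto err_clear_driver_data;`. The two patches should stay adjacent in the backport, and the changelog here could say that cleanup is handled in the follow-up.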
From: Zqiang qiang.zhang1211@gmail.com
stable inclusion
from stable-v4.19.322
commit 2d6a7a1ee3862d129c0e0fbd3cc147e185a379dc
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ]
For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for the debug check in __init_work() to work correctly.
But this lacks the counterpart to remove the tracked object from debug objects again, which will cause a debug object warning once the stack is freed.
Add the missing destroy_work_on_stack() invocation to cure that.
[ tglx: Massaged changelog ]
Signed-off-by: Zqiang qiang.zhang1211@gmail.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Tested-by: Paul E. McKenney paulmck@kernel.org
Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 kernel/smp.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kernel/smp.c b/kernel/smp.c index be15d3a57954..826d6905112e 100644 --- a/kernel/smp.c +++ b/kernel/smp.c @@ -791,6 +791,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys)
queue_work_on(cpu, system_wq, &sscs.work); wait_for_completion(&sscs.done); + destroy_work_on_stack(&sscs.work);
return sscs.ret; }
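Review bot: The hunk shows only the tail of smp_call_on_cpu(), so it is worth confirming in the 4.19 tree that no earlier return sits between INIT_WORK_ONSTACK() and the added `destroy_work_on_stack(&sscs.work);`, otherwise that path would still leave the tracked object behind. The placement after `wait_for_completion(&sscs.done);` is the right one, since the work item has finished running by then.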
From: Phil Chang phil.chang@mediatek.com
stable inclusion
from stable-v4.19.321
commit ccef3adcb84816a30b8e535c8c4fcb167904e7b1
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
The hrtimer function callback must not be NULL. It has to be specified by the call side but it is not validated by the hrtimer code. When a hrtimer is queued without a function callback, the kernel crashes with a null pointer dereference when trying to execute the callback in __run_hrtimer().
Introduce a validation before queuing the hrtimer in hrtimer_start_range_ns().
[anna-maria: Rephrase commit message]
Signed-off-by: Phil Chang phil.chang@mediatek.com
Signed-off-by: Anna-Maria Behnsen anna-maria@linutronix.de
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Reviewed-by: Anna-Maria Behnsen anna-maria@linutronix.de
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 kernel/time/hrtimer.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 8512f06f0ebe..ce8fe5adafb0 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -1171,6 +1171,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, struct hrtimer_clock_base *base; unsigned long flags;
+ if (WARN_ON_ONCE(!timer->function)) + return; /* * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft * match.
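Review bot: The early `return;` under `WARN_ON_ONCE(!timer->function)` drops the request silently as far as the caller is concerned, because hrtimer_start_range_ns() returns void, and the warning fires only for the first offender per boot. The changelog should state that the visible outcome changes from a NULL dereference in __run_hrtimer() to a timer that never fires, and that systems booted with panic_on_warn will still stop at this check. The check is placed before any use of `base` and `flags`, so the early exit needs no unlock.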
From: Haibo Xu haibo1.xu@intel.com
stable inclusion
from stable-v4.19.321
commit 2fbc3c6736cb0a1c2738664bf9381d0c96fb7a06
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit a21dcf0ea8566ebbe011c79d6ed08cdfea771de3 upstream.
Currently, only acpi_early_node_map[0] was initialized to NUMA_NO_NODE. To ensure all the values were properly initialized, switch to initialize all of them to NUMA_NO_NODE.
Fixes: e18962491696 ("arm64: numa: rework ACPI NUMA initialization")
Cc: stable@vger.kernel.org # 4.19.x
Reported-by: Andrew Jones ajones@ventanamicro.com
Suggested-by: Andrew Jones ajones@ventanamicro.com
Signed-off-by: Haibo Xu haibo1.xu@intel.com
Reviewed-by: Anshuman Khandual anshuman.khandual@arm.com
Reviewed-by: Sunil V L sunilvl@ventanamicro.com
Reviewed-by: Andrew Jones ajones@ventanamicro.com
Acked-by: Catalin Marinas catalin.marinas@arm.com
Acked-by: Lorenzo Pieralisi lpieralisi@kernel.org
Reviewed-by: Hanjun Guo guohanjun@huawei.com
Link: https://lore.kernel.org/r/853d7f74aa243f6f5999e203246f0d1ae92d2b61.172282842...
Signed-off-by: Catalin Marinas catalin.marinas@arm.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 arch/arm64/kernel/acpi_numa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/acpi_numa.c b/arch/arm64/kernel/acpi_numa.c index b63705407e5d..fc1ccf2b3b5f 100644 --- a/arch/arm64/kernel/acpi_numa.c +++ b/arch/arm64/kernel/acpi_numa.c @@ -28,7 +28,7 @@
#include <asm/numa.h>
-static int acpi_early_node_map[NR_CPUS] __initdata = { NUMA_NO_NODE }; +static int acpi_early_node_map[NR_CPUS] __initdata = { [0 ... NR_CPUS - 1] = NUMA_NO_NODE };
int __init acpi_numa_get_nid(unsigned int cpu) {
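Review bot: The changelog does not say what goes wrong with the old initializer `{ NUMA_NO_NODE }`: entries 1 to NR_CPUS - 1 are zero-initialized, and zero reads as a valid node id rather than NUMA_NO_NODE, so a reader of an unmapped entry, presumably acpi_numa_get_nid() directly below, would see node 0. Adding that sentence would make the reason for the stable backport clear. The range designator `[0 ... NR_CPUS - 1]` is a GNU C extension, which is already standard practice in kernel code.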
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
--------------------------------
This reverts commit d8df4fe5da0c687788bc2431bfc18b2e7ba3defd. Revert hulk inclusion patch. The next patch will apply the mainline modification.
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 kernel/time/ntp.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index 2b728ceb5da5..e1110a7bd3e6 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -687,8 +687,6 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai
if (txc->modes & ADJ_MAXERROR) time_maxerror = txc->maxerror; - if (time_maxerror > NTP_PHASE_LIMIT) - time_maxerror = NTP_PHASE_LIMIT;
if (txc->modes & ADJ_ESTERROR) time_esterror = txc->esterror;
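Review bot: Removing the `if (time_maxerror > NTP_PHASE_LIMIT)` check leaves `time_maxerror = txc->maxerror;` with no bound at all until the next patch in the series lands, so a bisect that stops on this commit runs with the user-supplied value unchecked. Either squash the revert into the following patch or note in the changelog that the two must be applied together. The removed check also ran outside the `ADJ_MAXERROR` branch and bounded only the upper side, which is worth mentioning as the reason the mainline clamp is preferred.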
From: Justin Stitt justinstitt@google.com
stable inclusion
from stable-v4.19.320
commit 9dfe2eef1ecfbb1f29e678700247de6010784eb9
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ]
Using syzkaller alongside the newly reintroduced signed integer overflow sanitizer spits out this report:
  UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16
  9223372036854775807 + 500 cannot be represented in type 'long'
  Call Trace:
   handle_overflow+0x171/0x1b0
   second_overflow+0x2d6/0x500
   accumulate_nsecs_to_secs+0x60/0x160
   timekeeping_advance+0x1fe/0x890
   update_wall_time+0x10/0x30
time_maxerror is unconditionally incremented and the result is checked against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting in wrap-around to negative space.
Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user supplied value was sanity checked to be in the operating range. That change removed the sanity check and relied on clamping in handle_overflow() which does not work correctly when the user supplied value is in the overflow zone of the '+ 500' operation.
The operation requires CAP_SYS_TIME and the side effect of the overflow is NTP getting out of sync.
Miroslav confirmed that the input value should be clamped to the operating range and the same applies to time_esterror. The latter is not used by the kernel, but the value still should be in the operating range as it was before the sanity check got removed.
Clamp them to the operating range.
[ tglx: Changed it to clamping and included time_esterror ]
Fixes: eea83d896e31 ("ntp: NTP4 user space bits update")
Signed-off-by: Justin Stitt justinstitt@google.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: Miroslav Lichvar mlichvar@redhat.com
Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-usec-v2-1-d539180f2b79@googl...
Closes: https://github.com/KSPP/linux/issues/354
Signed-off-by: Sasha Levin sashal@kernel.org
[ cast things to __kernel_long_t to fix compiler warnings - gregkh ]
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 kernel/time/ntp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index e1110a7bd3e6..b32b42c424e0 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -686,10 +686,10 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai }
if (txc->modes & ADJ_MAXERROR) - time_maxerror = txc->maxerror; + time_maxerror = clamp(txc->maxerror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT);
if (txc->modes & ADJ_ESTERROR) - time_esterror = txc->esterror; + time_esterror = clamp(txc->esterror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT);
if (txc->modes & ADJ_TIMECONST) { time_constant = txc->constant;
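Review bot: Both added `clamp()` calls cast each bound separately, as in `clamp(txc->maxerror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT)`, which makes the lines long and repeats the type twice per call; `clamp_t(__kernel_long_t, txc->maxerror, 0, NTP_PHASE_LIMIT)` expresses the same thing once. If the casts are kept to stay identical to the stable commit, that is fine, but the note "cast things to __kernel_long_t" in the trailer block would be easier to find as a sentence in the changelog body. The clamp itself sits at the right place: it bounds the user value at the point of assignment, before the later `+ 500` can see it.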
From: Justin Stitt justinstitt@google.com
stable inclusion
from stable-v4.19.320
commit a13f8b269b6f4c9371ab149ecb65d2edb52e9669
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 upstream.
Using syzkaller with the recently reintroduced signed integer overflow sanitizer produces this UBSAN report:
  UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:738:18
  9223372036854775806 + 4 cannot be represented in type 'long'
  Call Trace:
   handle_overflow+0x171/0x1b0
   __do_adjtimex+0x1236/0x1440
   do_adjtimex+0x2be/0x740
The user supplied time_constant value is incremented by four and then clamped to the operating range.
Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user supplied value was sanity checked to be in the operating range. That change removed the sanity check and relied on clamping after incrementing which does not work correctly when the user supplied value is in the overflow zone of the '+ 4' operation.
The operation requires CAP_SYS_TIME and the side effect of the overflow is NTP getting out of sync.
Similar to the fixups for time_maxerror and time_esterror, clamp the user space supplied value to the operating range.
[ tglx: Switch to clamping ]
Fixes: eea83d896e31 ("ntp: NTP4 user space bits update")
Signed-off-by: Justin Stitt justinstitt@google.com
Signed-off-by: Thomas Gleixner tglx@linutronix.de
Cc: Miroslav Lichvar mlichvar@redhat.com
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-c-v2-1-f3a80096f36f@google.c...
Closes: https://github.com/KSPP/linux/issues/352
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 kernel/time/ntp.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index b32b42c424e0..58aba0a3484d 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -692,11 +692,10 @@ static inline void process_adjtimex_modes(const struct timex *txc, s32 *time_tai time_esterror = clamp(txc->esterror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT);
if (txc->modes & ADJ_TIMECONST) { - time_constant = txc->constant; + time_constant = clamp(txc->constant, (__kernel_long_t)0, (__kernel_long_t)MAXTC); if (!(time_status & STA_NANO)) time_constant += 4; - time_constant = min(time_constant, (long)MAXTC); - time_constant = max(time_constant, 0l); + time_constant = clamp(time_constant, (long)0, (long)MAXTC); }
if (txc->modes & ADJ_TAI &&
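Review bot: The two clamps in the `ADJ_TIMECONST` branch use different cast types for the same bounds, `(__kernel_long_t)0, (__kernel_long_t)MAXTC` on the first and `(long)0, (long)MAXTC` on the second; a short comment or changelog line saying that the first matches the type of `txc->constant` and the second the type of `time_constant` would stop a reader from treating it as an oversight. After the first clamp the value is already in [0, MAXTC], so `time_constant += 4;` can only exceed the upper bound and the lower bound of the second clamp is never reached; keeping `clamp()` is harmless, but the changelog could say the second call exists only to cap the result at MAXTC.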
From: Jonathan Cameron Jonathan.Cameron@huawei.com
stable inclusion
from stable-v4.19.322
commit 00259ae5206a713234e3ac12a8a0f731e86b754b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAYQRI
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 47ec9b417ed9b6b8ec2a941cd84d9de62adc358a ]
If acpi_processor_get_info() returned an error, pr and the associated pr->throttling.shared_cpu_map were leaked.
The unwind code was in the wrong order wrt to setup, relying on some unwind actions having no effect (clearing variables that were never set etc). That makes it harder to reason about so reorder and add appropriate labels to only undo what was actually set up in the first place.
Acked-by: Rafael J. Wysocki rafael.j.wysocki@intel.com
Reviewed-by: Gavin Shan gshan@redhat.com
Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com
Link: https://lore.kernel.org/r/20240529133446.28446-6-Jonathan.Cameron@huawei.com
Signed-off-by: Catalin Marinas catalin.marinas@arm.com
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Xiongfeng Wang wangxiongfeng2@huawei.com
---
 drivers/acpi/acpi_processor.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c index 8029a733652f..fa5dc338a65a 100644 --- a/drivers/acpi/acpi_processor.c +++ b/drivers/acpi/acpi_processor.c @@ -391,7 +391,7 @@ static int acpi_processor_add(struct acpi_device *device,
result = acpi_processor_get_info(device); if (result) /* Processor is not physically present or unavailable */ - return result; + goto err_clear_driver_data;
BUG_ON(pr->id >= nr_cpu_ids);
@@ -406,7 +406,7 @@ static int acpi_processor_add(struct acpi_device *device, "BIOS reported wrong ACPI id %d for the processor\n", pr->id); /* Give up, but do not abort the namespace scan. */ - goto err; + goto err_clear_driver_data; } /* * processor_device_array is not cleared on errors to allow buggy BIOS @@ -418,12 +418,12 @@ static int acpi_processor_add(struct acpi_device *device, dev = get_cpu_device(pr->id); if (!dev) { result = -ENODEV; - goto err; + goto err_clear_per_cpu; }
result = acpi_bind_one(dev, device); if (result) - goto err; + goto err_clear_per_cpu;
pr->dev = dev;
@@ -434,10 +434,11 @@ static int acpi_processor_add(struct acpi_device *device, dev_err(dev, "Processor driver could not be attached\n"); acpi_unbind_one(dev);
- err: - free_cpumask_var(pr->throttling.shared_cpu_map); - device->driver_data = NULL; + err_clear_per_cpu: per_cpu(processors, pr->id) = NULL; + err_clear_driver_data: + device->driver_data = NULL; + free_cpumask_var(pr->throttling.shared_cpu_map); err_free_pr: kfree(pr); return result;
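Review bot: In the "BIOS reported wrong ACPI id" branch, switching `goto err;` to `goto err_clear_driver_data;` means `per_cpu(processors, pr->id) = NULL;` is no longer executed on that path, which is a behaviour change beyond the leak fix the subject line names. It looks intended, since that branch has not installed this `pr` in the per-CPU slot, but the changelog should say so explicitly. Under `err_clear_driver_data:` the single label covers both `device->driver_data = NULL;` and `free_cpumask_var(pr->throttling.shared_cpu_map);`; if those two are set up at different points earlier in the function, which the hunks do not show, a separate label for the cpumask would match the stated goal of undoing only what was set up.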