1. 10 8月, 2023 4 次提交
  2. 09 8月, 2023 6 次提交
  3. 08 8月, 2023 3 次提交
  4. 07 8月, 2023 12 次提交
    • O
      !1672 tty: fix pid memleak in disassociate_ctty() · 5ff9556b
      openeuler-ci-bot 提交于
      Merge Pull Request from: @ci-robot 
       
      PR sync from: Yi Yang <yiyang13@huawei.com>
      https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F3MDGNSS4NARSSKD53VIBRG3ZXPCVNL4/ 
       
      https://gitee.com/openeuler/kernel/issues/I7LEZX 
       
      Link:https://gitee.com/openeuler/kernel/pulls/1672 
      
      Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
      Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
      5ff9556b
    • O
      !1268 [sync] PR-1070: crypto: hisilicon - fix some reset problem · c07e067c
      openeuler-ci-bot 提交于
      Merge Pull Request from: @openeuler-sync-bot 
       
      
      Origin pull request: 
      https://gitee.com/openeuler/kernel/pulls/1070 
       
      Fix some reset problem for accelerator drivers.
      
      Weili Qian (5):
      crypto: hisilicon/qm - flush all work before driver removed.
      crypto: hisilicon/hpre - enable sva error interrupt event
      crypto: hisilicon/qm - remove duplicate assignment and release
      crypto: hisilicon/qm - disable same error report before resetting
      crypto: hisilicon/qm - disable error report before flr 
       
      Link:https://gitee.com/openeuler/kernel/pulls/1268 
      
      Reviewed-by: Yang Shen <shenyang39@huawei.com> 
      Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
      c07e067c
    • F
      netfilter: nft_set_pipapo: fix improper element removal · 979e0dee
      Florian Westphal 提交于
      stable inclusion
      from stable-v5.10.188
      commit 3a91099ecd59a42d1632fcb152bf7222f268ea2b
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7P3TK
      CVE: CVE-2023-4004
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3a91099ecd59a42d1632fcb152bf7222f268ea2b
      
      ---------------------------
      
      [ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ]
      
      end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
      
      Its possible to add elements that only have a start key
      ("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
      
      Insertion treats this via:
      
      if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
         end = (const u8 *)nft_set_ext_key_end(ext)->data;
      else
         end = start;
      
      but removal side always uses nft_set_ext_key_end().
      This is wrong and leads to garbage remaining in the set after removal
      next lookup/insert attempt will give:
      
      BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
      Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
      Call Trace:
       kasan_report+0x105/0x140
       pipapo_get+0x8eb/0xb90
       nft_pipapo_insert+0x1dc/0x1710
       nf_tables_newsetelem+0x31f5/0x4e00
       ..
      
      Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
      Reported-by: Nlonial con <kongln9170@gmail.com>
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NLu Wei <luwei32@huawei.com>
      979e0dee
    • Y
      tty: fix pid memleak in disassociate_ctty() · e2944873
      Yi Yang 提交于
      hulk inclusion
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I7LEZX
      
      --------------------------------
      
      There is memleak in alloc_pid:
      ------------------------------
      unreferenced object 0xffff88810c181940 (size 224):
        comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s)
        hex dump (first 32 bytes):
          01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
          ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff  ....kkkk........
        backtrace:
          [<ffffffff814774e6>] kmem_cache_alloc+0x5c6/0x9b0
          [<ffffffff81177342>] alloc_pid+0x72/0x570
          [<ffffffff81140ac4>] copy_process+0x1374/0x2470
          [<ffffffff81141d77>] kernel_clone+0xb7/0x900
          [<ffffffff81142645>] __se_sys_clone+0x85/0xb0
          [<ffffffff8114269b>] __x64_sys_clone+0x2b/0x30
          [<ffffffff83965a72>] do_syscall_64+0x32/0x80
          [<ffffffff83a00085>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
      
      The pid memleak is triggered by the following race:
      task[sshd]                      task[bash]
      -----------------------		-----------------------
      				do_exit();
      				disassociate_ctty();
      				spin_lock_irq(¤t->sighand->siglock);
      				put_pid(current->signal->tty_old_pgrp);
      				current->signal->tty_old_pgrp = NULL;
      				tty = tty_kref_get(current->signal->tty);
      				//tty is not NULL
      				spin_unlock_irq(¤t->sighand->siglock);
      tty_vhangup();
      tty_lock(tty);
      ...
      tty_signal_session_leader();
      spin_lock_irq(&p->sighand->siglock);
      ...
      p->signal->tty_old_pgrp = get_pid(tty->pgrp); // tty_old_pgrp reassign
      spin_unlock_irq(&p->sighand->siglock);
      ...
      tty_unlock(tty);
      				if (tty) {
      				    tty_lock(tty);
      				    ...
      				    put_pid(tty->pgrp);
      				    tty->pgrp = NULL;// It's too late
      				    ...
      				    tty_unlock(tty);
      				}
      
      in task[bash], tty_old_pgrp is released by disassociate_ctty(), then it's
      reassigned by tty_signal_session_leader() in task[sshd], cause memleak.
      
      fix the memleak by add put_pid() in disassociate_ctty() after tty_old_pgrp
      is reassigned.
      
      Fixes: c8bcd9c5 ("tty: Fix ->session locking")
      Signed-off-by: NYi Yang <yiyang13@huawei.com>
      e2944873
    • O
      !1659 vfio-pci: Match specific devices with vendor id and device id · 4554a847
      openeuler-ci-bot 提交于
      Merge Pull Request from: @did-you-collect-the-wool-today 
       
      virt inclusion
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW
      CVE: NA
      
      ------------------------------------------------------------------
      
      In probe_vendor_drivers, all registered vendor drivers are traversed.
      This is not a good idea. If a vendor driver is not implemented well
      enough, it may cause the system to panic. Use the vendor id and
      device id to select a proper driver.
      
      In the pervious device registration logic, since the live migration
      operation ops of the three accelerator devices is the same.
      Therefore, only one driver entity will be registered. As a result,
      only the first sec will be loaded successfully, while hpre and zip
      cannot be loaded.
      
      The acc live migration driver needs to be adapted.
      Signed-off-by: NLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: NKunkun Jiang <jiangkunkun@huawei.com>
       
       
      Link:https://gitee.com/openeuler/kernel/pulls/1659 
      
      Reviewed-by: Zenghui Yu <yuzenghui@huawei.com> 
      Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
      4554a847
    • O
      !1657 media: usb: siano: Fix CVE-2023-4132 · d3907308
      openeuler-ci-bot 提交于
      Merge Pull Request from: @ci-robot 
       
      PR sync from: Ruan Jinjie <ruanjinjie@huawei.com>
      https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/DMKZQARD2PWAP2YXIKY6D454ZNKTEVT3/ 
      Backport CVE-2023-4132 fix commits.
      
      Duoming Zhou (2):
        media: usb: siano: Fix use after free bugs caused by do_submit_urb
        media: usb: siano: Fix warning due to null work_func_t function
          pointer
      
      
      -- 
      2.34.1
       
      https://gitee.com/openeuler/kernel/issues/I7QTMZ 
       
      Link:https://gitee.com/openeuler/kernel/pulls/1657 
      
      Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
      Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
      d3907308
    • O
      !1522 Allow bpf_get_netns_cookie in BPF_PROG_TYPE_SK_MSG and BPF_PROG_TYPE_SOCK_OPS · 4e547f49
      openeuler-ci-bot 提交于
      Merge Pull Request from: @kwb0523 
       
      We'd like to be able to identify netns from sock_ops and sk_msg hooks to
      accelerate local process communication form different netns. 
       
      Link:https://gitee.com/openeuler/kernel/pulls/1522 
      
      Reviewed-by: Jackie Liu <liuyun01@kylinos.cn> 
      Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
      Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
      4e547f49
    • Z
      sched/fair: remove cpu.qos_leve from root cpu cgroup · bc13a2bc
      zhangwei123171 提交于
      jingdong inclusion
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I7R399
      
      -----------------------------------------------------
      
      /sys/fs/cgroup/cpu/cpu.qos_level is not needed, and easy
      to cause misunderstanding.
      Signed-off-by: Nzhangwei123171 <zhangwei123171@jd.com>
      Reviewed-by: Nzhaoxiaoqiang11 <zhaoxiaoqiang11@jd.com>
      bc13a2bc
    • K
      vfio-pci: Match specific devices with vendor id and device id · 6ecf6566
      Kunkun Jiang 提交于
      virt inclusion
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW
      CVE: NA
      
      ------------------------------------------------------------------
      
      In probe_vendor_drivers, all registered vendor drivers are traversed.
      This is not a good idea. If a vendor driver is not implemented well
      enough, it may cause the system to panic. Use the vendor id and
      device id to select a proper driver.
      
      In the pervious device registration logic, since the live migration
      operation ops of the three accelerator devices is the same.
      Therefore, only one driver entity will be registered. As a result,
      only the first sec will be loaded successfully, while hpre and zip
      cannot be loaded.
      
      The acc live migration driver needs to be adapted.
      Signed-off-by: NLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: NKunkun Jiang <jiangkunkun@huawei.com>
      6ecf6566
    • D
      media: usb: siano: Fix warning due to null work_func_t function pointer · d6a3c21a
      Duoming Zhou 提交于
      mainline inclusion
      from mainline-v6.5-rc1
      commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I7QTMZ
      CVE: CVE-2023-4132
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6f489a966fbeb0da63d45c2c66a8957eab604bf6
      
      --------------------------------
      
      The previous commit ebad8e73 ("media: usb: siano: Fix use after
      free bugs caused by do_submit_urb") adds cancel_work_sync() in
      smsusb_stop_streaming(). But smsusb_stop_streaming() may be called,
      even if the work_struct surb->wq has not been initialized. As a result,
      the warning will occur. One of the processes that could lead to warning
      is shown below:
      
      smsusb_probe()
        smsusb_init_device()
          if (!dev->in_ep || !dev->out_ep || align < 0) {
               smsusb_term_device(intf);
                 smsusb_stop_streaming()
                   cancel_work_sync(&dev->surbs[i].wq);
                     __cancel_work_timer()
                       __flush_work()
                         if (WARN_ON(!work->func)) // work->func is null
      
      The log reported by syzbot is shown below:
      
      WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
      Modules linked in:
      CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
      RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
      ...
      RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246
      RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e
      RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8
      RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f
      R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8
      R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001
      FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
       smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
       smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
       smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
       smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
      ...
      
      This patch adds check before cancel_work_sync(). If surb->wq has not
      been initialized, the cancel_work_sync() will not be executed.
      
      Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com
      Fixes: ebad8e73 ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
      Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NRuan Jinjie <ruanjinjie@huawei.com>
      d6a3c21a
    • D
      media: usb: siano: Fix use after free bugs caused by do_submit_urb · a6fbd041
      Duoming Zhou 提交于
      mainline inclusion
      from mainline-v6.3-rc1
      commit ebad8e73
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I7QTMZ
      CVE: CVE-2023-4132
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ebad8e731c1c06adf04621d6fd327b860c0861b5
      
      --------------------------------
      
      There are UAF bugs caused by do_submit_urb(). One of the KASan reports
      is shown below:
      
      [   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890
      [   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49
      [   36.408316]
      [   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237a-dir8
      [   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
      [   36.416157] Workqueue:  0x0 (events)
      [   36.417654] Call Trace:
      [   36.418546]  <TASK>
      [   36.419320]  dump_stack_lvl+0x96/0xd0
      [   36.420522]  print_address_description+0x75/0x350
      [   36.421992]  print_report+0x11b/0x250
      [   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0
      [   36.424806]  ? __virt_addr_valid+0xcf/0x170
      [   36.426069]  ? worker_thread+0x4a2/0x890
      [   36.427355]  kasan_report+0x131/0x160
      [   36.428556]  ? worker_thread+0x4a2/0x890
      [   36.430053]  worker_thread+0x4a2/0x890
      [   36.431297]  ? worker_clr_flags+0x90/0x90
      [   36.432479]  kthread+0x166/0x190
      [   36.433493]  ? kthread_blkcg+0x50/0x50
      [   36.434669]  ret_from_fork+0x22/0x30
      [   36.435923]  </TASK>
      [   36.436684]
      [   36.437215] Allocated by task 24:
      [   36.438289]  kasan_set_track+0x50/0x80
      [   36.439436]  __kasan_kmalloc+0x89/0xa0
      [   36.440566]  smsusb_probe+0x374/0xc90
      [   36.441920]  usb_probe_interface+0x2d1/0x4c0
      [   36.443253]  really_probe+0x1d5/0x580
      [   36.444539]  __driver_probe_device+0xe3/0x130
      [   36.446085]  driver_probe_device+0x49/0x220
      [   36.447423]  __device_attach_driver+0x19e/0x1b0
      [   36.448931]  bus_for_each_drv+0xcb/0x110
      [   36.450217]  __device_attach+0x132/0x1f0
      [   36.451470]  bus_probe_device+0x59/0xf0
      [   36.452563]  device_add+0x4ec/0x7b0
      [   36.453830]  usb_set_configuration+0xc63/0xe10
      [   36.455230]  usb_generic_driver_probe+0x3b/0x80
      [   36.456166] printk: console [ttyGS0] disabled
      [   36.456569]  usb_probe_device+0x90/0x110
      [   36.459523]  really_probe+0x1d5/0x580
      [   36.461027]  __driver_probe_device+0xe3/0x130
      [   36.462465]  driver_probe_device+0x49/0x220
      [   36.463847]  __device_attach_driver+0x19e/0x1b0
      [   36.465229]  bus_for_each_drv+0xcb/0x110
      [   36.466466]  __device_attach+0x132/0x1f0
      [   36.467799]  bus_probe_device+0x59/0xf0
      [   36.469010]  device_add+0x4ec/0x7b0
      [   36.470125]  usb_new_device+0x863/0xa00
      [   36.471374]  hub_event+0x18c7/0x2220
      [   36.472746]  process_one_work+0x34c/0x5b0
      [   36.474041]  worker_thread+0x4b7/0x890
      [   36.475216]  kthread+0x166/0x190
      [   36.476267]  ret_from_fork+0x22/0x30
      [   36.477447]
      [   36.478160] Freed by task 24:
      [   36.479239]  kasan_set_track+0x50/0x80
      [   36.480512]  kasan_save_free_info+0x2b/0x40
      [   36.481808]  ____kasan_slab_free+0x122/0x1a0
      [   36.483173]  __kmem_cache_free+0xc4/0x200
      [   36.484563]  smsusb_term_device+0xcd/0xf0
      [   36.485896]  smsusb_probe+0xc85/0xc90
      [   36.486976]  usb_probe_interface+0x2d1/0x4c0
      [   36.488303]  really_probe+0x1d5/0x580
      [   36.489498]  __driver_probe_device+0xe3/0x130
      [   36.491140]  driver_probe_device+0x49/0x220
      [   36.492475]  __device_attach_driver+0x19e/0x1b0
      [   36.493988]  bus_for_each_drv+0xcb/0x110
      [   36.495171]  __device_attach+0x132/0x1f0
      [   36.496617]  bus_probe_device+0x59/0xf0
      [   36.497875]  device_add+0x4ec/0x7b0
      [   36.498972]  usb_set_configuration+0xc63/0xe10
      [   36.500264]  usb_generic_driver_probe+0x3b/0x80
      [   36.501740]  usb_probe_device+0x90/0x110
      [   36.503084]  really_probe+0x1d5/0x580
      [   36.504241]  __driver_probe_device+0xe3/0x130
      [   36.505548]  driver_probe_device+0x49/0x220
      [   36.506766]  __device_attach_driver+0x19e/0x1b0
      [   36.508368]  bus_for_each_drv+0xcb/0x110
      [   36.509646]  __device_attach+0x132/0x1f0
      [   36.510911]  bus_probe_device+0x59/0xf0
      [   36.512103]  device_add+0x4ec/0x7b0
      [   36.513215]  usb_new_device+0x863/0xa00
      [   36.514736]  hub_event+0x18c7/0x2220
      [   36.516130]  process_one_work+0x34c/0x5b0
      [   36.517396]  worker_thread+0x4b7/0x890
      [   36.518591]  kthread+0x166/0x190
      [   36.519599]  ret_from_fork+0x22/0x30
      [   36.520851]
      [   36.521405] Last potentially related work creation:
      [   36.523143]  kasan_save_stack+0x3f/0x60
      [   36.524275]  kasan_record_aux_stack_noalloc+0x9d/0xb0
      [   36.525831]  insert_work+0x25/0x130
      [   36.527039]  __queue_work+0x4d4/0x620
      [   36.528236]  queue_work_on+0x72/0xb0
      [   36.529344]  __usb_hcd_giveback_urb+0x13f/0x1b0
      [   36.530819]  dummy_timer+0x350/0x1a40
      [   36.532149]  call_timer_fn+0x2c/0x190
      [   36.533567]  expire_timers+0x69/0x1f0
      [   36.534736]  __run_timers+0x289/0x2d0
      [   36.535841]  run_timer_softirq+0x2d/0x60
      [   36.537110]  __do_softirq+0x116/0x380
      [   36.538377]
      [   36.538950] Second to last potentially related work creation:
      [   36.540855]  kasan_save_stack+0x3f/0x60
      [   36.542084]  kasan_record_aux_stack_noalloc+0x9d/0xb0
      [   36.543592]  insert_work+0x25/0x130
      [   36.544891]  __queue_work+0x4d4/0x620
      [   36.546168]  queue_work_on+0x72/0xb0
      [   36.547328]  __usb_hcd_giveback_urb+0x13f/0x1b0
      [   36.548805]  dummy_timer+0x350/0x1a40
      [   36.550116]  call_timer_fn+0x2c/0x190
      [   36.551570]  expire_timers+0x69/0x1f0
      [   36.552762]  __run_timers+0x289/0x2d0
      [   36.553916]  run_timer_softirq+0x2d/0x60
      [   36.555118]  __do_softirq+0x116/0x380
      [   36.556239]
      [   36.556807] The buggy address belongs to the object at ffff888005960000
      [   36.556807]  which belongs to the cache kmalloc-4k of size 4096
      [   36.560652] The buggy address is located 232 bytes inside of
      [   36.560652]  4096-byte region [ffff888005960000, ffff888005961000)
      [   36.564791]
      [   36.565355] The buggy address belongs to the physical page:
      [   36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00
      [   36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0
      [   36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1)
      [   36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000
      [   36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
      [   36.580175] page dumped because: kasan: bad access detected
      [   36.581994]
      [   36.582548] Memory state around the buggy address:
      [   36.583983]  ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [   36.586240]  ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   36.591071]                                                           ^
      [   36.593295]  ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   36.595705]  ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [   36.598026] ==================================================================
      [   36.600224] Disabling lock debugging due to kernel taint
      [   36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I
      [   36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G    B              6.2.0-rc3-15798-8
      [   36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584
      [   36.615026] Workqueue: events do_submit_urb
      [   36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
      [   36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
      [   36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
      [   36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
      [   36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
      [   36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
      [   36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
      [   36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
      [   36.636438] FS:  0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
      [   36.639092] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
      [   36.643411] Call Trace:
      [   36.644215]  <TASK>
      [   36.644902]  smscore_getbuffer+0x3e/0x1e0
      [   36.646147]  do_submit_urb+0x4f/0x190
      [   36.647449]  process_one_work+0x34c/0x5b0
      [   36.648777]  worker_thread+0x4b7/0x890
      [   36.649984]  ? worker_clr_flags+0x90/0x90
      [   36.651166]  kthread+0x166/0x190
      [   36.652151]  ? kthread_blkcg+0x50/0x50
      [   36.653547]  ret_from_fork+0x22/0x30
      [   36.655051]  </TASK>
      [   36.655733] Modules linked in:
      [   36.656787] ---[ end trace 0000000000000000 ]---
      [   36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0
      [   36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5
      [   36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046
      [   36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7
      [   36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0
      [   36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f
      [   36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020
      [   36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001
      [   36.679184] FS:  0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
      [   36.681655] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0
      [   36.685733] Kernel panic - not syncing: Fatal exception
      [   36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff)
      [   36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      When the siano device is plugged in, it may call the following functions
      to initialize the device.
      
      smsusb_probe()-->smsusb_init_device()-->smscore_start_device().
      
      When smscore_start_device() gets failed, the function smsusb_term_device()
      will be called and smsusb_device_t will be deallocated. Although we use
      usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests
      and wait for them to finish, the worker threads that are scheduled by
      smsusb_onresponse() may be still running. As a result, the UAF bugs
      could happen.
      
      We add cancel_work_sync() in smsusb_stop_streaming() in order that the
      worker threads could finish before the smsusb_device_t is deallocated.
      
      Fixes: dd47fbd4 ("[media] smsusb: don't sleep while atomic")
      Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: NMauro Carvalho Chehab <mchehab@kernel.org>
      Signed-off-by: NRuan Jinjie <ruanjinjie@huawei.com>
      a6fbd041
    • O
      !1596 ksmbd: fix out-of-bound read in deassemble_neg_contexts() · 75cd4528
      openeuler-ci-bot 提交于
      Merge Pull Request from: @ci-robot 
       
      PR sync from: Li Lingfeng <lilingfeng3@huawei.com>
      https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MKD6POKWLXC45KXPZXCZ7N52MPOZMNAR/ 
       
      https://gitee.com/src-openeuler/kernel/issues/I7LU2Q 
       
      Link:https://gitee.com/openeuler/kernel/pulls/1596 
      
      Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
      Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
      75cd4528
  5. 04 8月, 2023 3 次提交
  6. 03 8月, 2023 7 次提交
  7. 02 8月, 2023 5 次提交