- Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10 12306/30000] mm/hugetlb.c:3611 hugepages_setup() warn: potential spectre issue 'default_hugepages_in_node' [w]
by kernel test robot 30 Jan '24

30 Jan '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: d5c6fe9611048ed35ceab6a450d2d8a801e946a6 commit: 16a9f8e683ea65ac4484e67742171cfa8b0234eb [12306/30000] hugetlbfs: fix a truncation issue in hugepages parameter :::::: branch date: 8 hours ago :::::: commit date: 1 year, 9 months ago config: x86_64-randconfig-161-20240129 (attached as .config) compiler: gcc-7 (Ubuntu 7.5.0-6ubuntu2) 7.5.0 If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202401300555.biTw6IGs-lkp@intel.com/ smatch warnings: mm/hugetlb.c:3611 hugepages_setup() warn: potential spectre issue 'default_hugepages_in_node' [w] mm/hugetlb.c:3613 hugepages_setup() warn: potential spectre issue 'parsed_hstate->max_huge_pages_node' [w] vim +/default_hugepages_in_node +3611 mm/hugetlb.c a3437870160cf2 Nishanth Aravamudan 2008-07-23 3550 f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3551 bool __init __weak hugetlb_node_alloc_supported(void) f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3552 { f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3553 return true; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3554 } 282f4214384ee2 Mike Kravetz 2020-06-03 3555 /* 282f4214384ee2 Mike Kravetz 2020-06-03 3556 * hugepages command line processing 282f4214384ee2 Mike Kravetz 2020-06-03 3557 * hugepages normally follows a valid hugepagsz or default_hugepagsz 282f4214384ee2 Mike Kravetz 2020-06-03 3558 * specification. If not, ignore the hugepages value. hugepages can also 282f4214384ee2 Mike Kravetz 2020-06-03 3559 * be the first huge page command line option in which case it implicitly 282f4214384ee2 Mike Kravetz 2020-06-03 3560 * specifies the number of huge pages for the default size. 282f4214384ee2 Mike Kravetz 2020-06-03 3561 */ 282f4214384ee2 Mike Kravetz 2020-06-03 3562 static int __init hugepages_setup(char *s) a3437870160cf2 Nishanth Aravamudan 2008-07-23 3563 { a3437870160cf2 Nishanth Aravamudan 2008-07-23 3564 unsigned long *mhp; 8faa8b077b2cdc Andi Kleen 2008-07-23 3565 static unsigned long *last_mhp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3566 int node = NUMA_NO_NODE; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3567 int count; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3568 unsigned long tmp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3569 char *p = s; a3437870160cf2 Nishanth Aravamudan 2008-07-23 3570 9fee021d15ddd8 Vaishali Thakkar 2016-05-19 3571 if (!parsed_valid_hugepagesz) { 282f4214384ee2 Mike Kravetz 2020-06-03 3572 pr_warn("HugeTLB: hugepages=%s does not follow a valid hugepagesz, ignoring\n", s); 9fee021d15ddd8 Vaishali Thakkar 2016-05-19 3573 parsed_valid_hugepagesz = true; 282f4214384ee2 Mike Kravetz 2020-06-03 3574 return 0; 9fee021d15ddd8 Vaishali Thakkar 2016-05-19 3575 } 282f4214384ee2 Mike Kravetz 2020-06-03 3576 a3437870160cf2 Nishanth Aravamudan 2008-07-23 3577 /* 282f4214384ee2 Mike Kravetz 2020-06-03 3578 * !hugetlb_max_hstate means we haven't parsed a hugepagesz= parameter 282f4214384ee2 Mike Kravetz 2020-06-03 3579 * yet, so this hugepages= parameter goes to the "default hstate". 282f4214384ee2 Mike Kravetz 2020-06-03 3580 * Otherwise, it goes with the previously parsed hugepagesz or 282f4214384ee2 Mike Kravetz 2020-06-03 3581 * default_hugepagesz. a3437870160cf2 Nishanth Aravamudan 2008-07-23 3582 */ 9fee021d15ddd8 Vaishali Thakkar 2016-05-19 3583 else if (!hugetlb_max_hstate) a3437870160cf2 Nishanth Aravamudan 2008-07-23 3584 mhp = &default_hstate_max_huge_pages; a3437870160cf2 Nishanth Aravamudan 2008-07-23 3585 else a3437870160cf2 Nishanth Aravamudan 2008-07-23 3586 mhp = &parsed_hstate->max_huge_pages; a3437870160cf2 Nishanth Aravamudan 2008-07-23 3587 8faa8b077b2cdc Andi Kleen 2008-07-23 3588 if (mhp == last_mhp) { 282f4214384ee2 Mike Kravetz 2020-06-03 3589 pr_warn("HugeTLB: hugepages= specified twice without interleaving hugepagesz=, ignoring hugepages=%s\n", s); 282f4214384ee2 Mike Kravetz 2020-06-03 3590 return 0; 8faa8b077b2cdc Andi Kleen 2008-07-23 3591 } 8faa8b077b2cdc Andi Kleen 2008-07-23 3592 f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3593 while (*p) { f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3594 count = 0; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3595 if (sscanf(p, "%lu%n", &tmp, &count) != 1) f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3596 goto invalid; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3597 /* Parameter is node format */ f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3598 if (p[count] == ':') { f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3599 if (!hugetlb_node_alloc_supported()) { f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3600 pr_warn("HugeTLB: architecture can't support node specific alloc, ignoring!\n"); f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3601 return 0; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3602 } 16a9f8e683ea65 Liu Yuntao 2022-04-19 3603 if (tmp >= nr_online_nodes) 16a9f8e683ea65 Liu Yuntao 2022-04-19 3604 goto invalid; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3605 node = tmp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3606 p += count + 1; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3607 /* Parse hugepages */ f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3608 if (sscanf(p, "%lu%n", &tmp, &count) != 1) f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3609 goto invalid; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3610 if (!hugetlb_max_hstate) f4ada01a2c72a1 Zhenguo Yao 2022-01-17 @3611 default_hugepages_in_node[node] = tmp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3612 else f4ada01a2c72a1 Zhenguo Yao 2022-01-17 @3613 parsed_hstate->max_huge_pages_node[node] = tmp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3614 *mhp += tmp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3615 /* Go to parse next node*/ f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3616 if (p[count] == ',') f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3617 p += count + 1; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3618 else f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3619 break; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3620 } else { f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3621 if (p != s) f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3622 goto invalid; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3623 *mhp = tmp; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3624 break; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3625 } f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3626 } a3437870160cf2 Nishanth Aravamudan 2008-07-23 3627 8faa8b077b2cdc Andi Kleen 2008-07-23 3628 /* 8faa8b077b2cdc Andi Kleen 2008-07-23 3629 * Global state is always initialized later in hugetlb_init. 8faa8b077b2cdc Andi Kleen 2008-07-23 3630 * But we need to allocate >= MAX_ORDER hstates here early to still 8faa8b077b2cdc Andi Kleen 2008-07-23 3631 * use the bootmem allocator. 8faa8b077b2cdc Andi Kleen 2008-07-23 3632 */ 47d38344abd0c7 Aneesh Kumar K.V 2012-07-31 3633 if (hugetlb_max_hstate && parsed_hstate->order >= MAX_ORDER) 8faa8b077b2cdc Andi Kleen 2008-07-23 3634 hugetlb_hstate_alloc_pages(parsed_hstate); 8faa8b077b2cdc Andi Kleen 2008-07-23 3635 8faa8b077b2cdc Andi Kleen 2008-07-23 3636 last_mhp = mhp; 8faa8b077b2cdc Andi Kleen 2008-07-23 3637 a3437870160cf2 Nishanth Aravamudan 2008-07-23 3638 return 1; f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3639 f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3640 invalid: f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3641 pr_warn("HugeTLB: Invalid hugepages parameter %s\n", p); f4ada01a2c72a1 Zhenguo Yao 2022-01-17 3642 return 0; a3437870160cf2 Nishanth Aravamudan 2008-07-23 3643 } 282f4214384ee2 Mike Kravetz 2020-06-03 3644 __setup("hugepages=", hugepages_setup); e11bfbfcb08ef4 Nick Piggin 2008-07-23 3645 :::::: The code at line 3611 was first introduced by commit :::::: f4ada01a2c72a1a69a6da3c56764b414081e639b hugetlbfs: extend the definition of hugepages parameter to support node allocation :::::: TO: Zhenguo Yao <yaozhenguo1(a)gmail.com> :::::: CC: Zheng Zengkai <zhengzengkai(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 3670/21589] drivers/staging/erofs/unzip_vle_lz4.o: warning: objtool: missing symbol for section .text
by kernel test robot 30 Jan '24

30 Jan '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: ef2982312942ba96fb8217df5d832051bae4afd2 commit: 2e59f7a6876bfa6adca4ec9180ab3945e6ede7e1 [3670/21589] staging: erofs: compressed_pages should not be accessed again after freed :::::: branch date: 13 hours ago :::::: commit date: 4 years, 1 month ago config: x86_64-buildonly-randconfig-001-20240129 (attached as .config) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (attached as reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202401300403.bq4A24vh-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/staging/erofs/unzip_vle_lz4.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 13850/21589] arch/arm64/mm/init.c:784:17: error: 'mem_sleep_current' undeclared
by kernel test robot 30 Jan '24

30 Jan '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: ef2982312942ba96fb8217df5d832051bae4afd2 commit: fdda68feeca82610ccbcdcbda7250623a6d187d2 [13850/21589] arm64/ascend: Set mem_sleep_current to PM_SUSPEND_ON for ascend platform :::::: branch date: 12 hours ago :::::: commit date: 3 years, 4 months ago config: arm64-randconfig-002-20240125 (attached as .config) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (attached as reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202401300313.05KTJWfI-lkp@intel.com/ All errors (new ones prefixed by >>): arch/arm64/mm/init.c:469:13: warning: no previous prototype for 'arm64_memblock_init' [-Wmissing-prototypes] 469 | void __init arm64_memblock_init(void) | ^~~~~~~~~~~~~~~~~~~ arch/arm64/mm/init.c: In function 'ascend_enable_setup': >> arch/arm64/mm/init.c:784:17: error: 'mem_sleep_current' undeclared (first use in this function) 784 | mem_sleep_current = PM_SUSPEND_ON; | ^~~~~~~~~~~~~~~~~ arch/arm64/mm/init.c:784:17: note: each undeclared identifier is reported only once for each function it appears in vim +/mem_sleep_current +784 arch/arm64/mm/init.c a7f8de168ace48 Ard Biesheuvel 2016-02-16 770 342049dccae659 Ding Tianhong 2020-08-31 771 #ifdef CONFIG_ASCEND_FEATURES 342049dccae659 Ding Tianhong 2020-08-31 772 static int __init ascend_enable_setup(char *__unused) 342049dccae659 Ding Tianhong 2020-08-31 773 { 342049dccae659 Ding Tianhong 2020-08-31 774 if (IS_ENABLED(CONFIG_ASCEND_DVPP_MMAP)) 0d9400057107e6 Ding Tianhong 2020-09-08 775 enable_mmap_dvpp = 1; 342049dccae659 Ding Tianhong 2020-08-31 776 342049dccae659 Ding Tianhong 2020-08-31 777 if (IS_ENABLED(CONFIG_ASCEND_IOPF_HIPRI)) 342049dccae659 Ding Tianhong 2020-08-31 778 enable_iopf_hipri = 1; 342049dccae659 Ding Tianhong 2020-08-31 779 342049dccae659 Ding Tianhong 2020-08-31 780 if (IS_ENABLED(CONFIG_ASCEND_CHARGE_MIGRATE_HUGEPAGES)) 342049dccae659 Ding Tianhong 2020-08-31 781 enable_charge_mighp = 1; 342049dccae659 Ding Tianhong 2020-08-31 782 fdda68feeca826 Ding Tianhong 2020-09-22 783 if (IS_ENABLED(CONFIG_SUSPEND)) fdda68feeca826 Ding Tianhong 2020-09-22 @784 mem_sleep_current = PM_SUSPEND_ON; fdda68feeca826 Ding Tianhong 2020-09-22 785 342049dccae659 Ding Tianhong 2020-08-31 786 return 1; 342049dccae659 Ding Tianhong 2020-08-31 787 } 342049dccae659 Ding Tianhong 2020-08-31 788 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 5766/21589] arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 30 Jan '24

30 Jan '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: ef2982312942ba96fb8217df5d832051bae4afd2 commit: ca67230a79f23abbf552a5cb3471d46ff8b672c8 [5766/21589] x86/uaccess: Dont leak the AC flag into __put_user() argument evaluation :::::: branch date: 12 hours ago :::::: commit date: 4 years, 1 month ago config: x86_64-randconfig-121-20240125 (attached as .config) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (attached as reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202401300305.gYla1O9J-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: cast removes address space '__user' of expression >> arch/x86/kernel/fpu/signal.c:94:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const volatile [noderef] __user *ptr @@ got unsigned int [usertype] *__pu_ptr @@ arch/x86/kernel/fpu/signal.c:94:16: sparse: expected void const volatile [noderef] __user *ptr arch/x86/kernel/fpu/signal.c:94:16: sparse: got unsigned int [usertype] *__pu_ptr arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const volatile [noderef] __user *ptr @@ got unsigned int [usertype] * @@ arch/x86/kernel/fpu/signal.c:101:16: sparse: expected void const volatile [noderef] __user *ptr arch/x86/kernel/fpu/signal.c:101:16: sparse: got unsigned int [usertype] * arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:101:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: cast removes address space '__user' of expression arch/x86/kernel/fpu/signal.c:116:16: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void const volatile [noderef] __user *ptr @@ got unsigned int [usertype] *__pu_ptr @@ arch/x86/kernel/fpu/signal.c:116:16: sparse: expected void const volatile [noderef] __user *ptr arch/x86/kernel/fpu/signal.c:116:16: sparse: got unsigned int [usertype] *__pu_ptr vim +94 arch/x86/kernel/fpu/signal.c b992c660d3b316 Ingo Molnar 2015-04-30 79 b992c660d3b316 Ingo Molnar 2015-04-30 80 static inline int save_xstate_epilog(void __user *buf, int ia32_frame) b992c660d3b316 Ingo Molnar 2015-04-30 81 { c47ada305de380 Ingo Molnar 2015-04-30 82 struct xregs_state __user *x = buf; b992c660d3b316 Ingo Molnar 2015-04-30 83 struct _fpx_sw_bytes *sw_bytes; b992c660d3b316 Ingo Molnar 2015-04-30 84 u32 xfeatures; b992c660d3b316 Ingo Molnar 2015-04-30 85 int err; b992c660d3b316 Ingo Molnar 2015-04-30 86 b992c660d3b316 Ingo Molnar 2015-04-30 87 /* Setup the bytes not touched by the [f]xsave and reserved for SW. */ b992c660d3b316 Ingo Molnar 2015-04-30 88 sw_bytes = ia32_frame ? &fx_sw_reserved_ia32 : &fx_sw_reserved; b992c660d3b316 Ingo Molnar 2015-04-30 89 err = __copy_to_user(&x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes)); b992c660d3b316 Ingo Molnar 2015-04-30 90 b992c660d3b316 Ingo Molnar 2015-04-30 91 if (!use_xsave()) b992c660d3b316 Ingo Molnar 2015-04-30 92 return err; b992c660d3b316 Ingo Molnar 2015-04-30 93 a1141e0b5ca6ee Fenghua Yu 2016-05-20 @94 err |= __put_user(FP_XSTATE_MAGIC2, a1141e0b5ca6ee Fenghua Yu 2016-05-20 95 (__u32 *)(buf + fpu_user_xstate_size)); b992c660d3b316 Ingo Molnar 2015-04-30 96 b992c660d3b316 Ingo Molnar 2015-04-30 97 /* b992c660d3b316 Ingo Molnar 2015-04-30 98 * Read the xfeatures which we copied (directly from the cpu or b992c660d3b316 Ingo Molnar 2015-04-30 99 * from the state in task struct) to the user buffers. b992c660d3b316 Ingo Molnar 2015-04-30 100 */ b992c660d3b316 Ingo Molnar 2015-04-30 101 err |= __get_user(xfeatures, (__u32 *)&x->header.xfeatures); b992c660d3b316 Ingo Molnar 2015-04-30 102 b992c660d3b316 Ingo Molnar 2015-04-30 103 /* b992c660d3b316 Ingo Molnar 2015-04-30 104 * For legacy compatible, we always set FP/SSE bits in the bit b992c660d3b316 Ingo Molnar 2015-04-30 105 * vector while saving the state to the user context. This will b992c660d3b316 Ingo Molnar 2015-04-30 106 * enable us capturing any changes(during sigreturn) to b992c660d3b316 Ingo Molnar 2015-04-30 107 * the FP/SSE bits by the legacy applications which don't touch b992c660d3b316 Ingo Molnar 2015-04-30 108 * xfeatures in the xsave header. b992c660d3b316 Ingo Molnar 2015-04-30 109 * b992c660d3b316 Ingo Molnar 2015-04-30 110 * xsave aware apps can change the xfeatures in the xsave b992c660d3b316 Ingo Molnar 2015-04-30 111 * header as well as change any contents in the memory layout. b992c660d3b316 Ingo Molnar 2015-04-30 112 * xrestore as part of sigreturn will capture all the changes. b992c660d3b316 Ingo Molnar 2015-04-30 113 */ d91cab78133d33 Dave Hansen 2015-09-02 114 xfeatures |= XFEATURE_MASK_FPSSE; b992c660d3b316 Ingo Molnar 2015-04-30 115 b992c660d3b316 Ingo Molnar 2015-04-30 116 err |= __put_user(xfeatures, (__u32 *)&x->header.xfeatures); b992c660d3b316 Ingo Molnar 2015-04-30 117 b992c660d3b316 Ingo Molnar 2015-04-30 118 return err; b992c660d3b316 Ingo Molnar 2015-04-30 119 } b992c660d3b316 Ingo Molnar 2015-04-30 120 :::::: The code at line 94 was first introduced by commit :::::: a1141e0b5ca6ee3e5e35d5f1a310a5ecb9c96ce5 x86/fpu/xstate: Define and use 'fpu_user_xstate_size' :::::: TO: Fenghua Yu <fenghua.yu(a)intel.com> :::::: CC: Ingo Molnar <mingo(a)kernel.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 30 Jan '24

30 Jan '24

Reserve space for arm64 related structures. Include efi.h, extable.h, fb.h, processor.h Yuntao Liu (4): kabi: reserve space for efi.h kabi: reserve space for extable.h kabi: reserve space for fb.h kabi: reserve space for processor.h arch/arm64/include/asm/extable.h | 3 +++ arch/arm64/include/asm/processor.h | 9 +++++++++ include/linux/efi.h | 3 +++ include/linux/fb.h | 7 +++++++ 4 files changed, 22 insertions(+) -- 2.34.1

1 4

[PATCH openEuler-22.03-LTS-SP2] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 30 Jan '24

30 Jan '24

From: Daniel Vetter <daniel.vetter(a)ffwll.ch> stable inclusion from stable-v5.10.188 commit f09c0ac142c59495262dd80545f261b2aeeba538 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ CVE: CVE-2023-51043 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream. This requires a bit of background. Properly done a modeset driver's unload/remove sequence should be drm_dev_unplug(); drm_atomic_helper_shutdown(); drm_dev_put(); The trouble is that the drm_dev_unplugged() checks are by design racy, they do not synchronize against all outstanding ioctl. This is because those ioctl could block forever (both for modeset and for driver specific ioctls), leading to deadlocks in hotunplug. Instead the code sections that touch the hardware need to be annotated with drm_dev_enter/exit, to avoid accessing hardware resources after the unload/remove has finished. To avoid use-after-free issues all the involved userspace visible objects are supposed to hold a reference on the underlying drm_device, like drm_file does. The issue now is that we missed one, the atomic modeset ioctl can be run in a nonblocking fashion, and in that case it cannot rely on the implied drm_device reference provided by the ioctl calling context. This can result in a use-after-free if an nonblocking atomic commit is carefully raced against a driver unload. Fix this by unconditionally grabbing a drm_device reference for any drm_atomic_state structures. Strictly speaking this isn't required for blocking commits and TEST_ONLY calls, but it's the simpler approach. Thanks to shanzhulig for the initial idea of grabbing an unconditional reference, I just added comments, a condensed commit message and fixed a minor potential issue in where exactly we drop the final reference. Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 98b659981f1a..b10ba5057735 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1

2 1

[PATCH OLK-6.6 0/6] kabi: arch related KABI reserve
by Liao Chen 30 Jan '24

30 Jan '24

Affected files and structs: include/linux/mfd/core.h struct mfd_cell cpuhotplug.h enum cpuhp_state irq_work.h struct irq_work irqdesc.h struct irq_desc irqdomain_defs.h enum irq_domain_bus_token irqdomain.h struct irq_domain Liao Chen (6): kabi: reserve space for enum cpuhp_state kabi: reserve space for struct irq_work kabi: reserve space for struct irq_desc kabi: reserve space for struct irq_domain kabi: reserve space for enum irq_domain_bus_token kabi: reserve space for struct mfd_cell include/linux/cpuhotplug.h | 9 +++++++++ include/linux/irq_work.h | 5 +++++ include/linux/irqdesc.h | 5 +++++ include/linux/irqdomain.h | 5 +++++ include/linux/irqdomain_defs.h | 8 ++++++++ include/linux/mfd/core.h | 6 ++++++ 6 files changed, 38 insertions(+) -- 2.34.1

2 7

[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 30 Jan '24

30 Jan '24

Reserve space for arm64 related structures. Include efi.h, extable.h, fb.h, processor.h Yuntao Liu (4): kabi: reserve space for efi.h kabi: reserve space for extable.h kabi: reserve space for fb.h kabi: reserve space for processor.h arch/arm64/include/asm/extable.h | 3 +++ arch/arm64/include/asm/processor.h | 9 +++++++++ include/linux/efi.h | 3 +++ include/linux/fb.h | 7 +++++++ 4 files changed, 22 insertions(+) -- 2.34.1

1 4

[PATCH OLK-6.6 0/4] reserve space for arm64 related structures.
by Yuntao Liu 30 Jan '24

30 Jan '24

Reserve space for arm64 related structures. Include efi.h, extable.h, fb.h, processor.h Jinjie Ruan (4): kabi: reserve space for efi.h kabi: reserve space for extable.h kabi: reserve space for fb.h kabi: reserve space for processor.h arch/arm64/include/asm/extable.h | 3 +++ arch/arm64/include/asm/processor.h | 9 +++++++++ include/linux/efi.h | 3 +++ include/linux/fb.h | 7 +++++++ 4 files changed, 22 insertions(+) -- 2.34.1

2 5

[PATCH openEuler-22.03-LTS-SP1] drm/atomic: Fix potential use-after-free in nonblocking commits
by Guo Mengqi 30 Jan '24

30 Jan '24

From: Daniel Vetter <daniel.vetter(a)ffwll.ch> stable inclusion from stable-v5.10.188 commit f09c0ac142c59495262dd80545f261b2aeeba538 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7V6NJ CVE: CVE-2023-51043 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream. This requires a bit of background. Properly done a modeset driver's unload/remove sequence should be drm_dev_unplug(); drm_atomic_helper_shutdown(); drm_dev_put(); The trouble is that the drm_dev_unplugged() checks are by design racy, they do not synchronize against all outstanding ioctl. This is because those ioctl could block forever (both for modeset and for driver specific ioctls), leading to deadlocks in hotunplug. Instead the code sections that touch the hardware need to be annotated with drm_dev_enter/exit, to avoid accessing hardware resources after the unload/remove has finished. To avoid use-after-free issues all the involved userspace visible objects are supposed to hold a reference on the underlying drm_device, like drm_file does. The issue now is that we missed one, the atomic modeset ioctl can be run in a nonblocking fashion, and in that case it cannot rely on the implied drm_device reference provided by the ioctl calling context. This can result in a use-after-free if an nonblocking atomic commit is carefully raced against a driver unload. Fix this by unconditionally grabbing a drm_device reference for any drm_atomic_state structures. Strictly speaking this isn't required for blocking commits and TEST_ONLY calls, but it's the simpler approach. Thanks to shanzhulig for the initial idea of grabbing an unconditional reference, I just added comments, a condensed commit message and fixed a minor potential issue in where exactly we drop the final reference. Reported-by: shanzhulig <shanzhulig(a)gmail.com> Suggested-by: shanzhulig <shanzhulig(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: stable(a)kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Signed-off-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index 58527f151984..23a645a7e439 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device *dev, struct drm_atomic_state *state) if (!state->planes) goto fail; + /* + * Because drm_atomic_state can be committed asynchronously we need our + * own reference and cannot rely on the on implied by drm_file in the + * ioctl call. + */ + drm_dev_get(dev); state->dev = dev; DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); @@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); void __drm_atomic_state_free(struct kref *ref) { struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); - struct drm_mode_config *config = &state->dev->mode_config; + struct drm_device *dev = state->dev; + struct drm_mode_config *config = &dev->mode_config; drm_atomic_state_clear(state); @@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref *ref) drm_atomic_state_default_release(state); kfree(state); } + + drm_dev_put(dev); } EXPORT_SYMBOL(__drm_atomic_state_free); -- 2.17.1

1 0