kernel@openeuler.org

  • 52 participants
  • 18285 discussions
[PATCH OLK-6.6] sched: Optimize the latency of select_task_rq and pick_next_task.
by He Yujie 09 Dec '24

09 Dec '24
hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBA1PI -------------------------------- Reducing the select_task_rq run time by Checking the enable status of dynamic affinity before attempting to hold rcu_lock and deleting the enable check int dynamic_affinity_mode function. Inline functions are used to reduce the execution time of pick_next_time functions. Fixes: 6eb07f9925a9 ("sched: Introduce smart grid scheduling strategy for cfs") Signed-off-by: He Yujie <coka.heyujie(a)huawei.com> --- kernel/sched/fair.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index f1cd57e70f1f..88ff8783978b 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -6844,9 +6844,6 @@ static inline struct cpumask *task_prefer_cpus(struct task_struct *p) static inline int dynamic_affinity_mode(struct task_struct *p) { - if (!prefer_cpus_valid(p)) - return -1; - if (smart_grid_used()) return task_group(p)->auto_affinity->mode == 0 ? -1 : 1; @@ -7307,9 +7304,6 @@ static inline struct cpumask *task_prefer_cpus(struct task_struct *p) static inline int dynamic_affinity_mode(struct task_struct *p) { - if (!prefer_cpus_valid(p)) - return -1; - return 0; } #endif /* CONFIG_QOS_SCHED_DYNAMIC_AFFINITY */ @@ -9038,6 +9032,9 @@ static void set_task_select_cpus(struct task_struct *p, int *idlest_cpu, int cpu, mode; p->select_cpus = p->cpus_ptr; + if (!prefer_cpus_valid(p)) + return; + rcu_read_lock(); mode = dynamic_affinity_mode(p); if (mode == -1) { @@ -9721,7 +9718,7 @@ static int __init qos_sched_smt_noexpell_setup(char *__unused) } __setup("nosmtexpell", qos_sched_smt_noexpell_setup); -static bool qos_smt_check_siblings_status(int this_cpu) +static __always_inline bool qos_smt_check_siblings_status(int this_cpu) { int cpu; -- 2.34.1
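Review bot: In the `set_task_select_cpus()` hunk the added `if (!prefer_cpus_valid(p)) return;` sits before `rcu_read_lock()`, while the two removed copies ran inside `dynamic_affinity_mode()`, which this function calls with the RCU read lock held. `prefer_cpus_valid()` is not shown on this page; if it reaches `task_group(p)->auto_affinity` the way `dynamic_affinity_mode()` does in the first hunk, that dereference now happens outside the read-side critical section and relies on some other guarantee that the group cannot be freed underneath it. Please confirm what that guarantee is and record it next to the check, e.g. `/* safe without rcu_read_lock(): <guarantee that keeps task_group(p) alive> */`. The commit message also speaks of checking the "enable status", whereas the line added is the full `prefer_cpus_valid()` test. The function body starts and ends outside the hunk.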
[openeuler:OLK-6.6 1609/1609] arch/x86/kvm/svm/sev.c:2198:6: warning: no previous prototype for function 'sev_install_hooks'
by kernel test robot 09 Dec '24

09 Dec '24
tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 31c4fffa86e17e8a946c944e91e7412db7f8427b commit: 0f13b8634792cff1f2fb18bf35e5a24d7a8cbf8e [1609/1609] KVM: x86: Support VM_ATTESTATION hypercall config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20241209/202412091737.uk2gKO2t-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241209/202412091737.uk2gKO2t-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412091737.uk2gKO2t-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from arch/x86/kvm/svm/sev.c:12: In file included from include/linux/kvm_host.h:16: In file included from include/linux/mm.h:2234: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | 
~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ >> arch/x86/kvm/svm/sev.c:2198:6: warning: no previous prototype for function 'sev_install_hooks' [-Wmissing-prototypes] 2198 | void sev_install_hooks(void) | ^ arch/x86/kvm/svm/sev.c:2198:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2198 | void sev_install_hooks(void) | ^ | static 6 warnings generated. -- In file included from arch/x86/kvm/svm/csv.c:10: In file included from include/linux/kvm_host.h:16: In file included from include/linux/mm.h:2234: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ 
include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ >> arch/x86/kvm/svm/csv.c:30:5: warning: no previous prototype for function 'csv_vm_attestation' [-Wmissing-prototypes] 30 | int csv_vm_attestation(struct kvm *kvm, unsigned long gpa, unsigned long len) | ^ arch/x86/kvm/svm/csv.c:30:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 30 | int csv_vm_attestation(struct kvm *kvm, unsigned long gpa, unsigned long len) | ^ | static 6 warnings generated. vim +/sev_install_hooks +2198 arch/x86/kvm/svm/sev.c 2195 2196 #ifdef CONFIG_HYGON_CSV 2197 /* Code to set all of the function and vaiable pointers */ > 2198 void sev_install_hooks(void) 2199 { 2200 hygon_kvm_hooks.sev_issue_cmd = sev_issue_cmd; 2201 hygon_kvm_hooks.get_num_contig_pages = get_num_contig_pages; 2202 hygon_kvm_hooks.sev_pin_memory = sev_pin_memory; 2203 hygon_kvm_hooks.sev_unpin_memory = sev_unpin_memory; 2204 2205 hygon_kvm_hooks.sev_hooks_installed = true; 2206 } 2207 #endif 2208 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] media: cx24116: prevent overflows on SNR calculus
by Li Nan 09 Dec '24

09 Dec '24
From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> stable inclusion from stable-v5.10.230 commit 828047c70f4716fde4b1316f7b610e97a4e83824 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVY CVE: CVE-2024-50290 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream. as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that. Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Nan <linan122(a)huawei.com> --- drivers/media/dvb-frontends/cx24116.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-frontends/cx24116.c b/drivers/media/dvb-frontends/cx24116.c index ea8264ccbb4e..191645a86550 100644 --- a/drivers/media/dvb-frontends/cx24116.c +++ b/drivers/media/dvb-frontends/cx24116.c @@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct dvb_frontend *fe, u16 *snr) { struct cx24116_state *state = fe->demodulator_priv; u8 snr_reading; + int ret; static const u32 snr_tab[] = { /* 10 x Table (rounded up) */ 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667, 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667, @@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct dvb_frontend *fe, u16 *snr) dprintk("%s()\n", __func__); - snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0); + ret = cx24116_readreg(state, CX24116_REG_QUALITY0); + if (ret < 0) + return ret; + + snr_reading = ret; if (snr_reading >= 0xa0 /* 100% */) *snr = 0xffff; -- 2.39.2
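Review bot: The new `return ret;` in `cx24116_read_snr_pct()` exits before any store to `*snr`, so after a failed register read the caller's `u16` keeps whatever it held before the call. The callers are not visible in this hunk, so it is worth confirming that they test the return code before using the value. A one-line comment above the check, e.g. `/* readreg can return a negative value; keep it in an int so it is not truncated into the u8 */`, would record why the `int` intermediate exists. Any other `cx24116_readreg()` call site in this file that stores the result straight into a narrower unsigned type would truncate the same way (not visible here). The same points apply to the identical OLK-5.10 posting of this patch further down; the function body continues past the end of the hunk.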
[PATCH OLK-5.10] media: cx24116: prevent overflows on SNR calculus
by Li Nan 09 Dec '24

09 Dec '24
From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> stable inclusion from stable-v5.10.230 commit 828047c70f4716fde4b1316f7b610e97a4e83824 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVY CVE: CVE-2024-50290 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream. as reported by Coverity, if reading SNR registers fail, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that. Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Nan <linan122(a)huawei.com> --- drivers/media/dvb-frontends/cx24116.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/media/dvb-frontends/cx24116.c b/drivers/media/dvb-frontends/cx24116.c index ea8264ccbb4e..191645a86550 100644 --- a/drivers/media/dvb-frontends/cx24116.c +++ b/drivers/media/dvb-frontends/cx24116.c @@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct dvb_frontend *fe, u16 *snr) { struct cx24116_state *state = fe->demodulator_priv; u8 snr_reading; + int ret; static const u32 snr_tab[] = { /* 10 x Table (rounded up) */ 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667, 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667, @@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct dvb_frontend *fe, u16 *snr) dprintk("%s()\n", __func__); - snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0); + ret = cx24116_readreg(state, CX24116_REG_QUALITY0); + if (ret < 0) + return ret; + + snr_reading = ret; if (snr_reading >= 0xa0 /* 100% */) *snr = 0xffff; -- 2.39.2
[PATCH OLK-5.10] mm: only enforce minimum stack gap size if it's sensible
by Liu Shixin 09 Dec '24

09 Dec '24
From: David Gow <davidgow(a)google.com> stable inclusion from stable-v5.10.227 commit 52f7cab2903959316c907441100adef85eba88a7 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB8I85 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 69b50d4351ed924f29e3d46b159e28f70dfc707f upstream. The generic mmap_base code tries to leave a gap between the top of the stack and the mmap base address, but enforces a minimum gap size (MIN_GAP) of 128MB, which is too large on some setups. In particular, on arm tasks without ADDR_LIMIT_32BIT, the STACK_TOP value is less than 128MB, so it's impossible to fit such a gap in. Only enforce this minimum if MIN_GAP < MAX_GAP, as we'd prefer to honour MAX_GAP, which is defined proportionally, so scales better and always leaves us with both _some_ stack space and some room for mmap. This fixes the usercopy KUnit test suite on 32-bit arm, as it doesn't set any personality flags so gets the default (in this case 26-bit) task size. This test can be run with: ./tools/testing/kunit/kunit.py run --arch arm usercopy --make_options LLVM=1 Link: https://lkml.kernel.org/r/20240803074642.1849623-2-davidgow@google.com Fixes: dba79c3df4a2 ("arm: use generic mmap top-down layout and brk randomization") Signed-off-by: David Gow <davidgow(a)google.com> Reviewed-by: Kees Cook <kees(a)kernel.org> Cc: Alexandre Ghiti <alex(a)ghiti.fr> Cc: Linus Walleij <linus.walleij(a)linaro.org> Cc: Luis Chamberlain <mcgrof(a)kernel.org> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Russell King <linux(a)armlinux.org.uk> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- mm/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/util.c b/mm/util.c index 63d510d39c47..b2e0ae3c65aa 100644 --- a/mm/util.c 
+++ b/mm/util.c @@ -420,7 +420,7 @@ static unsigned long mmap_base(unsigned long rnd, struct rlimit *rlim_stack) if (gap + pad > gap) gap += pad; - if (gap < MIN_GAP) + if (gap < MIN_GAP && MIN_GAP < MAX_GAP) gap = MIN_GAP; else if (gap > MAX_GAP) gap = MAX_GAP; -- 2.34.1
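Review bot: With the added `MIN_GAP < MAX_GAP` test in `mmap_base()`, a configuration where `MIN_GAP >= MAX_GAP` no longer has any floor on `gap` other than the stack rlimit plus `pad`, so the distance kept between the stack and the mmap base there is only capped from above by `MAX_GAP`. That matches the intent in the commit message, but nothing at the condition says so, and the extra comparison reads like a mistake without that context. A comment above it would keep a later cleanup from restoring the unconditional minimum, e.g. `/* MIN_GAP may not fit on small address spaces; honour the proportional MAX_GAP there */`. The function starts and ends outside the hunk.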
[PATCH OLK-6.6 0/2] fork: Return early to improve the fork performance
by Jinjie Ruan 09 Dec '24

09 Dec '24
Return early if ctx is NULL for dup_userfaultfd() or if anon_vma is NULL for anon_vma_fork(). Jinjie Ruan (2): fork: Return early if ctx is NULL for dup_userfaultfd() fork: Return early if anon_vma is NULL for anon_vma_fork() fs/userfaultfd.c | 2 -- kernel/fork.c | 17 ++++++++++++----- mm/rmap.c | 4 ---- 3 files changed, 12 insertions(+), 11 deletions(-) -- 2.34.1
[PATCH OLK-6.6] bpf: sync_linked_regs() must preserve subreg_def
by Pu Lehui 09 Dec '24

09 Dec '24
From: Eduard Zingerman <eddyz87(a)gmail.com> mainline inclusion from mainline-v6.12-rc4 commit e9bd9c498cb0f5843996dbe5cbce7a1836a83c70 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB9533 CVE: CVE-2024-53125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff 2: w1 = w0 rewrites w1 = w0 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) 4: r1 >>= 32 r11 <<= 32 (r) 5: r0 = r1 r1 |= r11 (r) 6: exit; if w0 < 0xa goto pc+0 r1 >>= 32 r0 = r1 exit (or zero extension of w1 at (2) is missing for architectures that require zero extension for upper register half). The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2) for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random value for hi32 bits of (2) (marked (r)); - this random value is read at (5). Fixes: 75748837b7e5 ("bpf: Propagate scalar ranges through register assignments.") Reported-by: Lonial Con <kongln9170(a)gmail.com> Signed-off-by: Lonial Con <kongln9170(a)gmail.com> Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> 
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Daniel Borkmann <daniel(a)iogearbox.net> Closes: https://lore.kernel.org/bpf/7e2aa30a62d740db182c170fdd8f81c596df280d.camel@… Link: https://lore.kernel.org/bpf/20240924210844.1758441-1-eddyz87@gmail.com Conflicts: kernel/bpf/verifier.c [The conflicts were due to not merge commit 98d7ca374ba4 and 4bf79f9be434e] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/verifier.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 4e3f3ce2abdd..8fa7b37152c0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -14551,8 +14551,12 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, struct bpf_reg_state *reg; bpf_for_each_reg_in_vstate(vstate, state, reg, ({ - if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) + if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) { + s32 saved_subreg_def = reg->subreg_def; + copy_register_state(reg, known_reg); + reg->subreg_def = saved_subreg_def; + } })); } -- 2.34.1
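Review bot: The save and restore of `reg->subreg_def` around `copy_register_state()` in `find_equal_scalars()` carries no comment, and without the commit message the three lines look like a redundant round-trip that a later cleanup could drop, reintroducing CVE-2024-53125. A short comment inside the new block would prevent that, e.g. `/* range propagation must not overwrite reg's own subreg_def (zero-extension tracking) */`. The subject names `sync_linked_regs()` while the function patched in this tree is `find_equal_scalars()`, which makes the backport harder to match against mainline when auditing. The same comment applies to the OLK-5.10 and openEuler-22.03-LTS-SP1 postings of this patch below; the function starts outside the hunk.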
[PATCH OLK-5.10] bpf: sync_linked_regs() must preserve subreg_def
by Pu Lehui 09 Dec '24

09 Dec '24
From: Eduard Zingerman <eddyz87(a)gmail.com> mainline inclusion from mainline-v6.12-rc4 commit e9bd9c498cb0f5843996dbe5cbce7a1836a83c70 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB9533 CVE: CVE-2024-53125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff 2: w1 = w0 rewrites w1 = w0 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) 4: r1 >>= 32 r11 <<= 32 (r) 5: r0 = r1 r1 |= r11 (r) 6: exit; if w0 < 0xa goto pc+0 r1 >>= 32 r0 = r1 exit (or zero extension of w1 at (2) is missing for architectures that require zero extension for upper register half). The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2) for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random value for hi32 bits of (2) (marked (r)); - this random value is read at (5). Fixes: 75748837b7e5 ("bpf: Propagate scalar ranges through register assignments.") Reported-by: Lonial Con <kongln9170(a)gmail.com> Signed-off-by: Lonial Con <kongln9170(a)gmail.com> Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> 
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Daniel Borkmann <daniel(a)iogearbox.net> Closes: https://lore.kernel.org/bpf/7e2aa30a62d740db182c170fdd8f81c596df280d.camel@… Link: https://lore.kernel.org/bpf/20240924210844.1758441-1-eddyz87@gmail.com Conflicts: kernel/bpf/verifier.c [The conflicts were due to not merge commit 98d7ca374ba4 and 4bf79f9be434e] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/verifier.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 46ae1861d385..642746168b33 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -8394,8 +8394,12 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, struct bpf_reg_state *reg; bpf_for_each_reg_in_vstate(vstate, state, reg, ({ - if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) + if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) { + s32 saved_subreg_def = reg->subreg_def; + copy_register_state(reg, known_reg); + reg->subreg_def = saved_subreg_def; + } })); } -- 2.34.1
[PATCH openEuler-22.03-LTS-SP1] bpf: sync_linked_regs() must preserve subreg_def
by Pu Lehui 09 Dec '24

09 Dec '24
From: Eduard Zingerman <eddyz87(a)gmail.com> mainline inclusion from mainline-v6.12-rc4 commit e9bd9c498cb0f5843996dbe5cbce7a1836a83c70 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB9533 CVE: CVE-2024-53125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Range propagation must not affect subreg_def marks, otherwise the following example is rewritten by verifier incorrectly when BPF_F_TEST_RND_HI32 flag is set: 0: call bpf_ktime_get_ns call bpf_ktime_get_ns 1: r0 &= 0x7fffffff after verifier r0 &= 0x7fffffff 2: w1 = w0 rewrites w1 = w0 3: if w0 < 10 goto +0 --------------> r11 = 0x2f5674a6 (r) 4: r1 >>= 32 r11 <<= 32 (r) 5: r0 = r1 r1 |= r11 (r) 6: exit; if w0 < 0xa goto pc+0 r1 >>= 32 r0 = r1 exit (or zero extension of w1 at (2) is missing for architectures that require zero extension for upper register half). The following happens w/o this patch: - r0 is marked as not a subreg at (0); - w1 is marked as subreg at (2); - w1 subreg_def is overridden at (3) by copy_register_state(); - w1 is read at (5) but mark_insn_zext() does not mark (2) for zero extension, because w1 subreg_def is not set; - because of BPF_F_TEST_RND_HI32 flag verifier inserts random value for hi32 bits of (2) (marked (r)); - this random value is read at (5). Fixes: 75748837b7e5 ("bpf: Propagate scalar ranges through register assignments.") Reported-by: Lonial Con <kongln9170(a)gmail.com> Signed-off-by: Lonial Con <kongln9170(a)gmail.com> Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> 
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Daniel Borkmann <daniel(a)iogearbox.net> Closes: https://lore.kernel.org/bpf/7e2aa30a62d740db182c170fdd8f81c596df280d.camel@… Link: https://lore.kernel.org/bpf/20240924210844.1758441-1-eddyz87@gmail.com Conflicts: kernel/bpf/verifier.c [The conflicts were due to not merge commit 98d7ca374ba4 and 4bf79f9be434e] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/verifier.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index c1a03ab632bb..91c33601021d 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -8010,15 +8010,23 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate, state = vstate->frame[i]; for (j = 0; j < MAX_BPF_REG; j++) { reg = &state->regs[j]; - if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) + if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) { + s32 saved_subreg_def = reg->subreg_def; + *reg = *known_reg; + reg->subreg_def = saved_subreg_def; + } } bpf_for_each_spilled_reg(j, state, reg) { if (!reg) continue; - if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) + if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) { + s32 saved_subreg_def = reg->subreg_def; + *reg = *known_reg; + reg->subreg_def = saved_subreg_def; + } } } } -- 2.34.1
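Review bot: The save / struct-copy / restore sequence is written out twice in this backport, once in the `MAX_BPF_REG` loop and once under `bpf_for_each_spilled_reg()`, so any later change to what must survive the copy has to be made in both places or the two paths diverge. A small static helper called from both branches would keep them identical. The helper name below is only a suggestion, and `known_reg`'s exact type comes from the signature, which is cut off in the hunk header. The function starts outside the hunk.

```c
/* Propagate known_reg's state but keep reg's own subreg_def mark. */
static void copy_scalar_keep_subreg_def(struct bpf_reg_state *reg,
					const struct bpf_reg_state *known_reg)
{
	s32 saved_subreg_def = reg->subreg_def;

	*reg = *known_reg;
	reg->subreg_def = saved_subreg_def;
}

/* … unchanged: frame loop and MAX_BPF_REG loop header … */
			if (reg->type == SCALAR_VALUE && reg->id == known_reg->id)
				copy_scalar_keep_subreg_def(reg, known_reg);
/* … unchanged: bpf_for_each_spilled_reg() header and NULL check … */
			if (reg->type == SCALAR_VALUE && reg->id == known_reg->id)
				copy_scalar_keep_subreg_def(reg, known_reg);
```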
[openeuler:OLK-6.6 1610/1610] drivers/crypto/ccp/hygon/tdm-dev.c:340:40: error: incomplete definition of type 'struct module'
by kernel test robot 09 Dec '24

09 Dec '24
Hi chench00, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 31c4fffa86e17e8a946c944e91e7412db7f8427b commit: a1dd4972da4e66d9a9d1a89b3dfd8f742c20193b [1610/1610] crypto: tdm: Add Hygon TDM driver config: x86_64-buildonly-randconfig-005-20241209 (https://download.01.org/0day-ci/archive/20241209/202412091416.tF5xTUAU-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241209/202412091416.tF5xTUAU-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412091416.tF5xTUAU-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from drivers/crypto/ccp/hygon/tdm-dev.c:21: In file included from include/linux/kfifo.h:42: In file included from include/linux/scatterlist.h:8: In file included from include/linux/mm.h:2242: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum 
zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ drivers/crypto/ccp/hygon/tdm-dev.c:94:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable] 94 | int ret = 0; | ^ >> drivers/crypto/ccp/hygon/tdm-dev.c:340:40: error: incomplete definition of type 'struct module' 340 | memcpy(ctx_msg.module_name, p_module->name, sizeof(p_module->name)); | ~~~~~~~~^ arch/x86/include/asm/alternative.h:103:8: note: forward declaration of 'struct module' 103 | struct module; | ^ drivers/crypto/ccp/hygon/tdm-dev.c:340:63: error: incomplete definition of type 'struct module' 340 | memcpy(ctx_msg.module_name, p_module->name, sizeof(p_module->name)); | ~~~~~~~~^ arch/x86/include/asm/alternative.h:103:8: note: forward declaration of 'struct module' 103 | struct module; | ^ drivers/crypto/ccp/hygon/tdm-dev.c:606:20: warning: variable 'head' set but not used [-Wunused-but-set-variable] 606 | struct list_head *head = NULL; | ^ 7 warnings and 2 errors generated. 
vim +340 drivers/crypto/ccp/hygon/tdm-dev.c 323 324 if (!hash) { 325 ret = -DYN_NULL_POINTER; 326 pr_err("Null pointer\n"); 327 goto end; 328 } 329 330 ctx_msg.flag = flag; 331 ctx_msg.pid = current->pid; 332 memcpy(ctx_msg.comm, current->comm, sizeof(current->comm)); 333 334 return_address = CALLER_ADDR1; 335 if (return_address) { 336 #if IS_BUILTIN(CONFIG_CRYPTO_DEV_CCP_DD) 337 p_module = __module_address(return_address); 338 // caller is module 339 if (p_module) > 340 memcpy(ctx_msg.module_name, p_module->name, sizeof(p_module->name)); 341 // caller is build-in 342 else 343 memset(ctx_msg.module_name, 0, sizeof(ctx_msg.module_name)); 344 #elif IS_ENABLED(CONFIG_KALLSYMS) 345 symbol_len = sprint_symbol((char *)symbol_buf, return_address); 346 if (!symbol_len) { 347 ret = -DYN_ERR_API; 348 pr_err("sprint_symbol failed\n"); 349 goto end; 350 } 351 symbol_begin = strchr((char *)symbol_buf, '['); 352 if (!symbol_begin) { 353 ret = -DYN_NULL_POINTER; 354 pr_err("module name is not exist\n"); 355 goto end; 356 } 357 symbol_end = strchr((char *)symbol_buf, ']'); 358 if (!symbol_end) { 359 ret = -DYN_NULL_POINTER; 360 pr_err("module name is not exist\n"); 361 goto end; 362 } 363 symbol_begin++; 364 if (symbol_end - symbol_begin) 365 memcpy(ctx_msg.module_name, symbol_begin, symbol_end - symbol_begin); 366 else 367 memset(ctx_msg.module_name, 0, sizeof(ctx_msg.module_name)); 368 #else 369 memset(ctx_msg.module_name, 0, sizeof(ctx_msg.module_name)); 370 #endif 371 } else 372 memset(ctx_msg.module_name, 0, sizeof(ctx_msg.module_name)); 373 374 ret = calc_task_context_hash(ctx_msg, hash); 375 if (ret) { 376 pr_err("calc_task_context_hash failed\n"); 377 goto end; 378 } 379 380 end: 381 return ret; 382 } 383 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki