kernel@openeuler.org

  • 58 participants
  • 18335 discussions
[openeuler:OLK-5.10 2601/2601] drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast to restricted __le16
by kernel test robot 04 Jan '25

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   d51fb86ce6a3a3e59d7cba58738b63903b8cb37c
commit: 661b972e802c8e252911361538651db906c084bb [2601/2601] vdpa: Introduce query of device config layout
config: x86_64-randconfig-121-20241228 (https://download.01.org/0day-ci/archive/20250104/202501040206.QD8GJyq4-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250104/202501040206.QD8GJyq4-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501040206.QD8GJyq4-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast to restricted __le16
>> drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast from restricted __virtio16
   drivers/vdpa/vdpa.c:775:19: sparse: sparse: cast to restricted __le16
   drivers/vdpa/vdpa.c:775:19: sparse: sparse: cast from restricted __virtio16
   drivers/vdpa/vdpa.c:779:19: sparse: sparse: cast to restricted __le16
   drivers/vdpa/vdpa.c:779:19: sparse: sparse: cast from restricted __virtio16

vim +759 drivers/vdpa/vdpa.c

   749	
   750	static int vdpa_dev_net_mq_config_fill(struct vdpa_device *vdev,
   751					       struct sk_buff *msg, u64 features,
   752					       const struct virtio_net_config *config)
   753	{
   754		u16 val_u16;
   755	
   756		if ((features & (1ULL << VIRTIO_NET_F_MQ)) == 0)
   757			return 0;
   758	
 > 759		val_u16 = le16_to_cpu(config->max_virtqueue_pairs);
   760		return nla_put_u16(msg, VDPA_ATTR_DEV_NET_CFG_MAX_VQP, val_u16);
   761	}
   762	

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1693/1693] fs/jffs2/jffs2.o: warning: objtool: .text.jffs2_erase_pending_blocks: unexpected end of section
by kernel test robot 03 Jan '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 349fde599db65d4827820ef6553e3f9ee75b8c7c [1693/1693] arch: enable HAS_LTO_CLANG with KASAN and KCOV
config: x86_64-randconfig-103-20250103 (https://download.01.org/0day-ci/archive/20250103/202501032202.oO79Fo9u-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250103/202501032202.oO79Fo9u-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501032202.oO79Fo9u-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> fs/jffs2/jffs2.o: warning: objtool: .text.jffs2_erase_pending_blocks: unexpected end of section

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1693/1693] arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 03 Jan '25

Hi Song,

First bad commit (maybe != root cause):

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 031d5914323febe9668956dfa7fe8443b7dc597c [1693/1693] LoongArch: KVM: Add PMU support for guest
config: loongarch-randconfig-r112-20250103 (https://download.01.org/0day-ci/archive/20250103/202501032224.CjyqUkQC-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.2.0
reproduce: (https://download.01.org/0day-ci/archive/20250103/202501032224.CjyqUkQC-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501032224.CjyqUkQC-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   arch/loongarch/kvm/vcpu.c:17:49: sparse: sparse: array of flexible structures
   arch/loongarch/kvm/vcpu.c: note: in included file:
   include/linux/kvm_host.h:2045:56: sparse: sparse: array of flexible structures
   arch/loongarch/kvm/vcpu.c:104:15: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:106:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:124:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse:     got int [noderef] __percpu *
   arch/loongarch/kvm/vcpu.c:290:42: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:1442:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/kvm/vcpu.c:1529:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:1578:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:1671:42: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:40:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:41:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:42:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:43:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:44:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:45:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:46:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:47:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:55:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:56:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:57:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:58:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:59:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:60:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:61:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:62:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c: note: in included file (through arch/loongarch/include/asm/loongarch.h, arch/loongarch/include/asm/cpu-info.h, ...):
   ../lib/gcc/loongarch64-linux/14.2.0/include/larchintrin.h:107:10: sparse: sparse: undefined identifier '__builtin_loongarch_cpucfg'
   arch/loongarch/kvm/vcpu.c: note: in included file (through arch/loongarch/include/asm/cpu-info.h, arch/loongarch/include/asm/processor.h, ...):
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_w'
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_w'
   arch/loongarch/kvm/vcpu.c: note: in included file (through arch/loongarch/kvm/trace.h):
   arch/loongarch/include/asm/kvm_csr.h:167:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/include/asm/kvm_csr.h:167:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c: note: in included file:
   arch/loongarch/include/asm/fpu.h:76:17: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/include/asm/fpu.h:85:17: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'

vim +224 arch/loongarch/kvm/vcpu.c

3ec7320b0a2844 Tianrui Zhao 2023-10-02  221  
3f5dde7efb48ae Bibo Mao     2024-07-09  222  static void kvm_late_check_requests(struct kvm_vcpu *vcpu)
3f5dde7efb48ae Bibo Mao     2024-07-09  223  {
3f5dde7efb48ae Bibo Mao     2024-07-09 @224  	lockdep_assert_irqs_disabled();
3f5dde7efb48ae Bibo Mao     2024-07-09  225  	if (kvm_check_request(KVM_REQ_TLB_FLUSH_GPA, vcpu))
3f5dde7efb48ae Bibo Mao     2024-07-09  226  		if (vcpu->arch.flush_gpa != INVALID_GPA) {
3f5dde7efb48ae Bibo Mao     2024-07-09  227  			kvm_flush_tlb_gpa(vcpu, vcpu->arch.flush_gpa);
3f5dde7efb48ae Bibo Mao     2024-07-09  228  			vcpu->arch.flush_gpa = INVALID_GPA;
3f5dde7efb48ae Bibo Mao     2024-07-09  229  		}
3f5dde7efb48ae Bibo Mao     2024-07-09  230  }
3f5dde7efb48ae Bibo Mao     2024-07-09  231  

:::::: The code at line 224 was first introduced by commit
:::::: 3f5dde7efb48ae2725aebecfbd47aacfa3def181 LoongArch: KVM: Delay secondary mmu tlb flush until guest entry

:::::: TO: Bibo Mao <maobibo(a)loongson.cn>
:::::: CC: Xianglai Li <lixianglai(a)loongson.cn>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1693/1693] arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 03 Jan '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 3f5dde7efb48ae2725aebecfbd47aacfa3def181 [1693/1693] LoongArch: KVM: Delay secondary mmu tlb flush until guest entry
config: loongarch-randconfig-r112-20250103 (https://download.01.org/0day-ci/archive/20250103/202501032032.1nlRwHlW-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.2.0
reproduce: (https://download.01.org/0day-ci/archive/20250103/202501032032.1nlRwHlW-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501032032.1nlRwHlW-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void *ptr @@     got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse:     expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse:     got int [noderef] __percpu *
   arch/loongarch/kvm/tlb.c:28:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'

vim +26 arch/loongarch/kvm/tlb.c

    23	
    24	void kvm_flush_tlb_gpa(struct kvm_vcpu *vcpu, unsigned long gpa)
    25	{
  > 26		lockdep_assert_irqs_disabled();

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] [Backport] btrfs: fix use-after-free in btrfs_encoded_read_endio()
by Yongjian Sun 03 Jan '25

From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com>

mainline inclusion
from mainline-v6.12-rc3
commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOP
CVE: CVE-2024-56582

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Shinichiro reported the following use-after free that sometimes is
happening in our CI system when running fstests' btrfs/284 on a TCMU
runner device:

  BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
  Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219

  CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15
  Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x6e/0xa0
   ? lock_release+0x708/0x780
   print_report+0x174/0x505
   ? lock_release+0x708/0x780
   ? __virt_addr_valid+0x224/0x410
   ? lock_release+0x708/0x780
   kasan_report+0xda/0x1b0
   ? lock_release+0x708/0x780
   ? __wake_up+0x44/0x60
   lock_release+0x708/0x780
   ? __pfx_lock_release+0x10/0x10
   ? __pfx_do_raw_spin_lock+0x10/0x10
   ? lock_is_held_type+0x9a/0x110
   _raw_spin_unlock_irqrestore+0x1f/0x60
   __wake_up+0x44/0x60
   btrfs_encoded_read_endio+0x14b/0x190 [btrfs]
   btrfs_check_read_bio+0x8d9/0x1360 [btrfs]
   ? lock_release+0x1b0/0x780
   ? trace_lock_acquire+0x12f/0x1a0
   ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]
   ? process_one_work+0x7e3/0x1460
   ? lock_acquire+0x31/0xc0
   ? process_one_work+0x7e3/0x1460
   process_one_work+0x85c/0x1460
   ? __pfx_process_one_work+0x10/0x10
   ? assign_work+0x16c/0x240
   worker_thread+0x5e6/0xfc0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x2c3/0x3a0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x70
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

  Allocated by task 3661:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0xaa/0xb0
   btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]
   send_extent_data+0xf0f/0x24a0 [btrfs]
   process_extent+0x48a/0x1830 [btrfs]
   changed_cb+0x178b/0x2ea0 [btrfs]
   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
   _btrfs_ioctl_send+0x117/0x330 [btrfs]
   btrfs_ioctl+0x184a/0x60a0 [btrfs]
   __x64_sys_ioctl+0x12e/0x1a0
   do_syscall_64+0x95/0x180
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

  Freed by task 3661:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   kasan_save_free_info+0x3b/0x70
   __kasan_slab_free+0x4f/0x70
   kfree+0x143/0x490
   btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]
   send_extent_data+0xf0f/0x24a0 [btrfs]
   process_extent+0x48a/0x1830 [btrfs]
   changed_cb+0x178b/0x2ea0 [btrfs]
   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
   _btrfs_ioctl_send+0x117/0x330 [btrfs]
   btrfs_ioctl+0x184a/0x60a0 [btrfs]
   __x64_sys_ioctl+0x12e/0x1a0
   do_syscall_64+0x95/0x180
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

  The buggy address belongs to the object at ffff888106a83f00
   which belongs to the cache kmalloc-rnd-07-96 of size 96
  The buggy address is located 24 bytes inside of
   freed 96-byte region [ffff888106a83f00, ffff888106a83f60)

  The buggy address belongs to the physical page:
  page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83
  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
  page_type: f5(slab)
  raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004
  raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000
  page dumped because: kasan: bad access detected

  Memory state around the buggy address:
   ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
   ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
  >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                              ^
   ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
   ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ==================================================================

Further analyzing the trace and the crash dump's vmcore file shows that
the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on
the wait_queue that is in the private data passed to the end_io handler.

Commit 4ff47df40447 ("btrfs: move priv off stack in
btrfs_encoded_read_regular_fill_pages()") moved 'struct
btrfs_encoded_read_private' off the stack.

Before that commit one can see a corruption of the private data when
analyzing the vmcore after a crash:

  *(struct btrfs_encoded_read_private *)0xffff88815626eec8 = {
    .wait = (wait_queue_head_t){
      .lock = (spinlock_t){
        .rlock = (struct raw_spinlock){
          .raw_lock = (arch_spinlock_t){
            .val = (atomic_t){
              .counter = (int)-2005885696,
            },
            .locked = (u8)0,
            .pending = (u8)157,
            .locked_pending = (u16)40192,
            .tail = (u16)34928,
          },
          .magic = (unsigned int)536325682,
          .owner_cpu = (unsigned int)29,
          .owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0,
          .dep_map = (struct lockdep_map){
            .key = (struct lock_class_key *)0xffff8881575a3b6c,
            .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
            .name = (const char *)0xffff88815626f100 = "",
            .wait_type_outer = (u8)37,
            .wait_type_inner = (u8)178,
            .lock_type = (u8)154,
          },
        },
        .__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 },
        .dep_map = (struct lockdep_map){
          .key = (struct lock_class_key *)0xffff8881575a3b6c,
          .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
          .name = (const char *)0xffff88815626f100 = "",
          .wait_type_outer = (u8)37,
          .wait_type_inner = (u8)178,
          .lock_type = (u8)154,
        },
      },
      .head = (struct list_head){
        .next = (struct list_head *)0x112cca,
        .prev = (struct list_head *)0x47,
      },
    },
    .pending = (atomic_t){
      .counter = (int)-1491499288,
    },
    .status = (blk_status_t)130,
  }

Here we can see several indicators of in-memory data corruption, e.g.
the large negative atomic values of ->pending or ->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic 0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus pointer values for ->wait->head. To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the corruption, as atomic_dec_return() is defined as two instructions on x86_64, whereas atomic_dec_and_test() is defined as a single atomic operation. This can lead to a situation where counter value is already decremented but the if statement in btrfs_encoded_read_endio() is not completely processed, i.e. the 0 test has not completed. If another thread continues executing btrfs_encoded_read_regular_fill_pages() the atomic_dec_return() there can see an already updated ->pending counter and continues by freeing the private data. Continuing in the endio handler the test for 0 succeeds and the wait_queue is woken up, resulting in a use-after-free. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Suggested-by: Damien Le Moal <Damien.LeMoal(a)wdc.com> Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sun Yongjian <sunyongjian1(a)huawei.com> --- fs/btrfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index fae45b8d485e..1511405abfe0 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9974,7 +9974,7 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (!atomic_dec_return(&priv->pending)) + if (!atomic_dec_and_test(&priv->pending)) wake_up(&priv->wait); bio_put(&bbio->bio); } -- 2.39.2
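
Review bot: in btrfs_encoded_read_endio() the replacement line keeps the leading '!', so the condition now reads 'if (!atomic_dec_and_test(&priv->pending))'. atomic_dec_return() returns the new counter value, while atomic_dec_and_test() returns true when the decremented value is zero, so the equivalent of the removed '!atomic_dec_return(...)' is 'atomic_dec_and_test(...)' without the negation. As posted, wake_up(&priv->wait) runs for every completion that leaves the counter non-zero and is skipped for the last one, which is the only one the waiter depends on. Drop the '!' so the line is 'if (atomic_dec_and_test(&priv->pending))' and compare the hunk against the referenced mainline commit before this is merged.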
[PATCH openEuler-22.03-LTS-SP1] [Backport] jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
by Yongjian Sun 03 Jan '25

From: Nihar Chaithanya <niharchaithanya(a)gmail.com> mainline inclusion from mainline-v6.12-rc3 commit a174706ba4dad895c40b1d2277bade16dfacdcd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOK CVE: CVE-2024-56595 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. Reported-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 Tested-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Signed-off-by: Nihar Chaithanya <niharchaithanya(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sun Yongjian <sunyongjian1(a)huawei.com> --- fs/jfs/jfs_dmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 24bd3591c8e0..5ecd79e5c74b 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2945,6 +2945,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) /* bubble the new value up the tree as required. */ for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { + if (lp == 0) + break; + /* get the index of the first leaf of the 4 leaf * group containing the specified leaf (leafno). */ -- 2.39.2
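
Review bot: the new 'if (lp == 0) break;' at the top of the for loop in dbAdjTree() has no comment, and the reason for it exists only in the changelog. Add a one-line comment above the check saying that an lp of 0 would go negative in the assignment that follows, so a later reader does not take the early exit for dead code and remove it.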
[PATCH OLK-5.10] [Backport] jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
by Yongjian Sun 03 Jan '25

From: Nihar Chaithanya <niharchaithanya(a)gmail.com> mainline inclusion from mainline-v6.12-rc3 commit a174706ba4dad895c40b1d2277bade16dfacdcd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOK CVE: CVE-2024-56595 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. Reported-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 Tested-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Signed-off-by: Nihar Chaithanya <niharchaithanya(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sun Yongjian <sunyongjian1(a)huawei.com> --- fs/jfs/jfs_dmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index bf1f3d4d23f2..aa72e09d4be8 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2955,6 +2955,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) /* bubble the new value up the tree as required. */ for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { + if (lp == 0) + break; + /* get the index of the first leaf of the 4 leaf * group containing the specified leaf (leafno). */ -- 2.39.2
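
Review bot: the 'if (lp == 0) break;' added inside the for loop ends the walk silently, and dbAdjTree() returns void, so a caller cannot tell a walk that stopped at lp == 0 while k was still below dmt_height from one that ran to completion. Say in the changelog whether that state can occur on a consistent tree; if it only arises from a damaged dmap, reporting it at this point would serve an administrator better than a bare break.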
[PATCH openEuler-22.03-LTS-SP1] io_uring: check for overflows in io_pin_pages
by Long Li 03 Jan '25

From: Pavel Begunkov <asml.silence(a)gmail.com> mainline inclusion from mainline-v6.10-rc2 commit 0c0a4eae26ac78379d0c1db053de168a8febc6c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFR CVE: CVE-2024-53187 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace: <TASK> __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183 io_rings_map io_uring/io_uring.c:2611 [inline] io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470 io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692 io_uring_setup io_uring/io_uring.c:3781 [inline] ... </TASK> io_pin_pages()'s uaddr parameter came directly from the user and can be garbage. Don't just add size to it as it can overflow. Cc: stable(a)vger.kernel.org Reported-by: syzbot+2159cbb522b02847c053(a)syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com> Link: https://lore.kernel.org/r/1b7520ddb168e1d537d64be47414a0629d0d8f8f.17325810… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c io_uring/memmap.c [Conflicts due to d8c2237d0aa9 ("io_uring: add io_pin_pages() helper")] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- io_uring/io_uring.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 4d69fb4cf803..c048cd9f531f 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -8690,7 +8690,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, struct io_mapped_ubuf *imu = NULL; struct vm_area_struct **vmas = NULL; struct page **pages = NULL; - unsigned long off, start, end, ubuf; + unsigned long off, start, end, ubuf, len; size_t size; int ret, pret, nr_pages, i; 
@@ -8700,7 +8700,13 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, } ubuf = (unsigned long) iov->iov_base; - end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT; + len = (unsigned long) iov->iov_len; + if (check_add_overflow(ubuf, len, &end)) + return -EOVERFLOW; + if (check_add_overflow(end, PAGE_SIZE - 1, &end)) + return -EOVERFLOW; + + end = end >> PAGE_SHIFT; start = ubuf >> PAGE_SHIFT; nr_pages = end - start; -- 2.39.2
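
Review bot: in the second hunk of io_sqe_buffer_register(), 'end' holds three different things in turn: the byte address ubuf + len, that address plus PAGE_SIZE - 1, and only after 'end = end >> PAGE_SHIFT;' the page index that 'nr_pages = end - start' expects. Reusing one variable across two units makes it easy for a later change to read it at the wrong stage; a separate temporary for the byte sum would keep 'end' a page index throughout. The two 'return -EOVERFLOW;' statements also leave the function directly, so confirm that nothing acquired earlier in the function needs its cleanup path at that point.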
[PATCH OLK-5.10] io_uring: check for overflows in io_pin_pages
by Long Li 03 Jan '25

From: Pavel Begunkov <asml.silence(a)gmail.com> mainline inclusion from mainline-v6.10-rc2 commit 0c0a4eae26ac78379d0c1db053de168a8febc6c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFR CVE: CVE-2024-53187 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace: <TASK> __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183 io_rings_map io_uring/io_uring.c:2611 [inline] io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470 io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692 io_uring_setup io_uring/io_uring.c:3781 [inline] ... </TASK> io_pin_pages()'s uaddr parameter came directly from the user and can be garbage. Don't just add size to it as it can overflow. Cc: stable(a)vger.kernel.org Reported-by: syzbot+2159cbb522b02847c053(a)syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com> Link: https://lore.kernel.org/r/1b7520ddb168e1d537d64be47414a0629d0d8f8f.17325810… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c io_uring/memmap.c [Conflicts due to d8c2237d0aa9 ("io_uring: add io_pin_pages() helper")] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- io_uring/io_uring.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 6e5e00a7692c..a7e52a8b0b5f 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -8886,7 +8886,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, struct io_mapped_ubuf *imu = NULL; struct vm_area_struct **vmas = NULL; struct page **pages = NULL; - unsigned long off, start, end, ubuf; + unsigned long off, start, end, ubuf, len; size_t size; int ret, pret, nr_pages, i; 
@@ -8896,7 +8896,13 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, } ubuf = (unsigned long) iov->iov_base; - end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT; + len = (unsigned long) iov->iov_len; + if (check_add_overflow(ubuf, len, &end)) + return -EOVERFLOW; + if (check_add_overflow(end, PAGE_SIZE - 1, &end)) + return -EOVERFLOW; + + end = end >> PAGE_SHIFT; start = ubuf >> PAGE_SHIFT; nr_pages = end - start; -- 2.39.2
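Review bot: in the second hunk of io_sqe_buffer_register(), the new checks stop `end` from wrapping, but the unchanged context line `nr_pages = end - start;` still stores an unsigned long difference in `nr_pages`, which the first hunk's context declares as `int`. A large `iov->iov_len` that does not wrap can still truncate there unless the length is bounded earlier in the function, which this diff does not show; please confirm that bound exists or add an explicit range check next to the new ones. Separately, the call trace in the commit message reaches io_pin_pages() through __io_uaddr_map() during ring setup, while this backport only touches the buffer registration path, and the Conflicts note lists io_uring/memmap.c although the diffstat changes only io_uring/io_uring.c; the message should say why no other uaddr + size computation in this tree needs the same check. Minor style point: `end = end >> PAGE_SHIFT;` can be written `end >>= PAGE_SHIFT;`.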
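The overflow described in the commit message above, as an added userspace example (not code from the patch or the kernel tree): it compares the unchecked page-span arithmetic with the checked form. The function names, the 4 KiB page size and the sample addresses are assumptions made for the illustration, and __builtin_add_overflow() stands in for the kernel's check_add_overflow().

```c
/* Added example: userspace model of the page-span arithmetic, not kernel code. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

#define PAGE_SHIFT 12                   /* assumed 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Pre-fix arithmetic: every addition may wrap silently. */
static unsigned long span_unchecked(unsigned long ubuf, unsigned long len)
{
	unsigned long end = (ubuf + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
	unsigned long start = ubuf >> PAGE_SHIFT;

	return end - start;
}

/* Post-fix arithmetic: reject the request as soon as an addition wraps.
 * __builtin_add_overflow() stands in for the kernel's check_add_overflow(). */
static int span_checked(unsigned long ubuf, unsigned long len,
			unsigned long *nr_pages)
{
	unsigned long end;

	if (__builtin_add_overflow(ubuf, len, &end))
		return -EOVERFLOW;
	if (__builtin_add_overflow(end, PAGE_SIZE - 1, &end))
		return -EOVERFLOW;

	*nr_pages = (end >> PAGE_SHIFT) - (ubuf >> PAGE_SHIFT);
	return 0;
}

int main(void)
{
	/* Constructed inputs: a sane buffer and one whose end wraps past ULONG_MAX. */
	unsigned long sane = 0x10001234UL, wrap = ULONG_MAX - (PAGE_SIZE - 1);
	unsigned long nr = 0;
	int ret;

	ret = span_checked(sane, 0x3000, &nr);
	printf("sane: unchecked=%lu checked ret=%d nr=%lu\n",
	       span_unchecked(sane, 0x3000), ret, nr);
	ret = span_checked(wrap, 0x2000, &nr);
	printf("wrap: unchecked=%#lx checked ret=%d\n",
	       span_unchecked(wrap, 0x2000), ret);
	return 0;
}
```

For the wrapping input the unchecked form returns a page count far larger than the two pages the length could cover, while the checked form fails with -EOVERFLOW before any count is produced.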
[openeuler:OLK-6.6 1693/1693] drivers/gpu/drm/loongson/ast_old/ast_mode.c:746:19: sparse: sparse: cast removes address space '__iomem' of expression
by kernel test robot 03 Jan '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 2815e6db6a7a2f0759dfc574e28b3b807a1a3377 [1693/1693] drm/loongson: use old version of ast driver for LoongArch platform
config: loongarch-randconfig-r112-20250103 (https://download.01.org/0day-ci/archive/20250103/202501031900.rHaRpOIu-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.2.0
reproduce: (https://download.01.org/0day-ci/archive/20250103/202501031900.rHaRpOIu-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501031900.rHaRpOIu-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/gpu/drm/loongson/ast_old/ast_mode.c:746:19: sparse: sparse: cast removes address space '__iomem' of expression
>> drivers/gpu/drm/loongson/ast_old/ast_mode.c:746:16: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected unsigned char [noderef] [usertype] __iomem *dstxor @@ got unsigned char [usertype] * @@
   drivers/gpu/drm/loongson/ast_old/ast_mode.c:746:16: sparse: expected unsigned char [noderef] [usertype] __iomem *dstxor
   drivers/gpu/drm/loongson/ast_old/ast_mode.c:746:16: sparse: got unsigned char [usertype] *
   drivers/gpu/drm/loongson/ast_old/ast_mode.c: note: in included file (through arch/loongarch/include/asm/cpu-info.h, arch/loongarch/include/asm/processor.h, ...):
   arch/loongarch/include/asm/loongarch.h:1136:16: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'

vim +/__iomem +746 drivers/gpu/drm/loongson/ast_old/ast_mode.c

   719	
   720	/*
   721	 * Cursor plane
   722	 */
   723	
   724	static void ast_update_cursor_image(u8 __iomem *dst, const u8 *src, int width,
   725					    int height)
   726	{
   727		union {
   728			u32 ul;
   729			u8 b[4];
   730		} srcdata32[2], data32;
   731		union {
   732			u16 us;
   733			u8 b[2];
   734		} data16;
   735		u32 csum = 0;
   736		s32 alpha_dst_delta, last_alpha_dst_delta;
   737		u8 __iomem *dstxor;
   738		const u8 *srcxor;
   739		int i, j;
   740		u32 per_pixel_copy, two_pixel_copy;
   741	
   742		alpha_dst_delta = AST_MAX_HWC_WIDTH << 1;
   743		last_alpha_dst_delta = alpha_dst_delta - (width << 1);
   744	
   745		srcxor = src;
 > 746		dstxor = (u8 *)dst + last_alpha_dst_delta +
   747			 (AST_MAX_HWC_HEIGHT - height) * alpha_dst_delta;
   748		per_pixel_copy = width & 1;
   749		two_pixel_copy = width >> 1;
   750	
   751		for (j = 0; j < height; j++) {
   752			for (i = 0; i < two_pixel_copy; i++) {
   753				srcdata32[0].ul = *((u32 *)srcxor) & 0xf0f0f0f0;
   754				srcdata32[1].ul = *((u32 *)(srcxor + 4)) & 0xf0f0f0f0;
   755				data32.b[0] = srcdata32[0].b[1] |
   756					      (srcdata32[0].b[0] >> 4);
   757				data32.b[1] = srcdata32[0].b[3] |
   758					      (srcdata32[0].b[2] >> 4);
   759				data32.b[2] = srcdata32[1].b[1] |
   760					      (srcdata32[1].b[0] >> 4);
   761				data32.b[3] = srcdata32[1].b[3] |
   762					      (srcdata32[1].b[2] >> 4);
   763	
   764				writel(data32.ul, dstxor);
   765				csum += data32.ul;
   766	
   767				dstxor += 4;
   768				srcxor += 8;
   769			}
   770	
   771			for (i = 0; i < per_pixel_copy; i++) {
   772				srcdata32[0].ul = *((u32 *)srcxor) & 0xf0f0f0f0;
   773				data16.b[0] = srcdata32[0].b[1] |
   774					      (srcdata32[0].b[0] >> 4);
   775				data16.b[1] = srcdata32[0].b[3] |
   776					      (srcdata32[0].b[2] >> 4);
   777				writew(data16.us, dstxor);
   778				csum += (u32)data16.us;
   779	
   780				dstxor += 2;
   781				srcxor += 4;
   782			}
   783			dstxor += last_alpha_dst_delta;
   784		}
   785	
   786		/* write checksum + signature */
   787		dst += AST_HWC_SIZE;
   788		writel(csum, dst);
   789		writel(width, dst + AST_HWC_SIGNATURE_SizeX);
   790		writel(height, dst + AST_HWC_SIGNATURE_SizeY);
   791		writel(0, dst + AST_HWC_SIGNATURE_HOTSPOTX);
   792		writel(0, dst + AST_HWC_SIGNATURE_HOTSPOTY);
   793	}
   794	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki