- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] usb: typec: ucsi: Fix null pointer dereference in trace
by Zhang Zekun 29 Sep '24

29 Sep '24

From: Abhishek Pandit-Subedi <abhishekpandit(a)chromium.org> stable inclusion from stable-v5.10.226 commit 7e64cabe81c303bdf6fd26b6a09a3289b33bc870 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARV3B CVE: CVE-2024-46719 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------------ [ Upstream commit 99516f76db48e1a9d54cdfed63c1babcee4e71a5 ] ucsi_register_altmode checks IS_ERR for the alt pointer and treats NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled, ucsi_register_displayport returns NULL which causes a NULL pointer dereference in trace. Rather than return NULL, call typec_port_register_altmode to register DisplayPort alternate mode as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled. Reviewed-by: Benson Leung <bleung(a)chromium.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit(a)chromium.org> Signed-off-by: Jameson Thies <jthies(a)google.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Link: https://lore.kernel.org/r/20240510201244.2968152-2-jthies@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/usb/typec/ucsi/ucsi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h index cc1459b366cc..20995adc6b81 100644 --- a/drivers/usb/typec/ucsi/ucsi.h +++ b/drivers/usb/typec/ucsi/ucsi.h @@ -376,7 +376,7 @@ ucsi_register_displayport(struct ucsi_connector *con, bool override, int offset, struct typec_altmode_desc *desc) { - return NULL; + return typec_port_register_altmode(con->port, desc); } static inline void -- 2.17.1

2 1

[PATCH OLK-5.10] of/irq: Prevent device address out-of-bounds read in interrupt map walk
by Zhang Zekun 29 Sep '24

29 Sep '24

From: Stefan Wiehler <stefan.wiehler(a)nokia.com> stable inclusion from stable-v5.10.226 commit 9d1e9f0876b03d74d44513a0ed3ed15ef8f2fed5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWTE CVE: CVE-2024-46743 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------------------------------------- [ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ] When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node (from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg="func of_irq_parse_* +p"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size. Signed-off-by: Stefan Wiehler <stefan.wiehler(a)nokia.com> Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com Signed-off-by: Rob Herring (Arm) <robh(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/of/irq.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/of/irq.c b/drivers/of/irq.c index 352e14b007e7..ad0cb49e233a 100644 --- a/drivers/of/irq.c +++ b/drivers/of/irq.c @@ -288,7 +288,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar struct device_node *p; const __be32 *addr; u32 intsize; - int i, res; + int i, res, addr_len; + __be32 addr_buf[3] = { 0 }; pr_debug("of_irq_parse_one: dev=%pOF, index=%d\n", device, index); @@ -297,13 +298,19 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar return of_irq_parse_oldworld(device, index, out_irq); /* Get the reg property (if any) */ - addr = of_get_property(device, "reg", NULL); + addr = of_get_property(device, "reg", &addr_len); + + /* Prevent out-of-bounds read in case of longer interrupt parent address size */ + if (addr_len > (3 * sizeof(__be32))) + addr_len = 3 * sizeof(__be32); + if (addr) + memcpy(addr_buf, addr, addr_len); /* Try the new-style interrupts-extended first */ res = of_parse_phandle_with_args(device, "interrupts-extended", "#interrupt-cells", index, out_irq); if (!res) - return of_irq_parse_raw(addr, out_irq); + return of_irq_parse_raw(addr_buf, out_irq); /* Look for the interrupt parent. */ p = of_irq_find_parent(device); @@ -333,7 +340,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar /* Check if there are any interrupt-map translations to process */ - res = of_irq_parse_raw(addr, out_irq); + res = of_irq_parse_raw(addr_buf, out_irq); out: of_node_put(p); return res; -- 2.17.1

2 1

[PATCH OLK-5.10] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
by Zhang Zekun 29 Sep '24

29 Sep '24

From: Marc Zyngier <maz(a)kernel.org> stable inclusion from stable-v5.10.225 commit 15818af2f7aa55eff375333cb7689df15d3f24ef category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR5D2 CVE: CVE-2024-46707 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------------------------- commit 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f upstream. On a system with a GICv3, if a guest hasn't been configured with GICv3 and that the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2. We therefore try to emulate the SGI access, only to hit a NULL pointer as no private interrupt is allocated (no GIC, remember?). The obvious fix is to give the guest what it deserves, in the shape of a UNDEF exception. Reported-by: Alexander Potapenko <glider(a)google.com> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240820100349.3544850-2-maz@kernel.org Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/arm64/kvm/vgic/vgic.h [Code context change only] Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- arch/arm64/kvm/sys_regs.c | 6 ++++++ arch/arm64/kvm/vgic/vgic.h | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index 0cb9e4de5afd..1ee3c00ed8a0 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -30,6 +30,7 @@ #include <trace/events/kvm.h> #include "sys_regs.h" +#include "vgic/vgic.h" #include "trace.h" @@ -275,6 +276,11 @@ static bool access_gic_sgi(struct kvm_vcpu *vcpu, { bool g1; + if (!kvm_has_gicv3(vcpu->kvm)) { + kvm_inject_undefined(vcpu); + return false; + } + if (!p->is_write) return read_from_write_only(vcpu, p, r); diff --git a/arch/arm64/kvm/vgic/vgic.h b/arch/arm64/kvm/vgic/vgic.h index 47abce1ff89e..06564e8dd69b 100644 --- a/arch/arm64/kvm/vgic/vgic.h +++ b/arch/arm64/kvm/vgic/vgic.h @@ -330,4 +330,11 @@ void vgic_v4_configure_vsgis(struct kvm *kvm); void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val); void vgic_v4_configure_vtimer(struct kvm *kvm); +static inline bool kvm_has_gicv3(struct kvm *kvm) +{ + return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) && + irqchip_in_kernel(kvm) && + kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3); +} + #endif -- 2.17.1

2 1

[PATCH openEuler-22.03-LTS-SP1] btrfs: remove NULL transaction support for btrfs_lookup_extent_info()
by Yifan Qiao 29 Sep '24

29 Sep '24

From: Filipe Manana <fdmanana(a)suse.com> mainline inclusion from mainline-v6.11-rc1 commit 119474bdbac0858053cf367c8c932dd5c4bb4e85 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX0N Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There are no callers of btrfs_lookup_extent_info() that pass a NULL value for the transaction handle argument, so there's no point in having special logic to deal with the NULL. The last caller that passed a NULL value was removed in commit 19b546d7a1b2 ("btrfs: relocation: Use btrfs_find_all_leafs to locate data extent parent tree leaves"). So remove the NULL handling from btrfs_lookup_extent_info(). Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202409271612.ikY68CAg-lkp@intel.com/ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Conflicts: fs/btrfs/extent-tree.c [Context differences.] Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/btrfs/extent-tree.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 9521cb45433f..4049405548ac 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -135,11 +135,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, if (!path) return -ENOMEM; - if (!trans) { - path->skip_locking = 1; - path->search_commit_root = 1; - } - search_again: key.objectid = bytenr; key.offset = offset; @@ -172,10 +167,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, if (unlikely(item_size < sizeof(*ei))) { ret = -EINVAL; btrfs_print_v0_err(fs_info); - if (trans) - btrfs_abort_transaction(trans, ret); - else - btrfs_handle_fs_error(fs_info, ret, NULL); + btrfs_abort_transaction(trans, ret); goto out_free; } @@ -197,9 +189,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, ret = 0; } - if (!trans) - goto out; - delayed_refs = &trans->transaction->delayed_refs; spin_lock(&delayed_refs->lock); head = btrfs_find_delayed_ref_head(delayed_refs, bytenr); @@ -239,7 +228,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, mutex_unlock(&head->mutex); } spin_unlock(&delayed_refs->lock); -out: + WARN_ON(num_refs == 0); if (refs) *refs = num_refs; -- 2.39.2

2 1

[PATCH OLK-6.6] btrfs: remove NULL transaction support for btrfs_lookup_extent_info()
by Yifan Qiao 29 Sep '24

29 Sep '24

From: Filipe Manana <fdmanana(a)suse.com> mainline inclusion from mainline-v6.11-rc1 commit 119474bdbac0858053cf367c8c932dd5c4bb4e85 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX0N Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There are no callers of btrfs_lookup_extent_info() that pass a NULL value for the transaction handle argument, so there's no point in having special logic to deal with the NULL. The last caller that passed a NULL value was removed in commit 19b546d7a1b2 ("btrfs: relocation: Use btrfs_find_all_leafs to locate data extent parent tree leaves"). So remove the NULL handling from btrfs_lookup_extent_info(). Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202409271612.ikY68CAg-lkp@intel.com/ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/btrfs/extent-tree.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 9bf1e4ac4de0..39afb1c46907 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -124,11 +124,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, if (!path) return -ENOMEM; - if (!trans) { - path->skip_locking = 1; - path->search_commit_root = 1; - } - search_again: key.objectid = bytenr; key.offset = offset; @@ -164,11 +159,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, btrfs_err(fs_info, "unexpected extent item size, has %u expect >= %zu", item_size, sizeof(*ei)); - if (trans) - btrfs_abort_transaction(trans, ret); - else - btrfs_handle_fs_error(fs_info, ret, NULL); - + btrfs_abort_transaction(trans, ret); goto out_free; } @@ -189,9 +180,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, ret = 0; } - if (!trans) - goto out; - delayed_refs = &trans->transaction->delayed_refs; spin_lock(&delayed_refs->lock); head = btrfs_find_delayed_ref_head(delayed_refs, bytenr); @@ -231,7 +219,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, mutex_unlock(&head->mutex); } spin_unlock(&delayed_refs->lock); -out: + WARN_ON(num_refs == 0); if (refs) *refs = num_refs; -- 2.39.2

2 1

[PATCH OLK-5.10] btrfs: remove NULL transaction support for btrfs_lookup_extent_info()
by Yifan Qiao 29 Sep '24

29 Sep '24

From: Filipe Manana <fdmanana(a)suse.com> mainline inclusion from mainline-v6.11-rc1 commit 119474bdbac0858053cf367c8c932dd5c4bb4e85 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX0N Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There are no callers of btrfs_lookup_extent_info() that pass a NULL value for the transaction handle argument, so there's no point in having special logic to deal with the NULL. The last caller that passed a NULL value was removed in commit 19b546d7a1b2 ("btrfs: relocation: Use btrfs_find_all_leafs to locate data extent parent tree leaves"). So remove the NULL handling from btrfs_lookup_extent_info(). Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Closes: https://lore.kernel.org/r/202409271612.ikY68CAg-lkp@intel.com/ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Conflicts: fs/btrfs/extent-tree.c [Context differences.] Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/btrfs/extent-tree.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 054785ffacf7..ae6625aa2c4a 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -135,11 +135,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, if (!path) return -ENOMEM; - if (!trans) { - path->skip_locking = 1; - path->search_commit_root = 1; - } - search_again: key.objectid = bytenr; key.offset = offset; @@ -172,10 +167,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, if (unlikely(item_size < sizeof(*ei))) { ret = -EINVAL; btrfs_print_v0_err(fs_info); - if (trans) - btrfs_abort_transaction(trans, ret); - else - btrfs_handle_fs_error(fs_info, ret, NULL); + btrfs_abort_transaction(trans, ret); goto out_free; } @@ -197,9 +189,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, ret = 0; } - if (!trans) - goto out; - delayed_refs = &trans->transaction->delayed_refs; spin_lock(&delayed_refs->lock); head = btrfs_find_delayed_ref_head(delayed_refs, bytenr); @@ -239,7 +228,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans, mutex_unlock(&head->mutex); } spin_unlock(&delayed_refs->lock); -out: + WARN_ON(num_refs == 0); if (refs) *refs = num_refs; -- 2.39.2

2 1

[PATCH OLK-5.10] kprobes: Fix deadlock issue with kmemleak
by Zheng Yejian 29 Sep '24

29 Sep '24

Offering: HULK hulk inclusion category: bugfix bugzilla: https://codehub-y.huawei.com/hulk/bugzilla/issues/196 -------------------------------- There is following deadlock issue: CPU0 CPU1 ==== ==== kretprobe_trampoline kmem_cache_alloc trampoline_handler kmemleak_alloc __kretprobe_trampoline_handler create_object kretprobe_hash_lock <-- hold kmemleak lock <-- hold kretprobe table lock __link_object recycle_rp_inst stack_trace_save kfree_rcu kvfree_call_rcu ... kmemleak_ignore unwind_next_frame kretprobe_find_ret_addr <-- wait for kmemleak lock kretprobe_hash_lock <-- wait for kretprobe table lock One task on CPU0 hold kretprobe_hash_lock and wait for kmemleak_lock, however, kmemleak_lock was held by other task on CPU1 and that task is waiting for kretprobe_hash_lock, then deadlock happended. To fix it, move kfree_rcu() out of kretprobe table lock area. Fixes: b67815b05d67 ("[Backport] kprobes: Add kretprobe_find_ret_addr() for searching return address") Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/kprobes.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/kernel/kprobes.c b/kernel/kprobes.c index dacb71214fa1..5d64d97975ba 100644 --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -1223,7 +1223,7 @@ void kprobes_inc_nmissed_count(struct kprobe *p) } NOKPROBE_SYMBOL(kprobes_inc_nmissed_count); -static void recycle_rp_inst(struct kretprobe_instance *ri) +static void recycle_rp_inst(struct kretprobe_instance *ri, struct hlist_head *head) { struct kretprobe *rp = ri->rp; @@ -1235,7 +1235,7 @@ static void recycle_rp_inst(struct kretprobe_instance *ri) hlist_add_head(&ri->hlist, &rp->free_instances); raw_spin_unlock(&rp->lock); } else - kfree_rcu(ri, rcu); + hlist_add_head(&ri->hlist, head); } NOKPROBE_SYMBOL(recycle_rp_inst); @@ -1326,6 +1326,7 @@ void kprobe_flush_task(struct task_struct *tk) struct hlist_head *head; struct hlist_node *tmp; unsigned long hash, flags = 0; + HLIST_HEAD(empty_rp); if (unlikely(!kprobes_initialized)) /* Early boot. kretprobe_table_locks not yet initialized. */ @@ -1338,10 +1339,16 @@ void kprobe_flush_task(struct task_struct *tk) kretprobe_table_lock(hash, &flags); hlist_for_each_entry_safe(ri, tmp, head, hlist) { if (ri->task == tk) - recycle_rp_inst(ri); + recycle_rp_inst(ri, &empty_rp); } kretprobe_table_unlock(hash, &flags); + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + INIT_HLIST_NODE(&ri->hlist); + kfree_rcu(ri, rcu); + } + kprobe_busy_end(); } NOKPROBE_SYMBOL(kprobe_flush_task); @@ -2014,6 +2021,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, unsigned long flags; kprobe_opcode_t *correct_ret_addr = NULL; bool skipped = false; + HLIST_HEAD(empty_rp); kretprobe_hash_lock(current, &head, &flags); @@ -2082,7 +2090,7 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, __this_cpu_write(current_kprobe, prev); } - recycle_rp_inst(ri); + recycle_rp_inst(ri, &empty_rp); if (ri == last) break; @@ -2090,6 +2098,12 @@ unsigned long __kretprobe_trampoline_handler(struct pt_regs *regs, kretprobe_hash_unlock(current, &flags); + hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + INIT_HLIST_NODE(&ri->hlist); + kfree_rcu(ri, rcu); + } + return (unsigned long)correct_ret_addr; } NOKPROBE_SYMBOL(__kretprobe_trampoline_handler) -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS 5940/23799] drivers/iommu/iommu.c:979:31: sparse: sparse: dubious: !x | !y
by kernel test robot 29 Sep '24

29 Sep '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 3841d75a6dcd12d108aaf56560b99431d18169e4 commit: ac084b72b429b1bc0378add3abecfe107a732b7a [5940/23799] iommu: introduce device fault report API config: arm64-randconfig-r133-20240926 (https://download.01.org/0day-ci/archive/20240929/202409290930.qkB2O1Kz-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce: (https://download.01.org/0day-ci/archive/20240929/202409290930.qkB2O1Kz-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409290930.qkB2O1Kz-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> drivers/iommu/iommu.c:979:31: sparse: sparse: dubious: !x | !y drivers/iommu/iommu.c: In function 'iommu_unregister_device_fault_handler': drivers/iommu/iommu.c:937:13: warning: variable 'ret' set but not used [-Wunused-but-set-variable] 937 | int ret = 0; | ^~~ vim +979 drivers/iommu/iommu.c 960 961 962 /** 963 * iommu_report_device_fault() - Report fault event to device 964 * @dev: the device 965 * @evt: fault event data 966 * 967 * Called by IOMMU model specific drivers when fault is detected, typically 968 * in a threaded IRQ handler. 969 * 970 * Return 0 on success, or an error. 971 */ 972 int iommu_report_device_fault(struct device *dev, struct iommu_fault_event *evt) 973 { 974 int ret = 0; 975 struct iommu_fault_event *evt_pending; 976 struct iommu_fault_param *fparam; 977 978 /* iommu_param is allocated when device is added to group */ > 979 if (!dev->iommu_param | !evt) 980 return -EINVAL; 981 /* we only report device fault if there is a handler registered */ 982 mutex_lock(&dev->iommu_param->lock); 983 if (!dev->iommu_param->fault_param || 984 !dev->iommu_param->fault_param->handler) { 985 ret = -EINVAL; 986 goto done_unlock; 987 } 988 fparam = dev->iommu_param->fault_param; 989 if (evt->type == IOMMU_FAULT_PAGE_REQ && evt->last_req) { 990 evt_pending = kzalloc(sizeof(*evt_pending), GFP_ATOMIC); 991 if (!evt_pending) { 992 ret = -ENOMEM; 993 goto done_unlock; 994 } 995 memcpy(evt_pending, evt, sizeof(struct iommu_fault_event)); 996 mutex_lock(&fparam->lock); 997 list_add_tail(&evt_pending->list, &fparam->faults); 998 mutex_unlock(&fparam->lock); 999 } 1000 ret = fparam->handler(evt, fparam->data); 1001 done_unlock: 1002 mutex_unlock(&dev->iommu_param->lock); 1003 return ret; 1004 } 1005 EXPORT_SYMBOL_GPL(iommu_report_device_fault); 1006 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 21562/30000] drivers/ub/urma/ubcore/ubcore_netdev.c:213:5: warning: no previous prototype for 'ubcore_unset_port_netdev'
by kernel test robot 29 Sep '24

29 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: bef6f06e039b8929481350d15d6d8c3ba81c6fd2 commit: 37c6170f742ef3a18a3131a2a157dd7b7aa08103 [21562/30000] ub: Fix bugs in urma kernel and user lib config: arm64-randconfig-004-20240928 (https://download.01.org/0day-ci/archive/20240929/202409290901.wWQmpMUX-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240929/202409290901.wWQmpMUX-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409290901.wWQmpMUX-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/ub/urma/ubcore/ubcore_netdev.c:51:5: warning: no previous prototype for 'ubcore_check_port_state' [-Wmissing-prototypes] 51 | int ubcore_check_port_state(struct ubcore_device *dev, uint8_t port_idx) | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:75:6: warning: no previous prototype for 'ubcore_find_port_netdev' [-Wmissing-prototypes] 75 | void ubcore_find_port_netdev(struct ubcore_device *dev, | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:133:5: warning: no previous prototype for 'ubcore_set_port_netdev' [-Wmissing-prototypes] 133 | int ubcore_set_port_netdev(struct ubcore_device *dev, struct net_device *ndev, | ^~~~~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/ubcore/ubcore_netdev.c:213:5: warning: no previous prototype for 'ubcore_unset_port_netdev' [-Wmissing-prototypes] 213 | int ubcore_unset_port_netdev(struct ubcore_device *dev, struct net_device *ndev, | ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:242:6: warning: no previous prototype for 'ubcore_put_port_netdev' [-Wmissing-prototypes] 242 | void ubcore_put_port_netdev(struct ubcore_device *dev) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:262:10: warning: no previous prototype for 'ubcore_sip_idx_alloc' [-Wmissing-prototypes] 262 | uint32_t ubcore_sip_idx_alloc(uint32_t idx) | ^~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:290:5: warning: no previous prototype for 'ubcore_sip_idx_free' [-Wmissing-prototypes] 290 | int ubcore_sip_idx_free(uint32_t idx) | ^~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:303:6: warning: no previous prototype for 'ubcore_sip_table_init' [-Wmissing-prototypes] 303 | void ubcore_sip_table_init(void) | ^~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:309:6: warning: no previous prototype for 'ubcore_sip_table_uninit' [-Wmissing-prototypes] 309 | void ubcore_sip_table_uninit(void) | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:324:5: warning: no previous prototype for 'ubcore_add_sip_entry' [-Wmissing-prototypes] 324 | int ubcore_add_sip_entry(const struct ubcore_sip_info *sip, uint32_t idx) | ^~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:344:5: warning: no previous prototype for 'ubcore_del_sip_entry' [-Wmissing-prototypes] 344 | int ubcore_del_sip_entry(uint32_t idx) | ^~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:358:5: warning: no previous prototype for 'ubcore_lookup_sip_idx' [-Wmissing-prototypes] 358 | int ubcore_lookup_sip_idx(struct ubcore_sip_info *sip, uint32_t *idx) | ^~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:379:10: warning: no previous prototype for 'ubcore_get_sip_max_cnt' [-Wmissing-prototypes] 379 | uint32_t ubcore_get_sip_max_cnt(void) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:384:25: warning: no previous prototype for 'ubcore_lookup_sip_info' [-Wmissing-prototypes] 384 | struct ubcore_sip_info *ubcore_lookup_sip_info(uint32_t idx) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:395:5: warning: no previous prototype for 'ubcore_notify_uvs_del_sip' [-Wmissing-prototypes] 395 | int ubcore_notify_uvs_del_sip(struct ubcore_device *dev, | ^~~~~~~~~~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_netdev.c:437:5: warning: no previous prototype for 'ubcore_notify_uvs_add_sip' [-Wmissing-prototypes] 437 | int ubcore_notify_uvs_add_sip(struct ubcore_device *dev, | ^~~~~~~~~~~~~~~~~~~~~~~~~ vim +/ubcore_unset_port_netdev +213 drivers/ub/urma/ubcore/ubcore_netdev.c 212 > 213 int ubcore_unset_port_netdev(struct ubcore_device *dev, struct net_device *ndev, 214 unsigned int port_id) 215 { 216 struct ubcore_ndev_port *port_info; 217 218 if (dev == NULL || ndev == NULL) { 219 ubcore_log_err("invalid input parameter.\n"); 220 return -1; 221 } 222 down_write(&g_port_list_lock); 223 list_for_each_entry(port_info, &dev->port_list, node) { 224 if (port_info->ndev == ndev) { 225 if (ubcore_del_port(port_info, (uint8_t)port_id, dev, ndev) != 0) { 226 up_write(&g_port_list_lock); 227 ubcore_log_err("Failed to do ubcore_del_port"); 228 return -1; 229 } 230 up_write(&g_port_list_lock); 231 return 0; 232 } 233 } 234 up_write(&g_port_list_lock); 235 236 ubcore_log_err("Failed to find and remove ndev:%s dev_name: %s bound port: %u\n", 237 netdev_name(ndev), dev->dev_name, port_id); 238 return -1; 239 } 240 EXPORT_SYMBOL(ubcore_unset_port_netdev); 241 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 21579/30000] net/smc/smc_core.c:770:6: sparse: sparse: symbol '__smcr_link_clear' was not declared. Should it be static?
by kernel test robot 29 Sep '24

29 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: bef6f06e039b8929481350d15d6d8c3ba81c6fd2 commit: 7dad816cb1f8841fda526c0978c10a94793f1178 [21579/30000] anolis: net/smc: Resolve the race between SMC-R link access and clear config: arm64-randconfig-r131-20240925 (https://download.01.org/0day-ci/archive/20240929/202409290926.Ll8zQyOY-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce: (https://download.01.org/0day-ci/archive/20240929/202409290926.Ll8zQyOY-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409290926.Ll8zQyOY-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> net/smc/smc_core.c:770:6: sparse: sparse: symbol '__smcr_link_clear' was not declared. Should it be static? vim +/__smcr_link_clear +770 net/smc/smc_core.c 769 > 770 void __smcr_link_clear(struct smc_link *lnk) 771 { 772 smc_wr_free_link_mem(lnk); 773 smc_lgr_put(lnk->lgr); /* lgr_hold in smcr_link_init() */ 774 memset(lnk, 0, sizeof(struct smc_link)); 775 lnk->state = SMC_LNK_UNUSED; 776 } 777 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0