Kernel
Threads by month
- ----- 2025 -----
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- 55 participants
- 16935 discussions
[openeuler:openEuler-1.0-LTS 1407/1407] include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used
by kernel test robot 17 Jan '25
by kernel test robot 17 Jan '25
17 Jan '25
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 52349611d09c6a9a2b558b3ce1cb1dca0d47dbe8
commit: 1811840c2cdebd0820818392a8217ffbd1be5c67 [1407/1407] mm/sharepool: Fix sharepool node id invalid when using sp_alloc
config: arm64-allnoconfig (https://download.01.org/0day-ci/archive/20250117/202501172158.pLxZDrP8-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501172158.pLxZDrP8-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501172158.pLxZDrP8-lkp@intel.com/
All warnings (new ones prefixed by >>):
kernel/fork.c:741:20: warning: no previous prototype for 'arch_task_cache_init' [-Wmissing-prototypes]
741 | void __init __weak arch_task_cache_init(void) { }
| ^~~~~~~~~~~~~~~~~~~~
kernel/fork.c:826:12: warning: no previous prototype for 'arch_dup_task_struct' [-Wmissing-prototypes]
826 | int __weak arch_dup_task_struct(struct task_struct *dst,
| ^~~~~~~~~~~~~~~~~~~~
kernel/fork.c: In function 'dup_task_struct':
kernel/fork.c:845:27: warning: variable 'stack_vm_area' set but not used [-Wunused-but-set-variable]
845 | struct vm_struct *stack_vm_area;
| ^~~~~~~~~~~~~
In file included from include/linux/sched/signal.h:7,
from include/linux/sched/cputime.h:5,
from kernel/fork.c:23:
include/linux/signal.h: In function 'sigemptyset':
include/linux/signal.h:180:29: warning: this statement may fall through [-Wimplicit-fallthrough=]
180 | case 2: set->sig[1] = 0;
| ~~~~~~~~~~~~^~~
include/linux/signal.h:181:9: note: here
181 | case 1: set->sig[0] = 0;
| ^~~~
In file included from kernel/fork.c:31:
include/linux/mempolicy.h: At top level:
>> include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used [-Wunused-function]
329 | static long __do_mbind(unsigned long start, unsigned long len,
| ^~~~~~~~~~
In file included from arch/arm64/include/asm/atomic.h:36,
from include/linux/atomic.h:7,
from include/asm-generic/bitops/atomic.h:5,
from arch/arm64/include/asm/bitops.h:37,
from include/linux/bitops.h:19,
from include/linux/kernel.h:11,
from include/asm-generic/bug.h:18,
from arch/arm64/include/asm/bug.h:37,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/gfp.h:5,
from include/linux/slab.h:15,
from kernel/fork.c:14:
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from '__mmput' at kernel/fork.c:1074:3,
inlined from 'mmput_async_fn' at kernel/fork.c:1104:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
In file included from include/linux/spinlock.h:82,
from include/linux/mmzone.h:9,
from include/linux/gfp.h:6:
kernel/fork.c: In function 'mmput_async_fn':
kernel/fork.c:939:44: note: object 'mmlist_lock' of size 4
939 | __cacheline_aligned_in_smp DEFINE_SPINLOCK(mmlist_lock);
| ^~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from '__mmput' at kernel/fork.c:1074:3,
inlined from 'mmput_async_fn' at kernel/fork.c:1104:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/fork.c: In function 'mmput_async_fn':
kernel/fork.c:939:44: note: object 'mmlist_lock' of size 4
939 | __cacheline_aligned_in_smp DEFINE_SPINLOCK(mmlist_lock);
| ^~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from '__mmput' at kernel/fork.c:1074:3,
inlined from 'mmput' at kernel/fork.c:1094:3,
inlined from 'mmput' at kernel/fork.c:1086:6:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/fork.c: In function 'mmput':
kernel/fork.c:939:44: note: object 'mmlist_lock' of size 4
939 | __cacheline_aligned_in_smp DEFINE_SPINLOCK(mmlist_lock);
| ^~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from '__mmput' at kernel/fork.c:1074:3,
inlined from 'mmput' at kernel/fork.c:1094:3,
inlined from 'mmput' at kernel/fork.c:1086:6:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/fork.c: In function 'mmput':
kernel/fork.c:939:44: note: object 'mmlist_lock' of size 4
939 | __cacheline_aligned_in_smp DEFINE_SPINLOCK(mmlist_lock);
--
kernel/exit.c:1677:13: warning: no previous prototype for 'abort' [-Wmissing-prototypes]
1677 | __weak void abort(void)
| ^~~~~
In file included from kernel/exit.c:37:
>> include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used [-Wunused-function]
329 | static long __do_mbind(unsigned long start, unsigned long len,
| ^~~~~~~~~~
--
In file included from include/linux/shmem_fs.h:7,
from kernel/umh.c:29:
>> include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used [-Wunused-function]
329 | static long __do_mbind(unsigned long start, unsigned long len,
| ^~~~~~~~~~
In file included from arch/arm64/include/asm/atomic.h:36,
from include/linux/atomic.h:7,
from include/asm-generic/bitops/atomic.h:5,
from arch/arm64/include/asm/bitops.h:37,
from include/linux/bitops.h:19,
from include/linux/kernel.h:11,
from include/linux/list.h:9,
from include/linux/module.h:10,
from kernel/umh.c:4:
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from 'proc_cap_handler' at kernel/umh.c:668:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
In file included from include/linux/spinlock.h:82,
from include/linux/seqlock.h:36,
from include/linux/time.h:6,
from include/linux/stat.h:19,
from include/linux/module.h:11:
kernel/umh.c: In function 'proc_cap_handler':
kernel/umh.c:41:24: note: object 'umh_sysctl_lock' of size 4
41 | static DEFINE_SPINLOCK(umh_sysctl_lock);
| ^~~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from 'proc_cap_handler' at kernel/umh.c:668:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/umh.c: In function 'proc_cap_handler':
kernel/umh.c:41:24: note: object 'umh_sysctl_lock' of size 4
41 | static DEFINE_SPINLOCK(umh_sysctl_lock);
| ^~~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from 'proc_cap_handler' at kernel/umh.c:701:3:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/umh.c: In function 'proc_cap_handler':
kernel/umh.c:41:24: note: object 'umh_sysctl_lock' of size 4
41 | static DEFINE_SPINLOCK(umh_sysctl_lock);
| ^~~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from 'proc_cap_handler' at kernel/umh.c:701:3:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/umh.c: In function 'proc_cap_handler':
kernel/umh.c:41:24: note: object 'umh_sysctl_lock' of size 4
41 | static DEFINE_SPINLOCK(umh_sysctl_lock);
| ^~~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
--
In file included from kernel/workqueue.c:39:
>> include/linux/mempolicy.h:329:13: warning: '__do_mbind' defined but not used [-Wunused-function]
329 | static long __do_mbind(unsigned long start, unsigned long len,
| ^~~~~~~~~~
In file included from arch/arm64/include/asm/atomic.h:36,
from include/linux/atomic.h:7,
from include/asm-generic/bitops/atomic.h:5,
from arch/arm64/include/asm/bitops.h:37,
from include/linux/bitops.h:19,
from include/linux/kernel.h:11,
from kernel/workqueue.c:28:
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from 'pool_mayday_timeout' at kernel/workqueue.c:2003:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
In file included from include/linux/spinlock.h:82,
from include/linux/ipc.h:5,
from include/uapi/linux/sem.h:5,
from include/linux/sem.h:5,
from include/linux/sched.h:15,
from kernel/workqueue.c:29:
kernel/workqueue.c: In function 'pool_mayday_timeout':
kernel/workqueue.c:302:24: note: object 'wq_mayday_lock' of size 4
302 | static DEFINE_SPINLOCK(wq_mayday_lock); /* protects wq->maydays list */
| ^~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2,
inlined from 'spin_lock' at include/linux/spinlock.h:329:2,
inlined from 'pool_mayday_timeout' at kernel/workqueue.c:2003:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/workqueue.c: In function 'pool_mayday_timeout':
kernel/workqueue.c:302:24: note: object 'wq_mayday_lock' of size 4
302 | static DEFINE_SPINLOCK(wq_mayday_lock); /* protects wq->maydays list */
| ^~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
kernel/workqueue.c: In function 'create_worker':
kernel/workqueue.c:1887:54: warning: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size between 5 and 14 [-Wformat-truncation=]
1887 | snprintf(id_buf, sizeof(id_buf), "%d:%d%s", pool->cpu, id,
| ^~
kernel/workqueue.c:1887:50: note: directive argument in the range [0, 2147483647]
1887 | snprintf(id_buf, sizeof(id_buf), "%d:%d%s", pool->cpu, id,
| ^~~~~~~~~
kernel/workqueue.c:1887:17: note: 'snprintf' output between 4 and 23 bytes into a destination of size 16
1887 | snprintf(id_buf, sizeof(id_buf), "%d:%d%s", pool->cpu, id,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1888 | pool->attrs->nice < 0 ? "H" : "");
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock_irq' at include/linux/spinlock_api_smp.h:129:2,
inlined from 'spin_lock_irq' at include/linux/spinlock.h:354:2,
inlined from 'rescuer_thread' at kernel/workqueue.c:2461:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
kernel/workqueue.c: In function 'rescuer_thread':
kernel/workqueue.c:302:24: note: object 'wq_mayday_lock' of size 4
302 | static DEFINE_SPINLOCK(wq_mayday_lock); /* protects wq->maydays list */
| ^~~~~~~~~~~~~~
include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK'
81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x)
| ^
In function '__cmpxchg_case_acq_4',
inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1,
inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8,
inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2,
inlined from '__raw_spin_lock_irq' at include/linux/spinlock_api_smp.h:129:2,
inlined from 'spin_lock_irq' at include/linux/spinlock.h:354:2,
inlined from 'rescuer_thread' at kernel/workqueue.c:2461:2:
arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=]
259 | asm volatile( \
| ^~~
arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE'
283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory")
| ^~~~~~~~~~~~~~
..
vim +/__do_mbind +329 include/linux/mempolicy.h
328
> 329 static long __do_mbind(unsigned long start, unsigned long len,
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
1
0
[PATCH OLK-6.6] [Backport] btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount
by Yongjian Sun 17 Jan '25
by Yongjian Sun 17 Jan '25
17 Jan '25
From: Filipe Manana <fdmanana(a)suse.com>
mainline inclusion
from mainline-v6.12-rc3
commit f10bef73fb355e3fc85e63a50386798be68ff486
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIAEJ
CVE: CVE-2024-57896
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
During the unmount path, at close_ctree(), we first stop the cleaner
kthread, using kthread_stop() which frees the associated task_struct, and
then stop and destroy all the work queues. However after we stopped the
cleaner we may still have a worker from the delalloc_workers queue running
inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),
which in turn tries to wake up the cleaner kthread - which was already
destroyed before, resulting in a use-after-free on the task_struct.
Syzbot reported this with the following stack traces:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
__lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205
submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615
run_ordered_work fs/btrfs/async-thread.c:288 [inline]
btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4104 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1113
copy_process+0x5d1/0x3d50 kernel/fork.c:2225
kernel_clone+0x223/0x870 kernel/fork.c:2807
kernel_thread+0x1bc/0x240 kernel/fork.c:2869
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:767
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 24:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kmem_cache_free+0x195/0x410 mm/slub.c:4700
put_task_struct include/linux/sched/task.h:144 [inline]
delayed_put_task_struct+0x125/0x300 kernel/exit.c:227
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554
run_ksoftirqd+0xca/0x130 kernel/softirq.c:943
smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:544
__call_rcu_common kernel/rcu/tree.c:3086 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190
context_switch kernel/sched/core.c:5372 [inline]
__schedule+0x1803/0x4be0 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6848
schedule_timeout+0xb0/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common kernel/sched/completion.c:116 [inline]
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion+0x355/0x620 kernel/sched/completion.c:148
kthread_stop+0x19e/0x640 kernel/kthread.c:712
close_ctree+0x524/0xd60 fs/btrfs/disk-io.c:4328
generic_shutdown_super+0x139/0x2d0 fs/super.c:642
kill_anon_super+0x3b/0x70 fs/super.c:1237
btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2112
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
task_work_run+0x24f/0x310 kernel/task_work.c:239
ptrace_notify+0x2d2/0x380 kernel/signal.c:2503
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880259d1e00
which belongs to the cache task_struct of size 7424
The buggy address is located 2584 bytes inside of
freed 7424-byte region [ffff8880259d1e00, ffff8880259d3b00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x259d0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88802f4b56c1
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1
head: 00fff00000000040 ffff88801bafe500 dead000000000100 dead000000000122
head: 0000000000000000 0000000000040004 00000001f5000000 ffff88802f4b56c1
head: 00fff00000000003 ffffea0000967401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12, tgid 12 (kworker/u8:1), ts 7328037942, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x140 mm/slub.c:2408
allocate_slab+0x5a/0x2f0 mm/slub.c:2574
new_slab mm/slub.c:2627 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3815
__slab_alloc+0x58/0xa0 mm/slub.c:3905
__slab_alloc_node mm/slub.c:3980 [inline]
slab_alloc_node mm/slub.c:4141 [inline]
kmem_cache_alloc_node_noprof+0x269/0x380 mm/slub.c:4205
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1113
copy_process+0x5d1/0x3d50 kernel/fork.c:2225
kernel_clone+0x223/0x870 kernel/fork.c:2807
user_mode_thread+0x132/0x1a0 kernel/fork.c:2885
call_usermodehelper_exec_work+0x5c/0x230 kernel/umh.c:171
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880259d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880259d2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880259d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880259d2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880259d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fix this by flushing the delalloc workers queue before stopping the
cleaner kthread.
Reported-by: syzbot+b7cf50a0c173770dcb14(a)syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/674ed7e8.050a0220.48a03.0031.GAE@google…
Reviewed-by: Qu Wenruo <wqu(a)suse.com>
Signed-off-by: Filipe Manana <fdmanana(a)suse.com>
Reviewed-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: Yongjian Sun <sunyongjian1(a)huawei.com>
---
fs/btrfs/disk-io.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 8ec411eb9c9b..967c6b5dd0a4 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4323,6 +4323,15 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)
* already the cleaner, but below we run all pending delayed iputs.
*/
btrfs_flush_workqueue(fs_info->fixup_workers);
+ /*
+ * Similar case here, we have to wait for delalloc workers before we
+ * proceed below and stop the cleaner kthread, otherwise we trigger a
+ * use-after-tree on the cleaner kthread task_struct when a delalloc
+ * worker running submit_compressed_extents() adds a delayed iput, which
+ * does a wake up on the cleaner kthread, which was already freed below
+ * when we call kthread_stop().
+ */
+ btrfs_flush_workqueue(fs_info->delalloc_workers);
/*
* After we parked the cleaner kthread, ordered extents may have
--
2.39.2
2
1
[openeuler:OLK-5.10 2707/2707] include/linux/lsm_hook_defs.h:162:18: warning: 'file_ioctl_compat_default' defined but not used
by kernel test robot 17 Jan '25
by kernel test robot 17 Jan '25
17 Jan '25
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: 08e54ea5e4a4948874ca30d91be3e5cca4ecbeec
commit: 294c837d37ed484f656397130bb059ee741a4ca4 [2707/2707] lsm: new security_file_ioctl_compat() hook
config: x86_64-defconfig (https://download.01.org/0day-ci/archive/20250117/202501172051.HxlkrA5w-lkp@…)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501172051.HxlkrA5w-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501172051.HxlkrA5w-lkp@intel.com/
All warnings (new ones prefixed by >>):
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:177:1: note: in expansion of macro 'LSM_HOOK'
177 | LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:176:18: warning: 'file_open_default' defined but not used [-Wunused-const-variable=]
176 | LSM_HOOK(int, 0, file_open, struct file *file)
| ^~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:176:1: note: in expansion of macro 'LSM_HOOK'
176 | LSM_HOOK(int, 0, file_open, struct file *file)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:175:18: warning: 'file_receive_default' defined but not used [-Wunused-const-variable=]
175 | LSM_HOOK(int, 0, file_receive, struct file *file)
| ^~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:175:1: note: in expansion of macro 'LSM_HOOK'
175 | LSM_HOOK(int, 0, file_receive, struct file *file)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:173:18: warning: 'file_send_sigiotask_default' defined but not used [-Wunused-const-variable=]
173 | LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
| ^~~~~~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:173:1: note: in expansion of macro 'LSM_HOOK'
173 | LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:170:18: warning: 'file_fcntl_default' defined but not used [-Wunused-const-variable=]
170 | LSM_HOOK(int, 0, file_fcntl, struct file *file, unsigned int cmd,
| ^~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:170:1: note: in expansion of macro 'LSM_HOOK'
170 | LSM_HOOK(int, 0, file_fcntl, struct file *file, unsigned int cmd,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:169:18: warning: 'file_lock_default' defined but not used [-Wunused-const-variable=]
169 | LSM_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd)
| ^~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:169:1: note: in expansion of macro 'LSM_HOOK'
169 | LSM_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:167:18: warning: 'file_mprotect_default' defined but not used [-Wunused-const-variable=]
167 | LSM_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma,
| ^~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:167:1: note: in expansion of macro 'LSM_HOOK'
167 | LSM_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:165:18: warning: 'mmap_file_default' defined but not used [-Wunused-const-variable=]
165 | LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
| ^~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:165:1: note: in expansion of macro 'LSM_HOOK'
165 | LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:164:18: warning: 'mmap_addr_default' defined but not used [-Wunused-const-variable=]
164 | LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
| ^~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:164:1: note: in expansion of macro 'LSM_HOOK'
164 | LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
| ^~~~~~~~
>> include/linux/lsm_hook_defs.h:162:18: warning: 'file_ioctl_compat_default' defined but not used [-Wunused-const-variable=]
162 | LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
| ^~~~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:162:1: note: in expansion of macro 'LSM_HOOK'
162 | LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:160:18: warning: 'file_ioctl_default' defined but not used [-Wunused-const-variable=]
160 | LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
| ^~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:160:1: note: in expansion of macro 'LSM_HOOK'
160 | LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:158:18: warning: 'file_alloc_security_default' defined but not used [-Wunused-const-variable=]
158 | LSM_HOOK(int, 0, file_alloc_security, struct file *file)
| ^~~~~~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:158:1: note: in expansion of macro 'LSM_HOOK'
158 | LSM_HOOK(int, 0, file_alloc_security, struct file *file)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:157:18: warning: 'file_permission_default' defined but not used [-Wunused-const-variable=]
157 | LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
| ^~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:157:1: note: in expansion of macro 'LSM_HOOK'
157 | LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:155:18: warning: 'kernfs_init_security_default' defined but not used [-Wunused-const-variable=]
155 | LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
| ^~~~~~~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:155:1: note: in expansion of macro 'LSM_HOOK'
155 | LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:153:18: warning: 'inode_copy_up_default' defined but not used [-Wunused-const-variable=]
153 | LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
| ^~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:153:1: note: in expansion of macro 'LSM_HOOK'
153 | LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:150:18: warning: 'inode_listsecurity_default' defined but not used [-Wunused-const-variable=]
150 | LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
| ^~~~~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:150:1: note: in expansion of macro 'LSM_HOOK'
150 | LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
| ^~~~~~~~
include/linux/lsm_hook_defs.h:145:18: warning: 'inode_killpriv_default' defined but not used [-Wunused-const-variable=]
145 | LSM_HOOK(int, 0, inode_killpriv, struct dentry *dentry)
| ^~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
| ^~~~
security/security.c:712:9: note: in expansion of macro 'DECLARE_LSM_RET_DEFAULT_int'
712 | DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
| ^~~~~~~~~~~~~~~~~~~~~~~~
include/linux/lsm_hook_defs.h:145:1: note: in expansion of macro 'LSM_HOOK'
145 | LSM_HOOK(int, 0, inode_killpriv, struct dentry *dentry)
| ^~~~~~~~
include/linux/lsm_hook_defs.h:144:18: warning: 'inode_need_killpriv_default' defined but not used [-Wunused-const-variable=]
144 | LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
| ^~~~~~~~~~~~~~~~~~~
security/security.c:707:32: note: in definition of macro 'LSM_RET_DEFAULT'
707 | #define LSM_RET_DEFAULT(NAME) (NAME##_default)
vim +/file_ioctl_compat_default +162 include/linux/lsm_hook_defs.h
108
109 /* Needed for inode based security check */
110 LSM_HOOK(int, 0, path_notify, const struct path *path, u64 mask,
111 unsigned int obj_type)
112 LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode)
113 LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode)
114 LSM_HOOK(int, 0, inode_init_security, struct inode *inode,
115 struct inode *dir, const struct qstr *qstr, const char **name,
116 void **value, size_t *len)
117 LSM_HOOK(int, 0, inode_create, struct inode *dir, struct dentry *dentry,
118 umode_t mode)
119 LSM_HOOK(int, 0, inode_link, struct dentry *old_dentry, struct inode *dir,
120 struct dentry *new_dentry)
121 LSM_HOOK(int, 0, inode_unlink, struct inode *dir, struct dentry *dentry)
122 LSM_HOOK(int, 0, inode_symlink, struct inode *dir, struct dentry *dentry,
123 const char *old_name)
124 LSM_HOOK(int, 0, inode_mkdir, struct inode *dir, struct dentry *dentry,
125 umode_t mode)
126 LSM_HOOK(int, 0, inode_rmdir, struct inode *dir, struct dentry *dentry)
127 LSM_HOOK(int, 0, inode_mknod, struct inode *dir, struct dentry *dentry,
128 umode_t mode, dev_t dev)
129 LSM_HOOK(int, 0, inode_rename, struct inode *old_dir, struct dentry *old_dentry,
130 struct inode *new_dir, struct dentry *new_dentry)
131 LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry)
132 LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode,
133 bool rcu)
134 LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
135 LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr)
136 LSM_HOOK(int, 0, inode_getattr, const struct path *path)
137 LSM_HOOK(int, 0, inode_setxattr, struct dentry *dentry, const char *name,
138 const void *value, size_t size, int flags)
139 LSM_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry *dentry,
140 const char *name, const void *value, size_t size, int flags)
141 LSM_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name)
142 LSM_HOOK(int, 0, inode_listxattr, struct dentry *dentry)
143 LSM_HOOK(int, 0, inode_removexattr, struct dentry *dentry, const char *name)
144 LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry)
145 LSM_HOOK(int, 0, inode_killpriv, struct dentry *dentry)
146 LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct inode *inode,
147 const char *name, void **buffer, bool alloc)
148 LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode,
149 const char *name, const void *value, size_t size, int flags)
150 LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer,
151 size_t buffer_size)
152 LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid)
153 LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new)
154 LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name)
155 LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir,
156 struct kernfs_node *kn)
157 LSM_HOOK(int, 0, file_permission, struct file *file, int mask)
158 LSM_HOOK(int, 0, file_alloc_security, struct file *file)
159 LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file)
160 LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd,
161 unsigned long arg)
> 162 LSM_HOOK(int, 0, file_ioctl_compat, struct file *file, unsigned int cmd,
163 unsigned long arg)
164 LSM_HOOK(int, 0, mmap_addr, unsigned long addr)
165 LSM_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot,
166 unsigned long prot, unsigned long flags)
167 LSM_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma,
168 unsigned long reqprot, unsigned long prot)
169 LSM_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd)
170 LSM_HOOK(int, 0, file_fcntl, struct file *file, unsigned int cmd,
171 unsigned long arg)
172 LSM_HOOK(void, LSM_RET_VOID, file_set_fowner, struct file *file)
173 LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk,
174 struct fown_struct *fown, int sig)
175 LSM_HOOK(int, 0, file_receive, struct file *file)
176 LSM_HOOK(int, 0, file_open, struct file *file)
177 LSM_HOOK(int, 0, task_alloc, struct task_struct *task,
178 unsigned long clone_flags)
179 LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)
180 LSM_HOOK(int, 0, cred_alloc_blank, struct cred *cred, gfp_t gfp)
181 LSM_HOOK(void, LSM_RET_VOID, cred_free, struct cred *cred)
182 LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
183 gfp_t gfp)
184 LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new,
185 const struct cred *old)
186 LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid)
187 LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid)
188 LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode)
189 LSM_HOOK(int, 0, kernel_module_request, char *kmod_name)
190 LSM_HOOK(int, 0, kernel_load_data, enum kernel_load_data_id id, bool contents)
191 LSM_HOOK(int, 0, kernel_post_load_data, char *buf, loff_t size,
192 enum kernel_load_data_id id, char *description)
193 LSM_HOOK(int, 0, kernel_read_file, struct file *file,
194 enum kernel_read_file_id id, bool contents)
195 LSM_HOOK(int, 0, kernel_post_read_file, struct file *file, char *buf,
196 loff_t size, enum kernel_read_file_id id)
197 LSM_HOOK(int, 0, task_fix_setuid, struct cred *new, const struct cred *old,
198 int flags)
199 LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred * old,
200 int flags)
201 LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid)
202 LSM_HOOK(int, 0, task_getpgid, struct task_struct *p)
203 LSM_HOOK(int, 0, task_getsid, struct task_struct *p)
204 LSM_HOOK(void, LSM_RET_VOID, task_getsecid, struct task_struct *p, u32 *secid)
205 LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice)
206 LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio)
207 LSM_HOOK(int, 0, task_getioprio, struct task_struct *p)
208 LSM_HOOK(int, 0, task_prlimit, const struct cred *cred,
209 const struct cred *tcred, unsigned int flags)
210 LSM_HOOK(int, 0, task_setrlimit, struct task_struct *p, unsigned int resource,
211 struct rlimit *new_rlim)
212 LSM_HOOK(int, 0, task_setscheduler, struct task_struct *p)
213 LSM_HOOK(int, 0, task_getscheduler, struct task_struct *p)
214 LSM_HOOK(int, 0, task_movememory, struct task_struct *p)
215 LSM_HOOK(int, 0, task_kill, struct task_struct *p, struct kernel_siginfo *info,
216 int sig, const struct cred *cred)
217 LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2,
218 unsigned long arg3, unsigned long arg4, unsigned long arg5)
219 LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
220 struct inode *inode)
221 LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
222 LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp,
223 u32 *secid)
224 LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
225 LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
226 LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
227 LSM_HOOK(void, LSM_RET_VOID, msg_queue_free_security,
228 struct kern_ipc_perm *perm)
229 LSM_HOOK(int, 0, msg_queue_associate, struct kern_ipc_perm *perm, int msqflg)
230 LSM_HOOK(int, 0, msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd)
231 LSM_HOOK(int, 0, msg_queue_msgsnd, struct kern_ipc_perm *perm,
232 struct msg_msg *msg, int msqflg)
233 LSM_HOOK(int, 0, msg_queue_msgrcv, struct kern_ipc_perm *perm,
234 struct msg_msg *msg, struct task_struct *target, long type, int mode)
235 LSM_HOOK(int, 0, shm_alloc_security, struct kern_ipc_perm *perm)
236 LSM_HOOK(void, LSM_RET_VOID, shm_free_security, struct kern_ipc_perm *perm)
237 LSM_HOOK(int, 0, shm_associate, struct kern_ipc_perm *perm, int shmflg)
238 LSM_HOOK(int, 0, shm_shmctl, struct kern_ipc_perm *perm, int cmd)
239 LSM_HOOK(int, 0, shm_shmat, struct kern_ipc_perm *perm, char __user *shmaddr,
240 int shmflg)
241 LSM_HOOK(int, 0, sem_alloc_security, struct kern_ipc_perm *perm)
242 LSM_HOOK(void, LSM_RET_VOID, sem_free_security, struct kern_ipc_perm *perm)
243 LSM_HOOK(int, 0, sem_associate, struct kern_ipc_perm *perm, int semflg)
244 LSM_HOOK(int, 0, sem_semctl, struct kern_ipc_perm *perm, int cmd)
245 LSM_HOOK(int, 0, sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops,
246 unsigned nsops, int alter)
247 LSM_HOOK(int, 0, netlink_send, struct sock *sk, struct sk_buff *skb)
248 LSM_HOOK(void, LSM_RET_VOID, d_instantiate, struct dentry *dentry,
249 struct inode *inode)
250 LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, char *name,
251 char **value)
252 LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
253 LSM_HOOK(int, 0, ismaclabel, const char *name)
254 LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
255 u32 *seclen)
256 LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
257 LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
258 LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
259 LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen)
260 LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen)
261 LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx,
262 u32 *ctxlen)
263
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
1
0
17 Jan '25
From: Thomas Richter <tmricht(a)linux.ibm.com>
stable inclusion
from stable-v6.6.66
commit a69752f1e5de817941a2ea0609254f6f25acd274
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBI7GX
CVE: CVE-2024-57849
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ]
CPU hotplug remove handling triggers the following function
call sequence:
CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu()
...
CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu()
The s390 CPUMF sampling CPU hotplug handler invokes:
s390_pmu_sf_offline_cpu()
+--> cpusf_pmu_setup()
+--> setup_pmc_cpu()
+--> deallocate_buffers()
This function de-allocates all sampling data buffers (SDBs) allocated
for that CPU at event initialization. It also clears the
PMU_F_RESERVED bit. The CPU is gone and can not be sampled.
With the event still being active on the removed CPU, the CPU event
hotplug support in kernel performance subsystem triggers the
following function calls on the removed CPU:
perf_event_exit_cpu()
+--> perf_event_exit_cpu_context()
+--> __perf_event_exit_context()
+--> __perf_remove_from_context()
+--> event_sched_out()
+--> cpumsf_pmu_del()
+--> cpumsf_pmu_stop()
+--> hw_perf_event_update()
to stop and remove the event. During removal of the event, the
sampling device driver tries to read out the remaining samples from
the sample data buffers (SDBs). But they have already been freed
(and may have been re-assigned). This may lead to a use after free
situation in which case the samples are most likely invalid. In the
best case the memory has not been reassigned and still contains
valid data.
Remedy this situation and check if the CPU is still in reserved
state (bit PMU_F_RESERVED set). In this case the SDBs have not been
released an contain valid data. This is always the case when
the event is removed (and no CPU hotplug off occured).
If the PMU_F_RESERVED bit is not set, the SDB buffers are gone.
Signed-off-by: Thomas Richter <tmricht(a)linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner(a)linux.ibm.com>
Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Heyuan Wang <wangheyuan2(a)h-partners.com>
---
arch/s390/kernel/perf_cpum_sf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index a3169193775f..e52c89739bc9 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -1922,7 +1922,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags)
event->hw.state |= PERF_HES_STOPPED;
if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) {
- hw_perf_event_update(event, 1);
+ /* CPU hotplug off removes SDBs. No samples to extract. */
+ if (cpuhw->flags & PMU_F_RESERVED)
+ hw_perf_event_update(event, 1);
event->hw.state |= PERF_HES_UPTODATE;
}
perf_pmu_enable(event->pmu);
--
2.25.1
2
1
17 Jan '25
From: Thomas Richter <tmricht(a)linux.ibm.com>
stable inclusion
from stable-v5.10.231
commit 99192c735ed4bfdff0d215ec85c8a87a677cb898
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBI7GX
CVE: CVE-2024-57849
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ]
CPU hotplug remove handling triggers the following function
call sequence:
CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu()
...
CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu()
The s390 CPUMF sampling CPU hotplug handler invokes:
s390_pmu_sf_offline_cpu()
+--> cpusf_pmu_setup()
+--> setup_pmc_cpu()
+--> deallocate_buffers()
This function de-allocates all sampling data buffers (SDBs) allocated
for that CPU at event initialization. It also clears the
PMU_F_RESERVED bit. The CPU is gone and can not be sampled.
With the event still being active on the removed CPU, the CPU event
hotplug support in kernel performance subsystem triggers the
following function calls on the removed CPU:
perf_event_exit_cpu()
+--> perf_event_exit_cpu_context()
+--> __perf_event_exit_context()
+--> __perf_remove_from_context()
+--> event_sched_out()
+--> cpumsf_pmu_del()
+--> cpumsf_pmu_stop()
+--> hw_perf_event_update()
to stop and remove the event. During removal of the event, the
sampling device driver tries to read out the remaining samples from
the sample data buffers (SDBs). But they have already been freed
(and may have been re-assigned). This may lead to a use after free
situation in which case the samples are most likely invalid. In the
best case the memory has not been reassigned and still contains
valid data.
Remedy this situation and check if the CPU is still in reserved
state (bit PMU_F_RESERVED set). In this case the SDBs have not been
released an contain valid data. This is always the case when
the event is removed (and no CPU hotplug off occured).
If the PMU_F_RESERVED bit is not set, the SDB buffers are gone.
Signed-off-by: Thomas Richter <tmricht(a)linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner(a)linux.ibm.com>
Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Heyuan Wang <wangheyuan2(a)h-partners.com>
---
arch/s390/kernel/perf_cpum_sf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index bcd31e0b4edb..af41550d34b9 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -1900,7 +1900,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags)
event->hw.state |= PERF_HES_STOPPED;
if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) {
- hw_perf_event_update(event, 1);
+ /* CPU hotplug off removes SDBs. No samples to extract. */
+ if (cpuhw->flags & PMU_F_RESERVED)
+ hw_perf_event_update(event, 1);
event->hw.state |= PERF_HES_UPTODATE;
}
perf_pmu_enable(event->pmu);
--
2.25.1
2
1
[openeuler:OLK-5.10 2709/2709] fs/buffer.o: warning: objtool: __breadahead_gfp()+0x9b: unreachable instruction
by kernel test robot 17 Jan '25
by kernel test robot 17 Jan '25
17 Jan '25
Hi Zhang,
FYI, the error/warning still remains.
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: 08e54ea5e4a4948874ca30d91be3e5cca4ecbeec
commit: 1ee722823d036ae6478e6bdb1afb12abff10a907 [2709/2709] fs/buffer: replace ll_rw_block()
config: x86_64-randconfig-161-20250117 (https://download.01.org/0day-ci/archive/20250117/202501171739.hW4TwhmP-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501171739.hW4TwhmP-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501171739.hW4TwhmP-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> fs/buffer.o: warning: objtool: __breadahead_gfp()+0x9b: unreachable instruction
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
1
0
[PATCH OLK-6.6] ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()
by Liu Jian 17 Jan '25
by Liu Jian 17 Jan '25
17 Jan '25
From: Jinghao Jia <jinghao7(a)illinois.edu>
stable inclusion
from stable-v6.6.66
commit 124834133b32f9386bb2d8581d9ab92f65e951e4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBICKD
CVE: CVE-2024-53680
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
-------------------------------------------------
[ Upstream commit 146b6f1112eb30a19776d6c323c994e9d67790db ]
Under certain kernel configurations when building with Clang/LLVM, the
compiler does not generate a return or jump as the terminator
instruction for ip_vs_protocol_init(), triggering the following objtool
warning during build time:
vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6()
At runtime, this either causes an oops when trying to load the ipvs
module or a boot-time panic if ipvs is built-in. This same issue has
been reported by the Intel kernel test robot previously.
Digging deeper into both LLVM and the kernel code reveals this to be a
undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer
of 64 chars to store the registered protocol names and leaves it
uninitialized after definition. The function calls strnlen() when
concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE
strnlen() performs an extra step to check whether the last byte of the
input char buffer is a null character (commit 3009f891bb9f ("fortify:
Allow strlen() and strnlen() to pass compile-time known lengths")).
This, together with possibly other configurations, cause the following
IR to be generated:
define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 {
%1 = alloca [64 x i8], align 16
...
14: ; preds = %11
%15 = getelementptr inbounds i8, ptr %1, i64 63
%16 = load i8, ptr %15, align 1
%17 = tail call i1 @llvm.is.constant.i8(i8 %16)
%18 = icmp eq i8 %16, 0
%19 = select i1 %17, i1 %18, i1 false
br i1 %19, label %20, label %23
20: ; preds = %14
%21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23
...
23: ; preds = %14, %11, %20
%24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24
...
}
The above code calculates the address of the last char in the buffer
(value %15) and then loads from it (value %16). Because the buffer is
never initialized, the LLVM GVN pass marks value %16 as undefined:
%13 = getelementptr inbounds i8, ptr %1, i64 63
br i1 undef, label %14, label %17
This gives later passes (SCCP, in particular) more DCE opportunities by
propagating the undef value further, and eventually removes everything
after the load on the uninitialized stack location:
define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 {
%1 = alloca [64 x i8], align 16
...
12: ; preds = %11
%13 = getelementptr inbounds i8, ptr %1, i64 63
unreachable
}
In this way, the generated native code will just fall through to the
next function, as LLVM does not generate any code for the unreachable IR
instruction and leaves the function without a terminator.
Zero the on-stack buffer to avoid this possible UB.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: kernel test robot <lkp(a)intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202402100205.PWXIz1ZK-lkp@intel.com/
Co-developed-by: Ruowen Qin <ruqin(a)redhat.com>
Signed-off-by: Ruowen Qin <ruqin(a)redhat.com>
Signed-off-by: Jinghao Jia <jinghao7(a)illinois.edu>
Acked-by: Julian Anastasov <ja(a)ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Liu Jian <liujian56(a)huawei.com>
---
net/netfilter/ipvs/ip_vs_proto.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c
index f100da4ba3bc..a9fd1d3fc2cb 100644
--- a/net/netfilter/ipvs/ip_vs_proto.c
+++ b/net/netfilter/ipvs/ip_vs_proto.c
@@ -340,7 +340,7 @@ void __net_exit ip_vs_protocol_net_cleanup(struct netns_ipvs *ipvs)
int __init ip_vs_protocol_init(void)
{
- char protocols[64];
+ char protocols[64] = { 0 };
#define REGISTER_PROTOCOL(p) \
do { \
register_ip_vs_protocol(p); \
@@ -348,8 +348,6 @@ int __init ip_vs_protocol_init(void)
strcat(protocols, (p)->name); \
} while (0)
- protocols[0] = '\0';
- protocols[2] = '\0';
#ifdef CONFIG_IP_VS_PROTO_TCP
REGISTER_PROTOCOL(&ip_vs_protocol_tcp);
#endif
--
2.34.1
2
1
17 Jan '25
The following series contains two patches that address clock-related issues in the Ralink SoC family:
- The first patch introduces a missing 'periph' clock to the RT3883 SoC's clock plan. This corrects issues with peripherals such as UART, I2C, I2S, and UARTlite, which previously relied on an undefined 'periph' clock.
- The second patch ensures proper probe order of base clocks for older Ralink SoCs (RT2880, RT305x, and RT3883) by defining the 'xtal' clock first. This eliminates boot warnings and ensures that dependent clocks are set up correctly from the start.
Sergio Paracuellos (2):
clk: ralink: mtmips: fix clock plan for Ralink SoC RT3883
clk: ralink: mtmips: fix clocks probe order in oldest ralink SoCs
drivers/clk/ralink/clk-mtmips.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--
2.22.0
2
3
[PATCH OLK-6.6 1/2] clk: ralink: mtmips: fix clock plan for Ralink SoC RT3883
by Tirui Yin 17 Jan '25
by Tirui Yin 17 Jan '25
17 Jan '25
From: Sergio Paracuellos <sergio.paracuellos(a)gmail.com>
stable inclusion
from stable-v6.6.64
commit f85a1d06afbcc57ac44176db8f9d7a934979952c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAEQ
CVE: CVE-2024-53223
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 33239152305567b3e9bf052f71fd4baecd626341 ]
Clock plan for Ralink SoC RT3883 needs an extra 'periph' clock to properly
set some peripherals that has this clock as their parent. When this driver
was mainlined we could not find any active users of this SoC so we cannot
perform any real tests for it. Now, one user of a Belkin f9k1109 version 1
device which uses this SoC appear and reported some issues in openWRT:
- https://github.com/openwrt/openwrt/issues/16054
The peripherals that are wrong are 'uart', 'i2c', 'i2s' and 'uartlite' which
has a not defined 'periph' clock as parent. Hence, introduce it to have a
properly working clock plan for this SoC.
Fixes: 6f3b15586eef ("clk: ralink: add clock and reset driver for MTMIPS SoCs")
Signed-off-by: Sergio Paracuellos <sergio.paracuellos(a)gmail.com>
Link: https://lore.kernel.org/r/20240910044024.120009-2-sergio.paracuellos@gmail.…
Signed-off-by: Stephen Boyd <sboyd(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com>
Signed-off-by: Tirui Yin <yintirui(a)huawei.com>
Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com>
---
drivers/clk/ralink/clk-mtmips.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/ralink/clk-mtmips.c b/drivers/clk/ralink/clk-mtmips.c
index 50a443bf79ec..62f9801ecd3a 100644
--- a/drivers/clk/ralink/clk-mtmips.c
+++ b/drivers/clk/ralink/clk-mtmips.c
@@ -267,6 +267,11 @@ static struct mtmips_clk_fixed rt305x_fixed_clocks[] = {
CLK_FIXED("xtal", NULL, 40000000)
};
+static struct mtmips_clk_fixed rt3883_fixed_clocks[] = {
+ CLK_FIXED("xtal", NULL, 40000000),
+ CLK_FIXED("periph", "xtal", 40000000)
+};
+
static struct mtmips_clk_fixed rt3352_fixed_clocks[] = {
CLK_FIXED("periph", "xtal", 40000000)
};
@@ -779,8 +784,8 @@ static const struct mtmips_clk_data rt3352_clk_data = {
static const struct mtmips_clk_data rt3883_clk_data = {
.clk_base = rt3883_clks_base,
.num_clk_base = ARRAY_SIZE(rt3883_clks_base),
- .clk_fixed = rt305x_fixed_clocks,
- .num_clk_fixed = ARRAY_SIZE(rt305x_fixed_clocks),
+ .clk_fixed = rt3883_fixed_clocks,
+ .num_clk_fixed = ARRAY_SIZE(rt3883_fixed_clocks),
.clk_factor = NULL,
.num_clk_factor = 0,
.clk_periph = rt5350_pherip_clks,
--
2.22.0
2
3
[openeuler:openEuler-1.0-LTS 1408/1408] include/linux/list.h:583:14: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]'
by kernel test robot 17 Jan '25
by kernel test robot 17 Jan '25
17 Jan '25
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 52349611d09c6a9a2b558b3ce1cb1dca0d47dbe8
commit: 08c9196f65d268e1f8dccde138d4644c427bde76 [1408/1408] mm/swap: use nr_node_ids for avail_lists in swap_info_struct
config: arm64-randconfig-004-20250117 (https://download.01.org/0day-ci/archive/20250117/202501171519.TpEUKk9L-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501171519.TpEUKk9L-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501171519.TpEUKk9L-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from arch/arm64/include/asm/bug.h:37,
from include/linux/bug.h:5,
from include/linux/mmdebug.h:5,
from include/linux/mm.h:9,
from mm/swapfile.c:8:
In function 'add_to_avail_list',
inlined from 'swap_range_free.constprop' at mm/swapfile.c:667:4:
mm/swapfile.c:648:43: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
648 | WARN_ON(!plist_node_empty(&p->avail_lists[nid]));
| ^~~~~~~~~~~~~~~~~~~~
include/asm-generic/bug.h:191:32: note: in definition of macro 'WARN_ON'
191 | int __ret_warn_on = !!(condition); \
| ^~~~~~~~~
In file included from mm/swapfile.c:15:
include/linux/swap.h: In function 'swap_range_free.constprop':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
mm/swapfile.c: In function '_enable_swap_info':
mm/swapfile.c:2458:47: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2458 | p->avail_lists[i].prio = 1;
| ~~~~~~~~~~~~~~^~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
mm/swapfile.c:2460:47: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2460 | p->avail_lists[i].prio = -p->prio;
| ~~~~~~~~~~~~~~^~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
mm/swapfile.c:2455:39: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2455 | p->avail_lists[i].prio = -p->prio;
| ~~~~~~~~~~~~~~^~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function 'add_to_avail_list',
inlined from '_enable_swap_info' at mm/swapfile.c:2481:2:
mm/swapfile.c:648:43: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
648 | WARN_ON(!plist_node_empty(&p->avail_lists[nid]));
| ^~~~~~~~~~~~~~~~~~~~
include/asm-generic/bug.h:191:32: note: in definition of macro 'WARN_ON'
191 | int __ret_warn_on = !!(condition); \
| ^~~~~~~~~
include/linux/swap.h: In function '_enable_swap_info':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function '__del_from_avail_list',
inlined from 'del_from_avail_list' at mm/swapfile.c:621:2,
inlined from 'swap_range_alloc' at mm/swapfile.c:638:3,
inlined from 'scan_swap_map_slots' at mm/swapfile.c:802:2:
mm/swapfile.c:615:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
615 | plist_del(&p->avail_lists[nid], &swap_avail_heads[nid]);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h: In function 'scan_swap_map_slots':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In file included from include/asm-generic/bug.h:18:
mm/swapfile.c: In function 'get_swap_pages':
mm/swapfile.c:970:81: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) {
include/linux/kernel.h:996:33: note: in definition of macro 'container_of'
996 | void *__mptr = (void *)(ptr); \
| ^~~
include/linux/list.h:440:9: note: in expansion of macro 'list_entry'
440 | list_entry((pos)->member.next, typeof(*(pos)), member)
| ^~~~~~~~~~
include/linux/list.h:582:21: note: in expansion of macro 'list_next_entry'
582 | n = list_next_entry(pos, member); \
| ^~~~~~~~~~~~~~~
include/linux/plist.h:206:9: note: in expansion of macro 'list_for_each_entry_safe'
206 | list_for_each_entry_safe(pos, n, &(head)->node_list, m.node_list)
| ^~~~~~~~~~~~~~~~~~~~~~~~
mm/swapfile.c:970:9: note: in expansion of macro 'plist_for_each_entry_safe'
970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In file included from include/linux/preempt.h:11,
from include/linux/spinlock.h:51,
from include/linux/mmzone.h:8,
from include/linux/gfp.h:6,
from include/linux/mm.h:10:
>> include/linux/list.h:583:14: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
583 | &pos->member != (head); \
include/linux/plist.h:206:9: note: in expansion of macro 'list_for_each_entry_safe'
206 | list_for_each_entry_safe(pos, n, &(head)->node_list, m.node_list)
| ^~~~~~~~~~~~~~~~~~~~~~~~
mm/swapfile.c:970:9: note: in expansion of macro 'plist_for_each_entry_safe'
970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
mm/swapfile.c:972:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
972 | plist_requeue(&si->avail_lists[node], &swap_avail_heads[node]);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
mm/swapfile.c:970:81: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) {
include/linux/kernel.h:996:33: note: in definition of macro 'container_of'
996 | void *__mptr = (void *)(ptr); \
| ^~~
include/linux/list.h:440:9: note: in expansion of macro 'list_entry'
440 | list_entry((pos)->member.next, typeof(*(pos)), member)
| ^~~~~~~~~~
include/linux/list.h:584:27: note: in expansion of macro 'list_next_entry'
584 | pos = n, n = list_next_entry(n, member))
| ^~~~~~~~~~~~~~~
include/linux/plist.h:206:9: note: in expansion of macro 'list_for_each_entry_safe'
206 | list_for_each_entry_safe(pos, n, &(head)->node_list, m.node_list)
| ^~~~~~~~~~~~~~~~~~~~~~~~
mm/swapfile.c:970:9: note: in expansion of macro 'plist_for_each_entry_safe'
970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function '__del_from_avail_list',
inlined from 'del_from_avail_list' at mm/swapfile.c:621:2,
inlined from '__do_sys_swapoff' at mm/swapfile.c:2566:2,
inlined from '__se_sys_swapoff' at mm/swapfile.c:2517:1:
mm/swapfile.c:615:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
615 | plist_del(&p->avail_lists[nid], &swap_avail_heads[nid]);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h: In function '__se_sys_swapoff':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function '__do_sys_swapoff',
inlined from '__se_sys_swapoff' at mm/swapfile.c:2517:1:
mm/swapfile.c:2576:52: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2576 | if (si->avail_lists[nid].prio != 1)
| ~~~~~~~~~~~~~~~^~~~~
include/linux/swap.h: In function '__se_sys_swapoff':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function '__do_sys_swapoff',
inlined from '__se_sys_swapoff' at mm/swapfile.c:2517:1:
mm/swapfile.c:2577:56: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2577 | si->avail_lists[nid].prio--;
| ~~~~~~~~~~~~~~~^~~~~
include/linux/swap.h: In function '__se_sys_swapoff':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function 'alloc_swap_info',
inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6,
inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1:
mm/swapfile.c:2860:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2860 | plist_node_init(&p->avail_lists[i], 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h: In function '__se_sys_swapon':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function 'alloc_swap_info',
inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6,
inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1:
mm/swapfile.c:2860:48: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
2860 | plist_node_init(&p->avail_lists[i], 0);
| ~~~~~~~~~~~~~~^~~
include/linux/swap.h: In function '__se_sys_swapon':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In file included from include/linux/sched.h:19,
from arch/arm64/include/asm/pgtable.h:46,
from include/linux/memremap.h:7,
from include/linux/mm.h:27:
In function 'plist_node_init',
inlined from 'alloc_swap_info' at mm/swapfile.c:2860:3,
inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6,
inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1:
>> include/linux/plist.h:137:9: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
137 | INIT_LIST_HEAD(&node->prio_list);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h: In function '__se_sys_swapon':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
In function 'plist_node_init',
inlined from 'alloc_swap_info' at mm/swapfile.c:2860:3,
inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6,
inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1:
include/linux/plist.h:138:9: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=]
138 | INIT_LIST_HEAD(&node->node_list);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/swap.h: In function '__se_sys_swapon':
include/linux/swap.h:275:27: note: while referencing 'avail_lists'
275 | struct plist_node avail_lists[0]; /*
| ^~~~~~~~~~~
vim +583 include/linux/list.h
6d7581e62f8be4 Jiri Pirko 2013-05-29 433
008208c6b26f21 Oleg Nesterov 2013-11-12 434 /**
008208c6b26f21 Oleg Nesterov 2013-11-12 435 * list_next_entry - get the next element in list
008208c6b26f21 Oleg Nesterov 2013-11-12 436 * @pos: the type * to cursor
3943f42c11896c Andrey Utkin 2014-11-14 437 * @member: the name of the list_head within the struct.
008208c6b26f21 Oleg Nesterov 2013-11-12 438 */
008208c6b26f21 Oleg Nesterov 2013-11-12 439 #define list_next_entry(pos, member) \
008208c6b26f21 Oleg Nesterov 2013-11-12 440 list_entry((pos)->member.next, typeof(*(pos)), member)
008208c6b26f21 Oleg Nesterov 2013-11-12 441
008208c6b26f21 Oleg Nesterov 2013-11-12 442 /**
008208c6b26f21 Oleg Nesterov 2013-11-12 443 * list_prev_entry - get the prev element in list
008208c6b26f21 Oleg Nesterov 2013-11-12 444 * @pos: the type * to cursor
3943f42c11896c Andrey Utkin 2014-11-14 445 * @member: the name of the list_head within the struct.
008208c6b26f21 Oleg Nesterov 2013-11-12 446 */
008208c6b26f21 Oleg Nesterov 2013-11-12 447 #define list_prev_entry(pos, member) \
008208c6b26f21 Oleg Nesterov 2013-11-12 448 list_entry((pos)->member.prev, typeof(*(pos)), member)
008208c6b26f21 Oleg Nesterov 2013-11-12 449
^1da177e4c3f41 Linus Torvalds 2005-04-16 450 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 451 * list_for_each - iterate over a list
8e3a67a99231f9 Randy Dunlap 2006-06-25 452 * @pos: the &struct list_head to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 453 * @head: the head for your list.
^1da177e4c3f41 Linus Torvalds 2005-04-16 454 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 455 #define list_for_each(pos, head) \
e66eed651fd18a Linus Torvalds 2011-05-19 456 for (pos = (head)->next; pos != (head); pos = pos->next)
^1da177e4c3f41 Linus Torvalds 2005-04-16 457
^1da177e4c3f41 Linus Torvalds 2005-04-16 458 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 459 * list_for_each_prev - iterate over a list backwards
8e3a67a99231f9 Randy Dunlap 2006-06-25 460 * @pos: the &struct list_head to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 461 * @head: the head for your list.
^1da177e4c3f41 Linus Torvalds 2005-04-16 462 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 463 #define list_for_each_prev(pos, head) \
e66eed651fd18a Linus Torvalds 2011-05-19 464 for (pos = (head)->prev; pos != (head); pos = pos->prev)
^1da177e4c3f41 Linus Torvalds 2005-04-16 465
^1da177e4c3f41 Linus Torvalds 2005-04-16 466 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 467 * list_for_each_safe - iterate over a list safe against removal of list entry
8e3a67a99231f9 Randy Dunlap 2006-06-25 468 * @pos: the &struct list_head to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 469 * @n: another &struct list_head to use as temporary storage
^1da177e4c3f41 Linus Torvalds 2005-04-16 470 * @head: the head for your list.
^1da177e4c3f41 Linus Torvalds 2005-04-16 471 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 472 #define list_for_each_safe(pos, n, head) \
^1da177e4c3f41 Linus Torvalds 2005-04-16 473 for (pos = (head)->next, n = pos->next; pos != (head); \
^1da177e4c3f41 Linus Torvalds 2005-04-16 474 pos = n, n = pos->next)
^1da177e4c3f41 Linus Torvalds 2005-04-16 475
37c42524d60906 Denis V. Lunev 2007-10-16 476 /**
8f731f7d83d6c6 Randy Dunlap 2007-10-18 477 * list_for_each_prev_safe - iterate over a list backwards safe against removal of list entry
37c42524d60906 Denis V. Lunev 2007-10-16 478 * @pos: the &struct list_head to use as a loop cursor.
37c42524d60906 Denis V. Lunev 2007-10-16 479 * @n: another &struct list_head to use as temporary storage
37c42524d60906 Denis V. Lunev 2007-10-16 480 * @head: the head for your list.
37c42524d60906 Denis V. Lunev 2007-10-16 481 */
37c42524d60906 Denis V. Lunev 2007-10-16 482 #define list_for_each_prev_safe(pos, n, head) \
37c42524d60906 Denis V. Lunev 2007-10-16 483 for (pos = (head)->prev, n = pos->prev; \
e66eed651fd18a Linus Torvalds 2011-05-19 484 pos != (head); \
37c42524d60906 Denis V. Lunev 2007-10-16 485 pos = n, n = pos->prev)
37c42524d60906 Denis V. Lunev 2007-10-16 486
^1da177e4c3f41 Linus Torvalds 2005-04-16 487 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 488 * list_for_each_entry - iterate over list of given type
8e3a67a99231f9 Randy Dunlap 2006-06-25 489 * @pos: the type * to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 490 * @head: the head for your list.
3943f42c11896c Andrey Utkin 2014-11-14 491 * @member: the name of the list_head within the struct.
^1da177e4c3f41 Linus Torvalds 2005-04-16 492 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 493 #define list_for_each_entry(pos, head, member) \
93be3c2eb3371f Oleg Nesterov 2013-11-12 494 for (pos = list_first_entry(head, typeof(*pos), member); \
e66eed651fd18a Linus Torvalds 2011-05-19 495 &pos->member != (head); \
8120e2e5141a42 Oleg Nesterov 2013-11-12 496 pos = list_next_entry(pos, member))
^1da177e4c3f41 Linus Torvalds 2005-04-16 497
^1da177e4c3f41 Linus Torvalds 2005-04-16 498 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 499 * list_for_each_entry_reverse - iterate backwards over list of given type.
8e3a67a99231f9 Randy Dunlap 2006-06-25 500 * @pos: the type * to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 501 * @head: the head for your list.
3943f42c11896c Andrey Utkin 2014-11-14 502 * @member: the name of the list_head within the struct.
^1da177e4c3f41 Linus Torvalds 2005-04-16 503 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 504 #define list_for_each_entry_reverse(pos, head, member) \
93be3c2eb3371f Oleg Nesterov 2013-11-12 505 for (pos = list_last_entry(head, typeof(*pos), member); \
e66eed651fd18a Linus Torvalds 2011-05-19 506 &pos->member != (head); \
8120e2e5141a42 Oleg Nesterov 2013-11-12 507 pos = list_prev_entry(pos, member))
^1da177e4c3f41 Linus Torvalds 2005-04-16 508
^1da177e4c3f41 Linus Torvalds 2005-04-16 509 /**
72fd4a35a82433 Robert P. J. Day 2007-02-10 510 * list_prepare_entry - prepare a pos entry for use in list_for_each_entry_continue()
^1da177e4c3f41 Linus Torvalds 2005-04-16 511 * @pos: the type * to use as a start point
^1da177e4c3f41 Linus Torvalds 2005-04-16 512 * @head: the head of the list
3943f42c11896c Andrey Utkin 2014-11-14 513 * @member: the name of the list_head within the struct.
fe96e57d77481c Randy Dunlap 2006-06-25 514 *
72fd4a35a82433 Robert P. J. Day 2007-02-10 515 * Prepares a pos entry for use as a start point in list_for_each_entry_continue().
^1da177e4c3f41 Linus Torvalds 2005-04-16 516 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 517 #define list_prepare_entry(pos, head, member) \
^1da177e4c3f41 Linus Torvalds 2005-04-16 518 ((pos) ? : list_entry(head, typeof(*pos), member))
^1da177e4c3f41 Linus Torvalds 2005-04-16 519
^1da177e4c3f41 Linus Torvalds 2005-04-16 520 /**
fe96e57d77481c Randy Dunlap 2006-06-25 521 * list_for_each_entry_continue - continue iteration over list of given type
8e3a67a99231f9 Randy Dunlap 2006-06-25 522 * @pos: the type * to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 523 * @head: the head for your list.
3943f42c11896c Andrey Utkin 2014-11-14 524 * @member: the name of the list_head within the struct.
fe96e57d77481c Randy Dunlap 2006-06-25 525 *
fe96e57d77481c Randy Dunlap 2006-06-25 526 * Continue to iterate over list of given type, continuing after
fe96e57d77481c Randy Dunlap 2006-06-25 527 * the current position.
^1da177e4c3f41 Linus Torvalds 2005-04-16 528 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 529 #define list_for_each_entry_continue(pos, head, member) \
8120e2e5141a42 Oleg Nesterov 2013-11-12 530 for (pos = list_next_entry(pos, member); \
e66eed651fd18a Linus Torvalds 2011-05-19 531 &pos->member != (head); \
8120e2e5141a42 Oleg Nesterov 2013-11-12 532 pos = list_next_entry(pos, member))
^1da177e4c3f41 Linus Torvalds 2005-04-16 533
768f3591e2b1cc Pavel Emelyanov 2007-09-18 534 /**
768f3591e2b1cc Pavel Emelyanov 2007-09-18 535 * list_for_each_entry_continue_reverse - iterate backwards from the given point
768f3591e2b1cc Pavel Emelyanov 2007-09-18 536 * @pos: the type * to use as a loop cursor.
768f3591e2b1cc Pavel Emelyanov 2007-09-18 537 * @head: the head for your list.
3943f42c11896c Andrey Utkin 2014-11-14 538 * @member: the name of the list_head within the struct.
768f3591e2b1cc Pavel Emelyanov 2007-09-18 539 *
768f3591e2b1cc Pavel Emelyanov 2007-09-18 540 * Start to iterate over list of given type backwards, continuing after
768f3591e2b1cc Pavel Emelyanov 2007-09-18 541 * the current position.
768f3591e2b1cc Pavel Emelyanov 2007-09-18 542 */
768f3591e2b1cc Pavel Emelyanov 2007-09-18 543 #define list_for_each_entry_continue_reverse(pos, head, member) \
8120e2e5141a42 Oleg Nesterov 2013-11-12 544 for (pos = list_prev_entry(pos, member); \
e66eed651fd18a Linus Torvalds 2011-05-19 545 &pos->member != (head); \
8120e2e5141a42 Oleg Nesterov 2013-11-12 546 pos = list_prev_entry(pos, member))
768f3591e2b1cc Pavel Emelyanov 2007-09-18 547
e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 548 /**
fe96e57d77481c Randy Dunlap 2006-06-25 549 * list_for_each_entry_from - iterate over list of given type from the current point
8e3a67a99231f9 Randy Dunlap 2006-06-25 550 * @pos: the type * to use as a loop cursor.
e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 551 * @head: the head for your list.
3943f42c11896c Andrey Utkin 2014-11-14 552 * @member: the name of the list_head within the struct.
fe96e57d77481c Randy Dunlap 2006-06-25 553 *
fe96e57d77481c Randy Dunlap 2006-06-25 554 * Iterate over list of given type, continuing from current position.
e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 555 */
e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 556 #define list_for_each_entry_from(pos, head, member) \
e66eed651fd18a Linus Torvalds 2011-05-19 557 for (; &pos->member != (head); \
8120e2e5141a42 Oleg Nesterov 2013-11-12 558 pos = list_next_entry(pos, member))
e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 559
b862815c3ee7b4 Jiri Pirko 2017-02-03 560 /**
b862815c3ee7b4 Jiri Pirko 2017-02-03 561 * list_for_each_entry_from_reverse - iterate backwards over list of given type
b862815c3ee7b4 Jiri Pirko 2017-02-03 562 * from the current point
b862815c3ee7b4 Jiri Pirko 2017-02-03 563 * @pos: the type * to use as a loop cursor.
b862815c3ee7b4 Jiri Pirko 2017-02-03 564 * @head: the head for your list.
b862815c3ee7b4 Jiri Pirko 2017-02-03 565 * @member: the name of the list_head within the struct.
b862815c3ee7b4 Jiri Pirko 2017-02-03 566 *
b862815c3ee7b4 Jiri Pirko 2017-02-03 567 * Iterate backwards over list of given type, continuing from current position.
b862815c3ee7b4 Jiri Pirko 2017-02-03 568 */
b862815c3ee7b4 Jiri Pirko 2017-02-03 569 #define list_for_each_entry_from_reverse(pos, head, member) \
b862815c3ee7b4 Jiri Pirko 2017-02-03 570 for (; &pos->member != (head); \
b862815c3ee7b4 Jiri Pirko 2017-02-03 571 pos = list_prev_entry(pos, member))
b862815c3ee7b4 Jiri Pirko 2017-02-03 572
^1da177e4c3f41 Linus Torvalds 2005-04-16 573 /**
^1da177e4c3f41 Linus Torvalds 2005-04-16 574 * list_for_each_entry_safe - iterate over list of given type safe against removal of list entry
8e3a67a99231f9 Randy Dunlap 2006-06-25 575 * @pos: the type * to use as a loop cursor.
^1da177e4c3f41 Linus Torvalds 2005-04-16 576 * @n: another type * to use as temporary storage
^1da177e4c3f41 Linus Torvalds 2005-04-16 577 * @head: the head for your list.
3943f42c11896c Andrey Utkin 2014-11-14 578 * @member: the name of the list_head within the struct.
^1da177e4c3f41 Linus Torvalds 2005-04-16 579 */
^1da177e4c3f41 Linus Torvalds 2005-04-16 580 #define list_for_each_entry_safe(pos, n, head, member) \
93be3c2eb3371f Oleg Nesterov 2013-11-12 581 for (pos = list_first_entry(head, typeof(*pos), member), \
8120e2e5141a42 Oleg Nesterov 2013-11-12 582 n = list_next_entry(pos, member); \
^1da177e4c3f41 Linus Torvalds 2005-04-16 @583 &pos->member != (head); \
8120e2e5141a42 Oleg Nesterov 2013-11-12 584 pos = n, n = list_next_entry(n, member))
^1da177e4c3f41 Linus Torvalds 2005-04-16 585
:::::: The code at line 583 was first introduced by commit
:::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2
:::::: TO: Linus Torvalds <torvalds(a)ppc970.osdl.org>
:::::: CC: Linus Torvalds <torvalds(a)ppc970.osdl.org>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
1
0