- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 v2] memstick: r592: Fix UAF bug in r592_remove due to race condition
by Chen Zhongjin 20 Jun '23

20 Jun '23

From: Zheng Wang <zyytlz.wz(a)163.com> mainline inclusion from mainline-v6.4-rc1 commit 63264422785021704c39b38f65a78ab9e4a186d7 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7EK74 CVE: CVE-2023-3141 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In r592_probe, dev->detect_timer was bound with r592_detect_timer. In r592_irq function, the timer function will be invoked by mod_timer. If we remove the module which will call hantro_release to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in r592_remove. CPU0 CPU1 |r592_detect_timer r592_remove | memstick_free_host| put_device; | kfree(host); | | | queue_work | &host->media_checker //use Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/memstick/host/r592.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index eaa2a94d18be..dd06c18495eb 100644 --- a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -828,7 +828,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won't take any more requests */ kthread_stop(dev->io_thread); - + del_timer_sync(&dev->detect_timer); r592_enable_device(dev, false); while (!error && dev->req) { -- 2.17.1

2 1

[PATCH OLK-5.10] net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
by Zhengchao Shao 20 Jun '23

20 Jun '23

From: Hangyu Hua <hbh25y(a)gmail.com> stable inclusion from stable-v5.10.183 commit 7c5c67aa294444b53f697dc3ddce61b33ff8badd category: bugfix bugzilla: 188914 CVE: CVE-2023-35788 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4d56304e5827c8cc8cc18c75343d283af7c4825c ] If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total size is 252 bytes(key->enc_opts.len = 252) then key->enc_opts.len = opt->length = data_len / 4 = 0 when the third TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This bypasses the next bounds check and results in an out-of-bounds. Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") Signed-off-by: Hangyu Hua <hbh25y(a)gmail.com> Reviewed-by: Simon Horman <simon.horman(a)corigine.com> Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren(a)amd.com> Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/sched/cls_flower.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 8ff6945b9f8f..275122cc0b6d 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -1080,6 +1080,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, if (option_len > sizeof(struct geneve_opt)) data_len = option_len - sizeof(struct geneve_opt); + if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) + return -ERANGE; + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; memset(opt, 0xff, option_len); opt->length = data_len / 4; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] memstick: r592: Fix UAF bug in r592_remove due to race condition
by Yongqiang Liu 20 Jun '23

20 Jun '23

From: Zheng Wang <zyytlz.wz(a)163.com> mainline inclusion from mainline-v6.4-rc1 commit 63264422785021704c39b38f65a78ab9e4a186d7 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7EK74 CVE: CVE-2023-3141 -------------------------------- In r592_probe, dev->detect_timer was bound with r592_detect_timer. In r592_irq function, the timer function will be invoked by mod_timer. If we remove the module which will call hantro_release to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in r592_remove. CPU0 CPU1 |r592_detect_timer r592_remove | memstick_free_host| put_device; | kfree(host); | | | queue_work | &host->media_checker //use Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> Reviewed-by: Xu Kuohai <xukuohai(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/memstick/host/r592.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index 627d6e62fe31..61b9c97cf0e7 100644 --- a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -827,7 +827,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won't take any more requests */ kthread_stop(dev->io_thread); - + del_timer_sync(&dev->detect_timer); r592_enable_device(dev, false); while (!error && dev->req) { -- 2.25.1

1 0

[PATCH OLK-5.10] memstick: r592: Fix UAF bug in r592_remove due to race condition
by Chen Zhongjin 20 Jun '23

20 Jun '23

From: Zheng Wang <zyytlz.wz(a)163.com> mainline inclusion from mainline-v6.4-rc1 commit 63264422785021704c39b38f65a78ab9e4a186d7 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7EK74 CVE: CVE-2023-3141 -------------------------------- In r592_probe, dev->detect_timer was bound with r592_detect_timer. In r592_irq function, the timer function will be invoked by mod_timer. If we remove the module which will call hantro_release to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in r592_remove. CPU0 CPU1 |r592_detect_timer r592_remove | memstick_free_host| put_device; | kfree(host); | | | queue_work | &host->media_checker //use Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/memstick/host/r592.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c index eaa2a94d18be..dd06c18495eb 100644 --- a/drivers/memstick/host/r592.c +++ b/drivers/memstick/host/r592.c @@ -828,7 +828,7 @@ static void r592_remove(struct pci_dev *pdev) /* Stop the processing thread. That ensures that we won't take any more requests */ kthread_stop(dev->io_thread); - + del_timer_sync(&dev->detect_timer); r592_enable_device(dev, false); while (!error && dev->req) { -- 2.17.1

1 0

[PATCH openEuler-22.03-LTS-SP2 0/2] Fix some warning messages in netacc
by Liu Jian 20 Jun '23

20 Jun '23

Fix below warning messages: libbpf: Error in bpf_create_map_xattr(redissock_map):ERROR: strerror_r(-524)=22(-524). Retrying without BTF. rmmod: ERROR: Module localip is not currently loaded Hengqi Chen (1): libbpf: Support uniform BTF-defined key/value specification across all BPF maps Liu Jian (1): tools: ignore one warning message tools/lib/bpf/libbpf.c | 24 ++++++++++++++++++++++++ tools/netacc/net-acc | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) -- 2.34.1

2 3

[PATCH openEuler-22.03-LTS] mm: oom: move memcg_print_bad_task() out of mem_cgroup_scan_tasks()
by Liu Shixin 19 Jun '23

19 Jun '23

From: Kang Chen <void0red(a)hust.edu.cn> hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NYW4 CVE: NA -------------------------------- raw call flow: oom_kill_process -> mem_cgroup_scan_tasks(.., .., message) -> memcg_print_bad_task(message, ..) message is "const char*" type, and incorrectly cast to "oom_control*" type in memcg_print_bad_task. Fix it by moving memcg_print_bad_task out of mem_cgroup_scan_tasks and call it in select_bad_process and dump_tasks. Furthermore, use struct oom_control* directly and remove the useless parm `ret`. Reviewed-by: Kefeng Wang <wangkefeng.wang(a)huawei.com> Signed-off-by: Kang Chen <void0red(a)hust.edu.cn> Conflicts: include/linux/memcontrol.h Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- include/linux/memcontrol.h | 3 ++- mm/memcontrol.c | 16 +++++++++------- mm/oom_kill.c | 14 ++++++++------ 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h index a0143237b8a7..3480d9030108 100644 --- a/include/linux/memcontrol.h +++ b/include/linux/memcontrol.h @@ -23,6 +23,7 @@ #include <linux/page-flags.h> #include <linux/kabi.h> #include <linux/dynamic_hugetlb.h> +#include <linux/oom.h> struct mem_cgroup; struct obj_cgroup; @@ -400,7 +401,7 @@ DECLARE_STATIC_KEY_FALSE(memcg_qos_stat_key); bool memcg_low_priority_scan_tasks(int (*)(struct task_struct *, void *), void *); -void memcg_print_bad_task(void *arg, int ret); +void memcg_print_bad_task(struct oom_control *oc); extern int sysctl_memcg_qos_handler(struct ctl_table *table, int write, void __user *buffer, size_t *length, loff_t *ppos); #endif diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 467c1f2fd6ae..81429e8266ab 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -1201,9 +1201,6 @@ int mem_cgroup_scan_tasks(struct mem_cgroup *memcg, break; } } -#ifdef CONFIG_MEMCG_QOS - memcg_print_bad_task(arg, ret); -#endif return ret; } @@ -3950,14 +3947,12 @@ bool memcg_low_priority_scan_tasks(int (*fn)(struct task_struct *, void *), return oc->chosen ? true : false; } -void memcg_print_bad_task(void *arg, int ret) +void memcg_print_bad_task(struct oom_control *oc) { - struct oom_control *oc = arg; - if (!static_branch_likely(&memcg_qos_stat_key)) return; - if (!ret && oc->chosen) { + if (oc->chosen) { struct mem_cgroup *memcg; memcg = mem_cgroup_from_task(oc->chosen); @@ -3988,6 +3983,13 @@ int sysctl_memcg_qos_handler(struct ctl_table *table, int write, return ret; } + +#else + +void memcg_print_bad_task(struct oom_control *oc) +{ +} + #endif #ifdef CONFIG_NUMA diff --git a/mm/oom_kill.c b/mm/oom_kill.c index 7eb4fda1ce87..41b1ea3b5703 100644 --- a/mm/oom_kill.c +++ b/mm/oom_kill.c @@ -408,9 +408,10 @@ static void select_bad_process(struct oom_control *oc) { oc->chosen_points = LONG_MIN; - if (is_memcg_oom(oc)) - mem_cgroup_scan_tasks(oc->memcg, oom_evaluate_task, oc); - else { + if (is_memcg_oom(oc)) { + if (!mem_cgroup_scan_tasks(oc->memcg, oom_evaluate_task, oc)) + memcg_print_bad_task(oc); + } else { struct task_struct *p; #ifdef CONFIG_MEMCG_QOS @@ -473,9 +474,10 @@ static void dump_tasks(struct oom_control *oc) pr_info("Tasks state (memory values in pages):\n"); pr_info("[ pid ] uid tgid total_vm rss pgtables_bytes swapents oom_score_adj name\n"); - if (is_memcg_oom(oc)) - mem_cgroup_scan_tasks(oc->memcg, dump_task, oc); - else { + if (is_memcg_oom(oc)) { + if (!mem_cgroup_scan_tasks(oc->memcg, dump_task, oc)) + memcg_print_bad_task(oc); + } else { struct task_struct *p; rcu_read_lock(); -- 2.25.1

2 1

[PATCH OLK-5.10] mm/page_alloc: allow high-order pages to be stored on the per-cpu lists
by Tu Jinjiang 19 Jun '23

19 Jun '23

From: Mel Gorman <mgorman(a)techsingularity.net> mainline inclusion from mainline-v5.14-rc1 commit 44042b4498728f4376e84bae1ac8016d146d850b category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7EQDW CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------- The per-cpu page allocator (PCP) only stores order-0 pages. This means that all THP and "cheap" high-order allocations including SLUB contends on the zone->lock. This patch extends the PCP allocator to store THP and "cheap" high-order pages. Note that struct per_cpu_pages increases in size to 256 bytes (4 cache lines) on x86-64. Note that this is not necessarily a universal performance win because of how it is implemented. High-order pages can cause pcp->high to be exceeded prematurely for lower-orders so for example, a large number of THP pages being freed could release order-0 pages from the PCP lists. Hence, much depends on the allocation/free pattern as observed by a single CPU to determine if caching helps or hurts a particular workload. That said, basic performance testing passed. The following is a netperf UDP_STREAM test which hits the relevant patches as some of the network allocations are high-order. netperf-udp 5.13.0-rc2 5.13.0-rc2 mm-pcpburst-v3r4 mm-pcphighorder-v1r7 Hmean send-64 261.46 ( 0.00%) 266.30 * 1.85%* Hmean send-128 516.35 ( 0.00%) 536.78 * 3.96%* Hmean send-256 1014.13 ( 0.00%) 1034.63 * 2.02%* Hmean send-1024 3907.65 ( 0.00%) 4046.11 * 3.54%* Hmean send-2048 7492.93 ( 0.00%) 7754.85 * 3.50%* Hmean send-3312 11410.04 ( 0.00%) 11772.32 * 3.18%* Hmean send-4096 13521.95 ( 0.00%) 13912.34 * 2.89%* Hmean send-8192 21660.50 ( 0.00%) 22730.72 * 4.94%* Hmean send-16384 31902.32 ( 0.00%) 32637.50 * 2.30%* Functionally, a patch like this is necessary to make bulk allocation of high-order pages work with similar performance to order-0 bulk allocations. The bulk allocator is not updated in this series as it would have to be determined by bulk allocation users how they want to track the order of pages allocated with the bulk allocator. Link: https://lkml.kernel.org/r/20210611135753.GC30378@techsingularity.net Signed-off-by: Mel Gorman <mgorman(a)techsingularity.net> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Zi Yan <ziy(a)nvidia.com> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Jesper Dangaard Brouer <brouer(a)redhat.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Conflicts: include/linux/mmzone.h mm/internal.h mm/page_alloc.c Signed-off-by: Tu Jinjiang <tujinjiang(a)huawei.com> --- include/linux/gfp.h | 2 +- include/linux/mmzone.h | 20 ++++- mm/page_alloc.c | 170 ++++++++++++++++++++++++++++++----------- mm/swap.c | 2 +- 4 files changed, 145 insertions(+), 49 deletions(-) diff --git a/include/linux/gfp.h b/include/linux/gfp.h index 5c3df92a4745..e81a001861dd 100644 --- a/include/linux/gfp.h +++ b/include/linux/gfp.h @@ -600,7 +600,7 @@ void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask); extern void __free_pages(struct page *page, unsigned int order); extern void free_pages(unsigned long addr, unsigned int order); -extern void free_unref_page(struct page *page); +extern void free_unref_page(struct page *page, unsigned int order); extern void free_unref_page_list(struct list_head *list); struct page_frag_cache; diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h index 0a70b4bdd236..85b91e4f6ebd 100644 --- a/include/linux/mmzone.h +++ b/include/linux/mmzone.h @@ -318,6 +318,24 @@ enum zone_watermarks { NR_WMARK }; +/* + * One per migratetype for each PAGE_ALLOC_COSTLY_ORDER plus one additional + * for pageblock size for THP if configured. + */ +#ifdef CONFIG_TRANSPARENT_HUGEPAGE +#define NR_PCP_THP 1 +#else +#define NR_PCP_THP 0 +#endif +#define NR_PCP_LISTS (MIGRATE_PCPTYPES * (PAGE_ALLOC_COSTLY_ORDER + 1 + NR_PCP_THP)) + +/* + * Shift to encode migratetype and order in the same integer, with order + * in the least significant bits. + */ +#define NR_PCP_ORDER_WIDTH 8 +#define NR_PCP_ORDER_MASK ((1<<NR_PCP_ORDER_WIDTH) - 1) + #define min_wmark_pages(z) (z->_watermark[WMARK_MIN] + z->watermark_boost) #define low_wmark_pages(z) (z->_watermark[WMARK_LOW] + z->watermark_boost) #define high_wmark_pages(z) (z->_watermark[WMARK_HIGH] + z->watermark_boost) @@ -329,7 +347,7 @@ struct per_cpu_pages { int batch; /* chunk size for buddy add/remove */ /* Lists of pages, one per migrate type stored on the pcp-lists */ - struct list_head lists[MIGRATE_PCPTYPES]; + struct list_head lists[NR_PCP_LISTS]; }; struct per_cpu_pageset { diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 12da70f39e0c..e3dbafd45f0c 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -222,6 +222,49 @@ static int __init early_init_on_free(char *buf) } early_param("init_on_free", early_init_on_free); +static inline unsigned int order_to_pindex(int migratetype, int order) +{ + int base = order; + +#ifdef CONFIG_TRANSPARENT_HUGEPAGE + if (order > PAGE_ALLOC_COSTLY_ORDER) { + VM_BUG_ON(order != pageblock_order); + base = PAGE_ALLOC_COSTLY_ORDER + 1; + } +#else + VM_BUG_ON(order > PAGE_ALLOC_COSTLY_ORDER); +#endif + + return (MIGRATE_PCPTYPES * base) + migratetype; +} + +static inline int pindex_to_order(unsigned int pindex) +{ + int order = pindex / MIGRATE_PCPTYPES; + +#ifdef CONFIG_TRANSPARENT_HUGEPAGE + if (order > PAGE_ALLOC_COSTLY_ORDER) { + order = pageblock_order; + VM_BUG_ON(order != pageblock_order); + } +#else + VM_BUG_ON(order > PAGE_ALLOC_COSTLY_ORDER); +#endif + + return order; +} + +static inline bool pcp_allowed_order(unsigned int order) +{ + if (order <= PAGE_ALLOC_COSTLY_ORDER) + return true; +#ifdef CONFIG_TRANSPARENT_HUGEPAGE + if (order == pageblock_order) + return true; +#endif + return false; +} + /* * A cached value of the page's pageblock's migratetype, used when the page is * put on a pcplist. Used to avoid the pageblock migratetype lookup when @@ -693,11 +736,11 @@ static void bad_page(struct page *page, const char *reason) * The first tail page's ->compound_order holds the order of allocation. * This usage means that zero-order pages may not be compound. */ - +static void free_the_page(struct page *page, unsigned int order); void free_compound_page(struct page *page) { mem_cgroup_uncharge(page); - __free_pages_ok(page, compound_order(page), FPI_NONE); + free_the_page(page, compound_order(page)); } void prep_compound_page(struct page *page, unsigned int order) @@ -1294,9 +1337,9 @@ __always_inline bool free_pages_prepare(struct page *page, * to pcp lists. With debug_pagealloc also enabled, they are also rechecked when * moved from pcp lists to free lists. */ -static bool free_pcp_prepare(struct page *page) +static bool free_pcp_prepare(struct page *page, unsigned int order) { - return free_pages_prepare(page, 0, true); + return free_pages_prepare(page, order, true); } static bool bulkfree_pcp_prepare(struct page *page) @@ -1313,12 +1356,12 @@ static bool bulkfree_pcp_prepare(struct page *page) * debug_pagealloc enabled, they are checked also immediately when being freed * to the pcp lists. */ -static bool free_pcp_prepare(struct page *page) +static bool free_pcp_prepare(struct page *page, unsigned int order) { if (debug_pagealloc_enabled_static()) - return free_pages_prepare(page, 0, true); + return free_pages_prepare(page, order, true); else - return free_pages_prepare(page, 0, false); + return free_pages_prepare(page, order, false); } static bool bulkfree_pcp_prepare(struct page *page) @@ -1350,8 +1393,10 @@ static inline void prefetch_buddy(struct page *page) static void free_pcppages_bulk(struct zone *zone, int count, struct per_cpu_pages *pcp) { - int migratetype = 0; + int pindex = 0; int batch_free = 0; + int nr_freed = 0; + unsigned int order; int prefetch_nr = READ_ONCE(pcp->batch); bool isolated_pageblocks; struct page *page, *tmp; @@ -1362,7 +1407,7 @@ static void free_pcppages_bulk(struct zone *zone, int count, * below while (list_empty(list)) loop. */ count = min(pcp->count, count); - while (count) { + while (count > 0) { struct list_head *list; /* @@ -1374,24 +1419,31 @@ static void free_pcppages_bulk(struct zone *zone, int count, */ do { batch_free++; - if (++migratetype == MIGRATE_PCPTYPES) - migratetype = 0; - list = &pcp->lists[migratetype]; + if (++pindex == NR_PCP_LISTS) + pindex = 0; + list = &pcp->lists[pindex]; } while (list_empty(list)); /* This is the only non-empty list. Free them all. */ - if (batch_free == MIGRATE_PCPTYPES) + if (batch_free == NR_PCP_LISTS) batch_free = count; + order = pindex_to_order(pindex); + BUILD_BUG_ON(MAX_ORDER >= (1<<NR_PCP_ORDER_WIDTH)); do { page = list_last_entry(list, struct page, lru); /* must delete to avoid corrupting pcp list */ list_del(&page->lru); - pcp->count--; + nr_freed += 1 << order; + count -= 1 << order; if (bulkfree_pcp_prepare(page)) continue; + /* Encode order with the migratetype */ + page->index <<= NR_PCP_ORDER_WIDTH; + page->index |= order; + list_add_tail(&page->lru, &head); /* @@ -1407,8 +1459,9 @@ static void free_pcppages_bulk(struct zone *zone, int count, prefetch_buddy(page); prefetch_nr--; } - } while (--count && --batch_free && !list_empty(list)); + } while (count > 0 && --batch_free && !list_empty(list)); } + pcp->count -= nr_freed; spin_lock(&zone->lock); isolated_pageblocks = has_isolate_pageblock(zone); @@ -1419,14 +1472,19 @@ static void free_pcppages_bulk(struct zone *zone, int count, */ list_for_each_entry_safe(page, tmp, &head, lru) { int mt = get_pcppage_migratetype(page); + + /* mt has been encoded with the order (see above) */ + order = mt & NR_PCP_ORDER_MASK; + mt >>= NR_PCP_ORDER_WIDTH; + /* MIGRATE_ISOLATE page should not go to pcplists */ VM_BUG_ON_PAGE(is_migrate_isolate(mt), page); /* Pageblock could have been isolated meanwhile */ if (unlikely(isolated_pageblocks)) mt = get_pageblock_migratetype(page); - __free_one_page(page, page_to_pfn(page), zone, 0, mt, FPI_NONE); - trace_mm_page_pcpu_drain(page, 0, mt); + __free_one_page(page, page_to_pfn(page), zone, order, mt, FPI_NONE); + trace_mm_page_pcpu_drain(page, order, mt); } spin_unlock(&zone->lock); } @@ -3182,11 +3240,12 @@ void mark_free_pages(struct zone *zone) } #endif /* CONFIG_PM */ -static bool free_unref_page_prepare(struct page *page, unsigned long pfn) +static bool free_unref_page_prepare(struct page *page, unsigned long pfn, + unsigned int order) { int migratetype; - if (!free_pcp_prepare(page)) + if (!free_pcp_prepare(page, order)) return false; migratetype = get_pfnblock_migratetype(page, pfn); @@ -3194,11 +3253,13 @@ static bool free_unref_page_prepare(struct page *page, unsigned long pfn) return true; } -static void free_unref_page_commit(struct page *page, unsigned long pfn) +static void free_unref_page_commit(struct page *page, unsigned long pfn, + unsigned int order) { struct zone *zone = page_zone(page); struct per_cpu_pages *pcp; int migratetype; + int pindex; migratetype = get_pcppage_migratetype(page); __count_vm_event(PGFREE); @@ -3220,16 +3281,17 @@ static void free_unref_page_commit(struct page *page, unsigned long pfn) } pcp = &this_cpu_ptr(zone->pageset)->pcp; - list_add(&page->lru, &pcp->lists[migratetype]); - pcp->count++; + pindex = order_to_pindex(migratetype, order); + list_add(&page->lru, &pcp->lists[pindex]); + pcp->count += 1 << order; if (pcp->count >= READ_ONCE(pcp->high)) free_pcppages_bulk(zone, READ_ONCE(pcp->batch), pcp); } /* - * Free a 0-order page + * Free a pcp page */ -void free_unref_page(struct page *page) +void free_unref_page(struct page *page, unsigned int order) { unsigned long flags; unsigned long pfn = page_to_pfn(page); @@ -3238,11 +3300,11 @@ void free_unref_page(struct page *page) if (free_page_to_dhugetlb_pool(page)) return; - if (!free_unref_page_prepare(page, pfn)) + if (!free_unref_page_prepare(page, pfn, order)) return; local_irq_save(flags); - free_unref_page_commit(page, pfn); + free_unref_page_commit(page, pfn, order); local_irq_restore(flags); } @@ -3261,7 +3323,7 @@ void free_unref_page_list(struct list_head *list) /* Prepare pages for freeing */ list_for_each_entry_safe(page, next, list, lru) { pfn = page_to_pfn(page); - if (!free_unref_page_prepare(page, pfn)) + if (!free_unref_page_prepare(page, pfn, 0)) list_del(&page->lru); set_page_private(page, pfn); } @@ -3272,7 +3334,7 @@ void free_unref_page_list(struct list_head *list) set_page_private(page, 0); trace_mm_page_free_batched(page); - free_unref_page_commit(page, pfn); + free_unref_page_commit(page, pfn, 0); /* * Guard against excessive IRQ disabled times when we get @@ -3407,7 +3469,8 @@ static inline void zone_statistics(struct zone *preferred_zone, struct zone *z) /* Remove page from the per-cpu list, caller must protect the list */ static inline -struct page *__rmqueue_pcplist(struct zone *zone, int migratetype, +struct page *__rmqueue_pcplist(struct zone *zone, unsigned int order, + int migratetype, unsigned int alloc_flags, struct per_cpu_pages *pcp, struct list_head *list) @@ -3416,16 +3479,30 @@ struct page *__rmqueue_pcplist(struct zone *zone, int migratetype, do { if (list_empty(list)) { - pcp->count += rmqueue_bulk(zone, 0, - READ_ONCE(pcp->batch), list, + int batch = READ_ONCE(pcp->batch); + int alloced; + + /* + * Scale batch relative to order if batch implies + * free pages can be stored on the PCP. Batch can + * be 1 for small zones or for boot pagesets which + * should never store free pages as the pages may + * belong to arbitrary zones. + */ + if (batch > 1) + batch = max(batch >> order, 2); + alloced = rmqueue_bulk(zone, order, + batch, list, migratetype, alloc_flags); + + pcp->count += alloced << order; if (unlikely(list_empty(list))) return NULL; } page = list_first_entry(list, struct page, lru); list_del(&page->lru); - pcp->count--; + pcp->count -= 1 << order; } while (check_new_pcp(page)); return page; @@ -3433,8 +3510,9 @@ struct page *__rmqueue_pcplist(struct zone *zone, int migratetype, /* Lock and remove page from the per-cpu list */ static struct page *rmqueue_pcplist(struct zone *preferred_zone, - struct zone *zone, gfp_t gfp_flags, - int migratetype, unsigned int alloc_flags) + struct zone *zone, unsigned int order, + gfp_t gfp_flags, int migratetype, + unsigned int alloc_flags) { struct per_cpu_pages *pcp; struct list_head *list; @@ -3443,8 +3521,8 @@ static struct page *rmqueue_pcplist(struct zone *preferred_zone, local_irq_save(flags); pcp = &this_cpu_ptr(zone->pageset)->pcp; - list = &pcp->lists[migratetype]; - page = __rmqueue_pcplist(zone, migratetype, alloc_flags, pcp, list); + list = &pcp->lists[order_to_pindex(migratetype, order)]; + page = __rmqueue_pcplist(zone, order, migratetype, alloc_flags, pcp, list); if (page) { __count_zid_vm_events(PGALLOC, page_zonenum(page), 1); zone_statistics(preferred_zone, zone); @@ -3465,15 +3543,15 @@ struct page *rmqueue(struct zone *preferred_zone, unsigned long flags; struct page *page; - if (likely(order == 0)) { + if (likely(pcp_allowed_order(order))) { /* * MIGRATE_MOVABLE pcplist could have the pages on CMA area and * we need to skip it when CMA area isn't allowed. */ if (!IS_ENABLED(CONFIG_CMA) || alloc_flags & ALLOC_CMA || migratetype != MIGRATE_MOVABLE) { - page = rmqueue_pcplist(preferred_zone, zone, gfp_flags, - migratetype, alloc_flags); + page = rmqueue_pcplist(preferred_zone, zone, order, + gfp_flags, migratetype, alloc_flags); goto out; } } @@ -5185,7 +5263,7 @@ unsigned long __alloc_pages_bulk(gfp_t gfp, int preferred_nid, /* Attempt the batch allocation */ local_irq_save(flags); pcp = &this_cpu_ptr(zone->pageset)->pcp; - pcp_list = &pcp->lists[ac.migratetype]; + pcp_list = &pcp->lists[order_to_pindex(ac.migratetype, 0)]; while (nr_populated < nr_pages) { @@ -5195,7 +5273,7 @@ unsigned long __alloc_pages_bulk(gfp_t gfp, int preferred_nid, continue; } - page = __rmqueue_pcplist(zone, ac.migratetype, alloc_flags, + page = __rmqueue_pcplist(zone, 0, ac.migratetype, alloc_flags, pcp, pcp_list); if (unlikely(!page)) { /* Try and get at least one page */ @@ -5454,8 +5532,8 @@ EXPORT_SYMBOL(get_zeroed_page); static inline void free_the_page(struct page *page, unsigned int order) { - if (order == 0) /* Via pcp? */ - free_unref_page(page); + if (pcp_allowed_order(order)) /* Via pcp? */ + free_unref_page(page, order); else __free_pages_ok(page, order, FPI_NONE); } @@ -6873,13 +6951,13 @@ static void pageset_update(struct per_cpu_pages *pcp, unsigned long high, static void pageset_init(struct per_cpu_pageset *p) { struct per_cpu_pages *pcp; - int migratetype; + int pindex; memset(p, 0, sizeof(*p)); pcp = &p->pcp; - for (migratetype = 0; migratetype < MIGRATE_PCPTYPES; migratetype++) - INIT_LIST_HEAD(&pcp->lists[migratetype]); + for (pindex = 0; pindex < NR_PCP_LISTS; pindex++) + INIT_LIST_HEAD(&pcp->lists[pindex]); /* * Set batch and high values safe for a boot pageset. A true percpu diff --git a/mm/swap.c b/mm/swap.c index c37fac5a73e8..d33ec3bb0564 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -95,7 +95,7 @@ static void __put_single_page(struct page *page) { __page_cache_release(page); mem_cgroup_uncharge(page); - free_unref_page(page); + free_unref_page(page, 0); } static void __put_compound_page(struct page *page) -- 2.25.1

2 1

[PATCH OLK-5.10] posix-cpu-timers: Implement timer_wait_running callback
by Xiongfeng Wang 19 Jun '23

19 Jun '23

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7EQ8B -------------------------------- For posix CPU timers, the .timer_wait_running() callback is missing, which cause WARN_ON() in timer_wait_running(). Commit f7abf14f0001 ("posix-cpu-timers: Implement the missing timer_wait_running callback") solved the problem. But it introduce a kabi broken which is hard to fix. The commit also describe a livelock in preemptible kernel. To fix the livelock, we add cond_resched() in the retry loop. *** below is from origin commit merge tag The reason is that for CONFIG_POSIX_CPU_TIMERS_TASK_WORK enabled systems there is a livelock issue independent of RT. CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y moves the expiry of POSIX CPU timers out from hard interrupt context to task work, which is handled before returning to user space or to a VM. The expiry mechanism moves the expired timers to a stack local list head with sighand lock held. Once sighand is dropped the task can be preempted and a task which wants to delete a timer will spin-wait until the expiry task is scheduled back in. In the worst case this will end up in a livelock when the preempting task and the expiry task are pinned on the same CPU. Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- kernel/time/posix-cpu-timers.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c index c97bc3e3b210..578d0ebedb67 100644 --- a/kernel/time/posix-cpu-timers.c +++ b/kernel/time/posix-cpu-timers.c @@ -1446,6 +1446,9 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags, spin_lock_irq(&timer.it_lock); error = posix_cpu_timer_del(&timer); spin_unlock_irq(&timer.it_lock); +#ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK + cond_resched(); +#endif } if ((it.it_value.tv_sec | it.it_value.tv_nsec) == 0) { @@ -1546,6 +1549,18 @@ static int thread_cpu_timer_create(struct k_itimer *timer) return posix_cpu_timer_create(timer); } +static void posix_cpu_timer_wait_running(struct k_itimer *timr) +{ +#ifdef CONFIG_POSIX_CPU_TIMERS_TASK_WORK + rcu_read_unlock(); + cond_resched(); + rcu_read_lock(); +#else + cpu_relax(); +#endif +} + + const struct k_clock clock_posix_cpu = { .clock_getres = posix_cpu_clock_getres, .clock_set = posix_cpu_clock_set, @@ -1556,6 +1571,7 @@ const struct k_clock clock_posix_cpu = { .timer_del = posix_cpu_timer_del, .timer_get = posix_cpu_timer_get, .timer_rearm = posix_cpu_timer_rearm, + .timer_wait_running = posix_cpu_timer_wait_running, }; const struct k_clock clock_process = { -- 2.20.1

2 1

[PATCH openEuler-1.0-LTS] fbcon: Check font dimension limits
by Yongqiang Liu 19 Jun '23

19 Jun '23

From: Samuel Thibault <samuel.thibault(a)ens-lyon.org> mainline inclusion from mainline-v6.2-rc7 commit 2b09d5d364986f724f17001ccfe4126b9b43a0be category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7C2TM CVE: CVE-2023-3161 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- blit_x and blit_y are u32, so fbcon currently cannot support fonts larger than 32x32. The 32x32 case also needs shifting an unsigned int, to properly set bit 31, otherwise we get "UBSAN: shift-out-of-bounds in fbcon_set_font", as reported on: http://lore.kernel.org/all/IA1PR07MB98308653E259A6F2CE94A4AFABCE9@IA1PR07MB… Kernel Branch: 6.2.0-rc5-next-20230124 Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=… Reproducer: https://drive.google.com/file/d/1mP1jcLBY7vWCNM60OMf-ogw-urQRjNrm/view?usp=… Reported-by: Sanan Hasanov <sanan.hasanov(a)Knights.ucf.edu> Signed-off-by: Samuel Thibault <samuel.thibault(a)ens-lyon.org> Fixes: 2d2699d98492 ("fbcon: font setting should check limitation of driver") Cc: stable(a)vger.kernel.org Tested-by: Miko Larsson <mikoxyzzz(a)gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> Reviewed-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 5ecb90440c81..f5178eefec64 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2446,9 +2446,12 @@ static int fbcon_set_font(struct vc_data *vc, struct console_font *font, h > FBCON_SWAP(info->var.rotate, info->var.yres, info->var.xres)) return -EINVAL; + if (font->width > 32 || font->height > 32) + return -EINVAL; + /* Make sure drawing engine can handle the font */ - if (!(info->pixmap.blit_x & (1 << (font->width - 1))) || - !(info->pixmap.blit_y & (1 << (font->height - 1)))) + if (!(info->pixmap.blit_x & BIT(font->width - 1)) || + !(info->pixmap.blit_y & BIT(font->height - 1))) return -EINVAL; /* Make sure driver can handle the font length */ -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS] sched/rt: Fix possible warn when push_rt_task
by Yongqiang Liu 19 Jun '23

19 Jun '23

From: Hui Tang <tanghui20(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7DX9Y CVE: NA ------------------------------- A warn may be triggered during reboot, as follows: reboot ->kernel_restart ->machine_restart ->smp_send_stop --- ipi handler set_cpu_online(cpu, false) balance_callback -> __balance_callback ->push_rt_task -> find_lock_lowest_rq <从vec->mask获取的rq> -> find_lowest_rq -> cpupri_find -> cpupri_find_fitness -> __cpupri_find [cpumask_and(..., vec->mask)] -> set_task_cpu(next_task, lowest_rq->cpu) --- WARN_ON(!oneline(cpu) So add !cpu_online(lowest_rq->cpu) check before set_task_cpu(). The fix does not completely fix the problem, since cpu_online_mask may be cleared after check. Fixes: 4ff9083b8a9a8 ("sched/core: WARN() when migrating to an offline CPU") Signed-off-by: Hui Tang <tanghui20(a)huawei.com> Reviewed-by: Zhang Qiao <zhangqiao22(a)huawei.com> Reviewed-by: Chen Hui <judy.chenhui(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- kernel/sched/rt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c index 4d6f1bc86b1b..5dff9a6fe2cf 100644 --- a/kernel/sched/rt.c +++ b/kernel/sched/rt.c @@ -1874,6 +1874,9 @@ static int push_rt_task(struct rq *rq) goto retry; } + if (unlikely(!cpu_online(lowest_rq->cpu))) + goto out; + deactivate_task(rq, next_task, 0); set_task_cpu(next_task, lowest_rq->cpu); activate_task(lowest_rq, next_task, 0); -- 2.25.1

1 0