Kernel

kernel@openeuler.org

  • 28 participants
  • 18556 discussions
[openeuler:openEuler-1.0-LTS] BUILD REGRESSION 21eb7b92f86861232fed9eff3c46634d7535ef8a
by kernel test robot 04 Jan '25

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
branch HEAD: 21eb7b92f86861232fed9eff3c46634d7535ef8a  !14500 sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK

Error/Warning (recently discovered and may have been fixed):

    block/blk-io-hierarchy/debugfs.c:63:2: error: implicit declaration of function 'hierarchy_show_slow_io' [-Werror,-Wimplicit-function-declaration]
    drivers/char/hw_random/phytium-rng.c:137:34: warning: unused variable 'phytium_rng_dt_ids' [-Wunused-const-variable]
    fs/debugfs/file.o: warning: objtool: full_proxy_open()+0x55a: unreachable instruction
    kernel/bpf/verifier.o: warning: objtool: missing symbol for section .text

Unverified Error/Warning (likely false positive, kindly check if interested):

    drivers/dma/ti/edma.c:1962:35-51: opportunity for str_yes_no(ecc -> chmap_exist)

Error/Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allnoconfig
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- arm64-randconfig-001-20250103
|   |-- drivers-clocksource-arm_arch_timer.c:error:hisi_161010101_read_cntvct_el0-undeclared-(first-use-in-this-function)
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- arm64-randconfig-002-20250103
|   |-- drivers-clocksource-arm_arch_timer.c:error:hisi_161010101_read_cntvct_el0-undeclared-(first-use-in-this-function)
|   |-- drivers-nvme-host-core.c:error:compat_uptr_t-undeclared-(first-use-in-this-function)
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- arm64-randconfig-003-20250103
|   |-- drivers-nvme-host-core.c:error:compat_uptr_t-undeclared-(first-use-in-this-function)
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- arm64-randconfig-004-20250103
|   |-- drivers-staging-gmjstcm-tcm_tis_spi.c:warning:tcm_tis_spi_acpi_match-defined-but-not-used
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- arm64-randconfig-r054-20241226
|   `-- drivers-dma-ti-edma.c:opportunity-for-str_yes_no(ecc-chmap_exist)
|-- x86_64-allnoconfig
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|-- x86_64-allyesconfig
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_extension-hns3_enet_it.c:warning:no-previous-prototype-for-function-hns3_nic_select_queue_it
|   `-- samples-vfio-mdev-.tmp_mdpy-fb.o:warning:objtool:missing-symbol-for-section-.init.text
|-- x86_64-buildonly-randconfig-001-20241231
|   |-- block-blk-io-hierarchy-debugfs.c:error:implicit-declaration-of-function-hierarchy_show_slow_io-Werror-Wimplicit-function-declaration
|   `-- drivers-char-hw_random-phytium-rng.c:warning:unused-variable-phytium_rng_dt_ids
|-- x86_64-buildonly-randconfig-001-20250103
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- x86_64-buildonly-randconfig-002-20250103
|   |-- arch-x86-kernel-unwind_orc.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-bcma-driver_chipcommon_pflash.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-input-rmi4-rmi_2d_sensor.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-pci-ats.o:warning:objtool:missing-symbol-for-section-.text
|   |-- kernel-gcov-base.o:warning:objtool:missing-symbol-for-section-.text
|   |-- kernel-hung_task.c:error:use-of-undeclared-identifier-sysctl_hung_task_all_cpu_backtrace
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|   |-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|   |-- net-ipv4-metrics.o:warning:objtool:missing-symbol-for-section-.text
|   |-- net-ipv4-netlink.o:warning:objtool:missing-symbol-for-section-.text
|   |-- net-tls-tls_device.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- sound-drivers-opl3-opl3_synth.o:warning:objtool:missing-symbol-for-section-.text
|   `-- sound-drivers-vx-vx_core.o:warning:objtool:missing-symbol-for-section-.text
|-- x86_64-buildonly-randconfig-003-20250103
|   |-- arch-x86-kernel-idt.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-bcma-driver_chipcommon_pflash.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-hwtracing-intel_th-debug.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-input-rmi4-rmi_2d_sensor.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-usb-dwc2-hcd_ddma.o:warning:objtool:missing-symbol-for-section-.text
|   |-- kernel-bpf-verifier.o:warning:objtool:missing-symbol-for-section-.text
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa
|   |-- mm-sparse.o:warning:objtool:missing-symbol-for-section-.init.text
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|-- x86_64-buildonly-randconfig-004-20250103
|   |-- arch-x86-events-zhaoxin-core.c:warning:attribute-declaration-must-precede-definition
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|-- x86_64-buildonly-randconfig-005-20250103
|   |-- drivers-bcma-driver_chipcommon_pflash.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-char-ipmi-kcs_bmc_npcm7xx.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-fpga-dfl-fme-mgr.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-base.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-core.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-core507d.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-curs.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-oimm.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-oimm507b.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-ovly.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-dispnv50-wimm.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvif-disp.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvif-fifo.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvif-user.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvkm-engine-disp-hdmigv100.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvkm-engine-gr-ctxgf117.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-leds-leds-lm3601x.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-media-i2c-video-i2c.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-media-tuners-qm1d1b0004.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-mtd-nand-spi-core.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-pci-hotplug-pciehp_core.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-pci-pcie-dpc.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-video-backlight-otm3225a.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- kernel-sched-pelt.o:warning:objtool:missing-symbol-for-section-.text
|   |-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|   |-- samples-vfio-mdev-mdpy-fb.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- sound-drivers-opl3-opl3_midi.o:warning:objtool:missing-symbol-for-section-.text
|   |-- sound-drivers-opl3-opl3_seq.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- sound-drivers-opl3-opl3_synth.o:warning:objtool:missing-symbol-for-section-.text
|   |-- sound-firewire-dice-dice-alesis.o:warning:objtool:missing-symbol-for-section-.text
|   |-- sound-firewire-dice-dice-extension.o:warning:objtool:missing-symbol-for-section-.text
|   |-- sound-firewire-dice-dice-mytek.o:warning:objtool:missing-symbol-for-section-.text
|   |-- sound-firewire-dice-dice-tcelectronic.o:warning:objtool:missing-symbol-for-section-.text
|   |-- sound-soc-codecs-rt1305.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- sound-soc-codecs-rt5668.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- sound-soc-codecs-ssm2305.o:warning:objtool:missing-symbol-for-section-.init.text
|   `-- sound-soc-codecs-tscs454.o:warning:objtool:missing-symbol-for-section-.init.text
|-- x86_64-buildonly-randconfig-006-20250103
|   |-- drivers-crypto-ccree-cc_hash.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-fpga-dfl-fme-mgr.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-fpga-dfl-fme-region.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-gpu-drm-bridge-cdns-dsi.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-gpu-drm-nouveau-nvif-fifo.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvif-user.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-nouveau-nvkm-engine-disp-hdmigv100.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-gpu-drm-panel-panel-ilitek-ili9881c.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-iio-dac-ad5696-i2c.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-iio-dac-ti-dac5571.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-leds-leds-lm3601x.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-media-tuners-qm1d1b0004.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- drivers-xen-mem-reservation.o:warning:objtool:missing-symbol-for-section-.text
|   |-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|-- x86_64-defconfig
|   |-- kernel-sched-pelt.o:warning:objtool:missing-symbol-for-section-.text
|   |-- net-ipv4-metrics.o:warning:objtool:missing-symbol-for-section-.text
|   `-- net-ipv4-netlink.o:warning:objtool:missing-symbol-for-section-.text
|-- x86_64-randconfig-101-20250103
|   |-- kernel-hung_task.c:error:use-of-undeclared-identifier-sysctl_hung_task_all_cpu_backtrace
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|-- x86_64-randconfig-102-20250103
|   |-- drivers-acpi-cppc_acpi.c:WARNING:NULL-check-before-some-freeing-functions-is-not-needed.
|   `-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|-- x86_64-randconfig-103-20250103
|   `-- kernel-hung_task.c:error:use-of-undeclared-identifier-sysctl_hung_task_all_cpu_backtrace
|-- x86_64-randconfig-104-20250103
|   |-- kernel-hung_task.c:error:use-of-undeclared-identifier-sysctl_hung_task_all_cpu_backtrace
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|   `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration
|-- x86_64-randconfig-121-20250103
|   |-- drivers-video-fbdev-ssd1307fb.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-to-got-unsigned-char-noderef-usertype-__iomem-dst
|   |-- drivers-video-fbdev-ssd1307fb.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-unsigned-char-noderef-usertype-__iomem-dst-got-void
|   |-- drivers-video-fbdev-ssd1307fb.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-unsigned-char-usertype-vmem-got-char-noderef-__iomem-screen_base
|   |-- kernel-hung_task.c:error:sysctl_hung_task_all_cpu_backtrace-undeclared-(first-use-in-this-function)
|   |-- kernel-time-time.c:sparse:sparse:symbol-__compat_get_timespec64-was-not-declared.-Should-it-be-static
|   |-- kernel-time-time.c:sparse:sparse:symbol-__compat_put_timespec64-was-not-declared.-Should-it-be-static
|   |-- lib-kobject.c:sparse:sparse:symbol-kset_get_ownership-was-not-declared.-Should-it-be-static
|   |-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa
|   |-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled
|   |-- net-core-sock.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-struct-socket_wq-noderef-__rcu-sk_wq-got-struct-socket_wq-wq
|   |-- net-ipv4-route.c:sparse:sparse:incorrect-type-in-assignment-(different-base-types)-expected-restricted-__be16-usertype-len-got-unsigned-long
|   `-- net-mac80211-rx.c:sparse:sparse:dubious:x-y
|-- x86_64-randconfig-122-20241226
|   `-- fs-debugfs-file.o:warning:objtool:full_proxy_open:unreachable-instruction
|-- x86_64-randconfig-122-20250103
|   `-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
|-- x86_64-randconfig-123-20250103
|   `-- mm-memory.c:error:implicit-declaration-of-function-hugetlb_insert_hugepage_pte_by_pa-Werror-Wimplicit-function-declaration
`-- x86_64-randconfig-161-20250103
    |-- block-blk-io-hierarchy-debugfs.c:error:implicit-declaration-of-function-hierarchy_show_slow_io-Werror-Wimplicit-function-declaration
    |-- drivers-gpu-drm-nouveau-nvkm-subdev-clk-nv50.o:warning:objtool:nv50_clk_read:can-t-find-switch-jump-table
    |-- drivers-gpu-drm-nouveau-nvkm-subdev-therm-temp.o:warning:objtool:nvkm_therm_sensor_event:can-t-find-switch-jump-table
    |-- drivers-media-i2c-saa7115.o:warning:objtool:saa711x_querystd:can-t-find-switch-jump-table
    |-- drivers-of-dynamic.o:warning:objtool:of_reconfig_get_state_change:can-t-find-switch-jump-table
    |-- fs-select.o:warning:objtool:poll_select_finish:can-t-find-switch-jump-table
    |-- kernel-hung_task.c:error:use-of-undeclared-identifier-sysctl_hung_task_all_cpu_backtrace
    `-- mm-vmscan.c:error:implicit-declaration-of-function-kernel_swap_enabled-Werror-Wimplicit-function-declaration

elapsed time: 721m

configs tested: 16
configs skipped: 129

tested configs:
arm64    allmodconfig                          gcc-14.2.0
arm64    allnoconfig                           gcc-14.2.0
arm64    defconfig                             gcc-14.2.0
arm64    randconfig-001-20250103               gcc-14.2.0
arm64    randconfig-002-20250103               gcc-14.2.0
arm64    randconfig-003-20250103               gcc-14.2.0
arm64    randconfig-004-20250103               gcc-14.2.0
x86_64   allnoconfig                           clang-19
x86_64   allyesconfig                          clang-19
x86_64   buildonly-randconfig-001-20250103     gcc-12
x86_64   buildonly-randconfig-002-20250103     clang-19
x86_64   buildonly-randconfig-003-20250103     gcc-12
x86_64   buildonly-randconfig-004-20250103     clang-19
x86_64   buildonly-randconfig-005-20250103     clang-19
x86_64   buildonly-randconfig-006-20250103     clang-19
x86_64   defconfig                             gcc-11

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-5.10 2601/2601] drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast to restricted __le16
by kernel test robot 04 Jan '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: d51fb86ce6a3a3e59d7cba58738b63903b8cb37c
commit: 661b972e802c8e252911361538651db906c084bb [2601/2601] vdpa: Introduce query of device config layout
config: x86_64-randconfig-121-20241228 (https://download.01.org/0day-ci/archive/20250104/202501040206.QD8GJyq4-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250104/202501040206.QD8GJyq4-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501040206.QD8GJyq4-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast to restricted __le16
>> drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast from restricted __virtio16
   drivers/vdpa/vdpa.c:775:19: sparse: sparse: cast to restricted __le16
   drivers/vdpa/vdpa.c:775:19: sparse: sparse: cast from restricted __virtio16
   drivers/vdpa/vdpa.c:779:19: sparse: sparse: cast to restricted __le16
   drivers/vdpa/vdpa.c:779:19: sparse: sparse: cast from restricted __virtio16

vim +759 drivers/vdpa/vdpa.c

   749
   750  static int vdpa_dev_net_mq_config_fill(struct vdpa_device *vdev,
   751                                         struct sk_buff *msg, u64 features,
   752                                         const struct virtio_net_config *config)
   753  {
   754          u16 val_u16;
   755
   756          if ((features & (1ULL << VIRTIO_NET_F_MQ)) == 0)
   757                  return 0;
   758
 > 759          val_u16 = le16_to_cpu(config->max_virtqueue_pairs);
   760          return nla_put_u16(msg, VDPA_ATTR_DEV_NET_CFG_MAX_VQP, val_u16);
   761  }
   762

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1693/1693] fs/jffs2/jffs2.o: warning: objtool: .text.jffs2_erase_pending_blocks: unexpected end of section
by kernel test robot 03 Jan '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 349fde599db65d4827820ef6553e3f9ee75b8c7c [1693/1693] arch: enable HAS_LTO_CLANG with KASAN and KCOV
config: x86_64-randconfig-103-20250103 (https://download.01.org/0day-ci/archive/20250103/202501032202.oO79Fo9u-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250103/202501032202.oO79Fo9u-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501032202.oO79Fo9u-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> fs/jffs2/jffs2.o: warning: objtool: .text.jffs2_erase_pending_blocks: unexpected end of section

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1693/1693] arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 03 Jan '25

Hi Song,

First bad commit (maybe != root cause):

tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 031d5914323febe9668956dfa7fe8443b7dc597c [1693/1693] LoongArch: KVM: Add PMU support for guest
config: loongarch-randconfig-r112-20250103 (https://download.01.org/0day-ci/archive/20250103/202501032224.CjyqUkQC-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.2.0
reproduce: (https://download.01.org/0day-ci/archive/20250103/202501032224.CjyqUkQC-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501032224.CjyqUkQC-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   arch/loongarch/kvm/vcpu.c:17:49: sparse: sparse: array of flexible structures
   arch/loongarch/kvm/vcpu.c: note: in included file:
   include/linux/kvm_host.h:2045:56: sparse: sparse: array of flexible structures
   arch/loongarch/kvm/vcpu.c:104:15: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:106:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:124:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got int [noderef] __percpu *
>> arch/loongarch/kvm/vcpu.c:224:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/vcpu.c:224:9: sparse: expected void *ptr
   arch/loongarch/kvm/vcpu.c:224:9: sparse: got int [noderef] __percpu *
   arch/loongarch/kvm/vcpu.c:290:42: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:1442:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/kvm/vcpu.c:1529:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:1578:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:1671:42: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:40:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:41:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:42:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:43:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/kvm/vcpu.c:44:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:45:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:46:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:47:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:55:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:56:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:57:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:58:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:59:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:60:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:61:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c:62:9: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c: note: in included file (through arch/loongarch/include/asm/loongarch.h, arch/loongarch/include/asm/cpu-info.h, ...):
   ../lib/gcc/loongarch64-linux/14.2.0/include/larchintrin.h:107:10: sparse: sparse: undefined identifier '__builtin_loongarch_cpucfg'
   arch/loongarch/kvm/vcpu.c: note: in included file (through arch/loongarch/include/asm/cpu-info.h, arch/loongarch/include/asm/processor.h, ...):
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_w'
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/include/asm/loongarch.h:1282:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_w'
   arch/loongarch/kvm/vcpu.c: note: in included file (through arch/loongarch/kvm/trace.h):
   arch/loongarch/include/asm/kvm_csr.h:167:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'
   arch/loongarch/include/asm/kvm_csr.h:167:1: sparse: sparse: undefined identifier '__builtin_loongarch_csrwr_d'
   arch/loongarch/kvm/vcpu.c: note: in included file:
   arch/loongarch/include/asm/fpu.h:76:17: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'
   arch/loongarch/include/asm/fpu.h:85:17: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_w'

vim +224 arch/loongarch/kvm/vcpu.c

3ec7320b0a2844 Tianrui Zhao 2023-10-02  221
3f5dde7efb48ae Bibo Mao     2024-07-09  222  static void kvm_late_check_requests(struct kvm_vcpu *vcpu)
3f5dde7efb48ae Bibo Mao     2024-07-09  223  {
3f5dde7efb48ae Bibo Mao     2024-07-09 @224          lockdep_assert_irqs_disabled();
3f5dde7efb48ae Bibo Mao     2024-07-09  225          if (kvm_check_request(KVM_REQ_TLB_FLUSH_GPA, vcpu))
3f5dde7efb48ae Bibo Mao     2024-07-09  226                  if (vcpu->arch.flush_gpa != INVALID_GPA) {
3f5dde7efb48ae Bibo Mao     2024-07-09  227                          kvm_flush_tlb_gpa(vcpu, vcpu->arch.flush_gpa);
3f5dde7efb48ae Bibo Mao     2024-07-09  228                          vcpu->arch.flush_gpa = INVALID_GPA;
3f5dde7efb48ae Bibo Mao     2024-07-09  229                  }
3f5dde7efb48ae Bibo Mao     2024-07-09  230  }
3f5dde7efb48ae Bibo Mao     2024-07-09  231

:::::: The code at line 224 was first introduced by commit
:::::: 3f5dde7efb48ae2725aebecfbd47aacfa3def181 LoongArch: KVM: Delay secondary mmu tlb flush until guest entry

:::::: TO: Bibo Mao <maobibo(a)loongson.cn>
:::::: CC: Xianglai Li <lixianglai(a)loongson.cn>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1693/1693] arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 03 Jan '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 604e996dd0189ddb0875f389b87fa2084b3a9424
commit: 3f5dde7efb48ae2725aebecfbd47aacfa3def181 [1693/1693] LoongArch: KVM: Delay secondary mmu tlb flush until guest entry
config: loongarch-randconfig-r112-20250103 (https://download.01.org/0day-ci/archive/20250103/202501032032.1nlRwHlW-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.2.0
reproduce: (https://download.01.org/0day-ci/archive/20250103/202501032032.1nlRwHlW-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501032032.1nlRwHlW-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got unsigned int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got unsigned int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got int [noderef] __percpu *
>> arch/loongarch/kvm/tlb.c:26:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void *ptr @@ got int [noderef] __percpu * @@
   arch/loongarch/kvm/tlb.c:26:9: sparse: expected void *ptr
   arch/loongarch/kvm/tlb.c:26:9: sparse: got int [noderef] __percpu *
   arch/loongarch/kvm/tlb.c:28:33: sparse: sparse: undefined identifier '__builtin_loongarch_csrrd_d'

vim +26 arch/loongarch/kvm/tlb.c

    23
    24  void kvm_flush_tlb_gpa(struct kvm_vcpu *vcpu, unsigned long gpa)
    25  {
  > 26          lockdep_assert_irqs_disabled();

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] [Backport] btrfs: fix use-after-free in btrfs_encoded_read_endio()
by Yongjian Sun 03 Jan '25

From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com>

mainline inclusion
from mainline-v6.12-rc3
commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOP
CVE: CVE-2024-56582

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Shinichiro reported the following use-after free that sometimes is
happening in our CI system when running fstests' btrfs/284 on a TCMU
runner device:

  BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
  Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219

  CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15
  Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x6e/0xa0
   ? lock_release+0x708/0x780
   print_report+0x174/0x505
   ? lock_release+0x708/0x780
   ? __virt_addr_valid+0x224/0x410
   ? lock_release+0x708/0x780
   kasan_report+0xda/0x1b0
   ? lock_release+0x708/0x780
   ? __wake_up+0x44/0x60
   lock_release+0x708/0x780
   ? __pfx_lock_release+0x10/0x10
   ? __pfx_do_raw_spin_lock+0x10/0x10
   ? lock_is_held_type+0x9a/0x110
   _raw_spin_unlock_irqrestore+0x1f/0x60
   __wake_up+0x44/0x60
   btrfs_encoded_read_endio+0x14b/0x190 [btrfs]
   btrfs_check_read_bio+0x8d9/0x1360 [btrfs]
   ? lock_release+0x1b0/0x780
   ? trace_lock_acquire+0x12f/0x1a0
   ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]
   ? process_one_work+0x7e3/0x1460
   ? lock_acquire+0x31/0xc0
   ? process_one_work+0x7e3/0x1460
   process_one_work+0x85c/0x1460
   ? __pfx_process_one_work+0x10/0x10
   ? assign_work+0x16c/0x240
   worker_thread+0x5e6/0xfc0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0x2c3/0x3a0
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x31/0x70
   ? __pfx_kthread+0x10/0x10
   ret_from_fork_asm+0x1a/0x30
   </TASK>

  Allocated by task 3661:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0xaa/0xb0
   btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]
   send_extent_data+0xf0f/0x24a0 [btrfs]
   process_extent+0x48a/0x1830 [btrfs]
   changed_cb+0x178b/0x2ea0 [btrfs]
   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
   _btrfs_ioctl_send+0x117/0x330 [btrfs]
   btrfs_ioctl+0x184a/0x60a0 [btrfs]
   __x64_sys_ioctl+0x12e/0x1a0
   do_syscall_64+0x95/0x180
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

  Freed by task 3661:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   kasan_save_free_info+0x3b/0x70
   __kasan_slab_free+0x4f/0x70
   kfree+0x143/0x490
   btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]
   send_extent_data+0xf0f/0x24a0 [btrfs]
   process_extent+0x48a/0x1830 [btrfs]
   changed_cb+0x178b/0x2ea0 [btrfs]
   btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
   _btrfs_ioctl_send+0x117/0x330 [btrfs]
   btrfs_ioctl+0x184a/0x60a0 [btrfs]
   __x64_sys_ioctl+0x12e/0x1a0
   do_syscall_64+0x95/0x180
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

  The buggy address belongs to the object at ffff888106a83f00
   which belongs to the cache kmalloc-rnd-07-96 of size 96
  The buggy address is located 24 bytes inside of
   freed 96-byte region [ffff888106a83f00, ffff888106a83f60)

  The buggy address belongs to the physical page:
  page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83
  flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
  page_type: f5(slab)
  raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004
  raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000
  page dumped because: kasan: bad access detected

  Memory state around the buggy address:
   ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
   ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
  >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                              ^
   ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
   ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ==================================================================

Further analyzing the trace and the crash dump's vmcore file shows that
the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on
the wait_queue that is in the private data passed to the end_io handler.

Commit 4ff47df40447 ("btrfs: move priv off stack in
btrfs_encoded_read_regular_fill_pages()") moved 'struct
btrfs_encoded_read_private' off the stack.

Before that commit one can see a corruption of the private data when
analyzing the vmcore after a crash:

  *(struct btrfs_encoded_read_private *)0xffff88815626eec8 = {
    .wait = (wait_queue_head_t){
      .lock = (spinlock_t){
        .rlock = (struct raw_spinlock){
          .raw_lock = (arch_spinlock_t){
            .val = (atomic_t){
              .counter = (int)-2005885696,
            },
            .locked = (u8)0,
            .pending = (u8)157,
            .locked_pending = (u16)40192,
            .tail = (u16)34928,
          },
          .magic = (unsigned int)536325682,
          .owner_cpu = (unsigned int)29,
          .owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0,
          .dep_map = (struct lockdep_map){
            .key = (struct lock_class_key *)0xffff8881575a3b6c,
            .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
            .name = (const char *)0xffff88815626f100 = "",
            .wait_type_outer = (u8)37,
            .wait_type_inner = (u8)178,
            .lock_type = (u8)154,
          },
        },
        .__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 },
        .dep_map = (struct lockdep_map){
          .key = (struct lock_class_key *)0xffff8881575a3b6c,
          .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
          .name = (const char *)0xffff88815626f100 = "",
          .wait_type_outer = (u8)37,
          .wait_type_inner = (u8)178,
          .lock_type = (u8)154,
        },
      },
      .head = (struct list_head){
        .next = (struct list_head *)0x112cca,
        .prev = (struct list_head *)0x47,
      },
    },
    .pending = (atomic_t){
      .counter = (int)-1491499288,
    },
    .status = (blk_status_t)130,
  }

Here we can see several indicators of in-memory data corruption, e.g.
the large negative atomic values of ->pending or ->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic 0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus pointer values for ->wait->head. To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the corruption, as atomic_dec_return() is defined as two instructions on x86_64, whereas atomic_dec_and_test() is defined as a single atomic operation. This can lead to a situation where counter value is already decremented but the if statement in btrfs_encoded_read_endio() is not completely processed, i.e. the 0 test has not completed. If another thread continues executing btrfs_encoded_read_regular_fill_pages() the atomic_dec_return() there can see an already updated ->pending counter and continues by freeing the private data. Continuing in the endio handler the test for 0 succeeds and the wait_queue is woken up, resulting in a use-after-free. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Suggested-by: Damien Le Moal <Damien.LeMoal(a)wdc.com> Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sun Yongjian <sunyongjian1(a)huawei.com> --- fs/btrfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index fae45b8d485e..1511405abfe0 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9974,7 +9974,7 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio) */ WRITE_ONCE(priv->status, bbio->bio.bi_status); } - if (!atomic_dec_return(&priv->pending)) + if (!atomic_dec_and_test(&priv->pending)) wake_up(&priv->wait); bio_put(&bbio->bio); } -- 2.39.2
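Review bot: the added line keeps the leading ! from the line it replaces, which inverts the condition. atomic_dec_return() returns the new counter value, so !atomic_dec_return(&priv->pending) was true when the count reached zero. atomic_dec_and_test() already returns true exactly when the result is zero, so !atomic_dec_and_test(&priv->pending) calls wake_up(&priv->wait) on every completion except the last one, and the final completion does not wake the waiter. The line should read if (atomic_dec_and_test(&priv->pending)); please compare this hunk against the mainline commit named in the header before merging.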
[PATCH openEuler-22.03-LTS-SP1] [Backport] jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
by Yongjian Sun 03 Jan '25

From: Nihar Chaithanya <niharchaithanya(a)gmail.com> mainline inclusion from mainline-v6.12-rc3 commit a174706ba4dad895c40b1d2277bade16dfacdcd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOK CVE: CVE-2024-56595 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. Reported-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 Tested-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Signed-off-by: Nihar Chaithanya <niharchaithanya(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sun Yongjian <sunyongjian1(a)huawei.com> --- fs/jfs/jfs_dmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 24bd3591c8e0..5ecd79e5c74b 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2945,6 +2945,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) /* bubble the new value up the tree as required. */ for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { + if (lp == 0) + break; + /* get the index of the first leaf of the 4 leaf * group containing the specified leaf (leafno). */ -- 2.39.2
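Review bot: the new if (lp == 0) break; at the top of the loop body is uncommented and exits silently. dbAdjTree() is declared static void, so the caller cannot learn that the walk stopped before k reached le32_to_cpu(tp->dmt_height), and the tree is left updated only up to that level. Please add a comment stating that lp == 0 means the walk is already at the top of the tree and that the following index computation would go negative, and consider a one-time warning when this happens with levels still remaining, since that indicates an inconsistent dmtree rather than a normal exit.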
[PATCH OLK-5.10] [Backport] jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
by Yongjian Sun 03 Jan '25

From: Nihar Chaithanya <niharchaithanya(a)gmail.com> mainline inclusion from mainline-v6.12-rc3 commit a174706ba4dad895c40b1d2277bade16dfacdcd9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAOK CVE: CVE-2024-56595 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When the value of lp is 0 at the beginning of the for loop, it will become negative in the next assignment and we should bail out. Reported-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483 Tested-by: syzbot+412dea214d8baa3f7483(a)syzkaller.appspotmail.com Signed-off-by: Nihar Chaithanya <niharchaithanya(a)gmail.com> Signed-off-by: Dave Kleikamp <dave.kleikamp(a)oracle.com> Signed-off-by: Sun Yongjian <sunyongjian1(a)huawei.com> --- fs/jfs/jfs_dmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index bf1f3d4d23f2..aa72e09d4be8 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2955,6 +2955,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl) /* bubble the new value up the tree as required. */ for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) { + if (lp == 0) + break; + /* get the index of the first leaf of the 4 leaf * group containing the specified leaf (leafno). */ -- 2.39.2
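Review bot: the commit message does not explain how lp can be 0 while k is still below le32_to_cpu(tp->dmt_height), and the hunk guards the symptom inside the loop rather than the loop bound. That bound is converted from a little-endian field of the dmtree structure, so please say in the message whether the syzbot reproducer relies on a corrupted dmt_height (or leaf index), and whether the same field should be validated where the structure is read so that other walkers of this tree are covered too.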
[PATCH openEuler-22.03-LTS-SP1] io_uring: check for overflows in io_pin_pages
by Long Li 03 Jan '25

From: Pavel Begunkov <asml.silence(a)gmail.com> mainline inclusion from mainline-v6.10-rc2 commit 0c0a4eae26ac78379d0c1db053de168a8febc6c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFR CVE: CVE-2024-53187 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace: <TASK> __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183 io_rings_map io_uring/io_uring.c:2611 [inline] io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470 io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692 io_uring_setup io_uring/io_uring.c:3781 [inline] ... </TASK> io_pin_pages()'s uaddr parameter came directly from the user and can be garbage. Don't just add size to it as it can overflow. Cc: stable(a)vger.kernel.org Reported-by: syzbot+2159cbb522b02847c053(a)syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com> Link: https://lore.kernel.org/r/1b7520ddb168e1d537d64be47414a0629d0d8f8f.17325810… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c io_uring/memmap.c [Conflicts due to d8c2237d0aa9 ("io_uring: add io_pin_pages() helper")] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- io_uring/io_uring.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 4d69fb4cf803..c048cd9f531f 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -8690,7 +8690,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, struct io_mapped_ubuf *imu = NULL; struct vm_area_struct **vmas = NULL; struct page **pages = NULL; - unsigned long off, start, end, ubuf; + unsigned long off, start, end, ubuf, len; size_t size; int ret, pret, nr_pages, i; 
@@ -8700,7 +8700,13 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, } ubuf = (unsigned long) iov->iov_base; - end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT; + len = (unsigned long) iov->iov_len; + if (check_add_overflow(ubuf, len, &end)) + return -EOVERFLOW; + if (check_add_overflow(end, PAGE_SIZE - 1, &end)) + return -EOVERFLOW; + + end = end >> PAGE_SHIFT; start = ubuf >> PAGE_SHIFT; nr_pages = end - start; -- 2.39.2
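Review bot: in the second hunk the two check_add_overflow() calls stop the sum from wrapping, but the page count is still assigned with nr_pages = end - start, and the first hunk's context declares nr_pages as int while end and start are unsigned long. Unless iov->iov_len is capped earlier in the function (not visible in this diff), a large length passes both checks and is truncated or turns negative on that assignment. Consider rejecting end - start > INT_MAX with -EOVERFLOW as well, or note in the message which existing check already bounds the length.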
[PATCH OLK-5.10] io_uring: check for overflows in io_pin_pages
by Long Li 03 Jan '25

From: Pavel Begunkov <asml.silence(a)gmail.com> mainline inclusion from mainline-v6.10-rc2 commit 0c0a4eae26ac78379d0c1db053de168a8febc6c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFR CVE: CVE-2024-53187 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- WARNING: CPU: 0 PID: 5834 at io_uring/memmap.c:144 io_pin_pages+0x149/0x180 io_uring/memmap.c:144 CPU: 0 UID: 0 PID: 5834 Comm: syz-executor825 Not tainted 6.12.0-next-20241118-syzkaller #0 Call Trace: <TASK> __io_uaddr_map+0xfb/0x2d0 io_uring/memmap.c:183 io_rings_map io_uring/io_uring.c:2611 [inline] io_allocate_scq_urings+0x1c0/0x650 io_uring/io_uring.c:3470 io_uring_create+0x5b5/0xc00 io_uring/io_uring.c:3692 io_uring_setup io_uring/io_uring.c:3781 [inline] ... </TASK> io_pin_pages()'s uaddr parameter came directly from the user and can be garbage. Don't just add size to it as it can overflow. Cc: stable(a)vger.kernel.org Reported-by: syzbot+2159cbb522b02847c053(a)syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov <asml.silence(a)gmail.com> Link: https://lore.kernel.org/r/1b7520ddb168e1d537d64be47414a0629d0d8f8f.17325810… Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c io_uring/memmap.c [Conflicts due to d8c2237d0aa9 ("io_uring: add io_pin_pages() helper")] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- io_uring/io_uring.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 6e5e00a7692c..a7e52a8b0b5f 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -8886,7 +8886,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, struct io_mapped_ubuf *imu = NULL; struct vm_area_struct **vmas = NULL; struct page **pages = NULL; - unsigned long off, start, end, ubuf; + unsigned long off, start, end, ubuf, len; size_t size; int ret, pret, nr_pages, i; 
@@ -8896,7 +8896,13 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov, } ubuf = (unsigned long) iov->iov_base; - end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT; + len = (unsigned long) iov->iov_len; + if (check_add_overflow(ubuf, len, &end)) + return -EOVERFLOW; + if (check_add_overflow(end, PAGE_SIZE - 1, &end)) + return -EOVERFLOW; + + end = end >> PAGE_SHIFT; start = ubuf >> PAGE_SHIFT; nr_pages = end - start; -- 2.39.2
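Review bot: the subject and the quoted trace are about io_pin_pages() and io_uring/memmap.c, but the only code changed is io_sqe_buffer_register() in io_uring/io_uring.c. The Conflicts note names the missing helper commit without saying that the check was moved into this function, or whether the ring-mapping path shown in the trace (__io_uaddr_map) exists on this branch. Please add a sentence to the message stating which caller is hardened here and why no other site needs the check. Minor: the new error paths in the second hunk use a bare return -EOVERFLOW, which is only safe while imu, vmas and pages are still NULL at that point, so keep these checks above any allocation.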
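The wrap that the io_uring patch above guards against, modeled in user space as an added example (not code from the patch or the kernel tree). It assumes 4 KiB pages and a 64-bit unsigned long modeled as uint64_t; span_unchecked(), span_checked() and the INT_MAX guard are hypothetical names and additions for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                        /* assumption: 4 KiB pages */
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)

/* Pre-patch arithmetic: ubuf + len may wrap, and nothing notices.
 * uint64_t stands in for the kernel's 64-bit unsigned long. */
static uint64_t span_unchecked(uint64_t ubuf, uint64_t len)
{
    uint64_t end = (ubuf + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
    uint64_t start = ubuf >> PAGE_SHIFT;

    return end - start;   /* the kernel code stores this in an int */
}

/* Patched arithmetic: __builtin_add_overflow() is the compiler builtin
 * that the kernel's check_add_overflow() wraps. Returns 0 and sets
 * *nr_pages, or -EOVERFLOW without touching *nr_pages. */
static int span_checked(uint64_t ubuf, uint64_t len, int *nr_pages)
{
    uint64_t end, start;

    if (__builtin_add_overflow(ubuf, len, &end))
        return -EOVERFLOW;
    if (__builtin_add_overflow(end, PAGE_SIZE - 1, &end))
        return -EOVERFLOW;

    end >>= PAGE_SHIFT;
    start = ubuf >> PAGE_SHIFT;

    /* Extra guard, not in the hunk: the count must fit the int it is stored in. */
    if (end - start > INT_MAX)
        return -EOVERFLOW;

    *nr_pages = (int)(end - start);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a sane buffer and one whose end wraps past 2^64. */
    uint64_t cases[][2] = {
        { 0x1800, 0x1000 },
        { 0xfffffffffffff000ULL, 0x2000 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int n = -1;
        int ret = span_checked(cases[i][0], cases[i][1], &n);

        printf("unchecked low 32 bits: %u, checked: ret=%d nr_pages=%d\n",
               (unsigned)(uint32_t)span_unchecked(cases[i][0], cases[i][1]), ret, n);
    }
    return 0;
}
```

For the wrapping input the unchecked result truncates to 2 in its low 32 bits, so it looks like an ordinary two-page request once stored in an int.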