- Kernel - mailweb.openeuler.org

[openeuler:OLK-6.6 2618/2618] drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1869:3: error: call to undeclared function '__symbol_put'; ISO C99 and later do not support implicit function declarations
by kernel test robot 01 Aug '25

01 Aug '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 8c3c65c303f0b7266ec761ebaf173b86b36ac913 commit: 0bf0c942a09ba92e1d22e6960464b628dd4408fa [2618/2618] net/hinic3: Synchronize new NIC features and bug fixes config: arm64-randconfig-001-20250801 (https://download.01.org/0day-ci/archive/20250801/202508011513.18ofSIpR-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 8f09b03aebb71c154f3bbe725c29e3f47d37c26e) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250801/202508011513.18ofSIpR-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202508011513.18ofSIpR-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:108:6: warning: no previous prototype for function 'hinic3_uld_lock_init' [-Wmissing-prototypes] 108 | void hinic3_uld_lock_init(void) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:108:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 108 | void hinic3_uld_lock_init(void) | ^ | static drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:526:5: warning: no previous prototype for function 'hinic3_pdev_is_virtfn' [-Wmissing-prototypes] 526 | u32 hinic3_pdev_is_virtfn(struct pci_dev *pdev) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:526:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 526 | u32 hinic3_pdev_is_virtfn(struct pci_dev *pdev) | ^ | static drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:788:5: warning: no previous prototype for function '__set_vroce_func_state' [-Wmissing-prototypes] 788 | int __set_vroce_func_state(struct hinic3_pcidev *pci_adapter) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:788:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 788 | int __set_vroce_func_state(struct hinic3_pcidev *pci_adapter) | ^ | static drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:831:6: warning: no previous prototype for function 'slave_host_mgmt_vroce_work' [-Wmissing-prototypes] 831 | void slave_host_mgmt_vroce_work(struct work_struct *work) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:831:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 831 | void slave_host_mgmt_vroce_work(struct work_struct *work) | ^ | static drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:841:7: warning: no previous prototype for function 'hinic3_get_roce_uld_by_pdev' [-Wmissing-prototypes] 841 | void *hinic3_get_roce_uld_by_pdev(struct pci_dev *pdev) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:841:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 841 | void *hinic3_get_roce_uld_by_pdev(struct pci_dev *pdev) | ^ | static drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1784:6: warning: no previous prototype for function 'hinic3_set_func_state' [-Wmissing-prototypes] 1784 | void hinic3_set_func_state(struct hinic3_pcidev *pci_adapter) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1784:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1784 | void hinic3_set_func_state(struct hinic3_pcidev *pci_adapter) | ^ | static drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1810:6: warning: no previous prototype for function 'slave_host_mgmt_work' [-Wmissing-prototypes] 1810 | void slave_host_mgmt_work(struct work_struct *work) | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1810:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1810 | void slave_host_mgmt_work(struct work_struct *work) | ^ | static >> drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1869:3: error: call to undeclared function '__symbol_put'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 1869 | __symbol_put("migration_dev_migration_probe"); | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1869:3: note: did you mean '__symbol_get'? include/linux/module.h:301:7: note: '__symbol_get' declared here 301 | void *__symbol_get(const char *symbol); | ^ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1928:3: error: call to undeclared function '__symbol_put'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 1928 | __symbol_put("migration_dev_add_vf"); | ^ 7 warnings and 2 errors generated. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for HALTPOLL_CPUIDLE Depends on [n]: CPU_IDLE [=n] && ARCH_CPUIDLE_HALTPOLL [=y] && ARCH_HAS_OPTIMIZED_POLL [=y] Selected by [y]: - ARM64 [=y] vim +/__symbol_put +1869 drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c 1847 1848 static void slave_host_vfio_probe_delay_work(struct work_struct *work) 1849 { 1850 struct delayed_work *delay = to_delayed_work(work); 1851 struct hinic3_pcidev *pci_adapter = container_of(delay, struct hinic3_pcidev, 1852 migration_probe_dwork); 1853 struct pci_dev *pdev = pci_adapter->pcidev; 1854 int (*dev_migration_probe)(struct pci_dev *pdev); 1855 int rc; 1856 1857 if (hinic3_func_type((struct hinic3_hwdev *)pci_adapter->hwdev) != TYPE_PF) 1858 return; 1859 1860 dev_migration_probe = __symbol_get("migration_dev_migration_probe"); 1861 if (!(dev_migration_probe)) { 1862 sdk_err(&pdev->dev, 1863 "Failed to find: migration_dev_migration_probe"); 1864 queue_delayed_work(pci_adapter->migration_probe_workq, 1865 &pci_adapter->migration_probe_dwork, 1866 WAIT_TIME * HZ); 1867 } else { 1868 rc = dev_migration_probe(pdev); > 1869 __symbol_put("migration_dev_migration_probe"); 1870 if (rc) { 1871 sdk_err(&pdev->dev, 1872 "Failed to __dev_migration_probe, rc:0x%x, pf migrated(%d).\n", 1873 rc, g_is_pf_migrated); 1874 } else { 1875 g_is_pf_migrated = true; 1876 sdk_info(&pdev->dev, 1877 "Succeeded in __dev_migration_probe, pf migrated(%d).\n", 1878 g_is_pf_migrated); 1879 } 1880 } 1881 } 1882 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] net_sched: sch_sfq: don't allow 1 packet limit
by Wang Liang 01 Aug '25

01 Aug '25

From: Octavian Purdila <tavip(a)google.com> mainline inclusion from mainline-v6.14-rc1 commit 10685681bafce6febb39770f3387621bf5d67d0b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBVH45 CVE: CVE-2024-57996 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access. Reported-by: syzbot <syzkaller(a)googlegroups.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Octavian Purdila <tavip(a)google.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241204030520.2084663-2-tavip@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/sched/sch_sfq.c [conflicts due to not merge e4650d7ae425 ("net_sched: sch_sfq: handle bigger packets")] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/sched/sch_sfq.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c index 066754a18569..453136d7a13c 100644 --- a/net/sched/sch_sfq.c +++ b/net/sched/sch_sfq.c @@ -654,6 +654,9 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt) if (!p) return -ENOMEM; } + if (ctl->limit == 1) + return -EINVAL; + sch_tree_lock(sch); if (ctl->quantum) { q->quantum = ctl->quantum; -- 2.34.1

2 1

[PATCH OLK-5.10] net/sched: act_ct: fix ref leak when switching zones
by Wang Liang 01 Aug '25

01 Aug '25

From: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> mainline inclusion from mainline-v5.18-rc1 commit bcb74e132a76ce0502bb33d5b65533a4ed72d159 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP2JY CVE: CVE-2022-49183 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When switching zones or network namespaces without doing a ct clear in between, it is now leaking a reference to the old ct entry. That's because tcf_ct_skb_nfct_cached() returns false and tcf_ct_flow_table_lookup() may simply overwrite it. The fix is to, as the ct entry is not reusable, free it already at tcf_ct_skb_nfct_cached(). Reported-by: Florian Westphal <fw(a)strlen.de> Fixes: 2f131de361f6 ("net/sched: act_ct: Fix flow table lookup after ct clear or switching zones") Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: net/sched/act_ct.c [conflicts due to not mergered 408bdcfce8df ("net: prefer nf_ct_put instead of nf_conntrack_put")] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/sched/act_ct.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 52ba1b278c54..6524efee71e2 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -580,22 +580,25 @@ static bool tcf_ct_skb_nfct_cached(struct net *net, struct sk_buff *skb, if (!ct) return false; if (!net_eq(net, read_pnet(&ct->ct_net))) - return false; + goto drop_ct; if (nf_ct_zone(ct)->id != zone_id) - return false; + goto drop_ct; /* Force conntrack entry direction. */ if (force && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) { if (nf_ct_is_confirmed(ct)) nf_ct_kill(ct); - nf_conntrack_put(&ct->ct_general); - nf_ct_set(skb, NULL, IP_CT_UNTRACKED); - - return false; + goto drop_ct; } return true; + +drop_ct: + nf_conntrack_put(&ct->ct_general); + nf_ct_set(skb, NULL, IP_CT_UNTRACKED); + + return false; } /* Trim the skb to the length specified by the IP/IPv6 header, -- 2.34.1

2 1

[PATCH OLK-5.10] net: annotate races around sk->sk_bound_dev_if
by Wang Liang 01 Aug '25

01 Aug '25

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v5.19-rc1 commit 4c971d2f3548e4f11b1460ac048f5307e4b39fdb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP3SY CVE: CVE-2022-49420 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- UDP sendmsg() is lockless, and reads sk->sk_bound_dev_if while this field can be changed by another thread. Adds minimal annotations to avoid KCSAN splats for UDP. Following patches will add more annotations to potential lockless readers. BUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg write to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0: __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221 ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272 inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 __sys_connect_file net/socket.c:1900 [inline] __sys_connect+0x197/0x1b0 net/socket.c:1917 __do_sys_connect net/socket.c:1927 [inline] __se_sys_connect net/socket.c:1924 [inline] __x64_sys_connect+0x3d/0x50 net/socket.c:1924 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1: udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436 inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg net/socket.c:725 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 ___sys_sendmsg net/socket.c:2467 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000000 -> 0xffffff9b Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 I chose to not add Fixes: tag because race has minor consequences and stable teams busy enough. Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: net/ipv6/udp.c [conflicts due to not merge 5298953e742d ("udp6: don't make extra copies of iflow")] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- include/net/ip.h | 2 +- include/net/sock.h | 5 +++-- net/ipv6/datagram.c | 6 +++--- net/ipv6/udp.c | 11 ++++++----- 4 files changed, 13 insertions(+), 11 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h index c5a7bf4eb234..12cb525572f0 100644 --- a/include/net/ip.h +++ b/include/net/ip.h @@ -93,7 +93,7 @@ static inline void ipcm_init_sk(struct ipcm_cookie *ipcm, ipcm->sockc.mark = inet->sk.sk_mark; ipcm->sockc.tsflags = inet->sk.sk_tsflags; - ipcm->oif = inet->sk.sk_bound_dev_if; + ipcm->oif = READ_ONCE(inet->sk.sk_bound_dev_if); ipcm->addr = inet->inet_saddr; ipcm->protocol = inet->inet_num; } diff --git a/include/net/sock.h b/include/net/sock.h index cdf00877055a..b81e870a9fcc 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2859,13 +2859,14 @@ static inline void sk_pacing_shift_update(struct sock *sk, int val) */ static inline bool sk_dev_equal_l3scope(struct sock *sk, int dif) { + int bound_dev_if = READ_ONCE(sk->sk_bound_dev_if); int mdif; - if (!sk->sk_bound_dev_if || sk->sk_bound_dev_if == dif) + if (!bound_dev_if || bound_dev_if == dif) return true; mdif = l3mdev_master_ifindex_by_index(sock_net(sk), dif); - if (mdif && mdif == sk->sk_bound_dev_if) + if (mdif && mdif == bound_dev_if) return true; return false; diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index a30ff5d6808a..fc8a969288d5 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c @@ -218,11 +218,11 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, err = -EINVAL; goto out; } - sk->sk_bound_dev_if = usin->sin6_scope_id; + WRITE_ONCE(sk->sk_bound_dev_if, usin->sin6_scope_id); } if (!sk->sk_bound_dev_if && (addr_type & IPV6_ADDR_MULTICAST)) - sk->sk_bound_dev_if = np->mcast_oif; + WRITE_ONCE(sk->sk_bound_dev_if, np->mcast_oif); /* Connect to link-local address requires an interface */ if (!sk->sk_bound_dev_if) { @@ -798,7 +798,7 @@ int ip6_datagram_send_ctl(struct net *net, struct sock *sk, if (src_idx) { if (fl6->flowi6_oif && src_idx != fl6->flowi6_oif && - (sk->sk_bound_dev_if != fl6->flowi6_oif || + (READ_ONCE(sk->sk_bound_dev_if) != fl6->flowi6_oif || !sk_dev_equal_l3scope(sk, src_idx))) return -EINVAL; fl6->flowi6_oif = src_idx; diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 43eab741b32b..00b22f541422 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -116,7 +116,7 @@ static int compute_score(struct sock *sk, struct net *net, const struct in6_addr *daddr, unsigned short hnum, int dif, int sdif) { - int score; + int bound_dev_if, score; struct inet_sock *inet; bool dev_match; @@ -143,10 +143,11 @@ static int compute_score(struct sock *sk, struct net *net, score++; } - dev_match = udp_sk_bound_dev_eq(net, sk->sk_bound_dev_if, dif, sdif); + bound_dev_if = READ_ONCE(sk->sk_bound_dev_if); + dev_match = udp_sk_bound_dev_eq(net, bound_dev_if, dif, sdif); if (!dev_match) return -1; - if (sk->sk_bound_dev_if) + if (bound_dev_if) score++; if (READ_ONCE(sk->sk_incoming_cpu) == raw_smp_processor_id()) @@ -793,7 +794,7 @@ static bool __udp_v6_is_mcast_sock(struct net *net, struct sock *sk, (inet->inet_dport && inet->inet_dport != rmt_port) || (!ipv6_addr_any(&sk->sk_v6_daddr) && !ipv6_addr_equal(&sk->sk_v6_daddr, rmt_addr)) || - !udp_sk_bound_dev_eq(net, sk->sk_bound_dev_if, dif, sdif) || + !udp_sk_bound_dev_eq(net, READ_ONCE(sk->sk_bound_dev_if), dif, sdif) || (!ipv6_addr_any(&sk->sk_v6_rcv_saddr) && !ipv6_addr_equal(&sk->sk_v6_rcv_saddr, loc_addr))) return false; @@ -1438,7 +1439,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) } if (!fl6.flowi6_oif) - fl6.flowi6_oif = sk->sk_bound_dev_if; + fl6.flowi6_oif = READ_ONCE(sk->sk_bound_dev_if); if (!fl6.flowi6_oif) fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex; -- 2.34.1

2 1

[PATCH OLK-5.10] net: sched: Disallow replacing of child qdisc from one parent to another
by Wang Liang 01 Aug '25

01 Aug '25

From: Jamal Hadi Salim <jhs(a)mojatatu.com> mainline inclusion from mainline-v6.14-rc1 commit bc50835e83f60f56e9bec2b392fb5544f250fb6f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBM687 CVE: CVE-2025-21700 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec(a)gmail.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250116013713.900000-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/sched/sch_api.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 0b809dfb0e43..51f2ea115f30 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1604,6 +1604,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, q = qdisc_lookup(dev, tcm->tcm_handle); if (!q) goto create_n_graft; + if (q->parent != tcm->tcm_parent) { + NL_SET_ERR_MSG(extack, "Cannot move an existing qdisc to a different parent"); + return -EINVAL; + } if (n->nlmsg_flags & NLM_F_EXCL) { NL_SET_ERR_MSG(extack, "Exclusivity flag on, cannot override"); return -EEXIST; -- 2.34.1

2 1

[PATCH OLK-6.6] bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
by Fanhua Li 01 Aug '25

01 Aug '25

From: Somnath Kotur <somnath.kotur(a)broadcom.com> stable inclusion from stable-v6.6.99 commit 5909679a82cd74cf0343d9e3ddf4b6931aa7e613 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICOXO4 CVE: CVE-2025-38439 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3cdf199d4755d477972ee87110b2aebc88b3cfad ] When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en] Fixes: f18c2b77b2e4 ("bnxt_en: optimized XDP_REDIRECT support") Signed-off-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Link: https://patch.msgid.link/20250710213938.1959625-4-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Fanhua Li <lifanhua5(a)huawei.com> --- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c index 7e9de1081828..b1d384d3d293 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c @@ -114,7 +114,7 @@ static void __bnxt_xmit_xdp_redirect(struct bnxt *bp, tx_buf->action = XDP_REDIRECT; tx_buf->xdpf = xdpf; dma_unmap_addr_set(tx_buf, mapping, mapping); - dma_unmap_len_set(tx_buf, len, 0); + dma_unmap_len_set(tx_buf, len, len); } void bnxt_tx_int_xdp(struct bnxt *bp, struct bnxt_napi *bnapi, int budget) -- 2.43.0

2 1

[PATCH OLK-5.10] bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
by Fanhua Li 01 Aug '25

01 Aug '25

From: Somnath Kotur <somnath.kotur(a)broadcom.com> stable inclusion from stable-v5.10.240 commit 16ae306602163fcb7ae83f2701b542e43c100cee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICOXO4 CVE: CVE-2025-38439 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3cdf199d4755d477972ee87110b2aebc88b3cfad ] When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en] Fixes: f18c2b77b2e4 ("bnxt_en: optimized XDP_REDIRECT support") Signed-off-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Link: https://patch.msgid.link/20250710213938.1959625-4-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Fanhua Li <lifanhua5(a)huawei.com> --- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c index fcc262064766..dc9afaa14da8 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c @@ -65,7 +65,7 @@ static void __bnxt_xmit_xdp_redirect(struct bnxt *bp, tx_buf->action = XDP_REDIRECT; tx_buf->xdpf = xdpf; dma_unmap_addr_set(tx_buf, mapping, mapping); - dma_unmap_len_set(tx_buf, len, 0); + dma_unmap_len_set(tx_buf, len, len); } void bnxt_tx_int_xdp(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts) -- 2.43.0

2 1

[PATCH OLK-5.10] net: sched: Disallow replacing of child qdisc from one parent to another
by Wang Liang 01 Aug '25

01 Aug '25

From: Jamal Hadi Salim <jhs(a)mojatatu.com> mainline inclusion from mainline-v6.14-rc1 commit bc50835e83f60f56e9bec2b392fb5544f250fb6f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/XXXXXX CVE: CVE-2025-21700 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec(a)gmail.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250116013713.900000-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/sched/sch_api.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 0b809dfb0e43..51f2ea115f30 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -1604,6 +1604,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, q = qdisc_lookup(dev, tcm->tcm_handle); if (!q) goto create_n_graft; + if (q->parent != tcm->tcm_parent) { + NL_SET_ERR_MSG(extack, "Cannot move an existing qdisc to a different parent"); + return -EINVAL; + } if (n->nlmsg_flags & NLM_F_EXCL) { NL_SET_ERR_MSG(extack, "Exclusivity flag on, cannot override"); return -EEXIST; -- 2.34.1

2 1

[PATCH OLK-5.10] net: sched: fix ets qdisc OOB Indexing
by Wang Liang 01 Aug '25

01 Aug '25

From: Jamal Hadi Salim <jhs(a)mojatatu.com> stable inclusion from stable-v5.10.234 commit 03c56665dab1f4ac844bc156652d50d639093fa5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBLDIS CVE: CVE-2025-21692 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit d62b04fca4340a0d468d7853bd66e511935a18cb upstream. Haowei Yan <g1042620637(a)gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]--- Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc") Reported-by: Haowei Yan <g1042620637(a)gmail.com> Suggested-by: Haowei Yan <g1042620637(a)gmail.com> Signed-off-by: Jamal Hadi Salim <jhs(a)mojatatu.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Petr Machata <petrm(a)nvidia.com> Link: https://patch.msgid.link/20250111145740.74755-1-jhs@mojatatu.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/sched/sch_ets.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c index 05817c55692f..0afd9187f836 100644 --- a/net/sched/sch_ets.c +++ b/net/sched/sch_ets.c @@ -91,6 +91,8 @@ ets_class_from_arg(struct Qdisc *sch, unsigned long arg) { struct ets_sched *q = qdisc_priv(sch); + if (arg == 0 || arg > q->nbands) + return NULL; return &q->classes[arg - 1]; } -- 2.34.1

2 1

[openeuler:OLK-6.6 2618/2618] drivers/net/ethernet/huawei/hinic3/hinic3_main.c:154:9: error: call to undeclared function 'vlan_dev_priv'; ISO C99 and later do not support implicit function declarations
by kernel test robot 01 Aug '25

01 Aug '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 7bd792ffd08ba550c6bcfc003d84bed102147e07 commit: dcb286ce50a35a77e51b61db72c7cc001647b598 [2618/2618] net/hinic3: add huawei/hinic3 driver config: arm64-randconfig-001-20250801 (https://download.01.org/0day-ci/archive/20250801/202508011414.iDmsBjYd-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 8f09b03aebb71c154f3bbe725c29e3f47d37c26e) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250801/202508011414.iDmsBjYd-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202508011414.iDmsBjYd-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from drivers/net/ethernet/huawei/hinic3/hinic3_main.c:6: In file included from include/linux/pci.h:1663: In file included from include/linux/dmapool.h:14: In file included from include/linux/scatterlist.h:8: In file included from include/linux/mm.h:2193: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ >> drivers/net/ethernet/huawei/hinic3/hinic3_main.c:154:9: error: call to undeclared function 'vlan_dev_priv'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 154 | ret = vlan_dev_priv(ndev)->real_dev; | ^ >> drivers/net/ethernet/huawei/hinic3/hinic3_main.c:154:30: error: member reference type 'int' is not a pointer 154 | ret = vlan_dev_priv(ndev)->real_dev; | ~~~~~~~~~~~~~~~~~~~ ^ drivers/net/ethernet/huawei/hinic3/hinic3_main.c:156:30: error: member reference type 'int' is not a pointer 156 | ret = vlan_dev_priv(ret)->real_dev; | ~~~~~~~~~~~~~~~~~~ ^ 5 warnings and 3 errors generated. vim +/vlan_dev_priv +154 drivers/net/ethernet/huawei/hinic3/hinic3_main.c 129 130 #define HINIC3_MAX_VLAN_DEPTH_OFFLOAD_SUPPORT 1 131 #define HINIC3_VLAN_CLEAR_OFFLOAD (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | \ 132 NETIF_F_SCTP_CRC | NETIF_F_RXCSUM | \ 133 NETIF_F_ALL_TSO) 134 135 static int hinic3_netdev_event(struct notifier_block *notifier, unsigned long event, void *ptr) 136 { 137 struct net_device *ndev = netdev_notifier_info_to_dev(ptr); 138 struct net_device *real_dev = NULL; 139 struct net_device *ret = NULL; 140 u16 vlan_depth; 141 142 if (!is_vlan_dev(ndev)) 143 return NOTIFY_DONE; 144 145 dev_hold(ndev); 146 147 switch (event) { 148 case NETDEV_REGISTER: 149 real_dev = vlan_dev_real_dev(ndev); 150 if (!hinic3_is_netdev_ops_match(real_dev)) 151 goto out; 152 153 vlan_depth = 1; > 154 ret = vlan_dev_priv(ndev)->real_dev; 155 while (is_vlan_dev(ret)) { 156 ret = vlan_dev_priv(ret)->real_dev; 157 vlan_depth++; 158 } 159 160 if (vlan_depth == HINIC3_MAX_VLAN_DEPTH_OFFLOAD_SUPPORT) { 161 ndev->vlan_features &= (~HINIC3_VLAN_CLEAR_OFFLOAD); 162 } else if (vlan_depth > HINIC3_MAX_VLAN_DEPTH_OFFLOAD_SUPPORT) { 163 #ifdef HAVE_NDO_SET_FEATURES 164 #ifdef HAVE_RHEL6_NET_DEVICE_OPS_EXT 165 set_netdev_hw_features(ndev, 166 get_netdev_hw_features(ndev) & 167 (~HINIC3_VLAN_CLEAR_OFFLOAD)); 168 #else 169 ndev->hw_features &= (~HINIC3_VLAN_CLEAR_OFFLOAD); 170 #endif 171 #endif 172 ndev->features &= (~HINIC3_VLAN_CLEAR_OFFLOAD); 173 } 174 175 break; 176 177 default: 178 break; 179 }; 180 181 out: 182 dev_put(ndev); 183 184 return NOTIFY_DONE; 185 } 186 #endif 187 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0