October 2024 - Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10 18663/30000] drivers/ub/urma/ubcore/ubcore_tp.c:40:17: warning: no previous prototype for 'ubcore_get_mtu'
by kernel test robot 01 Nov '24

01 Nov '24

Hi Yizhen, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: c78205e40443cde6028b0539f30a00fda4167edd commit: 832e9fe8cf1ed02211ff43bd4f3f16ddc2d69969 [18663/30000] ub: ubcore add create/delete tp table api config: arm64-randconfig-003-20241029 (https://download.01.org/0day-ci/archive/20241101/202411010411.aKWhEHwD-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241101/202411010411.aKWhEHwD-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411010411.aKWhEHwD-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ub/urma/ubcore/ubcore_tp.c:40:17: warning: no previous prototype for 'ubcore_get_mtu' [-Wmissing-prototypes] 40 | enum ubcore_mtu ubcore_get_mtu(int mtu) | ^~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_tp.c:75:19: warning: no previous prototype for 'ubcore_create_vtp' [-Wmissing-prototypes] 75 | struct ubcore_tp *ubcore_create_vtp(struct ubcore_device *dev, const union ubcore_eid *remote_eid, | ^~~~~~~~~~~~~~~~~ drivers/ub/urma/ubcore/ubcore_tp.c:83:5: warning: no previous prototype for 'ubcore_destroy_vtp' [-Wmissing-prototypes] 83 | int ubcore_destroy_vtp(struct ubcore_tp *vtp) | ^~~~~~~~~~~~~~~~~~ vim +/ubcore_get_mtu +40 drivers/ub/urma/ubcore/ubcore_tp.c c75b0bccca77778 Yizhen Fan 2023-09-14 39 c75b0bccca77778 Yizhen Fan 2023-09-14 @40 enum ubcore_mtu ubcore_get_mtu(int mtu) c75b0bccca77778 Yizhen Fan 2023-09-14 41 { c75b0bccca77778 Yizhen Fan 2023-09-14 42 mtu = mtu - UB_PROTOCOL_HEAD_BYTES; c75b0bccca77778 Yizhen Fan 2023-09-14 43 c75b0bccca77778 Yizhen Fan 2023-09-14 44 if (mtu >= ubcore_mtu_enum_to_int(UBCORE_MTU_8192)) c75b0bccca77778 Yizhen Fan 2023-09-14 45 return UBCORE_MTU_8192; c75b0bccca77778 Yizhen Fan 2023-09-14 46 if (mtu >= ubcore_mtu_enum_to_int(UBCORE_MTU_4096)) c75b0bccca77778 Yizhen Fan 2023-09-14 47 return UBCORE_MTU_4096; c75b0bccca77778 Yizhen Fan 2023-09-14 48 else if (mtu >= ubcore_mtu_enum_to_int(UBCORE_MTU_2048)) c75b0bccca77778 Yizhen Fan 2023-09-14 49 return UBCORE_MTU_2048; c75b0bccca77778 Yizhen Fan 2023-09-14 50 else if (mtu >= ubcore_mtu_enum_to_int(UBCORE_MTU_1024)) c75b0bccca77778 Yizhen Fan 2023-09-14 51 return UBCORE_MTU_1024; c75b0bccca77778 Yizhen Fan 2023-09-14 52 else if (mtu >= ubcore_mtu_enum_to_int(UBCORE_MTU_512)) c75b0bccca77778 Yizhen Fan 2023-09-14 53 return UBCORE_MTU_512; c75b0bccca77778 Yizhen Fan 2023-09-14 54 else if (mtu >= ubcore_mtu_enum_to_int(UBCORE_MTU_256)) c75b0bccca77778 Yizhen Fan 2023-09-14 55 return UBCORE_MTU_256; c75b0bccca77778 Yizhen Fan 2023-09-14 56 else c75b0bccca77778 Yizhen Fan 2023-09-14 57 return 0; c75b0bccca77778 Yizhen Fan 2023-09-14 58 } c75b0bccca77778 Yizhen Fan 2023-09-14 59 EXPORT_SYMBOL(ubcore_get_mtu); c75b0bccca77778 Yizhen Fan 2023-09-14 60 :::::: The code at line 40 was first introduced by commit :::::: c75b0bccca77778d5663004cb19d3dd31ef71f0a ub: ubcore add get_mtu and other APIs that will be used by the driver. :::::: TO: Yizhen Fan <fanyizhen(a)huawei.com> :::::: CC: fanyizhen1995 <en_0015767(a)163.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 15253/23924] arch/arm64/kernel/mpam/mpam_resctrl.c:358:1: warning: conflicting types for 'mpam_get_raw_resctrl_resource' due to enum/integer mismatch; have 'struct raw_resctrl_resource *(enum resctrl_resource_level)'
by kernel test robot 01 Nov '24

01 Nov '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: e73db5f1f4d00d788085541fcfcb33402ee9221c commit: a453ee059c9d7c7372b6f413ef152b9ea8ee800e [15253/23924] arm64/mpam: Init resctrl resources' info from resctrl_res selected config: arm64-randconfig-001-20241029 (https://download.01.org/0day-ci/archive/20241101/202411010258.ysot0OR8-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241101/202411010258.ysot0OR8-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411010258.ysot0OR8-lkp@intel.com/ All warnings (new ones prefixed by >>): >> arch/arm64/kernel/mpam/mpam_resctrl.c:358:1: warning: conflicting types for 'mpam_get_raw_resctrl_resource' due to enum/integer mismatch; have 'struct raw_resctrl_resource *(enum resctrl_resource_level)' [-Wenum-int-mismatch] 358 | mpam_get_raw_resctrl_resource(enum resctrl_resource_level level) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from arch/arm64/kernel/mpam/mpam_resctrl.c:47: arch/arm64/kernel/mpam/mpam_internal.h:127:1: note: previous declaration of 'mpam_get_raw_resctrl_resource' with type 'struct raw_resctrl_resource *(u32)' {aka 'struct raw_resctrl_resource *(unsigned int)'} 127 | mpam_get_raw_resctrl_resource(u32 level); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ arch/arm64/kernel/mpam/mpam_resctrl.c:784:5: warning: no previous prototype for 'cpus_ctrl_write' [-Wmissing-prototypes] 784 | int cpus_ctrl_write(struct rdtgroup *rdtgrp, cpumask_var_t newmask, | ^~~~~~~~~~~~~~~ arch/arm64/kernel/mpam/mpam_resctrl.c:872:5: warning: no previous prototype for 'cpus_mon_write' [-Wmissing-prototypes] 872 | int cpus_mon_write(struct rdtgroup *rdtgrp, cpumask_var_t newmask, | ^~~~~~~~~~~~~~ arch/arm64/kernel/mpam/mpam_resctrl.c: In function 'rdt_last_cmd_printf': arch/arm64/kernel/mpam/mpam_resctrl.c:1016:9: warning: function 'rdt_last_cmd_printf' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format] 1016 | seq_buf_vprintf(&last_cmd_status, fmt, ap); | ^~~~~~~~~~~~~~~ arch/arm64/kernel/mpam/mpam_resctrl.c: At top level: arch/arm64/kernel/mpam/mpam_resctrl.c:1089:5: warning: no previous prototype for 'resctrl_ctrlmon_enable' [-Wmissing-prototypes] 1089 | int resctrl_ctrlmon_enable(struct kernfs_node *parent_kn, | ^~~~~~~~~~~~~~~~~~~~~~ arch/arm64/kernel/mpam/mpam_resctrl.c:1117:6: warning: no previous prototype for 'resctrl_ctrlmon_disable' [-Wmissing-prototypes] 1117 | void resctrl_ctrlmon_disable(struct kernfs_node *kn_mondata, | ^~~~~~~~~~~~~~~~~~~~~~~ vim +358 arch/arm64/kernel/mpam/mpam_resctrl.c 356 357 struct raw_resctrl_resource * > 358 mpam_get_raw_resctrl_resource(enum resctrl_resource_level level) 359 { 360 if (level >= RDT_NUM_RESOURCES) 361 return NULL; 362 363 return &raw_resctrl_resources_all[level]; 364 } 365 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 18659/30000] drivers/ub/urma/uburma/uburma_cmd.c:180:6: warning: no previous prototype for 'uburma_jetty_event_cb'
by kernel test robot 01 Nov '24

01 Nov '24

Hi Yizhen, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: c78205e40443cde6028b0539f30a00fda4167edd commit: c3af5be3e72710b357d9f23a5bdcafe8f96d6dfd [18659/30000] ub: uburma add cmd create jetty implementation. config: arm64-randconfig-003-20241029 (https://download.01.org/0day-ci/archive/20241101/202411010152.inffSTWn-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241101/202411010152.inffSTWn-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411010152.inffSTWn-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/ub/urma/uburma/uburma_cmd.c:144:6: warning: no previous prototype for 'uburma_jfc_event_cb' [-Wmissing-prototypes] 144 | void uburma_jfc_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~ drivers/ub/urma/uburma/uburma_cmd.c:156:6: warning: no previous prototype for 'uburma_jfs_event_cb' [-Wmissing-prototypes] 156 | void uburma_jfs_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~ drivers/ub/urma/uburma/uburma_cmd.c:168:6: warning: no previous prototype for 'uburma_jfr_event_cb' [-Wmissing-prototypes] 168 | void uburma_jfr_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/uburma/uburma_cmd.c:180:6: warning: no previous prototype for 'uburma_jetty_event_cb' [-Wmissing-prototypes] 180 | void uburma_jetty_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~~~ vim +/uburma_jetty_event_cb +180 drivers/ub/urma/uburma/uburma_cmd.c 179 > 180 void uburma_jetty_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) 181 { 182 struct uburma_jetty_uobj *jetty_uobj; 183 184 if (event->element.jetty == NULL) 185 return; 186 187 jetty_uobj = (struct uburma_jetty_uobj *)event->element.jetty->jetty_cfg.jetty_context; 188 uburma_write_async_event(ctx, event->element.jetty->urma_jetty, event->event_type, 189 &jetty_uobj->async_event_list, &jetty_uobj->async_events_reported); 190 } 191 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 19333/30000] fs/ext4/fast_commit.o: warning: objtool: __ext4_fc_track_unlink()+0x275: unreachable instruction
by kernel test robot 31 Oct '24

31 Oct '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: c67d418d86fea7b8c2a11c7273229ffb0a7a57ed commit: f2c902d8c653f8021f9761092a27f7b9db42b662 [19333/30000] tracing: Make tracepoint lockdep check actually test something config: x86_64-buildonly-randconfig-001-20241030 (https://download.01.org/0day-ci/archive/20241031/202410312220.K72H6v5s-lkp@…) compiler: clang version 19.1.2 (https://github.com/llvm/llvm-project 7ba7d8e2f7b6445b60679da826210cdde29eaf8b) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241031/202410312220.K72H6v5s-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410312220.K72H6v5s-lkp@intel.com/ All warnings (new ones prefixed by >>): >> fs/ext4/fast_commit.o: warning: objtool: __ext4_fc_track_unlink()+0x275: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] NFSv4: release seqid when open failed for nfs4.0
by Li Lingfeng 31 Oct '24

31 Oct '24

From: Yang Erkun <yangerkun(a)huaweicloud.com> hulk inclusion category: bugfix bugzilla: http://openeuler.huawei.com/bugzilla/show_bug.cgi?id=190327 CVE: NA -------------------------------- Two threads that work with the same cred try to open different files concurrently, they will utilize the same nfs4_state_owner. And in order to sequential open request send to server, the second task will fall into RPC_TASK_QUEUED in nfs_wait_on_sequence since there is already one work doing the open operation. Furthermore, the second task will wait until the first task completes its work, call rpc_wake_up_queued_task in nfs_release_seqid to wake up the second task, allowing it to complete the remaining open operation. The preceding logic does not cause any problems under normal circumstances. However, when once we force an unmount using `umount -f`, the function nfs_umount_begin attempts to kill all tasks by calling rpc_signal_task. This help wake up the second task, but it sets the status to -ERESTARTSYS. This status prevents `nfs4_open_release` from calling `nfs4_opendata_to_nfs4_state`. Consequently, while the second task will be freed, the original tasks will still exist in sequence->list(see nfs_release_seqid). Latter, when the first thread calls nfs_release_seqid and attempts to wake up the second task, it will trigger the uaf. To resolve this issue, ensure rpc_task will remove it from sequence->list in nfs4_open_release when open failed, besides, we can only wakeup the next rpc_task, or use-after-free will happen too since privious rpc_task may be released too. ================================================================== BUG: KASAN: slab-use-after-free in rpc_wake_up_queued_task+0xbb/0xc0 Read of size 8 at addr ff11000007639930 by task bash/792 CPU: 0 UID: 0 PID: 792 Comm: bash Tainted: G B W 6.11.0-09960-gd10b58fe53dc-dirty #10 Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xa3/0x120 print_address_description.constprop.0+0x63/0x510 print_report+0xf5/0x360 kasan_report+0xd9/0x140 __asan_report_load8_noabort+0x24/0x40 rpc_wake_up_queued_task+0xbb/0xc0 nfs_release_seqid+0x1e1/0x2f0 nfs_free_seqid+0x1a/0x40 nfs4_opendata_free+0xc6/0x3e0 _nfs4_do_open.isra.0+0xbe3/0x1380 nfs4_do_open+0x28b/0x620 nfs4_atomic_open+0x2c6/0x3a0 nfs_atomic_open+0x4f8/0x1180 atomic_open+0x186/0x4e0 lookup_open.isra.0+0x3e7/0x15b0 open_last_lookups+0x85d/0x1260 path_openat+0x151/0x7b0 do_filp_open+0x1e0/0x310 do_sys_openat2+0x178/0x1f0 do_sys_open+0xa2/0x100 __x64_sys_openat+0xa8/0x120 x64_sys_call+0x2507/0x4540 do_syscall_64+0xa7/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... Allocated by task 767: kasan_save_stack+0x3b/0x70 kasan_save_track+0x1c/0x40 kasan_save_alloc_info+0x44/0x70 __kasan_slab_alloc+0xaf/0xc0 kmem_cache_alloc_noprof+0x1e0/0x4f0 rpc_new_task+0xe7/0x220 rpc_run_task+0x27/0x7d0 nfs4_run_open_task+0x477/0x810 _nfs4_proc_open+0xc0/0x6d0 _nfs4_open_and_get_state+0x178/0xc50 _nfs4_do_open.isra.0+0x47f/0x1380 nfs4_do_open+0x28b/0x620 nfs4_atomic_open+0x2c6/0x3a0 nfs_atomic_open+0x4f8/0x1180 atomic_open+0x186/0x4e0 lookup_open.isra.0+0x3e7/0x15b0 open_last_lookups+0x85d/0x1260 path_openat+0x151/0x7b0 do_filp_open+0x1e0/0x310 do_sys_openat2+0x178/0x1f0 do_sys_open+0xa2/0x100 __x64_sys_openat+0xa8/0x120 x64_sys_call+0x2507/0x4540 do_syscall_64+0xa7/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 767: kasan_save_stack+0x3b/0x70 kasan_save_track+0x1c/0x40 kasan_save_free_info+0x43/0x80 __kasan_slab_free+0x4f/0x90 kmem_cache_free+0x199/0x4f0 mempool_free_slab+0x1f/0x30 mempool_free+0xdf/0x3d0 rpc_free_task+0x12d/0x180 rpc_final_put_task+0x10e/0x150 rpc_do_put_task+0x63/0x80 rpc_put_task+0x18/0x30 nfs4_run_open_task+0x4f4/0x810 _nfs4_proc_open+0xc0/0x6d0 _nfs4_open_and_get_state+0x178/0xc50 _nfs4_do_open.isra.0+0x47f/0x1380 nfs4_do_open+0x28b/0x620 nfs4_atomic_open+0x2c6/0x3a0 nfs_atomic_open+0x4f8/0x1180 atomic_open+0x186/0x4e0 lookup_open.isra.0+0x3e7/0x15b0 open_last_lookups+0x85d/0x1260 path_openat+0x151/0x7b0 do_filp_open+0x1e0/0x310 do_sys_openat2+0x178/0x1f0 do_sys_open+0xa2/0x100 __x64_sys_openat+0xa8/0x120 x64_sys_call+0x2507/0x4540 do_syscall_64+0xa7/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 24ac23ab88df ("NFSv4: Convert open() into an asynchronous RPC call") Signed-off-by: Yang Erkun <yangerkun(a)huaweicloud.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfs/nfs4_fs.h | 1 + fs/nfs/nfs4proc.c | 2 ++ fs/nfs/nfs4state.c | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+) diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h index d22176d87448..586428cca20b 100644 --- a/fs/nfs/nfs4_fs.h +++ b/fs/nfs/nfs4_fs.h @@ -505,6 +505,7 @@ extern struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter, gfp_ extern int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task); extern void nfs_increment_open_seqid(int status, struct nfs_seqid *seqid); extern void nfs_increment_lock_seqid(int status, struct nfs_seqid *seqid); +extern void nfs_release_seqid_inorder(struct nfs_seqid *seqid); extern void nfs_release_seqid(struct nfs_seqid *seqid); extern void nfs_free_seqid(struct nfs_seqid *seqid); extern int nfs4_setup_sequence(struct nfs_client *client, diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index ef9e80928f2a..b19a738dd2e1 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -2411,6 +2411,8 @@ static void nfs4_open_release(void *calldata) struct nfs4_opendata *data = calldata; struct nfs4_state *state = NULL; + if (data->rpc_status != 0 || !data->rpc_done) + nfs_release_seqid_inorder(data->o_arg.seqid); /* If this request hasn't been cancelled, do nothing */ if (!data->cancelled) goto out_free; diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index c843917f8e2c..6a5479453256 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c @@ -1103,6 +1103,24 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter, gfp_t gfp_m return new; } +void nfs_release_seqid_inorder(struct nfs_seqid *seqid) +{ + struct nfs_seqid_counter *sequence; + + if (seqid == NULL || list_empty(&seqid->list)) + return; + sequence = seqid->sequence; + spin_lock(&sequence->lock); + if (!list_is_last(&seqid->list, &sequence->list)) { + struct nfs_seqid *next; + + next = list_next_entry(seqid, list); + rpc_wake_up_queued_task(&sequence->wait, next->task); + } + list_del_init(&seqid->list); + spin_unlock(&sequence->lock); +} + void nfs_release_seqid(struct nfs_seqid *seqid) { struct nfs_seqid_counter *sequence; -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS-SP1 0/1] CVE-2024-47716
by Yuntao Liu 31 Oct '24

31 Oct '24

CVE-2024-47716 Calvin Owens (1): ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros arch/arm/vfp/vfpinstr.h | 48 ++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 22 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10 0/1] CVE-2024-47716
by Yuntao Liu 31 Oct '24

31 Oct '24

CVE-2024-47716 Calvin Owens (1): ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros arch/arm/vfp/vfpinstr.h | 48 ++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 22 deletions(-) -- 2.34.1

2 2

[openeuler:OLK-5.10 18658/30000] drivers/ub/urma/uburma/uburma_cmd.c:144:6: warning: no previous prototype for 'uburma_jfc_event_cb'
by kernel test robot 31 Oct '24

31 Oct '24

Hi Yizhen, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 42d618475732fa8f470a2094cb00ac363f7e46fc commit: c4cd0655c0c898569c0a70162f36258fd5c50eeb [18658/30000] ub: uburma add cmd create jfc implementation. config: arm64-randconfig-003-20241029 (https://download.01.org/0day-ci/archive/20241031/202410312229.yZTH5DDS-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241031/202410312229.yZTH5DDS-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410312229.yZTH5DDS-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ub/urma/uburma/uburma_cmd.c:144:6: warning: no previous prototype for 'uburma_jfc_event_cb' [-Wmissing-prototypes] 144 | void uburma_jfc_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~ drivers/ub/urma/uburma/uburma_cmd.c:156:6: warning: no previous prototype for 'uburma_jfs_event_cb' [-Wmissing-prototypes] 156 | void uburma_jfs_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~ drivers/ub/urma/uburma/uburma_cmd.c:168:6: warning: no previous prototype for 'uburma_jfr_event_cb' [-Wmissing-prototypes] 168 | void uburma_jfr_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) | ^~~~~~~~~~~~~~~~~~~ vim +/uburma_jfc_event_cb +144 drivers/ub/urma/uburma/uburma_cmd.c 143 > 144 void uburma_jfc_event_cb(struct ubcore_event *event, struct ubcore_ucontext *ctx) 145 { 146 struct uburma_jfc_uobj *jfc_uobj; 147 148 if (event->element.jfc == NULL) 149 return; 150 151 jfc_uobj = (struct uburma_jfc_uobj *)event->element.jfc->jfc_cfg.jfc_context; 152 uburma_write_async_event(ctx, event->element.jfc->urma_jfc, event->event_type, 153 &jfc_uobj->async_event_list, &jfc_uobj->async_events_reported); 154 } 155 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 v2] openeuler_defconfig: Disable CONFIG_DEBUG_INFO_BTF_MODULES
by Pu Lehui 31 Oct '24

31 Oct '24

Offering: HULK hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAX0HW -------------------------------- The BTF information of the data structure in the kernel module is generated based on the corresponding kernel's base BTF when compiling the kernel module. When the kernel module is loaded into other kernels, unpredictable BTF verification errors will occur due to different base BTF, which will lead to the kernel module loading failed. Disable CONFIG_DEBUG_INFO_BTF_MODULES will skip the kernel module BTF verification. Fixes: 4d88af8133c4 ("config: add initial openeuler_defconfig for x86") Fixes: 3c70ec8dbed1 ("config: add initial openeuler_defconfig for arm64") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- arch/arm64/configs/openeuler_defconfig | 2 +- arch/x86/configs/openeuler_defconfig | 2 +- include/linux/module.h | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 96ca8b990e22..3304cf0bd9e1 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -7923,7 +7923,7 @@ CONFIG_DEBUG_INFO_COMPRESSED_NONE=y CONFIG_DEBUG_INFO_BTF=y CONFIG_PAHOLE_HAS_SPLIT_BTF=y CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y -CONFIG_DEBUG_INFO_BTF_MODULES=y +# CONFIG_DEBUG_INFO_BTF_MODULES is not set # CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set # CONFIG_GDB_SCRIPTS is not set CONFIG_FRAME_WARN=2048 diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index d95d966f7fb2..6bf96adf974a 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -9076,7 +9076,7 @@ CONFIG_DEBUG_INFO_COMPRESSED_NONE=y CONFIG_DEBUG_INFO_BTF=y CONFIG_PAHOLE_HAS_SPLIT_BTF=y CONFIG_PAHOLE_HAS_LANG_EXCLUDE=y -CONFIG_DEBUG_INFO_BTF_MODULES=y +# CONFIG_DEBUG_INFO_BTF_MODULES is not set # CONFIG_MODULE_ALLOW_BTF_MISMATCH is not set # CONFIG_GDB_SCRIPTS is not set CONFIG_FRAME_WARN=2048 diff --git a/include/linux/module.h b/include/linux/module.h index 4db2878d9e42..990f9d66d2f1 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -516,6 +516,9 @@ struct module { #ifdef CONFIG_DEBUG_INFO_BTF_MODULES unsigned int btf_data_size; void *btf_data; +#else + KABI_DEPRECATE(unsigned int, btf_data_size) + KABI_DEPRECATE(void *, btf_data) #endif #ifdef CONFIG_JUMP_LABEL struct jump_entry *jump_entries; -- 2.34.1

2 1

[PATCH OLK-6.6] ext4: fix slab-use-after-free in ext4_split_extent_at()
by Baokun Li 31 Oct '24

31 Oct '24

stable inclusion from stable-v6.6.55 commit 8fe117790b37c84c651e2bad9efc0e7fda73c0e3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9L CVE: CVE-2024-49884 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream. We hit the following use-after-free: ================================================================== BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 Call Trace: <TASK> kasan_report+0x93/0xc0 ext4_split_extent_at+0xba8/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Allocated by task 40: __kmalloc_noprof+0x1ac/0x480 ext4_find_extent+0xf3b/0x1e70 ext4_ext_map_blocks+0x188/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] Freed by task 40: kfree+0xf1/0x2b0 ext4_find_extent+0xa71/0x1e70 ext4_ext_insert_extent+0xa22/0x3260 ext4_split_extent_at+0x3ef/0xcc0 ext4_split_extent.isra.0+0x18f/0x500 ext4_split_convert_extents+0x275/0x750 ext4_ext_handle_unwritten_extents+0x73e/0x1580 ext4_ext_map_blocks+0xe20/0x2dc0 ext4_map_blocks+0x724/0x1700 ext4_do_writepages+0x12d6/0x2a70 [...] ================================================================== The flow of issue triggering is as follows: ext4_split_extent_at path = *ppath ext4_ext_insert_extent(ppath) ext4_ext_create_new_leaf(ppath) ext4_find_extent(orig_path) path = *orig_path read_extent_tree_block // return -ENOMEM or -EIO ext4_free_ext_path(path) kfree(path) *orig_path = NULL a. If err is -ENOMEM: ext4_ext_dirty(path + path->p_depth) // path use-after-free !!! b. If err is -EIO and we have EXT_DEBUG defined: ext4_ext_show_leaf(path) eh = path[depth].p_hdr // path also use-after-free !!! So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path. In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates. Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code") Cc: stable(a)kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Reviewed-by: Ojaswin Mujoo <ojaswin(a)linux.ibm.com> Tested-by: Ojaswin Mujoo <ojaswin(a)linux.ibm.com> Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/ext4/extents.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index d618ff9b6b94..f5052f99b2f8 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3241,6 +3241,25 @@ static int ext4_split_extent_at(handle_t *handle, if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM) goto out; + /* + * Update path is required because previous ext4_ext_insert_extent() + * may have freed or reallocated the path. Using EXT4_EX_NOFAIL + * guarantees that ext4_find_extent() will not return -ENOMEM, + * otherwise -ENOMEM will cause a retry in do_writepages(), and a + * WARN_ON may be triggered in ext4_da_update_reserve_space() due to + * an incorrect ee_len causing the i_reserved_data_blocks exception. + */ + path = ext4_find_extent(inode, ee_block, ppath, + flags | EXT4_EX_NOFAIL); + if (IS_ERR(path)) { + EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld", + split, PTR_ERR(path)); + return PTR_ERR(path); + } + depth = ext_depth(inode); + ex = path[depth].p_ext; + *ppath = path; + if (EXT4_EXT_MAY_ZEROOUT & split_flag) { if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { if (split_flag & EXT4_EXT_DATA_VALID1) { @@ -3293,7 +3312,7 @@ static int ext4_split_extent_at(handle_t *handle, ext4_ext_dirty(handle, inode, path + path->p_depth); return err; out: - ext4_ext_show_leaf(inode, path); + ext4_ext_show_leaf(inode, *ppath); return err; } -- 2.46.1

2 2

2024

2023

2022

2021

2020

2019

Kernel October 2024