From: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
stable inclusion
from stable-v5.10.216
commit aa44d21574751a7d6bca892eb8e0e9ac68372e52
category: bugfix
bugzilla: 189928
CVE: CVE-2024-35847
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with the area bitmap and the vprop_page and
its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
vprop_page again.
Fix this by unconditionally invoking its_vpe_irq_domain_free() which
handles all cases correctly and by removing the bitmap/vprop_page freeing
from its_vpe_irq_domain_alloc().
[ tglx: Massaged change log ]
Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
Signed-off-by: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibab…
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 806359f3376a..8a716da480b0 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -5210,13 +5210,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
set_bit(i, bitmap);
}
- if (err) {
- if (i > 0)
- its_vpe_irq_domain_free(domain, virq, i);
-
- its_lpi_free(bitmap, base, nr_ids);
- its_free_prop_table(vprop_page);
- }
+ if (err)
+ its_vpe_irq_domain_free(domain, virq, i);
return err;
}
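Review bot: the new `if (err)` branch drops the `i > 0` guard, so its_vpe_irq_domain_free(domain, virq, i) is now also reached with i == 0, and nothing at the call site says that the callee is what releases bitmap and vprop_page in that case. The commit message states that it handles all cases. A one-line comment above the call, noting that ownership of the bitmap and vprop_page passes to its_vpe_irq_domain_free() even for a count of zero, would keep a later edit from re-adding its_lpi_free()/its_free_prop_table() here and reintroducing the double free.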
--
2.25.1
From: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
stable inclusion
from stable-v5.10.216
commit aa44d21574751a7d6bca892eb8e0e9ac68372e52
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9HX
CVE: CVE-2024-35847
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with the area bitmap and the vprop_page and
its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
vprop_page again.
Fix this by unconditionally invoking its_vpe_irq_domain_free() which
handles all cases correctly and by removing the bitmap/vprop_page freeing
from its_vpe_irq_domain_alloc().
[ tglx: Massaged change log ]
Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
Signed-off-by: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibab…
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 71e1689a32e7..1f157bf54ce1 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -3509,13 +3509,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
set_bit(i, bitmap);
}
- if (err) {
- if (i > 0)
- its_vpe_irq_domain_free(domain, virq, i);
-
- its_lpi_free(bitmap, base, nr_ids);
- its_free_prop_table(vprop_page);
- }
+ if (err)
+ its_vpe_irq_domain_free(domain, virq, i);
return err;
}
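Review bot: the removed its_lpi_free(bitmap, base, nr_ids) and its_free_prop_table(vprop_page) calls were the only release of those two objects visible in this error path, and this posting applies the stable commit to a different base (offset 3509, index 71e1689a32e7) than the other posting of it on this page (offset 5210, index 806359f3376a). Please confirm that its_vpe_irq_domain_free() in this tree frees the bitmap and vprop_page when called with i == 0. If it does not, a failure in the first iteration would leak both instead of double-freeing them.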
--
2.25.1
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9QRNR
CVE: NA
--------------------------------
In get_swap_pages(), we select the swap device based on the priority by
default. If two or more devices have the same priority, their positions
in the avail_lists will move in a circle in plist_requeue(). After setting
memory.swapfile in a memory cgroup, if the priority of the matched swap
is less than the priority of these swaps, the loop will be confined to
these swaps with the same priority and can never select the specified swap.
Fix the infinite loop by skipping the unmatched swap before plist_requeue().
Fixes: 682fc25deeed ("mm/swapfile: introduce per-memcg swapfile control")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
---
mm/swapfile.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 4aa7339bb365..a10c67728e46 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1173,15 +1173,13 @@ int get_swap_pages(int n_goal, swp_entry_t swp_entries[], int entry_size,
start_over:
node = numa_node_id();
plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) {
+ if (should_skip_swap_type(si->type, type))
+ goto nextsi;
+
/* requeue si to after same-priority siblings */
plist_requeue(&si->avail_lists[node], &swap_avail_heads[node]);
spin_unlock(&swap_avail_lock);
spin_lock(&si->lock);
- if (should_skip_swap_type(si->type, type)) {
- spin_unlock(&si->lock);
- spin_lock(&swap_avail_lock);
- goto nextsi;
- }
if (!si->highest_bit || !(si->flags & SWP_WRITEOK)) {
spin_lock(&swap_avail_lock);
if (plist_node_empty(&si->avail_lists[node])) {
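Review bot: should_skip_swap_type(si->type, type) at the top of the loop body now runs under swap_avail_lock only, where the removed check ran after spin_lock(&si->lock). If si->type cannot change while si is on avail_lists, say so in a comment next to the new check; otherwise the read needs si->lock. The lock state at nextsi stays consistent: the removed branch dropped si->lock and retook swap_avail_lock before jumping, and the new branch jumps before swap_avail_lock is released.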
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: bb74bc369fd2ab5f41a32c4ddc2e23bc76c3c550
commit: 4332dbb07181359cccca3ba757ef54e434fb1296 [9619/9669] Add kh40000_direct_dma_ops for KH-40000 platform
config: x86_64-rhel-8.3-rust (https://download.01.org/0day-ci/archive/20240520/202405201915.EtSGIZ33-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240520/202405201915.EtSGIZ33-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405201915.EtSGIZ33-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> arch/x86/kernel/zhaoxin_kh40000.c:47:30: warning: bitwise or with non-zero value always evaluates to true [-Wtautological-bitwise-compare]
47 | if (ZHAOXIN_P2CW_NODE_CHECK | zhaoxin_patch_code)
| ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
1 warning generated.
vim +47 arch/x86/kernel/zhaoxin_kh40000.c
36
37 static int __init zhaoxin_patch_code_setup(char *str)
38 {
39 int err = kstrtoul(str, 0, &zhaoxin_patch_code);
40
41 if (err || (zhaoxin_patch_code > ZHAOXIN_PATCH_CODE_MAX)) {
42 pr_err("cmdline 'zhaoxin_patch_bitmask=%s' inappropriate\n", str);
43 zhaoxin_patch_code = ZHAOXIN_PATCH_CODE_DEFAULT;
44 return err;
45 }
46
> 47 if (ZHAOXIN_P2CW_NODE_CHECK | zhaoxin_patch_code)
48 pr_info("zhaoxin dma patch node check is enabled\n");
49
50 return 0;
51 }
52 __setup("zhaoxin_patch_bitmask=", zhaoxin_patch_code_setup);
53
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki