August 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
by liwei 29 Aug '24

29 Aug '24

From: Kuan-Wei Chiu <visitorckw(a)gmail.com> stable inclusion from stable-v4.19.319 commit c9d6e349f7aad4ab9c557047d357df256c15f25e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAMXCL CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- commit 233323f9b9f828cd7cd5145ad811c1990b692542 upstream. The acpi_cst_latency_cmp() comparison function currently used for sorting C-state latencies does not satisfy transitivity, causing incorrect sorting results. Specifically, if there are two valid acpi_processor_cx elements A and B and one invalid element C, it may occur that A < B, A = C, and B = C. Sorting algorithms assume that if A < B and A = C, then C < B, leading to incorrect ordering. Given the small size of the array (<=8), we replace the library sort function with a simple insertion sort that properly ignores invalid elements and sorts valid ones based on latency. This change ensures correct ordering of the C-state latencies. Fixes: 65ea8f2c6e23 ("ACPI: processor idle: Fix up C-state latency if not ordered") Reported-by: Julian Sikorski <belegdol(a)gmail.com> Closes: https://lore.kernel.org/lkml/70674dc7-5586-4183-8953-8095567e73df@gmail.com Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Tested-by: Julian Sikorski <belegdol(a)gmail.com> Cc: All applicable <stable(a)vger.kernel.org> Link: https://patch.msgid.link/20240701205639.117194-1-visitorckw@gmail.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: liwei <liwei728(a)huawei.com> --- drivers/acpi/processor_idle.c | 40 ++++++++++++++--------------------- 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c index a17d4bfa9a37..190cf402f1c8 100644 --- a/drivers/acpi/processor_idle.c +++ b/drivers/acpi/processor_idle.c @@ -29,7 +29,6 @@ #include <linux/acpi.h> #include <linux/dmi.h> #include <linux/sched.h> /* need_resched() */ -#include <linux/sort.h> #include <linux/tick.h> #include <linux/cpuidle.h> #include <linux/cpu.h> @@ -407,28 +406,24 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr, return; } -static int acpi_cst_latency_cmp(const void *a, const void *b) +static void acpi_cst_latency_sort(struct acpi_processor_cx *states, size_t length) { - const struct acpi_processor_cx *x = a, *y = b; + int i, j, k; - if (!(x->valid && y->valid)) - return 0; - if (x->latency > y->latency) - return 1; - if (x->latency < y->latency) - return -1; - return 0; -} -static void acpi_cst_latency_swap(void *a, void *b, int n) -{ - struct acpi_processor_cx *x = a, *y = b; - u32 tmp; + for (i = 1; i < length; i++) { + if (!states[i].valid) + continue; - if (!(x->valid && y->valid)) - return; - tmp = x->latency; - x->latency = y->latency; - y->latency = tmp; + for (j = i - 1, k = i; j >= 0; j--) { + if (!states[j].valid) + continue; + + if (states[j].latency > states[k].latency) + swap(states[j].latency, states[k].latency); + + k = j; + } + } } static int acpi_processor_power_verify(struct acpi_processor *pr) @@ -473,10 +468,7 @@ static int acpi_processor_power_verify(struct acpi_processor *pr) if (buggy_latency) { pr_notice("FW issue: working around C-state latencies out of order\n"); - sort(&pr->power.states[1], max_cstate, - sizeof(struct acpi_processor_cx), - acpi_cst_latency_cmp, - acpi_cst_latency_swap); + acpi_cst_latency_sort(&pr->power.states[1], max_cstate); } lapic_timer_propagate_broadcast(pr); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()
by Liu Jian 29 Aug '24

29 Aug '24

From: Zheyu Ma <zheyuma97(a)gmail.com> stable inclusion from stable-v4.19.233 commit b838add93e1dd98210482dc433768daaf752bdef category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALPV6 CVE: CVE-2022-48908 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- commit bd6f1fd5d33dfe5d1b4f2502d3694a7cc13f166d upstream. During driver initialization, the pointer of card info, i.e. the variable 'ci' is required. However, the definition of 'com20020pci_id_table' reveals that this field is empty for some devices, which will cause null pointer dereference when initializing these devices. The following log reveals it: [ 3.973806] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 3.973819] RIP: 0010:com20020pci_probe+0x18d/0x13e0 [com20020_pci] [ 3.975181] Call Trace: [ 3.976208] local_pci_probe+0x13f/0x210 [ 3.977248] pci_device_probe+0x34c/0x6d0 [ 3.977255] ? pci_uevent+0x470/0x470 [ 3.978265] really_probe+0x24c/0x8d0 [ 3.978273] __driver_probe_device+0x1b3/0x280 [ 3.979288] driver_probe_device+0x50/0x370 Fix this by checking whether the 'ci' is a null pointer first. Fixes: 8c14f9c70327 ("ARCNET: add com20020 PCI IDs with metadata") Signed-off-by: Zheyu Ma <zheyuma97(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/arcnet/com20020-pci.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c index eb7f76753c9c..9f44e2e458df 100644 --- a/drivers/net/arcnet/com20020-pci.c +++ b/drivers/net/arcnet/com20020-pci.c @@ -136,6 +136,9 @@ static int com20020pci_probe(struct pci_dev *pdev, return -ENOMEM; ci = (struct com20020_pci_card_info *)id->driver_data; + if (!ci) + return -EINVAL; + priv->ci = ci; mm = &ci->misc_map; -- 2.34.1

2 1

[PATCH 01/23] mm: add bdi_set_strict_limit() function
by Yifan Qiao 29 Aug '24

29 Aug '24

From: Stefan Roesch <shr(a)devkernel.io> mainline inclusion from mainline-v6.2-rc1 commit 8e9d5ead865a1a7af74a444d2f00f1ef4539bfba category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAN96I Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Patch series "mm/block: add bdi sysfs knobs", v4. At meta network block devices (nbd) are used to implement remote block storage. In testing and during production it has been observed that these network block devices can consume a huge portion of the dirty writeback cache and writeback can take a considerable time. To be able to give stricter limits, I'm proposing the following changes: 1) introduce strictlimit knob Currently the max_ratio knob exists to limit the dirty_memory. However this knob only applies once (dirty_ratio + dirty_background_ratio) / 2 has been reached. With the BDI_CAP_STRICTLIMIT flag, the max_ratio can be applied without reaching that limit. This change exposes that knob. This knob can also be useful for NFS, fuse filesystems and USB devices. 2) Use part of 1000000 internal calculation The max_ratio is based on percentage. With the current machine sizes percentage values can be very high (1% of a 256GB main memory is already 2.5GB). This change uses part of 1000000 instead of percentages for the internal calculations. 3) Introduce two new sysfs knobs: min_bytes and max_bytes. Currently all calculations are based on ratio, but for a user it often more convenient to specify a limit in bytes. The new knobs will not store bytes values, instead they will translate the byte value to a corresponding ratio. As the internal values are now part of 1000, the ratio is closer to the specified value. However the value should be more seen as an approximation as it can fluctuate over time. 3) Introduce two new sysfs knobs: min_ratio_fine and max_ratio_fine. The granularity for the existing sysfs bdi knobs min_ratio and max_ratio is based on percentage values. The new sysfs bdi knobs min_ratio_fine and max_ratio_fine allow to specify the ratio as part of 1 million. This patch (of 20): This adds the bdi_set_strict_limit function to be able to set/unset the BDI_CAP_STRICTLIMIT flag. Link: https://lkml.kernel.org/r/20221119005215.3052436-1-shr@devkernel.io Link: https://lkml.kernel.org/r/20221119005215.3052436-2-shr@devkernel.io Signed-off-by: Stefan Roesch <shr(a)devkernel.io> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Chris Mason <clm(a)meta.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- include/linux/backing-dev.h | 1 + mm/page-writeback.c | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/linux/backing-dev.h b/include/linux/backing-dev.h index a689a21abe10..c67129defa3a 100644 --- a/include/linux/backing-dev.h +++ b/include/linux/backing-dev.h @@ -106,6 +106,7 @@ static inline unsigned long wb_stat_error(void) int bdi_set_min_ratio(struct backing_dev_info *bdi, unsigned int min_ratio); int bdi_set_max_ratio(struct backing_dev_info *bdi, unsigned int max_ratio); +int bdi_set_strict_limit(struct backing_dev_info *bdi, unsigned int strict_limit); /* * Flags in backing_dev_info::capability diff --git a/mm/page-writeback.c b/mm/page-writeback.c index 0d7cc65c6367..1f6104775a43 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -724,6 +724,21 @@ int bdi_set_max_ratio(struct backing_dev_info *bdi, unsigned max_ratio) } EXPORT_SYMBOL(bdi_set_max_ratio); +int bdi_set_strict_limit(struct backing_dev_info *bdi, unsigned int strict_limit) +{ + if (strict_limit > 1) + return -EINVAL; + + spin_lock_bh(&bdi_lock); + if (strict_limit) + bdi->capabilities |= BDI_CAP_STRICTLIMIT; + else + bdi->capabilities &= ~BDI_CAP_STRICTLIMIT; + spin_unlock_bh(&bdi_lock); + + return 0; +} + static unsigned long dirty_freerun_ceiling(unsigned long thresh, unsigned long bg_thresh) { -- 2.39.2

1 22

[openeuler:OLK-5.10 20743/30000] arch/x86/events/zhaoxin/uncore.c:1722:28: warning: 'cluster_id' is used uninitialized
by kernel test robot 29 Aug '24

29 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b3492b88408a530f644afcd9e80b98cbf9883a82 commit: 2bb7fd043b4123c569fbbde1f18e98d7565a4997 [20743/30000] x86/perf: Update PMU support for more Zhaoxin CPU config: x86_64-randconfig-074-20240829 (https://download.01.org/0day-ci/archive/20240829/202408291024.7rvSMXcC-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240829/202408291024.7rvSMXcC-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408291024.7rvSMXcC-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/x86/events/zhaoxin/uncore.c: In function 'uncore_change_context.constprop': >> arch/x86/events/zhaoxin/uncore.c:1722:28: warning: 'cluster_id' is used uninitialized [-Wuninitialized] 1722 | int i, package_id, cluster_id, subnode_id; | ^~~~~~~~~~ >> arch/x86/events/zhaoxin/uncore.c:1722:40: warning: 'subnode_id' is used uninitialized [-Wuninitialized] 1722 | int i, package_id, cluster_id, subnode_id; | ^~~~~~~~~~ vim +/cluster_id +1722 arch/x86/events/zhaoxin/uncore.c 1716 1717 static void uncore_change_type_ctx(struct zhaoxin_uncore_type *type, int old_cpu, 1718 int new_cpu) 1719 { 1720 struct zhaoxin_uncore_pmu *pmu = type->pmus; 1721 struct zhaoxin_uncore_box *box; > 1722 int i, package_id, cluster_id, subnode_id; 1723 1724 package_id = zx_topology_package_id(old_cpu < 0 ? new_cpu : old_cpu); 1725 if (boot_cpu_data.x86_model == ZHAOXIN_FAM7_YONGFENG) { 1726 cluster_id = zx_topology_cluster_id(old_cpu < 0 ? new_cpu : old_cpu); 1727 subnode_id = zx_topology_subnode_id(old_cpu < 0 ? new_cpu : old_cpu); 1728 } 1729 1730 for (i = 0; i < type->num_boxes; i++, pmu++) { 1731 if (boot_cpu_data.x86_model == ZHAOXIN_FAM7_YONGFENG) { 1732 if (!strcmp(type->name, "llc")) { 1733 box = pmu->boxes[cluster_id]; 1734 if (!box) 1735 continue; 1736 } else { 1737 box = pmu->boxes[subnode_id]; 1738 if (!box) 1739 continue; 1740 } 1741 } else { 1742 box = pmu->boxes[package_id]; 1743 if (!box) 1744 continue; 1745 } 1746 1747 if (old_cpu < 0) { 1748 WARN_ON_ONCE(box->cpu != -1); 1749 box->cpu = new_cpu; 1750 continue; 1751 } 1752 WARN_ON_ONCE(box->cpu != old_cpu); 1753 box->cpu = -1; 1754 if (new_cpu < 0) 1755 continue; 1756 1757 uncore_pmu_cancel_hrtimer(box); 1758 perf_pmu_migrate_context(&pmu->pmu, old_cpu, new_cpu); 1759 box->cpu = new_cpu; 1760 } 1761 } 1762 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks
by He Yujie 29 Aug '24

29 Aug '24

From: Tejun Heo <tj(a)kernel.org> stable inclusion from stable-v5.10.224 commit cf0c713c6946413b712c2311c6666d11a73ae4c2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAN96W CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit d329605287020c3d1c3b0dadc63d8208e7251382 upstream. When a task's weight is being changed, set_load_weight() is called with @update_load set. As weight changes aren't trivial for the fair class, set_load_weight() calls fair.c::reweight_task() for fair class tasks. However, set_load_weight() first tests task_has_idle_policy() on entry and skips calling reweight_task() for SCHED_IDLE tasks. This is buggy as SCHED_IDLE tasks are just fair tasks with a very low weight and they would incorrectly skip load, vlag and position updates. Fix it by updating reweight_task() to take struct load_weight as idle weight can't be expressed with prio and making set_load_weight() call reweight_task() for SCHED_IDLE tasks too when @update_load is set. Fixes: 9059393e4ec1 ("sched/fair: Use reweight_entity() for set_user_nice()") Suggested-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org # v4.15+ Link: http://lkml.kernel.org/r/20240624102331.GI31592@noisy.programming.kicks-ass… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: He Yujie <coka.heyujie(a)huawei.com> --- kernel/sched/core.c | 24 ++++++++++-------------- kernel/sched/fair.c | 7 +++---- kernel/sched/sched.h | 2 +- 3 files changed, 14 insertions(+), 19 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 770d3e7ace4f..5edb6e200369 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -1195,29 +1195,25 @@ int tg_nop(struct task_group *tg, void *data) static void set_load_weight(struct task_struct *p) { - bool update_load = !(READ_ONCE(p->state) & TASK_NEW); int prio = p->static_prio - MAX_RT_PRIO; - struct load_weight *load = &p->se.load; + struct load_weight lw; - /* - * SCHED_IDLE tasks get minimal weight: - */ if (task_has_idle_policy(p)) { - load->weight = scale_load(WEIGHT_IDLEPRIO); - load->inv_weight = WMULT_IDLEPRIO; - return; + lw.weight = scale_load(WEIGHT_IDLEPRIO); + lw.inv_weight = WMULT_IDLEPRIO; + } else { + lw.weight = scale_load(sched_prio_to_weight[prio]); + lw.inv_weight = sched_prio_to_wmult[prio]; } /* * SCHED_OTHER tasks have to update their load when changing their * weight */ - if (update_load && p->sched_class == &fair_sched_class) { - reweight_task(p, prio); - } else { - load->weight = scale_load(sched_prio_to_weight[prio]); - load->inv_weight = sched_prio_to_wmult[prio]; - } + if (update_load && p->sched_class == &fair_sched_class) + reweight_task(p, &lw); + else + p->se.load = lw; } #ifdef CONFIG_UCLAMP_TASK diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 7f56800b17da..3905cb70d232 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -3288,15 +3288,14 @@ static void reweight_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, } -void reweight_task(struct task_struct *p, int prio) +void reweight_task(struct task_struct *p, const struct load_weight *lw) { struct sched_entity *se = &p->se; struct cfs_rq *cfs_rq = cfs_rq_of(se); struct load_weight *load = &se->load; - unsigned long weight = scale_load(sched_prio_to_weight[prio]); - reweight_entity(cfs_rq, se, weight); - load->inv_weight = sched_prio_to_wmult[prio]; + reweight_entity(cfs_rq, se, lw->weight); + load->inv_weight = lw->inv_weight; } #ifdef CONFIG_FAIR_GROUP_SCHED diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 14d48f6380fa..cdbd4e2e5ee3 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -2385,7 +2385,7 @@ extern void init_sched_dl_class(void); extern void init_sched_rt_class(void); extern void init_sched_fair_class(void); -extern void reweight_task(struct task_struct *p, int prio); +extern void reweight_task(struct task_struct *p, const struct load_weight *lw); extern void resched_curr(struct rq *rq); extern void resched_cpu(int cpu); -- 2.34.1

2 1

[openeuler:OLK-6.6] BUILD REGRESSION b5ee721d44c0bf7990c1af7cf8285eff0444d91f
by kernel test robot 29 Aug '24

29 Aug '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: b5ee721d44c0bf7990c1af7cf8285eff0444d91f !11228 Bluetooth: MGMT: Add error handling to pair_device() Error/Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | |-- arch-arm64-kernel-virtcca_cvm_tsi.c:warning:variable-ver-is-uninitialized-when-used-here | |-- arch-arm64-kvm-arm.c:warning:variable-r-is-used-uninitialized-whenever-if-condition-is-false | |-- arch-arm64-kvm-tmi.c:warning:no-previous-prototype-for-function-tmi_tmm_inf_test | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_create_ttt_levels | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_get_num_brps | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_get_num_wrps | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_ipa_limit | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_populate_par_region | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_supports_pmu | `-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_supports_sve |-- x86_64-buildonly-randconfig-002-20240829 | `-- kernel-sched-isolation.c:error:setup_max_cpus-undeclared-(first-use-in-this-function) |-- x86_64-buildonly-randconfig-005-20240829 | `-- kernel-sched-isolation.c:error:setup_max_cpus-undeclared-(first-use-in-this-function) |-- x86_64-buildonly-randconfig-006-20240829 | `-- kernel-sched-isolation.c:error:setup_max_cpus-undeclared-(first-use-in-this-function) |-- x86_64-randconfig-002-20240829 | |-- include-linux-psp-hygon.h:warning:no-previous-prototype-for-function-psp_register_cmd_notifier | `-- include-linux-psp-hygon.h:warning:no-previous-prototype-for-function-psp_unregister_cmd_notifier |-- x86_64-randconfig-004-20240829 | |-- include-linux-psp-hygon.h:warning:no-previous-prototype-for-function-psp_register_cmd_notifier | `-- include-linux-psp-hygon.h:warning:no-previous-prototype-for-function-psp_unregister_cmd_notifier |-- x86_64-randconfig-005-20240829 | `-- drivers-crypto-ccp-hygon-tdm-kernel-guard.c:error:use-of-undeclared-identifier-NR_syscalls `-- x86_64-randconfig-016-20240829 `-- drivers-crypto-ccp-hygon-tdm-kernel-guard.c:error:NR_syscalls-undeclared-(first-use-in-this-function) elapsed time: 828m configs tested: 37 configs skipped: 135 tested configs: arm64 allmodconfig clang-20 arm64 allnoconfig gcc-14.1.0 arm64 randconfig-001-20240829 gcc-14.1.0 arm64 randconfig-002-20240829 gcc-14.1.0 arm64 randconfig-004-20240829 gcc-14.1.0 loongarch allmodconfig gcc-14.1.0 loongarch allnoconfig gcc-14.1.0 loongarch randconfig-001-20240829 gcc-14.1.0 loongarch randconfig-002-20240829 gcc-14.1.0 x86_64 allnoconfig clang-18 x86_64 allyesconfig clang-18 x86_64 buildonly-randconfig-001-20240829 clang-18 x86_64 buildonly-randconfig-002-20240829 gcc-12 x86_64 buildonly-randconfig-003-20240829 clang-18 x86_64 buildonly-randconfig-004-20240829 gcc-12 x86_64 buildonly-randconfig-005-20240829 gcc-12 x86_64 buildonly-randconfig-006-20240829 gcc-12 x86_64 defconfig gcc-11 x86_64 randconfig-001-20240829 clang-18 x86_64 randconfig-002-20240829 clang-18 x86_64 randconfig-003-20240829 gcc-12 x86_64 randconfig-004-20240829 clang-18 x86_64 randconfig-005-20240829 clang-18 x86_64 randconfig-006-20240829 gcc-12 x86_64 randconfig-011-20240829 gcc-12 x86_64 randconfig-012-20240829 gcc-12 x86_64 randconfig-013-20240829 clang-18 x86_64 randconfig-014-20240829 gcc-12 x86_64 randconfig-015-20240829 gcc-12 x86_64 randconfig-016-20240829 gcc-12 x86_64 randconfig-071-20240829 clang-18 x86_64 randconfig-072-20240829 gcc-12 x86_64 randconfig-073-20240829 gcc-12 x86_64 randconfig-074-20240829 gcc-12 x86_64 randconfig-075-20240829 gcc-12 x86_64 randconfig-076-20240829 clang-18 x86_64 rhel-8.3-rust clang-18 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] kobject_uevent: Fix OOB access within zap_modalias_env()
by He Yujie 29 Aug '24

29 Aug '24

From: Zijun Hu <quic_zijuhu(a)quicinc.com> stable inclusion from stable-v5.10.224 commit 648d5490460d38436640da0812bf7f6351c150d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAN70V CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit dd6e9894b451e7c85cceb8e9dc5432679a70e7dc upstream. zap_modalias_env() wrongly calculates size of memory block to move, so will cause OOB memory access issue if variable MODALIAS is not the last one within its @env parameter, fixed by correcting size to memmove. Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> Reviewed-by: Lk Sii <lk_sii(a)163.com> Link: https://lore.kernel.org/r/1717074877-11352-1-git-send-email-quic_zijuhu@qui… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: He Yujie <coka.heyujie(a)huawei.com> --- lib/kobject_uevent.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c index 8056def4c028..c0214080e233 100644 --- a/lib/kobject_uevent.c +++ b/lib/kobject_uevent.c @@ -432,8 +432,23 @@ static void zap_modalias_env(struct kobj_uevent_env *env) len = strlen(env->envp[i]) + 1; if (i != env->envp_idx - 1) { + /* @env->envp[] contains pointers to @env->buf[] + * with @env->buflen chars, and we are removing + * variable MODALIAS here pointed by @env->envp[i] + * with length @len as shown below: + * + * 0 @env->buf[] @env->buflen + * --------------------------------------------- + * ^ ^ ^ ^ + * | |-> @len <-| target block | + * @env->envp[0] @env->envp[i] @env->envp[i + 1] + * + * so the "target block" indicated above is moved + * backward by @len, and its right size is + * @env->buflen - (@env->envp[i + 1] - @env->envp[0]). + */ memmove(env->envp[i], env->envp[i + 1], - env->buflen - len); + env->buflen - (env->envp[i + 1] - env->envp[0])); for (j = i; j < env->envp_idx - 1; j++) env->envp[j] = env->envp[j + 1] - len; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] mm: avoid overflows in dirty throttling logic
by Wupeng Ma 29 Aug '24

29 Aug '24

From: Jan Kara <jack(a)suse.cz> stable inclusion from stable-v4.19.320 commit 2b2d2b8766db028bd827af34075f221ae9e9efff category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGRLH CVE: CVE-2024-42131 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 385d838df280eba6c8680f9777bfa0d0bfe7e8b2 ] The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix these problems by never allowing so large dirty limits as they have dubious practical value anyway. For dirty_bytes / dirty_background_bytes interfaces we can just refuse to set so large limits. For dirty_ratio / dirty_background_ratio it isn't so simple as the dirty limit is computed from the amount of available memory which can change due to memory hotplug etc. So when converting dirty limits from ratios to numbers of pages, we just don't allow the result to exceed UINT_MAX. This is root-only triggerable problem which occurs when the operator sets dirty limits to >16 TB. Link: https://lkml.kernel.org/r/20240621144246.11148-2-jack@suse.cz Signed-off-by: Jan Kara <jack(a)suse.cz> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Reviewed-By: Zach O'Keefe <zokeefe(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- mm/page-writeback.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/mm/page-writeback.c b/mm/page-writeback.c index 43e83930ce44..06d8242a926e 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -432,13 +432,20 @@ static void domain_dirty_limits(struct dirty_throttle_control *dtc) else bg_thresh = (bg_ratio * available_memory) / PAGE_SIZE; - if (bg_thresh >= thresh) - bg_thresh = thresh / 2; tsk = current; if (tsk->flags & PF_LESS_THROTTLE || rt_task(tsk)) { bg_thresh += bg_thresh / 4 + global_wb_domain.dirty_limit / 32; thresh += thresh / 4 + global_wb_domain.dirty_limit / 32; } + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + if (thresh > UINT_MAX) + thresh = UINT_MAX; + /* This makes sure bg_thresh is within 32-bits as well */ + if (bg_thresh >= thresh) + bg_thresh = thresh / 2; dtc->thresh = thresh; dtc->bg_thresh = bg_thresh; @@ -488,7 +495,11 @@ static unsigned long node_dirty_limit(struct pglist_data *pgdat) if (tsk->flags & PF_LESS_THROTTLE || rt_task(tsk)) dirty += dirty / 4; - return dirty; + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + return min_t(unsigned long, dirty, UINT_MAX); } /** @@ -527,10 +538,17 @@ int dirty_background_bytes_handler(struct ctl_table *table, int write, loff_t *ppos) { int ret; + unsigned long old_bytes = dirty_background_bytes; ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); - if (ret == 0 && write) + if (ret == 0 && write) { + if (DIV_ROUND_UP(dirty_background_bytes, PAGE_SIZE) > + UINT_MAX) { + dirty_background_bytes = old_bytes; + return -ERANGE; + } dirty_background_ratio = 0; + } return ret; } @@ -558,6 +576,10 @@ int dirty_bytes_handler(struct ctl_table *table, int write, ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); if (ret == 0 && write && vm_dirty_bytes != old_bytes) { + if (DIV_ROUND_UP(vm_dirty_bytes, PAGE_SIZE) > UINT_MAX) { + vm_dirty_bytes = old_bytes; + return -ERANGE; + } writeback_set_ratelimit(); vm_dirty_ratio = 0; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1 0/1] CVE-2024-43892
by Chen Ridong 29 Aug '24

29 Aug '24

CVE-2024-43892 Shakeel Butt (1): memcg: protect concurrent access to mem_cgroup_idr mm/memcontrol.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) -- 2.34.1

2 2

[openeuler:OLK-5.10 26497/30000] arch/arm64/kvm/cvm.c:71:6: warning: no previous prototype for 'kvm_cvm_supports_sve'
by kernel test robot 29 Aug '24

29 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b3492b88408a530f644afcd9e80b98cbf9883a82 commit: ae80c7e2f5cd3e50d1f360c387a33088310d54a0 [26497/30000] kvm: add cvm host feature config: arm64-defconfig (https://download.01.org/0day-ci/archive/20240829/202408290909.DJ1gYyO6-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240829/202408290909.DJ1gYyO6-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408290909.DJ1gYyO6-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/arm64/kvm/cvm.c:42:5: warning: no previous prototype for 'cvm_phys_to_phys' [-Wmissing-prototypes] 42 | u64 cvm_phys_to_phys(u64 phys) | ^~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:71:6: warning: no previous prototype for 'kvm_cvm_supports_sve' [-Wmissing-prototypes] 71 | bool kvm_cvm_supports_sve(void) | ^~~~~~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:76:6: warning: no previous prototype for 'kvm_cvm_supports_pmu' [-Wmissing-prototypes] 76 | bool kvm_cvm_supports_pmu(void) | ^~~~~~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:81:5: warning: no previous prototype for 'kvm_cvm_ipa_limit' [-Wmissing-prototypes] 81 | u32 kvm_cvm_ipa_limit(void) | ^~~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:86:5: warning: no previous prototype for 'kvm_cvm_get_num_brps' [-Wmissing-prototypes] 86 | u32 kvm_cvm_get_num_brps(void) | ^~~~~~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:91:5: warning: no previous prototype for 'kvm_cvm_get_num_wrps' [-Wmissing-prototypes] 91 | u32 kvm_cvm_get_num_wrps(void) | ^~~~~~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:240:5: warning: no previous prototype for 'kvm_cvm_create_ttt_levels' [-Wmissing-prototypes] 240 | int kvm_cvm_create_ttt_levels(struct kvm *kvm, struct cvm *cvm, | ^~~~~~~~~~~~~~~~~~~~~~~~~ >> arch/arm64/kvm/cvm.c:301:5: warning: no previous prototype for 'kvm_cvm_populate_par_region' [-Wmissing-prototypes] 301 | int kvm_cvm_populate_par_region(struct kvm *kvm, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/kvm_cvm_supports_sve +71 arch/arm64/kvm/cvm.c 70 > 71 bool kvm_cvm_supports_sve(void) 72 { 73 return tmm_supports(TMI_FEATURE_REGISTER_0_SVE_EN); 74 } 75 > 76 bool kvm_cvm_supports_pmu(void) 77 { 78 return tmm_supports(TMI_FEATURE_REGISTER_0_PMU_EN); 79 } 80 > 81 u32 kvm_cvm_ipa_limit(void) 82 { 83 return u64_get_bits(tmm_feat_reg0, TMI_FEATURE_REGISTER_0_S2SZ); 84 } 85 > 86 u32 kvm_cvm_get_num_brps(void) 87 { 88 return u64_get_bits(tmm_feat_reg0, TMI_FEATURE_REGISTER_0_NUM_BPS); 89 } 90 > 91 u32 kvm_cvm_get_num_wrps(void) 92 { 93 return u64_get_bits(tmm_feat_reg0, TMI_FEATURE_REGISTER_0_NUM_WPS); 94 } 95 96 static int cvm_vmid_reserve(void) 97 { 98 int ret; 99 unsigned int vmid_count = 1 << kvm_get_vmid_bits(); 100 101 spin_lock(&cvm_vmid_lock); 102 ret = bitmap_find_free_region(cvm_vmid_bitmap, vmid_count, 0); 103 spin_unlock(&cvm_vmid_lock); 104 105 return ret; 106 } 107 108 static void cvm_vmid_release(unsigned int vmid) 109 { 110 spin_lock(&cvm_vmid_lock); 111 bitmap_release_region(cvm_vmid_bitmap, vmid, 0); 112 spin_unlock(&cvm_vmid_lock); 113 } 114 115 static u32 __kvm_pgd_page_idx(struct kvm_pgtable *pgt, u64 addr) 116 { 117 u64 shift = ARM64_HW_PGTABLE_LEVEL_SHIFT(pgt->start_level - 1); 118 u64 mask = BIT(pgt->ia_bits) - 1; 119 120 return (addr & mask) >> shift; 121 } 122 123 static u32 kvm_pgd_pages(u32 ia_bits, u32 start_level) 124 { 125 struct kvm_pgtable pgt = { 126 .ia_bits = ia_bits, 127 .start_level = start_level, 128 }; 129 return __kvm_pgd_page_idx(&pgt, -1ULL) + 1; 130 } 131 132 int kvm_arm_create_cvm(struct kvm *kvm) 133 { 134 int ret; 135 struct kvm_pgtable *pgt = kvm->arch.mmu.pgt; 136 unsigned int pgd_sz; 137 138 if (!kvm_is_cvm(kvm) || kvm_cvm_state(kvm) != CVM_STATE_NONE) 139 return 0; 140 141 ret = cvm_vmid_reserve(); 142 if (ret < 0) 143 return ret; 144 145 kvm->arch.cvm.cvm_vmid = ret; 146 147 pgd_sz = kvm_pgd_pages(pgt->ia_bits, pgt->start_level); 148 149 kvm->arch.cvm.params->ttt_base = phys_to_cvm_phys(kvm->arch.mmu.pgd_phys); 150 kvm->arch.cvm.params->measurement_algo = 0; 151 kvm->arch.cvm.params->ttt_level_start = kvm->arch.mmu.pgt->start_level; 152 kvm->arch.cvm.params->ttt_num_start = pgd_sz; 153 kvm->arch.cvm.params->s2sz = VTCR_EL2_IPA(kvm->arch.vtcr); 154 kvm->arch.cvm.params->vmid = kvm->arch.cvm.cvm_vmid; 155 kvm->arch.cvm.params->ns_vtcr = kvm->arch.vtcr; 156 kvm->arch.cvm.params->vttbr_el2 = kvm->arch.mmu.pgd_phys; 157 ret = tmi_cvm_create(kvm->arch.cvm.rd, __pa(kvm->arch.cvm.params)); 158 if (!ret) 159 kvm_info("KVM creates cVM: %d\n", kvm->arch.cvm.cvm_vmid); 160 161 WRITE_ONCE(kvm->arch.cvm.state, CVM_STATE_NEW); 162 kfree(kvm->arch.cvm.params); 163 kvm->arch.cvm.params = NULL; 164 return ret; 165 } 166 167 int cvm_create_rd(struct kvm *kvm) 168 { 169 if (!static_key_enabled(&kvm_cvm_is_available)) 170 return -EFAULT; 171 172 kvm->arch.cvm.rd = tmi_mem_alloc(kvm->arch.cvm.rd, NO_NUMA, 173 TMM_MEM_TYPE_RD, TMM_MEM_MAP_SIZE_MAX); 174 if (!kvm->arch.cvm.rd) { 175 kvm_err("tmi_mem_alloc for cvm rd failed: %d\n", kvm->arch.cvm.cvm_vmid); 176 return -ENOMEM; 177 } 178 kvm->arch.is_cvm = true; 179 return 0; 180 } 181 182 void kvm_free_rd(struct kvm *kvm) 183 { 184 int ret; 185 186 if (!kvm->arch.cvm.rd) 187 return; 188 189 ret = tmi_mem_free(kvm->arch.cvm.rd, NO_NUMA, TMM_MEM_TYPE_RD, TMM_MEM_MAP_SIZE_MAX); 190 if (ret) 191 kvm_err("tmi_mem_free for cvm rd failed: %d\n", kvm->arch.cvm.cvm_vmid); 192 else 193 kvm->arch.cvm.rd = 0; 194 } 195 196 void kvm_destroy_cvm(struct kvm *kvm) 197 { 198 uint32_t cvm_vmid = kvm->arch.cvm.cvm_vmid; 199 200 kfree(kvm->arch.cvm.params); 201 kvm->arch.cvm.params = NULL; 202 203 if (kvm_cvm_state(kvm) == CVM_STATE_NONE) 204 return; 205 206 cvm_vmid_release(cvm_vmid); 207 208 WRITE_ONCE(kvm->arch.cvm.state, CVM_STATE_DYING); 209 210 if (!tmi_cvm_destroy(kvm->arch.cvm.rd)) 211 kvm_info("KVM has destroyed cVM: %d\n", kvm->arch.cvm.cvm_vmid); 212 213 kvm_free_rd(kvm); 214 } 215 216 static int kvm_get_host_numa_node_by_ipa(uint64_t ipa, struct kvm_vcpu *vcpu) 217 { 218 int i; 219 struct kvm_numa_info *numa_info = &vcpu->kvm->arch.cvm.numa_info; 220 221 for (i = 0; i < numa_info->numa_cnt && i < MAX_NUMA_NODE; i++) { 222 struct kvm_numa_node *numa_node = &numa_info->numa_nodes[i]; 223 224 if (ipa >= numa_node->ipa_start && 225 ipa < (numa_node->ipa_start + numa_node->ipa_size)) 226 return numa_node->host_numa_node; 227 } 228 return NO_NUMA; 229 } 230 231 static int kvm_cvm_ttt_create(struct cvm *cvm, 232 unsigned long addr, 233 int level, 234 phys_addr_t phys) 235 { 236 addr = ALIGN_DOWN(addr, cvm_ttt_level_mapsize(level - 1)); 237 return tmi_ttt_create(phys, cvm->rd, addr, level); 238 } 239 > 240 int kvm_cvm_create_ttt_levels(struct kvm *kvm, struct cvm *cvm, 241 unsigned long ipa, 242 int level, 243 int max_level, 244 struct kvm_mmu_memory_cache *mc) 245 { 246 if (WARN_ON(level == max_level)) 247 return 0; 248 249 while (level++ < max_level) { 250 phys_addr_t ttt; 251 252 ttt = tmi_mem_alloc(cvm->rd, NO_NUMA, 253 TMM_MEM_TYPE_TTT, TMM_MEM_MAP_SIZE_MAX); 254 if (ttt == 0) 255 return -ENOMEM; 256 257 if (kvm_cvm_ttt_create(cvm, ipa, level, ttt)) { 258 (void)tmi_mem_free(ttt, NO_NUMA, TMM_MEM_TYPE_TTT, TMM_MEM_MAP_SIZE_MAX); 259 return -ENXIO; 260 } 261 } 262 263 return 0; 264 } 265 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

2024

2023

2022

2021

2020

2019

Kernel August 2024