- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] RDMA/rxe: Clear all QP fields if creation failed
by Liu Jian 09 Mar '24

09 Mar '24

From: Leon Romanovsky <leonro(a)nvidia.com> stable inclusion from stable-v4.19.192 commit f3783c415bf6d2ead3d7aa2c38802bbe10723646 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I956GP CVE: CVE-2021-47078 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 67f29896fdc83298eed5a6576ff8f9873f709228 ] rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly created ones, but in case rxe_qp_from_init() failed it was filled with garbage and caused tot the following error. refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805 execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327 rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391 kref_put include/linux/kref.h:65 [inline] rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425 _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline] ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 ib_create_qp include/rdma/ib_verbs.h:3644 [inline] create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline] ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717 enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 ib_register_device drivers/infiniband/core/device.c:1413 [inline] ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147 rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503 rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/7bf8d548764d406dbbbaf4b574960ebfd5af8387.16207179… Reported-by: syzbot+36a7f280de4e11c6f04e(a)syzkaller.appspotmail.com Signed-off-by: Leon Romanovsky <leonro(a)nvidia.com> Reviewed-by: Zhu Yanjun <zyjzyj2000(a)gmail.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/infiniband/sw/rxe/rxe_qp.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c index c58452daffc7..4c0caca6da50 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -249,6 +249,7 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, if (err) { kvfree(qp->sq.queue->buf); kfree(qp->sq.queue); + qp->sq.queue = NULL; return err; } @@ -302,6 +303,7 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, if (err) { kvfree(qp->rq.queue->buf); kfree(qp->rq.queue); + qp->rq.queue = NULL; return err; } } @@ -362,6 +364,11 @@ int rxe_qp_from_init(struct rxe_dev *rxe, struct rxe_qp *qp, struct rxe_pd *pd, err2: rxe_queue_cleanup(qp->sq.queue); err1: + qp->pd = NULL; + qp->rcq = NULL; + qp->scq = NULL; + qp->srq = NULL; + if (srq) rxe_drop_ref(srq); rxe_drop_ref(scq); -- 2.34.1

2 1

[PATCH OLK-5.10] net: rds: Fix possible NULL-pointer dereference
by Zhengchao Shao 09 Mar '24

09 Mar '24

From: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> stable inclusion from stable-v5.10.198 commit f515112e833791001aaa8ab886af3ca78503617f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95ATK CVE: CVE-2023-52573 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f1d95df0f31048f1c59092648997686e3f7d9478 ] In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists before dereferencing it as rdma_set_service_type() argument Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: fd261ce6a30e ("rds: rdma: update rdma transport for tos") Signed-off-by: Artem Chernyshev <artem.chernyshev(a)red-soft.ru> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/rds/rdma_transport.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c index 5f741e51b4ba..bb38124a5d3d 100644 --- a/net/rds/rdma_transport.c +++ b/net/rds/rdma_transport.c @@ -86,10 +86,12 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id, break; case RDMA_CM_EVENT_ADDR_RESOLVED: - rdma_set_service_type(cm_id, conn->c_tos); - /* XXX do we need to clean up if this fails? */ - ret = rdma_resolve_route(cm_id, + if (conn) { + rdma_set_service_type(cm_id, conn->c_tos); + /* XXX do we need to clean up if this fails? */ + ret = rdma_resolve_route(cm_id, RDS_RDMA_RESOLVE_TIMEOUT_MS); + } break; case RDMA_CM_EVENT_ROUTE_RESOLVED: -- 2.34.1

2 1

[PATCH OLK-5.10] dccp: fix dccp_v4_err()/dccp_v6_err() again
by Ziyang Xuan 09 Mar '24

09 Mar '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.198 commit 60d73c62e3e4464f375758b6f2459c13d46465b6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AT6 CVE: CVE-2023-52577 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6af289746a636f71f4c0535a9801774118486c7a ] dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr", not in the "byte 7" as Jann claimed. We need to make sure the ICMP messages are big enough, using more standard ways (no more assumptions). syzbot reported: BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline] BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline] BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94 pskb_may_pull_reason include/linux/skbuff.h:2667 [inline] pskb_may_pull include/linux/skbuff.h:2681 [inline] dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94 icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867 icmpv6_rcv+0x19d5/0x30d0 ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438 ip6_input_finish net/ipv6/ip6_input.c:483 [inline] NF_HOOK include/linux/netfilter.h:304 [inline] ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492 ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586 dst_input include/net/dst.h:468 [inline] ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:304 [inline] ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5523 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 netif_receive_skb_internal net/core/dev.c:5723 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5782 tun_rx_batched+0x83b/0x920 tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:1985 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x15c0 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313 sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795 tun_alloc_skb drivers/net/tun.c:1531 [inline] tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:1985 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x15c0 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Fixes: 977ad86c2a1b ("dccp: Fix out of bounds access in DCCP error handler") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Jann Horn <jannh(a)google.com> Reviewed-by: Jann Horn <jannh(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/dccp/ipv4.c | 9 ++------- net/dccp/ipv6.c | 9 ++------- 2 files changed, 4 insertions(+), 14 deletions(-) diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 398dc3e47d0c8..f2a0a4e6dd748 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -243,13 +243,8 @@ static int dccp_v4_err(struct sk_buff *skb, u32 info) int err; struct net *net = dev_net(skb->dev); - /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x, - * which is in byte 7 of the dccp header. - * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us. - * - * Later on, we want to access the sequence number fields, which are - * beyond 8 bytes, so we have to pskb_may_pull() ourselves. - */ + if (!pskb_may_pull(skb, offset + sizeof(*dh))) + return -EINVAL; dh = (struct dccp_hdr *)(skb->data + offset); if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh))) return -EINVAL; diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index bfe11e96af7c9..6d6bbd43a1419 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -76,13 +76,8 @@ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt, __u64 seq; struct net *net = dev_net(skb->dev); - /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x, - * which is in byte 7 of the dccp header. - * Our caller (icmpv6_notify()) already pulled 8 bytes for us. - * - * Later on, we want to access the sequence number fields, which are - * beyond 8 bytes, so we have to pskb_may_pull() ourselves. - */ + if (!pskb_may_pull(skb, offset + sizeof(*dh))) + return -EINVAL; dh = (struct dccp_hdr *)(skb->data + offset); if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh))) return -EINVAL; -- 2.25.1

2 1

[PATCH OLK-5.10] team: fix null-ptr-deref when team device type is changed
by Ziyang Xuan 09 Mar '24

09 Mar '24

stable inclusion from stable-v5.10.198 commit b44dd92e2afd89eb6e9d27616858e72a67bdc1a7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95ATZ CVE: CVE-2023-52574 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 492032760127251e5540a5716a70996bacf2a3fd ] Get a null-ptr-deref bug as follows with reproducer [1]. BUG: kernel NULL pointer dereference, address: 0000000000000228 ... RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q] ... Call Trace: <TASK> ? __die+0x24/0x70 ? page_fault_oops+0x82/0x150 ? exc_page_fault+0x69/0x150 ? asm_exc_page_fault+0x26/0x30 ? vlan_dev_hard_header+0x35/0x140 [8021q] ? vlan_dev_hard_header+0x8e/0x140 [8021q] neigh_connected_output+0xb2/0x100 ip6_finish_output2+0x1cb/0x520 ? nf_hook_slow+0x43/0xc0 ? ip6_mtu+0x46/0x80 ip6_finish_output+0x2a/0xb0 mld_sendpack+0x18f/0x250 mld_ifc_work+0x39/0x160 process_one_work+0x1e6/0x3f0 worker_thread+0x4d/0x2f0 ? __pfx_worker_thread+0x10/0x10 kthread+0xe5/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 [1] $ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}' $ ip link add name t-dummy type dummy $ ip link add link t-dummy name t-dummy.100 type vlan id 100 $ ip link add name t-nlmon type nlmon $ ip link set t-nlmon master team0 $ ip link set t-nlmon nomaster $ ip link set t-dummy up $ ip link set team0 up $ ip link set t-dummy.100 down $ ip link set t-dummy.100 master team0 When enslave a vlan device to team device and team device type is changed from non-ether to ether, header_ops of team device is changed to vlan_header_ops. That is incorrect and will trigger null-ptr-deref for vlan->real_dev in vlan_dev_hard_header() because team device is not a vlan device. Cache eth_header_ops in team_setup(), then assign cached header_ops to header_ops of team net device when its type is changed from non-ether to ether to fix the bug. Fixes: 1d76efe1577b ("team: add support for non-ethernet devices") Suggested-by: Hangbin Liu <liuhangbin(a)gmail.com> Reviewed-by: Hangbin Liu <liuhangbin(a)gmail.com> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> Reviewed-by: Jiri Pirko <jiri(a)nvidia.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawe… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- drivers/net/team/team.c | 10 +++++++++- include/linux/if_team.h | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c index 721b536ce8861..97a77dabed64c 100644 --- a/drivers/net/team/team.c +++ b/drivers/net/team/team.c @@ -2122,7 +2122,12 @@ static const struct ethtool_ops team_ethtool_ops = { static void team_setup_by_port(struct net_device *dev, struct net_device *port_dev) { - dev->header_ops = port_dev->header_ops; + struct team *team = netdev_priv(dev); + + if (port_dev->type == ARPHRD_ETHER) + dev->header_ops = team->header_ops_cache; + else + dev->header_ops = port_dev->header_ops; dev->type = port_dev->type; dev->hard_header_len = port_dev->hard_header_len; dev->needed_headroom = port_dev->needed_headroom; @@ -2169,8 +2174,11 @@ static int team_dev_type_check_change(struct net_device *dev, static void team_setup(struct net_device *dev) { + struct team *team = netdev_priv(dev); + ether_setup(dev); dev->max_mtu = ETH_MAX_MTU; + team->header_ops_cache = dev->header_ops; dev->netdev_ops = &team_netdev_ops; dev->ethtool_ops = &team_ethtool_ops; diff --git a/include/linux/if_team.h b/include/linux/if_team.h index 5dd1657947b75..762c77d13e7dd 100644 --- a/include/linux/if_team.h +++ b/include/linux/if_team.h @@ -189,6 +189,8 @@ struct team { struct net_device *dev; /* associated netdevice */ struct team_pcpu_stats __percpu *pcpu_stats; + const struct header_ops *header_ops_cache; + struct mutex lock; /* used for overall locking, e.g. port lists write */ /* -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS] BUILD SUCCESS eac3c6a044aaf481751d9f7fb4b6096ae431e167
by kernel test robot 09 Mar '24

09 Mar '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: eac3c6a044aaf481751d9f7fb4b6096ae431e167 !5046 usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. Warning reports: https://lore.kernel.org/oe-kbuild-all/202403090244.2pF6BywY-lkp@intel.com Unverified Warning (likely false positive, please contact us if interested): drivers/tty/n_gsm.c:2067:2-8: preceding lock on line 2044 Warning ids grouped by kconfigs: clang_recent_errors |-- x86_64-randconfig-103-20240308 | `-- drivers-tty-n_gsm.c:preceding-lock-on-line `-- x86_64-randconfig-r131-20240304 |-- kernel-sched-topology.c:sparse:sparse:incorrect-type-in-argument-(different-base-types)-expected-restricted-gfp_t-usertype-flags-got-int-flags `-- kernel-sched-topology.c:sparse:sparse:incorrect-type-in-initializer-(different-base-types)-expected-int-flags-got-restricted-gfp_t elapsed time: 881m configs tested: 11 configs skipped: 131 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240309 gcc arm64 randconfig-002-20240309 gcc arm64 randconfig-003-20240309 gcc arm64 randconfig-004-20240309 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 defconfig gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 15642/21783] kernel/sched/topology.c:1624:32: sparse: sparse: incorrect type in initializer (different base types)
by kernel test robot 09 Mar '24

09 Mar '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: eac3c6a044aaf481751d9f7fb4b6096ae431e167 commit: b3cf6ed8fbc01dda9fe93f5d4c1877a68d344678 [15642/21783] sched/topology: Provide cfs_overload_cpus bitmap config: x86_64-randconfig-r131-20240304 (https://download.01.org/0day-ci/archive/20240309/202403090244.2pF6BywY-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240309/202403090244.2pF6BywY-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202403090244.2pF6BywY-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) kernel/sched/topology.c:11:15: sparse: sparse: symbol 'sched_domains_tmpmask' was not declared. Should it be static? kernel/sched/topology.c:12:15: sparse: sparse: symbol 'sched_domains_tmpmask2' was not declared. Should it be static? >> kernel/sched/topology.c:1624:32: sparse: sparse: incorrect type in initializer (different base types) @@ expected int flags @@ got restricted gfp_t @@ kernel/sched/topology.c:1624:32: sparse: expected int flags kernel/sched/topology.c:1624:32: sparse: got restricted gfp_t >> kernel/sched/topology.c:1632:61: sparse: sparse: incorrect type in argument 3 (different base types) @@ expected restricted gfp_t [usertype] flags @@ got int flags @@ kernel/sched/topology.c:1632:61: sparse: expected restricted gfp_t [usertype] flags kernel/sched/topology.c:1632:61: sparse: got int flags kernel/sched/topology.c:428:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/topology.c:428:9: sparse: struct sparsemask [noderef] __rcu * kernel/sched/topology.c:428:9: sparse: struct sparsemask * kernel/sched/topology.c:429:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/topology.c:429:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/topology.c:429:9: sparse: struct sched_domain * kernel/sched/topology.c:432:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/topology.c:432:9: sparse: struct sched_domain_shared [noderef] __rcu * kernel/sched/topology.c:432:9: sparse: struct sched_domain_shared * kernel/sched/topology.c:435:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/topology.c:435:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/topology.c:435:9: sparse: struct sched_domain * kernel/sched/topology.c:438:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/topology.c:438:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/topology.c:438:9: sparse: struct sched_domain * kernel/sched/topology.c:485:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/topology.c:485:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/topology.c:485:9: sparse: struct sched_domain * kernel/sched/topology.c: note: in included file: kernel/sched/sched.h:1206:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:1206:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/sched.h:1206:9: sparse: struct sched_domain * kernel/sched/sched.h:1219:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:1219:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/sched.h:1219:9: sparse: struct sched_domain * kernel/sched/sched.h:1206:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:1206:9: sparse: struct sched_domain [noderef] __rcu * kernel/sched/sched.h:1206:9: sparse: struct sched_domain * In file included from kernel/sched/topology.c:5: In file included from kernel/sched/sched.h:39: In file included from include/linux/blkdev.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from kernel/sched/topology.c:5: kernel/sched/sched.h:1169:15: warning: cast from 'void (*)(struct rq *)' to 'void (*)(struct callback_head *)' converts to incompatible function type [-Wcast-function-type-strict] 1169 | head->func = (void (*)(struct callback_head *))func; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2 warnings generated. vim +1624 kernel/sched/topology.c 1618 1619 static int sd_llc_alloc(struct sched_domain *sd) 1620 { 1621 struct sched_domain_shared *sds = sd->shared; 1622 struct cpumask *span = sched_domain_span(sd); 1623 int nid = cpu_to_node(cpumask_first(span)); > 1624 int flags = __GFP_ZERO | GFP_KERNEL; 1625 struct sparsemask *mask; 1626 1627 /* 1628 * Allocate the bitmap if not already allocated. This is called for 1629 * every CPU in the LLC but only allocates once per sd_llc_shared. 1630 */ 1631 if (!sds->cfs_overload_cpus) { > 1632 mask = sparsemask_alloc_node(nr_cpu_ids, 3, flags, nid); 1633 if (!mask) 1634 return 1; 1635 sds->cfs_overload_cpus = mask; 1636 } 1637 1638 return 0; 1639 } 1640 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD REGRESSION bba41c2321f7449ec0a8140042c2ba34a0bef88d
by kernel test robot 09 Mar '24

09 Mar '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: bba41c2321f7449ec0a8140042c2ba34a0bef88d !5021 LoongArch: fix some known issue and update defconfig Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-defconfig | |-- aarch64-linux-ld:arch-arm64-include-asm-kvm_mmu.h:(.hyp.text):undefined-reference-to-__kvm_nvhe_kvm_ncsnp_support | |-- aarch64-linux-ld:arch-arm64-kvm-hyp-nvhe-..-pgtable.c:(.hyp.text):undefined-reference-to-__kvm_nvhe_kvm_ncsnp_support | |-- arch-arm64-include-asm-kvm_mmu.h:(.hyp.text):dangerous-relocation:unsupported-relocation | |-- arch-arm64-include-asm-kvm_mmu.h:(.hyp.text):undefined-reference-to-__kvm_nvhe_kvm_ncsnp_support | |-- arch-arm64-kvm-hyp-nvhe-..-pgtable.c:(.hyp.text):dangerous-relocation:unsupported-relocation | |-- arch-arm64-kvm-hyp-nvhe-..-pgtable.c:(.hyp.text):undefined-reference-to-__kvm_nvhe_kvm_ncsnp_support | `-- drivers-irqchip-irq-mbigen.c:warning:expecting-prototype-for-Due-to-the-existence-of-hyper().-Prototype-was-for-GICR_LENGTH()-instead |-- arm64-randconfig-004-20240308 | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device |-- arm64-randconfig-r111-20240227 | `-- kernel-sched-fair.c:sparse:sparse:symbol-qos_smt_expell_switch-was-not-declared.-Should-it-be-static |-- loongarch-allmodconfig | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | |-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead | |-- drivers-infiniband-hw-hns-hns_roce_hw_v2.c:warning:no-previous-prototype-for-hns_roce_hw_v2_get_dscp | |-- drivers-net-ethernet-mucse-rnp-rnp_ethtool.c:warning:expecting-prototype-for-rnp_set_rxfh().-Prototype-was-for-rnp_set_rxnfc()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_ethtool.c:warning:expecting-prototype-for-rnp_tet_rxfh().-Prototype-was-for-rnp_get_rxfh()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:directive-output-may-be-truncated-writing-byte-into-a-region-of-size-between-and | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:expecting-prototype-for-rnp_write_eitr().-Prototype-was-for-rnp_write_eitr_rx()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:expecting-prototype-for-rnp_mbx_link_event_eanble().-Prototype-was-for-rnp_mbx_link_event_enable()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:expecting-prototype-for-rnp_mbx_stat_mark().-Prototype-was-for-rnp_link_stat_mark()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:no-previous-prototype-for-rnp_mbx_lldp_all_ports_enable | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_fc_mode_n10().-Prototype-was-for-rnp_mac_fc_mode_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_init_hw_n10().-Prototype-was-for-rnp_init_hw_ops_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_write_uc_addr_list().-Prototype-was-for-rnp_write_uc_addr_list_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnpm_device_supports_autoneg_fc().-Prototype-was-for-rnp_device_supports_autoneg_fc()-instead | |-- loongson3-acpi-cpufreq.c:(.text):undefined-reference-to-acpi_processor_register_performance | |-- loongson3-acpi-cpufreq.c:(.text):undefined-reference-to-acpi_processor_unregister_performance | `-- security-integrity-ima-ima_appraise.c:warning:no-previous-prototype-for-ima_get_hash_algo |-- loongarch-defconfig | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device |-- loongarch-randconfig-002-20240308 | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device |-- x86_64-buildonly-randconfig-003-20240308 | `-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead |-- x86_64-buildonly-randconfig-005-20240308 | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device |-- x86_64-buildonly-randconfig-006-20240308 | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device `-- x86_64-randconfig-001-20240308 `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device clang_recent_errors |-- arm64-allmodconfig | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | |-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead | |-- drivers-iommu-arm-arm-smmu-v3-arm-smmu-v3.c:warning:variable-pre_addr-is-uninitialized-when-used-here | |-- drivers-irqchip-irq-mbigen.c:warning:expecting-prototype-for-Due-to-the-existence-of-hyper().-Prototype-was-for-GICR_LENGTH()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_ethtool.c:warning:expecting-prototype-for-rnp_set_rxfh().-Prototype-was-for-rnp_set_rxnfc()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_ethtool.c:warning:expecting-prototype-for-rnp_tet_rxfh().-Prototype-was-for-rnp_get_rxfh()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:expecting-prototype-for-rnp_write_eitr().-Prototype-was-for-rnp_write_eitr_rx()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:expecting-prototype-for-rnp_mbx_link_event_eanble().-Prototype-was-for-rnp_mbx_link_event_enable()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:expecting-prototype-for-rnp_mbx_stat_mark().-Prototype-was-for-rnp_link_stat_mark()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:no-previous-prototype-for-function-rnp_mbx_lldp_all_ports_enable | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_fc_mode_n10().-Prototype-was-for-rnp_mac_fc_mode_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_init_hw_n10().-Prototype-was-for-rnp_init_hw_ops_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_write_uc_addr_list().-Prototype-was-for-rnp_write_uc_addr_list_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnpm_device_supports_autoneg_fc().-Prototype-was-for-rnp_device_supports_autoneg_fc()-instead | |-- mm-mem_reliable.c:warning:arithmetic-between-different-enumeration-types-(-enum-node_stat_item-and-enum-lru_list-) | |-- security-integrity-ima-ima_appraise.c:warning:no-previous-prototype-for-function-ima_get_hash_algo | `-- security-integrity-ima-ima_fs.c:warning:variable-ret-is-used-uninitialized-whenever-if-condition-is-true |-- arm64-randconfig-001-20240308 | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | |-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead | `-- drivers-irqchip-irq-mbigen.c:warning:expecting-prototype-for-Due-to-the-existence-of-hyper().-Prototype-was-for-GICR_LENGTH()-instead |-- arm64-randconfig-002-20240308 | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | |-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead | `-- drivers-irqchip-irq-mbigen.c:warning:expecting-prototype-for-Due-to-the-existence-of-hyper().-Prototype-was-for-GICR_LENGTH()-instead |-- arm64-randconfig-003-20240308 | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | `-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead |-- x86_64-allyesconfig | |-- drivers-crypto-montage-tsse-tsse_dev_mgr.c:warning:no-previous-prototype-for-function-tsse_stop_dev | |-- drivers-crypto-montage-tsse-tsse_dev_mgr.c:warning:variable-ptr-is-used-uninitialized-whenever-for-loop-exits-because-its-condition-is-false | |-- drivers-crypto-montage-tsse-tsse_fw_service.c:warning:no-previous-prototype-for-function-fw_free | |-- drivers-crypto-montage-tsse-tsse_fw_service.c:warning:no-previous-prototype-for-function-fw_send_msg | |-- drivers-crypto-montage-tsse-tsse_ipc.c:warning:no-previous-prototype-for-function-get_msginf | |-- drivers-crypto-montage-tsse-tsse_ipc.c:warning:no-previous-prototype-for-function-ipc_hw_init | |-- drivers-crypto-montage-tsse-tsse_ipc.c:warning:no-previous-prototype-for-function-ipc_init_msg | |-- drivers-crypto-montage-tsse-tsse_ipc.c:warning:no-previous-prototype-for-function-ipc_recieve_msg | |-- drivers-crypto-montage-tsse-tsse_ipc.c:warning:no-previous-prototype-for-function-ipc_send_msg | |-- drivers-crypto-montage-tsse-tsse_ipc.c:warning:no-previous-prototype-for-function-msg_rout | |-- drivers-crypto-montage-tsse-tsse_service.c:warning:no-previous-prototype-for-function-service_rout | |-- drivers-crypto-montage-tsse-tsse_service.c:warning:variable-ret-set-but-not-used | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | |-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_ethtool.c:warning:expecting-prototype-for-rnp_set_rxfh().-Prototype-was-for-rnp_set_rxnfc()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_ethtool.c:warning:expecting-prototype-for-rnp_tet_rxfh().-Prototype-was-for-rnp_get_rxfh()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:expecting-prototype-for-rnp_write_eitr().-Prototype-was-for-rnp_write_eitr_rx()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:expecting-prototype-for-rnp_mbx_link_event_eanble().-Prototype-was-for-rnp_mbx_link_event_enable()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:expecting-prototype-for-rnp_mbx_stat_mark().-Prototype-was-for-rnp_link_stat_mark()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:no-previous-prototype-for-function-rnp_mbx_lldp_all_ports_enable | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_fc_mode_n10().-Prototype-was-for-rnp_mac_fc_mode_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_init_hw_n10().-Prototype-was-for-rnp_init_hw_ops_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnp_write_uc_addr_list().-Prototype-was-for-rnp_write_uc_addr_list_n10()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_n10.c:warning:expecting-prototype-for-rnpm_device_supports_autoneg_fc().-Prototype-was-for-rnp_device_supports_autoneg_fc()-instead | |-- drivers-pinctrl-zhaoxin-pinctrl-zhaoxin.c:warning:variable-base_offset-set-but-not-used | |-- drivers-pinctrl-zhaoxin-pinctrl-zhaoxin.c:warning:variable-pin-set-but-not-used | |-- drivers-pinctrl-zhaoxin-pinctrl-zhaoxin.c:warning:variable-value_back-set-but-not-used | |-- drivers-pinctrl-zhaoxin-pinctrl-zhaoxin.c:warning:variable-value_read-set-but-not-used | |-- security-integrity-ima-ima_appraise.c:warning:no-previous-prototype-for-function-ima_get_hash_algo | `-- security-integrity-ima-ima_fs.c:warning:variable-ret-is-used-uninitialized-whenever-if-condition-is-true |-- x86_64-buildonly-randconfig-001-20240308 | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device |-- x86_64-buildonly-randconfig-004-20240308 | |-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device | `-- drivers-i2c-busses-i2c-hisi.c:warning:expecting-prototype-for-i2c_dw_acpi_pin_mux_change().-Prototype-was-for-i2c_hisi_pin_mux_change()-instead |-- x86_64-randconfig-002-20240308 | `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device `-- x86_64-rhel-8.3-rust `-- drivers-dax-super.c:warning:Function-parameter-or-member-KABI_RESERVE(-not-described-in-dax_device elapsed time: 723m configs tested: 24 configs skipped: 126 tested configs: arm64 allmodconfig clang arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240308 clang arm64 randconfig-002-20240308 clang arm64 randconfig-003-20240308 clang arm64 randconfig-004-20240308 gcc loongarch allmodconfig gcc loongarch allnoconfig gcc loongarch defconfig gcc loongarch randconfig-001-20240308 gcc loongarch randconfig-002-20240308 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240308 clang x86_64 buildonly-randconfig-002-20240308 gcc x86_64 buildonly-randconfig-003-20240308 gcc x86_64 buildonly-randconfig-004-20240308 clang x86_64 buildonly-randconfig-005-20240308 gcc x86_64 buildonly-randconfig-006-20240308 gcc x86_64 defconfig gcc x86_64 randconfig-001-20240308 gcc x86_64 randconfig-002-20240308 clang x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] net: fix possible store tearing in neigh_periodic_work()
by Zhengchao Shao 08 Mar '24

08 Mar '24

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.6-rc5 commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK CVE: CVE-2023-52522 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev(). Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: net/core/neighbour.c Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/core/neighbour.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 778be5866d0a..3f1520755282 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -855,7 +855,9 @@ static void neigh_periodic_work(struct work_struct *work) if (refcount_read(&n->refcnt) == 1 && (state == NUD_FAILED || time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { - *np = n->next; + rcu_assign_pointer(*np, + rcu_dereference_protected(n->next, + lockdep_is_held(&tbl->lock))); n->dead = 1; write_unlock(&n->lock); neigh_cleanup_and_release(n); -- 2.34.1

2 1

[PATCH OLK-6.6] dm: limit the number of targets and parameter size area
by Li Lingfeng 08 Mar '24

08 Mar '24

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-v6.8-rc3 commit bd504bcfec41a503b32054da5472904b404341a4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YCAG CVE: CVE-2024-23851 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot. In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 095b9b49aa82..e6757a30dcca 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -22,6 +22,8 @@ #include "dm-ima.h" #define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 struct dm_io; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 5efe0193b2e8..3bda85ad73ec 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1952,7 +1952,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) { + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size); return -EINVAL; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 37b48f63ae6a..fd84e06670e8 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -129,7 +129,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, blk_mode_t mode, unsigned int num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL); if (!t) return -ENOMEM; @@ -144,7 +149,7 @@ int dm_table_create(struct dm_table **result, blk_mode_t mode, if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; } if (alloc_targets(t, num_targets)) { -- 2.31.1

2 1

[PATCH OLK-5.10] net: fix possible store tearing in neigh_periodic_work()
by Zhengchao Shao 08 Mar '24

08 Mar '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.198 commit 2ea52a2fb8e87067e26bbab4efb8872639240eb0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK CVE: CVE-2023-52522 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd ] While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev(). Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/core/neighbour.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 3b642c412cf3..15267428c4f8 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -935,7 +935,9 @@ static void neigh_periodic_work(struct work_struct *work) (state == NUD_FAILED || !time_in_range_open(jiffies, n->used, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { - *np = n->next; + rcu_assign_pointer(*np, + rcu_dereference_protected(n->next, + lockdep_is_held(&tbl->lock))); neigh_mark_dead(n); write_unlock(&n->lock); neigh_cleanup_and_release(n); -- 2.34.1

2 1