From: Marc Zyngier <maz(a)kernel.org>
stable inclusion
from stable-v5.10.225
commit 15818af2f7aa55eff375333cb7689df15d3f24ef
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR5D2
CVE: CVE-2024-46707
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------------------------
commit 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f upstream.
On a system with a GICv3, if a guest hasn't been configured with
GICv3 and the host is not capable of GICv2 emulation,
a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.
We therefore try to emulate the SGI access, only to hit a NULL
pointer as no private interrupt is allocated (no GIC, remember?).
The obvious fix is to give the guest what it deserves, in the
shape of a UNDEF exception.
Reported-by: Alexander Potapenko <glider(a)google.com>
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/20240820100349.3544850-2-maz@kernel.org
Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Conflicts:
arch/arm64/kvm/vgic/vgic.h
[Code context change only]
Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com>
---
arch/arm64/kvm/sys_regs.c | 6 ++++++
arch/arm64/kvm/vgic/vgic.h | 7 +++++++
2 files changed, 13 insertions(+)
diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index 0cb9e4de5afd..1ee3c00ed8a0 100644
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -30,6 +30,7 @@
#include <trace/events/kvm.h>
#include "sys_regs.h"
+#include "vgic/vgic.h"
#include "trace.h"
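Review bot: sys_regs.c now pulls in the vgic-private header "vgic/vgic.h" solely for the new `kvm_has_gicv3()` helper. If that predicate is meant to be used outside the vgic code (as it now is), it may be better placed in a public vgic header than exposing every internal declaration in vgic.h to sys_regs.c; worth a look before more callers appear.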
@@ -275,6 +276,11 @@ static bool access_gic_sgi(struct kvm_vcpu *vcpu,
{
bool g1;
+ if (!kvm_has_gicv3(vcpu->kvm)) {
+ kvm_inject_undefined(vcpu);
+ return false;
+ }
+
if (!p->is_write)
return read_from_write_only(vcpu, p, r);
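Review bot: the new `kvm_has_gicv3()` guard sits before the `is_write` test, so a read of an ICC_*SGI*_EL1 register on a guest without a GICv3 now gets an UNDEF instead of going through `read_from_write_only()`. That is consistent with the register not existing for such a guest, but the commit message only talks about writes, so a one-line comment above `if (!kvm_has_gicv3(vcpu->kvm))` saying the whole register is undefined in that configuration (reads included) would spare the next reader a trip to the spec.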
diff --git a/arch/arm64/kvm/vgic/vgic.h b/arch/arm64/kvm/vgic/vgic.h
index 47abce1ff89e..06564e8dd69b 100644
--- a/arch/arm64/kvm/vgic/vgic.h
+++ b/arch/arm64/kvm/vgic/vgic.h
@@ -330,4 +330,11 @@ void vgic_v4_configure_vsgis(struct kvm *kvm);
void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val);
void vgic_v4_configure_vtimer(struct kvm *kvm);
+static inline bool kvm_has_gicv3(struct kvm *kvm)
+{
+ return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) &&
+ irqchip_in_kernel(kvm) &&
+ kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3);
+}
+
#endif
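Review bot: `kvm_has_gicv3()` ANDs three conditions without saying why all three are needed; `kvm->arch.vgic.vgic_model` is only meaningful once `irqchip_in_kernel(kvm)` holds, and the `gicv3_cpuif` static key covers the host side rather than the guest configuration. A short comment above the helper stating that ordering would make the check self-explanatory, and the "[Code context change only]" conflict note suggests nothing else in this backport differs from upstream, so the comment can be copied verbatim if it is added there.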
--
2.17.1
From: Filipe Manana <fdmanana(a)suse.com>
mainline inclusion
from mainline-v6.11-rc1
commit 119474bdbac0858053cf367c8c932dd5c4bb4e85
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX0N
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
There are no callers of btrfs_lookup_extent_info() that pass a NULL value
for the transaction handle argument, so there's no point in having special
logic to deal with the NULL. The last caller that passed a NULL value was
removed in commit 19b546d7a1b2 ("btrfs: relocation:
Use btrfs_find_all_leafs to locate data extent parent tree leaves").
So remove the NULL handling from btrfs_lookup_extent_info().
Reported-by: kernel test robot <lkp(a)intel.com>
Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Closes: https://lore.kernel.org/r/202409271612.ikY68CAg-lkp@intel.com/
Reviewed-by: Qu Wenruo <wqu(a)suse.com>
Signed-off-by: Filipe Manana <fdmanana(a)suse.com>
Reviewed-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Conflicts:
fs/btrfs/extent-tree.c
[Context differences.]
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
fs/btrfs/extent-tree.c | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 9521cb45433f..4049405548ac 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -135,11 +135,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
if (!path)
return -ENOMEM;
- if (!trans) {
- path->skip_locking = 1;
- path->search_commit_root = 1;
- }
-
search_again:
key.objectid = bytenr;
key.offset = offset;
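Review bot: with the `if (!trans)` branch gone, a NULL `trans` is no longer tolerated but nothing enforces that at entry; the first dereference is now `trans->transaction->delayed_refs` much further down, so a stray NULL caller would oops with a less obvious backtrace than before. Consider an `ASSERT(trans);` right after the `path` allocation check, or a note in the function's kerneldoc, to document the new precondition that the commit message establishes.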
@@ -172,10 +167,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
if (unlikely(item_size < sizeof(*ei))) {
ret = -EINVAL;
btrfs_print_v0_err(fs_info);
- if (trans)
- btrfs_abort_transaction(trans, ret);
- else
- btrfs_handle_fs_error(fs_info, ret, NULL);
+ btrfs_abort_transaction(trans, ret);
goto out_free;
}
@@ -197,9 +189,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
ret = 0;
}
- if (!trans)
- goto out;
-
delayed_refs = &trans->transaction->delayed_refs;
spin_lock(&delayed_refs->lock);
head = btrfs_find_delayed_ref_head(delayed_refs, bytenr);
@@ -239,7 +228,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
mutex_unlock(&head->mutex);
}
spin_unlock(&delayed_refs->lock);
-out:
+
WARN_ON(num_refs == 0);
if (refs)
*refs = num_refs;
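Review bot: the `out:` label is replaced by an empty `+` line, leaving a blank line between `spin_unlock(&delayed_refs->lock);` and `WARN_ON(num_refs == 0);` that only existed to host the label; deleting the line outright would keep this hunk a pure removal. Cosmetic only, no functional concern.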
--
2.39.2
From: Filipe Manana <fdmanana(a)suse.com>
mainline inclusion
from mainline-v6.11-rc1
commit 119474bdbac0858053cf367c8c932dd5c4bb4e85
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX0N
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
There are no callers of btrfs_lookup_extent_info() that pass a NULL value
for the transaction handle argument, so there's no point in having special
logic to deal with the NULL. The last caller that passed a NULL value was
removed in commit 19b546d7a1b2 ("btrfs: relocation:
Use btrfs_find_all_leafs to locate data extent parent tree leaves").
So remove the NULL handling from btrfs_lookup_extent_info().
Reported-by: kernel test robot <lkp(a)intel.com>
Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Closes: https://lore.kernel.org/r/202409271612.ikY68CAg-lkp@intel.com/
Reviewed-by: Qu Wenruo <wqu(a)suse.com>
Signed-off-by: Filipe Manana <fdmanana(a)suse.com>
Reviewed-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
fs/btrfs/extent-tree.c | 16 ++--------------
1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 9bf1e4ac4de0..39afb1c46907 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -124,11 +124,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
if (!path)
return -ENOMEM;
- if (!trans) {
- path->skip_locking = 1;
- path->search_commit_root = 1;
- }
-
search_again:
key.objectid = bytenr;
key.offset = offset;
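Review bot: removing the `if (!trans)` block drops the only tolerance for a NULL transaction handle without adding a check in its place; the first use is now `trans->transaction->delayed_refs` further down. An `ASSERT(trans);` after the `-ENOMEM` path check, or a kerneldoc line stating that `trans` must be non-NULL, would turn a silent oops into an explicit precondition failure.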
@@ -164,11 +159,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
btrfs_err(fs_info,
"unexpected extent item size, has %u expect >= %zu",
item_size, sizeof(*ei));
- if (trans)
- btrfs_abort_transaction(trans, ret);
- else
- btrfs_handle_fs_error(fs_info, ret, NULL);
-
+ btrfs_abort_transaction(trans, ret);
goto out_free;
}
@@ -189,9 +180,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
ret = 0;
}
- if (!trans)
- goto out;
-
delayed_refs = &trans->transaction->delayed_refs;
spin_lock(&delayed_refs->lock);
head = btrfs_find_delayed_ref_head(delayed_refs, bytenr);
@@ -231,7 +219,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
mutex_unlock(&head->mutex);
}
spin_unlock(&delayed_refs->lock);
-out:
+
WARN_ON(num_refs == 0);
if (refs)
*refs = num_refs;
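Review bot: swapping `out:` for an empty `+` line leaves a blank line between `spin_unlock(&delayed_refs->lock);` and `WARN_ON(num_refs == 0);` whose only purpose was to host the label; dropping the line instead would keep the hunk a pure deletion. Style nit only.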
--
2.39.2
From: Filipe Manana <fdmanana(a)suse.com>
mainline inclusion
from mainline-v6.11-rc1
commit 119474bdbac0858053cf367c8c932dd5c4bb4e85
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX0N
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
There are no callers of btrfs_lookup_extent_info() that pass a NULL value
for the transaction handle argument, so there's no point in having special
logic to deal with the NULL. The last caller that passed a NULL value was
removed in commit 19b546d7a1b2 ("btrfs: relocation:
Use btrfs_find_all_leafs to locate data extent parent tree leaves").
So remove the NULL handling from btrfs_lookup_extent_info().
Reported-by: kernel test robot <lkp(a)intel.com>
Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Closes: https://lore.kernel.org/r/202409271612.ikY68CAg-lkp@intel.com/
Reviewed-by: Qu Wenruo <wqu(a)suse.com>
Signed-off-by: Filipe Manana <fdmanana(a)suse.com>
Reviewed-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Conflicts:
fs/btrfs/extent-tree.c
[Context differences.]
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
fs/btrfs/extent-tree.c | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 054785ffacf7..ae6625aa2c4a 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -135,11 +135,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
if (!path)
return -ENOMEM;
- if (!trans) {
- path->skip_locking = 1;
- path->search_commit_root = 1;
- }
-
search_again:
key.objectid = bytenr;
key.offset = offset;
@@ -172,10 +167,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
if (unlikely(item_size < sizeof(*ei))) {
ret = -EINVAL;
btrfs_print_v0_err(fs_info);
- if (trans)
- btrfs_abort_transaction(trans, ret);
- else
- btrfs_handle_fs_error(fs_info, ret, NULL);
+ btrfs_abort_transaction(trans, ret);
goto out_free;
}
@@ -197,9 +189,6 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
ret = 0;
}
- if (!trans)
- goto out;
-
delayed_refs = &trans->transaction->delayed_refs;
spin_lock(&delayed_refs->lock);
head = btrfs_find_delayed_ref_head(delayed_refs, bytenr);
@@ -239,7 +228,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
mutex_unlock(&head->mutex);
}
spin_unlock(&delayed_refs->lock);
-out:
+
WARN_ON(num_refs == 0);
if (refs)
*refs = num_refs;
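Review bot: the `out:` label is replaced with an empty `+` line, so a blank line now separates `spin_unlock(&delayed_refs->lock);` from `WARN_ON(num_refs == 0);` where the label used to be; removing the line entirely would make this hunk a straight deletion. Cosmetic only.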
--
2.39.2
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 3841d75a6dcd12d108aaf56560b99431d18169e4
commit: ac084b72b429b1bc0378add3abecfe107a732b7a [5940/23799] iommu: introduce device fault report API
config: arm64-randconfig-r133-20240926 (https://download.01.org/0day-ci/archive/20240929/202409290930.qkB2O1Kz-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce: (https://download.01.org/0day-ci/archive/20240929/202409290930.qkB2O1Kz-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409290930.qkB2O1Kz-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
>> drivers/iommu/iommu.c:979:31: sparse: sparse: dubious: !x | !y
drivers/iommu/iommu.c: In function 'iommu_unregister_device_fault_handler':
drivers/iommu/iommu.c:937:13: warning: variable 'ret' set but not used [-Wunused-but-set-variable]
937 | int ret = 0;
| ^~~
vim +979 drivers/iommu/iommu.c
960
961
962 /**
963 * iommu_report_device_fault() - Report fault event to device
964 * @dev: the device
965 * @evt: fault event data
966 *
967 * Called by IOMMU model specific drivers when fault is detected, typically
968 * in a threaded IRQ handler.
969 *
970 * Return 0 on success, or an error.
971 */
972 int iommu_report_device_fault(struct device *dev, struct iommu_fault_event *evt)
973 {
974 int ret = 0;
975 struct iommu_fault_event *evt_pending;
976 struct iommu_fault_param *fparam;
977
978 /* iommu_param is allocated when device is added to group */
> 979 if (!dev->iommu_param | !evt)
980 return -EINVAL;
981 /* we only report device fault if there is a handler registered */
982 mutex_lock(&dev->iommu_param->lock);
983 if (!dev->iommu_param->fault_param ||
984 !dev->iommu_param->fault_param->handler) {
985 ret = -EINVAL;
986 goto done_unlock;
987 }
988 fparam = dev->iommu_param->fault_param;
989 if (evt->type == IOMMU_FAULT_PAGE_REQ && evt->last_req) {
990 evt_pending = kzalloc(sizeof(*evt_pending), GFP_ATOMIC);
991 if (!evt_pending) {
992 ret = -ENOMEM;
993 goto done_unlock;
994 }
995 memcpy(evt_pending, evt, sizeof(struct iommu_fault_event));
996 mutex_lock(&fparam->lock);
997 list_add_tail(&evt_pending->list, &fparam->faults);
998 mutex_unlock(&fparam->lock);
999 }
1000 ret = fparam->handler(evt, fparam->data);
1001 done_unlock:
1002 mutex_unlock(&dev->iommu_param->lock);
1003 return ret;
1004 }
1005 EXPORT_SYMBOL_GPL(iommu_report_device_fault);
1006
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
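Why sparse flags `!x | !y` at line 979 as dubious, shown with an added C example that is constructed here and is not code from the openEuler tree: with bitwise `|` both operands are always evaluated, so the right-hand side runs even when the left one has already decided the outcome, whereas `||` short-circuits. A counter stands in for any side effect or dereference on the right-hand side, and the struct names are hypothetical stand-ins for the kernel ones. For plain pointer tests, as at line 979, both forms return the same result, which is why the sparse note is a cleanup rather than a behavioural fix here; the difference starts to matter once the right operand dereferences something the left one was guarding.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures in the report (hypothetical). */
struct dev_param   { int unused; };
struct device      { struct dev_param *iommu_param; };
struct fault_event { int type; };

/* Counts how often the right-hand operand of the test is evaluated. */
static int rhs_evaluations;

/* Stand-in for any side effect or dereference on the right-hand side. */
static int is_null_event(const struct fault_event *evt)
{
    rhs_evaluations++;
    return evt == NULL;
}

/* Mirrors the flagged line: bitwise OR, both operands are always evaluated. */
int validate_bitwise(struct device *dev, struct fault_event *evt)
{
    if (!dev->iommu_param | is_null_event(evt))
        return -EINVAL;
    return 0;
}

/* The intended form: logical OR stops after the first true operand. */
int validate_logical(struct device *dev, struct fault_event *evt)
{
    if (!dev->iommu_param || is_null_event(evt))
        return -EINVAL;
    return 0;
}

/* Builds the inputs from two flags, runs the chosen check, and reports
 * both the return code and how many times the right-hand side ran. */
static int run(int use_bitwise, int dev_has_param, int evt_present, int *count)
{
    struct dev_param dp = { 0 };
    struct device dev = { .iommu_param = dev_has_param ? &dp : NULL };
    struct fault_event ev = { .type = 1 };
    struct fault_event *evt = evt_present ? &ev : NULL;
    int rc;

    rhs_evaluations = 0;
    rc = use_bitwise ? validate_bitwise(&dev, evt) : validate_logical(&dev, evt);
    *count = rhs_evaluations;
    return rc;
}

/* Return code of the check for the given input combination. */
int probe_rc(int use_bitwise, int dev_has_param, int evt_present)
{
    int count;
    return run(use_bitwise, dev_has_param, evt_present, &count);
}

/* Number of right-hand-side evaluations for the given input combination. */
int probe_rhs_count(int use_bitwise, int dev_has_param, int evt_present)
{
    int count;
    (void)run(use_bitwise, dev_has_param, evt_present, &count);
    return count;
}

int main(void)
{
    /* Device without iommu_param, event present: same rc, different evaluation. */
    printf("bitwise: rc=%d rhs_evals=%d\n", probe_rc(1, 0, 1), probe_rhs_count(1, 0, 1));
    printf("logical: rc=%d rhs_evals=%d\n", probe_rc(0, 0, 1), probe_rhs_count(0, 0, 1));
    return 0;
}
```

The return codes agree on all four input combinations, so the one-character change is safe to make without touching callers; the evaluation count is what differs, and that is the property sparse is warning about.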
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: bef6f06e039b8929481350d15d6d8c3ba81c6fd2
commit: 7dad816cb1f8841fda526c0978c10a94793f1178 [21579/30000] anolis: net/smc: Resolve the race between SMC-R link access and clear
config: arm64-randconfig-r131-20240925 (https://download.01.org/0day-ci/archive/20240929/202409290926.Ll8zQyOY-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce: (https://download.01.org/0day-ci/archive/20240929/202409290926.Ll8zQyOY-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409290926.Ll8zQyOY-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
>> net/smc/smc_core.c:770:6: sparse: sparse: symbol '__smcr_link_clear' was not declared. Should it be static?
vim +/__smcr_link_clear +770 net/smc/smc_core.c
769
> 770 void __smcr_link_clear(struct smc_link *lnk)
771 {
772 smc_wr_free_link_mem(lnk);
773 smc_lgr_put(lnk->lgr); /* lgr_hold in smcr_link_init() */
774 memset(lnk, 0, sizeof(struct smc_link));
775 lnk->state = SMC_LNK_UNUSED;
776 }
777
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 3841d75a6dcd12d108aaf56560b99431d18169e4
commit: fb4c3a2751ebf142fecc61eea8c738573ec3bf10 [4008/23799] staging: erofs: fix race when the managed cache is enabled
config: arm64-randconfig-r133-20240926 (https://download.01.org/0day-ci/archive/20240929/202409290639.uZftDFPU-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce: (https://download.01.org/0day-ci/archive/20240929/202409290639.uZftDFPU-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409290639.uZftDFPU-lkp@intel.com/
sparse warnings: (new ones prefixed by >>)
>> drivers/staging/erofs/utils.c:138:6: sparse: sparse: symbol 'erofs_try_to_release_workgroup' was not declared. Should it be static?
drivers/staging/erofs/utils.c:138:6: warning: no previous prototype for 'erofs_try_to_release_workgroup' [-Wmissing-prototypes]
138 | bool erofs_try_to_release_workgroup(struct erofs_sb_info *sbi,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/erofs_try_to_release_workgroup +138 drivers/staging/erofs/utils.c
137
> 138 bool erofs_try_to_release_workgroup(struct erofs_sb_info *sbi,
139 struct erofs_workgroup *grp,
140 bool cleanup)
141 {
142 void *entry;
143
144 /*
145 * for managed cache enabled, the refcount of workgroups
146 * themselves could be < 0 (freezed). So there is no guarantee
147 * that all refcount > 0 if managed cache is enabled.
148 */
149 if (!erofs_workgroup_try_to_freeze(grp, 1))
150 return false;
151
152 /*
153 * note that all cached pages should be unlinked
154 * before delete it from the radix tree.
155 * Otherwise some cached pages of an orphan old workgroup
156 * could be still linked after the new one is available.
157 */
158 if (erofs_try_to_free_all_cached_pages(sbi, grp)) {
159 erofs_workgroup_unfreeze(grp, 1);
160 return false;
161 }
162
163 /*
164 * it is impossible to fail after the workgroup is freezed,
165 * however in order to avoid some race conditions, add a
166 * DBG_BUGON to observe this in advance.
167 */
168 entry = radix_tree_delete(&sbi->workstn_tree, grp->index);
169 DBG_BUGON((void *)((unsigned long)entry &
170 ~RADIX_TREE_EXCEPTIONAL_ENTRY) != grp);
171
172 /*
173 * if managed cache is enable, the last refcount
174 * should indicate the related workstation.
175 */
176 erofs_workgroup_unfreeze_final(grp);
177 return true;
178 }
179
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki