- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] vt: Clear selection before changing the font
by Yi Yang 01 Jul '25

01 Jul '25

From: Helge Deller <deller(a)gmx.de> stable inclusion from stable-v4.19.258 commit f74b4a41c5d7c9522469917e3072e55d435efd9e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG8T5 CVE: CVE-2022-49948 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream. When changing the console font with ioctl(KDFONTOP) the new font size can be bigger than the previous font. A previous selection may thus now be outside of the new screen size and thus trigger out-of-bounds accesses to graphics memory if the selection is removed in vc_do_resize(). Prevent such out-of-memory accesses by dropping the selection before the various con_font_set() console handlers are called. Reported-by: syzbot+14b0e8f3fd1612e35350(a)syzkaller.appspotmail.com Cc: stable <stable(a)kernel.org> Tested-by: Khalid Masum <khalid.masum.92(a)gmail.com> Signed-off-by: Helge Deller <deller(a)gmx.de> Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100 Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/vt/vt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index e547669c1471..abcacd377e09 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4518,9 +4518,11 @@ static int con_font_set(struct vc_data *vc, struct console_font_op *op) console_lock(); if (vc->vc_mode != KD_TEXT) rc = -EINVAL; - else if (vc->vc_sw->con_font_set) + else if (vc->vc_sw->con_font_set) { + if (vc_is_sel(vc)) + clear_selection(); rc = vc->vc_sw->con_font_set(vc, &font, op->flags); - else + } else rc = -ENOSYS; console_unlock(); kfree(font.data); @@ -4547,9 +4549,11 @@ static int con_font_default(struct vc_data *vc, struct console_font_op *op) console_unlock(); return -EINVAL; } - if (vc->vc_sw->con_font_default) + if (vc->vc_sw->con_font_default) { + if (vc_is_sel(vc)) + clear_selection(); rc = vc->vc_sw->con_font_default(vc, &font, s); - else + } else rc = -ENOSYS; console_unlock(); if (!rc) { -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] drivers:md:fix a potential use-after-free bug
by Gu Bowen 01 Jul '25

01 Jul '25

From: Wentao_Liang <Wentao_Liang_g(a)163.com> stable inclusion from stable-v4.19.256 commit e5b3dd2d92c4511e81f6e4ec9c5bb7ad25e03d13 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG8TZ CVE: CVE-2022-50022 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 104212471b1c1817b311771d817fb692af983173 ] In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and may cause sh to be released. However, sh is subsequently used in lines 2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in an use-after-free bug. It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of the function. Signed-off-by: Wentao_Liang <Wentao_Liang_g(a)163.com> Signed-off-by: Song Liu <song(a)kernel.org> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- drivers/md/raid5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index b2b35cdabac5..0ccc733436fa 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -2670,10 +2670,10 @@ static void raid5_end_write_request(struct bio *bi) if (!test_and_clear_bit(R5_DOUBLE_LOCKED, &sh->dev[i].flags)) clear_bit(R5_LOCKED, &sh->dev[i].flags); set_bit(STRIPE_HANDLE, &sh->state); - raid5_release_stripe(sh); if (sh->batch_head && sh != sh->batch_head) raid5_release_stripe(sh->batch_head); + raid5_release_stripe(sh); } static void raid5_error(struct mddev *mddev, struct md_rdev *rdev) -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS,V2] vt: Clear selection before changing the font
by Yi Yang 01 Jul '25

01 Jul '25

From: Helge Deller <deller(a)gmx.de> stable inclusion from stable-v4.19.258 commit f74b4a41c5d7c9522469917e3072e55d435efd9e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG8T5 CVE: CVE-2022-49948 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream. When changing the console font with ioctl(KDFONTOP) the new font size can be bigger than the previous font. A previous selection may thus now be outside of the new screen size and thus trigger out-of-bounds accesses to graphics memory if the selection is removed in vc_do_resize(). Prevent such out-of-memory accesses by dropping the selection before the various con_font_set() console handlers are called. Reported-by: syzbot+14b0e8f3fd1612e35350(a)syzkaller.appspotmail.com Cc: stable <stable(a)kernel.org> Tested-by: Khalid Masum <khalid.masum.92(a)gmail.com> Signed-off-by: Helge Deller <deller(a)gmx.de> Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100 Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/vt/vt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index e547669c1471..abcacd377e09 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4518,9 +4518,11 @@ static int con_font_set(struct vc_data *vc, struct console_font_op *op) console_lock(); if (vc->vc_mode != KD_TEXT) rc = -EINVAL; - else if (vc->vc_sw->con_font_set) + else if (vc->vc_sw->con_font_set) { + if (vc_is_sel(vc)) + clear_selection(); rc = vc->vc_sw->con_font_set(vc, &font, op->flags); - else + } else rc = -ENOSYS; console_unlock(); kfree(font.data); @@ -4547,9 +4549,11 @@ static int con_font_default(struct vc_data *vc, struct console_font_op *op) console_unlock(); return -EINVAL; } - if (vc->vc_sw->con_font_default) + if (vc->vc_sw->con_font_default) { + if (vc_is_sel(vc)) + clear_selection(); rc = vc->vc_sw->con_font_default(vc, &font, s); - else + } else rc = -ENOSYS; console_unlock(); if (!rc) { -- 2.25.1

1 0

[PATCH OLK-6.6 v2] mempolicy: optimize queue_folios_pte_range by PTE batching
by Tong Tiangen 01 Jul '25

01 Jul '25

From: Dev Jain <dev.jain(a)arm.com> mainline inclusion from mainline-v6.16-rc1 commit 4a34c584d8cd13d2b721d21cf629f77c60bfb4a4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICF4UI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------- After the check for queue_folio_required(), the code only cares about the folio in the for loop, i.e the PTEs are redundant. Therefore, optimize this loop by skipping over a PTE batch mapping the same folio. With a test program migrating pages of the calling process, which includes a mapped VMA of size 4GB with pte-mapped large folios of order-9, and migrating once back and forth node-0 and node-1, the average execution time reduces from 7.5 to 4 seconds, giving an approx 47% speedup. Link: https://lkml.kernel.org/r/20250416053048.96479-1-dev.jain@arm.com Signed-off-by: Dev Jain <dev.jain(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Vishal Moola (Oracle) <vishal.moola(a)gmail.com> Cc: Yang Shi <yang(a)os.amperecomputing.com> Cc: Zi Yan <ziy(a)nvidia.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Conflicts: mm/mempolicy.c [qp->nr_failed is introduced in 1cb5d11a370f, which is not merged.] Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- v2: fix commit message checkformat warning. mm/mempolicy.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 88f0bb008efd..1587efaf777e 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -508,6 +508,7 @@ static int queue_folios_pmd(pmd_t *pmd, spinlock_t *ptl, unsigned long addr, static int queue_folios_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, struct mm_walk *walk) { + const fpb_t fpb_flags = FPB_IGNORE_DIRTY | FPB_IGNORE_SOFT_DIRTY; struct vm_area_struct *vma = walk->vma; struct folio *folio; struct queue_pages *qp = walk->private; @@ -515,6 +516,7 @@ static int queue_folios_pte_range(pmd_t *pmd, unsigned long addr, pte_t *pte, *mapped_pte; pte_t ptent; spinlock_t *ptl; + int max_nr, nr; ptl = pmd_trans_huge_lock(pmd, vma); if (ptl) @@ -525,13 +527,19 @@ static int queue_folios_pte_range(pmd_t *pmd, unsigned long addr, walk->action = ACTION_AGAIN; return 0; } - for (; addr != end; pte++, addr += PAGE_SIZE) { + for (; addr != end; pte += nr, addr += nr * PAGE_SIZE) { + max_nr = (end - addr) >> PAGE_SHIFT; + nr = 1; ptent = ptep_get(pte); if (!pte_present(ptent)) continue; folio = vm_normal_folio(vma, addr, ptent); if (!folio || folio_is_zone_device(folio)) continue; + if (folio_test_large(folio) && max_nr != 1) + nr = folio_pte_batch(folio, addr, pte, ptent, + max_nr, fpb_flags, + NULL, NULL, NULL); /* * vm_normal_folio() filters out zero pages, but there might * still be reserved folios to skip, perhaps in a VDSO. -- 2.25.1

2 1

[PATCH OLK-5.10,V2] nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
by Yi Yang 01 Jul '25

01 Jul '25

From: Maurizio Lombardi <mlombard(a)redhat.com> mainline inclusion from mainline-v6.14 commit ad95bab0cd28ed77c2c0d0b6e76e03e031391064 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY43W CVE: CVE-2025-21927 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver") Signed-off-by: Maurizio Lombardi <mlombard(a)redhat.com> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Conflicts: drivers/nvme/host/tcp.c [Confilcts dues to no backport of 363895767fbf("nvme-tcp: sanitize TLS key handling") and 84e009042d0f("nvme-tcp: add basic support for the C2HTermReq PDU")] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/nvme/host/tcp.c | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c index 7be1da41081d..2ffb4df56d11 100644 --- a/drivers/nvme/host/tcp.c +++ b/drivers/nvme/host/tcp.c @@ -185,6 +185,19 @@ static inline int nvme_tcp_queue_id(struct nvme_tcp_queue *queue) return queue - queue->ctrl->queues; } +static inline bool nvme_tcp_recv_pdu_supported(enum nvme_tcp_pdu_type type) +{ + switch (type) { + case nvme_tcp_c2h_term: + case nvme_tcp_c2h_data: + case nvme_tcp_r2t: + case nvme_tcp_rsp: + return true; + default: + return false; + } +} + static inline struct blk_mq_tags *nvme_tcp_tagset(struct nvme_tcp_queue *queue) { u32 queue_idx = nvme_tcp_queue_id(queue); @@ -700,6 +713,16 @@ static int nvme_tcp_recv_pdu(struct nvme_tcp_queue *queue, struct sk_buff *skb, return 0; hdr = queue->pdu; + if (unlikely(hdr->hlen != sizeof(struct nvme_tcp_rsp_pdu))) { + if (!nvme_tcp_recv_pdu_supported(hdr->type)) + goto unsupported_pdu; + + dev_err(queue->ctrl->ctrl.device, + "pdu type %d has unexpected header length (%d)\n", + hdr->type, hdr->hlen); + return -EPROTO; + } + if (queue->hdr_digest) { ret = nvme_tcp_verify_hdgst(queue, queue->pdu, hdr->hlen); if (unlikely(ret)) @@ -723,10 +746,13 @@ static int nvme_tcp_recv_pdu(struct nvme_tcp_queue *queue, struct sk_buff *skb, nvme_tcp_init_recv_ctx(queue); return nvme_tcp_handle_r2t(queue, (void *)queue->pdu); default: - dev_err(queue->ctrl->ctrl.device, - "unsupported pdu type (%d)\n", hdr->type); - return -EINVAL; + goto unsupported_pdu; } + +unsupported_pdu: + dev_err(queue->ctrl->ctrl.device, + "unsupported pdu type (%d)\n", hdr->type); + return -EINVAL; } static inline void nvme_tcp_end_request(struct request *rq, u16 status) -- 2.25.1

1 0

[openeuler:OLK-5.10 2989/2989] arch/x86/lib/copy_highpages.o: warning: objtool: sysctl_hugepage_nocache_copy()+0x130: unreachable instruction
by kernel test robot 01 Jul '25

01 Jul '25

Hi Kemeng, First bad commit (maybe != root cause): tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 0655af1b703c5ae3de3a1ba80e5e31690ccfae93 commit: 50d5bf1b6da9f74bf93f9dec601c09d45d6d8406 [2989/2989] x86: hugepage: use nt copy hugepage to AEP in x86 config: x86_64-buildonly-randconfig-002-20250628 (https://download.01.org/0day-ci/archive/20250701/202507011409.e2CKDnmq-lkp@…) compiler: clang version 20.1.7 (https://github.com/llvm/llvm-project 6146a88f60492b520a36f8f8f3231e15f3cc6082) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250701/202507011409.e2CKDnmq-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202507011409.e2CKDnmq-lkp@intel.com/ All warnings (new ones prefixed by >>): >> arch/x86/lib/copy_highpages.o: warning: objtool: sysctl_hugepage_nocache_copy()+0x130: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 2412/2412] mm/memory.c:5277:24: warning: variable 'nr_pages' set but not used
by kernel test robot 01 Jul '25

01 Jul '25

Hi Zi, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: e96d124d2a240f32fce75ac0f187b6be1d53e7f1 commit: 3bfa35ccde9e52ca74fed047eb4d89be32dd9e5e [2412/2412] mm/numa: no task_numa_fault() call if PTE is changed config: loongarch-randconfig-001-20250701 (https://download.01.org/0day-ci/archive/20250701/202507011307.oRLSFbBZ-lkp@…) compiler: loongarch64-linux-gcc (GCC) 13.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250701/202507011307.oRLSFbBZ-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202507011307.oRLSFbBZ-lkp@intel.com/ All warnings (new ones prefixed by >>): mm/memory.c: In function 'do_numa_page': >> mm/memory.c:5277:24: warning: variable 'nr_pages' set but not used [-Wunused-but-set-variable] 5277 | int flags = 0, nr_pages; | ^~~~~~~~ vim +/nr_pages +5277 mm/memory.c f569661eacc258 Baolin Wang 2024-05-11 5266 2b7403035459c7 Souptick Joarder 2018-08-23 5267 static vm_fault_t do_numa_page(struct vm_fault *vmf) d10e63f29488b0 Mel Gorman 2012-10-25 5268 { 82b0f8c39a3869 Jan Kara 2016-12-14 5269 struct vm_area_struct *vma = vmf->vma; d5e6c8d5790088 Kefeng Wang 2023-11-27 5270 struct folio *folio = NULL; d5e6c8d5790088 Kefeng Wang 2023-11-27 5271 int nid = NUMA_NO_NODE; 2cb37064a2b82c Baolin Wang 2024-06-22 5272 bool writable = false, ignore_writable = false; 2cb37064a2b82c Baolin Wang 2024-06-22 5273 bool pte_write_upgrade = vma_wants_manual_pte_write_upgrade(vma); 90572890d20252 Peter Zijlstra 2013-10-07 5274 int last_cpupid; cbee9f88ec1b8d Peter Zijlstra 2012-10-25 5275 int target_nid; 04a8645304500b Aneesh Kumar K.V 2019-03-05 5276 pte_t pte, old_pte; 2cb37064a2b82c Baolin Wang 2024-06-22 @5277 int flags = 0, nr_pages; d10e63f29488b0 Mel Gorman 2012-10-25 5278 d10e63f29488b0 Mel Gorman 2012-10-25 5279 /* e2491c31fb10ae John Hubbard 2024-05-25 5280 * The pte cannot be used safely until we verify, while holding the page e2491c31fb10ae John Hubbard 2024-05-25 5281 * table lock, that its contents have not changed during fault handling. d10e63f29488b0 Mel Gorman 2012-10-25 5282 */ 82b0f8c39a3869 Jan Kara 2016-12-14 5283 spin_lock(vmf->ptl); e2491c31fb10ae John Hubbard 2024-05-25 5284 /* Read the live PTE from the page tables: */ e2491c31fb10ae John Hubbard 2024-05-25 5285 old_pte = ptep_get(vmf->pte); e2491c31fb10ae John Hubbard 2024-05-25 5286 e2491c31fb10ae John Hubbard 2024-05-25 5287 if (unlikely(!pte_same(old_pte, vmf->orig_pte))) { 82b0f8c39a3869 Jan Kara 2016-12-14 5288 pte_unmap_unlock(vmf->pte, vmf->ptl); 3bfa35ccde9e52 Zi Yan 2024-08-09 5289 return 0; 4daae3b4b9e49b Mel Gorman 2012-11-02 5290 } 4daae3b4b9e49b Mel Gorman 2012-11-02 5291 04a8645304500b Aneesh Kumar K.V 2019-03-05 5292 pte = pte_modify(old_pte, vma->vm_page_prot); d10e63f29488b0 Mel Gorman 2012-10-25 5293 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5294 /* 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5295 * Detect now whether the PTE could be writable; this information 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5296 * is only valid while holding the PT lock. 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5297 */ 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5298 writable = pte_write(pte); 2cb37064a2b82c Baolin Wang 2024-06-22 5299 if (!writable && pte_write_upgrade && 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5300 can_change_pte_writable(vma, vmf->address, pte)) 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5301 writable = true; 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5302 d5e6c8d5790088 Kefeng Wang 2023-11-27 5303 folio = vm_normal_folio(vma, vmf->address, pte); d5e6c8d5790088 Kefeng Wang 2023-11-27 5304 if (!folio || folio_is_zone_device(folio)) b99a342d4f11a5 Huang Ying 2021-04-29 5305 goto out_map; d10e63f29488b0 Mel Gorman 2012-10-25 5306 6688cc05473b36 Peter Zijlstra 2013-10-07 5307 /* bea66fbd11af1c Mel Gorman 2015-03-25 5308 * Avoid grouping on RO pages in general. RO pages shouldn't hurt as bea66fbd11af1c Mel Gorman 2015-03-25 5309 * much anyway since they can be in shared cache state. This misses bea66fbd11af1c Mel Gorman 2015-03-25 5310 * the case where a mapping is writable but the process never writes bea66fbd11af1c Mel Gorman 2015-03-25 5311 * to it but pte_write gets cleared during protection updates and bea66fbd11af1c Mel Gorman 2015-03-25 5312 * pte_dirty has unpredictable behaviour between PTE scan updates, bea66fbd11af1c Mel Gorman 2015-03-25 5313 * background writeback, dirty balancing and application behaviour. bea66fbd11af1c Mel Gorman 2015-03-25 5314 */ 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5315 if (!writable) 6688cc05473b36 Peter Zijlstra 2013-10-07 5316 flags |= TNF_NO_GROUP; 6688cc05473b36 Peter Zijlstra 2013-10-07 5317 dabe1d992414a6 Rik van Riel 2013-10-07 5318 /* d5e6c8d5790088 Kefeng Wang 2023-11-27 5319 * Flag if the folio is shared between multiple address spaces. This dabe1d992414a6 Rik van Riel 2013-10-07 5320 * is later used when determining whether to group tasks together dabe1d992414a6 Rik van Riel 2013-10-07 5321 */ b8eba2d7e4a309 David Hildenbrand 2024-05-11 5322 if (folio_likely_mapped_shared(folio) && (vma->vm_flags & VM_SHARED)) dabe1d992414a6 Rik van Riel 2013-10-07 5323 flags |= TNF_SHARED; dabe1d992414a6 Rik van Riel 2013-10-07 5324 d5e6c8d5790088 Kefeng Wang 2023-11-27 5325 nid = folio_nid(folio); 2cb37064a2b82c Baolin Wang 2024-06-22 5326 nr_pages = folio_nr_pages(folio); 33024536bafd91 Huang Ying 2022-07-13 5327 /* 33024536bafd91 Huang Ying 2022-07-13 5328 * For memory tiering mode, cpupid of slow memory page is used 33024536bafd91 Huang Ying 2022-07-13 5329 * to record page access time. So use default value. 33024536bafd91 Huang Ying 2022-07-13 5330 */ 33024536bafd91 Huang Ying 2022-07-13 5331 if ((sysctl_numa_balancing_mode & NUMA_BALANCING_MEMORY_TIERING) && d5e6c8d5790088 Kefeng Wang 2023-11-27 5332 !node_is_toptier(nid)) 33024536bafd91 Huang Ying 2022-07-13 5333 last_cpupid = (-1 & LAST_CPUPID_MASK); 33024536bafd91 Huang Ying 2022-07-13 5334 else 28e1ec746768bb Kefeng Wang 2023-11-27 5335 last_cpupid = folio_last_cpupid(folio); bf7c2ab764599b Kefeng Wang 2023-11-27 5336 target_nid = numa_migrate_prep(folio, vma, vmf->address, nid, &flags); 98fa15f34cb379 Anshuman Khandual 2019-03-05 5337 if (target_nid == NUMA_NO_NODE) { d5e6c8d5790088 Kefeng Wang 2023-11-27 5338 folio_put(folio); b99a342d4f11a5 Huang Ying 2021-04-29 5339 goto out_map; 4daae3b4b9e49b Mel Gorman 2012-11-02 5340 } b99a342d4f11a5 Huang Ying 2021-04-29 5341 pte_unmap_unlock(vmf->pte, vmf->ptl); 6a56ccbcf6c695 David Hildenbrand 2022-11-08 5342 writable = false; 2cb37064a2b82c Baolin Wang 2024-06-22 5343 ignore_writable = true; 4daae3b4b9e49b Mel Gorman 2012-11-02 5344 4daae3b4b9e49b Mel Gorman 2012-11-02 5345 /* Migrate to the requested node */ d5e6c8d5790088 Kefeng Wang 2023-11-27 5346 if (migrate_misplaced_folio(folio, vma, target_nid)) { d5e6c8d5790088 Kefeng Wang 2023-11-27 5347 nid = target_nid; 6688cc05473b36 Peter Zijlstra 2013-10-07 5348 flags |= TNF_MIGRATED; 3bfa35ccde9e52 Zi Yan 2024-08-09 5349 task_numa_fault(last_cpupid, nid, 1, flags); 3bfa35ccde9e52 Zi Yan 2024-08-09 5350 return 0; 3bfa35ccde9e52 Zi Yan 2024-08-09 5351 } 3bfa35ccde9e52 Zi Yan 2024-08-09 5352 074c238177a75f Mel Gorman 2015-03-25 5353 flags |= TNF_MIGRATE_FAIL; c7ad08804fae5b Hugh Dickins 2023-06-08 5354 vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, c7ad08804fae5b Hugh Dickins 2023-06-08 5355 vmf->address, &vmf->ptl); c7ad08804fae5b Hugh Dickins 2023-06-08 5356 if (unlikely(!vmf->pte)) 3bfa35ccde9e52 Zi Yan 2024-08-09 5357 return 0; c33c794828f212 Ryan Roberts 2023-06-12 5358 if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { b99a342d4f11a5 Huang Ying 2021-04-29 5359 pte_unmap_unlock(vmf->pte, vmf->ptl); d10e63f29488b0 Mel Gorman 2012-10-25 5360 return 0; 3bfa35ccde9e52 Zi Yan 2024-08-09 5361 } b99a342d4f11a5 Huang Ying 2021-04-29 5362 out_map: b99a342d4f11a5 Huang Ying 2021-04-29 5363 /* b99a342d4f11a5 Huang Ying 2021-04-29 5364 * Make it present again, depending on how arch implements b99a342d4f11a5 Huang Ying 2021-04-29 5365 * non-accessible ptes, some can allow access by kernel mode. b99a342d4f11a5 Huang Ying 2021-04-29 5366 */ 2cb37064a2b82c Baolin Wang 2024-06-22 5367 if (folio && folio_test_large(folio)) 2cb37064a2b82c Baolin Wang 2024-06-22 5368 numa_rebuild_large_mapping(vmf, vma, folio, pte, ignore_writable, 2cb37064a2b82c Baolin Wang 2024-06-22 5369 pte_write_upgrade); 2cb37064a2b82c Baolin Wang 2024-06-22 5370 else 2cb37064a2b82c Baolin Wang 2024-06-22 5371 numa_rebuild_single_mapping(vmf, vma, vmf->address, vmf->pte, 2cb37064a2b82c Baolin Wang 2024-06-22 5372 writable); b99a342d4f11a5 Huang Ying 2021-04-29 5373 pte_unmap_unlock(vmf->pte, vmf->ptl); 3bfa35ccde9e52 Zi Yan 2024-08-09 5374 3bfa35ccde9e52 Zi Yan 2024-08-09 5375 if (nid != NUMA_NO_NODE) 3bfa35ccde9e52 Zi Yan 2024-08-09 5376 task_numa_fault(last_cpupid, nid, 1, flags); 3bfa35ccde9e52 Zi Yan 2024-08-09 5377 return 0; d10e63f29488b0 Mel Gorman 2012-10-25 5378 } d10e63f29488b0 Mel Gorman 2012-10-25 5379 :::::: The code at line 5277 was first introduced by commit :::::: 2cb37064a2b82cd8ebeeaaed21259b5912dff51d mm: support multi-size THP numa balancing :::::: TO: Baolin Wang <baolin.wang(a)linux.alibaba.com> :::::: CC: Liu Shixin <liushixin2(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 2882/2882] mm/vmalloc.c:3632: warning: Function parameter or member 'pgoff' not described in 'remap_vmalloc_hugepage_range_partial'
by kernel test robot 01 Jul '25

01 Jul '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 0655af1b703c5ae3de3a1ba80e5e31690ccfae93 commit: a3425d4173784e41644abc3cc70d41aa2aef16fd [2882/2882] vmalloc: Extend for hugepages mapping config: x86_64-randconfig-2002-20250501 (https://download.01.org/0day-ci/archive/20250701/202507010521.S5M6UUnr-lkp@…) compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250701/202507010521.S5M6UUnr-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202507010521.S5M6UUnr-lkp@intel.com/ All warnings (new ones prefixed by >>): >> mm/vmalloc.c:3632: warning: Function parameter or member 'pgoff' not described in 'remap_vmalloc_hugepage_range_partial' mm/vmalloc.c:3760: warning: Function parameter or member 'align' not described in 'pvm_determine_end_from_reverse' vim +3632 mm/vmalloc.c 3612 3613 /** 3614 * remap_vmalloc_hugepage_range_partial - map vmalloc hugepages 3615 * to userspace 3616 * @vma: vma to cover 3617 * @uaddr: target user address to start at 3618 * @kaddr: virtual address of vmalloc hugepage kernel memory 3619 * @size: size of map area 3620 * 3621 * Returns: 0 for success, -Exxx on failure 3622 * 3623 * This function checks that @kaddr is a valid vmalloc'ed area, 3624 * and that it is big enough to cover the range starting at 3625 * @uaddr in @vma. Will return failure if that criteria isn't 3626 * met. 3627 * 3628 * Similar to remap_pfn_range() (see mm/memory.c) 3629 */ 3630 int remap_vmalloc_hugepage_range_partial(struct vm_area_struct *vma, unsigned long uaddr, 3631 void *kaddr, unsigned long pgoff, unsigned long size) > 3632 { 3633 struct vm_struct *area; 3634 unsigned long off; 3635 unsigned long end_index; 3636 3637 if (check_shl_overflow(pgoff, PMD_SHIFT, &off)) 3638 return -EINVAL; 3639 3640 size = PMD_ALIGN(size); 3641 3642 if (!PMD_ALIGNED(uaddr) || !PMD_ALIGNED(kaddr)) 3643 return -EINVAL; 3644 3645 area = find_vm_area(kaddr); 3646 if (!area) 3647 return -EINVAL; 3648 3649 if (!(area->flags & VM_USERMAP)) 3650 return -EINVAL; 3651 3652 if (check_add_overflow(size, off, &end_index) || 3653 end_index > get_vm_area_size(area)) 3654 return -EINVAL; 3655 kaddr += off; 3656 3657 do { 3658 struct page *page = vmalloc_to_page(kaddr); 3659 int ret; 3660 3661 ret = hugetlb_insert_hugepage_pte_by_pa(vma->vm_mm, uaddr, 3662 vma->vm_page_prot, page_to_phys(page)); 3663 if (ret) 3664 return ret; 3665 3666 uaddr += PMD_SIZE; 3667 kaddr += PMD_SIZE; 3668 size -= PMD_SIZE; 3669 } while (size > 0); 3670 3671 vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP; 3672 3673 return 0; 3674 } 3675 EXPORT_SYMBOL(remap_vmalloc_hugepage_range_partial); 3676 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] pci:vga fix race condition in vga_arb_write
by Yuntao Liu 01 Jul '25

01 Jul '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICCYVI CVE: NA -------------------------------- The following code has a race condition under concurrency. if (io_state & VGA_RSRC_LEGACY_IO) uc->io_cnt--; in race condition: pre: uc->io_cnt = 1 post: uc->io_cnt = 4294967295 move vga_put code below changing uc->io_cnt code. Fixes: deb2d2ecd43d ("PCI/GPU: implement VGA arbitration on Linux") Signed-off-by: Yuntao Liu <liuyuntao12(a)huawei.com> --- drivers/pci/vgaarb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/pci/vgaarb.c b/drivers/pci/vgaarb.c index 5e6b1eb54c64..ed37fd3dcdef 100644 --- a/drivers/pci/vgaarb.c +++ b/drivers/pci/vgaarb.c @@ -1261,13 +1261,13 @@ static ssize_t vga_arb_write(struct file *file, const char __user *buf, goto done; } - vga_put(pdev, io_state); - if (io_state & VGA_RSRC_LEGACY_IO) uc->io_cnt--; if (io_state & VGA_RSRC_LEGACY_MEM) uc->mem_cnt--; + vga_put(pdev, io_state); + ret_val = count; goto done; } else if (strncmp(curr_pos, "trylock ", 8) == 0) { -- 2.34.1

2 1

[PATCH OLK-6.6] sched/fair: Avoid offline tasks starve to death for priority load balance
by Lu Jialin 01 Jul '25

01 Jul '25

From: Song Zhang <zhangsong34(a)huawei.com> euleros inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICIG0E CVE: NA -------------------- When priority load balance enabled for online/offline tasks co-location, offline tasks maybe starve to death by load balance detach_tasks() if env->loop exceed env->loop_max and can not be migrate to idle cpus. So we should set env->loop to 0 and detach offline tasks again. Signed-off-by: Song Zhang <zhangsong34(a)huawei.com> Confict: kernel/sched/fair.c Patch adaptation due to context changes Signed-off-by: yangjiaqi <yangjiaqi16(a)huawei.com> --- kernel/sched/fair.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index c4c3afa6e7b4..ea3be1ff723e 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -11024,6 +11024,13 @@ static int detach_tasks(struct lb_env *env) #ifdef CONFIG_QOS_SCHED_PRIO_LB if (sysctl_sched_prio_load_balance_enabled && env->imbalance > 0) { + /* + * Avoid offline tasks starve to death if env->loop exceed + * env->loop_max, so we should set env->loop to 0 and detach + * offline tasks again. + */ + if (env->loop > env->loop_max) + env->loop = 0; loop++; if (loop == 1) { tasks = &env->src_rq->cfs_offline_tasks; -- 2.33.0

2 1