- Kernel - mailweb.openeuler.org

[PATCH 1/2] Update kernel headers
by Chengchang Tang 22 Feb '24

22 Feb '24

From: Yixing Liu <liuyixing1(a)huawei.com> To commit ?? ("RDMA/hns: Support DSCP of userspace"). Signed-off-by: Yixing Liu <liuyixing1(a)huawei.com> --- kernel-headers/rdma/hns-abi.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kernel-headers/rdma/hns-abi.h b/kernel-headers/rdma/hns-abi.h index c996e15..f77697c 100644 --- a/kernel-headers/rdma/hns-abi.h +++ b/kernel-headers/rdma/hns-abi.h @@ -95,6 +95,12 @@ struct hns_roce_ib_create_qp_resp { __aligned_u64 dwqe_mmap_key; }; +struct hns_roce_ib_modify_qp_resp { + __u8 tc_mode; + __u8 priority; + __u8 reserved[6]; +}; + enum { HNS_ROCE_EXSGE_FLAGS = 1 << 0, HNS_ROCE_RQ_INLINE_FLAGS = 1 << 1, @@ -127,7 +133,8 @@ struct hns_roce_ib_alloc_pd_resp { struct hns_roce_ib_create_ah_resp { __u8 dmac[6]; - __u8 reserved[2]; + __u8 priority; + __u8 tc_mode; }; #endif /* HNS_ABI_USER_H */ -- 2.30.0

1 1

[OLK-6.6 v3 1/2] RDMA/hns: Append SCC context to the raw dump of QP Resource
by Chengchang Tang 22 Feb '24

22 Feb '24

From: wenglianfa <wenglianfa(a)huawei.com> driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8B8HH -------------------------------------------------------------------------- SCCC (SCC Context) is a context with QP granularity that contains information about congestion control. Dump SCCC and QPC together to improve troubleshooting. When dumping raw QPC with rdmatool, there will be a total of 576B data output, where the first 512B is QPC and the last 64B is SCCC. When congestion control is disabled, the 64B SCCC will be all 0. Example: $rdma res show qp -jpr [ { "ifindex": 0, "ifname": "hns_0", "data": [ 67,0,0,0... 512bytes 4,0,2... 64bytes] },... } ] Signed-off-by: wenglianfa <wenglianfa(a)huawei.com> --- drivers/infiniband/hw/hns/hns_roce_cmd.h | 3 +++ drivers/infiniband/hw/hns/hns_roce_device.h | 1 + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 25 +++++++++++++++++++ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 6 +++++ drivers/infiniband/hw/hns/hns_roce_restrack.c | 24 +++++++++++++++--- 5 files changed, 56 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/hw/hns/hns_roce_cmd.h b/drivers/infiniband/hw/hns/hns_roce_cmd.h index 052a3d60905a..11dbbabebdc9 100644 --- a/drivers/infiniband/hw/hns/hns_roce_cmd.h +++ b/drivers/infiniband/hw/hns/hns_roce_cmd.h @@ -108,6 +108,9 @@ enum { HNS_ROCE_CMD_QUERY_CEQC = 0x92, HNS_ROCE_CMD_DESTROY_CEQC = 0x93, + /* SCC CTX commands */ + HNS_ROCE_CMD_QUERY_SCCC = 0xa2, + /* SCC CTX BT commands */ HNS_ROCE_CMD_READ_SCCC_BT0 = 0xa4, HNS_ROCE_CMD_WRITE_SCCC_BT0 = 0xa5, diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h index 1a8516019516..2de432ebf711 100644 --- a/drivers/infiniband/hw/hns/hns_roce_device.h +++ b/drivers/infiniband/hw/hns/hns_roce_device.h @@ -944,6 +944,7 @@ struct hns_roce_hw { int (*query_cqc)(struct hns_roce_dev *hr_dev, u32 cqn, void *buffer); int (*query_qpc)(struct hns_roce_dev *hr_dev, u32 qpn, void *buffer); int (*query_mpt)(struct hns_roce_dev *hr_dev, u32 key, void *buffer); + int (*query_sccc)(struct hns_roce_dev *hr_dev, u32 qpn, void *buffer); int (*query_srqc)(struct hns_roce_dev *hr_dev, u32 srqn, void *buffer); int (*query_hw_counter)(struct hns_roce_dev *hr_dev, u64 *stats, u32 port, int *hw_counters); diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index de56dc6e3226..9dc5957c0d2f 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -5321,6 +5321,30 @@ static int hns_roce_v2_query_srqc(struct hns_roce_dev *hr_dev, u32 srqn, return ret; } +static int hns_roce_v2_query_sccc(struct hns_roce_dev *hr_dev, u32 qpn, + void *buffer) +{ + struct hns_roce_v2_scc_context *context; + struct hns_roce_cmd_mailbox *mailbox; + int ret; + + mailbox = hns_roce_alloc_cmd_mailbox(hr_dev); + if (IS_ERR(mailbox)) + return PTR_ERR(mailbox); + + ret = hns_roce_cmd_mbox(hr_dev, 0, mailbox->dma, HNS_ROCE_CMD_QUERY_SCCC, + qpn); + if (ret) + goto out; + + context = mailbox->buf; + memcpy(buffer, context, sizeof(*context)); + +out: + hns_roce_free_cmd_mailbox(hr_dev, mailbox); + return ret; +} + static u8 get_qp_timeout_attr(struct hns_roce_dev *hr_dev, struct hns_roce_v2_qp_context *context) { @@ -6712,6 +6736,7 @@ static const struct hns_roce_hw hns_roce_hw_v2 = { .query_cqc = hns_roce_v2_query_cqc, .query_qpc = hns_roce_v2_query_qpc, .query_mpt = hns_roce_v2_query_mpt, + .query_sccc = hns_roce_v2_query_sccc, .query_srqc = hns_roce_v2_query_srqc, .query_hw_counter = hns_roce_hw_v2_query_counter, .hns_roce_dev_ops = &hns_roce_v2_dev_ops, diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h index cd97cbee682a..3fe2d9467612 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h @@ -646,6 +646,12 @@ struct hns_roce_v2_qp_context { #define QPCEX_SQ_RQ_NOT_FORBID_EN QPCEX_FIELD_LOC(23, 23) #define QPCEX_STASH QPCEX_FIELD_LOC(82, 82) +#define SCC_CONTEXT_SIZE 16 + +struct hns_roce_v2_scc_context { + __le32 data[SCC_CONTEXT_SIZE]; +}; + #define V2_QP_RWE_S 1 /* rdma write enable */ #define V2_QP_RRE_S 2 /* rdma read enable */ #define V2_QP_ATE_S 3 /* rdma atomic enable */ diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c index f7f3c4cc7426..34b8e4f85961 100644 --- a/drivers/infiniband/hw/hns/hns_roce_restrack.c +++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c @@ -97,16 +97,34 @@ int hns_roce_fill_res_qp_entry_raw(struct sk_buff *msg, struct ib_qp *ib_qp) { struct hns_roce_dev *hr_dev = to_hr_dev(ib_qp->device); struct hns_roce_qp *hr_qp = to_hr_qp(ib_qp); - struct hns_roce_v2_qp_context context; + struct hns_roce_full_qp_ctx { + struct hns_roce_v2_qp_context qpc; + struct hns_roce_v2_scc_context sccc; + } context = {}; int ret; if (!hr_dev->hw->query_qpc) return -EINVAL; - ret = hr_dev->hw->query_qpc(hr_dev, hr_qp->qpn, &context); + ret = hr_dev->hw->query_qpc(hr_dev, hr_qp->qpn, &context.qpc); if (ret) - return -EINVAL; + return ret; + + if (!(hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_FLOW_CTRL) || + !hr_dev->hw->query_sccc) + goto out; + + /* The scc may not exist. If the scc query fails, + * only the qpc content is displayed, and the + * scc value is all 0. + */ + ret = hr_dev->hw->query_sccc(hr_dev, hr_qp->qpn, &context.sccc); + if (ret) + ibdev_warn_ratelimited(&hr_dev->ib_dev, + "failed to query SCCC, ret = %d.\n", + ret); +out: ret = nla_put(msg, RDMA_NLDEV_ATTR_RES_RAW, sizeof(context), &context); return ret; -- 2.30.0

1 1

[PATCH OLK-5.10] arm64/mpam: update reminder message about MBHDL option
by Zeng Heng 22 Feb '24

22 Feb '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I91YTV CVE: NA ---------------------------------------- Corrected debugging reminder information about MBHDL option of schemata interface. # echo "MBHDL:1=2" > schemata -bash: echo: write error: Invalid argument # cat info/last_cmd_status MB value 2 exceed 1 Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/kernel/mpam/mpam_resctrl.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/arch/arm64/kernel/mpam/mpam_resctrl.c b/arch/arm64/kernel/mpam/mpam_resctrl.c index 174f84893ee5..bc314b181132 100644 --- a/arch/arm64/kernel/mpam/mpam_resctrl.c +++ b/arch/arm64/kernel/mpam/mpam_resctrl.c @@ -340,15 +340,16 @@ parse_bw(char *buf, struct resctrl_resource *r, return -EINVAL; } + if (kstrtoul(buf, rr->ctrl_features[type].base, &data)) { + rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf); + return -EINVAL; + } + switch (rr->ctrl_features[type].evt) { case QOS_MBA_MAX_EVENT_ID: case QOS_MBA_PBM_EVENT_ID: case QOS_MBA_MIN_EVENT_ID: - if (kstrtoul(buf, rr->ctrl_features[type].base, &data)) { - rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf); - return -EINVAL; - } - if (data < r->mbw.min_bw) { + if (data < r->mbw.min_bw || data >= rr->ctrl_features[type].max_wd) { rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", data, r->mbw.min_bw, rr->ctrl_features[type].max_wd - 1); return -EINVAL; @@ -356,19 +357,14 @@ parse_bw(char *buf, struct resctrl_resource *r, data = roundup(data, r->mbw.bw_gran); break; default: - if (kstrtoul(buf, rr->ctrl_features[type].base, &data)) { - rdt_last_cmd_printf("Non-decimal digit in MB value %s\n", buf); + if (data >= rr->ctrl_features[type].max_wd) { + rdt_last_cmd_printf("MB value %ld exceed %d\n", data, + rr->ctrl_features[type].max_wd - 1); return -EINVAL; } break; } - if (data >= rr->ctrl_features[type].max_wd) { - rdt_last_cmd_printf("MB value %ld out of range [%d,%d]\n", data, - r->mbw.min_bw, rr->ctrl_features[type].max_wd - 1); - return -EINVAL; - } - cfg->new_ctrl[type] = data; cfg->ctrl_updated[type] = true; cfg->have_new_ctrl = true; -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS 5071/21630] net/appletalk/sysctl_net_atalk.o: warning: objtool: missing symbol for section .init.text
by kernel test robot 22 Feb '24

22 Feb '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: caea2096c89e8d8cbaffde0d33f3c6d748c4d0c5 commit: 26179c0fe28fb046069105a0069632eb8e36a5ea [5071/21630] appletalk: Fix use-after-free in atalk_proc_exit config: x86_64-buildonly-randconfig-004-20240220 (https://download.01.org/0day-ci/archive/20240222/202402221413.OLVDezAt-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240222/202402221413.OLVDezAt-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202402221413.OLVDezAt-lkp@intel.com/ All warnings (new ones prefixed by >>): >> net/appletalk/sysctl_net_atalk.o: warning: objtool: missing symbol for section .init.text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 01/14] LoongArch: fix compile error caused by arch_trigger_cpumask_backtrace
by Hongchen Zhang 22 Feb '24

22 Feb '24

LoongArch inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9187I -------------------------------- Fixes: 491a30c1b02f ("nmi: backtrace: Allow runtime arch specific override") Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- arch/loongarch/include/asm/irq.h | 2 +- arch/loongarch/kernel/process.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/include/asm/irq.h b/arch/loongarch/include/asm/irq.h index 722eb1aa726f..e1b0195e0edf 100644 --- a/arch/loongarch/include/asm/irq.h +++ b/arch/loongarch/include/asm/irq.h @@ -40,7 +40,7 @@ void spurious_interrupt(void); #define NR_IRQS_LEGACY 16 #define arch_trigger_cpumask_backtrace arch_trigger_cpumask_backtrace -void arch_trigger_cpumask_backtrace(const struct cpumask *mask, int exclude_cpu); +bool arch_trigger_cpumask_backtrace(const struct cpumask *mask, int exclude_cpu); #define MAX_IO_PICS 2 #define NR_IRQS (64 + (256 * MAX_IO_PICS)) diff --git a/arch/loongarch/kernel/process.c b/arch/loongarch/kernel/process.c index 767d94cce0de..5342338e2075 100644 --- a/arch/loongarch/kernel/process.c +++ b/arch/loongarch/kernel/process.c @@ -348,9 +348,10 @@ static void raise_backtrace(cpumask_t *mask) } } -void arch_trigger_cpumask_backtrace(const cpumask_t *mask, int exclude_cpu) +bool arch_trigger_cpumask_backtrace(const cpumask_t *mask, int exclude_cpu) { nmi_trigger_cpumask_backtrace(mask, exclude_cpu, raise_backtrace); + return true; } #ifdef CONFIG_64BIT -- 2.33.0

2 15

[PATCH OLK-5.10] binder: fix use-after-free in shinker's callback
by Ze Zuo 22 Feb '24

22 Feb '24

From: Carlos Llamas <cmllamas(a)google.com> stable inclusion from stable-v5.10.209 commit c8c1158ffb007197f31f9d9170cf13e4f34cbb5c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I92HXG CVE: CVE-2023-52438 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3f489c2067c5824528212b0fc18b28d51332d906 upstream. The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway. Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") Cc: stable(a)vger.kernel.org Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Minchan Kim <minchan(a)kernel.org> Reviewed-by: Alice Ryhl <aliceryhl(a)google.com> Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Link: https://lore.kernel.org/r/20231201172212.1813387-3-cmllamas@google.com [cmllamas: use find_vma() instead of vma_lookup() as commit ce6d42f2e4a2 is missing in v5.10. This only works because we check the vma against our cached alloc->vma pointer.] Signed-off-by: Carlos Llamas <cmllamas(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ze Zuo <zuoze1(a)huawei.com> --- drivers/android/binder_alloc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c index a77ed66425f2..3c93e6c05c4d 100644 --- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -1002,7 +1002,9 @@ enum lru_status binder_alloc_free_page(struct list_head *item, goto err_mmget; if (!mmap_read_trylock(mm)) goto err_mmap_read_lock_failed; - vma = binder_alloc_get_vma(alloc); + vma = find_vma(mm, page_addr); + if (vma && vma != binder_alloc_get_vma(alloc)) + goto err_invalid_vma; list_lru_isolate(lru, item); spin_unlock(lock); @@ -1028,6 +1030,8 @@ enum lru_status binder_alloc_free_page(struct list_head *item, mutex_unlock(&alloc->mutex); return LRU_REMOVED_RETRY; +err_invalid_vma: + mmap_read_unlock(mm); err_mmap_read_lock_failed: mmput_async(mm); err_mmget: -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS 2828/21630] net/mac80211/rx.c:574:29: sparse: sparse: dubious: x & !y
by kernel test robot 22 Feb '24

22 Feb '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: caea2096c89e8d8cbaffde0d33f3c6d748c4d0c5 commit: 9baadf685a5618364776aed92067526bb40c137d [2828/21630] build_bug.h: remove most of dummy BUILD_BUG_ON stubs for Sparse config: x86_64-randconfig-123-20240220 (https://download.01.org/0day-ci/archive/20240222/202402221156.4n4BOuxm-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240222/202402221156.4n4BOuxm-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202402221156.4n4BOuxm-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> net/mac80211/rx.c:574:29: sparse: sparse: dubious: x & !y net/mac80211/rx.c: In function 'ieee80211_handle_mu_mimo_mon': net/mac80211/rx.c:224:9: warning: alignment 1 of 'struct <anonymous>' is less than 2 [-Wpacked-not-aligned] 224 | } __packed action; | ^ net/mac80211/rx.c: In function 'ieee80211_add_rx_radiotap_header': net/mac80211/rx.c:307:22: warning: taking address of packed member of 'struct ieee80211_radiotap_header' may result in an unaligned pointer value [-Waddress-of-packed-member] 307 | it_present = &rthdr->it_present; | ^~~~~~~~~~~~~~~~~~ net/mac80211/rx.o: warning: objtool: sta_ps_start()+0x30f: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_process_sa_query_req()+0x7a8: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_h_decrypt()+0xb52: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_h_defragment()+0x118c: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_h_mesh_fwding()+0x83a: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_deliver_skb()+0x6ce: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_h_action()+0x99c: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_add_rx_radiotap_header()+0x1c1c: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_monitor()+0x98: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_release_reorder_frame.constprop.0()+0x9c2: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_sta_reorder_release.isra.0()+0xbe: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_release_reorder_frames.isra.0()+0xee: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_sta_manage_reorder_buf.isra.0()+0x16a: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_reorder_ampdu()+0x1db: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_h_ctrl()+0x52f: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_accept_frame()+0x991: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_handlers()+0x1b2: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_prepare_and_rx_handle()+0x144: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_rx_napi()+0x13a: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_mark_rx_ba_filtered_frames()+0x44d: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_release_reorder_timeout()+0x3fc: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_check_fast_rx()+0x592: sibling call from callable instruction with modified stack frame net/mac80211/rx.o: warning: objtool: ieee80211_clear_fast_rx()+0x28: sibling call from callable instruction with modified stack frame vim +574 net/mac80211/rx.c 41cbb0f5a29592 Luca Coelho 2018-06-09 554 41cbb0f5a29592 Luca Coelho 2018-06-09 555 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) { 41cbb0f5a29592 Luca Coelho 2018-06-09 556 he.data6 |= HE_PREP(DATA6_NSTS, 41cbb0f5a29592 Luca Coelho 2018-06-09 557 FIELD_GET(RX_ENC_FLAG_STBC_MASK, 41cbb0f5a29592 Luca Coelho 2018-06-09 558 status->enc_flags)); 41cbb0f5a29592 Luca Coelho 2018-06-09 559 he.data3 |= HE_PREP(DATA3_STBC, 1); 41cbb0f5a29592 Luca Coelho 2018-06-09 560 } else { 41cbb0f5a29592 Luca Coelho 2018-06-09 561 he.data6 |= HE_PREP(DATA6_NSTS, status->nss); 41cbb0f5a29592 Luca Coelho 2018-06-09 562 } 41cbb0f5a29592 Luca Coelho 2018-06-09 563 41cbb0f5a29592 Luca Coelho 2018-06-09 564 #define CHECK_GI(s) \ 41cbb0f5a29592 Luca Coelho 2018-06-09 565 BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \ 41cbb0f5a29592 Luca Coelho 2018-06-09 566 (int)NL80211_RATE_INFO_HE_GI_##s) 41cbb0f5a29592 Luca Coelho 2018-06-09 567 41cbb0f5a29592 Luca Coelho 2018-06-09 568 CHECK_GI(0_8); 41cbb0f5a29592 Luca Coelho 2018-06-09 569 CHECK_GI(1_6); 41cbb0f5a29592 Luca Coelho 2018-06-09 570 CHECK_GI(3_2); 41cbb0f5a29592 Luca Coelho 2018-06-09 571 41cbb0f5a29592 Luca Coelho 2018-06-09 572 he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx); 41cbb0f5a29592 Luca Coelho 2018-06-09 573 he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm); 41cbb0f5a29592 Luca Coelho 2018-06-09 @574 he.data3 |= HE_PREP(DATA3_CODING, 41cbb0f5a29592 Luca Coelho 2018-06-09 575 !!(status->enc_flags & RX_ENC_FLAG_LDPC)); 41cbb0f5a29592 Luca Coelho 2018-06-09 576 41cbb0f5a29592 Luca Coelho 2018-06-09 577 he.data5 |= HE_PREP(DATA5_GI, status->he_gi); 41cbb0f5a29592 Luca Coelho 2018-06-09 578 41cbb0f5a29592 Luca Coelho 2018-06-09 579 switch (status->bw) { 41cbb0f5a29592 Luca Coelho 2018-06-09 580 case RATE_INFO_BW_20: 41cbb0f5a29592 Luca Coelho 2018-06-09 581 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC, 41cbb0f5a29592 Luca Coelho 2018-06-09 582 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ); 41cbb0f5a29592 Luca Coelho 2018-06-09 583 break; 41cbb0f5a29592 Luca Coelho 2018-06-09 584 case RATE_INFO_BW_40: 41cbb0f5a29592 Luca Coelho 2018-06-09 585 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC, 41cbb0f5a29592 Luca Coelho 2018-06-09 586 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ); 41cbb0f5a29592 Luca Coelho 2018-06-09 587 break; 41cbb0f5a29592 Luca Coelho 2018-06-09 588 case RATE_INFO_BW_80: 41cbb0f5a29592 Luca Coelho 2018-06-09 589 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC, 41cbb0f5a29592 Luca Coelho 2018-06-09 590 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ); 41cbb0f5a29592 Luca Coelho 2018-06-09 591 break; 41cbb0f5a29592 Luca Coelho 2018-06-09 592 case RATE_INFO_BW_160: 41cbb0f5a29592 Luca Coelho 2018-06-09 593 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC, 41cbb0f5a29592 Luca Coelho 2018-06-09 594 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ); 41cbb0f5a29592 Luca Coelho 2018-06-09 595 break; 41cbb0f5a29592 Luca Coelho 2018-06-09 596 case RATE_INFO_BW_HE_RU: 41cbb0f5a29592 Luca Coelho 2018-06-09 597 #define CHECK_RU_ALLOC(s) \ 41cbb0f5a29592 Luca Coelho 2018-06-09 598 BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \ 41cbb0f5a29592 Luca Coelho 2018-06-09 599 NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4) 41cbb0f5a29592 Luca Coelho 2018-06-09 600 41cbb0f5a29592 Luca Coelho 2018-06-09 601 CHECK_RU_ALLOC(26); 41cbb0f5a29592 Luca Coelho 2018-06-09 602 CHECK_RU_ALLOC(52); 41cbb0f5a29592 Luca Coelho 2018-06-09 603 CHECK_RU_ALLOC(106); 41cbb0f5a29592 Luca Coelho 2018-06-09 604 CHECK_RU_ALLOC(242); 41cbb0f5a29592 Luca Coelho 2018-06-09 605 CHECK_RU_ALLOC(484); 41cbb0f5a29592 Luca Coelho 2018-06-09 606 CHECK_RU_ALLOC(996); 41cbb0f5a29592 Luca Coelho 2018-06-09 607 CHECK_RU_ALLOC(2x996); 41cbb0f5a29592 Luca Coelho 2018-06-09 608 41cbb0f5a29592 Luca Coelho 2018-06-09 609 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC, 41cbb0f5a29592 Luca Coelho 2018-06-09 610 status->he_ru + 4); 41cbb0f5a29592 Luca Coelho 2018-06-09 611 break; 41cbb0f5a29592 Luca Coelho 2018-06-09 612 default: 41cbb0f5a29592 Luca Coelho 2018-06-09 613 WARN_ONCE(1, "Invalid SU BW %d\n", status->bw); 41cbb0f5a29592 Luca Coelho 2018-06-09 614 } 41cbb0f5a29592 Luca Coelho 2018-06-09 615 41cbb0f5a29592 Luca Coelho 2018-06-09 616 /* ensure 2 byte alignment */ 41cbb0f5a29592 Luca Coelho 2018-06-09 617 while ((pos - (u8 *)rthdr) & 1) 41cbb0f5a29592 Luca Coelho 2018-06-09 618 pos++; 41cbb0f5a29592 Luca Coelho 2018-06-09 619 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE); 41cbb0f5a29592 Luca Coelho 2018-06-09 620 memcpy(pos, &he, sizeof(he)); 41cbb0f5a29592 Luca Coelho 2018-06-09 621 pos += sizeof(he); 41cbb0f5a29592 Luca Coelho 2018-06-09 622 } 41cbb0f5a29592 Luca Coelho 2018-06-09 623 41cbb0f5a29592 Luca Coelho 2018-06-09 624 if (status->encoding == RX_ENC_HE && 41cbb0f5a29592 Luca Coelho 2018-06-09 625 status->flag & RX_FLAG_RADIOTAP_HE_MU) { 41cbb0f5a29592 Luca Coelho 2018-06-09 626 /* ensure 2 byte alignment */ 41cbb0f5a29592 Luca Coelho 2018-06-09 627 while ((pos - (u8 *)rthdr) & 1) 41cbb0f5a29592 Luca Coelho 2018-06-09 628 pos++; 41cbb0f5a29592 Luca Coelho 2018-06-09 629 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE_MU); 41cbb0f5a29592 Luca Coelho 2018-06-09 630 memcpy(pos, &he_mu, sizeof(he_mu)); 41cbb0f5a29592 Luca Coelho 2018-06-09 631 pos += sizeof(he_mu); 41cbb0f5a29592 Luca Coelho 2018-06-09 632 } 41cbb0f5a29592 Luca Coelho 2018-06-09 633 a144f378a489b5 Johannes Berg 2013-07-03 634 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) { a144f378a489b5 Johannes Berg 2013-07-03 635 *pos++ = status->chain_signal[chain]; a144f378a489b5 Johannes Berg 2013-07-03 636 *pos++ = chain; a144f378a489b5 Johannes Berg 2013-07-03 637 } 1f7bba79af57ce Johannes Berg 2014-11-06 638 1f7bba79af57ce Johannes Berg 2014-11-06 639 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) { 1f7bba79af57ce Johannes Berg 2014-11-06 640 /* ensure 2 byte alignment for the vendor field as required */ 1f7bba79af57ce Johannes Berg 2014-11-06 641 if ((pos - (u8 *)rthdr) & 1) 1f7bba79af57ce Johannes Berg 2014-11-06 642 *pos++ = 0; 1f7bba79af57ce Johannes Berg 2014-11-06 643 *pos++ = rtap.oui[0]; 1f7bba79af57ce Johannes Berg 2014-11-06 644 *pos++ = rtap.oui[1]; 1f7bba79af57ce Johannes Berg 2014-11-06 645 *pos++ = rtap.oui[2]; 1f7bba79af57ce Johannes Berg 2014-11-06 646 *pos++ = rtap.subns; 1f7bba79af57ce Johannes Berg 2014-11-06 647 put_unaligned_le16(rtap.len, pos); 1f7bba79af57ce Johannes Berg 2014-11-06 648 pos += 2; 1f7bba79af57ce Johannes Berg 2014-11-06 649 /* align the actual payload as requested */ 1f7bba79af57ce Johannes Berg 2014-11-06 650 while ((pos - (u8 *)rthdr) & (rtap.align - 1)) 1f7bba79af57ce Johannes Berg 2014-11-06 651 *pos++ = 0; 1f7bba79af57ce Johannes Berg 2014-11-06 652 /* data (and possible padding) already follows */ 1f7bba79af57ce Johannes Berg 2014-11-06 653 } 601ae7f25aea58 Bruno Randolf 2008-05-08 654 } 601ae7f25aea58 Bruno Randolf 2008-05-08 655 :::::: The code at line 574 was first introduced by commit :::::: 41cbb0f5a29592874355e4159489eb08337cd50e mac80211: add support for HE :::::: TO: Luca Coelho <luciano.coelho(a)intel.com> :::::: CC: Johannes Berg <johannes.berg(a)intel.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 00/14] LoongArch: fix some known issue and update defconfig
by Hongchen Zhang 22 Feb '24

22 Feb '24

Bibo Mao (1): LoongArch: Implement constant timer shutdown interface Chong Qiao (1): irqchip/loongson-pch-pic: 7a1000 int_clear reg must use 64bit write. Hongchen Zhang (3): LoongArch: fix compile error caused by arch_trigger_cpumask_backtrace usb: xhci: add XHCI_NO_SOFT_RETRY quirk for EJ188 net: stmmac: fix potential double free of dma descriptor resources Huacai Chen (1): drm/radeon: Workaround radeon driver bug for Loongson Jianmin Lv (1): LoongArch: Remove generic irq migration Tianli Xiong (1): irqchip/loongson-liointc: Set different isr for differnt core Yingkun Meng (1): LoongArch: defconfig: Enable a large number of configurations Youling Tang (4): LoongArch: kdump: Add memory reservation for old kernel LoongArch: kexec: Add compatibility with old interfaces LoongArch: Fix kdump failure on v40 interface specification LoongArch: kdump: Add high memory reservation zhangtianyang (1): LoongArch: Adapted SECTION_SIZE_BITS with page size arch/loongarch/Kconfig | 1 - arch/loongarch/configs/loongson3_defconfig | 1577 +++++++++++++++-- arch/loongarch/include/asm/irq.h | 3 +- arch/loongarch/include/asm/sparsemem.h | 2 +- arch/loongarch/kernel/irq.c | 36 + arch/loongarch/kernel/machine_kexec.c | 45 +- arch/loongarch/kernel/process.c | 3 +- arch/loongarch/kernel/setup.c | 94 +- arch/loongarch/kernel/smp.c | 3 +- arch/loongarch/kernel/time.c | 23 +- drivers/gpu/drm/radeon/cik.c | 3 + drivers/gpu/drm/radeon/evergreen.c | 3 + drivers/gpu/drm/radeon/r600.c | 3 + drivers/gpu/drm/radeon/si.c | 3 + drivers/irqchip/irq-loongson-liointc.c | 4 +- drivers/irqchip/irq-loongson-pch-pic.c | 16 +- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 11 + drivers/usb/host/xhci-pci.c | 6 + kernel/irq/Kconfig | 4 +- 19 files changed, 1639 insertions(+), 201 deletions(-) -- 2.33.0

1 13

[PATCH OLK-5.10] f2fs: explicitly null-terminate the xattr list
by Zizhi Wo 22 Feb '24

22 Feb '24

From: Eric Biggers <ebiggers(a)google.com> mainline inclusion from mainline-v6.8-rc1 commit e26b6d39270f5eab0087453d9b544189a38c8564 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I92HXK CVE: CVE-2023-52436 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed. Signed-off-by: Eric Biggers <ebiggers(a)google.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/f2fs/xattr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index f44c60114379..dd50b747b671 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -741,6 +741,12 @@ static int __f2fs_setxattr(struct inode *inode, int index, memcpy(pval, value, size); last->e_value_size = cpu_to_le16(size); new_hsize += newsize; + /* + * Explicitly add the null terminator. The unused xattr space + * is supposed to always be zeroed, which would make this + * unnecessary, but don't depend on that. + */ + *(u32 *)((u8 *)last + newsize) = 0; } error = write_all_xattrs(inode, new_hsize, base_addr, ipage); -- 2.39.2

2 1

[PATCH OLK-6.6] f2fs: explicitly null-terminate the xattr list
by Zizhi Wo 22 Feb '24

22 Feb '24

From: Eric Biggers <ebiggers(a)google.com> mainline inclusion from mainline-v6.8-rc1 commit e26b6d39270f5eab0087453d9b544189a38c8564 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I92HXK CVE: CVE-2023-52436 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed. Signed-off-by: Eric Biggers <ebiggers(a)google.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/f2fs/xattr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 465d145360de..e197657db36b 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -754,6 +754,12 @@ static int __f2fs_setxattr(struct inode *inode, int index, memcpy(pval, value, size); last->e_value_size = cpu_to_le16(size); new_hsize += newsize; + /* + * Explicitly add the null terminator. The unused xattr space + * is supposed to always be zeroed, which would make this + * unnecessary, but don't depend on that. + */ + *(u32 *)((u8 *)last + newsize) = 0; } error = write_all_xattrs(inode, new_hsize, base_addr, ipage); -- 2.39.2

2 1

2024

2023

2022

2021

2020

2019

Kernel