From: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
stable inclusion
from stable-v5.10.216
commit aa44d21574751a7d6bca892eb8e0e9ac68372e52
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9HX
CVE: CVE-2024-35847
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with the area bitmap and the vprop_page and
its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
vprop_page again.
Fix this by unconditionally invoking its_vpe_irq_domain_free() which
handles all cases correctly and by removing the bitmap/vprop_page freeing
from its_vpe_irq_domain_alloc().
[ tglx: Massaged change log ]
Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
Signed-off-by: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibab…
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 806359f3376a..8a716da480b0 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -5210,13 +5210,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
set_bit(i, bitmap);
}
- if (err) {
- if (i > 0)
- its_vpe_irq_domain_free(domain, virq, i);
-
- its_lpi_free(bitmap, base, nr_ids);
- its_free_prop_table(vprop_page);
- }
+ if (err)
+ its_vpe_irq_domain_free(domain, virq, i);
return err;
}
--
2.25.1
From: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
stable inclusion
from stable-v5.10.216
commit aa44d21574751a7d6bca892eb8e0e9ac68372e52
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9HX
CVE: CVE-2024-35847
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with the area bitmap and the vprop_page and
its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
vprop_page again.
Fix this by unconditionally invoking its_vpe_irq_domain_free() which
handles all cases correctly and by removing the bitmap/vprop_page freeing
from its_vpe_irq_domain_alloc().
[ tglx: Massaged change log ]
Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
Signed-off-by: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibab…
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 806359f3376a..8a716da480b0 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -5210,13 +5210,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
set_bit(i, bitmap);
}
- if (err) {
- if (i > 0)
- its_vpe_irq_domain_free(domain, virq, i);
-
- its_lpi_free(bitmap, base, nr_ids);
- its_free_prop_table(vprop_page);
- }
+ if (err)
+ its_vpe_irq_domain_free(domain, virq, i);
return err;
}
--
2.25.1
From: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
stable inclusion
from stable-v5.10.216
commit aa44d21574751a7d6bca892eb8e0e9ac68372e52
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9HX
CVE: CVE-2024-35847
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
The error handling path in its_vpe_irq_domain_alloc() causes a double free
when its_vpe_init() fails after successfully allocating at least one
interrupt. This happens because its_vpe_irq_domain_free() frees the
interrupts along with the area bitmap and the vprop_page and
its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
vprop_page again.
Fix this by unconditionally invoking its_vpe_irq_domain_free() which
handles all cases correctly and by removing the bitmap/vprop_page freeing
from its_vpe_irq_domain_alloc().
[ tglx: Massaged change log ]
Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
Signed-off-by: Guanrui Huang <guanrui.huang(a)linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Reviewed-by: Zenghui Yu <yuzenghui(a)huawei.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibab…
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 806359f3376a..8a716da480b0 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -5210,13 +5210,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
set_bit(i, bitmap);
}
- if (err) {
- if (i > 0)
- its_vpe_irq_domain_free(domain, virq, i);
-
- its_lpi_free(bitmap, base, nr_ids);
- its_free_prop_table(vprop_page);
- }
+ if (err)
+ its_vpe_irq_domain_free(domain, virq, i);
return err;
}
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: bb74bc369fd2ab5f41a32c4ddc2e23bc76c3c550
commit: ef20808db09987137fba30519fb94a6b12b63ee7 [9620/9669] Add kh40000_iommu_dma_ops for KH-40000 platform
config: x86_64-buildonly-randconfig-002-20240520 (https://download.01.org/0day-ci/archive/20240520/202405202248.hKgUtGVI-lkp@…)
compiler: gcc-11 (Ubuntu 11.4.0-4ubuntu1) 11.4.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240520/202405202248.hKgUtGVI-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405202248.hKgUtGVI-lkp@intel.com/
All errors (new ones prefixed by >>):
arch/x86/kernel/zhaoxin_kh40000.c: In function 'kh40000_set_iommu_dma_ops':
>> arch/x86/kernel/zhaoxin_kh40000.c:348:16: error: 'struct device' has no member named 'dma_ops'
348 | if (dev->dma_ops) {
| ^~
arch/x86/kernel/zhaoxin_kh40000.c:349:36: error: 'struct device' has no member named 'dma_ops'
349 | iommu_dma_ops = dev->dma_ops;
| ^~
vim +348 arch/x86/kernel/zhaoxin_kh40000.c
345
346 void kh40000_set_iommu_dma_ops(struct device *dev)
347 {
> 348 if (dev->dma_ops) {
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: bb74bc369fd2ab5f41a32c4ddc2e23bc76c3c550
commit: ef20808db09987137fba30519fb94a6b12b63ee7 [9620/9669] Add kh40000_iommu_dma_ops for KH-40000 platform
config: x86_64-buildonly-randconfig-001-20240520 (https://download.01.org/0day-ci/archive/20240520/202405202228.Trf7bvHA-lkp@…)
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240520/202405202228.Trf7bvHA-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405202228.Trf7bvHA-lkp@intel.com/
All errors (new ones prefixed by >>):
arch/x86/kernel/zhaoxin_kh40000.c:47:30: warning: bitwise or with non-zero value always evaluates to true [-Wtautological-bitwise-compare]
47 | if (ZHAOXIN_P2CW_NODE_CHECK | zhaoxin_patch_code)
| ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~
arch/x86/kernel/zhaoxin_kh40000.c:87:33: error: call to undeclared function 'iommu_get_dma_domain'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
87 | struct iommu_domain *domain = iommu_get_dma_domain(dev);
| ^
arch/x86/kernel/zhaoxin_kh40000.c:87:33: note: did you mean 'iommu_is_dma_domain'?
include/linux/iommu.h:273:20: note: 'iommu_is_dma_domain' declared here
273 | static inline bool iommu_is_dma_domain(struct iommu_domain *domain)
| ^
arch/x86/kernel/zhaoxin_kh40000.c:87:24: error: incompatible integer to pointer conversion initializing 'struct iommu_domain *' with an expression of type 'int' [-Wint-conversion]
87 | struct iommu_domain *domain = iommu_get_dma_domain(dev);
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~~
>> arch/x86/kernel/zhaoxin_kh40000.c:348:11: error: no member named 'dma_ops' in 'struct device'
348 | if (dev->dma_ops) {
| ~~~ ^
arch/x86/kernel/zhaoxin_kh40000.c:349:24: error: no member named 'dma_ops' in 'struct device'
349 | iommu_dma_ops = dev->dma_ops;
| ~~~ ^
1 warning and 4 errors generated.
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for CRYPTO_CRC32C_INTEL
Depends on [n]: CRYPTO [=y] && !KMSAN [=y] && X86 [=y]
Selected by [y]:
- ISCSI_TARGET [=y] && TARGET_CORE [=y] && INET [=y] && X86 [=y]
vim +348 arch/x86/kernel/zhaoxin_kh40000.c
345
346 void kh40000_set_iommu_dma_ops(struct device *dev)
347 {
> 348 if (dev->dma_ops) {
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
hulk inclusion
category: performance
bugzilla: https://gitee.com/openeuler/kernel/issues/I9QSJ5
CVE: NA
--------------------------------
jbd2_transaction_committed() is used to check whether a transaction with
the given tid has already committed, it holds j_state_lock in read mode
and check the tid of current running transaction and committing
transaction, but holding the j_state_lock is expensive.
We have already stored the sequence number of the most recently
committed transaction in journal t->j_commit_sequence, we could do this
check by comparing it with the given tid instead. If the given tid isn't
smaller than j_commit_sequence, we can ensure that the given transaction
has been committed. That way we could drop the expensive lock and
achieve about 10% ~ 20% performance gains in concurrent DIOs on may
virtual machine with 100G ramdisk.
fio -filename=/mnt/foo -direct=1 -iodepth=10 -rw=$rw -ioengine=libaio \
-bs=4k -size=10G -numjobs=10 -runtime=60 -overwrite=1 -name=test \
-group_reporting
Before:
overwrite IOPS=88.2k, BW=344MiB/s
read IOPS=95.7k, BW=374MiB/s
rand overwrite IOPS=98.7k, BW=386MiB/s
randread IOPS=102k, BW=397MiB/s
After:
overwrite IOPS=105k, BW=410MiB/s
read IOPS=112k, BW=436MiB/s
rand overwrite IOPS=104k, BW=404MiB/s
randread IOPS=111k, BW=432MiB/s
CC: Dave Chinner <david(a)fromorbit.com>
Suggested-by: Dave Chinner <david(a)fromorbit.com>
Link: https://lore.kernel.org/linux-ext4/ZjILCPNZRHeazSqV@dread.disaster.area/
Signed-off-by: Zhang Yi <yi.zhang(a)huawei.com>
Reviewed-by: Jan Kara <jack(a)suse.cz>
---
fs/jbd2/commit.c | 2 +-
fs/jbd2/journal.c | 12 +-----------
2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
index 5e122586e06e..8244cab17688 100644
--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
@@ -1108,7 +1108,7 @@ void jbd2_journal_commit_transaction(journal_t *journal)
commit_transaction->t_state = T_COMMIT_CALLBACK;
J_ASSERT(commit_transaction == journal->j_committing_transaction);
- journal->j_commit_sequence = commit_transaction->t_tid;
+ WRITE_ONCE(journal->j_commit_sequence, commit_transaction->t_tid);
journal->j_committing_transaction = NULL;
commit_time = ktime_to_ns(ktime_sub(ktime_get(), start_time));
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 19c69229ac6e..fc4c7a2bf6d5 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -789,17 +789,7 @@ EXPORT_SYMBOL(jbd2_fc_end_commit_fallback);
/* Return 1 when transaction with given tid has already committed. */
int jbd2_transaction_committed(journal_t *journal, tid_t tid)
{
- int ret = 1;
-
- read_lock(&journal->j_state_lock);
- if (journal->j_running_transaction &&
- journal->j_running_transaction->t_tid == tid)
- ret = 0;
- if (journal->j_committing_transaction &&
- journal->j_committing_transaction->t_tid == tid)
- ret = 0;
- read_unlock(&journal->j_state_lock);
- return ret;
+ return tid_geq(READ_ONCE(journal->j_commit_sequence), tid);
}
EXPORT_SYMBOL(jbd2_transaction_committed);
--
2.39.2
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: bb74bc369fd2ab5f41a32c4ddc2e23bc76c3c550
commit: 4332dbb07181359cccca3ba757ef54e434fb1296 [9619/9669] Add kh40000_direct_dma_ops for KH-40000 platform
config: x86_64-buildonly-randconfig-002-20240520 (https://download.01.org/0day-ci/archive/20240520/202405202102.9bImbUvA-lkp@…)
compiler: gcc-11 (Ubuntu 11.4.0-4ubuntu1) 11.4.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240520/202405202102.9bImbUvA-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202405202102.9bImbUvA-lkp@intel.com/
All errors (new ones prefixed by >>):
kernel/dma/contiguous.c: In function 'dma_contiguous_reserve':
>> kernel/dma/contiguous.c:228:13: error: 'is_zhaoxin_kh40000' undeclared (first use in this function)
228 | if (is_zhaoxin_kh40000)
| ^~~~~~~~~~~~~~~~~~
kernel/dma/contiguous.c:228:13: note: each undeclared identifier is reported only once for each function it appears in
vim +/is_zhaoxin_kh40000 +228 kernel/dma/contiguous.c
208
209 /**
210 * dma_contiguous_reserve() - reserve area(s) for contiguous memory handling
211 * @limit: End address of the reserved memory (optional, 0 for any).
212 *
213 * This function reserves memory from early allocator. It should be
214 * called by arch specific code once the early allocator (memblock or bootmem)
215 * has been activated and all other subsystems have already allocated/reserved
216 * memory.
217 */
218 void __init dma_contiguous_reserve(phys_addr_t limit)
219 {
220 phys_addr_t selected_size = 0;
221 phys_addr_t selected_base = 0;
222 phys_addr_t selected_limit = limit;
223 bool fixed = false;
224
225 dma_numa_cma_reserve();
226
227 #if defined(CONFIG_X86_64) && defined(CONFIG_PCI)
> 228 if (is_zhaoxin_kh40000)
229 return;
230 #endif
231 pr_debug("%s(limit %08lx)\n", __func__, (unsigned long)limit);
232
233 if (size_cmdline != -1) {
234 selected_size = size_cmdline;
235 selected_base = base_cmdline;
236 selected_limit = min_not_zero(limit_cmdline, limit);
237 if (base_cmdline + size_cmdline == limit_cmdline)
238 fixed = true;
239 } else {
240 #ifdef CONFIG_CMA_SIZE_SEL_MBYTES
241 selected_size = size_bytes;
242 #elif defined(CONFIG_CMA_SIZE_SEL_PERCENTAGE)
243 selected_size = cma_early_percent_memory();
244 #elif defined(CONFIG_CMA_SIZE_SEL_MIN)
245 selected_size = min(size_bytes, cma_early_percent_memory());
246 #elif defined(CONFIG_CMA_SIZE_SEL_MAX)
247 selected_size = max(size_bytes, cma_early_percent_memory());
248 #endif
249 }
250
251 if (selected_size && !dma_contiguous_default_area) {
252 pr_debug("%s: reserving %ld MiB for global area\n", __func__,
253 (unsigned long)selected_size / SZ_1M);
254
255 dma_contiguous_reserve_area(selected_size, selected_base,
256 selected_limit,
257 &dma_contiguous_default_area,
258 fixed);
259 }
260 }
261
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki