- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] mm: avoid unconditional one-tick sleep when swapcache_prepare fails
by Jinjiang Tu 28 Dec '24

28 Dec '24

From: Barry Song <v-songbaohua(a)oppo.com> mainline inclusion from mainline-v6.12-rc6 commit 01626a18230246efdcea322aa8f067e60ffe5ccd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB7294 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Commit 13ddaf26be32 ("mm/swap: fix race when skipping swapcache") introduced an unconditional one-tick sleep when `swapcache_prepare()` fails, which has led to reports of UI stuttering on latency-sensitive Android devices. To address this, we can use a waitqueue to wake up tasks that fail `swapcache_prepare()` sooner, instead of always sleeping for a full tick. While tasks may occasionally be woken by an unrelated `do_swap_page()`, this method is preferable to two scenarios: rapid re-entry into page faults, which can cause livelocks, and multiple millisecond sleeps, which visibly degrade user experience. Oven's testing shows that a single waitqueue resolves the UI stuttering issue. If a 'thundering herd' problem becomes apparent later, a waitqueue hash similar to `folio_wait_table[PAGE_WAIT_TABLE_SIZE]` for page bit locks can be introduced. [v-songbaohua(a)oppo.com: wake_up only when swapcache_wq waitqueue is active] Link: https://lkml.kernel.org/r/20241008130807.40833-1-21cnbao@gmail.com Link: https://lkml.kernel.org/r/20240926211936.75373-1-21cnbao@gmail.com Fixes: 13ddaf26be32 ("mm/swap: fix race when skipping swapcache") Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Reported-by: Oven Liyang <liyangouwen1(a)oppo.com> Tested-by: Oven Liyang <liyangouwen1(a)oppo.com> Cc: Kairui Song <kasong(a)tencent.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Yosry Ahmed <yosryahmed(a)google.com> Cc: SeongJae Park <sj(a)kernel.org> Cc: Kalesh Singh <kaleshsingh(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Conflicts: mm/memory.c [Context conflicts.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/memory.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 20869d0cd5a1..f580b9c54247 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -3397,6 +3397,8 @@ void unmap_mapping_range(struct address_space *mapping, } EXPORT_SYMBOL(unmap_mapping_range); +static DECLARE_WAIT_QUEUE_HEAD(swapcache_wq); + /* * We enter with non-exclusive mmap_lock (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. @@ -3408,6 +3410,7 @@ EXPORT_SYMBOL(unmap_mapping_range); vm_fault_t do_swap_page(struct vm_fault *vmf) { struct vm_area_struct *vma = vmf->vma; + DECLARE_WAITQUEUE(wait, current); struct page *page = NULL, *swapcache; struct swap_info_struct *si = NULL; bool need_clear_cache = false; @@ -3475,7 +3478,9 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) */ if (swapcache_prepare(entry)) { /* Relax a bit to prevent rapid repeated page faults */ + add_wait_queue(&swapcache_wq, &wait); schedule_timeout_uninterruptible(1); + remove_wait_queue(&swapcache_wq, &wait); goto out; } need_clear_cache = true; @@ -3650,8 +3655,11 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) pte_unmap_unlock(vmf->pte, vmf->ptl); out: /* Clear the swap cache pin for direct swapin after PTL unlock */ - if (need_clear_cache) + if (need_clear_cache) { swapcache_clear(si, entry); + if (waitqueue_active(&swapcache_wq)) + wake_up(&swapcache_wq); + } if (si) put_swap_device(si); return ret; @@ -3665,8 +3673,11 @@ vm_fault_t do_swap_page(struct vm_fault *vmf) unlock_page(swapcache); put_page(swapcache); } - if (need_clear_cache) + if (need_clear_cache) { swapcache_clear(si, entry); + if (waitqueue_active(&swapcache_wq)) + wake_up(&swapcache_wq); + } if (si) put_swap_device(si); return ret; -- 2.34.1

2 1

[PATCH OLK-5.10] mm/khugepaged: fix ->anon_vma race
by Jinjiang Tu 28 Dec '24

28 Dec '24

From: Jann Horn <jannh(a)google.com> mainline inclusion from mainline-v6.2-rc7 commit 023f47a8250c6bdb4aebe744db4bf7f73414028b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBE8BO Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires it to be locked. Page table traversal is allowed under any one of the mmap lock, the anon_vma lock (if the VMA is associated with an anon_vma), and the mapping lock (if the VMA is associated with a mapping); and so to be able to remove page tables, we must hold all three of them. retract_page_tables() bails out if an ->anon_vma is attached, but does this check before holding the mmap lock (as the comment above the check explains). If we racily merged an existing ->anon_vma (shared with a child process) from a neighboring VMA, subsequent rmap traversals on pages belonging to the child will be able to see the page tables that we are concurrently removing while assuming that nothing else can access them. Repeat the ->anon_vma check once we hold the mmap lock to ensure that there really is no concurrent page table access. Hitting this bug causes a lockdep warning in collapse_and_free_pmd(), in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)". It can also lead to use-after-free access. Link: https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_… Link: https://lkml.kernel.org/r/20230111133351.807024-1-jannh@google.com Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Jann Horn <jannh(a)google.com> Reported-by: Zach O'Keefe <zokeefe(a)google.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)intel.linux.com> Reviewed-by: Yang Shi <shy828301(a)gmail.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Conflicts: mm/khugepaged.c [Conflicts due to 34488399fa08 ("mm/madvise: add file and shmem support to MADV_COLLAPSE") is not merged.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/khugepaged.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 1d5a985ae4cd..a3f45bca187b 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1623,7 +1623,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) * has higher cost too. It would also probably require locking * the anon_vma. */ - if (vma->anon_vma) + if (READ_ONCE(vma->anon_vma)) continue; addr = vma->vm_start + ((pgoff - vma->vm_pgoff) << PAGE_SHIFT); if (addr & ~HPAGE_PMD_MASK) @@ -1642,6 +1642,18 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) * reverse order. Trylock is a way to avoid deadlock. */ if (mmap_write_trylock(mm)) { + /* + * Re-check whether we have an ->anon_vma, because + * collapse_and_free_pmd() requires that either no + * ->anon_vma exists or the anon_vma is locked. + * We already checked ->anon_vma above, but that check + * is racy because ->anon_vma can be populated under the + * mmap lock in read mode. + */ + if (vma->anon_vma) { + mmap_write_unlock(mm); + continue; + } if (!khugepaged_test_exit(mm)) { struct mmu_notifier_range range; -- 2.34.1

2 1

[openeuler:OLK-5.10 2600/2600] kernel/sched/core.c:9822:6: sparse: sparse: symbol 'sched_setsteal' was not declared. Should it be static?
by kernel test robot 28 Dec '24

28 Dec '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 053a6b6f8e4c86200cdb20bc80c063c3bb119859 commit: b7772972a0a76efac27078392f3f706914fe2af7 [2600/2600] sched/core: Add cpu.steal_task in cgroup v1 cpu subsystem config: arm64-randconfig-r133-20241227 (https://download.01.org/0day-ci/archive/20241228/202412280954.LFjWVbbl-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce: (https://download.01.org/0day-ci/archive/20241228/202412280954.LFjWVbbl-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412280954.LFjWVbbl-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) kernel/sched/core.c:635:39: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct task_struct *task @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:635:39: sparse: expected struct task_struct *task kernel/sched/core.c:635:39: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:705:48: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected struct task_struct *p @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:705:48: sparse: expected struct task_struct *p kernel/sched/core.c:705:48: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:959:38: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected struct task_struct *curr @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:959:38: sparse: expected struct task_struct *curr kernel/sched/core.c:959:38: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:1014:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected struct sched_domain *[assigned] sd @@ got struct sched_domain [noderef] __rcu *parent @@ kernel/sched/core.c:1014:9: sparse: expected struct sched_domain *[assigned] sd kernel/sched/core.c:1014:9: sparse: got struct sched_domain [noderef] __rcu *parent kernel/sched/core.c:2067:33: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct task_struct *p @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:2067:33: sparse: expected struct task_struct *p kernel/sched/core.c:2067:33: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:2067:68: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct task_struct *tsk @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:2067:68: sparse: expected struct task_struct *tsk kernel/sched/core.c:2067:68: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:2809:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected struct sched_domain *[assigned] sd @@ got struct sched_domain [noderef] __rcu *parent @@ kernel/sched/core.c:2809:17: sparse: expected struct sched_domain *[assigned] sd kernel/sched/core.c:2809:17: sparse: got struct sched_domain [noderef] __rcu *parent kernel/sched/core.c:3010:36: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct task_struct const *p @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:3010:36: sparse: expected struct task_struct const *p kernel/sched/core.c:3010:36: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:4447:38: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected struct task_struct *curr @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:4447:38: sparse: expected struct task_struct *curr kernel/sched/core.c:4447:38: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:5341:14: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected struct task_struct *prev @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:5341:14: sparse: expected struct task_struct *prev kernel/sched/core.c:5341:14: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:6010:17: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/core.c:6010:17: sparse: struct task_struct * kernel/sched/core.c:6010:17: sparse: struct task_struct [noderef] __rcu * kernel/sched/core.c:6208:22: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/core.c:6208:22: sparse: struct task_struct [noderef] __rcu * kernel/sched/core.c:6208:22: sparse: struct task_struct * >> kernel/sched/core.c:9822:6: sparse: sparse: symbol 'sched_setsteal' was not declared. Should it be static? >> kernel/sched/core.c:9854:5: sparse: sparse: symbol 'tg_change_steal' was not declared. Should it be static? kernel/sched/core.c:10398:25: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct task_struct *p @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/core.c:10398:25: sparse: expected struct task_struct *p kernel/sched/core.c:10398:25: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c: note: in included file: kernel/sched/sched.h:1411:17: sparse: sparse: self-comparison always evaluates to true kernel/sched/core.c:460:6: sparse: sparse: context imbalance in 'raw_spin_rq_lock_nested' - wrong count at exit kernel/sched/sched.h:1411:17: sparse: sparse: self-comparison always evaluates to true kernel/sched/core.c:493:23: sparse: sparse: context imbalance in 'raw_spin_rq_trylock' - wrong count at exit kernel/sched/core.c:509:6: sparse: sparse: context imbalance in 'raw_spin_rq_unlock' - unexpected unlock kernel/sched/core.c:547:36: sparse: sparse: context imbalance in '__task_rq_lock' - wrong count at exit kernel/sched/core.c:588:36: sparse: sparse: context imbalance in 'task_rq_lock' - wrong count at exit kernel/sched/core.c: note: in included file: kernel/sched/pelt.h:78:13: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct task_struct const *p @@ got struct task_struct [noderef] __rcu *curr @@ kernel/sched/pelt.h:78:13: sparse: expected struct task_struct const *p kernel/sched/pelt.h:78:13: sparse: got struct task_struct [noderef] __rcu *curr kernel/sched/core.c:705:11: sparse: sparse: dereference of noderef expression kernel/sched/core.c:2058:33: sparse: sparse: dereference of noderef expression kernel/sched/core.c:2059:19: sparse: sparse: dereference of noderef expression kernel/sched/core.c:2060:37: sparse: sparse: dereference of noderef expression kernel/sched/core.c: note: in included file: kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/core.c:2033:38: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/core.c:2033:38: sparse: struct task_struct [noderef] __rcu * kernel/sched/core.c:2033:38: sparse: struct task_struct const * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * kernel/sched/sched.h:2163:25: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2163:25: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2163:25: sparse: struct task_struct * kernel/sched/sched.h:2314:9: sparse: sparse: incompatible types in comparison expression (different address spaces): kernel/sched/sched.h:2314:9: sparse: struct task_struct [noderef] __rcu * kernel/sched/sched.h:2314:9: sparse: struct task_struct * vim +/sched_setsteal +9822 kernel/sched/core.c 9821 > 9822 void sched_setsteal(struct task_struct *tsk, s64 steal_task) 9823 { 9824 struct sched_entity *se = &tsk->se; 9825 int queued, running, queue_flags = 9826 DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK; 9827 struct rq_flags rf; 9828 struct rq *rq; 9829 9830 if (se->steal_task == steal_task) 9831 return; 9832 9833 rq = task_rq_lock(tsk, &rf); 9834 9835 running = task_current(rq, tsk); 9836 queued = task_on_rq_queued(tsk); 9837 9838 update_rq_clock(rq); 9839 if (queued) 9840 dequeue_task(rq, tsk, queue_flags); 9841 if (running) 9842 put_prev_task(rq, tsk); 9843 9844 se->steal_task = steal_task; 9845 9846 if (queued) 9847 enqueue_task(rq, tsk, queue_flags); 9848 if (running) 9849 set_next_task(rq, tsk); 9850 9851 task_rq_unlock(rq, tsk, &rf); 9852 } 9853 > 9854 int tg_change_steal(struct task_group *tg, void *data) 9855 { 9856 struct css_task_iter it; 9857 struct task_struct *tsk; 9858 s64 steal_task = *(s64 *)data; 9859 struct cgroup_subsys_state *css = &tg->css; 9860 9861 tg->steal_task = steal_task; 9862 9863 css_task_iter_start(css, 0, &it); 9864 while ((tsk = css_task_iter_next(&it))) 9865 sched_setsteal(tsk, steal_task); 9866 css_task_iter_end(&it); 9867 9868 return 0; 9869 } 9870 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
by Luo Gengkun 28 Dec '24

28 Dec '24

From: Takashi Iwai <tiwai(a)suse.de> stable inclusion from stable-v5.10.231 commit 45a92cbc88e4013bfed7fd2ccab3ade45f8e896b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGG CVE: CVE-2024-53150 Reference: https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b -------------------------------- commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream. The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. Reported-by: Benoît Sevens <bsevens(a)google.com> Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Benoît Sevens <bsevens(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index 95b019f15224..6ccea6d1727f 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -21,6 +21,10 @@ #include "clock.h" #include "quirks.h" +/* check whether the descriptor bLength has the minimal length */ +#define DESC_LENGTH_CHECK(p) \ + (p->bLength >= sizeof(*p)) + static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, bool (*validator)(void *, int), u8 type) { @@ -38,36 +42,60 @@ static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, static bool validate_clock_source_v2(void *p, int id) { struct uac_clock_source_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } static bool validate_clock_source_v3(void *p, int id) { struct uac3_clock_source_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } static bool validate_clock_selector_v2(void *p, int id) { struct uac_clock_selector_descriptor *cs = p; - return cs->bClockID == id; + if (!DESC_LENGTH_CHECK(cs)) + return false; + if (cs->bClockID != id) + return false; + /* additional length check for baCSourceID array (in bNrInPins size) + * and two more fields (which sizes depend on the protocol) + */ + return cs->bLength >= sizeof(*cs) + cs->bNrInPins + + 1 /* bmControls */ + 1 /* iClockSelector */; } static bool validate_clock_selector_v3(void *p, int id) { struct uac3_clock_selector_descriptor *cs = p; - return cs->bClockID == id; + if (!DESC_LENGTH_CHECK(cs)) + return false; + if (cs->bClockID != id) + return false; + /* additional length check for baCSourceID array (in bNrInPins size) + * and two more fields (which sizes depend on the protocol) + */ + return cs->bLength >= sizeof(*cs) + cs->bNrInPins + + 4 /* bmControls */ + 2 /* wCSelectorDescrStr */; } static bool validate_clock_multiplier_v2(void *p, int id) { struct uac_clock_multiplier_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } static bool validate_clock_multiplier_v3(void *p, int id) { struct uac3_clock_multiplier_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } -- 2.34.1

1 0

[PATCH] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
by Luo Gengkun 28 Dec '24

28 Dec '24

From: Takashi Iwai <tiwai(a)suse.de> stable inclusion from stable-v6.6.64 commit 74cb86e1006c5437b1d90084d22018da30fddc77 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGG CVE: CVE-2024-53150 Reference: https://git.kernel.org/stable/c/74cb86e1006c5437b1d90084d22018da30fddc77 commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream. The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. Reported-by: Benoît Sevens <bsevens(a)google.com> Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- sound/usb/clock.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index a676ad093d18..f0f1e445cc56 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -36,6 +36,12 @@ union uac23_clock_multiplier_desc { struct uac_clock_multiplier_descriptor v3; }; +/* check whether the descriptor bLength has the minimal length */ +#define DESC_LENGTH_CHECK(p, proto) \ + ((proto) == UAC_VERSION_3 ? \ + ((p)->v3.bLength >= sizeof((p)->v3)) : \ + ((p)->v2.bLength >= sizeof((p)->v2))) + #define GET_VAL(p, proto, field) \ ((proto) == UAC_VERSION_3 ? (p)->v3.field : (p)->v2.field) @@ -58,6 +64,8 @@ static bool validate_clock_source(void *p, int id, int proto) { union uac23_clock_source_desc *cs = p; + if (!DESC_LENGTH_CHECK(cs, proto)) + return false; return GET_VAL(cs, proto, bClockID) == id; } @@ -65,13 +73,27 @@ static bool validate_clock_selector(void *p, int id, int proto) { union uac23_clock_selector_desc *cs = p; - return GET_VAL(cs, proto, bClockID) == id; + if (!DESC_LENGTH_CHECK(cs, proto)) + return false; + if (GET_VAL(cs, proto, bClockID) != id) + return false; + /* additional length check for baCSourceID array (in bNrInPins size) + * and two more fields (which sizes depend on the protocol) + */ + if (proto == UAC_VERSION_3) + return cs->v3.bLength >= sizeof(cs->v3) + cs->v3.bNrInPins + + 4 /* bmControls */ + 2 /* wCSelectorDescrStr */; + else + return cs->v2.bLength >= sizeof(cs->v2) + cs->v2.bNrInPins + + 1 /* bmControls */ + 1 /* iClockSelector */; } static bool validate_clock_multiplier(void *p, int id, int proto) { union uac23_clock_multiplier_desc *cs = p; + if (!DESC_LENGTH_CHECK(cs, proto)) + return false; return GET_VAL(cs, proto, bClockID) == id; } -- 2.34.1

1 0

[PATCH] ALSA: usb-audio: Fix out of bounds reads when finding clock sources
by Luo Gengkun 28 Dec '24

28 Dec '24

From: Takashi Iwai <tiwai(a)suse.de> stable inclusion from stable-v5.10.231 commit 45a92cbc88e4013bfed7fd2ccab3ade45f8e896b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGG CVE: CVE-2024-53150 Reference: https://git.kernel.org/stable/c/45a92cbc88e4013bfed7fd2ccab3ade45f8e896b -------------------------------- commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream. The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check. Reported-by: Benoît Sevens <bsevens(a)google.com> Cc: <stable(a)vger.kernel.org> Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Benoît Sevens <bsevens(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- sound/usb/clock.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/sound/usb/clock.c b/sound/usb/clock.c index 95b019f15224..6ccea6d1727f 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -21,6 +21,10 @@ #include "clock.h" #include "quirks.h" +/* check whether the descriptor bLength has the minimal length */ +#define DESC_LENGTH_CHECK(p) \ + (p->bLength >= sizeof(*p)) + static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, bool (*validator)(void *, int), u8 type) { @@ -38,36 +42,60 @@ static void *find_uac_clock_desc(struct usb_host_interface *iface, int id, static bool validate_clock_source_v2(void *p, int id) { struct uac_clock_source_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } static bool validate_clock_source_v3(void *p, int id) { struct uac3_clock_source_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } static bool validate_clock_selector_v2(void *p, int id) { struct uac_clock_selector_descriptor *cs = p; - return cs->bClockID == id; + if (!DESC_LENGTH_CHECK(cs)) + return false; + if (cs->bClockID != id) + return false; + /* additional length check for baCSourceID array (in bNrInPins size) + * and two more fields (which sizes depend on the protocol) + */ + return cs->bLength >= sizeof(*cs) + cs->bNrInPins + + 1 /* bmControls */ + 1 /* iClockSelector */; } static bool validate_clock_selector_v3(void *p, int id) { struct uac3_clock_selector_descriptor *cs = p; - return cs->bClockID == id; + if (!DESC_LENGTH_CHECK(cs)) + return false; + if (cs->bClockID != id) + return false; + /* additional length check for baCSourceID array (in bNrInPins size) + * and two more fields (which sizes depend on the protocol) + */ + return cs->bLength >= sizeof(*cs) + cs->bNrInPins + + 4 /* bmControls */ + 2 /* wCSelectorDescrStr */; } static bool validate_clock_multiplier_v2(void *p, int id) { struct uac_clock_multiplier_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } static bool validate_clock_multiplier_v3(void *p, int id) { struct uac3_clock_multiplier_descriptor *cs = p; + if (!DESC_LENGTH_CHECK(cs)) + return false; return cs->bClockID == id; } -- 2.34.1

1 0

[openeuler:OLK-5.10 2601/2601] drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast to restricted __le16
by kernel test robot 28 Dec '24

28 Dec '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 053a6b6f8e4c86200cdb20bc80c063c3bb119859 commit: 661b972e802c8e252911361538651db906c084bb [2601/2601] vdpa: Introduce query of device config layout config: x86_64-randconfig-121-20241228 (https://download.01.org/0day-ci/archive/20241228/202412280838.dtwJgjlH-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241228/202412280838.dtwJgjlH-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412280838.dtwJgjlH-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast to restricted __le16 >> drivers/vdpa/vdpa.c:759:19: sparse: sparse: cast from restricted __virtio16 drivers/vdpa/vdpa.c:775:19: sparse: sparse: cast to restricted __le16 drivers/vdpa/vdpa.c:775:19: sparse: sparse: cast from restricted __virtio16 drivers/vdpa/vdpa.c:779:19: sparse: sparse: cast to restricted __le16 drivers/vdpa/vdpa.c:779:19: sparse: sparse: cast from restricted __virtio16 vim +759 drivers/vdpa/vdpa.c 749 750 static int vdpa_dev_net_mq_config_fill(struct vdpa_device *vdev, 751 struct sk_buff *msg, u64 features, 752 const struct virtio_net_config *config) 753 { 754 u16 val_u16; 755 756 if ((features & (1ULL << VIRTIO_NET_F_MQ)) == 0) 757 return 0; 758 > 759 val_u16 = le16_to_cpu(config->max_virtqueue_pairs); 760 return nla_put_u16(msg, VDPA_ATTR_DEV_NET_CFG_MAX_VQP, val_u16); 761 } 762 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 1327/1327] arch/x86/kernel/unwind_orc.o: warning: objtool: missing symbol for section .text
by kernel test robot 28 Dec '24

28 Dec '24

Hi Shile, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: a8a9daf97ebc8e303e039402fe784e7bd4e5a9bb commit: badd79c400ed404df871e1d035bed971d20ead4c [1327/1327] x86/unwind/orc: Remove boot-time ORC unwind tables sorting config: x86_64-buildonly-randconfig-004-20241216 (https://download.01.org/0day-ci/archive/20241228/202412280732.HThqDDS9-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241228/202412280732.HThqDDS9-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412280732.HThqDDS9-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/x86/kernel/unwind_orc.c:179:13: warning: unused function 'orc_sort_swap' [-Wunused-function] 179 | static void orc_sort_swap(void *_a, void *_b, int size) | ^~~~~~~~~~~~~ arch/x86/kernel/unwind_orc.c:199:12: warning: unused function 'orc_sort_cmp' [-Wunused-function] 199 | static int orc_sort_cmp(const void *_a, const void *_b) | ^~~~~~~~~~~~ 2 warnings generated. >> arch/x86/kernel/unwind_orc.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 2600/2600] mm/hugetlb.c:6315:13: sparse: sparse: symbol 'hugetlb_alloc_hugepage_nodemask' was not declared. Should it be static?
by kernel test robot 28 Dec '24

28 Dec '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 053a6b6f8e4c86200cdb20bc80c063c3bb119859 commit: 8deff3a60ce1a9dffb552210f065fc9ed6a55f84 [2600/2600] mm/sharepool: Add mg_sp_alloc_nodemask config: arm64-randconfig-r133-20241227 (https://download.01.org/0day-ci/archive/20241228/202412280705.ftg9AAMV-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce: (https://download.01.org/0day-ci/archive/20241228/202412280705.ftg9AAMV-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412280705.ftg9AAMV-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> mm/hugetlb.c:6315:13: sparse: sparse: symbol 'hugetlb_alloc_hugepage_nodemask' was not declared. Should it be static? mm/hugetlb.c:446:12: sparse: sparse: context imbalance in 'allocate_file_region_entries' - wrong count at exit mm/hugetlb.c:519:13: sparse: sparse: context imbalance in 'region_add' - wrong count at exit mm/hugetlb.c:587:13: sparse: sparse: context imbalance in 'region_chg' - wrong count at exit mm/hugetlb.c: note: in included file (through include/linux/mmzone.h, include/linux/gfp.h, include/linux/mm.h): include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false mm/hugetlb.c: note: in included file: include/linux/mm.h:1232:21: sparse: sparse: context imbalance in 'hugetlb_cow' - unexpected unlock mm/hugetlb.c: note: in included file (through include/linux/mmzone.h, include/linux/gfp.h, include/linux/mm.h): include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false mm/hugetlb.c:5402:25: sparse: sparse: context imbalance in 'follow_hugetlb_page' - different lock contexts for basic block include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false include/linux/page-flags.h:263:46: sparse: sparse: self-comparison always evaluates to false vim +/hugetlb_alloc_hugepage_nodemask +6315 mm/hugetlb.c 6311 6312 /* 6313 * Allocate hugepage without reserve 6314 */ > 6315 struct page *hugetlb_alloc_hugepage_nodemask(int nid, int flag, nodemask_t *nodemask) 6316 { 6317 struct hstate *h = &default_hstate; 6318 gfp_t gfp_mask = htlb_alloc_mask(h); 6319 struct page *page = NULL; 6320 6321 if (nid == NUMA_NO_NODE) 6322 nid = numa_mem_id(); 6323 6324 if (nid < 0 || nid >= MAX_NUMNODES) 6325 return NULL; 6326 6327 if (flag & ~HUGETLB_ALLOC_MASK) 6328 return NULL; 6329 6330 if (enable_charge_mighp) 6331 gfp_mask |= __GFP_ACCOUNT; 6332 6333 if (flag & HUGETLB_ALLOC_NORECLAIM) 6334 gfp_mask &= ~__GFP_RECLAIM; 6335 6336 if (flag & HUGETLB_ALLOC_NORMAL) 6337 page = hugetlb_alloc_hugepage_normal(h, gfp_mask, nid); 6338 else if (flag & HUGETLB_ALLOC_BUDDY) 6339 page = alloc_migrate_huge_page(h, gfp_mask, nid, nodemask); 6340 else 6341 page = alloc_huge_page_nodemask(h, nid, nodemask, gfp_mask); 6342 6343 return page; 6344 } 6345 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 2600/2600] arch/arm64/mm/init.c:730:6: sparse: sparse: symbol 'ascend_enable_all_features' was not declared. Should it be static?
by kernel test robot 28 Dec '24

28 Dec '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 053a6b6f8e4c86200cdb20bc80c063c3bb119859 commit: 66ae8ddda388386daea0623a65ea2ac85c24ca00 [2600/2600] ascend/arm64: Add ascend_enable_all kernel parameter config: arm64-randconfig-r133-20241227 (https://download.01.org/0day-ci/archive/20241228/202412280553.3KEHilDu-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce: (https://download.01.org/0day-ci/archive/20241228/202412280553.3KEHilDu-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202412280553.3KEHilDu-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) arch/arm64/mm/init.c:746:9: sparse: sparse: mixing declarations and code >> arch/arm64/mm/init.c:730:6: sparse: sparse: symbol 'ascend_enable_all_features' was not declared. Should it be static? vim +/ascend_enable_all_features +730 arch/arm64/mm/init.c 729 > 730 void ascend_enable_all_features(void) 731 { 732 if (IS_ENABLED(CONFIG_ASCEND_DVPP_MMAP)) 733 enable_mmap_dvpp = 1; 734 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

2025

2024

2023

2022

2021

2020

2019

Kernel