- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] net: ethernet: fix potential use-after-free in ec_bhf_remove
by Kaixiong Yu 18 Jun '24

18 Jun '24

From: Pavel Skripkin <paskripkin(a)gmail.com> stable inclusion from stable-v4.19.196 commit 0260916843cc74f3906acf8b6f256693e01530a2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4HZ CVE: CVE-2021-47235 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] static void ec_bhf_remove(struct pci_dev *dev) { ... struct ec_bhf_priv *priv = netdev_priv(net_dev); unregister_netdev(net_dev); free_netdev(net_dev); pci_iounmap(dev, priv->dma_io); pci_iounmap(dev, priv->io); ... } priv is netdev private data, but it is used after free_netdev(). It can cause use-after-free when accessing priv pointer. So, fix it by moving free_netdev() after pci_iounmap() calls. Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/net/ethernet/ec_bhf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c index d71cba0842c5..59dc20020c73 100644 --- a/drivers/net/ethernet/ec_bhf.c +++ b/drivers/net/ethernet/ec_bhf.c @@ -585,10 +585,12 @@ static void ec_bhf_remove(struct pci_dev *dev) struct ec_bhf_priv *priv = netdev_priv(net_dev); unregister_netdev(net_dev); - free_netdev(net_dev); pci_iounmap(dev, priv->dma_io); pci_iounmap(dev, priv->io); + + free_netdev(net_dev); + pci_release_regions(dev); pci_clear_master(dev); pci_disable_device(dev); -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] mm: swap: fix race between free_swap_and_cache() and swapoff()
by Jinjiang Tu 18 Jun '24

18 Jun '24

From: Ryan Roberts <ryan.roberts(a)arm.com> stable inclusion from stable-v5.10.215 commit d85c11c97ecf92d47a4b29e3faca714dc1f18d0d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4RJ CVE: CVE-2024-26960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 82b1c07a0af603e3c47b906c8e991dc96f01688e ] There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<----- Link: https://lkml.kernel.org/r/20240306140356.3974886-1-ryan.roberts@arm.com Fixes: 7c00bafee87c ("mm/swap: free swap slots in batch") Closes: https://lore.kernel.org/linux-mm/65a66eb9-41f8-4790-8db2-0c70ea15979f@redha… Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/swapfile.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/mm/swapfile.c b/mm/swapfile.c index a10c67728e46..2f8a099f014b 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -1373,6 +1373,11 @@ static unsigned char __swap_entry_free_locked(struct swap_info_struct *p, } /* + * Note that when only holding the PTL, swapoff might succeed immediately + * after freeing a swap entry. Therefore, immediately after + * __swap_entry_free(), the swap info might become stale and should not + * be touched without a prior get_swap_device(). + * * Check whether swap entry is valid in the swap device. If so, * return pointer to swap_info_struct, and keep the swap entry valid * via preventing the swap device from being swapoff, until @@ -1899,13 +1904,19 @@ int free_swap_and_cache(swp_entry_t entry) if (non_swap_entry(entry)) return 1; - p = _swap_info_get(entry); + p = get_swap_device(entry); if (p) { + if (WARN_ON(data_race(!p->swap_map[swp_offset(entry)]))) { + put_swap_device(p); + return 0; + } + count = __swap_entry_free(p, entry); if (count == SWAP_HAS_CACHE && !swap_page_trans_huge_swapped(p, entry)) __try_to_reclaim_swap(p, swp_offset(entry), TTRS_UNMAPPED | TTRS_FULL); + put_swap_device(p); } return p != NULL; } -- 2.25.1

2 1

[PATCH OLK-5.10] mm: swap: fix race between free_swap_and_cache() and swapoff()
by Jinjiang Tu 18 Jun '24

18 Jun '24

From: Ryan Roberts <ryan.roberts(a)arm.com> stable inclusion from stable-v5.10.215 commit d85c11c97ecf92d47a4b29e3faca714dc1f18d0d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4RJ CVE: CVE-2024-26960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 82b1c07a0af603e3c47b906c8e991dc96f01688e ] There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<----- Link: https://lkml.kernel.org/r/20240306140356.3974886-1-ryan.roberts@arm.com Fixes: 7c00bafee87c ("mm/swap: free swap slots in batch") Closes: https://lore.kernel.org/linux-mm/65a66eb9-41f8-4790-8db2-0c70ea15979f@redha… Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/swapfile.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/mm/swapfile.c b/mm/swapfile.c index a10c67728e46..2f8a099f014b 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c @@ -1373,6 +1373,11 @@ static unsigned char __swap_entry_free_locked(struct swap_info_struct *p, } /* + * Note that when only holding the PTL, swapoff might succeed immediately + * after freeing a swap entry. Therefore, immediately after + * __swap_entry_free(), the swap info might become stale and should not + * be touched without a prior get_swap_device(). + * * Check whether swap entry is valid in the swap device. If so, * return pointer to swap_info_struct, and keep the swap entry valid * via preventing the swap device from being swapoff, until @@ -1899,13 +1904,19 @@ int free_swap_and_cache(swp_entry_t entry) if (non_swap_entry(entry)) return 1; - p = _swap_info_get(entry); + p = get_swap_device(entry); if (p) { + if (WARN_ON(data_race(!p->swap_map[swp_offset(entry)]))) { + put_swap_device(p); + return 0; + } + count = __swap_entry_free(p, entry); if (count == SWAP_HAS_CACHE && !swap_page_trans_huge_swapped(p, entry)) __try_to_reclaim_swap(p, swp_offset(entry), TTRS_UNMAPPED | TTRS_FULL); + put_swap_device(p); } return p != NULL; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
by Jinjiang Tu 18 Jun '24

18 Jun '24

From: Yongqiang Liu <liuyongqiang13(a)huawei.com> mainline inclusion from mainline-v6.9-rc1 commit 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5E2 CVE: CVE-2024-26947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account freed memory map alignment") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is：0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/ Fixes: a4d5613c4dc6 ("arm: extend pfn_valid to take into account freed memory map alignment") Suggested-by: Mike Rapoport <rppt(a)linux.ibm.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> Signed-off-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Conflicts: arch/arm/mm/flush.c [Conflicts due to folio api.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- arch/arm/mm/flush.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm/mm/flush.c b/arch/arm/mm/flush.c index 6d89db7895d1..ef848bf0df28 100644 --- a/arch/arm/mm/flush.c +++ b/arch/arm/mm/flush.c @@ -280,6 +280,9 @@ void __sync_icache_dcache(pte_t pteval) return; page = pfn_to_page(pfn); + if (PageReserved(page)) + return; + if (cache_is_vipt_aliasing()) mapping = page_mapping_file(page); else -- 2.25.1

2 1

[PATCH OLK-5.10] ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
by Jinjiang Tu 18 Jun '24

18 Jun '24

From: Yongqiang Liu <liuyongqiang13(a)huawei.com> mainline inclusion from mainline-v6.9-rc1 commit 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5E2 CVE: CVE-2024-26947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account freed memory map alignment") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is：0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/ Fixes: a4d5613c4dc6 ("arm: extend pfn_valid to take into account freed memory map alignment") Suggested-by: Mike Rapoport <rppt(a)linux.ibm.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> Signed-off-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Conflicts: arch/arm/mm/flush.c [Conflicts due to folio api.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- arch/arm/mm/flush.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm/mm/flush.c b/arch/arm/mm/flush.c index 6d89db7895d1..ef848bf0df28 100644 --- a/arch/arm/mm/flush.c +++ b/arch/arm/mm/flush.c @@ -280,6 +280,9 @@ void __sync_icache_dcache(pte_t pteval) return; page = pfn_to_page(pfn); + if (PageReserved(page)) + return; + if (cache_is_vipt_aliasing()) mapping = page_mapping_file(page); else -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] hsr: Prevent use after free in prp_create_tagged_frame()
by Yue Haibing 18 Jun '24

18 Jun '24

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v5.10.201 commit ddf4e04e946aaa6c458b8b6829617cc44af2bffd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9DFT4 CVE: CVE-2023-52846 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 876f8ab52363f649bcc74072157dfd7adfbabc0d ] The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. Fixes: 451d8123f897 ("net: prp: add packet handling support") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Acked-by: Paolo Abeni <pabeni(a)redhat.com> Link: https://lore.kernel.org/r/57af1f28-7f57-4a96-bcd3-b7a0f2340845@moroto.mount… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: sanglipeng <sanglipeng1(a)jd.com> Signed-off-by: Yue Haibing <yuehaibing(a)huawei.com> --- net/hsr/hsr_forward.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c index baf4765be6d7..4d1a2a48cf3f 100644 --- a/net/hsr/hsr_forward.c +++ b/net/hsr/hsr_forward.c @@ -294,9 +294,7 @@ struct sk_buff *prp_create_tagged_frame(struct hsr_frame_info *frame, skb = skb_copy_expand(frame->skb_std, 0, skb_tailroom(frame->skb_std) + HSR_HLEN, GFP_ATOMIC); - prp_fill_rct(skb, frame, port); - - return skb; + return prp_fill_rct(skb, frame, port); } static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, -- 2.34.1

2 1

[PATCH OLK-6.6] arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process
by Wei Li 18 Jun '24

18 Jun '24

mainline inclusion from mainline-v6.10-rc3 commit 14951beaec93696b092a906baa0f29322cf34004 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA67DS Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?i… -------------------------------- The function run_all_insn_set_hw_mode() is registered as startup callback of 'CPUHP_AP_ARM64_ISNDEP_STARTING', it invokes set_hw_mode() methods of all emulated instructions. As the STARTING callbacks are not expected to fail, if one of the set_hw_mode() fails, e.g. due to el0 mixed-endian is not supported for 'setend', it will report a warning: ``` CPU[2] cannot support the emulation of setend CPU 2 UP state arm64/isndep:starting (136) failed (-22) CPU2: Booted secondary processor 0x0000000002 [0x414fd0c1] ``` To fix it, add a check for INSN_UNAVAILABLE status and skip the process. Signed-off-by: Wei Li <liwei391(a)huawei.com> Tested-by: Huisong Li <lihuisong(a)huawei.com> Link: https://lore.kernel.org/r/20240423093501.3460764-1-liwei391@huawei.com Signed-off-by: Will Deacon <will(a)kernel.org> --- arch/arm64/kernel/armv8_deprecated.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c index fd0f291e215e..87ac0b9c0b4f 100644 --- a/arch/arm64/kernel/armv8_deprecated.c +++ b/arch/arm64/kernel/armv8_deprecated.c @@ -464,6 +464,9 @@ static int run_all_insn_set_hw_mode(unsigned int cpu) for (int i = 0; i < ARRAY_SIZE(insn_emulations); i++) { struct insn_emulation *insn = insn_emulations[i]; bool enable = READ_ONCE(insn->current_mode) == INSN_HW; + if (insn->status == INSN_UNAVAILABLE) + continue; + if (insn->set_hw_mode && insn->set_hw_mode(enable)) { pr_warn("CPU[%u] cannot support the emulation of %s", cpu, insn->name); -- 2.25.1

2 1

[PATCH OLK-5.10] arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process
by Wei Li 18 Jun '24

18 Jun '24

mainline inclusion from mainline-v6.10-rc3 commit 14951beaec93696b092a906baa0f29322cf34004 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA67DS Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?i… -------------------------------- The function run_all_insn_set_hw_mode() is registered as startup callback of 'CPUHP_AP_ARM64_ISNDEP_STARTING', it invokes set_hw_mode() methods of all emulated instructions. As the STARTING callbacks are not expected to fail, if one of the set_hw_mode() fails, e.g. due to el0 mixed-endian is not supported for 'setend', it will report a warning: ``` CPU[2] cannot support the emulation of setend CPU 2 UP state arm64/isndep:starting (136) failed (-22) CPU2: Booted secondary processor 0x0000000002 [0x414fd0c1] ``` To fix it, add a check for INSN_UNAVAILABLE status and skip the process. Signed-off-by: Wei Li <liwei391(a)huawei.com> Tested-by: Huisong Li <lihuisong(a)huawei.com> Link: https://lore.kernel.org/r/20240423093501.3460764-1-liwei391@huawei.com Signed-off-by: Will Deacon <will(a)kernel.org> --- arch/arm64/kernel/armv8_deprecated.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c index 637e57a4868e..cc736c5309fd 100644 --- a/arch/arm64/kernel/armv8_deprecated.c +++ b/arch/arm64/kernel/armv8_deprecated.c @@ -471,6 +471,9 @@ static int run_all_insn_set_hw_mode(unsigned int cpu) for (i = 0; i < ARRAY_SIZE(insn_emulations); i++) { struct insn_emulation *insn = insn_emulations[i]; bool enable = READ_ONCE(insn->current_mode) == INSN_HW; + if (insn->status == INSN_UNAVAILABLE) + continue; + if (insn->set_hw_mode && insn->set_hw_mode(enable)) { pr_warn("CPU[%u] cannot support the emulation of %s", cpu, insn->name); -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1 0/3] CVE-2024-36971
by Liu Jian 18 Jun '24

18 Jun '24

CVE-2024-36971 Eric Dumazet (2): net: annotate data-races around sk->sk_dst_pending_confirm net: fix __dst_negative_advice() race Liu Jian (1): net: fix kabi breakage in struct dst_ops include/net/dst_ops.h | 4 ++++ include/net/sock.h | 17 +++++------------ net/core/sock.c | 2 +- net/ipv4/route.c | 22 ++++++++-------------- net/ipv4/tcp_output.c | 2 +- net/ipv6/route.c | 29 +++++++++++++++-------------- net/xfrm/xfrm_policy.c | 11 +++-------- 7 files changed, 37 insertions(+), 50 deletions(-) -- 2.34.1

2 4

[openeuler:openEuler-1.0-LTS 18309/22959] mm/share_pool.c:3736:12: warning: 'proc_overview_show' defined but not used
by kernel test robot 18 Jun '24

18 Jun '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: f79871cf083fa1da67dce06a8cc2301cdddeab1b commit: 1cfc25ccec44c17c19c892bd31d00d8f6fb23f9b [18309/22959] share_pool: Add proc node to show process overview info config: arm64-randconfig-001-20240618 (https://download.01.org/0day-ci/archive/20240618/202406180519.p1XL1enF-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240618/202406180519.p1XL1enF-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202406180519.p1XL1enF-lkp@intel.com/ All warnings (new ones prefixed by >>): mm/share_pool.c: In function 'sp_group_id_by_pid': mm/share_pool.c:840:29: warning: ordered comparison of pointer with integer zero [-Wextra] 840 | if (!spg_ids || num <= 0) | ^~ mm/share_pool.c: In function 'sp_hugetlb_entry': mm/share_pool.c:2688:21: error: implicit declaration of function 'huge_ptep_get' [-Werror=implicit-function-declaration] 2688 | pte_t pte = huge_ptep_get(ptep); | ^~~~~~~~~~~~~ mm/share_pool.c:2688:21: error: invalid initializer mm/share_pool.c: In function 'sharepool_no_page': mm/share_pool.c:3824:30: error: implicit declaration of function 'huge_pte_none'; did you mean 'huge_pte_lock'? [-Werror=implicit-function-declaration] 3824 | if (!huge_pte_none(huge_ptep_get(ptep))) { | ^~~~~~~~~~~~~ | huge_pte_lock mm/share_pool.c:3837:23: error: implicit declaration of function 'huge_add_to_page_cache'; did you mean 'add_to_page_cache'? [-Werror=implicit-function-declaration] 3837 | err = huge_add_to_page_cache(page, mapping, idx); | ^~~~~~~~~~~~~~~~~~~~~~ | add_to_page_cache mm/share_pool.c:3859:9: error: implicit declaration of function 'set_huge_pte_at'; did you mean 'set_huge_swap_pte_at'? [-Werror=implicit-function-declaration] 3859 | set_huge_pte_at(mm, haddr, ptep, new_pte); | ^~~~~~~~~~~~~~~ | set_huge_swap_pte_at mm/share_pool.c:3861:9: error: implicit declaration of function 'hugetlb_count_add'; did you mean 'hugetlb_count_sub'? [-Werror=implicit-function-declaration] 3861 | hugetlb_count_add(pages_per_huge_page(h), mm); | ^~~~~~~~~~~~~~~~~ | hugetlb_count_sub mm/share_pool.c:3797:13: warning: variable 'node_id' set but not used [-Wunused-but-set-variable] 3797 | int node_id; | ^~~~~~~ mm/share_pool.c: In function 'sp_alloc_pages': mm/share_pool.c:4018:24: error: implicit declaration of function 'hugetlb_alloc_hugepage'; did you mean 'vmalloc_hugepage'? [-Werror=implicit-function-declaration] 4018 | page = hugetlb_alloc_hugepage(NUMA_NO_NODE, HUGETLB_ALLOC_NONE); | ^~~~~~~~~~~~~~~~~~~~~~ | vmalloc_hugepage mm/share_pool.c:4018:61: error: 'HUGETLB_ALLOC_NONE' undeclared (first use in this function); did you mean 'HUGETLB_ANON_FILE'? 4018 | page = hugetlb_alloc_hugepage(NUMA_NO_NODE, HUGETLB_ALLOC_NONE); | ^~~~~~~~~~~~~~~~~~ | HUGETLB_ANON_FILE mm/share_pool.c:4018:61: note: each undeclared identifier is reported only once for each function it appears in mm/share_pool.c: At top level: >> mm/share_pool.c:3736:12: warning: 'proc_overview_show' defined but not used [-Wunused-function] 3736 | static int proc_overview_show(struct seq_file *seq, void *offset) | ^~~~~~~~~~~~~~~~~~ mm/share_pool.c:3693:12: warning: 'proc_stat_show' defined but not used [-Wunused-function] 3693 | static int proc_stat_show(struct seq_file *seq, void *offset) | ^~~~~~~~~~~~~~ mm/share_pool.c:3635:12: warning: 'spa_stat_show' defined but not used [-Wunused-function] 3635 | static int spa_stat_show(struct seq_file *seq, void *offset) | ^~~~~~~~~~~~~ cc1: some warnings being treated as errors vim +/proc_overview_show +3736 mm/share_pool.c 3735 > 3736 static int proc_overview_show(struct seq_file *seq, void *offset) 3737 { 3738 seq_printf(seq, "%-8s %-16s %-9s %-9s %-9s %-10s %-10s %-8s\n", 3739 "PID", "COMM", "SP_ALLOC", "SP_K2U", "SP_RES", "Non-SP_RES", 3740 "Non-SP_Shm", "VIRT"); 3741 3742 down_read(&sp_proc_stat_sem); 3743 idr_for_each(&sp_proc_stat_idr, idr_proc_overview_cb, seq); 3744 up_read(&sp_proc_stat_sem); 3745 return 0; 3746 } 3747 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0