mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 53 participants
  • 18754 discussions
[openeuler:openEuler-1.0-LTS 18949/22827] mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
by kernel test robot 09 Jun '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: ff0fb9e816fac221fa24a1810dd895745406070b [18949/22827] mm: thp: Add memory reliable support for hugepaged collapse
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090419.Or3DQ4pF-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090419.Or3DQ4pF-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090419.Or3DQ4pF-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
   mm/khugepaged.c:974:21: sparse:    left side has type restricted gfp_t
   mm/khugepaged.c:974:21: sparse:    right side has type unsigned int
   mm/khugepaged.c:1352:21: sparse: sparse: invalid assignment: |=
   mm/khugepaged.c:1352:21: sparse:    left side has type restricted gfp_t
   mm/khugepaged.c:1352:21: sparse:    right side has type unsigned int
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse:     expected void **slot
   mm/khugepaged.c:1378:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse:     expected void **slot
   mm/khugepaged.c:1378:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1409:56: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1409:56: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1409:56: sparse:     got void **slot
   mm/khugepaged.c:1458:22: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1458:22: sparse:     expected void **slot
   mm/khugepaged.c:1458:22: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1459:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1459:17: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1459:17: sparse:     got void **slot
   mm/khugepaged.c:1483:60: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1483:60: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1483:60: sparse:     got void **slot
   mm/khugepaged.c:1486:47: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1486:47: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1486:47: sparse:     got void **slot
   mm/khugepaged.c:1486:22: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1486:22: sparse:     expected void **slot
   mm/khugepaged.c:1486:22: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1378:9: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1378:9: sparse:     got void **slot
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse:     expected void **slot
   mm/khugepaged.c:1378:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse:     expected void **slot
   mm/khugepaged.c:1578:17: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse:     expected void **slot
   mm/khugepaged.c:1578:17: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1597:68: sparse: sparse: incorrect type in argument 2 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1597:68: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1597:68: sparse:     got void **slot
   mm/khugepaged.c:1598:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1598:55: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1598:55: sparse:     got void **slot
   mm/khugepaged.c:1598:30: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1598:30: sparse:     expected void **slot
   mm/khugepaged.c:1598:30: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1578:17: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1578:17: sparse:     got void **slot
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse:     expected void **slot
   mm/khugepaged.c:1578:17: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse:     expected void **slot
   mm/khugepaged.c:1633:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse:     expected void **slot
   mm/khugepaged.c:1633:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1637:46: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1637:46: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1637:46: sparse:     got void **slot
   mm/khugepaged.c:1639:30: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1639:30: sparse:     expected void **slot
   mm/khugepaged.c:1639:30: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1682:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1682:55: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1682:55: sparse:     got void **slot
   mm/khugepaged.c:1682:30: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1682:30: sparse:     expected void **slot
   mm/khugepaged.c:1682:30: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected void [noderef] <asn:4> **slot @@     got void **slot @@
   mm/khugepaged.c:1633:9: sparse:     expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1633:9: sparse:     got void **slot
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void **slot @@     got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse:     expected void **slot
   mm/khugepaged.c:1633:9: sparse:     got void [noderef] <asn:4> **
   mm/khugepaged.c: note: in included file (through include/linux/mm.h):
   include/linux/gfp.h:457:34: sparse: sparse: restricted gfp_t degrades to integer
   mm/khugepaged.c:1336: warning: Function parameter or member 'mm' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'mapping' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'start' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'hpage' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'node' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'reliable' not described in 'collapse_shmem'

vim +974 mm/khugepaged.c

   949	
   950	static void collapse_huge_page(struct mm_struct *mm,
   951					   unsigned long address,
   952					   struct page **hpage,
   953					   int node, int referenced, int unmapped,
   954					   bool reliable)
   955	{
   956		pmd_t *pmd, _pmd;
   957		pte_t *pte;
   958		pgtable_t pgtable;
   959		struct page *new_page;
   960		spinlock_t *pmd_ptl, *pte_ptl;
   961		int isolated = 0, result = 0;
   962		struct mem_cgroup *memcg;
   963		struct vm_area_struct *vma;
   964		unsigned long mmun_start;	/* For mmu_notifiers */
   965		unsigned long mmun_end;		/* For mmu_notifiers */
   966		gfp_t gfp;
   967	
   968		VM_BUG_ON(address & ~HPAGE_PMD_MASK);
   969	
   970		/* Only allocate from the target node */
   971		gfp = alloc_hugepage_khugepaged_gfpmask() | __GFP_THISNODE;
   972	
   973		if (reliable)
 > 974			gfp |= ___GFP_RELIABILITY;
   975	
   976		/*
   977		 * Before allocating the hugepage, release the mmap_sem read lock.
   978		 * The allocation can take potentially a long time if it involves
   979		 * sync compaction, and we do not need to hold the mmap_sem during
   980		 * that. We will recheck the vma after taking it again in write mode.
   981		 */
   982		up_read(&mm->mmap_sem);
   983		new_page = khugepaged_alloc_page(hpage, gfp, node);
   984		if (!new_page) {
   985			result = SCAN_ALLOC_HUGE_PAGE_FAIL;
   986			goto out_nolock;
   987		}
   988	
   989		if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
   990			result = SCAN_CGROUP_CHARGE_FAIL;
   991			goto out_nolock;
   992		}
   993	
   994		down_read(&mm->mmap_sem);
   995		result = hugepage_vma_revalidate(mm, address, &vma);
   996		if (result) {
   997			mem_cgroup_cancel_charge(new_page, memcg, true);
   998			up_read(&mm->mmap_sem);
   999			goto out_nolock;
  1000		}
  1001	
  1002		pmd = mm_find_pmd(mm, address);
  1003		if (!pmd) {
  1004			result = SCAN_PMD_NULL;
  1005			mem_cgroup_cancel_charge(new_page, memcg, true);
  1006			up_read(&mm->mmap_sem);
  1007			goto out_nolock;
  1008		}
  1009	
  1010		/*
  1011		 * __collapse_huge_page_swapin always returns with mmap_sem locked.
  1012		 * If it fails, we release mmap_sem and jump out_nolock.
  1013		 * Continuing to collapse causes inconsistency.
  1014		 */
  1015		if (unmapped && !__collapse_huge_page_swapin(mm, vma, address,
  1016							     pmd, referenced)) {
  1017			mem_cgroup_cancel_charge(new_page, memcg, true);
  1018			up_read(&mm->mmap_sem);
  1019			goto out_nolock;
  1020		}
  1021	
  1022		up_read(&mm->mmap_sem);
  1023		/*
  1024		 * Prevent all access to pagetables with the exception of
  1025		 * gup_fast later handled by the ptep_clear_flush and the VM
  1026		 * handled by the anon_vma lock + PG_lock.
  1027		 */
  1028		down_write(&mm->mmap_sem);
  1029		result = hugepage_vma_revalidate(mm, address, &vma);
  1030		if (result)
  1031			goto out;
  1032		/* check if the pmd is still valid */
  1033		if (mm_find_pmd(mm, address) != pmd)
  1034			goto out;
  1035	
  1036		anon_vma_lock_write(vma->anon_vma);
  1037	
  1038		pte = pte_offset_map(pmd, address);
  1039		pte_ptl = pte_lockptr(mm, pmd);
  1040	
  1041		mmun_start = address;
  1042		mmun_end   = address + HPAGE_PMD_SIZE;
  1043		mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
  1044		pmd_ptl = pmd_lock(mm, pmd); /* probably unnecessary */
  1045		/*
  1046		 * After this gup_fast can't run anymore. This also removes
  1047		 * any huge TLB entry from the CPU so we won't allow
  1048		 * huge and small TLB entries for the same virtual address
  1049		 * to avoid the risk of CPU bugs in that area.
  1050		 */
  1051		_pmd = pmdp_collapse_flush(vma, address, pmd);
  1052		spin_unlock(pmd_ptl);
  1053		mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end);
  1054	
  1055		spin_lock(pte_ptl);
  1056		isolated = __collapse_huge_page_isolate(vma, address, pte);
  1057		spin_unlock(pte_ptl);
  1058	
  1059		if (unlikely(!isolated)) {
  1060			pte_unmap(pte);
  1061			spin_lock(pmd_ptl);
  1062			BUG_ON(!pmd_none(*pmd));
  1063			/*
  1064			 * We can only use set_pmd_at when establishing
  1065			 * hugepmds and never for establishing regular pmds that
  1066			 * points to regular pagetables. Use pmd_populate for that
  1067			 */
  1068			pmd_populate(mm, pmd, pmd_pgtable(_pmd));
  1069			spin_unlock(pmd_ptl);
  1070			anon_vma_unlock_write(vma->anon_vma);
  1071			result = SCAN_FAIL;
  1072			goto out;
  1073		}
  1074	
  1075		/*
  1076		 * All pages are isolated and locked so anon_vma rmap
  1077		 * can't run anymore.
  1078		 */
  1079		anon_vma_unlock_write(vma->anon_vma);
  1080	
  1081		__collapse_huge_page_copy(pte, new_page, vma, address, pte_ptl);
  1082		pte_unmap(pte);
  1083		__SetPageUptodate(new_page);
  1084		pgtable = pmd_pgtable(_pmd);
  1085	
  1086		_pmd = mk_huge_pmd(new_page, vma->vm_page_prot);
  1087		_pmd = maybe_pmd_mkwrite(pmd_mkdirty(_pmd), vma);
  1088	
  1089		/*
  1090		 * spin_lock() below is not the equivalent of smp_wmb(), so
  1091		 * this is needed to avoid the copy_huge_page writes to become
  1092		 * visible after the set_pmd_at() write.
  1093		 */
  1094		smp_wmb();
  1095	
  1096		spin_lock(pmd_ptl);
  1097		BUG_ON(!pmd_none(*pmd));
  1098		page_add_new_anon_rmap(new_page, vma, address, true);
  1099		mem_cgroup_commit_charge(new_page, memcg, false, true);
  1100		count_memcg_events(memcg, THP_COLLAPSE_ALLOC, 1);
  1101		lru_cache_add_active_or_unevictable(new_page, vma);
  1102		pgtable_trans_huge_deposit(mm, pmd, pgtable);
  1103		set_pmd_at(mm, address, pmd, _pmd);
  1104		update_mmu_cache_pmd(vma, address, pmd);
  1105		spin_unlock(pmd_ptl);
  1106	
  1107		*hpage = NULL;
  1108	
  1109		khugepaged_pages_collapsed++;
  1110		result = SCAN_SUCCEED;
  1111	out_up_write:
  1112		up_write(&mm->mmap_sem);
  1113	out_nolock:
  1114		trace_mm_collapse_huge_page(mm, isolated, result);
  1115		return;
  1116	out:
  1117		mem_cgroup_cancel_charge(new_page, memcg, true);
  1118		goto out_up_write;
  1119	}
  1120	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
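The first warning in the report above (`left side has type restricted gfp_t`, `right side has type unsigned int`) is sparse's bitwise type checking at work: `gfp_t` is declared `__bitwise`, so only values that carry a `__force` cast may be combined with it, and the raw `___GFP_*` bit constants in include/linux/gfp.h are plain integers. Line 974 ORs the raw `___GFP_RELIABILITY` into a `gfp_t`, which is exactly the mix the restricted type exists to catch (the same mechanism keeps `__le32`/`__be32` and other flag namespaces from being silently confused). The following is an added standalone example, not code from the openEuler tree or from the kernel; the numeric value given to `___GFP_RELIABILITY` and the `__GFP_RELIABILITY` wrapper are assumptions made for the illustration, and `__CHECKER__`, `__attribute__((bitwise))` and `__attribute__((force))` are the real hooks sparse uses.

```c
/*
 * Added example: why sparse rejects `gfp |= ___GFP_RELIABILITY` and what
 * the conventional fix looks like.  Not openEuler/kernel code; flag values
 * and the __GFP_RELIABILITY wrapper are assumed for illustration.
 */
#include <stdio.h>

/* sparse predefines __CHECKER__; a normal C compiler never sees the attributes. */
#ifdef __CHECKER__
# define __bitwise __attribute__((bitwise))
# define __force   __attribute__((force))
#else
# define __bitwise
# define __force
#endif

/* Restricted type: values of other integer types may not be mixed in. */
typedef unsigned int __bitwise gfp_t;

/* Raw bit values are plain unsigned int, like the kernel's ___GFP_* constants. */
#define ___GFP_THISNODE    0x200000u
#define ___GFP_RELIABILITY 0x1000000u   /* assumed value, for the example only */

/* Public flags cross into the restricted type through a __force cast. */
#define __GFP_THISNODE     ((__force gfp_t)___GFP_THISNODE)
#define __GFP_RELIABILITY  ((__force gfp_t)___GFP_RELIABILITY)

/*
 * Mirrors the pattern at mm/khugepaged.c:974: the raw constant is an
 * unsigned int, so sparse reports "invalid assignment: |=" here.
 */
static gfp_t gfp_mask_unannotated(int reliable)
{
	gfp_t gfp = __GFP_THISNODE;

	if (reliable)
		gfp |= ___GFP_RELIABILITY;   /* sparse: right side has type unsigned int */
	return gfp;
}

/* Same behaviour, same machine code, clean under sparse. */
static gfp_t gfp_mask_annotated(int reliable)
{
	gfp_t gfp = __GFP_THISNODE;

	if (reliable)
		gfp |= __GFP_RELIABILITY;
	return gfp;
}

/* Leaving the restricted type also needs an explicit __force cast. */
static unsigned int gfp_raw(gfp_t gfp)
{
	return (__force unsigned int)gfp;
}

int main(void)
{
	printf("unannotated mask: 0x%x\n", gfp_raw(gfp_mask_unannotated(1)));
	printf("annotated mask:   0x%x\n", gfp_raw(gfp_mask_annotated(1)));
	return 0;
}
```

Any C compiler builds this and both helpers return the same mask; running `sparse example.c` flags only `gfp_mask_unannotated()`, which is the point: the check is purely static and costs nothing at run time. In a kernel tree the equivalent is `make C=2 mm/khugepaged.o`, and the fix for the reported line is to define a `__force`-cast wrapper next to the other `__GFP_*` flags and use that instead of the triple-underscore raw value.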
[openeuler:openEuler-1.0-LTS 5421/22827] drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: sparse: incorrect type in assignment (different address spaces)
by kernel test robot 09 Jun '24

Hi Paulo,

First bad commit (maybe != root cause):

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: 71e217e85c3dff8a9151707ed3afc7b4b054a2d4 [5421/22827] selinux: use kernel linux/socket.h for genheaders and mdp
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090015.Dx2VIQ1d-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090015.Dx2VIQ1d-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090015.Dx2VIQ1d-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mem_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse:     expected void *mem_region
   drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse:     got void [noderef] <asn:2> *
--
>> drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mba_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse:     expected void *mba_region
   drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse:     got void [noderef] <asn:2> *
>> drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mpss_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse:     expected void *mpss_region
   drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse:     got void [noderef] <asn:2> *
   drivers/remoteproc/qcom_q6v5_pil.c: In function 'q6v5_mpss_load':
   drivers/remoteproc/qcom_q6v5_pil.c:741:70: warning: '%02d' directive output may be truncated writing between 2 and 11 bytes into a region of size 3 [-Wformat-truncation=]
     741 |                         snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         |                                                                      ^~~~
   drivers/remoteproc/qcom_q6v5_pil.c:741:62: note: directive argument in the range [-2147483641, 65534]
     741 |                         snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         |                                                              ^~~~~~~~~~~~~
   drivers/remoteproc/qcom_q6v5_pil.c:741:25: note: 'snprintf' output between 10 and 19 bytes into a destination of size 10
     741 |                         snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
>> drivers/remoteproc/qcom_wcnss.c:456:27: sparse: sparse: incorrect type in assignment (different address spaces) @@     expected void *mem_region @@     got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_wcnss.c:456:27: sparse:     expected void *mem_region
   drivers/remoteproc/qcom_wcnss.c:456:27: sparse:     got void [noderef] <asn:2> *
--
>> net/netfilter/nft_counter.c:158:35: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected struct nft_counter_percpu_priv [noderef] <asn:3> *priv @@     got struct nft_counter_percpu_priv *priv @@
   net/netfilter/nft_counter.c:158:35: sparse:     expected struct nft_counter_percpu_priv [noderef] <asn:3> *priv
   net/netfilter/nft_counter.c:158:35: sparse:     got struct nft_counter_percpu_priv *priv
   net/netfilter/nft_counter.c:113:20: sparse: sparse: dereference of noderef expression

vim +246 drivers/remoteproc/qcom_adsp_pil.c

b9e718e950c3df Bjorn Andersson 2016-08-22  227  
b9e718e950c3df Bjorn Andersson 2016-08-22  228  static int adsp_alloc_memory_region(struct qcom_adsp *adsp)
b9e718e950c3df Bjorn Andersson 2016-08-22  229  {
b9e718e950c3df Bjorn Andersson 2016-08-22  230  	struct device_node *node;
b9e718e950c3df Bjorn Andersson 2016-08-22  231  	struct resource r;
b9e718e950c3df Bjorn Andersson 2016-08-22  232  	int ret;
b9e718e950c3df Bjorn Andersson 2016-08-22  233  
b9e718e950c3df Bjorn Andersson 2016-08-22  234  	node = of_parse_phandle(adsp->dev->of_node, "memory-region", 0);
b9e718e950c3df Bjorn Andersson 2016-08-22  235  	if (!node) {
b9e718e950c3df Bjorn Andersson 2016-08-22  236  		dev_err(adsp->dev, "no memory-region specified\n");
b9e718e950c3df Bjorn Andersson 2016-08-22  237  		return -EINVAL;
b9e718e950c3df Bjorn Andersson 2016-08-22  238  	}
b9e718e950c3df Bjorn Andersson 2016-08-22  239  
b9e718e950c3df Bjorn Andersson 2016-08-22  240  	ret = of_address_to_resource(node, 0, &r);
b9e718e950c3df Bjorn Andersson 2016-08-22  241  	if (ret)
b9e718e950c3df Bjorn Andersson 2016-08-22  242  		return ret;
b9e718e950c3df Bjorn Andersson 2016-08-22  243  
b9e718e950c3df Bjorn Andersson 2016-08-22  244  	adsp->mem_phys = adsp->mem_reloc = r.start;
b9e718e950c3df Bjorn Andersson 2016-08-22  245  	adsp->mem_size = resource_size(&r);
b9e718e950c3df Bjorn Andersson 2016-08-22 @246  	adsp->mem_region = devm_ioremap_wc(adsp->dev, adsp->mem_phys, adsp->mem_size);
b9e718e950c3df Bjorn Andersson 2016-08-22  247  	if (!adsp->mem_region) {
b9e718e950c3df Bjorn Andersson 2016-08-22  248  		dev_err(adsp->dev, "unable to map memory region: %pa+%zx\n",
b9e718e950c3df Bjorn Andersson 2016-08-22  249  			&r.start, adsp->mem_size);
b9e718e950c3df Bjorn Andersson 2016-08-22  250  		return -EBUSY;
b9e718e950c3df Bjorn Andersson 2016-08-22  251  	}
b9e718e950c3df Bjorn Andersson 2016-08-22  252  
b9e718e950c3df Bjorn Andersson 2016-08-22  253  	return 0;
b9e718e950c3df Bjorn Andersson 2016-08-22  254  }
b9e718e950c3df Bjorn Andersson 2016-08-22  255  

:::::: The code at line 246 was first introduced by commit
:::::: b9e718e950c3dfa458bbf9180a8d8691e55413ae remoteproc: Introduce Qualcomm ADSP PIL

:::::: TO: Bjorn Andersson <bjorn.andersson(a)sonymobile.com>
:::::: CC: Bjorn Andersson <bjorn.andersson(a)linaro.org>

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
by Liu Jian 08 Jun '24

From: Jason Xing <kernelxing(a)tencent.com>

stable inclusion
from stable-v6.6.31
commit b397a0ab8582c533ec0c6b732392f141fc364f87
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U1UZ
CVE: CVE-2024-3693
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

---------------------------

[ Upstream commit 6648e613226e18897231ab5e42ffc29e63fa3365 ]

Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which
syzbot reported [1].

[1]
BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
 sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
 sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
 sk_psock_put include/linux/skmsg.h:459 [inline]
 sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
 unix_release+0x4b/0x80 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0x68/0x150 net/socket.c:1421
 __fput+0x2c1/0x660 fs/file_table.c:422
 __fput_sync+0x44/0x60 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x101/0x1b0 fs/open.c:1541
 __x64_sys_close+0x1f/0x30 fs/open.c:1541
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
 sk_psock_data_ready include/linux/skmsg.h:464 [inline]
 sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
 sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
 unix_read_skb net/unix/af_unix.c:2546 [inline]
 unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer
dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer
similarly due to no protection of saved_data_ready. Here is another
different caller causing the same issue because of the same reason. So
we should protect it with sk_callback_lock read lock because the writer
side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);".
To avoid errors that could happen in future, I move those two pairs of
lock into the sk_psock_data_ready(), which is suggested by John Fastabend.

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Reported-by: syzbot+aa8c8ec2538929f18f2d(a)syzkaller.appspotmail.com
Signed-off-by: Jason Xing <kernelxing(a)tencent.com>
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend(a)gmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=aa8c8ec2538929f18f2d
Link: https://lore.kernel.org/all/20240329134037.92124-1-kerneljasonxing@gmail.com
Link: https://lore.kernel.org/bpf/20240404021001.94815-1-kerneljasonxing@gmail.com
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Liu Jian <liujian56(a)huawei.com>
---
 include/linux/skmsg.h | 2 ++
 net/core/skmsg.c      | 5 +----
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index f69af3de0da0..fdedb7a29c0e 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -467,10 +467,12 @@ static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock) static inline void sk_psock_data_ready(struct sock *sk, struct sk_psock *psock) { + read_lock_bh(&sk->sk_callback_lock); if (psock->saved_data_ready) psock->saved_data_ready(sk); else sk->sk_data_ready(sk); + read_unlock_bh(&sk->sk_callback_lock); } static inline void psock_set_prog(struct bpf_prog **pprog, diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 6f774de8f6b2..f2e7ce81fef0 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -1234,11 +1234,8 @@ static void sk_psock_verdict_data_ready(struct sock *sk) rcu_read_lock(); psock = sk_psock(sk); - if (psock) { - read_lock_bh(&sk->sk_callback_lock); + if (psock) sk_psock_data_ready(sk, psock); - read_unlock_bh(&sk->sk_callback_lock); - } rcu_read_unlock(); } } -- 2.34.1
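Review bot: with read_lock_bh(&sk->sk_callback_lock) now taken inside sk_psock_data_ready() (first hunk, include/linux/skmsg.h), no caller may enter that inline already holding sk_callback_lock, otherwise it nests a read lock that can stall behind a writer queued in sk_psock_drop(). The net/core/skmsg.c hunk removes the one caller that did, sk_psock_verdict_data_ready(), but the commit message speaks of moving "two pairs of lock" while the diff removes a single pair, so it is worth confirming that every other OLK-6.6 caller, including the sk_psock_skb_ingress_enqueue() path in the KCSAN report, reaches sk_psock_data_ready() with the lock not held. A side effect worth a sentence in the message: the lock now also covers the `sk->sk_data_ready(sk)` fallback, so a pointer restored by sk_psock_stop_verdict() under write_lock_bh() is read consistently on that branch as well.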
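Review bot: in the net/core/skmsg.c hunk, dropping the read_lock_bh()/read_unlock_bh() pair around sk_psock_data_ready() is correct only in lockstep with the header hunk; applied on its own it would leave this path with no sk_callback_lock at all, so the two files must land as one commit, as they do here. Because `psock` is obtained under rcu_read_lock() while the saved callback pointer is now guarded by sk_callback_lock inside sk_psock_data_ready(), a one-line comment at this call site stating that RCU protects the psock object and the callback lock protects the pointer would spare the next reader the same investigation.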
[PATCH OLK-6.6] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

From: Eric Dumazet <edumazet(a)google.com>

mainline inclusion
from mainline-v6.9
commit 4db783d68b9b39a411a96096c10828ff5dfada7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S
CVE: CVE-2024-36901
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
  sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248
  sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653
  sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783
  sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
  sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212
  sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
  sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169
  sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73
  __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234
  sctp_connect net/sctp/socket.c:4819 [inline]
  sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
  __sys_connect_file net/socket.c:2048 [inline]
  __sys_connect+0x2df/0x310 net/socket.c:2065
  __do_sys_connect net/socket.c:2075 [inline]
  __se_sys_connect net/socket.c:2072 [inline]
  __x64_sys_connect+0x7a/0x90 net/socket.c:2072
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.")
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet(a)google.com>
Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com>
Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>

Conflicts:
	net/ipv6/ip6_output.c
[Did not backport d289ab65b89c.]

Signed-off-by: Liu Jian <liujian56(a)huawei.com>
---
 net/ipv6/ip6_output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 53fe1375b147..412a16932341 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -227,7 +227,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb_reason(skb, SKB_DROP_REASON_IPV6DISABLED); return 0; -- 2.34.1
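Review bot: widening the condition to `!idev || idev->cnf.disable_ipv6` leaves the very next line, `IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS)`, executing with a NULL idev on the new path. That is safe only if IP6_INC_STATS in this tree tolerates NULL (upstream's _DEVINC helper checks `likely(_idev != NULL)` before touching per-device stats and still bumps the per-netns counter); the backport message should say that include/net/ipv6.h in OLK-6.6 carries that guard rather than rely on it implicitly, since a NULL-tolerant stats macro is what turns this from a crash into a counted drop.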
[PATCH openEuler-1.0-LTS] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

From: Eric Dumazet <edumazet(a)google.com>

mainline inclusion
from mainline-v6.9
commit 4db783d68b9b39a411a96096c10828ff5dfada7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S
CVE: CVE-2024-36901
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

According to syzbot, there is a chance that ip6_dst_idev()
returns NULL in ip6_output(). Most places in IPv6 stack
deal with a NULL idev just fine, but not here.

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7]
CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237
Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff
RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202
RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000
RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48
RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad
R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0
R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000
FS:  00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
  sctp_v6_xmit+0x9f2/0x13f0
net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/ip6_output.c [Did not backport d289ab65b89c.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 968b2602c400..179fe599efba 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -206,7 +206,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb(skb); return 0; -- 2.34.1
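Review bot: after the new `!idev` test short-circuits, the unchanged next line `IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);` is still reached with idev == NULL, so the fix is only complete if this branch's IP6_INC_STATS tolerates a NULL device pointer (upstream it expands through a helper that skips the per-device counter when idev is NULL and only bumps the per-netns counter); confirm that for this branch before merging. The `[Did not backport d289ab65b89c.]` conflict note would also be more useful if it said which lines of the hunk context differ from mainline as a result.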
[PATCH OLK-5.10] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

08 Jun '24
From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.9 commit 4db783d68b9b39a411a96096c10828ff5dfada7a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S CVE: CVE-2024-36901 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 
net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/ip6_output.c [Did not backport d289ab65b89c.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 6adf0b536473..6d9571cb317d 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -240,7 +240,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb(skb); return 0; -- 2.34.1
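Review bot: same hunk as the other postings of this fix, with the same open point: the added `!idev ||` stops the dereference in the condition, but the following `IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);` still receives idev == NULL, so check that OLK-5.10's IP6_INC_STATS skips the per-device counter for a NULL idev (as it does upstream) rather than dereferencing it.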
[PATCH openEuler-22.03-LTS-SP1] ipv6: prevent NULL dereference in ip6_output()
by Liu Jian 08 Jun '24

08 Jun '24
From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.9 commit 4db783d68b9b39a411a96096c10828ff5dfada7a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UO9S CVE: CVE-2024-36901 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 
net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 778d80be5269 ("ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Larysa Zaremba <larysa.zaremba(a)intel.com> Link: https://lore.kernel.org/r/20240507161842.773961-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ipv6/ip6_output.c [Did not backport d289ab65b89c.] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index f30cc72887a3..f0c94aaa039f 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -234,7 +234,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->dev = dev; - if (unlikely(idev->cnf.disable_ipv6)) { + if (unlikely(!idev || idev->cnf.disable_ipv6)) { IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); kfree_skb(skb); return 0; -- 2.34.1
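Review bot: as with the OLK-5.10 posting, the `!idev ||` guard leaves the next line `IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS);` running with idev == NULL; the patch is correct on this branch only if openEuler-22.03-LTS-SP1's IP6_INC_STATS handles a NULL idev (per-netns counter only), so state that in the conflict note or verify it in the merge request.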
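The three postings of this fix above all rely on the same contract: the `!idev` short-circuit stops the dereference in the condition, but the statistics macro on the next line still receives a NULL device pointer and must cope. The C model below is an added example written for this page, not code from the patch or the kernel tree. It shows the shape of that contract: a per-device counter that is bumped only when the device pointer is non-NULL, and a per-namespace counter that is always bumped, which is what lets the discard path count the dropped packet without crashing. `IP6_INC_STATS_MODEL`, `ip6_output_model` and the `scenario_*` helpers are this model's own names, and the structs are stand-ins for the kernel's `struct net` and `struct inet6_dev`.

```c
/* Added example (written for this page, not the kernel's code): a userspace
 * model of the NULL-tolerant statistics increment that the fixed ip6_output()
 * prologue depends on.  Names and layouts are the model's own. */
#include <stdbool.h>
#include <stddef.h>

enum { MIB_OUTDISCARDS = 0, MIB_OUTREQUESTS, MIB_MAX };

struct net { unsigned long mib[MIB_MAX]; };          /* per-netns counters */
struct inet6_dev {
    unsigned long stats[MIB_MAX];                    /* per-device counters */
    struct { bool disable_ipv6; } cnf;
};

/* Per-netns counter always; per-device counter only if idev != NULL.
 * This is the property the hunk relies on after `!idev` short-circuits. */
#define IP6_INC_STATS_MODEL(net, idev, field)        \
    do {                                             \
        struct inet6_dev *_idev = (idev);            \
        if (_idev)                                   \
            _idev->stats[(field)]++;                 \
        (net)->mib[(field)]++;                       \
    } while (0)

/* Models the fixed prologue: returns 0 when the packet is discarded,
 * 1 when it would be passed on to the rest of the output path. */
static int ip6_output_model(struct net *net, struct inet6_dev *idev)
{
    /* Before the fix the condition was idev->cnf.disable_ipv6 alone,
     * which dereferences a NULL idev; the `!idev ||` guard stops that. */
    if (!idev || idev->cnf.disable_ipv6) {
        IP6_INC_STATS_MODEL(net, idev, MIB_OUTDISCARDS);
        return 0;
    }
    IP6_INC_STATS_MODEL(net, idev, MIB_OUTREQUESTS);
    return 1;
}

/* Scenario 1: no device (the syzbot case).  The packet must be dropped and
 * counted in the netns discards without touching any per-device counter. */
static bool scenario_null_idev(void)
{
    struct net n = { {0} };
    int rc = ip6_output_model(&n, NULL);

    return rc == 0 && n.mib[MIB_OUTDISCARDS] == 1 && n.mib[MIB_OUTREQUESTS] == 0;
}

/* Scenario 2: device present but disable_ipv6 set.  Both counters move. */
static bool scenario_disabled_idev(void)
{
    struct net n = { {0} };
    struct inet6_dev d = { {0}, { true } };
    int rc = ip6_output_model(&n, &d);

    return rc == 0 && n.mib[MIB_OUTDISCARDS] == 1 && d.stats[MIB_OUTDISCARDS] == 1;
}

/* Scenario 3: device present and IPv6 enabled.  The packet goes through. */
static bool scenario_enabled_idev(void)
{
    struct net n = { {0} };
    struct inet6_dev d = { {0}, { false } };
    int rc = ip6_output_model(&n, &d);

    return rc == 1 && n.mib[MIB_OUTREQUESTS] == 1 && d.stats[MIB_OUTREQUESTS] == 1
        && n.mib[MIB_OUTDISCARDS] == 0;
}
```

When reviewing a backport of this hunk to another branch, the check that matters is the one scenario 1 exercises: call the branch's real `IP6_INC_STATS` path with a NULL idev in a test build, or read its expansion, before trusting the `!idev ||` guard on its own.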
[PATCH openEuler-1.0-LTS] staging: rtl8712: fix use-after-free in rtl8712_dl_fw
by Jialin Zhang 08 Jun '24

08 Jun '24
From: Pavel Skripkin <paskripkin(a)gmail.com> mainline inclusion from mainline-v5.16-rc1 commit c052cc1a069c3e575619cf64ec427eb41176ca70 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RCV5 CVE: CVE-2021-47479 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Syzbot reported use-after-free in rtl8712_dl_fw(). The problem was in race condition between r871xu_dev_remove() ->ndo_open() callback. It's easy to see from crash log, that driver accesses released firmware in ->ndo_open() callback. It may happen, since driver was releasing firmware _before_ unregistering netdev. Fix it by moving unregister_netdev() before cleaning up resources. Call Trace: ... rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline] rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170 rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline] rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394 netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380 __dev_open+0x2bc/0x4d0 net/core/dev.c:1484 Freed by task 1306: ... release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053 r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599 usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458 Fixes: 8c213fa59199 ("staging: r8712u: Use asynchronous firmware loading") Cc: stable <stable(a)vger.kernel.org> Reported-and-tested-by: syzbot+c55162be492189fb4f51(a)syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Link: https://lore.kernel.org/r/20211019211718.26354-1-paskripkin@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/staging/rtl8712/usb_intf.c [The conflict occurs because commit b4383c971bc5("staging: rtl8712: handle firmware load failure") is not merged] 
Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com> --- drivers/staging/rtl8712/usb_intf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c index 5e2cdc25401b..709d687180bf 100644 --- a/drivers/staging/rtl8712/usb_intf.c +++ b/drivers/staging/rtl8712/usb_intf.c @@ -623,13 +623,13 @@ static void r871xu_dev_remove(struct usb_interface *pusb_intf) if (pnetdev) { struct _adapter *padapter = netdev_priv(pnetdev); + unregister_netdev(pnetdev); /* will call netdev_close() */ usb_set_intfdata(pusb_intf, NULL); release_firmware(padapter->fw); /* never exit with a firmware callback pending */ wait_for_completion(&padapter->rtl8712_fw_ready); if (drvpriv.drv_registered) padapter->bSurpriseRemoved = true; - unregister_netdev(pnetdev); /* will call netdev_close() */ flush_scheduled_work(); udelay(1); /* Stop driver mlme relation timer */ -- 2.25.1
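Review bot: moving `unregister_netdev(pnetdev); /* will call netdev_close() */` to the top of the block means netdev_close() now runs before `padapter->bSurpriseRemoved = true;` is set, so the close path may still talk to a device that has already been unplugged; upstream accepted this ordering, but since the conflict note says b4383c971bc5 is not merged here, confirm that this branch's netdev_close() does not rely on bSurpriseRemoved to short-circuit hardware access. The moved one-line comment is also the only explanation of why the order matters; a short comment above `release_firmware(padapter->fw);` saying that no ->ndo_open() can run from here on would make the intent clear to the next backporter.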
[PATCH OLK-6.6] tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
by Zhengchao Shao 08 Jun '24

08 Jun '24
From: Kuniyuki Iwashima <kuniyu(a)amazon.com> stable inclusion from stable-v6.6.31 commit 6e48faad92be13166184d21506e4e54c79c13adc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U4LA CVE: CVE-2024-36904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f2db7230f73a80dbb179deab78f88a7947f0ab7e ] Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique() with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's sk_refcnt after putting it into ehash and releasing the bucket lock. Thus, there is a small race window where other threads could try to reuse the port during connect() and call sock_hold() in tcp_twsk_unique() for the TIME-WAIT socket with zero refcnt. If that happens, the refcnt taken by tcp_twsk_unique() is overwritten and sock_put() will cause underflow, triggering a real use-after-free somewhere else. To avoid the use-after-free, we need to use refcount_inc_not_zero() in tcp_twsk_unique() and give up on reusing the port if it returns false. [0]: refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1 Hardware name: VMware, Inc. 
VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027 RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> ? refcount_warn_saturate+0xe5/0x110 ? __warn+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110 ? report_bug+0x171/0x1a0 ? refcount_warn_saturate+0xe5/0x110 ? handle_bug+0x3c/0x80 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_established+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? 
__pfx___inet_check_established+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0x83/0x170 entry_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0 </TASK> Fixes: ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance") Reported-by: Anderson Nascimento <anderson(a)allelesecurity.com> Closes: https://lore.kernel.org/netdev/37a477a6-d39e-486b-9577-3463f655a6b7@alleles… Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240501213145.62261-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ipv4/tcp_ipv4.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 39f324bdd576..fce757159ad5 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c 
@@ -154,6 +154,12 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) if (tcptw->tw_ts_recent_stamp && (!twp || (reuse && time_after32(ktime_get_seconds(), tcptw->tw_ts_recent_stamp)))) { + /* inet_twsk_hashdance() sets sk_refcnt after putting twsk + * and releasing the bucket lock. + */ + if (unlikely(!refcount_inc_not_zero(&sktw->sk_refcnt))) + return 0; + /* In case of repair and re-using TIME-WAIT sockets we still * want to be sure that it is safe as above but honor the * sequence numbers and time stamps set as part of the repair @@ -174,7 +180,7 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) tp->rx_opt.ts_recent = tcptw->tw_ts_recent; tp->rx_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp; } - sock_hold(sktw); + return 1; } -- 2.34.1
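Review bot: the early `return 0;` after `refcount_inc_not_zero()` sits inside the `if (tcptw->tw_ts_recent_stamp && ...)` block, so it only affects the path that previously ended in `sock_hold(sktw); return 1;`, and the reference taken at the top of the block replaces the one the removed `sock_hold()` took at the bottom; that is correct as long as nothing between the two points returns without dropping it, and the visible context shows no such exit. The added comment explains why the increment can observe zero but not that it also stands in for the removed hold, so the two hunks look asymmetric to a future backporter; suggest extending it along the lines of `/* ... this also takes the reference that sock_hold() used to take below. */`.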
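The commit message above describes a publish-then-set-refcount ordering and the window it opens for a port-reuse lookup. The C model below is an added example written for this page, not code from the patch or the kernel tree: it replays one interleaving where the lookup lands inside that window, first with an unconditional hold (what `sock_hold()` did) and then with inc-not-zero semantics (what `refcount_inc_not_zero()` provides), and shows that the first overwrites the lookup's reference so a later put underflows while the second simply declines to reuse the port. `hashdance_publish`, `hashdance_set_refcnt`, `lookup_hold_*`, `tw_put` and `run_*` are the model's own names; the one-slot `ehash_slot` stands in for the kernel's established-socket hash.

```c
/* Added example (written for this page, not the kernel's code): a sequential
 * userspace model of the TIME-WAIT refcount race.  The interleaving is fixed
 * by the order of calls instead of by real thread scheduling. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct tw_sock {
    atomic_int refcnt;      /* models sk_refcnt */
    bool freed;             /* set when the last reference is dropped */
};

/* A one-slot "ehash": NULL means nothing is published. */
static struct tw_sock *ehash_slot;

/* Models inet_twsk_hashdance() as the commit message describes it:
 * publish first, set the refcount later.  The gap is the race window. */
static void hashdance_publish(struct tw_sock *tw)
{
    atomic_store(&tw->refcnt, 0);   /* nobody owns it yet */
    ehash_slot = tw;                /* lookups can find it from here on */
}

static void hashdance_set_refcnt(struct tw_sock *tw)
{
    atomic_store(&tw->refcnt, 1);   /* the table's own reference */
}

/* The old tcp_twsk_unique(): find the socket and hold it unconditionally. */
static struct tw_sock *lookup_hold_unconditional(void)
{
    struct tw_sock *tw = ehash_slot;

    if (tw)
        atomic_fetch_add(&tw->refcnt, 1);
    return tw;
}

/* The fixed tcp_twsk_unique(): hold only if someone already owns it. */
static struct tw_sock *lookup_hold_not_zero(void)
{
    struct tw_sock *tw = ehash_slot;
    int old;

    if (!tw)
        return NULL;
    old = atomic_load(&tw->refcnt);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&tw->refcnt, &old, old + 1))
            return tw;          /* reference taken */
    }
    return NULL;                /* refcnt was 0: give up on port reuse */
}

/* Drop a reference.  Returns -1 on underflow, the condition refcount_t
 * reports as "addition on 0; use-after-free" in the splat above. */
static int tw_put(struct tw_sock *tw)
{
    int old = atomic_fetch_sub(&tw->refcnt, 1);

    if (old <= 0)
        return -1;
    if (old == 1)
        tw->freed = true;       /* the kernel would free the socket here */
    return 0;
}

/* One interleaving where the lookup lands inside the race window.
 * Returns the final refcnt, or -1 if a put underflowed along the way. */
static int run_race_window(bool use_inc_not_zero)
{
    struct tw_sock tw = { .freed = false };
    struct tw_sock *held;

    hashdance_publish(&tw);
    held = use_inc_not_zero ? lookup_hold_not_zero()
                            : lookup_hold_unconditional();
    hashdance_set_refcnt(&tw);      /* overwrites whatever the lookup added */

    if (held && tw_put(held) < 0)   /* the connect() side releases its ref */
        return -1;
    if (tw_put(&tw) < 0)            /* the table drops its own reference */
        return -1;
    return atomic_load(&tw.refcnt);
}

/* The common case: the lookup happens after the hashdance completed,
 * so inc-not-zero succeeds and port reuse proceeds as before the fix. */
static bool run_after_hashdance(void)
{
    struct tw_sock tw = { .freed = false };
    struct tw_sock *held;

    hashdance_publish(&tw);
    hashdance_set_refcnt(&tw);
    held = lookup_hold_not_zero();  /* refcnt 1 -> 2, succeeds */
    return held == &tw && tw_put(held) == 0 && tw_put(&tw) == 0 && tw.freed;
}
```

Build with a C11 compiler (`cc -std=c11`). `run_race_window(false)` returns -1: the unconditional hold raised refcnt to 1, `hashdance_set_refcnt()` wrote 1 over it, and the second put went below zero, which is the underflow the commit message says leads to a real use-after-free elsewhere. `run_race_window(true)` returns 0 with no underflow because the lookup saw zero and took nothing.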
[PATCH OLK-6.6 v2] blk-iocost: do not WARN if iocg was already offlined
by Li Nan 08 Jun '24

08 Jun '24
mainline inclusion from mainline-v6.9-rc5 commit 01bc4fda9ea0a6b52f12326486f07a4910666cf6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UABH CVE: CVE-2024-36908 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In iocg_pay_debt(), warn is triggered if 'active_list' is empty, which is intended to confirm iocg is active when it has debt. However, warn can be triggered during a blkcg or disk removal, if iocg_waitq_timer_fn() is run at that time: WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402 iocg_pay_debt+0x14c/0x190 Call trace: iocg_pay_debt+0x14c/0x190 iocg_kick_waitq+0x438/0x4c0 iocg_waitq_timer_fn+0xd8/0x130 __run_hrtimer+0x144/0x45c __hrtimer_run_queues+0x16c/0x244 hrtimer_interrupt+0x2cc/0x7b0 The warn in this situation is meaningless. Since this iocg is being removed, the state of the 'active_list' is irrelevant, and 'waitq_timer' is canceled after removing 'active_list' in ioc_pd_free(), which ensures iocg is freed after iocg_waitq_timer_fn() returns. Therefore, add the check if iocg was already offlined to avoid warn when removing a blkcg or disk. Signed-off-by: Li Nan <linan122(a)huawei.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Acked-by: Tejun Heo <tj(a)kernel.org> Link: https://lore.kernel.org/r/20240419093257.3004211-1-linan666@huaweicloud.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflict: block/blk-iocost.c Mainline checks 'pd.online', but there is no member online of pd in 5.10. Check 'iocg->online' instead. Signed-off-by: Li Nan <linan122(a)huawei.com> --- v2: fix bugzilla block/blk-iocost.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/block/blk-iocost.c b/block/blk-iocost.c index 6a3e8a21c0fc..3b9710ce77e5 100644 --- a/block/blk-iocost.c +++ b/block/blk-iocost.c 
@@ -1439,8 +1439,11 @@ static void iocg_pay_debt(struct ioc_gq *iocg, u64 abs_vpay, lockdep_assert_held(&iocg->ioc->lock); lockdep_assert_held(&iocg->waitq.lock); - /* make sure that nobody messed with @iocg */ - WARN_ON_ONCE(list_empty(&iocg->active_list)); + /* + * make sure that nobody messed with @iocg. Check iocg->online + * to avoid warn when removing blkcg or disk. + */ + WARN_ON_ONCE(list_empty(&iocg->active_list) && iocg->online); WARN_ON_ONCE(iocg->inuse > 1); iocg->abs_vdebt -= min(abs_vpay, iocg->abs_vdebt); -- 2.39.2
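Review bot: the Conflict note says `there is no member online of pd in 5.10`, but the subject targets OLK-6.6; either the note was carried over from a 5.10 backport or the target branch is wrong, so correct whichever applies before merging. On the hunk itself, `WARN_ON_ONCE(list_empty(&iocg->active_list) && iocg->online);` reads iocg->online under ioc->lock (the `lockdep_assert_held(&iocg->ioc->lock);` two lines up), so the check is only race-free if the offline path clears `iocg->online` under the same lock; the new comment says why the check exists but not that it relies on this, and should.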