- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 0/3] CVE-2021-47182
by Li Nan 23 Apr '24

23 Apr '24

Damien Le Moal (1): scsi: core: Fix scsi_mode_sense() buffer length handling Hannes Reinecke (2): scsi: core: Fixup calling convention for scsi_mode_sense() scsi: core: Reshuffle response handling in scsi_mode_sense() drivers/scsi/scsi_lib.c | 100 ++++++++++++++++-------------- drivers/scsi/scsi_transport_sas.c | 9 ++- drivers/scsi/sd.c | 12 ++-- drivers/scsi/sr.c | 2 +- 4 files changed, 64 insertions(+), 59 deletions(-) -- 2.39.2

2 4

[PATCH openEuler-1.0-LTS V2 0/2] Fix CVE-2024-26869
by Zizhi Wo 23 Apr '24

23 Apr '24

V2: fix one missing issue in f2fs_invalidate_blocks() V1: fix main error Chao Yu (2): Revert: "f2fs: check last page index in cached bio to decide submission" f2fs: fix to truncate meta inode pages forcely fs/f2fs/checkpoint.c | 3 +-- fs/f2fs/data.c | 41 ++++++++++++++++++++--------------------- fs/f2fs/f2fs.h | 30 ++++++++++++++++++++++++++++-- fs/f2fs/gc.c | 3 +-- fs/f2fs/node.c | 11 +++++------ fs/f2fs/segment.c | 16 +++++++--------- include/linux/f2fs_fs.h | 1 + 7 files changed, 63 insertions(+), 42 deletions(-) -- 2.39.2

2 3

[PATCH openEuler-1.0-LTS 0/2] Fix CVE-2024-26869
by Zizhi Wo 23 Apr '24

23 Apr '24

Fix CVE-2024-26869 Chao Yu (2): Revert: "f2fs: check last page index in cached bio to decide submission" f2fs: fix to truncate meta inode pages forcely fs/f2fs/checkpoint.c | 3 +-- fs/f2fs/data.c | 41 ++++++++++++++++++++--------------------- fs/f2fs/f2fs.h | 30 ++++++++++++++++++++++++++++-- fs/f2fs/gc.c | 3 +-- fs/f2fs/node.c | 11 +++++------ fs/f2fs/segment.c | 14 ++++++-------- include/linux/f2fs_fs.h | 1 + 7 files changed, 62 insertions(+), 41 deletions(-) -- 2.39.2

2 3

[openeuler:OLK-5.10] BUILD REGRESSION b05f2de3edcf4fc1b98ced476a06a62b961d3cce
by kernel test robot 23 Apr '24

23 Apr '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: b05f2de3edcf4fc1b98ced476a06a62b961d3cce !6279 Bluetooth: Avoid potential use-after-free in hci_error_reset Error/Warning reports: https://lore.kernel.org/oe-kbuild-all/202404230205.XJi54qVa-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202404230552.HyMsovr7-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202404230626.ETmTJeuy-lkp@intel.com Error/Warning: (recently discovered and may have been fixed) drivers/char/ipmi/ipmi_bt_sm.c:194:18: error: implicit declaration of function 'acpi_evaluate_integer'; did you mean 'acpi_evaluate_object'? [-Werror=implicit-function-declaration] drivers/ptp/ptp_hisi.c:731:36: warning: 'hisi_ptp_acpi_match' defined but not used [-Wunused-const-variable=] fs/proc/base.c:1454:6: warning: no previous prototype for 'pbha_bit0_hide_file' [-Wmissing-prototypes] Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-allnoconfig | |-- arch-arm64-kernel-ipi_nmi.c:error:implicit-declaration-of-function-printk_safe_enter | |-- arch-arm64-kernel-ipi_nmi.c:error:implicit-declaration-of-function-printk_safe_exit | |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity | |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains | |-- kernel-sched-core.c:error:root_task_group-undeclared-(first-use-in-this-function) | |-- kernel-workqueue.c:error:implicit-declaration-of-function-printk_safe_enter | `-- kernel-workqueue.c:error:implicit-declaration-of-function-printk_safe_exit |-- arm64-randconfig-002-20240423 | |-- arch-arm64-kernel-ipi_nmi.c:error:implicit-declaration-of-function-printk_safe_enter | |-- arch-arm64-kernel-ipi_nmi.c:error:implicit-declaration-of-function-printk_safe_exit | |-- arch-arm64-kernel-vdso-ilp32-..-vdso-vgettimeofday.c:warning:no-previous-prototype-for-__kernel_clock_getres | |-- arch-arm64-kernel-vdso-ilp32-..-vdso-vgettimeofday.c:warning:no-previous-prototype-for-__kernel_clock_gettime | |-- arch-arm64-kernel-vdso-ilp32-..-vdso-vgettimeofday.c:warning:no-previous-prototype-for-__kernel_gettimeofday | |-- drivers-char-ipmi-ipmi_bt_sm.c:error:implicit-declaration-of-function-acpi_evaluate_integer | |-- drivers-ptp-ptp_hisi.c:warning:hisi_ptp_acpi_match-defined-but-not-used | |-- fs-proc-base.c:warning:no-previous-prototype-for-pbha_bit0_hide_file | |-- kernel-workqueue.c:error:implicit-declaration-of-function-printk_safe_enter | `-- kernel-workqueue.c:error:implicit-declaration-of-function-printk_safe_exit `-- x86_64-randconfig-076-20240422 |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains `-- kernel-sched-core.c:error:root_task_group-undeclared-(first-use-in-this-function) clang_recent_errors |-- arm64-allyesconfig | |-- Documentation-devicetree-bindings-arm-cpu.yaml:properties:capacity-dmips-mhz:ref-should-not-be-valid-under-const:ref | |-- Documentation-devicetree-bindings-arm-cpu.yaml:title:ARM-CPUs-bindings-should-not-be-valid-under-pattern:(-Bb-inding-Ss-chema) | |-- Documentation-devicetree-bindings-arm-cpus.yaml:examples:cpus-arm-pbha-performance-only-bits-arm-pbha-no-aliases-bits-ncpu-device_type-cpu-compatible-arm-cortex-a57-...-n-is-not-of-type-array | |-- Documentation-devicetree-bindings-arm-cpus.yaml:maintainers-is-a-required-property | |-- description:Display-controller-reference-clock-source-is-not-of-type-object-boolean | |-- description:Display-controller-reference-clock-source-is-too-short | |-- description:Offset-and-length-of-the-memory-mapped-registers-is-too-short | |-- items-is-not-one-of-type-description-dependencies-dependentRequired-dependentSchemas-properties-patternProperties-additionalProperties-unevaluatedProperties-deprecated-required-not-allOf-anyOf-oneOf-r | `-- minItems-is-not-one-of-type-description-dependencies-dependentRequired-dependentSchemas-properties-patternProperties-additionalProperties-unevaluatedProperties-deprecated-required-not-allOf-anyOf-oneO |-- x86_64-allnoconfig | `-- drivers-net-ethernet-mucse-rnpm-rnpm_common.h:linux-version.h-not-needed. `-- x86_64-allyesconfig |-- drivers-net-ethernet-bzwx-nce-comm-txrx.c:fatal-error:ne6x_trace.h-file-not-found |-- drivers-net-ethernet-bzwx-nce-ne6x-ne6x.h:fatal-error:reg.h-file-not-found `-- drivers-net-ethernet-bzwx-nce-ne6x_vf-ne6xvf.h:fatal-error:reg.h-file-not-found elapsed time: 727m configs tested: 35 configs skipped: 149 tested configs: arm64 allmodconfig clang arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240423 clang arm64 randconfig-002-20240423 gcc arm64 randconfig-003-20240423 clang arm64 randconfig-004-20240423 clang x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240422 clang x86_64 buildonly-randconfig-002-20240422 gcc x86_64 buildonly-randconfig-003-20240422 gcc x86_64 buildonly-randconfig-004-20240422 clang x86_64 buildonly-randconfig-005-20240422 gcc x86_64 buildonly-randconfig-006-20240422 clang x86_64 defconfig gcc x86_64 randconfig-001-20240422 clang x86_64 randconfig-002-20240422 gcc x86_64 randconfig-003-20240422 clang x86_64 randconfig-004-20240422 gcc x86_64 randconfig-005-20240422 gcc x86_64 randconfig-006-20240422 clang x86_64 randconfig-011-20240422 gcc x86_64 randconfig-012-20240422 clang x86_64 randconfig-013-20240422 gcc x86_64 randconfig-014-20240422 clang x86_64 randconfig-015-20240422 gcc x86_64 randconfig-016-20240422 gcc x86_64 randconfig-071-20240422 clang x86_64 randconfig-072-20240422 gcc x86_64 randconfig-073-20240422 gcc x86_64 randconfig-074-20240422 gcc x86_64 randconfig-075-20240422 gcc x86_64 randconfig-076-20240422 gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6] BUILD REGRESSION e95a0071898084171841e9f3695a02fc5f58fd0f
by kernel test robot 23 Apr '24

23 Apr '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: e95a0071898084171841e9f3695a02fc5f58fd0f !6256 [OLK-6.6] bugfix from upstream v6.9 for AMD EPYC perf Error/Warning reports: https://lore.kernel.org/oe-kbuild-all/202404222001.4hDpVvmd-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202404230016.B1zZMDXC-lkp@intel.com Error/Warning: (recently discovered and may have been fixed) include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' reading between 65 and 536870912 bytes from a region of size 64 [-Wstringop-overread] ld.lld: error: undefined symbol: __memcpy_mc Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-allnoconfig | `-- arch-arm64-kernel-cpufeature.c:error:enable_pseudo_nmi-undeclared-(first-use-in-this-function) |-- arm64-randconfig-001-20240422 | `-- shadow.c:(.text):undefined-reference-to-__memcpy_mc |-- arm64-randconfig-003-20240422 | `-- include-linux-fortify-string.h:warning:__builtin_memcpy-reading-between-and-bytes-from-a-region-of-size |-- loongarch-allmodconfig | |-- drivers-net-ethernet-bzwx-nce-comm-txrx.c:fatal-error:ne6x_trace.h:No-such-file-or-directory | |-- drivers-net-ethernet-bzwx-nce-ne6x-ne6x.h:fatal-error:reg.h:No-such-file-or-directory | |-- drivers-net-ethernet-bzwx-nce-ne6x_vf-ne6xvf.h:fatal-error:reg.h:No-such-file-or-directory | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:Function-parameter-or-member-netdev-not-described-in-rnp_netpoll | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:expecting-prototype-for-Polling-interrupt-().-Prototype-was-for-rnp_netpoll()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:This-comment-starts-with-but-isn-t-a-kernel-doc-comment.-Refer-Documentation-doc-guide-kernel-doc.rst | |-- drivers-net-ethernet-mucse-rnpvf-rnpvf_main.c:warning:d-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and | `-- drivers-net-ethernet-mucse-rnpvf-rnpvf_main.c:warning:no-previous-prototype-for-rnpvf_alloc_rx_buffers `-- loongarch-randconfig-002-20240422 |-- arch-loongarch-kvm-exit.c:error:struct-sched_info-has-no-member-named-run_delay `-- arch-loongarch-kvm-vcpu.c:error:struct-sched_info-has-no-member-named-run_delay clang_recent_errors |-- arm64-allmodconfig | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:no-previous-prototype-for-function-sss_deinit_hwdev | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:no-previous-prototype-for-function-sss_hwdev_detach | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:no-previous-prototype-for-function-sss_hwdev_shutdown | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:no-previous-prototype-for-function-sss_hwdev_stop | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:no-previous-prototype-for-function-sss_init_hwdev | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:variable-fault_level-set-but-not-used | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_init.c:warning:variable-pcie_src-set-but-not-used | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_io_flush.c:warning:no-previous-prototype-for-function-sss_hwdev_flush_io | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_mgmt_info.c:warning:no-previous-prototype-for-function-sss_deinit_mgmt_info | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwdev_mgmt_info.c:warning:no-previous-prototype-for-function-sss_init_mgmt_info | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm.c:warning:no-previous-prototype-for-function-sss_adm_msg_read | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm.c:warning:no-previous-prototype-for-function-sss_adm_msg_read_ack | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm.c:warning:no-previous-prototype-for-function-sss_adm_msg_write | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm.c:warning:no-previous-prototype-for-function-sss_adm_msg_write_nack | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm.c:warning:no-previous-prototype-for-function-sss_sync_send_adm_msg | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm_init.c:warning:no-previous-prototype-for-function-sss_complete_adm_event | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm_init.c:warning:no-previous-prototype-for-function-sss_destroy_adm_msg | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm_init.c:warning:no-previous-prototype-for-function-sss_hwif_deinit_adm | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_adm_init.c:warning:no-previous-prototype-for-function-sss_hwif_init_adm | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ceq.c:warning:no-previous-prototype-for-function-sss_ceq_intr_handle | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ceq.c:warning:no-previous-prototype-for-function-sss_init_ceqe_desc | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ctrlq_init.c:warning:no-previous-prototype-for-function-sss_ctrlq_flush_sync_cmd | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ctrlq_init.c:warning:no-previous-prototype-for-function-sss_deinit_ctrlq | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ctrlq_init.c:warning:no-previous-prototype-for-function-sss_deinit_ctrlq_channel | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ctrlq_init.c:warning:no-previous-prototype-for-function-sss_init_ctrlq_channel | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ctrlq_init.c:warning:no-previous-prototype-for-function-sss_reinit_ctrlq_ctx | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_ctrlq_init.c:warning:no-previous-prototype-for-function-sss_wait_ctrlq_stop | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_alloc_db_addr | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_chip_set_msix_auto_mask | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_chip_set_msix_state | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_free_db_addr | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_func_id | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_func_type | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_glb_pf_vf_offset | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_global_func_id | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_pcie_itf_id | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_pf_id_of_vf | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_export.c:warning:no-previous-prototype-for-function-sss_get_ppf_id | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_irq.c:warning:no-previous-prototype-for-function-sss_deinit_irq_info | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_irq.c:warning:no-previous-prototype-for-function-sss_init_irq_info | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mbx_init.c:warning:no-previous-prototype-for-function-sss_hwif_deinit_mbx | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mbx_init.c:warning:no-previous-prototype-for-function-sss_hwif_init_mbx | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mbx_init.c:warning:no-previous-prototype-for-function-sss_init_func_mbx_msg | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mbx_init.c:warning:no-previous-prototype-for-function-sss_recv_mbx_aeq_handler | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mgmt_init.c:warning:no-previous-prototype-for-function-sss_flush_mgmt_workq | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mgmt_init.c:warning:no-previous-prototype-for-function-sss_force_complete_all | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_hwif_mgmt_init.c:warning:no-previous-prototype-for-function-sss_mgmt_msg_aeqe_handler | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_error.c:warning:no-previous-prototype-for-function-sss_detect_pci_error | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_global.c:warning:no-previous-prototype-for-function-sss_attach_is_enable | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_global.c:warning:no-previous-prototype-for-function-sss_get_uld_info | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_global.c:warning:no-previous-prototype-for-function-sss_get_uld_names | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_global.c:warning:no-previous-prototype-for-function-sss_init_uld_lock | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_global.c:warning:no-previous-prototype-for-function-sss_lock_uld | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_global.c:warning:no-previous-prototype-for-function-sss_unlock_uld | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_probe.c:warning:no-previous-prototype-for-function-sss_attach_uld_driver | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_probe.c:warning:no-previous-prototype-for-function-sss_pci_probe | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_deinit_adapter | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_deinit_function | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_deinit_pci_dev | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_detach_all_uld_driver | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_detach_uld_driver | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_dettach_uld_dev | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_pci_remove | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_remove.c:warning:no-previous-prototype-for-function-sss_unmap_pci_bar | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-sss_pci_shutdown.c:warning:no-previous-prototype-for-function-sss_pci_shutdown | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_chip.c:warning:no-previous-prototype-for-function-sss_tool_adm_csr_rd32 | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_chip.c:warning:no-previous-prototype-for-function-sss_tool_adm_csr_wr32 | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_chip.c:warning:no-previous-prototype-for-function-sss_tool_send_clp_msg | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_main.c:warning:no-previous-prototype-for-function-sss_tool_alloc_in_buf | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_main.c:warning:no-previous-prototype-for-function-sss_tool_alloc_out_buf | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_main.c:warning:no-previous-prototype-for-function-sss_tool_copy_to_user | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_main.c:warning:no-previous-prototype-for-function-sss_tool_free_in_buf | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_main.c:warning:no-previous-prototype-for-function-sss_tool_free_out_buf | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_sdk.c:warning:no-previous-prototype-for-function-sss_tool_get_func_id | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_sdk.c:warning:no-previous-prototype-for-function-sss_tool_get_func_type | |-- drivers-net-ethernet-3snic-sssnic-nic-..-hw-tool-sss_tool_sdk.c:warning:no-previous-prototype-for-function-sss_tool_get_hw_driver_stats | |-- drivers-net-ethernet-huawei-hinic-hinic_api_cmd.c:warning:expecting-prototype-for-prepare_cell().-Prototype-was-for-wait_for_resp_polling()-instead | |-- drivers-net-ethernet-huawei-hinic-hinic_cfg.c:warning:arithmetic-between-different-enumeration-types-(-enum-hinic_node_id-and-enum-hinic_fault_err_level-) | |-- drivers-net-ethernet-huawei-hinic-hinic_eqs.c:warning:expecting-prototype-for-hinic_aeq_register_sw_cb().-Prototype-was-for-hinic_aeq_register_swe_cb()-instead | |-- drivers-net-ethernet-huawei-hinic-hinic_eqs.c:warning:expecting-prototype-for-hinic_aeq_unregister_sw_cb().-Prototype-was-for-hinic_aeq_unregister_swe_cb()-instead | |-- drivers-net-ethernet-huawei-hinic-hinic_eqs.c:warning:expecting-prototype-for-hinic_ceq_register_sw_cb().-Prototype-was-for-hinic_ceq_register_cb()-instead | |-- drivers-net-ethernet-huawei-hinic-hinic_hwdev.c:warning:arithmetic-between-different-enumeration-types-(-enum-hinic_node_id-and-enum-hinic_fault_err_level-) | |-- drivers-net-ethernet-huawei-hinic-hinic_hwif.c:warning:This-comment-starts-with-but-isn-t-a-kernel-doc-comment.-Refer-Documentation-doc-guide-kernel-doc.rst | |-- drivers-net-ethernet-huawei-hinic-hinic_mbox.c:warning:expecting-prototype-for-hinic_unregister_ppf_mbox_cb().-Prototype-was-for-hinic_unregister_pf_mbox_cb()-instead | |-- drivers-net-ethernet-huawei-hinic-hinic_mbox.c:warning:expecting-prototype-for-hinic_unregister_ppf_mbox_cb().-Prototype-was-for-hinic_unregister_ppf_to_pf_mbox_cb()-instead | |-- drivers-net-ethernet-huawei-hinic-hinic_mgmt.c:warning:This-comment-starts-with-but-isn-t-a-kernel-doc-comment.-Refer-Documentation-doc-guide-kernel-doc.rst | |-- drivers-net-ethernet-huawei-hinic-hinic_nic_dbg.c:warning:arithmetic-between-different-enumeration-types-(-enum-hinic_node_id-and-enum-hinic_fault_err_level-) | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_api_cmd.c:warning:expecting-prototype-for-alloc_cmd_buf().-Prototype-was-for-alloc_resp_buf()-instead | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_api_cmd.c:warning:expecting-prototype-for-prepare_cell().-Prototype-was-for-wait_for_resp_polling()-instead | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_devlink.c:warning:variable-pdev-set-but-not-used | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_mbox.c:warning:expecting-prototype-for-hinic3_unregister_ppf_mbox_cb().-Prototype-was-for-hinic3_unregister_pf_mbox_cb()-instead | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_mbox.c:warning:expecting-prototype-for-hinic3_unregister_ppf_mbox_cb().-Prototype-was-for-hinic3_unregister_ppf_to_pf_mbox_cb()-instead | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_mgmt.c:warning:This-comment-starts-with-but-isn-t-a-kernel-doc-comment.-Refer-Documentation-doc-guide-kernel-doc.rst | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_mgmt.c:warning:expecting-prototype-for-hinic_pf_to_mgmt_free().-Prototype-was-for-hinic3_pf_to_mgmt_free()-instead | |-- drivers-net-ethernet-huawei-hinic3-hw-hinic3_mgmt.c:warning:expecting-prototype-for-hinic_pf_to_mgmt_init().-Prototype-was-for-hinic3_pf_to_mgmt_init()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:Function-parameter-or-member-netdev-not-described-in-rnp_netpoll | |-- drivers-net-ethernet-mucse-rnp-rnp_main.c:warning:expecting-prototype-for-Polling-interrupt-().-Prototype-was-for-rnp_netpoll()-instead | |-- drivers-net-ethernet-mucse-rnp-rnp_mbx_fw.c:warning:This-comment-starts-with-but-isn-t-a-kernel-doc-comment.-Refer-Documentation-doc-guide-kernel-doc.rst | |-- drivers-scsi-hisi_raid-hiraid_main.c:warning:expecting-prototype-for-hiraid_create_cq().-Prototype-was-for-hiraid_create_complete_queue()-instead | `-- drivers-scsi-hisi_raid-hiraid_main.c:warning:expecting-prototype-for-hiraid_create_sq().-Prototype-was-for-hiraid_create_send_queue()-instead `-- arm64-randconfig-002-20240422 `-- ld.lld:error:undefined-symbol:__memcpy_mc elapsed time: 725m configs tested: 40 configs skipped: 143 tested configs: arm64 allmodconfig clang arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240422 gcc arm64 randconfig-002-20240422 clang arm64 randconfig-003-20240422 gcc arm64 randconfig-004-20240422 gcc loongarch allmodconfig gcc loongarch allnoconfig gcc loongarch defconfig gcc loongarch randconfig-001-20240422 gcc loongarch randconfig-002-20240422 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240422 clang x86_64 buildonly-randconfig-002-20240422 gcc x86_64 buildonly-randconfig-003-20240422 gcc x86_64 buildonly-randconfig-004-20240422 clang x86_64 buildonly-randconfig-005-20240422 gcc x86_64 buildonly-randconfig-006-20240422 clang x86_64 defconfig gcc x86_64 randconfig-001-20240422 clang x86_64 randconfig-002-20240422 gcc x86_64 randconfig-003-20240422 clang x86_64 randconfig-004-20240422 gcc x86_64 randconfig-005-20240422 gcc x86_64 randconfig-006-20240422 clang x86_64 randconfig-011-20240422 gcc x86_64 randconfig-012-20240422 clang x86_64 randconfig-013-20240422 gcc x86_64 randconfig-014-20240422 clang x86_64 randconfig-015-20240422 gcc x86_64 randconfig-016-20240422 gcc x86_64 randconfig-071-20240422 clang x86_64 randconfig-072-20240422 gcc x86_64 randconfig-073-20240422 gcc x86_64 randconfig-074-20240422 gcc x86_64 randconfig-075-20240422 gcc x86_64 randconfig-076-20240422 gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 28936/30000] fs/proc/base.c:1454:6: warning: no previous prototype for 'pbha_bit0_hide_file'
by kernel test robot 23 Apr '24

23 Apr '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b05f2de3edcf4fc1b98ced476a06a62b961d3cce commit: bea38841945a52bd03004240eb0da6a5115bae21 [28936/30000] arm64: mm: Hide pbha_bit0 in procfs if pbha is not enabled config: arm64-randconfig-002-20240423 (https://download.01.org/0day-ci/archive/20240423/202404230626.ETmTJeuy-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240423/202404230626.ETmTJeuy-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404230626.ETmTJeuy-lkp@intel.com/ All warnings (new ones prefixed by >>): >> fs/proc/base.c:1454:6: warning: no previous prototype for 'pbha_bit0_hide_file' [-Wmissing-prototypes] 1454 | bool pbha_bit0_hide_file(const char *name) | ^~~~~~~~~~~~~~~~~~~ vim +/pbha_bit0_hide_file +1454 fs/proc/base.c 1453 > 1454 bool pbha_bit0_hide_file(const char *name) 1455 { 1456 if (!system_support_pbha_bit0() && !strncmp("pbha_bit0", name, 9)) 1457 return true; 1458 1459 return false; 1460 } 1461 #else 1462 static bool pbha_bit0_hide_file(const char *name) { return false; } 1463 #endif 1464 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS] BUILD REGRESSION aaa8e73e6e85e82e5b0425d2039e1cbc57089fea
by kernel test robot 23 Apr '24

23 Apr '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: aaa8e73e6e85e82e5b0425d2039e1cbc57089fea !6203 ALSA: usb-audio: fix null pointer dereference on pointer cs_desc Error/Warning reports: https://lore.kernel.org/oe-kbuild-all/202404222359.bREYOZA3-lkp@intel.com https://lore.kernel.org/oe-kbuild-all/202404230151.AOKJ44d0-lkp@intel.com Error/Warning: (recently discovered and may have been fixed) drivers/edac/.tmp_i10nm_base.o: warning: objtool: missing symbol for section .exit.text drivers/edac/.tmp_skx_base.o: warning: objtool: missing symbol for section .exit.text Unverified Error/Warning (likely false positive, please contact us if interested): arch/x86/kernel/cpu/mce/therm_throt.c:366:13: sparse: sparse: cast removes address space '<asn:3>' of expression Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- x86_64-buildonly-randconfig-002-20240422 | `-- arch-x86-include-asm-paravirt.h:warning:mcu_ctrl-may-be-used-uninitialized |-- x86_64-buildonly-randconfig-003-20240422 | |-- drivers-edac-.tmp_i10nm_base.o:warning:objtool:missing-symbol-for-section-.exit.text | `-- drivers-edac-.tmp_skx_base.o:warning:objtool:missing-symbol-for-section-.exit.text |-- x86_64-buildonly-randconfig-005-20240422 | |-- include-linux-list.h:warning:array-subscript-pfo_ret__-is-outside-array-bounds-of-struct-plist_node | |-- include-linux-plist.h:warning:array-subscript-pfo_ret__-is-outside-array-bounds-of-struct-plist_node | `-- mm-swapfile.c:warning:array-subscript-pfo_ret__-is-outside-array-bounds-of-struct-plist_node `-- x86_64-randconfig-122-20240423 |-- arch-x86-kernel-cpu-mce-therm_throt.c:sparse:sparse:cast-removes-address-space-asn-of-expression |-- drivers-md-bcache-request.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-const-noderef-asn-from-got-struct-set_bcache_status |-- drivers-md-bcache-request.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-to-got-struct-get_bcache_status |-- drivers-pci-controller-hisi-pcie-customer-hisi_pcie_cae.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-to-got-void |-- drivers-pci-rom.c:sparse:sparse:incorrect-type-in-return-expression-(different-address-spaces)-expected-void-noderef-asn-got-void |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-long-long-noderef-usertype-asn-off_in-got-long-long-usertype-assigned-poff_in |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-long-long-noderef-usertype-asn-off_out-got-long-long-usertype-assigned-poff_out |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-struct-file-assigned-file-got-struct-file-noderef-asn |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-return-expression-(different-address-spaces)-expected-void-noderef-asn-got-struct-io_buffer-assigned-kbuf |-- include-linux-compiler.h:warning:array-subscript-index-is-outside-array-bounds-of-u32-aka-unsigned-int |-- include-linux-compiler.h:warning:array-subscript-unknown-is-outside-array-bounds-of-const-u32-aka-const-unsigned-int |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-got-int-noderef-pmu_disable_count |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-got-struct-perf_cpu_context-noderef-pmu_cpu_context |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-void-const-noderef-asn-got-int |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-void-const-noderef-asn-got-struct-perf_cpu_context `-- net-ipv4-arp.c:sparse:sparse:incompatible-types-in-comparison-expression-(different-type-sizes): clang_recent_errors |-- x86_64-buildonly-randconfig-006-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-001-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-003-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-006-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-012-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-014-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-071-20240422 | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) |-- x86_64-randconfig-121-20240423 | |-- drivers-gpu-drm-nouveau-nouveau_fence.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-struct-nouveau_channel-chan-got-struct-nouveau_channel-noderef-asn-channel | |-- drivers-gpu-drm-radeon-radeon_bios.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-const-src-got-unsigned-char-noderef-usertype-asn-assigned-bios | |-- drivers-pci-controller-hisi-pcie-customer-hisi_pcie_cae.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-to-got-void | |-- drivers-pci-rom.c:sparse:sparse:incorrect-type-in-return-expression-(different-address-spaces)-expected-void-noderef-asn-got-void | |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-got-int-noderef-pmu_disable_count | |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-got-struct-perf_cpu_context-noderef-pmu_cpu_context | |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-void-const-noderef-asn-got-int | |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-void-const-noderef-asn-got-struct-perf_cpu_context | |-- net-ipv4-arp.c:sparse:sparse:incompatible-types-in-comparison-expression-(different-type-sizes): | `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) `-- x86_64-randconfig-123-20240423 |-- drivers-pci-controller-hisi-pcie-customer-hisi_pcie_cae.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-to-got-void |-- drivers-pci-rom.c:sparse:sparse:incorrect-type-in-return-expression-(different-address-spaces)-expected-void-noderef-asn-got-void |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-long-long-noderef-usertype-asn-off_in-got-long-long-usertype-assigned-poff_in |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-long-long-noderef-usertype-asn-off_out-got-long-long-usertype-assigned-poff_out |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-struct-file-assigned-file-got-struct-file-noderef-asn |-- fs-io_uring.c:sparse:sparse:incorrect-type-in-return-expression-(different-address-spaces)-expected-void-noderef-asn-got-struct-io_buffer-assigned-kbuf |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-got-int-noderef-pmu_disable_count |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-void-noderef-asn-got-struct-perf_cpu_context-noderef-pmu_cpu_context |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-void-const-noderef-asn-got-int |-- kernel-events-core.c:sparse:sparse:incorrect-type-in-initializer-(different-address-spaces)-expected-void-const-noderef-asn-got-struct-perf_cpu_context |-- net-ipv4-arp.c:sparse:sparse:incompatible-types-in-comparison-expression-(different-type-sizes): `-- net-ipv4-arp.c:warning:comparison-of-distinct-pointer-types-(-typeof-(dev-addr_len)-(aka-unsigned-char-)-and-typeof-(sizeof-(r-arp_ha.sa_data))-(aka-unsigned-long-)) elapsed time: 726m configs tested: 34 configs skipped: 148 tested configs: arm64 allmodconfig gcc arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240422 gcc arm64 randconfig-003-20240422 gcc arm64 randconfig-004-20240422 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240422 clang x86_64 buildonly-randconfig-002-20240422 gcc x86_64 buildonly-randconfig-003-20240422 gcc x86_64 buildonly-randconfig-004-20240422 clang x86_64 buildonly-randconfig-005-20240422 gcc x86_64 buildonly-randconfig-006-20240422 clang x86_64 defconfig gcc x86_64 randconfig-001-20240422 clang x86_64 randconfig-002-20240422 gcc x86_64 randconfig-003-20240422 clang x86_64 randconfig-004-20240422 gcc x86_64 randconfig-005-20240422 gcc x86_64 randconfig-006-20240422 clang x86_64 randconfig-011-20240422 gcc x86_64 randconfig-012-20240422 clang x86_64 randconfig-013-20240422 gcc x86_64 randconfig-014-20240422 clang x86_64 randconfig-015-20240422 gcc x86_64 randconfig-016-20240422 gcc x86_64 randconfig-071-20240422 clang x86_64 randconfig-072-20240422 gcc x86_64 randconfig-073-20240422 gcc x86_64 randconfig-074-20240422 gcc x86_64 randconfig-075-20240422 gcc x86_64 randconfig-076-20240422 gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 24732/30000] drivers/char/ipmi/ipmi_bt_sm.c:194:18: error: implicit declaration of function 'acpi_evaluate_integer'; did you mean 'acpi_evaluate_object'?
by kernel test robot 23 Apr '24

23 Apr '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b05f2de3edcf4fc1b98ced476a06a62b961d3cce commit: c1d32ce403f2c2b53138bfdba94c67cad8d137fd [24732/30000] ipmi: Errata workaround to prevent SMS message processing timeout config: arm64-randconfig-002-20240423 (https://download.01.org/0day-ci/archive/20240423/202404230552.HyMsovr7-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240423/202404230552.HyMsovr7-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404230552.HyMsovr7-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/char/ipmi/ipmi_bt_sm.c: In function 'get_sms_atn_quirk': >> drivers/char/ipmi/ipmi_bt_sm.c:194:18: error: implicit declaration of function 'acpi_evaluate_integer'; did you mean 'acpi_evaluate_object'? [-Werror=implicit-function-declaration] 194 | status = acpi_evaluate_integer(handle, "SATN", NULL, &tmp); | ^~~~~~~~~~~~~~~~~~~~~ | acpi_evaluate_object cc1: some warnings being treated as errors vim +194 drivers/char/ipmi/ipmi_bt_sm.c 177 178 #ifdef CONFIG_HISILICON_ERRATUM_162102203 179 /* 180 * To confirm whether the SMS_ATN flag needs to be stored and get 181 * quirk through the method reported by the BIOS. Because in special 182 * cases SMS_ATN flag bits may be lost before being processed. 183 */ 184 static bool get_sms_atn_quirk(struct si_sm_io *io) 185 { 186 acpi_handle handle; 187 acpi_status status; 188 unsigned long long tmp; 189 190 handle = ACPI_HANDLE(io->dev); 191 if (!handle) 192 return false; 193 > 194 status = acpi_evaluate_integer(handle, "SATN", NULL, &tmp); 195 if (ACPI_FAILURE(status)) 196 return false; 197 else if (tmp != 1) 198 return false; 199 200 return true; 201 } 202 #endif 203 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 20368/30000] drivers/ptp/ptp_hisi.c:731:36: warning: 'hisi_ptp_acpi_match' defined but not used
by kernel test robot 23 Apr '24

23 Apr '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: b05f2de3edcf4fc1b98ced476a06a62b961d3cce commit: c64545e1e5fa4e09603149e918f306562a22a60a [20368/30000] net: hns3: add support for Hisilicon ptp sync device config: arm64-randconfig-002-20240423 (https://download.01.org/0day-ci/archive/20240423/202404230205.XJi54qVa-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240423/202404230205.XJi54qVa-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404230205.XJi54qVa-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ptp/ptp_hisi.c:731:36: warning: 'hisi_ptp_acpi_match' defined but not used [-Wunused-const-variable=] 731 | static const struct acpi_device_id hisi_ptp_acpi_match[] = { | ^~~~~~~~~~~~~~~~~~~ vim +/hisi_ptp_acpi_match +731 drivers/ptp/ptp_hisi.c 730 > 731 static const struct acpi_device_id hisi_ptp_acpi_match[] = { 732 { "HISI0411", 0 }, 733 { } 734 }; 735 MODULE_DEVICE_TABLE(acpi, hisi_ptp_acpi_match); 736 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 17815/22166] drivers/edac/.tmp_i10nm_base.o: warning: objtool: missing symbol for section .exit.text
by kernel test robot 23 Apr '24

23 Apr '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: aaa8e73e6e85e82e5b0425d2039e1cbc57089fea commit: 3b7ad71a0a415eb51fb41ddc01ef538a7e163de4 [17815/22166] Intel: EDAC, i10nm: Add a driver for Intel 10nm server processors config: x86_64-buildonly-randconfig-003-20240422 (https://download.01.org/0day-ci/archive/20240423/202404230151.AOKJ44d0-lkp@…) compiler: gcc-13 (Ubuntu 13.2.0-4ubuntu3) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240423/202404230151.AOKJ44d0-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404230151.AOKJ44d0-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/edac/.tmp_i10nm_base.o: warning: objtool: missing symbol for section .exit.text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 7446/7483] ld.lld: error: undefined symbol: __memcpy_mc
by kernel test robot 23 Apr '24

23 Apr '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: e95a0071898084171841e9f3695a02fc5f58fd0f commit: b991780c836ceb9a479c6c6e385e914b487e353a [7446/7483] arm64: introduce copy_mc_to_kernel() implementation config: arm64-randconfig-002-20240422 (https://download.01.org/0day-ci/archive/20240423/202404230016.B1zZMDXC-lkp@…) compiler: clang version 19.0.0git (https://github.com/llvm/llvm-project 7089c359a3845323f6f30c44a47dd901f2edfe63) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240423/202404230016.B1zZMDXC-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404230016.B1zZMDXC-lkp@intel.com/ All errors (new ones prefixed by >>): >> ld.lld: error: undefined symbol: __memcpy_mc >>> referenced by shadow.c >>> mm/kasan/shadow.o:(memcpy_mc) in archive vmlinux.a -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 17814/22166] drivers/edac/.tmp_skx_base.o: warning: objtool: missing symbol for section .exit.text
by kernel test robot 22 Apr '24

22 Apr '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: aaa8e73e6e85e82e5b0425d2039e1cbc57089fea commit: e34047f6dc606c123911c6db8fa424bb4a035262 [17814/22166] EDAC, skx_edac: Delete duplicated code config: x86_64-buildonly-randconfig-003-20240422 (https://download.01.org/0day-ci/archive/20240422/202404222359.bREYOZA3-lkp@…) compiler: gcc-13 (Ubuntu 13.2.0-4ubuntu3) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240422/202404222359.bREYOZA3-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404222359.bREYOZA3-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/edac/.tmp_skx_base.o: warning: objtool: missing symbol for section .exit.text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
by Dong Chenchen 22 Apr '24

22 Apr '24

From: Ziqi Zhao <astrajoan(a)yahoo.com> mainline inclusion from mainline-v6.8-rc5 commit 6cdedc18ba7b9dacc36466e27e3267d201948c8d category: bugfix bugzilla: 189774, https://gitee.com/src-openeuler/kernel/issues/I9E2GX CVE: CVE-2023-52638 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The following 3 locks would race against each other, causing the deadlock situation in the Syzbot bug report: - j1939_socks_lock - active_session_list_lock - sk_session_queue_lock A reasonable fix is to change j1939_socks_lock to an rwlock, since in the rare situations where a write lock is required for the linked list that j1939_socks_lock is protecting, the code does not attempt to acquire any more locks. This would break the circular lock dependency, where, for example, the current thread already locks j1939_socks_lock and attempts to acquire sk_session_queue_lock, and at the same time, another thread attempts to acquire j1939_socks_lock while holding sk_session_queue_lock. NOTE: This patch along does not fix the unregister_netdevice bug reported by Syzbot; instead, it solves a deadlock situation to prepare for one or more further patches to actually fix the Syzbot bug, which appears to be a reference counting problem within the j1939 codebase. Reported-by: <syzbot+1591462f226d9cbf0564(a)syzkaller.appspotmail.com> Signed-off-by: Ziqi Zhao <astrajoan(a)yahoo.com> Reviewed-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Acked-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Link: https://lore.kernel.org/all/20230721162226.8639-1-astrajoan@yahoo.com [mkl: remove unrelated newline change] Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Conflicts: net/can/j1939/socket.c Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/can/j1939/j1939-priv.h | 2 +- net/can/j1939/main.c | 2 +- net/can/j1939/socket.c | 20 ++++++++++---------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/net/can/j1939/j1939-priv.h b/net/can/j1939/j1939-priv.h index c8f469a7e7d9..4f4e0228ad7f 100644 --- a/net/can/j1939/j1939-priv.h +++ b/net/can/j1939/j1939-priv.h @@ -83,7 +83,7 @@ struct j1939_priv { unsigned int tp_max_packet_size; /* lock for j1939_socks list */ - spinlock_t j1939_socks_lock; + rwlock_t j1939_socks_lock; struct list_head j1939_socks; struct kref rx_kref; diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c index 137054bff9ec..fed1de256827 100644 --- a/net/can/j1939/main.c +++ b/net/can/j1939/main.c @@ -262,7 +262,7 @@ struct j1939_priv *j1939_netdev_start(struct net_device *ndev) return ERR_PTR(-ENOMEM); j1939_tp_init(priv); - spin_lock_init(&priv->j1939_socks_lock); + rwlock_init(&priv->j1939_socks_lock); INIT_LIST_HEAD(&priv->j1939_socks); spin_lock(&j1939_netdev_lock); diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c index ebff753076a9..89013808d908 100644 --- a/net/can/j1939/socket.c +++ b/net/can/j1939/socket.c @@ -79,16 +79,16 @@ static void j1939_jsk_add(struct j1939_priv *priv, struct j1939_sock *jsk) jsk->state |= J1939_SOCK_BOUND; j1939_priv_get(priv); - spin_lock_bh(&priv->j1939_socks_lock); + write_lock_bh(&priv->j1939_socks_lock); list_add_tail(&jsk->list, &priv->j1939_socks); - spin_unlock_bh(&priv->j1939_socks_lock); + write_unlock_bh(&priv->j1939_socks_lock); } static void j1939_jsk_del(struct j1939_priv *priv, struct j1939_sock *jsk) { - spin_lock_bh(&priv->j1939_socks_lock); + write_lock_bh(&priv->j1939_socks_lock); list_del_init(&jsk->list); - spin_unlock_bh(&priv->j1939_socks_lock); + write_unlock_bh(&priv->j1939_socks_lock); j1939_priv_put(priv); jsk->state &= ~J1939_SOCK_BOUND; @@ -336,13 +336,13 @@ bool j1939_sk_recv_match(struct j1939_priv *priv, struct j1939_sk_buff_cb *skcb) struct j1939_sock *jsk; bool match = false; - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { match = j1939_sk_recv_match_one(jsk, skcb); if (match) break; } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); return match; } @@ -351,11 +351,11 @@ void j1939_sk_recv(struct j1939_priv *priv, struct sk_buff *skb) { struct j1939_sock *jsk; - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { j1939_sk_recv_one(jsk, skb); } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); } static void j1939_sk_sock_destruct(struct sock *sk) @@ -1185,7 +1185,7 @@ void j1939_sk_netdev_event_netdown(struct j1939_priv *priv) struct j1939_sock *jsk; int error_code = ENETDOWN; - spin_lock_bh(&priv->j1939_socks_lock); + read_lock_bh(&priv->j1939_socks_lock); list_for_each_entry(jsk, &priv->j1939_socks, list) { jsk->sk.sk_err = error_code; if (!sock_flag(&jsk->sk, SOCK_DEAD)) @@ -1193,7 +1193,7 @@ void j1939_sk_netdev_event_netdown(struct j1939_priv *priv) j1939_sk_queue_drop_all(priv, jsk, error_code); } - spin_unlock_bh(&priv->j1939_socks_lock); + read_unlock_bh(&priv->j1939_socks_lock); } static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd, -- 2.25.1

2 1

[PATCH OLK-6.6 0/2] optimize the osq_lock to reduce cache miss
by Zheng Zengkai 22 Apr '24

22 Apr '24

Avoid reading node->prev in vcpu_is_preempted in osq_lock to reduce cache miss for bare-metal environment. Guo Hui (1): x86/paravirt: useless assignment instructions cause Unixbench full core performance degradation Zheng Zengkai (1): arm64/paravirt: disable vcpu_has_preemption if PV sched can't be used arch/arm64/kernel/paravirt.c | 3 +++ arch/x86/kernel/paravirt-spinlocks.c | 4 ++++ kernel/locking/osq_lock.c | 19 ++++++++++++++++++- 3 files changed, 25 insertions(+), 1 deletion(-) -- 2.20.1

2 3

[PATCH OLK-5.10] f2fs: fix to truncate meta inode pages forcely
by Zizhi Wo 22 Apr '24

22 Apr '24

From: Chao Yu <chao(a)kernel.org> stable inclusion from stable-v6.6.23 commit c92f2927df860a60ba815d3ee610a944b92a8694 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKE5 CVE: CVE-2024-26869 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 9f0c4a46be1fe9b97dbe66d49204c1371e3ece65 ] Below race case can cause data corruption: Thread A GC thread - gc_data_segment - ra_data_block - locked meta_inode page - f2fs_inplace_write_data - invalidate_mapping_pages : fail to invalidate meta_inode page due to lock failure or dirty|writeback status - f2fs_submit_page_bio : write last dirty data to old blkaddr - move_data_block - load old data from meta_inode page - f2fs_submit_page_write : write old data to new blkaddr Because invalidate_mapping_pages() will skip invalidating page which has unclear status including locked, dirty, writeback and so on, so we need to use truncate_inode_pages_range() instead of invalidate_mapping_pages() to make sure meta_inode page will be dropped. Fixes: 6aa58d8ad20a ("f2fs: readahead encrypted block during GC") Fixes: e3b49ea36802 ("f2fs: invalidate META_MAPPING before IPU/DIO write") Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/f2fs/data.c fs/f2fs/gc.c fs/f2fs/segment.c fs/f2fs/f2fs.h Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/f2fs/checkpoint.c | 5 +++-- fs/f2fs/data.c | 3 +-- fs/f2fs/f2fs.h | 26 ++++++++++++++++++++++++++ fs/f2fs/gc.c | 3 +-- fs/f2fs/segment.c | 8 +++----- include/linux/f2fs_fs.h | 1 + 6 files changed, 35 insertions(+), 11 deletions(-) diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c index 8ca549cc975e..8a94bf3611d3 100644 --- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c @@ -1551,8 +1551,9 @@ static int do_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc) */ if (f2fs_sb_has_encrypt(sbi) || f2fs_sb_has_verity(sbi) || f2fs_sb_has_compression(sbi)) - invalidate_mapping_pages(META_MAPPING(sbi), - MAIN_BLKADDR(sbi), MAX_BLKADDR(sbi) - 1); + f2fs_bug_on(sbi, + invalidate_inode_pages2_range(META_MAPPING(sbi), + MAIN_BLKADDR(sbi), MAX_BLKADDR(sbi) - 1)); f2fs_release_ino_entry(sbi, false); diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index e0533cffbb07..2f526fddabf3 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1421,8 +1421,7 @@ static int __allocate_data_block(struct dnode_of_data *dn, int seg_type) f2fs_allocate_data_block(sbi, NULL, old_blkaddr, &dn->data_blkaddr, &sum, seg_type, NULL); if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO) - invalidate_mapping_pages(META_MAPPING(sbi), - old_blkaddr, old_blkaddr); + f2fs_truncate_meta_inode_pages(sbi, old_blkaddr, 1); f2fs_update_data_blkaddr(dn, dn->data_blkaddr); /* diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 83ebc860508b..29e11997bdbc 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -4126,6 +4126,32 @@ static inline bool is_journalled_quota(struct f2fs_sb_info *sbi) return false; } +static inline void f2fs_truncate_meta_inode_pages(struct f2fs_sb_info *sbi, + block_t blkaddr, unsigned int cnt) +{ + bool need_submit = false; + int i = 0; + + do { + struct page *page; + + page = find_get_page(META_MAPPING(sbi), blkaddr + i); + if (page) { + if (PageWriteback(page)) + need_submit = true; + f2fs_put_page(page, 0); + } + } while (++i < cnt && !need_submit); + + if (need_submit) + f2fs_submit_merged_write_cond(sbi, sbi->meta_inode, + NULL, 0, DATA); + + truncate_inode_pages_range(META_MAPPING(sbi), + F2FS_BLK_TO_BYTES((loff_t)blkaddr), + F2FS_BLK_END_BYTES((loff_t)(blkaddr + cnt - 1))); +} + #define EFSBADCRC EBADMSG /* Bad CRC detected */ #define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */ diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index b908dfaafc9c..65f1363b3608 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1257,8 +1257,7 @@ static int move_data_block(struct inode *inode, block_t bidx, memcpy(page_address(fio.encrypted_page), page_address(mpage), PAGE_SIZE); f2fs_put_page(mpage, 1); - invalidate_mapping_pages(META_MAPPING(fio.sbi), - fio.old_blkaddr, fio.old_blkaddr); + f2fs_truncate_meta_inode_pages(fio.sbi, fio.old_blkaddr, 1); set_page_dirty(fio.encrypted_page); if (clear_page_dirty_for_io(fio.encrypted_page)) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index a27a93429271..88c9e0df087b 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -2311,7 +2311,7 @@ void f2fs_invalidate_blocks(struct f2fs_sb_info *sbi, block_t addr) if (addr == NEW_ADDR || addr == COMPRESS_ADDR) return; - invalidate_mapping_pages(META_MAPPING(sbi), addr, addr); + f2fs_truncate_meta_inode_pages(sbi, addr, 1); /* add it into sit main buffer */ down_write(&sit_i->sentry_lock); @@ -3468,8 +3468,7 @@ static void do_write_page(struct f2fs_summary *sum, struct f2fs_io_info *fio) f2fs_allocate_data_block(fio->sbi, fio->page, fio->old_blkaddr, &fio->new_blkaddr, sum, type, fio); if (GET_SEGNO(fio->sbi, fio->old_blkaddr) != NULL_SEGNO) - invalidate_mapping_pages(META_MAPPING(fio->sbi), - fio->old_blkaddr, fio->old_blkaddr); + f2fs_truncate_meta_inode_pages(fio->sbi, fio->old_blkaddr, 1); /* writeout dirty page into bdev */ f2fs_submit_page_write(fio); @@ -3640,8 +3639,7 @@ void f2fs_do_replace_block(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, update_sit_entry(sbi, new_blkaddr, 1); } if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO) { - invalidate_mapping_pages(META_MAPPING(sbi), - old_blkaddr, old_blkaddr); + f2fs_truncate_meta_inode_pages(sbi, old_blkaddr, 1); if (!from_gc) update_segment_mtime(sbi, old_blkaddr, 0); update_sit_entry(sbi, old_blkaddr, -1); diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h index a5dbb57a687f..7fd4bea6be64 100644 --- a/include/linux/f2fs_fs.h +++ b/include/linux/f2fs_fs.h @@ -27,6 +27,7 @@ #define F2FS_BYTES_TO_BLK(bytes) ((bytes) >> F2FS_BLKSIZE_BITS) #define F2FS_BLK_TO_BYTES(blk) ((blk) << F2FS_BLKSIZE_BITS) +#define F2FS_BLK_END_BYTES(blk) (F2FS_BLK_TO_BYTES(blk + 1) - 1) /* 0, 1(node nid), 2(meta nid) are reserved node id */ #define F2FS_RESERVED_NODE_NUM 3 -- 2.39.2

2 1

[PATCH OLK-6.6 0/2] Fix CVE-2024-26869
by Zizhi Wo 22 Apr '24

22 Apr '24

Fix CVE-2024-26869. Chao Yu (2): f2fs: introduce f2fs_invalidate_internal_cache() for cleanup f2fs: fix to truncate meta inode pages forcely fs/f2fs/checkpoint.c | 5 +++-- fs/f2fs/data.c | 8 +++----- fs/f2fs/f2fs.h | 33 +++++++++++++++++++++++++++++++++ fs/f2fs/gc.c | 5 ++--- fs/f2fs/segment.c | 19 ++++++------------- include/linux/f2fs_fs.h | 1 + 6 files changed, 48 insertions(+), 23 deletions(-) -- 2.39.2

2 3

[PATCH OLK-6.6] f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
by Yifan Qiao 22 Apr '24

22 Apr '24

From: Wenjie Qi <qwjhust(a)gmail.com> mainline inclusion from mainline-v6.9-rc1 commit c2034ef6192a65a986a45c2aa2ed05824fdc0e9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKBD CVE: CVE-2024-26871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- BUG: kernel NULL pointer dereference, address: 0000000000000014 RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? __die+0x29/0x70 ? page_fault_oops+0x154/0x4a0 ? prb_read_valid+0x20/0x30 ? __irq_work_queue_local+0x39/0xd0 ? irq_work_queue+0x36/0x70 ? do_user_addr_fault+0x314/0x6c0 ? exc_page_fault+0x7d/0x190 ? asm_exc_page_fault+0x2b/0x30 ? f2fs_submit_page_write+0x6cf/0x780 [f2fs] ? f2fs_submit_page_write+0x736/0x780 [f2fs] do_write_page+0x50/0x170 [f2fs] f2fs_outplace_write_data+0x61/0xb0 [f2fs] f2fs_do_write_data_page+0x3f8/0x660 [f2fs] f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs] f2fs_write_cache_pages+0x3da/0xbe0 [f2fs] ... It is possible that other threads have added this fio to io->bio and submitted the io->bio before entering f2fs_submit_page_write(). At this point io->bio = NULL. If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true, then an NULL pointer dereference error occurs at bio_get(io->bio). The original code for determining zone end was after "out:", which would have missed some fio who is zone end. I've moved this code before "skip:" to make sure it's done for each fio. Fixes: e067dc3c6b9c ("f2fs: maintain six open zones for zoned devices") Signed-off-by: Wenjie Qi <qwjhust(a)gmail.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/f2fs/data.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index f5f33926acf8..8ab19498dcd7 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1080,10 +1080,6 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio) io->last_block_in_bio = fio->new_blkaddr; trace_f2fs_submit_page_write(fio->page, fio); -skip: - if (fio->in_list) - goto next; -out: #ifdef CONFIG_BLK_DEV_ZONED if (f2fs_sb_has_blkzoned(sbi) && btype < META && is_end_zone_blkaddr(sbi, fio->new_blkaddr)) { @@ -1096,6 +1092,10 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio) __submit_merged_bio(io); } #endif +skip: + if (fio->in_list) + goto next; +out: if (is_sbi_flag_set(sbi, SBI_IS_SHUTDOWN) || !f2fs_is_checkpoint_ready(sbi)) __submit_merged_bio(io); -- 2.39.2

2 1

[openeuler:OLK-6.6 2431/7479] include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' reading between 65 and 536870912 bytes from a region of size 64
by kernel test robot 22 Apr '24

22 Apr '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: e95a0071898084171841e9f3695a02fc5f58fd0f commit: f04c0f3eb9b49427c273cd3e4d5a2ff895855b4b [2431/7479] make OPTIMIZE_INLINING config editable config: arm64-randconfig-003-20240422 (https://download.01.org/0day-ci/archive/20240422/202404222001.4hDpVvmd-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240422/202404222001.4hDpVvmd-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202404222001.4hDpVvmd-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from include/linux/string.h:294, from include/linux/bitmap.h:11, from include/linux/cpumask.h:12, from include/linux/smp.h:13, from include/linux/lockdep.h:14, from include/linux/spinlock.h:63, from include/linux/swait.h:7, from include/linux/completion.h:12, from kernel/padata.c:14: In function 'bitmap_copy', inlined from 'cpumask_copy' at include/linux/cpumask.h:740:2, inlined from '__padata_set_cpumasks' at kernel/padata.c:709:2: >> include/linux/fortify-string.h:57:33: warning: '__builtin_memcpy' reading between 65 and 536870912 bytes from a region of size 64 [-Wstringop-overread] 57 | #define __underlying_memcpy __builtin_memcpy | ^ include/linux/fortify-string.h:648:9: note: in expansion of macro '__underlying_memcpy' 648 | __underlying_##op(p, q, __fortify_size); \ | ^~~~~~~~~~~~~ include/linux/fortify-string.h:693:26: note: in expansion of macro '__fortify_memcpy_chk' 693 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \ | ^~~~~~~~~~~~~~~~~~~~ include/linux/bitmap.h:268:17: note: in expansion of macro 'memcpy' 268 | memcpy(dst, src, len); | ^~~~~~ kernel/padata.c: In function '__padata_set_cpumasks': kernel/padata.c:692:48: note: source object 'pcpumask' of size [0, 64] 692 | cpumask_var_t pcpumask, | ~~~~~~~~~~~~~~^~~~~~~~ vim +/__builtin_memcpy +57 include/linux/fortify-string.h 78a498c3a227f2 Alexander Potapenko 2022-10-24 46 78a498c3a227f2 Alexander Potapenko 2022-10-24 47 #if defined(__SANITIZE_MEMORY__) 78a498c3a227f2 Alexander Potapenko 2022-10-24 48 /* 78a498c3a227f2 Alexander Potapenko 2022-10-24 49 * For KMSAN builds all memcpy/memset/memmove calls should be replaced by the 78a498c3a227f2 Alexander Potapenko 2022-10-24 50 * corresponding __msan_XXX functions. 78a498c3a227f2 Alexander Potapenko 2022-10-24 51 */ 78a498c3a227f2 Alexander Potapenko 2022-10-24 52 #include <linux/kmsan_string.h> 78a498c3a227f2 Alexander Potapenko 2022-10-24 53 #define __underlying_memcpy __msan_memcpy 78a498c3a227f2 Alexander Potapenko 2022-10-24 54 #define __underlying_memmove __msan_memmove 78a498c3a227f2 Alexander Potapenko 2022-10-24 55 #define __underlying_memset __msan_memset 78a498c3a227f2 Alexander Potapenko 2022-10-24 56 #else a28a6e860c6cf2 Francis Laniel 2021-02-25 @57 #define __underlying_memcpy __builtin_memcpy a28a6e860c6cf2 Francis Laniel 2021-02-25 58 #define __underlying_memmove __builtin_memmove a28a6e860c6cf2 Francis Laniel 2021-02-25 59 #define __underlying_memset __builtin_memset 78a498c3a227f2 Alexander Potapenko 2022-10-24 60 #endif 78a498c3a227f2 Alexander Potapenko 2022-10-24 61 :::::: The code at line 57 was first introduced by commit :::::: a28a6e860c6cf231cf3c5171c75c342adcd00406 string.h: move fortified functions definitions in a dedicated header. :::::: TO: Francis Laniel <laniel_francis(a)privacyrequired.com> :::::: CC: Linus Torvalds <torvalds(a)linux-foundation.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] scsi: pm80xx: Fix memory leak during rmmod
by Li Lingfeng 22 Apr '24

22 Apr '24

From: Ajish Koshy <Ajish.Koshy(a)microchip.com> mainline inclusion from mainline-v5.16-rc1 commit 51e6ed83bb4ade7c360551fa4ae55c4eacea354b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNET CVE: CVE-2021-47193 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Driver failed to release all memory allocated. This would lead to memory leak during driver removal. Properly free memory when the module is removed. Link: https://lore.kernel.org/r/20210906170404.5682-5-Ajish.Koshy@microchip.com Acked-by: Jack Wang <jinpu.wang(a)ionos.com> Signed-off-by: Ajish Koshy <Ajish.Koshy(a)microchip.com> Signed-off-by: Viswas G <Viswas.G(a)microchip.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflict: drivers/scsi/pm8001/pm8001_init.c Commit 27a34943bd89("scsi: pm8001: Remove typecast for pointer returned by kcalloc()") remove typecast for pointer returned by kcalloc(). Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/scsi/pm8001/pm8001_init.c | 11 +++++++++++ drivers/scsi/pm8001/pm8001_sas.h | 1 + 2 files changed, 12 insertions(+) diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c index f40db6f40b1d..45bffa49f876 100644 --- a/drivers/scsi/pm8001/pm8001_init.c +++ b/drivers/scsi/pm8001/pm8001_init.c @@ -1166,6 +1166,7 @@ pm8001_init_ccb_tag(struct pm8001_hba_info *pm8001_ha, struct Scsi_Host *shost, goto err_out; /* Memory region for ccb_info*/ + pm8001_ha->ccb_count = ccb_count; pm8001_ha->ccb_info = (struct pm8001_ccb_info *) kcalloc(ccb_count, sizeof(struct pm8001_ccb_info), GFP_KERNEL); if (!pm8001_ha->ccb_info) { @@ -1226,6 +1227,16 @@ static void pm8001_pci_remove(struct pci_dev *pdev) tasklet_kill(&pm8001_ha->tasklet[j]); #endif scsi_host_put(pm8001_ha->shost); + + for (i = 0; i < pm8001_ha->ccb_count; i++) { + dma_free_coherent(&pm8001_ha->pdev->dev, + sizeof(struct pm8001_prd) * PM8001_MAX_DMA_SG, + pm8001_ha->ccb_info[i].buf_prd, + pm8001_ha->ccb_info[i].ccb_dma_handle); + } + kfree(pm8001_ha->ccb_info); + kfree(pm8001_ha->devices); + pm8001_free(pm8001_ha); kfree(sha->sas_phy); kfree(sha->sas_port); diff --git a/drivers/scsi/pm8001/pm8001_sas.h b/drivers/scsi/pm8001/pm8001_sas.h index 5cd6fe6a7d2d..74099d82e436 100644 --- a/drivers/scsi/pm8001/pm8001_sas.h +++ b/drivers/scsi/pm8001/pm8001_sas.h @@ -515,6 +515,7 @@ struct pm8001_hba_info { u32 iomb_size; /* SPC and SPCV IOMB size */ struct pm8001_device *devices; struct pm8001_ccb_info *ccb_info; + u32 ccb_count; #ifdef PM8001_USE_MSIX int number_of_intr;/*will be used in remove()*/ char intr_drvname[PM8001_MAX_MSIX_VEC] -- 2.31.1

2 1

[PATCH openEuler-1.0-LTS] scsi: lpfc: Fix link down processing to address NULL pointer dereference
by dinglongwei 22 Apr '24

22 Apr '24

From: James Smart <jsmart2021(a)gmail.com> mainline inclusion from mainline-v5.16-rc1 commit 1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNFF CVE: CVE-2021-47183 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If an FC link down transition while PLOGIs are outstanding to fabric well known addresses, outstanding ABTS requests may result in a NULL pointer dereference. Driver unload requests may hang with repeated "2878" log messages. The Link down processing results in ABTS requests for outstanding ELS requests. The Abort WQEs are sent for the ELSs before the driver had set the link state to down. Thus the driver is sending the Abort with the expectation that an ABTS will be sent on the wire. The Abort request is stalled waiting for the link to come up. In some conditions the driver may auto-complete the ELSs thus if the link does come up, the Abort completions may reference an invalid structure. Fix by ensuring that Abort set the flag to avoid link traffic if issued due to conditions where the link failed. Link: https://lore.kernel.org/r/20211020211417.88754-7-jsmart2021@gmail.com Co-developed-by: Justin Tee <justin.tee(a)broadcom.com> Signed-off-by: Justin Tee <justin.tee(a)broadcom.com> Signed-off-by: James Smart <jsmart2021(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> --- drivers/scsi/lpfc/lpfc_sli.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index 6c775a8bf..86d31fe32 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c @@ -10839,10 +10839,12 @@ lpfc_sli_abort_iotag_issue(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, if (cmdiocb->iocb_flag & LPFC_IO_FOF) abtsiocbp->iocb_flag |= LPFC_IO_FOF; - if (phba->link_state >= LPFC_LINK_UP) - iabt->ulpCommand = CMD_ABORT_XRI_CN; - else + if (phba->link_state < LPFC_LINK_UP || + (phba->sli_rev == LPFC_SLI_REV4 && + phba->sli4_hba.link_state.status == LPFC_FC_LA_TYPE_LINK_DOWN)) iabt->ulpCommand = CMD_CLOSE_XRI_CN; + else + iabt->ulpCommand = CMD_ABORT_XRI_CN; abtsiocbp->iocb_cmpl = lpfc_sli_abort_els_cmpl; abtsiocbp->vport = vport; -- 2.17.1

2 1

[PATCH OLK-6.6 v3 0/2] m: convert mm's rss stats to use atomic mode
by Peng Zhang 22 Apr '24

22 Apr '24

From: ZhangPeng <zhangpeng362(a)huawei.com> Since commit f1a7941243c1 ("mm: convert mm's rss stats into percpu_counter"), the rss_stats have converted into percpu_counter, which convert the error margin from (nr_threads * 64) to approximately (nr_cpus ^ 2). However, the new percpu allocation in mm_init() causes a performance regression on fork/exec/shell. Even after commit 14ef95be6f55 ("kernel/fork: group allocation/free of per-cpu counters for mm struct"), the performance of fork/exec/shell is still poor compared to previous kernel versions. To mitigate performance regression, we delay the allocation of percpu memory for rss_stats. Therefore, we convert mm's rss stats to use percpu_counter atomic mode. For single-thread processes, rss_stat is in atomic mode, which reduces the memory consumption and performance regression caused by using percpu. For multiple-thread processes, rss_stat is switched to the percpu mode to reduce the error margin. We convert rss_stats from atomic mode to percpu mode only when the second thread is created. After lmbench test, we can get 2% ~ 4% performance improvement for lmbench fork_proc/exec_proc/shell_proc and 6.7% performance improvement for lmbench page_fault (before batch mode[1]). The test results are as follows: base base+revert base+this patch fork_proc 416.3ms 400.0ms (3.9%) 398.6ms (4.2%) exec_proc 2095.9ms 2061.1ms (1.7%) 2047.7ms (2.3%) shell_proc 3028.2ms 2954.7ms (2.4%) 2961.2ms (2.2%) page_fault 0.3603ms 0.3358ms (6.8%) 0.3361ms (6.7%) [1] https://lore.kernel.org/all/20240412064751.119015-1-wangkefeng.wang@huawei.… ChangeLog: v2->v3: - remove patch 3. v1->v2: - Split patch 2 into two patches. ZhangPeng (2): percpu_counter: introduce atomic mode for percpu_counter mm: convert mm's rss stats to use atomic mode include/linux/mm.h | 50 +++++++++++++++++++++++++++++----- include/linux/percpu_counter.h | 48 ++++++++++++++++++++++++++++++-- include/trace/events/kmem.h | 4 +-- kernel/fork.c | 20 ++++++++------ lib/percpu_counter.c | 35 ++++++++++++++++++++++-- 5 files changed, 135 insertions(+), 22 deletions(-) -- 2.25.1

2 3

[PATCH OLK-6.6] dm: call the resume method on internal suspend
by Li Lingfeng 22 Apr '24

22 Apr '24

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-v6.9-rc1 commit 65e8fbde64520001abf1c8d0e573561b4746ef38 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJXV CVE: CVE-2024-26880 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is this reported crash when experimenting with the lvm2 testsuite. The list corruption is caused by the fact that the postsuspend and resume methods were not paired correctly; there were two consecutive calls to the origin_postsuspend function. The second call attempts to remove the "hash_list" entry from a list, while it was already removed by the first call. Fix __dm_internal_resume so that it calls the preresume and resume methods of the table's targets. If a preresume method of some target fails, we are in a tricky situation. We can't return an error because dm_internal_resume isn't supposed to return errors. We can't return success, because then the "resume" and "postsuspend" methods would not be paired correctly. So, we set the DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace tools, but it won't cause a kernel crash. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0 <snip> RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058 R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001 R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0 FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0 Call Trace: <TASK> ? die+0x2d/0x80 ? do_trap+0xeb/0xf0 ? __list_del_entry_valid_or_report+0x77/0xc0 ? do_error_trap+0x60/0x80 ? __list_del_entry_valid_or_report+0x77/0xc0 ? exc_invalid_op+0x49/0x60 ? __list_del_entry_valid_or_report+0x77/0xc0 ? asm_exc_invalid_op+0x16/0x20 ? table_deps+0x1b0/0x1b0 [dm_mod] ? __list_del_entry_valid_or_report+0x77/0xc0 origin_postsuspend+0x1a/0x50 [dm_snapshot] dm_table_postsuspend_targets+0x34/0x50 [dm_mod] dm_suspend+0xd8/0xf0 [dm_mod] dev_suspend+0x1f2/0x2f0 [dm_mod] ? table_deps+0x1b0/0x1b0 [dm_mod] ctl_ioctl+0x300/0x5f0 [dm_mod] dm_compat_ctl_ioctl+0x7/0x10 [dm_mod] __x64_compat_sys_ioctl+0x104/0x170 do_syscall_64+0x184/0x1b0 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0xf7e6aead <snip> ---[ end trace 0000000000000000 ]--- Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface") Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index f7212e8fc27f..6fa1dfe72ddb 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2920,6 +2920,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned int suspend static void __dm_internal_resume(struct mapped_device *md) { + int r; + struct dm_table *map; + BUG_ON(!md->internal_suspend_count); if (--md->internal_suspend_count) @@ -2928,12 +2931,23 @@ static void __dm_internal_resume(struct mapped_device *md) if (dm_suspended_md(md)) goto done; /* resume from nested suspend */ - /* - * NOTE: existing callers don't need to call dm_table_resume_targets - * (which may fail -- so best to avoid it for now by passing NULL map) - */ - (void) __dm_resume(md, NULL); - + map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + r = __dm_resume(md, map); + if (r) { + /* + * If a preresume method of some target failed, we are in a + * tricky situation. We can't return an error to the caller. We + * can't fake success because then the "resume" and + * "postsuspend" methods would not be paired correctly, and it + * would break various targets, for example it would cause list + * corruption in the "origin" target. + * + * So, we fake normal suspend here, to make sure that the + * "resume" and "postsuspend" methods will be paired correctly. + */ + DMERR("Preresume method failed: %d", r); + set_bit(DMF_SUSPENDED, &md->flags); + } done: clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); smp_mb__after_atomic(); -- 2.31.1

2 1

[PATCH OLK-5.10] dm: call the resume method on internal suspend
by Li Lingfeng 22 Apr '24

22 Apr '24

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-v6.9-rc1 commit 65e8fbde64520001abf1c8d0e573561b4746ef38 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJXV CVE: CVE-2024-26880 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is this reported crash when experimenting with the lvm2 testsuite. The list corruption is caused by the fact that the postsuspend and resume methods were not paired correctly; there were two consecutive calls to the origin_postsuspend function. The second call attempts to remove the "hash_list" entry from a list, while it was already removed by the first call. Fix __dm_internal_resume so that it calls the preresume and resume methods of the table's targets. If a preresume method of some target fails, we are in a tricky situation. We can't return an error because dm_internal_resume isn't supposed to return errors. We can't return success, because then the "resume" and "postsuspend" methods would not be paired correctly. So, we set the DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace tools, but it won't cause a kernel crash. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0 <snip> RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058 R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001 R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0 FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0 Call Trace: <TASK> ? die+0x2d/0x80 ? do_trap+0xeb/0xf0 ? __list_del_entry_valid_or_report+0x77/0xc0 ? do_error_trap+0x60/0x80 ? __list_del_entry_valid_or_report+0x77/0xc0 ? exc_invalid_op+0x49/0x60 ? __list_del_entry_valid_or_report+0x77/0xc0 ? asm_exc_invalid_op+0x16/0x20 ? table_deps+0x1b0/0x1b0 [dm_mod] ? __list_del_entry_valid_or_report+0x77/0xc0 origin_postsuspend+0x1a/0x50 [dm_snapshot] dm_table_postsuspend_targets+0x34/0x50 [dm_mod] dm_suspend+0xd8/0xf0 [dm_mod] dev_suspend+0x1f2/0x2f0 [dm_mod] ? table_deps+0x1b0/0x1b0 [dm_mod] ctl_ioctl+0x300/0x5f0 [dm_mod] dm_compat_ctl_ioctl+0x7/0x10 [dm_mod] __x64_compat_sys_ioctl+0x104/0x170 do_syscall_64+0x184/0x1b0 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0xf7e6aead <snip> ---[ end trace 0000000000000000 ]--- Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface") Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 1c79eaede4df..e90b3e96fafc 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2707,6 +2707,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla static void __dm_internal_resume(struct mapped_device *md) { + int r; + struct dm_table *map; + BUG_ON(!md->internal_suspend_count); if (--md->internal_suspend_count) @@ -2715,12 +2718,23 @@ static void __dm_internal_resume(struct mapped_device *md) if (dm_suspended_md(md)) goto done; /* resume from nested suspend */ - /* - * NOTE: existing callers don't need to call dm_table_resume_targets - * (which may fail -- so best to avoid it for now by passing NULL map) - */ - (void) __dm_resume(md, NULL); - + map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + r = __dm_resume(md, map); + if (r) { + /* + * If a preresume method of some target failed, we are in a + * tricky situation. We can't return an error to the caller. We + * can't fake success because then the "resume" and + * "postsuspend" methods would not be paired correctly, and it + * would break various targets, for example it would cause list + * corruption in the "origin" target. + * + * So, we fake normal suspend here, to make sure that the + * "resume" and "postsuspend" methods will be paired correctly. + */ + DMERR("Preresume method failed: %d", r); + set_bit(DMF_SUSPENDED, &md->flags); + } done: clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); smp_mb__after_atomic(); -- 2.31.1

2 1

[PATCH openEuler-1.0-LTS] dm: call the resume method on internal suspend
by Li Lingfeng 22 Apr '24

22 Apr '24

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-v6.9-rc1 commit 65e8fbde64520001abf1c8d0e573561b4746ef38 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HJXV CVE: CVE-2024-26880 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is this reported crash when experimenting with the lvm2 testsuite. The list corruption is caused by the fact that the postsuspend and resume methods were not paired correctly; there were two consecutive calls to the origin_postsuspend function. The second call attempts to remove the "hash_list" entry from a list, while it was already removed by the first call. Fix __dm_internal_resume so that it calls the preresume and resume methods of the table's targets. If a preresume method of some target fails, we are in a tricky situation. We can't return an error because dm_internal_resume isn't supposed to return errors. We can't return success, because then the "resume" and "postsuspend" methods would not be paired correctly. So, we set the DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace tools, but it won't cause a kernel crash. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0 <snip> RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058 R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001 R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0 FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0 Call Trace: <TASK> ? die+0x2d/0x80 ? do_trap+0xeb/0xf0 ? __list_del_entry_valid_or_report+0x77/0xc0 ? do_error_trap+0x60/0x80 ? __list_del_entry_valid_or_report+0x77/0xc0 ? exc_invalid_op+0x49/0x60 ? __list_del_entry_valid_or_report+0x77/0xc0 ? asm_exc_invalid_op+0x16/0x20 ? table_deps+0x1b0/0x1b0 [dm_mod] ? __list_del_entry_valid_or_report+0x77/0xc0 origin_postsuspend+0x1a/0x50 [dm_snapshot] dm_table_postsuspend_targets+0x34/0x50 [dm_mod] dm_suspend+0xd8/0xf0 [dm_mod] dev_suspend+0x1f2/0x2f0 [dm_mod] ? table_deps+0x1b0/0x1b0 [dm_mod] ctl_ioctl+0x300/0x5f0 [dm_mod] dm_compat_ctl_ioctl+0x7/0x10 [dm_mod] __x64_compat_sys_ioctl+0x104/0x170 do_syscall_64+0x184/0x1b0 entry_SYSCALL_64_after_hwframe+0x46/0x4e RIP: 0033:0xf7e6aead <snip> ---[ end trace 0000000000000000 ]--- Fixes: ffcc39364160 ("dm: enhance internal suspend and resume interface") Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index f964a0818ddf..469aefecfe0b 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2848,6 +2848,9 @@ static void __dm_internal_suspend(struct mapped_device *md, unsigned suspend_fla static void __dm_internal_resume(struct mapped_device *md) { + int r; + struct dm_table *map; + BUG_ON(!md->internal_suspend_count); if (--md->internal_suspend_count) @@ -2856,12 +2859,23 @@ static void __dm_internal_resume(struct mapped_device *md) if (dm_suspended_md(md)) goto done; /* resume from nested suspend */ - /* - * NOTE: existing callers don't need to call dm_table_resume_targets - * (which may fail -- so best to avoid it for now by passing NULL map) - */ - (void) __dm_resume(md, NULL); - + map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock)); + r = __dm_resume(md, map); + if (r) { + /* + * If a preresume method of some target failed, we are in a + * tricky situation. We can't return an error to the caller. We + * can't fake success because then the "resume" and + * "postsuspend" methods would not be paired correctly, and it + * would break various targets, for example it would cause list + * corruption in the "origin" target. + * + * So, we fake normal suspend here, to make sure that the + * "resume" and "postsuspend" methods will be paired correctly. + */ + DMERR("Preresume method failed: %d", r); + set_bit(DMF_SUSPENDED, &md->flags); + } done: clear_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); smp_mb__after_atomic(); -- 2.31.1

2 1

[PATCH OLK-6.6 v2 0/3] mm: convert mm's rss stats to use atomic mode
by Peng Zhang 22 Apr '24

22 Apr '24

From: ZhangPeng <zhangpeng362(a)huawei.com> Since commit f1a7941243c1 ("mm: convert mm's rss stats into percpu_counter"), the rss_stats have converted into percpu_counter, which convert the error margin from (nr_threads * 64) to approximately (nr_cpus ^ 2). However, the new percpu allocation in mm_init() causes a performance regression on fork/exec/shell. Even after commit 14ef95be6f55 ("kernel/fork: group allocation/free of per-cpu counters for mm struct"), the performance of fork/exec/shell is still poor compared to previous kernel versions. To mitigate performance regression, we delay the allocation of percpu memory for rss_stats. Therefore, we convert mm's rss stats to use percpu_counter atomic mode. For single-thread processes, rss_stat is in atomic mode, which reduces the memory consumption and performance regression caused by using percpu. For multiple-thread processes, rss_stat is switched to the percpu mode to reduce the error margin. We convert rss_stats from atomic mode to percpu mode only when the second thread is created. After lmbench test, we can get 2% ~ 4% performance improvement for lmbench fork_proc/exec_proc/shell_proc and 6.7% performance improvement for lmbench page_fault (before batch mode[1]). The test results are as follows: base base+revert base+this patch fork_proc 416.3ms 400.0ms (3.9%) 398.6ms (4.2%) exec_proc 2095.9ms 2061.1ms (1.7%) 2047.7ms (2.3%) shell_proc 3028.2ms 2954.7ms (2.4%) 2961.2ms (2.2%) page_fault 0.3603ms 0.3358ms (6.8%) 0.3361ms (6.7%) [1] https://lore.kernel.org/all/20240412064751.119015-1-wangkefeng.wang@huawei.… ChangeLog: v1->v2: - Split patch 2 into two patches. ZhangPeng (3): percpu_counter: introduce atomic mode for percpu_counter mm: convert mm's rss stats to use atomic mode mm: introduce cmdline to disable mm counter atomic mode include/linux/mm.h | 50 +++++++++++++++++++++++++++++----- include/linux/percpu_counter.h | 48 ++++++++++++++++++++++++++++++-- include/trace/events/kmem.h | 4 +-- kernel/fork.c | 46 ++++++++++++++++++++++++++++--- lib/percpu_counter.c | 35 ++++++++++++++++++++++-- 5 files changed, 165 insertions(+), 18 deletions(-) -- 2.25.1

2 4

[PATCH OLK-5.10] net/sched: flower: Fix unable to handle page fault bug in fl_init
by Zhengchao Shao 22 Apr '24

22 Apr '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9IQLI CVE: NA -------------------------------- The tmplt_reoffload function pointer is of the const type, and the value is assigned to the constant in fl_init. As a result, the following issue occurs. BUG: unable to handle page fault for address: ffffffff98715da0 PF: supervisor write access in kernel mode PF: error_code(0x0003) - permissions violation PGD ec0d067 P4D ec0d067 PUD ec0e063 PMD 800000000e0001e1 Oops: 0003 [#1] SMP PTI CPU: 20 PID: 7533 Comm: tc Kdump: loaded Not tainted 5.10.0+ #40 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:fl_init+0xcf/0x100 RSP: 0018:ffffb6e7c0fe7978 EFLAGS: 00010202 RAX: 0000000000000049 RBX: ffff99c6b3580480 RCX: 0000000000000027 RDX: 0000000000000000 RSI: ffffffff98718740 RDI: ffff99c6a359f800 RBP: ffff99c6a359f800 R08: ffff99cfdce1fe50 R09: ffffb6e7c0fe77a0 R10: ffffb6e7c0fe7798 R11: ffffffff9967d5a8 R12: ffff99c6b3580480 R13: ffffb6e7c0fe7b80 R14: 0000000000000001 R15: ffffb6e7c0fe7ab0 FS: 00007fbaef7b1800(0000) GS:ffff99cfdce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff98715da0 CR3: 000000011299c000 CR4: 00000000000006e0 Call Trace: tcf_proto_create.cold+0x66/0x9e tc_new_tfilter+0x611/0xa70 rtnetlink_rcv_msg+0x406/0x560 netlink_rcv_skb+0x64/0x180 rtnetlink_rcv+0x19/0x30 netlink_unicast_kernel+0x7b/0x180 netlink_unicast+0x13d/0x230 netlink_sendmsg+0x432/0x610 __sock_sendmsg+0xc6/0xd0 ____sys_sendmsg+0x1f5/0x380 ___sys_sendmsg+0x82/0xe Fixes: fbc634d37f5a ("net/sched: flower: Fix kabi change") Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/sched/cls_api.c | 4 ++-- net/sched/cls_flower.c | 5 +---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 7801d8c552c9..b6dd697a3d5f 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1397,8 +1397,8 @@ void tcf_block_put(struct tcf_block *block) EXPORT_SYMBOL(tcf_block_put); -void (* const tmplt_reoffload)(struct tcf_chain *chain, bool add, - flow_setup_cb_t *cb, void *cb_priv); +void (*tmplt_reoffload)(struct tcf_chain *chain, bool add, + flow_setup_cb_t *cb, void *cb_priv); EXPORT_SYMBOL(tmplt_reoffload); static void cls_tmplt_reoffload(struct tcf_chain *chain, bool add, diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 3a1c139c426e..d15729328aef 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -356,8 +356,6 @@ static int fl_init(struct tcf_proto *tp) rcu_assign_pointer(tp->root, head); idr_init(&head->handle_idr); - tmplt_reoffload = &fl_tmplt_reoffload; - return rhashtable_init(&head->ht, &mask_ht_params); } @@ -596,8 +594,6 @@ static void fl_destroy(struct tcf_proto *tp, bool rtnl_held, __module_get(THIS_MODULE); tcf_queue_work(&head->rwork, fl_destroy_sleepable); - - tmplt_reoffload = NULL; } static void fl_put(struct tcf_proto *tp, void *arg) @@ -3250,6 +3246,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = { static int __init cls_fl_init(void) { + tmplt_reoffload = &fl_tmplt_reoffload; return register_tcf_proto_ops(&cls_fl_ops); } -- 2.34.1

2 1

[PATCH OLK-6.6 0/2] mm/migrate: correct nr_failed in migrate_pages_sync()
by Liu Shixin 22 Apr '24

22 Apr '24

Correct nr_failed in migrate_pages_sync(). Zi Yan (2): mm/migrate: correct nr_failed in migrate_pages_sync() mm/migrate: add nr_split to trace_mm_migrate_pages stats. include/trace/events/migrate.h | 24 ++++++++++++++---------- mm/migrate.c | 19 +++++++++++++++---- 2 files changed, 29 insertions(+), 14 deletions(-) -- 2.25.1

2 3

[PATCH OLK-5.10] tracing/trigger: Fix to return error if failed to alloc snapshot
by Zheng Yejian 22 Apr '24

22 Apr '24

From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> stable inclusion from stable-v5.10.210 commit 56cfbe60710772916a5ba092c99542332b48e870 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HL6U CVE: CVE-2024-26920 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream. Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. Link: https://lore.kernel.org/linux-trace-kernel/170622977792.270660.278929864275… Fixes: 0bbe7f719985 ("tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation") Cc: stable(a)vger.kernel.org Cc: Vincent Donnefort <vdonnefort(a)google.com> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/trace_events_trigger.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index 3c6229f16e81..64abc66b82e5 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1140,8 +1140,10 @@ register_snapshot_trigger(char *glob, struct event_trigger_ops *ops, struct event_trigger_data *data, struct trace_event_file *file) { - if (tracing_alloc_snapshot_instance(file->tr) != 0) - return 0; + int ret = tracing_alloc_snapshot_instance(file->tr); + + if (ret < 0) + return ret; return register_trigger(glob, ops, data, file); } -- 2.25.1

2 1

[PATCH OLK-5.10] RDMA/mlx5: Fix fortify source warning while accessing Eth segment
by Ziyang Xuan 22 Apr '24

22 Apr '24

From: Leon Romanovsky <leonro(a)nvidia.com> stable inclusion from stable-v5.10.214 commit d27c48dc309da72c3b46351a1205d89687272baa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK6L CVE: CVE-2024-26907 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4d5e86a56615cc387d21c629f9af8fb0e958d350 ] ------------[ cut here ]------------ memcpy: detected field-spanning write (size 56) of single field "eseg->inline_hdr.start" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2) WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy [last unloaded: mlx_compat(OE)] CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7 RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8 R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80 FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x72/0x90 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? __warn+0x8d/0x160 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] ? report_bug+0x1bb/0x1d0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x19/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib] mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib] ipoib_send+0x2ec/0x770 [ib_ipoib] ipoib_start_xmit+0x5a0/0x770 [ib_ipoib] dev_hard_start_xmit+0x8e/0x1e0 ? validate_xmit_skb_list+0x4d/0x80 sch_direct_xmit+0x116/0x3a0 __dev_xmit_skb+0x1fd/0x580 __dev_queue_xmit+0x284/0x6b0 ? _raw_spin_unlock_irq+0xe/0x50 ? __flush_work.isra.0+0x20d/0x370 ? push_pseudo_header+0x17/0x40 [ib_ipoib] neigh_connected_output+0xcd/0x110 ip_finish_output2+0x179/0x480 ? __smp_call_single_queue+0x61/0xa0 __ip_finish_output+0xc3/0x190 ip_finish_output+0x2e/0xf0 ip_output+0x78/0x110 ? __pfx_ip_finish_output+0x10/0x10 ip_local_out+0x64/0x70 __ip_queue_xmit+0x18a/0x460 ip_queue_xmit+0x15/0x30 __tcp_transmit_skb+0x914/0x9c0 tcp_write_xmit+0x334/0x8d0 tcp_push_one+0x3c/0x60 tcp_sendmsg_locked+0x2e1/0xac0 tcp_sendmsg+0x2d/0x50 inet_sendmsg+0x43/0x90 sock_sendmsg+0x68/0x80 sock_write_iter+0x93/0x100 vfs_write+0x326/0x3c0 ksys_write+0xbd/0xf0 ? do_syscall_64+0x69/0x90 __x64_sys_write+0x19/0x30 do_syscall_64+0x59/0x90 ? do_user_addr_fault+0x1d0/0x640 ? exit_to_user_mode_prepare+0x3b/0xd0 ? irqentry_exit_to_user_mode+0x9/0x20 ? irqentry_exit+0x43/0x50 ? exc_page_fault+0x92/0x1b0 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7fc03ad14a37 Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 RSP: 002b:00007ffdf8697fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000008024 RCX: 00007fc03ad14a37 RDX: 0000000000008024 RSI: 0000556f46bd8270 RDI: 0000000000000003 RBP: 0000556f46bb1800 R08: 0000000000007fe3 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 0000556f46bc66b0 R14: 000000000000000a R15: 0000556f46bb2f50 </TASK> ---[ end trace 0000000000000000 ]--- Link: https://lore.kernel.org/r/8228ad34bd1a25047586270f7b1fb4ddcd046282.17064339… Signed-off-by: Leon Romanovsky <leonro(a)nvidia.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- drivers/infiniband/hw/mlx5/wr.c | 2 +- include/linux/mlx5/qp.h | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/wr.c b/drivers/infiniband/hw/mlx5/wr.c index d6038fb6c50c..19fd440a6ce3 100644 --- a/drivers/infiniband/hw/mlx5/wr.c +++ b/drivers/infiniband/hw/mlx5/wr.c @@ -128,7 +128,7 @@ static void set_eth_seg(const struct ib_send_wr *wr, struct mlx5_ib_qp *qp, */ copysz = min_t(u64, *cur_edge - (void *)eseg->inline_hdr.start, left); - memcpy(eseg->inline_hdr.start, pdata, copysz); + memcpy(eseg->inline_hdr.data, pdata, copysz); stride = ALIGN(sizeof(struct mlx5_wqe_eth_seg) - sizeof(eseg->inline_hdr.start) + copysz, 16); *size += stride / 16; diff --git a/include/linux/mlx5/qp.h b/include/linux/mlx5/qp.h index d75ef8aa8fac..28d44061d670 100644 --- a/include/linux/mlx5/qp.h +++ b/include/linux/mlx5/qp.h @@ -261,7 +261,10 @@ struct mlx5_wqe_eth_seg { union { struct { __be16 sz; - u8 start[2]; + union { + u8 start[2]; + DECLARE_FLEX_ARRAY(u8, data); + }; } inline_hdr; struct { __be16 type; -- 2.25.1

2 1

[PATCH OLK-5.10] net/sched: flower: Fix unable to handle page fault bug in fl_init
by Zhengchao Shao 22 Apr '24

22 Apr '24

hulk inclusion category: bugfix bugzilla: 189807 CVE: NA -------------------------------- The tmplt_reoffload function pointer is of the const type, and the value is assigned to the constant in fl_init. As a result, the following issue occurs. BUG: unable to handle page fault for address: ffffffff98715da0 PF: supervisor write access in kernel mode PF: error_code(0x0003) - permissions violation PGD ec0d067 P4D ec0d067 PUD ec0e063 PMD 800000000e0001e1 Oops: 0003 [#1] SMP PTI CPU: 20 PID: 7533 Comm: tc Kdump: loaded Not tainted 5.10.0+ #40 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:fl_init+0xcf/0x100 RSP: 0018:ffffb6e7c0fe7978 EFLAGS: 00010202 RAX: 0000000000000049 RBX: ffff99c6b3580480 RCX: 0000000000000027 RDX: 0000000000000000 RSI: ffffffff98718740 RDI: ffff99c6a359f800 RBP: ffff99c6a359f800 R08: ffff99cfdce1fe50 R09: ffffb6e7c0fe77a0 R10: ffffb6e7c0fe7798 R11: ffffffff9967d5a8 R12: ffff99c6b3580480 R13: ffffb6e7c0fe7b80 R14: 0000000000000001 R15: ffffb6e7c0fe7ab0 FS: 00007fbaef7b1800(0000) GS:ffff99cfdce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff98715da0 CR3: 000000011299c000 CR4: 00000000000006e0 Call Trace: tcf_proto_create.cold+0x66/0x9e tc_new_tfilter+0x611/0xa70 rtnetlink_rcv_msg+0x406/0x560 netlink_rcv_skb+0x64/0x180 rtnetlink_rcv+0x19/0x30 netlink_unicast_kernel+0x7b/0x180 netlink_unicast+0x13d/0x230 netlink_sendmsg+0x432/0x610 __sock_sendmsg+0xc6/0xd0 ____sys_sendmsg+0x1f5/0x380 ___sys_sendmsg+0x82/0xe Fixes: fbc634d37f5a ("net/sched: flower: Fix kabi change") Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/sched/cls_api.c | 4 ++-- net/sched/cls_flower.c | 5 +---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 7801d8c552c9..b6dd697a3d5f 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1397,8 +1397,8 @@ void tcf_block_put(struct tcf_block *block) EXPORT_SYMBOL(tcf_block_put); -void (* const tmplt_reoffload)(struct tcf_chain *chain, bool add, - flow_setup_cb_t *cb, void *cb_priv); +void (*tmplt_reoffload)(struct tcf_chain *chain, bool add, + flow_setup_cb_t *cb, void *cb_priv); EXPORT_SYMBOL(tmplt_reoffload); static void cls_tmplt_reoffload(struct tcf_chain *chain, bool add, diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 3a1c139c426e..d15729328aef 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -356,8 +356,6 @@ static int fl_init(struct tcf_proto *tp) rcu_assign_pointer(tp->root, head); idr_init(&head->handle_idr); - tmplt_reoffload = &fl_tmplt_reoffload; - return rhashtable_init(&head->ht, &mask_ht_params); } @@ -596,8 +594,6 @@ static void fl_destroy(struct tcf_proto *tp, bool rtnl_held, __module_get(THIS_MODULE); tcf_queue_work(&head->rwork, fl_destroy_sleepable); - - tmplt_reoffload = NULL; } static void fl_put(struct tcf_proto *tp, void *arg) @@ -3250,6 +3246,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = { static int __init cls_fl_init(void) { + tmplt_reoffload = &fl_tmplt_reoffload; return register_tcf_proto_ops(&cls_fl_ops); } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] tty: fix read of tty->pgrp outside of ctrl_lock
by Yi Yang 22 Apr '24

22 Apr '24

From: David Emett <dave(a)sp4m.net> mainline inclusion from mainline-v5.2-rc1 commit cf90c06f8115016fa4a94644a26a4ba093f0055e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9IPML CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The intention was clearly to use the tty_pgrp local variable rather than re-read tty->pgrp outside of ctrl_lock, so do that. This bug was introduced by commit 2812d9e9fd94 ("tty: Combine SIGTTOU/SIGTTIN handling"). Signed-off-by: David Emett <dave(a)sp4m.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/tty_jobctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c index 73fdd55c6bef..5a87f6149876 100644 --- a/drivers/tty/tty_jobctrl.c +++ b/drivers/tty/tty_jobctrl.c @@ -44,7 +44,7 @@ int __tty_check_change(struct tty_struct *tty, int sig) tty_pgrp = tty->pgrp; spin_unlock_irqrestore(&tty->ctrl_lock, flags); - if (tty_pgrp && pgrp != tty->pgrp) { + if (tty_pgrp && pgrp != tty_pgrp) { if (is_ignored(sig)) { if (sig == SIGTTIN) ret = -EIO; -- 2.25.1

2 1

[PATCH OLK-5.10] net/sched: flower: Fix unable to handle page fault bug in fl_init
by Zhengchao Shao 22 Apr '24

22 Apr '24

hulk inclusion category: bugfix bugzilla: 189807 CVE: NA -------------------------------- The tmplt_reoffload function pointer is of the const type, and the value is assigned to the constant in fl_init. As a result, the following issue occurs. BUG: unable to handle page fault for address: ffffffff98715da0 PF: supervisor write access in kernel mode PF: error_code(0x0003) - permissions violation PGD ec0d067 P4D ec0d067 PUD ec0e063 PMD 800000000e0001e1 Oops: 0003 [#1] SMP PTI CPU: 20 PID: 7533 Comm: tc Kdump: loaded Not tainted 5.10.0+ #40 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:fl_init+0xcf/0x100 RSP: 0018:ffffb6e7c0fe7978 EFLAGS: 00010202 RAX: 0000000000000049 RBX: ffff99c6b3580480 RCX: 0000000000000027 RDX: 0000000000000000 RSI: ffffffff98718740 RDI: ffff99c6a359f800 RBP: ffff99c6a359f800 R08: ffff99cfdce1fe50 R09: ffffb6e7c0fe77a0 R10: ffffb6e7c0fe7798 R11: ffffffff9967d5a8 R12: ffff99c6b3580480 R13: ffffb6e7c0fe7b80 R14: 0000000000000001 R15: ffffb6e7c0fe7ab0 FS: 00007fbaef7b1800(0000) GS:ffff99cfdce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff98715da0 CR3: 000000011299c000 CR4: 00000000000006e0 Call Trace: tcf_proto_create.cold+0x66/0x9e tc_new_tfilter+0x611/0xa70 rtnetlink_rcv_msg+0x406/0x560 netlink_rcv_skb+0x64/0x180 rtnetlink_rcv+0x19/0x30 netlink_unicast_kernel+0x7b/0x180 netlink_unicast+0x13d/0x230 netlink_sendmsg+0x432/0x610 __sock_sendmsg+0xc6/0xd0 ____sys_sendmsg+0x1f5/0x380 ___sys_sendmsg+0x82/0xe Fixes: beb4e9f0ea13 ("net/sched: flower: Fix kabi change") Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/sched/cls_api.c | 4 ++-- net/sched/cls_flower.c | 5 +---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c index 7801d8c552c9..b6dd697a3d5f 100644 --- a/net/sched/cls_api.c +++ b/net/sched/cls_api.c @@ -1397,8 +1397,8 @@ void tcf_block_put(struct tcf_block *block) EXPORT_SYMBOL(tcf_block_put); -void (* const tmplt_reoffload)(struct tcf_chain *chain, bool add, - flow_setup_cb_t *cb, void *cb_priv); +void (*tmplt_reoffload)(struct tcf_chain *chain, bool add, + flow_setup_cb_t *cb, void *cb_priv); EXPORT_SYMBOL(tmplt_reoffload); static void cls_tmplt_reoffload(struct tcf_chain *chain, bool add, diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 3a1c139c426e..d15729328aef 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -356,8 +356,6 @@ static int fl_init(struct tcf_proto *tp) rcu_assign_pointer(tp->root, head); idr_init(&head->handle_idr); - tmplt_reoffload = &fl_tmplt_reoffload; - return rhashtable_init(&head->ht, &mask_ht_params); } @@ -596,8 +594,6 @@ static void fl_destroy(struct tcf_proto *tp, bool rtnl_held, __module_get(THIS_MODULE); tcf_queue_work(&head->rwork, fl_destroy_sleepable); - - tmplt_reoffload = NULL; } static void fl_put(struct tcf_proto *tp, void *arg) @@ -3250,6 +3246,7 @@ static struct tcf_proto_ops cls_fl_ops __read_mostly = { static int __init cls_fl_init(void) { + tmplt_reoffload = &fl_tmplt_reoffload; return register_tcf_proto_ops(&cls_fl_ops); } -- 2.34.1

2 1

[PATCH OLK-6.6] media: pvrusb2: fix uaf in pvr2_context_set_notify
by Zhu Wang 22 Apr '24

22 Apr '24

From: Edward Adam Davis <eadavis(a)qq.com> mainline inclusion from mainline-v6.9-rc1 commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK8R CVE: CVE-2024-26875 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 Freed by task 906: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x105/0x340 mm/slub.c:4409 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 [Analyze] Task A set disconnect_flag = !0, which resulted in Task B's condition being met and releasing mp, leading to this issue. [Fix] Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() to avoid this issue. Reported-and-tested-by: syzbot+ce750e124675d4599449(a)syzkaller.appspotmail.com Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Zhu Wang <wangzhu9(a)huawei.com> --- drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c index 1764674de98b..e93bca93ce4c 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-context.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c @@ -267,9 +267,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) void pvr2_context_disconnect(struct pvr2_context *mp) { pvr2_hdw_disconnect(mp->hdw); - mp->disconnect_flag = !0; if (!pvr2_context_shutok()) pvr2_context_notify(mp); + mp->disconnect_flag = !0; } -- 2.34.1

2 1

[PATCH OLK-5.10] media: pvrusb2: fix uaf in pvr2_context_set_notify
by Zhu Wang 22 Apr '24

22 Apr '24

From: Edward Adam Davis <eadavis(a)qq.com> mainline inclusion from mainline-v6.9-rc1 commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK8R CVE: CVE-2024-26875 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 Freed by task 906: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x105/0x340 mm/slub.c:4409 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 [Analyze] Task A set disconnect_flag = !0, which resulted in Task B's condition being met and releasing mp, leading to this issue. [Fix] Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() to avoid this issue. Reported-and-tested-by: syzbot+ce750e124675d4599449(a)syzkaller.appspotmail.com Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Zhu Wang <wangzhu9(a)huawei.com> --- drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c index 1764674de98b..e93bca93ce4c 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-context.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c @@ -267,9 +267,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) void pvr2_context_disconnect(struct pvr2_context *mp) { pvr2_hdw_disconnect(mp->hdw); - mp->disconnect_flag = !0; if (!pvr2_context_shutok()) pvr2_context_notify(mp); + mp->disconnect_flag = !0; } -- 2.34.1

2 1

[PATCH OLK-5.10] media: pvrusb2: fix uaf in pvr2_context_set_notify
by Zhu Wang 22 Apr '24

22 Apr '24

From: Edward Adam Davis <eadavis(a)qq.com> [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 Freed by task 906: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x105/0x340 mm/slub.c:4409 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 [Analyze] Task A set disconnect_flag = !0, which resulted in Task B's condition being met and releasing mp, leading to this issue. [Fix] Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() to avoid this issue. Reported-and-tested-by: syzbot+ce750e124675d4599449(a)syzkaller.appspotmail.com Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> --- drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c index 1764674de98b..e93bca93ce4c 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-context.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c @@ -267,9 +267,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) void pvr2_context_disconnect(struct pvr2_context *mp) { pvr2_hdw_disconnect(mp->hdw); - mp->disconnect_flag = !0; if (!pvr2_context_shutok()) pvr2_context_notify(mp); + mp->disconnect_flag = !0; } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] media: pvrusb2: fix uaf in pvr2_context_set_notify
by Zhu Wang 22 Apr '24

22 Apr '24

From: Edward Adam Davis <eadavis(a)qq.com> mainline inclusion from mainline-v6.9-rc1 commit 0a0b79ea55de8514e1750884e5fec77f9fdd01ee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK8R CVE: CVE-2024-26875 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline] pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272 Freed by task 906: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x105/0x340 mm/slub.c:4409 pvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline] pvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158 [Analyze] Task A set disconnect_flag = !0, which resulted in Task B's condition being met and releasing mp, leading to this issue. [Fix] Place the disconnect_flag assignment operation after all code in pvr2_context_disconnect() to avoid this issue. Reported-and-tested-by: syzbot+ce750e124675d4599449(a)syzkaller.appspotmail.com Fixes: e5be15c63804 ("V4L/DVB (7711): pvrusb2: Fix race on module unload") Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Zhu Wang <wangzhu9(a)huawei.com> --- drivers/media/usb/pvrusb2/pvrusb2-context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/pvrusb2/pvrusb2-context.c b/drivers/media/usb/pvrusb2/pvrusb2-context.c index 9236463ba269..89897cb7d29b 100644 --- a/drivers/media/usb/pvrusb2/pvrusb2-context.c +++ b/drivers/media/usb/pvrusb2/pvrusb2-context.c @@ -276,9 +276,9 @@ static void pvr2_context_exit(struct pvr2_context *mp) void pvr2_context_disconnect(struct pvr2_context *mp) { pvr2_hdw_disconnect(mp->hdw); - mp->disconnect_flag = !0; if (!pvr2_context_shutok()) pvr2_context_notify(mp); + mp->disconnect_flag = !0; } -- 2.34.1

2 1

[PATCH OLK-5.10] wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
by Ziyang Xuan 22 Apr '24

22 Apr '24

From: Xingyuan Mo <hdthky0(a)gmail.com> stable inclusion from stable-v5.10.214 commit e1dc7aa814a95aeeb1b2c05be2b62af8423b15cc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8QF9K CVE: CVE-2023-7042 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ] We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is present before accessing it, otherwise a null pointer deference error will occur. Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") Signed-off-by: Xingyuan Mo <hdthky0(a)gmail.com> Acked-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo(a)quicinc.com> Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c index 4f2fbc610d79..0eeb74245372 100644 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c @@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb, } ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT]; + if (!ev) { + kfree(tb); + return -EPROTO; + } arg->desc_id = ev->desc_id; arg->status = ev->status; -- 2.25.1

2 1

[PATCH] LoongArch: fix boot error caused by ioremap_page_range error
by Hongchen Zhang 22 Apr '24

22 Apr '24

LoongArch inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9IJVV ------------------------------------------ use vmap_page_range to map pci address space instead of ioremap_page_range. Fixes: ae528eb14e9a ("mm: Introduce vmap_page_range() to map pages in PCI address space") Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- arch/loongarch/kernel/legacy_boot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/loongarch/kernel/legacy_boot.c b/arch/loongarch/kernel/legacy_boot.c index 35a0a118486f..29fdeb93dfd5 100644 --- a/arch/loongarch/kernel/legacy_boot.c +++ b/arch/loongarch/kernel/legacy_boot.c @@ -436,7 +436,7 @@ static int __init add_legacy_isa_io(struct fwnode_handle *fwnode, unsigned long } vaddr = (unsigned long)(PCI_IOBASE + range->io_start); - ret = ioremap_page_range(vaddr, vaddr + range->size, range->hw_start, + ret = vmap_page_range(vaddr, vaddr + range->size, range->hw_start, pgprot_device(PAGE_KERNEL)); return ret; } -- 2.33.0

1 0

[PATCH openEuler-1.0-LTS] wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
by Ziyang Xuan 22 Apr '24

22 Apr '24

From: Xingyuan Mo <hdthky0(a)gmail.com> stable inclusion from stable-v4.19.311 commit 0cd3b0a1dc987697cba1fe93c784365aa1f8a230 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8QF9K CVE: CVE-2023-7042 -------------------------------- [ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ] We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is present before accessing it, otherwise a null pointer deference error will occur. Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") Signed-off-by: Xingyuan Mo <hdthky0(a)gmail.com> Acked-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo(a)quicinc.com> Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c index cdc1e64d52ad..275ca020c4d6 100644 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c @@ -678,6 +678,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb, } ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT]; + if (!ev) { + kfree(tb); + return -EPROTO; + } arg->desc_id = ev->desc_id; arg->status = ev->status; -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS] iommu/arm-smmu-v3: fix using uninitialized or unchecked symbol
by Zhang Zekun 22 Apr '24

22 Apr '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9EEIG -------------------------------------- This commit fix the following errors in the code: 1. The arm_smmu_aux_attach_dev function returns an uncertain return value ret when all conditions are not met. In this case, the cd table is not initialized. Therefore, a new default exception value is added. 2. In arm_smmu_ecmdq_probe(), the parameter pre_addr is used in the loop but it is not initialed yet. Also, the parameter "ecmdq" is used before check if it is NULL. Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c index 98b5bce5bfc4..c341fdd00ea3 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c @@ -3584,6 +3584,9 @@ static int arm_smmu_aux_attach_dev(struct iommu_domain *domain, struct device *d dev_err(dev, "cannot attach aux domain with different parent\n"); ret = -EINVAL; goto out_unlock; + } else { + ret = -EINVAL; + goto out_unlock; } /* FIXME: serialize against arm_smmu_share_asid() */ @@ -4802,7 +4805,7 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) int ret, cpu; u32 i, nump, numq, gap; u32 reg, shift_increment; - u64 addr, smmu_dma_base; + u64 addr, smmu_dma_base, val, pre_addr; void __iomem *cp_regs, *cp_base; /* IDR6 */ @@ -4818,8 +4821,6 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) return -ENOMEM; for (i = 0; i < nump; i++) { - u64 val, pre_addr; - val = readq_relaxed(cp_regs + 32 * i); if (!(val & ECMDQ_CP_PRESET)) { iounmap(cp_regs); @@ -4859,7 +4860,6 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) struct arm_smmu_queue *q; ecmdq = *per_cpu_ptr(smmu->ecmdq, cpu); - q = &ecmdq->cmdq.q; /* * The boot option "maxcpus=" can limit the number of online @@ -4871,6 +4871,8 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) */ if (!ecmdq || (q->ecmdq_prod & ECMDQ_PROD_EN)) continue; + + q = &ecmdq->cmdq.q; ecmdq->base = cp_base + addr; q->llq.max_n_shift = ECMDQ_MAX_SZ_SHIFT + shift_increment; -- 2.17.1

2 1

[PATCH OLK-6.6] iommu/arm-smmu-v3: fix using uninitialized or unchecked symbol
by Zhang Zekun 22 Apr '24

22 Apr '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9EEIG -------------------------------------- In arm_smmu_ecmdq_probe(), the parameter pre_addr is used in the loop but it is not initialed yet. Also, the parameter "ecmdq" is used before check if it is NULL. Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c index 4b006590ae05..87f9bed391ec 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c @@ -4078,7 +4078,7 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) int ret, cpu; u32 i, nump, numq, gap; u32 reg, shift_increment; - u64 addr, smmu_dma_base; + u64 addr, smmu_dma_base, val, pre_addr; void __iomem *cp_regs, *cp_base; /* IDR6 */ @@ -4096,8 +4096,6 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) return -ENOMEM; for (i = 0; i < nump; i++) { - u64 val, pre_addr; - val = readq_relaxed(cp_regs + 32 * i); if (!(val & ECMDQ_CP_PRESET)) { iounmap(cp_regs); @@ -4137,7 +4135,6 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) struct arm_smmu_queue *q; ecmdq = *per_cpu_ptr(smmu->ecmdqs, cpu); - q = &ecmdq->cmdq.q; /* * The boot option "maxcpus=" can limit the number of online @@ -4150,6 +4147,8 @@ static int arm_smmu_ecmdq_probe(struct arm_smmu_device *smmu) */ if (!ecmdq || (ecmdq != per_cpu_ptr(smmu->ecmdq, cpu))) continue; + + q = &ecmdq->cmdq.q; ecmdq->base = cp_base + addr; q->llq.max_n_shift = ECMDQ_MAX_SZ_SHIFT + shift_increment; -- 2.17.1

2 1

[PATCH OLK-6.6] bpf: Add missing BPF_LINK_TYPE invocations
by Pu Lehui 22 Apr '24

22 Apr '24

From: Jiri Olsa <jolsa(a)kernel.org> mainline inclusion from mainline-v6.7-rc7 commit 117211aa739a926e6555cfea883be84bee6f1695 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9IMXD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Pengfei Xu reported [1] Syzkaller/KASAN issue found in bpf_link_show_fdinfo. The reason is missing BPF_LINK_TYPE invocation for uprobe multi link and for several other links, adding that. [1] https://lore.kernel.org/bpf/ZXptoKRSLspnk2ie@xpf.sh.intel.com/ Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link") Fixes: e420bed02507 ("bpf: Add fd-based tcx multi-prog infra with link support") Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs") Fixes: 35dfaad7188c ("netkit, bpf: Add bpf programmable net device") Reported-by: Pengfei Xu <pengfei.xu(a)intel.com> Signed-off-by: Jiri Olsa <jolsa(a)kernel.org> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Tested-by: Pengfei Xu <pengfei.xu(a)intel.com> Acked-by: Hou Tao <houtao1(a)huawei.com> Link: https://lore.kernel.org/bpf/20231215230502.2769743-1-jolsa@kernel.org Conflicts: include/linux/bpf_types.h Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- include/linux/bpf_types.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h index dd79463eea4e..f5cdd5a9e268 100644 --- a/include/linux/bpf_types.h +++ b/include/linux/bpf_types.h @@ -146,9 +146,12 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter) #ifdef CONFIG_NET BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns) BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp) +BPF_LINK_TYPE(BPF_LINK_TYPE_NETFILTER, netfilter) +BPF_LINK_TYPE(BPF_LINK_TYPE_TCX, tcx) #endif #ifdef CONFIG_PERF_EVENTS BPF_LINK_TYPE(BPF_LINK_TYPE_PERF_EVENT, perf) #endif BPF_LINK_TYPE(BPF_LINK_TYPE_KPROBE_MULTI, kprobe_multi) BPF_LINK_TYPE(BPF_LINK_TYPE_STRUCT_OPS, struct_ops) +BPF_LINK_TYPE(BPF_LINK_TYPE_UPROBE_MULTI, uprobe_multi) -- 2.34.1

2 1

[PATCH OLK-5.10] btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve
by Zizhi Wo 22 Apr '24

22 Apr '24

From: Filipe Manana <fdmanana(a)suse.com> stable inclusion from stable-v5.4.273 commit 2daa2a8e895e6dc2395f8628c011bcf1e019040d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK4U CVE: CVE-2024-26904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c7bb26b847e5b97814f522686068c5628e2b3646 ] At btrfs_use_block_rsv() we read the size of a block reserve without locking its spinlock, which makes KCSAN complain because the size of a block reserve is always updated while holding its spinlock. The report from KCSAN is the following: [653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs] [653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0: [653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs] [653.315606] btrfs_alloc_tree_block+0xdc/0x998 [btrfs] [653.316421] btrfs_force_cow_block+0x220/0xe38 [btrfs] [653.317242] btrfs_cow_block+0x1ac/0x568 [btrfs] [653.318060] btrfs_search_slot+0xda2/0x19b8 [btrfs] [653.318879] btrfs_del_csums+0x1dc/0x798 [btrfs] [653.319702] __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs] [653.320538] __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs] [653.321340] btrfs_run_delayed_refs+0xae/0x290 [btrfs] [653.322140] flush_space+0x5e4/0x718 [btrfs] [653.322958] btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs] [653.323781] process_one_work+0x3b6/0x838 [653.323800] worker_thread+0x75e/0xb10 [653.323817] kthread+0x21a/0x230 [653.323836] __ret_from_fork+0x6c/0xb8 [653.323855] ret_from_fork+0xa/0x30 [653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3: [653.323906] btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs] [653.324699] btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs] [653.325494] btrfs_free_extent+0x76/0x120 [btrfs] [653.326280] __btrfs_mod_ref+0x6a8/0x6b8 [btrfs] [653.327064] btrfs_dec_ref+0x50/0x70 [btrfs] [653.327849] walk_up_proc+0x236/0xa50 [btrfs] [653.328633] walk_up_tree+0x21c/0x448 [btrfs] [653.329418] btrfs_drop_snapshot+0x802/0x1328 [btrfs] [653.330205] btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs] [653.330995] cleaner_kthread+0x2b0/0x2f0 [btrfs] [653.331781] kthread+0x21a/0x230 [653.331800] __ret_from_fork+0x6c/0xb8 [653.331818] ret_from_fork+0xa/0x30 So add a helper to get the size of a block reserve while holding the lock. Reading the field while holding the lock instead of using the data_race() annotation is used in order to prevent load tearing. Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/btrfs/block-rsv.h Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/btrfs/block-rsv.c | 2 +- fs/btrfs/block-rsv.h | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/block-rsv.c b/fs/btrfs/block-rsv.c index eb41dc2f6b40..190b3355a41e 100644 --- a/fs/btrfs/block-rsv.c +++ b/fs/btrfs/block-rsv.c @@ -485,7 +485,7 @@ struct btrfs_block_rsv *btrfs_use_block_rsv(struct btrfs_trans_handle *trans, block_rsv = get_block_rsv(trans, root); - if (unlikely(block_rsv->size == 0)) + if (unlikely(btrfs_block_rsv_size(block_rsv) == 0)) goto try_reserve; again: ret = btrfs_block_rsv_use_bytes(block_rsv, blocksize); diff --git a/fs/btrfs/block-rsv.h b/fs/btrfs/block-rsv.h index 0b6ae5302837..6c8f07e2794d 100644 --- a/fs/btrfs/block-rsv.h +++ b/fs/btrfs/block-rsv.h @@ -90,4 +90,20 @@ static inline void btrfs_unuse_block_rsv(struct btrfs_fs_info *fs_info, btrfs_block_rsv_release(fs_info, block_rsv, 0, NULL); } +/* + * Get the size of a block reserve in a context where getting a stale value is + * acceptable, instead of accessing it directly and trigger data race warning + * from KCSAN. + */ +static inline u64 btrfs_block_rsv_size(struct btrfs_block_rsv *rsv) +{ + u64 ret; + + spin_lock(&rsv->lock); + ret = rsv->size; + spin_unlock(&rsv->lock); + + return ret; +} + #endif /* BTRFS_BLOCK_RSV_H */ -- 2.39.2

2 1

[PATCH OLK-6.6] btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve
by Zizhi Wo 22 Apr '24

22 Apr '24

From: Filipe Manana <fdmanana(a)suse.com> stable inclusion from stable-v6.6.23 commit f6d4d29a12655b42a13cec038c2902bb7efc50ed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK4U CVE: CVE-2024-26904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c7bb26b847e5b97814f522686068c5628e2b3646 ] At btrfs_use_block_rsv() we read the size of a block reserve without locking its spinlock, which makes KCSAN complain because the size of a block reserve is always updated while holding its spinlock. The report from KCSAN is the following: [653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs] [653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0: [653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs] [653.315606] btrfs_alloc_tree_block+0xdc/0x998 [btrfs] [653.316421] btrfs_force_cow_block+0x220/0xe38 [btrfs] [653.317242] btrfs_cow_block+0x1ac/0x568 [btrfs] [653.318060] btrfs_search_slot+0xda2/0x19b8 [btrfs] [653.318879] btrfs_del_csums+0x1dc/0x798 [btrfs] [653.319702] __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs] [653.320538] __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs] [653.321340] btrfs_run_delayed_refs+0xae/0x290 [btrfs] [653.322140] flush_space+0x5e4/0x718 [btrfs] [653.322958] btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs] [653.323781] process_one_work+0x3b6/0x838 [653.323800] worker_thread+0x75e/0xb10 [653.323817] kthread+0x21a/0x230 [653.323836] __ret_from_fork+0x6c/0xb8 [653.323855] ret_from_fork+0xa/0x30 [653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3: [653.323906] btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs] [653.324699] btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs] [653.325494] btrfs_free_extent+0x76/0x120 [btrfs] [653.326280] __btrfs_mod_ref+0x6a8/0x6b8 [btrfs] [653.327064] btrfs_dec_ref+0x50/0x70 [btrfs] [653.327849] walk_up_proc+0x236/0xa50 [btrfs] [653.328633] walk_up_tree+0x21c/0x448 [btrfs] [653.329418] btrfs_drop_snapshot+0x802/0x1328 [btrfs] [653.330205] btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs] [653.330995] cleaner_kthread+0x2b0/0x2f0 [btrfs] [653.331781] kthread+0x21a/0x230 [653.331800] __ret_from_fork+0x6c/0xb8 [653.331818] ret_from_fork+0xa/0x30 So add a helper to get the size of a block reserve while holding the lock. Reading the field while holding the lock instead of using the data_race() annotation is used in order to prevent load tearing. Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/btrfs/block-rsv.h Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/btrfs/block-rsv.c | 2 +- fs/btrfs/block-rsv.h | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/block-rsv.c b/fs/btrfs/block-rsv.c index 77684c5e0c8b..db8da4e7b228 100644 --- a/fs/btrfs/block-rsv.c +++ b/fs/btrfs/block-rsv.c @@ -486,7 +486,7 @@ struct btrfs_block_rsv *btrfs_use_block_rsv(struct btrfs_trans_handle *trans, block_rsv = get_block_rsv(trans, root); - if (unlikely(block_rsv->size == 0)) + if (unlikely(btrfs_block_rsv_size(block_rsv) == 0)) goto try_reserve; again: ret = btrfs_block_rsv_use_bytes(block_rsv, blocksize); diff --git a/fs/btrfs/block-rsv.h b/fs/btrfs/block-rsv.h index b0bd12b8652f..7e13579f182d 100644 --- a/fs/btrfs/block-rsv.h +++ b/fs/btrfs/block-rsv.h @@ -101,4 +101,20 @@ static inline bool btrfs_block_rsv_full(const struct btrfs_block_rsv *rsv) return data_race(rsv->full); } +/* + * Get the size of a block reserve in a context where getting a stale value is + * acceptable, instead of accessing it directly and trigger data race warning + * from KCSAN. + */ +static inline u64 btrfs_block_rsv_size(struct btrfs_block_rsv *rsv) +{ + u64 ret; + + spin_lock(&rsv->lock); + ret = rsv->size; + spin_unlock(&rsv->lock); + + return ret; +} + #endif /* BTRFS_BLOCK_RSV_H */ -- 2.39.2

2 1

[PATCH OLK-5.10] wifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces
by Zhengchao Shao 22 Apr '24

22 Apr '24

From: Alexis Lothoré <alexis.lothore(a)bootlin.com> stable inclusion from stable-v5.10.214 commit 5956f4203b6cdd0755bbdd21b45f3933c7026208 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKEH CVE: CVE-2024-26895 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit cb5942b77c05d54310a0420cac12935e9b6aa21c ] wilc_netdev_cleanup currently triggers a KASAN warning, which can be observed on interface registration error path, or simply by removing the module/unbinding device from driver: echo spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind ================================================================== BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc Read of size 4 at addr c54d1ce8 by task sh/86 CPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117 Hardware name: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x58 dump_stack_lvl from print_report+0x154/0x500 print_report from kasan_report+0xac/0xd8 kasan_report from wilc_netdev_cleanup+0x508/0x5cc wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec wilc_bus_remove from spi_remove+0x8c/0xac spi_remove from device_release_driver_internal+0x434/0x5f8 device_release_driver_internal from unbind_store+0xbc/0x108 unbind_store from kernfs_fop_write_iter+0x398/0x584 kernfs_fop_write_iter from vfs_write+0x728/0xf88 vfs_write from ksys_write+0x110/0x1e4 ksys_write from ret_fast_syscall+0x0/0x1c [...] Allocated by task 1: kasan_save_track+0x30/0x5c __kasan_kmalloc+0x8c/0x94 __kmalloc_node+0x1cc/0x3e4 kvmalloc_node+0x48/0x180 alloc_netdev_mqs+0x68/0x11dc alloc_etherdev_mqs+0x28/0x34 wilc_netdev_ifc_init+0x34/0x8ec wilc_cfg80211_init+0x690/0x910 wilc_bus_probe+0xe0/0x4a0 spi_probe+0x158/0x1b0 really_probe+0x270/0xdf4 __driver_probe_device+0x1dc/0x580 driver_probe_device+0x60/0x140 __driver_attach+0x228/0x5d4 bus_for_each_dev+0x13c/0x1a8 bus_add_driver+0x2a0/0x608 driver_register+0x24c/0x578 do_one_initcall+0x180/0x310 kernel_init_freeable+0x424/0x484 kernel_init+0x20/0x148 ret_from_fork+0x14/0x28 Freed by task 86: kasan_save_track+0x30/0x5c kasan_save_free_info+0x38/0x58 __kasan_slab_free+0xe4/0x140 kfree+0xb0/0x238 device_release+0xc0/0x2a8 kobject_put+0x1d4/0x46c netdev_run_todo+0x8fc/0x11d0 wilc_netdev_cleanup+0x1e4/0x5cc wilc_bus_remove+0xc8/0xec spi_remove+0x8c/0xac device_release_driver_internal+0x434/0x5f8 unbind_store+0xbc/0x108 kernfs_fop_write_iter+0x398/0x584 vfs_write+0x728/0xf88 ksys_write+0x110/0x1e4 ret_fast_syscall+0x0/0x1c [...] David Mosberger-Tan initial investigation [1] showed that this use-after-free is due to netdevice unregistration during vif list traversal. When unregistering a net device, since the needs_free_netdev has been set to true during registration, the netdevice object is also freed, and as a consequence, the corresponding vif object too, since it is attached to it as private netdevice data. The next occurrence of the loop then tries to access freed vif pointer to the list to move forward in the list. Fix this use-after-free thanks to two mechanisms: - navigate in the list with list_for_each_entry_safe, which allows to safely modify the list as we go through each element. For each element, remove it from the list with list_del_rcu - make sure to wait for RCU grace period end after each vif removal to make sure it is safe to free the corresponding vif too (through unregister_netdev) Since we are in a RCU "modifier" path (not a "reader" path), and because such path is expected not to be concurrent to any other modifier (we are using the vif_mutex lock), we do not need to use RCU list API, that's why we can benefit from list_for_each_entry_safe. [1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af9… Fixes: 8399918f3056 ("staging: wilc1000: use RCU list to maintain vif interfaces list") Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://msgid.link/20240212-wilc_rework_deinit-v1-1-9203ae56c27f@bootlin.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/wireless/microchip/wilc1000/netdev.c Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- .../net/wireless/microchip/wilc1000/netdev.c | 28 +++++-------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c index c508f429984a..2c92bf257b00 100644 --- a/drivers/net/wireless/microchip/wilc1000/netdev.c +++ b/drivers/net/wireless/microchip/wilc1000/netdev.c @@ -821,8 +821,7 @@ static const struct net_device_ops wilc_netdev_ops = { void wilc_netdev_cleanup(struct wilc *wilc) { - struct wilc_vif *vif; - int srcu_idx, ifc_cnt = 0; + struct wilc_vif *vif, *vif_tmp; if (!wilc) return; @@ -832,33 +831,20 @@ void wilc_netdev_cleanup(struct wilc *wilc) wilc->firmware = NULL; } - srcu_idx = srcu_read_lock(&wilc->srcu); - list_for_each_entry_rcu(vif, &wilc->vif_list, list) { + list_for_each_entry_safe(vif, vif_tmp, &wilc->vif_list, list) { + mutex_lock(&wilc->vif_mutex); + list_del_rcu(&vif->list); + wilc->vif_num--; + mutex_unlock(&wilc->vif_mutex); + synchronize_srcu(&wilc->srcu); if (vif->ndev) unregister_netdev(vif->ndev); } - srcu_read_unlock(&wilc->srcu, srcu_idx); wilc_wfi_deinit_mon_interface(wilc, false); flush_workqueue(wilc->hif_workqueue); destroy_workqueue(wilc->hif_workqueue); - while (ifc_cnt < WILC_NUM_CONCURRENT_IFC) { - mutex_lock(&wilc->vif_mutex); - if (wilc->vif_num <= 0) { - mutex_unlock(&wilc->vif_mutex); - break; - } - vif = wilc_get_wl_to_vif(wilc); - if (!IS_ERR(vif)) - list_del_rcu(&vif->list); - - wilc->vif_num--; - mutex_unlock(&wilc->vif_mutex); - synchronize_srcu(&wilc->srcu); - ifc_cnt++; - } - wilc_wlan_cfg_deinit(wilc); wlan_deinit_locks(wilc); kfree(wilc->bus_data); -- 2.34.1

2 1

[PATCH OLK-6.6] f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
by Yifan Qiao 22 Apr '24

22 Apr '24

From: Wenjie Qi <qwjhust(a)gmail.com> mainline inclusion from mainline-v6.9-rc1 commit c2034ef6192a65a986a45c2aa2ed05824fdc0e9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HKBD CVE: CVE-2024-26871 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- BUG: kernel NULL pointer dereference, address: 0000000000000014 RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? __die+0x29/0x70 ? page_fault_oops+0x154/0x4a0 ? prb_read_valid+0x20/0x30 ? __irq_work_queue_local+0x39/0xd0 ? irq_work_queue+0x36/0x70 ? do_user_addr_fault+0x314/0x6c0 ? exc_page_fault+0x7d/0x190 ? asm_exc_page_fault+0x2b/0x30 ? f2fs_submit_page_write+0x6cf/0x780 [f2fs] ? f2fs_submit_page_write+0x736/0x780 [f2fs] do_write_page+0x50/0x170 [f2fs] f2fs_outplace_write_data+0x61/0xb0 [f2fs] f2fs_do_write_data_page+0x3f8/0x660 [f2fs] f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs] f2fs_write_cache_pages+0x3da/0xbe0 [f2fs] ... It is possible that other threads have added this fio to io->bio and submitted the io->bio before entering f2fs_submit_page_write(). At this point io->bio = NULL. If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true, then an NULL pointer dereference error occurs at bio_get(io->bio). The original code for determining zone end was after "out:", which would have missed some fio who is zone end. I've moved this code before "skip:" to make sure it's done for each fio. Fixes: e067dc3c6b9c ("f2fs: maintain six open zones for zoned devices") Signed-off-by: Wenjie Qi <qwjhust(a)gmail.com> Reviewed-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/f2fs/data.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c index f5f33926acf8..8ab19498dcd7 100644 --- a/fs/f2fs/data.c +++ b/fs/f2fs/data.c @@ -1080,10 +1080,6 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio) io->last_block_in_bio = fio->new_blkaddr; trace_f2fs_submit_page_write(fio->page, fio); -skip: - if (fio->in_list) - goto next; -out: #ifdef CONFIG_BLK_DEV_ZONED if (f2fs_sb_has_blkzoned(sbi) && btype < META && is_end_zone_blkaddr(sbi, fio->new_blkaddr)) { @@ -1096,6 +1092,10 @@ void f2fs_submit_page_write(struct f2fs_io_info *fio) __submit_merged_bio(io); } #endif +skip: + if (fio->in_list) + goto next; +out: if (is_sbi_flag_set(sbi, SBI_IS_SHUTDOWN) || !f2fs_is_checkpoint_ready(sbi)) __submit_merged_bio(io); -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] btrfs: fix data race at btrfs_use_block_rsv() when accessing block reserve
by Zizhi Wo 22 Apr '24

22 Apr '24

From: Filipe Manana <fdmanana(a)suse.com> stable inclusion from stable-v5.4.273 commit 2daa2a8e895e6dc2395f8628c011bcf1e019040d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK4U CVE: CVE-2024-26904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c7bb26b847e5b97814f522686068c5628e2b3646 ] At btrfs_use_block_rsv() we read the size of a block reserve without locking its spinlock, which makes KCSAN complain because the size of a block reserve is always updated while holding its spinlock. The report from KCSAN is the following: [653.313148] BUG: KCSAN: data-race in btrfs_update_delayed_refs_rsv [btrfs] / btrfs_use_block_rsv [btrfs] [653.314755] read to 0x000000017f5871b8 of 8 bytes by task 7519 on cpu 0: [653.314779] btrfs_use_block_rsv+0xe4/0x2f8 [btrfs] [653.315606] btrfs_alloc_tree_block+0xdc/0x998 [btrfs] [653.316421] btrfs_force_cow_block+0x220/0xe38 [btrfs] [653.317242] btrfs_cow_block+0x1ac/0x568 [btrfs] [653.318060] btrfs_search_slot+0xda2/0x19b8 [btrfs] [653.318879] btrfs_del_csums+0x1dc/0x798 [btrfs] [653.319702] __btrfs_free_extent.isra.0+0xc24/0x2028 [btrfs] [653.320538] __btrfs_run_delayed_refs+0xd3c/0x2390 [btrfs] [653.321340] btrfs_run_delayed_refs+0xae/0x290 [btrfs] [653.322140] flush_space+0x5e4/0x718 [btrfs] [653.322958] btrfs_preempt_reclaim_metadata_space+0x102/0x2f8 [btrfs] [653.323781] process_one_work+0x3b6/0x838 [653.323800] worker_thread+0x75e/0xb10 [653.323817] kthread+0x21a/0x230 [653.323836] __ret_from_fork+0x6c/0xb8 [653.323855] ret_from_fork+0xa/0x30 [653.323887] write to 0x000000017f5871b8 of 8 bytes by task 576 on cpu 3: [653.323906] btrfs_update_delayed_refs_rsv+0x1a4/0x250 [btrfs] [653.324699] btrfs_add_delayed_data_ref+0x468/0x6d8 [btrfs] [653.325494] btrfs_free_extent+0x76/0x120 [btrfs] [653.326280] __btrfs_mod_ref+0x6a8/0x6b8 [btrfs] [653.327064] btrfs_dec_ref+0x50/0x70 [btrfs] [653.327849] walk_up_proc+0x236/0xa50 [btrfs] [653.328633] walk_up_tree+0x21c/0x448 [btrfs] [653.329418] btrfs_drop_snapshot+0x802/0x1328 [btrfs] [653.330205] btrfs_clean_one_deleted_snapshot+0x184/0x238 [btrfs] [653.330995] cleaner_kthread+0x2b0/0x2f0 [btrfs] [653.331781] kthread+0x21a/0x230 [653.331800] __ret_from_fork+0x6c/0xb8 [653.331818] ret_from_fork+0xa/0x30 So add a helper to get the size of a block reserve while holding the lock. Reading the field while holding the lock instead of using the data_race() annotation is used in order to prevent load tearing. Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/btrfs/ctree.h fs/btrfs/extent-tree.c Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/btrfs/ctree.h | 16 ++++++++++++++++ fs/btrfs/extent-tree.c | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h index 3d8c699e44ea..abe1e1242d7b 100644 --- a/fs/btrfs/ctree.h +++ b/fs/btrfs/ctree.h @@ -2815,6 +2815,22 @@ u64 add_new_free_space(struct btrfs_block_group_cache *block_group, u64 start, u64 end); void btrfs_mark_bg_unused(struct btrfs_block_group_cache *bg); +/* + * Get the size of a block reserve in a context where getting a stale value is + * acceptable, instead of accessing it directly and trigger data race warning + * from KCSAN. + */ +static inline u64 btrfs_block_rsv_size(struct btrfs_block_rsv *rsv) +{ + u64 ret; + + spin_lock(&rsv->lock); + ret = rsv->size; + spin_unlock(&rsv->lock); + + return ret; +} + /* ctree.c */ int btrfs_bin_search(struct extent_buffer *eb, const struct btrfs_key *key, int level, int *slot); diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index dcbb76b62a0b..e579e19ebd4b 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -8188,7 +8188,7 @@ use_block_rsv(struct btrfs_trans_handle *trans, block_rsv = get_block_rsv(trans, root); - if (unlikely(block_rsv->size == 0)) + if (unlikely(btrfs_block_rsv_size(block_rsv) == 0)) goto try_reserve; again: ret = block_rsv_use_bytes(block_rsv, blocksize); -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] tracing/trigger: Fix to return error if failed to alloc snapshot
by Zheng Yejian 22 Apr '24

22 Apr '24

From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> stable inclusion from stable-v4.19.307 commit bcf4a115a5068f3331fafb8c176c1af0da3d8b19 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HL6U CVE: CVE-2024-26920 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream. Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. Link: https://lore.kernel.org/linux-trace-kernel/170622977792.270660.278929864275… Fixes: 0bbe7f719985 ("tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation") Cc: stable(a)vger.kernel.org Cc: Vincent Donnefort <vdonnefort(a)google.com> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/trace_events_trigger.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index 4288f4240fee..697cc52cc37e 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1074,8 +1074,10 @@ register_snapshot_trigger(char *glob, struct event_trigger_ops *ops, struct event_trigger_data *data, struct trace_event_file *file) { - if (tracing_alloc_snapshot_instance(file->tr) != 0) - return 0; + int ret = tracing_alloc_snapshot_instance(file->tr); + + if (ret < 0) + return ret; return register_trigger(glob, ops, data, file); } -- 2.25.1

2 1

[PATCH OLK-6.6] nfs: fix panic when nfs4_ff_layout_prepare_ds() fails
by Zhihao Cheng 22 Apr '24

22 Apr '24

From: Josef Bacik <josef(a)toxicpanda.com> mainline inclusion from mainline-v6.9-rc1 commit 719fcafe07c12646691bd62d7f8d94d657fa0766 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HK3B CVE: CVE-2024-26868 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- We've been seeing the following panic in production BUG: kernel NULL pointer dereference, address: 0000000000000065 PGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0 RIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] Call Trace: <TASK> ? __die+0x78/0xc0 ? page_fault_oops+0x286/0x380 ? __rpc_execute+0x2c3/0x470 [sunrpc] ? rpc_new_task+0x42/0x1c0 [sunrpc] ? exc_page_fault+0x5d/0x110 ? asm_exc_page_fault+0x22/0x30 ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles] ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles] pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4] pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4] ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles] nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles] ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles] __nfs_pageio_add_request+0x154/0x6c0 [nfs] nfs_pageio_add_request+0x26b/0x380 [nfs] nfs_do_writepage+0x111/0x1e0 [nfs] nfs_writepages_callback+0xf/0x30 [nfs] write_cache_pages+0x17f/0x380 ? nfs_pageio_init_write+0x50/0x50 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] ? nfs_writepages+0x6d/0x210 [nfs] nfs_writepages+0x125/0x210 [nfs] do_writepages+0x67/0x220 ? generic_perform_write+0x14b/0x210 filemap_fdatawrite_wbc+0x5b/0x80 file_write_and_wait_range+0x6d/0xc0 nfs_file_fsync+0x81/0x170 [nfs] ? nfs_file_mmap+0x60/0x60 [nfs] __x64_sys_fsync+0x53/0x90 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Inspecting the core with drgn I was able to pull this >>> prog.crashed_thread().stack_trace()[0] #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27 >>> prog.crashed_thread().stack_trace()[0]['idx'] (u32)1 >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds (struct nfs4_ff_layout_ds *)0xffffffffffffffed This is clear from the stack trace, we call nfs4_ff_layout_prepare_ds() which could error out initializing the mirror_ds, and then we go to clean it all up and our check is only for if (!mirror->mirror_ds). This is inconsistent with the rest of the users of mirror_ds, which have if (IS_ERR_OR_NULL(mirror_ds)) to keep from tripping over this exact scenario. Fix this up in ff_layout_cancel_io() to make sure we don't panic when we get an error. I also spot checked all the other instances of checking mirror_ds and we appear to be doing the correct checks everywhere, only unconditionally dereferencing mirror_ds when we know it would be valid. Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Fixes: b739a5bd9d9f ("NFSv4/flexfiles: Cancel I/O if the layout is recalled or revoked") Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- fs/nfs/flexfilelayout/flexfilelayout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c index ef817a0475ff..3e724cb7ef01 100644 --- a/fs/nfs/flexfilelayout/flexfilelayout.c +++ b/fs/nfs/flexfilelayout/flexfilelayout.c @@ -2016,7 +2016,7 @@ static void ff_layout_cancel_io(struct pnfs_layout_segment *lseg) for (idx = 0; idx < flseg->mirror_array_cnt; idx++) { mirror = flseg->mirror_array[idx]; mirror_ds = mirror->mirror_ds; - if (!mirror_ds) + if (IS_ERR_OR_NULL(mirror_ds)) continue; ds = mirror->mirror_ds->ds; if (!ds) -- 2.31.1

2 1

[PATCH OLK-5.10] tracing/trigger: Fix to return error if failed to alloc snapshot
by Zheng Yejian 22 Apr '24

22 Apr '24

From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> stable inclusion from stable-v5.10.210 commit 56cfbe60710772916a5ba092c99542332b48e870 category: bugfix bugzilla: 189268 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 0958b33ef5a04ed91f61cef4760ac412080c4e08 upstream. Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. Link: https://lore.kernel.org/linux-trace-kernel/170622977792.270660.278929864275… Fixes: 0bbe7f719985 ("tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation") Cc: stable(a)vger.kernel.org Cc: Vincent Donnefort <vdonnefort(a)google.com> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- kernel/trace/trace_events_trigger.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c index 3c6229f16e81..64abc66b82e5 100644 --- a/kernel/trace/trace_events_trigger.c +++ b/kernel/trace/trace_events_trigger.c @@ -1140,8 +1140,10 @@ register_snapshot_trigger(char *glob, struct event_trigger_ops *ops, struct event_trigger_data *data, struct trace_event_file *file) { - if (tracing_alloc_snapshot_instance(file->tr) != 0) - return 0; + int ret = tracing_alloc_snapshot_instance(file->tr); + + if (ret < 0) + return ret; return register_trigger(glob, ops, data, file); } -- 2.25.1

2 1