- Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10 3233/3233] arch/x86/kvm/x86.c:8661:5: warning: no previous prototype for '__kvm_vcpu_halt'
by kernel test robot 16 Oct '25

16 Oct '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 55f16e7a2a3e273da30ccadd01b074c054ceb6fe commit: c499a3120204c834ff963c43d90a5ff33194b34c [3233/3233] KVM: SVM: Add support for booting APs in an SEV-ES guest config: x86_64-randconfig-161-20251016 (https://download.01.org/0day-ci/archive/20251016/202510161956.PnDe2iFY-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251016/202510161956.PnDe2iFY-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510161956.PnDe2iFY-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/x86/kvm/x86.c:809:5: warning: no previous prototype for 'kvm_read_guest_page_mmu' [-Wmissing-prototypes] 809 | int kvm_read_guest_page_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, | ^~~~~~~~~~~~~~~~~~~~~~~ >> arch/x86/kvm/x86.c:8661:5: warning: no previous prototype for '__kvm_vcpu_halt' [-Wmissing-prototypes] 8661 | int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason) | ^~~~~~~~~~~~~~~ vim +/__kvm_vcpu_halt +8661 arch/x86/kvm/x86.c 8660 > 8661 int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason) 8662 { 8663 ++vcpu->stat.halt_exits; 8664 if (lapic_in_kernel(vcpu)) { 8665 vcpu->arch.mp_state = state; 8666 return 1; 8667 } else { 8668 vcpu->run->exit_reason = reason; 8669 return 0; 8670 } 8671 } 8672 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
by Zicheng Qu 16 Oct '25

16 Oct '25

From: Oleg Nesterov <oleg(a)redhat.com> mainline inclusion from mainline-v6.18-rc1 commit a15f37a40145c986cdf289a4b88390f35efdecc4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ID25DZ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable. Link: https://lkml.kernel.org/r/20250915120917.GA27702@redhat.com Fixes: 18c91bb2d872 ("prlimit: do not grab the tasklist_lock") Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- kernel/sys.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 355de0b65c23..47cb10a16b00 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1689,6 +1689,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, struct rlimit old, new; struct task_struct *tsk; unsigned int checkflags = 0; + bool need_tasklist; int ret; if (old_rlim) @@ -1715,8 +1716,25 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, get_task_struct(tsk); rcu_read_unlock(); - ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, - old_rlim ? &old : NULL); + need_tasklist = !same_thread_group(tsk, current); + if (need_tasklist) { + /* + * Ensure we can't race with group exit or de_thread(), + * so tsk->group_leader can't be freed or changed until + * read_unlock(tasklist_lock) below. + */ + read_lock(&tasklist_lock); + if (!pid_alive(tsk)) + ret = -ESRCH; + } + + if (!ret) { + ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, + old_rlim ? &old : NULL); + } + + if (need_tasklist) + read_unlock(&tasklist_lock); if (!ret && old_rlim) { rlim_to_rlim64(&old, &old64); -- 2.34.1

2 1

[PATCH OLK-6.6] Bluetooth: btrtl: Prevent potential NULL dereference
by Xiaomeng Zhang 16 Oct '25

16 Oct '25

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v6.6.88 commit 3db6605043b50c8bb768547b23e0222f67ceef3e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BMX CVE: CVE-2025-37792 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ] The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/bluetooth/btrtl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index 1e7c1f9db9e4..7f67e460f7f4 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -1194,6 +1194,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, rtl_dev_err(hdev, "mandatory config file %s not found", btrtl_dev->ic_info->cfg_name); ret = btrtl_dev->cfg_len; + if (!ret) + ret = -EINVAL; goto err_free; } } -- 2.34.1

2 1

[PATCH OLK-5.10] Bluetooth: btrtl: Prevent potential NULL dereference
by Xiaomeng Zhang 16 Oct '25

16 Oct '25

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v5.10.237 commit 73dc99c0ea94abd22379b2d82cacbc73f3e18ec1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BMX CVE: CVE-2025-37792 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ] The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/bluetooth/btrtl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index 3a9afc905f24..77de43d8d796 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -625,6 +625,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, rtl_dev_err(hdev, "mandatory config file %s not found", btrtl_dev->ic_info->cfg_name); ret = btrtl_dev->cfg_len; + if (!ret) + ret = -EINVAL; goto err_free; } } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] scsi: qla4xxx: Add length check when parsing nlattrs
by Pu Lehui 16 Oct '25

16 Oct '25

From: Lin Ma <linma(a)zju.edu.cn> stable inclusion from stable-v4.19.295 commit 5925e224cc6edfef57b20447f18323208461309b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0REH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] There are three places that qla4xxx parses nlattrs: - qla4xxx_set_chap_entry() - qla4xxx_iface_set_param() - qla4xxx_sysfs_ddb_set_param() and each of them directly converts the nlattr to specific pointer of structure without length checking. This could be dangerous as those attributes are not validated and a malformed nlattr (e.g., length 0) could result in an OOB read that leaks heap dirty data. Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries") Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support") Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") Signed-off-by: Lin Ma <linma(a)zju.edu.cn> Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn Reviewed-by: Chris Leech <cleech(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/scsi/qla4xxx/ql4_os.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c index f8acf101af3d..8d42f20ba7e5 100644 --- a/drivers/scsi/qla4xxx/ql4_os.c +++ b/drivers/scsi/qla4xxx/ql4_os.c @@ -940,6 +940,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len) memset(&chap_rec, 0, sizeof(chap_rec)); nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*param_info)) { + rc = -EINVAL; + goto exit_set_chap; + } + param_info = nla_data(attr); switch (param_info->param) { @@ -2724,6 +2729,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len) } nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*iface_param)) { + rval = -EINVAL; + goto exit_init_fw_cb; + } + iface_param = nla_data(attr); if (iface_param->param_type == ISCSI_NET_PARAM) { @@ -8098,6 +8108,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess, memset((void *)&chap_tbl, 0, sizeof(chap_tbl)); nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*fnode_param)) { + rc = -EINVAL; + goto exit_set_param; + } + fnode_param = nla_data(attr); switch (fnode_param->param) { -- 2.34.1

2 1

[PATCH OLK-5.10] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25

16 Oct '25

From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index 4d2fbe1429b6..e6996428c07d 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c @@ -2637,7 +2637,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.46.1

2 1

[PATCH openEuler-1.0-LTS] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25

16 Oct '25

From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index f6b1549f4142..1fd4a9ed4c61 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c @@ -2345,7 +2345,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.31.1

2 1

[PATCH OLK-6.6] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25

16 Oct '25

From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index 9a88774836c9..eddcfd09c05b 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c @@ -2738,7 +2738,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.46.1

2 1

[PATCH openEuler-1.0-LTS] ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
by Tengda Wu 16 Oct '25

16 Oct '25

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from stable-v4.19.264 commit ee8bf0946f62ef00e5db4b613a9f664ac567259a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0RAE CVE: CVE-2022-50427 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4881bda5ea05c8c240fc8afeaa928e2bc43f61fa ] If device_register() fails in snd_ac97_dev_register(), it should call put_device() to give up reference, or the name allocated in dev_set_name() is leaked. Fixes: 0ca06a00e206 ("[ALSA] AC97 bus interface for ad-hoc drivers") Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Link: https://lore.kernel.org/r/20221019093025.1179475-1-yangyingliang@huawei.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- sound/pci/ac97/ac97_codec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c index 27b468f057dd..fee9ffecd584 100644 --- a/sound/pci/ac97/ac97_codec.c +++ b/sound/pci/ac97/ac97_codec.c @@ -1965,6 +1965,7 @@ static int snd_ac97_dev_register(struct snd_device *device) snd_ac97_get_short_name(ac97)); if ((err = device_register(&ac97->dev)) < 0) { ac97_err(ac97, "Can't register ac97 bus\n"); + put_device(&ac97->dev); ac97->dev.bus = NULL; return err; } -- 2.34.1

2 1

[openeuler:OLK-6.6 2972/2972] mm/memcontrol.c:8068:35: sparse: sparse: incorrect type in initializer (incompatible argument 3 (different address spaces))
by kernel test robot 16 Oct '25

16 Oct '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: f974d7dec2997dfe2d417f1c9cc0e2a6adb2d25c commit: 65b18684d289783f92db2eb97d60bf24c9200cf7 [2972/2972] memcg: introduce memcg swap qos feature config: x86_64-randconfig-r121-20251016 (https://download.01.org/0day-ci/archive/20251016/202510160946.S2au7i5E-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251016/202510160946.S2au7i5E-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510160946.S2au7i5E-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) mm/memcontrol.c:4255:50: sparse: sparse: incorrect type in argument 3 (different address spaces) @@ expected void * @@ got void [noderef] __user *buffer @@ mm/memcontrol.c:4255:50: sparse: expected void * mm/memcontrol.c:4255:50: sparse: got void [noderef] __user *buffer mm/memcontrol.c:4516:21: sparse: sparse: incompatible types in comparison expression (different address spaces): mm/memcontrol.c:4516:21: sparse: struct mem_cgroup_threshold_ary [noderef] __rcu * mm/memcontrol.c:4516:21: sparse: struct mem_cgroup_threshold_ary * mm/memcontrol.c:4518:21: sparse: sparse: incompatible types in comparison expression (different address spaces): mm/memcontrol.c:4518:21: sparse: struct mem_cgroup_threshold_ary [noderef] __rcu * mm/memcontrol.c:4518:21: sparse: struct mem_cgroup_threshold_ary * mm/memcontrol.c:4674:9: sparse: sparse: incompatible types in comparison expression (different address spaces): mm/memcontrol.c:4674:9: sparse: struct mem_cgroup_threshold_ary [noderef] __rcu * mm/memcontrol.c:4674:9: sparse: struct mem_cgroup_threshold_ary * mm/memcontrol.c:4768:9: sparse: sparse: incompatible types in comparison expression (different address spaces): mm/memcontrol.c:4768:9: sparse: struct mem_cgroup_threshold_ary [noderef] __rcu * mm/memcontrol.c:4768:9: sparse: struct mem_cgroup_threshold_ary * mm/memcontrol.c:6811:23: sparse: sparse: incompatible types in comparison expression (different address spaces): mm/memcontrol.c:6811:23: sparse: struct task_struct [noderef] __rcu * mm/memcontrol.c:6811:23: sparse: struct task_struct * mm/memcontrol.c:7028:52: sparse: sparse: incompatible types in comparison expression (different address spaces): mm/memcontrol.c:7028:52: sparse: struct task_struct [noderef] __rcu * mm/memcontrol.c:7028:52: sparse: struct task_struct * >> mm/memcontrol.c:8068:35: sparse: sparse: incorrect type in initializer (incompatible argument 3 (different address spaces)) @@ expected int ( [usertype] *proc_handler )( ... ) @@ got int ( * )( ... ) @@ mm/memcontrol.c:8068:35: sparse: expected int ( [usertype] *proc_handler )( ... ) mm/memcontrol.c:8068:35: sparse: got int ( * )( ... ) mm/memcontrol.c: note: in included file: include/linux/memcontrol.h:786:9: sparse: sparse: context imbalance in 'folio_lruvec_lock' - wrong count at exit include/linux/memcontrol.h:786:9: sparse: sparse: context imbalance in 'folio_lruvec_lock_irq' - wrong count at exit include/linux/memcontrol.h:786:9: sparse: sparse: context imbalance in 'folio_lruvec_lock_irqsave' - wrong count at exit mm/memcontrol.c:2135:6: sparse: sparse: context imbalance in 'folio_memcg_lock' - wrong count at exit mm/memcontrol.c:2182:17: sparse: sparse: context imbalance in '__folio_memcg_unlock' - unexpected unlock mm/memcontrol.c:6671:9: sparse: sparse: context imbalance in 'mem_cgroup_count_precharge_pte_range' - unexpected unlock mm/memcontrol.c:6939:9: sparse: sparse: context imbalance in 'mem_cgroup_move_charge_pte_range' - unexpected unlock vim +8068 mm/memcontrol.c 8044 8045 #ifdef CONFIG_SYSCTL 8046 static struct ctl_table mem_cgroup_sysctls[] = { 8047 #ifdef CONFIG_MEMCG_OOM_PRIORITY 8048 { 8049 /* 8050 * This sysctl is used to control memcg oom priority 8051 * feature, the sysctl name is for compatibility. 8052 */ 8053 .procname = "memcg_qos_enable", 8054 .data = &sysctl_memcg_oom_prio, 8055 .maxlen = sizeof(int), 8056 .mode = 0644, 8057 .proc_handler = sysctl_memcg_oom_prio_handler, 8058 .extra1 = SYSCTL_ZERO, 8059 .extra2 = SYSCTL_ONE, 8060 }, 8061 #endif 8062 #ifdef CONFIG_MEMCG_SWAP_QOS 8063 { 8064 .procname = "memcg_swap_qos_enable", 8065 .data = &sysctl_memcg_swap_qos_stat, 8066 .maxlen = sizeof(int), 8067 .mode = 0644, > 8068 .proc_handler = sysctl_memcg_swap_qos_handler, 8069 .extra1 = SYSCTL_ZERO, 8070 .extra2 = SYSCTL_ONE, 8071 }, 8072 #endif 8073 }; 8074 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0