- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] drm/amd/pm: fix a double-free in si_dpm_init
by Baogen Shang 15 May '24

15 May '24

From: Zhipeng Lu <alexious(a)zju.edu.cn> stable inclusion from stable-v5.10.209 commit aeed2b4e4a70c7568d4a5eecd6a109713c0dfbf4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9J6AL CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ------------------------- [ Upstream commit ac16667237a82e2597e329eb9bc520d1cf9dff30 ] When the allocation of adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries fails, amdgpu_free_extended_power_table is called to free some fields of adev. However, when the control flow returns to si_dpm_sw_init, it goes to label dpm_failed and calls si_dpm_fini, which calls amdgpu_free_extended_power_table again and free those fields again. Thus a double-free is triggered. Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") Signed-off-by: Zhipeng Lu <alexious(a)zju.edu.cn> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Baogen Shang <baogen.shang(a)windriver.com> --- drivers/gpu/drm/amd/pm/powerplay/si_dpm.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c index d6544a6dabc7..6f0653c81f8f 100644 --- a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +++ b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c @@ -7349,10 +7349,9 @@ static int si_dpm_init(struct amdgpu_device *adev) kcalloc(4, sizeof(struct amdgpu_clock_voltage_dependency_entry), GFP_KERNEL); - if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) { - amdgpu_free_extended_power_table(adev); + if (!adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries) return -ENOMEM; - } + adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.count = 4; adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].clk = 0; adev->pm.dpm.dyn_state.vddc_dependency_on_dispclk.entries[0].v = 0; -- 2.33.0

1 0

[PATCH OLK-5.10] drm/amdgpu: Fix cat debugfs amdgpu_regs_didt causes kernel null pointer
by Baogen Shang 15 May '24

15 May '24

From: Lu Yao <yaolu(a)kylinos.cn> stable inclusion from stable-v5.10.209 commit 974f127fcf6552ecd5b76c36c7b107e77b2febf9 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9J6AL CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ------------------------- [ Upstream commit 2161e09cd05a50d80736fe397145340d2e8f6c05 ] For 'AMDGPU_FAMILY_SI' family cards, in 'si_common_early_init' func, init 'didt_rreg' and 'didt_wreg' to 'NULL'. But in func 'amdgpu_debugfs_regs_didt_read/write', using 'RREG32_DIDT' 'WREG32_DIDT' lacks of relevant judgment. And other 'amdgpu_ip_block_version' that use these two definitions won't be added for 'AMDGPU_FAMILY_SI'. So, add null pointer judgment before calling. Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Lu Yao <yaolu(a)kylinos.cn> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Baogen Shang <baogen.shang(a)windriver.com> --- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c index 48df32dd352e..3e573077368b 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c @@ -459,6 +459,9 @@ static ssize_t amdgpu_debugfs_regs_didt_read(struct file *f, char __user *buf, if (size & 0x3 || *pos & 0x3) return -EINVAL; + if (!adev->didt_rreg) + return -EOPNOTSUPP; + r = pm_runtime_get_sync(adev_to_drm(adev)->dev); if (r < 0) { pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); @@ -518,6 +521,9 @@ static ssize_t amdgpu_debugfs_regs_didt_write(struct file *f, const char __user if (size & 0x3 || *pos & 0x3) return -EINVAL; + if (!adev->didt_wreg) + return -EOPNOTSUPP; + r = pm_runtime_get_sync(adev_to_drm(adev)->dev); if (r < 0) { pm_runtime_put_autosuspend(adev_to_drm(adev)->dev); -- 2.33.0

1 0

[PATCH OLK-5.10] drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'
by Baogen Shang 15 May '24

15 May '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.214 commit 330caa061af53ea6d287d7c43d0703714e510e08 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9J6AL CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ------------------------- [ Upstream commit 9ccfe80d022df7c595f1925afb31de2232900656 ] The 'stream' pointer is used in dcn10_set_output_transfer_func() before the check if 'stream' is NULL. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875) Fixes: ddef02de0d71 ("drm/amd/display: add null checks before logging") Cc: Wyatt Wood <wyatt.wood(a)amd.com> Cc: Anthony Koo <Anthony.Koo(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Anthony Koo <Anthony.Koo(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Baogen Shang <baogen.shang(a)windriver.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c index 1c669f115dd8..8cf6e307ae36 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c @@ -1669,6 +1669,9 @@ bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx, { struct dpp *dpp = pipe_ctx->plane_res.dpp; + if (!stream) + return false; + if (dpp == NULL) return false; @@ -1691,8 +1694,8 @@ bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx, } else dpp->funcs->dpp_program_regamma_pwl(dpp, NULL, OPP_REGAMMA_BYPASS); - if (stream != NULL && stream->ctx != NULL && - stream->out_transfer_func != NULL) { + if (stream->ctx && + stream->out_transfer_func) { log_tf(stream->ctx, stream->out_transfer_func, dpp->regamma_params.hw_points_num); -- 2.33.0

1 0

[PATCH OLK-5.10] drm/amd/display: Fix memory leak in dm_sw_fini()
by Baogen Shang 15 May '24

15 May '24

From: Armin Wolf <W_Armin(a)gmx.de> stable inclusion from stable-v5.10.211 commit b49b022f7dfce85eb77d0d987008fde5c01d7857 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9J6AL CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ------------------------- [ Upstream commit bae67893578d608e35691dcdfa90c4957debf1d3 ] After destroying dmub_srv, the memory associated with it is not freed, causing a memory leak: unreferenced object 0xffff896302b45800 (size 1024): comm "(udev-worker)", pid 222, jiffies 4294894636 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 6265fd77): [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340 [<ffffffffc0ea4a94>] dm_dmub_sw_init+0xb4/0x450 [amdgpu] [<ffffffffc0ea4e55>] dm_sw_init+0x15/0x2b0 [amdgpu] [<ffffffffc0ba8557>] amdgpu_device_init+0x1417/0x24e0 [amdgpu] [<ffffffffc0bab285>] amdgpu_driver_load_kms+0x15/0x190 [amdgpu] [<ffffffffc0ba09c7>] amdgpu_pci_probe+0x187/0x4e0 [amdgpu] [<ffffffff9968fd1e>] local_pci_probe+0x3e/0x90 [<ffffffff996918a3>] pci_device_probe+0xc3/0x230 [<ffffffff99805872>] really_probe+0xe2/0x480 [<ffffffff99805c98>] __driver_probe_device+0x78/0x160 [<ffffffff99805daf>] driver_probe_device+0x1f/0x90 [<ffffffff9980601e>] __driver_attach+0xce/0x1c0 [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0 [<ffffffff99804822>] bus_add_driver+0x112/0x210 [<ffffffff99807245>] driver_register+0x55/0x100 [<ffffffff990012d1>] do_one_initcall+0x41/0x300 Fix this by freeing dmub_srv after destroying it. Fixes: 743b9786b14a ("drm/amd/display: Hook up the DMUB service in DM") Signed-off-by: Armin Wolf <W_Armin(a)gmx.de> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Baogen Shang <baogen.shang(a)windriver.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 54d6b4128721..3578e3b3536e 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1456,6 +1456,7 @@ static int dm_sw_fini(void *handle) if (adev->dm.dmub_srv) { dmub_srv_destroy(adev->dm.dmub_srv); + kfree(adev->dm.dmub_srv); adev->dm.dmub_srv = NULL; } -- 2.33.0

1 0

[PATCH OLK-5.10] smart_grid: introducing rebuild_affinity_domain
by Yipeng Zou 15 May '24

15 May '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9OJK9 CVE: NA ---------------------------------------- Here are many scenarios we tested with smart_grid, we found that the first domain level is key to the benchmark. The reason is that there are many things such as interrupt affinity, memory affinity factor that can have a big impact on the test. Before this patch, the first domain level is unchangeable after creation. This patch introduce the 'cpu.rebuild_affinity_domain' to dynamically reconfigure all domain levels. Typical use cases: echo $cpu_id > cpu.rebuild_affinity_domain The cpu_id means which cpu we want to set first level. If we set cpu_id = 34, we can see some change like: ---------------- ----------------- | level 0 (0-31) | | level 0 (32-63) | ---------------- ----------------- v v ------------------- ------------------ | level 1 (0-63) | | level 1 (0-63) | ------------------- ------------------ v --> v --------------------- -------------------- | level 2 (0-95) | | level 2 (0-95) | --------------------- -------------------- v v ------------------------ ---------------------- | level 3 (0-127) | | level 3 (0-127) | ------------------------ ---------------------- There are number of constraints on the rebuild feature: 1. Only rebuild domain while auto mode disabled. (cpu.dynamic_affinity_mode == 1) 2. Only rebuild on active and housekeeping cpu. (Offline and isolate CPUs are forbidden) 3. This file is write only. Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- kernel/sched/core.c | 13 +++++++++++++ kernel/sched/fair.c | 43 +++++++++++++++++++++++++++++++++++++++++++ kernel/sched/sched.h | 1 + 3 files changed, 57 insertions(+) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index fa71c7c51196..77dc6e0e3f8b 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -9690,6 +9690,15 @@ static int cpu_affinity_stat_show(struct seq_file *sf, void *v) return 0; } + +static int cpu_rebuild_affinity_domain_u64(struct cgroup_subsys_state *css, + struct cftype *cftype, + u64 cpu) +{ + struct task_group *tg = css_tg(css); + + return tg_rebuild_affinity_domains(cpu, tg->auto_affinity); +} #endif /* CONFIG_QOS_SCHED_SMART_GRID */ #ifdef CONFIG_QOS_SCHED @@ -9873,6 +9882,10 @@ static struct cftype cpu_legacy_files[] = { .name = "affinity_stat", .seq_show = cpu_affinity_stat_show, }, + { + .name = "rebuild_affinity_domain", + .write_u64 = cpu_rebuild_affinity_domain_u64, + }, #endif #ifdef CONFIG_CFS_BANDWIDTH { diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index f39e7547523c..1458878f5464 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -6242,6 +6242,49 @@ static void destroy_auto_affinity(struct task_group *tg) kfree(tg->auto_affinity); tg->auto_affinity = NULL; } + +int tg_rebuild_affinity_domains(int cpu, struct auto_affinity *auto_affi) +{ + int ret = 0; + int level = 0; + struct sched_domain *tmp; + + if (unlikely(!auto_affi)) + return -EPERM; + + mutex_lock(&smart_grid_used_mutex); + raw_spin_lock_irq(&auto_affi->lock); + /* Only build domain while auto mode disabled */ + if (auto_affi->mode) { + ret = -EPERM; + goto unlock_all; + } + + /* Only build on active and housekeeping cpu */ + if (!cpu_active(cpu) || !housekeeping_cpu(cpu, HK_FLAG_DOMAIN)) { + ret = -EINVAL; + goto unlock_all; + } + + for_each_domain(cpu, tmp) { + if (!auto_affi->ad.domains[level] || !auto_affi->ad.domains_orig[level]) + continue; + + /* rebuild domain[,_orig] and reset schedstat counter */ + cpumask_copy(auto_affi->ad.domains[level], sched_domain_span(tmp)); + cpumask_copy(auto_affi->ad.domains_orig[level], auto_affi->ad.domains[level]); + __schedstat_set(auto_affi->ad.stay_cnt[level], 0); + level++; + } + + /* trigger to update smart grid zone */ + sched_grid_zone_update(false); + +unlock_all: + raw_spin_unlock_irq(&auto_affi->lock); + mutex_unlock(&smart_grid_used_mutex); + return ret; +} #else static void destroy_auto_affinity(struct task_group *tg) {} diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index e6f934af7062..e10f65a7f87f 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -580,6 +580,7 @@ extern void start_auto_affinity(struct auto_affinity *auto_affi); extern void stop_auto_affinity(struct auto_affinity *auto_affi); extern int init_auto_affinity(struct task_group *tg); extern void tg_update_affinity_domains(int cpu, int online); +extern int tg_rebuild_affinity_domains(int cpu, struct auto_affinity *auto_affi); #else static inline int init_auto_affinity(struct task_group *tg) -- 2.34.1

2 1

[PATCH OLK-5.10 v2] scsi: sr: Do not leak information in ioctl
by Li Lingfeng 15 May '24

15 May '24

From: Tom Rix <trix(a)redhat.com> mainline inclusion from mainline-v5.18-rc4 commit faad6cebded8e0fd902b672f220449b93db479eb category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9PGWG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- sr_ioctl.c uses this pattern: result = sr_do_ioctl(cd, &cgc); to-user = buffer[]; kfree(buffer); return result; Use of a buffer without checking leaks information. Check result and jump over the use of buffer if there is an error. result = sr_do_ioctl(cd, &cgc); if (result) goto err; to-user = buffer[]; err: kfree(buffer); return result; Additionally, initialize the buffer to zero. This problem can be seen in the 2.4.0 kernel. Link: https://lore.kernel.org/r/20220411174756.2418435-1-trix@redhat.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Tom Rix <trix(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflicts: drivers/scsi/sr_ioctl.c [Commit aaff5ebaa269 ("scsi: remove the unchecked_isa_dma flag") remove the unchecked_isa_dma flag] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- v1->v2: Correct commit message. drivers/scsi/sr_ioctl.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 4c1de11e69fb..0808217f2d7b 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -45,7 +45,7 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; @@ -59,10 +59,13 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, cgc.data_direction = DMA_FROM_DEVICE; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; tochdr->cdth_trk0 = buffer[2]; tochdr->cdth_trk1 = buffer[3]; +err: kfree(buffer); return result; } @@ -75,7 +78,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; @@ -90,6 +93,8 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, cgc.data_direction = DMA_FROM_DEVICE; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; tocentry->cdte_ctrl = buffer[5] & 0xf; tocentry->cdte_adr = buffer[5] >> 4; @@ -102,6 +107,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, tocentry->cdte_addr.lba = (((((buffer[8] << 8) + buffer[9]) << 8) + buffer[10]) << 8) + buffer[11]; +err: kfree(buffer); return result; } @@ -388,7 +394,7 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn) { Scsi_CD *cd = cdi->handle; struct packet_command cgc; - char *buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + char *buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); int result; if (!buffer) @@ -404,10 +410,13 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn) cgc.data_direction = DMA_FROM_DEVICE; cgc.timeout = IOCTL_TIMEOUT; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; memcpy(mcn->medium_catalog_number, buffer + 9, 13); mcn->medium_catalog_number[13] = 0; +err: kfree(buffer); return result; } -- 2.31.1

2 1

[PATCH openEuler-1.0-LTS v2] scsi: sr: Do not leak information in ioctl
by Li Lingfeng 15 May '24

15 May '24

From: Tom Rix <trix(a)redhat.com> mainline inclusion from mainline-v5.18-rc4 commit faad6cebded8e0fd902b672f220449b93db479eb category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9PGWG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- sr_ioctl.c uses this pattern: result = sr_do_ioctl(cd, &cgc); to-user = buffer[]; kfree(buffer); return result; Use of a buffer without checking leaks information. Check result and jump over the use of buffer if there is an error. result = sr_do_ioctl(cd, &cgc); if (result) goto err; to-user = buffer[]; err: kfree(buffer); return result; Additionally, initialize the buffer to zero. This problem can be seen in the 2.4.0 kernel. Link: https://lore.kernel.org/r/20220411174756.2418435-1-trix@redhat.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Tom Rix <trix(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflicts: drivers/scsi/sr_ioctl.c [Commit aaff5ebaa269 ("scsi: remove the unchecked_isa_dma flag") remove the unchecked_isa_dma flag] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- v1->v2: Correct commit message. drivers/scsi/sr_ioctl.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 335cfdde0cf0..85ed1c6be6ce 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -45,7 +45,7 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; @@ -59,10 +59,13 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, cgc.data_direction = DMA_FROM_DEVICE; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; tochdr->cdth_trk0 = buffer[2]; tochdr->cdth_trk1 = buffer[3]; +err: kfree(buffer); return result; } @@ -75,7 +78,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; @@ -90,6 +93,8 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, cgc.data_direction = DMA_FROM_DEVICE; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; tocentry->cdte_ctrl = buffer[5] & 0xf; tocentry->cdte_adr = buffer[5] >> 4; @@ -102,6 +107,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, tocentry->cdte_addr.lba = (((((buffer[8] << 8) + buffer[9]) << 8) + buffer[10]) << 8) + buffer[11]; +err: kfree(buffer); return result; } @@ -389,7 +395,7 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn) { Scsi_CD *cd = cdi->handle; struct packet_command cgc; - char *buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + char *buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); int result; if (!buffer) @@ -405,10 +411,13 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn) cgc.data_direction = DMA_FROM_DEVICE; cgc.timeout = IOCTL_TIMEOUT; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; memcpy(mcn->medium_catalog_number, buffer + 9, 13); mcn->medium_catalog_number[13] = 0; +err: kfree(buffer); return result; } -- 2.31.1

2 1

[PATCH OLK-6.6] mm: prepare to support weighted interleaving mempolicy
by Ze Zuo 15 May '24

15 May '24

hulk inclusion category: feature https://gitee.com/openeuler/kernel/issues/I9PD4G ---------------------------------------------------------------------- To support weighted interleaving mempolicy, we need to round up two series of patch sets, patch set one is "mempolicy: cleanups leading to NUMA mpol without vma" and patch set two is "mm/mempolicy: weighted interleave mempolicy and sysfs extension", however, where commit ddc1a5cbc05d ("mempolicy: alloc_pages_mpol() for NUMA policy without vma") for patch set one and commit fa3bea4e1f82 ("mm/mempolicy: introduce MPOL_ WEIGHTED_INTERLEAVE for weighted interleaving") will see kabi changes for whitelisted structures, for which the KABI field needs to be reserved in advance for the mempolicy's relevant data structures. Signed-off-by: Ze Zuo <zuoze1(a)huawei.com> --- fs/kernfs/file.c | 4 ++-- include/linux/mm.h | 2 +- include/linux/sched.h | 1 + include/uapi/linux/mempolicy.h | 1 + ipc/shm.c | 4 ++-- mm/mempolicy.c | 6 +++--- mm/shmem.c | 2 +- 7 files changed, 11 insertions(+), 9 deletions(-) diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c index 1cbf9a44422e..4df293c645e1 100644 --- a/fs/kernfs/file.c +++ b/fs/kernfs/file.c @@ -456,7 +456,7 @@ static int kernfs_vma_set_policy(struct vm_area_struct *vma, } static struct mempolicy *kernfs_vma_get_policy(struct vm_area_struct *vma, - unsigned long addr) + unsigned long addr, pgoff_t *ilx) { struct file *file = vma->vm_file; struct kernfs_open_file *of = kernfs_of(file); @@ -470,7 +470,7 @@ static struct mempolicy *kernfs_vma_get_policy(struct vm_area_struct *vma, pol = vma->vm_policy; if (of->vm_ops->get_policy) - pol = of->vm_ops->get_policy(vma, addr); + pol = of->vm_ops->get_policy(vma, addr, NULL); kernfs_put_active(of->kn); return pol; diff --git a/include/linux/mm.h b/include/linux/mm.h index f86fd573a4a1..49f4fac2dcf7 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -640,7 +640,7 @@ struct vm_operations_struct { * policy. */ struct mempolicy *(*get_policy)(struct vm_area_struct *vma, - unsigned long addr); + unsigned long addr, pgoff_t *ilx); #endif /* * Called by vm_normal_page() for special PTEs to find the diff --git a/include/linux/sched.h b/include/linux/sched.h index b65d74c5e765..f40411aa7b70 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1285,6 +1285,7 @@ struct task_struct { /* Protected by alloc_lock: */ struct mempolicy *mempolicy; short il_prev; + u8 il_weight; short pref_node_fork; #endif #ifdef CONFIG_NUMA_BALANCING diff --git a/include/uapi/linux/mempolicy.h b/include/uapi/linux/mempolicy.h index 046d0ccba4cd..8494de333376 100644 --- a/include/uapi/linux/mempolicy.h +++ b/include/uapi/linux/mempolicy.h @@ -23,6 +23,7 @@ enum { MPOL_INTERLEAVE, MPOL_LOCAL, MPOL_PREFERRED_MANY, + MPOL_WEIGHTED_INTERLEAVE, MPOL_MAX, /* always last member of enum */ }; diff --git a/ipc/shm.c b/ipc/shm.c index 576a543b7cff..0a02bc6d7cdf 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -574,14 +574,14 @@ static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new) } static struct mempolicy *shm_get_policy(struct vm_area_struct *vma, - unsigned long addr) + unsigned long addr, pgoff_t *ilx) { struct file *file = vma->vm_file; struct shm_file_data *sfd = shm_file_data(file); struct mempolicy *pol = NULL; if (sfd->vm_ops->get_policy) - pol = sfd->vm_ops->get_policy(vma, addr); + pol = sfd->vm_ops->get_policy(vma, addr, NULL); else if (vma->vm_policy) pol = vma->vm_policy; diff --git a/mm/mempolicy.c b/mm/mempolicy.c index a80f99751904..17aadb5ca5f7 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -970,7 +970,7 @@ static long do_get_mempolicy(int *policy, nodemask_t *nmask, return -EFAULT; } if (vma->vm_ops && vma->vm_ops->get_policy) - pol = vma->vm_ops->get_policy(vma, addr); + pol = vma->vm_ops->get_policy(vma, addr, NULL); else pol = vma->vm_policy; } else if (addr) @@ -1778,7 +1778,7 @@ struct mempolicy *__get_vma_policy(struct vm_area_struct *vma, if (vma) { if (vma->vm_ops && vma->vm_ops->get_policy) { - pol = vma->vm_ops->get_policy(vma, addr); + pol = vma->vm_ops->get_policy(vma, addr, NULL); } else if (vma->vm_policy) { pol = vma->vm_policy; @@ -1826,7 +1826,7 @@ bool vma_policy_mof(struct vm_area_struct *vma) if (vma->vm_ops && vma->vm_ops->get_policy) { bool ret = false; - pol = vma->vm_ops->get_policy(vma, vma->vm_start); + pol = vma->vm_ops->get_policy(vma, vma->vm_start, NULL); if (pol && (pol->flags & MPOL_F_MOF)) ret = true; mpol_cond_put(pol); diff --git a/mm/shmem.c b/mm/shmem.c index a7550982a13d..cf27e1785f80 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2352,7 +2352,7 @@ static int shmem_set_policy(struct vm_area_struct *vma, struct mempolicy *mpol) } static struct mempolicy *shmem_get_policy(struct vm_area_struct *vma, - unsigned long addr) + unsigned long addr, pgoff_t *ilx) { struct inode *inode = file_inode(vma->vm_file); pgoff_t index; -- 2.33.0

2 1

[openeuler:OLK-6.6 3971/9610] drivers/net/ethernet/huawei/hinic/hinic_hwif.c:46:16: sparse: sparse: incorrect type in argument 1 (different base types)
by kernel test robot 15 May '24

15 May '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 7c6c7d83d2bc788cd9aef8983afa59eae25e148e commit: 9c1c9598010fbb9daa1e2a67d23830092fb6246a [3971/9610] net/hinic: Update Huawei Intelligent Network Card Driver: hinic config: arm64-randconfig-r132-20240515 (https://download.01.org/0day-ci/archive/20240515/202405151557.G5fbOVUN-lkp@…) compiler: aarch64-linux-gcc (GCC) 13.2.0 reproduce: (https://download.01.org/0day-ci/archive/20240515/202405151557.G5fbOVUN-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202405151557.G5fbOVUN-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) drivers/net/ethernet/huawei/hinic/hinic_hwif.c:40:16: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:40:16: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:40:16: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:40:16: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:40:16: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:40:16: sparse: sparse: cast to restricted __be32 >> drivers/net/ethernet/huawei/hinic/hinic_hwif.c:46:16: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned int [usertype] value @@ got restricted __be32 [usertype] @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:46:16: sparse: expected unsigned int [usertype] value drivers/net/ethernet/huawei/hinic/hinic_hwif.c:46:16: sparse: got restricted __be32 [usertype] drivers/net/ethernet/huawei/hinic/hinic_hwif.c:592:29: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected unsigned char [noderef] [usertype] __iomem *cfg_regs_base @@ got void *cfg_reg_base @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:592:29: sparse: expected unsigned char [noderef] [usertype] __iomem *cfg_regs_base drivers/net/ethernet/huawei/hinic/hinic_hwif.c:592:29: sparse: got void *cfg_reg_base drivers/net/ethernet/huawei/hinic/hinic_hwif.c:593:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected unsigned char [noderef] [usertype] __iomem *intr_regs_base @@ got void *intr_reg_base @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:593:30: sparse: expected unsigned char [noderef] [usertype] __iomem *intr_regs_base drivers/net/ethernet/huawei/hinic/hinic_hwif.c:593:30: sparse: got void *intr_reg_base drivers/net/ethernet/huawei/hinic/hinic_hwif.c:596:23: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected unsigned char [noderef] [usertype] __iomem *db_base @@ got void *db_base @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:596:23: sparse: expected unsigned char [noderef] [usertype] __iomem *db_base drivers/net/ethernet/huawei/hinic/hinic_hwif.c:596:23: sparse: got void *db_base >> drivers/net/ethernet/huawei/hinic/hinic_hwif.c:597:28: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void [noderef] __iomem *dwqe_mapping @@ got void *dwqe_mapping @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:597:28: sparse: expected void [noderef] __iomem *dwqe_mapping drivers/net/ethernet/huawei/hinic/hinic_hwif.c:597:28: sparse: got void *dwqe_mapping drivers/net/ethernet/huawei/hinic/hinic_hwif.c:664:64: sparse: sparse: incorrect type in argument 4 (different base types) @@ expected restricted gfp_t [usertype] gfp @@ got unsigned int flag @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:664:64: sparse: expected restricted gfp_t [usertype] gfp drivers/net/ethernet/huawei/hinic/hinic_hwif.c:664:64: sparse: got unsigned int flag drivers/net/ethernet/huawei/hinic/hinic_hwif.c:679:64: sparse: sparse: incorrect type in argument 4 (different base types) @@ expected restricted gfp_t [usertype] gfp @@ got unsigned int flag @@ drivers/net/ethernet/huawei/hinic/hinic_hwif.c:679:64: sparse: expected restricted gfp_t [usertype] gfp drivers/net/ethernet/huawei/hinic/hinic_hwif.c:679:64: sparse: got unsigned int flag drivers/net/ethernet/huawei/hinic/hinic_hwif.c:984:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:984:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:984:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:984:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:984:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:984:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:993:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:993:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:993:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:993:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:993:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c:993:17: sparse: sparse: cast to restricted __be32 drivers/net/ethernet/huawei/hinic/hinic_hwif.c: note: in included file (through include/linux/mmzone.h, include/linux/gfp.h, include/linux/xarray.h, ...): include/linux/page-flags.h:245:46: sparse: sparse: self-comparison always evaluates to false vim +46 drivers/net/ethernet/huawei/hinic/hinic_hwif.c 42 43 /* For UEFI driver, this function can only write BAR0 */ 44 void hinic_hwif_write_reg(struct hinic_hwif *hwif, u32 reg, u32 val) 45 { > 46 writel(cpu_to_be32(val), hwif->cfg_regs_base + reg); 47 } 48 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] scsi: sr: Do not leak information in ioctl
by Li Lingfeng 15 May '24

15 May '24

From: Tom Rix <trix(a)redhat.com> stable inclusion from stable-v5.18-rc4 commit faad6cebded8e0fd902b672f220449b93db479eb category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9PGWG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- sr_ioctl.c uses this pattern: result = sr_do_ioctl(cd, &cgc); to-user = buffer[]; kfree(buffer); return result; Use of a buffer without checking leaks information. Check result and jump over the use of buffer if there is an error. result = sr_do_ioctl(cd, &cgc); if (result) goto err; to-user = buffer[]; err: kfree(buffer); return result; Additionally, initialize the buffer to zero. This problem can be seen in the 2.4.0 kernel. Link: https://lore.kernel.org/r/20220411174756.2418435-1-trix@redhat.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Tom Rix <trix(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflicts: drivers/scsi/sr_ioctl.c [Commit aaff5ebaa269 ("scsi: remove the unchecked_isa_dma flag") remove the unchecked_isa_dma flag] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/scsi/sr_ioctl.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/sr_ioctl.c b/drivers/scsi/sr_ioctl.c index 4c1de11e69fb..0808217f2d7b 100644 --- a/drivers/scsi/sr_ioctl.c +++ b/drivers/scsi/sr_ioctl.c @@ -45,7 +45,7 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; @@ -59,10 +59,13 @@ static int sr_read_tochdr(struct cdrom_device_info *cdi, cgc.data_direction = DMA_FROM_DEVICE; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; tochdr->cdth_trk0 = buffer[2]; tochdr->cdth_trk1 = buffer[3]; +err: kfree(buffer); return result; } @@ -75,7 +78,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, int result; unsigned char *buffer; - buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); if (!buffer) return -ENOMEM; @@ -90,6 +93,8 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, cgc.data_direction = DMA_FROM_DEVICE; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; tocentry->cdte_ctrl = buffer[5] & 0xf; tocentry->cdte_adr = buffer[5] >> 4; @@ -102,6 +107,7 @@ static int sr_read_tocentry(struct cdrom_device_info *cdi, tocentry->cdte_addr.lba = (((((buffer[8] << 8) + buffer[9]) << 8) + buffer[10]) << 8) + buffer[11]; +err: kfree(buffer); return result; } @@ -388,7 +394,7 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn) { Scsi_CD *cd = cdi->handle; struct packet_command cgc; - char *buffer = kmalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); + char *buffer = kzalloc(32, GFP_KERNEL | SR_GFP_DMA(cd)); int result; if (!buffer) @@ -404,10 +410,13 @@ int sr_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn) cgc.data_direction = DMA_FROM_DEVICE; cgc.timeout = IOCTL_TIMEOUT; result = sr_do_ioctl(cd, &cgc); + if (result) + goto err; memcpy(mcn->medium_catalog_number, buffer + 9, 13); mcn->medium_catalog_number[13] = 0; +err: kfree(buffer); return result; } -- 2.31.1

2 1