- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] s390/cpum_sf: Handle CPU hotplug remove during sampling
by Heyuan Wang 17 Jan '25

17 Jan '25

From: Thomas Richter <tmricht(a)linux.ibm.com> stable inclusion from stable-v6.6.66 commit a69752f1e5de817941a2ea0609254f6f25acd274 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBI7GX CVE: CVE-2024-57849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ] CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers() This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled. With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU: perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update() to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data. Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. Signed-off-by: Thomas Richter <tmricht(a)linux.ibm.com> Reviewed-by: Hendrik Brueckner <brueckner(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Heyuan Wang <wangheyuan2(a)h-partners.com> --- arch/s390/kernel/perf_cpum_sf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c index a3169193775f..e52c89739bc9 100644 --- a/arch/s390/kernel/perf_cpum_sf.c +++ b/arch/s390/kernel/perf_cpum_sf.c @@ -1922,7 +1922,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags) event->hw.state |= PERF_HES_STOPPED; if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) { - hw_perf_event_update(event, 1); + /* CPU hotplug off removes SDBs. No samples to extract. */ + if (cpuhw->flags & PMU_F_RESERVED) + hw_perf_event_update(event, 1); event->hw.state |= PERF_HES_UPTODATE; } perf_pmu_enable(event->pmu); -- 2.25.1

2 1

[PATCH OLK-5.10] s390/cpum_sf: Handle CPU hotplug remove during sampling
by Heyuan Wang 17 Jan '25

17 Jan '25

From: Thomas Richter <tmricht(a)linux.ibm.com> stable inclusion from stable-v5.10.231 commit 99192c735ed4bfdff0d215ec85c8a87a677cb898 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBI7GX CVE: CVE-2024-57849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ] CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers() This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled. With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU: perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update() to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data. Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. Signed-off-by: Thomas Richter <tmricht(a)linux.ibm.com> Reviewed-by: Hendrik Brueckner <brueckner(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Heyuan Wang <wangheyuan2(a)h-partners.com> --- arch/s390/kernel/perf_cpum_sf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c index bcd31e0b4edb..af41550d34b9 100644 --- a/arch/s390/kernel/perf_cpum_sf.c +++ b/arch/s390/kernel/perf_cpum_sf.c @@ -1900,7 +1900,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags) event->hw.state |= PERF_HES_STOPPED; if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) { - hw_perf_event_update(event, 1); + /* CPU hotplug off removes SDBs. No samples to extract. */ + if (cpuhw->flags & PMU_F_RESERVED) + hw_perf_event_update(event, 1); event->hw.state |= PERF_HES_UPTODATE; } perf_pmu_enable(event->pmu); -- 2.25.1

2 1

[openeuler:OLK-5.10 2709/2709] fs/buffer.o: warning: objtool: __breadahead_gfp()+0x9b: unreachable instruction
by kernel test robot 17 Jan '25

17 Jan '25

Hi Zhang, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 08e54ea5e4a4948874ca30d91be3e5cca4ecbeec commit: 1ee722823d036ae6478e6bdb1afb12abff10a907 [2709/2709] fs/buffer: replace ll_rw_block() config: x86_64-randconfig-161-20250117 (https://download.01.org/0day-ci/archive/20250117/202501171739.hW4TwhmP-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501171739.hW4TwhmP-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202501171739.hW4TwhmP-lkp@intel.com/ All warnings (new ones prefixed by >>): >> fs/buffer.o: warning: objtool: __breadahead_gfp()+0x9b: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init()
by Liu Jian 17 Jan '25

17 Jan '25

From: Jinghao Jia <jinghao7(a)illinois.edu> stable inclusion from stable-v6.6.66 commit 124834133b32f9386bb2d8581d9ab92f65e951e4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBICKD CVE: CVE-2024-53680 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit 146b6f1112eb30a19776d6c323c994e9d67790db ] Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be a undefined behavior problem. ip_vs_protocol_init() uses a on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, cause the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202402100205.PWXIz1ZK-lkp@intel.com/ Co-developed-by: Ruowen Qin <ruqin(a)redhat.com> Signed-off-by: Ruowen Qin <ruqin(a)redhat.com> Signed-off-by: Jinghao Jia <jinghao7(a)illinois.edu> Acked-by: Julian Anastasov <ja(a)ssi.bg> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/netfilter/ipvs/ip_vs_proto.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c index f100da4ba3bc..a9fd1d3fc2cb 100644 --- a/net/netfilter/ipvs/ip_vs_proto.c +++ b/net/netfilter/ipvs/ip_vs_proto.c @@ -340,7 +340,7 @@ void __net_exit ip_vs_protocol_net_cleanup(struct netns_ipvs *ipvs) int __init ip_vs_protocol_init(void) { - char protocols[64]; + char protocols[64] = { 0 }; #define REGISTER_PROTOCOL(p) \ do { \ register_ip_vs_protocol(p); \ @@ -348,8 +348,6 @@ int __init ip_vs_protocol_init(void) strcat(protocols, (p)->name); \ } while (0) - protocols[0] = '\0'; - protocols[2] = '\0'; #ifdef CONFIG_IP_VS_PROTO_TCP REGISTER_PROTOCOL(&ip_vs_protocol_tcp); #endif -- 2.34.1

2 1

[PATCH OLK-6.6 0/2] clk: ralink: mtmips: clock fixes for Ralink SoCs
by Tirui Yin 17 Jan '25

17 Jan '25

The following series contains two patches that address clock-related issues in the Ralink SoC family: - The first patch introduces a missing 'periph' clock to the RT3883 SoC's clock plan. This corrects issues with peripherals such as UART, I2C, I2S, and UARTlite, which previously relied on an undefined 'periph' clock. - The second patch ensures proper probe order of base clocks for older Ralink SoCs (RT2880, RT305x, and RT3883) by defining the 'xtal' clock first. This eliminates boot warnings and ensures that dependent clocks are set up correctly from the start. Sergio Paracuellos (2): clk: ralink: mtmips: fix clock plan for Ralink SoC RT3883 clk: ralink: mtmips: fix clocks probe order in oldest ralink SoCs drivers/clk/ralink/clk-mtmips.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) -- 2.22.0

2 3

[PATCH OLK-6.6 1/2] clk: ralink: mtmips: fix clock plan for Ralink SoC RT3883
by Tirui Yin 17 Jan '25

17 Jan '25

From: Sergio Paracuellos <sergio.paracuellos(a)gmail.com> stable inclusion from stable-v6.6.64 commit f85a1d06afbcc57ac44176db8f9d7a934979952c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAEQ CVE: CVE-2024-53223 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 33239152305567b3e9bf052f71fd4baecd626341 ] Clock plan for Ralink SoC RT3883 needs an extra 'periph' clock to properly set some peripherals that has this clock as their parent. When this driver was mainlined we could not find any active users of this SoC so we cannot perform any real tests for it. Now, one user of a Belkin f9k1109 version 1 device which uses this SoC appear and reported some issues in openWRT: - https://github.com/openwrt/openwrt/issues/16054 The peripherals that are wrong are 'uart', 'i2c', 'i2s' and 'uartlite' which has a not defined 'periph' clock as parent. Hence, introduce it to have a properly working clock plan for this SoC. Fixes: 6f3b15586eef ("clk: ralink: add clock and reset driver for MTMIPS SoCs") Signed-off-by: Sergio Paracuellos <sergio.paracuellos(a)gmail.com> Link: https://lore.kernel.org/r/20240910044024.120009-2-sergio.paracuellos@gmail.… Signed-off-by: Stephen Boyd <sboyd(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/clk/ralink/clk-mtmips.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/clk/ralink/clk-mtmips.c b/drivers/clk/ralink/clk-mtmips.c index 50a443bf79ec..62f9801ecd3a 100644 --- a/drivers/clk/ralink/clk-mtmips.c +++ b/drivers/clk/ralink/clk-mtmips.c @@ -267,6 +267,11 @@ static struct mtmips_clk_fixed rt305x_fixed_clocks[] = { CLK_FIXED("xtal", NULL, 40000000) }; +static struct mtmips_clk_fixed rt3883_fixed_clocks[] = { + CLK_FIXED("xtal", NULL, 40000000), + CLK_FIXED("periph", "xtal", 40000000) +}; + static struct mtmips_clk_fixed rt3352_fixed_clocks[] = { CLK_FIXED("periph", "xtal", 40000000) }; @@ -779,8 +784,8 @@ static const struct mtmips_clk_data rt3352_clk_data = { static const struct mtmips_clk_data rt3883_clk_data = { .clk_base = rt3883_clks_base, .num_clk_base = ARRAY_SIZE(rt3883_clks_base), - .clk_fixed = rt305x_fixed_clocks, - .num_clk_fixed = ARRAY_SIZE(rt305x_fixed_clocks), + .clk_fixed = rt3883_fixed_clocks, + .num_clk_fixed = ARRAY_SIZE(rt3883_fixed_clocks), .clk_factor = NULL, .num_clk_factor = 0, .clk_periph = rt5350_pherip_clks, -- 2.22.0

2 3

[openeuler:openEuler-1.0-LTS 1408/1408] include/linux/list.h:583:14: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]'
by kernel test robot 17 Jan '25

17 Jan '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 52349611d09c6a9a2b558b3ce1cb1dca0d47dbe8 commit: 08c9196f65d268e1f8dccde138d4644c427bde76 [1408/1408] mm/swap: use nr_node_ids for avail_lists in swap_info_struct config: arm64-randconfig-004-20250117 (https://download.01.org/0day-ci/archive/20250117/202501171519.TpEUKk9L-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501171519.TpEUKk9L-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202501171519.TpEUKk9L-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from arch/arm64/include/asm/bug.h:37, from include/linux/bug.h:5, from include/linux/mmdebug.h:5, from include/linux/mm.h:9, from mm/swapfile.c:8: In function 'add_to_avail_list', inlined from 'swap_range_free.constprop' at mm/swapfile.c:667:4: mm/swapfile.c:648:43: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 648 | WARN_ON(!plist_node_empty(&p->avail_lists[nid])); | ^~~~~~~~~~~~~~~~~~~~ include/asm-generic/bug.h:191:32: note: in definition of macro 'WARN_ON' 191 | int __ret_warn_on = !!(condition); \ | ^~~~~~~~~ In file included from mm/swapfile.c:15: include/linux/swap.h: In function 'swap_range_free.constprop': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ mm/swapfile.c: In function '_enable_swap_info': mm/swapfile.c:2458:47: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2458 | p->avail_lists[i].prio = 1; | ~~~~~~~~~~~~~~^~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ mm/swapfile.c:2460:47: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2460 | p->avail_lists[i].prio = -p->prio; | ~~~~~~~~~~~~~~^~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ mm/swapfile.c:2455:39: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2455 | p->avail_lists[i].prio = -p->prio; | ~~~~~~~~~~~~~~^~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function 'add_to_avail_list', inlined from '_enable_swap_info' at mm/swapfile.c:2481:2: mm/swapfile.c:648:43: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 648 | WARN_ON(!plist_node_empty(&p->avail_lists[nid])); | ^~~~~~~~~~~~~~~~~~~~ include/asm-generic/bug.h:191:32: note: in definition of macro 'WARN_ON' 191 | int __ret_warn_on = !!(condition); \ | ^~~~~~~~~ include/linux/swap.h: In function '_enable_swap_info': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function '__del_from_avail_list', inlined from 'del_from_avail_list' at mm/swapfile.c:621:2, inlined from 'swap_range_alloc' at mm/swapfile.c:638:3, inlined from 'scan_swap_map_slots' at mm/swapfile.c:802:2: mm/swapfile.c:615:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 615 | plist_del(&p->avail_lists[nid], &swap_avail_heads[nid]); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h: In function 'scan_swap_map_slots': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In file included from include/asm-generic/bug.h:18: mm/swapfile.c: In function 'get_swap_pages': mm/swapfile.c:970:81: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) { include/linux/kernel.h:996:33: note: in definition of macro 'container_of' 996 | void *__mptr = (void *)(ptr); \ | ^~~ include/linux/list.h:440:9: note: in expansion of macro 'list_entry' 440 | list_entry((pos)->member.next, typeof(*(pos)), member) | ^~~~~~~~~~ include/linux/list.h:582:21: note: in expansion of macro 'list_next_entry' 582 | n = list_next_entry(pos, member); \ | ^~~~~~~~~~~~~~~ include/linux/plist.h:206:9: note: in expansion of macro 'list_for_each_entry_safe' 206 | list_for_each_entry_safe(pos, n, &(head)->node_list, m.node_list) | ^~~~~~~~~~~~~~~~~~~~~~~~ mm/swapfile.c:970:9: note: in expansion of macro 'plist_for_each_entry_safe' 970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In file included from include/linux/preempt.h:11, from include/linux/spinlock.h:51, from include/linux/mmzone.h:8, from include/linux/gfp.h:6, from include/linux/mm.h:10: >> include/linux/list.h:583:14: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 583 | &pos->member != (head); \ include/linux/plist.h:206:9: note: in expansion of macro 'list_for_each_entry_safe' 206 | list_for_each_entry_safe(pos, n, &(head)->node_list, m.node_list) | ^~~~~~~~~~~~~~~~~~~~~~~~ mm/swapfile.c:970:9: note: in expansion of macro 'plist_for_each_entry_safe' 970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ mm/swapfile.c:972:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 972 | plist_requeue(&si->avail_lists[node], &swap_avail_heads[node]); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ mm/swapfile.c:970:81: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) { include/linux/kernel.h:996:33: note: in definition of macro 'container_of' 996 | void *__mptr = (void *)(ptr); \ | ^~~ include/linux/list.h:440:9: note: in expansion of macro 'list_entry' 440 | list_entry((pos)->member.next, typeof(*(pos)), member) | ^~~~~~~~~~ include/linux/list.h:584:27: note: in expansion of macro 'list_next_entry' 584 | pos = n, n = list_next_entry(n, member)) | ^~~~~~~~~~~~~~~ include/linux/plist.h:206:9: note: in expansion of macro 'list_for_each_entry_safe' 206 | list_for_each_entry_safe(pos, n, &(head)->node_list, m.node_list) | ^~~~~~~~~~~~~~~~~~~~~~~~ mm/swapfile.c:970:9: note: in expansion of macro 'plist_for_each_entry_safe' 970 | plist_for_each_entry_safe(si, next, &swap_avail_heads[node], avail_lists[node]) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function '__del_from_avail_list', inlined from 'del_from_avail_list' at mm/swapfile.c:621:2, inlined from '__do_sys_swapoff' at mm/swapfile.c:2566:2, inlined from '__se_sys_swapoff' at mm/swapfile.c:2517:1: mm/swapfile.c:615:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 615 | plist_del(&p->avail_lists[nid], &swap_avail_heads[nid]); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h: In function '__se_sys_swapoff': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function '__do_sys_swapoff', inlined from '__se_sys_swapoff' at mm/swapfile.c:2517:1: mm/swapfile.c:2576:52: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2576 | if (si->avail_lists[nid].prio != 1) | ~~~~~~~~~~~~~~~^~~~~ include/linux/swap.h: In function '__se_sys_swapoff': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function '__do_sys_swapoff', inlined from '__se_sys_swapoff' at mm/swapfile.c:2517:1: mm/swapfile.c:2577:56: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2577 | si->avail_lists[nid].prio--; | ~~~~~~~~~~~~~~~^~~~~ include/linux/swap.h: In function '__se_sys_swapoff': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function 'alloc_swap_info', inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6, inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1: mm/swapfile.c:2860:17: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2860 | plist_node_init(&p->avail_lists[i], 0); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h: In function '__se_sys_swapon': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function 'alloc_swap_info', inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6, inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1: mm/swapfile.c:2860:48: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 2860 | plist_node_init(&p->avail_lists[i], 0); | ~~~~~~~~~~~~~~^~~ include/linux/swap.h: In function '__se_sys_swapon': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In file included from include/linux/sched.h:19, from arch/arm64/include/asm/pgtable.h:46, from include/linux/memremap.h:7, from include/linux/mm.h:27: In function 'plist_node_init', inlined from 'alloc_swap_info' at mm/swapfile.c:2860:3, inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6, inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1: >> include/linux/plist.h:137:9: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 137 | INIT_LIST_HEAD(&node->prio_list); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h: In function '__se_sys_swapon': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ In function 'plist_node_init', inlined from 'alloc_swap_info' at mm/swapfile.c:2860:3, inlined from '__do_sys_swapon' at mm/swapfile.c:3125:6, inlined from '__se_sys_swapon' at mm/swapfile.c:3097:1: include/linux/plist.h:138:9: warning: array subscript 0 is outside array bounds of 'struct plist_node[0]' [-Warray-bounds=] 138 | INIT_LIST_HEAD(&node->node_list); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/swap.h: In function '__se_sys_swapon': include/linux/swap.h:275:27: note: while referencing 'avail_lists' 275 | struct plist_node avail_lists[0]; /* | ^~~~~~~~~~~ vim +583 include/linux/list.h 6d7581e62f8be4 Jiri Pirko 2013-05-29 433 008208c6b26f21 Oleg Nesterov 2013-11-12 434 /** 008208c6b26f21 Oleg Nesterov 2013-11-12 435 * list_next_entry - get the next element in list 008208c6b26f21 Oleg Nesterov 2013-11-12 436 * @pos: the type * to cursor 3943f42c11896c Andrey Utkin 2014-11-14 437 * @member: the name of the list_head within the struct. 008208c6b26f21 Oleg Nesterov 2013-11-12 438 */ 008208c6b26f21 Oleg Nesterov 2013-11-12 439 #define list_next_entry(pos, member) \ 008208c6b26f21 Oleg Nesterov 2013-11-12 440 list_entry((pos)->member.next, typeof(*(pos)), member) 008208c6b26f21 Oleg Nesterov 2013-11-12 441 008208c6b26f21 Oleg Nesterov 2013-11-12 442 /** 008208c6b26f21 Oleg Nesterov 2013-11-12 443 * list_prev_entry - get the prev element in list 008208c6b26f21 Oleg Nesterov 2013-11-12 444 * @pos: the type * to cursor 3943f42c11896c Andrey Utkin 2014-11-14 445 * @member: the name of the list_head within the struct. 008208c6b26f21 Oleg Nesterov 2013-11-12 446 */ 008208c6b26f21 Oleg Nesterov 2013-11-12 447 #define list_prev_entry(pos, member) \ 008208c6b26f21 Oleg Nesterov 2013-11-12 448 list_entry((pos)->member.prev, typeof(*(pos)), member) 008208c6b26f21 Oleg Nesterov 2013-11-12 449 ^1da177e4c3f41 Linus Torvalds 2005-04-16 450 /** ^1da177e4c3f41 Linus Torvalds 2005-04-16 451 * list_for_each - iterate over a list 8e3a67a99231f9 Randy Dunlap 2006-06-25 452 * @pos: the &struct list_head to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 453 * @head: the head for your list. ^1da177e4c3f41 Linus Torvalds 2005-04-16 454 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 455 #define list_for_each(pos, head) \ e66eed651fd18a Linus Torvalds 2011-05-19 456 for (pos = (head)->next; pos != (head); pos = pos->next) ^1da177e4c3f41 Linus Torvalds 2005-04-16 457 ^1da177e4c3f41 Linus Torvalds 2005-04-16 458 /** ^1da177e4c3f41 Linus Torvalds 2005-04-16 459 * list_for_each_prev - iterate over a list backwards 8e3a67a99231f9 Randy Dunlap 2006-06-25 460 * @pos: the &struct list_head to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 461 * @head: the head for your list. ^1da177e4c3f41 Linus Torvalds 2005-04-16 462 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 463 #define list_for_each_prev(pos, head) \ e66eed651fd18a Linus Torvalds 2011-05-19 464 for (pos = (head)->prev; pos != (head); pos = pos->prev) ^1da177e4c3f41 Linus Torvalds 2005-04-16 465 ^1da177e4c3f41 Linus Torvalds 2005-04-16 466 /** ^1da177e4c3f41 Linus Torvalds 2005-04-16 467 * list_for_each_safe - iterate over a list safe against removal of list entry 8e3a67a99231f9 Randy Dunlap 2006-06-25 468 * @pos: the &struct list_head to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 469 * @n: another &struct list_head to use as temporary storage ^1da177e4c3f41 Linus Torvalds 2005-04-16 470 * @head: the head for your list. ^1da177e4c3f41 Linus Torvalds 2005-04-16 471 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 472 #define list_for_each_safe(pos, n, head) \ ^1da177e4c3f41 Linus Torvalds 2005-04-16 473 for (pos = (head)->next, n = pos->next; pos != (head); \ ^1da177e4c3f41 Linus Torvalds 2005-04-16 474 pos = n, n = pos->next) ^1da177e4c3f41 Linus Torvalds 2005-04-16 475 37c42524d60906 Denis V. Lunev 2007-10-16 476 /** 8f731f7d83d6c6 Randy Dunlap 2007-10-18 477 * list_for_each_prev_safe - iterate over a list backwards safe against removal of list entry 37c42524d60906 Denis V. Lunev 2007-10-16 478 * @pos: the &struct list_head to use as a loop cursor. 37c42524d60906 Denis V. Lunev 2007-10-16 479 * @n: another &struct list_head to use as temporary storage 37c42524d60906 Denis V. Lunev 2007-10-16 480 * @head: the head for your list. 37c42524d60906 Denis V. Lunev 2007-10-16 481 */ 37c42524d60906 Denis V. Lunev 2007-10-16 482 #define list_for_each_prev_safe(pos, n, head) \ 37c42524d60906 Denis V. Lunev 2007-10-16 483 for (pos = (head)->prev, n = pos->prev; \ e66eed651fd18a Linus Torvalds 2011-05-19 484 pos != (head); \ 37c42524d60906 Denis V. Lunev 2007-10-16 485 pos = n, n = pos->prev) 37c42524d60906 Denis V. Lunev 2007-10-16 486 ^1da177e4c3f41 Linus Torvalds 2005-04-16 487 /** ^1da177e4c3f41 Linus Torvalds 2005-04-16 488 * list_for_each_entry - iterate over list of given type 8e3a67a99231f9 Randy Dunlap 2006-06-25 489 * @pos: the type * to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 490 * @head: the head for your list. 3943f42c11896c Andrey Utkin 2014-11-14 491 * @member: the name of the list_head within the struct. ^1da177e4c3f41 Linus Torvalds 2005-04-16 492 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 493 #define list_for_each_entry(pos, head, member) \ 93be3c2eb3371f Oleg Nesterov 2013-11-12 494 for (pos = list_first_entry(head, typeof(*pos), member); \ e66eed651fd18a Linus Torvalds 2011-05-19 495 &pos->member != (head); \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 496 pos = list_next_entry(pos, member)) ^1da177e4c3f41 Linus Torvalds 2005-04-16 497 ^1da177e4c3f41 Linus Torvalds 2005-04-16 498 /** ^1da177e4c3f41 Linus Torvalds 2005-04-16 499 * list_for_each_entry_reverse - iterate backwards over list of given type. 8e3a67a99231f9 Randy Dunlap 2006-06-25 500 * @pos: the type * to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 501 * @head: the head for your list. 3943f42c11896c Andrey Utkin 2014-11-14 502 * @member: the name of the list_head within the struct. ^1da177e4c3f41 Linus Torvalds 2005-04-16 503 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 504 #define list_for_each_entry_reverse(pos, head, member) \ 93be3c2eb3371f Oleg Nesterov 2013-11-12 505 for (pos = list_last_entry(head, typeof(*pos), member); \ e66eed651fd18a Linus Torvalds 2011-05-19 506 &pos->member != (head); \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 507 pos = list_prev_entry(pos, member)) ^1da177e4c3f41 Linus Torvalds 2005-04-16 508 ^1da177e4c3f41 Linus Torvalds 2005-04-16 509 /** 72fd4a35a82433 Robert P. J. Day 2007-02-10 510 * list_prepare_entry - prepare a pos entry for use in list_for_each_entry_continue() ^1da177e4c3f41 Linus Torvalds 2005-04-16 511 * @pos: the type * to use as a start point ^1da177e4c3f41 Linus Torvalds 2005-04-16 512 * @head: the head of the list 3943f42c11896c Andrey Utkin 2014-11-14 513 * @member: the name of the list_head within the struct. fe96e57d77481c Randy Dunlap 2006-06-25 514 * 72fd4a35a82433 Robert P. J. Day 2007-02-10 515 * Prepares a pos entry for use as a start point in list_for_each_entry_continue(). ^1da177e4c3f41 Linus Torvalds 2005-04-16 516 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 517 #define list_prepare_entry(pos, head, member) \ ^1da177e4c3f41 Linus Torvalds 2005-04-16 518 ((pos) ? : list_entry(head, typeof(*pos), member)) ^1da177e4c3f41 Linus Torvalds 2005-04-16 519 ^1da177e4c3f41 Linus Torvalds 2005-04-16 520 /** fe96e57d77481c Randy Dunlap 2006-06-25 521 * list_for_each_entry_continue - continue iteration over list of given type 8e3a67a99231f9 Randy Dunlap 2006-06-25 522 * @pos: the type * to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 523 * @head: the head for your list. 3943f42c11896c Andrey Utkin 2014-11-14 524 * @member: the name of the list_head within the struct. fe96e57d77481c Randy Dunlap 2006-06-25 525 * fe96e57d77481c Randy Dunlap 2006-06-25 526 * Continue to iterate over list of given type, continuing after fe96e57d77481c Randy Dunlap 2006-06-25 527 * the current position. ^1da177e4c3f41 Linus Torvalds 2005-04-16 528 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 529 #define list_for_each_entry_continue(pos, head, member) \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 530 for (pos = list_next_entry(pos, member); \ e66eed651fd18a Linus Torvalds 2011-05-19 531 &pos->member != (head); \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 532 pos = list_next_entry(pos, member)) ^1da177e4c3f41 Linus Torvalds 2005-04-16 533 768f3591e2b1cc Pavel Emelyanov 2007-09-18 534 /** 768f3591e2b1cc Pavel Emelyanov 2007-09-18 535 * list_for_each_entry_continue_reverse - iterate backwards from the given point 768f3591e2b1cc Pavel Emelyanov 2007-09-18 536 * @pos: the type * to use as a loop cursor. 768f3591e2b1cc Pavel Emelyanov 2007-09-18 537 * @head: the head for your list. 3943f42c11896c Andrey Utkin 2014-11-14 538 * @member: the name of the list_head within the struct. 768f3591e2b1cc Pavel Emelyanov 2007-09-18 539 * 768f3591e2b1cc Pavel Emelyanov 2007-09-18 540 * Start to iterate over list of given type backwards, continuing after 768f3591e2b1cc Pavel Emelyanov 2007-09-18 541 * the current position. 768f3591e2b1cc Pavel Emelyanov 2007-09-18 542 */ 768f3591e2b1cc Pavel Emelyanov 2007-09-18 543 #define list_for_each_entry_continue_reverse(pos, head, member) \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 544 for (pos = list_prev_entry(pos, member); \ e66eed651fd18a Linus Torvalds 2011-05-19 545 &pos->member != (head); \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 546 pos = list_prev_entry(pos, member)) 768f3591e2b1cc Pavel Emelyanov 2007-09-18 547 e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 548 /** fe96e57d77481c Randy Dunlap 2006-06-25 549 * list_for_each_entry_from - iterate over list of given type from the current point 8e3a67a99231f9 Randy Dunlap 2006-06-25 550 * @pos: the type * to use as a loop cursor. e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 551 * @head: the head for your list. 3943f42c11896c Andrey Utkin 2014-11-14 552 * @member: the name of the list_head within the struct. fe96e57d77481c Randy Dunlap 2006-06-25 553 * fe96e57d77481c Randy Dunlap 2006-06-25 554 * Iterate over list of given type, continuing from current position. e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 555 */ e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 556 #define list_for_each_entry_from(pos, head, member) \ e66eed651fd18a Linus Torvalds 2011-05-19 557 for (; &pos->member != (head); \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 558 pos = list_next_entry(pos, member)) e229c2fb3370a0 Arnaldo Carvalho de Melo 2006-03-20 559 b862815c3ee7b4 Jiri Pirko 2017-02-03 560 /** b862815c3ee7b4 Jiri Pirko 2017-02-03 561 * list_for_each_entry_from_reverse - iterate backwards over list of given type b862815c3ee7b4 Jiri Pirko 2017-02-03 562 * from the current point b862815c3ee7b4 Jiri Pirko 2017-02-03 563 * @pos: the type * to use as a loop cursor. b862815c3ee7b4 Jiri Pirko 2017-02-03 564 * @head: the head for your list. b862815c3ee7b4 Jiri Pirko 2017-02-03 565 * @member: the name of the list_head within the struct. b862815c3ee7b4 Jiri Pirko 2017-02-03 566 * b862815c3ee7b4 Jiri Pirko 2017-02-03 567 * Iterate backwards over list of given type, continuing from current position. b862815c3ee7b4 Jiri Pirko 2017-02-03 568 */ b862815c3ee7b4 Jiri Pirko 2017-02-03 569 #define list_for_each_entry_from_reverse(pos, head, member) \ b862815c3ee7b4 Jiri Pirko 2017-02-03 570 for (; &pos->member != (head); \ b862815c3ee7b4 Jiri Pirko 2017-02-03 571 pos = list_prev_entry(pos, member)) b862815c3ee7b4 Jiri Pirko 2017-02-03 572 ^1da177e4c3f41 Linus Torvalds 2005-04-16 573 /** ^1da177e4c3f41 Linus Torvalds 2005-04-16 574 * list_for_each_entry_safe - iterate over list of given type safe against removal of list entry 8e3a67a99231f9 Randy Dunlap 2006-06-25 575 * @pos: the type * to use as a loop cursor. ^1da177e4c3f41 Linus Torvalds 2005-04-16 576 * @n: another type * to use as temporary storage ^1da177e4c3f41 Linus Torvalds 2005-04-16 577 * @head: the head for your list. 3943f42c11896c Andrey Utkin 2014-11-14 578 * @member: the name of the list_head within the struct. ^1da177e4c3f41 Linus Torvalds 2005-04-16 579 */ ^1da177e4c3f41 Linus Torvalds 2005-04-16 580 #define list_for_each_entry_safe(pos, n, head, member) \ 93be3c2eb3371f Oleg Nesterov 2013-11-12 581 for (pos = list_first_entry(head, typeof(*pos), member), \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 582 n = list_next_entry(pos, member); \ ^1da177e4c3f41 Linus Torvalds 2005-04-16 @583 &pos->member != (head); \ 8120e2e5141a42 Oleg Nesterov 2013-11-12 584 pos = n, n = list_next_entry(n, member)) ^1da177e4c3f41 Linus Torvalds 2005-04-16 585 :::::: The code at line 583 was first introduced by commit :::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2 :::::: TO: Linus Torvalds <torvalds(a)ppc970.osdl.org> :::::: CC: Linus Torvalds <torvalds(a)ppc970.osdl.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] usb: dwc3: gadget: Fix looping of queued SG entries
by Tirui Yin 17 Jan '25

17 Jan '25

From: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> stable inclusion from stable-v6.6.64 commit 1534f6f69393aac773465d80d31801b554352627 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEDP9 CVE: CVE-2024-56698 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b7fc65f5141c24785dc8c19249ca4efcf71b3524 upstream. The dwc3_request->num_queued_sgs is decremented on completion. If a partially completed request is handled, then the dwc3_request->num_queued_sgs no longer reflects the total number of num_queued_sgs (it would be cleared). Correctly check the number of request SG entries remained to be prepare and queued. Failure to do this may cause null pointer dereference when accessing non-existent SG entry. Cc: stable(a)vger.kernel.org Fixes: c96e6725db9d ("usb: dwc3: gadget: Correct the logic for queuing sgs") Signed-off-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Link: https://lore.kernel.org/r/d07a7c4aa0fcf746cdca0515150dbe5c52000af7.17315457… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/usb/dwc3/gadget.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 867000cdeb96..e7f6be12e401 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -1433,8 +1433,8 @@ static int dwc3_prepare_trbs_sg(struct dwc3_ep *dep, struct scatterlist *s; int i; unsigned int length = req->request.length; - unsigned int remaining = req->request.num_mapped_sgs - - req->num_queued_sgs; + unsigned int remaining = req->num_pending_sgs; + unsigned int num_queued_sgs = req->request.num_mapped_sgs - remaining; unsigned int num_trbs = req->num_trbs; bool needs_extra_trb = dwc3_needs_extra_trb(dep, req); @@ -1442,7 +1442,7 @@ static int dwc3_prepare_trbs_sg(struct dwc3_ep *dep, * If we resume preparing the request, then get the remaining length of * the request and resume where we left off. */ - for_each_sg(req->request.sg, s, req->num_queued_sgs, i) + for_each_sg(req->request.sg, s, num_queued_sgs, i) length -= sg_dma_len(s); for_each_sg(sg, s, remaining, i) { -- 2.22.0

2 1

[PATCH OLK-6.6] f2fs: fix to shrink read extent node in batches
by Yi Yang 17 Jan '25

17 Jan '25

From: Chao Yu <chao(a)kernel.org> stable inclusion from stable-v6.6.66 commit 295b50e95e900da31ff237e46e04525fa799b2cf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBHYTM CVE: CVE-2024-41935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 ] We use rwlock to protect core structure data of extent tree during its shrink, however, if there is a huge number of extent nodes in extent tree, during shrink of extent tree, it may hold rwlock for a very long time, which may trigger kernel hang issue. This patch fixes to shrink read extent node in batches, so that, critical region of the rwlock can be shrunk to avoid its extreme long time hold. Reported-by: Xiuhong Wang <xiuhong.wang(a)unisoc.com> Closes: https://lore.kernel.org/linux-f2fs-devel/20241112110627.1314632-1-xiuhong.w… Signed-off-by: Xiuhong Wang <xiuhong.wang(a)unisoc.com> Signed-off-by: Zhiguo Niu <zhiguo.niu(a)unisoc.com> Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- fs/f2fs/extent_cache.c | 69 +++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 28 deletions(-) diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c index d6fb053b6dfb..bfa2d89dc9ea 100644 --- a/fs/f2fs/extent_cache.c +++ b/fs/f2fs/extent_cache.c @@ -347,21 +347,22 @@ static struct extent_tree *__grab_extent_tree(struct inode *inode, } static unsigned int __free_extent_tree(struct f2fs_sb_info *sbi, - struct extent_tree *et) + struct extent_tree *et, unsigned int nr_shrink) { struct rb_node *node, *next; struct extent_node *en; - unsigned int count = atomic_read(&et->node_cnt); + unsigned int count; node = rb_first_cached(&et->root); - while (node) { + + for (count = 0; node && count < nr_shrink; count++) { next = rb_next(node); en = rb_entry(node, struct extent_node, rb_node); __release_extent_node(sbi, et, en); node = next; } - return count - atomic_read(&et->node_cnt); + return count; } static void __drop_largest_extent(struct extent_tree *et, @@ -580,6 +581,30 @@ static struct extent_node *__insert_extent_tree(struct f2fs_sb_info *sbi, return en; } +static unsigned int __destroy_extent_node(struct inode *inode, + enum extent_type type) +{ + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct extent_tree *et = F2FS_I(inode)->extent_tree[type]; + unsigned int nr_shrink = type == EX_READ ? + READ_EXTENT_CACHE_SHRINK_NUMBER : + AGE_EXTENT_CACHE_SHRINK_NUMBER; + unsigned int node_cnt = 0; + + if (!et || !atomic_read(&et->node_cnt)) + return 0; + + while (atomic_read(&et->node_cnt)) { + write_lock(&et->lock); + node_cnt += __free_extent_tree(sbi, et, nr_shrink); + write_unlock(&et->lock); + } + + f2fs_bug_on(sbi, atomic_read(&et->node_cnt)); + + return node_cnt; +} + static void __update_extent_tree_range(struct inode *inode, struct extent_info *tei, enum extent_type type) { @@ -718,9 +743,6 @@ static void __update_extent_tree_range(struct inode *inode, } } - if (is_inode_flag_set(inode, FI_NO_EXTENT)) - __free_extent_tree(sbi, et); - if (et->largest_updated) { et->largest_updated = false; updated = true; @@ -738,6 +760,9 @@ static void __update_extent_tree_range(struct inode *inode, out_read_extent_cache: write_unlock(&et->lock); + if (is_inode_flag_set(inode, FI_NO_EXTENT)) + __destroy_extent_node(inode, EX_READ); + if (updated) f2fs_mark_inode_dirty_sync(inode, true); } @@ -902,10 +927,14 @@ static unsigned int __shrink_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink list_for_each_entry_safe(et, next, &eti->zombie_list, list) { if (atomic_read(&et->node_cnt)) { write_lock(&et->lock); - node_cnt += __free_extent_tree(sbi, et); + node_cnt += __free_extent_tree(sbi, et, + nr_shrink - node_cnt - tree_cnt); write_unlock(&et->lock); } - f2fs_bug_on(sbi, atomic_read(&et->node_cnt)); + + if (atomic_read(&et->node_cnt)) + goto unlock_out; + list_del_init(&et->list); radix_tree_delete(&eti->extent_tree_root, et->ino); kmem_cache_free(extent_tree_slab, et); @@ -1044,23 +1073,6 @@ unsigned int f2fs_shrink_age_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink return __shrink_extent_tree(sbi, nr_shrink, EX_BLOCK_AGE); } -static unsigned int __destroy_extent_node(struct inode *inode, - enum extent_type type) -{ - struct f2fs_sb_info *sbi = F2FS_I_SB(inode); - struct extent_tree *et = F2FS_I(inode)->extent_tree[type]; - unsigned int node_cnt = 0; - - if (!et || !atomic_read(&et->node_cnt)) - return 0; - - write_lock(&et->lock); - node_cnt = __free_extent_tree(sbi, et); - write_unlock(&et->lock); - - return node_cnt; -} - void f2fs_destroy_extent_node(struct inode *inode) { __destroy_extent_node(inode, EX_READ); @@ -1069,7 +1081,6 @@ void f2fs_destroy_extent_node(struct inode *inode) static void __drop_extent_tree(struct inode *inode, enum extent_type type) { - struct f2fs_sb_info *sbi = F2FS_I_SB(inode); struct extent_tree *et = F2FS_I(inode)->extent_tree[type]; bool updated = false; @@ -1077,7 +1088,6 @@ static void __drop_extent_tree(struct inode *inode, enum extent_type type) return; write_lock(&et->lock); - __free_extent_tree(sbi, et); if (type == EX_READ) { set_inode_flag(inode, FI_NO_EXTENT); if (et->largest.len) { @@ -1086,6 +1096,9 @@ static void __drop_extent_tree(struct inode *inode, enum extent_type type) } } write_unlock(&et->lock); + + __destroy_extent_node(inode, type); + if (updated) f2fs_mark_inode_dirty_sync(inode, true); } -- 2.25.1

2 1

[PATCH OLK-6.6] Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet
by Tirui Yin 17 Jan '25

17 Jan '25

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> stable inclusion from stable-v6.6.66 commit 5e50d12cc6e95e1fde08f5db6992b616f714b0fb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANH CVE: CVE-2024-56590 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3fe288a8214e7dd784d1f9b7c9e448244d316b47 ] This fixes not checking if skb really contains an ACL header otherwise the code may attempt to access some uninitilized/invalid memory past the valid skb->data. Reported-by: syzbot+6ea290ba76d8c1eb1ac2(a)syzkaller.appspotmail.com Tested-by: syzbot+6ea290ba76d8c1eb1ac2(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6ea290ba76d8c1eb1ac2 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/bluetooth/hci_core.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index d4e607bf35ba..b04e70aa1a86 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3735,18 +3735,22 @@ static void hci_tx_work(struct work_struct *work) /* ACL data packet */ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) { - struct hci_acl_hdr *hdr = (void *) skb->data; + struct hci_acl_hdr *hdr; struct hci_conn *conn; __u16 handle, flags; - skb_pull(skb, HCI_ACL_HDR_SIZE); + hdr = skb_pull_data(skb, sizeof(*hdr)); + if (!hdr) { + bt_dev_err(hdev, "ACL packet too small"); + goto drop; + } handle = __le16_to_cpu(hdr->handle); flags = hci_flags(handle); handle = hci_handle(handle); - BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len, - handle, flags); + bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len, + handle, flags); hdev->stat.acl_rx++; @@ -3767,6 +3771,7 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) handle); } +drop: kfree_skb(skb); } -- 2.22.0

2 1