From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
mainline inclusion
from mainline-v6.11-rc7
commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L
CVE: CVE-2024-46738
Reference: https://lore.kernel.org/lkml/20240828154338.754746-1-david.fernandez.gonzal…
--------------------------------
When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.
It is possible though to create two resources with different types
but same handle (same context and resource fields).
When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.
BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0
This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
Cc: stable(a)vger.kernel.org
Reported-by: George Kennedy <george.kennedy(a)oracle.com>
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c
index 692daa9eff34..19c9d2cdd277 100644
--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_resource *resource)
spin_lock(&vmci_resource_table.lock);
hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
- if (vmci_handle_is_equal(r->handle, resource->handle)) {
+ if (vmci_handle_is_equal(r->handle, resource->handle) &&
+ resource->type == r->type) {
hlist_del_init_rcu(&r->node);
break;
}
--
2.34.1
From: Stephen Hemminger <stephen(a)networkplumber.org>
stable inclusion
from stable-v5.10.226
commit 98c75d76187944296068d685dfd8a1e9fd8c4fdc
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX29
CVE: CVE-2024-46800
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3b3a2a9c6349e25a025d2330f479bc33a6ccb54a upstream.
If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")
Commands to trigger KASAN UaF:
ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF
Fixes: 50612537e9ab ("netem: fix classful handling")
Reported-by: Budimir Markovic <markovicbudimir(a)gmail.com>
Signed-off-by: Stephen Hemminger <stephen(a)networkplumber.org>
Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Wang Liang <wangliang74(a)huawei.com>
---
net/sched/sch_netem.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index b72b308fe406..8321ab36357c 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -722,11 +722,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
err = qdisc_enqueue(skb, q->qdisc, &to_free);
kfree_skb_list(to_free);
- if (err != NET_XMIT_SUCCESS &&
- net_xmit_drop_count(err)) {
- qdisc_qstats_drop(sch);
- qdisc_tree_reduce_backlog(sch, 1,
- pkt_len);
+ if (err != NET_XMIT_SUCCESS) {
+ if (net_xmit_drop_count(err))
+ qdisc_qstats_drop(sch);
+ qdisc_tree_reduce_backlog(sch, 1, pkt_len);
}
goto tfifo_dequeue;
}
--
2.34.1
From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
mainline inclusion
from mainline-v6.11-rc7
commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L
CVE: CVE-2024-46738
Reference: https://lore.kernel.org/lkml/20240828154338.754746-1-david.fernandez.gonzal…
--------------------------------
When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.
It is possible though to create two resources with different types
but same handle (same context and resource fields).
When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.
BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0
This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
Cc: stable(a)vger.kernel.org
Reported-by: George Kennedy <george.kennedy(a)oracle.com>
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c
index 692daa9eff34..19c9d2cdd277 100644
--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_resource *resource)
spin_lock(&vmci_resource_table.lock);
hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
- if (vmci_handle_is_equal(r->handle, resource->handle)) {
+ if (vmci_handle_is_equal(r->handle, resource->handle) &&
+ resource->type == r->type) {
hlist_del_init_rcu(&r->node);
break;
}
--
2.34.1
From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
mainline inclusion
from mainline-v6.11-rc7
commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L
CVE: CVE-2024-46738
Reference: https://lore.kernel.org/lkml/20240828154338.754746-1-david.fernandez.gonzal…
--------------------------------
When removing a resource from vmci_resource_table in
vmci_resource_remove(), the search is performed using the resource
handle by comparing context and resource fields.
It is possible though to create two resources with different types
but same handle (same context and resource fields).
When trying to remove one of the resources, vmci_resource_remove()
may not remove the intended one, but the object will still be freed
as in the case of the datagram type in vmci_datagram_destroy_handle().
vmci_resource_table will still hold a pointer to this freed resource
leading to a use-after-free vulnerability.
BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
__kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
kasan_report+0x38/0x51 mm/kasan/report.c:442
vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
kref_put include/linux/kref.h:65 [inline]
vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
__fput+0x261/0xa34 fs/file_table.c:282
task_work_run+0xf0/0x194 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
__syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x6e/0x0
This change ensures the type is also checked when removing
the resource from vmci_resource_table in vmci_resource_remove().
Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
Cc: stable(a)vger.kernel.org
Reported-by: George Kennedy <george.kennedy(a)oracle.com>
Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com>
Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c
index 692daa9eff34..19c9d2cdd277 100644
--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_resource *resource)
spin_lock(&vmci_resource_table.lock);
hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
- if (vmci_handle_is_equal(r->handle, resource->handle)) {
+ if (vmci_handle_is_equal(r->handle, resource->handle) &&
+ resource->type == r->type) {
hlist_del_init_rcu(&r->node);
break;
}
--
2.34.1
From: Stephen Hemminger <stephen(a)networkplumber.org>
stable inclusion
from stable-v4.19.322
commit f0bddb4de043399f16d1969dad5ee5b984a64e7b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARX29
CVE: CVE-2024-46800
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3b3a2a9c6349e25a025d2330f479bc33a6ccb54a upstream.
If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")
Commands to trigger KASAN UaF:
ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF
Fixes: 50612537e9ab ("netem: fix classful handling")
Reported-by: Budimir Markovic <markovicbudimir(a)gmail.com>
Signed-off-by: Stephen Hemminger <stephen(a)networkplumber.org>
Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Wang Liang <wangliang74(a)huawei.com>
---
net/sched/sch_netem.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 95832934e965..8e33bcd69edd 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -697,11 +697,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
err = qdisc_enqueue(skb, q->qdisc, &to_free);
kfree_skb_list(to_free);
- if (err != NET_XMIT_SUCCESS &&
- net_xmit_drop_count(err)) {
- qdisc_qstats_drop(sch);
- qdisc_tree_reduce_backlog(sch, 1,
- pkt_len);
+ if (err != NET_XMIT_SUCCESS) {
+ if (net_xmit_drop_count(err))
+ qdisc_qstats_drop(sch);
+ qdisc_tree_reduce_backlog(sch, 1, pkt_len);
}
goto tfifo_dequeue;
}
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: d25e57f47750555950b12145f98d5168319e6712
commit: 3ce4cb81ef2b148f6c830c7debb4405e26cded1c [13560/14103] drivers/crypto/ccp: support TKM run on CSV
config: x86_64-buildonly-randconfig-006-20240925 (https://download.01.org/0day-ci/archive/20240925/202409250819.8xNdiVIP-lkp@…)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240925/202409250819.8xNdiVIP-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409250819.8xNdiVIP-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from arch/x86/kvm/svm/svm.c:25:
>> include/linux/psp-hygon.h:257:1: error: conflicting types for 'vpsp_try_do_cmd'
257 | vpsp_try_do_cmd(int cmd, phys_addr_t phy_addr,
| ^
include/linux/psp-hygon.h:253:1: note: previous definition is here
253 | vpsp_try_do_cmd(uint32_t vid, int cmd,
| ^
include/linux/psp-hygon.h:285:5: warning: no previous prototype for function 'psp_register_cmd_notifier' [-Wmissing-prototypes]
285 | int psp_register_cmd_notifier(uint32_t cmd_id, p2c_notifier_t notifier) { return -ENODEV; }
| ^
include/linux/psp-hygon.h:285:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
285 | int psp_register_cmd_notifier(uint32_t cmd_id, p2c_notifier_t notifier) { return -ENODEV; }
| ^
| static
include/linux/psp-hygon.h:286:5: warning: no previous prototype for function 'psp_unregister_cmd_notifier' [-Wmissing-prototypes]
286 | int psp_unregister_cmd_notifier(uint32_t cmd_id, p2c_notifier_t notifier) { return -ENODEV; }
| ^
include/linux/psp-hygon.h:286:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
286 | int psp_unregister_cmd_notifier(uint32_t cmd_id, p2c_notifier_t notifier) { return -ENODEV; }
| ^
| static
2 warnings and 1 error generated.
vim +/vpsp_try_do_cmd +257 include/linux/psp-hygon.h
247
248 static inline int
249 vpsp_try_get_result(uint8_t prio,
250 uint32_t index, phys_addr_t phy_addr, struct vpsp_ret *psp_ret) { return -ENODEV; }
251
252 static inline int
253 vpsp_try_do_cmd(uint32_t vid, int cmd,
254 void *data, struct vpsp_ret *psp_ret) { return -ENODEV; }
255
256 static inline int
> 257 vpsp_try_do_cmd(int cmd, phys_addr_t phy_addr,
258 struct vpsp_ret *psp_ret) { return -ENODEV; }
259
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: d25e57f47750555950b12145f98d5168319e6712
commit: 3ce4cb81ef2b148f6c830c7debb4405e26cded1c [13560/14103] drivers/crypto/ccp: support TKM run on CSV
config: x86_64-rhel-8.3 (https://download.01.org/0day-ci/archive/20240925/202409250631.b3SgU0xM-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240925/202409250631.b3SgU0xM-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409250631.b3SgU0xM-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/crypto/ccp/hygon/vpsp.c:91: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
* Copy the guest data to the host kernel buffer
>> drivers/crypto/ccp/hygon/vpsp.c:294: warning: Cannot understand * @brief Directly convert the gpa address into hpa and forward it to PSP,
on line 294 - I thought it was a doc line
>> drivers/crypto/ccp/hygon/vpsp.c:381: warning: Cannot understand * @brief copy data in gpa to host memory and send it to psp for processing.
on line 381 - I thought it was a doc line
vim +91 drivers/crypto/ccp/hygon/vpsp.c
89
90 /**
> 91 * Copy the guest data to the host kernel buffer
92 * and record the host buffer address in 'hbuf'.
93 * This 'hbuf' is used to restore context information
94 * during asynchronous processing.
95 */
96 static int kvm_pv_psp_cmd_pre_op(struct kvm_vpsp *vpsp, gpa_t data_gpa,
97 struct vpsp_hbuf_wrapper *hbuf)
98 {
99 int ret = 0;
100 void *data = NULL;
101 struct psp_cmdresp_head psp_head;
102 uint32_t data_size;
103
104 if (unlikely(vpsp->read_guest(vpsp->kvm, data_gpa, &psp_head,
105 sizeof(struct psp_cmdresp_head))))
106 return -EFAULT;
107
108 data_size = psp_head.buf_size;
109 if (check_psp_mem_range(NULL, data_gpa, data_size))
110 return -EFAULT;
111
112 data = kzalloc(data_size, GFP_KERNEL);
113 if (!data)
114 return -ENOMEM;
115
116 if (unlikely(vpsp->read_guest(vpsp->kvm, data_gpa, data, data_size))) {
117 ret = -EFAULT;
118 goto end;
119 }
120
121 hbuf->data = data;
122 hbuf->data_size = data_size;
123
124 end:
125 return ret;
126 }
127
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: d25e57f47750555950b12145f98d5168319e6712
commit: 0195654dac59fc8953825bf947cd62040cc0c040 [13559/14103] drivers/crypto/ccp: remove multi-level pointers processing for vpsp
config: x86_64-rhel-8.3 (https://download.01.org/0day-ci/archive/20240925/202409250431.vVzeCQ88-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240925/202409250431.vVzeCQ88-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409250431.vVzeCQ88-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/crypto/ccp/hygon/csv-dev.c:942:5: warning: no previous prototype for '__vpsp_do_cmd_locked' [-Wmissing-prototypes]
942 | int __vpsp_do_cmd_locked(uint32_t vid, int cmd, void *data, int *psp_ret)
| ^~~~~~~~~~~~~~~~~~~~
>> drivers/crypto/ccp/hygon/csv-dev.c:1009:5: warning: no previous prototype for 'vpsp_do_cmd' [-Wmissing-prototypes]
1009 | int vpsp_do_cmd(uint32_t vid, int cmd, void *data, int *psp_ret)
| ^~~~~~~~~~~
vim +/vpsp_do_cmd +1009 drivers/crypto/ccp/hygon/csv-dev.c
1008
> 1009 int vpsp_do_cmd(uint32_t vid, int cmd, void *data, int *psp_ret)
1010 {
1011 int rc;
1012 int mutex_enabled = READ_ONCE(hygon_psp_hooks.psp_mutex_enabled);
1013
1014 if (is_vendor_hygon() && mutex_enabled) {
1015 if (psp_mutex_lock_timeout(&hygon_psp_hooks.psp_misc->data_pg_aligned->mb_mutex,
1016 PSP_MUTEX_TIMEOUT) != 1) {
1017 return -EBUSY;
1018 }
1019 } else {
1020 mutex_lock(hygon_psp_hooks.sev_cmd_mutex);
1021 }
1022
1023 rc = __vpsp_do_cmd_locked(vid, cmd, data, psp_ret);
1024
1025 if (is_vendor_hygon() && mutex_enabled)
1026 psp_mutex_unlock(&hygon_psp_hooks.psp_misc->data_pg_aligned->mb_mutex);
1027 else
1028 mutex_unlock(hygon_psp_hooks.sev_cmd_mutex);
1029
1030 return rc;
1031 }
1032
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: d25e57f47750555950b12145f98d5168319e6712
commit: 0195654dac59fc8953825bf947cd62040cc0c040 [13559/14103] drivers/crypto/ccp: remove multi-level pointers processing for vpsp
config: x86_64-rhel-8.3-rust (https://download.01.org/0day-ci/archive/20240925/202409250445.Ywn782u5-lkp@…)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240925/202409250445.Ywn782u5-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409250445.Ywn782u5-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/crypto/ccp/hygon/csv-dev.c:942:5: warning: no previous prototype for function '__vpsp_do_cmd_locked' [-Wmissing-prototypes]
942 | int __vpsp_do_cmd_locked(uint32_t vid, int cmd, void *data, int *psp_ret)
| ^
drivers/crypto/ccp/hygon/csv-dev.c:942:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
942 | int __vpsp_do_cmd_locked(uint32_t vid, int cmd, void *data, int *psp_ret)
| ^
| static
>> drivers/crypto/ccp/hygon/csv-dev.c:1009:5: warning: no previous prototype for function 'vpsp_do_cmd' [-Wmissing-prototypes]
1009 | int vpsp_do_cmd(uint32_t vid, int cmd, void *data, int *psp_ret)
| ^
drivers/crypto/ccp/hygon/csv-dev.c:1009:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1009 | int vpsp_do_cmd(uint32_t vid, int cmd, void *data, int *psp_ret)
| ^
| static
2 warnings generated.
vim +/vpsp_do_cmd +1009 drivers/crypto/ccp/hygon/csv-dev.c
1008
> 1009 int vpsp_do_cmd(uint32_t vid, int cmd, void *data, int *psp_ret)
1010 {
1011 int rc;
1012 int mutex_enabled = READ_ONCE(hygon_psp_hooks.psp_mutex_enabled);
1013
1014 if (is_vendor_hygon() && mutex_enabled) {
1015 if (psp_mutex_lock_timeout(&hygon_psp_hooks.psp_misc->data_pg_aligned->mb_mutex,
1016 PSP_MUTEX_TIMEOUT) != 1) {
1017 return -EBUSY;
1018 }
1019 } else {
1020 mutex_lock(hygon_psp_hooks.sev_cmd_mutex);
1021 }
1022
1023 rc = __vpsp_do_cmd_locked(vid, cmd, data, psp_ret);
1024
1025 if (is_vendor_hygon() && mutex_enabled)
1026 psp_mutex_unlock(&hygon_psp_hooks.psp_misc->data_pg_aligned->mb_mutex);
1027 else
1028 mutex_unlock(hygon_psp_hooks.sev_cmd_mutex);
1029
1030 return rc;
1031 }
1032
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki