- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] f2fs: fix to shrink read extent node in batches
by Yi Yang 17 Jan '25

17 Jan '25

From: Chao Yu <chao(a)kernel.org> stable inclusion from stable-v6.6.66 commit 295b50e95e900da31ff237e46e04525fa799b2cf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBHYTM CVE: CVE-2024-41935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 ] We use rwlock to protect core structure data of extent tree during its shrink, however, if there is a huge number of extent nodes in extent tree, during shrink of extent tree, it may hold rwlock for a very long time, which may trigger kernel hang issue. This patch fixes to shrink read extent node in batches, so that, critical region of the rwlock can be shrunk to avoid its extreme long time hold. Reported-by: Xiuhong Wang <xiuhong.wang(a)unisoc.com> Closes: https://lore.kernel.org/linux-f2fs-devel/20241112110627.1314632-1-xiuhong.w… Signed-off-by: Xiuhong Wang <xiuhong.wang(a)unisoc.com> Signed-off-by: Zhiguo Niu <zhiguo.niu(a)unisoc.com> Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- fs/f2fs/extent_cache.c | 69 +++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 28 deletions(-) diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c index d6fb053b6dfb..bfa2d89dc9ea 100644 --- a/fs/f2fs/extent_cache.c +++ b/fs/f2fs/extent_cache.c @@ -347,21 +347,22 @@ static struct extent_tree *__grab_extent_tree(struct inode *inode, } static unsigned int __free_extent_tree(struct f2fs_sb_info *sbi, - struct extent_tree *et) + struct extent_tree *et, unsigned int nr_shrink) { struct rb_node *node, *next; struct extent_node *en; - unsigned int count = atomic_read(&et->node_cnt); + unsigned int count; node = rb_first_cached(&et->root); - while (node) { + + for (count = 0; node && count < nr_shrink; count++) { next = rb_next(node); en = rb_entry(node, struct extent_node, rb_node); __release_extent_node(sbi, et, en); node = next; } - return count - atomic_read(&et->node_cnt); + return count; } static void __drop_largest_extent(struct extent_tree *et, @@ -580,6 +581,30 @@ static struct extent_node *__insert_extent_tree(struct f2fs_sb_info *sbi, return en; } +static unsigned int __destroy_extent_node(struct inode *inode, + enum extent_type type) +{ + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct extent_tree *et = F2FS_I(inode)->extent_tree[type]; + unsigned int nr_shrink = type == EX_READ ? + READ_EXTENT_CACHE_SHRINK_NUMBER : + AGE_EXTENT_CACHE_SHRINK_NUMBER; + unsigned int node_cnt = 0; + + if (!et || !atomic_read(&et->node_cnt)) + return 0; + + while (atomic_read(&et->node_cnt)) { + write_lock(&et->lock); + node_cnt += __free_extent_tree(sbi, et, nr_shrink); + write_unlock(&et->lock); + } + + f2fs_bug_on(sbi, atomic_read(&et->node_cnt)); + + return node_cnt; +} + static void __update_extent_tree_range(struct inode *inode, struct extent_info *tei, enum extent_type type) { @@ -718,9 +743,6 @@ static void __update_extent_tree_range(struct inode *inode, } } - if (is_inode_flag_set(inode, FI_NO_EXTENT)) - __free_extent_tree(sbi, et); - if (et->largest_updated) { et->largest_updated = false; updated = true; @@ -738,6 +760,9 @@ static void __update_extent_tree_range(struct inode *inode, out_read_extent_cache: write_unlock(&et->lock); + if (is_inode_flag_set(inode, FI_NO_EXTENT)) + __destroy_extent_node(inode, EX_READ); + if (updated) f2fs_mark_inode_dirty_sync(inode, true); } @@ -902,10 +927,14 @@ static unsigned int __shrink_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink list_for_each_entry_safe(et, next, &eti->zombie_list, list) { if (atomic_read(&et->node_cnt)) { write_lock(&et->lock); - node_cnt += __free_extent_tree(sbi, et); + node_cnt += __free_extent_tree(sbi, et, + nr_shrink - node_cnt - tree_cnt); write_unlock(&et->lock); } - f2fs_bug_on(sbi, atomic_read(&et->node_cnt)); + + if (atomic_read(&et->node_cnt)) + goto unlock_out; + list_del_init(&et->list); radix_tree_delete(&eti->extent_tree_root, et->ino); kmem_cache_free(extent_tree_slab, et); @@ -1044,23 +1073,6 @@ unsigned int f2fs_shrink_age_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink return __shrink_extent_tree(sbi, nr_shrink, EX_BLOCK_AGE); } -static unsigned int __destroy_extent_node(struct inode *inode, - enum extent_type type) -{ - struct f2fs_sb_info *sbi = F2FS_I_SB(inode); - struct extent_tree *et = F2FS_I(inode)->extent_tree[type]; - unsigned int node_cnt = 0; - - if (!et || !atomic_read(&et->node_cnt)) - return 0; - - write_lock(&et->lock); - node_cnt = __free_extent_tree(sbi, et); - write_unlock(&et->lock); - - return node_cnt; -} - void f2fs_destroy_extent_node(struct inode *inode) { __destroy_extent_node(inode, EX_READ); @@ -1069,7 +1081,6 @@ void f2fs_destroy_extent_node(struct inode *inode) static void __drop_extent_tree(struct inode *inode, enum extent_type type) { - struct f2fs_sb_info *sbi = F2FS_I_SB(inode); struct extent_tree *et = F2FS_I(inode)->extent_tree[type]; bool updated = false; @@ -1077,7 +1088,6 @@ static void __drop_extent_tree(struct inode *inode, enum extent_type type) return; write_lock(&et->lock); - __free_extent_tree(sbi, et); if (type == EX_READ) { set_inode_flag(inode, FI_NO_EXTENT); if (et->largest.len) { @@ -1086,6 +1096,9 @@ static void __drop_extent_tree(struct inode *inode, enum extent_type type) } } write_unlock(&et->lock); + + __destroy_extent_node(inode, type); + if (updated) f2fs_mark_inode_dirty_sync(inode, true); } -- 2.25.1

2 1

[PATCH OLK-6.6] Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet
by Tirui Yin 17 Jan '25

17 Jan '25

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> stable inclusion from stable-v6.6.66 commit 5e50d12cc6e95e1fde08f5db6992b616f714b0fb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANH CVE: CVE-2024-56590 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3fe288a8214e7dd784d1f9b7c9e448244d316b47 ] This fixes not checking if skb really contains an ACL header otherwise the code may attempt to access some uninitilized/invalid memory past the valid skb->data. Reported-by: syzbot+6ea290ba76d8c1eb1ac2(a)syzkaller.appspotmail.com Tested-by: syzbot+6ea290ba76d8c1eb1ac2(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6ea290ba76d8c1eb1ac2 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/bluetooth/hci_core.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index d4e607bf35ba..b04e70aa1a86 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3735,18 +3735,22 @@ static void hci_tx_work(struct work_struct *work) /* ACL data packet */ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) { - struct hci_acl_hdr *hdr = (void *) skb->data; + struct hci_acl_hdr *hdr; struct hci_conn *conn; __u16 handle, flags; - skb_pull(skb, HCI_ACL_HDR_SIZE); + hdr = skb_pull_data(skb, sizeof(*hdr)); + if (!hdr) { + bt_dev_err(hdev, "ACL packet too small"); + goto drop; + } handle = __le16_to_cpu(hdr->handle); flags = hci_flags(handle); handle = hci_handle(handle); - BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len, - handle, flags); + bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len, + handle, flags); hdev->stat.acl_rx++; @@ -3767,6 +3771,7 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) handle); } +drop: kfree_skb(skb); } -- 2.22.0

2 1

[PATCH OLK-5.10] um: Fix potential integer overflow during physmem setup
by Tirui Yin 17 Jan '25

17 Jan '25

From: Tiwei Bie <tiwei.btw(a)antgroup.com> stable inclusion from stable-v5.10.231 commit e6102b72edc4eb8c0858df00ba74b5ce579c8fa2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGO CVE: CVE-2024-53145 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a98b7761f697e590ed5d610d87fa12be66f23419 ] This issue happens when the real map size is greater than LONG_MAX, which can be easily triggered on UML/i386. Fixes: fe205bdd1321 ("um: Print minimum physical memory requirement") Signed-off-by: Tiwei Bie <tiwei.btw(a)antgroup.com> Link: https://patch.msgid.link/20240916045950.508910-3-tiwei.btw@antgroup.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> --- arch/um/kernel/physmem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/um/kernel/physmem.c b/arch/um/kernel/physmem.c index e7c7b53a1435..87b51089b061 100644 --- a/arch/um/kernel/physmem.c +++ b/arch/um/kernel/physmem.c @@ -80,10 +80,10 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, unsigned long len, unsigned long long highmem) { unsigned long reserve = reserve_end - start; - long map_size = len - reserve; + unsigned long map_size = len - reserve; int err; - if(map_size <= 0) { + if (len <= reserve) { os_warn("Too few physical memory! Needed=%lu, given=%lu\n", reserve, len); exit(1); @@ -94,7 +94,7 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, err = os_map_memory((void *) reserve_end, physmem_fd, reserve, map_size, 1, 1, 1); if (err < 0) { - os_warn("setup_physmem - mapping %ld bytes of memory at 0x%p " + os_warn("setup_physmem - mapping %lu bytes of memory at 0x%p " "failed - errno = %d\n", map_size, (void *) reserve_end, err); exit(1); -- 2.22.0

2 1

[PATCH OLK-6.6] um: Fix potential integer overflow during physmem setup
by Tirui Yin 17 Jan '25

17 Jan '25

From: Tiwei Bie <tiwei.btw(a)antgroup.com> stable inclusion from stable-v6.6.64 commit a875c023155ea92b75d6323977003e64d92ae7fc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGO CVE: CVE-2024-53145 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a98b7761f697e590ed5d610d87fa12be66f23419 ] This issue happens when the real map size is greater than LONG_MAX, which can be easily triggered on UML/i386. Fixes: fe205bdd1321 ("um: Print minimum physical memory requirement") Signed-off-by: Tiwei Bie <tiwei.btw(a)antgroup.com> Link: https://patch.msgid.link/20240916045950.508910-3-tiwei.btw@antgroup.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: yongqiang Liu <liuyongqiang13(a)huawei.com> --- arch/um/kernel/physmem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/um/kernel/physmem.c b/arch/um/kernel/physmem.c index 91485119ae67..4339580f5a4f 100644 --- a/arch/um/kernel/physmem.c +++ b/arch/um/kernel/physmem.c @@ -80,10 +80,10 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, unsigned long len, unsigned long long highmem) { unsigned long reserve = reserve_end - start; - long map_size = len - reserve; + unsigned long map_size = len - reserve; int err; - if(map_size <= 0) { + if (len <= reserve) { os_warn("Too few physical memory! Needed=%lu, given=%lu\n", reserve, len); exit(1); @@ -94,7 +94,7 @@ void __init setup_physmem(unsigned long start, unsigned long reserve_end, err = os_map_memory((void *) reserve_end, physmem_fd, reserve, map_size, 1, 1, 1); if (err < 0) { - os_warn("setup_physmem - mapping %ld bytes of memory at 0x%p " + os_warn("setup_physmem - mapping %lu bytes of memory at 0x%p " "failed - errno = %d\n", map_size, (void *) reserve_end, err); exit(1); -- 2.22.0

2 1

[PATCH OLK-6.6] net: renesas: rswitch: avoid use-after-put for a device tree node
by Bowen You 17 Jan '25

17 Jan '25

From: Nikita Yushchenko <nikita.yoush(a)cogentembedded.com> stable inclusion from stable-v6.6.67 commit bf8c6755f02029d1eddc3ff19b870240f054afc7 category: bugfix bugzilla: 190470 CVE: CVE-2024-55639 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 66b7e9f85b8459c823b11e9af69dbf4be5eb6be8 ] The device tree node saved in the rswitch_device structure is used at several driver locations. So passing this node to of_node_put() after the first use is wrong. Move of_node_put() for this node to exit paths. Fixes: b46f1e579329 ("net: renesas: rswitch: Simplify struct phy * handling") Signed-off-by: Nikita Yushchenko <nikita.yoush(a)cogentembedded.com> Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Link: https://patch.msgid.link/20241208095004.69468-5-nikita.yoush@cogentembedded… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- drivers/net/ethernet/renesas/rswitch.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c index ae9d8722b76f..5e3c0e24a1bc 100644 --- a/drivers/net/ethernet/renesas/rswitch.c +++ b/drivers/net/ethernet/renesas/rswitch.c @@ -1741,7 +1741,6 @@ static int rswitch_device_alloc(struct rswitch_private *priv, int index) rdev->np_port = rswitch_get_port_node(rdev); rdev->disabled = !rdev->np_port; err = of_get_ethdev_address(rdev->np_port, ndev); - of_node_put(rdev->np_port); if (err) { if (is_valid_ether_addr(rdev->etha->mac_addr)) eth_hw_addr_set(ndev, rdev->etha->mac_addr); @@ -1771,6 +1770,7 @@ static int rswitch_device_alloc(struct rswitch_private *priv, int index) out_rxdmac: out_get_params: + of_node_put(rdev->np_port); netif_napi_del(&rdev->napi); free_netdev(ndev); @@ -1784,6 +1784,7 @@ static void rswitch_device_free(struct rswitch_private *priv, int index) rswitch_txdmac_free(ndev); rswitch_rxdmac_free(ndev); + of_node_put(rdev->np_port); netif_napi_del(&rdev->napi); free_netdev(ndev); } -- 2.34.1

2 1

[openeuler:OLK-5.10] BUILD SUCCESS WITH WARNING 08e54ea5e4a4948874ca30d91be3e5cca4ecbeec
by kernel test robot 17 Jan '25

17 Jan '25

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10 branch HEAD: 08e54ea5e4a4948874ca30d91be3e5cca4ecbeec !14862 drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check Warning (recently discovered and may have been fixed): https://lore.kernel.org/oe-kbuild-all/202501170155.aI4YWysc-lkp@intel.com include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] Warning ids grouped by kconfigs: recent_errors |-- arm64-randconfig-001-20250117 | `-- crypto-af_alg.c:warning:Function-parameter-or-member-min-not-described-in-af_alg_wait_for_data |-- arm64-randconfig-004-20250117 | |-- fs-cachefiles-rdwr.c:warning:no-previous-prototype-for-cachefiles_readpages_work_func | |-- fs-cachefiles-xattr.c:warning:no-previous-prototype-for-cachefiles_check_old_object_xattr | |-- fs-fscache-main.c:warning:fscache_min_object_max_active-defined-but-not-used | `-- fs-fscache-main.c:warning:fscache_min_op_max_active-defined-but-not-used |-- arm64-randconfig-054-20250117 | `-- from-schema-id:http:devicetree.org-meta-schemas-base.yaml-Documentation-devicetree-bindings-net-ti-k3-am654-cpsw-nuss.yaml:properties:compatible:oneOf:const:ti-am654-cpsw-nuss-const:ti-j721e-cpsw-nuss |-- x86_64-allnoconfig | |-- include-linux-backing-dev.h:warning:declaration-of-struct-cgroup_subsys-will-not-be-visible-outside-of-this-function | `-- samples-bpf-hbm.c:bpf-bpf.h-is-included-more-than-once. |-- x86_64-allyesconfig | |-- crypto-af_alg.c:warning:Function-parameter-or-member-min-not-described-in-af_alg_wait_for_data | |-- fs-cachefiles-rdwr.c:warning:no-previous-prototype-for-function-cachefiles_readpages_work_func | `-- fs-cachefiles-xattr.c:warning:no-previous-prototype-for-function-cachefiles_check_old_object_xattr |-- x86_64-buildonly-randconfig-001-20250117 | |-- block-genhd.c:warning:d-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and | |-- block-genhd.c:warning:snprintf-output-may-be-truncated-before-the-last-format-character | |-- fs-cachefiles-rdwr.c:warning:no-previous-prototype-for-cachefiles_readpages_work_func | |-- fs-cachefiles-xattr.c:warning:no-previous-prototype-for-cachefiles_check_old_object_xattr | |-- fs-fscache-main.c:warning:fscache_min_object_max_active-defined-but-not-used | `-- fs-fscache-main.c:warning:fscache_min_op_max_active-defined-but-not-used |-- x86_64-buildonly-randconfig-002-20250117 | |-- block-genhd.c:warning:d-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and | |-- block-genhd.c:warning:snprintf-output-may-be-truncated-before-the-last-format-character | |-- fs-cachefiles-rdwr.c:warning:no-previous-prototype-for-cachefiles_readpages_work_func | |-- fs-cachefiles-xattr.c:warning:no-previous-prototype-for-cachefiles_check_old_object_xattr | |-- fs-fscache-main.c:warning:fscache_min_object_max_active-defined-but-not-used | `-- fs-fscache-main.c:warning:fscache_min_op_max_active-defined-but-not-used |-- x86_64-buildonly-randconfig-003-20250117 | |-- crypto-af_alg.c:warning:Function-parameter-or-member-min-not-described-in-af_alg_wait_for_data | |-- fs-fscache-main.c:warning:fscache_min_object_max_active-defined-but-not-used | `-- fs-fscache-main.c:warning:fscache_min_op_max_active-defined-but-not-used |-- x86_64-buildonly-randconfig-004-20250117 | `-- crypto-af_alg.c:warning:Function-parameter-or-member-min-not-described-in-af_alg_wait_for_data `-- x86_64-buildonly-randconfig-005-20250117 |-- block-genhd.c:warning:d-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and |-- block-genhd.c:warning:snprintf-output-may-be-truncated-before-the-last-format-character |-- crypto-af_alg.c:warning:Function-parameter-or-member-min-not-described-in-af_alg_wait_for_data |-- fs-cachefiles-ondemand.c:warning:implicit-conversion-from-enum-cachefiles_obj_ref_trace-to-enum-fscache_obj_ref_trace |-- fs-cachefiles-rdwr.c:warning:no-previous-prototype-for-cachefiles_readpages_work_func `-- fs-cachefiles-xattr.c:warning:no-previous-prototype-for-cachefiles_check_old_object_xattr elapsed time: 731m configs tested: 15 configs skipped: 102 tested configs: arm64 allmodconfig clang-18 arm64 allnoconfig gcc-14.2.0 arm64 randconfig-001-20250117 gcc-14.2.0 arm64 randconfig-002-20250117 clang-18 arm64 randconfig-003-20250117 clang-20 arm64 randconfig-004-20250117 gcc-14.2.0 x86_64 allnoconfig clang-19 x86_64 allyesconfig clang-19 x86_64 buildonly-randconfig-001-20250117 gcc-12 x86_64 buildonly-randconfig-002-20250117 gcc-12 x86_64 buildonly-randconfig-003-20250117 gcc-12 x86_64 buildonly-randconfig-004-20250117 gcc-12 x86_64 buildonly-randconfig-005-20250117 gcc-12 x86_64 buildonly-randconfig-006-20250117 clang-19 x86_64 defconfig gcc-11 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 2707/2707] include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function
by kernel test robot 17 Jan '25

17 Jan '25

Hi wangyigen, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 08e54ea5e4a4948874ca30d91be3e5cca4ecbeec commit: 13e5c52d7cec7621f78bce452b78785e689ed0b2 [2707/2707] cgroup_writeback: bind blkcg and memcg config: x86_64-allnoconfig (https://download.01.org/0day-ci/archive/20250117/202501170155.aI4YWysc-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250117/202501170155.aI4YWysc-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202501170155.aI4YWysc-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from mm/filemap.c:15: In file included from include/linux/dax.h:6: In file included from include/linux/mm.h:1581: include/linux/vmstat.h:431:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 431 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from mm/filemap.c:32: >> include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] 418 | static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, | ^ mm/filemap.c:823:14: warning: no previous prototype for function '__add_to_page_cache_locked' [-Wmissing-prototypes] 823 | noinline int __add_to_page_cache_locked(struct page *page, | ^ mm/filemap.c:823:10: note: declare 'static' if the function is not intended to be used outside of this translation unit 823 | noinline int __add_to_page_cache_locked(struct page *page, | ^ | static 3 warnings generated. -- In file included from mm/fadvise.c:14: In file included from include/linux/mm.h:1581: include/linux/vmstat.h:431:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 431 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from mm/fadvise.c:16: >> include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] 418 | static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, | ^ 2 warnings generated. -- In file included from mm/page-writeback.c:19: In file included from include/linux/mm.h:1581: include/linux/vmstat.h:431:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 431 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from mm/page-writeback.c:25: >> include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] 418 | static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, | ^ In file included from mm/page-writeback.c:40: include/linux/mm_inline.h:34:41: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 34 | __mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~ ^ ~~~ include/linux/mm_inline.h:36:22: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 36 | NR_ZONE_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~~~~~~ ^ ~~~ 4 warnings generated. -- In file included from mm/swap.c:17: In file included from include/linux/mm.h:1581: include/linux/vmstat.h:431:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 431 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from mm/swap.c:26: include/linux/mm_inline.h:34:41: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 34 | __mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~ ^ ~~~ include/linux/mm_inline.h:36:22: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 36 | NR_ZONE_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~~~~~~ ^ ~~~ In file included from mm/swap.c:32: >> include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] 418 | static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, | ^ 4 warnings generated. -- In file included from mm/vmscan.c:17: In file included from include/linux/mm.h:1581: include/linux/vmstat.h:431:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 431 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from mm/vmscan.c:33: include/linux/mm_inline.h:34:41: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 34 | __mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~ ^ ~~~ include/linux/mm_inline.h:36:22: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 36 | NR_ZONE_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~~~~~~ ^ ~~~ In file included from mm/vmscan.c:34: >> include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] 418 | static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, | ^ mm/vmscan.c:569:51: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 569 | size += zone_page_state(zone, NR_ZONE_LRU_BASE + lru); | ~~~~~~~~~~~~~~~~ ^ ~~~ mm/vmscan.c:1936:4: warning: arithmetic between different enumeration types ('enum vm_event_item' and 'enum zone_type') [-Wenum-enum-conversion] 1936 | __count_zid_vm_events(PGSCAN_SKIP, zid, nr_skipped[zid]); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:135:34: note: expanded from macro '__count_zid_vm_events' 135 | __count_vm_events(item##_NORMAL - ZONE_NORMAL + zid, delta) | ~~~~~~~~~~~~~ ^ ~~~~~~~~~~~ mm/vmscan.c:2430:51: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 2430 | inactive = lruvec_page_state(lruvec, NR_LRU_BASE + inactive_lru); | ~~~~~~~~~~~ ^ ~~~~~~~~~~~~ mm/vmscan.c:2431:49: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 2431 | active = lruvec_page_state(lruvec, NR_LRU_BASE + active_lru); | ~~~~~~~~~~~ ^ ~~~~~~~~~~ mm/vmscan.c:3263:3: warning: arithmetic between different enumeration types ('enum vm_event_item' and 'enum zone_type') [-Wenum-enum-conversion] 3263 | __count_zid_vm_events(ALLOCSTALL, sc->reclaim_idx, 1); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:135:34: note: expanded from macro '__count_zid_vm_events' 135 | __count_vm_events(item##_NORMAL - ZONE_NORMAL + zid, delta) | ~~~~~~~~~~~~~ ^ ~~~~~~~~~~~ 9 warnings generated. -- In file included from mm/page_alloc.c:19: In file included from include/linux/mm.h:1581: include/linux/vmstat.h:431:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 431 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ In file included from mm/page_alloc.c:50: >> include/linux/backing-dev.h:418:49: warning: declaration of 'struct cgroup_subsys' will not be visible outside of this function [-Wvisibility] 418 | static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, | ^ In file included from mm/page_alloc.c:59: include/linux/mm_inline.h:34:41: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 34 | __mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~ ^ ~~~ include/linux/mm_inline.h:36:22: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 36 | NR_ZONE_LRU_BASE + lru, nr_pages); | ~~~~~~~~~~~~~~~~ ^ ~~~ mm/page_alloc.c:2609:5: warning: no previous prototype for function 'find_suitable_fallback' [-Wmissing-prototypes] 2609 | int find_suitable_fallback(struct free_area *area, unsigned int order, | ^ mm/page_alloc.c:2609:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 2609 | int find_suitable_fallback(struct free_area *area, unsigned int order, | ^ | static mm/page_alloc.c:3040:6: warning: no previous prototype for function '__drain_all_pages' [-Wmissing-prototypes] 3040 | void __drain_all_pages(struct zone *zone, bool force_all_cpus) | ^ mm/page_alloc.c:3040:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 3040 | void __drain_all_pages(struct zone *zone, bool force_all_cpus) | ^ | static mm/page_alloc.c:3449:3: warning: arithmetic between different enumeration types ('enum vm_event_item' and 'enum zone_type') [-Wenum-enum-conversion] 3449 | __count_zid_vm_events(PGALLOC, page_zonenum(page), 1); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:135:34: note: expanded from macro '__count_zid_vm_events' 135 | __count_vm_events(item##_NORMAL - ZONE_NORMAL + zid, delta) | ~~~~~~~~~~~~~ ^ ~~~~~~~~~~~ mm/page_alloc.c:3510:2: warning: arithmetic between different enumeration types ('enum vm_event_item' and 'enum zone_type') [-Wenum-enum-conversion] 3510 | __count_zid_vm_events(PGALLOC, page_zonenum(page), 1 << order); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:135:34: note: expanded from macro '__count_zid_vm_events' 135 | __count_vm_events(item##_NORMAL - ZONE_NORMAL + zid, delta) | ~~~~~~~~~~~~~ ^ ~~~~~~~~~~~ mm/page_alloc.c:3603:15: warning: no previous prototype for function 'should_fail_alloc_page' [-Wmissing-prototypes] 3603 | noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) | ^ mm/page_alloc.c:3603:10: note: declare 'static' if the function is not intended to be used outside of this translation unit 3603 | noinline bool should_fail_alloc_page(gfp_t gfp_mask, unsigned int order) | ^ | static mm/page_alloc.c:5221:3: warning: arithmetic between different enumeration types ('enum vm_event_item' and 'enum zone_type') [-Wenum-enum-conversion] 5221 | __count_zid_vm_events(PGALLOC, zone_idx(zone), 1); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:135:34: note: expanded from macro '__count_zid_vm_events' 135 | __count_vm_events(item##_NORMAL - ZONE_NORMAL + zid, delta) | ~~~~~~~~~~~~~ ^ ~~~~~~~~~~~ mm/page_alloc.c:6753:20: warning: no previous prototype for function 'memmap_init' [-Wmissing-prototypes] 6753 | void __init __weak memmap_init(void) | ^ mm/page_alloc.c:6753:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6753 | void __init __weak memmap_init(void) | ^ | static mm/page_alloc.c:6791:23: warning: no previous prototype for function 'arch_memmap_init' [-Wmissing-prototypes] 6791 | void __meminit __weak arch_memmap_init(unsigned long size, int nid, | ^ mm/page_alloc.c:6791:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6791 | void __meminit __weak arch_memmap_init(unsigned long size, int nid, | ^ | static mm/page_alloc.c:6909:6: warning: no previous prototype for function '__zone_set_pageset_high_and_batch' [-Wmissing-prototypes] 6909 | void __zone_set_pageset_high_and_batch(struct zone *zone, unsigned long high, | ^ mm/page_alloc.c:6909:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 6909 | void __zone_set_pageset_high_and_batch(struct zone *zone, unsigned long high, | ^ | static 13 warnings generated. vim +418 include/linux/backing-dev.h 417 > 418 static inline void bind_memcg_blkcg_link(struct cgroup_subsys *ss, 419 struct css_set *cset) 420 { 421 } 422 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] usb: typec: fix potential array underflow in ucsi_ccg_sync_control()
by GONG Ruiqi 16 Jan '25

16 Jan '25

From: Dan Carpenter <dan.carpenter(a)linaro.org> mainline inclusion from mainline-v6.13-rc1 commit e56aac6e5a25630645607b6856d4b2a17b2311a5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAFV CVE: CVE-2024-53203 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The "command" variable can be controlled by the user via debugfs. The worry is that if con_index is zero then "&uc->ucsi->connector[con_index - 1]" would be an array underflow. Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://lore.kernel.org/r/c69ef0b3-61b0-4dde-98dd-97b97f81d912@stanley.moun… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/usb/typec/ucsi/ucsi_ccg.c [It comes from two reasons: 1. the lack of commit 13f2ec3115c8, which refactors ucsi_ccg_sync_write() to ucsi_ccg_sync_control(); 2. a possible error within the original upstream patch, causing the imbalance of pm_runtime_{get,put}_sync().] Signed-off-by: GONG Ruiqi <gongruiqi1(a)huawei.com> --- drivers/usb/typec/ucsi/ucsi_ccg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/typec/ucsi/ucsi_ccg.c b/drivers/usb/typec/ucsi/ucsi_ccg.c index cf3c8e552def..acbc4def45e6 100644 --- a/drivers/usb/typec/ucsi/ucsi_ccg.c +++ b/drivers/usb/typec/ucsi/ucsi_ccg.c @@ -585,6 +585,10 @@ static int ucsi_ccg_sync_write(struct ucsi *ucsi, unsigned int offset, uc->has_multiple_dp) { con_index = (uc->last_cmd_sent >> 16) & UCSI_CMD_CONNECTOR_MASK; + if (con_index == 0) { + ret = -EINVAL; + goto err_clear_bit; + } con = &uc->ucsi->connector[con_index - 1]; ucsi_ccg_update_set_new_cam_cmd(uc, con, (u64 *)val); } -- 2.25.1

2 1

[PATCH OLK-6.6] btrfs: don't take dev_replace rwsem on task already holding it
by Yifan Qiao 16 Jan '25

16 Jan '25

From: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> mainline inclusion from mainline-v6.11-rc6 commit 8cca35cb29f81eba3e96ec44dad8696c8a2f9138 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBHLEX CVE: CVE-2024-48875 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Running fstests btrfs/011 with MKFS_OPTIONS="-O rst" to force the usage of the RAID stripe-tree, we get the following splat from lockdep: BTRFS info (device sdd): dev_replace from /dev/sdd (devid 1) to /dev/sdb started ============================================ WARNING: possible recursive locking detected 6.11.0-rc3-btrfs-for-next #599 Not tainted -------------------------------------------- btrfs/2326 is trying to acquire lock: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250 but task is already holding lock: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&fs_info->dev_replace.rwsem); lock(&fs_info->dev_replace.rwsem); *** DEADLOCK *** May be due to missing lock nesting notation 1 lock held by btrfs/2326: #0: ffff88810f215c98 (&fs_info->dev_replace.rwsem){++++}-{3:3}, at: btrfs_map_block+0x39f/0x2250 stack backtrace: CPU: 1 UID: 0 PID: 2326 Comm: btrfs Not tainted 6.11.0-rc3-btrfs-for-next #599 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x5b/0x80 __lock_acquire+0x2798/0x69d0 ? __pfx___lock_acquire+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 lock_acquire+0x19d/0x4a0 ? btrfs_map_block+0x39f/0x2250 ? __pfx_lock_acquire+0x10/0x10 ? find_held_lock+0x2d/0x110 ? lock_is_held_type+0x8f/0x100 down_read+0x8e/0x440 ? btrfs_map_block+0x39f/0x2250 ? __pfx_down_read+0x10/0x10 ? do_raw_read_unlock+0x44/0x70 ? _raw_read_unlock+0x23/0x40 btrfs_map_block+0x39f/0x2250 ? btrfs_dev_replace_by_ioctl+0xd69/0x1d00 ? btrfs_bio_counter_inc_blocked+0xd9/0x2e0 ? __kasan_slab_alloc+0x6e/0x70 ? __pfx_btrfs_map_block+0x10/0x10 ? __pfx_btrfs_bio_counter_inc_blocked+0x10/0x10 ? kmem_cache_alloc_noprof+0x1f2/0x300 ? mempool_alloc_noprof+0xed/0x2b0 btrfs_submit_chunk+0x28d/0x17e0 ? __pfx_btrfs_submit_chunk+0x10/0x10 ? bvec_alloc+0xd7/0x1b0 ? bio_add_folio+0x171/0x270 ? __pfx_bio_add_folio+0x10/0x10 ? __kasan_check_read+0x20/0x20 btrfs_submit_bio+0x37/0x80 read_extent_buffer_pages+0x3df/0x6c0 btrfs_read_extent_buffer+0x13e/0x5f0 read_tree_block+0x81/0xe0 read_block_for_search+0x4bd/0x7a0 ? __pfx_read_block_for_search+0x10/0x10 btrfs_search_slot+0x78d/0x2720 ? __pfx_btrfs_search_slot+0x10/0x10 ? lock_is_held_type+0x8f/0x100 ? kasan_save_track+0x14/0x30 ? __kasan_slab_alloc+0x6e/0x70 ? kmem_cache_alloc_noprof+0x1f2/0x300 btrfs_get_raid_extent_offset+0x181/0x820 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_btrfs_get_raid_extent_offset+0x10/0x10 ? down_read+0x194/0x440 ? __pfx_down_read+0x10/0x10 ? do_raw_read_unlock+0x44/0x70 ? _raw_read_unlock+0x23/0x40 btrfs_map_block+0x5b5/0x2250 ? __pfx_btrfs_map_block+0x10/0x10 scrub_submit_initial_read+0x8fe/0x11b0 ? __pfx_scrub_submit_initial_read+0x10/0x10 submit_initial_group_read+0x161/0x3a0 ? lock_release+0x20e/0x710 ? __pfx_submit_initial_group_read+0x10/0x10 ? __pfx_lock_release+0x10/0x10 scrub_simple_mirror.isra.0+0x3eb/0x580 scrub_stripe+0xe4d/0x1440 ? lock_release+0x20e/0x710 ? __pfx_scrub_stripe+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? do_raw_read_unlock+0x44/0x70 ? _raw_read_unlock+0x23/0x40 scrub_chunk+0x257/0x4a0 scrub_enumerate_chunks+0x64c/0xf70 ? __mutex_unlock_slowpath+0x147/0x5f0 ? __pfx_scrub_enumerate_chunks+0x10/0x10 ? bit_wait_timeout+0xb0/0x170 ? __up_read+0x189/0x700 ? scrub_workers_get+0x231/0x300 ? up_write+0x490/0x4f0 btrfs_scrub_dev+0x52e/0xcd0 ? create_pending_snapshots+0x230/0x250 ? __pfx_btrfs_scrub_dev+0x10/0x10 btrfs_dev_replace_by_ioctl+0xd69/0x1d00 ? lock_acquire+0x19d/0x4a0 ? __pfx_btrfs_dev_replace_by_ioctl+0x10/0x10 ? lock_release+0x20e/0x710 ? btrfs_ioctl+0xa09/0x74f0 ? __pfx_lock_release+0x10/0x10 ? do_raw_spin_lock+0x11e/0x240 ? __pfx_do_raw_spin_lock+0x10/0x10 btrfs_ioctl+0xa14/0x74f0 ? lock_acquire+0x19d/0x4a0 ? find_held_lock+0x2d/0x110 ? __pfx_btrfs_ioctl+0x10/0x10 ? lock_release+0x20e/0x710 ? do_sigaction+0x3f0/0x860 ? __pfx_do_vfs_ioctl+0x10/0x10 ? do_raw_spin_lock+0x11e/0x240 ? lockdep_hardirqs_on_prepare+0x270/0x3e0 ? _raw_spin_unlock_irq+0x28/0x50 ? do_sigaction+0x3f0/0x860 ? __pfx_do_sigaction+0x10/0x10 ? __x64_sys_rt_sigaction+0x18e/0x1e0 ? __pfx___x64_sys_rt_sigaction+0x10/0x10 ? __x64_sys_close+0x7c/0xd0 __x64_sys_ioctl+0x137/0x190 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f0bd1114f9b Code: Unable to access opcode bytes at 0x7f0bd1114f71. RSP: 002b:00007ffc8a8c3130 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0bd1114f9b RDX: 00007ffc8a8c35e0 RSI: 00000000ca289435 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000007 R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffc8a8c6c85 R13: 00000000398e72a0 R14: 0000000000004361 R15: 0000000000000004 </TASK> This happens because on RAID stripe-tree filesystems we recurse back into btrfs_map_block() on scrub to perform the logical to device physical mapping. But as the device replace task is already holding the dev_replace::rwsem we deadlock. So don't take the dev_replace::rwsem in case our task is the task performing the device replace. Suggested-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/btrfs/fs.h | 2 ++ fs/btrfs/dev-replace.c | 2 ++ fs/btrfs/volumes.c | 8 +++++--- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/fs.h b/fs/btrfs/fs.h index a523d64d5491..d24d41f7811a 100644 --- a/fs/btrfs/fs.h +++ b/fs/btrfs/fs.h @@ -271,6 +271,8 @@ struct btrfs_dev_replace { struct percpu_counter bio_counter; wait_queue_head_t replace_wait; + + struct task_struct *replace_task; }; /* diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c index f87e6ba66462..df230ddf71fc 100644 --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c @@ -646,6 +646,7 @@ static int btrfs_dev_replace_start(struct btrfs_fs_info *fs_info, return ret; down_write(&dev_replace->rwsem); + dev_replace->replace_task = current; switch (dev_replace->replace_state) { case BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED: case BTRFS_IOCTL_DEV_REPLACE_STATE_FINISHED: @@ -978,6 +979,7 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info, list_add(&tgt_device->dev_alloc_list, &fs_devices->alloc_list); fs_devices->rw_devices++; + dev_replace->replace_task = NULL; up_write(&dev_replace->rwsem); btrfs_rm_dev_replace_blocked(fs_info); diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 093c5a3ef079..7436044549cf 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6317,13 +6317,15 @@ int btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op, &stripe_offset, &raid56_full_stripe_start); *length = min_t(u64, em->len - map_offset, max_len); - down_read(&dev_replace->rwsem); + if (dev_replace->replace_task != current) + down_read(&dev_replace->rwsem); + dev_replace_is_ongoing = btrfs_dev_replace_is_ongoing(dev_replace); /* * Hold the semaphore for read during the whole operation, write is * requested at commit time but must wait. */ - if (!dev_replace_is_ongoing) + if (!dev_replace_is_ongoing && dev_replace->replace_task != current) up_read(&dev_replace->rwsem); num_stripes = 1; @@ -6513,7 +6515,7 @@ int btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op, bioc->mirror_num = mirror_num; out: - if (dev_replace_is_ongoing) { + if (dev_replace_is_ongoing && dev_replace->replace_task != current) { lockdep_assert_held(&dev_replace->rwsem); /* Unlock and let waiting writers proceed */ up_read(&dev_replace->rwsem); -- 2.39.2

2 1

[PATCH OLK-6.6] pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking
by Pu Lehui 16 Jan '25

16 Jan '25

From: Evgenii Shatokhin <e.shatokhin(a)yadro.com> stable inclusion from stable-v6.6.70 commit 8c6fd5803b988a5e78c9b9e42c70a936d7cfc6ec category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBI4HE CVE: CVE-2024-57889 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit a37eecb705f33726f1fb7cd2a67e514a15dfe693 upstream. If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above. Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") Cc: stable(a)vger.kernel.org Signed-off-by: Evgenii Shatokhin <e.shatokhin(a)yadro.com> Link: https://lore.kernel.org/20241209074659.1442898-1-e.shatokhin@yadro.com Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/pinctrl/pinctrl-mcp23s08.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c index 4551575e4e7d..fd97b6ee2a8d 100644 --- a/drivers/pinctrl/pinctrl-mcp23s08.c +++ b/drivers/pinctrl/pinctrl-mcp23s08.c @@ -86,6 +86,7 @@ const struct regmap_config mcp23x08_regmap = { .num_reg_defaults = ARRAY_SIZE(mcp23x08_defaults), .cache_type = REGCACHE_FLAT, .max_register = MCP_OLAT, + .disable_locking = true, /* mcp->lock protects the regmap */ }; EXPORT_SYMBOL_GPL(mcp23x08_regmap); @@ -132,6 +133,7 @@ const struct regmap_config mcp23x17_regmap = { .num_reg_defaults = ARRAY_SIZE(mcp23x17_defaults), .cache_type = REGCACHE_FLAT, .val_format_endian = REGMAP_ENDIAN_LITTLE, + .disable_locking = true, /* mcp->lock protects the regmap */ }; EXPORT_SYMBOL_GPL(mcp23x17_regmap); @@ -228,7 +230,9 @@ static int mcp_pinconf_get(struct pinctrl_dev *pctldev, unsigned int pin, switch (param) { case PIN_CONFIG_BIAS_PULL_UP: + mutex_lock(&mcp->lock); ret = mcp_read(mcp, MCP_GPPU, &data); + mutex_unlock(&mcp->lock); if (ret < 0) return ret; status = (data & BIT(pin)) ? 1 : 0; @@ -257,7 +261,9 @@ static int mcp_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, switch (param) { case PIN_CONFIG_BIAS_PULL_UP: + mutex_lock(&mcp->lock); ret = mcp_set_bit(mcp, MCP_GPPU, pin, arg); + mutex_unlock(&mcp->lock); break; default: dev_dbg(mcp->dev, "Invalid config param %04x\n", param); -- 2.34.1

2 1