From: Omar Sandoval <osandov(a)fb.com>
stable inclusion
from stable-v6.1.94
commit 1ff2bd566fbcefcb892be85c493bdb92b911c428
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA8AFW
CVE: CVE-2024-37354
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
commit 9d274c19a71b3a276949933859610721a453946b upstream.
We have been seeing crashes on duplicate keys in
btrfs_set_item_key_safe():
BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)
------------[ cut here ]------------
kernel BUG at fs/btrfs/ctree.c:2620!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]
With the following stack trace:
#0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)
#1 btrfs_drop_extents (fs/btrfs/file.c:411:4)
#2 log_one_extent (fs/btrfs/tree-log.c:4732:9)
#3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)
#4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)
#5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)
#6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)
#7 btrfs_sync_file (fs/btrfs/file.c:1933:8)
#8 vfs_fsync_range (fs/sync.c:188:9)
#9 vfs_fsync (fs/sync.c:202:9)
#10 do_fsync (fs/sync.c:212:9)
#11 __do_sys_fdatasync (fs/sync.c:225:9)
#12 __se_sys_fdatasync (fs/sync.c:223:1)
#13 __x64_sys_fdatasync (fs/sync.c:223:1)
#14 do_syscall_x64 (arch/x86/entry/common.c:52:14)
#15 do_syscall_64 (arch/x86/entry/common.c:83:7)
#16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)
So we're logging a changed extent from fsync, which is splitting an
extent in the log tree. But this split part already exists in the tree,
triggering the BUG().
This is the state of the log tree at the time of the crash, dumped with
drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)
to get more details than btrfs_print_leaf() gives us:
>>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"])
leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610
leaf 33439744 flags 0x100000000000000
fs uuid e5bd3946-400c-4223-8923-190ef1f18677
chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 7 transid 9 size 8192 nbytes 8473563889606862198
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 204 flags 0x10(PREALLOC)
atime 1716417703.220000000 (2024-05-22 15:41:43)
ctime 1716417704.983333333 (2024-05-22 15:41:44)
mtime 1716417704.983333333 (2024-05-22 15:41:44)
otime 17592186044416.000000000 (559444-03-08 01:40:16)
item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13
index 195 namelen 3 name: 193
item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37
location key (0 UNKNOWN.0 0) type XATTR
transid 7 data_len 1 name_len 6
name: user.a
data a
item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53
generation 9 type 1 (regular)
extent data disk byte 303144960 nr 12288
extent data offset 0 nr 4096 ram 12288
extent compression 0 (none)
item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 4096 nr 8192
item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 8192 nr 4096
...
So the real problem happened earlier: notice that items 4 (4k-12k) and 5
(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and
item 5 starts at i_size.
Here is the state of the filesystem tree at the time of the crash:
>>> root = prog.crashed_thread().stack_trace()[2]["inode"].root
>>> ret, nodes, slots = btrfs_search_slot(root, BtrfsKey(450, 0, 0))
>>> print_extent_buffer(nodes[0])
leaf 30425088 level 0 items 184 generation 9 owner 5
leaf 30425088 flags 0x100000000000000
fs uuid e5bd3946-400c-4223-8923-190ef1f18677
chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
...
item 179 key (450 INODE_ITEM 0) itemoff 4907 itemsize 160
generation 7 transid 7 size 4096 nbytes 12288
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 6 flags 0x10(PREALLOC)
atime 1716417703.220000000 (2024-05-22 15:41:43)
ctime 1716417703.220000000 (2024-05-22 15:41:43)
mtime 1716417703.220000000 (2024-05-22 15:41:43)
otime 1716417703.220000000 (2024-05-22 15:41:43)
item 180 key (450 INODE_REF 256) itemoff 4894 itemsize 13
index 195 namelen 3 name: 193
item 181 key (450 XATTR_ITEM 1640047104) itemoff 4857 itemsize 37
location key (0 UNKNOWN.0 0) type XATTR
transid 7 data_len 1 name_len 6
name: user.a
data a
item 182 key (450 EXTENT_DATA 0) itemoff 4804 itemsize 53
generation 9 type 1 (regular)
extent data disk byte 303144960 nr 12288
extent data offset 0 nr 8192 ram 12288
extent compression 0 (none)
item 183 key (450 EXTENT_DATA 8192) itemoff 4751 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 8192 nr 4096
Item 5 in the log tree corresponds to item 183 in the filesystem tree,
but nothing matches item 4. Furthermore, item 183 is the last item in
the leaf.
btrfs_log_prealloc_extents() is responsible for logging prealloc extents
beyond i_size. It first truncates any previously logged prealloc extents
that start beyond i_size. Then, it walks the filesystem tree and copies
the prealloc extent items to the log tree.
If it hits the end of a leaf, then it calls btrfs_next_leaf(), which
unlocks the tree and does another search. However, while the filesystem
tree is unlocked, an ordered extent completion may modify the tree. In
particular, it may insert an extent item that overlaps with an extent
item that was already copied to the log tree.
This may manifest in several ways depending on the exact scenario,
including an EEXIST error that is silently translated to a full sync,
overlapping items in the log tree, or this crash. This particular crash
is triggered by the following sequence of events:
- Initially, the file has i_size=4k, a regular extent from 0-4k, and a
prealloc extent beyond i_size from 4k-12k. The prealloc extent item is
the last item in its B-tree leaf.
- The file is fsync'd, which copies its inode item and both extent items
to the log tree.
- An xattr is set on the file, which sets the
BTRFS_INODE_COPY_EVERYTHING flag.
- The range 4k-8k in the file is written using direct I/O. i_size is
extended to 8k, but the ordered extent is still in flight.
- The file is fsync'd. Since BTRFS_INODE_COPY_EVERYTHING is set, this
calls copy_inode_items_to_log(), which calls
btrfs_log_prealloc_extents().
- btrfs_log_prealloc_extents() finds the 4k-12k prealloc extent in the
filesystem tree. Since it starts before i_size, it skips it. Since it
is the last item in its B-tree leaf, it calls btrfs_next_leaf().
- btrfs_next_leaf() unlocks the path.
- The ordered extent completion runs, which converts the 4k-8k part of
the prealloc extent to written and inserts the remaining prealloc part
from 8k-12k.
- btrfs_next_leaf() does a search and finds the new prealloc extent
8k-12k.
- btrfs_log_prealloc_extents() copies the 8k-12k prealloc extent into
the log tree. Note that it overlaps with the 4k-12k prealloc extent
that was copied to the log tree by the first fsync.
- fsync calls btrfs_log_changed_extents(), which tries to log the 4k-8k
extent that was written.
- This tries to drop the range 4k-8k in the log tree, which requires
adjusting the start of the 4k-12k prealloc extent in the log tree to
8k.
- btrfs_set_item_key_safe() sees that there is already an extent
starting at 8k in the log tree and calls BUG().
Fix this by detecting when we're about to insert an overlapping file
extent item in the log tree and truncating the part that would overlap.
CC: stable(a)vger.kernel.org # 6.1+
Reviewed-by: Filipe Manana <fdmanana(a)suse.com>
Signed-off-by: Omar Sandoval <osandov(a)fb.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Conflicts:
fs/btrfs/tree-log.c
[Simple context adaptation is performed]
Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com>
---
fs/btrfs/tree-log.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 9a8dc16673b4..f7d1baff579f 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4415,22 +4415,27 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
path->slots[0]++;
continue;
}
- if (!dropped_extents) {
- /*
- * Avoid logging extent items logged in past fsync calls
- * and leading to duplicate keys in the log tree.
- */
+ /*
+ * Avoid overlapping items in the log tree. The first time we
+ * get here, get rid of everything from a past fsync. After
+ * that, if the current extent starts before the end of the last
+ * extent we copied, truncate the last one. This can happen if
+ * an ordered extent completion modifies the subvolume tree
+ * while btrfs_next_leaf() has the tree unlocked.
+ */
+ if (!dropped_extents || key.offset < truncate_offset) {
do {
ret = btrfs_truncate_inode_items(trans,
root->log_root,
&inode->vfs_inode,
- truncate_offset,
+ min(key.offset, truncate_offset),
BTRFS_EXTENT_DATA_KEY);
} while (ret == -EAGAIN);
if (ret)
goto out;
dropped_extents = true;
}
+ truncate_offset = btrfs_file_extent_end(path);
if (ins_nr == 0)
start_slot = slot;
ins_nr++;
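Review bot: truncate_offset changes meaning at the added `truncate_offset = btrfs_file_extent_end(path);` line near the end of the hunk, and nothing at that line says so. Up to the first truncation it is the offset at which the previous fsync's items are cut; from then on it is the end of the extent just queued for copying, which is what the new `key.offset < truncate_offset` test relies on. A short comment at the assignment, or a separate variable for the second role, would keep the condition readable without going back to the block comment.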
--
2.39.2
From: Omar Sandoval <osandov(a)fb.com>
stable inclusion
from stable-v6.1.94
commit 1ff2bd566fbcefcb892be85c493bdb92b911c428
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA8AFW
CVE: CVE-2024-37354
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
commit 9d274c19a71b3a276949933859610721a453946b upstream.
We have been seeing crashes on duplicate keys in
btrfs_set_item_key_safe():
BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)
------------[ cut here ]------------
kernel BUG at fs/btrfs/ctree.c:2620!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]
With the following stack trace:
#0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)
#1 btrfs_drop_extents (fs/btrfs/file.c:411:4)
#2 log_one_extent (fs/btrfs/tree-log.c:4732:9)
#3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)
#4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)
#5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)
#6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)
#7 btrfs_sync_file (fs/btrfs/file.c:1933:8)
#8 vfs_fsync_range (fs/sync.c:188:9)
#9 vfs_fsync (fs/sync.c:202:9)
#10 do_fsync (fs/sync.c:212:9)
#11 __do_sys_fdatasync (fs/sync.c:225:9)
#12 __se_sys_fdatasync (fs/sync.c:223:1)
#13 __x64_sys_fdatasync (fs/sync.c:223:1)
#14 do_syscall_x64 (arch/x86/entry/common.c:52:14)
#15 do_syscall_64 (arch/x86/entry/common.c:83:7)
#16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)
So we're logging a changed extent from fsync, which is splitting an
extent in the log tree. But this split part already exists in the tree,
triggering the BUG().
This is the state of the log tree at the time of the crash, dumped with
drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)
to get more details than btrfs_print_leaf() gives us:
>>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"])
leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610
leaf 33439744 flags 0x100000000000000
fs uuid e5bd3946-400c-4223-8923-190ef1f18677
chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 7 transid 9 size 8192 nbytes 8473563889606862198
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 204 flags 0x10(PREALLOC)
atime 1716417703.220000000 (2024-05-22 15:41:43)
ctime 1716417704.983333333 (2024-05-22 15:41:44)
mtime 1716417704.983333333 (2024-05-22 15:41:44)
otime 17592186044416.000000000 (559444-03-08 01:40:16)
item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13
index 195 namelen 3 name: 193
item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37
location key (0 UNKNOWN.0 0) type XATTR
transid 7 data_len 1 name_len 6
name: user.a
data a
item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53
generation 9 type 1 (regular)
extent data disk byte 303144960 nr 12288
extent data offset 0 nr 4096 ram 12288
extent compression 0 (none)
item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 4096 nr 8192
item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 8192 nr 4096
...
So the real problem happened earlier: notice that items 4 (4k-12k) and 5
(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and
item 5 starts at i_size.
Here is the state of the filesystem tree at the time of the crash:
>>> root = prog.crashed_thread().stack_trace()[2]["inode"].root
>>> ret, nodes, slots = btrfs_search_slot(root, BtrfsKey(450, 0, 0))
>>> print_extent_buffer(nodes[0])
leaf 30425088 level 0 items 184 generation 9 owner 5
leaf 30425088 flags 0x100000000000000
fs uuid e5bd3946-400c-4223-8923-190ef1f18677
chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
...
item 179 key (450 INODE_ITEM 0) itemoff 4907 itemsize 160
generation 7 transid 7 size 4096 nbytes 12288
block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
sequence 6 flags 0x10(PREALLOC)
atime 1716417703.220000000 (2024-05-22 15:41:43)
ctime 1716417703.220000000 (2024-05-22 15:41:43)
mtime 1716417703.220000000 (2024-05-22 15:41:43)
otime 1716417703.220000000 (2024-05-22 15:41:43)
item 180 key (450 INODE_REF 256) itemoff 4894 itemsize 13
index 195 namelen 3 name: 193
item 181 key (450 XATTR_ITEM 1640047104) itemoff 4857 itemsize 37
location key (0 UNKNOWN.0 0) type XATTR
transid 7 data_len 1 name_len 6
name: user.a
data a
item 182 key (450 EXTENT_DATA 0) itemoff 4804 itemsize 53
generation 9 type 1 (regular)
extent data disk byte 303144960 nr 12288
extent data offset 0 nr 8192 ram 12288
extent compression 0 (none)
item 183 key (450 EXTENT_DATA 8192) itemoff 4751 itemsize 53
generation 9 type 2 (prealloc)
prealloc data disk byte 303144960 nr 12288
prealloc data offset 8192 nr 4096
Item 5 in the log tree corresponds to item 183 in the filesystem tree,
but nothing matches item 4. Furthermore, item 183 is the last item in
the leaf.
btrfs_log_prealloc_extents() is responsible for logging prealloc extents
beyond i_size. It first truncates any previously logged prealloc extents
that start beyond i_size. Then, it walks the filesystem tree and copies
the prealloc extent items to the log tree.
If it hits the end of a leaf, then it calls btrfs_next_leaf(), which
unlocks the tree and does another search. However, while the filesystem
tree is unlocked, an ordered extent completion may modify the tree. In
particular, it may insert an extent item that overlaps with an extent
item that was already copied to the log tree.
This may manifest in several ways depending on the exact scenario,
including an EEXIST error that is silently translated to a full sync,
overlapping items in the log tree, or this crash. This particular crash
is triggered by the following sequence of events:
- Initially, the file has i_size=4k, a regular extent from 0-4k, and a
prealloc extent beyond i_size from 4k-12k. The prealloc extent item is
the last item in its B-tree leaf.
- The file is fsync'd, which copies its inode item and both extent items
to the log tree.
- An xattr is set on the file, which sets the
BTRFS_INODE_COPY_EVERYTHING flag.
- The range 4k-8k in the file is written using direct I/O. i_size is
extended to 8k, but the ordered extent is still in flight.
- The file is fsync'd. Since BTRFS_INODE_COPY_EVERYTHING is set, this
calls copy_inode_items_to_log(), which calls
btrfs_log_prealloc_extents().
- btrfs_log_prealloc_extents() finds the 4k-12k prealloc extent in the
filesystem tree. Since it starts before i_size, it skips it. Since it
is the last item in its B-tree leaf, it calls btrfs_next_leaf().
- btrfs_next_leaf() unlocks the path.
- The ordered extent completion runs, which converts the 4k-8k part of
the prealloc extent to written and inserts the remaining prealloc part
from 8k-12k.
- btrfs_next_leaf() does a search and finds the new prealloc extent
8k-12k.
- btrfs_log_prealloc_extents() copies the 8k-12k prealloc extent into
the log tree. Note that it overlaps with the 4k-12k prealloc extent
that was copied to the log tree by the first fsync.
- fsync calls btrfs_log_changed_extents(), which tries to log the 4k-8k
extent that was written.
- This tries to drop the range 4k-8k in the log tree, which requires
adjusting the start of the 4k-12k prealloc extent in the log tree to
8k.
- btrfs_set_item_key_safe() sees that there is already an extent
starting at 8k in the log tree and calls BUG().
Fix this by detecting when we're about to insert an overlapping file
extent item in the log tree and truncating the part that would overlap.
CC: stable(a)vger.kernel.org # 6.1+
Reviewed-by: Filipe Manana <fdmanana(a)suse.com>
Signed-off-by: Omar Sandoval <osandov(a)fb.com>
Signed-off-by: David Sterba <dsterba(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Conflicts:
fs/btrfs/tree-log.c
[Simple context adaptation is performed]
Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com>
---
fs/btrfs/tree-log.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 10a0913ffb49..73e507aa9a5a 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4415,22 +4415,27 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
path->slots[0]++;
continue;
}
- if (!dropped_extents) {
- /*
- * Avoid logging extent items logged in past fsync calls
- * and leading to duplicate keys in the log tree.
- */
+ /*
+ * Avoid overlapping items in the log tree. The first time we
+ * get here, get rid of everything from a past fsync. After
+ * that, if the current extent starts before the end of the last
+ * extent we copied, truncate the last one. This can happen if
+ * an ordered extent completion modifies the subvolume tree
+ * while btrfs_next_leaf() has the tree unlocked.
+ */
+ if (!dropped_extents || key.offset < truncate_offset) {
do {
ret = btrfs_truncate_inode_items(trans,
root->log_root,
&inode->vfs_inode,
- truncate_offset,
+ min(key.offset, truncate_offset),
BTRFS_EXTENT_DATA_KEY);
} while (ret == -EAGAIN);
if (ret)
goto out;
dropped_extents = true;
}
+ truncate_offset = btrfs_file_extent_end(path);
if (ins_nr == 0)
start_slot = slot;
ins_nr++;
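Review bot: `min(key.offset, truncate_offset)` in the btrfs_truncate_inode_items() call depends on the declaration of truncate_offset, which is outside the hunk. The kernel's min() type-checks its two operands, and this is a backport with context adaptation, so confirm that truncate_offset has the same type as key.offset in this tree; if it does not, min_t() with an explicit type is the usual form.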
--
2.39.2
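The sequence of events in the commit message (the same text in both postings of the patch above), as an added user-space C model that is not kernel code and not part of the original patch: the log tree is a sorted array of file ranges, and log_prealloc_extents() follows the '-' side of the hunk when fixed is false and the '+' side when it is true. All helper names are hypothetical, and the starting truncate_offset of 12k (the end of the prealloc extent straddling i_size) is an assumption, since the hunk does not show how it is initialised.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KiB 1024ULL
#define MAX_ITEMS 8

/* User-space model (added illustration, not kernel code): the log tree is an
 * array of file ranges [start, end) kept sorted by start, like keys in a leaf. */
struct extent { uint64_t start, end; };
struct log_tree { struct extent items[MAX_ITEMS]; size_t n; };

/* Truncate the log's extent items at new_size: items starting at or after
 * new_size are dropped, an item straddling it is cut short. */
static void log_truncate(struct log_tree *log, uint64_t new_size)
{
	size_t out = 0;
	for (size_t i = 0; i < log->n; i++) {
		struct extent e = log->items[i];
		if (e.start >= new_size)
			continue;
		if (e.end > new_size)
			e.end = new_size;
		log->items[out++] = e;
	}
	log->n = out;
}

static void log_insert(struct log_tree *log, struct extent e)
{
	size_t i;

	if (log->n == MAX_ITEMS)
		return;
	for (i = log->n++; i > 0 && log->items[i - 1].start > e.start; i--)
		log->items[i] = log->items[i - 1];
	log->items[i] = e;
}

static bool log_has_overlap(const struct log_tree *log)
{
	for (size_t i = 1; i < log->n; i++)
		if (log->items[i].start < log->items[i - 1].end)
			return true;
	return false;
}

/* The copy loop. seen[] is what the filesystem tree walk returns, in order;
 * fixed=false follows the '-' side of the hunk, fixed=true the '+' side. */
static void log_prealloc_extents(struct log_tree *log, const struct extent *seen,
				 size_t nseen, uint64_t i_size,
				 uint64_t truncate_offset, bool fixed)
{
	bool dropped_extents = false;

	for (size_t i = 0; i < nseen; i++) {
		uint64_t off = seen[i].start;		/* key.offset */
		bool overlaps = fixed && off < truncate_offset;
		if (off < i_size)			/* starts before i_size: skipped */
			continue;
		if (!dropped_extents || overlaps) {
			log_truncate(log, overlaps ? off : truncate_offset);
			dropped_extents = true;
		}
		if (fixed)
			truncate_offset = seen[i].end;
		log_insert(log, seen[i]);
	}
}

/* The page's sequence of events as constructed input. Assumption: at the
 * second fsync truncate_offset starts at 12k, the end of the prealloc extent
 * straddling i_size = 8k; the hunk does not show how it is initialised. */
static void run_scenario(bool fixed, struct log_tree *log)
{
	/* Walk: 4k-12k seen before btrfs_next_leaf(), 8k-12k after the split. */
	const struct extent seen[] = { { 4 * KiB, 12 * KiB }, { 8 * KiB, 12 * KiB } };

	log->n = 0;	/* first fsync logged 0-4k regular and 4k-12k prealloc */
	log_insert(log, (struct extent){ 0, 4 * KiB });
	log_insert(log, (struct extent){ 4 * KiB, 12 * KiB });
	log_prealloc_extents(log, seen, 2, 8 * KiB, 12 * KiB, fixed);
}

int main(void)
{
	for (int fixed = 0; fixed <= 1; fixed++) {
		struct log_tree log;
		run_scenario(fixed, &log);
		printf("%s:", fixed ? "fixed" : "old");
		for (size_t i = 0; i < log.n; i++)
			printf(" [%lluk,%lluk)", log.items[i].start / KiB,
			       log.items[i].end / KiB);
		printf(" overlap=%d\n", log_has_overlap(&log));
	}
	return 0;
}
```

With fixed=false the model ends with [0k,4k) [4k,12k) [8k,12k), the layout of items 3 to 5 in the log tree dump; with fixed=true the middle item is cut to [4k,8k).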
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: c55d99182a85f38a964fe23a2db2ddf42739a151
commit: b8815fbbe89b0d15fa3296c3e57d2197a92f5bc0 [18534/23123] ACPI: CPPC: Fix cppc_cpufreq_init failed in CPU Hotplug situation
config: x86_64-randconfig-103-20240609
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406302227.jm9BopPY-lkp@intel.com/
cocci warnings: (new ones prefixed by >>)
>> drivers/acpi/cppc_acpi.c:614:3-8: WARNING: NULL check before some freeing functions is not needed.
vim +614 drivers/acpi/cppc_acpi.c
576
577 int acpi_get_psd_map(struct cppc_cpudata **all_cpu_data)
578 {
579 struct cpc_desc **cpc_pptr, *cpc_ptr;
580 int parsed_core_num = 0;
581 int i, ret;
582
583 cpc_pptr = kcalloc(num_possible_cpus(), sizeof(void *), GFP_KERNEL);
584 if (!cpc_pptr)
585 return -ENOMEM;
586 for_each_possible_cpu(i) {
587 cpc_pptr[i] = kzalloc(sizeof(struct cpc_desc), GFP_KERNEL);
588 if (!cpc_pptr[i]) {
589 ret = -ENOMEM;
590 goto out;
591 }
592 }
593
594 /*
595 * We can not use acpi_get_devices() to walk the processor devices
596 * because some processor device is not present.
597 */
598 ret = acpi_walk_namespace(ACPI_TYPE_DEVICE, ACPI_ROOT_OBJECT,
599 ACPI_UINT32_MAX, acpi_parse_cpc, NULL,
600 cpc_pptr, (void **)&parsed_core_num);
601 if (ret)
602 goto out;
603 if (parsed_core_num != num_possible_cpus()) {
604 ret = -EINVAL;
605 goto out;
606 }
607
608 ret = __acpi_get_psd_map(all_cpu_data, cpc_pptr);
609
610 out:
611 for_each_possible_cpu(i) {
612 cpc_ptr = cpc_pptr[i];
613 if (cpc_ptr)
> 614 kfree(cpc_ptr);
615 }
616 kfree(cpc_pptr);
617
618 return ret;
619 }
620 EXPORT_SYMBOL_GPL(acpi_get_psd_map);
621
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Malloy,
FYI, the error/warning still remains.
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: c55d99182a85f38a964fe23a2db2ddf42739a151
commit: e8483fcd43fc1dbb8d21bb7eacce804cbab6a7c6 [21291/23123] spi: add phytium spi support
config: x86_64-randconfig-005-20240420
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build):
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406301902.JqosVzpZ-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/spi/spi-phytium-plat.c:186:34: warning: unused variable 'phytium_spi_of_match' [-Wunused-const-variable]
186 | static const struct of_device_id phytium_spi_of_match[] = {
| ^~~~~~~~~~~~~~~~~~~~
1 warning generated.
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for SPI_PHYTIUM
Depends on [n]: SPI [=y] && SPI_MASTER [=y] && (ARCH_PHYTIUM || COMPILE_TEST [=n])
Selected by [y]:
- SPI_PHYTIUM_PLAT [=y] && SPI [=y] && SPI_MASTER [=y]
vim +/phytium_spi_of_match +186 drivers/spi/spi-phytium-plat.c
185
> 186 static const struct of_device_id phytium_spi_of_match[] = {
187 { .compatible = "phytium,spi", .data = (void *)0 },
188 { /* end of table */}
189 };
190 MODULE_DEVICE_TABLE(of, phytium_spi_of_match);
191
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Cheng,
FYI, the error/warning still remains.
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: c55d99182a85f38a964fe23a2db2ddf42739a151
commit: 7e2ab91ea07673f855f16b54b7c6e6853b2efc1c [13138/23123] livepatch/x86: support livepatch without ftrace
config: x86_64-randconfig-073-20240521
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build):
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406301639.M9qvyoyY-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed' [-Wmissing-prototypes]
75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
| ^
kernel/livepatch/core.c:75:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
| ^
| static
kernel/livepatch/core.c:402:5: warning: no previous prototype for function 'klp_try_disable_patch' [-Wmissing-prototypes]
402 | int klp_try_disable_patch(void *data)
| ^
kernel/livepatch/core.c:402:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
402 | int klp_try_disable_patch(void *data)
| ^
| static
kernel/livepatch/core.c:441:13: warning: no previous prototype for function 'arch_klp_code_modify_prepare' [-Wmissing-prototypes]
441 | void __weak arch_klp_code_modify_prepare(void)
| ^
kernel/livepatch/core.c:441:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
441 | void __weak arch_klp_code_modify_prepare(void)
| ^
| static
kernel/livepatch/core.c:445:13: warning: no previous prototype for function 'arch_klp_code_modify_post_process' [-Wmissing-prototypes]
445 | void __weak arch_klp_code_modify_post_process(void)
| ^
kernel/livepatch/core.c:445:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
445 | void __weak arch_klp_code_modify_post_process(void)
| ^
| static
kernel/livepatch/core.c:617:5: warning: no previous prototype for function 'klp_try_enable_patch' [-Wmissing-prototypes]
617 | int klp_try_enable_patch(void *data)
| ^
kernel/livepatch/core.c:617:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
617 | int klp_try_enable_patch(void *data)
| ^
| static
kernel/livepatch/core.c:1013:12: warning: no previous prototype for function 'arch_klp_func_can_patch' [-Wmissing-prototypes]
1013 | int __weak arch_klp_func_can_patch(struct klp_func *func)
| ^
kernel/livepatch/core.c:1013:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1013 | int __weak arch_klp_func_can_patch(struct klp_func *func)
| ^
| static
6 warnings generated.
vim +/klp_check_patch_kprobed +75 kernel/livepatch/core.c
7e8d223e3ef865 Cheng Jian 2019-01-28 69
c8f9d7a3aae362 Cheng Jian 2019-01-28 70 #ifdef CONFIG_LIVEPATCH_RESTRICT_KPROBE
c8f9d7a3aae362 Cheng Jian 2019-01-28 71 /*
c8f9d7a3aae362 Cheng Jian 2019-01-28 72 * Check whether a function has been registered with kprobes before patched.
c8f9d7a3aae362 Cheng Jian 2019-01-28 73 * We can't patched this function util we unregisted the kprobes.
c8f9d7a3aae362 Cheng Jian 2019-01-28 74 */
c8f9d7a3aae362 Cheng Jian 2019-01-28 @75 struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
c8f9d7a3aae362 Cheng Jian 2019-01-28 76 {
c8f9d7a3aae362 Cheng Jian 2019-01-28 77 struct klp_object *obj;
c8f9d7a3aae362 Cheng Jian 2019-01-28 78 struct klp_func *func;
c8f9d7a3aae362 Cheng Jian 2019-01-28 79 struct kprobe *kp;
c8f9d7a3aae362 Cheng Jian 2019-01-28 80 int i;
c8f9d7a3aae362 Cheng Jian 2019-01-28 81
c8f9d7a3aae362 Cheng Jian 2019-01-28 82 klp_for_each_object(patch, obj) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 83 klp_for_each_func(obj, func) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 84 for (i = 0; i < func->old_size; i++) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 85 kp = get_kprobe((void *)func->old_addr + i);
c8f9d7a3aae362 Cheng Jian 2019-01-28 86 if (kp) {
c8f9d7a3aae362 Cheng Jian 2019-01-28 87 pr_err("func %s has been probed, (un)patch failed\n",
c8f9d7a3aae362 Cheng Jian 2019-01-28 88 func->old_name);
c8f9d7a3aae362 Cheng Jian 2019-01-28 89 return kp;
c8f9d7a3aae362 Cheng Jian 2019-01-28 90 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 91 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 92 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 93 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 94
c8f9d7a3aae362 Cheng Jian 2019-01-28 95 return NULL;
c8f9d7a3aae362 Cheng Jian 2019-01-28 96 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 97 #else
c8f9d7a3aae362 Cheng Jian 2019-01-28 98 static inline struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch)
c8f9d7a3aae362 Cheng Jian 2019-01-28 99 {
c8f9d7a3aae362 Cheng Jian 2019-01-28 100 return NULL;
c8f9d7a3aae362 Cheng Jian 2019-01-28 101 }
c8f9d7a3aae362 Cheng Jian 2019-01-28 102 #endif /* CONFIG_LIVEPATCH_RESTRICT_KPROBE */
c8f9d7a3aae362 Cheng Jian 2019-01-28 103
:::::: The code at line 75 was first introduced by commit
:::::: c8f9d7a3aae362482f81ba7c6819d410d66619ab livepatch/core: Restrict livepatch patched/unpatched when plant kprobe
:::::: TO: Cheng Jian <cj.chengjian(a)huawei.com>
:::::: CC: Xie XiuQi <xiexiuqi(a)huawei.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: c55d99182a85f38a964fe23a2db2ddf42739a151
commit: 7fc993d55d1b54ae40e29dfac825a18d04d644c6 [14777/23123] scsi/hifc: add hifc driver FC service module
config: x86_64-buildonly-randconfig-001-20240627
compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
reproduce (this is a W=1 build):
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406301629.78CQgAev-lkp@intel.com/
All warnings (new ones prefixed by >>):
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/huawei/hifc/unf_npiv.c:173:14: warning: no previous prototype for function 'unf_alloc_vp_index' [-Wmissing-prototypes]
173 | unsigned int unf_alloc_vp_index(struct unf_vport_pool_s *v_vport_pool,
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:173:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
173 | unsigned int unf_alloc_vp_index(struct unf_vport_pool_s *v_vport_pool,
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:229:6: warning: no previous prototype for function 'unf_free_vp_index' [-Wmissing-prototypes]
229 | void unf_free_vp_index(struct unf_vport_pool_s *v_vport_pool,
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:229:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
229 | void unf_free_vp_index(struct unf_vport_pool_s *v_vport_pool,
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:255:21: warning: no previous prototype for function 'unf_get_free_vport' [-Wmissing-prototypes]
255 | struct unf_lport_s *unf_get_free_vport(struct unf_lport_s *v_lport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:255:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
255 | struct unf_lport_s *unf_get_free_vport(struct unf_lport_s *v_lport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:287:6: warning: no previous prototype for function 'unf_vport_back_to_pool' [-Wmissing-prototypes]
287 | void unf_vport_back_to_pool(void *v_vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:287:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
287 | void unf_vport_back_to_pool(void *v_vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:312:6: warning: no previous prototype for function 'unf_init_vport_from_lport' [-Wmissing-prototypes]
312 | void unf_init_vport_from_lport(struct unf_lport_s *v_vport,
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:312:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
312 | void unf_init_vport_from_lport(struct unf_lport_s *v_vport,
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:339:6: warning: no previous prototype for function 'unf_check_vport_pool_status' [-Wmissing-prototypes]
339 | void unf_check_vport_pool_status(struct unf_lport_s *v_lport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:339:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
339 | void unf_check_vport_pool_status(struct unf_lport_s *v_lport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:366:6: warning: no previous prototype for function 'unf_vport_deinit' [-Wmissing-prototypes]
366 | void unf_vport_deinit(void *v_vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:366:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
366 | void unf_vport_deinit(void *v_vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:410:14: warning: no previous prototype for function 'unf_vport_init' [-Wmissing-prototypes]
410 | unsigned int unf_vport_init(void *v_vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:410:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
410 | unsigned int unf_vport_init(void *v_vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:928:6: warning: no previous prototype for function 'unf_vport_abort_all_sfs_exch' [-Wmissing-prototypes]
928 | void unf_vport_abort_all_sfs_exch(struct unf_lport_s *vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:928:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
928 | void unf_vport_abort_all_sfs_exch(struct unf_lport_s *vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:979:6: warning: no previous prototype for function 'unf_vport_abort_ini_io_exch' [-Wmissing-prototypes]
979 | void unf_vport_abort_ini_io_exch(struct unf_lport_s *vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:979:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
979 | void unf_vport_abort_ini_io_exch(struct unf_lport_s *vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:1028:6: warning: no previous prototype for function 'unf_vport_abort_all_exch' [-Wmissing-prototypes]
1028 | void unf_vport_abort_all_exch(struct unf_lport_s *vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:1028:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1028 | void unf_vport_abort_all_exch(struct unf_lport_s *vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:1037:14: warning: no previous prototype for function 'unf_vport_wait_all_exch_removed' [-Wmissing-prototypes]
1037 | unsigned int unf_vport_wait_all_exch_removed(struct unf_lport_s *vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:1037:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1037 | unsigned int unf_vport_wait_all_exch_removed(struct unf_lport_s *vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:1114:14: warning: no previous prototype for function 'unf_vport_wait_rports_removed' [-Wmissing-prototypes]
1114 | unsigned int unf_vport_wait_rports_removed(struct unf_lport_s *vport)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:1114:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1114 | unsigned int unf_vport_wait_rports_removed(struct unf_lport_s *vport)
| ^
| static
drivers/scsi/huawei/hifc/unf_npiv.c:1303:5: warning: no previous prototype for function 'unf_process_vports_linkup' [-Wmissing-prototypes]
1303 | int unf_process_vports_linkup(void *v_arg_in, void *v_arg_out)
| ^
drivers/scsi/huawei/hifc/unf_npiv.c:1303:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
1303 | int unf_process_vports_linkup(void *v_arg_in, void *v_arg_out)
| ^
| static
15 warnings generated.
>> drivers/scsi/huawei/hifc/unf_npiv.o: warning: objtool: missing symbol for section .text
--
In file included from drivers/scsi/huawei/hifc/unf_io_abnormal.c:8:
In file included from drivers/scsi/huawei/hifc/unf_exchg.h:9:
In file included from drivers/scsi/huawei/hifc/unf_scsi_common.h:10:
In file included from drivers/scsi/huawei/hifc/hifc_knl_adp.h:30:
In file included from include/scsi/scsi_host.h:12:
In file included from include/linux/blk-mq.h:5:
In file included from include/linux/blkdev.h:16:
include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict]
425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage;
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/scsi/huawei/hifc/unf_io_abnormal.c:445:5: warning: no previous prototype for function 'unf_send_scsi_mgmt_cmnd' [-Wmissing-prototypes]
445 | int unf_send_scsi_mgmt_cmnd(struct unf_xchg_s *v_xchg,
| ^
drivers/scsi/huawei/hifc/unf_io_abnormal.c:445:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
445 | int unf_send_scsi_mgmt_cmnd(struct unf_xchg_s *v_xchg,
| ^
| static
2 warnings generated.
>> drivers/scsi/huawei/hifc/unf_io_abnormal.o: warning: objtool: missing symbol for section .text
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
From: Fedor Pchelkin <pchelkin(a)ispras.ru>
mainline inclusion
from mainline-v6.10-rc2
commit e64746e74f717961250a155e14c156616fcd981f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7DCL
CVE: CVE-2024-39277
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()
resulting in the following sanitizer report:
UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
index -1 is out of range for type 'cpumask [64][1]'
CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:117)
ubsan_epilogue (lib/ubsan.c:232)
__ubsan_handle_out_of_bounds (lib/ubsan.c:429)
cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]
do_map_benchmark (kernel/dma/map_benchmark.c:104)
map_benchmark_ioctl (kernel/dma/map_benchmark.c:246)
full_proxy_unlocked_ioctl (fs/debugfs/file.c:333)
__x64_sys_ioctl (fs/ioctl.c:890)
do_syscall_64 (arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Use cpumask_of_node() in place when binding a kernel thread to a cpuset
of a particular node.
Note that the provided node id is checked inside map_benchmark_ioctl().
It's just a NUMA_NO_NODE case which is not handled properly later.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 65789daa8087 ("dma-mapping: add benchmark support for streaming DMA APIs")
Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru>
Acked-by: Barry Song <baohua(a)kernel.org>
Signed-off-by: Christoph Hellwig <hch(a)lst.de>
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
---
kernel/dma/map_benchmark.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/dma/map_benchmark.c b/kernel/dma/map_benchmark.c
index e0e64f8b0739..c2d225e1cd47 100644
--- a/kernel/dma/map_benchmark.c
+++ b/kernel/dma/map_benchmark.c
@@ -121,7 +121,6 @@ static int do_map_benchmark(struct map_benchmark_data *map)
struct task_struct **tsk;
int threads = map->bparam.threads;
int node = map->bparam.node;
- const cpumask_t *cpu_mask = cpumask_of_node(node);
u64 loops;
int ret = 0;
int i;
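Review bot: The removed `const cpumask_t *cpu_mask = cpumask_of_node(node);` sat in the declaration block directly after `int node = map->bparam.node;`, so it ran before any guard on `node`, and nothing visible in this hunk says which values `node` may hold. Since the commit message relies on the range check living in map_benchmark_ioctl() and only NUMA_NO_NODE reaching this point unhandled, a one-line comment on the `node` declaration stating that it is either NUMA_NO_NODE or an already validated node id would record that dependency in the code.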
@@ -142,7 +141,7 @@ static int do_map_benchmark(struct map_benchmark_data *map)
}
if (node != NUMA_NO_NODE)
- kthread_bind_mask(tsk[i], cpu_mask);
+ kthread_bind_mask(tsk[i], cpumask_of_node(node));
}
/* clear the old value in the previous benchmark */
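Review bot: On the added `kthread_bind_mask(tsk[i], cpumask_of_node(node));` line, the lookup is now correct only because it sits under `if (node != NUMA_NO_NODE)`, and it is re-evaluated each time this statement runs for a `tsk[i]`. The repetition is harmless, but a short comment above the guard saying that cpumask_of_node() must not be evaluated for NUMA_NO_NODE would keep a later cleanup from hoisting the call back into a declaration initializer, which is the pattern the first hunk removes.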
--
2.25.1
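The evaluation order described in the commit message, as an added user-space model that is not code from the patch or the kernel. The `model_*` names, the checked lookup and the counter are assumptions made for illustration; only the index -1 and the 64-entry array size are taken from the UBSAN report.

```c
#include <stdio.h>

#define MODEL_NUMA_NO_NODE (-1)  /* the index the UBSAN report flags */
#define MODEL_MAX_NODES    64    /* from 'cpumask [64][1]' in the report */

struct model_cpumask { unsigned long bits; };
static struct model_cpumask model_node_map[MODEL_MAX_NODES];
static int oob_lookups;          /* lookups that would have indexed outside the array */

/* Hypothetical stand-in for cpumask_of_node(): records the violation instead of doing it. */
static const struct model_cpumask *model_cpumask_of_node(int node)
{
    if (node < 0 || node >= MODEL_MAX_NODES) {
        oob_lookups++;
        return NULL;
    }
    return &model_node_map[node];
}

/* Pre-patch shape: lookup in the declaration initializer, before the guard. */
static int bind_threads_eager(int node, int threads)
{
    const struct model_cpumask *mask = model_cpumask_of_node(node);
    int bound = 0;
    for (int i = 0; i < threads; i++)
        if (node != MODEL_NUMA_NO_NODE && mask)
            bound++;
    return bound;
}

/* Post-patch shape: lookup happens only inside the guarded branch. */
static int bind_threads_guarded(int node, int threads)
{
    int bound = 0;
    for (int i = 0; i < threads; i++)
        if (node != MODEL_NUMA_NO_NODE && model_cpumask_of_node(node))
            bound++;
    return bound;
}

/* Runs one variant and returns how many out-of-range lookups it made. */
static int count_oob(int (*fn)(int, int), int node, int threads)
{
    oob_lookups = 0;
    fn(node, threads);
    return oob_lookups;
}

int main(void)
{
    printf("eager: %d\n", count_oob(bind_threads_eager, MODEL_NUMA_NO_NODE, 4));
    printf("guarded: %d\n", count_oob(bind_threads_guarded, MODEL_NUMA_NO_NODE, 4));
    return 0;
}
```

Both variants bind the same number of threads for a valid node; they differ only in whether the lookup is reached when the node is unset.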