mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 37 participants
  • 19009 discussions
[PATCH OLK-6.6] gfs2: Fix potential glock use-after-free on unmount
by Zeng Heng 12 Jul '24

From: Andreas Gruenbacher <agruenba(a)redhat.com>

stable inclusion
from stable-v6.6.33
commit 0636b34b44589b142700ac137b5f69802cfe2e37
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IA74DQ

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit d98779e687726d8f8860f1c54b5687eec5f63a73 ]

When a DLM lockspace is released and there are still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until a lock is unlocked or its lockspace is released.

To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks.

As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.

Fixes: fb6791d100d1b ("GFS2: skip dlm_unlock calls in unmount")
Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com>
Cc: David Teigland <teigland(a)redhat.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>

Conflicts:
  fs/gfs2/glock.c
  fs/gfs2/glock.h
[Resolve conflicts due to several refactor patches not merged.]
Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
--- fs/gfs2/glock.c | 39 ++++++++++++++++++++++++++++++++++----- fs/gfs2/glock.h | 3 ++- fs/gfs2/incore.h | 1 + fs/gfs2/lock_dlm.c | 32 ++++++++++++++++++++++---------- fs/gfs2/ops_fstype.c | 1 + fs/gfs2/super.c | 3 --- 6 files changed, 60 insertions(+), 19 deletions(-) diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c index 4a280be229a6..7739e6198d75 100644 --- a/fs/gfs2/glock.c +++ b/fs/gfs2/glock.c 
@@ -166,19 +166,46 @@ static bool glock_blocked_by_withdraw(struct gfs2_glock *gl) return true; } -void gfs2_glock_free(struct gfs2_glock *gl) +static void __gfs2_glock_free(struct gfs2_glock *gl) { - struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; - gfs2_glock_assert_withdraw(gl, atomic_read(&gl->gl_revokes) == 0); rhashtable_remove_fast(&gl_hash_table, &gl->gl_node, ht_parms); smp_mb(); wake_up_glock(gl); call_rcu(&gl->gl_rcu, gfs2_glock_dealloc); +} + +void gfs2_glock_free(struct gfs2_glock *gl) { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; + + __gfs2_glock_free(gl); if (atomic_dec_and_test(&sdp->sd_glock_disposal)) wake_up(&sdp->sd_kill_wait); } +void gfs2_glock_free_later(struct gfs2_glock *gl) { + struct gfs2_sbd *sdp = gl->gl_name.ln_sbd; + + spin_lock(&lru_lock); + list_add(&gl->gl_lru, &sdp->sd_dead_glocks); + spin_unlock(&lru_lock); + if (atomic_dec_and_test(&sdp->sd_glock_disposal)) + wake_up(&sdp->sd_kill_wait); +} + +static void gfs2_free_dead_glocks(struct gfs2_sbd *sdp) +{ + struct list_head *list = &sdp->sd_dead_glocks; + + while(!list_empty(list)) { + struct gfs2_glock *gl; + + gl = list_first_entry(list, struct gfs2_glock, gl_lru); + list_del_init(&gl->gl_lru); + __gfs2_glock_free(gl); + } +} + /** * gfs2_glock_hold() - increment reference count on glock * @gl: The glock to hold @@ -467,7 +494,7 @@ int gfs2_instantiate(struct gfs2_holder *gh) /** * do_promote - promote as many requests as possible on the current queue * @gl: The glock - * + * * Returns true on success (i.e., progress was made or there are no waiters). */ @@ -1468,7 +1495,7 @@ static inline bool pid_is_meaningful(const struct gfs2_holder *gh) * Eventually we should move the recursive locking trap to a * debugging option or something like that. This is the fast * path and needs to have the minimum number of distractions. - * + * */ static inline void add_to_queue(struct gfs2_holder *gh) 
@@ -2193,6 +2220,8 @@ void gfs2_gl_hash_clear(struct gfs2_sbd *sdp) wait_event_timeout(sdp->sd_kill_wait, atomic_read(&sdp->sd_glock_disposal) == 0, HZ * 600); + gfs2_lm_unmount(sdp); + gfs2_free_dead_glocks(sdp); glock_hash_walk(dump_glock_func, sdp); } diff --git a/fs/gfs2/glock.h b/fs/gfs2/glock.h index c8685ca7d2a2..a5d793026de8 100644 --- a/fs/gfs2/glock.h +++ b/fs/gfs2/glock.h @@ -84,7 +84,7 @@ enum { #define GL_SKIP 0x0100 #define GL_NOPID 0x0200 #define GL_NOCACHE 0x0400 - + /* * lm_async_cb return flags * @@ -266,6 +266,7 @@ extern void gfs2_gl_dq_holders(struct gfs2_sbd *sdp); extern void gfs2_glock_thaw(struct gfs2_sbd *sdp); extern void gfs2_glock_add_to_lru(struct gfs2_glock *gl); extern void gfs2_glock_free(struct gfs2_glock *gl); +extern void gfs2_glock_free_later(struct gfs2_glock *gl); extern int __init gfs2_glock_init(void); extern void gfs2_glock_exit(void); diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h index a8c95c5293c6..d364daa87c81 100644 --- a/fs/gfs2/incore.h +++ b/fs/gfs2/incore.h @@ -838,6 +838,7 @@ struct gfs2_sbd { /* For quiescing the filesystem */ struct gfs2_holder sd_freeze_gh; struct mutex sd_freeze_mutex; + struct list_head sd_dead_glocks; char sd_fsname[GFS2_FSNAME_LEN + 3 * sizeof(int) + 2]; char sd_table_name[GFS2_FSNAME_LEN]; diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c index 59ab18c79889..0bde45fb4963 100644 --- a/fs/gfs2/lock_dlm.c +++ b/fs/gfs2/lock_dlm.c @@ -121,6 +121,11 @@ static void gdlm_ast(void *arg) struct gfs2_glock *gl = arg; unsigned ret = gl->gl_state; + /* If the glock is dead, we only react to a dlm_unlock() reply. */ + if (__lockref_is_dead(&gl->gl_lockref) && + gl->gl_lksb.sb_status != -DLM_EUNLOCK) + return; + gfs2_update_reply_times(gl); BUG_ON(gl->gl_lksb.sb_flags & DLM_SBF_DEMOTED); 
@@ -171,6 +176,9 @@ static void gdlm_bast(void *arg, int mode) { struct gfs2_glock *gl = arg; + if (__lockref_is_dead(&gl->gl_lockref)) + return; + switch (mode) { case DLM_LOCK_EX: gfs2_glock_cb(gl, LM_ST_UNLOCKED); @@ -291,8 +299,12 @@ static void gdlm_put_lock(struct gfs2_glock *gl) struct lm_lockstruct *ls = &sdp->sd_lockstruct; int error; - if (gl->gl_lksb.sb_lkid == 0) - goto out_free; + BUG_ON(!__lockref_is_dead(&gl->gl_lockref)); + + if (gl->gl_lksb.sb_lkid == 0) { + gfs2_glock_free(gl); + return; + } clear_bit(GLF_BLOCKING, &gl->gl_flags); gfs2_glstats_inc(gl, GFS2_LKS_DCOUNT); @@ -300,13 +312,17 @@ static void gdlm_put_lock(struct gfs2_glock *gl) gfs2_update_request_times(gl); /* don't want to call dlm if we've unmounted the lock protocol */ - if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) - goto out_free; + if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { + gfs2_glock_free(gl); + return; + } /* don't want to skip dlm_unlock writing the lvb when lock has one */ if (test_bit(SDF_SKIP_DLM_UNLOCK, &sdp->sd_flags) && - !gl->gl_lksb.sb_lvbptr) - goto out_free; + !gl->gl_lksb.sb_lvbptr) { + gfs2_glock_free_later(gl); + return; + } again: error = dlm_unlock(ls->ls_dlm, gl->gl_lksb.sb_lkid, DLM_LKF_VALBLK, @@ -321,10 +337,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl) gl->gl_name.ln_type, (unsigned long long)gl->gl_name.ln_number, error); } - return; - -out_free: - gfs2_glock_free(gl); } static void gdlm_cancel(struct gfs2_glock *gl) diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index dd64140ae6d7..c5743f84a10d 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -136,6 +136,7 @@ static struct gfs2_sbd *init_sbd(struct super_block *sb) atomic_set(&sdp->sd_log_in_flight, 0); init_waitqueue_head(&sdp->sd_log_flush_wait); mutex_init(&sdp->sd_freeze_mutex); + INIT_LIST_HEAD(&sdp->sd_dead_glocks); return sdp; diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c index 5f4ebe279aaa..b590d435a6cb 100644 --- a/fs/gfs2/super.c 
+++ b/fs/gfs2/super.c @@ -646,10 +646,7 @@ static void gfs2_put_super(struct super_block *sb) gfs2_gl_hash_clear(sdp); truncate_inode_pages_final(&sdp->sd_aspace); gfs2_delete_debugfs_file(sdp); - /* Unmount the locking protocol */ - gfs2_lm_unmount(sdp); - /* At this point, we're through participating in the lockspace */ gfs2_sys_fs_del(sdp); free_sbd(sdp); } -- 2.25.1
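Review bot: In fs/gfs2/glock.c, gfs2_glock_free_later() adds to sd_dead_glocks under lru_lock, but gfs2_free_dead_glocks() walks and empties the same list with no lock held. That is only safe if nothing can still reach gfs2_glock_free_later() once gfs2_lm_unmount() has returned; please state that in a comment above gfs2_free_dead_glocks(), or take lru_lock around the list_del_init(). Note also that the wait_event_timeout() just before the new calls in gfs2_gl_hash_clear() can return on the HZ * 600 timeout with sd_glock_disposal still non-zero, and its return value is not checked before the dead glocks are freed. Style: the opening brace of gfs2_glock_free() and gfs2_glock_free_later() belongs on its own line, and "while(!list_empty(list))" needs a space after "while".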
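Review bot: The do_promote and add_to_queue comment hunks in fs/gfs2/glock.c and the hunk after "#define GL_NOCACHE 0x0400" in fs/gfs2/glock.h each remove a line and add back what reads as the same line, so they change whitespace only. They have nothing to do with the use-after-free fix and make the backport harder to compare against the stable commit; please drop them, or mention them in the Conflicts note if they are leftovers of the conflict resolution.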
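Review bot: gfs2_lm_unmount() is now called from inside gfs2_gl_hash_clear() and is removed only from gfs2_put_super() in fs/gfs2/super.c. Any other caller of gfs2_gl_hash_clear() that still calls gfs2_lm_unmount() afterwards would now release the lockspace twice; since the Conflicts note says several refactor patches are not merged in this tree, please confirm no such caller exists here and update the gfs2_gl_hash_clear() comment to say that it also unmounts the locking protocol. In fs/gfs2/lock_dlm.c, the new "BUG_ON(!__lockref_is_dead(&gl->gl_lockref));" at the top of gdlm_put_lock() deserves a one-line comment on why a live lockref can never get here.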
[PATCH OLK-6.6 V3 0/2] Fix xfs file creation issue
by Zizhi Wo 12 Jul '24

V3: Add a fix tag that was missing from the second patch.
V2: Add a fix tag that was missing from the first patch.
V1: Fix main problem.

Zizhi Wo (2):
  Revert "xfs: Fix file creation failure"
  xfs: Avoid races with cnt_btree lastrec updates

 fs/xfs/libxfs/xfs_alloc.c       | 125 +++++++++++++++++++++++++++++---
 fs/xfs/libxfs/xfs_alloc_btree.c |  72 ------------------
 fs/xfs/libxfs/xfs_btree.c       |  51 -------------
 fs/xfs/libxfs/xfs_btree.h       |  19 +----
 4 files changed, 115 insertions(+), 152 deletions(-)

--
2.39.2
[openeuler:OLK-5.10] BUILD SUCCESS 9bb2f255d4cf060692e6f5240ace43b12ac72246
by kernel test robot 12 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-5.10
branch HEAD: 9bb2f255d4cf060692e6f5240ace43b12ac72246  !9745 CVE-2024-39469

elapsed time: 732m

configs tested: 34
configs skipped: 128

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
arm64       allmodconfig                        clang-19
arm64       allnoconfig                         gcc-14.1.0
arm64       randconfig-001-20240712             gcc-14.1.0
arm64       randconfig-002-20240712             gcc-14.1.0
arm64       randconfig-003-20240712             clang-19
arm64       randconfig-004-20240712             clang-17
x86_64      allnoconfig                         clang-18
x86_64      allyesconfig                        clang-18
x86_64      buildonly-randconfig-001-20240712   clang-18
x86_64      buildonly-randconfig-002-20240712   clang-18
x86_64      buildonly-randconfig-003-20240712   clang-18
x86_64      buildonly-randconfig-004-20240712   clang-18
x86_64      buildonly-randconfig-005-20240712   clang-18
x86_64      buildonly-randconfig-006-20240712   clang-18
x86_64      defconfig                           gcc-13
x86_64      randconfig-001-20240712             gcc-12
x86_64      randconfig-002-20240712             gcc-13
x86_64      randconfig-003-20240712             gcc-12
x86_64      randconfig-004-20240712             clang-18
x86_64      randconfig-005-20240712             gcc-13
x86_64      randconfig-006-20240712             clang-18
x86_64      randconfig-011-20240712             clang-18
x86_64      randconfig-012-20240712             clang-18
x86_64      randconfig-013-20240712             clang-18
x86_64      randconfig-014-20240712             gcc-13
x86_64      randconfig-015-20240712             clang-18
x86_64      randconfig-016-20240712             clang-18
x86_64      randconfig-071-20240712             gcc-13
x86_64      randconfig-072-20240712             gcc-11
x86_64      randconfig-073-20240712             clang-18
x86_64      randconfig-074-20240712             gcc-9
x86_64      randconfig-075-20240712             clang-18
x86_64      randconfig-076-20240712             clang-18
x86_64      rhel-8.3-rust                       clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6 V2 0/2] Fix xfs file creation issue
by Zizhi Wo 12 Jul '24

V2: Add a fix tag that was missing from the first patch.
V1: Fix main problem.

Zizhi Wo (2):
  Revert "xfs: Fix file creation failure"
  xfs: Avoid races with cnt_btree lastrec updates

 fs/xfs/libxfs/xfs_alloc.c       | 125 +++++++++++++++++++++++++++++---
 fs/xfs/libxfs/xfs_alloc_btree.c |  72 ------------------
 fs/xfs/libxfs/xfs_btree.c       |  51 -------------
 fs/xfs/libxfs/xfs_btree.h       |  19 +----
 4 files changed, 115 insertions(+), 152 deletions(-)

--
2.39.2
[openeuler:openEuler-1.0-LTS] BUILD SUCCESS 8585cfc057fe5efb77b4d3582604b16fdf4ccc09
by kernel test robot 12 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
branch HEAD: 8585cfc057fe5efb77b4d3582604b16fdf4ccc09  !9858 khugepaged: fix null-pointer dereference due to race

elapsed time: 736m

configs tested: 30
configs skipped: 128

The following configs have been built successfully.
More configs may be tested in the coming days.

tested configs:
arm64       allmodconfig                        gcc-14.1.0
arm64       allnoconfig                         gcc-14.1.0
arm64       randconfig-001-20240712             gcc-14.1.0
arm64       randconfig-002-20240712             gcc-14.1.0
arm64       randconfig-003-20240712             gcc-14.1.0
arm64       randconfig-004-20240712             gcc-14.1.0
x86_64      allnoconfig                         clang-18
x86_64      allyesconfig                        clang-18
x86_64      buildonly-randconfig-001-20240712   clang-18
x86_64      buildonly-randconfig-002-20240712   clang-18
x86_64      buildonly-randconfig-003-20240712   clang-18
x86_64      buildonly-randconfig-004-20240712   clang-18
x86_64      buildonly-randconfig-005-20240712   clang-18
x86_64      buildonly-randconfig-006-20240712   clang-18
x86_64      defconfig                           gcc-13
x86_64      randconfig-001-20240712             gcc-12
x86_64      randconfig-002-20240712             gcc-13
x86_64      randconfig-003-20240712             gcc-12
x86_64      randconfig-004-20240712             clang-18
x86_64      randconfig-005-20240712             gcc-13
x86_64      randconfig-006-20240712             clang-18
x86_64      randconfig-011-20240712             clang-18
x86_64      randconfig-012-20240712             clang-18
x86_64      randconfig-013-20240712             clang-18
x86_64      randconfig-014-20240712             gcc-13
x86_64      randconfig-015-20240712             clang-18
x86_64      randconfig-016-20240712             clang-18
x86_64      randconfig-071-20240712             gcc-13
x86_64      randconfig-072-20240712             gcc-11
x86_64      rhel-8.3-rust                       clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 3761/10661] arch/loongarch/kvm/../../../virt/kvm/kvm_main.c:426:53: warning: 'kvmalloc_array' sizes specified with 'sizeof' in the earlier argument and not in the later argument
by kernel test robot 12 Jul '24

Hi Tianrui,

First bad commit (maybe != root cause):

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   15f539c4a521c5ae892554d0046e24f050ec0e00
commit: 07db411edd838080fb7c42b9f56bc08dd60d9af6 [3761/10661] LoongArch: KVM: Enable kvm config and add the makefile
config: loongarch-randconfig-001-20240711 (https://download.01.org/0day-ci/archive/20240712/202407120630.mHZS1KSZ-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240712/202407120630.mHZS1KSZ-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407120630.mHZS1KSZ-lkp@intel.com/

All warnings (new ones prefixed by >>):

   arch/loongarch/kvm/../../../virt/kvm/kvm_main.c: In function '__kvm_mmu_topup_memory_cache':
>> arch/loongarch/kvm/../../../virt/kvm/kvm_main.c:426:53: warning: 'kvmalloc_array' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
     426 |                 mc->objects = kvmalloc_array(sizeof(void *), capacity, gfp);
         |                                                     ^~~~
   arch/loongarch/kvm/../../../virt/kvm/kvm_main.c:426:53: note: earlier argument should specify number of elements, later size of each element

vim +426 arch/loongarch/kvm/../../../virt/kvm/kvm_main.c

6926f95accee3f Sean Christopherson 2020-07-02  413
837f66c7120754 David Matlack       2022-06-22  414  int __kvm_mmu_topup_memory_cache(struct kvm_mmu_memory_cache *mc, int capacity, int min)
6926f95accee3f Sean Christopherson 2020-07-02  415  {
63f4b210414b65 Paolo Bonzini       2022-07-29  416          gfp_t gfp = mc->gfp_custom ? mc->gfp_custom : GFP_KERNEL_ACCOUNT;
6926f95accee3f Sean Christopherson 2020-07-02  417          void *obj;
6926f95accee3f Sean Christopherson 2020-07-02  418
6926f95accee3f Sean Christopherson 2020-07-02  419          if (mc->nobjs >= min)
6926f95accee3f Sean Christopherson 2020-07-02  420                  return 0;
837f66c7120754 David Matlack       2022-06-22  421
837f66c7120754 David Matlack       2022-06-22  422          if (unlikely(!mc->objects)) {
837f66c7120754 David Matlack       2022-06-22  423                  if (WARN_ON_ONCE(!capacity))
837f66c7120754 David Matlack       2022-06-22  424                          return -EIO;
837f66c7120754 David Matlack       2022-06-22  425
837f66c7120754 David Matlack       2022-06-22 @426                  mc->objects = kvmalloc_array(sizeof(void *), capacity, gfp);
837f66c7120754 David Matlack       2022-06-22  427                  if (!mc->objects)
837f66c7120754 David Matlack       2022-06-22  428                          return -ENOMEM;
837f66c7120754 David Matlack       2022-06-22  429
837f66c7120754 David Matlack       2022-06-22  430                  mc->capacity = capacity;
837f66c7120754 David Matlack       2022-06-22  431          }
837f66c7120754 David Matlack       2022-06-22  432
837f66c7120754 David Matlack       2022-06-22  433          /* It is illegal to request a different capacity across topups. */
837f66c7120754 David Matlack       2022-06-22  434          if (WARN_ON_ONCE(mc->capacity != capacity))
837f66c7120754 David Matlack       2022-06-22  435                  return -EIO;
837f66c7120754 David Matlack       2022-06-22  436
837f66c7120754 David Matlack       2022-06-22  437          while (mc->nobjs < mc->capacity) {
837f66c7120754 David Matlack       2022-06-22  438                  obj = mmu_memory_cache_alloc_obj(mc, gfp);
6926f95accee3f Sean Christopherson 2020-07-02  439                  if (!obj)
6926f95accee3f Sean Christopherson 2020-07-02  440                          return mc->nobjs >= min ? 0 : -ENOMEM;
6926f95accee3f Sean Christopherson 2020-07-02  441                  mc->objects[mc->nobjs++] = obj;
6926f95accee3f Sean Christopherson 2020-07-02  442          }
6926f95accee3f Sean Christopherson 2020-07-02  443          return 0;
6926f95accee3f Sean Christopherson 2020-07-02  444  }
6926f95accee3f Sean Christopherson 2020-07-02  445

:::::: The code at line 426 was first introduced by commit
:::::: 837f66c71207542283831d0762c5dca3db5b397a KVM: Allow for different capacities in kvm_mmu_memory_cache structs

:::::: TO: David Matlack <dmatlack(a)google.com>
:::::: CC: Paolo Bonzini <pbonzini(a)redhat.com>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6] BUILD REGRESSION 15f539c4a521c5ae892554d0046e24f050ec0e00
by kernel test robot 12 Jul '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: 15f539c4a521c5ae892554d0046e24f050ec0e00  !5260 [OLK-6.6] Support live migration for CSV/CSV2 guest, and support rebooting CSV/CSV2 guest

Error/Warning reports:

https://lore.kernel.org/oe-kbuild-all/202407120045.vP3mrDfe-lkp@intel.com
https://lore.kernel.org/oe-kbuild-all/202407120236.foVeyRg9-lkp@intel.com

Error/Warning: (recently discovered and may have been fixed)

drivers/char/virtio_console.c:1460:63: warning: '%u' directive output may be truncated writing between 1 and 10 bytes into a region of size between 0 and 9 [-Wformat-truncation=]
loongarch64-linux-ld: ls2k500sfb.c:(.text+0x1030): undefined reference to `fg_console'
ls2k500sfb.c:(.text+0x102c): undefined reference to `fg_console'

Error/Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allmodconfig
|   `-- clang:warning:no-such-include-directory:drivers-infiniband-hw-hiroce3-include-mag
|-- arm64-randconfig-003-20240711
|   `-- drivers-char-virtio_console.c:warning:u-directive-output-may-be-truncated-writing-between-and-bytes-into-a-region-of-size-between-and
`-- loongarch-randconfig-r133-20240711
    |-- loongarch64-linux-ld:ls2k500sfb.c:(.text):undefined-reference-to-fg_console
    `-- ls2k500sfb.c:(.text):undefined-reference-to-fg_console

elapsed time: 737m

configs tested: 38
configs skipped: 107

tested configs:
arm64       allmodconfig                        clang-19
arm64       allnoconfig                         gcc-14.1.0
arm64       randconfig-001-20240711             clang-19
arm64       randconfig-002-20240711             gcc-14.1.0
arm64       randconfig-003-20240711             gcc-14.1.0
arm64       randconfig-004-20240711             gcc-14.1.0
loongarch   allmodconfig                        gcc-14.1.0
loongarch   allnoconfig                         gcc-14.1.0
loongarch   randconfig-001-20240711             gcc-14.1.0
loongarch   randconfig-002-20240711             gcc-14.1.0
x86_64      allnoconfig                         clang-18
x86_64      allyesconfig                        clang-18
x86_64      buildonly-randconfig-001-20240711   clang-18
x86_64      buildonly-randconfig-002-20240711   clang-18
x86_64      buildonly-randconfig-003-20240711   clang-18
x86_64      buildonly-randconfig-004-20240711   clang-18
x86_64      buildonly-randconfig-005-20240711   gcc-13
x86_64      buildonly-randconfig-006-20240711   gcc-13
x86_64      defconfig                           gcc-13
x86_64      randconfig-001-20240711             gcc-13
x86_64      randconfig-002-20240711             gcc-13
x86_64      randconfig-003-20240711             gcc-11
x86_64      randconfig-004-20240711             gcc-9
x86_64      randconfig-005-20240711             clang-18
x86_64      randconfig-006-20240711             gcc-13
x86_64      randconfig-011-20240711             gcc-13
x86_64      randconfig-012-20240711             clang-18
x86_64      randconfig-013-20240711             gcc-13
x86_64      randconfig-014-20240711             clang-18
x86_64      randconfig-015-20240711             clang-18
x86_64      randconfig-016-20240711             gcc-10
x86_64      randconfig-071-20240711             gcc-13
x86_64      randconfig-072-20240711             gcc-13
x86_64      randconfig-073-20240711             clang-18
x86_64      randconfig-074-20240711             gcc-13
x86_64      randconfig-075-20240711             clang-18
x86_64      randconfig-076-20240711             gcc-8
x86_64      rhel-8.3-rust                       clang-18

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 2431/10661] drivers/char/virtio_console.c:1460:63: warning: '%u' directive output may be truncated writing between 1 and 10 bytes into a region of size between 0 and 9
by kernel test robot 12 Jul '24

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   15f539c4a521c5ae892554d0046e24f050ec0e00
commit: f04c0f3eb9b49427c273cd3e4d5a2ff895855b4b [2431/10661] make OPTIMIZE_INLINING config editable
config: arm64-randconfig-003-20240711 (https://download.01.org/0day-ci/archive/20240712/202407120236.foVeyRg9-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240712/202407120236.foVeyRg9-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407120236.foVeyRg9-lkp@intel.com/

All warnings (new ones prefixed by >>):

   drivers/char/virtio_console.c: In function 'add_port.isra':
>> drivers/char/virtio_console.c:1460:63: warning: '%u' directive output may be truncated writing between 1 and 10 bytes into a region of size between 0 and 9 [-Wformat-truncation=]
    1460 |         snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
         |                                                               ^~
   drivers/char/virtio_console.c:1460:54: note: directive argument in the range [0, 4294967294]
    1460 |         snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
         |                                                      ^~~~~~~~~~~~
   drivers/char/virtio_console.c:1460:9: note: 'snprintf' output between 9 and 27 bytes into a destination of size 16
    1460 |         snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
         |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    1461 |                  port->portdev->vdev->index, id);
         |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vim +1460 drivers/char/virtio_console.c

3eae0adea949d8 Amit Shah          2010-09-02  1354
c446f8fcc9fba3 Amit Shah          2010-05-19  1355  static int add_port(struct ports_device *portdev, u32 id)
c446f8fcc9fba3 Amit Shah          2010-05-19  1356  {
c446f8fcc9fba3 Amit Shah          2010-05-19  1357          char debugfs_name[16];
c446f8fcc9fba3 Amit Shah          2010-05-19  1358          struct port *port;
c446f8fcc9fba3 Amit Shah          2010-05-19  1359          dev_t devt;
c446f8fcc9fba3 Amit Shah          2010-05-19  1360          int err;
c446f8fcc9fba3 Amit Shah          2010-05-19  1361
c446f8fcc9fba3 Amit Shah          2010-05-19  1362          port = kmalloc(sizeof(*port), GFP_KERNEL);
c446f8fcc9fba3 Amit Shah          2010-05-19  1363          if (!port) {
c446f8fcc9fba3 Amit Shah          2010-05-19  1364                  err = -ENOMEM;
c446f8fcc9fba3 Amit Shah          2010-05-19  1365                  goto fail;
c446f8fcc9fba3 Amit Shah          2010-05-19  1366          }
b353a6b8216270 Amit Shah          2010-09-02  1367          kref_init(&port->kref);
c446f8fcc9fba3 Amit Shah          2010-05-19  1368
c446f8fcc9fba3 Amit Shah          2010-05-19  1369          port->portdev = portdev;
c446f8fcc9fba3 Amit Shah          2010-05-19  1370          port->id = id;
c446f8fcc9fba3 Amit Shah          2010-05-19  1371
c446f8fcc9fba3 Amit Shah          2010-05-19  1372          port->name = NULL;
c446f8fcc9fba3 Amit Shah          2010-05-19  1373          port->inbuf = NULL;
c446f8fcc9fba3 Amit Shah          2010-05-19  1374          port->cons.hvc = NULL;
3eae0adea949d8 Amit Shah          2010-09-02  1375          port->async_queue = NULL;
c446f8fcc9fba3 Amit Shah          2010-05-19  1376
9778829cffd4d8 Amit Shah          2010-05-06  1377          port->cons.ws.ws_row = port->cons.ws.ws_col = 0;
4b0a2c5ff72152 Pankaj Gupta       2019-03-19  1378          port->cons.vtermno = 0;
9778829cffd4d8 Amit Shah          2010-05-06  1379
c446f8fcc9fba3 Amit Shah          2010-05-19  1380          port->host_connected = port->guest_connected = false;
17e5b4f20adbe2 Amit Shah          2011-09-14  1381          port->stats = (struct port_stats) { 0 };
c446f8fcc9fba3 Amit Shah          2010-05-19  1382
cdfadfc1adb87f Amit Shah          2010-05-19  1383          port->outvq_full = false;
cdfadfc1adb87f Amit Shah          2010-05-19  1384
c446f8fcc9fba3 Amit Shah          2010-05-19  1385          port->in_vq = portdev->in_vqs[port->id];
c446f8fcc9fba3 Amit Shah          2010-05-19  1386          port->out_vq = portdev->out_vqs[port->id];
c446f8fcc9fba3 Amit Shah          2010-05-19  1387
d22a69892bd8f2 Amit Shah          2010-09-02  1388          port->cdev = cdev_alloc();
d22a69892bd8f2 Amit Shah          2010-09-02  1389          if (!port->cdev) {
d22a69892bd8f2 Amit Shah          2010-09-02  1390                  dev_err(&port->portdev->vdev->dev, "Error allocating cdev\n");
d22a69892bd8f2 Amit Shah          2010-09-02  1391                  err = -ENOMEM;
d22a69892bd8f2 Amit Shah          2010-09-02  1392                  goto free_port;
d22a69892bd8f2 Amit Shah          2010-09-02  1393          }
d22a69892bd8f2 Amit Shah          2010-09-02  1394          port->cdev->ops = &port_fops;
c446f8fcc9fba3 Amit Shah          2010-05-19  1395
c446f8fcc9fba3 Amit Shah          2010-05-19  1396          devt = MKDEV(portdev->chr_major, id);
d22a69892bd8f2 Amit Shah          2010-09-02  1397          err = cdev_add(port->cdev, devt, 1);
c446f8fcc9fba3 Amit Shah          2010-05-19  1398          if (err < 0) {
c446f8fcc9fba3 Amit Shah          2010-05-19  1399                  dev_err(&port->portdev->vdev->dev,
c446f8fcc9fba3 Amit Shah          2010-05-19  1400                          "Error %d adding cdev for port %u\n", err, id);
d22a69892bd8f2 Amit Shah          2010-09-02  1401                  goto free_cdev;
c446f8fcc9fba3 Amit Shah          2010-05-19  1402          }
11680fdf29cec5 Ivan Orlov         2023-06-20  1403          port->dev = device_create(&port_class, &port->portdev->vdev->dev,
c446f8fcc9fba3 Amit Shah          2010-05-19  1404                                    devt, port, "vport%up%u",
dc18f0800f5f16 Sjur Brændeland    2013-02-12  1405                                    port->portdev->vdev->index, id);
c446f8fcc9fba3 Amit Shah          2010-05-19  1406          if (IS_ERR(port->dev)) {
c446f8fcc9fba3 Amit Shah          2010-05-19  1407                  err = PTR_ERR(port->dev);
c446f8fcc9fba3 Amit Shah          2010-05-19  1408                  dev_err(&port->portdev->vdev->dev,
c446f8fcc9fba3 Amit Shah          2010-05-19  1409                          "Error %d creating device for port %u\n",
c446f8fcc9fba3 Amit Shah          2010-05-19  1410                          err, id);
c446f8fcc9fba3 Amit Shah          2010-05-19  1411                  goto free_cdev;
c446f8fcc9fba3 Amit Shah          2010-05-19  1412          }
c446f8fcc9fba3 Amit Shah          2010-05-19  1413
c446f8fcc9fba3 Amit Shah          2010-05-19  1414          spin_lock_init(&port->inbuf_lock);
cdfadfc1adb87f Amit Shah          2010-05-19  1415          spin_lock_init(&port->outvq_lock);
c446f8fcc9fba3 Amit Shah          2010-05-19  1416          init_waitqueue_head(&port->waitqueue);
c446f8fcc9fba3 Amit Shah          2010-05-19  1417
d791cfcbf98191 Laurent Vivier     2019-11-14  1418          /* We can safely ignore ENOSPC because it means
d791cfcbf98191 Laurent Vivier     2019-11-14  1419           * the queue already has buffers. Buffers are removed
d791cfcbf98191 Laurent Vivier     2019-11-14  1420           * only by virtcons_remove(), not by unplug_port()
d791cfcbf98191 Laurent Vivier     2019-11-14  1421           */
d791cfcbf98191 Laurent Vivier     2019-11-14  1422          err = fill_queue(port->in_vq, &port->inbuf_lock);
d791cfcbf98191 Laurent Vivier     2019-11-14  1423          if (err < 0 && err != -ENOSPC) {
c446f8fcc9fba3 Amit Shah          2010-05-19  1424                  dev_err(port->dev, "Error allocating inbufs\n");
c446f8fcc9fba3 Amit Shah          2010-05-19  1425                  goto free_device;
c446f8fcc9fba3 Amit Shah          2010-05-19  1426          }
c446f8fcc9fba3 Amit Shah          2010-05-19  1427
1b6370463e88b0 Sjur Brændeland    2012-12-14  1428          if (is_rproc_serial(port->portdev->vdev))
c446f8fcc9fba3 Amit Shah          2010-05-19  1429                  /*
1b6370463e88b0 Sjur Brændeland    2012-12-14  1430                   * For rproc_serial assume remote processor is connected.
1b6370463e88b0 Sjur Brændeland    2012-12-14  1431                   * rproc_serial does not want the console port, only
1b6370463e88b0 Sjur Brændeland    2012-12-14  1432                   * the generic port implementation.
1b6370463e88b0 Sjur Brændeland    2012-12-14  1433                   */
aabd6a8fa5a933 Sjur Brændeland    2013-03-18  1434                  port->host_connected = true;
1b6370463e88b0 Sjur Brændeland    2012-12-14  1435          else if (!use_multiport(port->portdev)) {
c446f8fcc9fba3 Amit Shah          2010-05-19  1436                  /*
1b6370463e88b0 Sjur Brændeland    2012-12-14  1437                   * If we're not using multiport support,
1b6370463e88b0 Sjur Brændeland    2012-12-14  1438                   * this has to be a console port.
c446f8fcc9fba3 Amit Shah          2010-05-19  1439                   */
c446f8fcc9fba3 Amit Shah          2010-05-19  1440                  err = init_port_console(port);
c446f8fcc9fba3 Amit Shah          2010-05-19  1441                  if (err)
c446f8fcc9fba3 Amit Shah          2010-05-19  1442                          goto free_inbufs;
c446f8fcc9fba3 Amit Shah          2010-05-19  1443          }
c446f8fcc9fba3 Amit Shah          2010-05-19  1444
c446f8fcc9fba3 Amit Shah          2010-05-19  1445          spin_lock_irq(&portdev->ports_lock);
c446f8fcc9fba3 Amit Shah          2010-05-19  1446          list_add_tail(&port->list, &port->portdev->ports);
c446f8fcc9fba3 Amit Shah          2010-05-19  1447          spin_unlock_irq(&portdev->ports_lock);
c446f8fcc9fba3 Amit Shah          2010-05-19  1448
c446f8fcc9fba3 Amit Shah          2010-05-19  1449          /*
c446f8fcc9fba3 Amit Shah          2010-05-19  1450           * Tell the Host we're set so that it can send us various
c446f8fcc9fba3 Amit Shah          2010-05-19  1451           * configuration parameters for this port (eg, port name,
c446f8fcc9fba3 Amit Shah          2010-05-19  1452           * caching, whether this is a console port, etc.)
c446f8fcc9fba3 Amit Shah          2010-05-19  1453           */
c446f8fcc9fba3 Amit Shah          2010-05-19  1454          send_control_msg(port, VIRTIO_CONSOLE_PORT_READY, 1);
c446f8fcc9fba3 Amit Shah          2010-05-19  1455
c446f8fcc9fba3 Amit Shah          2010-05-19  1456          /*
c446f8fcc9fba3 Amit Shah          2010-05-19  1457           * Finally, create the debugfs file that we can use to
c446f8fcc9fba3 Amit Shah          2010-05-19  1458           * inspect a port's state at any time
c446f8fcc9fba3 Amit Shah          2010-05-19  1459           */
db1700685c0ad2 Dan Carpenter      2015-05-08 @1460          snprintf(debugfs_name, sizeof(debugfs_name), "vport%up%u",
dc18f0800f5f16 Sjur Brændeland    2013-02-12  1461                   port->portdev->vdev->index, id);
c446f8fcc9fba3 Amit Shah          2010-05-19  1462          port->debugfs_file = debugfs_create_file(debugfs_name, 0444,
c446f8fcc9fba3 Amit Shah          2010-05-19  1463                                                   pdrvdata.debugfs_dir,
fb11de92ac6e4a Greg Kroah-Hartman 2021-02-16  1464                                                   port, &port_debugfs_fops);
c446f8fcc9fba3 Amit Shah          2010-05-19  1465          return 0;
c446f8fcc9fba3 Amit Shah          2010-05-19  1466
c446f8fcc9fba3 Amit Shah          2010-05-19  1467  free_inbufs:
c446f8fcc9fba3 Amit Shah          2010-05-19  1468  free_device:
11680fdf29cec5 Ivan Orlov         2023-06-20  1469          device_destroy(&port_class, port->dev->devt);
c446f8fcc9fba3 Amit Shah          2010-05-19  1470  free_cdev:
d22a69892bd8f2 Amit Shah          2010-09-02  1471          cdev_del(port->cdev);
c446f8fcc9fba3 Amit Shah          2010-05-19  1472  free_port:
c446f8fcc9fba3 Amit Shah          2010-05-19  1473          kfree(port);
c446f8fcc9fba3 Amit Shah          2010-05-19  1474  fail:
c446f8fcc9fba3 Amit Shah          2010-05-19  1475          /* The host might want to notify management sw about port add failure */
0643e4c6e4fd67 Julia Lawall       2010-05-15  1476          __send_control_msg(portdev, id, VIRTIO_CONSOLE_PORT_READY, 0);
c446f8fcc9fba3 Amit Shah          2010-05-19  1477          return err;
c446f8fcc9fba3 Amit Shah          2010-05-19  1478  }
c446f8fcc9fba3 Amit Shah          2010-05-19  1479

:::::: The code at line 1460 was first introduced by commit
:::::: db1700685c0ad2ecb9e42af6a568435a03bbc3fd virtio_console: silence a static checker warning

:::::: TO: Dan Carpenter <dan.carpenter(a)oracle.com>
:::::: CC: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 1625/10661] ls2k500sfb.c:undefined reference to `fg_console'
by kernel test robot 12 Jul '24

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   15f539c4a521c5ae892554d0046e24f050ec0e00
commit: 8248d42b7c5f4338a54f26d8efebec8614b43466 [1625/10661] fbdev: add ls2k500sfb driver for ls2k500 bmc.
config: loongarch-randconfig-r133-20240711 (https://download.01.org/0day-ci/archive/20240712/202407120045.vP3mrDfe-lkp@…)
compiler: loongarch64-linux-gcc (GCC) 13.3.0
reproduce: (https://download.01.org/0day-ci/archive/20240712/202407120045.vP3mrDfe-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202407120045.vP3mrDfe-lkp@intel.com/

All errors (new ones prefixed by >>):

   loongarch64-linux-ld: drivers/video/fbdev/ls2k500sfb.o: in function `.L131':
>> ls2k500sfb.c:(.text+0x102c): undefined reference to `fg_console'
>> loongarch64-linux-ld: ls2k500sfb.c:(.text+0x1030): undefined reference to `fg_console'

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
by Ye Bin 11 Jul '24

From: Herbert Xu <herbert(a)gondor.apana.org.au> mainline inclusion from mainline-v6.10-rc1 commit d3b17c6d9dddc2db3670bc9be628b122416a3d26 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAC3MY CVE: CVE-2024-39493 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely. Fixes: 7d42e097607c ("crypto: qat - resolve race condition during AER recovery") Cc: <stable(a)vger.kernel.org> #6.8+ Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Conflicts: drivers/crypto/qat/qat_common/adf_aer.c drivers/crypto/intel/qat/qat_common/adf_aer.c [Fix context diff] Signed-off-by: Ye Bin <yebin10(a)huawei.com> --- drivers/crypto/qat/qat_common/adf_aer.c | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/drivers/crypto/qat/qat_common/adf_aer.c b/drivers/crypto/qat/qat_common/adf_aer.c index 7242a1ee86de..3811ca0b6e0b 100644 --- a/drivers/crypto/qat/qat_common/adf_aer.c +++ b/drivers/crypto/qat/qat_common/adf_aer.c @@ -139,8 +139,7 @@ static void adf_device_reset_worker(struct work_struct *work) if (adf_dev_init(accel_dev) || adf_dev_start(accel_dev)) { /* The device hanged and we can't restart it so stop here */ dev_err(&GET_DEV(accel_dev), "Restart device failed\n"); - if (reset_data->mode == ADF_DEV_RESET_ASYNC || - completion_done(&reset_data->compl)) + if (reset_data->mode == ADF_DEV_RESET_ASYNC) kfree(reset_data); WARN(1, "QAT: device restart failed. Device is unusable\n"); return; 
@@ -148,16 +147,8 @@ static void adf_device_reset_worker(struct work_struct *work) adf_dev_restarted_notify(accel_dev); clear_bit(ADF_STATUS_RESTARTING, &accel_dev->status); - /* - * The dev is back alive. Notify the caller if in sync mode - * - * If device restart will take a more time than expected, - * the schedule_reset() function can timeout and exit. This can be - * detected by calling the completion_done() function. In this case - * the reset_data structure needs to be freed here. - */ - if (reset_data->mode == ADF_DEV_RESET_ASYNC || - completion_done(&reset_data->compl)) + /* The dev is back alive. Notify the caller if in sync mode */ + if (reset_data->mode == ADF_DEV_RESET_ASYNC) kfree(reset_data); else complete(&reset_data->compl); @@ -192,10 +183,10 @@ static int adf_dev_aer_schedule_reset(struct adf_accel_dev *accel_dev, if (!timeout) { dev_err(&GET_DEV(accel_dev), "Reset device timeout expired\n"); + cancel_work_sync(&reset_data->reset_work); ret = -EFAULT; - } else { - kfree(reset_data); } + kfree(reset_data); return ret; } return 0; -- 2.31.1
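Review bot: in the restart-failure branch of adf_device_reset_worker() (hunk at -139,8), a sync-mode reset now returns without calling complete(&reset_data->compl), so the waiter in adf_dev_aer_schedule_reset() can only leave through the timeout branch and logs "Reset device timeout expired" for what was actually a failed restart. If waiting out the full timeout on a known failure is intended, say so in a comment next to the WARN(); otherwise consider waking the waiter here and letting it report the failure itself.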
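Review bot: the comment left in adf_device_reset_worker() after the restart (hunk at -148,16) no longer says who frees reset_data, and the removed block was the only place that documented it. Suggest extending the new one-line comment to state the ownership rule the code now follows: in ADF_DEV_RESET_ASYNC mode the worker frees reset_data, in sync mode the worker only calls complete() and the caller frees it.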
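Review bot: in the timeout branch of adf_dev_aer_schedule_reset() (hunk at -192,10), cancel_work_sync(&reset_data->reset_work) waits for a worker that is already running, so the caller can block well past the timeout it has just logged, and the worker may still finish the restart and call complete() while this path returns -EFAULT. The unconditional kfree(reset_data) that follows is safe only because of that wait; a short comment above cancel_work_sync() stating this would keep a later cleanup from dropping or reordering the call.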