Kernel

kernel@openeuler.org

  • 53 participants
  • 18751 discussions
[PATCH openEuler-22.03-LTS-SP1 V1] drm/vmwgfx: Fix invalid reads in fence signaled events
by Cheng Yu 09 Jun '24

From: Zack Rusin <zack.rusin(a)broadcom.com>

mainline inclusion
from mainline-v6.9-rc7
commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNUO
CVE: CVE-2024-36960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Correctly set the length of the drm_event to the size of the structure that's actually used.

The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resulting in oob reads.

Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com>
Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-23566
Cc: David Airlie <airlied(a)gmail.com>
CC: Daniel Vetter <daniel(a)ffwll.ch>
Cc: Zack Rusin <zack.rusin(a)broadcom.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com>
Cc: dri-devel(a)lists.freedesktop.org
Cc: linux-kernel(a)vger.kernel.org
Cc: <stable(a)vger.kernel.org> # v3.4+
Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com>
Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack…
Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com>
--- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c index 8bc41ec97d71..6bacdb7583df 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
@@ -1066,7 +1066,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv, } event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED; - event->event.base.length = sizeof(*event); + event->event.base.length = sizeof(event->event); event->event.user_data = user_data; ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base); -- 2.25.1
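Review bot: the corrected assignment event->event.base.length = sizeof(event->event) carries no comment saying why the inner struct is the right operand, and the old sizeof(*event) looks just as plausible to anyone reading vmw_event_fence_action_create() cold. The same hunk passes &event->event.base to drm_event_reserve_init(), and the commit message says drm_read copies base.length bytes to user space, so a one-line comment above the assignment stating that the length must cover only the user-visible event, not the wrapping allocation, would guard against the bug being reintroduced.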
[PATCH openEuler-1.0-LTS V1] drm/vmwgfx: Fix invalid reads in fence signaled events
by Cheng Yu 09 Jun '24

From: Zack Rusin <zack.rusin(a)broadcom.com>

mainline inclusion
from mainline-v6.9-rc7
commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNUO
CVE: CVE-2024-36960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Correctly set the length of the drm_event to the size of the structure that's actually used.

The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resulting in oob reads.

Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com>
Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-23566
Cc: David Airlie <airlied(a)gmail.com>
CC: Daniel Vetter <daniel(a)ffwll.ch>
Cc: Zack Rusin <zack.rusin(a)broadcom.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com>
Cc: dri-devel(a)lists.freedesktop.org
Cc: linux-kernel(a)vger.kernel.org
Cc: <stable(a)vger.kernel.org> # v3.4+
Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com>
Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack…
Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com>
--- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c index 72a75316d472..e1b4f9612f5a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
@@ -1064,7 +1064,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv, } event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED; - event->event.base.length = sizeof(*event); + event->event.base.length = sizeof(event->event); event->event.user_data = user_data; ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base); -- 2.25.1
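Review bot: backport documentation is missing for this hunk, which lands at line 1064 against blob 72a75316d472 while the changelog above it is the mainline text unchanged. Nothing in the posting says whether the change applied cleanly on this branch or was adapted. A short line below the --- separator (for example "Conflicts: none, context offset only") would let reviewers confirm that event->event in vmw_event_fence_action_create() has the same type here as in mainline.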
[PATCH OLK-6.6] xdp: use flags field to disambiguate broadcast redirect
by Ziyang Xuan 09 Jun '24

From: Toke Høiland-Jørgensen <toke(a)redhat.com>

stable inclusion
from stable-v6.6.31
commit e22e25820fa04ea5eaac4ef7ee200e9923f466a4
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UM46
CVE: CVE-2024-36937

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 5bcf0dcbf9066348058b88a510c57f70f384c92c ]

When redirecting a packet using XDP, the bpf_redirect_map() helper will set up the redirect destination information in struct bpf_redirect_info (using the __bpf_xdp_redirect_map() helper function), and the xdp_do_redirect() function will read this information after the XDP program returns and pass the frame on to the right redirect destination.

When using the BPF_F_BROADCAST flag to do multicast redirect to a whole map, __bpf_xdp_redirect_map() sets the 'map' pointer in struct bpf_redirect_info to point to the destination map to be broadcast. And xdp_do_redirect() reacts to the value of this map pointer to decide whether it's dealing with a broadcast or a single-value redirect. However, if the destination map is being destroyed before xdp_do_redirect() is called, the map pointer will be cleared out (by bpf_clear_redirect_map()) without waiting for any XDP programs to stop running. This causes xdp_do_redirect() to think that the redirect was to a single target, but the target pointer is also NULL (since broadcast redirects don't have a single target), so this causes a crash when a NULL pointer is passed to dev_map_enqueue().

To fix this, change xdp_do_redirect() to react directly to the presence of the BPF_F_BROADCAST flag in the 'flags' value in struct bpf_redirect_info to disambiguate between a single-target and a broadcast redirect. And only read the 'map' pointer if the broadcast flag is set, aborting if that has been cleared out in the meantime.
This prevents the crash, while keeping the atomic (cmpxchg-based) clearing of the map pointer itself, and without adding any more checks in the non-broadcast fast path. Fixes: e624d4ed4aa8 ("xdp: Extend xdp_redirect_map with broadcast support") Reported-and-tested-by: syzbot+af9492708df9797198d6(a)syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: Stanislav Fomichev <sdf(a)google.com> Reviewed-by: Hangbin Liu <liuhangbin(a)gmail.com> Acked-by: Jesper Dangaard Brouer <hawk(a)kernel.org> Link: https://lore.kernel.org/r/20240418071840.156411-1-toke@redhat.com Signed-off-by: Martin KaFai Lau <martin.lau(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/core/filter.c | 42 ++++++++++++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 81cd6493c7d10..6ec353bf36f38 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -4334,10 +4334,12 @@ static __always_inline int __xdp_do_redirect_frame(struct bpf_redirect_info *ri, enum bpf_map_type map_type = ri->map_type; void *fwd = ri->tgt_value; u32 map_id = ri->map_id; + u32 flags = ri->flags; struct bpf_map *map; int err; ri->map_id = 0; /* Valid map id idr range: [1,INT_MAX[ */ + ri->flags = 0; ri->map_type = BPF_MAP_TYPE_UNSPEC; if (unlikely(!xdpf)) { 
@@ -4349,11 +4351,20 @@ static __always_inline int __xdp_do_redirect_frame(struct bpf_redirect_info *ri, case BPF_MAP_TYPE_DEVMAP: fallthrough; case BPF_MAP_TYPE_DEVMAP_HASH: - map = READ_ONCE(ri->map); - if (unlikely(map)) { + if (unlikely(flags & BPF_F_BROADCAST)) { + map = READ_ONCE(ri->map); + + /* The map pointer is cleared when the map is being torn + * down by bpf_clear_redirect_map() + */ + if (unlikely(!map)) { + err = -ENOENT; + break; + } + WRITE_ONCE(ri->map, NULL); err = dev_map_enqueue_multi(xdpf, dev, map, - ri->flags & BPF_F_EXCLUDE_INGRESS); + flags & BPF_F_EXCLUDE_INGRESS); } else { err = dev_map_enqueue(fwd, xdpf, dev); } @@ -4416,9 +4427,9 @@ EXPORT_SYMBOL_GPL(xdp_do_redirect_frame); static int xdp_do_generic_redirect_map(struct net_device *dev, struct sk_buff *skb, struct xdp_buff *xdp, - struct bpf_prog *xdp_prog, - void *fwd, - enum bpf_map_type map_type, u32 map_id) + struct bpf_prog *xdp_prog, void *fwd, + enum bpf_map_type map_type, u32 map_id, + u32 flags) { struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info); struct bpf_map *map; @@ -4428,11 +4439,20 @@ static int xdp_do_generic_redirect_map(struct net_device *dev, case BPF_MAP_TYPE_DEVMAP: fallthrough; case BPF_MAP_TYPE_DEVMAP_HASH: - map = READ_ONCE(ri->map); - if (unlikely(map)) { + if (unlikely(flags & BPF_F_BROADCAST)) { + map = READ_ONCE(ri->map); + + /* The map pointer is cleared when the map is being torn + * down by bpf_clear_redirect_map() + */ + if (unlikely(!map)) { + err = -ENOENT; + break; + } + WRITE_ONCE(ri->map, NULL); err = dev_map_redirect_multi(dev, skb, xdp_prog, map, - ri->flags & BPF_F_EXCLUDE_INGRESS); + flags & BPF_F_EXCLUDE_INGRESS); } else { err = dev_map_generic_redirect(fwd, skb, xdp_prog); } 
@@ -4469,9 +4489,11 @@ int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb, enum bpf_map_type map_type = ri->map_type; void *fwd = ri->tgt_value; u32 map_id = ri->map_id; + u32 flags = ri->flags; int err; ri->map_id = 0; /* Valid map id idr range: [1,INT_MAX[ */ + ri->flags = 0; ri->map_type = BPF_MAP_TYPE_UNSPEC; if (map_type == BPF_MAP_TYPE_UNSPEC && map_id == INT_MAX) { @@ -4491,7 +4513,7 @@ int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb, return 0; } - return xdp_do_generic_redirect_map(dev, skb, xdp, xdp_prog, fwd, map_type, map_id); + return xdp_do_generic_redirect_map(dev, skb, xdp, xdp_prog, fwd, map_type, map_id, flags); err: _trace_xdp_redirect_err(dev, xdp_prog, ri->tgt_index, err); return err; -- 2.25.1
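Review bot: the broadcast branch added under BPF_MAP_TYPE_DEVMAP_HASH in __xdp_do_redirect_frame() is repeated line for line in xdp_do_generic_redirect_map(): READ_ONCE(ri->map), the NULL check that sets err = -ENOENT, WRITE_ONCE(ri->map, NULL), and the same comment. A small static helper that returns the map pointer or NULL would keep the two paths from drifting apart in later backports. The new comment also says when the pointer is cleared but not what follows from it; adding that the redirect is aborted with -ENOENT because the broadcast target map is gone would make the break easier to follow.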
[PATCH OLK-5.10 V1] drm/vmwgfx: Fix invalid reads in fence signaled events
by Cheng Yu 09 Jun '24

From: Zack Rusin <zack.rusin(a)broadcom.com>

mainline inclusion
from mainline-v6.9-rc7
commit a37ef7613c00f2d72c8fc08bd83fb6cc76926c8c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNUO
CVE: CVE-2024-36960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Correctly set the length of the drm_event to the size of the structure that's actually used.

The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resulting in oob reads.

Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com>
Fixes: 8b7de6aa8468 ("vmwgfx: Rework fence event action")
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-23566
Cc: David Airlie <airlied(a)gmail.com>
CC: Daniel Vetter <daniel(a)ffwll.ch>
Cc: Zack Rusin <zack.rusin(a)broadcom.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com>
Cc: dri-devel(a)lists.freedesktop.org
Cc: linux-kernel(a)vger.kernel.org
Cc: <stable(a)vger.kernel.org> # v3.4+
Reviewed-by: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com>
Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240425192748.1761522-1-zack…
Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com>
--- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c index 8bc41ec97d71..6bacdb7583df 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
@@ -1066,7 +1066,7 @@ static int vmw_event_fence_action_create(struct drm_file *file_priv, } event->event.base.type = DRM_VMW_EVENT_FENCE_SIGNALED; - event->event.base.length = sizeof(*event); + event->event.base.length = sizeof(event->event); event->event.user_data = user_data; ret = drm_event_reserve_init(dev, file_priv, &event->base, &event->event.base); -- 2.25.1
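Review bot: the posting does not say whether any other place on this branch fills in a drm_event base.length from the size of a wrapper struct; the hunk covers only the single assignment in vmw_event_fence_action_create(). A sentence in the posting confirming that this is the only site setting the length for DRM_VMW_EVENT_FENCE_SIGNALED events here would close the question for reviewers.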
[openeuler:openEuler-1.0-LTS 18952/22827] mm/shmem.c:1601:19: sparse: sparse: invalid assignment: |=
by kernel test robot 09 Jun '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: 3a3a1f75d885bc1d1a25bb753dd2cf9111c457f7 [18952/22827] shmem: Introduce shmem reliable
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090739.J3hAY6q8-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090739.J3hAY6q8-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090739.J3hAY6q8-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> mm/shmem.c:1601:19: sparse: sparse: invalid assignment: |=
   mm/shmem.c:1601:19: sparse: left side has type restricted gfp_t
   mm/shmem.c:1601:19: sparse: right side has type unsigned int
   mm/shmem.c: note: in included file (through include/linux/percpu_counter.h, include/linux/quota.h, include/linux/fs.h):
   include/linux/gfp.h:457:34: sparse: sparse: restricted gfp_t degrades to integer
   mm/shmem.c: In function 'shmem_fh_to_dentry':
   mm/shmem.c:3403:24: warning: array subscript 2 is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
    3403 |                 inum = fid->raw[2];
         |                        ~~~~~~~~^~~
   In file included from mm/shmem.c:53:
   include/linux/exportfs.h:129:23: note: while referencing 'raw'
     129 |         __u32 raw[0];
         |               ^~~
   mm/shmem.c:3404:39: warning: array subscript 1 is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
    3404 |                 inum = (inum << 32) | fid->raw[1];
         |                                       ~~~~~~~~^~~
   include/linux/exportfs.h:129:23: note: while referencing 'raw'
     129 |         __u32 raw[0];
         |               ^~~
   mm/shmem.c:3406:61: warning: array subscript 0 is outside array bounds of '__u32[0]' {aka 'unsigned int[]'} [-Warray-bounds=]
    3406 |                 inode = ilookup5(sb, (unsigned long)(inum + fid->raw[0]),
         |                                                             ~~~~~~~~^~~
   include/linux/exportfs.h:129:23: note: while referencing 'raw'
     129 |         __u32 raw[0];
         |               ^~~

vim +1601 mm/shmem.c

  1595
  1596  static inline void shmem_prepare_alloc(gfp_t *gfp_mask)
  1597  {
  1598          if (!shmem_reliable_is_enabled())
  1599                  return;
  1600
> 1601          *gfp_mask |= ___GFP_RELIABILITY;
  1602  }
  1603

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS] BUILD REGRESSION 6a98543755cf2f636ae3169f3774d226d328d2cf
by kernel test robot 09 Jun '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
branch HEAD: 6a98543755cf2f636ae3169f3774d226d328d2cf  !8628 erspan: make sure erspan_base_hdr is present in skb->head

Error/Warning reports:

https://lore.kernel.org/oe-kbuild-all/202406081538.GZO9E4bP-lkp@intel.com
https://lore.kernel.org/oe-kbuild-all/202406090015.Dx2VIQ1d-lkp@intel.com
https://lore.kernel.org/oe-kbuild-all/202406090419.Or3DQ4pF-lkp@intel.com

Error/Warning: (recently discovered and may have been fixed)

mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=

Unverified Error/Warning (likely false positive, please contact us if interested):

drivers/scsi/ufs/ufs-qcom.c:1665: error: Cannot parse struct or union!
super.c:(.exit.text+0x7c): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `netlink_kernel_release'
super.c:(.init.text+0x6b38): relocation truncated to fit: R_AARCH64_ADR_PREL_PG_HI21 against undefined symbol `init_net'
super.c:(.init.text+0x6b48): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `__netlink_kernel_create'
super.c:(.text+0x130dc): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `__alloc_skb'
super.c:(.text+0x13144): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `__nlmsg_put'
super.c:(.text+0x131b4): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `netlink_broadcast'
super.c:(.text+0x131d8): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `kfree_skb'

Error/Warning ids grouped by kconfigs:

gcc_recent_errors
|-- arm64-allmodconfig
|   `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
|-- arm64-defconfig
|   `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
|-- arm64-randconfig-004-20240608
|   |-- drivers-scsi-ufs-ufs-qcom.c:error:Cannot-parse-struct-or-union
|   |-- super.c:(.exit.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-netlink_kernel_release
|   |-- super.c:(.init.text):relocation-truncated-to-fit:R_AARCH64_ADR_PREL_PG_HI21-against-undefined-symbol-init_net
|   |-- super.c:(.init.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-__netlink_kernel_create
|   |-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-__alloc_skb
|   |-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-__nlmsg_put
|   |-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-kfree_skb
|   `-- super.c:(.text):relocation-truncated-to-fit:R_AARCH64_CALL26-against-undefined-symbol-netlink_broadcast
|-- arm64-randconfig-r123-20240607
|   |-- drivers-remoteproc-qcom_adsp_pil.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mem_region-got-void-noderef-asn
|   |-- drivers-remoteproc-qcom_q6v5_pil.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mba_region-got-void-noderef-asn
|   |-- drivers-remoteproc-qcom_q6v5_pil.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mpss_region-got-void-noderef-asn
|   |-- drivers-remoteproc-qcom_wcnss.c:sparse:sparse:incorrect-type-in-assignment-(different-address-spaces)-expected-void-mem_region-got-void-noderef-asn
|   |-- mm-khugepaged.c:sparse:sparse:invalid-assignment:
|   `-- net-netfilter-nft_counter.c:sparse:sparse:incorrect-type-in-argument-(different-address-spaces)-expected-struct-nft_counter_percpu_priv-noderef-asn-priv-got-struct-nft_counter_percpu_priv-priv
|-- x86_64-buildonly-randconfig-004-20240609
|   `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text
|-- x86_64-buildonly-randconfig-006-20240609
|   |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
|   `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text
`-- x86_64-randconfig-001-20240609
    `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code
clang_recent_errors
|-- x86_64-allyesconfig
|   |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension
|   `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text
|-- x86_64-buildonly-randconfig-002-20240609
|   `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text
`-- x86_64-buildonly-randconfig-005-20240609
    |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension
    `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text

elapsed time: 1126m

configs tested: 16
configs skipped: 131

tested configs:
arm64     allmodconfig                         gcc
arm64     allnoconfig                          gcc
arm64     defconfig                            gcc
arm64     randconfig-003-20240609              gcc
x86_64    allnoconfig                          clang
x86_64    allyesconfig                         clang
x86_64    buildonly-randconfig-001-20240609    clang
x86_64    buildonly-randconfig-002-20240609    clang
x86_64    buildonly-randconfig-003-20240609    clang
x86_64    buildonly-randconfig-004-20240609    gcc
x86_64    buildonly-randconfig-005-20240609    clang
x86_64    buildonly-randconfig-006-20240609    gcc
x86_64    defconfig                            gcc
x86_64    randconfig-001-20240609              gcc
x86_64    randconfig-002-20240609              clang
x86_64    rhel-8.3-rust                        clang

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 18949/22827] mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
by kernel test robot 09 Jun '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   6a98543755cf2f636ae3169f3774d226d328d2cf
commit: ff0fb9e816fac221fa24a1810dd895745406070b [18949/22827] mm: thp: Add memory reliable support for hugepaged collapse
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090419.Or3DQ4pF-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090419.Or3DQ4pF-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090419.Or3DQ4pF-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> mm/khugepaged.c:974:21: sparse: sparse: invalid assignment: |=
   mm/khugepaged.c:974:21: sparse: left side has type restricted gfp_t
   mm/khugepaged.c:974:21: sparse: right side has type unsigned int
   mm/khugepaged.c:1352:21: sparse: sparse: invalid assignment: |=
   mm/khugepaged.c:1352:21: sparse: left side has type restricted gfp_t
   mm/khugepaged.c:1352:21: sparse: right side has type unsigned int
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse: expected void **slot
   mm/khugepaged.c:1378:9: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse: expected void **slot
   mm/khugepaged.c:1378:9: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1409:56: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1409:56: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1409:56: sparse: got void **slot
   mm/khugepaged.c:1458:22: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1458:22: sparse: expected void **slot
   mm/khugepaged.c:1458:22: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1459:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1459:17: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1459:17: sparse: got void **slot
   mm/khugepaged.c:1483:60: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1483:60: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1483:60: sparse: got void **slot
   mm/khugepaged.c:1486:47: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1486:47: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1486:47: sparse: got void **slot
   mm/khugepaged.c:1486:22: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1486:22: sparse: expected void **slot
   mm/khugepaged.c:1486:22: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1378:9: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1378:9: sparse: got void **slot
   mm/khugepaged.c:1378:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1378:9: sparse: expected void **slot
   mm/khugepaged.c:1378:9: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse: expected void **slot
   mm/khugepaged.c:1578:17: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse: expected void **slot
   mm/khugepaged.c:1578:17: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1597:68: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1597:68: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1597:68: sparse: got void **slot
   mm/khugepaged.c:1598:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1598:55: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1598:55: sparse: got void **slot
   mm/khugepaged.c:1598:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1598:30: sparse: expected void **slot
   mm/khugepaged.c:1598:30: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1578:17: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1578:17: sparse: got void **slot
   mm/khugepaged.c:1578:17: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1578:17: sparse: expected void **slot
   mm/khugepaged.c:1578:17: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse: expected void **slot
   mm/khugepaged.c:1633:9: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse: expected void **slot
   mm/khugepaged.c:1633:9: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1637:46: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1637:46: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1637:46: sparse: got void **slot
   mm/khugepaged.c:1639:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1639:30: sparse: expected void **slot
   mm/khugepaged.c:1639:30: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1682:55: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1682:55: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1682:55: sparse: got void **slot
   mm/khugepaged.c:1682:30: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1682:30: sparse: expected void **slot
   mm/khugepaged.c:1682:30: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void [noderef] <asn:4> **slot @@ got void **slot @@
   mm/khugepaged.c:1633:9: sparse: expected void [noderef] <asn:4> **slot
   mm/khugepaged.c:1633:9: sparse: got void **slot
   mm/khugepaged.c:1633:9: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void **slot @@ got void [noderef] <asn:4> ** @@
   mm/khugepaged.c:1633:9: sparse: expected void **slot
   mm/khugepaged.c:1633:9: sparse: got void [noderef] <asn:4> **
   mm/khugepaged.c: note: in included file (through include/linux/mm.h):
   include/linux/gfp.h:457:34: sparse: sparse: restricted gfp_t degrades to integer
   mm/khugepaged.c:1336: warning: Function parameter or member 'mm' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'mapping' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'start' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'hpage' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'node' not described in 'collapse_shmem'
   mm/khugepaged.c:1336: warning: Function parameter or member 'reliable' not described in 'collapse_shmem'

vim +974 mm/khugepaged.c

   949
   950  static void collapse_huge_page(struct mm_struct *mm,
   951                                     unsigned long address,
   952                                     struct page **hpage,
   953                                     int node, int referenced, int unmapped,
   954                                     bool reliable)
   955  {
   956          pmd_t *pmd, _pmd;
   957          pte_t *pte;
   958          pgtable_t pgtable;
   959          struct page *new_page;
   960          spinlock_t *pmd_ptl, *pte_ptl;
   961          int isolated = 0, result = 0;
   962          struct mem_cgroup *memcg;
   963          struct vm_area_struct *vma;
   964          unsigned long mmun_start;       /* For mmu_notifiers */
   965          unsigned long mmun_end;         /* For mmu_notifiers */
   966          gfp_t gfp;
   967
   968          VM_BUG_ON(address & ~HPAGE_PMD_MASK);
   969
   970          /* Only allocate from the target node */
   971          gfp = alloc_hugepage_khugepaged_gfpmask() | __GFP_THISNODE;
   972
   973          if (reliable)
 > 974                  gfp |= ___GFP_RELIABILITY;
   975
   976          /*
   977           * Before allocating the hugepage, release the mmap_sem read lock.
   978           * The allocation can take potentially a long time if it involves
   979           * sync compaction, and we do not need to hold the mmap_sem during
   980           * that. We will recheck the vma after taking it again in write mode.
   981           */
   982          up_read(&mm->mmap_sem);
   983          new_page = khugepaged_alloc_page(hpage, gfp, node);
   984          if (!new_page) {
   985                  result = SCAN_ALLOC_HUGE_PAGE_FAIL;
   986                  goto out_nolock;
   987          }
   988
   989          if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) {
   990                  result = SCAN_CGROUP_CHARGE_FAIL;
   991                  goto out_nolock;
   992          }
   993
   994          down_read(&mm->mmap_sem);
   995          result = hugepage_vma_revalidate(mm, address, &vma);
   996          if (result) {
   997                  mem_cgroup_cancel_charge(new_page, memcg, true);
   998                  up_read(&mm->mmap_sem);
   999                  goto out_nolock;
  1000          }
  1001
  1002          pmd = mm_find_pmd(mm, address);
  1003          if (!pmd) {
  1004                  result = SCAN_PMD_NULL;
  1005                  mem_cgroup_cancel_charge(new_page, memcg, true);
  1006                  up_read(&mm->mmap_sem);
  1007                  goto out_nolock;
  1008          }
  1009
  1010          /*
  1011           * __collapse_huge_page_swapin always returns with mmap_sem locked.
  1012           * If it fails, we release mmap_sem and jump out_nolock.
  1013           * Continuing to collapse causes inconsistency.
  1014           */
  1015          if (unmapped && !__collapse_huge_page_swapin(mm, vma, address,
  1016                                                       pmd, referenced)) {
  1017                  mem_cgroup_cancel_charge(new_page, memcg, true);
  1018                  up_read(&mm->mmap_sem);
  1019                  goto out_nolock;
  1020          }
  1021
  1022          up_read(&mm->mmap_sem);
  1023          /*
  1024           * Prevent all access to pagetables with the exception of
  1025           * gup_fast later handled by the ptep_clear_flush and the VM
  1026           * handled by the anon_vma lock + PG_lock.
  1027           */
  1028          down_write(&mm->mmap_sem);
  1029          result = hugepage_vma_revalidate(mm, address, &vma);
  1030          if (result)
  1031                  goto out;
  1032          /* check if the pmd is still valid */
  1033          if (mm_find_pmd(mm, address) != pmd)
  1034                  goto out;
  1035
  1036          anon_vma_lock_write(vma->anon_vma);
  1037
  1038          pte = pte_offset_map(pmd, address);
  1039          pte_ptl = pte_lockptr(mm, pmd);
  1040
  1041          mmun_start = address;
  1042          mmun_end   = address + HPAGE_PMD_SIZE;
  1043          mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
  1044          pmd_ptl = pmd_lock(mm, pmd); /* probably unnecessary */
  1045          /*
  1046           * After this gup_fast can't run anymore.
This also removes 1047 * any huge TLB entry from the CPU so we won't allow 1048 * huge and small TLB entries for the same virtual address 1049 * to avoid the risk of CPU bugs in that area. 1050 */ 1051 _pmd = pmdp_collapse_flush(vma, address, pmd); 1052 spin_unlock(pmd_ptl); 1053 mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end); 1054 1055 spin_lock(pte_ptl); 1056 isolated = __collapse_huge_page_isolate(vma, address, pte); 1057 spin_unlock(pte_ptl); 1058 1059 if (unlikely(!isolated)) { 1060 pte_unmap(pte); 1061 spin_lock(pmd_ptl); 1062 BUG_ON(!pmd_none(*pmd)); 1063 /* 1064 * We can only use set_pmd_at when establishing 1065 * hugepmds and never for establishing regular pmds that 1066 * points to regular pagetables. Use pmd_populate for that 1067 */ 1068 pmd_populate(mm, pmd, pmd_pgtable(_pmd)); 1069 spin_unlock(pmd_ptl); 1070 anon_vma_unlock_write(vma->anon_vma); 1071 result = SCAN_FAIL; 1072 goto out; 1073 } 1074 1075 /* 1076 * All pages are isolated and locked so anon_vma rmap 1077 * can't run anymore. 1078 */ 1079 anon_vma_unlock_write(vma->anon_vma); 1080 1081 __collapse_huge_page_copy(pte, new_page, vma, address, pte_ptl); 1082 pte_unmap(pte); 1083 __SetPageUptodate(new_page); 1084 pgtable = pmd_pgtable(_pmd); 1085 1086 _pmd = mk_huge_pmd(new_page, vma->vm_page_prot); 1087 _pmd = maybe_pmd_mkwrite(pmd_mkdirty(_pmd), vma); 1088 1089 /* 1090 * spin_lock() below is not the equivalent of smp_wmb(), so 1091 * this is needed to avoid the copy_huge_page writes to become 1092 * visible after the set_pmd_at() write. 
1093 */ 1094 smp_wmb(); 1095 1096 spin_lock(pmd_ptl); 1097 BUG_ON(!pmd_none(*pmd)); 1098 page_add_new_anon_rmap(new_page, vma, address, true); 1099 mem_cgroup_commit_charge(new_page, memcg, false, true); 1100 count_memcg_events(memcg, THP_COLLAPSE_ALLOC, 1); 1101 lru_cache_add_active_or_unevictable(new_page, vma); 1102 pgtable_trans_huge_deposit(mm, pmd, pgtable); 1103 set_pmd_at(mm, address, pmd, _pmd); 1104 update_mmu_cache_pmd(vma, address, pmd); 1105 spin_unlock(pmd_ptl); 1106 1107 *hpage = NULL; 1108 1109 khugepaged_pages_collapsed++; 1110 result = SCAN_SUCCEED; 1111 out_up_write: 1112 up_write(&mm->mmap_sem); 1113 out_nolock: 1114 trace_mm_collapse_huge_page(mm, isolated, result); 1115 return; 1116 out: 1117 mem_cgroup_cancel_charge(new_page, memcg, true); 1118 goto out_up_write; 1119 } 1120 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 5421/22827] drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: sparse: incorrect type in assignment (different address spaces)
by kernel test robot 09 Jun '24

Hi Paulo,

First bad commit (maybe != root cause):

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 6a98543755cf2f636ae3169f3774d226d328d2cf
commit: 71e217e85c3dff8a9151707ed3afc7b4b054a2d4 [5421/22827] selinux: use kernel linux/socket.h for genheaders and mdp
config: arm64-randconfig-r123-20240607 (https://download.01.org/0day-ci/archive/20240609/202406090015.Dx2VIQ1d-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce: (https://download.01.org/0day-ci/archive/20240609/202406090015.Dx2VIQ1d-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202406090015.Dx2VIQ1d-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void *mem_region @@ got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: expected void *mem_region
   drivers/remoteproc/qcom_adsp_pil.c:246:26: sparse: got void [noderef] <asn:2> *
--
>> drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void *mba_region @@ got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse: expected void *mba_region
   drivers/remoteproc/qcom_q6v5_pil.c:1096:27: sparse: got void [noderef] <asn:2> *
>> drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void *mpss_region @@ got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse: expected void *mpss_region
   drivers/remoteproc/qcom_q6v5_pil.c:1114:28: sparse: got void [noderef] <asn:2> *
   drivers/remoteproc/qcom_q6v5_pil.c: In function 'q6v5_mpss_load':
   drivers/remoteproc/qcom_q6v5_pil.c:741:70: warning: '%02d' directive output may be truncated writing between 2 and 11 bytes into a region of size 3 [-Wformat-truncation=]
     741 | snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         | ^~~~
   drivers/remoteproc/qcom_q6v5_pil.c:741:62: note: directive argument in the range [-2147483641, 65534]
     741 | snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         | ^~~~~~~~~~~~~
   drivers/remoteproc/qcom_q6v5_pil.c:741:25: note: 'snprintf' output between 10 and 19 bytes into a destination of size 10
     741 | snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
         | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
>> drivers/remoteproc/qcom_wcnss.c:456:27: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected void *mem_region @@ got void [noderef] <asn:2> * @@
   drivers/remoteproc/qcom_wcnss.c:456:27: sparse: expected void *mem_region
   drivers/remoteproc/qcom_wcnss.c:456:27: sparse: got void [noderef] <asn:2> *
--
>> net/netfilter/nft_counter.c:158:35: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected struct nft_counter_percpu_priv [noderef] <asn:3> *priv @@ got struct nft_counter_percpu_priv *priv @@
   net/netfilter/nft_counter.c:158:35: sparse: expected struct nft_counter_percpu_priv [noderef] <asn:3> *priv
   net/netfilter/nft_counter.c:158:35: sparse: got struct nft_counter_percpu_priv *priv
   net/netfilter/nft_counter.c:113:20: sparse: sparse: dereference of noderef expression

vim +246 drivers/remoteproc/qcom_adsp_pil.c

b9e718e950c3df Bjorn Andersson 2016-08-22  227
b9e718e950c3df Bjorn Andersson 2016-08-22  228  static int adsp_alloc_memory_region(struct qcom_adsp *adsp)
b9e718e950c3df Bjorn Andersson 2016-08-22  229  {
b9e718e950c3df Bjorn Andersson 2016-08-22  230  	struct device_node *node;
b9e718e950c3df Bjorn Andersson 2016-08-22  231  	struct resource r;
b9e718e950c3df Bjorn Andersson 2016-08-22  232  	int ret;
b9e718e950c3df Bjorn Andersson 2016-08-22  233
b9e718e950c3df Bjorn Andersson 2016-08-22  234  	node = of_parse_phandle(adsp->dev->of_node, "memory-region", 0);
b9e718e950c3df Bjorn Andersson 2016-08-22  235  	if (!node) {
b9e718e950c3df Bjorn Andersson 2016-08-22  236  		dev_err(adsp->dev, "no memory-region specified\n");
b9e718e950c3df Bjorn Andersson 2016-08-22  237  		return -EINVAL;
b9e718e950c3df Bjorn Andersson 2016-08-22  238  	}
b9e718e950c3df Bjorn Andersson 2016-08-22  239
b9e718e950c3df Bjorn Andersson 2016-08-22  240  	ret = of_address_to_resource(node, 0, &r);
b9e718e950c3df Bjorn Andersson 2016-08-22  241  	if (ret)
b9e718e950c3df Bjorn Andersson 2016-08-22  242  		return ret;
b9e718e950c3df Bjorn Andersson 2016-08-22  243
b9e718e950c3df Bjorn Andersson 2016-08-22  244  	adsp->mem_phys = adsp->mem_reloc = r.start;
b9e718e950c3df Bjorn Andersson 2016-08-22  245  	adsp->mem_size = resource_size(&r);
b9e718e950c3df Bjorn Andersson 2016-08-22 @246  	adsp->mem_region = devm_ioremap_wc(adsp->dev, adsp->mem_phys, adsp->mem_size);
b9e718e950c3df Bjorn Andersson 2016-08-22  247  	if (!adsp->mem_region) {
b9e718e950c3df Bjorn Andersson 2016-08-22  248  		dev_err(adsp->dev, "unable to map memory region: %pa+%zx\n",
b9e718e950c3df Bjorn Andersson 2016-08-22  249  			&r.start, adsp->mem_size);
b9e718e950c3df Bjorn Andersson 2016-08-22  250  		return -EBUSY;
b9e718e950c3df Bjorn Andersson 2016-08-22  251  	}
b9e718e950c3df Bjorn Andersson 2016-08-22  252
b9e718e950c3df Bjorn Andersson 2016-08-22  253  	return 0;
b9e718e950c3df Bjorn Andersson 2016-08-22  254  }
b9e718e950c3df Bjorn Andersson 2016-08-22  255

:::::: The code at line 246 was first introduced by commit
:::::: b9e718e950c3dfa458bbf9180a8d8691e55413ae remoteproc: Introduce Qualcomm ADSP PIL

:::::: TO: Bjorn Andersson <bjorn.andersson(a)sonymobile.com>
:::::: CC: Bjorn Andersson <bjorn.andersson(a)linaro.org>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
by Liu Jian 08 Jun '24

From: Jason Xing <kernelxing(a)tencent.com> stable inclusion from stable-v6.6.31 commit b397a0ab8582c533ec0c6b732392f141fc364f87 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U1UZ CVE: CVE-2024-3693 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 6648e613226e18897231ab5e42ffc29e63fa3365 ] Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which syzbot reported [1]. [1] BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1: sk_psock_stop_verdict net/core/skmsg.c:1257 [inline] sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843 sk_psock_put include/linux/skmsg.h:459 [inline] sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648 unix_release+0x4b/0x80 net/unix/af_unix.c:1048 __sock_release net/socket.c:659 [inline] sock_close+0x68/0x150 net/socket.c:1421 __fput+0x2c1/0x660 fs/file_table.c:422 __fput_sync+0x44/0x60 fs/file_table.c:507 __do_sys_close fs/open.c:1556 [inline] __se_sys_close+0x101/0x1b0 fs/open.c:1541 __x64_sys_close+0x1f/0x30 fs/open.c:1541 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0: sk_psock_data_ready include/linux/skmsg.h:464 [inline] sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline] sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202 unix_read_skb net/unix/af_unix.c:2546 [inline] unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x140/0x180 net/socket.c:745 ____sys_sendmsg+0x312/0x410 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x1e9/0x280 
net/socket.c:2667 __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674 do_syscall_64+0xd3/0x1d0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 value changed: 0xffffffff83d7feb0 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer similarly due to no protection of saved_data_ready. Here is another different caller causing the same issue because of the same reason. So we should protect it with sk_callback_lock read lock because the writer side in the sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);". To avoid errors that could happen in future, I move those two pairs of lock into the sk_psock_data_ready(), which is suggested by John Fastabend. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Reported-by: syzbot+aa8c8ec2538929f18f2d(a)syzkaller.appspotmail.com Signed-off-by: Jason Xing <kernelxing(a)tencent.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Reviewed-by: John Fastabend <john.fastabend(a)gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=aa8c8ec2538929f18f2d Link: https://lore.kernel.org/all/20240329134037.92124-1-kerneljasonxing@gmail.com Link: https://lore.kernel.org/bpf/20240404021001.94815-1-kerneljasonxing@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- include/linux/skmsg.h | 2 ++ net/core/skmsg.c | 5 +---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h index f69af3de0da0..fdedb7a29c0e 100644 --- a/include/linux/skmsg.h +++ b/include/linux/skmsg.h 
@@ -467,10 +467,12 @@ static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock) static inline void sk_psock_data_ready(struct sock *sk, struct sk_psock *psock) { + read_lock_bh(&sk->sk_callback_lock); if (psock->saved_data_ready) psock->saved_data_ready(sk); else sk->sk_data_ready(sk); + read_unlock_bh(&sk->sk_callback_lock); } static inline void psock_set_prog(struct bpf_prog **pprog, diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 6f774de8f6b2..f2e7ce81fef0 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -1234,11 +1234,8 @@ static void sk_psock_verdict_data_ready(struct sock *sk) rcu_read_lock(); psock = sk_psock(sk); - if (psock) { - read_lock_bh(&sk->sk_callback_lock); + if (psock) sk_psock_data_ready(sk, psock); - read_unlock_bh(&sk->sk_callback_lock); - } rcu_read_unlock(); } } -- 2.34.1
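Review bot: in the include/linux/skmsg.h hunk, sk_psock_data_ready() now takes read_lock_bh(&sk->sk_callback_lock) itself, but nothing on the function states that locking contract. A short comment above the helper saying it acquires sk_callback_lock for read, so callers must not already hold it, would keep a later caller from re-adding the outer read_lock_bh()/read_unlock_bh() pair that the skmsg.c hunk removes. Both psock->saved_data_ready(sk) and sk->sk_data_ready(sk) now run with that lock held and bottom halves disabled, so neither callback may take sk_callback_lock for write.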
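Review bot: in the net/core/skmsg.c hunk, sk_psock_verdict_data_ready() is left with only rcu_read_lock() around the call once the read_lock_bh()/read_unlock_bh() pair is dropped, so this removal is correct only together with the skmsg.h hunk and the two must be backported as a unit. The commit message names sk_psock_skb_ingress_enqueue() as the racing reader, yet that function does not appear in the diff: worth confirming in the OLK-6.6 tree that it reaches saved_data_ready through sk_psock_data_ready(), as the quoted KCSAN trace shows, and not through an open-coded call that would stay unprotected.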