July 2025 - Kernel - mailweb.openeuler.org

[PATCH OLK-6.6 0/2] modify xcall xint proc file permissions
by Yuntao Liu 15 Jul '25

15 Jul '25

modify xcall xint proc file permissions from 644 to 640 Yuntao Liu (2): modify xint proc file permissions to 640 modify xcall proc file permissions to 640 drivers/irqchip/irq-gic-v3.c | 2 +- fs/proc/base.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- 2.34.1

2 3

[PATCH OLK-5.10 0/2] modify xcall xint proc file permissions
by Yuntao Liu 15 Jul '25

15 Jul '25

modify xcall xint proc file permissions from 644 to 640 Yuntao Liu (2): modify xint proc file permissions to 640 modify xcall proc file permissions to 640 drivers/irqchip/irq-gic-v3.c | 2 +- fs/proc/base.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- 2.34.1

2 3

[PATCH openEuler-1.0-LTS] fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
by Xia Fukun 15 Jul '25

15 Jul '25

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> mainline inclusion from mainline-v6.16-rc1 commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICLGDL CVE: CVE-2025-38312 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- drivers/video/fbdev/core/fbcvt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c index 55d2bd0ce5c0..0b391c78467d 100644 --- a/drivers/video/fbdev/core/fbcvt.c +++ b/drivers/video/fbdev/core/fbcvt.c @@ -323,7 +323,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb) cvt.f_refresh = cvt.refresh; cvt.interlace = 1; - if (!cvt.xres || !cvt.yres || !cvt.refresh) { + if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { printk(KERN_INFO "fbcvt: Invalid input parameters\n"); return 1; } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] ipc: fix to protect IPCS lookups using RCU
by Xia Fukun 15 Jul '25

15 Jul '25

From: Jeongjun Park <aha310510(a)gmail.com> mainline inclusion from mainline-v6.16-rc1 commit d66adabe91803ef34a8b90613c81267b5ded1472 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICK4NN CVE: CVE-2025-38212 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned(). Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com Fixes: b34a6b1da371 ("ipc: introduce shm_rmid_forced sysctl") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot+a2b84e569d06ca3a949c(a)syzkaller.appspotmail.com Cc: Jeongjun Park <aha310510(a)gmail.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Vasiliy Kulikov <segoon(a)openwall.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- ipc/shm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipc/shm.c b/ipc/shm.c index 0a5053f5726f..14282b7f9800 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -417,8 +417,11 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data) void shm_destroy_orphaned(struct ipc_namespace *ns) { down_write(&shm_ids(ns).rwsem); - if (shm_ids(ns).in_use) + if (shm_ids(ns).in_use) { + rcu_read_lock(); idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); + rcu_read_unlock(); + } up_write(&shm_ids(ns).rwsem); } -- 2.34.1

2 1

[PATCH OLK-6.6 0/6] hns3: Fix debugfs inconsistency and optimize driver code (stack usage, timer init, readability)
by Donghua Huang 15 Jul '25

15 Jul '25

This patchset fixes debugfs query inconsistencies and optimizes the hns3 driver by reducing stack usage, improving timer initialization, and enhancing array handling readability. These changes improve the reliability and maintainability of the hns3 networking driver. Arnd Bergmann (1): net: hns3: reduce stack usage in hclge_dbg_dump_tm_pri() Hao Lan (1): net: hns3: Resolved the issue that the debugfs query result is inconsistent. Jian Shen (1): net: hns3: initialize reset_timer before hclgevf_misc_irq_init() Zhang Zekun (1): net: hns3: Use ARRAY_SIZE() to improve readability huangdonghua (2): Revert "net: hns3: initialize reset_timer before hclgevf_misc_irq_init()" Revert "net: hns3: Resolved the issue that the debugfs query result is inconsistent." drivers/net/ethernet/hisilicon/hns3/hnae3.h | 3 - .../ethernet/hisilicon/hns3/hns3_debugfs.c | 98 ++++++------------- .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 21 ++-- .../hisilicon/hns3/hns3vf/hclgevf_main.c | 2 + .../hisilicon/hns3/hns3vf/hclgevf_regs.c | 8 +- 5 files changed, 51 insertions(+), 81 deletions(-) -- 2.33.0

2 7

[PATCH OLK-6.6 0/6] hns3: Fix debugfs inconsistency and optimize driver code (stack usage, timer init, readability)
by Donghua Huang 15 Jul '25

15 Jul '25

This patchset fixes debugfs query inconsistencies and optimizes the hns3 driver by reducing stack usage, improving timer initialization, and enhancing array handling readability. These changes improve the reliability and maintainability of the hns3 networking driver. Arnd Bergmann (1): net: hns3: reduce stack usage in hclge_dbg_dump_tm_pri() Hao Lan (1): net: hns3: Resolved the issue that the debugfs query result is inconsistent. Jian Shen (1): net: hns3: initialize reset_timer before hclgevf_misc_irq_init() Zhang Zekun (1): net: hns3: Use ARRAY_SIZE() to improve readability huangdonghua (2): Revert "net: hns3: initialize reset_timer before hclgevf_misc_irq_init()" Revert "net: hns3: Resolved the issue that the debugfs query result is inconsistent." drivers/net/ethernet/hisilicon/hns3/hnae3.h | 3 - .../ethernet/hisilicon/hns3/hns3_debugfs.c | 98 ++++++------------- .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 21 ++-- .../hisilicon/hns3/hns3vf/hclgevf_main.c | 2 + .../hisilicon/hns3/hns3vf/hclgevf_regs.c | 8 +- 5 files changed, 51 insertions(+), 81 deletions(-) -- 2.33.0

2 7

[PATCH OLK-6.6] EDAC/skx_common: Fix general protection fault
by Xiaomeng Zhang 15 Jul '25

15 Jul '25

From: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> mainline inclusion from mainline-v6.16-rc1 commit 20d2d476b3ae18041be423671a8637ed5ffd6958 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICLGFA CVE: CVE-2025-38298 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- After loading i10nm_edac (which automatically loads skx_edac_common), if unload only i10nm_edac, then reload it and perform error injection testing, a general protection fault may occur: mce: [Hardware Error]: Machine check events logged Oops: general protection fault ... ... Workqueue: events mce_gen_pool_process RIP: 0010:string+0x53/0xe0 ... Call Trace: <TASK> ? die_addr+0x37/0x90 ? exc_general_protection+0x1e7/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? string+0x53/0xe0 vsnprintf+0x23e/0x4c0 snprintf+0x4d/0x70 skx_adxl_decode+0x16a/0x330 [skx_edac_common] skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] skx_mce_check_error+0x17/0x20 [skx_edac_common] ... The issue arose was because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above. Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac. Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module") Reported-by: Feng Xu <feng.f.xu(a)intel.com> Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Signed-off-by: Tony Luck <tony.luck(a)intel.com> Tested-by: Feng Xu <feng.f.xu(a)intel.com> Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/edac/skx_common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c index 0b8aaf5f77d9..bef81976867e 100644 --- a/drivers/edac/skx_common.c +++ b/drivers/edac/skx_common.c @@ -115,6 +115,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get); void skx_adxl_put(void) { + adxl_component_count = 0; kfree(adxl_values); kfree(adxl_msg); } -- 2.34.1

2 1

[PATCH OLK-5.10] EDAC/skx_common: Fix general protection fault
by Xiaomeng Zhang 15 Jul '25

15 Jul '25

From: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> mainline inclusion from mainline-v6.16-rc1 commit 20d2d476b3ae18041be423671a8637ed5ffd6958 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICLGFA CVE: CVE-2025-38298 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- After loading i10nm_edac (which automatically loads skx_edac_common), if unload only i10nm_edac, then reload it and perform error injection testing, a general protection fault may occur: mce: [Hardware Error]: Machine check events logged Oops: general protection fault ... ... Workqueue: events mce_gen_pool_process RIP: 0010:string+0x53/0xe0 ... Call Trace: <TASK> ? die_addr+0x37/0x90 ? exc_general_protection+0x1e7/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? string+0x53/0xe0 vsnprintf+0x23e/0x4c0 snprintf+0x4d/0x70 skx_adxl_decode+0x16a/0x330 [skx_edac_common] skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] skx_mce_check_error+0x17/0x20 [skx_edac_common] ... The issue arose was because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above. Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac. Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module") Reported-by: Feng Xu <feng.f.xu(a)intel.com> Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Signed-off-by: Tony Luck <tony.luck(a)intel.com> Tested-by: Feng Xu <feng.f.xu(a)intel.com> Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/edac/skx_common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c index 534d035c4ee8..3d912671d4a3 100644 --- a/drivers/edac/skx_common.c +++ b/drivers/edac/skx_common.c @@ -115,6 +115,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get); void skx_adxl_put(void) { + adxl_component_count = 0; kfree(adxl_values); kfree(adxl_msg); } -- 2.34.1

2 1

[PATCH OLK-6.6] crypto: algif_hash - fix double free in hash_accept
by Gu Bowen 15 Jul '25

15 Jul '25

From: Ivan Pravdin <ipravdin.official(a)gmail.com> stable inclusion from stable-v6.6.93 commit 134daaba93193df9e988524b5cd2f52d15eb1993 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGACQ CVE: CVE-2025-38079 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6 upstream. If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") Cc: <stable(a)vger.kernel.org> Signed-off-by: Ivan Pravdin <ipravdin.official(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- crypto/algif_hash.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index e24c829d7a01..5ab7441734b8 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -265,10 +265,6 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags, goto out_free_state; err = crypto_ahash_import(&ctx2->req, state); - if (err) { - sock_orphan(sk2); - sock_put(sk2); - } out_free_state: kfree_sensitive(state); -- 2.25.1

2 1

[PATCH OLK-5.10] crypto: algif_hash - fix double free in hash_accept
by Gu Bowen 15 Jul '25

15 Jul '25

From: Ivan Pravdin <ipravdin.official(a)gmail.com> stable inclusion from stable-v5.10.238 commit bf7bba75b91539e93615f560893a599c1e1c98bf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGACQ CVE: CVE-2025-38079 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6 upstream. If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") Cc: <stable(a)vger.kernel.org> Signed-off-by: Ivan Pravdin <ipravdin.official(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- crypto/algif_hash.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index 50f7b22f1b48..be21cfdc6dbc 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -262,10 +262,6 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags, return err; err = crypto_ahash_import(&ctx2->req, state); - if (err) { - sock_orphan(sk2); - sock_put(sk2); - } return err; } -- 2.25.1

2 1