mailweb.openeuler.org
Kernel

kernel@openeuler.org

[PATCH OLK-6.6] dlm: validate length in dlm_search_rsb_tree
by Gu Bowen 03 Jun '26

From: Ezrak1e <ezrakiez(a)gmail.com> mainline inclusion from mainline-v7.0-rc1 commit 080e5563f878c64e697b89e7439d730d0daad882 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14672 CVE: CVE-2026-43125 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. Signed-off-by: Ezrak1e <ezrakiez(a)gmail.com> Signed-off-by: Alexander Aring <aahringo(a)redhat.com> Signed-off-by: David Teigland <teigland(a)redhat.com> Conflicts: fs/dlm/lock.c [Context conflicts due to commit 6c648035cbe7 ("dlm: switch to use rhashtable for rsbs") not merge.] Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- fs/dlm/lock.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c index 6712d733fc90..6c708ccbdf3c 100644 --- a/fs/dlm/lock.c +++ b/fs/dlm/lock.c @@ -444,6 +444,9 @@ int dlm_search_rsb_tree(struct rb_root *tree, const void *name, int len, struct dlm_rsb *r; int rc; + if (len > DLM_RESNAME_MAXLEN) + return -EINVAL; + while (node) { r = rb_entry(node, struct dlm_rsb, res_hashnode); rc = rsb_cmp(r, name, len); -- 2.43.0
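Review bot: The new check in dlm_search_rsb_tree() rejects len > DLM_RESNAME_MAXLEN but not a negative len, even though len is declared int in the visible signature and is then handed straight to rsb_cmp(r, name, len); consider `if (len < 0 || len > DLM_RESNAME_MAXLEN)`. The commit message also names dlm_dump_rsb_name() as the function whose len is unvalidated while the hunk patches dlm_search_rsb_tree(), so the message should say which caller path feeds the network-supplied length into the tree search, and the reviewer should confirm that callers of dlm_search_rsb_tree() propagate the new -EINVAL rather than treating every non-zero return as "not found".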
[PATCH OLK-6.6] vsock: fix buffer size clamping order
by Wupeng Ma 03 Jun '26

From: Norbert Szetei <norbert(a)doyensec.com> stable inclusion from stable-v6.6.140 commit a998a7e250bf976539e05a00ec64a81292afecaa category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15478 CVE: CVE-2026-46234 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream. In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size. Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core") Suggested-by: Stefano Garzarella <sgarzare(a)redhat.com> Signed-off-by: Norbert Szetei <norbert(a)doyensec.com> Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Cc: Luigi Leonardi <leonardi(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- net/vmw_vsock/af_vsock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index ca1289e64bcc8..187cc259f820b 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c 
@@ -1728,12 +1728,12 @@ static void vsock_update_buffer_size(struct vsock_sock *vsk, const struct vsock_transport *transport, u64 val) { - if (val > vsk->buffer_max_size) - val = vsk->buffer_max_size; - if (val < vsk->buffer_min_size) val = vsk->buffer_min_size; + if (val > vsk->buffer_max_size) + val = vsk->buffer_max_size; + if (val != vsk->buffer_size && transport && transport->notify_buffer_size) transport->notify_buffer_size(vsk, &val); -- 2.43.0
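Review bot: Reordering the two clamps makes buffer_max_size win when buffer_min_size > buffer_max_size, but the inverted configuration itself is still accepted: after this hunk a socket with min > max ends up with val below its configured minimum, which the commit message does not mention. Suggest either rejecting min > max where buffer_min_size and buffer_max_size are set, or stating in the message that the maximum takes precedence. Note also that the visible context passes &val to transport->notify_buffer_size(), so the transport can still adjust val after the clamps; this hunk only bounds the value handed to the transport.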
[PATCH OLK-5.10] fbcon: Fix the issue of uninitialized charcount in the remaining consoles
by Luo Gengkun 03 Jun '26

From: Luo Gengkun <luogengkun(a)huaweicloud.com> HULK inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9126 CVE: NA ---------------------------------------------------------------------- After commit 054a54161b88 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") was merged, using alt+ctrl+f1 to switch the tty from tty0 to tty1 results in garbled display. The reason is the vc->vc_font.charcount is 0, it is clearly an uninitialized value. The mainline is fine because commit a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") assigns the fvc->vc_font.charcount to vc->vc_font.charcount. Fixes: 06a0aaef1910 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index d0a11b7543b6..d49dc3ef4f53 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1071,6 +1071,7 @@ static void fbcon_init(struct vc_data *vc, int init) fvc->vc_font.data); vc->vc_font.width = fvc->vc_font.width; vc->vc_font.height = fvc->vc_font.height; + vc->vc_font.charcount = fvc->vc_font.charcount; p->userfont = t->userfont; if (p->userfont) -- 2.34.1
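Review bot: The commit message cites the bound-check commit as 054a54161b88 in the body but the Fixes: tag gives 06a0aaef1910 for the same title ("fbdev: bitblit: bound-check glyph index in bit_putcs*"); one of these ids is wrong for the OLK-5.10 branch, and Fixes: must name the commit actually present in this tree. The one-line hunk itself is consistent with what the message describes: it copies fvc->vc_font.charcount alongside the width and height already inherited from fvc, which is what the message says mainline a1ac250a82a5 does.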
[PATCH OLK-6.6] fbcon: Fix the issue of uninitialized charcount in the remaining consoles
by Luo Gengkun 03 Jun '26

From: Luo Gengkun <luogengkun(a)huaweicloud.com> HULK inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9126 CVE: NA ---------------------------------------------------------------------- After commit 054a54161b88 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") was merged, using alt+ctrl+f1 to switch the tty from tty0 to tty1 results in garbled display. The reason is the vc->vc_font.charcount is 0, it is clearly an uninitialized value. The mainline is fine because commit a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") assigns the fvc->vc_font.charcount to vc->vc_font.charcount. Fixes: 06a0aaef1910 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index d0a11b7543b6..d49dc3ef4f53 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1071,6 +1071,7 @@ static void fbcon_init(struct vc_data *vc, int init) fvc->vc_font.data); vc->vc_font.width = fvc->vc_font.width; vc->vc_font.height = fvc->vc_font.height; + vc->vc_font.charcount = fvc->vc_font.charcount; p->userfont = t->userfont; if (p->userfont) -- 2.34.1
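Review bot: The hunk populates charcount only on the path where the console inherits its font from fvc; the trailing context `p->userfont = t->userfont; if (p->userfont)` shows a separate user-font branch, and the message should state whether vc->vc_font.charcount is set there as well, since the title of a1ac250a82a5 quoted in the message indicates mainline stopped deriving it from FNTCHARCNT(). If that branch is left at 0, the garbled-display symptom will recur for consoles using a user-loaded font. The same body/Fixes: commit-id mismatch (054a54161b88 vs 06a0aaef1910) as in the OLK-5.10 submission applies here.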
[PATCH OLK-6.6] bpf: Avoid soft lockup in bpf_uprobe_unregister
by Pu Lehui 03 Jun '26

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9318 -------------------------------- Syzkaller report a following issue: watchdog: BUG: soft lockup - CPU#0 stuck for 109s! [syz.0.555:3563] Modules linked in: CPU: 0 PID: 3563 Comm: syz.0.555 Not tainted 6.6.0+ #80 RIP: 0010:consumer_del kernel/events/uprobes.c:789 [inline] RIP: 0010:__uprobe_unregister+0x9e/0x260 kernel/events/uprobes.c:1107 RSP: 0018:ffff888143a47a58 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffffc900156aaf78 RCX: ffffffffa7128384 RDX: 1ffff92002ad55ef RSI: 0000000000000008 RDI: ffff888120c1e050 RBP: ffffc90015504a20 R08: 0000000000000001 R09: ffffed1024183c0a R10: ffff888120c1e057 R11: ffff888100e3a058 R12: dffffc0000000000 R13: ffff888120c1e000 R14: ffffc900156aaf20 R15: ffff888120c1e080 FS: 0000000000000000(0000) GS:ffff8881e1400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd57aa2048 CR3: 000000021a742006 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <TASK> uprobe_unregister+0x62/0x90 kernel/events/uprobes.c:1131 bpf_uprobe_unregister kernel/trace/bpf_trace.c:3082 [inline] bpf_uprobe_multi_link_release+0xd5/0x1f0 kernel/trace/bpf_trace.c:3092 bpf_link_free+0x16b/0x2c0 kernel/bpf/syscall.c:2929 bpf_link_put_direct kernel/bpf/syscall.c:2969 [inline] bpf_link_release+0x68/0x80 kernel/bpf/syscall.c:2976 __fput+0x408/0xab0 fs/file_table.c:384 task_work_run+0x154/0x240 kernel/task_work.c:245 exit_task_work include/linux/task_work.h:45 [inline] do_exit+0x813/0x1140 kernel/exit.c:882 do_group_exit+0xcd/0x280 kernel/exit.c:1023 get_signal+0x185b/0x1910 kernel/signal.c:2908 arch_do_signal_or_restart+0x83/0x3b0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x20b/0x220 kernel/entry/common.c:218 do_syscall_64+0x66/0x110 
arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The reason is that syzkaller attempts to unregister 287088 uprobes when CONFIG_PREEMPT_NONE. Let's add cond_resched to avoid soft lockup in bpf_uprobe_unregister. Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/trace/bpf_trace.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c index 768159fad93c..435f078782e2 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -3077,6 +3077,7 @@ static void bpf_uprobe_unregister(struct path *path, struct bpf_uprobe *uprobes, for (i = 0; i < cnt; i++) { uprobe_unregister(d_real_inode(path->dentry), uprobes[i].offset, &uprobes[i].consumer); + cond_resched(); } } -- 2.34.1
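Review bot: cond_resched() inside the unregister loop only keeps the watchdog from firing; per the message the release still performs 287088 serial uprobe_unregister() calls from task_work at process exit, so the patch should say why that latency is acceptable or whether cnt should be bounded when the multi-uprobe link is attached. The placement is safe with respect to context: the visible call trace reaches bpf_uprobe_unregister() from __fput()/task_work_run(), i.e. sleepable process context, and the call is added after uprobe_unregister() returns rather than between the d_real_inode() lookup and the call that consumes it.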
[PATCH OLK-5.10] netfilter: nft_ct: fix use-after-free in timeout object destroy
by superdcc97@163.com 02 Jun '26

From: Tuan Do <tuan(a)calif.io> stable inclusion from stable-v5.10.253 commit c458fc1c278a65ad5381083121d39a479973ebed category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14407 CVE: CVE-2026-31665 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit f8dca15a1b190787bbd03285304b569631160eda upstream. nft_ct_timeout_obj_destroy() frees the timeout object with kfree() immediately after nf_ct_untimeout(), without waiting for an RCU grace period. Concurrent packet processing on other CPUs may still hold RCU-protected references to the timeout object obtained via rcu_dereference() in nf_ct_timeout_data(). Add an rcu_head to struct nf_ct_timeout and use kfree_rcu() to defer freeing until after an RCU grace period, matching the approach already used in nfnetlink_cttimeout.c. KASAN report: BUG: KASAN: slab-use-after-free in nf_conntrack_tcp_packet+0x1381/0x29d0 Read of size 4 at addr ffff8881035fe19c by task exploit/80 Call Trace: nf_conntrack_tcp_packet+0x1381/0x29d0 nf_conntrack_in+0x612/0x8b0 nf_hook_slow+0x70/0x100 __ip_local_out+0x1b2/0x210 tcp_sendmsg_locked+0x722/0x1580 __sys_sendto+0x2d8/0x320 Allocated by task 75: nft_ct_timeout_obj_init+0xf6/0x290 nft_obj_init+0x107/0x1b0 nf_tables_newobj+0x680/0x9c0 nfnetlink_rcv_batch+0xc29/0xe00 Freed by task 26: nft_obj_destroy+0x3f/0xa0 nf_tables_trans_destroy_work+0x51c/0x5c0 process_one_work+0x2c4/0x5a0 Fixes: 7e0b2b57f01d ("netfilter: nft_ct: add ct timeout support") Cc: stable(a)vger.kernel.org Signed-off-by: Tuan Do <tuan(a)calif.io> Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- include/net/netfilter/nf_conntrack_timeout.h | 1 + net/netfilter/nft_ct.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h index 659b0ea25b4d..16e024ca1587 100644 --- a/include/net/netfilter/nf_conntrack_timeout.h +++ b/include/net/netfilter/nf_conntrack_timeout.h @@ -14,6 +14,7 @@ struct nf_ct_timeout { __u16 l3num; const struct nf_conntrack_l4proto *l4proto; + struct rcu_head rcu; char data[]; }; diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index e0fa3e73fed4..2ac4c6b16459 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -934,7 +934,7 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, nf_queue_nf_hook_drop(ctx->net); nf_ct_untimeout(ctx->net, timeout); nf_ct_netns_put(ctx->net, ctx->family); - kfree(priv->timeout); + kfree_rcu(priv->timeout, rcu); } static int nft_ct_timeout_obj_dump(struct sk_buff *skb, -- 2.43.0
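Review bot: In the nf_conntrack_timeout.h hunk, `struct rcu_head rcu` is inserted immediately before the flexible array `char data[]`, which shifts the offset of data; allocations sized as sizeof(struct nf_ct_timeout) plus the data length keep working, but any code that computes the data offset by hand or copies these objects with a fixed size would not, so the allocation sites (nft_ct_timeout_obj_init() in the KASAN trace and the nfnetlink_cttimeout path the message cites) should be checked in the OLK-5.10 tree.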
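Review bot: For the nft_ct.c hunk, kfree_rcu(priv->timeout, rcu) is only sufficient because nf_ct_untimeout() in the visible context above it has already unpublished the pointer, so no new rcu_dereference() can pick the object up during the grace period; the message should state that no other path republishes priv->timeout after nf_ct_untimeout(). The rcu_head member name passed to kfree_rcu() must match the field added in the header hunk (`rcu`), which it does.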
[PATCH OLK-6.6] vsock: fix buffer size clamping order
by Wupeng Ma 02 Jun '26

From: Norbert Szetei <norbert(a)doyensec.com> stable inclusion from stable-v6.6.140 commit a998a7e250bf976539e05a00ec64a81292afecaa category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9194 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream. In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size. Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core") Suggested-by: Stefano Garzarella <sgarzare(a)redhat.com> Signed-off-by: Norbert Szetei <norbert(a)doyensec.com> Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Cc: Luigi Leonardi <leonardi(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yuan Can <yuancan(a)huawei.com> --- net/vmw_vsock/af_vsock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index ca1289e64bcc8..187cc259f820b 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c 
@@ -1728,12 +1728,12 @@ static void vsock_update_buffer_size(struct vsock_sock *vsk, const struct vsock_transport *transport, u64 val) { - if (val > vsk->buffer_max_size) - val = vsk->buffer_max_size; - if (val < vsk->buffer_min_size) val = vsk->buffer_min_size; + if (val > vsk->buffer_max_size) + val = vsk->buffer_max_size; + if (val != vsk->buffer_size && transport && transport->notify_buffer_size) transport->notify_buffer_size(vsk, &val); -- 2.43.0
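Review bot: This hunk is byte-for-byte the same change as the other OLK-6.6 submission of upstream d114bfdc9b76 on this list (by Wupeng Ma, 03 Jun '26, bugzilla src-openeuler/kernel/issues/15478, which also carries the CVE-2026-46234 line this header omits), so the two should be reconciled before merge: keep one, and carry the CVE and both bugzilla references in its header. The hunk itself matches the upstream diff stat (3 insertions, 3 deletions); no code concern beyond the min > max configuration remaining accepted.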
[PATCH OLK-5.10] xfrm: prevent policy_hthresh.work from racing with netns teardown
by superdcc97@163.com 02 Jun '26

From: Minwoo Ra <raminwo0202(a)gmail.com> mainline inclusion from mainline-v7.0-rc6 commit 29fe3a61bcdce398ee3955101c39f89c01a8a77e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14251 CVE: CVE-2026-31516 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net. Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink") Signed-off-by: Minwoo Ra <raminwo0202(a)gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/xfrm/xfrm_policy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index c7a827d4265c..98a8f2623ec7 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -4113,6 +4113,8 @@ static void xfrm_policy_fini(struct net *net) unsigned int sz; int dir; + cancel_work_sync(&net->xfrm.policy_hthresh.work); + flush_work(&net->xfrm.policy_hash_work); #ifdef CONFIG_XFRM_SUB_POLICY xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false); -- 2.43.0
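Review bot: The hunk uses cancel_work_sync() where the cited mainline commit 29fe3a61bcdc uses disable_work_sync(), but unlike the openEuler-1.0-LTS submission of the same fix this patch carries no Conflicts: section documenting the substitution; add one. The difference matters: cancel_work_sync() waits for a running xfrm_hash_rebuild() and drops a pending one, but does not stop a later queue_work() from a racing XFRM_MSG_NEWSPDINFO, so the note should also say why no such request can arrive once xfrm_policy_fini() runs for that net.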
[PATCH openEuler-1.0-LTS] xfrm: prevent policy_hthresh.work from racing with netns teardown
by superdcc97@163.com 02 Jun '26

From: Minwoo Ra <raminwo0202(a)gmail.com> mainline inclusion from mainline-v7.0-rc6 commit 29fe3a61bcdce398ee3955101c39f89c01a8a77e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14251 CVE: CVE-2026-31516 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net. Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink") Signed-off-by: Minwoo Ra <raminwo0202(a)gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Conflicts: net/xfrm/xfrm_policy.c [openEuler-1.0-LTS does not have disable_work_sync() API, use cancel_work_sync() instead. The target kernel's xfrm_policy_fini() function lacks struct xfrm_pol_inexact_bin related code which exists in mainline.] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/xfrm/xfrm_policy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 5d635f005ab7..9057e806c890 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c 
@@ -2878,6 +2878,8 @@ static void xfrm_policy_fini(struct net *net) unsigned int sz; int dir; + cancel_work_sync(&net->xfrm.policy_hthresh.work); + flush_work(&net->xfrm.policy_hash_work); #ifdef CONFIG_XFRM_SUB_POLICY xfrm_policy_flush(net, XFRM_POLICY_TYPE_SUB, false); -- 2.43.0
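Review bot: The Conflicts: note correctly records the cancel_work_sync() substitution, but cancel_work_sync() only cancels pending work and waits for a running callback; it does not block a subsequent queue_work() the way disable_work_sync() does, so the note should state why no XFRM_MSG_NEWSPDINFO handler can still queue policy_hthresh.work after this point in netns teardown. Placing the cancel before the existing flush_work(&net->xfrm.policy_hash_work) is fine.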
[PATCH openEuler-1.0-LTS] net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
by superdcc97@163.com 02 Jun '26

From: Koichiro Den <den(a)valinux.co.jp> mainline inclusion from mainline-v7.0-rc3 commit 7f083faf59d14c04e01ec05a7507f036c965acf8 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13941 CVE: CVE-2026-23340 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for queues which will no longer be used. qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with qdisc_lock(). However, for lockless qdiscs, the dequeue path is serialized by qdisc_run_begin/end() using qdisc->seqlock instead, so qdisc_reset() can run concurrently with __qdisc_run() and free skbs while they are still being dequeued, leading to UAF. This can easily be reproduced on e.g. virtio-net by imposing heavy traffic while frequently changing the number of queue pairs: iperf3 -ub0 -c $peer -t 0 & while :; do ethtool -L eth0 combined 1 ethtool -L eth0 combined 2 done With KASAN enabled, this leads to reports like: BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760 ... Call Trace: <TASK> ... __qdisc_run+0x133f/0x1760 __dev_queue_xmit+0x248f/0x3550 ip_finish_output2+0xa42/0x2110 ip_output+0x1a7/0x410 ip_send_skb+0x2e6/0x480 udp_send_skb+0xb0a/0x1590 udp_sendmsg+0x13c9/0x1fc0 ... </TASK> Allocated by task 1270 on cpu 5 at 44.558414s: ... alloc_skb_with_frags+0x84/0x7c0 sock_alloc_send_pskb+0x69a/0x830 __ip_append_data+0x1b86/0x48c0 ip_make_skb+0x1e8/0x2b0 udp_sendmsg+0x13a6/0x1fc0 ... Freed by task 1306 on cpu 3 at 44.558445s: ... kmem_cache_free+0x117/0x5e0 pfifo_fast_reset+0x14d/0x580 qdisc_reset+0x9e/0x5f0 netif_set_real_num_tx_queues+0x303/0x840 virtnet_set_channels+0x1bf/0x260 [virtio_net] ethnl_set_channels+0x684/0xae0 ethnl_default_set_doit+0x31a/0x890 ... 
Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by taking qdisc->seqlock for TCQ_F_NOLOCK qdiscs, matching the serialization model already used by dev_reset_queue(). Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state reflects an empty queue, avoiding needless re-scheduling. Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") Signed-off-by: Koichiro Den <den(a)valinux.co.jp> Link: https://patch.msgid.link/20260228145307.3955532-1-den@valinux.co.jp Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: include/net/sch_generic.h [Omitted clear_bit(__QDISC_STATE_MISSED) and clear_bit(__QDISC_STATE_DRAINING) as these states do not exist in openEuler-1.0-LTS.] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- include/net/sch_generic.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h index cb9c6f1a9569..19abc08b305e 100644 --- a/include/net/sch_generic.h +++ b/include/net/sch_generic.h @@ -629,13 +629,20 @@ static inline bool skb_skip_tc_classify(struct sk_buff *skb) static inline void qdisc_reset_all_tx_gt(struct net_device *dev, unsigned int i) { struct Qdisc *qdisc; + bool nolock; for (; i < dev->num_tx_queues; i++) { qdisc = rtnl_dereference(netdev_get_tx_queue(dev, i)->qdisc); if (qdisc) { + nolock = qdisc->flags & TCQ_F_NOLOCK; + + if (nolock) + spin_lock_bh(&qdisc->seqlock); spin_lock_bh(qdisc_lock(qdisc)); qdisc_reset(qdisc); spin_unlock_bh(qdisc_lock(qdisc)); + if (nolock) + spin_unlock_bh(&qdisc->seqlock); } } } -- 2.43.0
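Review bot: The commit message says the change also clears QDISC_STATE_NON_EMPTY after qdisc_reset(), but the hunk contains no clear_bit() at all (all 7 insertions are the nolock/seqlock lines), and the Conflicts: note only explains dropping __QDISC_STATE_MISSED and __QDISC_STATE_DRAINING; either __QDISC_STATE_NON_EMPTY also does not exist in openEuler-1.0-LTS, in which case say so in Conflicts:, or the clear was lost in the backport. The lock order in the hunk (qdisc->seqlock taken before qdisc_lock() and released after it) matches the dev_reset_queue() model the message cites.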