Kernel

kernel@openeuler.org

[openeuler:OLK-5.10 2974/2974] mm/hugetlb.c:6315:14: warning: no previous prototype for 'hugetlb_alloc_hugepage_nodemask'
by kernel test robot 20 Jun '25

Hi Chen,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   0bb9efd4883938dec34f710bce07ec3ecf5a04bd
commit: 8deff3a60ce1a9dffb552210f065fc9ed6a55f84 [2974/2974] mm/sharepool: Add mg_sp_alloc_nodemask
config: arm64-randconfig-003-20250620 (https://download.01.org/0day-ci/archive/20250620/202506200232.vO3LrsSJ-lkp@…)
compiler: aarch64-linux-gcc (GCC) 11.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250620/202506200232.vO3LrsSJ-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202506200232.vO3LrsSJ-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> mm/hugetlb.c:6315:14: warning: no previous prototype for 'hugetlb_alloc_hugepage_nodemask' [-Wmissing-prototypes]
    6315 | struct page *hugetlb_alloc_hugepage_nodemask(int nid, int flag, nodemask_t *nodemask)
         |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vim +/hugetlb_alloc_hugepage_nodemask +6315 mm/hugetlb.c

  6311	
  6312	/*
  6313	 * Allocate hugepage without reserve
  6314	 */
> 6315	struct page *hugetlb_alloc_hugepage_nodemask(int nid, int flag, nodemask_t *nodemask)
  6316	{
  6317		struct hstate *h = &default_hstate;
  6318		gfp_t gfp_mask = htlb_alloc_mask(h);
  6319		struct page *page = NULL;
  6320	
  6321		if (nid == NUMA_NO_NODE)
  6322			nid = numa_mem_id();
  6323	
  6324		if (nid < 0 || nid >= MAX_NUMNODES)
  6325			return NULL;
  6326	
  6327		if (flag & ~HUGETLB_ALLOC_MASK)
  6328			return NULL;
  6329	
  6330		if (enable_charge_mighp)
  6331			gfp_mask |= __GFP_ACCOUNT;
  6332	
  6333		if (flag & HUGETLB_ALLOC_NORECLAIM)
  6334			gfp_mask &= ~__GFP_RECLAIM;
  6335	
  6336		if (flag & HUGETLB_ALLOC_NORMAL)
  6337			page = hugetlb_alloc_hugepage_normal(h, gfp_mask, nid);
  6338		else if (flag & HUGETLB_ALLOC_BUDDY)
  6339			page = alloc_migrate_huge_page(h, gfp_mask, nid, nodemask);
  6340		else
  6341			page = alloc_huge_page_nodemask(h, nid, nodemask, gfp_mask);
  6342	
  6343		return page;
  6344	}
  6345	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-5.10] cifs: fix mount deadlock by avoiding super block iteration in DFS reconnect
by Wang Zhaolong 19 Jun '25

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/ICE4PV

--------------------------------

A deadlock issue occurs when network interruption during mount triggers
DFS reconnection logic that calls iterate_supers_type(). The detailed
call process is as follows:

mount.cifs                                  cifsd
path_mount
 do_new_mount
  vfs_get_tree
   legacy_get_tree
    cifs_smb3_do_mount
     sget
      alloc_super
       down_write_nested(&s->s_umount, ..); // hold lock
     cifs_read_super
      cifs_root_iget
       cifs_get_inode_info
        smb2_query_path_info
         smb2_compound_op
          compound_send_recv
           wait_for_response // wait for cifsd to wake it up
                                            cifs_demultiplex_thread
                                             cifs_read_from_socket
                                              cifs_readv_from_socket
                                               server_unresponsive
                                                cifs_reconnect
                                                 cifs_get_tcp_super
                                                  __cifs_get_super
                                                   iterate_supers_type
                                                    down_read(&sb->s_umount); // block
                                                 mid->callback()
                                                  cifs_wake_up_task
                                                   wake_up_process // won't be executed
   do_new_mount_fc
    up_write(&sb->s_umount); // release lock here

This patch fixes the problem by doing the following:
- Add vfs_sb back-pointer to cifs_sb_info for direct access
- Protect list traversal with existing tcon->sb_list_lock
- Use atomic operations to safely manage super block references
- Remove complex callback-based iteration in favor of simple loop

Fixes: 93d5cb517db3 ("cifs: Add support for failover in cifs_reconnect()")
Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com>
---
 fs/cifs/cifs_fs_sb.h |   1 +
 fs/cifs/cifsfs.c     |   1 +
 fs/cifs/connect.c    |  10 ++--
 fs/cifs/misc.c       | 125 ++++++++++++++++++++++---------------------
 4 files changed, 71 insertions(+), 66 deletions(-)

diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h index d14002d67b6a..d180ef3f9d89 100644 --- a/fs/cifs/cifs_fs_sb.h +++ b/fs/cifs/cifs_fs_sb.h @@ -58,10 +58,11 @@ struct cifs_sb_info { struct rb_root tlink_tree; struct list_head tcon_sb_link; spinlock_t tlink_tree_lock; + struct super_block *vfs_sb; struct tcon_link *master_tlink; struct nls_table *local_nls; unsigned int bsize; unsigned int rsize; unsigned int wsize;
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index dac20bbc2786..a86a1fb34e59 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -778,10 +778,11 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) static int cifs_set_super(struct super_block *sb, void *data) { struct cifs_mnt_data *mnt_data = data; sb->s_fs_info = mnt_data->cifs_sb; + mnt_data->cifs_sb->vfs_sb = sb; return set_anon_super(sb, NULL); } static struct dentry * cifs_smb3_do_mount(struct file_system_type *fs_type, diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 56afed6d9ef8..23798ab5d5f1 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -405,16 +405,11 @@ cifs_reconnect(struct TCP_Server_Info *server) spin_lock(&GlobalMid_Lock); server->nr_targets = 1; #ifdef CONFIG_CIFS_DFS_UPCALL spin_unlock(&GlobalMid_Lock); sb = cifs_get_tcp_super(server); - if (IS_ERR(sb)) { - rc = PTR_ERR(sb); - cifs_dbg(FYI, "%s: will not do DFS failover: rc = %d\n", - __func__, rc); - sb = NULL; - } else { + if (sb) { cifs_sb = CIFS_SB(sb); rc = reconn_setup_dfs_targets(cifs_sb, &tgt_list); if (rc) { cifs_sb = NULL; if (rc != -EOPNOTSUPP) { @@ -422,10 +417,13 @@ cifs_reconnect(struct TCP_Server_Info *server) __func__); } } else { server->nr_targets = dfs_cache_get_nr_tgts(&tgt_list); } + } else { + cifs_dbg(FYI, "%s: will not do DFS failover\n", __func__); + rc = -EINVAL; } cifs_dbg(FYI, "%s: will retry %d target(s)\n", __func__, server->nr_targets); spin_lock(&GlobalMid_Lock); #endif diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index 12131a5d5073..802d792306a3 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c 
@@ -1034,66 +1034,55 @@ int copy_path_name(char *dst, const char *src) struct super_cb_data { void *data; struct super_block *sb; }; -static void tcp_super_cb(struct super_block *sb, void *arg) +struct super_block *cifs_get_tcp_super(struct TCP_Server_Info *server) { - struct super_cb_data *sd = arg; - struct TCP_Server_Info *server = sd->data; - struct cifs_sb_info *cifs_sb; + struct super_block *sb; + struct cifs_ses *ses; struct cifs_tcon *tcon; + struct cifs_sb_info *cifs_sb; - if (sd->sb) - return; + if (!server) + return NULL; - cifs_sb = CIFS_SB(sb); - tcon = cifs_sb_master_tcon(cifs_sb); - if (tcon->ses->server == server) - sd->sb = sb; -} + spin_lock(&cifs_tcp_ses_lock); + list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { + list_for_each_entry(tcon, &ses->tcon_list, tcon_list) { + spin_lock(&tcon->sb_list_lock); + list_for_each_entry(cifs_sb, &tcon->cifs_sb_list, tcon_sb_link) { + if (!cifs_sb->vfs_sb) + continue; -static struct super_block *__cifs_get_super(void (*f)(struct super_block *, void *), - void *data) -{ - struct super_cb_data sd = { - .data = data, - .sb = NULL, - }; - struct file_system_type **fs_type = (struct file_system_type *[]) { - &cifs_fs_type, &smb3_fs_type, NULL, - }; - - for (; *fs_type; fs_type++) { - iterate_supers_type(*fs_type, f, &sd); - if (sd.sb) { - /* - * Grab an active reference in order to prevent automounts (DFS links) - * of expiring and then freeing up our cifs superblock pointer while - * we're doing failover. - */ - cifs_sb_active(sd.sb); - return sd.sb; + sb = cifs_sb->vfs_sb; + + /* Safely increment s_active only if it's not zero. + * + * When s_active == 0, the super block is being deactivated + * and should not be used. This prevents UAF scenarios + * where we might grab a reference to a super block that's + * in the middle of destruction. 
+ */ + if (!atomic_add_unless(&sb->s_active, 1, 0)) + continue; + spin_unlock(&tcon->sb_list_lock); + spin_unlock(&cifs_tcp_ses_lock); + return sb; + } + spin_unlock(&tcon->sb_list_lock); } } - return ERR_PTR(-EINVAL); -} - -static void __cifs_put_super(struct super_block *sb) -{ - if (!IS_ERR_OR_NULL(sb)) - cifs_sb_deactive(sb); -} + spin_unlock(&cifs_tcp_ses_lock); -struct super_block *cifs_get_tcp_super(struct TCP_Server_Info *server) -{ - return __cifs_get_super(tcp_super_cb, server); + return NULL; } void cifs_put_tcp_super(struct super_block *sb) { - __cifs_put_super(sb); + if (!IS_ERR_OR_NULL(sb)) + deactivate_super(sb); } #ifdef CONFIG_CIFS_DFS_UPCALL int match_target_ip(struct TCP_Server_Info *server, const char *share, size_t share_len, 
@@ -1138,33 +1127,49 @@ int match_target_ip(struct TCP_Server_Info *server, kfree(tip); return rc; } -static void tcon_super_cb(struct super_block *sb, void *arg) +static inline struct super_block *cifs_get_tcon_super(struct cifs_tcon *tcon) { - struct super_cb_data *sd = arg; - struct cifs_tcon *tcon = sd->data; struct cifs_sb_info *cifs_sb; + struct super_block *sb = ERR_PTR(-EINVAL); + + if (!tcon && list_empty(&tcon->cifs_sb_list)) + return sb; + + spin_lock(&tcon->sb_list_lock); + list_for_each_entry(cifs_sb, &tcon->cifs_sb_list, tcon_sb_link) { + if (!cifs_sb->vfs_sb) + continue; + + sb = cifs_sb->vfs_sb; + + if (!tcon->dfs_path) + continue; + if (!cifs_sb->origin_fullpath) + continue; + if (strcasecmp(tcon->dfs_path, cifs_sb->origin_fullpath)) + continue; + /* + * Use atomic_add_unless to safely increment s_active. + * This ensures we don't add a reference to a super block + * that has s_active == 0 (being destroyed). + */ + if (!atomic_add_unless(&sb->s_active, 1, 0)) + continue; + break; + } + spin_unlock(&tcon->sb_list_lock); - if (sd->sb) - return; - - cifs_sb = CIFS_SB(sb); - if (tcon->dfs_path && cifs_sb->origin_fullpath && - !strcasecmp(tcon->dfs_path, cifs_sb->origin_fullpath)) - sd->sb = sb; -} - -static inline struct super_block *cifs_get_tcon_super(struct cifs_tcon *tcon) -{ - return __cifs_get_super(tcon_super_cb, tcon); + return sb; } static inline void cifs_put_tcon_super(struct super_block *sb) { - __cifs_put_super(sb); + if (!IS_ERR_OR_NULL(sb)) + deactivate_super(sb); } #else static inline struct super_block *cifs_get_tcon_super(struct cifs_tcon *tcon) { return ERR_PTR(-EOPNOTSUPP); -- 2.34.3
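Review bot: two problems in the cifs_get_tcon_super() hunk of fs/cifs/misc.c. First, the guard `if (!tcon && list_empty(&tcon->cifs_sb_list))` dereferences tcon exactly when it is NULL; the operator should be `||` (or the NULL test dropped if callers guarantee tcon). Second, `sb = cifs_sb->vfs_sb;` is assigned before the dfs_path/origin_fullpath comparison and before the atomic_add_unless() grab, so when no entry matches, or the grab fails on the last entry, the loop falls out with sb pointing at a super block on which no reference was taken, and the function returns that pointer instead of the initial ERR_PTR(-EINVAL); cifs_put_tcon_super() will then deactivate_super() a reference the caller never held. Keep the candidate in a separate local and assign sb only after atomic_add_unless() succeeds.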
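Review bot: in the cifs_get_tcp_super() hunk of fs/cifs/misc.c, `struct super_cb_data` survives as unchanged context while both of its users, tcp_super_cb() and tcon_super_cb(), are deleted, so the struct is dead and should go with them. The new walk nests tcon->sb_list_lock inside cifs_tcp_ses_lock; please confirm that the code adding and removing cifs_sb from tcon->cifs_sb_list takes the locks in the same order and unlinks tcon_sb_link under sb_list_lock before cifs_sb is freed, because `atomic_add_unless(&sb->s_active, 1, 0)` only protects the super block, not the cifs_sb the list entry lives in. The comment should also say that a super block found while its mount still holds s_umount for write may have a cifs_sb that is not fully initialised, since that is precisely the window the old iterate_supers_type() path waited out.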
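Review bot: in the fs/cifs/connect.c hunk the new `else` branch stores `rc = -EINVAL;` although nothing in the shown lines reads rc before cifs_reconnect() continues; if rc is reassigned later in the function the store is dead and should be dropped, otherwise the debug message ought to print it as the removed `"will not do DFS failover: rc = %d"` did. Since cifs_get_tcp_super() now returns NULL instead of ERR_PTR, the `IS_ERR_OR_NULL()` in cifs_put_tcp_super() is wider than needed; a plain NULL check would document the new contract.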
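Review bot: the cifsfs.c hunk sets `mnt_data->cifs_sb->vfs_sb = sb;` in cifs_set_super() but no hunk clears it on teardown; the two readers only skip entries with vfs_sb == NULL and otherwise depend on s_active being non-zero. Add a comment on the new field in the cifs_fs_sb.h hunk stating that it may only be used after a successful `atomic_add_unless(&sb->s_active, 1, 0)` under tcon->sb_list_lock, so a later reader does not dereference it directly.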
[PATCH] drm: phytium: fix NULL dereference issue in drm_gem_object_free
by Li Chen 19 Jun '25

From: Li Chen <chenl311(a)chinatelecom.cn> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICGG2A ---------------------------------------------------------------------- Syzkaller crashed kernel in drm path. The root cause is that phytium_drm_gem_object_funcs is not assigned before phytium_gem_create_object enters the failed_dma_alloc label. Let's fix this issue by assigning the function earlier. Below is the crash log: ``` [ 9042.703078] [drm:phytium_gem_create_object [phytium_dc_drm]] *ERROR* fail to allocate vram buffer with size 3de4000 [ 9042.717862] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 9042.727173] fuse: Unknown parameter '0xffffffffffffffff<r00000000000000000000' [ 9042.730383] Mem abort info: [ 9042.745443] ESR = 0x0000000096000006 [ 9042.745446] EC = 0x25: DABT (current EL), IL = 32 bits [ 9042.745448] SET = 0, FnV = 0 [ 9042.745450] EA = 0, S1PTW = 0 [ 9042.745451] FSC = 0x06: level 2 translation fault [ 9042.745453] Data abort info: [ 9042.745455] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 [ 9042.745457] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 9042.745459] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 9042.745462] user pgtable: 4k pages, 48-bit VAs, pgdp=00003000894ca000 [ 9042.745464] [0000000000000000] pgd=08003000894cb403, p4d=08003000894cb403, pud=0800300085320403, pmd=0000000000000000 [ 9042.830042] Internal error: Oops: 0000000096000006 [#1] SMP [ 9042.838310] Modules linked in: cramfs camellia_generic serpent_generic blowfish_generic blowfish_common cast5_generic cast_common des_generic libdes rmd160 tcp_bic unix_diag ansi_cprng tcp_dctcp ppp_synctty ip_set_hash_ip n_hdlc cmac pps_ldisc n_gsm nfnetlink_log slcan tcp_diag nfnetlink_cthelper atm nfsd auth_rpcgss nfs_acl twofish_generic twofish_common ccm md4 ppp_async msdos nfs lockd grace fscache crc32_generic netfs smc_diag tcp_westwood smc nfnetlink_osf vfio_iommu_type1 vfio vhost_vsock iommufd squashfs 
ib_core gfs2 snd_timer snd soundcore uhid nfnetlink_cttimeout pppoe ip_vs cuse can_bcm loop can_raw can vsock_loopback inet_diag vmw_vsock_virtio_transport_common vhost_net vhost ieee802154_socket vsock cfg80211 uinput ieee802154 vhost_iotlb pptp crypto_user l2tp_ppp pppox sctp ppp_generic slhc af_key ip6_vti ip_vti ipip sit geneve macvtap tap ipvlan macvlan hsr xfrm_interface xfrm6_tunnel tunnel4 wireguard libchacha20poly1305 chacha_neon poly1305_neon libcurve25519_generic libchacha nlmon team vcan can_dev tun [ 9042.838608] xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_addrtype nft_compat nf_tables overlay nfnetlink_queue authenc echainiv cls_matchall esp6 l2tp_ip6 l2tp_eth l2tp_ip l2tp_netlink l2tp_core br_netfilter sch_etf sch_fq dccp_ipv6 dccp_ipv4 dccp sch_ingress act_mirred cls_basic veth bonding tls esp4_offload esp4 psample macsec vxlan ip6_udp_tunnel udp_tunnel vrf 8021q garp mrp ip6_gre ip6_tunnel tunnel6 ip_gre ip_tunnel gre cls_u32 sch_htb dummy binfmt_misc bridge stp llc rfkill ip_set libcrc32c sunrpc vfat fat ipmi_si ipmi_devintf phytium_dc_drm ses enclosure ipmi_msghandler drm_display_helper scsi_transport_sas cec drm_kms_helper cppc_cpufreq sg drm fuse nfnetlink ext4 mbcache jbd2 sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 crct10dif_ce ghash_ce sm4_ce_gcm sm4_ce_ccm sm4_ce sm4_ce_cipher sm4 sm3_ce sha3_ce sha512_ce ahci sha512_arm64 sha2_ce libahci sha256_arm64 ice sha1_ce igb sbsa_gwdt libata megaraid_sas i2c_algo_bit i2c_core [ 9042.958095] dm_mirror dm_region_hash dm_log dm_multipath dm_mod aes_neon_bs aes_neon_blk aes_ce_blk aes_ce_cipher [last unloaded: nf_tables] [ 9043.094331] CPU: 39 PID: 127275 Comm: syz-executor.3 Kdump: loaded Not tainted 6.6.0-0001.rc3.ctl4.aarch64 #1 [ 9043.108430] Hardware name: vclusters VSFT5000 B/VSFT5000 B, BIOS KL4.2A.RC.D.170.240314.D.DX 03/14/2024 18:01:48 [ 9043.122832] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS 
BTYPE=--) [ 9043.132983] pc : drm_gem_object_free+0xc/0x40 [drm] [ 9043.140480] lr : phytium_gem_create_object+0x2ac/0x338 [phytium_dc_drm] [ 9043.150238] sp : ffff80009cd83bd0 [ 9043.155639] x29: ffff80009cd83bd0 x28: 00000000000000b2 x27: ffff80009cd83ce8 [ 9043.166023] x26: 0000000000000020 x25: 0000000000000020 x24: ffff80007b4b2d78 [ 9043.176292] x23: ffff00ff8de5b000 x22: 0000000003de4000 x21: 0000000000000000 [ 9043.186548] x20: ffff00ff8df94c80 x19: fffffffffffffff4 x18: ffffffffffffffff [ 9043.196768] x17: 6f74206c69616620 x16: 2a524f5252452a20 x15: 5d5d6d72645f6364 [ 9043.207193] x14: 5f6d756974796870 x13: 205d353732373231 x12: 545b5d3837303330 [ 9043.217647] x11: 00000000ffff7fff x10: ffff80008223b900 x9 : ffff80007b5cdcb4 [ 9043.228070] x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 00000000002bffa8 [ 9043.238522] x5 : ffff80008345bd08 x4 : 0000000000000000 x3 : 0000000000000000 [ 9043.248718] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff200014f5b800 [ 9043.258874] Call trace: [ 9043.263132] drm_gem_object_free+0xc/0x40 [drm] [ 9043.270239] phytium_gem_dumb_create+0x60/0x160 [phytium_dc_drm] [ 9043.279194] drm_mode_create_dumb_ioctl+0x98/0xc0 [drm] [ 9043.287188] drm_ioctl_kernel+0xdc/0x188 [drm] [ 9043.294188] drm_ioctl+0x274/0x540 [drm] [ 9043.300456] __arm64_sys_ioctl+0xb4/0x100 [ 9043.306777] invoke_syscall+0x50/0x128 [ 9043.312774] el0_svc_common.constprop.0+0xc8/0xf0 [ 9043.319953] do_el0_svc+0x24/0x38 [ 9043.325324] el0_svc+0x44/0x1b8 [ 9043.330517] el0t_64_sync_handler+0x100/0x130 [ 9043.337369] el0t_64_sync+0x188/0x190 [ 9043.343315] Code: ffff00ff aa1e03e9 952fe875 f940a001 (f9400021) [ 9043.352351] SMP: stopping secondary CPUs [ 9043.412513] Starting crashdump kernel... [ 9044.001381] Bye! 
``` Disassembler drm_gem_object_free: ``` 0xffff80007b437398 <drm_gem_object_free>: mov x9, x30 0xffff80007b43739c <drm_gem_object_free+4>: bl 0xffff800080031570 <ftrace_caller> 0xffff80007b4373a0 <drm_gem_object_free+8>: ldr x1, [x0, #320] 0xffff80007b4373a4 <drm_gem_object_free+12>: ldr x1, [x1] 0xffff80007b4373a8 <drm_gem_object_free+16>: cbz x1, 0xffff80007b4373c8 <drm_gem_object_free+48> 0xffff80007b4373ac <drm_gem_object_free+20>: paciasp 0xffff80007b4373b0 <drm_gem_object_free+24>: stp x29, x30, [sp, #-16]! 0xffff80007b4373b4 <drm_gem_object_free+28>: mov x29, sp 0xffff80007b4373b8 <drm_gem_object_free+32>: blr x1 0xffff80007b4373bc <drm_gem_object_free+36>: ldp x29, x30, [sp], #16 0xffff80007b4373c0 <drm_gem_object_free+40>: autiasp 0xffff80007b4373c4 <drm_gem_object_free+44>: ret 0xffff80007b4373c8 <drm_gem_object_free+48>: brk #0x800 0xffff80007b4373cc <drm_gem_object_free+52>: ret 0xffff80007b4373d0 <drm_gem_object_free+56>: .inst 0x865baea8 ; undefined 0xffff80007b4373d4 <drm_gem_object_free+60>: .inst 0xffff00ff ; undefined ``` ldr x1, [x1] <-- trapping instruction Signed-off-by: Li Chen <chenl311(a)chinatelecom.cn> Reviewed-by: Bin Lai <laib2(a)chinatelecom.cn> Reviewed-by: Shuo Li <lishuo(a)phytium.com.cn> --- drivers/gpu/drm/phytium/phytium_gem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/phytium/phytium_gem.c b/drivers/gpu/drm/phytium/phytium_gem.c index 2cbbcd9fbd112..95b6b0360c065 100644 --- a/drivers/gpu/drm/phytium/phytium_gem.c +++ b/drivers/gpu/drm/phytium/phytium_gem.c @@ -432,6 +432,8 @@ struct phytium_gem_object *phytium_gem_create_object(struct drm_device *dev, uns goto failed_object_init; } + phytium_gem_obj->base.funcs = &phytium_drm_gem_object_funcs; + if (priv->support_memory_type & (MEMORY_TYPE_VRAM_WC | MEMORY_TYPE_VRAM_DEVICE)) { ret = phytium_memory_pool_alloc(priv, &phytium_gem_obj->vaddr, &phytium_gem_obj->phys_addr, size); 
@@ -475,8 +477,6 @@ struct phytium_gem_object *phytium_gem_create_object(struct drm_device *dev, uns goto failed_dma_alloc; } - phytium_gem_obj->base.funcs = &phytium_drm_gem_object_funcs; - phytium_gem_obj->size = size; list_add_tail(&phytium_gem_obj->list, &priv->gem_list_head); DRM_DEBUG_KMS("phytium_gem_obj iova:0x%pa size:0x%lx\n", -- 2.49.0
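Review bot: the move is the right fix for the failed_dma_alloc path in the log, since drm_gem_object_free() loads obj->funcs and then funcs->free (the `ldr x1, [x0, #320]` / `ldr x1, [x1]` pair in the disassembly, with the second one trapping on NULL). Two follow-ups: the assignment now sits just after the `goto failed_object_init;`, so that earlier label must not reach drm_gem_object_free() either, please confirm; and the message carries no Fixes: tag naming the commit that placed the assignment after the allocation, which the stable/backport trees need to pick this up.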
[PATCH OLK-5.10] objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
by Liu Mingrui 19 Jun '25

From: Josh Poimboeuf <jpoimboe(a)kernel.org>

stable inclusion
from stable-v5.10.236
commit 976a85782246a29ba0f6d411a7a4f524cb9ea987
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC9910
CVE: CVE-2025-37937

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ]

If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result
is a divide-by-zero. Prevent that from happening.

Fixes the following warning with an UBSAN kernel:

drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()

Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
Reported-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe(a)kernel.org>
Signed-off-by: Ingo Molnar <mingo(a)kernel.org>
Cc: Mauro Carvalho Chehab <mchehab(a)kernel.org>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.17428528…
Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
 drivers/media/dvb-frontends/dib8000.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c index d67f2dd997d0..3cdf8de3f1c5 100644 --- a/drivers/media/dvb-frontends/dib8000.c +++ b/drivers/media/dvb-frontends/dib8000.c @@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz) u8 ratio; if (state->revision == 0x8090) { + u32 internal = dib8000_read32(state, 23) / 1000; + ratio = 4; - unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000); + + unit_khz_dds_val = (1<<26) / (internal ?: 1); if (offset_khz < 0) dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val); else -- 2.25.1
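Review bot: `unit_khz_dds_val = (1<<26) / (internal ?: 1);` removes the trap but silently substitutes a divisor of 1 when the register read yields 0, so unit_khz_dds_val becomes 1<<26 and the DDS is programmed with a value that cannot be right for the hardware. Matching upstream is the correct choice for a stable backport, but if a zero from dib8000_read32() indicates a failed register read, a dprintk() in the revision == 0x8090 branch would make that visible rather than masking it.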
[PATCH OLK-6.6] objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
by Liu Mingrui 19 Jun '25

From: Josh Poimboeuf <jpoimboe(a)kernel.org>

stable inclusion
from stable-v6.6.87
commit 75b42dfe87657ede3da3f279bd6b1b16d69af954
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IC8J7I
CVE: CVE-2025-37937

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ]

If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result
is a divide-by-zero. Prevent that from happening.

Fixes the following warning with an UBSAN kernel:

drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()

Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
Reported-by: kernel test robot <lkp(a)intel.com>
Signed-off-by: Josh Poimboeuf <jpoimboe(a)kernel.org>
Signed-off-by: Ingo Molnar <mingo(a)kernel.org>
Cc: Mauro Carvalho Chehab <mchehab(a)kernel.org>
Cc: Linus Torvalds <torvalds(a)linux-foundation.org>
Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.17428528…
Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Wang Hai <wanghai38(a)huawei.com>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
 drivers/media/dvb-frontends/dib8000.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c index 2f5165918163..cfe59c3255f7 100644 --- a/drivers/media/dvb-frontends/dib8000.c +++ b/drivers/media/dvb-frontends/dib8000.c
@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz) u8 ratio; if (state->revision == 0x8090) { + u32 internal = dib8000_read32(state, 23) / 1000; + ratio = 4; - unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000); + + unit_khz_dds_val = (1<<26) / (internal ?: 1); if (offset_khz < 0) dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val); else -- 2.25.1
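Review bot: the `internal ?: 1` fallback in the dib8000_set_dds() hunk avoids the division trap at the cost of programming the DDS with unit_khz_dds_val = 1<<26 whenever the register read comes back as 0; the value is arbitrary rather than derived from the tuner. Keeping the upstream form is right for this backport, but the branch would benefit from a debug print when `internal` is 0 so a failed read of register 23 does not pass unnoticed.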
[PATCH OLK-6.6 0/2] mm: pcp: increase pcp->free_count threshold to trigger free_high
by Jinjiang Tu 19 Jun '25

Nikhil Dhama (1):
  mm: pcp: increase pcp->free_count threshold to trigger free_high

Songtang Liu (1):
  mm: page_alloc: remove redundant READ_ONCE

 mm/page_alloc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.43.0
[PATCH OLK-6.6] mm:userswap: change VM_USWAP_BIT to bit 61
by Wupeng Ma 19 Jun '25

Offering: HULK
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8KESX

--------------------------------

While introducing userswap to 6.6, VM_USWAP was changed to bit 62 by
mistake. This differs from the existing bit in 5.10. Change it to bit 61
to fix this problem.

Fixes: ec6250211515 ("mm/userswap: add VM_USWAP and SWP_USERSWAP_ENTRY")
Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com>
---
 include/linux/mm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index d24d6115a9bf0..77a7d7c4c88c5 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -323,7 +323,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ #ifdef CONFIG_USERSWAP -# define VM_USWAP_BIT 62 +# define VM_USWAP_BIT 61 #define VM_USWAP BIT(VM_USWAP_BIT) #else /* !CONFIG_USERSWAP */ #define VM_USWAP VM_NONE -- 2.43.0
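Review bot: the include/linux/mm.h hunk changes VM_USWAP_BIT from 62 to 61, but the message only says that 61 is what 5.10 uses; please state why the numeric value matters (for example whether the bit is reported to userspace or shared with code that assumes the 5.10 layout) and confirm that no other VM_* flag or architecture-specific high bit in the 6.6 tree already claims bit 61, since the surrounding #define block is not part of the hunk.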
[PATCH openEuler-1.0-LTS] video: fbdev: amba-clcd: Fix refcount leak bugs
by Liu Chuang 19 Jun '25

From: Liang He <windhl(a)126.com> stable inclusion from stable-v4.19.256 commit a97ff8a949dbf41be89f436b2b1a2b3d794493df category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGA5H CVE: CVE-2022-50109 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 26c2b7d9fac42eb8317f3ceefa4c1a9a9170ca69 ] In clcdfb_of_init_display(), we should call of_node_put() for the references returned by of_graph_get_next_endpoint() and of_graph_get_remote_port_parent() which have increased the refcount. Besides, we should call of_node_put() both in fail path or when the references are not used anymore. Fixes: d10715be03bd ("video: ARM CLCD: Add DT support") Signed-off-by: Liang He <windhl(a)126.com> Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/video/fbdev/amba-clcd.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/video/fbdev/amba-clcd.c b/drivers/video/fbdev/amba-clcd.c index 38c1f324ce15..20eb93871630 100644 --- a/drivers/video/fbdev/amba-clcd.c +++ b/drivers/video/fbdev/amba-clcd.c @@ -772,8 +772,10 @@ static int clcdfb_of_init_display(struct clcd_fb *fb) return -ENODEV; panel = of_graph_get_remote_port_parent(endpoint); - if (!panel) - return -ENODEV; + if (!panel) { + err = -ENODEV; + goto out_endpoint_put; + } if (fb->vendor->init_panel) { err = fb->vendor->init_panel(fb, panel); @@ -783,11 +785,11 @@ static int clcdfb_of_init_display(struct clcd_fb *fb) err = clcdfb_of_get_backlight(panel, fb->panel); if (err) - return err; + goto out_panel_put; err = clcdfb_of_get_mode(&fb->dev->dev, panel, fb->panel); if (err) - return err; + goto out_panel_put; err = of_property_read_u32(fb->dev->dev.of_node, "max-memory-bandwidth", &max_bandwidth); 
@@ -816,11 +818,21 @@ static int clcdfb_of_init_display(struct clcd_fb *fb) if (of_property_read_u32_array(endpoint, "arm,pl11x,tft-r0g0b0-pads", - tft_r0b0g0, ARRAY_SIZE(tft_r0b0g0)) != 0) - return -ENOENT; + tft_r0b0g0, ARRAY_SIZE(tft_r0b0g0)) != 0) { + err = -ENOENT; + goto out_panel_put; + } + + of_node_put(panel); + of_node_put(endpoint); return clcdfb_of_init_tft_panel(fb, tft_r0b0g0[0], tft_r0b0g0[1], tft_r0b0g0[2]); +out_panel_put: + of_node_put(panel); +out_endpoint_put: + of_node_put(endpoint); + return err; } static int clcdfb_of_vram_setup(struct clcd_fb *fb) -- 2.34.1
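Review bot: the hunks at -772 and -783 leave old lines 780-782 untouched, which is where the error return after `err = fb->vendor->init_panel(fb, panel);` sits; if that stretch still reads `if (err) return err;`, the init_panel failure path keeps leaking both the endpoint and panel references and should jump to out_panel_put like the other error returns in the second hunk. The success path in the third hunk, which drops panel and endpoint before calling clcdfb_of_init_tft_panel() with the values already copied into tft_r0b0g0, is correct.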
[PATCH OLK-6.6] nfs: handle failure of nfs_get_lock_context in unlock path
by Li Lingfeng 19 Jun '25

stable inclusion from stable-v6.6.92 commit a6879a076b98c99c9fe747816fe1c29543442441 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGAL9 CVE: CVE-2025-38023 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ] When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: <TASK> __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? 
__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]--- Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference. Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock") Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfs/nfs4proc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 4b12e45f5753..c140427e322c 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -6880,10 +6880,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, struct nfs4_unlockdata *p; struct nfs4_state *state = lsp->ls_state; struct inode *inode = state->inode; + struct nfs_lock_context *l_ctx; p = kzalloc(sizeof(*p), GFP_KERNEL); if (p == NULL) return NULL; + l_ctx = nfs_get_lock_context(ctx); + if (!IS_ERR(l_ctx)) { + p->l_ctx = l_ctx; + } else { + kfree(p); + return NULL; + } p->arg.fh = NFS_FH(inode); p->arg.fl = &p->fl; p->arg.seqid = seqid; @@ -6891,7 +6899,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, p->lsp = lsp; /* Ensure we don't close file until we're done freeing locks! */ p->ctx = get_nfs_open_context(ctx); - p->l_ctx = nfs_get_lock_context(ctx); locks_init_lock(&p->fl); locks_copy_lock(&p->fl, fl); p->server = NFS_SERVER(inode); -- 2.46.1
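Review bot: in the nfs4_alloc_unlockdata() hunk, `if (!IS_ERR(l_ctx)) { p->l_ctx = l_ctx; } else { kfree(p); return NULL; }` reads more naturally in kernel style with the error case first, `if (IS_ERR(l_ctx)) { kfree(p); return NULL; }` followed by `p->l_ctx = l_ctx;`. Taking the lock context before get_nfs_open_context() is the right ordering, because on the early return no other reference has been acquired and kfree(p) is sufficient; the -ENOMEM carried by the ERR_PTR is dropped in favour of NULL, which matches the existing kzalloc failure return.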
[PATCH OLK-5.10] nfs: handle failure of nfs_get_lock_context in unlock path
by Li Lingfeng 19 Jun '25

stable inclusion from stable-v5.10.238 commit 4c189fd40a09a03f9a900bedb2d9064f1734d72a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICGAL9 CVE: CVE-2025-38023 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ] When memory is insufficient, the allocation of nfs_lock_context in nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) as valid and proceed to execute rpc_run_task(), this will trigger a NULL pointer dereference in nfs4_locku_prepare. For example: BUG: kernel NULL pointer dereference, address: 000000000000000c PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 Workqueue: rpciod rpc_async_schedule RIP: 0010:nfs4_locku_prepare+0x35/0xc2 Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 Call Trace: <TASK> __rpc_execute+0xbc/0x480 rpc_async_schedule+0x2f/0x40 process_one_work+0x232/0x5d0 worker_thread+0x1da/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x240 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? 
__pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: CR2: 000000000000000c ---[ end trace 0000000000000000 ]--- Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and return NULL to terminate subsequent rpc_run_task, preventing NULL pointer dereference. Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock") Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfs/nfs4proc.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 8dc77a194c62..349994e18fd6 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -6726,10 +6726,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, struct nfs4_unlockdata *p; struct nfs4_state *state = lsp->ls_state; struct inode *inode = state->inode; + struct nfs_lock_context *l_ctx; p = kzalloc(sizeof(*p), GFP_NOFS); if (p == NULL) return NULL; + l_ctx = nfs_get_lock_context(ctx); + if (!IS_ERR(l_ctx)) { + p->l_ctx = l_ctx; + } else { + kfree(p); + return NULL; + } p->arg.fh = NFS_FH(inode); p->arg.fl = &p->fl; p->arg.seqid = seqid; @@ -6737,7 +6745,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, p->lsp = lsp; /* Ensure we don't close file until we're done freeing locks! */ p->ctx = get_nfs_open_context(ctx); - p->l_ctx = nfs_get_lock_context(ctx); locks_init_lock(&p->fl); locks_copy_lock(&p->fl, fl); p->server = NFS_SERVER(inode); -- 2.46.1
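Review bot: the nfs4_alloc_unlockdata() hunk in the 5.10 version mirrors the 6.6 change apart from GFP_NOFS; the same style point applies, that `if (IS_ERR(l_ctx)) { kfree(p); return NULL; }` with `p->l_ctx = l_ctx;` after it is the usual kernel shape instead of the success-first `if (!IS_ERR(l_ctx)) ... else` block. Moving the nfs_get_lock_context() call ahead of get_nfs_open_context() also keeps the early return free of any other reference to drop, so kfree(p) alone is correct there.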