- Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 1782/1782] mm/page_alloc.c:3005: warning: Function parameter or member 'mt' not described in '__putback_isolated_page'
by kernel test robot 15 Sep '25

15 Sep '25

Hi Alexander, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 8975e9a49fdd2f6402cc5fe68bc08d3c2b7a35a5 commit: 91bac2310ae7eca9d9869222c96fcc3d02851eea [1782/1782] mm: add function __putback_isolated_page config: arm64-allnoconfig (https://download.01.org/0day-ci/archive/20250915/202509152248.Glnloqtx-lkp@…) compiler: aarch64-linux-gcc (GCC) 15.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250915/202509152248.Glnloqtx-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202509152248.Glnloqtx-lkp@intel.com/ All warnings (new ones prefixed by >>): In function '__cmpxchg_case_acq_4', inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1, inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8, inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2, inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2, inlined from 'spin_lock' at include/linux/spinlock.h:329:2, inlined from '__build_all_zonelists' at mm/page_alloc.c:5529:2: arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=] 259 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE' 283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory") | ^~~~~~~~~~~~~~ mm/page_alloc.c: In function '__build_all_zonelists': mm/page_alloc.c:5527:32: note: object 'lock' of size 4 5527 | static DEFINE_SPINLOCK(lock); | ^~~~ include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK' 81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x) | ^ In function '__cmpxchg_case_acq_4', inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1, inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8, inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2, inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2, inlined from 'spin_lock' at include/linux/spinlock.h:329:2, inlined from 'adjust_managed_page_count' at mm/page_alloc.c:7188:2: arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=] 259 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE' 283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory") | ^~~~~~~~~~~~~~ mm/page_alloc.c: In function 'adjust_managed_page_count': mm/page_alloc.c:127:24: note: object 'managed_page_count_lock' of size 4 127 | static DEFINE_SPINLOCK(managed_page_count_lock); | ^~~~~~~~~~~~~~~~~~~~~~~ include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK' 81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x) | ^ In function '__cmpxchg_case_acq_4', inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1, inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8, inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2, inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2, inlined from 'spin_lock' at include/linux/spinlock.h:329:2, inlined from 'adjust_managed_page_count' at mm/page_alloc.c:7188:2: arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=] 259 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE' 283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory") | ^~~~~~~~~~~~~~ mm/page_alloc.c: In function 'adjust_managed_page_count': mm/page_alloc.c:127:24: note: object 'managed_page_count_lock' of size 4 127 | static DEFINE_SPINLOCK(managed_page_count_lock); | ^~~~~~~~~~~~~~~~~~~~~~~ include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK' 81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x) | ^ In function '__cmpxchg_case_acq_4', inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1, inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8, inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2, inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2, inlined from 'spin_lock' at include/linux/spinlock.h:329:2, inlined from 'setup_per_zone_wmarks' at mm/page_alloc.c:7504:2: arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=] 259 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE' 283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory") | ^~~~~~~~~~~~~~ mm/page_alloc.c: In function 'setup_per_zone_wmarks': mm/page_alloc.c:7502:32: note: object 'lock' of size 4 7502 | static DEFINE_SPINLOCK(lock); | ^~~~ include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK' 81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x) | ^ In function '__cmpxchg_case_acq_4', inlined from '__cmpxchg_acq' at arch/arm64/include/asm/cmpxchg.h:141:1, inlined from 'queued_spin_lock' at include/asm-generic/qspinlock.h:85:8, inlined from 'do_raw_spin_lock' at include/linux/spinlock.h:180:2, inlined from '__raw_spin_lock' at include/linux/spinlock_api_smp.h:143:2, inlined from 'spin_lock' at include/linux/spinlock.h:329:2, inlined from 'setup_per_zone_wmarks' at mm/page_alloc.c:7504:2: arch/arm64/include/asm/atomic_ll_sc.h:259:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'spinlock_t[1]' {aka 'struct spinlock[1]'} [-Warray-bounds=] 259 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_ll_sc.h:283:1: note: in expansion of macro '__CMPXCHG_CASE' 283 | __CMPXCHG_CASE(w, , acq_4, , a, , "memory") | ^~~~~~~~~~~~~~ mm/page_alloc.c: In function 'setup_per_zone_wmarks': mm/page_alloc.c:7502:32: note: object 'lock' of size 4 7502 | static DEFINE_SPINLOCK(lock); | ^~~~ include/linux/spinlock_types.h:81:44: note: in definition of macro 'DEFINE_SPINLOCK' 81 | #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x) | ^ >> mm/page_alloc.c:3005: warning: Function parameter or member 'mt' not described in '__putback_isolated_page' vim +3005 mm/page_alloc.c 2995 2996 /** 2997 * __putback_isolated_page - Return a now-isolated page back where we got it 2998 * @page: Page that was isolated 2999 * @order: Order of the isolated page 3000 * 3001 * This function is meant to return a page pulled from the free lists via 3002 * __isolate_free_page back to the free lists they were pulled from. 3003 */ 3004 void __putback_isolated_page(struct page *page, unsigned int order, int mt) > 3005 { 3006 struct zone *zone = page_zone(page); 3007 3008 /* zone lock should be held when this function is called */ 3009 lockdep_assert_held(&zone->lock); 3010 3011 /* Return isolated page to tail of freelist. */ 3012 __free_one_page(page, page_to_pfn(page), zone, order, mt); 3013 } 3014 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] pNFS: Fix uninited ptr deref in block/scsi layout
by Chen Jinghuang 15 Sep '25

15 Sep '25

From: Sergey Bashirov <sergeybashirov(a)gmail.com> [ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ] stable inclusion form stable-v6.6.103 commit 24334f3cf8a294f253071b5bf22d754dbb6d0f2d categpry: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGG2 CVE: CVE-2025-38691 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?24… -------------------------------- The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_commitdata() is called on every iteration and tries to put pages in the array, thus dereferencing uninitialized pointers. An additional problem is that there is no limit on the maximum possible buffer_size. When there are too many extents, the client may create a layoutcommit that is larger than the maximum possible RPC size accepted by the server. During testing, we observed two typical scenarios. First, one memory page for extents is enough when we work with small files, append data to the end of the file, or preallocate extents before writing. But when we fill a new large file without preallocating, the number of extents can be huge, and counting the number of written extents in ext_tree_encode_commit() does not help much. Since this number increases even more between unlocking and locking of ext_tree, the reallocated buffer may not be large enough again and again. Co-developed-by: Konstantin Evtushenko <koevtushenko(a)yandex.com> Signed-off-by: Konstantin Evtushenko <koevtushenko(a)yandex.com> Signed-off-by: Sergey Bashirov <sergeybashirov(a)gmail.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com Signed-off-by: Trond Myklebust <trond.myklebust(a)hammerspace.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c index 7a57ff2528af..055ec818eaaa 100644 --- a/fs/nfs/blocklayout/extent_tree.c +++ b/fs/nfs/blocklayout/extent_tree.c @@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p, return ret; } +/** + * ext_tree_prepare_commit - encode extents that need to be committed + * @arg: layout commit data + * + * Return values: + * %0: Success, all required extents are encoded + * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit + * %-ENOMEM: Out of memory, extents not encoded + */ int ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) { @@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) start_p = page_address(arg->layoutupdate_page); arg->layoutupdate_pages = &arg->layoutupdate_page; -retry: - ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten); + ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, + &count, &arg->lastbytewritten); if (unlikely(ret)) { ext_tree_free_commitdata(arg, buffer_size); - buffer_size = ext_tree_layoutupdate_size(bl, count); + buffer_size = NFS_SERVER(arg->inode)->wsize; count = 0; arg->layoutupdate_pages = @@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) return -ENOMEM; } - goto retry; + ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, + &count, &arg->lastbytewritten); } *start_p = cpu_to_be32(count); @@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) } dprintk("%s found %zu ranges\n", __func__, count); - return 0; + return ret; } void -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
by Zheng Qixing 15 Sep '25

15 Sep '25

From: Showrya M N <showrya(a)chelsio.com> mainline inclusion from mainline-v6.17-rc1 commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGGE CVE: CVE-2025-38700 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------ In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid pointer dereference during connection teardown. Fix by setting iscsi_conn->dd_data only if memory is actually allocated. Panic trace: ------------ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers BUG: unable to handle page fault for address: fffffffffffffff8 RIP: 0010:swake_up_locked.part.5+0xa/0x40 Call Trace: complete+0x31/0x40 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] ? netlink_lookup+0x12f/0x1b0 ? netlink_deliver_tap+0x2c/0x200 netlink_unicast+0x1ab/0x280 netlink_sendmsg+0x257/0x4f0 ? _copy_from_user+0x29/0x60 sock_sendmsg+0x5f/0x70 Signed-off-by: Showrya M N <showrya(a)chelsio.com> Signed-off-by: Potnuri Bharat Teja <bharat(a)chelsio.com> Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com Reviewed-by: Chris Leech <cleech(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflicts: drivers/scsi/libiscsi.c [Due to not merging commit ebfe3e0c5e80 ("scsi: libiscsi: Remove unnecessary memset() in iscsi_conn_setup()").] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/libiscsi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 82975fa7e7f0..cce3def6daff 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -3105,7 +3105,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, conn = cls_conn->dd_data; memset(conn, 0, sizeof(*conn) + dd_size); - conn->dd_data = cls_conn->dd_data + sizeof(*conn); + if (dd_size) + conn->dd_data = cls_conn->dd_data + sizeof(*conn); conn->session = session; conn->cls_conn = cls_conn; conn->c_stage = ISCSI_CONN_INITIAL_STAGE; -- 2.39.2

2 1

[PATCH OLK-5.10] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
by Zheng Qixing 15 Sep '25

15 Sep '25

From: Showrya M N <showrya(a)chelsio.com> mainline inclusion from mainline-v6.17-rc1 commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGGE CVE: CVE-2025-38700 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------ In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid pointer dereference during connection teardown. Fix by setting iscsi_conn->dd_data only if memory is actually allocated. Panic trace: ------------ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers BUG: unable to handle page fault for address: fffffffffffffff8 RIP: 0010:swake_up_locked.part.5+0xa/0x40 Call Trace: complete+0x31/0x40 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] ? netlink_lookup+0x12f/0x1b0 ? netlink_deliver_tap+0x2c/0x200 netlink_unicast+0x1ab/0x280 netlink_sendmsg+0x257/0x4f0 ? _copy_from_user+0x29/0x60 sock_sendmsg+0x5f/0x70 Signed-off-by: Showrya M N <showrya(a)chelsio.com> Signed-off-by: Potnuri Bharat Teja <bharat(a)chelsio.com> Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com Reviewed-by: Chris Leech <cleech(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Conflicts: drivers/scsi/libiscsi.c [Due to not merging commit ebfe3e0c5e80 ("scsi: libiscsi: Remove unnecessary memset() in iscsi_conn_setup()").] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/libiscsi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index f1809282b67f..989a5adb9082 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -3068,7 +3068,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, conn = cls_conn->dd_data; memset(conn, 0, sizeof(*conn) + dd_size); - conn->dd_data = cls_conn->dd_data + sizeof(*conn); + if (dd_size) + conn->dd_data = cls_conn->dd_data + sizeof(*conn); conn->session = session; conn->cls_conn = cls_conn; conn->c_stage = ISCSI_CONN_INITIAL_STAGE; -- 2.39.2

2 1

[PATCH OLK-6.6] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
by Zheng Qixing 15 Sep '25

15 Sep '25

From: Showrya M N <showrya(a)chelsio.com> mainline inclusion from mainline-v6.17-rc1 commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGGE CVE: CVE-2025-38700 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------ In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid pointer dereference during connection teardown. Fix by setting iscsi_conn->dd_data only if memory is actually allocated. Panic trace: ------------ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers BUG: unable to handle page fault for address: fffffffffffffff8 RIP: 0010:swake_up_locked.part.5+0xa/0x40 Call Trace: complete+0x31/0x40 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] ? netlink_lookup+0x12f/0x1b0 ? netlink_deliver_tap+0x2c/0x200 netlink_unicast+0x1ab/0x280 netlink_sendmsg+0x257/0x4f0 ? _copy_from_user+0x29/0x60 sock_sendmsg+0x5f/0x70 Signed-off-by: Showrya M N <showrya(a)chelsio.com> Signed-off-by: Potnuri Bharat Teja <bharat(a)chelsio.com> Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com Reviewed-by: Chris Leech <cleech(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/libiscsi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index edb732d60c90..55c38a38910c 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -3201,7 +3201,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, return NULL; conn = cls_conn->dd_data; - conn->dd_data = cls_conn->dd_data + sizeof(*conn); + if (dd_size) + conn->dd_data = cls_conn->dd_data + sizeof(*conn); conn->session = session; conn->cls_conn = cls_conn; conn->c_stage = ISCSI_CONN_INITIAL_STAGE; -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] gfs2: Validate i_depth for exhash directories
by Zizhi Wo 15 Sep '25

15 Sep '25

From: Andrew Price <anprice(a)redhat.com> stable inclusion from stable-v6.12.43 commit 53a0249d68a210c16e961b83adfa82f94ee0a53d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGGP CVE: CVE-2025-38710 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 557c024ca7250bb65ae60f16c02074106c2f197b ] A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at: index = hash >> (32 - dip->i_depth); As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2_dinode_in(). Values greater than the maximum are already being checked for there. Also switch the calculation in dir_make_exhash() to use ilog2() to clarify how the depth is calculated. Tested with the syzkaller repro.c and xfstests '-g quick'. Reported-by: syzbot+4708579bb230a0582a57(a)syzkaller.appspotmail.com Fixes: b3b94faa5fe5 ("[GFS2] The core of GFS2") Signed-off-by: Andrew Price <anprice(a)redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/gfs2/glops.c [Simple context conflicts do not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/gfs2/dir.c | 6 ++---- fs/gfs2/glops.c | 5 +++++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c index e37002560c11..0cf704b2b08a 100644 --- a/fs/gfs2/dir.c +++ b/fs/gfs2/dir.c @@ -63,6 +63,7 @@ #include <linux/crc32.h> #include <linux/vmalloc.h> #include <linux/bio.h> +#include <linux/log2.h> #include "gfs2.h" #include "incore.h" @@ -914,7 +915,6 @@ static int dir_make_exhash(struct inode *inode) struct qstr args; struct buffer_head *bh, *dibh; struct gfs2_leaf *leaf; - int y; u32 x; __be64 *lp; u64 bn; @@ -981,9 +981,7 @@ static int dir_make_exhash(struct inode *inode) i_size_write(inode, sdp->sd_sb.sb_bsize / 2); gfs2_add_inode_blocks(&dip->i_inode, 1); dip->i_diskflags |= GFS2_DIF_EXHASH; - - for (x = sdp->sd_hash_ptrs, y = -1; x; x >>= 1, y++) ; - dip->i_depth = y; + dip->i_depth = ilog2(sdp->sd_hash_ptrs); gfs2_dinode_out(dip, dibh->b_data); diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c index c63bee9adb6a..be6839451aaf 100644 --- a/fs/gfs2/glops.c +++ b/fs/gfs2/glops.c @@ -14,6 +14,7 @@ #include <linux/bio.h> #include <linux/posix_acl.h> #include <linux/security.h> +#include <linux/log2.h> #include "gfs2.h" #include "incore.h" @@ -337,6 +338,7 @@ static int inode_go_demote_ok(const struct gfs2_glock *gl) static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); const struct gfs2_dinode *str = buf; struct timespec64 atime; u16 height, depth; @@ -383,6 +385,9 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) depth = be16_to_cpu(str->di_depth); if (unlikely(depth > GFS2_DIR_MAX_DEPTH)) goto corrupt; + if ((ip->i_diskflags & GFS2_DIF_EXHASH) && + depth < ilog2(sdp->sd_hash_ptrs)) + goto corrupt; ip->i_depth = (u8)depth; ip->i_entries = be32_to_cpu(str->di_entries); -- 2.39.2

2 1

[PATCH OLK-6.6] arm64: Do not enable hardware xcall/xint in guest temporarily
by Jinjie Ruan 15 Sep '25

15 Sep '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/release-management/issues/IBV2E4 -------------------------------- Hardware xcall/xint in guest need ID register to do Virtual Machine migration, but currently 1650 do not use the ID register to identify hardware xcall/xint feature, which will be supported by AIDR_EL1.xcall in the next generation, so check the bit in EL1 to avoid the problem in guest. Fixes: 7f2e02718bba ("arm64: entry: Support hardware xcall and xint") Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- arch/arm64/kernel/cpufeature.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 5c9d2f98e488..a71dbd3aa489 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2443,14 +2443,25 @@ static void mpam_extra_caps(void) #include <asm/xcall.h> DEFINE_STATIC_KEY_FALSE(xcall_enable); +#define AIDR_ELx_XCALL_SHIFT 32 +#define AIDR_ELx_XCALL (UL(1) << AIDR_ELx_XCALL_SHIFT) + static bool is_arch_xcall_xint_support(void) { + u64 aidr_el1 = read_sysreg_s(SYS_AIDR_EL1); + u64 el = read_sysreg(CurrentEL); + /* List of CPUs that support Xcall/Xint */ static const struct midr_range xcall_xint_cpus[] = { MIDR_ALL_VERSIONS(MIDR_HISI_HIP12), { /* sentinel */ } }; + if (el == CurrentEL_EL1) { + if (!(aidr_el1 & AIDR_ELx_XCALL)) + return false; + } + if (is_midr_in_range_list(read_cpuid_id(), xcall_xint_cpus)) return true; -- 2.34.1

2 1

[PATCH OLK-6.6] gfs2: Validate i_depth for exhash directories
by Zizhi Wo 15 Sep '25

15 Sep '25

From: Andrew Price <anprice(a)redhat.com> stable inclusion from stable-v6.12.43 commit 53a0249d68a210c16e961b83adfa82f94ee0a53d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGGP CVE: CVE-2025-38710 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 557c024ca7250bb65ae60f16c02074106c2f197b ] A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at: index = hash >> (32 - dip->i_depth); As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2_dinode_in(). Values greater than the maximum are already being checked for there. Also switch the calculation in dir_make_exhash() to use ilog2() to clarify how the depth is calculated. Tested with the syzkaller repro.c and xfstests '-g quick'. Reported-by: syzbot+4708579bb230a0582a57(a)syzkaller.appspotmail.com Fixes: b3b94faa5fe5 ("[GFS2] The core of GFS2") Signed-off-by: Andrew Price <anprice(a)redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/gfs2/glops.c [Simple context conflicts do not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/gfs2/dir.c | 6 ++---- fs/gfs2/glops.c | 4 ++++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c index 3a2a10d6d43d..162e7ef972be 100644 --- a/fs/gfs2/dir.c +++ b/fs/gfs2/dir.c @@ -60,6 +60,7 @@ #include <linux/crc32.h> #include <linux/vmalloc.h> #include <linux/bio.h> +#include <linux/log2.h> #include "gfs2.h" #include "incore.h" @@ -909,7 +910,6 @@ static int dir_make_exhash(struct inode *inode) struct qstr args; struct buffer_head *bh, *dibh; struct gfs2_leaf *leaf; - int y; u32 x; __be64 *lp; u64 bn; @@ -976,9 +976,7 @@ static int dir_make_exhash(struct inode *inode) i_size_write(inode, sdp->sd_sb.sb_bsize / 2); gfs2_add_inode_blocks(&dip->i_inode, 1); dip->i_diskflags |= GFS2_DIF_EXHASH; - - for (x = sdp->sd_hash_ptrs, y = -1; x; x >>= 1, y++) ; - dip->i_depth = y; + dip->i_depth = ilog2(sdp->sd_hash_ptrs); gfs2_dinode_out(dip, dibh->b_data); diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c index 1c854d4e2d49..21fbe6f5a780 100644 --- a/fs/gfs2/glops.c +++ b/fs/gfs2/glops.c @@ -11,6 +11,7 @@ #include <linux/bio.h> #include <linux/posix_acl.h> #include <linux/security.h> +#include <linux/log2.h> #include "gfs2.h" #include "incore.h" @@ -458,6 +459,9 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) depth = be16_to_cpu(str->di_depth); if (unlikely(depth > GFS2_DIR_MAX_DEPTH)) goto corrupt; + if ((ip->i_diskflags & GFS2_DIF_EXHASH) && + depth < ilog2(sdp->sd_hash_ptrs)) + goto corrupt; ip->i_depth = (u8)depth; ip->i_entries = be32_to_cpu(str->di_entries); -- 2.39.2

2 1

[PATCH OLK-5.10] gfs2: Validate i_depth for exhash directories
by Zizhi Wo 15 Sep '25

15 Sep '25

From: Andrew Price <anprice(a)redhat.com> stable inclusion from stable-v6.12.43 commit 53a0249d68a210c16e961b83adfa82f94ee0a53d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICWGGP CVE: CVE-2025-38710 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 557c024ca7250bb65ae60f16c02074106c2f197b ] A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at: index = hash >> (32 - dip->i_depth); As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. So we can avoid the undefined behaviour by checking for depth values lower than the minimum in gfs2_dinode_in(). Values greater than the maximum are already being checked for there. Also switch the calculation in dir_make_exhash() to use ilog2() to clarify how the depth is calculated. Tested with the syzkaller repro.c and xfstests '-g quick'. Reported-by: syzbot+4708579bb230a0582a57(a)syzkaller.appspotmail.com Fixes: b3b94faa5fe5 ("[GFS2] The core of GFS2") Signed-off-by: Andrew Price <anprice(a)redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/gfs2/glops.c [Simple context conflicts do not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/gfs2/dir.c | 6 ++---- fs/gfs2/glops.c | 4 ++++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c index c0f2875c946c..a0c7be449271 100644 --- a/fs/gfs2/dir.c +++ b/fs/gfs2/dir.c @@ -60,6 +60,7 @@ #include <linux/crc32.h> #include <linux/vmalloc.h> #include <linux/bio.h> +#include <linux/log2.h> #include "gfs2.h" #include "incore.h" @@ -911,7 +912,6 @@ static int dir_make_exhash(struct inode *inode) struct qstr args; struct buffer_head *bh, *dibh; struct gfs2_leaf *leaf; - int y; u32 x; __be64 *lp; u64 bn; @@ -978,9 +978,7 @@ static int dir_make_exhash(struct inode *inode) i_size_write(inode, sdp->sd_sb.sb_bsize / 2); gfs2_add_inode_blocks(&dip->i_inode, 1); dip->i_diskflags |= GFS2_DIF_EXHASH; - - for (x = sdp->sd_hash_ptrs, y = -1; x; x >>= 1, y++) ; - dip->i_depth = y; + dip->i_depth = ilog2(sdp->sd_hash_ptrs); gfs2_dinode_out(dip, dibh->b_data); diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c index 87f811088466..a4050468fecc 100644 --- a/fs/gfs2/glops.c +++ b/fs/gfs2/glops.c @@ -11,6 +11,7 @@ #include <linux/bio.h> #include <linux/posix_acl.h> #include <linux/security.h> +#include <linux/log2.h> #include "gfs2.h" #include "incore.h" @@ -452,6 +453,9 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf) depth = be16_to_cpu(str->di_depth); if (unlikely(depth > GFS2_DIR_MAX_DEPTH)) goto corrupt; + if ((ip->i_diskflags & GFS2_DIF_EXHASH) && + depth < ilog2(sdp->sd_hash_ptrs)) + goto corrupt; ip->i_depth = (u8)depth; ip->i_entries = be32_to_cpu(str->di_entries); -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS 0/3] fix CVE-2025-38449
by Wupeng Ma 15 Sep '25

15 Sep '25

Fix CVE-2025-38449 for openEuler-1.0-LTS. Pankaj Bharadiya (1): drm/print: introduce new struct drm_device based WARN* macros Thomas Zimmermann (1): drm/gem: Acquire references on GEM handles for framebuffers Wupeng Ma (1): drm: fix kabi for struct drm_framebuffer drivers/gpu/drm/drm_framebuffer.c | 31 +++++++++++++- drivers/gpu/drm/drm_gem.c | 67 ++++++++++++++++++++++++++----- drivers/gpu/drm/drm_internal.h | 2 + include/drm/drm_framebuffer.h | 11 +++++ include/drm/drm_print.h | 29 +++++++++++++ 5 files changed, 129 insertions(+), 11 deletions(-) -- 2.43.0

2 4