- Kernel - mailweb.openeuler.org

[openeuler:OLK-6.6 2464/2464] kismet: WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC when selected by X86
by kernel test robot 05 Jul '25

05 Jul '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: a9f7917e90ec872036160e2cb3a1d3c1856cb406 commit: 362f33cba6a04a09bcfc47ade55ace95e8a51c5b [2464/2464] ACPI: Add _OSC bits to advertise OS support for toggling CPU present/enabled config: x86_64-kismet-CONFIG_ACPI_HOTPLUG_IGNORE_OSC-CONFIG_X86-0-0 (https://download.01.org/0day-ci/archive/20250705/202507052222.OKOdFMzt-lkp@…) reproduce: (https://download.01.org/0day-ci/archive/20250705/202507052222.OKOdFMzt-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202507052222.OKOdFMzt-lkp@intel.com/ kismet warnings: (new ones prefixed by >>) >> kismet: WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC when selected by X86 WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC Depends on [n]: ACPI [=y] && ACPI_HOTPLUG_PRESENT_CPU [=n] Selected by [y]: - X86 [=y] && ACPI [=y] && HOTPLUG_CPU [=y] -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] Fix compile problem for psi_grained
by Lu Jialin 05 Jul '25

05 Jul '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAA9B8 -------------------------------- Fix two compile problems for psi_grained: 1) When CONFIG_PSI_FINE_GRAINED=n 2) When CONFIG_QOS_SCHED=n Fixes: 4a69b56540f4 ("sched/psi: Introduce pressure.stat in psi") Fixes: 654944510822 ("sched/psi: add cpu fine grained stall tracking in pressure.stat") Signed-off-by: Lu Jialin <lujialin4(a)huawei.com> --- kernel/cgroup/cgroup.c | 4 +++- kernel/sched/psi.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index b88950623814..8275ae1a3a95 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -4017,14 +4017,16 @@ struct cftype cgroup_v1_psi_files[] = { .release = cgroup_pressure_release, }, #endif +#ifdef CONFIG_PSI_FINE_GRAINED { .name = "pressure.stat", .flags = CFTYPE_NO_PREFIX, .seq_show = cgroup_psi_stat_show, }, +#endif /*CONFIG_PSI_FINE_GRAINED*/ { } /* terminate */ }; -#endif +#endif /*CONFIG_PSI_CGROUP_V1*/ #else /* CONFIG_PSI */ bool cgroup_psi_enabled(void) { diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c index 1c8b1f997513..32ebbc50f2ed 100644 --- a/kernel/sched/psi.c +++ b/kernel/sched/psi.c @@ -376,8 +376,8 @@ static void record_stat_times(struct psi_group_cpu *groupc, u32 delta) #ifdef CONFIG_QOS_SCHED else if (groupc->prev_throttle == QOS_THROTTLED) groupc->fine_grained_times[PSI_CPU_QOS_FULL] += delta; - } #endif + } #endif } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] PCI/GPU: fix hard lockup in vga_arb_release
by Zhang Yuwei 05 Jul '25

05 Jul '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICCT8Z CVE: NA -------------------------------- Commit deb2d2ecd43df ("PCI/GPU: implement VGA arbitration on Linux") In the vga_arb_release(), it iterates through the vga_arb_user_card array held by the user to release io_cnt and mem_cnt resources one by one. If the values of io_cnt or mem_cnt are excessively large, prolonged CPU occupation may occur, leading to hard lock. lock protection is only added when deleting entries from the list, also add cond_resched() during the release of io_cnt and mem_cnt. Fixes: deb2d2ecd43d ("PCI/GPU: implement VGA arbitration on Linux") Reviewed-by: Chen Jun <chenjun102(a)huawei.com> Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- drivers/gpu/vga/vgaarb.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index c61b04555779..db21ae342bd8 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c @@ -1312,18 +1312,22 @@ static int vga_arb_release(struct inode *inode, struct file *file) spin_lock_irqsave(&vga_user_lock, flags); list_del(&priv->list); + spin_unlock_irqrestore(&vga_user_lock, flags); for (i = 0; i < MAX_USER_CARDS; i++) { uc = &priv->cards[i]; if (uc->pdev == NULL) continue; vgaarb_dbg(&uc->pdev->dev, "uc->io_cnt == %d, uc->mem_cnt == %d\n", uc->io_cnt, uc->mem_cnt); - while (uc->io_cnt--) + while (uc->io_cnt--) { vga_put(uc->pdev, VGA_RSRC_LEGACY_IO); - while (uc->mem_cnt--) + cond_resched(); + } + while (uc->mem_cnt--) { vga_put(uc->pdev, VGA_RSRC_LEGACY_MEM); + cond_resched(); + } } - spin_unlock_irqrestore(&vga_user_lock, flags); kfree(priv); -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] PCI/GPU: fix hard lockup in vga_arb_release
by Zhang Yuwei 05 Jul '25

05 Jul '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICCT8Z CVE: NA -------------------------------- Commit deb2d2ecd43df ("PCI/GPU: implement VGA arbitration on Linux") In the vga_arb_release(), it iterates through the vga_arb_user_card array held by the user to release io_cnt and mem_cnt resources one by one. If the values of io_cnt or mem_cnt are excessively large, prolonged CPU occupation may occur, leading to hard lock. lock protection is only added when deleting entries from the list, also add cond_resched() during the release of io_cnt and mem_cnt. Fixes: deb2d2ecd43df ("PCI/GPU: implement VGA arbitration on Linux") Reviewed-by: Chen Jun <chenjun102(a)huawei.com> Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- drivers/gpu/vga/vgaarb.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index c61b04555779..db21ae342bd8 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c @@ -1312,18 +1312,22 @@ static int vga_arb_release(struct inode *inode, struct file *file) spin_lock_irqsave(&vga_user_lock, flags); list_del(&priv->list); + spin_unlock_irqrestore(&vga_user_lock, flags); for (i = 0; i < MAX_USER_CARDS; i++) { uc = &priv->cards[i]; if (uc->pdev == NULL) continue; vgaarb_dbg(&uc->pdev->dev, "uc->io_cnt == %d, uc->mem_cnt == %d\n", uc->io_cnt, uc->mem_cnt); - while (uc->io_cnt--) + while (uc->io_cnt--) { vga_put(uc->pdev, VGA_RSRC_LEGACY_IO); - while (uc->mem_cnt--) + cond_resched(); + } + while (uc->mem_cnt--) { vga_put(uc->pdev, VGA_RSRC_LEGACY_MEM); + cond_resched(); + } } - spin_unlock_irqrestore(&vga_user_lock, flags); kfree(priv); -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
by Jinjiang Tu 05 Jul '25

05 Jul '25

From: Jann Horn <jannh(a)google.com> mainline inclusion from mainline-v6.16-rc1 commit 1013af4f585fccc4d3e5c5824d174de2257f7d6d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICIQAF CVE: CVE-2025-38085 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse. Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-2-1329349bad1… Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-2-f4136f5ec58… Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Jann Horn <jannh(a)google.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Conflicts: mm/hugetlb.c [Context conflicts.] Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/hugetlb.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index ac6f18afdf76..96b00c399538 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -6493,6 +6493,13 @@ int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma, return 0; pud_clear(pud); + /* + * Once our caller drops the rmap lock, some other process might be + * using this page table as a normal, non-hugetlb page table. + * Wait for pending gup_fast() in other threads to finish before letting + * that happen. + */ + tlb_remove_table_sync_one(); page_pmd_pts_dec(virt_to_page(ptep)); mm_dec_nr_pmds(mm); *addr = ALIGN(*addr, HPAGE_SIZE * PTRS_PER_PTE) - HPAGE_SIZE; -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] PCI/GPU: fix hard lockup in vga_arb_release
by Zhang Yuwei 05 Jul '25

05 Jul '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICCT8Z CVE: NA -------------------------------- Commit deb2d2ecd43df ("PCI/GPU: implement VGA arbitration on Linux") In the vga_arb_release(), it iterates through the vga_arb_user_card array held by the user to release io_cnt and mem_cnt resources one by one. If the values of io_cnt or mem_cnt are excessively large, prolonged CPU occupation may occur, leading to hard lock. lock protection is only added when deleting entries from the list, also add cond_resched() during the release of io_cnt and mem_cnt. Fixes: deb2d2ecd43df ("PCI/GPU: implement VGA arbitration on Linux") Reviewed-by: Chen Jun <chenjun102(a)huawei.com> Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- drivers/gpu/vga/vgaarb.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/vga/vgaarb.c b/drivers/gpu/vga/vgaarb.c index c61b04555779..db21ae342bd8 100644 --- a/drivers/gpu/vga/vgaarb.c +++ b/drivers/gpu/vga/vgaarb.c @@ -1312,18 +1312,22 @@ static int vga_arb_release(struct inode *inode, struct file *file) spin_lock_irqsave(&vga_user_lock, flags); list_del(&priv->list); + spin_unlock_irqrestore(&vga_user_lock, flags); for (i = 0; i < MAX_USER_CARDS; i++) { uc = &priv->cards[i]; if (uc->pdev == NULL) continue; vgaarb_dbg(&uc->pdev->dev, "uc->io_cnt == %d, uc->mem_cnt == %d\n", uc->io_cnt, uc->mem_cnt); - while (uc->io_cnt--) + while (uc->io_cnt--) { vga_put(uc->pdev, VGA_RSRC_LEGACY_IO); - while (uc->mem_cnt--) + cond_resched(); + } + while (uc->mem_cnt--) { vga_put(uc->pdev, VGA_RSRC_LEGACY_MEM); + cond_resched(); + } } - spin_unlock_irqrestore(&vga_user_lock, flags); kfree(priv); -- 2.22.0

2 1

[PATCH OLK-6.6] crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()
by Chen Ridong 05 Jul '25

05 Jul '25

From: Lukas Wunner <lukas(a)wunner.de> mainline inclusion from mainline-v6.15-rc1 commit b16510a530d1e6ab9683f04f8fb34f2e0f538275 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC9953 CVE: CVE-2025-37984 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------------------------------------- Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa implementation's ->key_size() callback returns an unusually large value. Herbert instead suggests (for a division by 8): X / 8 + !!(X & 7) Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and use it in lieu of DIV_ROUND_UP() for ->key_size() return values. Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes" parameter is a ->key_size() return value in some instances, or a user-specified ASN.1 length in the case of ecdsa_get_signature_rs(). Link: https://lore.kernel.org/r/Z3iElsILmoSu6FuC@gondor.apana.org.au/ Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Conflicts: crypto/ecdsa-p1363.c crypto/ecdsa-x962.c [p1363 and x932 are not merged] Signed-off-by: Chen Ridong <chenridong(a)huawei.com> --- crypto/ecc.c | 2 +- include/linux/math.h | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/crypto/ecc.c b/crypto/ecc.c index 21504280aca2e..27fcecf3a61fb 100644 --- a/crypto/ecc.c +++ b/crypto/ecc.c @@ -69,7 +69,7 @@ EXPORT_SYMBOL(ecc_get_curve); void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes, u64 *out, unsigned int ndigits) { - int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64)); + int diff = ndigits - DIV_ROUND_UP_POW2(nbytes, sizeof(u64)); unsigned int o = nbytes & 7; __be64 msd = 0; diff --git a/include/linux/math.h b/include/linux/math.h index dd4152711de7d..ee754ec3dc929 100644 --- a/include/linux/math.h +++ b/include/linux/math.h @@ -34,6 +34,18 @@ */ #define round_down(x, y) ((x) & ~__round_mask(x, y)) +/** + * DIV_ROUND_UP_POW2 - divide and round up + * @n: numerator + * @d: denominator (must be a power of 2) + * + * Divides @n by @d and rounds up to next multiple of @d (which must be a power + * of 2). Avoids integer overflows that may occur with __KERNEL_DIV_ROUND_UP(). + * Performance is roughly equivalent to __KERNEL_DIV_ROUND_UP(). + */ +#define DIV_ROUND_UP_POW2(n, d) \ + ((n) / (d) + !!((n) & ((d) - 1))) + #define DIV_ROUND_UP __KERNEL_DIV_ROUND_UP #define DIV_ROUND_DOWN_ULL(ll, d) \ -- 2.34.1

2 1

[PATCH OLK-6.6] KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
by Chen Ridong 05 Jul '25

05 Jul '25

From: Sean Christopherson <seanjc(a)google.com> stable inclusion from stable-v6.6.88 commit 8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC8J7I CVE: CVE-2025-23141 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit ef01cac401f18647d62720cf773d7bb0541827da upstream. Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emuating the nested VM-Exit can access guest memory. The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. ============================= WARNING: suspicious RCU usage 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted ----------------------------- include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by triple_fault_ev/1256: #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] stack backtrace: CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x144/0x190 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] read_and_check_msr_entry+0x2e/0x180 [kvm_intel] __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] kvm_check_nested_events+0x1b/0x30 [kvm] kvm_apic_accept_events+0x33/0x100 [kvm] kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] __x64_sys_ioctl+0x8b/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> Cc: stable(a)vger.kernel.org Signed-off-by: Sean Christopherson <seanjc(a)google.com> Message-ID: <20250401150504.829812-1-seanjc(a)google.com> Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Chen Ridong <chenridong(a)huawei.com> --- arch/x86/kvm/x86.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 3e9d6f368eed2..7864c501b312d 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11553,6 +11553,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu, if (kvm_mpx_supported()) kvm_load_guest_fpu(vcpu); + kvm_vcpu_srcu_read_lock(vcpu); + r = kvm_apic_accept_events(vcpu); if (r < 0) goto out; @@ -11566,6 +11568,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu, mp_state->mp_state = vcpu->arch.mp_state; out: + kvm_vcpu_srcu_read_unlock(vcpu); + if (kvm_mpx_supported()) kvm_put_guest_fpu(vcpu); vcpu_put(vcpu); -- 2.34.1

2 1

[PATCH OLK-6.6] arm64: Don't call NULL in do_compat_alignment_fixup()
by Chen Ridong 05 Jul '25

05 Jul '25

From: Angelos Oikonomopoulos <angelos(a)igalia.com> stable inclusion from stable-v6.6.87 commit 617a4b0084a547917669fef2b54253cc9c064990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC1QTP CVE: CVE-2025-22033 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c28f31deeacda307acfee2f18c0ad904e5123aac upstream. do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000 [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] SMP Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa> libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c> CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1 Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : do_compat_alignment_fixup+0xd8/0x3dc sp : ffff80000f973dd0 x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001 x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000 x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001 Call trace: 0x0 do_alignment_fault+0x40/0x50 do_mem_abort+0x4c/0xa0 el0_da+0x48/0xf0 el0t_32_sync_handler+0x110/0x140 el0t_32_sync+0x190/0x194 Code: bad PC value ---[ end trace 0000000000000000 ]--- Signed-off-by: Angelos Oikonomopoulos <angelos(a)igalia.com> Fixes: 3fc24ef32d3b ("arm64: compat: Implement misalignment fixups for multiword loads") Cc: <stable(a)vger.kernel.org> # 6.1.x Reviewed-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Link: https://lore.kernel.org/r/20250401085150.148313-1-angelos@igalia.com Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Chen Ridong <chenridong(a)huawei.com> --- arch/arm64/kernel/compat_alignment.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/arm64/kernel/compat_alignment.c b/arch/arm64/kernel/compat_alignment.c index 934cea87cfd5f..40b56dc8d8e59 100644 --- a/arch/arm64/kernel/compat_alignment.c +++ b/arch/arm64/kernel/compat_alignment.c @@ -368,6 +368,8 @@ int do_compat_alignment_fixup(unsigned long addr, struct pt_regs *regs) return 1; } + if (!handler) + return 1; type = handler(addr, instr, regs); if (type == TYPE_ERROR || type == TYPE_FAULT) -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level
by Wupeng Ma 05 Jul '25

05 Jul '25

From: Sudeep Holla <sudeep.holla(a)arm.com> stable inclusion from stable-v4.19.256 commit c3396c1c8b87510f2ac2a674948156577559d42d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICG9EE CVE: CVE-2022-49964 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit e75d18cecbb3805895d8ed64da4f78575ec96043 ] Though acpi_find_last_cache_level() always returned signed value and the document states it will return any errors caused by lack of a PPTT table, it never returned negative values before. Commit 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") however changed it by returning -ENOENT if no PPTT was found. The value returned from acpi_find_last_cache_level() is then assigned to unsigned fw_level. It will result in the number of cache leaves calculated incorrectly as a huge value which will then cause the following warning from __alloc_pages as the order would be great than MAX_ORDER because of incorrect and huge cache leaves value. | WARNING: CPU: 0 PID: 1 at mm/page_alloc.c:5407 __alloc_pages+0x74/0x314 | Modules linked in: | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-10393-g7c2a8d3ac4c0 #73 | pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : __alloc_pages+0x74/0x314 | lr : alloc_pages+0xe8/0x318 | Call trace: | __alloc_pages+0x74/0x314 | alloc_pages+0xe8/0x318 | kmalloc_order_trace+0x68/0x1dc | __kmalloc+0x240/0x338 | detect_cache_attributes+0xe0/0x56c | update_siblings_masks+0x38/0x284 | store_cpu_topology+0x78/0x84 | smp_prepare_cpus+0x48/0x134 | kernel_init_freeable+0xc4/0x14c | kernel_init+0x2c/0x1b4 | ret_from_fork+0x10/0x20 Fix the same by changing fw_level to be signed integer and return the error from init_cache_level() early in case of error. Reported-and-Tested-by: Bruno Goncalves <bgoncalv(a)redhat.com> Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Link: https://lore.kernel.org/r/20220808084640.3165368-1-sudeep.holla@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- arch/arm64/kernel/cacheinfo.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c index 80a4ab1c43fd..be11effcb090 100644 --- a/arch/arm64/kernel/cacheinfo.c +++ b/arch/arm64/kernel/cacheinfo.c @@ -58,7 +58,8 @@ static void ci_leaf_init(struct cacheinfo *this_leaf, static int __init_cache_level(unsigned int cpu) { - unsigned int ctype, level, leaves, fw_level; + unsigned int ctype, level, leaves; + int fw_level; struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); for (level = 1, leaves = 0; level <= MAX_CACHE_LEVEL; level++) { @@ -76,6 +77,9 @@ static int __init_cache_level(unsigned int cpu) else fw_level = acpi_find_last_cache_level(cpu); + if (fw_level < 0) + return fw_level; + if (level < fw_level) { /* * some external caches not specified in CLIDR_EL1 -- 2.43.0

2 1