Kernel

kernel@openeuler.org

  • 35 participants
  • 20689 discussions
[openeuler:OLK-6.6 2910/2910] mm/swap.h:66:26: error: implicit declaration of function 'swp_offset'; did you mean 'pud_offset'?
by kernel test robot 23 Sep '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 5a72d2e54e8ff7c7f9510de875cf201ad18f36c4 [2910/2910] mm/shmem, swap: fix softlockup with mTHP swapin
config: x86_64-buildonly-randconfig-002-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231547.ijXKrDIl-lkp@…)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231547.ijXKrDIl-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231547.ijXKrDIl-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from mm/shmem.c:43:
   mm/swap.h: In function 'non_swapcache_batch':
>> mm/swap.h:66:26: error: implicit declaration of function 'swp_offset'; did you mean 'pud_offset'? [-Wimplicit-function-declaration]
      66 |         pgoff_t offset = swp_offset(entry);
         |                          ^~~~~~~~~~
         |                          pud_offset
   In file included from mm/shmem.c:68:
   include/linux/swapops.h: At top level:
>> include/linux/swapops.h:107:23: error: conflicting types for 'swp_offset'; have 'long unsigned int(swp_entry_t)'
     107 | static inline pgoff_t swp_offset(swp_entry_t entry)
         |                       ^~~~~~~~~~
   mm/swap.h:66:26: note: previous implicit declaration of 'swp_offset' with type 'int()'
      66 |         pgoff_t offset = swp_offset(entry);
         |                          ^~~~~~~~~~

Kconfig warnings: (for reference only)
   WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC
   Depends on [n]: ACPI [=y] && ACPI_HOTPLUG_CPU [=n]
   Selected by [y]:
   - X86 [=y] && ACPI [=y] && HOTPLUG_CPU [=y]

vim +66 mm/swap.h

    62
    63  static inline int non_swapcache_batch(swp_entry_t entry, int max_nr)
    64  {
    65          struct swap_info_struct *si = swp_swap_info(entry);
  > 66          pgoff_t offset = swp_offset(entry);
    67          int i;
    68
    69          /*
    70           * While allocating a large folio and doing mTHP swapin, we need to
    71           * ensure all entries are not cached, otherwise, the mTHP folio will
    72           * be in conflict with the folio in swap cache.
    73           */
    74          for (i = 0; i < max_nr; i++) {
    75                  if ((si->swap_map[offset + i] & SWAP_HAS_CACHE))
    76                          return i;
    77          }
    78
    79          return i;
    80  }
    81

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] tee: fix NULL pointer dereference in tee_shm_put
by Xiaomeng Zhang 23 Sep '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v6.6.105 commit add1ecc8f3ad8df22e3599c5c88d7907cc2a3079 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXVF CVE: CVE-2025-39865 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4a718a3a47e89805c3be9d46a84de1949a98d5d ] tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 
: ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 Fixes: dfd0743f1d9e ("tee: handle lookup of shm with reference count 0") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/tee/tee_shm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 673cf0359494..426b818f2dd7 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -489,9 +489,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); */ void tee_shm_put(struct tee_shm *shm) { - struct tee_device *teedev = shm->ctx->teedev; + struct tee_device *teedev; bool do_release = false; + if (!shm || !shm->ctx || !shm->ctx->teedev) + return; + + teedev = shm->ctx->teedev; mutex_lock(&teedev->mutex); if (refcount_dec_and_test(&shm->refcount)) { /* -- 2.34.1
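Review bot: in the tee_shm_put() hunk, the new `if (!shm || !shm->ctx || !shm->ctx->teedev) return;` only catches NULL pointers, but the quoted panic log faults at virtual address 0000000000100cca with x0 holding that same value, which is neither NULL nor a small structure offset from NULL. Please say in the commit message which of the three pointers was bad in that crash. If it was a stale non-NULL value, this check does not cover the logged case, and the caller in __optee_disable_shm_cache should validate what reg_pair_to_ptr() returns before passing it to tee_shm_free().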
[PATCH openEuler-1.0-LTS] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
by Cai Xinchen 23 Sep '25

From: Alexander Coffin <alex.coffin(a)matician.com> stable inclusion from stable-v4.19.262 commit d79f4d903e14dde822c60b5fd3bedc5a289d25df category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYQPC CVE: CVE-2022-50408 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ] > ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); may be schedule, and then complete before the line > ndev->stats.tx_bytes += skb->len; [ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dump_backtrace+0x0/0x2b8 [ 46.960719] show_stack+0x24/0x30 [ 46.964052] dump_stack+0x128/0x194 [ 46.967557] print_address_description.isra.0+0x64/0x380 [ 46.972877] __kasan_report+0x1d4/0x240 [ 46.976723] kasan_report+0xc/0x18 [ 46.980138] __asan_report_load4_noabort+0x18/0x20 [ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 [ 46.994894] sch_direct_xmit+0x198/0xd08 [ 46.998827] __qdisc_run+0x37c/0x1dc0 [ 47.002500] __dev_queue_xmit+0x1528/0x21f8 [ 47.006692] dev_queue_xmit+0x24/0x30 [ 47.010366] neigh_resolve_output+0x37c/0x678 [ 47.014734] ip_finish_output2+0x598/0x2458 [ 47.018927] __ip_finish_output+0x300/0x730 [ 47.023118] ip_output+0x2e0/0x430 [ 47.026530] ip_local_out+0x90/0x140 [ 47.030117] igmpv3_sendpack+0x14c/0x228 [ 47.034049] igmpv3_send_cr+0x384/0x6b8 [ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 [ 47.042262] call_timer_fn+0x1cc/0xbe8 [ 47.046021] __run_timers+0x4d8/0xb28 [ 47.049693] run_timer_softirq+0x24/0x40 [ 
47.053626] __do_softirq+0x2c0/0x117c [ 47.057387] irq_exit+0x2dc/0x388 [ 47.060715] __handle_domain_irq+0xb4/0x158 [ 47.064908] gic_handle_irq+0x58/0xb0 [ 47.068581] el0_irq_naked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] save_stack+0x24/0xb0 [ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasan_slab_alloc+0x14/0x20 [ 47.088622] kmem_cache_alloc+0x15c/0x468 [ 47.092643] __alloc_skb+0xa4/0x498 [ 47.096142] igmpv3_newpack+0x158/0xd78 [ 47.099987] add_grhead+0x210/0x288 [ 47.103485] add_grec+0x6b0/0xb70 [ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 [ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 [ 47.115027] call_timer_fn+0x1cc/0xbe8 [ 47.118785] __run_timers+0x4d8/0xb28 [ 47.122457] run_timer_softirq+0x24/0x40 [ 47.126389] __do_softirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] save_stack+0x24/0xb0 [ 47.138041] __kasan_slab_free+0x108/0x180 [ 47.142146] kasan_slab_free+0x10/0x18 [ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 [ 47.150444] kmem_cache_free+0x8c/0x528 [ 47.154292] kfree_skbmem+0x94/0x108 [ 47.157880] consume_skb+0x10c/0x5a8 [ 47.161466] __dev_kfree_skb_any+0x88/0xa0 [ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] [ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] [ 47.197859] process_one_work+0x7fc/0x1a80 [ 47.201965] worker_thread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] ret_from_fork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuff_head_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] 
page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 [ 47.255007] flags: 0x10200(slab|head) [ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 [ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 [ 47.274180] page dumped because: kasan: bad access detected [ 47.279752] [ 47.281251] Memory state around the buggy address: [ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.307723] ^ [ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 47.328789] ================================================================== Signed-off-by: Alexander Coffin <alex.coffin(a)matician.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c index 584e05fdca6a..5de20e5d67b6 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c @@ -270,6 +270,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, struct brcmf_pub *drvr = ifp->drvr; struct ethhdr *eh; int head_delta; + unsigned int tx_bytes = skb->len; brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); 
@@ -341,7 +342,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, ndev->stats.tx_dropped++; } else { ndev->stats.tx_packets++; - ndev->stats.tx_bytes += skb->len; + ndev->stats.tx_bytes += tx_bytes; } /* Return ok: we always eat the packet */ -- 2.34.1
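Review bot: in the second hunk, `ndev->stats.tx_bytes += tx_bytes;` no longer touches the skb, but nothing in the code records why `skb->len` must not be read at that point. Add a short comment at the `unsigned int tx_bytes = skb->len;` declaration stating that the skb may already have been completed and freed once brcmf_proto_tx_queue_data() returns, so a later cleanup does not fold the local back into a direct `skb->len` read.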
[PATCH OLK-5.10] tee: fix NULL pointer dereference in tee_shm_put
by Xiaomeng Zhang 23 Sep '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v5.10.243 commit f266188603c34e6e234fb0dfc3185f0ba98d71b7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXVF CVE: CVE-2025-39865 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4a718a3a47e89805c3be9d46a84de1949a98d5d ] tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 
: ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 Fixes: dfd0743f1d9e ("tee: handle lookup of shm with reference count 0") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/tee/tee_shm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 6fb4400333fb..6d2db6cc247b 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -438,9 +438,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); */ void tee_shm_put(struct tee_shm *shm) { - struct tee_device *teedev = shm->ctx->teedev; + struct tee_device *teedev; bool do_release = false; + if (!shm || !shm->ctx || !shm->ctx->teedev) + return; + + teedev = shm->ctx->teedev; mutex_lock(&teedev->mutex); if (refcount_dec_and_test(&shm->refcount)) { /* -- 2.34.1
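Review bot: the early return added to tee_shm_put() silently swallows three different conditions, while the commit message only explains how `shm` itself can be NULL (reg_pair_to_ptr() in __optee_disable_shm_cache). A `shm` with a NULL `ctx` or `ctx->teedev` is not described anywhere and would skip the refcount drop without a trace; consider keeping `if (!shm) return;` quiet and wrapping the other two in WARN_ON(), or documenting when they can occur. The quoted panic log is also from a 6.6.0-39-generic kernel, so it would help to state whether the crash was reproduced on the 5.10 tree this backport targets.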
[PATCH openEuler-1.0-LTS] mmc: vub300: fix return value check of mmc_add_host()
by Yi Yang 23 Sep '25

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from stable-v4.19.270 commit a46e681151bbdacdf6b89ee8c4e5bad0555142bb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY475 CVE: CVE-2022-50251 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. And this patch fixes another missing call mmc_free_host() if usb_control_msg() fails. Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/mmc/host/vub300.c [Commit 99641238575c ("mmc: vub300: fix control-message timeouts") was not merged.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mmc/host/vub300.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c index 1fe68137a30f..12ca9d37f149 100644 --- a/drivers/mmc/host/vub300.c +++ b/drivers/mmc/host/vub300.c 
@@ -2309,14 +2309,14 @@ static int vub300_probe(struct usb_interface *interface, 0x0000, 0x0000, &vub300->system_port_status, sizeof(vub300->system_port_status), HZ); if (retval < 0) { - goto error4; + goto error5; } else if (sizeof(vub300->system_port_status) == retval) { vub300->card_present = (0x0001 & vub300->system_port_status.port_flags) ? 1 : 0; vub300->read_only = (0x0010 & vub300->system_port_status.port_flags) ? 1 : 0; } else { - goto error4; + goto error5; } usb_set_intfdata(interface, vub300); INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread); @@ -2339,8 +2339,13 @@ static int vub300_probe(struct usb_interface *interface, "USB vub300 remote SDIO host controller[%d]" "connected with no SD/SDIO card inserted\n", interface_to_InterfaceNumber(interface)); - mmc_add_host(mmc); + retval = mmc_add_host(mmc); + if (retval) + goto error6; + return 0; +error6: + del_timer_sync(&vub300->inactivity_timer); error5: mmc_free_host(mmc); /* -- 2.25.1
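Review bot: in the first vub300_probe() hunk, the short-read branch `} else { goto error5; }` is reached with a non-negative `retval` (a byte count that differs from sizeof(vub300->system_port_status)). The hunk does not show what the error labels return; if they return `retval`, probe would hand back a non-negative value after mmc_free_host(mmc). Assign a negative errno to `retval` before that jump, or confirm the existing exit path already does so.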
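Review bot: the new error6 label in the second hunk stops only `inactivity_timer` before falling through to mmc_free_host(mmc). The context lines of the first hunk show usb_set_intfdata(interface, vub300) and INIT_DELAYED_WORK(&vub300->pollwork, ...) running before mmc_add_host(), so on this failure the interface data is left set. Please check whether it needs usb_set_intfdata(interface, NULL) here and whether anything scheduled between those lines and mmc_add_host() has to be cancelled as well.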
[openeuler:OLK-6.6 2909/2909] mm/mem_sampling.c:293:1: sparse: sparse: symbol 'mm_damon_mem_sampling' was not declared. Should it be static?
by kernel test robot 23 Sep '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 2e9ef6c3ea086c85d489898471e527aeb3f7460b [2909/2909] mm/damon/vaddr: Support hardware-assisted memory access sampling
config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231424.83tDZFT5-lkp@…)
compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231424.83tDZFT5-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231424.83tDZFT5-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   mm/mem_sampling.c:48:33: sparse: sparse: symbol 'mem_sampling_saved_state' was not declared. Should it be static?
   mm/mem_sampling.c:61:1: sparse: sparse: symbol 'mem_sampling_record_cb_list' was not declared. Should it be static?
   mm/mem_sampling.c:69:6: sparse: sparse: symbol 'mem_sampling_record_cb_register' was not declared. Should it be static?
   mm/mem_sampling.c:86:6: sparse: sparse: symbol 'mem_sampling_record_cb_unregister' was not declared. Should it be static?
>> mm/mem_sampling.c:293:1: sparse: sparse: symbol 'mm_damon_mem_sampling' was not declared. Should it be static?

vim +/mm_damon_mem_sampling +293 mm/mem_sampling.c

   292
 > 293  DEFINE_STATIC_KEY_FALSE(mm_damon_mem_sampling);
   294  #ifdef CONFIG_DAMON_MEM_SAMPLING
   295  static void damon_mem_sampling_record_cb(struct mem_sampling_record *record)
   296  {
   297          struct damon_mem_sampling_fifo *damon_fifo;
   298          struct damon_mem_sampling_record domon_record;
   299          struct task_struct *task = NULL;
   300          struct mm_struct *mm;
   301
   302          /* Discard kernel address accesses */
   303          if (record->virt_addr & (1UL << 63))
   304                  return;
   305
   306          task = find_get_task_by_vpid((pid_t)record->context_id);
   307          if (!task)
   308                  return;
   309
   310          mm = get_task_mm(task);
   311          put_task_struct(task);
   312          if (!mm)
   313                  return;
   314
   315          damon_fifo = mm->damon_fifo;
   316          mmput(mm);
   317
   318          domon_record.vaddr = record->virt_addr;
   319
   320          /* only the proc under monitor now has damon_fifo */
   321          if (damon_fifo) {
   322                  if (kfifo_is_full(&damon_fifo->rx_kfifo))
   323                          return;
   324
   325                  kfifo_in_locked(&damon_fifo->rx_kfifo, &domon_record,
   326                                  sizeof(struct damon_mem_sampling_record),
   327                                  &damon_fifo->rx_kfifo_lock);
   328                  return;
   329          }
   330  }
   331

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
by Yi Yang 23 Sep '25

From: Zhang Shurong <zhang_shurong(a)foxmail.com> stable inclusion from stable-v4.19.21 commit adcb73f8ce9aec48b1f85223f401c1574015d8d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY49I CVE: CVE-2023-53220 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong(a)foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 746926364535..6bcf30218e51 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -795,6 +795,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_WR; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -809,6 +813,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr; -- 2.25.1
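Review bot: both az6007_i2c_xfer() hunks return -EIO when `msgs[i].len < 1`, but that condition is a malformed request from the caller, not a device I/O failure; -EINVAL or -EOPNOTSUPP would let userspace tell the two apart. The commit message describes the trigger as `msg[i].buf` being NULL together with `len` zero, so the guard depends on that pairing. A one-line comment above each `index = msgs[i].buf[0];` saying that `len >= 1` is what makes the `buf[0]` read valid would make that dependency visible.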
[PATCH openEuler-1.0-LTS] recordmcount: Fix memory leaks in the uwrite function
by Liu Kai 23 Sep '25

From: Hao Zeng <zenghao(a)kylinos.cn> stable inclusion from stable-v4.19.284 commit 444ec005404cead222ebce2561a9451c9ee5ad89 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYBVX CVE: CVE-2023-53318 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9 ] Common realloc mistake: 'file_append' nulled but not freed upon failure Link: https://lkml.kernel.org/r/20230426010527.703093-1-zenghao@kylinos.cn Signed-off-by: Hao Zeng <zenghao(a)kylinos.cn> Suggested-by: Steven Rostedt <rostedt(a)goodmis.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- scripts/recordmcount.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c index 4182274a5ab28..ff481b4ae85fa 100644 --- a/scripts/recordmcount.c +++ b/scripts/recordmcount.c @@ -128,6 +128,7 @@ uwrite(int const fd, void const *const buf, size_t const count) { size_t cnt = count; off_t idx = 0; + void *p = NULL; file_updated = 1; @@ -135,7 +136,10 @@ uwrite(int const fd, void const *const buf, size_t const count) off_t aoffset = (file_ptr + count) - file_end; if (aoffset > file_append_size) { - file_append = realloc(file_append, aoffset); + p = realloc(file_append, aoffset); + if (!p) + free(file_append); + file_append = p; file_append_size = aoffset; } if (!file_append) { -- 2.34.1
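Review bot: in the second uwrite() hunk, `file_append_size = aoffset;` still runs when realloc() fails, so the size describes a buffer that has just been freed and set to NULL. The following `if (!file_append)` check catches the failure, but the size should only be updated on success (or reset to 0 in the `!p` branch) so the pointer and its size never disagree. `p` is also used only inside the `if (aoffset > file_append_size)` block and could be declared there rather than at function scope.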
[openeuler:OLK-6.6 2909/2909] mm/mem_sampling.c:35:18: warning: unused variable 'mem_sampling_min_value'
by kernel test robot 23 Sep '25

Hi Ze,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 390982f28c5796a1e590381044630b768e6b9696 [2909/2909] mm/mem_sampling: Add sysctl control for NUMA balancing integration
config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231319.810I86nl-lkp@…)
compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231319.810I86nl-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231319.810I86nl-lkp@intel.com/

All warnings (new ones prefixed by >>):

   mm/mem_sampling.c:68:6: warning: no previous prototype for function 'mem_sampling_record_cb_register' [-Wmissing-prototypes]
   void mem_sampling_record_cb_register(mem_sampling_record_cb_type cb)
        ^
   mm/mem_sampling.c:68:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void mem_sampling_record_cb_register(mem_sampling_record_cb_type cb)
   ^
   static
   mm/mem_sampling.c:85:6: warning: no previous prototype for function 'mem_sampling_record_cb_unregister' [-Wmissing-prototypes]
   void mem_sampling_record_cb_unregister(mem_sampling_record_cb_type cb)
        ^
   mm/mem_sampling.c:85:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
   void mem_sampling_record_cb_unregister(mem_sampling_record_cb_type cb)
   ^
   static
>> mm/mem_sampling.c:35:18: warning: unused variable 'mem_sampling_min_value' [-Wunused-const-variable]
   static const int mem_sampling_min_value = MEM_SAMPLING_MIN_VALUE;
                    ^
>> mm/mem_sampling.c:36:18: warning: unused variable 'mem_sampling_max_value' [-Wunused-const-variable]
   static const int mem_sampling_max_value = MEM_SAMPLING_MAX_VALUE;
                    ^
   4 warnings generated.

Kconfig warnings: (for reference only)
   WARNING: unmet direct dependencies detected for ARM_SPE_MEM_SAMPLING
   Depends on [n]: ARM_SPE_PMU [=n]
   Selected by [y]:
   - MEM_SAMPLING [=y] && ARM64 [=y]

vim +/mem_sampling_min_value +35 mm/mem_sampling.c

    34
  > 35  static const int mem_sampling_min_value = MEM_SAMPLING_MIN_VALUE;
  > 36  static const int mem_sampling_max_value = MEM_SAMPLING_MAX_VALUE;
    37
    38  /* keep track of who use the SPE */
    39  DEFINE_PER_CPU(enum arm_spe_user_e, arm_spe_user);
    40  EXPORT_PER_CPU_SYMBOL_GPL(arm_spe_user);
    41
    42  enum mem_sampling_saved_state_e {
    43          MEM_SAMPLING_STATE_ENABLE,
    44          MEM_SAMPLING_STATE_DISABLE,
    45          MEM_SAMPLING_STATE_EMPTY,
    46  };
    47  enum mem_sampling_saved_state_e mem_sampling_saved_state = MEM_SAMPLING_STATE_EMPTY;
    48
    49  /*
    50   * Callbacks should be registered using mem_sampling_record_cb_register()
    51   * by NUMA, DAMON and etc during their initialisation.
    52   * Callbacks will be invoked on new hardware pmu records caputured.
    53   */
    54  typedef void (*mem_sampling_record_cb_type)(struct mem_sampling_record *record);
    55
    56  struct mem_sampling_record_cb_list_entry {
    57          struct list_head list;
    58          mem_sampling_record_cb_type cb;
    59  };
    60  LIST_HEAD(mem_sampling_record_cb_list);
    61
    62  struct mem_sampling_numa_access_work {
    63          struct callback_head work;
    64          u64 vaddr, paddr;
    65          int cpu;
    66  };
    67
    68  void mem_sampling_record_cb_register(mem_sampling_record_cb_type cb)
    69  {
    70          struct mem_sampling_record_cb_list_entry *cb_entry, *tmp;
    71
    72          list_for_each_entry_safe(cb_entry, tmp, &mem_sampling_record_cb_list, list) {
    73                  if (cb_entry->cb == cb)
    74                          return;
    75          }
    76
    77          cb_entry = kmalloc(sizeof(struct mem_sampling_record_cb_list_entry), GFP_KERNEL);
    78          if (!cb_entry)
    79                  return;
    80
    81          cb_entry->cb = cb;
    82          list_add(&(cb_entry->list), &mem_sampling_record_cb_list);
    83  }
    84
  > 85  void mem_sampling_record_cb_unregister(mem_sampling_record_cb_type cb)
    86  {
    87          struct mem_sampling_record_cb_list_entry *cb_entry, *tmp;
    88
    89          list_for_each_entry_safe(cb_entry, tmp, &mem_sampling_record_cb_list, list) {
    90                  if (cb_entry->cb == cb) {
    91                          list_del(&cb_entry->list);
    92                          kfree(cb_entry);
    93                          return;
    94                  }
    95          }
    96  }
    97

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 2909/2909] mm/mem_sampling.c:38:33: sparse: sparse: symbol 'mem_sampling_saved_state' was not declared. Should it be static?
by kernel test robot 23 Sep '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 02f32cc0235e33f7fc3e4910a80d386bc600935c [2909/2909] mm/mem_sampling:: Add proc and cmdline interface to control sampling enable
config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231143.zSdArtSF-lkp@…)
compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231143.zSdArtSF-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231143.zSdArtSF-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> mm/mem_sampling.c:38:33: sparse: sparse: symbol 'mem_sampling_saved_state' was not declared. Should it be static?
   mm/mem_sampling.c:51:1: sparse: sparse: symbol 'mem_sampling_record_cb_list' was not declared. Should it be static?
   mm/mem_sampling.c:53:6: sparse: sparse: symbol 'mem_sampling_record_cb_register' was not declared. Should it be static?
   mm/mem_sampling.c:70:6: sparse: sparse: symbol 'mem_sampling_record_cb_unregister' was not declared. Should it be static?
   mm/mem_sampling.c:83:1: sparse: sparse: symbol 'mem_sampling_access_hints' was not declared. Should it be static?

vim +/mem_sampling_saved_state +38 mm/mem_sampling.c

    32
    33  enum mem_sampling_saved_state_e {
    34          MEM_SAMPLING_STATE_ENABLE,
    35          MEM_SAMPLING_STATE_DISABLE,
    36          MEM_SAMPLING_STATE_EMPTY,
    37  };
  > 38  enum mem_sampling_saved_state_e mem_sampling_saved_state = MEM_SAMPLING_STATE_EMPTY;
    39

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki