mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 35 participants
  • 20702 discussions
[PATCH OLK-6.6] samples/bpf: Fix print issue in dump_swaps()
by Gu Bowen 23 Sep '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICA1GK -------------------------------- BPF_SEQ_PRINTF does not support the %*s format for printing, leading to missing print information, fix it. Fixes: be60b1123f28 ("samples/bpf: Add iterator program for swaps") Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c b/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c index db42929bc7d8..f3138321b17e 100644 --- a/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c +++ b/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c @@ -126,8 +126,8 @@ s64 dump_swaps(struct bpf_iter__generic_single *ctx) /* Reference: swap_show(). Aligned with LXCFS. */ BPF_SEQ_PRINTF(m, "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"); if (swaptotal > 0) - BPF_SEQ_PRINTF(m, "none%*svirtual\t\t%llu\t%llu\t0\n", - 36, " ", swaptotal * kb_per_page, + BPF_SEQ_PRINTF(m, "none\t\t\t\tvirtual\t\t%llu\t\t%llu\t\t0\n", + swaptotal * kb_per_page, swapusage * kb_per_page); // in KB bpf_rcu_read_unlock(); -- 2.43.0
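Review bot: In the replacement format string in dump_swaps(), the separators between the two %llu fields and before the trailing 0 grow from one tab to two (`%llu\t%llu\t0` becomes `%llu\t\t%llu\t\t0`), which goes beyond dropping the unsupported `%*s` and is not mentioned in the commit message. The comment above the header row says the output is "Aligned with LXCFS", so anything that compares this row against the previous layout will see a different byte sequence. If only the `%*s` padding has to go, keep the single tabs and replace the 36-column pad with a literal run of spaces; if the intent is to follow the tab layout of the header row, say so in the commit message.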
[openeuler:OLK-6.6 2909/2909] arch/arm64/kvm/virtcca_cvm.c:992:5: sparse: sparse: symbol 'kvm_cvm_vgic_nr_lr' was not declared. Should it be static?
by kernel test robot 23 Sep '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: be758a5796c3d280deb877699c41fd0cd04e1deb commit: 62c8d269e7acb9171be225e1f9ebd52c718a0cc0 [2909/2909] Reapply "VirtCCA: cvm support UEFI boot" config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231602.0wZbxID6-lkp@…) compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231602.0wZbxID6-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202509231602.0wZbxID6-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) >> arch/arm64/kvm/virtcca_cvm.c:992:5: sparse: sparse: symbol 'kvm_cvm_vgic_nr_lr' was not declared. Should it be static? arch/arm64/kvm/virtcca_cvm.c:1311:5: sparse: sparse: symbol 'cvm_arm_smmu_domain_set_kvm' was not declared. Should it be static? 
vim +/kvm_cvm_vgic_nr_lr +992 arch/arm64/kvm/virtcca_cvm.c 67e11ee6347c43 Jingxian He 2024-08-03 824 86b9cab8c4752e gongchangsui 2025-03-03 @825 u64 virtcca_get_tmi_version(void) 86b9cab8c4752e gongchangsui 2025-03-03 826 { 86b9cab8c4752e gongchangsui 2025-03-03 827 u64 res = tmi_version(); 86b9cab8c4752e gongchangsui 2025-03-03 828 86b9cab8c4752e gongchangsui 2025-03-03 829 if (res == SMCCC_RET_NOT_SUPPORTED) 86b9cab8c4752e gongchangsui 2025-03-03 830 return 0; 86b9cab8c4752e gongchangsui 2025-03-03 831 return res; 86b9cab8c4752e gongchangsui 2025-03-03 832 } 86b9cab8c4752e gongchangsui 2025-03-03 833 67e11ee6347c43 Jingxian He 2024-08-03 834 static bool is_numa_ipa_range_valid(struct kvm_numa_info *numa_info) 67e11ee6347c43 Jingxian He 2024-08-03 835 { 67e11ee6347c43 Jingxian He 2024-08-03 836 unsigned long i; 67e11ee6347c43 Jingxian He 2024-08-03 837 struct kvm_numa_node *numa_node, *prev_numa_node; 67e11ee6347c43 Jingxian He 2024-08-03 838 67e11ee6347c43 Jingxian He 2024-08-03 839 prev_numa_node = NULL; 67e11ee6347c43 Jingxian He 2024-08-03 840 for (i = 0; i < numa_info->numa_cnt; i++) { 67e11ee6347c43 Jingxian He 2024-08-03 841 numa_node = &numa_info->numa_nodes[i]; 67e11ee6347c43 Jingxian He 2024-08-03 842 if (numa_node->ipa_start + numa_node->ipa_size < numa_node->ipa_start) 67e11ee6347c43 Jingxian He 2024-08-03 843 return false; 67e11ee6347c43 Jingxian He 2024-08-03 844 if (prev_numa_node && 67e11ee6347c43 Jingxian He 2024-08-03 845 numa_node->ipa_start < prev_numa_node->ipa_start + prev_numa_node->ipa_size) 67e11ee6347c43 Jingxian He 2024-08-03 846 return false; 67e11ee6347c43 Jingxian He 2024-08-03 847 prev_numa_node = numa_node; 67e11ee6347c43 Jingxian He 2024-08-03 848 } 67e11ee6347c43 Jingxian He 2024-08-03 849 if (numa_node->ipa_start + numa_node->ipa_size > CVM_IPA_MAX_VAL) 67e11ee6347c43 Jingxian He 2024-08-03 850 return false; 67e11ee6347c43 Jingxian He 2024-08-03 851 return true; 67e11ee6347c43 Jingxian He 2024-08-03 852 } 67e11ee6347c43 Jingxian 
He 2024-08-03 853 67773feaf93305 gongchangsui 2025-03-04 854 static inline bool is_dtb_info_has_extend_data(u64 dtb_info) 67773feaf93305 gongchangsui 2025-03-04 855 { 67773feaf93305 gongchangsui 2025-03-04 856 return dtb_info & 0x1; 67773feaf93305 gongchangsui 2025-03-04 857 } 67773feaf93305 gongchangsui 2025-03-04 858 67e11ee6347c43 Jingxian He 2024-08-03 859 int kvm_load_user_data(struct kvm *kvm, unsigned long arg) 67e11ee6347c43 Jingxian He 2024-08-03 860 { 67e11ee6347c43 Jingxian He 2024-08-03 861 struct kvm_user_data user_data; 67e11ee6347c43 Jingxian He 2024-08-03 862 void __user *argp = (void __user *)arg; 67e11ee6347c43 Jingxian He 2024-08-03 863 struct virtcca_cvm *cvm = kvm->arch.virtcca_cvm; 67e11ee6347c43 Jingxian He 2024-08-03 864 struct kvm_numa_info *numa_info; 67e11ee6347c43 Jingxian He 2024-08-03 865 befbde867291b5 He Jingxian 2025-04-07 866 if (!kvm_is_realm(kvm)) 67e11ee6347c43 Jingxian He 2024-08-03 867 return -EFAULT; 67e11ee6347c43 Jingxian He 2024-08-03 868 67e11ee6347c43 Jingxian He 2024-08-03 869 if (copy_from_user(&user_data, argp, sizeof(user_data))) 67e11ee6347c43 Jingxian He 2024-08-03 870 return -EINVAL; 67e11ee6347c43 Jingxian He 2024-08-03 871 67e11ee6347c43 Jingxian He 2024-08-03 872 numa_info = &user_data.numa_info; 67e11ee6347c43 Jingxian He 2024-08-03 873 if (numa_info->numa_cnt > MAX_NUMA_NODE) 67e11ee6347c43 Jingxian He 2024-08-03 874 return -EINVAL; 67e11ee6347c43 Jingxian He 2024-08-03 875 67e11ee6347c43 Jingxian He 2024-08-03 876 if (numa_info->numa_cnt > 0) { 67e11ee6347c43 Jingxian He 2024-08-03 877 unsigned long i, total_size = 0; 67e11ee6347c43 Jingxian He 2024-08-03 878 struct kvm_numa_node *numa_node = &numa_info->numa_nodes[0]; 67e11ee6347c43 Jingxian He 2024-08-03 879 unsigned long ipa_end = numa_node->ipa_start + numa_node->ipa_size; 67e11ee6347c43 Jingxian He 2024-08-03 880 67e11ee6347c43 Jingxian He 2024-08-03 881 if (!is_numa_ipa_range_valid(numa_info)) 67e11ee6347c43 Jingxian He 2024-08-03 882 return -EINVAL; 
67773feaf93305 gongchangsui 2025-03-04 883 67773feaf93305 gongchangsui 2025-03-04 884 if ((user_data.loader_start != numa_node->ipa_start) || 67773feaf93305 gongchangsui 2025-03-04 885 (user_data.data_start + user_data.data_size < user_data.data_start)) 67e11ee6347c43 Jingxian He 2024-08-03 886 return -EINVAL; 67773feaf93305 gongchangsui 2025-03-04 887 67773feaf93305 gongchangsui 2025-03-04 888 if (is_dtb_info_has_extend_data(user_data.dtb_info)) { 67773feaf93305 gongchangsui 2025-03-04 889 /* Direct boot, check DTB address is in IPA range */ 67773feaf93305 gongchangsui 2025-03-04 890 if (user_data.data_start + user_data.data_size > ipa_end) 67773feaf93305 gongchangsui 2025-03-04 891 return -EINVAL; 67773feaf93305 gongchangsui 2025-03-04 892 } else { 67773feaf93305 gongchangsui 2025-03-04 893 /* 67773feaf93305 gongchangsui 2025-03-04 894 * UEFI boot, check MMIO address range is within the valid limit (less than 67773feaf93305 gongchangsui 2025-03-04 895 * loader_start) 67773feaf93305 gongchangsui 2025-03-04 896 */ 67773feaf93305 gongchangsui 2025-03-04 897 if (user_data.data_start + user_data.data_size > user_data.loader_start) 67773feaf93305 gongchangsui 2025-03-04 898 return -EINVAL; 67773feaf93305 gongchangsui 2025-03-04 899 } 67773feaf93305 gongchangsui 2025-03-04 900 67e11ee6347c43 Jingxian He 2024-08-03 901 for (i = 0; i < numa_info->numa_cnt; i++) 67e11ee6347c43 Jingxian He 2024-08-03 902 total_size += numa_info->numa_nodes[i].ipa_size; 67e11ee6347c43 Jingxian He 2024-08-03 903 if (total_size != user_data.ram_size) 67e11ee6347c43 Jingxian He 2024-08-03 904 return -EINVAL; 67e11ee6347c43 Jingxian He 2024-08-03 905 } 67e11ee6347c43 Jingxian He 2024-08-03 906 67773feaf93305 gongchangsui 2025-03-04 907 if (is_dtb_info_has_extend_data(user_data.dtb_info)) 67773feaf93305 gongchangsui 2025-03-04 908 cvm->dtb_end = user_data.data_start + user_data.data_size; 67773feaf93305 gongchangsui 2025-03-04 909 else { 67773feaf93305 gongchangsui 2025-03-04 910 cvm->dtb_end = 
user_data.loader_start + user_data.dtb_info; 67773feaf93305 gongchangsui 2025-03-04 911 cvm->mmio_start = user_data.data_start; 67773feaf93305 gongchangsui 2025-03-04 912 cvm->mmio_end = user_data.data_start + user_data.data_size; 67773feaf93305 gongchangsui 2025-03-04 913 } 67e11ee6347c43 Jingxian He 2024-08-03 914 67e11ee6347c43 Jingxian He 2024-08-03 915 cvm->loader_start = user_data.loader_start; 67e11ee6347c43 Jingxian He 2024-08-03 916 cvm->ram_size = user_data.ram_size; 67e11ee6347c43 Jingxian He 2024-08-03 917 memcpy(&cvm->numa_info, numa_info, sizeof(struct kvm_numa_info)); 67e11ee6347c43 Jingxian He 2024-08-03 918 67e11ee6347c43 Jingxian He 2024-08-03 919 return 0; 67e11ee6347c43 Jingxian He 2024-08-03 920 } 67e11ee6347c43 Jingxian He 2024-08-03 921 67e11ee6347c43 Jingxian He 2024-08-03 922 void kvm_cvm_vcpu_put(struct kvm_vcpu *vcpu) 67e11ee6347c43 Jingxian He 2024-08-03 923 { 67e11ee6347c43 Jingxian He 2024-08-03 924 kvm_timer_vcpu_put(vcpu); 67e11ee6347c43 Jingxian He 2024-08-03 925 kvm_vgic_put(vcpu); 67e11ee6347c43 Jingxian He 2024-08-03 926 vcpu->cpu = -1; 67e11ee6347c43 Jingxian He 2024-08-03 927 } 67e11ee6347c43 Jingxian He 2024-08-03 928 67e11ee6347c43 Jingxian He 2024-08-03 929 unsigned long cvm_psci_vcpu_affinity_info(struct kvm_vcpu *vcpu, 67e11ee6347c43 Jingxian He 2024-08-03 930 unsigned long target_affinity, unsigned long lowest_affinity_level) 67e11ee6347c43 Jingxian He 2024-08-03 931 { 67e11ee6347c43 Jingxian He 2024-08-03 932 struct kvm_vcpu *target_vcpu; 67e11ee6347c43 Jingxian He 2024-08-03 933 67e11ee6347c43 Jingxian He 2024-08-03 934 if (lowest_affinity_level != 0) 67e11ee6347c43 Jingxian He 2024-08-03 935 return PSCI_RET_INVALID_PARAMS; 67e11ee6347c43 Jingxian He 2024-08-03 936 67e11ee6347c43 Jingxian He 2024-08-03 937 target_vcpu = kvm_mpidr_to_vcpu(vcpu->kvm, target_affinity); 67e11ee6347c43 Jingxian He 2024-08-03 938 if (!target_vcpu) 67e11ee6347c43 Jingxian He 2024-08-03 939 return PSCI_RET_INVALID_PARAMS; 67e11ee6347c43 
Jingxian He 2024-08-03 940 befbde867291b5 He Jingxian 2025-04-07 941 cvm_psci_complete(vcpu, target_vcpu, PSCI_RET_SUCCESS); 67e11ee6347c43 Jingxian He 2024-08-03 942 return PSCI_RET_SUCCESS; 67e11ee6347c43 Jingxian He 2024-08-03 943 } 67e11ee6347c43 Jingxian He 2024-08-03 944 67e11ee6347c43 Jingxian He 2024-08-03 945 int kvm_cvm_vcpu_set_events(struct kvm_vcpu *vcpu, 67e11ee6347c43 Jingxian He 2024-08-03 946 bool serror_pending, bool ext_dabt_pending) 67e11ee6347c43 Jingxian He 2024-08-03 947 { befbde867291b5 He Jingxian 2025-04-07 948 struct tmi_tec_run *run = vcpu->arch.tec.run; 67e11ee6347c43 Jingxian He 2024-08-03 949 if (serror_pending) 67e11ee6347c43 Jingxian He 2024-08-03 950 return -EINVAL; 67e11ee6347c43 Jingxian He 2024-08-03 951 67e11ee6347c43 Jingxian He 2024-08-03 952 if (ext_dabt_pending) { befbde867291b5 He Jingxian 2025-04-07 953 if (!(run->enter.flags & REC_ENTER_FLAG_EMULATED_MMIO)) 67e11ee6347c43 Jingxian He 2024-08-03 954 return -EINVAL; befbde867291b5 He Jingxian 2025-04-07 955 run->enter.flags &= ~REC_ENTER_FLAG_EMULATED_MMIO; befbde867291b5 He Jingxian 2025-04-07 956 run->enter.flags |= REC_ENTER_FLAG_INJECT_SEA; 67e11ee6347c43 Jingxian He 2024-08-03 957 } 67e11ee6347c43 Jingxian He 2024-08-03 958 return 0; 67e11ee6347c43 Jingxian He 2024-08-03 959 } 67e11ee6347c43 Jingxian He 2024-08-03 960 67e11ee6347c43 Jingxian He 2024-08-03 961 int kvm_init_cvm_vm(struct kvm *kvm) 67e11ee6347c43 Jingxian He 2024-08-03 962 { 67e11ee6347c43 Jingxian He 2024-08-03 963 struct tmi_cvm_params *params; 67e11ee6347c43 Jingxian He 2024-08-03 964 struct virtcca_cvm *cvm; 67e11ee6347c43 Jingxian He 2024-08-03 965 67e11ee6347c43 Jingxian He 2024-08-03 966 if (kvm->arch.virtcca_cvm) { 67e11ee6347c43 Jingxian He 2024-08-03 967 kvm_info("cvm already create.\n"); 67e11ee6347c43 Jingxian He 2024-08-03 968 return 0; 67e11ee6347c43 Jingxian He 2024-08-03 969 } 67e11ee6347c43 Jingxian He 2024-08-03 970 67e11ee6347c43 Jingxian He 2024-08-03 971 cvm = (struct virtcca_cvm 
*)kzalloc(sizeof(struct virtcca_cvm), GFP_KERNEL_ACCOUNT); 67e11ee6347c43 Jingxian He 2024-08-03 972 if (!cvm) 67e11ee6347c43 Jingxian He 2024-08-03 973 return -ENOMEM; 67e11ee6347c43 Jingxian He 2024-08-03 974 67e11ee6347c43 Jingxian He 2024-08-03 975 kvm->arch.virtcca_cvm = cvm; 67e11ee6347c43 Jingxian He 2024-08-03 976 params = kzalloc(PAGE_SIZE, GFP_KERNEL_ACCOUNT); 67e11ee6347c43 Jingxian He 2024-08-03 977 if (!params) { 67e11ee6347c43 Jingxian He 2024-08-03 978 kfree(kvm->arch.virtcca_cvm); 67e11ee6347c43 Jingxian He 2024-08-03 979 kvm->arch.virtcca_cvm = NULL; 67e11ee6347c43 Jingxian He 2024-08-03 980 return -ENOMEM; 67e11ee6347c43 Jingxian He 2024-08-03 981 } 67e11ee6347c43 Jingxian He 2024-08-03 982 67e11ee6347c43 Jingxian He 2024-08-03 983 cvm->params = params; 67e11ee6347c43 Jingxian He 2024-08-03 984 WRITE_ONCE(cvm->state, CVM_STATE_NONE); 67e11ee6347c43 Jingxian He 2024-08-03 985 befbde867291b5 He Jingxian 2025-04-07 986 kvm_enable_virtcca_cvm(kvm); 67e11ee6347c43 Jingxian He 2024-08-03 987 return 0; 67e11ee6347c43 Jingxian He 2024-08-03 988 } a8078c65197c6f yangxiangkai 2024-09-10 989 befbde867291b5 He Jingxian 2025-04-07 990 extern struct vgic_global kvm_vgic_global_state; befbde867291b5 He Jingxian 2025-04-07 991 befbde867291b5 He Jingxian 2025-04-07 @992 u32 kvm_cvm_vgic_nr_lr(void) befbde867291b5 He Jingxian 2025-04-07 993 { befbde867291b5 He Jingxian 2025-04-07 994 return kvm_vgic_global_state.nr_lr; befbde867291b5 He Jingxian 2025-04-07 995 } befbde867291b5 He Jingxian 2025-04-07 996 :::::: The code at line 992 was first introduced by commit :::::: befbde867291b5bb068a97b17086ad20484b6068 VirtCCA: Adapt virtcca operations by cca_base. :::::: TO: He Jingxian <hejingxian(a)huawei.com> :::::: CC: Xu Raoqing <xuraoqing(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
by Yi Yang 23 Sep '25

From: Zhang Shurong <zhang_shurong(a)foxmail.com> stable inclusion from stable-v4.19.295 commit adcb73f8ce9aec48b1f85223f401c1574015d8d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY49I CVE: CVE-2023-53220 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong(a)foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 746926364535..6bcf30218e51 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -795,6 +795,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_WR; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -809,6 +813,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr; -- 2.25.1
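Review bot: The same four-line `if (msgs[i].len < 1)` check is duplicated in the write branch and the read branch of az6007_i2c_xfer(), each placed just before `index = msgs[i].buf[0];`. If every branch of the loop reads msgs[i].buf[0], a single check at the top of the loop body would cover them all, including any branch added later. The `err` label is outside the visible context, so please confirm it releases whatever the function acquired before the loop, since both checks add a new early exit. -EINVAL would describe a malformed message more precisely than -EIO, unless -EIO is kept to stay identical to the upstream commit.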
[openeuler:OLK-6.6 2910/2910] mm/swap.h:66:26: error: implicit declaration of function 'swp_offset'; did you mean 'pud_offset'?
by kernel test robot 23 Sep '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: be758a5796c3d280deb877699c41fd0cd04e1deb commit: 5a72d2e54e8ff7c7f9510de875cf201ad18f36c4 [2910/2910] mm/shmem, swap: fix softlockup with mTHP swapin config: x86_64-buildonly-randconfig-002-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231547.ijXKrDIl-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231547.ijXKrDIl-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202509231547.ijXKrDIl-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from mm/shmem.c:43: mm/swap.h: In function 'non_swapcache_batch': >> mm/swap.h:66:26: error: implicit declaration of function 'swp_offset'; did you mean 'pud_offset'? [-Wimplicit-function-declaration] 66 | pgoff_t offset = swp_offset(entry); | ^~~~~~~~~~ | pud_offset In file included from mm/shmem.c:68: include/linux/swapops.h: At top level: >> include/linux/swapops.h:107:23: error: conflicting types for 'swp_offset'; have 'long unsigned int(swp_entry_t)' 107 | static inline pgoff_t swp_offset(swp_entry_t entry) | ^~~~~~~~~~ mm/swap.h:66:26: note: previous implicit declaration of 'swp_offset' with type 'int()' 66 | pgoff_t offset = swp_offset(entry); | ^~~~~~~~~~ Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC Depends on [n]: ACPI [=y] && ACPI_HOTPLUG_CPU [=n] Selected by [y]: - X86 [=y] && ACPI [=y] && HOTPLUG_CPU [=y] vim +66 mm/swap.h 62 63 static inline int non_swapcache_batch(swp_entry_t entry, int max_nr) 64 { 65 struct swap_info_struct *si = swp_swap_info(entry); > 66 pgoff_t offset = swp_offset(entry); 67 int i; 68 69 /* 70 * While allocating a large folio and doing mTHP swapin, we need to 71 * 
ensure all entries are not cached, otherwise, the mTHP folio will 72 * be in conflict with the folio in swap cache. 73 */ 74 for (i = 0; i < max_nr; i++) { 75 if ((si->swap_map[offset + i] & SWAP_HAS_CACHE)) 76 return i; 77 } 78 79 return i; 80 } 81 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] tee: fix NULL pointer dereference in tee_shm_put
by Xiaomeng Zhang 23 Sep '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v6.6.105 commit add1ecc8f3ad8df22e3599c5c88d7907cc2a3079 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXVF CVE: CVE-2025-39865 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4a718a3a47e89805c3be9d46a84de1949a98d5d ] tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 
: ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 Fixes: dfd0743f1d9e ("tee: handle lookup of shm with reference count 0") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/tee/tee_shm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 673cf0359494..426b818f2dd7 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -489,9 +489,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); */ void tee_shm_put(struct tee_shm *shm) { - struct tee_device *teedev = shm->ctx->teedev; + struct tee_device *teedev; bool do_release = false; + if (!shm || !shm->ctx || !shm->ctx->teedev) + return; + + teedev = shm->ctx->teedev; mutex_lock(&teedev->mutex); if (refcount_dec_and_test(&shm->refcount)) { /* -- 2.34.1
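Review bot: The guard added at the top of tee_shm_put() only rejects NULL pointers, while the oops quoted in the commit message faults at virtual address 0000000000100cca (the same value is in x0), which is not NULL. A NULL in any of the three pointers tested by `if (!shm || !shm->ctx || !shm->ctx->teedev)` would fault near address zero, so it is worth confirming which pointer was actually bad in that trace and whether this check covers it. The early return is also silent: a caller such as __optee_disable_shm_cache() that passes on a NULL result from reg_pair_to_ptr() is never reported, so a WARN_ON_ONCE() on the shm test, or a NULL check at that call site, would keep the underlying bug visible.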
[PATCH openEuler-1.0-LTS] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
by Cai Xinchen 23 Sep '25

From: Alexander Coffin <alex.coffin(a)matician.com> stable inclusion from stable-v4.19.262 commit d79f4d903e14dde822c60b5fd3bedc5a289d25df category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYQPC CVE: CVE-2022-50408 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ] > ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); may be schedule, and then complete before the line > ndev->stats.tx_bytes += skb->len; [ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dump_backtrace+0x0/0x2b8 [ 46.960719] show_stack+0x24/0x30 [ 46.964052] dump_stack+0x128/0x194 [ 46.967557] print_address_description.isra.0+0x64/0x380 [ 46.972877] __kasan_report+0x1d4/0x240 [ 46.976723] kasan_report+0xc/0x18 [ 46.980138] __asan_report_load4_noabort+0x18/0x20 [ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 [ 46.994894] sch_direct_xmit+0x198/0xd08 [ 46.998827] __qdisc_run+0x37c/0x1dc0 [ 47.002500] __dev_queue_xmit+0x1528/0x21f8 [ 47.006692] dev_queue_xmit+0x24/0x30 [ 47.010366] neigh_resolve_output+0x37c/0x678 [ 47.014734] ip_finish_output2+0x598/0x2458 [ 47.018927] __ip_finish_output+0x300/0x730 [ 47.023118] ip_output+0x2e0/0x430 [ 47.026530] ip_local_out+0x90/0x140 [ 47.030117] igmpv3_sendpack+0x14c/0x228 [ 47.034049] igmpv3_send_cr+0x384/0x6b8 [ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 [ 47.042262] call_timer_fn+0x1cc/0xbe8 [ 47.046021] __run_timers+0x4d8/0xb28 [ 47.049693] run_timer_softirq+0x24/0x40 [ 
47.053626] __do_softirq+0x2c0/0x117c [ 47.057387] irq_exit+0x2dc/0x388 [ 47.060715] __handle_domain_irq+0xb4/0x158 [ 47.064908] gic_handle_irq+0x58/0xb0 [ 47.068581] el0_irq_naked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] save_stack+0x24/0xb0 [ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasan_slab_alloc+0x14/0x20 [ 47.088622] kmem_cache_alloc+0x15c/0x468 [ 47.092643] __alloc_skb+0xa4/0x498 [ 47.096142] igmpv3_newpack+0x158/0xd78 [ 47.099987] add_grhead+0x210/0x288 [ 47.103485] add_grec+0x6b0/0xb70 [ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 [ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 [ 47.115027] call_timer_fn+0x1cc/0xbe8 [ 47.118785] __run_timers+0x4d8/0xb28 [ 47.122457] run_timer_softirq+0x24/0x40 [ 47.126389] __do_softirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] save_stack+0x24/0xb0 [ 47.138041] __kasan_slab_free+0x108/0x180 [ 47.142146] kasan_slab_free+0x10/0x18 [ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 [ 47.150444] kmem_cache_free+0x8c/0x528 [ 47.154292] kfree_skbmem+0x94/0x108 [ 47.157880] consume_skb+0x10c/0x5a8 [ 47.161466] __dev_kfree_skb_any+0x88/0xa0 [ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] [ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] [ 47.197859] process_one_work+0x7fc/0x1a80 [ 47.201965] worker_thread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] ret_from_fork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuff_head_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] 
page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 [ 47.255007] flags: 0x10200(slab|head) [ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 [ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 [ 47.274180] page dumped because: kasan: bad access detected [ 47.279752] [ 47.281251] Memory state around the buggy address: [ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.307723] ^ [ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 47.328789] ================================================================== Signed-off-by: Alexander Coffin <alex.coffin(a)matician.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c index 584e05fdca6a..5de20e5d67b6 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c @@ -270,6 +270,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, struct brcmf_pub *drvr = ifp->drvr; struct ethhdr *eh; int head_delta; + unsigned int tx_bytes = skb->len; brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); 
@@ -341,7 +342,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, ndev->stats.tx_dropped++; } else { ndev->stats.tx_packets++; - ndev->stats.tx_bytes += skb->len; + ndev->stats.tx_bytes += tx_bytes; } /* Return ok: we always eat the packet */ -- 2.34.1
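Review bot: `unsigned int tx_bytes = skb->len;` is sampled in the declarations at the top of brcmf_netdev_start_xmit(), roughly 70 lines before the counter update at `ndev->stats.tx_bytes += tx_bytes;`. That removes the read of skb after brcmf_proto_tx_queue_data() may already have completed and freed it, which is the KASAN report in the commit message, but it also means any change to skb->len between function entry and the queue call is not reflected in the statistic. Assigning tx_bytes immediately before the brcmf_proto_tx_queue_data() call would keep the same lifetime fix and record the length actually handed to the lower layer. Any other use of skb after that call lies outside the visible context and deserves the same check.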
[PATCH OLK-5.10] tee: fix NULL pointer dereference in tee_shm_put
by Xiaomeng Zhang 23 Sep '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v5.10.243 commit f266188603c34e6e234fb0dfc3185f0ba98d71b7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXVF CVE: CVE-2025-39865 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4a718a3a47e89805c3be9d46a84de1949a98d5d ] tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 
: ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 Fixes: dfd0743f1d9e ("tee: handle lookup of shm with reference count 0") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/tee/tee_shm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 6fb4400333fb..6d2db6cc247b 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -438,9 +438,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); */ void tee_shm_put(struct tee_shm *shm) { - struct tee_device *teedev = shm->ctx->teedev; + struct tee_device *teedev; bool do_release = false; + if (!shm || !shm->ctx || !shm->ctx->teedev) + return; + + teedev = shm->ctx->teedev; mutex_lock(&teedev->mutex); if (refcount_dec_and_test(&shm->refcount)) { /* -- 2.34.1
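Review bot: the NULL tests added at the top of tee_shm_put() do not match the quoted panic log, where the faulting address and x0 are both 0000000000100cca. That value is non-zero, so a NULL test on the pointer being dereferenced at that point would not have fired. The commit message should state which pointer held that value and how `if (!shm || !shm->ctx || !shm->ctx->teedev)` covers it. The early return is also silent, so a caller such as __optee_disable_shm_cache() handing in a bad shm goes unnoticed; a WARN_ON_ONCE() here, or a check where reg_pair_to_ptr() returns, would keep the caller bug visible.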
[PATCH openEuler-1.0-LTS] mmc: vub300: fix return value check of mmc_add_host()
by Yi Yang 23 Sep '25

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from stable-v4.19.270 commit a46e681151bbdacdf6b89ee8c4e5bad0555142bb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY475 CVE: CVE-2022-50251 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. And this patch fixes another missing call mmc_free_host() if usb_control_msg() fails. Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/mmc/host/vub300.c [Commit 99641238575c ("mmc: vub300: fix control-message timeouts") was not merged.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mmc/host/vub300.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c index 1fe68137a30f..12ca9d37f149 100644 --- a/drivers/mmc/host/vub300.c +++ b/drivers/mmc/host/vub300.c 
@@ -2309,14 +2309,14 @@ static int vub300_probe(struct usb_interface *interface, 0x0000, 0x0000, &vub300->system_port_status, sizeof(vub300->system_port_status), HZ); if (retval < 0) { - goto error4; + goto error5; } else if (sizeof(vub300->system_port_status) == retval) { vub300->card_present = (0x0001 & vub300->system_port_status.port_flags) ? 1 : 0; vub300->read_only = (0x0010 & vub300->system_port_status.port_flags) ? 1 : 0; } else { - goto error4; + goto error5; } usb_set_intfdata(interface, vub300); INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread); @@ -2339,8 +2339,13 @@ static int vub300_probe(struct usb_interface *interface, "USB vub300 remote SDIO host controller[%d]" "connected with no SD/SDIO card inserted\n", interface_to_InterfaceNumber(interface)); - mmc_add_host(mmc); + retval = mmc_add_host(mmc); + if (retval) + goto error6; + return 0; +error6: + del_timer_sync(&vub300->inactivity_timer); error5: mmc_free_host(mmc); /* -- 2.25.1
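Review bot: in the final else branch of the first hunk, retval is a non-negative byte count that differs from sizeof(vub300->system_port_status) when control reaches `goto error5;`. If the unwind path returns retval, vub300_probe() then reports a short read as something other than an error even though mmc_free_host(mmc) has already run. Set retval to a negative errno (for example -EINVAL) before that goto.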
[openeuler:OLK-6.6 2909/2909] mm/mem_sampling.c:293:1: sparse: sparse: symbol 'mm_damon_mem_sampling' was not declared. Should it be static?
by kernel test robot 23 Sep '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 2e9ef6c3ea086c85d489898471e527aeb3f7460b [2909/2909] mm/damon/vaddr: Support hardware-assisted memory access sampling
config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231424.83tDZFT5-lkp@…)
compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231424.83tDZFT5-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231424.83tDZFT5-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   mm/mem_sampling.c:48:33: sparse: sparse: symbol 'mem_sampling_saved_state' was not declared. Should it be static?
   mm/mem_sampling.c:61:1: sparse: sparse: symbol 'mem_sampling_record_cb_list' was not declared. Should it be static?
   mm/mem_sampling.c:69:6: sparse: sparse: symbol 'mem_sampling_record_cb_register' was not declared. Should it be static?
   mm/mem_sampling.c:86:6: sparse: sparse: symbol 'mem_sampling_record_cb_unregister' was not declared. Should it be static?
>> mm/mem_sampling.c:293:1: sparse: sparse: symbol 'mm_damon_mem_sampling' was not declared. Should it be static?

vim +/mm_damon_mem_sampling +293 mm/mem_sampling.c

   292
 > 293  DEFINE_STATIC_KEY_FALSE(mm_damon_mem_sampling);
   294  #ifdef CONFIG_DAMON_MEM_SAMPLING
   295  static void damon_mem_sampling_record_cb(struct mem_sampling_record *record)
   296  {
   297      struct damon_mem_sampling_fifo *damon_fifo;
   298      struct damon_mem_sampling_record domon_record;
   299      struct task_struct *task = NULL;
   300      struct mm_struct *mm;
   301
   302      /* Discard kernel address accesses */
   303      if (record->virt_addr & (1UL << 63))
   304          return;
   305
   306      task = find_get_task_by_vpid((pid_t)record->context_id);
   307      if (!task)
   308          return;
   309
   310      mm = get_task_mm(task);
   311      put_task_struct(task);
   312      if (!mm)
   313          return;
   314
   315      damon_fifo = mm->damon_fifo;
   316      mmput(mm);
   317
   318      domon_record.vaddr = record->virt_addr;
   319
   320      /* only the proc under monitor now has damon_fifo */
   321      if (damon_fifo) {
   322          if (kfifo_is_full(&damon_fifo->rx_kfifo))
   323              return;
   324
   325          kfifo_in_locked(&damon_fifo->rx_kfifo, &domon_record,
   326                  sizeof(struct damon_mem_sampling_record),
   327                  &damon_fifo->rx_kfifo_lock);
   328          return;
   329      }
   330  }
   331

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
by Yi Yang 23 Sep '25

From: Zhang Shurong <zhang_shurong(a)foxmail.com> stable inclusion from stable-v4.19.21 commit adcb73f8ce9aec48b1f85223f401c1574015d8d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY49I CVE: CVE-2023-53220 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong(a)foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 746926364535..6bcf30218e51 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -795,6 +795,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_WR; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -809,6 +813,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr; -- 2.25.1
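Review bot: the check added in the write branch (first hunk) returns -EIO for `msgs[i].len < 1`, which reads as a bus failure although the message itself is malformed; -EINVAL or -EOPNOTSUPP would tell the caller that the request was rejected. A one-line comment saying that a zero-length message may carry a NULL buf would also explain why len, not buf, is tested before `index = msgs[i].buf[0];`.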
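Review bot: the read branch (second hunk) repeats the same three-line length check as the write branch. Both guard the identical access `index = msgs[i].buf[0];`, so a single check placed ahead of the branch would remove the duplication, provided no other branch of the loop has to accept zero-length messages.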