- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 0/2] Fix CVE-2023-54179
by Yi Yang 16 Jan '26

16 Jan '26

scsi: qla2xxx: Array index may go out of bound Stable-dep-of: d721b591b95c ("scsi: qla2xxx: Array index may go out of bound") Nilesh Javali (1): scsi: qla2xxx: Array index may go out of bound Ye Bin (1): scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c drivers/scsi/qla2xxx/qla_os.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.25.1

2 3

[PATCH OLK-6.6] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
by Yi Yang 16 Jan '26

16 Jan '26

From: Long Li <leo.lilong(a)huawei.com> stable inclusion from stable-v6.6.120 commit 61abf8c3162d155b4fd0fb251f08557093363a0a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12749 CVE: CVE-2025-68367 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f ] The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region. Fixes: 99b089c3c38a ("Input: Mac button emulation - implement as an input filter") Signed-off-by: Long Li <leo.lilong(a)huawei.com> Signed-off-by: Madhavan Srinivasan <maddy(a)linux.ibm.com> Link: https://patch.msgid.link/20250819091035.2263329-1-leo.lilong@huaweicloud.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/macintosh/mac_hid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/macintosh/mac_hid.c b/drivers/macintosh/mac_hid.c index d8c4d5664145..44e332ee99d3 100644 --- a/drivers/macintosh/mac_hid.c +++ b/drivers/macintosh/mac_hid.c @@ -186,13 +186,14 @@ static int mac_hid_toggle_emumouse(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { int *valp = table->data; - int old_val = *valp; + int old_val; int rc; rc = mutex_lock_killable(&mac_hid_emumouse_mutex); if (rc) return rc; + old_val = *valp; rc = proc_dointvec(table, write, buffer, lenp, ppos); if (rc == 0 && write && *valp != old_val) { -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] mmc: via-sdmmc: fix return value check of mmc_add_host()
by Yi Yang 16 Jan '26

16 Jan '26

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from stable-v4.19.270 commit 95025a8dd0ec015872f6c16473fe04d6264e68ca category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13164 CVE: CVE-2022-50846 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver") Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mmc/host/via-sdmmc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c index 32c4211506fc..a86e4b3b4060 100644 --- a/drivers/mmc/host/via-sdmmc.c +++ b/drivers/mmc/host/via-sdmmc.c @@ -1158,7 +1158,9 @@ static int via_sd_probe(struct pci_dev *pcidev, pcidev->subsystem_device == 0x3891) sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY; - mmc_add_host(mmc); + ret = mmc_add_host(mmc); + if (ret) + goto unmap; return 0; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] fbcon: Fix the issue of uninitialized charcount in the remaining consoles
by Luo Gengkun 15 Jan '26

15 Jan '26

HULK inclusion category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12587 CVE: NA ---------------------------------------------------------------------- After commit 054a54161b88 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") was merged, using alt+ctrl+f1 to switch the tty from tty0 to tty1 results in garbled display. The reason is the vc->vc_font.charcount is 0, it is clearly an uninitialized value. The mainline is fine because commit a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") assigns the fvc->vc_font.charcount to vc->vc_font.charcount. Fixes: f9a6134c4b54 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 83a4949e2497..4043b0b19140 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1032,6 +1032,7 @@ static void fbcon_init(struct vc_data *vc, int init) fvc->vc_font.data); vc->vc_font.width = fvc->vc_font.width; vc->vc_font.height = fvc->vc_font.height; + vc->vc_font.charcount = fvc->vc_font.charcount; p->userfont = t->userfont; if (p->userfont) -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] fbcon: Fix the issue of uninitialized charcount in the remaining consoles
by Luo Gengkun 15 Jan '26

15 Jan '26

Offering: HULK hulk inclusion category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12587 ---------------------------------------------------------------------- After commit 054a54161b88 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") was merged, using alt+ctrl+f1 to switch the tty from tty0 to tty1 results in garbled display. The reason is the vc->vc_font.charcount is 0, it is clearly an uninitialized value. The mainline is fine because commit a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") assigns the fvc->vc_font.charcount to vc->vc_font.charcount. Fixes: f9a6134c4b54 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 83a4949e2497..4043b0b19140 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1032,6 +1032,7 @@ static void fbcon_init(struct vc_data *vc, int init) fvc->vc_font.data); vc->vc_font.width = fvc->vc_font.width; vc->vc_font.height = fvc->vc_font.height; + vc->vc_font.charcount = fvc->vc_font.charcount; p->userfont = t->userfont; if (p->userfont) -- 2.34.1

2 1

[PATCH] mfs: fix the compile error of use demo tool mdsd_prefetch
by Kuang Kai 15 Jan '26

15 Jan '26

From: kuangkai <kuangkai(a)kylinos.cn> kylin inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8354 CVE: NA -------------------------- Commit daa2c7d2bbd0 ("mfs: Add prefetch demo") use the pthread_create but not declared and linked, this cause compile mfs/tool with make fail: # cd tools/mfs && make mfsd_prefetch.cpp:118:23: error: 'pthread_create' was not declared in this scope Signed-off-by: kuangkai <kuangkai(a)kylinos.cn> --- tools/mfs/Makefile | 2 +- tools/mfs/mfsd_prefetch.cpp | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/mfs/Makefile b/tools/mfs/Makefile index f99c9cde828f..3fc331c7ebde 100644 --- a/tools/mfs/Makefile +++ b/tools/mfs/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 # Makefile for mfs demo -CFLAGS = -Wall -Wextra +CFLAGS = -Wall -Wextra -lpthread PROGS := mfsd mfsd_prefetch diff --git a/tools/mfs/mfsd_prefetch.cpp b/tools/mfs/mfsd_prefetch.cpp index d35aeb31941a..a26b271b3a00 100644 --- a/tools/mfs/mfsd_prefetch.cpp +++ b/tools/mfs/mfsd_prefetch.cpp @@ -23,6 +23,7 @@ #include <sys/statfs.h> #include <sys/stat.h> #include <sys/mman.h> +#include <pthread.h> #include <map> #include <string> -- 2.39.2 (Apple Git-143)

1 0

[PATCH OLK-6.6 0/1] cpufreq/sched: Explicitly synchronize limits_changed flag handling
by Lifeng Zheng 15 Jan '26

15 Jan '26

From: Hongye Lin <linhongye(a)h-partners.com> driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8343 ---------------------------------------------------------------------- Rafael J. Wysocki (1): cpufreq/sched: Explicitly synchronize limits_changed flag handling kernel/sched/cpufreq_schedutil.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) -- 2.33.0

2 2

[PATCH OLK-5.10 0/2] kmemleak: Fix kmemleak false warnings
by Qi Xi 15 Jan '26

15 Jan '26

This series fixes kmemleak false warnings when reserving crash kernel memory. Patch 1 moves kmemleak_ignore_phys() to reserve_crashkernel_high() where memory is actually tracked by kmemleak. Patch 2 ensures kmemleak_ignore_phys() is only called when new memory is allocated, not when crash_base is pre-set via cmdline. ZhangPeng (2): arm64: kdump: fix kmemleak unknown object warning arm64: kdump: fix kmemleak unknown object warning when crash base is set kernel/crash_core.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) -- 2.33.0

2 3

[PATCH OLK-6.6] armv8_pmuv3: Keep event consistency of hw_metric events
by Yushan Wang 15 Jan '26

15 Jan '26

driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8310 CVE: NA ----------------------------------------------- hw_metric events should have same pmus. Check the event types and event pmus for event consistency. Signed-off-by: Yushan Wang <wangyushan12(a)huawei.com> Signed-off-by: Ying Jiang <jiangying44(a)h-partners.com> Signed-off-by: jiangying <jiangying44(a)h-partners.com> --- drivers/perf/arm_pmuv3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/perf/arm_pmuv3.c b/drivers/perf/arm_pmuv3.c index 5d750678a70e..4f27c75cfdfa 100644 --- a/drivers/perf/arm_pmuv3.c +++ b/drivers/perf/arm_pmuv3.c @@ -1159,7 +1159,8 @@ static int armv8pmu_check_hw_metric_event(struct pmu_hw_events *cpuc, if (event == leader) return 0; - if (!armv8pmu_event_is_hw_metric(leader)) + if (leader->pmu != event->pmu || + !armv8pmu_event_is_hw_metric(leader)) return -EINVAL; for_each_sibling_event(sibling, leader) { -- 2.33.0

2 1

[PATCH OLK-5.10 0/4] fix kmemleak false warning
by Qi Xi 15 Jan '26

15 Jan '26

Patch #1 introduces the OBJECT_PHYS flag and create_object_phys() for physical address-allocated kmemleak objects. Patch #2 adds object_phys_tree_root to store physical address objects and uses raw physical addresses instead of virtual addresses. Patch #3 fixes false positives in KFENCE by using kmemleak_ignore_phys() for early memblock-allocated pools. Patch #4 fixes similar false positives in percpu by replacing kmemleak_free() with kmemleak_ignore_phys(). Patrick Wang (3): mm: kmemleak: add OBJECT_PHYS flag for objects allocated with physical address mm: kmemleak: add rbtree and store physical address for objects allocated with PA mm: percpu: use kmemleak_ignore_phys() instead of kmemleak_free() Yee Lee (1): mm: kfence: apply kmemleak_ignore_phys on early allocated pool mm/kfence/core.c | 18 ++--- mm/kmemleak.c | 166 +++++++++++++++++++++++++++++++++-------------- mm/percpu.c | 6 +- 3 files changed, 131 insertions(+), 59 deletions(-) -- 2.33.0

2 5