kernel@openeuler.org

  • 38 participants
  • 22461 discussions
[PATCH openEuler-1.0-LTS] scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
by Wupeng Ma 16 Jan '26

From: Duoming Zhou <duoming(a)zju.edu.cn> stable inclusion from stable-v5.10.150 commit a9e5176ead6de64f572ad5c87a72825d9d3c82ae category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/8336 CVE: CVE-2022-50422 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 46ba53c30666717cb06c2b3c5d896301cd00d0c0 ] When executing SMP task failed, the smp_execute_task_sg() calls del_timer() to delete "slow_task->timer". However, if the timer handler sas_task_internal_timedout() is running, the del_timer() in smp_execute_task_sg() will not stop it and a UAF will happen. The process is shown below: (thread 1) | (thread 2) smp_execute_task_sg() | sas_task_internal_timedout() ... | del_timer() | ... | ... sas_free_task(task) | kfree(task->slow_task) //FREE| | task->slow_task->... //USE Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure the timer handler have finished before the "task->slow_task" is deallocated. Link: https://lore.kernel.org/r/20220920144213.10536-1-duoming@zju.edu.cn Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") Reviewed-by: Jason Yan <yanaijie(a)huawei.com> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/scsi/libsas/sas_expander.c [Wupeng Ma: context conflicts] Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- drivers/scsi/libsas/sas_expander.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c index 911d0e1e8e3fc..7b46f3b2b7710 100644 --- a/drivers/scsi/libsas/sas_expander.c +++ b/drivers/scsi/libsas/sas_expander.c 
@@ -98,7 +98,7 @@ static int smp_execute_task_sg(struct domain_device *dev, res = i->dft->lldd_execute_task(task, GFP_KERNEL); if (res) { - del_timer(&task->slow_task->timer); + del_timer_sync(&task->slow_task->timer); SAS_DPRINTK("executing SMP task failed:%d\n", res); break; } -- 2.43.0
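
Review bot: At the `if (res)` failure branch, `del_timer_sync()` waits for sas_task_internal_timedout() to finish, so this call site must not hold any lock that the handler takes, and the hunk shows neither the handler nor the locking around this branch. The `GFP_KERNEL` flag on the preceding `lldd_execute_task()` call indicates process context, so waiting here is permitted; please say in the commit message that no lock is held across the call. The "Conflicts:" line says only "context conflicts", and it would help to name the context lines that differed from upstream.
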
[PATCH openEuler-1.0-LTS 0/2] Fix CVE-2023-54179
by Yi Yang 16 Jan '26

scsi: qla2xxx: Array index may go out of bound Stable-dep-of: d721b591b95c ("scsi: qla2xxx: Array index may go out of bound") Nilesh Javali (1): scsi: qla2xxx: Array index may go out of bound Ye Bin (1): scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c drivers/scsi/qla2xxx/qla_os.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.25.1
[PATCH OLK-6.6] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
by Yi Yang 16 Jan '26

From: Long Li <leo.lilong(a)huawei.com> stable inclusion from stable-v6.6.120 commit 61abf8c3162d155b4fd0fb251f08557093363a0a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12749 CVE: CVE-2025-68367 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f ] The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two 
processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region. Fixes: 99b089c3c38a ("Input: Mac button emulation - implement as an input filter") Signed-off-by: Long Li <leo.lilong(a)huawei.com> Signed-off-by: Madhavan Srinivasan <maddy(a)linux.ibm.com> Link: https://patch.msgid.link/20250819091035.2263329-1-leo.lilong@huaweicloud.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/macintosh/mac_hid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/macintosh/mac_hid.c b/drivers/macintosh/mac_hid.c index d8c4d5664145..44e332ee99d3 100644 --- a/drivers/macintosh/mac_hid.c +++ b/drivers/macintosh/mac_hid.c @@ -186,13 +186,14 @@ static int mac_hid_toggle_emumouse(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { int *valp = table->data; - int old_val = *valp; + int old_val; int rc; rc = mutex_lock_killable(&mac_hid_emumouse_mutex); if (rc) return rc; + old_val = *valp; rc = proc_dointvec(table, write, buffer, lenp, ppos); if (rc == 0 && write && *valp != old_val) { -- 2.25.1
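
Review bot: With `int old_val;` now uninitialised at its declaration, correctness depends on `old_val = *valp;` staying after `mutex_lock_killable()` and before `proc_dointvec()`; the only early exit, `if (rc) return rc;`, runs before any read of `old_val`, so nothing uses it unset. A one-line comment at the assignment saying the snapshot must be taken under `mac_hid_emumouse_mutex` would stop a later cleanup from folding it back into the declaration and reintroducing the double `input_register_handler()` described in the commit message.
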
[PATCH openEuler-1.0-LTS] mmc: via-sdmmc: fix return value check of mmc_add_host()
by Yi Yang 16 Jan '26

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from stable-v4.19.270 commit 95025a8dd0ec015872f6c16473fe04d6264e68ca category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13164 CVE: CVE-2022-50846 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver") Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mmc/host/via-sdmmc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c index 32c4211506fc..a86e4b3b4060 100644 --- a/drivers/mmc/host/via-sdmmc.c +++ b/drivers/mmc/host/via-sdmmc.c @@ -1158,7 +1158,9 @@ static int via_sd_probe(struct pci_dev *pcidev, pcidev->subsystem_device == 0x3891) sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY; - mmc_add_host(mmc); + ret = mmc_add_host(mmc); + if (ret) + goto unmap; return 0; -- 2.25.1
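
Review bot: The new `goto unmap` after `mmc_add_host()` depends on two things the hunk does not show: that `ret` is already declared in via_sd_probe(), and that the `unmap` label unwinds everything set up before this point in the 4.19-based tree. The commit message says the error path calls mmc_free_host(); please confirm that `unmap` reaches it here, and that nothing initialised before `mmc_add_host()` (the quirk assignment is the only part visible) needs its own teardown first.
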
[PATCH openEuler-1.0-LTS] fbcon: Fix the issue of uninitialized charcount in the remaining consoles
by Luo Gengkun 15 Jan '26

HULK inclusion category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12587 CVE: NA ---------------------------------------------------------------------- After commit 054a54161b88 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") was merged, using alt+ctrl+f1 to switch the tty from tty0 to tty1 results in garbled display. The reason is the vc->vc_font.charcount is 0, it is clearly an uninitialized value. The mainline is fine because commit a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") assigns the fvc->vc_font.charcount to vc->vc_font.charcount. Fixes: f9a6134c4b54 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 83a4949e2497..4043b0b19140 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1032,6 +1032,7 @@ static void fbcon_init(struct vc_data *vc, int init) fvc->vc_font.data); vc->vc_font.width = fvc->vc_font.width; vc->vc_font.height = fvc->vc_font.height; + vc->vc_font.charcount = fvc->vc_font.charcount; p->userfont = t->userfont; if (p->userfont) -- 2.34.1
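
Review bot: The added `vc->vc_font.charcount = fvc->vc_font.charcount;` only helps if `fvc->vc_font.charcount` is itself non-zero, and the hunk shows just the branch that copies font fields from `fvc`, not where the source console's charcount is set in a tree that lacks a1ac250a82a5. Please confirm that every path in fbcon_init() that assigns the font data for `vc` also assigns charcount, since the commit message attributes the garbled display to a charcount of 0.
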
[PATCH openEuler-1.0-LTS] fbcon: Fix the issue of uninitialized charcount in the remaining consoles
by Luo Gengkun 15 Jan '26

Offering: HULK hulk inclusion category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12587 ---------------------------------------------------------------------- After commit 054a54161b88 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") was merged, using alt+ctrl+f1 to switch the tty from tty0 to tty1 results in garbled display. The reason is the vc->vc_font.charcount is 0, it is clearly an uninitialized value. The mainline is fine because commit a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount") assigns the fvc->vc_font.charcount to vc->vc_font.charcount. Fixes: f9a6134c4b54 ("fbdev: bitblit: bound-check glyph index in bit_putcs*") Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/video/fbdev/core/fbcon.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 83a4949e2497..4043b0b19140 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1032,6 +1032,7 @@ static void fbcon_init(struct vc_data *vc, int init) fvc->vc_font.data); vc->vc_font.width = fvc->vc_font.width; vc->vc_font.height = fvc->vc_font.height; + vc->vc_font.charcount = fvc->vc_font.charcount; p->userfont = t->userfont; if (p->userfont) -- 2.34.1
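
Review bot: The one-line change to fbcon_init() is identical to the other posting of this patch on the list (same `index 83a4949e2497..4043b0b19140`), so a version tag or a short note below the `---` saying what changed in the header would tell reviewers which posting to apply. In the message, the body cites 054a54161b88 and the Fixes: tag cites f9a6134c4b54 for the same subject "fbdev: bitblit: bound-check glyph index in bit_putcs*"; use the id that exists in openEuler-1.0-LTS for the Fixes: tag and say which tree the other id belongs to.
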
[PATCH] mfs: fix the compile error of use demo tool mdsd_prefetch
by Kuang Kai 15 Jan '26

From: kuangkai <kuangkai(a)kylinos.cn> kylin inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8354 CVE: NA -------------------------- Commit daa2c7d2bbd0 ("mfs: Add prefetch demo") use the pthread_create but not declared and linked, this cause compile mfs/tool with make fail: # cd tools/mfs && make mfsd_prefetch.cpp:118:23: error: 'pthread_create' was not declared in this scope Signed-off-by: kuangkai <kuangkai(a)kylinos.cn> --- tools/mfs/Makefile | 2 +- tools/mfs/mfsd_prefetch.cpp | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/mfs/Makefile b/tools/mfs/Makefile index f99c9cde828f..3fc331c7ebde 100644 --- a/tools/mfs/Makefile +++ b/tools/mfs/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 # Makefile for mfs demo -CFLAGS = -Wall -Wextra +CFLAGS = -Wall -Wextra -lpthread PROGS := mfsd mfsd_prefetch diff --git a/tools/mfs/mfsd_prefetch.cpp b/tools/mfs/mfsd_prefetch.cpp index d35aeb31941a..a26b271b3a00 100644 --- a/tools/mfs/mfsd_prefetch.cpp +++ b/tools/mfs/mfsd_prefetch.cpp @@ -23,6 +23,7 @@ #include <sys/statfs.h> #include <sys/stat.h> #include <sys/mman.h> +#include <pthread.h> #include <map> #include <string> -- 2.39.2 (Apple Git-143)
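
Review bot: In the Makefile hunk, `-lpthread` is appended to `CFLAGS`, but it is a library for the link step, and placed among the compile flags it can land before the objects on the link line, where a linker that resolves libraries in order may drop it. Put it with the link libraries (for example `LDLIBS += -lpthread`) or use `-pthread`, which applies to both compile and link; the hunk also does not show whether `CFLAGS` is used at all when building `mfsd_prefetch.cpp`, so check that the C++ rule picks the flag up. The subject line says mdsd_prefetch while the file in the diff is mfsd_prefetch.cpp.
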
[PATCH OLK-6.6 0/1] cpufreq/sched: Explicitly synchronize limits_changed flag handling
by Lifeng Zheng 15 Jan '26

From: Hongye Lin <linhongye(a)h-partners.com> driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8343 ---------------------------------------------------------------------- Rafael J. Wysocki (1): cpufreq/sched: Explicitly synchronize limits_changed flag handling kernel/sched/cpufreq_schedutil.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) -- 2.33.0
[PATCH OLK-5.10 0/2] kmemleak: Fix kmemleak false warnings
by Qi Xi 15 Jan '26

This series fixes kmemleak false warnings when reserving crash kernel memory. Patch 1 moves kmemleak_ignore_phys() to reserve_crashkernel_high() where memory is actually tracked by kmemleak. Patch 2 ensures kmemleak_ignore_phys() is only called when new memory is allocated, not when crash_base is pre-set via cmdline. ZhangPeng (2): arm64: kdump: fix kmemleak unknown object warning arm64: kdump: fix kmemleak unknown object warning when crash base is set kernel/crash_core.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) -- 2.33.0
[PATCH OLK-6.6] armv8_pmuv3: Keep event consistency of hw_metric events
by Yushan Wang 15 Jan '26

driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8310 CVE: NA ----------------------------------------------- hw_metric events should have same pmus. Check the event types and event pmus for event consistency. Signed-off-by: Yushan Wang <wangyushan12(a)huawei.com> Signed-off-by: Ying Jiang <jiangying44(a)h-partners.com> Signed-off-by: jiangying <jiangying44(a)h-partners.com> --- drivers/perf/arm_pmuv3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/perf/arm_pmuv3.c b/drivers/perf/arm_pmuv3.c index 5d750678a70e..4f27c75cfdfa 100644 --- a/drivers/perf/arm_pmuv3.c +++ b/drivers/perf/arm_pmuv3.c @@ -1159,7 +1159,8 @@ static int armv8pmu_check_hw_metric_event(struct pmu_hw_events *cpuc, if (event == leader) return 0; - if (!armv8pmu_event_is_hw_metric(leader)) + if (leader->pmu != event->pmu || + !armv8pmu_event_is_hw_metric(leader)) return -EINVAL; for_each_sibling_event(sibling, leader) { -- 2.33.0
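
Review bot: The new `leader->pmu != event->pmu` test compares only the group leader with the incoming event, while the commit message says hw_metric events should all share a PMU; the body of the `for_each_sibling_event(sibling, leader)` loop that follows is outside the hunk, so it is not visible whether each `sibling->pmu` is compared as well. If it is not, add the same comparison inside the loop. The message also says event types are checked, which this hunk does not change, and the last two Signed-off-by lines carry the same address.
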