Kernel

kernel@openeuler.org

  • 35 participants
  • 20704 discussions
[openeuler:OLK-6.6 2976/2976] ld: vgettimeofday.c:undefined reference to `__tsan_read4'
by kernel test robot 17 Oct '25
Hi Andrew,

FYI, the error/warning still remains.

tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 65461ffb14372269f333f0e18867775c14741e76
commit: f9b54a6714445cde83aeff0318cf767b3b81229d [2976/2976] arm64:ilp32: add ARM64_ILP32 to Kconfig
config: arm64-randconfig-003-20251017 (https://download.01.org/0day-ci/archive/20251017/202510170226.DhWN6e8d-lkp@…)
compiler: aarch64-linux-gcc (GCC) 15.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251017/202510170226.DhWN6e8d-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510170226.DhWN6e8d-lkp@intel.com/

All errors (new ones prefixed by >>):

arch/arm64/kernel/vdso-ilp32/Makefile:84: FORCE prerequisite is missing
arch/arm64/kernel/vdso-ilp32/Makefile:90: FORCE prerequisite is missing
arch/arm64/kernel/vdso-ilp32/Makefile:87: FORCE prerequisite is missing
cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated]
cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated]
cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated]
cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated]
arch/arm64/kernel/vdso-ilp32/Makefile:68: FORCE prerequisite is missing
ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `__cvdso_gettimeofday_data.constprop.0':
vgettimeofday.c:(.text+0x28): undefined reference to `__tsan_volatile_read4'
>> ld: vgettimeofday.c:(.text+0x40): undefined reference to `__tsan_read4'
>> ld: vgettimeofday.c:(.text+0x6c): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x78): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x84): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x94): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0xa4): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0xb0): undefined reference to `__tsan_read8'
>> ld: vgettimeofday.c:(.text+0xc0): undefined reference to `__tsan_volatile_read4'
>> ld: vgettimeofday.c:(.text+0x118): undefined reference to `__tsan_write4'
ld: vgettimeofday.c:(.text+0x124): undefined reference to `__tsan_write4'
ld: vgettimeofday.c:(.text+0x17c): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0x188): undefined reference to `__tsan_write4'
ld: vgettimeofday.c:(.text+0x194): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0x1a0): undefined reference to `__tsan_write4'
ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `__cvdso_clock_gettime_data.constprop.0':
vgettimeofday.c:(.text+0x24c): undefined reference to `__tsan_volatile_read4'
ld: vgettimeofday.c:(.text+0x264): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0x298): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x2a8): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x2b8): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x2c4): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0x2d4): undefined reference to `__tsan_read4'
ld: vgettimeofday.c:(.text+0x2e0): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x2f0): undefined reference to `__tsan_volatile_read4'
>> ld: vgettimeofday.c:(.text+0x348): undefined reference to `__tsan_write8'
ld: vgettimeofday.c:(.text+0x354): undefined reference to `__tsan_write8'
ld: vgettimeofday.c:(.text+0x41c): undefined reference to `__tsan_volatile_read4'
ld: vgettimeofday.c:(.text+0x430): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x43c): undefined reference to `__tsan_write8'
ld: vgettimeofday.c:(.text+0x448): undefined reference to `__tsan_read8'
ld: vgettimeofday.c:(.text+0x454): undefined reference to `__tsan_write8'
ld: vgettimeofday.c:(.text+0x464): undefined reference to `__tsan_volatile_read4'
ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `__kernel_clock_getres':
vgettimeofday.c:(.text+0x584): undefined reference to `__tsan_write8'
ld: vgettimeofday.c:(.text+0x590): undefined reference to `__tsan_write8'
ld: vgettimeofday.c:(.text+0x5c0): undefined reference to `__tsan_volatile_read4'
ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `_sub_I_00099_0':
vgettimeofday.c:(.text.startup+0x8): undefined reference to `__tsan_init'
collect2: error: ld returned 1 exit status
make[3]: *** [arch/arm64/kernel/vdso-ilp32/Makefile:68: arch/arm64/kernel/vdso-ilp32/vdso-ilp32.so.dbg] Error 1 shuffle=3794859661
make[3]: Target 'include/generated/vdso-ilp32-offsets.h' not remade because of errors.
make[2]: *** [arch/arm64/Makefile:201: vdso_prepare] Error 2 shuffle=3794859661
make[2]: Target 'prepare' not remade because of errors.
make[1]: *** [Makefile:234: __sub-make] Error 2 shuffle=3794859661
make[1]: Target 'prepare' not remade because of errors.
make: *** [Makefile:234: __sub-make] Error 2 shuffle=3794859661
make: Target 'prepare' not remade because of errors.

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-6.6 2976/2976] include/linux/virtcca_cvm_domain.h:69:51: warning: declaration of 'struct pci_dev' will not be visible outside of this function
by kernel test robot 17 Oct '25
Hi yxk,

FYI, the error/warning still remains.

tree: https://gitee.com/openeuler/kernel.git OLK-6.6
head: 65461ffb14372269f333f0e18867775c14741e76
commit: c5161d7e11a7e30755b2ec55aaebfd500193cbbc [2976/2976] virtCCA supports SR-IOV in CoDA scenarios.
config: x86_64-buildonly-randconfig-001-20251016 (https://download.01.org/0day-ci/archive/20251017/202510170107.BBlmteyz-lkp@…)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251017/202510170107.BBlmteyz-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510170107.BBlmteyz-lkp@intel.com/

All warnings (new ones prefixed by >>):

In file included from net/sunrpc/sched.c:24:
>> include/linux/virtcca_cvm_domain.h:69:51: warning: declaration of 'struct pci_dev' will not be visible outside of this function [-Wvisibility]
   69 | static inline int virtcca_add_coda_pci_dev(struct pci_dev *pdev)
      |                                                   ^
1 warning generated.

vim +69 include/linux/virtcca_cvm_domain.h

    68
  > 69  static inline int virtcca_add_coda_pci_dev(struct pci_dev *pdev)
    70  {
    71          return 0;
    72  }
    73

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-5.10 3233/3233] arch/x86/kvm/x86.c:8661:5: warning: no previous prototype for '__kvm_vcpu_halt'
by kernel test robot 16 Oct '25
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: 55f16e7a2a3e273da30ccadd01b074c054ceb6fe
commit: c499a3120204c834ff963c43d90a5ff33194b34c [3233/3233] KVM: SVM: Add support for booting APs in an SEV-ES guest
config: x86_64-randconfig-161-20251016 (https://download.01.org/0day-ci/archive/20251016/202510161956.PnDe2iFY-lkp@…)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251016/202510161956.PnDe2iFY-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202510161956.PnDe2iFY-lkp@intel.com/

All warnings (new ones prefixed by >>):

arch/x86/kvm/x86.c:809:5: warning: no previous prototype for 'kvm_read_guest_page_mmu' [-Wmissing-prototypes]
  809 | int kvm_read_guest_page_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu,
      |     ^~~~~~~~~~~~~~~~~~~~~~~
>> arch/x86/kvm/x86.c:8661:5: warning: no previous prototype for '__kvm_vcpu_halt' [-Wmissing-prototypes]
 8661 | int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason)
      |     ^~~~~~~~~~~~~~~

vim +/__kvm_vcpu_halt +8661 arch/x86/kvm/x86.c

  8660
> 8661  int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason)
  8662  {
  8663          ++vcpu->stat.halt_exits;
  8664          if (lapic_in_kernel(vcpu)) {
  8665                  vcpu->arch.mp_state = state;
  8666                  return 1;
  8667          } else {
  8668                  vcpu->run->exit_reason = reason;
  8669                  return 0;
  8670          }
  8671  }
  8672

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
by Zicheng Qu 16 Oct '25
From: Oleg Nesterov <oleg(a)redhat.com> mainline inclusion from mainline-v6.18-rc1 commit a15f37a40145c986cdf289a4b88390f35efdecc4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ID25DZ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable. Link: https://lkml.kernel.org/r/20250915120917.GA27702@redhat.com Fixes: 18c91bb2d872 ("prlimit: do not grab the tasklist_lock") Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- kernel/sys.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 355de0b65c23..47cb10a16b00 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1689,6 +1689,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, struct rlimit old, new; struct task_struct *tsk; unsigned int checkflags = 0; + bool need_tasklist; int ret; if (old_rlim) 
@@ -1715,8 +1716,25 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, get_task_struct(tsk); rcu_read_unlock(); - ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, - old_rlim ? &old : NULL); + need_tasklist = !same_thread_group(tsk, current); + if (need_tasklist) { + /* + * Ensure we can't race with group exit or de_thread(), + * so tsk->group_leader can't be freed or changed until + * read_unlock(tasklist_lock) below. + */ + read_lock(&tasklist_lock); + if (!pid_alive(tsk)) + ret = -ESRCH; + } + + if (!ret) { + ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, + old_rlim ? &old : NULL); + } + + if (need_tasklist) + read_unlock(&tasklist_lock); if (!ret && old_rlim) { rlim_to_rlim64(&old, &old64); -- 2.34.1
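Review bot: in the second hunk, `if (!ret)` reads `ret` on the `!need_tasklist` path without any assignment visible in the diff, and the first hunk declares it as a bare `int ret;`, so the fix is correct only if the code above `get_task_struct(tsk)` has already left `ret` at 0 (presumably the earlier permission check, which is outside the context shown). Initialising it explicitly, either `int ret = 0;` in the declaration or `ret = 0;` right before `need_tasklist = !same_thread_group(tsk, current);`, would make that dependency local and robust against later edits. It would also help to extend the new comment with why the lock is skipped for the same-thread-group case, since `same_thread_group()` is doing the safety argument there.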
[PATCH OLK-6.6] Bluetooth: btrtl: Prevent potential NULL dereference
by Xiaomeng Zhang 16 Oct '25
From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v6.6.88 commit 3db6605043b50c8bb768547b23e0222f67ceef3e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BMX CVE: CVE-2025-37792 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ] The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/bluetooth/btrtl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index 1e7c1f9db9e4..7f67e460f7f4 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -1194,6 +1194,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, rtl_dev_err(hdev, "mandatory config file %s not found", btrtl_dev->ic_info->cfg_name); ret = btrtl_dev->cfg_len; + if (!ret) + ret = -EINVAL; goto err_free; } } -- 2.34.1
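Review bot: the added `if (!ret) ret = -EINVAL;` closes the ERR_PTR(0) hole, but the `rtl_dev_err(hdev, "mandatory config file %s not found", ...)` line just above it now also fires for a config file that exists but is empty (`cfg_len == 0`); a distinct message for that case, or mapping it to -ENODATA rather than -EINVAL, would let an operator tell a missing firmware config from a truncated or empty one in the logs. Otherwise the fix is minimal and correct for the zero-length path the commit message describes.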
[PATCH OLK-5.10] Bluetooth: btrtl: Prevent potential NULL dereference
by Xiaomeng Zhang 16 Oct '25
From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v5.10.237 commit 73dc99c0ea94abd22379b2d82cacbc73f3e18ec1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BMX CVE: CVE-2025-37792 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ] The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/bluetooth/btrtl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index 3a9afc905f24..77de43d8d796 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -625,6 +625,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, rtl_dev_err(hdev, "mandatory config file %s not found", btrtl_dev->ic_info->cfg_name); ret = btrtl_dev->cfg_len; + if (!ret) + ret = -EINVAL; goto err_free; } } -- 2.34.1
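Review bot: the hunk applies at `@@ -625` in this tree while the commit message's Smatch reference points at `btrtl.c:592`, so that line number describes the mainline file rather than OLK-5.10; harmless, but worth knowing when cross-checking the backport. The two added lines do what they should: with `cfg_len == 0` and no check, `ret` stays 0 and the error path returns a pointer the caller treats as success. As with the OLK-6.6 backport, the `"mandatory config file %s not found"` message above the hunk is now also printed for an empty file, so a separate message for the zero-length case would make the log less misleading.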
[PATCH openEuler-1.0-LTS] scsi: qla4xxx: Add length check when parsing nlattrs
by Pu Lehui 16 Oct '25
From: Lin Ma <linma(a)zju.edu.cn> stable inclusion from stable-v4.19.295 commit 5925e224cc6edfef57b20447f18323208461309b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0REH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] There are three places that qla4xxx parses nlattrs: - qla4xxx_set_chap_entry() - qla4xxx_iface_set_param() - qla4xxx_sysfs_ddb_set_param() and each of them directly converts the nlattr to specific pointer of structure without length checking. This could be dangerous as those attributes are not validated and a malformed nlattr (e.g., length 0) could result in an OOB read that leaks heap dirty data. Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries") Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support") Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") Signed-off-by: Lin Ma <linma(a)zju.edu.cn> Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn Reviewed-by: Chris Leech <cleech(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/scsi/qla4xxx/ql4_os.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c index f8acf101af3d..8d42f20ba7e5 100644 --- a/drivers/scsi/qla4xxx/ql4_os.c +++ b/drivers/scsi/qla4xxx/ql4_os.c 
@@ -940,6 +940,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len) memset(&chap_rec, 0, sizeof(chap_rec)); nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*param_info)) { + rc = -EINVAL; + goto exit_set_chap; + } + param_info = nla_data(attr); switch (param_info->param) { @@ -2724,6 +2729,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len) } nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*iface_param)) { + rval = -EINVAL; + goto exit_init_fw_cb; + } + iface_param = nla_data(attr); if (iface_param->param_type == ISCSI_NET_PARAM) { @@ -8098,6 +8108,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess, memset((void *)&chap_tbl, 0, sizeof(chap_tbl)); nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*fnode_param)) { + rc = -EINVAL; + goto exit_set_param; + } + fnode_param = nla_data(attr); switch (fnode_param->param) { -- 2.34.1
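Review bot: in the first hunk (`qla4xxx_set_chap_entry`), an undersized attribute makes the function fail with a bare -EINVAL and no log line; since these nlattrs arrive from a userspace netlink message, a rate-limited `ql4_printk(KERN_WARNING, ...)` reporting the attribute length would give operators a visible signal for malformed (or deliberately short) input rather than only a silent error return.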
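Review bot: in the second hunk (`qla4xxx_iface_set_param`), `nla_len(attr) < sizeof(*iface_param)` only guarantees the fixed header of `struct iscsi_iface_param_info`; that structure carries a `len` field and a trailing `value[]` payload, so any handler below the hunk that reads `iface_param->value` for `iface_param->len` bytes still needs `nla_len(attr) >= sizeof(*iface_param) + iface_param->len` to be safe. A second check after `iface_param = nla_data(attr);`, or a comment explaining why the per-parameter handlers already bound the payload, would close that gap.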
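Review bot: the third hunk (`qla4xxx_sysfs_ddb_set_param`) repeats the same five-line check for the third time; a small static helper (something like `qla4xxx_nla_len_ok(attr, size)`, name hypothetical) returning -EINVAL on a short attribute would keep the three sites in step and make it harder for a fourth `nla_for_each_attr` loop to forget the check. `struct iscsi_flashnode_param_info` is the same header-plus-`value[]` layout as the iface case, so the same follow-up payload-length concern applies here.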
[PATCH OLK-5.10] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25
From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index 4d2fbe1429b6..e6996428c07d 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c 
@@ -2637,7 +2637,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.46.1
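Review bot: the new `cur_len > LU_GROUP_NAME_BUF` bound is right only because `cur_len++` above adds the terminator to the `snprintf()` return value: a return of LU_GROUP_NAME_BUF - 1 (exactly filling the buffer) gives `cur_len == LU_GROUP_NAME_BUF` and passes, so the following `memcpy()` copies the whole buffer including its NUL, while any truncated result fails the check. That reasoning depends on the `snprintf()` size argument above the hunk being exactly LU_GROUP_NAME_BUF; please confirm it is (it is not in the context shown) and consider a one-line comment, since `>` versus `>=` here is easy to get wrong on a later edit.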
[PATCH openEuler-1.0-LTS] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25
From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index f6b1549f4142..1fd4a9ed4c61 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c 
@@ -2345,7 +2345,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.31.1
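Review bot: an alternative to the second condition would be switching the `snprintf()` above the hunk to `scnprintf()`, which returns the bytes actually written and so can never yield a `cur_len` larger than the buffer; the trade-off is that an over-long `hba/dev` name would then be silently truncated in the output instead of stopping the listing via the `pr_warn()` below. Keeping the warning path seems the better behaviour for a configfs read, but the message text "Ran out of lu_gp_show_attr_members buffer" now covers both the page-size case and the name-size case, and it would be clearer if it said which one was hit.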
[PATCH OLK-6.6] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25
From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index 9a88774836c9..eddcfd09c05b 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c 
@@ -2738,7 +2738,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.46.1
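Review bot: one behavioural consequence of the new condition: once a single member's formatted `%s/%s\n` line reaches LU_GROUP_NAME_BUF characters, the `break` ends the listing early and every member after it is never shown. That is the safe choice given the `memcpy()` that follows, but a `continue` that skips only the over-long entry, together with a warning naming the item, would keep the remaining members visible; either way the `pr_warn()` below now covers two distinct conditions and should say which one occurred.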