kernel@openeuler.org

  • 50 participants
  • 20415 discussions
[PATCH openEuler-1.0-LTS] mm: vmscan: enable shrink_page_cache_work limit
by Wupeng Ma 23 Sep '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4SK3S CVE: NA -------------------------------- Commit 92cd2e7fa82d ("mm:vmscan: add the missing check of page_cache_over_limit") add limit check for shrink_page_cache_work to stop page cache below limit. However this limit is only checked iff memory reliable is enable, since page cache limit can be enabled without memory reliable. Enable this limit check in all scenarios. Fixes: 92cd2e7fa82d ("mm:vmscan: add the missing check of page_cache_over_limit") Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- mm/vmscan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/mm/vmscan.c b/mm/vmscan.c index 6a649f02666f..fa08ffd043de 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -4060,8 +4060,7 @@ static void shrink_page_cache_work(struct work_struct *w) if (vm_cache_reclaim_s == 0 || !vm_cache_reclaim_enable) return; - if (mem_reliable_is_enabled() && - (!vm_cache_limit_mbytes || !page_cache_over_limit())) + if (!vm_cache_limit_mbytes || !page_cache_over_limit()) return; /* It should wait more time if we hardly reclaim the page cache */ -- 2.43.0
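
Review bot: With the mem_reliable_is_enabled() term removed from the condition in shrink_page_cache_work() (@@ -4060), the worker now returns early whenever vm_cache_limit_mbytes is 0, including on systems that set vm_cache_reclaim_enable and vm_cache_reclaim_s but never configured a limit; before this change that configuration fell through to the reclaim path when memory reliable was off. If that is the intended result, state it in the changelog so the behaviour change for periodic reclaim without a limit is on record; if not, the zero-limit case needs handling separate from the page_cache_over_limit() test.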
[PATCH openEuler-1.0-LTS] mm: vmscan: enable shrink_page_cache_work limit
by Wupeng Ma 23 Sep '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4SK3S CVE: NA -------------------------------- Commit 92cd2e7fa82d ("mm:vmscan: add the missing check of page_cache_over_limit") add limit check for shrink_page_cache_work to stop page cache below limit. However this limit is only checked iff memory reliable is enable, since page cache limit can be enabled without memory reliable. Enable this limit check in all scenarios. Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- mm/vmscan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/mm/vmscan.c b/mm/vmscan.c index 6a649f02666f..fa08ffd043de 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -4060,8 +4060,7 @@ static void shrink_page_cache_work(struct work_struct *w) if (vm_cache_reclaim_s == 0 || !vm_cache_reclaim_enable) return; - if (mem_reliable_is_enabled() && - (!vm_cache_limit_mbytes || !page_cache_over_limit())) + if (!vm_cache_limit_mbytes || !page_cache_over_limit()) return; /* It should wait more time if we hardly reclaim the page cache */ -- 2.43.0
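
Review bot: The changelog names commit 92cd2e7fa82d as the origin of the condition rewritten at @@ -4060 in shrink_page_cache_work(), but this posting carries no Fixes: trailer for it. Add Fixes: 92cd2e7fa82d ("mm:vmscan: add the missing check of page_cache_over_limit") above the Signed-off-by line so the fix follows that commit wherever it was applied.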
[openeuler:OLK-6.6 2909/2909] drivers/gpu/drm/phytium/phytium_gem.c:174:5: sparse: sparse: symbol 'phytium_gem_prime_mmap' was not declared. Should it be static?
by kernel test robot 23 Sep '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 3b4a5906fa714bdc9a15fc04374942888737eb4c [2909/2909] drm/phytium: Fix Phytium DRM build fail
config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231756.bOMWC43K-lkp@…)
compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231756.bOMWC43K-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231756.bOMWC43K-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
   drivers/gpu/drm/phytium/phytium_gem.c: note: in included file (through arch/arm64/include/asm/cpufeature.h, arch/arm64/include/asm/ptrace.h, arch/arm64/include/asm/irqflags.h, ...):
   arch/arm64/include/asm/cputype.h:163:9: sparse: sparse: preprocessor token PHYTIUM_CPU_PART_FTC862 redefined
   arch/arm64/include/asm/cputype.h:110:9: sparse: this was the original definition
   drivers/gpu/drm/phytium/phytium_gem.c:22:5: sparse: sparse: symbol 'phytium_memory_pool_alloc' was not declared. Should it be static?
   drivers/gpu/drm/phytium/phytium_gem.c:37:6: sparse: sparse: symbol 'phytium_memory_pool_free' was not declared. Should it be static?
   drivers/gpu/drm/phytium/phytium_gem.c:161:5: sparse: sparse: symbol 'phytium_gem_prime_vmap' was not declared. Should it be static?
   drivers/gpu/drm/phytium/phytium_gem.c:170:6: sparse: sparse: symbol 'phytium_gem_prime_vunmap' was not declared. Should it be static?
>> drivers/gpu/drm/phytium/phytium_gem.c:174:5: sparse: sparse: symbol 'phytium_gem_prime_mmap' was not declared. Should it be static?
   drivers/gpu/drm/phytium/phytium_gem.c:186:5: sparse: sparse: symbol 'phytium_dma_transfer' was not declared. Should it be static?

vim +/phytium_gem_prime_mmap +174 drivers/gpu/drm/phytium/phytium_gem.c

b80df10f845813 lishuo       2024-01-31   21
b80df10f845813 lishuo       2024-01-31  @22  int phytium_memory_pool_alloc(struct phytium_display_private *priv, void **pvaddr,
b80df10f845813 lishuo       2024-01-31   23  			phys_addr_t *phys_addr, uint64_t size)
b80df10f845813 lishuo       2024-01-31   24  {
b80df10f845813 lishuo       2024-01-31   25  	unsigned long vaddr;
b80df10f845813 lishuo       2024-01-31   26
b80df10f845813 lishuo       2024-01-31   27  	vaddr = gen_pool_alloc(priv->memory_pool, size);
b80df10f845813 lishuo       2024-01-31   28  	if (!vaddr)
b80df10f845813 lishuo       2024-01-31   29  		return -ENOMEM;
b80df10f845813 lishuo       2024-01-31   30
b80df10f845813 lishuo       2024-01-31   31  	*phys_addr = gen_pool_virt_to_phys(priv->memory_pool, vaddr);
b80df10f845813 lishuo       2024-01-31   32
b80df10f845813 lishuo       2024-01-31   33  	*pvaddr = (void *)vaddr;
b80df10f845813 lishuo       2024-01-31   34  	return 0;
b80df10f845813 lishuo       2024-01-31   35  }
b80df10f845813 lishuo       2024-01-31   36
b80df10f845813 lishuo       2024-01-31   37  void phytium_memory_pool_free(struct phytium_display_private *priv, void *vaddr, uint64_t size)
b80df10f845813 lishuo       2024-01-31   38  {
b80df10f845813 lishuo       2024-01-31   39  	gen_pool_free(priv->memory_pool, (unsigned long)vaddr, size);
b80df10f845813 lishuo       2024-01-31   40  }
b80df10f845813 lishuo       2024-01-31   41
b80df10f845813 lishuo       2024-01-31   42  int phytium_memory_pool_init(struct device *dev, struct phytium_display_private *priv)
b80df10f845813 lishuo       2024-01-31   43  {
b80df10f845813 lishuo       2024-01-31   44  	int ret = 0;
b80df10f845813 lishuo       2024-01-31   45
b80df10f845813 lishuo       2024-01-31   46  	priv->memory_pool = gen_pool_create(VRAM_POOL_ALLOC_ORDER, -1);
b80df10f845813 lishuo       2024-01-31   47  	if (priv->memory_pool == NULL) {
b80df10f845813 lishuo       2024-01-31   48  		DRM_ERROR("fail to create memory pool\n");
b80df10f845813 lishuo       2024-01-31   49  		ret = -1;
b80df10f845813 lishuo       2024-01-31   50  		goto failed_create_pool;
b80df10f845813 lishuo       2024-01-31   51  	}
b80df10f845813 lishuo       2024-01-31   52
b80df10f845813 lishuo       2024-01-31   53  	ret = gen_pool_add_virt(priv->memory_pool, (unsigned long)priv->pool_virt_addr,
b80df10f845813 lishuo       2024-01-31   54  				priv->pool_phys_addr, priv->pool_size, -1);
b80df10f845813 lishuo       2024-01-31   55  	if (ret) {
b80df10f845813 lishuo       2024-01-31   56  		DRM_ERROR("fail to add vram pool\n");
b80df10f845813 lishuo       2024-01-31   57  		ret = -1;
b80df10f845813 lishuo       2024-01-31   58  		goto failed_add_pool_virt;
b80df10f845813 lishuo       2024-01-31   59  	}
b80df10f845813 lishuo       2024-01-31   60
b80df10f845813 lishuo       2024-01-31   61  	return 0;
b80df10f845813 lishuo       2024-01-31   62
b80df10f845813 lishuo       2024-01-31   63  failed_add_pool_virt:
b80df10f845813 lishuo       2024-01-31   64  	gen_pool_destroy(priv->memory_pool);
b80df10f845813 lishuo       2024-01-31   65
b80df10f845813 lishuo       2024-01-31   66  failed_create_pool:
b80df10f845813 lishuo       2024-01-31   67  	return ret;
b80df10f845813 lishuo       2024-01-31   68  }
b80df10f845813 lishuo       2024-01-31   69
b80df10f845813 lishuo       2024-01-31   70  void phytium_memory_pool_fini(struct device *dev, struct phytium_display_private *priv)
b80df10f845813 lishuo       2024-01-31   71  {
b80df10f845813 lishuo       2024-01-31   72  	gen_pool_destroy(priv->memory_pool);
b80df10f845813 lishuo       2024-01-31   73  }
b80df10f845813 lishuo       2024-01-31   74
b80df10f845813 lishuo       2024-01-31   75  struct sg_table *
b80df10f845813 lishuo       2024-01-31   76  phytium_gem_prime_get_sg_table(struct drm_gem_object *obj)
b80df10f845813 lishuo       2024-01-31   77  {
b80df10f845813 lishuo       2024-01-31   78  	struct phytium_gem_object *phytium_gem_obj = to_phytium_gem_obj(obj);
b80df10f845813 lishuo       2024-01-31   79  	struct sg_table *sgt;
b80df10f845813 lishuo       2024-01-31   80  	struct drm_device *dev = obj->dev;
b80df10f845813 lishuo       2024-01-31   81  	int ret;
b80df10f845813 lishuo       2024-01-31   82  	struct page *page = NULL;
b80df10f845813 lishuo       2024-01-31   83
b80df10f845813 lishuo       2024-01-31   84  	sgt = kzalloc(sizeof(*sgt), GFP_KERNEL);
b80df10f845813 lishuo       2024-01-31   85  	if (!sgt) {
b80df10f845813 lishuo       2024-01-31   86  		DRM_DEBUG_KMS("malloc sgt fail\n");
b80df10f845813 lishuo       2024-01-31   87  		return ERR_PTR(-ENOMEM);
b80df10f845813 lishuo       2024-01-31   88  	}
b80df10f845813 lishuo       2024-01-31   89
8c04aa95ffa8ae Jiakun Shuai 2024-05-20   90  	if ((phytium_gem_obj->memory_type == MEMORY_TYPE_VRAM_WC) ||
8c04aa95ffa8ae Jiakun Shuai 2024-05-20   91  		(phytium_gem_obj->memory_type == MEMORY_TYPE_VRAM_DEVICE) ||
b80df10f845813 lishuo       2024-01-31   92  		(phytium_gem_obj->memory_type == MEMORY_TYPE_SYSTEM_CARVEOUT)) {
b80df10f845813 lishuo       2024-01-31   93  		ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
b80df10f845813 lishuo       2024-01-31   94  		if (ret) {
b80df10f845813 lishuo       2024-01-31   95  			DRM_ERROR("failed to allocate sg\n");
b80df10f845813 lishuo       2024-01-31   96  			goto sgt_free;
b80df10f845813 lishuo       2024-01-31   97  		}
e2cdf30a3e12bb XuYan        2025-04-09   98  		page = pfn_to_page(__phys_to_pfn(phytium_gem_obj->phys_addr));
b80df10f845813 lishuo       2024-01-31   99  		sg_set_page(sgt->sgl, page, PAGE_ALIGN(phytium_gem_obj->size), 0);
b80df10f845813 lishuo       2024-01-31  100  	} else if (phytium_gem_obj->memory_type == MEMORY_TYPE_SYSTEM_UNIFIED) {
b80df10f845813 lishuo       2024-01-31  101  		ret = dma_get_sgtable_attrs(dev->dev, sgt, phytium_gem_obj->vaddr,
b80df10f845813 lishuo       2024-01-31  102  				phytium_gem_obj->iova, phytium_gem_obj->size,
b80df10f845813 lishuo       2024-01-31  103  				DMA_ATTR_WRITE_COMBINE);
b80df10f845813 lishuo       2024-01-31  104  		if (ret) {
b80df10f845813 lishuo       2024-01-31  105  			DRM_ERROR("failed to allocate sgt, %d\n", ret);
b80df10f845813 lishuo       2024-01-31  106  			goto sgt_free;
b80df10f845813 lishuo       2024-01-31  107  		}
b80df10f845813 lishuo       2024-01-31  108  	}
b80df10f845813 lishuo       2024-01-31  109
b80df10f845813 lishuo       2024-01-31  110  	return sgt;
b80df10f845813 lishuo       2024-01-31  111  sgt_free:
b80df10f845813 lishuo       2024-01-31  112  	kfree(sgt);
b80df10f845813 lishuo       2024-01-31  113  	return ERR_PTR(ret);
b80df10f845813 lishuo       2024-01-31  114  }
b80df10f845813 lishuo       2024-01-31  115
b80df10f845813 lishuo       2024-01-31  116  struct drm_gem_object *
b80df10f845813 lishuo       2024-01-31  117  phytium_gem_prime_import_sg_table(struct drm_device *dev,
b80df10f845813 lishuo       2024-01-31  118  				struct dma_buf_attachment *attach,
b80df10f845813 lishuo       2024-01-31  119  				struct sg_table *sgt)
b80df10f845813 lishuo       2024-01-31  120  {
b80df10f845813 lishuo       2024-01-31  121  	struct phytium_gem_object *phytium_gem_obj = NULL;
b80df10f845813 lishuo       2024-01-31  122  	struct scatterlist *s;
b80df10f845813 lishuo       2024-01-31  123  	dma_addr_t expected;
b80df10f845813 lishuo       2024-01-31  124  	int ret, i;
b80df10f845813 lishuo       2024-01-31  125
b80df10f845813 lishuo       2024-01-31  126  	phytium_gem_obj = kzalloc(sizeof(*phytium_gem_obj), GFP_KERNEL);
b80df10f845813 lishuo       2024-01-31  127  	if (!phytium_gem_obj) {
b80df10f845813 lishuo       2024-01-31  128  		DRM_ERROR("failed to allocate phytium_gem_obj\n");
b80df10f845813 lishuo       2024-01-31  129  		ret = -ENOMEM;
b80df10f845813 lishuo       2024-01-31  130  		goto failed_malloc;
b80df10f845813 lishuo       2024-01-31  131  	}
b80df10f845813 lishuo       2024-01-31  132
b80df10f845813 lishuo       2024-01-31  133  	ret = drm_gem_object_init(dev, &phytium_gem_obj->base, attach->dmabuf->size);
b80df10f845813 lishuo       2024-01-31  134  	if (ret) {
b80df10f845813 lishuo       2024-01-31  135  		DRM_ERROR("failed to initialize drm gem object: %d\n", ret);
b80df10f845813 lishuo       2024-01-31  136  		goto failed_object_init;
b80df10f845813 lishuo       2024-01-31  137  	}
b80df10f845813 lishuo       2024-01-31  138
b80df10f845813 lishuo       2024-01-31  139  	expected = sg_dma_address(sgt->sgl);
b80df10f845813 lishuo       2024-01-31  140  	for_each_sg(sgt->sgl, s, sgt->nents, i) {
b80df10f845813 lishuo       2024-01-31  141  		if (sg_dma_address(s) != expected) {
b80df10f845813 lishuo       2024-01-31  142  			DRM_ERROR("sg_table is not contiguous");
b80df10f845813 lishuo       2024-01-31  143  			ret = -EINVAL;
b80df10f845813 lishuo       2024-01-31  144  			goto failed_check_continue;
b80df10f845813 lishuo       2024-01-31  145  		}
b80df10f845813 lishuo       2024-01-31  146  		expected = sg_dma_address(s) + sg_dma_len(s);
b80df10f845813 lishuo       2024-01-31  147  	}
b80df10f845813 lishuo       2024-01-31  148
b80df10f845813 lishuo       2024-01-31  149  	phytium_gem_obj->iova = sg_dma_address(sgt->sgl);
b80df10f845813 lishuo       2024-01-31  150  	phytium_gem_obj->sgt = sgt;
b80df10f845813 lishuo       2024-01-31  151
b80df10f845813 lishuo       2024-01-31  152  	return &phytium_gem_obj->base;
b80df10f845813 lishuo       2024-01-31  153  failed_check_continue:
b80df10f845813 lishuo       2024-01-31  154  	drm_gem_object_release(&phytium_gem_obj->base);
b80df10f845813 lishuo       2024-01-31  155  failed_object_init:
b80df10f845813 lishuo       2024-01-31  156  	kfree(phytium_gem_obj);
b80df10f845813 lishuo       2024-01-31  157  failed_malloc:
b80df10f845813 lishuo       2024-01-31  158  	return ERR_PTR(ret);
b80df10f845813 lishuo       2024-01-31  159  }
b80df10f845813 lishuo       2024-01-31  160
b80df10f845813 lishuo       2024-01-31  161  int phytium_gem_prime_vmap(struct drm_gem_object *obj, struct iosys_map *map)
b80df10f845813 lishuo       2024-01-31  162  {
b80df10f845813 lishuo       2024-01-31  163  	struct phytium_gem_object *phytium_obj = to_phytium_gem_obj(obj);
b80df10f845813 lishuo       2024-01-31  164
b80df10f845813 lishuo       2024-01-31  165  	iosys_map_set_vaddr(map, phytium_obj->vaddr);
b80df10f845813 lishuo       2024-01-31  166
b80df10f845813 lishuo       2024-01-31  167  	return 0;
b80df10f845813 lishuo       2024-01-31  168  }
b80df10f845813 lishuo       2024-01-31  169
b80df10f845813 lishuo       2024-01-31  170  void phytium_gem_prime_vunmap(struct drm_gem_object *obj, struct iosys_map *map)
b80df10f845813 lishuo       2024-01-31  171  {
e2cdf30a3e12bb XuYan        2025-04-09  172  }
b80df10f845813 lishuo       2024-01-31  173
e2cdf30a3e12bb XuYan        2025-04-09 @174  int phytium_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
e2cdf30a3e12bb XuYan        2025-04-09  175  {
e2cdf30a3e12bb XuYan        2025-04-09  176  	return phytium_gem_mmap_obj(obj, vma);
b80df10f845813 lishuo       2024-01-31  177  }
b80df10f845813 lishuo       2024-01-31  178

:::::: The code at line 174 was first introduced by commit
:::::: e2cdf30a3e12bb55e76d60e99c0abd7db2917b5c drm/phytium: Fix some Bugs in Phytium Display Engine

:::::: TO: XuYan <xuyan1481(a)phytium.com.cn>
:::::: CC: xuyan <xuyan1481(a)phytium.com.cn>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] samples/bpf: Fix print issue in dump_swaps()
by Gu Bowen 23 Sep '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICA1GK -------------------------------- BPF_SEQ_PRINTF does not support the %*s format for printing, leading to missing print information, fix it. Fixes: be60b1123f28 ("samples/bpf: Add iterator program for swaps") Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c b/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c index db42929bc7d8..f3138321b17e 100644 --- a/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c +++ b/samples/bpf/bpf_rvi/bpf_rvi_swaps.bpf.c @@ -126,8 +126,8 @@ s64 dump_swaps(struct bpf_iter__generic_single *ctx) /* Reference: swap_show(). Aligned with LXCFS. */ BPF_SEQ_PRINTF(m, "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"); if (swaptotal > 0) - BPF_SEQ_PRINTF(m, "none%*svirtual\t\t%llu\t%llu\t0\n", - 36, " ", swaptotal * kb_per_page, + BPF_SEQ_PRINTF(m, "none\t\t\t\tvirtual\t\t%llu\t\t%llu\t\t0\n", + swaptotal * kb_per_page, swapusage * kb_per_page); // in KB bpf_rcu_read_unlock(); -- 2.43.0
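
Review bot: In the replacement format string in dump_swaps() (@@ -126), "none" followed by four tabs ends at column 32 with 8-column tab stops, while the removed %*s with width 36 padded "none" out to column 40, which is where "Filename" plus four tabs places the "Type" header. A fifth tab after "none" would keep "virtual" under "Type". The change from one tab to two between the %llu fields also goes beyond the %*s removal described in the changelog and deserves a line there.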
[openeuler:OLK-6.6 2909/2909] arch/arm64/kvm/virtcca_cvm.c:992:5: sparse: sparse: symbol 'kvm_cvm_vgic_nr_lr' was not declared. Should it be static?
by kernel test robot 23 Sep '25

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   be758a5796c3d280deb877699c41fd0cd04e1deb
commit: 62c8d269e7acb9171be225e1f9ebd52c718a0cc0 [2909/2909] Reapply "VirtCCA: cvm support UEFI boot"
config: arm64-randconfig-r121-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231602.0wZbxID6-lkp@…)
compiler: clang version 16.0.6 (https://github.com/llvm/llvm-project 7cbf1a2591520c2491aa35339f227775f4d3adf6)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231602.0wZbxID6-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509231602.0wZbxID6-lkp@intel.com/

sparse warnings: (new ones prefixed by >>)
>> arch/arm64/kvm/virtcca_cvm.c:992:5: sparse: sparse: symbol 'kvm_cvm_vgic_nr_lr' was not declared. Should it be static?
   arch/arm64/kvm/virtcca_cvm.c:1311:5: sparse: sparse: symbol 'cvm_arm_smmu_domain_set_kvm' was not declared. Should it be static?

vim +/kvm_cvm_vgic_nr_lr +992 arch/arm64/kvm/virtcca_cvm.c

67e11ee6347c43 Jingxian He  2024-08-03  824
86b9cab8c4752e gongchangsui 2025-03-03 @825  u64 virtcca_get_tmi_version(void)
86b9cab8c4752e gongchangsui 2025-03-03  826  {
86b9cab8c4752e gongchangsui 2025-03-03  827  	u64 res = tmi_version();
86b9cab8c4752e gongchangsui 2025-03-03  828
86b9cab8c4752e gongchangsui 2025-03-03  829  	if (res == SMCCC_RET_NOT_SUPPORTED)
86b9cab8c4752e gongchangsui 2025-03-03  830  		return 0;
86b9cab8c4752e gongchangsui 2025-03-03  831  	return res;
86b9cab8c4752e gongchangsui 2025-03-03  832  }
86b9cab8c4752e gongchangsui 2025-03-03  833
67e11ee6347c43 Jingxian He  2024-08-03  834  static bool is_numa_ipa_range_valid(struct kvm_numa_info *numa_info)
67e11ee6347c43 Jingxian He  2024-08-03  835  {
67e11ee6347c43 Jingxian He  2024-08-03  836  	unsigned long i;
67e11ee6347c43 Jingxian He  2024-08-03  837  	struct kvm_numa_node *numa_node, *prev_numa_node;
67e11ee6347c43 Jingxian He  2024-08-03  838
67e11ee6347c43 Jingxian He  2024-08-03  839  	prev_numa_node = NULL;
67e11ee6347c43 Jingxian He  2024-08-03  840  	for (i = 0; i < numa_info->numa_cnt; i++) {
67e11ee6347c43 Jingxian He  2024-08-03  841  		numa_node = &numa_info->numa_nodes[i];
67e11ee6347c43 Jingxian He  2024-08-03  842  		if (numa_node->ipa_start + numa_node->ipa_size < numa_node->ipa_start)
67e11ee6347c43 Jingxian He  2024-08-03  843  			return false;
67e11ee6347c43 Jingxian He  2024-08-03  844  		if (prev_numa_node &&
67e11ee6347c43 Jingxian He  2024-08-03  845  			numa_node->ipa_start < prev_numa_node->ipa_start + prev_numa_node->ipa_size)
67e11ee6347c43 Jingxian He  2024-08-03  846  			return false;
67e11ee6347c43 Jingxian He  2024-08-03  847  		prev_numa_node = numa_node;
67e11ee6347c43 Jingxian He  2024-08-03  848  	}
67e11ee6347c43 Jingxian He  2024-08-03  849  	if (numa_node->ipa_start + numa_node->ipa_size > CVM_IPA_MAX_VAL)
67e11ee6347c43 Jingxian He  2024-08-03  850  		return false;
67e11ee6347c43 Jingxian He  2024-08-03  851  	return true;
67e11ee6347c43 Jingxian He  2024-08-03  852  }
67e11ee6347c43 Jingxian He  2024-08-03  853
67773feaf93305 gongchangsui 2025-03-04  854  static inline bool is_dtb_info_has_extend_data(u64 dtb_info)
67773feaf93305 gongchangsui 2025-03-04  855  {
67773feaf93305 gongchangsui 2025-03-04  856  	return dtb_info & 0x1;
67773feaf93305 gongchangsui 2025-03-04  857  }
67773feaf93305 gongchangsui 2025-03-04  858
67e11ee6347c43 Jingxian He  2024-08-03  859  int kvm_load_user_data(struct kvm *kvm, unsigned long arg)
67e11ee6347c43 Jingxian He  2024-08-03  860  {
67e11ee6347c43 Jingxian He  2024-08-03  861  	struct kvm_user_data user_data;
67e11ee6347c43 Jingxian He  2024-08-03  862  	void __user *argp = (void __user *)arg;
67e11ee6347c43 Jingxian He  2024-08-03  863  	struct virtcca_cvm *cvm = kvm->arch.virtcca_cvm;
67e11ee6347c43 Jingxian He  2024-08-03  864  	struct kvm_numa_info *numa_info;
67e11ee6347c43 Jingxian He  2024-08-03  865
befbde867291b5 He Jingxian  2025-04-07  866  	if (!kvm_is_realm(kvm))
67e11ee6347c43 Jingxian He  2024-08-03  867  		return -EFAULT;
67e11ee6347c43 Jingxian He  2024-08-03  868
67e11ee6347c43 Jingxian He  2024-08-03  869  	if (copy_from_user(&user_data, argp, sizeof(user_data)))
67e11ee6347c43 Jingxian He  2024-08-03  870  		return -EINVAL;
67e11ee6347c43 Jingxian He  2024-08-03  871
67e11ee6347c43 Jingxian He  2024-08-03  872  	numa_info = &user_data.numa_info;
67e11ee6347c43 Jingxian He  2024-08-03  873  	if (numa_info->numa_cnt > MAX_NUMA_NODE)
67e11ee6347c43 Jingxian He  2024-08-03  874  		return -EINVAL;
67e11ee6347c43 Jingxian He  2024-08-03  875
67e11ee6347c43 Jingxian He  2024-08-03  876  	if (numa_info->numa_cnt > 0) {
67e11ee6347c43 Jingxian He  2024-08-03  877  		unsigned long i, total_size = 0;
67e11ee6347c43 Jingxian He  2024-08-03  878  		struct kvm_numa_node *numa_node = &numa_info->numa_nodes[0];
67e11ee6347c43 Jingxian He  2024-08-03  879  		unsigned long ipa_end = numa_node->ipa_start + numa_node->ipa_size;
67e11ee6347c43 Jingxian He  2024-08-03  880
67e11ee6347c43 Jingxian He  2024-08-03  881  		if (!is_numa_ipa_range_valid(numa_info))
67e11ee6347c43 Jingxian He  2024-08-03  882  			return -EINVAL;
67773feaf93305 gongchangsui 2025-03-04  883
67773feaf93305 gongchangsui 2025-03-04  884  		if ((user_data.loader_start != numa_node->ipa_start) ||
67773feaf93305 gongchangsui 2025-03-04  885  			(user_data.data_start + user_data.data_size < user_data.data_start))
67e11ee6347c43 Jingxian He  2024-08-03  886  			return -EINVAL;
67773feaf93305 gongchangsui 2025-03-04  887
67773feaf93305 gongchangsui 2025-03-04  888  		if (is_dtb_info_has_extend_data(user_data.dtb_info)) {
67773feaf93305 gongchangsui 2025-03-04  889  			/* Direct boot, check DTB address is in IPA range */
67773feaf93305 gongchangsui 2025-03-04  890  			if (user_data.data_start + user_data.data_size > ipa_end)
67773feaf93305 gongchangsui 2025-03-04  891  				return -EINVAL;
67773feaf93305 gongchangsui 2025-03-04  892  		} else {
67773feaf93305 gongchangsui 2025-03-04  893  			/*
67773feaf93305 gongchangsui 2025-03-04  894  			 * UEFI boot, check MMIO address range is within the valid limit (less than
67773feaf93305 gongchangsui 2025-03-04  895  			 * loader_start)
67773feaf93305 gongchangsui 2025-03-04  896  			 */
67773feaf93305 gongchangsui 2025-03-04  897  			if (user_data.data_start + user_data.data_size > user_data.loader_start)
67773feaf93305 gongchangsui 2025-03-04  898  				return -EINVAL;
67773feaf93305 gongchangsui 2025-03-04  899  		}
67773feaf93305 gongchangsui 2025-03-04  900
67e11ee6347c43 Jingxian He  2024-08-03  901  		for (i = 0; i < numa_info->numa_cnt; i++)
67e11ee6347c43 Jingxian He  2024-08-03  902  			total_size += numa_info->numa_nodes[i].ipa_size;
67e11ee6347c43 Jingxian He  2024-08-03  903  		if (total_size != user_data.ram_size)
67e11ee6347c43 Jingxian He  2024-08-03  904  			return -EINVAL;
67e11ee6347c43 Jingxian He  2024-08-03  905  	}
67e11ee6347c43 Jingxian He  2024-08-03  906
67773feaf93305 gongchangsui 2025-03-04  907  	if (is_dtb_info_has_extend_data(user_data.dtb_info))
67773feaf93305 gongchangsui 2025-03-04  908  		cvm->dtb_end = user_data.data_start + user_data.data_size;
67773feaf93305 gongchangsui 2025-03-04  909  	else {
67773feaf93305 gongchangsui 2025-03-04  910  		cvm->dtb_end = user_data.loader_start + user_data.dtb_info;
67773feaf93305 gongchangsui 2025-03-04  911  		cvm->mmio_start = user_data.data_start;
67773feaf93305 gongchangsui 2025-03-04  912  		cvm->mmio_end = user_data.data_start + user_data.data_size;
67773feaf93305 gongchangsui 2025-03-04  913  	}
67e11ee6347c43 Jingxian He  2024-08-03  914
67e11ee6347c43 Jingxian He  2024-08-03  915  	cvm->loader_start = user_data.loader_start;
67e11ee6347c43 Jingxian He  2024-08-03  916  	cvm->ram_size = user_data.ram_size;
67e11ee6347c43 Jingxian He  2024-08-03  917  	memcpy(&cvm->numa_info, numa_info, sizeof(struct kvm_numa_info));
67e11ee6347c43 Jingxian He  2024-08-03  918
67e11ee6347c43 Jingxian He  2024-08-03  919  	return 0;
67e11ee6347c43 Jingxian He  2024-08-03  920  }
67e11ee6347c43 Jingxian He  2024-08-03  921
67e11ee6347c43 Jingxian He  2024-08-03  922  void kvm_cvm_vcpu_put(struct kvm_vcpu *vcpu)
67e11ee6347c43 Jingxian He  2024-08-03  923  {
67e11ee6347c43 Jingxian He  2024-08-03  924  	kvm_timer_vcpu_put(vcpu);
67e11ee6347c43 Jingxian He  2024-08-03  925  	kvm_vgic_put(vcpu);
67e11ee6347c43 Jingxian He  2024-08-03  926  	vcpu->cpu = -1;
67e11ee6347c43 Jingxian He  2024-08-03  927  }
67e11ee6347c43 Jingxian He  2024-08-03  928
67e11ee6347c43 Jingxian He  2024-08-03  929  unsigned long cvm_psci_vcpu_affinity_info(struct kvm_vcpu *vcpu,
67e11ee6347c43 Jingxian He  2024-08-03  930  	unsigned long target_affinity, unsigned long lowest_affinity_level)
67e11ee6347c43 Jingxian He  2024-08-03  931  {
67e11ee6347c43 Jingxian He  2024-08-03  932  	struct kvm_vcpu *target_vcpu;
67e11ee6347c43 Jingxian He  2024-08-03  933
67e11ee6347c43 Jingxian He  2024-08-03  934  	if (lowest_affinity_level != 0)
67e11ee6347c43 Jingxian He  2024-08-03  935  		return PSCI_RET_INVALID_PARAMS;
67e11ee6347c43 Jingxian He  2024-08-03  936
67e11ee6347c43 Jingxian He  2024-08-03  937  	target_vcpu = kvm_mpidr_to_vcpu(vcpu->kvm, target_affinity);
67e11ee6347c43 Jingxian He  2024-08-03  938  	if (!target_vcpu)
67e11ee6347c43 Jingxian He  2024-08-03  939  		return PSCI_RET_INVALID_PARAMS;
67e11ee6347c43 Jingxian He  2024-08-03  940
befbde867291b5 He Jingxian  2025-04-07  941  	cvm_psci_complete(vcpu, target_vcpu, PSCI_RET_SUCCESS);
67e11ee6347c43 Jingxian He  2024-08-03  942  	return PSCI_RET_SUCCESS;
67e11ee6347c43 Jingxian He  2024-08-03  943  }
67e11ee6347c43 Jingxian He  2024-08-03  944
67e11ee6347c43 Jingxian He  2024-08-03  945  int kvm_cvm_vcpu_set_events(struct kvm_vcpu *vcpu,
67e11ee6347c43 Jingxian He  2024-08-03  946  	bool serror_pending, bool ext_dabt_pending)
67e11ee6347c43 Jingxian He  2024-08-03  947  {
befbde867291b5 He Jingxian  2025-04-07  948  	struct tmi_tec_run *run = vcpu->arch.tec.run;
67e11ee6347c43 Jingxian He  2024-08-03  949  	if (serror_pending)
67e11ee6347c43 Jingxian He  2024-08-03  950  		return -EINVAL;
67e11ee6347c43 Jingxian He  2024-08-03  951
67e11ee6347c43 Jingxian He  2024-08-03  952  	if (ext_dabt_pending) {
befbde867291b5 He Jingxian  2025-04-07  953  		if (!(run->enter.flags & REC_ENTER_FLAG_EMULATED_MMIO))
67e11ee6347c43 Jingxian He  2024-08-03  954  			return -EINVAL;
befbde867291b5 He Jingxian  2025-04-07  955  		run->enter.flags &= ~REC_ENTER_FLAG_EMULATED_MMIO;
befbde867291b5 He Jingxian  2025-04-07  956  		run->enter.flags |= REC_ENTER_FLAG_INJECT_SEA;
67e11ee6347c43 Jingxian He  2024-08-03  957  	}
67e11ee6347c43 Jingxian He  2024-08-03  958  	return 0;
67e11ee6347c43 Jingxian He  2024-08-03  959  }
67e11ee6347c43 Jingxian He  2024-08-03  960
67e11ee6347c43 Jingxian He  2024-08-03  961  int kvm_init_cvm_vm(struct kvm *kvm)
67e11ee6347c43 Jingxian He  2024-08-03  962  {
67e11ee6347c43 Jingxian He  2024-08-03  963  	struct tmi_cvm_params *params;
67e11ee6347c43 Jingxian He  2024-08-03  964  	struct virtcca_cvm *cvm;
67e11ee6347c43 Jingxian He  2024-08-03  965
67e11ee6347c43 Jingxian He  2024-08-03  966  	if (kvm->arch.virtcca_cvm) {
67e11ee6347c43 Jingxian He  2024-08-03  967  		kvm_info("cvm already create.\n");
67e11ee6347c43 Jingxian He  2024-08-03  968  		return 0;
67e11ee6347c43 Jingxian He  2024-08-03  969  	}
67e11ee6347c43 Jingxian He  2024-08-03  970
67e11ee6347c43 Jingxian He  2024-08-03  971  	cvm = (struct virtcca_cvm *)kzalloc(sizeof(struct virtcca_cvm), GFP_KERNEL_ACCOUNT);
67e11ee6347c43 Jingxian He  2024-08-03  972  	if (!cvm)
67e11ee6347c43 Jingxian He  2024-08-03  973  		return -ENOMEM;
67e11ee6347c43 Jingxian He  2024-08-03  974
67e11ee6347c43 Jingxian He  2024-08-03  975  	kvm->arch.virtcca_cvm = cvm;
67e11ee6347c43 Jingxian He  2024-08-03  976  	params = kzalloc(PAGE_SIZE, GFP_KERNEL_ACCOUNT);
67e11ee6347c43 Jingxian He  2024-08-03  977  	if (!params) {
67e11ee6347c43 Jingxian He  2024-08-03  978  		kfree(kvm->arch.virtcca_cvm);
67e11ee6347c43 Jingxian He  2024-08-03  979  		kvm->arch.virtcca_cvm = NULL;
67e11ee6347c43 Jingxian He  2024-08-03  980  		return -ENOMEM;
67e11ee6347c43 Jingxian He  2024-08-03  981  	}
67e11ee6347c43 Jingxian He  2024-08-03  982
67e11ee6347c43 Jingxian He  2024-08-03  983  	cvm->params = params;
67e11ee6347c43 Jingxian He  2024-08-03  984  	WRITE_ONCE(cvm->state, CVM_STATE_NONE);
67e11ee6347c43 Jingxian He  2024-08-03  985
befbde867291b5 He Jingxian  2025-04-07  986  	kvm_enable_virtcca_cvm(kvm);
67e11ee6347c43 Jingxian He  2024-08-03  987  	return 0;
67e11ee6347c43 Jingxian He  2024-08-03  988  }
a8078c65197c6f yangxiangkai 2024-09-10  989
befbde867291b5 He Jingxian  2025-04-07  990  extern struct vgic_global kvm_vgic_global_state;
befbde867291b5 He Jingxian  2025-04-07  991
befbde867291b5 He Jingxian  2025-04-07 @992  u32 kvm_cvm_vgic_nr_lr(void)
befbde867291b5 He Jingxian  2025-04-07  993  {
befbde867291b5 He Jingxian  2025-04-07  994  	return kvm_vgic_global_state.nr_lr;
befbde867291b5 He Jingxian  2025-04-07  995  }
befbde867291b5 He Jingxian  2025-04-07  996

:::::: The code at line 992 was first introduced by commit
:::::: befbde867291b5bb068a97b17086ad20484b6068 VirtCCA: Adapt virtcca operations by cca_base.

:::::: TO: He Jingxian <hejingxian(a)huawei.com>
:::::: CC: Xu Raoqing <xuraoqing(a)huawei.com>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
by Yi Yang 23 Sep '25

From: Zhang Shurong <zhang_shurong(a)foxmail.com> stable inclusion from stable-v4.19.295 commit adcb73f8ce9aec48b1f85223f401c1574015d8d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY49I CVE: CVE-2023-53220 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ] In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong(a)foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c index 746926364535..6bcf30218e51 100644 --- a/drivers/media/usb/dvb-usb-v2/az6007.c +++ b/drivers/media/usb/dvb-usb-v2/az6007.c @@ -795,6 +795,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_WR; index = msgs[i].buf[0]; value = addr | (1 << 8); @@ -809,6 +813,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], if (az6007_xfer_debug) printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n", addr, msgs[i].len); + if (msgs[i].len < 1) { + ret = -EIO; + goto err; + } req = AZ6007_I2C_RD; index = msgs[i].buf[0]; value = addr; -- 2.25.1
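
Review bot: The msgs[i].len < 1 check added to the write branch (@@ -795) and again to the read branch (@@ -809) of az6007_i2c_xfer() is the same four lines pasted twice, and both copies report -EIO for what is a malformed zero-length message rather than an I/O failure. Since each branch reads msgs[i].buf[0] right after its check, a single length test ahead of the branches would cover both and any branch added later; -EINVAL or -EOPNOTSUPP would describe the rejection more precisely, unless -EIO is kept on purpose to stay identical to upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f.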
[openeuler:OLK-6.6 2910/2910] mm/swap.h:66:26: error: implicit declaration of function 'swp_offset'; did you mean 'pud_offset'?
by kernel test robot 23 Sep '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: be758a5796c3d280deb877699c41fd0cd04e1deb commit: 5a72d2e54e8ff7c7f9510de875cf201ad18f36c4 [2910/2910] mm/shmem, swap: fix softlockup with mTHP swapin config: x86_64-buildonly-randconfig-002-20250923 (https://download.01.org/0day-ci/archive/20250923/202509231547.ijXKrDIl-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250923/202509231547.ijXKrDIl-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202509231547.ijXKrDIl-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from mm/shmem.c:43: mm/swap.h: In function 'non_swapcache_batch': >> mm/swap.h:66:26: error: implicit declaration of function 'swp_offset'; did you mean 'pud_offset'? [-Wimplicit-function-declaration] 66 | pgoff_t offset = swp_offset(entry); | ^~~~~~~~~~ | pud_offset In file included from mm/shmem.c:68: include/linux/swapops.h: At top level: >> include/linux/swapops.h:107:23: error: conflicting types for 'swp_offset'; have 'long unsigned int(swp_entry_t)' 107 | static inline pgoff_t swp_offset(swp_entry_t entry) | ^~~~~~~~~~ mm/swap.h:66:26: note: previous implicit declaration of 'swp_offset' with type 'int()' 66 | pgoff_t offset = swp_offset(entry); | ^~~~~~~~~~ Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for ACPI_HOTPLUG_IGNORE_OSC Depends on [n]: ACPI [=y] && ACPI_HOTPLUG_CPU [=n] Selected by [y]: - X86 [=y] && ACPI [=y] && HOTPLUG_CPU [=y] vim +66 mm/swap.h 62 63 static inline int non_swapcache_batch(swp_entry_t entry, int max_nr) 64 { 65 struct swap_info_struct *si = swp_swap_info(entry); > 66 pgoff_t offset = swp_offset(entry); 67 int i; 68 69 /* 70 * While allocating a large folio and doing mTHP swapin, we need to 71 * 
ensure all entries are not cached, otherwise, the mTHP folio will 72 * be in conflict with the folio in swap cache. 73 */ 74 for (i = 0; i < max_nr; i++) { 75 if ((si->swap_map[offset + i] & SWAP_HAS_CACHE)) 76 return i; 77 } 78 79 return i; 80 } 81 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] tee: fix NULL pointer dereference in tee_shm_put
by Xiaomeng Zhang 23 Sep '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v6.6.105 commit add1ecc8f3ad8df22e3599c5c88d7907cc2a3079 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXVF CVE: CVE-2025-39865 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4a718a3a47e89805c3be9d46a84de1949a98d5d ] tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 
: ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 Fixes: dfd0743f1d9e ("tee: handle lookup of shm with reference count 0") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/tee/tee_shm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 673cf0359494..426b818f2dd7 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -489,9 +489,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); */ void tee_shm_put(struct tee_shm *shm) { - struct tee_device *teedev = shm->ctx->teedev; + struct tee_device *teedev; bool do_release = false; + if (!shm || !shm->ctx || !shm->ctx->teedev) + return; + + teedev = shm->ctx->teedev; mutex_lock(&teedev->mutex); if (refcount_dec_and_test(&shm->refcount)) { /* -- 2.34.1
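Review bot: the guard `if (!shm || !shm->ctx || !shm->ctx->teedev)` at the top of tee_shm_put() only rejects NULL pointers, but the panic log in the commit message faults at virtual address 0000000000100cca with x0 holding the same value, which is not a NULL-page address. Please confirm which of the three pointers was bad in the reported crash and that this test actually covers it, rather than only the case where reg_pair_to_ptr() returns NULL. Since the function now tolerates a NULL shm, the comment block that ends just above `void tee_shm_put(struct tee_shm *shm)` should say so, and checking the result of reg_pair_to_ptr() in __optee_disable_shm_cache() would keep the bad value from being passed to tee_shm_free() in the first place.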
[PATCH openEuler-1.0-LTS] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
by Cai Xinchen 23 Sep '25

From: Alexander Coffin <alex.coffin(a)matician.com> stable inclusion from stable-v4.19.262 commit d79f4d903e14dde822c60b5fd3bedc5a289d25df category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYQPC CVE: CVE-2022-50408 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ] > ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); may be schedule, and then complete before the line > ndev->stats.tx_bytes += skb->len; [ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dump_backtrace+0x0/0x2b8 [ 46.960719] show_stack+0x24/0x30 [ 46.964052] dump_stack+0x128/0x194 [ 46.967557] print_address_description.isra.0+0x64/0x380 [ 46.972877] __kasan_report+0x1d4/0x240 [ 46.976723] kasan_report+0xc/0x18 [ 46.980138] __asan_report_load4_noabort+0x18/0x20 [ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 [ 46.994894] sch_direct_xmit+0x198/0xd08 [ 46.998827] __qdisc_run+0x37c/0x1dc0 [ 47.002500] __dev_queue_xmit+0x1528/0x21f8 [ 47.006692] dev_queue_xmit+0x24/0x30 [ 47.010366] neigh_resolve_output+0x37c/0x678 [ 47.014734] ip_finish_output2+0x598/0x2458 [ 47.018927] __ip_finish_output+0x300/0x730 [ 47.023118] ip_output+0x2e0/0x430 [ 47.026530] ip_local_out+0x90/0x140 [ 47.030117] igmpv3_sendpack+0x14c/0x228 [ 47.034049] igmpv3_send_cr+0x384/0x6b8 [ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 [ 47.042262] call_timer_fn+0x1cc/0xbe8 [ 47.046021] __run_timers+0x4d8/0xb28 [ 47.049693] run_timer_softirq+0x24/0x40 [ 
47.053626] __do_softirq+0x2c0/0x117c [ 47.057387] irq_exit+0x2dc/0x388 [ 47.060715] __handle_domain_irq+0xb4/0x158 [ 47.064908] gic_handle_irq+0x58/0xb0 [ 47.068581] el0_irq_naked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] save_stack+0x24/0xb0 [ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasan_slab_alloc+0x14/0x20 [ 47.088622] kmem_cache_alloc+0x15c/0x468 [ 47.092643] __alloc_skb+0xa4/0x498 [ 47.096142] igmpv3_newpack+0x158/0xd78 [ 47.099987] add_grhead+0x210/0x288 [ 47.103485] add_grec+0x6b0/0xb70 [ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 [ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 [ 47.115027] call_timer_fn+0x1cc/0xbe8 [ 47.118785] __run_timers+0x4d8/0xb28 [ 47.122457] run_timer_softirq+0x24/0x40 [ 47.126389] __do_softirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] save_stack+0x24/0xb0 [ 47.138041] __kasan_slab_free+0x108/0x180 [ 47.142146] kasan_slab_free+0x10/0x18 [ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 [ 47.150444] kmem_cache_free+0x8c/0x528 [ 47.154292] kfree_skbmem+0x94/0x108 [ 47.157880] consume_skb+0x10c/0x5a8 [ 47.161466] __dev_kfree_skb_any+0x88/0xa0 [ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] [ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] [ 47.197859] process_one_work+0x7fc/0x1a80 [ 47.201965] worker_thread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] ret_from_fork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuff_head_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] 
page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 [ 47.255007] flags: 0x10200(slab|head) [ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 [ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 [ 47.274180] page dumped because: kasan: bad access detected [ 47.279752] [ 47.281251] Memory state around the buggy address: [ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.307723] ^ [ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 47.328789] ================================================================== Signed-off-by: Alexander Coffin <alex.coffin(a)matician.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c index 584e05fdca6a..5de20e5d67b6 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c @@ -270,6 +270,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, struct brcmf_pub *drvr = ifp->drvr; struct ethhdr *eh; int head_delta; + unsigned int tx_bytes = skb->len; brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); 
@@ -341,7 +342,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, ndev->stats.tx_dropped++; } else { ndev->stats.tx_packets++; - ndev->stats.tx_bytes += skb->len; + ndev->stats.tx_bytes += tx_bytes; } /* Return ok: we always eat the packet */ -- 2.34.1
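Review bot: `unsigned int tx_bytes = skb->len;` is captured in the declarations at the top of brcmf_netdev_start_xmit(), roughly seventy lines before the accounting in the second hunk, so anything in between that changes the length or replaces the skb (the function keeps a `head_delta` for that region) would leave the counter holding the pre-processing value. Taking the snapshot immediately before the brcmf_proto_tx_queue_data() call named in the commit message would keep the statistic equal to what is actually queued and make the lifetime rule obvious at the point where ownership is handed over. It is also worth checking that nothing else after that call, including the `ndev->stats.tx_dropped++` path, dereferences skb.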
[PATCH OLK-5.10] tee: fix NULL pointer dereference in tee_shm_put
by Xiaomeng Zhang 23 Sep '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v5.10.243 commit f266188603c34e6e234fb0dfc3185f0ba98d71b7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYXVF CVE: CVE-2025-39865 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e4a718a3a47e89805c3be9d46a84de1949a98d5d ] tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000 [0000000000100cca] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ---- 6.6.0-39-generic #38 Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07 Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0 10/26/2022 pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tee_shm_put+0x24/0x188 lr : tee_shm_free+0x14/0x28 sp : ffff001f98f9faf0 x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000 x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048 x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88 x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003 x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101 x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c x8 
: ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca Call trace: tee_shm_put+0x24/0x188 tee_shm_free+0x14/0x28 __optee_disable_shm_cache+0xa8/0x108 optee_shutdown+0x28/0x38 platform_shutdown+0x28/0x40 device_shutdown+0x144/0x2b0 kernel_power_off+0x3c/0x80 hibernate+0x35c/0x388 state_store+0x64/0x80 kobj_attr_store+0x14/0x28 sysfs_kf_write+0x48/0x60 kernfs_fop_write_iter+0x128/0x1c0 vfs_write+0x270/0x370 ksys_write+0x6c/0x100 __arm64_sys_write+0x20/0x30 invoke_syscall+0x4c/0x120 el0_svc_common.constprop.0+0x44/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x24/0x88 el0t_64_sync_handler+0x134/0x150 el0t_64_sync+0x14c/0x15 Fixes: dfd0743f1d9e ("tee: handle lookup of shm with reference count 0") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Reviewed-by: Sumit Garg <sumit.garg(a)oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/tee/tee_shm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/tee/tee_shm.c b/drivers/tee/tee_shm.c index 6fb4400333fb..6d2db6cc247b 100644 --- a/drivers/tee/tee_shm.c +++ b/drivers/tee/tee_shm.c @@ -438,9 +438,13 @@ EXPORT_SYMBOL_GPL(tee_shm_get_from_id); */ void tee_shm_put(struct tee_shm *shm) { - struct tee_device *teedev = shm->ctx->teedev; + struct tee_device *teedev; bool do_release = false; + if (!shm || !shm->ctx || !shm->ctx->teedev) + return; + + teedev = shm->ctx->teedev; mutex_lock(&teedev->mutex); if (refcount_dec_and_test(&shm->refcount)) { /* -- 2.34.1
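Review bot: the early `return` added before `mutex_lock(&teedev->mutex)` also skips `refcount_dec_and_test(&shm->refcount)` when shm itself is valid but shm->ctx or shm->ctx->teedev is NULL, so in that case the reference is never dropped and the object is silently leaked. Splitting the test so that only `!shm` returns quietly and the other two conditions go through WARN_ON_ONCE() would keep the crash fix while leaving a trace of the inconsistent state. For this backport, note that the panic log quoted in the commit message comes from a 6.6.0-39-generic kernel; please confirm that the commit named in the Fixes: tag, dfd0743f1d9e, is present in OLK-5.10 and that the __optee_disable_shm_cache() to tee_shm_free() path exists there in the same form.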