Kernel

kernel@openeuler.org

  • 33 participants
  • 23835 discussions
[PATCH OLK-5.10] xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
by superdcc97@163.com 04 Jun '26

From: Michal Kosiorek <mkosiorek121(a)gmail.com>

mainline inclusion
from mainline-v7.1-rc3
commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15365
CVE: CVE-2026-46116

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being:

  BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline]
  BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline]
  BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c
  Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435
  Workqueue: netns cleanup_net
  Call Trace:
    __hlist_del / hlist_del_rcu
    __xfrm_state_delete
    xfrm_state_delete
    xfrm_state_flush
    xfrm_state_fini
    ops_exit_list
    cleanup_net

The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains.

__xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates:

  if (x->km.seq)
    hlist_del_rcu(&x->byseq);
  if (x->id.spi)
    hlist_del_rcu(&x->byspi);

while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list.

The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev.

The defensive change here:

- Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc().
- Test hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields.

Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash.

Reproduction:
- Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV
- syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db
- 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal
- 9 unique signatures collected in ~9h, all within xfrm_state lifecycle

Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.")
Reported-by: Michal Kosiorek <mkosiorek121(a)gmail.com>
Tested-by: Michal Kosiorek <mkosiorek121(a)gmail.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Michal Kosiorek <mkosiorek121(a)gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Conflicts: net/xfrm/xfrm_state.c [The OLK-5.10 target lacks commit 3f01d9df5408 ("xfrm: insert a new per-socket policy to the per-socket list after the link is established") which introduced state_cache/state_cache_input unhashing in __xfrm_state_delete(). OLK-5.10 also lacks commit fe9f1d8779cb ("xfrm: add state hashtable keyed by seq") which introduced byseq hash and its unhashing. OLK-5.10 also lacks xfrm_nat_keepalive_state_updated() call. Adapted to only apply the defensive unhashing changes to bydst, bysrc, and byspi lists which are present in OLK-5.10.] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/xfrm/xfrm_state.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index e3e96606976b..35d26e410738 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -672,10 +672,10 @@ int __xfrm_state_delete(struct xfrm_state *x) x->km.state = XFRM_STATE_DEAD; spin_lock(&net->xfrm.xfrm_state_lock); list_del(&x->km.all); - hlist_del_rcu(&x->bydst); - hlist_del_rcu(&x->bysrc); - if (x->id.spi) - hlist_del_rcu(&x->byspi); + hlist_del_init_rcu(&x->bydst); + hlist_del_init_rcu(&x->bysrc); + if (!hlist_unhashed(&x->byspi)) + hlist_del_init_rcu(&x->byspi); net->xfrm.state_num--; spin_unlock(&net->xfrm.xfrm_state_lock); -- 2.43.0
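Review bot: the `if (!hlist_unhashed(&x->byspi))` guard around `hlist_del_init_rcu(&x->byspi)` is redundant, since hlist_del_init_rcu() already returns without touching an unhashed node; keeping it to mirror mainline is fine, but a one-line comment would stop the next reader from wondering why byspi is tested and bydst/bysrc are not. The more important caveat for the changelog: the hunk turns a second __xfrm_state_delete() on a still-allocated object into a no-op, but the KASAN report quoted above is a write into already freed slab memory, and hlist_unhashed() reads x->byspi.pprev from that same object, so a delete issued after the state has been freed still trips KASAN (as a read rather than a write). The patch narrows the window; whatever drops the last reference early remains the root cause to track in the bugzilla.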
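A user-space model of the two unhash styles the changelog contrasts, added here as an example and not taken from the patch or the kernel: the hlist primitives, the poison value and the cut-down `xfrm_state_model` struct are reimplemented (the real LIST_POISON2 differs), and a write through a NULL or poisoned pprev is counted instead of faulting, since that is what the KASAN "Write of size 8" report corresponds to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Assumed poison value for this model; the kernel's LIST_POISON2 differs. */
#define LIST_POISON2 ((struct hlist_node **)0x122UL)

/* Counts writes through a NULL or poisoned pprev instead of faulting; in the
 * kernel the poisoned case is the KASAN "Write of size 8" report and the
 * NULL case would be a NULL-pointer oops. */
static int invalid_writes;

static int hlist_unhashed(const struct hlist_node *h) { return !h->pprev; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

static void __hlist_del(struct hlist_node *n)
{
    if (n->pprev == NULL || n->pprev == LIST_POISON2) {
        invalid_writes++;
        return;
    }
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
}

/* hlist_del_rcu(): unlinks and poisons pprev, so a second call writes through poison. */
static void hlist_del_rcu(struct hlist_node *n)
{
    __hlist_del(n);
    n->pprev = LIST_POISON2;
}

/* hlist_del_init_rcu(): a no-op once the node is unhashed, so a second call is harmless. */
static void hlist_del_init_rcu(struct hlist_node *n)
{
    if (!hlist_unhashed(n)) {
        __hlist_del(n);
        n->pprev = NULL;
    }
}

/* Only the two fields of struct xfrm_state that the byspi unhash looks at. */
struct xfrm_state_model {
    uint32_t spi;              /* x->id.spi */
    struct hlist_node byspi;
};

/* Before the patch: value predicate plus poisoning delete. Returns invalid writes made. */
static int unhash_byspi_before(struct xfrm_state_model *x)
{
    int start = invalid_writes;

    if (x->spi)
        hlist_del_rcu(&x->byspi);
    return invalid_writes - start;
}

/* After the patch: list-state predicate plus re-initialising delete. */
static int unhash_byspi_after(struct xfrm_state_model *x)
{
    int start = invalid_writes;

    if (!hlist_unhashed(&x->byspi))
        hlist_del_init_rcu(&x->byspi);
    return invalid_writes - start;
}

/* Scenario 1 from the changelog: __xfrm_state_delete() runs twice on one state.
 * Returns the invalid writes caused by the second unhash. */
static int second_delete_writes(int (*unhash)(struct xfrm_state_model *))
{
    struct hlist_head byspi_head = { NULL };
    struct xfrm_state_model x = { .spi = 0x1000 };   /* constructed sample SA */

    hlist_add_head(&x.byspi, &byspi_head);
    unhash(&x);           /* legitimate first unhash */
    return unhash(&x);    /* the double delete */
}

/* Scenario 2: spi already assigned (as xfrm_alloc_spi() does) but the node was
 * never inserted into byspi, so the value predicate and the list disagree. */
static int spi_set_unhashed_writes(int (*unhash)(struct xfrm_state_model *))
{
    struct xfrm_state_model x = { .spi = 0x2000 };   /* pprev NULL: never hashed */

    return unhash(&x);
}

int main(void)
{
    printf("double delete: before=%d after=%d invalid writes\n",
           second_delete_writes(unhash_byspi_before), second_delete_writes(unhash_byspi_after));
    printf("spi set, unhashed: before=%d after=%d invalid writes\n",
           spi_set_unhashed_writes(unhash_byspi_before), spi_set_unhashed_writes(unhash_byspi_after));
    return 0;
}
```

The model makes the distinction concrete: with the old code both the double delete and the "spi assigned but never hashed" state produce one invalid write each, while the list-state variant produces none. It says nothing about the freed-object case, where even reading pprev is a use-after-free.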
[PATCH OLK-6.6 0/4] backport cpufreq patches from linux mainline.
by Lifeng Zheng 04 Jun '26

From: Hongye Lin <linhongye(a)h-partners.com>

driver inclusion
category: bugfix
bugzilla: https://atomgit.com/openeuler/kernel/issues/9163

----------------------------------------------------------------------

Lifeng Zheng (1):
  cpufreq: conservative: Simplify frequency limit handling

Pengjie Zhang (1):
  arm64: smp: Do not mark secondary CPUs possible under nosmp

Viresh Kumar (2):
  cpufreq: Fix typo in comment
  cpufreq: Avoid redundant target() calls for unchanged limits

 arch/arm64/kernel/smp.c                | 14 ++++++---
 drivers/cpufreq/cpufreq.c              | 31 +++++++++++++------
 drivers/cpufreq/cpufreq_conservative.c | 12 +------
 include/linux/cpufreq.h                |  5 ++-
 4 files changed, 37 insertions(+), 25 deletions(-)

-- 
2.33.0
[PATCH OLK-5.10] RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
by Chen Jinghuang 04 Jun '26

From: Jason Gunthorpe <jgg(a)nvidia.com> stable inclusion from stable-v5.10.258 commit 53fd4c03558672ccb167754fbacbf045c7ab335c category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15428 CVE: CVE-2026-46178 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c54c7e4cb679c0aaa1cb489b9c3f2cd98e63a44c upstream. Sashiko points out that mlx4_srq_alloc() was not undone during error unwind, add the missing call to mlx4_srq_free(). Cc: stable(a)vger.kernel.org Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Link: https://sashiko.dev/#/patchset/0-v1-e911b76a94d1%2B65d95-rdma_udata_rep_jgg… Link: https://patch.msgid.link/r/11-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia… Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- drivers/infiniband/hw/mlx4/srq.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/srq.c b/drivers/infiniband/hw/mlx4/srq.c index bf618529e734..dd509ed35d95 100644 --- a/drivers/infiniband/hw/mlx4/srq.c +++ b/drivers/infiniband/hw/mlx4/srq.c @@ -189,13 +189,15 @@ int mlx4_ib_create_srq(struct ib_srq *ib_srq, if (udata) if (ib_copy_to_udata(udata, &srq->msrq.srqn, sizeof (__u32))) { err = -EFAULT; - goto err_wrid; + goto err_srq; } init_attr->attr.max_wr = srq->msrq.max - 1; return 0; +err_srq: + mlx4_srq_free(dev->dev, &srq->msrq); err_wrid: if (udata) mlx4_ib_db_unmap_user(ucontext, &srq->db); -- 2.34.1
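Review bot: the new err_srq label falls through into err_wrid, so the unwind order (mlx4_srq_free(), then the db unmap, then whatever err_wrid continues with) is the reverse of the allocation order, which is what we want. The one thing to confirm before merging is that no other `goto err_wrid` remains after the mlx4_srq_alloc() call outside the visible context; any such path keeps the leak the patch is closing. Also worth a comment next to the label that err_srq is only valid once mlx4_srq_alloc() has succeeded, so a future early-exit does not jump to it prematurely.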
[PATCH openEuler-1.0-LTS 0/3] *** revert CVE-2026-31527 ***
by Lin Ruifeng 04 Jun '26

*** revert CVE-2026-31527 ***

Lin Ruifeng (3):
  Revert "driver/core: Fix kabi broken of platform_device/device/bus_type"
  Revert "driver core: platform: use generic driver_override infrastructure"
  Revert "driver core: generalize driver_override in struct device"

 drivers/base/bus.c              | 49 +--------------------
 drivers/base/core.c             |  3 --
 drivers/base/dd.c               | 61 ---------------------------
 drivers/base/platform.c         | 57 ++++++++++++++++++++++---
 drivers/slimbus/qcom-ngd-ctrl.c | 12 +-----
 include/linux/device.h          | 75 ---------------------------------
 include/linux/platform_device.h |  7 +--
 7 files changed, 55 insertions(+), 209 deletions(-)

-- 
2.43.0
[PATCH OLK-5.10] drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
by Hongtao Zhang 04 Jun '26

From: Ashutosh Desai <ashutoshdesai993(a)gmail.com>

stable inclusion
from stable-v6.6.140
commit 6b992591e04f2cce813bcf239b354f375bbf84d3
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15462
CVE: CVE-2026-46209

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream.

drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division:

  unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
  unsigned int height = mode_cmd->height / (i ? info->vsub : 1);

However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations.

For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds.

Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check().

Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
Cc: stable(a)vger.kernel.org # v4.14+
Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de>
Signed-off-by: Ashutosh Desai <ashutoshdesai993(a)gmail.com>
Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de>
Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/gpu/drm/drm_gem_framebuffer_helper.c [Not merge bf39607c1614 and f2b816d78a94] Signed-off-by: Zhang Hongtao <zhanghongtao35(a)huawei.com> --- drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_framebuffer_helper.c b/drivers/gpu/drm/drm_gem_framebuffer_helper.c index 109d11fb4cd4..1253e7815d9b 100644 --- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c +++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c @@ -159,8 +159,8 @@ int drm_gem_fb_init_with_funcs(struct drm_device *dev, return -EINVAL; for (i = 0; i < info->num_planes; i++) { - unsigned int width = mode_cmd->width / (i ? info->hsub : 1); - unsigned int height = mode_cmd->height / (i ? info->vsub : 1); + unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i); + unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i); unsigned int min_size; objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]); -- 2.43.0
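Review bot: the replacement is correct, but it carries a user-visible tightening that the backport note should state: rounding up also raises min_size for odd dimensions (a 3-pixel-tall NV12 buffer now needs 2 chroma rows rather than 1), so a GEM object that previously passed this helper can now fail with -EINVAL. That is the intended outcome, since framebuffer_check() already applies the same rounding, but it deserves a sentence for anyone bisecting a regression report. The two `+` lines also run past 80 columns; wrapping the helper arguments onto a continuation line keeps checkpatch quiet.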
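A user-space model of the plane-size guard described above, added as an example rather than taken from the DRM code: it reimplements the `(height - 1) * pitch + min_pitch + offset` computation in 32-bit unsigned arithmetic (the kernel's `unsigned int`), once with the truncating division the patch removes and once with the DIV_ROUND_UP helpers it introduces. The NV12 parameters are the real format's; the 64x1 framebuffer, pitch and plane offset are constructed sample input, and `min_pitch` is taken as `width * cpp`, which is what the helper computes for a non-block format.

```c
#include <stdint.h>
#include <stdio.h>

/* Subset of struct drm_format_info that the size check uses. NV12: 2 planes,
 * 2x2 chroma subsampling, 1 byte per luma pixel and 2 per chroma sample. */
struct format_info {
    unsigned int num_planes, hsub, vsub;
    unsigned char cpp[2];
};
static const struct format_info nv12 = { 2, 2, 2, { 1, 2 } };

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Same arithmetic as the drm_format_info_plane_width/height() helpers the
 * patch switches to: plane 0 is full size, other planes round up. */
static uint32_t plane_width(const struct format_info *info, uint32_t w, int plane)
{
    return plane ? DIV_ROUND_UP(w, info->hsub) : w;
}

static uint32_t plane_height(const struct format_info *info, uint32_t h, int plane)
{
    return plane ? DIV_ROUND_UP(h, info->vsub) : h;
}

/* Minimum GEM object size for one plane as drm_gem_fb_init_with_funcs()
 * computes it, in 32-bit unsigned arithmetic. fixed == 0 uses the truncating
 * division the patch removes, fixed == 1 the rounding helpers. */
static uint32_t plane_min_size(int fixed, const struct format_info *info,
                               uint32_t fb_w, uint32_t fb_h,
                               uint32_t pitch, uint32_t offset, int plane)
{
    uint32_t w, h;

    if (fixed) {
        w = plane_width(info, fb_w, plane);
        h = plane_height(info, fb_h, plane);
    } else {
        w = fb_w / (plane ? info->hsub : 1);
        h = fb_h / (plane ? info->vsub : 1);
    }
    /* h == 0 makes (h - 1) wrap to 0xffffffff here, and the sum wraps again */
    return (h - 1) * pitch + w * info->cpp[plane] + offset;
}

/* The guard itself: non-zero if a GEM object of obj_size bytes passes the
 * check for the given plane (the kernel rejects obj->size < min_size). */
static int plane_size_ok(int fixed, const struct format_info *info,
                         uint32_t fb_w, uint32_t fb_h,
                         uint32_t pitch, uint32_t offset, int plane, uint64_t obj_size)
{
    return obj_size >= plane_min_size(fixed, info, fb_w, fb_h, pitch, offset, plane);
}

int main(void)
{
    /* Constructed sample: 64x1 NV12, pitch 64 on both planes, chroma plane
     * placed right after the single 64-byte luma row, so a correct buffer
     * needs 128 bytes in total. */
    const uint32_t w = 64, h = 1, pitch = 64, chroma_off = 64;

    printf("chroma min_size before fix: %u\n",
           plane_min_size(0, &nv12, w, h, pitch, chroma_off, 1));
    printf("chroma min_size after fix:  %u\n",
           plane_min_size(1, &nv12, w, h, pitch, chroma_off, 1));
    printf("64-byte object accepted: before=%d after=%d\n",
           plane_size_ok(0, &nv12, w, h, pitch, chroma_off, 1, 64),
           plane_size_ok(1, &nv12, w, h, pitch, chroma_off, 1, 64));
    return 0;
}
```

With the truncating division the chroma plane's min_size collapses to 64 (the wrap lands exactly on the plane offset), so a 64-byte object is accepted even though the chroma plane starts at byte 64; with the rounding helpers it is 128 and the undersized object is rejected.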
[PATCH OLK-5.10] ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
by superdcc97@163.com 04 Jun '26

From: Yilin Zhu <zylzyl2333(a)gmail.com> mainline inclusion from mainline-v7.1-rc3 commit bc0fcb9823cd0894934cf968b525c575833d7078 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15406 CVE: CVE-2026-46172 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path. Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP") Cc: stable(a)kernel.org Reported-by: Yifan Wu <yifanwucs(a)gmail.com> Reported-by: Juefei Pu <tomapufckgml(a)gmail.com> Co-developed-by: Yuan Tan <yuantan098(a)gmail.com> Signed-off-by: Yuan Tan <yuantan098(a)gmail.com> Suggested-by: Xin Liu <bird(a)lzu.edu.cn> Tested-by: Ruide Cao <caoruide123(a)gmail.com> Signed-off-by: Yilin Zhu <zylzyl2333(a)gmail.com> Signed-off-by: Ren Wei <n05ec(a)lzu.edu.cn> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv6/xfrm6_protocol.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv6/xfrm6_protocol.c b/net/ipv6/xfrm6_protocol.c index ea2f805d3b01..9b586fcec485 100644 --- a/net/ipv6/xfrm6_protocol.c +++ b/net/ipv6/xfrm6_protocol.c @@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi, dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6, skb, flags); - if (dst->error) + if (dst->error) { + dst_release(dst); goto drop; + } skb_dst_set(skb, dst); } -- 2.43.0
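Review bot: dst_release() before the jump is the right fix, and because the success path still does `skb_dst_set(skb, dst)`, there is no double release on that side. What the hunk continues to rely on is ip6_route_input_lookup() never returning NULL: `dst->error` is dereferenced unconditionally, as it was before, and the drop label frees only the skb. If this tree's lookup can hand back NULL for any input, the condition needs an `!dst ||` guard; if it cannot, a short comment saying the lookup always returns a referenced dst (null entry included) spares the next reader the same question.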
[PATCH OLK-5.10] xfrm: ah: account for ESN high bits in async callbacks
by superdcc97@163.com 04 Jun '26

From: Michael Bommarito <michael.bommarito(a)gmail.com>

mainline inclusion
from mainline-v7.1-rc3
commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15434
CVE: CVE-2026-46193

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent. With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths.

In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift:

  ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24
  ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36

Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot.

Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine.
Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part") Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part") Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part") Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part") Cc: stable(a)vger.kernel.org Assisted-by: Codex:gpt-5-4 Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito <michael.bommarito(a)gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Conflicts: net/ipv4/ah4.c net/ipv6/ah6.c [commit ec54093e6a8f and e77f5dd70138 changed function signatures and ah_tmp_icv() parameter count that differ between mainline and OLK-5.10. Adapted to preserve OLK-5.10's struct crypto_async_request *base parameter and 3-arg ah_tmp_icv().] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv4/ah4.c | 14 ++++++++++++-- net/ipv6/ah6.c | 16 +++++++++++++--- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index 36ed85bf2ad5..819e9f5ab3bc 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -127,9 +127,14 @@ static void ah_output_done(struct crypto_async_request *base, int err) struct iphdr *top_iph = ip_hdr(skb); struct ip_auth_hdr *ah = ip_auth_hdr(skb); int ihl = ip_hdrlen(skb); + int seqhi_len = 0; + __be32 *seqhi; + if (x->props.flags & XFRM_STATE_ESN) + seqhi_len = sizeof(*seqhi); iph = AH_SKB_CB(skb)->tmp; - icv = ah_tmp_icv(ahp->ahash, iph, ihl); + seqhi = (__be32 *)((char *)iph + ihl); + icv = ah_tmp_icv(ahp->ahash, seqhi, seqhi_len); memcpy(ah->auth_data, icv, ahp->icv_trunc_len); top_iph->tos = iph->tos; 
@@ -273,12 +278,17 @@ static void ah_input_done(struct crypto_async_request *base, int err) struct ip_auth_hdr *ah = ip_auth_hdr(skb); int ihl = ip_hdrlen(skb); int ah_hlen = (ah->hdrlen + 2) << 2; + int seqhi_len = 0; + __be32 *seqhi; if (err) goto out; + if (x->props.flags & XFRM_STATE_ESN) + seqhi_len = sizeof(*seqhi); work_iph = AH_SKB_CB(skb)->tmp; - auth_data = ah_tmp_auth(work_iph, ihl); + seqhi = (__be32 *)((char *)work_iph + ihl); + auth_data = ah_tmp_auth(seqhi, seqhi_len); icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len); err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 080ee7f44c64..28cb2015ef08 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -295,14 +295,19 @@ static void ah6_output_done(struct crypto_async_request *base, int err) struct ipv6hdr *top_iph = ipv6_hdr(skb); struct ip_auth_hdr *ah = ip_auth_hdr(skb); struct tmp_ext *iph_ext; + int seqhi_len = 0; + __be32 *seqhi; extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr); if (extlen) extlen += sizeof(*iph_ext); + if (x->props.flags & XFRM_STATE_ESN) + seqhi_len = sizeof(*seqhi); iph_base = AH_SKB_CB(skb)->tmp; iph_ext = ah_tmp_ext(iph_base); - icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen); + seqhi = (__be32 *)((char *)iph_ext + extlen); + icv = ah_tmp_icv(ahp->ahash, seqhi, seqhi_len); memcpy(ah->auth_data, icv, ahp->icv_trunc_len); memcpy(top_iph, iph_base, IPV6HDR_BASELEN); 
@@ -465,13 +470,18 @@ static void ah6_input_done(struct crypto_async_request *base, int err) struct ip_auth_hdr *ah = ip_auth_hdr(skb); int hdr_len = skb_network_header_len(skb); int ah_hlen = ipv6_authlen(ah); + int seqhi_len = 0; + __be32 *seqhi; if (err) goto out; + if (x->props.flags & XFRM_STATE_ESN) + seqhi_len = sizeof(*seqhi); work_iph = AH_SKB_CB(skb)->tmp; - auth_data = ah_tmp_auth(work_iph, hdr_len); - icv = ah_tmp_icv(ahp->ahash, auth_data, ahp->icv_trunc_len); + auth_data = ah_tmp_auth((u8 *)work_iph, hdr_len); + seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len); + icv = ah_tmp_icv(ahp->ahash, seqhi, seqhi_len); err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; if (err) -- 2.43.0
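Review bot: ah_output_done(), ah_input_done(), ah6_output_done() and ah6_input_done() now each repeat the same three lines (`int seqhi_len = 0; __be32 *seqhi;` and `if (x->props.flags & XFRM_STATE_ESN) seqhi_len = sizeof(*seqhi);`), which is exactly how the setup and completion paths drifted apart in the first place. A small static helper per file, shared by the setup and done paths, would make the layout single-sourced; that is within scope here, since the conflict note already adapts the ah_tmp_icv() arity for OLK-5.10.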
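Review bot: in the ah6_input_done() hunk the order is auth_data first and seqhi at `auth_data + ahp->icv_trunc_len`, whereas the ah_input_done() hunk puts seqhi at `work_iph + ihl` with auth_data after it. Each must match its own file's setup path (ah_input() versus ah6_input()), neither of which is in the diff, and the changelog states the IPv6 path was not exercised at runtime. Please confirm against the OLK-5.10 ah6_input() that the v6 input setup really places seqhi after the saved auth_data, or extend the UML repro to an IPv6 AH+ESN SA, before this goes in.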
[PATCH OLK-5.10] xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path
by superdcc97@163.com 04 Jun '26

From: Jiayuan Chen <jiayuan.chen(a)shopee.com>

mainline inclusion
from mainline-v7.0-rc1
commit 81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15230
CVE: CVE-2026-45905

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

icmp_route_lookup() performs multiple route lookups to find a suitable route for sending ICMP error messages, with special handling for XFRM (IPsec) policies. The lookup sequence is:

1. First, lookup output route for ICMP reply (dst = original src)
2. Pass through xfrm_lookup() for policy check
3. If blocked (-EPERM) or dst is not local, enter "reverse path"
4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec which reverses the original packet's flow (saddr<->daddr swapped)
5. If fl4_dec.saddr is local (we are the original destination), use __ip_route_output_key() for output route lookup
6. If fl4_dec.saddr is NOT local (we are a forwarding node), use ip_route_input() to simulate the reverse packet's input path
7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag

The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr (original packet's source) as destination. If this address becomes local between the initial check and ip_route_input() call (e.g., due to concurrent "ip addr add"), ip_route_input() returns a LOCAL route with dst.output set to ip_rt_bug.
This route is then used for ICMP output, causing dst_output() to call ip_rt_bug(), triggering a WARN_ON: ------------[ cut here ]------------ WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1 Call Trace: <TASK> ip_push_pending_frames+0x202/0x240 icmp_push_reply+0x30d/0x430 __icmp_send+0x1149/0x24f0 ip_options_compile+0xa2/0xd0 ip_rcv_finish_core+0x829/0x1950 ip_rcv+0x2d7/0x420 __netif_receive_skb_one_core+0x185/0x1f0 netif_receive_skb+0x90/0x450 tun_get_user+0x3413/0x3fb0 tun_chr_write_iter+0xe4/0x220 ... Fix this by checking rt2->rt_type after ip_route_input(). If it's RTN_LOCAL, the route cannot be used for output, so treat it as an error. The reproducer requires kernel modification to widen the race window, making it unsuitable as a selftest. It is available at: https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81 Reported-by: syzbot+e738404dcd14b620923c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000b1060905eada8881@google.com/T/ Closes: https://lore.kernel.org/r/20260128090523.356953-1-jiayuan.chen@linux.dev Fixes: 8b7817f3a959 ("[IPSEC]: Add ICMP host relookup support") Signed-off-by: Jiayuan Chen <jiayuan.chen(a)shopee.com> Signed-off-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Link: https://patch.msgid.link/20260206050220.59642-1-jiayuan.chen@linux.dev Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Conflicts: net/ipv4/icmp.c [commit e97e6a1830ddb ("net: Switch to skb_dstref_steal/skb_dstref_restore for ip_route_input callers") introduced skb_dstref_steal() / skb_dstref_restore() helpers which are not present in OLK-5.10.] Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/ipv4/icmp.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 6fdac117fe16..fbae7d556e24 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c 
@@ -555,6 +555,21 @@ static struct rtable *icmp_route_lookup(struct net *net, dst_release(&rt2->dst); rt2 = skb_rtable(skb_in); skb_in->_skb_refdst = orefdst; /* restore old refdst */ + + /* + * At this point, fl4_dec.daddr should NOT be local (we + * checked fl4_dec.saddr above). However, a race condition + * may occur if the address is added to the interface + * concurrently. In that case, ip_route_input() returns a + * LOCAL route with dst.output=ip_rt_bug, which must not + * be used for output. + */ + if (!err && rt2 && rt2->rt_type == RTN_LOCAL) { + net_warn_ratelimited("detected local route for %pI4 during ICMP sending, src %pI4\n", + &fl4_dec.daddr, &fl4_dec.saddr); + dst_release(&rt2->dst); + err = -EINVAL; + } } if (err) -- 2.43.0
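Review bot: the new comment ties the hazard to `dst.output=ip_rt_bug`, but the test only checks `rt2->rt_type == RTN_LOCAL`. If the broadcast or multicast input routes built in this tree's route.c also install ip_rt_bug as their output hook, a check on the output hook itself (or on the full set of route types that use it) is the more direct guard; worth confirming before settling on RTN_LOCAL alone. Separately, after `dst_release(&rt2->dst)` the rt2 pointer is dangling; the following `if (err)` does not use it, but setting `rt2 = NULL` beside the release costs nothing and protects a later refactor from dereferencing a freed route.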
[PATCH openEuler-1.0-LTS] mm: slab: fix double destroy of kmem_cache
by Jinjiang Tu 04 Jun '26

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9324 ---------------------------------------- When destroying kmem_cache A races with creating and destroying kmem_cache B which is mergeable with kmem_cache A, kmem_cache A may be destroyed twice, leading to NULL-ptr dereference. The race is as follows. CPU1 CPU2 destroy kmem_cache A create kmem_cache B refcount 1->0 __kmem_cache_alias A refcount 0->1 destroy kmem_cache B refcount 1->0 shutdown_cache shutdown_cache To fix it, check if s->memcg_params.dying is set when dropping refcount to zero, and only destroy the kmem_cache when s->memcg_params.dying isn't set. Fixes: d0ffe36fdd12 ("mm: slab: fix kmem_cache_create failed when sysfs node not destroyed") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- mm/slab_common.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index 89c2bb08a099..ad5b3a2cf2bb 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -837,11 +837,17 @@ static int shutdown_memcg_caches(struct kmem_cache *s) return 0; } -static void memcg_set_kmem_cache_dying(struct kmem_cache *s) +static int memcg_test_and_set_kmem_cache_dying(struct kmem_cache *s) { + int ret; + spin_lock_irq(&memcg_kmem_wq_lock); - s->memcg_params.dying = true; + ret = s->memcg_params.dying; + if (!ret) + s->memcg_params.dying = true; spin_unlock_irq(&memcg_kmem_wq_lock); + + return ret; } static void flush_memcg_workqueue(struct kmem_cache *s) @@ -890,7 +896,9 @@ void kmem_cache_destroy(struct kmem_cache *s) goto out_unlock; #ifdef CONFIG_MEMCG_KMEM - memcg_set_kmem_cache_dying(s); + err = memcg_test_and_set_kmem_cache_dying(s); + if (err) + goto out_unlock; mutex_unlock(&slab_mutex); -- 2.43.0
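Review bot: the test-and-set in the kmem_cache_destroy() hunk stops the second shutdown_cache(), but the interleaving in the changelog has a second failure mode it does not cover: once CPU2's __kmem_cache_alias() has taken refcount 0->1 on a cache whose dying flag is already set, B's users hold a cache that CPU1 is about to shut down, whether or not B is destroyed afterwards. The alias path should refuse (or not be offered) a cache with dying set; that closes the window rather than just the double free at its end. Nit: memcg_test_and_set_kmem_cache_dying() returns an int that is really a bool and is stored in `err`; if anything after out_unlock reports on `err`, a destroy skipped because the cache was already dying would be logged as a failure, so a bool return into its own variable would keep that honest.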
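A single-threaded replay of the CPU1/CPU2 interleaving from the changelog, added as an example and not taken from the patch or from mm/slab_common.c: the cache is reduced to a refcount, the dying flag and a shutdown counter, kmem_cache_destroy() is split into the half that runs under slab_mutex and the shutdown that runs after flush_memcg_workqueue() drops it, and the alias is modelled as a bare refcount increment. The names mirror the kernel's but the functions are this model's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Only the fields the race needs. 'shutdowns' records how many times
 * shutdown_cache() ran on this object; anything above 1 is the double destroy. */
struct kmem_cache_model {
    int refcount;
    bool dying;        /* s->memcg_params.dying */
    int shutdowns;
};

/* Old helper: sets dying unconditionally, so every caller proceeds. */
static void memcg_set_kmem_cache_dying(struct kmem_cache_model *s)
{
    s->dying = true;
}

/* New helper: returns the previous value, so only the first caller proceeds.
 * (The kernel holds memcg_kmem_wq_lock around this; the model is single-threaded.) */
static bool memcg_test_and_set_kmem_cache_dying(struct kmem_cache_model *s)
{
    bool was_dying = s->dying;

    if (!was_dying)
        s->dying = true;
    return was_dying;
}

/* First half of kmem_cache_destroy(), up to where slab_mutex is dropped for
 * flush_memcg_workqueue(). Returns true if the caller goes on to shutdown_cache(). */
static bool kmem_cache_destroy_begin(struct kmem_cache_model *s, bool fixed)
{
    s->refcount--;
    if (s->refcount)
        return false;
    if (fixed)
        return !memcg_test_and_set_kmem_cache_dying(s);
    memcg_set_kmem_cache_dying(s);
    return true;
}

/* Second half: shutdown_cache(s). */
static void kmem_cache_destroy_finish(struct kmem_cache_model *s)
{
    s->shutdowns++;
}

/* __kmem_cache_alias(): a mergeable kmem_cache_create() reuses the existing cache. */
static void kmem_cache_alias(struct kmem_cache_model *s)
{
    s->refcount++;
}

/* Replays the changelog's interleaving on one cache and returns how many
 * times it was shut down. */
static int replay_race(bool fixed)
{
    struct kmem_cache_model a = { .refcount = 1 };
    bool cpu1, cpu2;

    cpu1 = kmem_cache_destroy_begin(&a, fixed);  /* CPU1: destroy A, refcount 1->0, mutex dropped */
    kmem_cache_alias(&a);                        /* CPU2: create B, aliases A, refcount 0->1 */
    cpu2 = kmem_cache_destroy_begin(&a, fixed);  /* CPU2: destroy B, refcount 1->0 */
    if (cpu1)
        kmem_cache_destroy_finish(&a);           /* CPU1 resumes after the flush */
    if (cpu2)
        kmem_cache_destroy_finish(&a);
    return a.shutdowns;
}

/* Baseline without the race: one destroy of an unshared cache. */
static int replay_plain_destroy(bool fixed)
{
    struct kmem_cache_model a = { .refcount = 1 };

    if (kmem_cache_destroy_begin(&a, fixed))
        kmem_cache_destroy_finish(&a);
    return a.shutdowns;
}

int main(void)
{
    printf("race, old code:   %d shutdowns\n", replay_race(false));
    printf("race, patched:    %d shutdown(s)\n", replay_race(true));
    printf("no race, patched: %d shutdown(s)\n", replay_plain_destroy(true));
    return 0;
}
```

The replay shows what the hunk changes and what it leaves alone: with the old helper both destroyers reach shutdown_cache(), with the test-and-set only CPU1 does. The alias step still succeeds on a cache whose dying flag is set, which is the window a check in the alias path would have to close.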
[PATCH openEuler-1.0-LTS 0/3] *** fix CVE-2026-31527 ***
by Lin Ruifeng 04 Jun '26

*** fix CVE-2026-31527 ***

Lin Ruifeng (3):
  Revert "driver/core: Fix kabi broken of platform_device/device/bus_type"
  Revert "driver core: platform: use generic driver_override infrastructure"
  Revert "driver core: generalize driver_override in struct device"

 drivers/base/bus.c              | 49 +--------------------
 drivers/base/core.c             |  3 --
 drivers/base/dd.c               | 61 ---------------------------
 drivers/base/platform.c         | 57 ++++++++++++++++++++++---
 drivers/slimbus/qcom-ngd-ctrl.c | 12 +-----
 include/linux/device.h          | 75 ---------------------------------
 include/linux/platform_device.h |  7 +--
 7 files changed, 55 insertions(+), 209 deletions(-)

-- 
2.43.0