- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0] tty: vt: Fix vc_origin buffer copy overflow in fbcon_prepare_logo()
by Chen Jun 03 Nov '25

03 Nov '25

From: Wang ShaoBo <bobo.shaobowang(a)huawei.com> Offering: HULK hulk inclusion category: bugfix bugzilla: NA CVE: NA ---------------------------------------------------------------------- I got some KASAN report as below: BUG: KASAN: slab-use-after-free in fbcon_prepare_logo+0x61e/0xc90 Read of size 14 at addr ffff88812c9a4c38 by task syz.0.3549/19016 CPU: 0 PID: 19016 Comm: syz.0.3549 Not tainted 6.6.0+ #80 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x72/0xa0 print_address_description.constprop.0+0x6b/0x3d0 ? fbcon_prepare_logo+0x61e/0xc90 print_report+0xba/0x280 ? fbcon_prepare_logo+0x61e/0xc90 ? kasan_addr_to_slab+0xd/0xa0 ? fbcon_prepare_logo+0x61e/0xc90 kasan_report+0xaf/0xe0 ? fbcon_prepare_logo+0x61e/0xc90 kasan_check_range+0x100/0x1c0 __asan_memcpy+0x23/0x60 fbcon_prepare_logo+0x61e/0xc90 fbcon_init+0xeb9/0x1db0 ? __pfx_drm_fb_helper_set_par+0x10/0x10 visual_init+0x310/0x5c0 do_bind_con_driver.isra.0+0x627/0xbd0 store_bind+0x60b/0x710 ? __pfx_store_bind+0x10/0x10 dev_attr_store+0x5a/0x90 ? __pfx_dev_attr_store+0x10/0x10 sysfs_kf_write+0x145/0x1b0 kernfs_fop_write_iter+0x367/0x580 ? __pfx_sysfs_kf_write+0x10/0x10 new_sync_write+0x1b1/0x2d0 ? __pfx_new_sync_write+0x10/0x10 ? rb_commit+0x121/0x910 ? avc_policy_seqno+0xe/0x20 ? selinux_file_permission+0x129/0x5d0 ? security_file_permission+0xa8/0x700 vfs_write+0x71a/0x960 ksys_write+0x12e/0x260 fbcon_init() -> vc_resize() //success resize vc_origin buffer size=224=7(cols)*2*16(rows) -> bcon_prepare_logo(vc, info, old_cols, old_rows, new_cols, new_rows) //old_cols=256，old_rows=4，new_cols=7，new_rows=16 There happened to be a vc_origin buffer copy overflow error in fbcon_prepare_logo(), scrolling screen down when using old cols after vc resize would trigger out of lower bound of vc_origin buffer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Wang ShaoBo <bobo.shaobowang(a)huawei.com> Acked-by: Thomas Zimmermann <tzimmermann(a)suse.de> --- drivers/video/fbdev/core/fbcon.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index f5178eefec64..83a4949e2497 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -592,6 +592,8 @@ static void fbcon_prepare_logo(struct vc_data *vc, struct fb_info *info, /* We can scroll screen down */ r = q - step - cols; for (cnt = rows - logo_lines; cnt > 0; cnt--) { + if (r < (unsigned short *) vc->vc_origin) + break; scr_memcpyw(r + step, r, vc->vc_size_row); r -= cols; } -- 2.22.0

1 0

[PATCH OLK-6.6 0/2] *** SUBJECT HERE ***
by Zhao Yipeng 03 Nov '25

03 Nov '25

*** BLURB HERE *** Michael Chan (1): bnxt_en: Fix possible crash after creating sw mqprio TCs Sreekanth Reddy (1): bnxt_en: Fix memory corruption when FW resources change during ifdown drivers/net/ethernet/broadcom/bnxt/bnxt.c | 32 +++++++++++++------ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 +- .../net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 +-- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +- 5 files changed, 28 insertions(+), 13 deletions(-) -- 2.34.1

2 3

[PATCH OLK-5.10 0/5] CVE-2022-49722
by Xiaomeng Zhang 03 Nov '25

03 Nov '25

Jacob Keller (2): ice: convert ice_reset_vf to standard error codes ice: convert ice_reset_vf to take flags Michal Jaron (1): ice: Fix call trace with null VSI during VF reset Norbert Zulinski (1): ice: Fix spurious interrupt during removal of trusted VF Przemyslaw Patynowski (1): ice: Fix memory corruption in VF driver drivers/net/ethernet/intel/ice/ice_base.c | 4 +- drivers/net/ethernet/intel/ice/ice_lib.c | 25 +++++++++ drivers/net/ethernet/intel/ice/ice_lib.h | 1 + drivers/net/ethernet/intel/ice/ice_main.c | 2 +- .../net/ethernet/intel/ice/ice_virtchnl_pf.c | 52 ++++++++++++++----- .../net/ethernet/intel/ice/ice_virtchnl_pf.h | 14 +++-- 6 files changed, 79 insertions(+), 19 deletions(-) -- 2.34.1

2 6

[PATCH openEuler-1.0-LTS 0/5] *** CVE-2023-53199 ***
by Ziming Du 03 Nov '25

03 Nov '25

*** BLURB HERE *** Arnd Bergmann (1): wifi: ath9k: use proper statements in conditionals Fedor Pchelkin (1): wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails Pavel Skripkin (1): ath9k: htc: clean up statistics macros Wan Jiabing (1): ath9k: hif_usb: simplify if-if to if-else Zekun Shen (1): ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c | 63 ++++++++++++------- drivers/net/wireless/ath/ath9k/htc.h | 32 +++++----- drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 +-- 3 files changed, 64 insertions(+), 41 deletions(-) -- 2.43.0

2 6

[PATCH OLK-6.6] fs: udf: fix OOB read in lengthAllocDescs handling
by Yifan Qiao 03 Nov '25

03 Nov '25

From: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> mainline inclusion from mainline-v6.18-rc1 commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WJ5 CVE: CVE-2025-40044 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.c… Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index e98c198f85b9..8b842d33a9e0 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2264,6 +2264,9 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos, if (check_add_overflow(sizeof(struct allocExtDesc), le32_to_cpu(header->lengthAllocDescs), &alen)) return -1; + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.2

2 1

[PATCH OLK-5.10] fs: udf: fix OOB read in lengthAllocDescs handling
by Yifan Qiao 03 Nov '25

03 Nov '25

From: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> mainline inclusion from mainline-v6.18-rc1 commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WJ5 CVE: CVE-2025-40044 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.c… Signed-off-by: Jan Kara <jack(a)suse.cz> Conflicts: fs/udf/inode.c [Context difference] Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 6ff9cc8adb26..2e4ada655995 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2193,6 +2193,9 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, if (check_add_overflow((int)sizeof(struct allocExtDesc), (int)le32_to_cpu(header->lengthAllocDescs), &alen)) return -1; + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] fs: udf: fix OOB read in lengthAllocDescs handling
by Yifan Qiao 03 Nov '25

03 Nov '25

From: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> mainline inclusion from mainline-v6.18-rc1 commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WJ5 CVE: CVE-2025-40044 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Validate the computed total length against epos->bh->b_size. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+8743fca924afed42f93e(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Larshin Sergey <Sergey.Larshin(a)kaspersky.com> Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.c… Signed-off-by: Jan Kara <jack(a)suse.cz> Conflict: fs/udf/inode.c [Context difference] Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/udf/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 11f104931254..108a1fd75024 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2129,6 +2129,9 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, alen = sizeof(struct allocExtDesc) + le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)-> lengthAllocDescs); + + if (alen > epos->bh->b_size) + return -1; } switch (iinfo->i_alloc_type) { -- 2.39.2

2 1

[PATCH OLK-6.6] KVM: arm64: Prevent access to vCPU events before init
by Pu Lehui 03 Nov '25

03 Nov '25

From: Oliver Upton <oliver.upton(a)linux.dev> mainline inclusion from mainline-v6.18-rc2 commit 0aa1b76fe1429629215a7c79820e4b96233ac4a3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID4A6U CVE: CVE-2025-40102 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception. In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection: kernel BUG at arch/arm64/kvm/inject_fault.c:40! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT Hardware name: linux,dummy-virt (DT) pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : exception_target_el+0x88/0x8c lr : pend_serror_exception+0x18/0x13c sp : ffff800082f03a10 x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 Call trace: exception_target_el+0x88/0x8c (P) kvm_inject_serror_esr+0x40/0x3b4 __kvm_arm_vcpu_set_events+0xf0/0x100 kvm_arch_vcpu_ioctl+0x180/0x9d4 kvm_vcpu_ioctl+0x60c/0x9f4 __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state. Cc: stable(a)vger.kernel.org # 6.17 Fixes: b7b27facc7b5 ("arm/arm64: KVM: Add KVM_GET/SET_VCPU_EVENTS") Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> Signed-off-by: Marc Zyngier <maz(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- arch/arm64/kvm/arm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index d3831c273843..412c12b22914 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -1916,6 +1916,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, case KVM_GET_VCPU_EVENTS: { struct kvm_vcpu_events events; + if (!kvm_vcpu_initialized(vcpu)) + return -ENOEXEC; + if (kvm_arm_vcpu_get_events(vcpu, &events)) return -EINVAL; @@ -1927,6 +1930,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, case KVM_SET_VCPU_EVENTS: { struct kvm_vcpu_events events; + if (!kvm_vcpu_initialized(vcpu)) + return -ENOEXEC; + if (copy_from_user(&events, argp, sizeof(events))) return -EFAULT; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS V1] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
by Cheng Yu 03 Nov '25

03 Nov '25

From: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> stable inclusion from stable-v4.19.270 commit 1079df6acf56f99d86b0081a38c84701412cc90e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0VFO CVE: CVE-2022-50520 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ] As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL. If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak. Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM") Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)") Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- drivers/gpu/drm/radeon/radeon_bios.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c index 80562aeb8149..92f50b26e4c9 100644 --- a/drivers/gpu/drm/radeon/radeon_bios.c +++ b/drivers/gpu/drm/radeon/radeon_bios.c @@ -215,6 +215,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev) if (!found) return false; + pci_dev_put(pdev); rdev->bios = kmalloc(size, GFP_KERNEL); if (!rdev->bios) { -- 2.25.1

2 1

[openeuler:OLK-6.6 3083/3083] drivers/gpu/drm/phytium/phytium_platform.c:348:34: warning: unused variable 'display_of_match'
by kernel test robot 03 Nov '25

03 Nov '25

Hi xuyan, First bad commit (maybe != root cause): tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 923d7e38d0e74b4ae16ccb56d089c2210d2ea5d3 commit: 3b4a5906fa714bdc9a15fc04374942888737eb4c [3083/3083] drm/phytium: Fix Phytium DRM build fail config: x86_64-randconfig-123-20251103 (https://download.01.org/0day-ci/archive/20251103/202511031139.BP8204ku-lkp@…) compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251103/202511031139.BP8204ku-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202511031139.BP8204ku-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/gpu/drm/phytium/phytium_platform.c:22:5: warning: no previous prototype for function 'phytium_platform_carveout_mem_init' [-Wmissing-prototypes] 22 | int phytium_platform_carveout_mem_init(struct platform_device *pdev, | ^ drivers/gpu/drm/phytium/phytium_platform.c:22:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 22 | int phytium_platform_carveout_mem_init(struct platform_device *pdev, | ^ | static drivers/gpu/drm/phytium/phytium_platform.c:63:6: warning: no previous prototype for function 'phytium_platform_carveout_mem_fini' [-Wmissing-prototypes] 63 | void phytium_platform_carveout_mem_fini(struct platform_device *pdev, | ^ drivers/gpu/drm/phytium/phytium_platform.c:63:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 63 | void phytium_platform_carveout_mem_fini(struct platform_device *pdev, | ^ | static >> drivers/gpu/drm/phytium/phytium_platform.c:348:34: warning: unused variable 'display_of_match' [-Wunused-const-variable] 348 | static const struct of_device_id display_of_match[] = { | ^~~~~~~~~~~~~~~~ 3 warnings generated. vim +/display_of_match +348 drivers/gpu/drm/phytium/phytium_platform.c b80df10f845813 lishuo 2024-01-31 347 b80df10f845813 lishuo 2024-01-31 @348 static const struct of_device_id display_of_match[] = { b80df10f845813 lishuo 2024-01-31 349 { b80df10f845813 lishuo 2024-01-31 350 .compatible = "phytium,dc", b80df10f845813 lishuo 2024-01-31 351 .data = &pe220x_info, b80df10f845813 lishuo 2024-01-31 352 }, b80df10f845813 lishuo 2024-01-31 353 { } b80df10f845813 lishuo 2024-01-31 354 }; e2cdf30a3e12bb XuYan 2025-04-09 355 MODULE_DEVICE_TABLE(of, display_of_match); b80df10f845813 lishuo 2024-01-31 356 :::::: The code at line 348 was first introduced by commit :::::: b80df10f845813bb4fc2002b5386ecdfa8be5f6c DRM: Phytium display DRM driver :::::: TO: lishuo <lishuo(a)phytium.com.cn> :::::: CC: lishuo <lishuo(a)phytium.com.cn> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0