- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 0/3] CVE-2022-49647
by Chen Ridong 08 Apr '25

08 Apr '25

CVE-2022-49647 Chen Ridong (2): cgroup: fix kabi for css_set cgroup: disable cgroup.type Tejun Heo (1): cgroup: Use separate src/dst nodes when preloading css_sets for migration include/linux/cgroup-defs.h | 13 +++++++++++ kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++------------ 2 files changed, 42 insertions(+), 14 deletions(-) -- 2.34.1

2 4

[PATCH OLK-5.10] drm/drm_vma_manager: Add drm_vma_node_allow_once()
by Yang Yingliang 08 Apr '25

08 Apr '25

From: Nirmoy Das <nirmoy.das(a)intel.com> mainline inclusion from mainline-v6.2-rc6 commit 899d3a3c19ac0e5da013ce34833dccb97d19b5e4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVX3 CVE: CVE-2023-53001 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Currently there is no easy way for a drm driver to safely check and allow drm_vma_offset_node for a drm file just once. Allow drm drivers to call non-refcounted version of drm_vma_node_allow() so that a driver doesn't need to keep track of each drm_vma_node_allow() to call subsequent drm_vma_node_revoke() to prevent memory leak. Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: Tvrtko Ursulin <tvrtko.ursulin(a)linux.intel.com> Cc: Andi Shyti <andi.shyti(a)linux.intel.com> Suggested-by: Chris Wilson <chris.p.wilson(a)intel.com> Signed-off-by: Nirmoy Das <nirmoy.das(a)intel.com> Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)linux.intel.com> Link: https://lore.kernel.org/r/20230117175236.22317-1-nirmoy.das@intel.com Signed-off-by: Maxime Ripard <maxime(a)cerno.tech> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/gpu/drm/drm_vma_manager.c | 76 ++++++++++++++++++++++--------- include/drm/drm_vma_manager.h | 1 + 2 files changed, 55 insertions(+), 22 deletions(-) diff --git a/drivers/gpu/drm/drm_vma_manager.c b/drivers/gpu/drm/drm_vma_manager.c index 4565319fa6b3..7f0dc56321ae 100644 --- a/drivers/gpu/drm/drm_vma_manager.c +++ b/drivers/gpu/drm/drm_vma_manager.c @@ -240,27 +240,8 @@ void drm_vma_offset_remove(struct drm_vma_offset_manager *mgr, } EXPORT_SYMBOL(drm_vma_offset_remove); -/** - * drm_vma_node_allow - Add open-file to list of allowed users - * @node: Node to modify - * @tag: Tag of file to remove - * - * Add @tag to the list of allowed open-files for this node. If @tag is - * already on this list, the ref-count is incremented. - * - * The list of allowed-users is preserved across drm_vma_offset_add() and - * drm_vma_offset_remove() calls. You may even call it if the node is currently - * not added to any offset-manager. - * - * You must remove all open-files the same number of times as you added them - * before destroying the node. Otherwise, you will leak memory. - * - * This is locked against concurrent access internally. - * - * RETURNS: - * 0 on success, negative error code on internal failure (out-of-mem) - */ -int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) +static int vma_node_allow(struct drm_vma_offset_node *node, + struct drm_file *tag, bool ref_counted) { struct rb_node **iter; struct rb_node *parent = NULL; @@ -282,7 +263,8 @@ int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) entry = rb_entry(*iter, struct drm_vma_offset_file, vm_rb); if (tag == entry->vm_tag) { - entry->vm_count++; + if (ref_counted) + entry->vm_count++; goto unlock; } else if (tag > entry->vm_tag) { iter = &(*iter)->rb_right; @@ -307,8 +289,58 @@ int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) kfree(new); return ret; } + +/** + * drm_vma_node_allow - Add open-file to list of allowed users + * @node: Node to modify + * @tag: Tag of file to remove + * + * Add @tag to the list of allowed open-files for this node. If @tag is + * already on this list, the ref-count is incremented. + * + * The list of allowed-users is preserved across drm_vma_offset_add() and + * drm_vma_offset_remove() calls. You may even call it if the node is currently + * not added to any offset-manager. + * + * You must remove all open-files the same number of times as you added them + * before destroying the node. Otherwise, you will leak memory. + * + * This is locked against concurrent access internally. + * + * RETURNS: + * 0 on success, negative error code on internal failure (out-of-mem) + */ +int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag) +{ + return vma_node_allow(node, tag, true); +} EXPORT_SYMBOL(drm_vma_node_allow); +/** + * drm_vma_node_allow_once - Add open-file to list of allowed users + * @node: Node to modify + * @tag: Tag of file to remove + * + * Add @tag to the list of allowed open-files for this node. + * + * The list of allowed-users is preserved across drm_vma_offset_add() and + * drm_vma_offset_remove() calls. You may even call it if the node is currently + * not added to any offset-manager. + * + * This is not ref-counted unlike drm_vma_node_allow() hence drm_vma_node_revoke() + * should only be called once after this. + * + * This is locked against concurrent access internally. + * + * RETURNS: + * 0 on success, negative error code on internal failure (out-of-mem) + */ +int drm_vma_node_allow_once(struct drm_vma_offset_node *node, struct drm_file *tag) +{ + return vma_node_allow(node, tag, false); +} +EXPORT_SYMBOL(drm_vma_node_allow_once); + /** * drm_vma_node_revoke - Remove open-file from list of allowed users * @node: Node to modify diff --git a/include/drm/drm_vma_manager.h b/include/drm/drm_vma_manager.h index 76ac5e97a559..ed54bce9a005 100644 --- a/include/drm/drm_vma_manager.h +++ b/include/drm/drm_vma_manager.h @@ -74,6 +74,7 @@ void drm_vma_offset_remove(struct drm_vma_offset_manager *mgr, struct drm_vma_offset_node *node); int drm_vma_node_allow(struct drm_vma_offset_node *node, struct drm_file *tag); +int drm_vma_node_allow_once(struct drm_vma_offset_node *node, struct drm_file *tag); void drm_vma_node_revoke(struct drm_vma_offset_node *node, struct drm_file *tag); bool drm_vma_node_is_allowed(struct drm_vma_offset_node *node, -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS 0/3] CVE-2022-49647
by Chen Ridong 08 Apr '25

08 Apr '25

CVE-2022-49647 Chen Ridong (2): cgroup: fix kabi for css_set cgroup: disable cgroup.type Tejun Heo (1): cgroup: Use separate src/dst nodes when preloading css_sets for migration include/linux/cgroup-defs.h | 13 +++++++++++ kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++------------ 2 files changed, 42 insertions(+), 14 deletions(-) -- 2.34.1

2 4

[openeuler:openEuler-1.0-LTS 1568/1568] drivers/spi/spi-phytium-plat.c:122:8: error: implicit declaration of function 'gpiod_count'
by kernel test robot 08 Apr '25

08 Apr '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 3191c9e4e7c581bfe0a40ee198ffcbd5c3dea53e commit: e8483fcd43fc1dbb8d21bb7eacce804cbab6a7c6 [1568/1568] spi: add phytium spi support config: x86_64-randconfig-104-20250408 (https://download.01.org/0day-ci/archive/20250408/202504081227.W3mx0ZSS-lkp@…) compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250408/202504081227.W3mx0ZSS-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202504081227.W3mx0ZSS-lkp@intel.com/ All errors (new ones prefixed by >>): >> drivers/spi/spi-phytium-plat.c:122:8: error: implicit declaration of function 'gpiod_count' [-Werror,-Wimplicit-function-declaration] 122 | n = gpiod_count(&pdev->dev, "cs"); | ^ drivers/spi/spi-phytium-plat.c:122:8: note: did you mean 'cpuid_count'? arch/x86/include/asm/processor.h:620:20: note: 'cpuid_count' declared here 620 | static inline void cpuid_count(unsigned int op, int count, | ^ >> drivers/spi/spi-phytium-plat.c:128:12: error: implicit declaration of function 'devm_gpiod_get_index_optional' [-Werror,-Wimplicit-function-declaration] 128 | gpiod = devm_gpiod_get_index_optional(&pdev->dev, | ^ >> drivers/spi/spi-phytium-plat.c:129:17: error: use of undeclared identifier 'GPIOD_OUT_LOW' 129 | "cs", i, GPIOD_OUT_LOW); | ^ >> drivers/spi/spi-phytium-plat.c:136:14: error: implicit declaration of function 'desc_to_gpio' [-Werror,-Wimplicit-function-declaration] 136 | cs_gpio = desc_to_gpio(gpiod); | ^ drivers/spi/spi-phytium-plat.c:136:14: note: did you mean 'irq_to_gpio'? include/linux/gpio.h:236:19: note: 'irq_to_gpio' declared here 236 | static inline int irq_to_gpio(unsigned irq) | ^ 4 errors generated. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for SPI_PHYTIUM Depends on [n]: SPI [=y] && SPI_MASTER [=y] && (ARCH_PHYTIUM || COMPILE_TEST [=n]) Selected by [m]: - SPI_PHYTIUM_PLAT [=m] && SPI [=y] && SPI_MASTER [=y] vim +/gpiod_count +122 drivers/spi/spi-phytium-plat.c 37 38 static int phytium_spi_probe(struct platform_device *pdev) 39 { 40 struct phytium_spi_clk *ftsc; 41 struct phytium_spi *fts; 42 struct resource *mem; 43 int ret; 44 int num_cs; 45 int cs_gpio; 46 int global_cs; 47 int i; 48 49 ftsc = devm_kzalloc(&pdev->dev, sizeof(struct phytium_spi_clk), 50 GFP_KERNEL); 51 if (!ftsc) 52 return -ENOMEM; 53 54 fts = &ftsc->fts; 55 56 mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); 57 if (!mem) { 58 dev_err(&pdev->dev, "no mem resource?\n"); 59 return -EINVAL; 60 } 61 62 fts->regs = devm_ioremap_resource(&pdev->dev, mem); 63 if (IS_ERR(fts->regs)) { 64 dev_err(&pdev->dev, "SPI region map failed\n"); 65 return PTR_ERR(fts->regs); 66 } 67 68 fts->irq = platform_get_irq(pdev, 0); 69 if (fts->irq < 0) { 70 dev_err(&pdev->dev, "no irq resource?\n"); 71 return fts->irq; /* -ENXIO */ 72 } 73 74 if (pdev->dev.of_node) { 75 ftsc->clk = devm_clk_get(&pdev->dev, NULL); 76 77 if (IS_ERR(ftsc->clk)) 78 return PTR_ERR(ftsc->clk); 79 ret = clk_prepare_enable(ftsc->clk); 80 if (ret) 81 return ret; 82 83 fts->max_freq = clk_get_rate(ftsc->clk); 84 } else if (has_acpi_companion(&pdev->dev)) { 85 fts->max_freq = 48000000; 86 } 87 88 fts->bus_num = pdev->id; 89 device_property_read_u32(&pdev->dev, 90 "reg-io-width", &fts->reg_io_width); 91 92 num_cs = 4; 93 94 device_property_read_u32(&pdev->dev, "num-cs", &num_cs); 95 96 fts->num_cs = num_cs; 97 98 if (pdev->dev.of_node) { 99 int i; 100 101 for (i = 0; i < fts->num_cs; i++) { 102 cs_gpio = of_get_named_gpio(pdev->dev.of_node, 103 "cs-gpios", i); 104 105 if (cs_gpio == -EPROBE_DEFER) { 106 ret = cs_gpio; 107 goto out; 108 } 109 110 if (gpio_is_valid(cs_gpio)) { 111 ret = devm_gpio_request(&pdev->dev, cs_gpio, 112 dev_name(&pdev->dev)); 113 if (ret) 114 goto out; 115 } 116 } 117 } else if (has_acpi_companion(&pdev->dev)) { 118 int n; 119 int *cs; 120 struct gpio_desc *gpiod; 121 > 122 n = gpiod_count(&pdev->dev, "cs"); 123 124 cs = devm_kcalloc(&pdev->dev, n, sizeof(int), GFP_KERNEL); 125 fts->cs = cs; 126 127 for (i = 0; i < n; i++) { > 128 gpiod = devm_gpiod_get_index_optional(&pdev->dev, > 129 "cs", i, GPIOD_OUT_LOW); 130 131 if (IS_ERR(gpiod)) { 132 ret = PTR_ERR(gpiod); 133 goto out; 134 } 135 > 136 cs_gpio = desc_to_gpio(gpiod); 137 cs[i] = cs_gpio; 138 } 139 } 140 141 device_property_read_u32(&pdev->dev, "global-cs", &global_cs); 142 fts->global_cs = global_cs; 143 144 ret = phytium_spi_add_host(&pdev->dev, fts); 145 if (ret) 146 goto out; 147 148 platform_set_drvdata(pdev, ftsc); 149 return 0; 150 151 out: 152 clk_disable_unprepare(ftsc->clk); 153 return ret; 154 } 155 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] RDMA/mlx5: Fix a WARN during dereg_mr for DM type
by Yi Yang 08 Apr '25

08 Apr '25

From: Yishai Hadas <yishaih(a)nvidia.com> mainline inclusion from mainline-v6.14-rc5 commit abc7b3f1f056d69a8f11d6dceecc0c9549ace770 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVSX CVE: CVE-2025-21888 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped. This results in a WARN [1], as shown below. The issue is resolved by properly accounting for the DM type and ensuring the correct branch is selected in mlx5_free_priv_descs(). [1] WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90 Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00 RSP: 0018:ffffc90001913a10 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x84/0x190 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0xf8/0x1c0 ? handle_bug+0x55/0x90 ? exc_invalid_op+0x13/0x60 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 dma_unmap_page_attrs+0xe6/0x290 mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib] __mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib] ? _raw_spin_unlock_irq+0x24/0x40 ? wait_for_completion+0xfe/0x130 ? rdma_restrack_put+0x63/0xe0 [ib_core] ib_dereg_mr_user+0x5f/0x120 [ib_core] ? lock_release+0xc6/0x280 destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs] uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs] uobj_destroy+0x3f/0x70 [ib_uverbs] ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs] ? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs] ? lock_acquire+0xc1/0x2f0 ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs] ? lock_release+0xc6/0x280 ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs] ? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs] __x64_sys_ioctl+0x1b0/0xa70 do_syscall_64+0x6b/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f537adaf17b Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003 RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270 R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190 R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450 </TASK> Fixes: f18ec4223117 ("RDMA/mlx5: Use a union inside mlx5_ib_mr") Signed-off-by: Yishai Hadas <yishaih(a)nvidia.com> Link: https://patch.msgid.link/2039c22cfc3df02378747ba4d623a558b53fc263.173858707… Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Conflicts: drivers/infiniband/hw/mlx5/mr.c [Conflicts due to commits de8f847a5114 ("RDMA/mlx5: Add support for DMABUF MR registrations with Data-direct") not merged.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/infiniband/hw/mlx5/mr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c index 90d468b00256..5881d8e69aa4 100644 --- a/drivers/infiniband/hw/mlx5/mr.c +++ b/drivers/infiniband/hw/mlx5/mr.c @@ -1818,7 +1818,7 @@ mlx5_alloc_priv_descs(struct ib_device *device, static void mlx5_free_priv_descs(struct mlx5_ib_mr *mr) { - if (!mr->umem && mr->descs) { + if (!mr->umem && mr->ibmr.type != IB_MR_TYPE_DM && mr->descs) { struct ib_device *device = mr->ibmr.device; int size = mr->max_descs * mr->desc_size; struct mlx5_ib_dev *dev = to_mdev(device); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
by Tirui Yin 08 Apr '25

08 Apr '25

From: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> mainline inclusion from mainline-v5.19-rc3 commit 928ea98252ad75118950941683893cf904541da9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP74W CVE: CVE-2022-49711 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io triggers KASAN use-after-free. To avoid the use-after-free, keep the reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to fsl_destroy_mc_io(). This patch needs rework to apply to kernels older than v5.15. Fixes: f93627146f0e ("staging: fsl-mc: fix asymmetry in destroy of mc_io") Cc: stable(a)vger.kernel.org # v5.15+ Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Link: https://lore.kernel.org/r/20220601105159.87752-1-shinichiro.kawasaki@wdc.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: Weilong Chen <chenweilong(a)huawei.com> --- drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c index 5d8266c6571f..3512341c3038 100644 --- a/drivers/bus/fsl-mc/fsl-mc-bus.c +++ b/drivers/bus/fsl-mc/fsl-mc-bus.c @@ -878,14 +878,14 @@ static int fsl_mc_bus_probe(struct platform_device *pdev) static int fsl_mc_bus_remove(struct platform_device *pdev) { struct fsl_mc *mc = platform_get_drvdata(pdev); + struct fsl_mc_io *mc_io; if (!fsl_mc_is_root_dprc(&mc->root_mc_bus_dev->dev)) return -EINVAL; + mc_io = mc->root_mc_bus_dev->mc_io; fsl_mc_device_remove(mc->root_mc_bus_dev); - - fsl_destroy_mc_io(mc->root_mc_bus_dev->mc_io); - mc->root_mc_bus_dev->mc_io = NULL; + fsl_destroy_mc_io(mc_io); return 0; } -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init
by Tirui Yin 08 Apr '25

08 Apr '25

From: Hui Wang <hui.wang(a)canonical.com> stable inclusion from stable-v4.19.272 commit 80ee99e52936b2c04cc37b17a14b2ae2f9d282ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVWT CVE: CVE-2022-49746 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1417f59ac0b02130ee56c0c50794b9b257be3d17 ] If the function sdma_load_context() fails, the sdma_desc will be freed, but the allocated desc->bd is forgot to be freed. We already met the sdma_load_context() failure case and the log as below: [ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready ... In this case, the desc->bd will not be freed without this change. Signed-off-by: Hui Wang <hui.wang(a)canonical.com> Reviewed-by: Sascha Hauer <s.hauer(a)pengutronix.de> Link: https://lore.kernel.org/r/20221130090800.102035-1-hui.wang@canonical.com Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tirui Yin <yintirui(a)huawei.com> Reviewed-by: Weilong Chen <chenweilong(a)huawei.com> --- drivers/dma/imx-sdma.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c index 3f5a01cb4ab4..b9e6d276df4c 100644 --- a/drivers/dma/imx-sdma.c +++ b/drivers/dma/imx-sdma.c @@ -1353,10 +1353,12 @@ static struct sdma_desc *sdma_transfer_init(struct sdma_channel *sdmac, sdma_config_ownership(sdmac, false, true, false); if (sdma_load_context(sdmac)) - goto err_desc_out; + goto err_bd_out; return desc; +err_bd_out: + sdma_free_bd(desc); err_desc_out: kfree(desc); err_out: -- 2.22.0

2 1

[openeuler:openEuler-1.0-LTS 1568/1568] kernel/uid16.o: warning: objtool: __x64_sys_getuid16.cold()+0x0: unreachable instruction
by kernel test robot 08 Apr '25

08 Apr '25

Hi Josh, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 3191c9e4e7c581bfe0a40ee198ffcbd5c3dea53e commit: 56bc1719652e7a937bc9856f76f0c0fbf8ce1b23 [1568/1568] objtool: Support GCC 9 cold subfunction naming scheme config: x86_64-randconfig-103-20250408 (https://download.01.org/0day-ci/archive/20250408/202504081156.eLZp36Hb-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250408/202504081156.eLZp36Hb-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202504081156.eLZp36Hb-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/uid16.o: warning: objtool: __x64_sys_getuid16.cold()+0x0: unreachable instruction -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 1365/1365] drivers/acpi/cppc_acpi.c:614:3-8: WARNING: NULL check before some freeing functions is not needed.
by kernel test robot 08 Apr '25

08 Apr '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 3191c9e4e7c581bfe0a40ee198ffcbd5c3dea53e commit: b8815fbbe89b0d15fa3296c3e57d2197a92f5bc0 [1365/1365] ACPI: CPPC: Fix cppc_cpufreq_init failed in CPU Hotplug situation config: x86_64-randconfig-102-20250103 (https://download.01.org/0day-ci/archive/20250408/202504081127.rMMmKSGb-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202504081127.rMMmKSGb-lkp@intel.com/ cocci warnings: (new ones prefixed by >>) >> drivers/acpi/cppc_acpi.c:614:3-8: WARNING: NULL check before some freeing functions is not needed. vim +614 drivers/acpi/cppc_acpi.c 576 577 int acpi_get_psd_map(struct cppc_cpudata **all_cpu_data) 578 { 579 struct cpc_desc **cpc_pptr, *cpc_ptr; 580 int parsed_core_num = 0; 581 int i, ret; 582 583 cpc_pptr = kcalloc(num_possible_cpus(), sizeof(void *), GFP_KERNEL); 584 if (!cpc_pptr) 585 return -ENOMEM; 586 for_each_possible_cpu(i) { 587 cpc_pptr[i] = kzalloc(sizeof(struct cpc_desc), GFP_KERNEL); 588 if (!cpc_pptr[i]) { 589 ret = -ENOMEM; 590 goto out; 591 } 592 } 593 594 /* 595 * We can not use acpi_get_devices() to walk the processor devices 596 * because some processor device is not present. 597 */ 598 ret = acpi_walk_namespace(ACPI_TYPE_DEVICE, ACPI_ROOT_OBJECT, 599 ACPI_UINT32_MAX, acpi_parse_cpc, NULL, 600 cpc_pptr, (void **)&parsed_core_num); 601 if (ret) 602 goto out; 603 if (parsed_core_num != num_possible_cpus()) { 604 ret = -EINVAL; 605 goto out; 606 } 607 608 ret = __acpi_get_psd_map(all_cpu_data, cpc_pptr); 609 610 out: 611 for_each_possible_cpu(i) { 612 cpc_ptr = cpc_pptr[i]; 613 if (cpc_ptr) > 614 kfree(cpc_ptr); 615 } 616 kfree(cpc_pptr); 617 618 return ret; 619 } 620 EXPORT_SYMBOL_GPL(acpi_get_psd_map); 621 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 1334/1334] kernel/hung_task.c:148:7: error: use of undeclared identifier 'sysctl_hung_task_all_cpu_backtrace'
by kernel test robot 08 Apr '25

08 Apr '25

Hi Guilherme, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 3191c9e4e7c581bfe0a40ee198ffcbd5c3dea53e commit: 190aae97bcddbed131a203f829257b168f5058ce [1334/1334] kernel/hung_task.c: introduce sysctl to print all traces when a hung task is detected config: x86_64-randconfig-103-20241218 (https://download.01.org/0day-ci/archive/20250408/202504081025.oeT4D3sO-lkp@…) compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250408/202504081025.oeT4D3sO-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202504081025.oeT4D3sO-lkp@intel.com/ All errors (new ones prefixed by >>): >> kernel/hung_task.c:148:7: error: use of undeclared identifier 'sysctl_hung_task_all_cpu_backtrace' 148 | if (sysctl_hung_task_all_cpu_backtrace) | ^ kernel/hung_task.c:235:5: warning: no previous prototype for function 'proc_dohung_task_timeout_secs' [-Wmissing-prototypes] 235 | int proc_dohung_task_timeout_secs(struct ctl_table *table, int write, | ^ kernel/hung_task.c:235:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 235 | int proc_dohung_task_timeout_secs(struct ctl_table *table, int write, | ^ | static 1 warning and 1 error generated. vim +/sysctl_hung_task_all_cpu_backtrace +148 kernel/hung_task.c 94 95 static void check_hung_task(struct task_struct *t, unsigned long timeout) 96 { 97 unsigned long switch_count = t->nvcsw + t->nivcsw; 98 99 /* 100 * Ensure the task is not frozen. 101 * Also, skip vfork and any other user process that freezer should skip. 102 */ 103 if (unlikely(t->flags & (PF_FROZEN | PF_FREEZER_SKIP))) 104 return; 105 106 /* 107 * When a freshly created task is scheduled once, changes its state to 108 * TASK_UNINTERRUPTIBLE without having ever been switched out once, it 109 * musn't be checked. 110 */ 111 if (unlikely(!switch_count)) 112 return; 113 114 if (switch_count != t->last_switch_count) { 115 t->last_switch_count = switch_count; 116 t->last_switch_time = jiffies; 117 return; 118 } 119 if (time_is_after_jiffies(t->last_switch_time + timeout * HZ)) 120 return; 121 122 trace_sched_process_hang(t); 123 124 if (sysctl_hung_task_panic) { 125 console_verbose(); 126 hung_task_show_lock = true; 127 hung_task_call_panic = true; 128 } 129 130 /* 131 * Ok, the task did not get scheduled for more than 2 minutes, 132 * complain: 133 */ 134 if (sysctl_hung_task_warnings) { 135 if (sysctl_hung_task_warnings > 0) 136 sysctl_hung_task_warnings--; 137 pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n", 138 t->comm, t->pid, timeout); 139 pr_err(" %s %s %.*s\n", 140 print_tainted(), init_utsname()->release, 141 (int)strcspn(init_utsname()->version, " "), 142 init_utsname()->version); 143 pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\"" 144 " disables this message.\n"); 145 sched_show_task(t); 146 hung_task_show_lock = true; 147 > 148 if (sysctl_hung_task_all_cpu_backtrace) 149 hung_task_show_all_bt = true; 150 } 151 152 touch_nmi_watchdog(); 153 } 154 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0