- Kernel - mailweb.openeuler.org

[PATCH v2 openEuler-1.0-LTS 0/4] add mcs support for migrate pages
by Wupeng Ma 06 Jan '26

06 Jan '26

Backport the following patches for OLK-5.10: - e14f9d96acb7 mm/memory-failure: support disabling soft offline for HugeTLB pages - 2f0c01a690d1 mm/memory-failure: userspace controls soft-offlining pages - 9bb3fd60f91e arm64: mm: Add copy mc support for all migrate_page - 45dbef4c04f6 mm: page_eject: Add mc support during offline page - b7f5b9ef641a mm: Update PF_COREDUMP_MCS to PF_MCS - 17d08829674a mm/hwpoison: add migrate_page_mc_extra() - c10a520c4102 mm/hwpoison: introduce copy_mc_highpages - d689cd1c1479 mm/hwpoison: arm64: introduce copy_mc_highpage Add mcs support for migrate page & support disabling soft offline for HugeTLB pages. Since UCE kernel recovery is needed by this. This should be enable with the following step: - echo 1 > /proc/sys/kernel/uce_kernel_recovery Disable soft offline support for hugetlb with the following step: - echo 3 > /proc/sys/vm/enable_soft_offline Since ARCH_ENABLE_HUGEPAGE_MIGRATION is not enabled in openeuler_defconfig in arm64. There is no need to merge soft-offining related patches. Change log since v1: - add patch list from OLK-5.10 - add ARCH_ENABLE_HUGEPAGE_MIGRATION related comment - bugfix for __copy_huge_page Jiaqi Yan (1): mm/memory-failure: userspace controls soft-offlining pages Kyle Meyer (1): mm/memory-failure: support disabling soft offline for HugeTLB pages Wupeng Ma (2): uce: add copy_mc_highpage{s} arm64: mm: Add copy mc support for migrate_page .../ABI/testing/sysfs-memory-page-offline | 3 + include/linux/highmem.h | 55 +++++++++++++ include/linux/mm.h | 1 + kernel/sysctl.c | 9 +++ mm/memory-failure.c | 25 +++++- mm/migrate.c | 79 ++++++++++++++++--- 6 files changed, 162 insertions(+), 10 deletions(-) -- 2.43.0

2 5

[PATCH OLK-6.6 00/10] EEVDF null pointer
by Zicheng Qu 06 Jan '26

06 Jan '26

Fernand Sieber (1): sched/fair: Forfeit vruntime on yield Ingo Molnar (1): sched/balancing: Change comment formatting to not overlap Git conflict marker lines Peter Zijlstra (4): sched/fair: Avoid re-setting virtual deadline on 'migrations' sched/eevdf: Remove min_vruntime_copy sched/core: Add comment explaining force-idle vruntime snapshots sched/eevdf: Fix min_vruntime vs avg_vruntime Zicheng Qu (4): sched: Fix kabi breakage of struct sched_entity for on_rq and rel_deadline sched: Fix kabi breakage of struct cfs_rq for min_vruntime_copy Revert "sched/fair: Only increment deadline once on yield" sched: Fix kabi breakage of struct cfs_rq for zero_vruntime include/linux/sched.h | 4 +- kernel/sched/debug.c | 8 +- kernel/sched/fair.c | 277 ++++++++++++++++++++++++++++++---------- kernel/sched/features.h | 4 + kernel/sched/sched.h | 6 +- 5 files changed, 223 insertions(+), 76 deletions(-) -- 2.34.1

2 11

[PATCH OLK-5.10] i40e: add max boundary check for VF filters
by Fanhua Li 06 Jan '26

06 Jan '26

From: Lukasz Czapnik <lukasz.czapnik(a)intel.com> stable inclusion from stable-v5.10.245 commit e490d8c5a54e0dd1ab22417d72c3a7319cf0f030 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/7939 CVE: CVE-2025-39968 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit cb79fa7118c150c3c76a327894bb2eb878c02619 upstream. There is no check for max filters that VF can request. Add it. Fixes: e284fc280473 ("i40e: Add and delete cloud filter") Cc: stable(a)vger.kernel.org Signed-off-by: Lukasz Czapnik <lukasz.czapnik(a)intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Signed-off-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Tested-by: Rafal Romanowski <rafal.romanowski(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Fanhua Li <lifanhua5(a)huawei.com> --- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c index 83a8130b68500..f29266685b810 100644 --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c @@ -3722,6 +3722,8 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) aq_ret); } +#define I40E_MAX_VF_CLOUD_FILTER 0xFF00 + /** * i40e_vc_add_cloud_filter * @vf: pointer to the VF info @@ -3761,6 +3763,14 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) goto err_out; } + if (vf->num_cloud_filters >= I40E_MAX_VF_CLOUD_FILTER) { + dev_warn(&pf->pdev->dev, + "VF %d: Max number of filters reached, can't apply cloud filter\n", + vf->vf_id); + aq_ret = -ENOSPC; + goto err_out; + } + cfilter = kzalloc(sizeof(*cfilter), GFP_KERNEL); if (!cfilter) return -ENOMEM; -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] drm/client: Fix memory leak in drm_client_target_cloned
by Jinjiang Tu 06 Jan '26

06 Jan '26

From: Jocelyn Falempe <jfalempe(a)redhat.com> stable inclusion from stable-v4.19.291 commit a4b978249e8fa94956fce8b70a709f7797716f62 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12954 CVE: CVE-2023-54091 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected. This fixes the following kmemleak report: backtrace: [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] [<00000000987f19bb>] local_pci_probe+0xdc/0x180 [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 [<0000000000b85301>] process_one_work+0x8b7/0x1540 [<000000003375b17c>] worker_thread+0x70a/0xed0 [<00000000b0d43cd9>] kthread+0x29f/0x340 [<000000008d770833>] ret_from_fork+0x1f/0x30 unreferenced object 0xff11000333089a00 (size 128): cc: <stable(a)vger.kernel.org> Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") Reported-by: Zhang Yi <yizhan(a)redhat.com> Signed-off-by: Jocelyn Falempe <jfalempe(a)redhat.com> Reviewed-by: Javier Martinez Canillas <javierm(a)redhat.com> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalem… Signed-off-by: Jocelyn Falempe <jfalempe(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/gpu/drm/drm_fb_helper.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 4f5e3b3513d8..01ddedeb17fb 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -2228,6 +2228,9 @@ static bool drm_target_cloned(struct drm_fb_helper *fb_helper, can_clone = true; dmt_mode = drm_mode_find_dmt(fb_helper->dev, 1024, 768, 60, false); + if (!dmt_mode) + goto fail; + drm_fb_helper_for_each_connector(fb_helper, i) { if (!enabled[i]) continue; @@ -2244,11 +2247,13 @@ static bool drm_target_cloned(struct drm_fb_helper *fb_helper, if (!modes[i]) can_clone = false; } + kfree(dmt_mode); if (can_clone) { DRM_DEBUG_KMS("can clone using 1024x768\n"); return true; } +fail: DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); return false; } -- 2.43.0

2 1

[PATCH OLK-6.6] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
by Fanhua Li 06 Jan '26

06 Jan '26

From: Seungjin Bae <eeodqql09(a)gmail.com> mainline inclusion from mainline-v6.19-rc1 commit b647d2574e4583c2e3b0ab35568f60c88e910840 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12718 CVE: CVE-2025-68362 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic. Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails. Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)") Signed-off-by: Seungjin Bae <eeodqql09(a)gmail.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://patch.msgid.link/20251118013258.1789949-2-eeodqql09@gmail.com Signed-off-by: Fanhua Li <lifanhua5(a)huawei.com> --- .../wireless/realtek/rtl818x/rtl8187/dev.c | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c index 04945f905d6d0..29ef2cf01b6fc 100644 --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c @@ -338,14 +338,16 @@ static void rtl8187_rx_cb(struct urb *urb) spin_unlock_irqrestore(&priv->rx_queue.lock, f); skb_put(skb, urb->actual_length); - if (unlikely(urb->status)) { - dev_kfree_skb_irq(skb); - return; - } + if (unlikely(urb->status)) + goto free_skb; if (!priv->is_rtl8187b) { - struct rtl8187_rx_hdr *hdr = - (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); + struct rtl8187_rx_hdr *hdr; + + if (skb->len < sizeof(struct rtl8187_rx_hdr)) + goto free_skb; + + hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); flags = le32_to_cpu(hdr->flags); /* As with the RTL8187B below, the AGC is used to calculate * signal strength. In this case, the scaling @@ -355,8 +357,12 @@ static void rtl8187_rx_cb(struct urb *urb) rx_status.antenna = (hdr->signal >> 7) & 1; rx_status.mactime = le64_to_cpu(hdr->mac_time); } else { - struct rtl8187b_rx_hdr *hdr = - (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); + struct rtl8187b_rx_hdr *hdr; + + if (skb->len < sizeof(struct rtl8187b_rx_hdr)) + goto free_skb; + + hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); /* The Realtek datasheet for the RTL8187B shows that the RX * header contains the following quantities: signal quality, * RSSI, AGC, the received power in dB, and the measured SNR. @@ -409,6 +415,11 @@ static void rtl8187_rx_cb(struct urb *urb) skb_unlink(skb, &priv->rx_queue); dev_kfree_skb_irq(skb); } + return; + +free_skb: + dev_kfree_skb_irq(skb); + return; } static int rtl8187_init_urbs(struct ieee80211_hw *dev) -- 2.43.0

2 1

[PATCH] hw/rtc/mc146818rtc: Fix get_guest_rtc_ns() overflow bug
by Jinjie Ruan 06 Jan '26

06 Jan '26

In get_guest_rtc_ns(), "s->base_rtc" is uint64_t, which multiplied by "NANOSECONDS_PER_SECOND" may overflow the uint64_t type. Fix it by avoiding adding s->base_rtc in get_guest_rtc_ns_offset(), because get_guest_rtc_ns() is used either take the remainder of NANOSECONDS_PER_SECOND or take the quotient of NANOSECONDS_PER_SECOND. Fixes: 56038ef6234e ("RTC: Update the RTC clock only when reading it") Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- hw/rtc/mc146818rtc.c | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/hw/rtc/mc146818rtc.c b/hw/rtc/mc146818rtc.c index ccbb279716..0311d567a9 100644 --- a/hw/rtc/mc146818rtc.c +++ b/hw/rtc/mc146818rtc.c @@ -77,12 +77,9 @@ static inline bool rtc_running(MC146818RtcState *s) (s->cmos_data[RTC_REG_A] & 0x70) <= 0x20); } -static uint64_t get_guest_rtc_ns(MC146818RtcState *s) +static uint64_t get_guest_rtc_ns_offset(MC146818RtcState *s) { - uint64_t guest_clock = qemu_clock_get_ns(rtc_clock); - - return s->base_rtc * NANOSECONDS_PER_SECOND + - guest_clock - s->last_update + s->offset; + return qemu_clock_get_ns(rtc_clock) - s->last_update + s->offset; } static void rtc_coalesced_timer_update(MC146818RtcState *s) @@ -258,7 +255,7 @@ static void check_update_timer(MC146818RtcState *s) return; } - guest_nsec = get_guest_rtc_ns(s) % NANOSECONDS_PER_SECOND; + guest_nsec = get_guest_rtc_ns_offset(s) % NANOSECONDS_PER_SECOND; next_update_time = qemu_clock_get_ns(rtc_clock) + NANOSECONDS_PER_SECOND - guest_nsec; @@ -510,7 +507,7 @@ static void cmos_ioport_write(void *opaque, hwaddr addr, /* if disabling set mode, update the time */ if ((s->cmos_data[RTC_REG_B] & REG_B_SET) && (s->cmos_data[RTC_REG_A] & 0x70) <= 0x20) { - s->offset = get_guest_rtc_ns(s) % NANOSECONDS_PER_SECOND; + s->offset = get_guest_rtc_ns_offset(s) % NANOSECONDS_PER_SECOND; rtc_set_time(s); } } @@ -623,10 +620,8 @@ static void rtc_update_time(MC146818RtcState *s) { struct tm ret; time_t guest_sec; - int64_t guest_nsec; - guest_nsec = get_guest_rtc_ns(s); - guest_sec = guest_nsec / NANOSECONDS_PER_SECOND; + guest_sec = s->base_rtc + get_guest_rtc_ns_offset(s) / NANOSECONDS_PER_SECOND; gmtime_r(&guest_sec, &ret); /* Is SET flag of Register B disabled? */ @@ -637,8 +632,6 @@ static void rtc_update_time(MC146818RtcState *s) static int update_in_progress(MC146818RtcState *s) { - int64_t guest_nsec; - if (!rtc_running(s)) { return 0; } @@ -652,9 +645,8 @@ static int update_in_progress(MC146818RtcState *s) } } - guest_nsec = get_guest_rtc_ns(s); /* UIP bit will be set at last 244us of every second. */ - if ((guest_nsec % NANOSECONDS_PER_SECOND) >= + if ((get_guest_rtc_ns_offset(s) % NANOSECONDS_PER_SECOND) >= (NANOSECONDS_PER_SECOND - UIP_HOLD_LENGTH)) { return 1; } -- 2.34.1

1 0

[PATCH OLK-6.6 0/2] Fix SDEI state machine issue during reboot process
by Bowen You 06 Jan '26

06 Jan '26

Bowen You (2): [Huawei] Add sdei interface to check event status [Huawei] Fix SDEI state machine issue during reboot process arch/arm64/kernel/watchdog_sdei.c | 21 ++++++++++++++++++++- drivers/firmware/arm_sdei.c | 6 ++++++ include/linux/arm_sdei.h | 1 + 3 files changed, 27 insertions(+), 1 deletion(-) -- 2.34.1

2 3

[PATCH openEuler-1.0-LTS] scsi: ipr: Fix WARNING in ipr_init()
by Luo Gengkun 06 Jan '26

06 Jan '26

From: Shang XiaoJing <shangxiaojing(a)huawei.com> stable inclusion from stable-v4.19.270 commit 5debd337f534b122f7c5eac6557a41b5636c9b51 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13173 CVE: CVE-2022-50850 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ] ipr_init() will not call unregister_reboot_notifier() when pci_register_driver() fails, which causes a WARNING. Call unregister_reboot_notifier() when pci_register_driver() fails. notifier callback ipr_halt [ipr] already registered WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 notifier_chain_register+0x16d/0x230 Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks agpgart cfbft CPU: 3 PID: 299 Comm: modprobe Tainted: G W 6.1.0-rc1-00190-g39508d23b672-dirty #332 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:notifier_chain_register+0x16d/0x230 Call Trace: <TASK> __blocking_notifier_chain_register+0x73/0xb0 ipr_init+0x30/0x1000 [ipr] do_one_initcall+0xdb/0x480 do_init_module+0x1cf/0x680 load_module+0x6a50/0x70a0 __do_sys_finit_module+0x12f/0x1c0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter") Signed-off-by: Shang XiaoJing <shangxiaojing(a)huawei.com> Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/scsi/ipr.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c index 0e6ca809c0d4..9681c9f4f6ab 100644 --- a/drivers/scsi/ipr.c +++ b/drivers/scsi/ipr.c @@ -10855,11 +10855,19 @@ static struct notifier_block ipr_notifier = { **/ static int __init ipr_init(void) { + int rc; + ipr_info("IBM Power RAID SCSI Device Driver version: %s %s\n", IPR_DRIVER_VERSION, IPR_DRIVER_DATE); register_reboot_notifier(&ipr_notifier); - return pci_register_driver(&ipr_driver); + rc = pci_register_driver(&ipr_driver); + if (rc) { + unregister_reboot_notifier(&ipr_notifier); + return rc; + } + + return 0; } /** -- 2.34.1

2 1

[PATCH OLK-6.6 0/2] Fix SDEI state machine issue during reboot process
by Bowen You 06 Jan '26

06 Jan '26

Bowen You (2): [Huawei] Add sdei interface to check event status [Huawei] Fix SDEI state machine issue during reboot process arch/arm64/kernel/watchdog_sdei.c | 21 ++++++++++++++++++++- drivers/firmware/arm_sdei.c | 6 ++++++ include/linux/arm_sdei.h | 1 + 3 files changed, 27 insertions(+), 1 deletion(-) -- 2.34.1

2 3

[PATCH openEuler-1.0-LTS] ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
by Wang Zhaolong 05 Jan '26

05 Jan '26

From: Zhihao Cheng <chengzhihao1(a)huawei.com> stable inclusion from stable-v4.19.276 commit 84250da1c63cb7d421a3b4812b5c2ce2e47d31a1 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11452 CVE: CVE-2023-53826 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a240bc5c43130c6aa50831d7caaa02a1d84e1bce ] Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show(), for example: __erase_worker eraseblk_count_seq_show wl = ubi->lookuptbl[*block_number] if (wl) wl_entry_destroy ubi->lookuptbl[e->pnum] = NULL kmem_cache_free(ubi_wl_entry_slab, e) erase_count = wl->ec // UAF! Wear-leveling entry updating/accessing in ubi->lookuptbl should be protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize wl entry accessing between wl_entry_destroy() and eraseblk_count_seq_show(). Fetch a reproducer in [Link]. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305 Fixes: 7bccd12d27b7e3 ("ubi: Add debugfs file for tracking PEB state") Fixes: 801c135ce73d5d ("UBI: Unsorted Block Images") Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Richard Weinberger <richard(a)nod.at> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> --- drivers/mtd/ubi/wl.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index c6b62bc16114..5905f5a9ced7 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -876,12 +876,15 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, ubi->move_to_put = ubi->wl_scheduled = 0; spin_unlock(&ubi->wl_lock); err = do_sync_erase(ubi, e1, vol_id, lnum, 0); if (err) { - if (e2) + if (e2) { + spin_lock(&ubi->wl_lock); wl_entry_destroy(ubi, e2); + spin_unlock(&ubi->wl_lock); + } goto out_ro; } if (e2) { /* @@ -1101,18 +1104,22 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk) int err1; /* Re-schedule the LEB for erasure */ err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false); if (err1) { + spin_lock(&ubi->wl_lock); wl_entry_destroy(ubi, e); + spin_unlock(&ubi->wl_lock); err = err1; goto out_ro; } return err; } + spin_lock(&ubi->wl_lock); wl_entry_destroy(ubi, e); + spin_unlock(&ubi->wl_lock); if (err != -EIO) /* * If this is not %-EIO, we have no idea what to do. Scheduling * this physical eraseblock for erasure again would cause * errors again and again. Well, lets switch to R/O mode. -- 2.34.3

2 1