- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] bpf: Free special fields when update [lru_,]percpu_hash maps
by Luo Gengkun 25 Dec '25

25 Dec '25

From: Leon Hwang <leon.hwang(a)linux.dev> mainline inclusion from mainline-v6.19-rc1 commit 6af6e49a76c9af7d42eb923703e7648cb2bf401a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/12705 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'. Fixes: 65334e64a493 ("bpf: Support kptrs in percpu hashmap and percpu LRU hashmap") Signed-off-by: Leon Hwang <leon.hwang(a)linux.dev> Acked-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20251105151407.12723-2-leon.hwang@linux.dev Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- kernel/bpf/hashtab.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index fdc74aeaa164..46e833e5666b 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -957,15 +957,21 @@ static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr, void *value, bool onallcpus) { + void *ptr; + if (!onallcpus) { /* copy true value_size bytes */ - copy_map_value(&htab->map, this_cpu_ptr(pptr), value); + ptr = this_cpu_ptr(pptr); + copy_map_value(&htab->map, ptr, value); + bpf_obj_free_fields(htab->map.record, ptr); } else { u32 size = round_up(htab->map.value_size, 8); int off = 0, cpu; for_each_possible_cpu(cpu) { - copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value + off); + ptr = per_cpu_ptr(pptr, cpu); + copy_map_value_long(&htab->map, ptr, value + off); + bpf_obj_free_fields(htab->map.record, ptr); off += size; } } -- 2.34.1

2 1

[openeuler:openEuler-1.0-LTS 1942/1942] drivers/net/ethernet/microchip/lan743x_ptp.c:985:6: warning: no previous prototype for function 'lan743x_ptp_set_sync_ts_insert'
by kernel test robot 25 Dec '25

25 Dec '25

Hi Bryan, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 4e9c55920995d70b3e88b60c69753df54b03fdf4 commit: 07624df1c9efd4b7f2f6762581587c590b03c7a2 [1942/1942] lan743x: lan743x: Add PTP support config: x86_64-randconfig-071-20251213 (https://download.01.org/0day-ci/archive/20251225/202512250737.MecjkLdA-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 1335a05ab8bc8339ce24be3a9da89d8c3f4e0571) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512250737.MecjkLdA-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512250737.MecjkLdA-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from <built-in>:2: In file included from include/linux/compiler_types.h:78: include/linux/compiler-clang.h:25:9: warning: '__SANITIZE_ADDRESS__' macro redefined [-Wmacro-redefined] 25 | #define __SANITIZE_ADDRESS__ | ^ <built-in>:353:9: note: previous definition is here 353 | #define __SANITIZE_ADDRESS__ 1 | ^ drivers/net/ethernet/microchip/lan743x_ptp.c:781:28: error: no member named 'ptp_clock' in 'struct lan743x_ptp' 781 | ptp_schedule_worker(ptp->ptp_clock, 0); | ~~~ ^ drivers/net/ethernet/microchip/lan743x_ptp.c:879:6: warning: unused variable 'ret' [-Wunused-variable] 879 | int ret = -ENODEV; | ^~~ >> drivers/net/ethernet/microchip/lan743x_ptp.c:985:6: warning: no previous prototype for function 'lan743x_ptp_set_sync_ts_insert' [-Wmissing-prototypes] 985 | void lan743x_ptp_set_sync_ts_insert(struct lan743x_adapter *adapter, | ^ drivers/net/ethernet/microchip/lan743x_ptp.c:985:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 985 | void lan743x_ptp_set_sync_ts_insert(struct lan743x_adapter *adapter, | ^ | static 3 warnings and 1 error generated. vim +/lan743x_ptp_set_sync_ts_insert +985 drivers/net/ethernet/microchip/lan743x_ptp.c 984 > 985 void lan743x_ptp_set_sync_ts_insert(struct lan743x_adapter *adapter, 986 bool ts_insert_enable) 987 { 988 u32 ptp_tx_mod = lan743x_csr_read(adapter, PTP_TX_MOD); 989 990 if (ts_insert_enable) 991 ptp_tx_mod |= PTP_TX_MOD_TX_PTP_SYNC_TS_INSERT_; 992 else 993 ptp_tx_mod &= ~PTP_TX_MOD_TX_PTP_SYNC_TS_INSERT_; 994 995 lan743x_csr_write(adapter, PTP_TX_MOD, ptp_tx_mod); 996 } 997 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 3406/3406] kernel/cgroup/cgroup.c:6734: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd_v2'
by kernel test robot 25 Dec '25

25 Dec '25

Hi Liu, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 1588d318a9e388d05b6cf5e2a63134c8beb6a355 commit: 56fee14453059f894b018d08071826d47e634800 [3406/3406] cgroup: make cgroup_bpf_prog_attach work when cgroup2 is not mounted config: arm64-randconfig-003-20251211 (https://download.01.org/0day-ci/archive/20251225/202512250139.hi51ZBjo-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512250139.hi51ZBjo-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512250139.hi51ZBjo-lkp@intel.com/ All warnings (new ones prefixed by >>): kernel/cgroup/cgroup.c:6217: warning: Function parameter or member 'f' not described in 'cgroup_get_from_file' kernel/cgroup/cgroup.c:6369: warning: Function parameter or member 'kargs' not described in 'cgroup_can_fork' kernel/cgroup/cgroup.c:6430: warning: Function parameter or member 'kargs' not described in 'cgroup_post_fork' kernel/cgroup/cgroup.c:6716: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd' >> kernel/cgroup/cgroup.c:6734: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd_v2' vim +6734 kernel/cgroup/cgroup.c 6729 6730 /** 6731 * same with cgroup_get_from_fd, only add cgrp_dfl_visible check 6732 */ 6733 struct cgroup *cgroup_get_from_fd_v2(int fd) > 6734 { 6735 struct cgroup *cgrp = cgroup_v1v2_get_from_fd(fd); 6736 6737 if (IS_ERR(cgrp)) 6738 return ERR_CAST(cgrp); 6739 6740 if (!cgroup_on_dfl(cgrp)) { 6741 cgroup_put(cgrp); 6742 if (cgrp_dfl_visible) 6743 return ERR_PTR(-EBADF); 6744 6745 cgrp = &cgrp_dfl_root.cgrp; 6746 cgroup_get(cgrp); 6747 } 6748 return cgrp; 6749 } 6750 EXPORT_SYMBOL_GPL(cgroup_get_from_fd_v2); 6751 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 3406/3406] kernel/task_work.c:84: warning: Function parameter or member 'data' not described in 'task_work_cancel_match'
by kernel test robot 25 Dec '25

25 Dec '25

Hi Jens, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 1588d318a9e388d05b6cf5e2a63134c8beb6a355 commit: 8802b2dc61376ea4727dba6630f81697da540e85 [3406/3406] task_work: add helper for more targeted task_work canceling config: arm64-randconfig-003-20251211 (https://download.01.org/0day-ci/archive/20251225/202512250050.7RnKXs39-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512250050.7RnKXs39-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512250050.7RnKXs39-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/task_work.c:84: warning: Function parameter or member 'data' not described in 'task_work_cancel_match' vim +84 kernel/task_work.c e73f8959af0439 Oleg Nesterov 2012-05-11 71 892f6668f3a708 Oleg Nesterov 2013-09-11 72 /** 8802b2dc61376e Jens Axboe 2023-02-28 73 * task_work_cancel_match - cancel a pending work added by task_work_add() 892f6668f3a708 Oleg Nesterov 2013-09-11 74 * @task: the task which should execute the work 8802b2dc61376e Jens Axboe 2023-02-28 75 * @match: match function to call 892f6668f3a708 Oleg Nesterov 2013-09-11 76 * 892f6668f3a708 Oleg Nesterov 2013-09-11 77 * RETURNS: 892f6668f3a708 Oleg Nesterov 2013-09-11 78 * The found work or NULL if not found. 892f6668f3a708 Oleg Nesterov 2013-09-11 79 */ 67d1214551e800 Al Viro 2012-06-27 80 struct callback_head * 8802b2dc61376e Jens Axboe 2023-02-28 81 task_work_cancel_match(struct task_struct *task, 8802b2dc61376e Jens Axboe 2023-02-28 82 bool (*match)(struct callback_head *, void *data), 8802b2dc61376e Jens Axboe 2023-02-28 83 void *data) e73f8959af0439 Oleg Nesterov 2012-05-11 @84 { ac3d0da8f3290b Oleg Nesterov 2012-08-26 85 struct callback_head **pprev = &task->task_works; 205e550a0fb469 Oleg Nesterov 2013-09-11 86 struct callback_head *work; e73f8959af0439 Oleg Nesterov 2012-05-11 87 unsigned long flags; 61e96496d3c949 Oleg Nesterov 2016-08-02 88 61e96496d3c949 Oleg Nesterov 2016-08-02 89 if (likely(!task->task_works)) 61e96496d3c949 Oleg Nesterov 2016-08-02 90 return NULL; ac3d0da8f3290b Oleg Nesterov 2012-08-26 91 /* ac3d0da8f3290b Oleg Nesterov 2012-08-26 92 * If cmpxchg() fails we continue without updating pprev. ac3d0da8f3290b Oleg Nesterov 2012-08-26 93 * Either we raced with task_work_add() which added the ac3d0da8f3290b Oleg Nesterov 2012-08-26 94 * new entry before this work, we will find it again. Or 9da33de62431c7 Oleg Nesterov 2012-08-26 95 * we raced with task_work_run(), *pprev == NULL/exited. ac3d0da8f3290b Oleg Nesterov 2012-08-26 96 */ e73f8959af0439 Oleg Nesterov 2012-05-11 97 raw_spin_lock_irqsave(&task->pi_lock, flags); 506458efaf153c Will Deacon 2017-10-24 98 while ((work = READ_ONCE(*pprev))) { 8802b2dc61376e Jens Axboe 2023-02-28 99 if (!match(work, data)) ac3d0da8f3290b Oleg Nesterov 2012-08-26 100 pprev = &work->next; ac3d0da8f3290b Oleg Nesterov 2012-08-26 101 else if (cmpxchg(pprev, work, work->next) == work) 158e1645e07f3e Al Viro 2012-06-27 102 break; 158e1645e07f3e Al Viro 2012-06-27 103 } e73f8959af0439 Oleg Nesterov 2012-05-11 104 raw_spin_unlock_irqrestore(&task->pi_lock, flags); ac3d0da8f3290b Oleg Nesterov 2012-08-26 105 ac3d0da8f3290b Oleg Nesterov 2012-08-26 106 return work; e73f8959af0439 Oleg Nesterov 2012-05-11 107 } e73f8959af0439 Oleg Nesterov 2012-05-11 108 :::::: The code at line 84 was first introduced by commit :::::: e73f8959af0439d114847eab5a8a5ce48f1217c4 task_work_add: generic process-context callbacks :::::: TO: Oleg Nesterov <oleg(a)redhat.com> :::::: CC: Al Viro <viro(a)zeniv.linux.org.uk> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] [Backport] nvmet-fc: avoid scheduling association deletion twice
by Chen Jinghuang 24 Dec '25

24 Dec '25

From: Daniel Wagner <wagi(a)kernel.org> stable inclusion from stable-v6.6.117 commit 601ed47b2363c24d948d7bac0c23abc8bd459570 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11412 CVE: CVE-2025-40343 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit f2537be4f8421f6495edfa0bc284d722f253841d ] When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Closes: https://lore.kernel.org/all/rsdinhafrtlguauhesmrrzkybpnvwantwmyfq2ih5areggh… Reviewed-by: Hannes Reinecke <hare(a)suse.de> Signed-off-by: Daniel Wagner <wagi(a)kernel.org> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- drivers/nvme/target/fc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index a15e764bae35..188b9f1bdaca 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -1090,6 +1090,14 @@ nvmet_fc_delete_assoc_work(struct work_struct *work) static void nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) { + int terminating; + + terminating = atomic_xchg(&assoc->terminating, 1); + + /* if already terminating, do nothing */ + if (terminating) + return; + nvmet_fc_tgtport_get(assoc->tgtport); if (!queue_work(nvmet_wq, &assoc->del_work)) nvmet_fc_tgtport_put(assoc->tgtport); @@ -1209,13 +1217,7 @@ nvmet_fc_delete_target_assoc(struct nvmet_fc_tgt_assoc *assoc) { struct nvmet_fc_tgtport *tgtport = assoc->tgtport; unsigned long flags; - int i, terminating; - - terminating = atomic_xchg(&assoc->terminating, 1); - - /* if already terminating, do nothing */ - if (terminating) - return; + int i; spin_lock_irqsave(&tgtport->lock, flags); list_del_rcu(&assoc->a_list); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] md/raid10: fix null-ptr-deref in raid10_sync_request
by Zheng Qixing 24 Dec '25

24 Dec '25

From: Li Nan <linan122(a)huawei.com> stable inclusion from stable-v4.19.283 commit 38d33593260536840b49fd1dcac9aedfd14a9d42 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBOQL CVE: CVE-2023-53832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit a405c6f0229526160aa3f177f65e20c86fce84c5 upstream. init_resync() inits mempool and sets conf->have_replacemnt at the beginning of sync, close_sync() frees the mempool when sync is completed. After [1] recovery might be skipped and init_resync() is called but close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio. The following is one way to reproduce the issue. 1) create a array, wait for resync to complete, mddev->recovery_cp is set to MaxSector. 2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() not called. 3) some io errors and rdev A is set to WantReplacement. 4) a new device is added and set to A's replacement. 5) recovery is woken, A have replacement, but conf->have_replacemnt is 0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref occurs. Fix it by not calling init_resync() if recovery skipped. [1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled") Fixes: 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled") Cc: stable(a)vger.kernel.org Signed-off-by: Li Nan <linan122(a)huawei.com> Signed-off-by: Song Liu <song(a)kernel.org> Link: https://lore.kernel.org/r/20230222041000.3341651-3-linan666@huaweicloud.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/md/raid10.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c index 5f0a20174979..67493be59f7f 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -2989,10 +2989,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, sector_t chunk_mask = conf->geo.chunk_mask; int page_idx = 0; - if (!mempool_initialized(&conf->r10buf_pool)) - if (init_resync(conf)) - return 0; - /* * Allow skipping a full rebuild for incremental assembly * of a clean array, like RAID1 does. @@ -3008,6 +3004,10 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, return mddev->dev_sectors - sector_nr; } + if (!mempool_initialized(&conf->r10buf_pool)) + if (init_resync(conf)) + return 0; + skipped: max_sector = mddev->dev_sectors; if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) || -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 24 Dec '25

24 Dec '25

From: Bart Van Assche <bvanassche(a)acm.org> mainline inclusion from mainline-v6.18-rc7 commit 90449f2d1e1f020835cba5417234636937dd657e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDATPD CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------ sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 7c9c63be214d..4698b79a62ff 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2208,9 +2208,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2

2 1

[PATCH OLK-5.10] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 24 Dec '25

24 Dec '25

From: Bart Van Assche <bvanassche(a)acm.org> stable inclusion from stable-v5.10.247 commit db6ac8703ab2b473e1ec845f57f6dd961a388d9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDATPD CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit 90449f2d1e1f020835cba5417234636937dd657e upstream. sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index fbd973b184bb..98baa9cd46bf 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2235,9 +2235,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2

2 1

[PATCH OLK-6.6] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 24 Dec '25

24 Dec '25

From: Bart Van Assche <bvanassche(a)acm.org> stable inclusion from stable-v6.6.118 commit b343cee5df7e750d9033fba33e96fc4399fa88a5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDATPD CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit 90449f2d1e1f020835cba5417234636937dd657e upstream. sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 62574886a911..9258a1a8c23c 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2212,9 +2212,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2

2 1

[PATCH] [Backport] nvmet-fc: avoid scheduling association deletion twice
by Chen Jinghuang 24 Dec '25

24 Dec '25

From: Daniel Wagner <wagi(a)kernel.org> stable inclusion from stable-v6.6.117 commit 601ed47b2363c24d948d7bac0c23abc8bd459570 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11412 CVE: CVE-2025-40343 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit f2537be4f8421f6495edfa0bc284d722f253841d ] When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Closes: https://lore.kernel.org/all/rsdinhafrtlguauhesmrrzkybpnvwantwmyfq2ih5areggh… Reviewed-by: Hannes Reinecke <hare(a)suse.de> Signed-off-by: Daniel Wagner <wagi(a)kernel.org> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- drivers/nvme/target/fc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index a15e764bae35..188b9f1bdaca 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -1090,6 +1090,14 @@ nvmet_fc_delete_assoc_work(struct work_struct *work) static void nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) { + int terminating; + + terminating = atomic_xchg(&assoc->terminating, 1); + + /* if already terminating, do nothing */ + if (terminating) + return; + nvmet_fc_tgtport_get(assoc->tgtport); if (!queue_work(nvmet_wq, &assoc->del_work)) nvmet_fc_tgtport_put(assoc->tgtport); @@ -1209,13 +1217,7 @@ nvmet_fc_delete_target_assoc(struct nvmet_fc_tgt_assoc *assoc) { struct nvmet_fc_tgtport *tgtport = assoc->tgtport; unsigned long flags; - int i, terminating; - - terminating = atomic_xchg(&assoc->terminating, 1); - - /* if already terminating, do nothing */ - if (terminating) - return; + int i; spin_lock_irqsave(&tgtport->lock, flags); list_del_rcu(&assoc->a_list); -- 2.34.1

1 0