- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
by Wang Tao 11 Oct '25

11 Oct '25

From: Yu Liao <liaoyu15(a)huawei.com> stable inclusion from stable-v4.19.270 commit 5b0f81b0808235967868e01336c976e840217108 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0VFP CVE: CVE-2022-50521 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 727cc0147f5066e359aca65cc6cc5e6d64cc15d8 ] The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method() is not freed after the call, so it leads to memory leak. The method results in ACPI buffer is not used, so just pass NULL to wmi_evaluate_method() which fixes the memory leak. Fixes: 99b38b4acc0d ("platform/x86: add MXM WMI driver.") Signed-off-by: Yu Liao <liaoyu15(a)huawei.com> Link: https://lore.kernel.org/r/20221129011101.2042315-1-liaoyu15@huawei.com Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Tao <wangtao554(a)huawei.com> --- drivers/platform/x86/mxm-wmi.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/platform/x86/mxm-wmi.c b/drivers/platform/x86/mxm-wmi.c index 35d8b9a939f9..9c1893a703e6 100644 --- a/drivers/platform/x86/mxm-wmi.c +++ b/drivers/platform/x86/mxm-wmi.c @@ -48,13 +48,11 @@ int mxm_wmi_call_mxds(int adapter) .xarg = 1, }; struct acpi_buffer input = { (acpi_size)sizeof(args), &args }; - struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; acpi_status status; printk("calling mux switch %d\n", adapter); - status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, - &output); + status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL); if (ACPI_FAILURE(status)) return status; @@ -73,13 +71,11 @@ int mxm_wmi_call_mxmx(int adapter) .xarg = 1, }; struct acpi_buffer input = { (acpi_size)sizeof(args), &args }; - struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL }; acpi_status status; printk("calling mux switch %d\n", adapter); - status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, - &output); + status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL); if (ACPI_FAILURE(status)) return status; -- 2.34.1

2 1

[PATCH OLK-6.6 0/1] Fix CVE-2025-39715
by Hongbo Li 11 Oct '25

11 Oct '25

Fix CVE-2025-39715. John David Anglin (1): parisc: Revise gateway LWS calls to probe user read access arch/parisc/kernel/syscall.S | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) -- 2.34.1

2 2

[PATCH OLK-6.6] workqueue: Fix kabi broken of enum WORK_OFFQ_POOL_SHIFT
by Qi Xi 11 Oct '25

11 Oct '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ID0EGV -------------------------------- Fix kabi broken of enum WORK_OFFQ_POOL_SHIFT Fixes: ff86423eddff ("workqueue: Implement disable/enable for (delayed) work items") Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- include/linux/workqueue.h | 11 ++++++----- kernel/workqueue.c | 12 ++++++------ 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h index 3f1c3e699266..50ff1d28fb31 100644 --- a/include/linux/workqueue.h +++ b/include/linux/workqueue.h @@ -72,15 +72,14 @@ enum { * data contains off-queue information when !WORK_STRUCT_PWQ. * * MSB - * [ pool ID ] [ disable depth ] [ OFFQ flags ] [ STRUCT flags ] - * 16 bits 1 bit 4 or 5 bits + * [ disable depth ] [ pool ID ] [ OFFQ flags ] [ STRUCT flags ] + * 16 bits 1 bit 4 or 5 bits */ WORK_OFFQ_FLAG_SHIFT = WORK_STRUCT_FLAG_BITS, WORK_OFFQ_CANCELING_BIT = WORK_OFFQ_FLAG_SHIFT, WORK_OFFQ_FLAG_END, WORK_OFFQ_FLAG_BITS = WORK_OFFQ_FLAG_END - WORK_OFFQ_FLAG_SHIFT, - WORK_OFFQ_DISABLE_SHIFT = WORK_OFFQ_FLAG_SHIFT + WORK_OFFQ_FLAG_BITS, WORK_OFFQ_DISABLE_BITS = 16, /* @@ -88,10 +87,12 @@ enum { * and the last pool it was on. Cap pool ID to 31 bits and use the * highest number to indicate that no pool is associated. */ - WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_DISABLE_SHIFT + WORK_OFFQ_DISABLE_BITS, - WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT, + WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_SHIFT + WORK_OFFQ_FLAG_BITS, + WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT - WORK_OFFQ_DISABLE_BITS, WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31, + WORK_OFFQ_DISABLE_SHIFT = WORK_OFFQ_POOL_SHIFT + WORK_OFFQ_POOL_BITS, + /* bit mask for work_busy() return values */ WORK_BUSY_PENDING = 1 << 0, WORK_BUSY_RUNNING = 1 << 1, diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 81615eb5562e..fe1afd7fad31 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -722,6 +722,11 @@ static struct pool_workqueue *get_work_pwq(struct work_struct *work) return NULL; } +static unsigned long shift_and_mask(unsigned long v, u32 shift, u32 bits) +{ + return (v >> shift) & ((1U << bits) - 1); +} + /** * get_work_pool - return the worker_pool a given work was associated with * @work: the work item of interest @@ -747,18 +752,13 @@ static struct worker_pool *get_work_pool(struct work_struct *work) if (data & WORK_STRUCT_PWQ) return work_struct_pwq(data)->pool; - pool_id = data >> WORK_OFFQ_POOL_SHIFT; + pool_id = shift_and_mask(data, WORK_OFFQ_POOL_SHIFT, WORK_OFFQ_POOL_BITS); if (pool_id == WORK_OFFQ_POOL_NONE) return NULL; return idr_find(&worker_pool_idr, pool_id); } -static unsigned long shift_and_mask(unsigned long v, u32 shift, u32 bits) -{ - return (v >> shift) & ((1U << bits) - 1); -} - static void work_offqd_unpack(struct work_offq_data *offqd, unsigned long data) { WARN_ON_ONCE(data & WORK_STRUCT_PWQ); -- CodeHub

2 1

[PATCH OLK-6.6] workqueue: Fix kabi broken of enum WORK_OFFQ_POOL_SHIFT
by Qi Xi 11 Oct '25

11 Oct '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ID0EGV -------------------------------- Fix kabi broken of enum WORK_OFFQ_POOL_SHIFT Fixes: ff86423eddf ("[Backport] workqueue: Implement disable/enable for (delayed) work items") Signed-off-by: Qi Xi <xiqi2(a)huawei.com> --- include/linux/workqueue.h | 11 ++++++----- kernel/workqueue.c | 12 ++++++------ 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/include/linux/workqueue.h b/include/linux/workqueue.h index 3f1c3e699266..50ff1d28fb31 100644 --- a/include/linux/workqueue.h +++ b/include/linux/workqueue.h @@ -72,15 +72,14 @@ enum { * data contains off-queue information when !WORK_STRUCT_PWQ. * * MSB - * [ pool ID ] [ disable depth ] [ OFFQ flags ] [ STRUCT flags ] - * 16 bits 1 bit 4 or 5 bits + * [ disable depth ] [ pool ID ] [ OFFQ flags ] [ STRUCT flags ] + * 16 bits 1 bit 4 or 5 bits */ WORK_OFFQ_FLAG_SHIFT = WORK_STRUCT_FLAG_BITS, WORK_OFFQ_CANCELING_BIT = WORK_OFFQ_FLAG_SHIFT, WORK_OFFQ_FLAG_END, WORK_OFFQ_FLAG_BITS = WORK_OFFQ_FLAG_END - WORK_OFFQ_FLAG_SHIFT, - WORK_OFFQ_DISABLE_SHIFT = WORK_OFFQ_FLAG_SHIFT + WORK_OFFQ_FLAG_BITS, WORK_OFFQ_DISABLE_BITS = 16, /* @@ -88,10 +87,12 @@ enum { * and the last pool it was on. Cap pool ID to 31 bits and use the * highest number to indicate that no pool is associated. */ - WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_DISABLE_SHIFT + WORK_OFFQ_DISABLE_BITS, - WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT, + WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_SHIFT + WORK_OFFQ_FLAG_BITS, + WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT - WORK_OFFQ_DISABLE_BITS, WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31, + WORK_OFFQ_DISABLE_SHIFT = WORK_OFFQ_POOL_SHIFT + WORK_OFFQ_POOL_BITS, + /* bit mask for work_busy() return values */ WORK_BUSY_PENDING = 1 << 0, WORK_BUSY_RUNNING = 1 << 1, diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 81615eb5562e..fe1afd7fad31 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -722,6 +722,11 @@ static struct pool_workqueue *get_work_pwq(struct work_struct *work) return NULL; } +static unsigned long shift_and_mask(unsigned long v, u32 shift, u32 bits) +{ + return (v >> shift) & ((1U << bits) - 1); +} + /** * get_work_pool - return the worker_pool a given work was associated with * @work: the work item of interest @@ -747,18 +752,13 @@ static struct worker_pool *get_work_pool(struct work_struct *work) if (data & WORK_STRUCT_PWQ) return work_struct_pwq(data)->pool; - pool_id = data >> WORK_OFFQ_POOL_SHIFT; + pool_id = shift_and_mask(data, WORK_OFFQ_POOL_SHIFT, WORK_OFFQ_POOL_BITS); if (pool_id == WORK_OFFQ_POOL_NONE) return NULL; return idr_find(&worker_pool_idr, pool_id); } -static unsigned long shift_and_mask(unsigned long v, u32 shift, u32 bits) -{ - return (v >> shift) & ((1U << bits) - 1); -} - static void work_offqd_unpack(struct work_offq_data *offqd, unsigned long data) { WARN_ON_ONCE(data & WORK_STRUCT_PWQ); -- CodeHub

2 1

[PATCH openEuler-1.0-LTS 0/2] CVE-2023-53254
by Zhang Qilong 11 Oct '25

11 Oct '25

K Prateek Nayak (1): drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU hotplug Yong-Xuan Wang (1): cacheinfo: Fix shared_cpu_map to handle shared caches at different levels drivers/base/cacheinfo.c | 46 ++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 9 deletions(-) -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
by Cui GaoSheng 11 Oct '25

11 Oct '25

From: Chen Zhongjin <chenzhongjin(a)huawei.com> stable inclusion from stable-v4.19.270 commit cf74d1197c0e3d2f353faa333e9e2847c73713f1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICYQRO CVE: CVE-2022-50414 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ] fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed &fcoe_sw_transport on fcoe_transports list. This causes panic when reinserting module. BUG: unable to handle page fault for address: fffffbfff82e2213 RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe] Call Trace: <TASK> do_one_initcall+0xd0/0x4e0 load_module+0x5eee/0x7210 ... Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver") Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/scsi/fcoe/fcoe.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c index 6768b2e8148a..c5c4805435f6 100644 --- a/drivers/scsi/fcoe/fcoe.c +++ b/drivers/scsi/fcoe/fcoe.c @@ -2519,6 +2519,7 @@ static int __init fcoe_init(void) out_free: mutex_unlock(&fcoe_config_mutex); + fcoe_transport_detach(&fcoe_sw_transport); out_destroy: destroy_workqueue(fcoe_wq); return rc; -- 2.34.1

2 1

[PATCH OLK-6.6] jbd2: prevent softlockup in jbd2_log_do_checkpoint()
by Yongjian Sun 11 Oct '25

11 Oct '25

From: Baokun Li <libaokun1(a)huawei.com> mainline inclusion from mainline-v6.17-rc3 commit 9d98cf4632258720f18265a058e62fde120c0151 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICXMB0 CVE: CVE-2025-39782 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant. jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_resched() is true to avoid softlockups during prolonged operations. But jbd2_log_do_checkpoint() only exits its loop when need_resched() is true, relying on potentially sleeping functions like __flush_batch() or wait_on_buffer() to trigger rescheduling. If those functions do not sleep, the kernel may hit a softlockup. watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373] CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10 Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017 Workqueue: writeback wb_workfn (flush-7:2) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : native_queued_spin_lock_slowpath+0x358/0x418 lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] Call trace: native_queued_spin_lock_slowpath+0x358/0x418 jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2] add_transaction_credits+0x3bc/0x418 [jbd2] start_this_handle+0xf8/0x560 [jbd2] jbd2__journal_start+0x118/0x228 [jbd2] __ext4_journal_start_sb+0x110/0x188 [ext4] ext4_do_writepages+0x3dc/0x740 [ext4] ext4_writepages+0xa4/0x190 [ext4] do_writepages+0x94/0x228 __writeback_single_inode+0x48/0x318 writeback_sb_inodes+0x204/0x590 __writeback_inodes_wb+0x54/0xf8 wb_writeback+0x2cc/0x3d8 wb_do_writeback+0x2e0/0x2f8 wb_workfn+0x80/0x2a8 process_one_work+0x178/0x3e8 worker_thread+0x234/0x3b8 kthread+0xf0/0x108 ret_from_fork+0x10/0x20 So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid softlockup. Cc: stable(a)kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Yongjian Sun <sunyongjian1(a)huawei.com> --- fs/jbd2/checkpoint.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jbd2/checkpoint.c b/fs/jbd2/checkpoint.c index 8fda66c98a61..368ae50d8a59 100644 --- a/fs/jbd2/checkpoint.c +++ b/fs/jbd2/checkpoint.c @@ -285,6 +285,7 @@ int jbd2_log_do_checkpoint(journal_t *journal) retry: if (batch_count) __flush_batch(journal, &batch_count); + cond_resched(); spin_lock(&journal->j_list_lock); goto restart; } -- 2.46.1

2 1

[PATCH openEuler-1.0-LTS 2/2] drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU hotplug
by Zhang Qilong 11 Oct '25

11 Oct '25

From: K Prateek Nayak <kprateek.nayak(a)amd.com> stable inclusion from stable-v6.1.33 commit 4d776371127ec55590d49eea7579e77f555548ad category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY4B5 CVE: CVE-2023-53254 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 126310c9f669c9a8c875a3e5c2292299ca90225d ] While building the shared_cpu_map, check if the cache level and cache type matches. On certain systems that build the cache topology based on the instance ID, there are cases where the same ID may repeat across multiple cache levels, leading inaccurate topology. In event of CPU offlining, the cache_shared_cpu_map_remove() does not consider if IDs at same level are being compared. As a result, when same IDs repeat across different cache levels, the CPU going offline is not removed from all the shared_cpu_map. Below is the output of cache topology of CPU8 and it's SMT sibling after CPU8 is offlined on a dual socket 3rd Generation AMD EPYC processor (2 x 64C/128T) running kernel release v6.3: # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 # echo 0 > /sys/devices/system/cpu/cpu8/online # for i in /sys/devices/system/cpu/cpu136/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list: 136 /sys/devices/system/cpu/cpu136/cache/index1/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu136/cache/index2/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list: 9-15,136-143 CPU8 is removed from index0 (L1i) but remains in the shared_cpu_list of index1 (L1d) and index2 (L2). Since L1i, L1d, and L2 are shared by the SMT siblings, and they have the same cache instance ID, CPU 2 is only removed from the first index with matching ID which is index1 (L1i) in this case. With this fix, the results are as expected when performing the same experiment on the same system: # for i in /sys/devices/system/cpu/cpu8/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done /sys/devices/system/cpu/cpu8/cache/index0/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu8/cache/index1/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu8/cache/index2/shared_cpu_list: 8,136 /sys/devices/system/cpu/cpu8/cache/index3/shared_cpu_list: 8-15,136-143 # echo 0 > /sys/devices/system/cpu/cpu8/online # for i in /sys/devices/system/cpu/cpu136/cache/index*/shared_cpu_list; do echo -n "$i: "; cat $i; done /sys/devices/system/cpu/cpu136/cache/index0/shared_cpu_list: 136 /sys/devices/system/cpu/cpu136/cache/index1/shared_cpu_list: 136 /sys/devices/system/cpu/cpu136/cache/index2/shared_cpu_list: 136 /sys/devices/system/cpu/cpu136/cache/index3/shared_cpu_list: 9-15,136-143 When rebuilding topology, the same problem appears as cache_shared_cpu_map_setup() implements a similar logic. Consider the same 3rd Generation EPYC processor: CPUs in Core 1, that share the L1 and L2 caches, have L1 and L2 instance ID as 1. For all the CPUs on the second chiplet, the L3 ID is also 1 leading to grouping on CPUs from Core 1 (1, 17) and the entire second chiplet (8-15, 24-31) as CPUs sharing one cache domain. This went undetected since x86 processors depended on arch specific populate_cache_leaves() method to repopulate the shared_cpus_map when CPU came back online until kernel release v6.3-rc5. Fixes: 198102c9103f ("cacheinfo: Fix shared_cpu_map to handle shared caches at different levels") Signed-off-by: K Prateek Nayak <kprateek.nayak(a)amd.com> Reviewed-by: Sudeep Holla <sudeep.holla(a)arm.com> Link: https://lore.kernel.org/r/20230508084115.1157-2-kprateek.nayak@amd.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/base/cacheinfo.c [conflict due to code line difference] Signed-off-by: Zhang Qilong <zhangqilong3(a)huawei.com> --- drivers/base/cacheinfo.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c index 0709d03ffe3b..c415519f8db2 100644 --- a/drivers/base/cacheinfo.c +++ b/drivers/base/cacheinfo.c @@ -285,10 +285,20 @@ static int cache_shared_cpu_map_setup(unsigned int cpu) if (i == cpu || !sib_cpu_ci->info_list) continue;/* skip if itself or no cacheinfo */ for (sib_index = 0; sib_index < cache_leaves(i); sib_index++) { sib_leaf = sib_cpu_ci->info_list + sib_index; + + /* + * Comparing cache IDs only makes sense if the leaves + * belong to the same cache level of same type. Skip + * the check if level and type do not match. + */ + if (sib_leaf->level != this_leaf->level || + sib_leaf->type != this_leaf->type) + continue; + if (cache_leaves_are_shared(this_leaf, sib_leaf)) { cpumask_set_cpu(cpu, &sib_leaf->shared_cpu_map); cpumask_set_cpu(i, &this_leaf->shared_cpu_map); break; } @@ -320,10 +330,20 @@ static void cache_shared_cpu_map_remove(unsigned int cpu) if (!sib_cpu_ci->info_list) continue; for (sib_index = 0; sib_index < cache_leaves(sibling); sib_index++) { sib_leaf = sib_cpu_ci->info_list + sib_index; + + /* + * Comparing cache IDs only makes sense if the leaves + * belong to the same cache level of same type. Skip + * the check if level and type do not match. + */ + if (sib_leaf->level != this_leaf->level || + sib_leaf->type != this_leaf->type) + continue; + if (cache_leaves_are_shared(this_leaf, sib_leaf)) { cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map); cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map); break; } -- 2.43.0

1 0

[PATCH openEuler-1.0-LTS 1/2] cacheinfo: Fix shared_cpu_map to handle shared caches at different levels
by Zhang Qilong 11 Oct '25

11 Oct '25

From: Yong-Xuan Wang <yongxuan.wang(a)sifive.com> stable inclusion from stable-v6.1.18 commit 2f588d0345d69a35e451077afed428fd057a5e34 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICY4B5 CVE: CVE-2023-53254 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 198102c9103fc78d8478495971947af77edb05c1 ] The cacheinfo sets up the shared_cpu_map by checking whether the caches with the same index are shared between CPUs. However, this will trigger slab-out-of-bounds access if the CPUs do not have the same cache hierarchy. Another problem is the mismatched shared_cpu_map when the shared cache does not have the same index between CPUs. CPU0 I D L3 index 0 1 2 x ^ ^ ^ ^ index 0 1 2 3 CPU1 I D L2 L3 This patch checks each cache is shared with all caches on other CPUs. Reviewed-by: Pierre Gondois <pierre.gondois(a)arm.com> Signed-off-by: Yong-Xuan Wang <yongxuan.wang(a)sifive.com> Link: https://lore.kernel.org/r/20230117105133.4445-2-yongxuan.wang@sifive.com Signed-off-by: Sudeep Holla <sudeep.holla(a)arm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/base/cacheinfo.c [conflict due to commit b14e8d21f7 ("cacheinfo: Add helper to access any cache index for a given CPU") is not backport] Signed-off-by: Zhang Qilong <zhangqilong3(a)huawei.com> --- drivers/base/cacheinfo.c | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/drivers/base/cacheinfo.c b/drivers/base/cacheinfo.c index 91a7e2b22e98..0709d03ffe3b 100644 --- a/drivers/base/cacheinfo.c +++ b/drivers/base/cacheinfo.c @@ -255,11 +255,11 @@ unsigned int coherency_max_size; static int cache_shared_cpu_map_setup(unsigned int cpu) { struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); struct cacheinfo *this_leaf, *sib_leaf; - unsigned int index; + unsigned int index, sib_index; int ret = 0; if (this_cpu_ci->cpu_map_populated) return 0; @@ -283,14 +283,17 @@ static int cache_shared_cpu_map_setup(unsigned int cpu) for_each_online_cpu(i) { struct cpu_cacheinfo *sib_cpu_ci = get_cpu_cacheinfo(i); if (i == cpu || !sib_cpu_ci->info_list) continue;/* skip if itself or no cacheinfo */ - sib_leaf = sib_cpu_ci->info_list + index; - if (cache_leaves_are_shared(this_leaf, sib_leaf)) { - cpumask_set_cpu(cpu, &sib_leaf->shared_cpu_map); - cpumask_set_cpu(i, &this_leaf->shared_cpu_map); + for (sib_index = 0; sib_index < cache_leaves(i); sib_index++) { + sib_leaf = sib_cpu_ci->info_list + sib_index; + if (cache_leaves_are_shared(this_leaf, sib_leaf)) { + cpumask_set_cpu(cpu, &sib_leaf->shared_cpu_map); + cpumask_set_cpu(i, &this_leaf->shared_cpu_map); + break; + } } } /* record the maximum cache line size */ if (this_leaf->coherency_line_size > coherency_max_size) coherency_max_size = this_leaf->coherency_line_size; @@ -301,11 +304,11 @@ static int cache_shared_cpu_map_setup(unsigned int cpu) static void cache_shared_cpu_map_remove(unsigned int cpu) { struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); struct cacheinfo *this_leaf, *sib_leaf; - unsigned int sibling, index; + unsigned int sibling, index, sib_index; for (index = 0; index < cache_leaves(cpu); index++) { this_leaf = this_cpu_ci->info_list + index; for_each_cpu(sibling, &this_leaf->shared_cpu_map) { struct cpu_cacheinfo *sib_cpu_ci; @@ -315,13 +318,18 @@ static void cache_shared_cpu_map_remove(unsigned int cpu) sib_cpu_ci = get_cpu_cacheinfo(sibling); if (!sib_cpu_ci->info_list) continue; - sib_leaf = sib_cpu_ci->info_list + index; - cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map); - cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map); + for (sib_index = 0; sib_index < cache_leaves(sibling); sib_index++) { + sib_leaf = sib_cpu_ci->info_list + sib_index; + if (cache_leaves_are_shared(this_leaf, sib_leaf)) { + cpumask_clear_cpu(cpu, &sib_leaf->shared_cpu_map); + cpumask_clear_cpu(sibling, &this_leaf->shared_cpu_map); + break; + } + } } if (of_have_populated_dt()) of_node_put(this_leaf->fw_token); } } -- 2.43.0

1 0

[openeuler:openEuler-1.0-LTS 1740/1740] mm/mem_reliable.c:401:5: sparse: sparse: symbol 'reliable_pagecache_max_bytes_write' was not declared. Should it be static?
by kernel test robot 11 Oct '25

11 Oct '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 0e7e343932646d9a28d9b5f8b025d781051fa52a commit: 6943b93b464351cbc35aa002e86bac48e08b1c3f [1740/1740] mm: add support for limiting the usage of reliable memory in pagecache config: arm64-randconfig-r121-20250729 (https://download.01.org/0day-ci/archive/20251011/202510110718.TQCEC66v-lkp@…) compiler: aarch64-linux-gcc (GCC) 15.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251011/202510110718.TQCEC66v-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510110718.TQCEC66v-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) mm/mem_reliable.c:39:1: sparse: sparse: symbol 'pagecache_reliable_pages' was not declared. Should it be static? mm/mem_reliable.c:67:14: sparse: sparse: restricted gfp_t degrades to integer mm/mem_reliable.c:250:5: sparse: sparse: symbol 'reliable_limit_handler' was not declared. Should it be static? mm/mem_reliable.c:323:5: sparse: sparse: symbol 'reliable_debug_handler' was not declared. Should it be static? mm/mem_reliable.c:356:5: sparse: sparse: symbol 'reliable_reserve_size_handler' was not declared. Should it be static? >> mm/mem_reliable.c:401:5: sparse: sparse: symbol 'reliable_pagecache_max_bytes_write' was not declared. Should it be static? >> mm/mem_reliable.c:487:14: sparse: sparse: invalid assignment: |= mm/mem_reliable.c:487:14: sparse: left side has type restricted gfp_t mm/mem_reliable.c:487:14: sparse: right side has type unsigned int mm/mem_reliable.c:491:14: sparse: sparse: invalid assignment: &= mm/mem_reliable.c:491:14: sparse: left side has type restricted gfp_t mm/mem_reliable.c:491:14: sparse: right side has type unsigned int mm/mem_reliable.c:250:5: warning: no previous prototype for 'reliable_limit_handler' [-Wmissing-prototypes] 250 | int reliable_limit_handler(struct ctl_table *table, int write, | ^~~~~~~~~~~~~~~~~~~~~~ mm/mem_reliable.c:323:5: warning: no previous prototype for 'reliable_debug_handler' [-Wmissing-prototypes] 323 | int reliable_debug_handler(struct ctl_table *table, int write, | ^~~~~~~~~~~~~~~~~~~~~~ mm/mem_reliable.c:356:5: warning: no previous prototype for 'reliable_reserve_size_handler' [-Wmissing-prototypes] 356 | int reliable_reserve_size_handler(struct ctl_table *table, int write, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/mem_reliable.c:401:5: warning: no previous prototype for 'reliable_pagecache_max_bytes_write' [-Wmissing-prototypes] 401 | int reliable_pagecache_max_bytes_write(struct ctl_table *table, int write, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/reliable_pagecache_max_bytes_write +401 mm/mem_reliable.c 400 > 401 int reliable_pagecache_max_bytes_write(struct ctl_table *table, int write, 402 void __user *buffer, size_t *length, loff_t *ppos) 403 { 404 unsigned long old_value = reliable_pagecache_max_bytes; 405 int ret; 406 407 ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); 408 if (!ret && write) { 409 if (reliable_pagecache_max_bytes > total_reliable_mem_sz()) { 410 reliable_pagecache_max_bytes = old_value; 411 return -EINVAL; 412 } 413 } 414 415 return ret; 416 } 417 418 static struct ctl_table reliable_ctl_table[] = { 419 { 420 .procname = "task_reliable_limit", 421 .data = &task_reliable_limit, 422 .maxlen = sizeof(task_reliable_limit), 423 .mode = 0644, 424 .proc_handler = reliable_limit_handler, 425 }, 426 { 427 .procname = "reliable_debug", 428 .data = &mem_reliable_ctrl_bits, 429 .maxlen = sizeof(mem_reliable_ctrl_bits), 430 .mode = 0600, 431 .proc_handler = reliable_debug_handler, 432 }, 433 { 434 .procname = "reliable_reserve_size", 435 .data = &sysctl_reliable_reserve_size, 436 .maxlen = sizeof(sysctl_reliable_reserve_size), 437 .mode = 0644, 438 .proc_handler = reliable_reserve_size_handler, 439 }, 440 #ifdef CONFIG_SHMEM 441 { 442 .procname = "shmem_reliable_bytes_limit", 443 .data = &sysctl_shmem_reliable_bytes_limit, 444 .maxlen = sizeof(sysctl_shmem_reliable_bytes_limit), 445 .mode = 0644, 446 .proc_handler = reliable_shmem_bytes_limit_handler, 447 }, 448 #endif 449 { 450 .procname = "reliable_pagecache_max_bytes", 451 .data = &reliable_pagecache_max_bytes, 452 .maxlen = sizeof(reliable_pagecache_max_bytes), 453 .mode = 0644, 454 .proc_handler = reliable_pagecache_max_bytes_write, 455 .extra1 = &zero, 456 }, 457 {} 458 }; 459 460 static struct ctl_table reliable_dir_table[] = { 461 { 462 .procname = "vm", 463 .maxlen = 0, 464 .mode = 0555, 465 .child = reliable_ctl_table, 466 }, 467 {} 468 }; 469 470 void page_cache_prepare_alloc(gfp_t *gfp) 471 { 472 long nr_reliable = 0; 473 int cpu; 474 475 if (!mem_reliable_is_enabled()) 476 return; 477 478 for_each_possible_cpu(cpu) 479 nr_reliable += this_cpu_read(pagecache_reliable_pages); 480 481 if (nr_reliable < 0) 482 goto no_reliable; 483 484 if (nr_reliable > reliable_pagecache_max_bytes >> PAGE_SHIFT) 485 goto no_reliable; 486 > 487 *gfp |= ___GFP_RELIABILITY; 488 return; 489 490 no_reliable: 491 *gfp &= ~___GFP_RELIABILITY; 492 } 493 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0