- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6 0/2] Fix CVE-2026-31709
by Zizhi Wo 03 Jun '26

03 Jun '26

Fix CVE-2026-31709 Michael Bommarito (2): smb: client: validate the whole DACL before rewriting it in cifsacl smb: client: scope end_of_dacl to CIFS_DEBUG2 use in parse_dacl fs/smb/client/cifsacl.c | 114 +++++++++++++++++++++++++++++----------- 1 file changed, 84 insertions(+), 30 deletions(-) -- 2.52.0

2 3

[PATCH OLK-6.6] smb: client: validate the whole DACL before rewriting it in cifsacl
by Zizhi Wo 03 Jun '26

03 Jun '26

From: Michael Bommarito <michael.bommarito(a)gmail.com> stable inclusion from stable-v7.0.2 commit b78db9bddc84136f6a0bb49e8883cf200dfb87a8 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14459 CVE: CVE-2026-31709 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit… -------------------------------- commit 0a8cf165566ba55a39fd0f4de172119dd646d39a upstream. build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security descriptor. The original fix only checked that the struct smb_acl header fits before reading dacl_ptr->size or dacl_ptr->num_aces. That avoids the immediate header-field OOB read, but the rewrite helpers still walk ACEs based on pdacl->num_aces with no structural validation of the incoming DACL body. A malicious server can return a truncated DACL that still contains a header, claims one or more ACEs, and then drive replace_sids_and_copy_aces() or set_chmod_dacl() past the validated extent while they compare or copy attacker-controlled ACEs. Factor the DACL structural checks into validate_dacl(), extend them to validate each ACE against the DACL bounds, and use the shared validator before the chmod/chown rebuild paths. parse_dacl() reuses the same validator so the read-side parser and write-side rewrite paths agree on what constitutes a well-formed incoming DACL. Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.") Cc: stable(a)vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito <michael.bommarito(a)gmail.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: fs/smb/client/cifsacl.c [Because of commit 64e1ae59edaf ("[Backport] smb: client: validate dacloffset before building DACL pointers") merged, introduce dacl_offset_valid(), lead to some context conflicts, not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/smb/client/cifsacl.c | 116 +++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 31 deletions(-) diff --git a/fs/smb/client/cifsacl.c b/fs/smb/client/cifsacl.c index 7ec087896cac..4a82d11dfe4b 100644 --- a/fs/smb/client/cifsacl.c +++ b/fs/smb/client/cifsacl.c @@ -756,18 +756,89 @@ static void dump_ace(struct smb_ace *pace, char *end_of_acl) return; } #endif +static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl) +{ + int i, ace_hdr_size, ace_size, min_ace_size; + u16 dacl_size, num_aces; + char *acl_base, *end_of_dacl; + struct smb_ace *pace; + + if (!pdacl) + return 0; + + if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) { + cifs_dbg(VFS, "ACL too small to parse DACL\n"); + return -EINVAL; + } + + dacl_size = le16_to_cpu(pdacl->size); + if (dacl_size < sizeof(struct smb_acl) || + end_of_acl < (char *)pdacl + dacl_size) { + cifs_dbg(VFS, "ACL too small to parse DACL\n"); + return -EINVAL; + } + + num_aces = le16_to_cpu(pdacl->num_aces); + if (!num_aces) + return 0; + + ace_hdr_size = offsetof(struct smb_ace, sid) + + offsetof(struct smb_sid, sub_auth); + min_ace_size = ace_hdr_size + sizeof(__le32); + if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) { + cifs_dbg(VFS, "ACL too small to parse DACL\n"); + return -EINVAL; + } + + end_of_dacl = (char *)pdacl + dacl_size; + acl_base = (char *)pdacl; + ace_size = sizeof(struct smb_acl); + + for (i = 0; i < num_aces; ++i) { + if (end_of_dacl - acl_base < ace_size) { + cifs_dbg(VFS, "ACL too small to parse ACE\n"); + return -EINVAL; + } + + pace = (struct smb_ace *)(acl_base + ace_size); + acl_base = (char *)pace; + + if (end_of_dacl - acl_base < ace_hdr_size || + pace->sid.num_subauth == 0 || + pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) { + cifs_dbg(VFS, "ACL too small to parse ACE\n"); + return -EINVAL; + } + + ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth; + if (end_of_dacl - acl_base < ace_size || + le16_to_cpu(pace->size) < ace_size) { + cifs_dbg(VFS, "ACL too small to parse ACE\n"); + return -EINVAL; + } + + ace_size = le16_to_cpu(pace->size); + if (end_of_dacl - acl_base < ace_size) { + cifs_dbg(VFS, "ACL too small to parse ACE\n"); + return -EINVAL; + } + } + + return 0; +} + static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, struct smb_sid *pownersid, struct smb_sid *pgrpsid, struct cifs_fattr *fattr, bool mode_from_special_sid) { int i; int num_aces = 0; int acl_size; - char *acl_base; + char *acl_base, *end_of_dacl; struct smb_ace **ppace; /* BB need to add parm so we can store the SID BB */ if (!pdacl) { @@ -775,63 +846,40 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, all the permissions for user/group/other */ fattr->cf_mode |= 0777; return; } - /* validate that we do not go past end of acl */ - if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) || - end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) { - cifs_dbg(VFS, "ACL too small to parse DACL\n"); + if (validate_dacl(pdacl, end_of_acl)) return; - } cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n", le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size), le32_to_cpu(pdacl->num_aces)); /* reset rwx permissions for user/group/other. Also, if num_aces is 0 i.e. DACL has no ACEs, user/group/other have no permissions */ fattr->cf_mode &= ~(0777); + end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size); acl_base = (char *)pdacl; acl_size = sizeof(struct smb_acl); num_aces = le32_to_cpu(pdacl->num_aces); if (num_aces > 0) { umode_t denied_mode = 0; - if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) / - (offsetof(struct smb_ace, sid) + - offsetof(struct smb_sid, sub_auth) + sizeof(__le16))) - return; - ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *), GFP_KERNEL); if (!ppace) return; for (i = 0; i < num_aces; ++i) { - if (end_of_acl - acl_base < acl_size) - break; - ppace[i] = (struct smb_ace *) (acl_base + acl_size); - acl_base = (char *)ppace[i]; - acl_size = offsetof(struct smb_ace, sid) + - offsetof(struct smb_sid, sub_auth); - - if (end_of_acl - acl_base < acl_size || - ppace[i]->sid.num_subauth == 0 || - ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES || - (end_of_acl - acl_base < - acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) || - (le16_to_cpu(ppace[i]->size) < - acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth)) - break; #ifdef CONFIG_CIFS_DEBUG2 - dump_ace(ppace[i], end_of_acl); + dump_ace(ppace[i], end_of_dacl); #endif if (mode_from_special_sid && (compare_sids(&(ppace[i]->sid), &sid_unix_NFS_mode) == 0)) { /* @@ -869,10 +917,11 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl, /* memcpy((void *)(&(cifscred->aces[i])), (void *)ppace[i], sizeof(struct smb_ace)); */ + acl_base = (char *)ppace[i]; acl_size = le16_to_cpu(ppace[i]->size); } kfree(ppace); } @@ -1314,14 +1363,13 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd, cifs_dbg(VFS, "Server returned illegal DACL offset\n"); return -EINVAL; } dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); - if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) { - cifs_dbg(VFS, "Server returned illegal ACL size\n"); - return -EINVAL; - } + rc = validate_dacl(dacl_ptr, end_of_acl); + if (rc) + return rc; } owner_sid_ptr = (struct smb_sid *)((char *)pntsd + le32_to_cpu(pntsd->osidoffset)); group_sid_ptr = (struct smb_sid *)((char *)pntsd + @@ -1694,10 +1742,16 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode, rc = -EINVAL; goto id_mode_to_cifs_acl_exit; } dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); + rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen); + if (rc) { + kfree(pntsd); + cifs_put_tlink(tlink); + return rc; + } if (mode_from_sid) nsecdesclen += le32_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace); else /* cifsacl */ nsecdesclen += le16_to_cpu(dacl_ptr->size); -- 2.52.0

2 1

[PATCH OLK-5.10] dm-thin: fix metadata refcount underflow
by Zizhi Wo 03 Jun '26

03 Jun '26

From: Mikulas Patocka <mpatocka(a)redhat.com> stable inclusion from stable-v6.6.140 commit 12161e03d33afce781f68fa11cc6060538862fad category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15360 CVE: CVE-2026-46107 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit… -------------------------------- commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream. There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren is not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Fixes: 3241b1d3e0aa ("dm: add persistent data library") Cc: stable(a)vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/md/persistent-data/dm-transaction-manager.c drivers/md/persistent-data/dm-transaction-manager.h [This kernel version does not have dm_tm_block_is_shared() function as commit 4eafdb1515a7 ("dm btree: improve btree residency") not merged. So the functionality of this function was implemented manually.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- drivers/md/persistent-data/dm-btree-remove.c | 8 ++++++++ drivers/md/persistent-data/dm-transaction-manager.c | 9 +++++++++ drivers/md/persistent-data/dm-transaction-manager.h | 7 +++++++ 3 files changed, 24 insertions(+) diff --git a/drivers/md/persistent-data/dm-btree-remove.c b/drivers/md/persistent-data/dm-btree-remove.c index 63f2baed3c8a..1cf31861020b 100644 --- a/drivers/md/persistent-data/dm-btree-remove.c +++ b/drivers/md/persistent-data/dm-btree-remove.c @@ -413,16 +413,24 @@ static int rebalance_children(struct shadow_spine *s, n = dm_block_data(shadow_current(s)); if (le32_to_cpu(n->header.nr_entries) == 1) { struct dm_block *child; + int is_shared; dm_block_t b = value64(n, 0); + r = dm_tm_block_is_shared(info->tm, b, &is_shared); + if (r) + return r; + r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child); if (r) return r; + if (is_shared) + inc_children(info->tm, dm_block_data(child), vt); + memcpy(n, dm_block_data(child), dm_bm_block_size(dm_tm_get_bm(info->tm))); dm_tm_dec(info->tm, dm_block_location(child)); dm_tm_unlock(info->tm, child); diff --git a/drivers/md/persistent-data/dm-transaction-manager.c b/drivers/md/persistent-data/dm-transaction-manager.c index 73f57977b2e3..eda9d7a02008 100644 --- a/drivers/md/persistent-data/dm-transaction-manager.c +++ b/drivers/md/persistent-data/dm-transaction-manager.c @@ -380,10 +380,19 @@ int dm_tm_ref(struct dm_transaction_manager *tm, dm_block_t b, return -EWOULDBLOCK; return dm_sm_get_count(tm->sm, b, result); } +int dm_tm_block_is_shared(struct dm_transaction_manager *tm, dm_block_t b, + int *result) +{ + if (tm->is_clone) + return -EWOULDBLOCK; + + return dm_sm_count_is_more_than_one(tm->sm, b, result); +} + struct dm_block_manager *dm_tm_get_bm(struct dm_transaction_manager *tm) { return tm->bm; } diff --git a/drivers/md/persistent-data/dm-transaction-manager.h b/drivers/md/persistent-data/dm-transaction-manager.h index f3a18be68f30..dbc6e4b13b06 100644 --- a/drivers/md/persistent-data/dm-transaction-manager.h +++ b/drivers/md/persistent-data/dm-transaction-manager.h @@ -104,10 +104,17 @@ void dm_tm_inc(struct dm_transaction_manager *tm, dm_block_t b); void dm_tm_dec(struct dm_transaction_manager *tm, dm_block_t b); int dm_tm_ref(struct dm_transaction_manager *tm, dm_block_t b, uint32_t *result); +/* + * Finds out if a given block is shared (ie. has a reference count higher + * than one). + */ +int dm_tm_block_is_shared(struct dm_transaction_manager *tm, dm_block_t b, + int *result); + struct dm_block_manager *dm_tm_get_bm(struct dm_transaction_manager *tm); /* * If you're using a non-blocking clone the tm will build up a list of * requested blocks that weren't in core. This call will request those -- 2.52.0

2 2

[PATCH openEuler-1.0-LTS V1] RDMA/rxe: Fix double free in rxe_srq_from_init
by Cheng Yu 03 Jun '26

03 Jun '26

From: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> mainline inclusion from mainline-v7.0-rc1 commit 0beefd0e15d962f497aad750b2d5e9c3570b66d1 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15105 CVE: CVE-2026-45852 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving 'srq->rq.queue = q' after copy_to_user. Fixes: aae0484e15f0 ("IB/rxe: avoid srq memory leak") Signed-off-by: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> Link: https://patch.msgid.link/20260112015412.29458-1-jiashengjiangcool@gmail.com Reviewed-by: Zhu Yanjun <yanjun.Zhu(a)linux.dev> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Conflicts: drivers/infiniband/sw/rxe/rxe_srq.c [The conflict is caused by not having applied the patch cc28f351155d("RDMA/rxe: Fix rxe_modify_srq"). ] Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- drivers/infiniband/sw/rxe/rxe_srq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index c41a5fee81f7..ec564e7010c4 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -126,8 +126,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, return -ENOMEM; } - srq->rq.queue = q; - err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, context, q->buf, q->buf_size, &q->ip); if (err) { @@ -144,6 +142,8 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + return 0; } -- 2.25.1

2 1

[PATCH OLK-5.10] fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot
by Zizhi Wo 03 Jun '26

03 Jun '26

From: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> stable inclusion from stable-v5.15.202 commit 36c03f7f177b34d51f1cf1d2304b1074607bf4b0 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15173 CVE: CVE-2026-45935 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit… -------------------------------- [ Upstream commit b2bc7c44ed1779fc9eaab9a186db0f0d01439622 ] In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry size ('esize') is retrieved from the log record without adequate bounds checking. Specifically, the code calculates the end of the entry ('e2') using: e2 = Add2Ptr(e1, esize); It then calculates the size for memmove using 'PtrOffset(e2, ...)', which subtracts the end pointer from the buffer limit. If 'esize' is maliciously large, 'e2' exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, interprets as a massive unsigned integer, leading to a heap buffer overflow. This commit adds a check to ensure that the entry size ('esize') strictly fits within the remaining used space of the index header before performing memory operations. Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal") Signed-off-by: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/ntfs3/fslog.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ntfs3/fslog.c b/fs/ntfs3/fslog.c index d1f48ffe846e..ef4e7dbc35cf 100644 --- a/fs/ntfs3/fslog.c +++ b/fs/ntfs3/fslog.c @@ -3435,10 +3435,13 @@ static int do_action(struct ntfs_log *log, struct OPEN_ATTR_ENRTY *oe, goto dirty_vol; } e1 = Add2Ptr(attr, le16_to_cpu(lrh->attr_off)); esize = le16_to_cpu(e1->size); + if (PtrOffset(e1, Add2Ptr(hdr, used)) < esize) + goto dirty_vol; + e2 = Add2Ptr(e1, esize); memmove(e1, e2, PtrOffset(e2, Add2Ptr(hdr, used))); le32_sub_cpu(&attr->res.data_size, esize); -- 2.52.0

2 1

[PATCH OLK-6.6 0/3] CVEs
by Liu Kai 03 Jun '26

03 Jun '26

CVEs Chiara Meiohas (1): RDMA/mlx5: Fix UMR hang in LAG error state unload Jonathan McDowell (1): hwrng: core - Allow runtime disabling of the HW RNG Lianjie Wang (1): hwrng: core - use RCU and work_struct to fix race condition drivers/char/hw_random/core.c | 178 +++++++++++++++++---------- drivers/infiniband/hw/mlx5/main.c | 75 +++++++++-- drivers/infiniband/hw/mlx5/mlx5_ib.h | 2 + include/linux/hw_random.h | 2 + 4 files changed, 184 insertions(+), 73 deletions(-) -- 2.34.1

2 4

[PATCH openEuler-1.0-LTS] ipv6: prevent possible UaF in addrconf_permanent_addr()
by Zhang Changzhong 03 Jun '26

03 Jun '26

From: Paolo Abeni <pabeni(a)redhat.com> mainline inclusion from mainline-v7.0-rc7 commit fd63f185979b047fb22a0dfc6bd94d0cab6a6a70 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14897 CVE: CVE-2026-43339 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The mentioned helper try to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statement to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection. Reported-by: Jakub Kicinski <kuba(a)kernel.org> Closes: https://sashiko.dev/#/patchset/8c8bfe2e1a324e501f0e15fef404a77443fd8caf.177… Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Link: https://patch.msgid.link/ef973c3a8cb4f8f1787ed469f3e5391b9fe95aa0.177460154… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Zhang Changzhong <zhangchangzhong(a)huawei.com> --- net/ipv6/addrconf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 6c76c0c..98a24b5 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3421,12 +3421,12 @@ static void addrconf_permanent_addr(struct net *net, struct net_device *dev) if ((ifp->flags & IFA_F_PERMANENT) && fixup_permanent_addr(net, idev, ifp) < 0) { write_unlock_bh(&idev->lock); - in6_ifa_hold(ifp); - ipv6_del_addr(ifp); - write_lock_bh(&idev->lock); net_info_ratelimited("%s: Failed to add prefix route for address %pI6c; dropping\n", idev->dev->name, &ifp->addr); + in6_ifa_hold(ifp); + ipv6_del_addr(ifp); + write_lock_bh(&idev->lock); } } -- 2.9.5

2 1

[PATCH OLK-6.6 0/6] Fix CVE-2026-46242
by Zizhi Wo 03 Jun '26

03 Jun '26

Fix CVE-2026-46242 Christian Brauner (6): eventpoll: use hlist_is_singular_node() in __ep_remove() eventpoll: split __ep_remove() eventpoll: kill __ep_remove() eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}() eventpoll: move epi_fget() up eventpoll: fix ep_remove struct eventpoll / struct file UAF fs/eventpoll.c | 128 ++++++++++++++++++++++++++++--------------------- 1 file changed, 73 insertions(+), 55 deletions(-) -- 2.52.0

2 7

[PATCH openEuler-1.0-LTS 0/7] backport some zram bugfixes
by Jinjiang Tu 03 Jun '26

03 Jun '26

Georgi Djakov (1): mm/page_io: use pr_alert_ratelimited for swap read/write errors Ming Lei (3): zram: fix race between zram_reset_device() and disksize_store() zram: don't fail to remove zram during unloading module zram: avoid race between zram_remove and disksize_store Rokudo Yan (1): zsmalloc: account the number of compacted pages correctly Sergey Senozhatsky (2): zram: do not lookup algorithm in backends table drivers/block/zram/zram_drv.c: do not keep dangling zcomp pointer after zram reset drivers/block/zram/zcomp.c | 11 ++++---- drivers/block/zram/zram_drv.c | 53 ++++++++++++++++++++++++----------- include/linux/zsmalloc.h | 2 +- mm/page_io.c | 12 ++++---- mm/zsmalloc.c | 17 +++++++---- 5 files changed, 59 insertions(+), 36 deletions(-) -- 2.43.0

2 8

[PATCH OLK-6.6 v2] bpf: Remove smap argument from bpf_selem_free()
by Pu Lehui 03 Jun '26

03 Jun '26

From: Amery Hung <ameryhung(a)gmail.com> mainline inclusion from mainline-v6.19-rc1 commit e76a33e1c7186526c2c133af73ea70da9275e1ba category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Since selem already saves a pointer to smap, use it instead of an additional argument in bpf_selem_free(). This requires moving the SDATA(selem)->smap assignment from bpf_selem_link_map() to bpf_selem_alloc() since bpf_selem_free() may be called without the selem being linked to smap in bpf_local_storage_update(). Signed-off-by: Amery Hung <ameryhung(a)gmail.com> Reviewed-by: Martin KaFai Lau <martin.lau(a)kernel.org> Link: https://lore.kernel.org/r/20251114201329.3275875-3-ameryhung@gmail.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Fixes: 499c90ae60d8 ("bpf: Convert bpf_selem_unlink_map to failable") Conflicts: include/linux/bpf_local_storage.h kernel/bpf/bpf_local_storage.c net/core/bpf_sk_storage.c [Not merged bpf_selem_free_list] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- include/linux/bpf_local_storage.h | 1 - kernel/bpf/bpf_local_storage.c | 14 +++++++++----- net/core/bpf_sk_storage.c | 4 ++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/include/linux/bpf_local_storage.h b/include/linux/bpf_local_storage.h index cec87412cef9..05153bc722ba 100644 --- a/include/linux/bpf_local_storage.h +++ b/include/linux/bpf_local_storage.h @@ -170,7 +170,6 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner, void *value, bool charge_mem, gfp_t gfp_flags); void bpf_selem_free(struct bpf_local_storage_elem *selem, - struct bpf_local_storage_map *smap, bool reuse_now); int diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c index 8b1280bef364..c27d8f75a2dc 100644 --- a/kernel/bpf/bpf_local_storage.c +++ b/kernel/bpf/bpf_local_storage.c @@ -89,6 +89,8 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner, } if (selem) { + RCU_INIT_POINTER(SDATA(selem)->smap, smap); + if (value) copy_map_value(&smap->map, SDATA(selem)->data, value); /* No need to call check_and_init_map_value as memory is zero init */ @@ -213,9 +215,12 @@ static void bpf_selem_free_trace_rcu(struct rcu_head *rcu) } void bpf_selem_free(struct bpf_local_storage_elem *selem, - struct bpf_local_storage_map *smap, bool reuse_now) { + struct bpf_local_storage_map *smap; + + smap = rcu_dereference_check(SDATA(selem)->smap, bpf_rcu_lock_held()); + bpf_obj_free_fields(smap->map.record, SDATA(selem)->data); if (!smap->bpf_ma) { @@ -286,7 +291,7 @@ static bool bpf_selem_unlink_storage_nolock(struct bpf_local_storage *local_stor SDATA(selem)) RCU_INIT_POINTER(local_storage->cache[smap->cache_idx], NULL); - bpf_selem_free(selem, smap, reuse_now); + bpf_selem_free(selem, reuse_now); if (rcu_access_pointer(local_storage->smap) == smap) RCU_INIT_POINTER(local_storage->smap, NULL); @@ -368,7 +373,6 @@ int bpf_selem_link_map(struct bpf_local_storage_map *smap, b = select_bucket(smap, local_storage); raw_spin_lock_irqsave(&b->lock, flags); - RCU_INIT_POINTER(SDATA(selem)->smap, smap); hlist_add_head_rcu(&selem->map_node, &b->list); raw_spin_unlock_irqrestore(&b->lock, flags); @@ -600,7 +604,7 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap, err = bpf_local_storage_alloc(owner, smap, selem, gfp_flags); if (err) { - bpf_selem_free(selem, smap, true); + bpf_selem_free(selem, true); mem_uncharge(smap, owner, smap->elem_size); return ERR_PTR(err); } @@ -680,7 +684,7 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap, raw_spin_unlock_irqrestore(&local_storage->lock, flags); if (alloc_selem) { mem_uncharge(smap, owner, smap->elem_size); - bpf_selem_free(alloc_selem, smap, true); + bpf_selem_free(alloc_selem, true); } return err ? ERR_PTR(err) : SDATA(selem); } diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c index 626d0aa79751..35bbd8b372df 100644 --- a/net/core/bpf_sk_storage.c +++ b/net/core/bpf_sk_storage.c @@ -192,7 +192,7 @@ int bpf_sk_storage_clone(const struct sock *sk, struct sock *newsk) if (new_sk_storage) { ret = bpf_selem_link_map(smap, new_sk_storage, copy_selem); if (ret) { - bpf_selem_free(copy_selem, smap, true); + bpf_selem_free(copy_selem, true); atomic_sub(smap->elem_size, &newsk->sk_omem_alloc); bpf_map_put(map); @@ -202,7 +202,7 @@ int bpf_sk_storage_clone(const struct sock *sk, struct sock *newsk) } else { ret = bpf_local_storage_alloc(newsk, smap, copy_selem, GFP_ATOMIC); if (ret) { - bpf_selem_free(copy_selem, smap, true); + bpf_selem_free(copy_selem, true); atomic_sub(smap->elem_size, &newsk->sk_omem_alloc); bpf_map_put(map); -- 2.34.1

2 1