- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] arm64/mpam: Synchronize MPAM Partid to kernel mode
by Zeng Heng 15 Dec '25

15 Dec '25

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IDD55N -------------------------------- Currently, the MPAM implementation on Linux only applies isolation control to tasks' user-space, while resource allocation for execution in kernel mode is according to the root group's (Partid=0) policy. With MPAM adding L2 cache support, and given small L2 capacity, frequently switching partition policies between kernel and user space would cause L2 thrashing and degrade performance. Moreover, to support MPAM isolation for kernel-space processes, kernel space should adopt the same partition policy as user space. To ensure the Partid state is updated promptly after the CPU exits from low power mode, add wmb() barrier in the CPU_PM_EXIT flow to guarantee that. Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/include/asm/mpam.h | 1 + arch/arm64/kernel/cpufeature.c | 2 +- arch/arm64/kernel/mpam.c | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/arch/arm64/include/asm/mpam.h b/arch/arm64/include/asm/mpam.h index 8caac70e22ed..db4d559e8936 100644 --- a/arch/arm64/include/asm/mpam.h +++ b/arch/arm64/include/asm/mpam.h @@ -161,6 +161,7 @@ static inline void mpam_thread_switch(struct task_struct *tsk) return; /* Synchronising this write is left until the ERET to EL0 */ + write_sysreg_s(regval, SYS_MPAM1_EL1); write_sysreg_s(regval, SYS_MPAM0_EL1); WRITE_ONCE(per_cpu(arm64_mpam_current, cpu), regval); } diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 414b9d28ecd1..4cc8691dc7d8 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -2425,7 +2425,7 @@ cpu_enable_mpam(const struct arm64_cpu_capabilities *entry) * where latency sensitive tasks have to wait for a task that has * been throttled to release the lock. */ - write_sysreg_s(0, SYS_MPAM1_EL1); + write_sysreg_s(regval, SYS_MPAM1_EL1); write_sysreg_s(regval, SYS_MPAM0_EL1); } diff --git a/arch/arm64/kernel/mpam.c b/arch/arm64/kernel/mpam.c index 3f070cbab420..008c44c96a75 100644 --- a/arch/arm64/kernel/mpam.c +++ b/arch/arm64/kernel/mpam.c @@ -40,9 +40,9 @@ static int mpam_pm_notifier(struct notifier_block *self, * value has changed under our feet. */ regval = READ_ONCE(per_cpu(arm64_mpam_current, cpu)); - write_sysreg_s(0, SYS_MPAM1_EL1); + write_sysreg_s(regval, SYS_MPAM1_EL1); write_sysreg_s(regval, SYS_MPAM0_EL1); - + wmb(); return NOTIFY_OK; default: return NOTIFY_DONE; -- 2.25.1

2 1

[PATCH OLK-6.6] xsched: prevent linked list corruption in RT priority updates
by Liu Kai 15 Dec '25

15 Dec '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IDB5TR ----------------------------------------- Add scheduling class validation in xsched_rt_prio_set() to ensure only RT-scheduled tasks can perform RT priority modifications. Previously, CFS tasks could trigger xse_rt_del() operations via sys_xsched_setattr, corrupting CFS runqueue linked lists. The fix checks xse->class == &rt_xsched_class before any RT scheduler operations, maintaining proper separation between CFS and RT scheduling domains. Fixes: 832cfa264d7c ("xsched: add xsched_{set,get}attr syscall") Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- kernel/xsched/rt.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/kernel/xsched/rt.c b/kernel/xsched/rt.c index 498d5ac618a1..db7d97fed787 100644 --- a/kernel/xsched/rt.c +++ b/kernel/xsched/rt.c @@ -168,17 +168,20 @@ void xsched_rt_prio_set(pid_t tgid, unsigned int prio) mutex_lock(&xcu->xcu_lock); ctx = ctx_find_by_tgid_and_xcu(tgid, xcu); - if (ctx) { - xse = &ctx->xse; - xse->rt.prio = clamp_t(unsigned int, prio, XSE_PRIO_HIGH, XSE_PRIO_LOW); - if (xse->on_rq) { - xse_rt_del(xse); - xse_rt_add(xse, xcu); - } + if (!ctx || ctx->xse.class != &rt_xsched_class) { + mutex_unlock(&xcu->xcu_lock); + mutex_unlock(&xcu->ctx_list_lock); + continue; + } + + xse = &ctx->xse; + xse->rt.prio = clamp_t(unsigned int, prio, XSE_PRIO_HIGH, XSE_PRIO_LOW); + if (xse->on_rq) { + xse_rt_del(xse); + xse_rt_add(xse, xcu); } mutex_unlock(&xcu->xcu_lock); mutex_unlock(&xcu->ctx_list_lock); } } - -- 2.34.1

2 1

[openeuler:OLK-6.6 3542/3542] arch/x86/kernel/early-quirks.c:727:34: warning: no previous prototype for 'kh40000_get_direct_dma_ops'
by kernel test robot 15 Dec '25

15 Dec '25

Hi leoliu-oc, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 81b22958142c03b02c766c79cd1554ebfa142be4 commit: 11557c1ae4529f133483879b7ee00b7d8c653be7 [3542/3542] x86/cpu/zhaoxin: Encapsulate access to kh40000_dma_direct_ops within function config: x86_64-randconfig-161-20251215 (https://download.01.org/0day-ci/archive/20251215/202512151614.LDi8I6GA-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251215/202512151614.LDi8I6GA-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512151614.LDi8I6GA-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/x86/kernel/early-quirks.c:722:6: warning: no previous prototype for 'is_zhaoxin_kh40000' [-Wmissing-prototypes] 722 | bool is_zhaoxin_kh40000(void) | ^~~~~~~~~~~~~~~~~~ >> arch/x86/kernel/early-quirks.c:727:34: warning: no previous prototype for 'kh40000_get_direct_dma_ops' [-Wmissing-prototypes] 727 | __weak const struct dma_map_ops *kh40000_get_direct_dma_ops(void) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/kh40000_get_direct_dma_ops +727 arch/x86/kernel/early-quirks.c 721 > 722 bool is_zhaoxin_kh40000(void) 723 { 724 return zhaoxin_kh40000; 725 } 726 > 727 __weak const struct dma_map_ops *kh40000_get_direct_dma_ops(void) 728 { 729 return dma_ops; 730 } 731 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 3542/3542] lib/test_hexdump.c:116:3: warning: 'strncpy' output truncated copying between 0 and 32 bytes from a string of length 32
by kernel test robot 15 Dec '25

15 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 81b22958142c03b02c766c79cd1554ebfa142be4 commit: f04c0f3eb9b49427c273cd3e4d5a2ff895855b4b [3542/3542] make OPTIMIZE_INLINING config editable config: arm64-randconfig-004-20251215 (https://download.01.org/0day-ci/archive/20251215/202512151641.xBwOsIKs-lkp@…) compiler: aarch64-linux-gcc (GCC) 9.5.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251215/202512151641.xBwOsIKs-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512151641.xBwOsIKs-lkp@intel.com/ All warnings (new ones prefixed by >>): lib/test_hexdump.c: In function 'test_hexdump_prepare_test.isra.0': >> lib/test_hexdump.c:116:3: warning: 'strncpy' output truncated copying between 0 and 32 bytes from a string of length 32 [-Wstringop-truncation] 116 | strncpy(p, data_a, l); | ^~~~~~~~~~~~~~~~~~~~~ vim +/strncpy +116 lib/test_hexdump.c 7aaf4c3e1235cc lib/test_hexdump.c Andy Shevchenko 2016-01-20 66 87977ca6bcd051 lib/test_hexdump.c Andy Shevchenko 2016-01-20 67 static void __init test_hexdump_prepare_test(size_t len, int rowsize, 87977ca6bcd051 lib/test_hexdump.c Andy Shevchenko 2016-01-20 68 int groupsize, char *test, 87977ca6bcd051 lib/test_hexdump.c Andy Shevchenko 2016-01-20 69 size_t testlen, bool ascii) 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 70 { 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 71 char *p; 17974c054db303 lib/test-hexdump.c Linus Torvalds 2015-04-19 72 const char * const *result; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 73 size_t l = len; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 74 int gs = groupsize, rs = rowsize; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 75 unsigned int i; de9df3993cfffd lib/test_hexdump.c Christophe Leroy 2018-08-21 76 const bool is_be = IS_ENABLED(CONFIG_CPU_BIG_ENDIAN); 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 77 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 78 if (rs != 16 && rs != 32) 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 79 rs = 16; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 80 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 81 if (l > rs) 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 82 l = rs; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 83 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 84 if (!is_power_of_2(gs) || gs > 8 || (len % gs != 0)) 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 85 gs = 1; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 86 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 87 if (gs == 8) de9df3993cfffd lib/test_hexdump.c Christophe Leroy 2018-08-21 88 result = is_be ? test_data_8_be : test_data_8_le; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 89 else if (gs == 4) de9df3993cfffd lib/test_hexdump.c Christophe Leroy 2018-08-21 90 result = is_be ? test_data_4_be : test_data_4_le; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 91 else if (gs == 2) de9df3993cfffd lib/test_hexdump.c Christophe Leroy 2018-08-21 92 result = is_be ? test_data_2_be : test_data_2_le; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 93 else de9df3993cfffd lib/test_hexdump.c Christophe Leroy 2018-08-21 94 result = test_data_1; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 95 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 96 /* hex dump */ 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 97 p = test; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 98 for (i = 0; i < l / gs; i++) { 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 99 const char *q = *result++; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 100 size_t amount = strlen(q); 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 101 b1286ed7158e9b lib/test_hexdump.c Linus Torvalds 2018-11-30 102 memcpy(p, q, amount); 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 103 p += amount; 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 104 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 105 *p++ = ' '; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 106 } 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 107 if (i) 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 108 p--; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 109 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 110 /* ASCII part */ 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 111 if (ascii) { 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 112 do { 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 113 *p++ = ' '; 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 114 } while (p < test + rs * 2 + rs / gs + 1); 3db4a987180acf lib/test_hexdump.c Andy Shevchenko 2016-01-20 115 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 @116 strncpy(p, data_a, l); 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 117 p += l; 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 118 } 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 119 64d1d77a44697a lib/test-hexdump.c Andy Shevchenko 2015-02-12 120 *p = '\0'; 87977ca6bcd051 lib/test_hexdump.c Andy Shevchenko 2016-01-20 121 } 87977ca6bcd051 lib/test_hexdump.c Andy Shevchenko 2016-01-20 122 :::::: The code at line 116 was first introduced by commit :::::: 64d1d77a44697af8e314939ecef30642c68309cb hexdump: introduce test suite :::::: TO: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> :::::: CC: Linus Torvalds <torvalds(a)linux-foundation.org> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] iommu/arm-smmu-v3-sva: Fix mm use-after-free
by Zhang Yuwei 15 Dec '25

15 Dec '25

From: Jean-Philippe Brucker <jean-philippe(a)linaro.org> mainline inclusion from mainline-v5.19-rc1 commit cbd23144f7662b00bcde32a938c4a4057e476d68 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP4KI Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- We currently call arm64_mm_context_put() without holding a reference to the mm, which can result in use-after-free. Call mmgrab()/mmdrop() to ensure the mm only gets freed after we unpinned the ASID. Fixes: 32784a9562fb ("iommu/arm-smmu-v3: Implement iommu_sva_bind/unbind()") Signed-off-by: Jean-Philippe Brucker <jean-philippe(a)linaro.org> Tested-by: Zhangfei Gao <zhangfei.gao(a)linaro.org> Link: https://lore.kernel.org/r/20220426130444.300556-1-jean-philippe@linaro.org Signed-off-by: Will Deacon <will(a)kernel.org> Conflicts: drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c [commit 685ace6c824e merged for add trace event] Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c index afdfd10290be..0040294ad62d 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c @@ -6,6 +6,7 @@ #include <linux/mm.h> #include <linux/mmu_context.h> #include <linux/mmu_notifier.h> +#include <linux/sched/mm.h> #include <linux/slab.h> #include <trace/events/smmu.h> @@ -98,9 +99,14 @@ static struct arm_smmu_ctx_desc *arm_smmu_alloc_shared_cd(struct mm_struct *mm) struct arm_smmu_ctx_desc *cd; struct arm_smmu_ctx_desc *ret = NULL; + /* Don't free the mm until we release the ASID */ + mmgrab(mm); + asid = arm64_mm_context_get(mm); - if (!asid) - return ERR_PTR(-ESRCH); + if (!asid) { + err = -ESRCH; + goto out_drop_mm; + } cd = kzalloc(sizeof(*cd), GFP_KERNEL); if (!cd) { @@ -169,6 +175,8 @@ static struct arm_smmu_ctx_desc *arm_smmu_alloc_shared_cd(struct mm_struct *mm) kfree(cd); out_put_context: arm64_mm_context_put(mm); +out_drop_mm: + mmdrop(mm); return err < 0 ? ERR_PTR(err) : ret; } @@ -177,6 +185,7 @@ static void arm_smmu_free_shared_cd(struct arm_smmu_ctx_desc *cd) if (arm_smmu_free_asid(cd)) { /* Unpin ASID */ arm64_mm_context_put(cd->mm); + mmdrop(cd->mm); kfree(cd); } } -- 2.43.0

2 1

[openeuler:OLK-6.6 3542/3542] drivers/infiniband/hw/bnxt_re/ib_verbs.c:1685:24: warning: variable 'nq' set but not used
by kernel test robot 15 Dec '25

15 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 81b22958142c03b02c766c79cd1554ebfa142be4 commit: 978eee07aea817a830a9146bd90f0506ac2f8482 [3542/3542] RDMA/bnxt_re: Fix budget handling of notification queue config: x86_64-buildonly-randconfig-005-20251215 (https://download.01.org/0day-ci/archive/20251215/202512151653.mAEBFOna-lkp@…) compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251215/202512151653.mAEBFOna-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512151653.mAEBFOna-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/infiniband/hw/bnxt_re/ib_verbs.c:1685:24: warning: variable 'nq' set but not used [-Wunused-but-set-variable] 1685 | struct bnxt_qplib_nq *nq = NULL; | ^ drivers/infiniband/hw/bnxt_re/ib_verbs.c:1732:24: warning: variable 'nq' set but not used [-Wunused-but-set-variable] 1732 | struct bnxt_qplib_nq *nq = NULL; | ^ drivers/infiniband/hw/bnxt_re/ib_verbs.c:2933:24: warning: variable 'nq' set but not used [-Wunused-but-set-variable] 2933 | struct bnxt_qplib_nq *nq; | ^ 3 warnings generated. Kconfig warnings: (for reference only) WARNING: unmet direct dependencies detected for PTP_1588_CLOCK Depends on [n]: NET [=y] && POSIX_TIMERS [=n] Selected by [y]: - SXE [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_LINKDATA [=y] && (X86 [=y] || ARM64) && PCI [=y] - SXE_VF [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_LINKDATA [=y] && (X86 [=y] || ARM64) && PCI [=y] vim +/nq +1685 drivers/infiniband/hw/bnxt_re/ib_verbs.c 1ac5a404797523 Selvin Xavier 2017-02-10 1677 37cb11acf1f72a Devesh Sharma 2018-01-11 1678 /* Shared Receive Queues */ 119181d1d4327d Leon Romanovsky 2020-09-07 1679 int bnxt_re_destroy_srq(struct ib_srq *ib_srq, struct ib_udata *udata) 37cb11acf1f72a Devesh Sharma 2018-01-11 1680 { 37cb11acf1f72a Devesh Sharma 2018-01-11 1681 struct bnxt_re_srq *srq = container_of(ib_srq, struct bnxt_re_srq, 37cb11acf1f72a Devesh Sharma 2018-01-11 1682 ib_srq); 37cb11acf1f72a Devesh Sharma 2018-01-11 1683 struct bnxt_re_dev *rdev = srq->rdev; 37cb11acf1f72a Devesh Sharma 2018-01-11 1684 struct bnxt_qplib_srq *qplib_srq = &srq->qplib_srq; 37cb11acf1f72a Devesh Sharma 2018-01-11 @1685 struct bnxt_qplib_nq *nq = NULL; 37cb11acf1f72a Devesh Sharma 2018-01-11 1686 37cb11acf1f72a Devesh Sharma 2018-01-11 1687 if (qplib_srq->cq) 37cb11acf1f72a Devesh Sharma 2018-01-11 1688 nq = qplib_srq->cq->nq; 68e326dea1dba9 Leon Romanovsky 2019-04-03 1689 bnxt_qplib_destroy_srq(&rdev->qplib_res, qplib_srq); 37cb11acf1f72a Devesh Sharma 2018-01-11 1690 ib_umem_release(srq->umem); 063975feedb143 Chandramohan Akula 2023-07-26 1691 atomic_dec(&rdev->stats.res.srq_count); 119181d1d4327d Leon Romanovsky 2020-09-07 1692 return 0; 37cb11acf1f72a Devesh Sharma 2018-01-11 1693 } 37cb11acf1f72a Devesh Sharma 2018-01-11 1694 :::::: The code at line 1685 was first introduced by commit :::::: 37cb11acf1f72a007a85894a6dd2ec93932bde46 RDMA/bnxt_re: Add SRQ support for Broadcom adapters :::::: TO: Devesh Sharma <devesh.sharma(a)broadcom.com> :::::: CC: Doug Ledford <dledford(a)redhat.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] iommu/arm-smmu-v3-sva: Fix mm use-after-free
by Zhang Yuwei 15 Dec '25

15 Dec '25

From: Jean-Philippe Brucker <jean-philippe(a)linaro.org> mainline inclusion from mainline-v5.19-rc1 commit cbd23144f7662b00bcde32a938c4a4057e476d68 category: bugfix bugzilla: 190104 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- We currently call arm64_mm_context_put() without holding a reference to the mm, which can result in use-after-free. Call mmgrab()/mmdrop() to ensure the mm only gets freed after we unpinned the ASID. Fixes: 32784a9562fb ("iommu/arm-smmu-v3: Implement iommu_sva_bind/unbind()") Signed-off-by: Jean-Philippe Brucker <jean-philippe(a)linaro.org> Tested-by: Zhangfei Gao <zhangfei.gao(a)linaro.org> Link: https://lore.kernel.org/r/20220426130444.300556-1-jean-philippe@linaro.org Signed-off-by: Will Deacon <will(a)kernel.org> Conflicts: drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c [commit 685ace6c824e merged for add trace event] Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c index afdfd10290be..0040294ad62d 100644 --- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c +++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3-sva.c @@ -6,6 +6,7 @@ #include <linux/mm.h> #include <linux/mmu_context.h> #include <linux/mmu_notifier.h> +#include <linux/sched/mm.h> #include <linux/slab.h> #include <trace/events/smmu.h> @@ -98,9 +99,14 @@ static struct arm_smmu_ctx_desc *arm_smmu_alloc_shared_cd(struct mm_struct *mm) struct arm_smmu_ctx_desc *cd; struct arm_smmu_ctx_desc *ret = NULL; + /* Don't free the mm until we release the ASID */ + mmgrab(mm); + asid = arm64_mm_context_get(mm); - if (!asid) - return ERR_PTR(-ESRCH); + if (!asid) { + err = -ESRCH; + goto out_drop_mm; + } cd = kzalloc(sizeof(*cd), GFP_KERNEL); if (!cd) { @@ -169,6 +175,8 @@ static struct arm_smmu_ctx_desc *arm_smmu_alloc_shared_cd(struct mm_struct *mm) kfree(cd); out_put_context: arm64_mm_context_put(mm); +out_drop_mm: + mmdrop(mm); return err < 0 ? ERR_PTR(err) : ret; } @@ -177,6 +185,7 @@ static void arm_smmu_free_shared_cd(struct arm_smmu_ctx_desc *cd) if (arm_smmu_free_asid(cd)) { /* Unpin ASID */ arm64_mm_context_put(cd->mm); + mmdrop(cd->mm); kfree(cd); } } -- 2.43.0

2 1

[PATCH OLK-5.10] Bluetooth: bcsp: receive data only if registered
by Yin Tirui 15 Dec '25

15 Dec '25

From: Ivan Pravdin <ipravdin.official(a)gmail.com> stable inclusion from stable-v5.10.247 commit 164586725b47f9d61912e6bf17dbaffeff11710b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBAE0 CVE: CVE-2025-40308 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ca94b2b036c22556c3a66f1b80f490882deef7a6 ] Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. Reported-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4ed6852d4da4606c93da Tested-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Signed-off-by: Ivan Pravdin <ipravdin.official(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yin Tirui <yintirui(a)huawei.com> --- drivers/bluetooth/hci_bcsp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 8055f63603f4..8ff69111ceed 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -582,6 +582,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) struct bcsp_struct *bcsp = hu->priv; const unsigned char *ptr; + if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) + return -EUNATCH; + BT_DBG("hu %p count %d rx_state %d rx_count %ld", hu, count, bcsp->rx_state, bcsp->rx_count); -- 2.43.0

2 1

[PATCH OLK-6.6] Bluetooth: bcsp: receive data only if registered
by Yin Tirui 15 Dec '25

15 Dec '25

From: Ivan Pravdin <ipravdin.official(a)gmail.com> stable inclusion from stable-v6.6.117 commit 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBAE0 CVE: CVE-2025-40308 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ca94b2b036c22556c3a66f1b80f490882deef7a6 ] Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. Reported-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4ed6852d4da4606c93da Tested-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Signed-off-by: Ivan Pravdin <ipravdin.official(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yin Tirui <yintirui(a)huawei.com> --- drivers/bluetooth/hci_bcsp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 2a5a27d713f8..e991d9e62486 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -582,6 +582,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) struct bcsp_struct *bcsp = hu->priv; const unsigned char *ptr; + if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) + return -EUNATCH; + BT_DBG("hu %p count %d rx_state %d rx_count %ld", hu, count, bcsp->rx_state, bcsp->rx_count); -- 2.43.0

2 1

[openeuler:OLK-6.6 3542/3542] drivers/ata/libahci.c:210:5: warning: no previous prototype for function 'get_ahci_em_messages'
by kernel test robot 15 Dec '25

15 Dec '25

Hi leoliu-oc, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 81b22958142c03b02c766c79cd1554ebfa142be4 commit: fb43492008c11fe89e510dd63383a2d37ea3cf8e [3542/3542] ata: ahci: Add support for AHCI SGPIO Enclosure Management config: x86_64-buildonly-randconfig-002-20251215 (https://download.01.org/0day-ci/archive/20251215/202512151453.z27gHP7d-lkp@…) compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251215/202512151453.z27gHP7d-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512151453.z27gHP7d-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from drivers/ata/libahci.c:24: In file included from include/linux/blkdev.h:9: In file included from include/linux/blk_types.h:10: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:8: In file included from include/linux/cacheflush.h:5: In file included from arch/x86/include/asm/cacheflush.h:5: In file included from include/linux/mm.h:2235: include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ >> drivers/ata/libahci.c:210:5: warning: no previous prototype for function 'get_ahci_em_messages' [-Wmissing-prototypes] 210 | int get_ahci_em_messages(void) | ^ drivers/ata/libahci.c:210:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 210 | int get_ahci_em_messages(void) | ^ | static 2 warnings generated. -- In file included from drivers/ata/ahci_zhaoxin_sgpio.c:10: In file included from include/linux/blkdev.h:9: In file included from include/linux/blk_types.h:10: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:8: In file included from include/linux/cacheflush.h:5: In file included from arch/x86/include/asm/cacheflush.h:5: In file included from include/linux/mm.h:2235: include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ >> drivers/ata/ahci_zhaoxin_sgpio.c:31:5: warning: no previous prototype for function 'ahci_wait_em_reset' [-Wmissing-prototypes] 31 | int ahci_wait_em_reset(struct sgpio_zhaoxin *sgpio_zhaoxin, u32 retry) | ^ drivers/ata/ahci_zhaoxin_sgpio.c:31:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 31 | int ahci_wait_em_reset(struct sgpio_zhaoxin *sgpio_zhaoxin, u32 retry) | ^ | static >> drivers/ata/ahci_zhaoxin_sgpio.c:55:6: warning: no previous prototype for function 'ahci_zhaoxin_set_em_sgpio' [-Wmissing-prototypes] 55 | void ahci_zhaoxin_set_em_sgpio(struct sgpio_zhaoxin *sgpio_zhaoxin) | ^ drivers/ata/ahci_zhaoxin_sgpio.c:55:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 55 | void ahci_zhaoxin_set_em_sgpio(struct sgpio_zhaoxin *sgpio_zhaoxin) | ^ | static >> drivers/ata/ahci_zhaoxin_sgpio.c:99:6: warning: no previous prototype for function 'ahci_zhaoxin_set_em_sgpio_gpmode' [-Wmissing-prototypes] 99 | void ahci_zhaoxin_set_em_sgpio_gpmode(struct sgpio_zhaoxin *sgpio_zhaoxin) | ^ drivers/ata/ahci_zhaoxin_sgpio.c:99:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 99 | void ahci_zhaoxin_set_em_sgpio_gpmode(struct sgpio_zhaoxin *sgpio_zhaoxin) | ^ | static >> drivers/ata/ahci_zhaoxin_sgpio.c:601:6: warning: no previous prototype for function 'set_em_messages' [-Wmissing-prototypes] 601 | void set_em_messages(struct sgpio_zhaoxin *sgpio_zhaoxin) | ^ drivers/ata/ahci_zhaoxin_sgpio.c:601:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 601 | void set_em_messages(struct sgpio_zhaoxin *sgpio_zhaoxin) | ^ | static >> drivers/ata/ahci_zhaoxin_sgpio.c:621:5: warning: no previous prototype for function 'add_sgpio_zhaoxin' [-Wmissing-prototypes] 621 | int add_sgpio_zhaoxin(void) | ^ drivers/ata/ahci_zhaoxin_sgpio.c:621:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 621 | int add_sgpio_zhaoxin(void) | ^ | static drivers/ata/ahci_zhaoxin_sgpio.c:673:6: warning: no previous prototype for function 'remove_sgpio_zhaoxin' [-Wmissing-prototypes] 673 | void remove_sgpio_zhaoxin(void) | ^ drivers/ata/ahci_zhaoxin_sgpio.c:673:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 673 | void remove_sgpio_zhaoxin(void) | ^ | static 7 warnings generated. vim +/get_ahci_em_messages +210 drivers/ata/libahci.c 209 > 210 int get_ahci_em_messages(void) 211 { 212 return ahci_em_messages; 213 } 214 EXPORT_SYMBOL_GPL(get_ahci_em_messages); 215 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0