- Kernel - mailweb.openeuler.org

[openeuler:OLK-5.10 3406/3406] kernel/cgroup/cgroup.c:6734: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd_v2'
by kernel test robot 12 Dec '25

12 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 58f07869576fac9de85244333864fb34fb7df411 commit: 56fee14453059f894b018d08071826d47e634800 [3406/3406] cgroup: make cgroup_bpf_prog_attach work when cgroup2 is not mounted config: arm64-randconfig-003-20251211 (https://download.01.org/0day-ci/archive/20251212/202512121532.9swcl8n5-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121532.9swcl8n5-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512121532.9swcl8n5-lkp@intel.com/ All warnings (new ones prefixed by >>): kernel/cgroup/cgroup.c:6217: warning: Function parameter or member 'f' not described in 'cgroup_get_from_file' kernel/cgroup/cgroup.c:6369: warning: Function parameter or member 'kargs' not described in 'cgroup_can_fork' kernel/cgroup/cgroup.c:6430: warning: Function parameter or member 'kargs' not described in 'cgroup_post_fork' kernel/cgroup/cgroup.c:6716: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd' >> kernel/cgroup/cgroup.c:6734: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd_v2' vim +6734 kernel/cgroup/cgroup.c 6729 6730 /** 6731 * same with cgroup_get_from_fd, only add cgrp_dfl_visible check 6732 */ 6733 struct cgroup *cgroup_get_from_fd_v2(int fd) > 6734 { 6735 struct cgroup *cgrp = cgroup_v1v2_get_from_fd(fd); 6736 6737 if (IS_ERR(cgrp)) 6738 return ERR_CAST(cgrp); 6739 6740 if (!cgroup_on_dfl(cgrp)) { 6741 cgroup_put(cgrp); 6742 if (cgrp_dfl_visible) 6743 return ERR_PTR(-EBADF); 6744 6745 cgrp = &cgrp_dfl_root.cgrp; 6746 cgroup_get(cgrp); 6747 } 6748 return cgrp; 6749 } 6750 EXPORT_SYMBOL_GPL(cgroup_get_from_fd_v2); 6751 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] mmc: core: Fix kernel panic when remove non-standard SDIO card
by Cai Xinchen 12 Dec '25

12 Dec '25

From: Matthew Ma <mahongwei(a)zeku.com> stable inclusion from stable-v4.19.264 commit 1fb79478695d92bab1c120ad3dad05252b02a29d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBMTC CVE: CVE-2022-50640 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 9972e6b404884adae9eec7463e30d9b3c9a70b18 upstream. SDIO tuple is only allocated for standard SDIO card, especially it causes memory corruption issues when the non-standard SDIO card has removed, which is because the card device's reference counter does not increase for it at sdio_init_func(), but all SDIO card device reference counter gets decreased at sdio_release_func(). Fixes: 6f51be3d37df ("sdio: allow non-standard SDIO cards") Signed-off-by: Matthew Ma <mahongwei(a)zeku.com> Reviewed-by: Weizhao Ouyang <ouyangweizhao(a)zeku.com> Reviewed-by: John Wang <wangdayu(a)zeku.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20221014034951.2300386-1-ouyangweizhao@zeku.com Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/mmc/core/sdio_bus.c [Only context conflicts since the commit 605d9fb9556 ("mmc: sdio: fix possible resource leaks in some error paths") is merged.] Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/mmc/core/sdio_bus.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/mmc/core/sdio_bus.c b/drivers/mmc/core/sdio_bus.c index 2ee4822c9285..dd73e8e83c72 100644 --- a/drivers/mmc/core/sdio_bus.c +++ b/drivers/mmc/core/sdio_bus.c @@ -264,7 +264,8 @@ static void sdio_release_func(struct device *dev) { struct sdio_func *func = dev_to_sdio_func(dev); - sdio_free_func_cis(func); + if (!(func->card->quirks & MMC_QUIRK_NONSTD_SDIO)) + sdio_free_func_cis(func); /* * We have now removed the link to the tuples in the -- 2.34.1

1 0

[openeuler:OLK-6.6 3540/3540] drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.c:63:24: warning: variable 'queue_mgt' set but not used
by kernel test robot 12 Dec '25

12 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: cd9eb9b4365b71652b2c2ac58293bea47c9f9302 commit: 69181c3c9413ccaa4dab458057d13efda520cb60 [3540/3540] Net: nebula_matrix: fix ci build warning config: x86_64-randconfig-103-20251212 (https://download.01.org/0day-ci/archive/20251212/202512121402.K1KWDJc7-lkp@…) compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121402.K1KWDJc7-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512121402.K1KWDJc7-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.c:7: In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.h:10: In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_resource.h:10: In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_core.h:10: In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_include/nbl_product_base.h:10: In file included from drivers/net/ethernet/nebula-matrix/nbl/nbl_include/nbl_include.h:12: In file included from include/linux/pci.h:1669: In file included from include/linux/dmapool.h:14: In file included from include/linux/scatterlist.h:8: In file included from include/linux/mm.h:2247: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ >> drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.c:63:24: warning: variable 'queue_mgt' set but not used [-Wunused-but-set-variable] 63 | struct nbl_queue_mgt *queue_mgt; | ^ drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.c:83:22: warning: variable 'vsi_mgt' set but not used [-Wunused-but-set-variable] 83 | struct nbl_vsi_mgt *vsi_mgt; | ^ drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.c:84:22: warning: variable 'phy_ops' set but not used [-Wunused-but-set-variable] 84 | struct nbl_phy_ops *phy_ops; | ^ 8 warnings generated. vim +/queue_mgt +63 drivers/net/ethernet/nebula-matrix/nbl/nbl_hw/nbl_vsi.c bad535d287c9c1 Bennie Yan 2024-09-24 59 bad535d287c9c1 Bennie Yan 2024-09-24 60 static int nbl_res_vsi_init_chip_module(void *priv) bad535d287c9c1 Bennie Yan 2024-09-24 61 { bad535d287c9c1 Bennie Yan 2024-09-24 62 struct nbl_resource_mgt *res_mgt = (struct nbl_resource_mgt *)priv; bad535d287c9c1 Bennie Yan 2024-09-24 @63 struct nbl_queue_mgt *queue_mgt; bad535d287c9c1 Bennie Yan 2024-09-24 64 struct nbl_phy_ops *phy_ops; bad535d287c9c1 Bennie Yan 2024-09-24 65 int ret = 0; bad535d287c9c1 Bennie Yan 2024-09-24 66 bad535d287c9c1 Bennie Yan 2024-09-24 67 if (!res_mgt) bad535d287c9c1 Bennie Yan 2024-09-24 68 return -EINVAL; bad535d287c9c1 Bennie Yan 2024-09-24 69 bad535d287c9c1 Bennie Yan 2024-09-24 70 queue_mgt = NBL_RES_MGT_TO_QUEUE_MGT(res_mgt); bad535d287c9c1 Bennie Yan 2024-09-24 71 phy_ops = NBL_RES_MGT_TO_PHY_OPS(res_mgt); bad535d287c9c1 Bennie Yan 2024-09-24 72 bad535d287c9c1 Bennie Yan 2024-09-24 73 ret = phy_ops->init_chip_module(NBL_RES_MGT_TO_PHY_PRIV(res_mgt), bad535d287c9c1 Bennie Yan 2024-09-24 74 res_mgt->resource_info->board_info.eth_speed, bad535d287c9c1 Bennie Yan 2024-09-24 75 res_mgt->resource_info->board_info.eth_num); bad535d287c9c1 Bennie Yan 2024-09-24 76 bad535d287c9c1 Bennie Yan 2024-09-24 77 return ret; bad535d287c9c1 Bennie Yan 2024-09-24 78 } bad535d287c9c1 Bennie Yan 2024-09-24 79 :::::: The code at line 63 was first introduced by commit :::::: bad535d287c9c1056d99de3666be7da84de4a8fc Net:nbl_core: Add nbl_core-driver for nebula-matrix S1055AS series smart NIC. :::::: TO: Bennie Yan <bennie.yan(a)nebula-matrix.com> :::::: CC: Bennie Yan <bennie.yan(a)nebula-matrix.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
by Zhang Kunbo 12 Dec '25

12 Dec '25

From: Chen Yufeng <chenyufeng(a)iie.ac.cn> stable inclusion from stable-v6.6.117 commit ea37884097a0931abb8e11e40eacfb25e9fdb5e9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBAG6 CVE: CVE-2025-40314 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 87c5ff5615dc0a37167e8faf3adeeddc6f1344a3 ] In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By separating the usb_del_gadget_udc() operation into distinct "del" and "put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget(). A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure only after freeing endpoints"). Signed-off-by: Chen Yufeng <chenyufeng(a)iie.ac.cn> Link: https://lore.kernel.org/r/20250905094842.1232-1-chenyufeng@iie.ac.cn Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/usb/cdns3/cdnsp-gadget.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/usb/cdns3/cdnsp-gadget.c b/drivers/usb/cdns3/cdnsp-gadget.c index 4b67749edb99..25a2ec79c061 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.c +++ b/drivers/usb/cdns3/cdnsp-gadget.c @@ -1931,7 +1931,10 @@ static int __cdnsp_gadget_init(struct cdns *cdns) return 0; del_gadget: - usb_del_gadget_udc(&pdev->gadget); + usb_del_gadget(&pdev->gadget); + cdnsp_gadget_free_endpoints(pdev); + usb_put_gadget(&pdev->gadget); + goto halt_pdev; free_endpoints: cdnsp_gadget_free_endpoints(pdev); halt_pdev: @@ -1953,8 +1956,9 @@ static void cdnsp_gadget_exit(struct cdns *cdns) devm_free_irq(pdev->dev, cdns->dev_irq, pdev); pm_runtime_mark_last_busy(cdns->dev); pm_runtime_put_autosuspend(cdns->dev); - usb_del_gadget_udc(&pdev->gadget); + usb_del_gadget(&pdev->gadget); cdnsp_gadget_free_endpoints(pdev); + usb_put_gadget(&pdev->gadget); cdnsp_mem_cleanup(pdev); kfree(pdev); cdns->gadget_dev = NULL; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] scsi: hpsa: Fix possible memory leak in hpsa_init_one()
by Zhang Kunbo 12 Dec '25

12 Dec '25

From: Yuan Can <yuancan(a)huawei.com> stable inclusion from stable-v4.19.270 commit f4d1c14e8b404766ff2bb8644bb19443d73965de category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBMU6 CVE: CVE-2022-50646 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 9c9ff300e0de07475796495d86f449340d454a0c ] The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to clean1 directly, which frees h and leaks the h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead free h directly. Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue") Signed-off-by: Yuan Can <yuancan(a)huawei.com> Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.com Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/scsi/hpsa.c [ Context difference due to not merged 0119208885b3faf2459de6d3fcc6d090580b906f ] Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/scsi/hpsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index dac636880b4d..32ec27b6ab18 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -8793,7 +8793,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) destroy_workqueue(h->rescan_ctlr_wq); h->rescan_ctlr_wq = NULL; } - kfree(h); + hpda_free_ctlr_info(h); return rc; } -- 2.34.1

2 1

[openeuler:OLK-5.10 3406/3406] kernel/task_work.c:84: warning: Function parameter or member 'data' not described in 'task_work_cancel_match'
by kernel test robot 12 Dec '25

12 Dec '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 58f07869576fac9de85244333864fb34fb7df411 commit: 8802b2dc61376ea4727dba6630f81697da540e85 [3406/3406] task_work: add helper for more targeted task_work canceling config: arm64-randconfig-003-20251211 (https://download.01.org/0day-ci/archive/20251212/202512121309.G9fDOety-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121309.G9fDOety-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512121309.G9fDOety-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/task_work.c:84: warning: Function parameter or member 'data' not described in 'task_work_cancel_match' vim +84 kernel/task_work.c e73f8959af0439d Oleg Nesterov 2012-05-11 71 892f6668f3a7088 Oleg Nesterov 2013-09-11 72 /** 8802b2dc61376ea Jens Axboe 2023-02-28 73 * task_work_cancel_match - cancel a pending work added by task_work_add() 892f6668f3a7088 Oleg Nesterov 2013-09-11 74 * @task: the task which should execute the work 8802b2dc61376ea Jens Axboe 2023-02-28 75 * @match: match function to call 892f6668f3a7088 Oleg Nesterov 2013-09-11 76 * 892f6668f3a7088 Oleg Nesterov 2013-09-11 77 * RETURNS: 892f6668f3a7088 Oleg Nesterov 2013-09-11 78 * The found work or NULL if not found. 892f6668f3a7088 Oleg Nesterov 2013-09-11 79 */ 67d1214551e800f Al Viro 2012-06-27 80 struct callback_head * 8802b2dc61376ea Jens Axboe 2023-02-28 81 task_work_cancel_match(struct task_struct *task, 8802b2dc61376ea Jens Axboe 2023-02-28 82 bool (*match)(struct callback_head *, void *data), 8802b2dc61376ea Jens Axboe 2023-02-28 83 void *data) e73f8959af0439d Oleg Nesterov 2012-05-11 @84 { ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 85 struct callback_head **pprev = &task->task_works; 205e550a0fb469a Oleg Nesterov 2013-09-11 86 struct callback_head *work; e73f8959af0439d Oleg Nesterov 2012-05-11 87 unsigned long flags; 61e96496d3c9497 Oleg Nesterov 2016-08-02 88 61e96496d3c9497 Oleg Nesterov 2016-08-02 89 if (likely(!task->task_works)) 61e96496d3c9497 Oleg Nesterov 2016-08-02 90 return NULL; ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 91 /* ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 92 * If cmpxchg() fails we continue without updating pprev. ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 93 * Either we raced with task_work_add() which added the ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 94 * new entry before this work, we will find it again. Or 9da33de62431c78 Oleg Nesterov 2012-08-26 95 * we raced with task_work_run(), *pprev == NULL/exited. ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 96 */ e73f8959af0439d Oleg Nesterov 2012-05-11 97 raw_spin_lock_irqsave(&task->pi_lock, flags); 506458efaf153c1 Will Deacon 2017-10-24 98 while ((work = READ_ONCE(*pprev))) { 8802b2dc61376ea Jens Axboe 2023-02-28 99 if (!match(work, data)) ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 100 pprev = &work->next; ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 101 else if (cmpxchg(pprev, work, work->next) == work) 158e1645e07f3e9 Al Viro 2012-06-27 102 break; 158e1645e07f3e9 Al Viro 2012-06-27 103 } e73f8959af0439d Oleg Nesterov 2012-05-11 104 raw_spin_unlock_irqrestore(&task->pi_lock, flags); ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 105 ac3d0da8f3290b3 Oleg Nesterov 2012-08-26 106 return work; e73f8959af0439d Oleg Nesterov 2012-05-11 107 } e73f8959af0439d Oleg Nesterov 2012-05-11 108 :::::: The code at line 84 was first introduced by commit :::::: e73f8959af0439d114847eab5a8a5ce48f1217c4 task_work_add: generic process-context callbacks :::::: TO: Oleg Nesterov <oleg(a)redhat.com> :::::: CC: Al Viro <viro(a)zeniv.linux.org.uk> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 3406/3406] fs/cachefiles/rdwr.c:860:6: warning: no previous prototype for function 'cachefiles_readpages_work_func'
by kernel test robot 12 Dec '25

12 Dec '25

Hi Jingbo, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 58f07869576fac9de85244333864fb34fb7df411 commit: 33ba25cc4869bab81ad31784e7bbb25e5da2a2ad [3406/3406] anolis: fscache,cachefiles: add fscache_prepare_read() helper config: x86_64-rhel-9.4-rust (https://download.01.org/0day-ci/archive/20251212/202512121252.aKzusfWQ-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 6ec8c4351cfc1d0627d1633b02ea787bd29c77d8) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512121252.aKzusfWQ-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512121252.aKzusfWQ-lkp@intel.com/ All warnings (new ones prefixed by >>): >> fs/cachefiles/rdwr.c:860:6: warning: no previous prototype for function 'cachefiles_readpages_work_func' [-Wmissing-prototypes] 860 | void cachefiles_readpages_work_func(struct work_struct *work) | ^ fs/cachefiles/rdwr.c:860:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 860 | void cachefiles_readpages_work_func(struct work_struct *work) | ^ | static 1 warning generated. vim +/cachefiles_readpages_work_func +860 fs/cachefiles/rdwr.c 859 > 860 void cachefiles_readpages_work_func(struct work_struct *work) 861 { 862 struct cachefiles_kiocb *ki = container_of(work, struct cachefiles_kiocb, work); 863 int ret; 864 865 ret = vfs_iocb_iter_read(ki->iocb.ki_filp, &ki->iocb, &ki->iter); 866 /* complete the request if there's any progress or error occurred */ 867 if (ret != -EIOCBQUEUED) { 868 struct fscache_retrieval *op = ki->op; 869 unsigned int nr_pages = atomic_read(&op->n_pages); 870 unsigned int done_pages = 0; 871 int i, error; 872 873 if (ret > 0) 874 done_pages = ret / PAGE_SIZE; 875 876 for (i = 0; i < nr_pages; i++) { 877 error = i < done_pages ? 0 : -EIO; 878 fscache_end_io(op, ki->bvs[i].bv_page, error); 879 } 880 881 fscache_retrieval_complete(op, nr_pages); 882 fscache_put_retrieval(op); 883 kfree(ki); 884 } 885 } 886 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 3534/3534] security/integrity/ima/ima_tpm.c:19:6: warning: no previous prototype for 'ima_pcrread'
by kernel test robot 12 Dec '25

12 Dec '25

Hi GONG, FYI, the error/warning was bisected to this commit, please ignore it if it's irrelevant. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: cd9eb9b4365b71652b2c2ac58293bea47c9f9302 commit: 40151ef24c1a0f35c5e0442834eb776877e66683 [3534/3534] ima: rot: Prepare TPM as an RoT config: x86_64-allnoconfig-bpf (https://download.01.org/0day-ci/archive/20251212/202512120507.yBtcWN2k-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251212/202512120507.yBtcWN2k-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512120507.yBtcWN2k-lkp@intel.com/ All warnings (new ones prefixed by >>): >> security/integrity/ima/ima_tpm.c:19:6: warning: no previous prototype for 'ima_pcrread' [-Wmissing-prototypes] 19 | void ima_pcrread(u32 idx, struct tpm_digest *d) | ^~~~~~~~~~~ security/integrity/ima/ima_tpm.c:28:5: warning: no previous prototype for 'ima_pcr_extend' [-Wmissing-prototypes] 28 | int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) | ^~~~~~~~~~~~~~ >> security/integrity/ima/ima_tpm.c:41:5: warning: no previous prototype for 'ima_tpm_init' [-Wmissing-prototypes] 41 | int ima_tpm_init(struct ima_rot *rot) | ^~~~~~~~~~~~ >> security/integrity/ima/ima_tpm.c:53:5: warning: no previous prototype for 'ima_tpm_extend' [-Wmissing-prototypes] 53 | int ima_tpm_extend(struct tpm_digest *digests_arg, const void *args) | ^~~~~~~~~~~~~~ >> security/integrity/ima/ima_tpm.c:60:5: warning: no previous prototype for 'ima_tpm_calc_boot_aggregate' [-Wmissing-prototypes] 60 | int ima_tpm_calc_boot_aggregate(struct ima_digest_data *hash) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ vim +/ima_pcrread +19 security/integrity/ima/ima_tpm.c 18 > 19 void ima_pcrread(u32 idx, struct tpm_digest *d) 20 { 21 if (!ima_tpm_chip) 22 return; 23 24 if (tpm_pcr_read(ima_tpm_chip, idx, d) != 0) 25 pr_err("Error Communicating to TPM chip\n"); 26 } 27 28 int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) 29 { 30 int result = 0; 31 32 if (!ima_tpm_chip) 33 return result; 34 35 result = tpm_pcr_extend(ima_tpm_chip, pcr, digests_arg); 36 if (result != 0) 37 pr_err("Error Communicating to TPM chip, result: %d\n", result); 38 return result; 39 } 40 > 41 int ima_tpm_init(struct ima_rot *rot) 42 { 43 ima_tpm_chip = tpm_default_chip(); 44 if (!ima_tpm_chip) 45 return -ENODEV; 46 47 rot->nr_allocated_banks = ima_tpm_chip->nr_allocated_banks; 48 rot->allocated_banks = ima_tpm_chip->allocated_banks; 49 50 return 0; 51 } 52 > 53 int ima_tpm_extend(struct tpm_digest *digests_arg, const void *args) 54 { 55 const int pcr = *(const int *)args; 56 57 return ima_pcr_extend(digests_arg, pcr); 58 } 59 > 60 int ima_tpm_calc_boot_aggregate(struct ima_digest_data *hash) -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
by Fanhua Li 12 Dec '25

12 Dec '25

From: Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> stable inclusion from stable-v6.6.117 commit 64e3175d1c8a3bea02032e7c9d1befd5f43786fa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBAJ5 CVE: CVE-2025-40321 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3776c685ebe5f43e9060af06872661de55e80b9a upstream. Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface. However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash. [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) [...] [ 1417.075653] Call trace: [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac] [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac] [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211] [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211] [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158 [ 1417.076302] genl_rcv_msg+0x220/0x2a0 [ 1417.076317] netlink_rcv_skb+0x68/0x140 [ 1417.076330] genl_rcv+0x40/0x60 [ 1417.076343] netlink_unicast+0x330/0x3b8 [ 1417.076357] netlink_sendmsg+0x19c/0x3f8 [ 1417.076370] __sock_sendmsg+0x64/0xc0 [ 1417.076391] ____sys_sendmsg+0x268/0x2a0 [ 1417.076408] ___sys_sendmsg+0xb8/0x118 [ 1417.076427] __sys_sendmsg+0x90/0xf8 [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40 [ 1417.076465] invoke_syscall+0x50/0x120 [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0 [ 1417.076506] do_el0_svc+0x24/0x38 [ 1417.076525] el0_svc+0x30/0x100 [ 1417.076548] el0t_64_sync_handler+0x100/0x130 [ 1417.076569] el0t_64_sync+0x190/0x198 [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000) Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver. Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion(). And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif. Cc: stable(a)vger.kernel.org Fixes: 18e2f61db3b7 ("brcmfmac: P2P action frame tx") Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> Acked-by: Arend van Spriel <arend.vanspriel(a)broadcom.com> Link: https://patch.msgid.link/20251013102819.9727-1-gokulkumar.sivakumar@infineo… [Cc stable] Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Fanhua Li <lifanhua5(a)huawei.com> --- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 3 +- .../broadcom/brcm80211/brcmfmac/p2p.c | 28 +++++++------------ .../broadcom/brcm80211/brcmfmac/p2p.h | 3 +- 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index c708ae91c3ce..2c6cc88bbe61 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -5594,8 +5594,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, brcmf_dbg(TRACE, "Action frame, cookie=%lld, len=%d, freq=%d\n", *cookie, le16_to_cpu(action_frame->len), freq); - ack = brcmf_p2p_send_action_frame(cfg, cfg_to_ndev(cfg), - af_params); + ack = brcmf_p2p_send_action_frame(vif->ifp, af_params); cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, ack, GFP_KERNEL); diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c index d4492d02e4ea..33f27c83c33e 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c @@ -1529,6 +1529,7 @@ int brcmf_p2p_notify_action_tx_complete(struct brcmf_if *ifp, /** * brcmf_p2p_tx_action_frame() - send action frame over fil. * + * @ifp: interface to transmit on. * @p2p: p2p info struct for vif. * @af_params: action frame data/info. * @@ -1538,12 +1539,11 @@ int brcmf_p2p_notify_action_tx_complete(struct brcmf_if *ifp, * The WLC_E_ACTION_FRAME_COMPLETE event will be received when the action * frame is transmitted. */ -static s32 brcmf_p2p_tx_action_frame(struct brcmf_p2p_info *p2p, +static s32 brcmf_p2p_tx_action_frame(struct brcmf_if *ifp, + struct brcmf_p2p_info *p2p, struct brcmf_fil_af_params_le *af_params) { struct brcmf_pub *drvr = p2p->cfg->pub; - struct brcmf_cfg80211_vif *vif; - struct brcmf_p2p_action_frame *p2p_af; s32 err = 0; brcmf_dbg(TRACE, "Enter\n"); @@ -1552,14 +1552,7 @@ static s32 brcmf_p2p_tx_action_frame(struct brcmf_p2p_info *p2p, clear_bit(BRCMF_P2P_STATUS_ACTION_TX_COMPLETED, &p2p->status); clear_bit(BRCMF_P2P_STATUS_ACTION_TX_NOACK, &p2p->status); - /* check if it is a p2p_presence response */ - p2p_af = (struct brcmf_p2p_action_frame *)af_params->action_frame.data; - if (p2p_af->subtype == P2P_AF_PRESENCE_RSP) - vif = p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif; - else - vif = p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif; - - err = brcmf_fil_bsscfg_data_set(vif->ifp, "actframe", af_params, + err = brcmf_fil_bsscfg_data_set(ifp, "actframe", af_params, sizeof(*af_params)); if (err) { bphy_err(drvr, " sending action frame has failed\n"); @@ -1711,16 +1704,14 @@ static bool brcmf_p2p_check_dwell_overflow(u32 requested_dwell, /** * brcmf_p2p_send_action_frame() - send action frame . * - * @cfg: driver private data for cfg80211 interface. - * @ndev: net device to transmit on. + * @ifp: interface to transmit on. * @af_params: configuration data for action frame. */ -bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg, - struct net_device *ndev, +bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp, struct brcmf_fil_af_params_le *af_params) { + struct brcmf_cfg80211_info *cfg = ifp->drvr->config; struct brcmf_p2p_info *p2p = &cfg->p2p; - struct brcmf_if *ifp = netdev_priv(ndev); struct brcmf_fil_action_frame_le *action_frame; struct brcmf_config_af_params config_af_params; struct afx_hdl *afx_hdl = &p2p->afx_hdl; @@ -1857,7 +1848,7 @@ bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg, if (af_params->channel) msleep(P2P_AF_RETRY_DELAY_TIME); - ack = !brcmf_p2p_tx_action_frame(p2p, af_params); + ack = !brcmf_p2p_tx_action_frame(ifp, p2p, af_params); tx_retry++; dwell_overflow = brcmf_p2p_check_dwell_overflow(requested_dwell, dwell_jiffies); @@ -2217,7 +2208,6 @@ static struct wireless_dev *brcmf_p2p_create_p2pdev(struct brcmf_p2p_info *p2p, WARN_ON(p2p_ifp->bsscfgidx != bsscfgidx); - init_completion(&p2p->send_af_done); INIT_WORK(&p2p->afx_hdl.afx_work, brcmf_p2p_afx_handler); init_completion(&p2p->afx_hdl.act_frm_scan); init_completion(&p2p->wait_next_af); @@ -2513,6 +2503,8 @@ s32 brcmf_p2p_attach(struct brcmf_cfg80211_info *cfg, bool p2pdev_forced) pri_ifp = brcmf_get_ifp(cfg->pub, 0); p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif = pri_ifp->vif; + init_completion(&p2p->send_af_done); + if (p2pdev_forced) { err_ptr = brcmf_p2p_create_p2pdev(p2p, NULL, NULL); if (IS_ERR(err_ptr)) { diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h index d2ecee565bf2..d3137ebd7158 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h @@ -168,8 +168,7 @@ int brcmf_p2p_notify_action_frame_rx(struct brcmf_if *ifp, int brcmf_p2p_notify_action_tx_complete(struct brcmf_if *ifp, const struct brcmf_event_msg *e, void *data); -bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg, - struct net_device *ndev, +bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp, struct brcmf_fil_af_params_le *af_params); bool brcmf_p2p_scan_finding_common_channel(struct brcmf_cfg80211_info *cfg, struct brcmf_bss_info_le *bi); -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] scsi: hpsa: Fix possible memory leak in hpsa_init_one()
by Zhang Kunbo 12 Dec '25

12 Dec '25

From: Yuan Can <yuancan(a)huawei.com> stable inclusion from stable-v4.19.270 commit f4d1c14e8b404766ff2bb8644bb19443d73965de category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBMU6 CVE: CVE-2022-50646 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 9c9ff300e0de07475796495d86f449340d454a0c ] The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to clean1 directly, which frees h and leaks the h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead free h directly. Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue") Signed-off-by: Yuan Can <yuancan(a)huawei.com> Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.com Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/scsi/hpsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index dac636880b4d..32ec27b6ab18 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -8793,7 +8793,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) destroy_workqueue(h->rescan_ctlr_wq); h->rescan_ctlr_wq = NULL; } - kfree(h); + hpda_free_ctlr_info(h); return rc; } -- 2.34.1

2 1