Kernel

kernel@openeuler.org

  • 56 participants
  • 22194 discussions
[openeuler:openEuler-1.0-LTS 1942/1942] drivers/net/ethernet/microchip/lan743x_ptp.c:985:6: warning: no previous prototype for function 'lan743x_ptp_set_sync_ts_insert'
by kernel test robot 25 Dec '25

25 Dec '25
Hi Bryan,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   4e9c55920995d70b3e88b60c69753df54b03fdf4
commit: 07624df1c9efd4b7f2f6762581587c590b03c7a2 [1942/1942] lan743x: lan743x: Add PTP support
config: x86_64-randconfig-071-20251213 (https://download.01.org/0day-ci/archive/20251225/202512250737.MecjkLdA-lkp@…)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 1335a05ab8bc8339ce24be3a9da89d8c3f4e0571)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512250737.MecjkLdA-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512250737.MecjkLdA-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from <built-in>:2:
   In file included from include/linux/compiler_types.h:78:
   include/linux/compiler-clang.h:25:9: warning: '__SANITIZE_ADDRESS__' macro redefined [-Wmacro-redefined]
      25 | #define __SANITIZE_ADDRESS__
         |         ^
   <built-in>:353:9: note: previous definition is here
     353 | #define __SANITIZE_ADDRESS__ 1
         |         ^
   drivers/net/ethernet/microchip/lan743x_ptp.c:781:28: error: no member named 'ptp_clock' in 'struct lan743x_ptp'
     781 |                 ptp_schedule_worker(ptp->ptp_clock, 0);
         |                                     ~~~  ^
   drivers/net/ethernet/microchip/lan743x_ptp.c:879:6: warning: unused variable 'ret' [-Wunused-variable]
     879 |         int ret = -ENODEV;
         |             ^~~
>> drivers/net/ethernet/microchip/lan743x_ptp.c:985:6: warning: no previous prototype for function 'lan743x_ptp_set_sync_ts_insert' [-Wmissing-prototypes]
     985 | void lan743x_ptp_set_sync_ts_insert(struct lan743x_adapter *adapter,
         |      ^
   drivers/net/ethernet/microchip/lan743x_ptp.c:985:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
     985 | void lan743x_ptp_set_sync_ts_insert(struct lan743x_adapter *adapter,
         | ^
         | static
   3 warnings and 1 error generated.

vim +/lan743x_ptp_set_sync_ts_insert +985 drivers/net/ethernet/microchip/lan743x_ptp.c

   984
 > 985  void lan743x_ptp_set_sync_ts_insert(struct lan743x_adapter *adapter,
   986                                      bool ts_insert_enable)
   987  {
   988          u32 ptp_tx_mod = lan743x_csr_read(adapter, PTP_TX_MOD);
   989
   990          if (ts_insert_enable)
   991                  ptp_tx_mod |= PTP_TX_MOD_TX_PTP_SYNC_TS_INSERT_;
   992          else
   993                  ptp_tx_mod &= ~PTP_TX_MOD_TX_PTP_SYNC_TS_INSERT_;
   994
   995          lan743x_csr_write(adapter, PTP_TX_MOD, ptp_tx_mod);
   996  }
   997

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-5.10 3406/3406] kernel/cgroup/cgroup.c:6734: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd_v2'
by kernel test robot 25 Dec '25

25 Dec '25
Hi Liu,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   1588d318a9e388d05b6cf5e2a63134c8beb6a355
commit: 56fee14453059f894b018d08071826d47e634800 [3406/3406] cgroup: make cgroup_bpf_prog_attach work when cgroup2 is not mounted
config: arm64-randconfig-003-20251211 (https://download.01.org/0day-ci/archive/20251225/202512250139.hi51ZBjo-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512250139.hi51ZBjo-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512250139.hi51ZBjo-lkp@intel.com/

All warnings (new ones prefixed by >>):

   kernel/cgroup/cgroup.c:6217: warning: Function parameter or member 'f' not described in 'cgroup_get_from_file'
   kernel/cgroup/cgroup.c:6369: warning: Function parameter or member 'kargs' not described in 'cgroup_can_fork'
   kernel/cgroup/cgroup.c:6430: warning: Function parameter or member 'kargs' not described in 'cgroup_post_fork'
   kernel/cgroup/cgroup.c:6716: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd'
>> kernel/cgroup/cgroup.c:6734: warning: Function parameter or member 'fd' not described in 'cgroup_get_from_fd_v2'

vim +6734 kernel/cgroup/cgroup.c

  6729
  6730  /**
  6731   * same with cgroup_get_from_fd, only add cgrp_dfl_visible check
  6732   */
  6733  struct cgroup *cgroup_get_from_fd_v2(int fd)
> 6734  {
  6735          struct cgroup *cgrp = cgroup_v1v2_get_from_fd(fd);
  6736
  6737          if (IS_ERR(cgrp))
  6738                  return ERR_CAST(cgrp);
  6739
  6740          if (!cgroup_on_dfl(cgrp)) {
  6741                  cgroup_put(cgrp);
  6742                  if (cgrp_dfl_visible)
  6743                          return ERR_PTR(-EBADF);
  6744
  6745                  cgrp = &cgrp_dfl_root.cgrp;
  6746                  cgroup_get(cgrp);
  6747          }
  6748          return cgrp;
  6749  }
  6750  EXPORT_SYMBOL_GPL(cgroup_get_from_fd_v2);
  6751

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:OLK-5.10 3406/3406] kernel/task_work.c:84: warning: Function parameter or member 'data' not described in 'task_work_cancel_match'
by kernel test robot 25 Dec '25

25 Dec '25
Hi Jens,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   1588d318a9e388d05b6cf5e2a63134c8beb6a355
commit: 8802b2dc61376ea4727dba6630f81697da540e85 [3406/3406] task_work: add helper for more targeted task_work canceling
config: arm64-randconfig-003-20251211 (https://download.01.org/0day-ci/archive/20251225/202512250050.7RnKXs39-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512250050.7RnKXs39-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202512250050.7RnKXs39-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> kernel/task_work.c:84: warning: Function parameter or member 'data' not described in 'task_work_cancel_match'

vim +84 kernel/task_work.c

e73f8959af0439 Oleg Nesterov 2012-05-11   71
892f6668f3a708 Oleg Nesterov 2013-09-11   72  /**
8802b2dc61376e Jens Axboe    2023-02-28   73   * task_work_cancel_match - cancel a pending work added by task_work_add()
892f6668f3a708 Oleg Nesterov 2013-09-11   74   * @task: the task which should execute the work
8802b2dc61376e Jens Axboe    2023-02-28   75   * @match: match function to call
892f6668f3a708 Oleg Nesterov 2013-09-11   76   *
892f6668f3a708 Oleg Nesterov 2013-09-11   77   * RETURNS:
892f6668f3a708 Oleg Nesterov 2013-09-11   78   * The found work or NULL if not found.
892f6668f3a708 Oleg Nesterov 2013-09-11   79   */
67d1214551e800 Al Viro       2012-06-27   80  struct callback_head *
8802b2dc61376e Jens Axboe    2023-02-28   81  task_work_cancel_match(struct task_struct *task,
8802b2dc61376e Jens Axboe    2023-02-28   82                         bool (*match)(struct callback_head *, void *data),
8802b2dc61376e Jens Axboe    2023-02-28   83                         void *data)
e73f8959af0439 Oleg Nesterov 2012-05-11  @84  {
ac3d0da8f3290b Oleg Nesterov 2012-08-26   85          struct callback_head **pprev = &task->task_works;
205e550a0fb469 Oleg Nesterov 2013-09-11   86          struct callback_head *work;
e73f8959af0439 Oleg Nesterov 2012-05-11   87          unsigned long flags;
61e96496d3c949 Oleg Nesterov 2016-08-02   88
61e96496d3c949 Oleg Nesterov 2016-08-02   89          if (likely(!task->task_works))
61e96496d3c949 Oleg Nesterov 2016-08-02   90                  return NULL;
ac3d0da8f3290b Oleg Nesterov 2012-08-26   91          /*
ac3d0da8f3290b Oleg Nesterov 2012-08-26   92           * If cmpxchg() fails we continue without updating pprev.
ac3d0da8f3290b Oleg Nesterov 2012-08-26   93           * Either we raced with task_work_add() which added the
ac3d0da8f3290b Oleg Nesterov 2012-08-26   94           * new entry before this work, we will find it again. Or
9da33de62431c7 Oleg Nesterov 2012-08-26   95           * we raced with task_work_run(), *pprev == NULL/exited.
ac3d0da8f3290b Oleg Nesterov 2012-08-26   96           */
e73f8959af0439 Oleg Nesterov 2012-05-11   97          raw_spin_lock_irqsave(&task->pi_lock, flags);
506458efaf153c Will Deacon   2017-10-24   98          while ((work = READ_ONCE(*pprev))) {
8802b2dc61376e Jens Axboe    2023-02-28   99                  if (!match(work, data))
ac3d0da8f3290b Oleg Nesterov 2012-08-26  100                          pprev = &work->next;
ac3d0da8f3290b Oleg Nesterov 2012-08-26  101                  else if (cmpxchg(pprev, work, work->next) == work)
158e1645e07f3e Al Viro       2012-06-27  102                          break;
158e1645e07f3e Al Viro       2012-06-27  103          }
e73f8959af0439 Oleg Nesterov 2012-05-11  104          raw_spin_unlock_irqrestore(&task->pi_lock, flags);
ac3d0da8f3290b Oleg Nesterov 2012-08-26  105
ac3d0da8f3290b Oleg Nesterov 2012-08-26  106          return work;
e73f8959af0439 Oleg Nesterov 2012-05-11  107  }
e73f8959af0439 Oleg Nesterov 2012-05-11  108

:::::: The code at line 84 was first introduced by commit
:::::: e73f8959af0439d114847eab5a8a5ce48f1217c4 task_work_add: generic process-context callbacks

:::::: TO: Oleg Nesterov <oleg(a)redhat.com>
:::::: CC: Al Viro <viro(a)zeniv.linux.org.uk>

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] [Backport] nvmet-fc: avoid scheduling association deletion twice
by Chen Jinghuang 24 Dec '25

24 Dec '25
From: Daniel Wagner <wagi(a)kernel.org> stable inclusion from stable-v6.6.117 commit 601ed47b2363c24d948d7bac0c23abc8bd459570 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11412 CVE: CVE-2025-40343 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit f2537be4f8421f6495edfa0bc284d722f253841d ] When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Closes: https://lore.kernel.org/all/rsdinhafrtlguauhesmrrzkybpnvwantwmyfq2ih5areggh… Reviewed-by: Hannes Reinecke <hare(a)suse.de> Signed-off-by: Daniel Wagner <wagi(a)kernel.org> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- drivers/nvme/target/fc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index a15e764bae35..188b9f1bdaca 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c 
@@ -1090,6 +1090,14 @@ nvmet_fc_delete_assoc_work(struct work_struct *work) static void nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) { + int terminating; + + terminating = atomic_xchg(&assoc->terminating, 1); + + /* if already terminating, do nothing */ + if (terminating) + return; + nvmet_fc_tgtport_get(assoc->tgtport); if (!queue_work(nvmet_wq, &assoc->del_work)) nvmet_fc_tgtport_put(assoc->tgtport); @@ -1209,13 +1217,7 @@ nvmet_fc_delete_target_assoc(struct nvmet_fc_tgt_assoc *assoc) { struct nvmet_fc_tgtport *tgtport = assoc->tgtport; unsigned long flags; - int i, terminating; - - terminating = atomic_xchg(&assoc->terminating, 1); - - /* if already terminating, do nothing */ - if (terminating) - return; + int i; spin_lock_irqsave(&tgtport->lock, flags); list_del_rcu(&assoc->a_list); -- 2.34.1
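Review bot: in the nvmet_fc_schedule_delete_assoc() hunk, the terminating flag is set before queue_work() and stays set on the path where queue_work() returns false, where only the tgtport reference is dropped. With the new guard in front, that failure branch should not normally be reachable for an already-queued del_work, so a comment saying so (or a warning on that branch) would make a regression visible. The local variable is also not needed: `if (atomic_xchg(&assoc->terminating, 1)) return;` reads the same.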
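Review bot: the second hunk removes the atomic_xchg() guard from nvmet_fc_delete_target_assoc(), so that function now depends entirely on being reached through nvmet_fc_schedule_delete_assoc(). The diff does not show its callers; please confirm on OLK-6.6 that nothing calls it directly, otherwise the list_del_rcu(&assoc->a_list) that follows can run twice for one association.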
[PATCH openEuler-1.0-LTS] md/raid10: fix null-ptr-deref in raid10_sync_request
by Zheng Qixing 24 Dec '25

24 Dec '25
From: Li Nan <linan122(a)huawei.com> stable inclusion from stable-v4.19.283 commit 38d33593260536840b49fd1dcac9aedfd14a9d42 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBOQL CVE: CVE-2023-53832 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit a405c6f0229526160aa3f177f65e20c86fce84c5 upstream. init_resync() inits mempool and sets conf->have_replacemnt at the beginning of sync, close_sync() frees the mempool when sync is completed. After [1] recovery might be skipped and init_resync() is called but close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio. The following is one way to reproduce the issue. 1) create a array, wait for resync to complete, mddev->recovery_cp is set to MaxSector. 2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() not called. 3) some io errors and rdev A is set to WantReplacement. 4) a new device is added and set to A's replacement. 5) recovery is woken, A have replacement, but conf->have_replacemnt is 0. r10bio->dev[i].repl_bio will not be alloced and null-ptr-deref occurs. Fix it by not calling init_resync() if recovery skipped. [1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled") Fixes: 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled") Cc: stable(a)vger.kernel.org Signed-off-by: Li Nan <linan122(a)huawei.com> Signed-off-by: Song Liu <song(a)kernel.org> Link: https://lore.kernel.org/r/20230222041000.3341651-3-linan666@huaweicloud.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/md/raid10.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c index 5f0a20174979..67493be59f7f 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c 
@@ -2989,10 +2989,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, sector_t chunk_mask = conf->geo.chunk_mask; int page_idx = 0; - if (!mempool_initialized(&conf->r10buf_pool)) - if (init_resync(conf)) - return 0; - /* * Allow skipping a full rebuild for incremental assembly * of a clean array, like RAID1 does. @@ -3008,6 +3004,10 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, return mddev->dev_sectors - sector_nr; } + if (!mempool_initialized(&conf->r10buf_pool)) + if (init_resync(conf)) + return 0; + skipped: max_sector = mddev->dev_sectors; if (test_bit(MD_RECOVERY_SYNC, &mddev->recovery) || -- 2.39.2
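Review bot: in the second hunk the init_resync() block now sits directly above the `skipped:` label, so any `goto skipped` enters below it and never initialises conf->r10buf_pool itself. That is fine only if every jump to the label happens after a first pass through this block; a one-line comment above the moved block stating that assumption would help the next person who touches the early-return path.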
[PATCH openEuler-1.0-LTS] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 24 Dec '25

24 Dec '25
From: Bart Van Assche <bvanassche(a)acm.org> mainline inclusion from mainline-v6.18-rc7 commit 90449f2d1e1f020835cba5417234636937dd657e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDATPD CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------ sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 7c9c63be214d..4698b79a62ff 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2208,9 +2208,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2
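Review bot: the comment added in sg_remove_sfp_usercontext() names blk_mq_free_request(), but the hunk itself only calls sg_finish_rem_req(). This patch is taken straight from mainline-v6.18-rc7 onto openEuler-1.0-LTS, so please check that sg_finish_rem_req() on this branch really ends in blk_mq_free_request() and reword the comment if the request is freed through a different helper here.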
[PATCH OLK-5.10] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 24 Dec '25

24 Dec '25
From: Bart Van Assche <bvanassche(a)acm.org> stable inclusion from stable-v5.10.247 commit db6ac8703ab2b473e1ec845f57f6dd961a388d9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDATPD CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit 90449f2d1e1f020835cba5417234636937dd657e upstream. sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index fbd973b184bb..98baa9cd46bf 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c 
@@ -2235,9 +2235,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2
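Review bot: the loop body in sg_remove_sfp_usercontext() now drops rq_list_lock before sg_finish_rem_req() and re-takes it as its last statement, so the write_unlock_irqrestore() after the loop is balanced only because every iteration ends with write_lock_irqsave(). A `continue` or `break` added later between the unlock and the relock would leave the lock state wrong; a short comment at the unlock stating that the lock is dropped because sg_finish_rem_req() may sleep would make that constraint explicit.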
[PATCH OLK-6.6] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 24 Dec '25

24 Dec '25
From: Bart Van Assche <bvanassche(a)acm.org> stable inclusion from stable-v6.6.118 commit b343cee5df7e750d9033fba33e96fc4399fa88a5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDATPD CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit 90449f2d1e1f020835cba5417234636937dd657e upstream. sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 62574886a911..9258a1a8c23c 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c 
@@ -2212,9 +2212,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2
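Review bot: `srp->parentfp = NULL;` is now stored after write_unlock_irqrestore(), that is, without rq_list_lock held. That is safe only because list_del(&srp->entry) was moved ahead of the unlock, so srp can no longer be reached through sfp->rq_list. The added comment explains the ordering against sg_rq_end_io() but not why the unlocked store is fine; one more sentence there would cover it.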
[PATCH] [Backport] nvmet-fc: avoid scheduling association deletion twice
by Chen Jinghuang 24 Dec '25

24 Dec '25
From: Daniel Wagner <wagi(a)kernel.org> stable inclusion from stable-v6.6.117 commit 601ed47b2363c24d948d7bac0c23abc8bd459570 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11412 CVE: CVE-2025-40343 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit f2537be4f8421f6495edfa0bc284d722f253841d ] When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Closes: https://lore.kernel.org/all/rsdinhafrtlguauhesmrrzkybpnvwantwmyfq2ih5areggh… Reviewed-by: Hannes Reinecke <hare(a)suse.de> Signed-off-by: Daniel Wagner <wagi(a)kernel.org> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- drivers/nvme/target/fc.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index a15e764bae35..188b9f1bdaca 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c 
@@ -1090,6 +1090,14 @@ nvmet_fc_delete_assoc_work(struct work_struct *work) static void nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc) { + int terminating; + + terminating = atomic_xchg(&assoc->terminating, 1); + + /* if already terminating, do nothing */ + if (terminating) + return; + nvmet_fc_tgtport_get(assoc->tgtport); if (!queue_work(nvmet_wq, &assoc->del_work)) nvmet_fc_tgtport_put(assoc->tgtport); @@ -1209,13 +1217,7 @@ nvmet_fc_delete_target_assoc(struct nvmet_fc_tgt_assoc *assoc) { struct nvmet_fc_tgtport *tgtport = assoc->tgtport; unsigned long flags; - int i, terminating; - - terminating = atomic_xchg(&assoc->terminating, 1); - - /* if already terminating, do nothing */ - if (terminating) - return; + int i; spin_lock_irqsave(&tgtport->lock, flags); list_del_rcu(&assoc->a_list); -- 2.34.1
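Review bot: this diff is the same as the one posted as "[PATCH OLK-6.6] [Backport] nvmet-fc: avoid scheduling association deletion twice", down to the index line a15e764bae35..188b9f1bdaca, but the subject here carries no target branch tag. Please say which posting is the one to apply and withdraw the other, so the change in nvmet_fc_schedule_delete_assoc() is not queued twice.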
[PATCH OLK-6.6] bpf: Fix invalid prog->stats access when update_effective_progs fails
by Pu Lehui 24 Dec '25

24 Dec '25
mainline inclusion from mainline-v6.19-rc1 commit 7dc211c1159d991db609bdf4b0fb9033c04adcbc category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8294 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL. Fixes: 492ecee892c2 ("bpf: enable program stats") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> Link: https://lore.kernel.org/r/20251115102343.2200727-1-pulehui@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Conflicts: include/linux/filter.h [The conflicts were due to not merge ce09cbdd9888] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- include/linux/filter.h | 12 +++++++----- kernel/bpf/syscall.c | 3 +++ 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index a7c0caa8b7ad..b324f264fc14 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h 
@@ -603,11 +603,13 @@ static __always_inline u32 __bpf_prog_run(const struct bpf_prog *prog, unsigned long flags; ret = dfunc(ctx, prog->insnsi, prog->bpf_func); - stats = this_cpu_ptr(prog->stats); - flags = u64_stats_update_begin_irqsave(&stats->syncp); - u64_stats_inc(&stats->cnt); - u64_stats_add(&stats->nsecs, sched_clock() - start); - u64_stats_update_end_irqrestore(&stats->syncp, flags); + if (likely(prog->stats)) { + stats = this_cpu_ptr(prog->stats); + flags = u64_stats_update_begin_irqsave(&stats->syncp); + u64_stats_inc(&stats->cnt); + u64_stats_add(&stats->nsecs, sched_clock() - start); + u64_stats_update_end_irqrestore(&stats->syncp, flags); + } } else { ret = dfunc(ctx, prog->insnsi, prog->bpf_func); } diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 091234d93d2b..2c8a655db26a 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -2226,6 +2226,9 @@ void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog) struct bpf_prog_stats *stats; unsigned int flags; + if (unlikely(!prog->stats)) + return; + stats = this_cpu_ptr(prog->stats); flags = u64_stats_update_begin_irqsave(&stats->syncp); u64_stats_inc(&stats->misses); -- 2.34.1
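Review bot: in the include/linux/filter.h hunk, the new `if (likely(prog->stats))` silently skips the accounting with nothing in the code saying when stats can be NULL. The commit message identifies dummy_bpf_prog.prog as the case; a short comment on the check naming it would keep the branch from being removed later as dead code.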
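Review bot: in the kernel/bpf/syscall.c hunk, the context line `unsigned int flags;` in bpf_prog_inc_misses_counter() receives the result of u64_stats_update_begin_irqsave(), while the same call in the filter.h hunk stores into `unsigned long flags;`. This is not introduced by the patch, but since the function is being touched, the type should be made `unsigned long` to match, in a follow-up if the backport has to stay identical to upstream.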