- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] net/mlx5: fw_tracer, Validate format string parameters
by Chen Ridong 02 Feb '26

02 Feb '26

From: Shay Drory <shayd(a)nvidia.com> stable inclusion from stable-v6.6.120 commit 8ac688c0e430dab19f6a9b70df94b1f635612c1a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13368 CVE: CVE-2025-68816 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b35966042d20b14e2d83330049f77deec5229749 ] Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix. Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support") Signed-off-by: Shay Drory <shayd(a)nvidia.com> Reviewed-by: Moshe Shemesh <moshe(a)nvidia.com> Reported-by: Breno Leitao <leitao(a)debian.org> Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5s… Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Link: https://patch.msgid.link/1765284977-1363052-4-git-send-email-tariqt@nvidia.… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Ridong <chenridong(a)huawei.com> --- .../mellanox/mlx5/core/diag/fw_tracer.c | 83 ++++++++++++++++--- .../mellanox/mlx5/core/diag/fw_tracer.h | 1 + 2 files changed, 74 insertions(+), 10 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c index 85d3bfa0780c6..197c306d350bf 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c @@ -33,6 +33,7 @@ #include "lib/eq.h" #include "fw_tracer.h" #include "fw_tracer_tracepoint.h" +#include <linux/ctype.h> static int mlx5_query_mtrc_caps(struct mlx5_fw_tracer *tracer) { @@ -358,6 +359,43 @@ static const char *VAL_PARM = "%llx"; static const char *REPLACE_64_VAL_PARM = "%x%x"; static const char *PARAM_CHAR = "%"; +static bool mlx5_is_valid_spec(const char *str) +{ + /* Parse format specifiers to find the actual type. + * Structure: %[flags][width][.precision][length]type + * Skip flags, width, precision & length. + */ + while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l') + str++; + + /* Check if it's a valid integer/hex specifier: + * Valid formats: %x, %d, %i, %u, etc. + */ + if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' && + *str != 'u' && *str != 'c') + return false; + + return true; +} + +static bool mlx5_tracer_validate_params(const char *str) +{ + const char *substr = str; + + if (!str) + return false; + + substr = strstr(substr, PARAM_CHAR); + while (substr) { + if (!mlx5_is_valid_spec(substr + 1)) + return false; + + substr = strstr(substr + 1, PARAM_CHAR); + } + + return true; +} + static int mlx5_tracer_message_hash(u32 message_id) { return jhash_1word(message_id, 0) & (MESSAGE_HASH_SIZE - 1); @@ -419,6 +457,10 @@ static int mlx5_tracer_get_num_of_params(char *str) char *substr, *pstr = str; int num_of_params = 0; + /* Validate that all parameters are valid before processing */ + if (!mlx5_tracer_validate_params(str)) + return -EINVAL; + /* replace %llx with %x%x */ substr = strstr(pstr, VAL_PARM); while (substr) { @@ -570,14 +612,17 @@ void mlx5_tracer_print_trace(struct tracer_string_format *str_frmt, { char tmp[512]; - snprintf(tmp, sizeof(tmp), str_frmt->string, - str_frmt->params[0], - str_frmt->params[1], - str_frmt->params[2], - str_frmt->params[3], - str_frmt->params[4], - str_frmt->params[5], - str_frmt->params[6]); + if (str_frmt->invalid_string) + snprintf(tmp, sizeof(tmp), "BAD_FORMAT: %s", str_frmt->string); + else + snprintf(tmp, sizeof(tmp), str_frmt->string, + str_frmt->params[0], + str_frmt->params[1], + str_frmt->params[2], + str_frmt->params[3], + str_frmt->params[4], + str_frmt->params[5], + str_frmt->params[6]); trace_mlx5_fw(dev->tracer, trace_timestamp, str_frmt->lost, str_frmt->event_id, tmp); @@ -609,6 +654,13 @@ static int mlx5_tracer_handle_raw_string(struct mlx5_fw_tracer *tracer, return 0; } +static void mlx5_tracer_handle_bad_format_string(struct mlx5_fw_tracer *tracer, + struct tracer_string_format *cur_string) +{ + cur_string->invalid_string = true; + list_add_tail(&cur_string->list, &tracer->ready_strings_list); +} + static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer, struct tracer_event *tracer_event) { @@ -619,12 +671,18 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer, if (!cur_string) return mlx5_tracer_handle_raw_string(tracer, tracer_event); - cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string); - cur_string->last_param_num = 0; cur_string->event_id = tracer_event->event_id; cur_string->tmsn = tracer_event->string_event.tmsn; cur_string->timestamp = tracer_event->string_event.timestamp; cur_string->lost = tracer_event->lost_event; + cur_string->last_param_num = 0; + cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string); + if (cur_string->num_of_params < 0) { + pr_debug("%s Invalid format string parameters\n", + __func__); + mlx5_tracer_handle_bad_format_string(tracer, cur_string); + return 0; + } if (cur_string->num_of_params == 0) /* trace with no params */ list_add_tail(&cur_string->list, &tracer->ready_strings_list); } else { @@ -634,6 +692,11 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer, __func__, tracer_event->string_event.tmsn); return mlx5_tracer_handle_raw_string(tracer, tracer_event); } + if (cur_string->num_of_params < 0) { + pr_debug("%s string parameter of invalid string, dumping\n", + __func__); + return 0; + } cur_string->last_param_num += 1; if (cur_string->last_param_num > TRACER_MAX_PARAMS) { pr_debug("%s Number of params exceeds the max (%d)\n", diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h index 5c548bb74f07b..30d0bcba88479 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h +++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h @@ -125,6 +125,7 @@ struct tracer_string_format { struct list_head list; u32 timestamp; bool lost; + bool invalid_string; }; enum mlx5_fw_tracer_ownership_state { -- 2.34.1

2 1

[PATCH OLK-5.10 0/2] CVE-2022-50616
by Liu Mingrui 02 Feb '26

02 Feb '26

From: Mingrui Liu <liumingrui(a)huawei.com> CVE-2022-50616 ChiYuan Huang (2): regulator: core: Use different devices for resource allocation and DT lookup regulator: core: Fix resolve supply lookup issue drivers/regulator/core.c | 10 +++++----- drivers/regulator/devres.c | 2 +- drivers/regulator/dummy.c | 2 +- drivers/regulator/of_regulator.c | 2 +- drivers/regulator/stm32-vrefbuf.c | 2 +- drivers/staging/hikey9xx/hi6421v600-regulator.c | 2 +- include/linux/regulator/driver.h | 3 ++- 7 files changed, 12 insertions(+), 11 deletions(-) -- 2.34.1

2 3

[PATCH OLK-6.6 1/1] crypto: aspeed - fix double free caused by devm
by Liu Mingrui 02 Feb '26

02 Feb '26

From: Haotian Zhang <vulab(a)iscas.ac.cn> stable inclusion from stable-v6.6.117 commit 0dd6474ced33489076e6c0f3fe5077bf12e85b28 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8287 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 ] The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove(). Fixes: 2f1cf4e50c95 ("crypto: aspeed - Add ACRY RSA driver") Signed-off-by: Haotian Zhang <vulab(a)iscas.ac.cn> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Mingrui Liu <liumingrui(a)huawei.com> --- drivers/crypto/aspeed/aspeed-acry.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/crypto/aspeed/aspeed-acry.c b/drivers/crypto/aspeed/aspeed-acry.c index 247c568aa8df..64facdfaff2a 100644 --- a/drivers/crypto/aspeed/aspeed-acry.c +++ b/drivers/crypto/aspeed/aspeed-acry.c @@ -789,7 +789,6 @@ static int aspeed_acry_probe(struct platform_device *pdev) err_engine_rsa_start: crypto_engine_exit(acry_dev->crypt_engine_rsa); clk_exit: - clk_disable_unprepare(acry_dev->clk); return rc; } @@ -801,7 +800,6 @@ static int aspeed_acry_remove(struct platform_device *pdev) aspeed_acry_unregister(acry_dev); crypto_engine_exit(acry_dev->crypt_engine_rsa); tasklet_kill(&acry_dev->done_task); - clk_disable_unprepare(acry_dev->clk); return 0; } -- 2.34.1

2 1

[PATCH OLK-5.10 0/4] CVE-2025-39744 fixup
by Jiacheng Yu 02 Feb '26

02 Feb '26

*** BLURB HERE *** Frederic Weisbecker (1): rcu: Fix racy re-initialization of irq_work causing hangs Joel Fernandes (1): rcu: Fix rcu_read_unlock() deadloop due to IRQ work Paul E. McKenney (1): rcu: Protect ->defer_qs_iw_pending from data race Zqiang (1): rcu: Use IRQ_WORK_INIT_HARD() to avoid rcu_read_unlock() hangs kernel/rcu/tree.c | 1 + kernel/rcu/tree.h | 14 +++++++++++++- kernel/rcu/tree_plugin.h | 39 +++++++++++++++++++++++++++++++++------ 3 files changed, 47 insertions(+), 7 deletions(-) -- 2.43.0

2 5

[PATCH OLK-6.6 0/3] CVE-2025-39744 fixup
by Jiacheng Yu 02 Feb '26

02 Feb '26

*** BLURB HERE *** Frederic Weisbecker (1): rcu: Fix racy re-initialization of irq_work causing hangs Joel Fernandes (1): rcu: Fix rcu_read_unlock() deadloop due to IRQ work Paul E. McKenney (1): rcu: Protect ->defer_qs_iw_pending from data race kernel/rcu/tree.c | 2 ++ kernel/rcu/tree.h | 14 ++++++++++++- kernel/rcu/tree_plugin.h | 44 ++++++++++++++++++++++++++++++---------- 3 files changed, 48 insertions(+), 12 deletions(-) -- 2.43.0

2 4

[PATCH OLK-5.10 0/2] CVE-2022-50616
by Liu Mingrui 02 Feb '26

02 Feb '26

From: Mingrui Liu <liumingrui(a)huawei.com> CVE-2022-50616 ChiYuan Huang (2): regulator: core: Use different devices for resource allocation and DT lookup regulator: core: Fix resolve supply lookup issue drivers/regulator/core.c | 10 +++++----- drivers/regulator/devres.c | 2 +- drivers/regulator/dummy.c | 2 +- drivers/regulator/of_regulator.c | 2 +- drivers/regulator/stm32-vrefbuf.c | 2 +- drivers/staging/hikey9xx/hi6421v600-regulator.c | 2 +- include/linux/regulator/driver.h | 3 ++- 7 files changed, 12 insertions(+), 11 deletions(-) -- 2.34.1

2 3

[PATCH OLK-6.6] Bluetooth: bcsp: receive data only if registered
by Yin Tirui 02 Feb '26

02 Feb '26

From: Ivan Pravdin <ipravdin.official(a)gmail.com> stable inclusion from stable-v6.6.117 commit 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11320 CVE: CVE-2025-40308 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ca94b2b036c22556c3a66f1b80f490882deef7a6 ] Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. Reported-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4ed6852d4da4606c93da Tested-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Signed-off-by: Ivan Pravdin <ipravdin.official(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yin Tirui <yintirui(a)huawei.com> --- drivers/bluetooth/hci_bcsp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 2a5a27d713f8..e991d9e62486 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -582,6 +582,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) struct bcsp_struct *bcsp = hu->priv; const unsigned char *ptr; + if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) + return -EUNATCH; + BT_DBG("hu %p count %d rx_state %d rx_count %ld", hu, count, bcsp->rx_state, bcsp->rx_count); -- 2.43.0

2 1

[PATCH OLK-6.6] Bluetooth: bcsp: receive data only if registered
by Yin Tirui 02 Feb '26

02 Feb '26

From: Ivan Pravdin <ipravdin.official(a)gmail.com> stable inclusion from stable-v6.6.117 commit 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDBAE0 CVE: CVE-2025-40308 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ca94b2b036c22556c3a66f1b80f490882deef7a6 ] Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. Reported-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4ed6852d4da4606c93da Tested-by: syzbot+4ed6852d4da4606c93da(a)syzkaller.appspotmail.com Signed-off-by: Ivan Pravdin <ipravdin.official(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yin Tirui <yintirui(a)huawei.com> --- drivers/bluetooth/hci_bcsp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 2a5a27d713f8..e991d9e62486 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -582,6 +582,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count) struct bcsp_struct *bcsp = hu->priv; const unsigned char *ptr; + if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) + return -EUNATCH; + BT_DBG("hu %p count %d rx_state %d rx_count %ld", hu, count, bcsp->rx_state, bcsp->rx_count); -- 2.43.0

2 1

[PATCH OLK-6.6] XSched: Update XSched manual
by Liu Kai 02 Feb '26

02 Feb '26

hulk inclusion category: doc bugzilla: https://atomgit.com/openeuler/kernel/issues/8423 -------------------------------- Update the patch link Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- Documentation/scheduler/xsched.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Documentation/scheduler/xsched.md b/Documentation/scheduler/xsched.md index 89ef01d42fc0..11dc0c964e0a 100644 --- a/Documentation/scheduler/xsched.md +++ b/Documentation/scheduler/xsched.md @@ -84,7 +84,7 @@ mkdir <new_driver_dir> ./Ascend-hdk-910b-npu-driver_xx.x.x_linux-aarch64.run --tar -xvf -C <new_driver_dir> ``` -下载驱动补丁 [XSched driver patch](https://gitee.com/openeuler/kernel/commit/8d50448f11b697a177b63d3ccb… 适配 NPU 驱动 +下载驱动补丁 [XSched driver patch](https://gitcode.com/openeuler/kernel/commit/58e645cf8fd8d96573b70153… 适配 NPU 驱动 ```shell cp 0001-Adapt-910b-npu-driver-for-xsched.patch <new_driver_dir>/driver/kernel/ @@ -94,8 +94,10 @@ cd <new_driver_dir>/driver/kernel/ git init git add . git commit -m "npu init" +# 使用下载的 patch 文件 +git am 58e645cf8fd8d96573b7015385bf52522ebfee67.patch --reject # 如果有冲突则根据 .rej 文件适配冲突代码 -git am 0001-Adapt-910b-npu-driver-for-xsched.patch --reject +git am drivers/xcu/0001-Adapt-910_93-npu-driver-for-xsched.txt --reject ``` #### 1.3.2 替换驱动 -- 2.34.1

2 1

[PATCH OLK-6.6 0/3] adapt LTS patch 5ba723cc37230e616fe47ec19d441ba3168b4c4c
by Quanmin Yan 02 Feb '26

02 Feb '26

The original LTS patch is incompatible with the atomic mode of the mm counter. Therefore, the patch needs to be reverted and adapted again. Baolin Wang (1): mm: fix the inaccurate memory statistics issue for users Quanmin Yan (2): Revert "mm: fix the inaccurate memory statistics issue for users" mm: add config option for atomic mode in mm counter arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + include/linux/mm.h | 53 ++++++++++++++++++++------ include/trace/events/kmem.h | 2 +- kernel/fork.c | 26 ++++++++++--- mm/Kconfig | 12 ++++++ 6 files changed, 78 insertions(+), 17 deletions(-) -- 2.43.0

2 4