- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] crypto: rng - Ensure set_ent is always present
by Gu Bowen 20 Nov '25

20 Nov '25

From: Herbert Xu <herbert(a)gondor.apana.org.au> stable inclusion from stable-v6.6.111 commit ab172f4f42626549b02bada05f09e3f2b0cc26ec category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID5OZT CVE: CVE-2025-40109 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c0d36727bf39bb16ef0a67ed608e279535ebf0da upstream. Ensure that set_ent is always set since only drbg provides it. Fixes: 77ebdabe8de7 ("crypto: af_alg - add extra parameters for DRBG interface") Reported-by: Yiqi Sun <sunyiqixm(a)gmail.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- crypto/rng.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/crypto/rng.c b/crypto/rng.c index 279dffdebf59..e462031fef68 100644 --- a/crypto/rng.c +++ b/crypto/rng.c @@ -197,6 +197,11 @@ int crypto_del_default_rng(void) EXPORT_SYMBOL_GPL(crypto_del_default_rng); #endif +static void rng_default_set_ent(struct crypto_rng *tfm, const u8 *data, + unsigned int len) +{ +} + int crypto_register_rng(struct rng_alg *alg) { struct crypto_istat_rng *istat = rng_get_stat(alg); @@ -212,6 +217,9 @@ int crypto_register_rng(struct rng_alg *alg) if (IS_ENABLED(CONFIG_CRYPTO_STATS)) memset(istat, 0, sizeof(*istat)); + if (!alg->set_ent) + alg->set_ent = rng_default_set_ent; + return crypto_register_alg(base); } EXPORT_SYMBOL_GPL(crypto_register_rng); -- 2.43.0

2 1

[PATCH OLK-6.6] KVM: arm64: Fix access_actlr() build warning
by Jinjie Ruan 20 Nov '25

20 Nov '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/release-management/issues/IBV2E4 -------------------------------- If ACTLR_XCALL_XINT not set, the following issue occurs as val is not used without ACTLR_XCALL_XINT, so fix it by moving it into CONFIG_ACTLR_XCALL_XINT controlled code. arch/arm64/kvm/sys_regs.c: In function ‘access_actlr’: arch/arm64/kvm/sys_regs.c:283:26: warning: unused variable ‘val’ [-Wunused-variable] 283 | u64 mask, shift, val; | ^~~ Fixes: bd2967e62cdf ("arm64: Fix actlr_el1 can not set problem in guest") Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- arch/arm64/kvm/sys_regs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c index 73d5102e7a10..ded8d28d10a8 100644 --- a/arch/arm64/kvm/sys_regs.c +++ b/arch/arm64/kvm/sys_regs.c @@ -280,11 +280,11 @@ static bool access_actlr(struct kvm_vcpu *vcpu, struct sys_reg_params *p, const struct sys_reg_desc *r) { - u64 mask, shift, val; + u64 mask, shift; #ifdef CONFIG_ACTLR_XCALL_XINT if (p->is_write) { - val = vcpu_read_sys_reg(vcpu, r->reg); + u64 val = vcpu_read_sys_reg(vcpu, r->reg); val &= ~(ACTLR_ELx_XCALL | ACTLR_ELx_XINT); val |= (p->regval & (ACTLR_ELx_XCALL | ACTLR_ELx_XINT)); vcpu_write_sys_reg(vcpu, val, r->reg); -- 2.34.1

2 1

[PATCH OLK-6.6] dm: fix NULL pointer dereference in __dm_suspend()
by Li Lingfeng 20 Nov '25

20 Nov '25

From: Zheng Qixing <zhengqixing(a)huawei.com> mainline inclusion from mainline-v6.18-rc1 commit 8d33a030c566e1f105cd5bf27f37940b6367f3be category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID6B5Z CVE: CVE-2025-40134 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace: <TASK> blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0 The issue can be triggered as below: T1 T2 dm_suspend table_load __dm_suspend dm_setup_md_queue dm_mq_init_request_queue blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer! (2) => q->tag_set = set; (3) Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps. Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences. Fixes: c4576aed8d85 ("dm: fix request-based dm's use of dm_wait_for_completion") Cc: stable(a)vger.kernel.org Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Conflicts: drivers/md/dm.c [Commit 7f597c2cdb9d ("dm: fix queue start/stop imbalance under suspend/load/resume races") add setting of DMF_QUEUE_STOPPED in __dm_suspend.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm.c b/drivers/md/dm.c index ffa469ececb9..5b2e2909f48f 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2688,7 +2688,7 @@ static int __dm_suspend(struct mapped_device *md, struct dm_table *map, { bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG; bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG; - int r; + int r = 0; lockdep_assert_held(&md->suspend_lock); @@ -2740,7 +2740,7 @@ static int __dm_suspend(struct mapped_device *md, struct dm_table *map, * Stop md->queue before flushing md->wq in case request-based * dm defers requests to md->wq from md->queue. */ - if (dm_request_based(md)) + if (map && dm_request_based(md)) dm_stop_queue(md->queue); flush_workqueue(md->wq); @@ -2750,7 +2750,8 @@ static int __dm_suspend(struct mapped_device *md, struct dm_table *map, * We call dm_wait_for_completion to wait for all existing requests * to finish. */ - r = dm_wait_for_completion(md, task_state); + if (map) + r = dm_wait_for_completion(md, task_state); if (!r) set_bit(dmf_suspended_flag, &md->flags); -- 2.46.1

2 1

[PATCH OLK-6.6] nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
by Yifan Qiao 20 Nov '25

20 Nov '25

From: Daniel Wagner <wagi(a)kernel.org> stable inclusion from stable-v6.6.112 commit 060ecc81240ef9d60d9485a3a5eb55a0d6e7a25c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID6BC6 CVE: CVE-2025-40171 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit db5a5406fb7e5337a074385c7a3e53c77f2c1bd3 ] It’s possible for more than one async command to be in flight from __nvmet_fc_send_ls_req. For each command, a tgtport reference is taken. In the current code, only one put work item is queued at a time, which results in a leaked reference. To fix this, move the work item to the nvmet_fc_ls_req_op struct, which already tracks all resources related to the command. Fixes: 710c69dbaccd ("nvmet-fc: avoid deadlock on delete association path") Reviewed-by: Hannes Reinecke <hare(a)suse.de> Signed-off-by: Daniel Wagner <wagi(a)kernel.org> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- drivers/nvme/target/fc.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c index 8a02ed63b156..8c0082466d0c 100644 --- a/drivers/nvme/target/fc.c +++ b/drivers/nvme/target/fc.c @@ -54,6 +54,8 @@ struct nvmet_fc_ls_req_op { /* for an LS RQST XMT */ int ls_error; struct list_head lsreq_list; /* tgtport->ls_req_list */ bool req_queued; + + struct work_struct put_work; }; @@ -111,8 +113,6 @@ struct nvmet_fc_tgtport { struct nvmet_fc_port_entry *pe; struct kref ref; u32 max_sg_cnt; - - struct work_struct put_work; }; struct nvmet_fc_port_entry { @@ -250,12 +250,13 @@ static int nvmet_fc_tgt_a_get(struct nvmet_fc_tgt_assoc *assoc); static void nvmet_fc_tgt_q_put(struct nvmet_fc_tgt_queue *queue); static int nvmet_fc_tgt_q_get(struct nvmet_fc_tgt_queue *queue); static void nvmet_fc_tgtport_put(struct nvmet_fc_tgtport *tgtport); -static void nvmet_fc_put_tgtport_work(struct work_struct *work) +static void nvmet_fc_put_lsop_work(struct work_struct *work) { - struct nvmet_fc_tgtport *tgtport = - container_of(work, struct nvmet_fc_tgtport, put_work); + struct nvmet_fc_ls_req_op *lsop = + container_of(work, struct nvmet_fc_ls_req_op, put_work); - nvmet_fc_tgtport_put(tgtport); + nvmet_fc_tgtport_put(lsop->tgtport); + kfree(lsop); } static int nvmet_fc_tgtport_get(struct nvmet_fc_tgtport *tgtport); static void nvmet_fc_handle_fcp_rqst(struct nvmet_fc_tgtport *tgtport, @@ -382,7 +383,7 @@ __nvmet_fc_finish_ls_req(struct nvmet_fc_ls_req_op *lsop) DMA_BIDIRECTIONAL); out_putwork: - queue_work(nvmet_wq, &tgtport->put_work); + queue_work(nvmet_wq, &lsop->put_work); } static int @@ -403,6 +404,7 @@ __nvmet_fc_send_ls_req(struct nvmet_fc_tgtport *tgtport, lsreq->done = done; lsop->req_queued = false; INIT_LIST_HEAD(&lsop->lsreq_list); + INIT_WORK(&lsop->put_work, nvmet_fc_put_lsop_work); lsreq->rqstdma = fc_dma_map_single(tgtport->dev, lsreq->rqstaddr, lsreq->rqstlen + lsreq->rsplen, @@ -462,8 +464,6 @@ nvmet_fc_disconnect_assoc_done(struct nvmefc_ls_req *lsreq, int status) __nvmet_fc_finish_ls_req(lsop); /* fc-nvme target doesn't care about success or failure of cmd */ - - kfree(lsop); } /* @@ -1428,7 +1428,6 @@ nvmet_fc_register_targetport(struct nvmet_fc_port_info *pinfo, kref_init(&newrec->ref); ida_init(&newrec->assoc_cnt); newrec->max_sg_cnt = template->max_sgl_segments; - INIT_WORK(&newrec->put_work, nvmet_fc_put_tgtport_work); ret = nvmet_fc_alloc_ls_iodlist(newrec); if (ret) { -- 2.39.2

2 1

[PATCH OLK-6.6 0/2] CVE-2025-40198
by Yongjian Sun 20 Nov '25

20 Nov '25

Fedor Pchelkin (1): ext4: fix string copying in parse_apply_sb_mount_options() Theodore Ts'o (1): ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() fs/ext4/super.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) -- 2.39.2

2 3

[PATCH OLK-6.6 0/3] CVE-2025-40179
by Yongjian Sun 20 Nov '25

20 Nov '25

Jan Kara (2): ext4: verify orphan file size is not too big ext4: free orphan info with kvfree Liao Yuanhong (1): ext4: use kmalloc_array() for array space allocation fs/ext4/orphan.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) -- 2.39.2

2 4

[PATCH OLK-6.6 0/3] CVE-2025-40179
by Yongjian Sun 20 Nov '25

20 Nov '25

Jan Kara (2): ext4: verify orphan file size is not too big ext4: free orphan info with kvfree Liao Yuanhong (1): ext4: use kmalloc_array() for array space allocation fs/ext4/orphan.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) -- 2.39.2

1 0

[openeuler:OLK-6.6 3269/3269] htmldocs: Documentation/misc-devices/zcopy.rst:18: WARNING: Title underline too short.
by kernel test robot 20 Nov '25

20 Nov '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: dfb9bd9242c2350c127d51a126976ed386e9cc48 commit: 3a1e43e597d3d6f872dd786af8dad22947c8239a [3269/3269] zcopy: Add ZCOPY documentation reproduce: (https://download.01.org/0day-ci/archive/20251120/202511200347.5qevtABT-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202511200347.5qevtABT-lkp@intel.com/ All warnings (new ones prefixed by >>): WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 -function HID quirks ./include/linux/hid.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/i2c-atr.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 -internal ./include/linux/mutex.h' failed with return code 2 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 -function klp_patch -function klp_object -function klp_func -function klp_callbacks -function klp_state ./include/linux/livepatch.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/seqlock.h' failed with return code 1 >> Documentation/misc-devices/zcopy.rst:18: WARNING: Title underline too short. -- Key features ----------- [docutils] >> Documentation/misc-devices/zcopy.rst:18: WARNING: Title underline too short. -- WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/fprobe.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 -internal ./include/linux/mutex.h' failed with return code 2 Documentation/translations/zh_TW/dev-tools/index.rst:21: WARNING: toctree contains reference to nonexisting document 'translations/zh_TW/dev-tools/sparse' [toc.not_readable] WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/fwctl.h' failed with return code 1 Documentation/arch/x86/hygon-secure-virtualization.rst: WARNING: document isn't included in any toctree [toc.not_included] >> Documentation/misc-devices/zcopy.rst: WARNING: document isn't included in any toctree [toc.not_included] Documentation/mm/dynamic_hugetlb.rst: WARNING: document isn't included in any toctree [toc.not_included] Documentation/networking/device_drivers/ethernet/nebula-matrix/m18120.rst: WARNING: document isn't included in any toctree [toc.not_included] Documentation/networking/hinic3.rst: WARNING: document isn't included in any toctree [toc.not_included] Documentation/scsi/hisi_raid.rst: WARNING: document isn't included in any toctree [toc.not_included] Documentation/scsi/sssraid.rst: WARNING: document isn't included in any toctree [toc.not_included] -- Important constraints and requirements --------------------- [docutils] Documentation/misc-devices/zcopy.rst:61: ERROR: Unexpected indentation. [docutils] >> Documentation/misc-devices/zcopy.rst:58: WARNING: Inline emphasis start-string without end-string. [docutils] Documentation/misc-devices/zcopy.rst:61: WARNING: Inline emphasis start-string without end-string. [docutils] >> Documentation/misc-devices/zcopy.rst:64: WARNING: Block quote ends without a blank line; unexpected unindent. [docutils] WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/damon.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/highmem.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/highmem-internal.h' failed with return code 1 WARNING: kernel-doc './scripts/kernel-doc -rst -enable-lineno -sphinx-version 8.2.3 ./include/linux/migrate.h' failed with return code 1 Documentation/networking/device_drivers/ethernet/3snic/sssnic.rst:42: WARNING: Enumerated list ends without a blank line; unexpected unindent. [docutils] vim +18 Documentation/misc-devices/zcopy.rst 15 16 17 Key features > 18 ----------- 19 - Supports zero-copy communication between intra-node processes. 20 - Handles both PTE-level small pages and PMD-level huge pages. 21 - Preserves the read/write permissions of the source page in the target address space. 22 23 24 Important constraints and requirements 25 --------------------- 26 1. Callers must ensure the source address is already mapped to physical pages, 27 while the destination address is unused (no existing mappings). If exists 28 old mappings, the return value is -EAGAIN. For this case, caller should free 29 the old dst_addr, and alloc a new one to try again. 30 31 2. No internal locking is implemented in the PageAttach interface; Callers 32 must manage memory mapping and release order to avoid race conditions. 33 34 3. Source and destination must be different processes (not threads of the same process). 35 36 4. Only user-space addresses are supported; kernel addresses cannot be mapped. 37 38 5. Both source and destination processes must remain alive during the mapping operation. 39 40 6. PUD-level huge pages are not supported in current implementation. 41 42 7. The start address and size of both source and destination must be PMD-size-aligned. 43 44 8. Callers are responsible for ensuring safe access to mapped pages after attachment, 45 as permissions are inherited from the source. 46 47 48 Use 49 --- 50 Process a 51 src_addr= aligned_alloc(ALIGN_SIZE_2M, size); 52 memset(src_addr, 0, size); 53 54 Process b 55 #define ALIGN_SIZE_2M 2097152 56 int fd = open(SLS_DEVICE, O_RDWR); 57 > 58 dst_addr= aligned_alloc(ALIGN_SIZE_2M, size); 59 res = zcopy(fd, (void *)src_addr, dst_addr, src_pid, dst_pid, size); 60 while(res.ret == -EAGAIN && retry--) { 61 free(dst_addr); 62 dst_addr= aligned_alloc(ALIGN_SIZE_2M, size); 63 res = zcopy(fd, (void *)src_addr, dst_addr, src_pid, dst_pid, aligned_size); > 64 } -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/2] Fix CVE-2025-40123
by Tengda Wu 20 Nov '25

20 Nov '25

Fix CVE-2025-40123. Daniel Borkmann (2): bpf: Enforce expected_attach_type for tailcall compatibility selftests/bpf: Add test case for different expected_attach_type include/linux/bpf.h | 1 + kernel/bpf/core.c | 5 +++ .../bpf/prog_tests/xdp_devmap_attach.c | 31 ++++++++++++++++++- .../bpf/progs/test_xdp_devmap_tailcall.c | 29 +++++++++++++++++ 4 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/bpf/progs/test_xdp_devmap_tailcall.c -- 2.34.1

2 3

[PATCH OLK-5.10 0/2] Fix CVE-2025-40123
by Tengda Wu 20 Nov '25

20 Nov '25

Fix CVE-2025-40123. Daniel Borkmann (2): bpf: Enforce expected_attach_type for tailcall compatibility selftests/bpf: Add test case for different expected_attach_type include/linux/bpf.h | 1 + kernel/bpf/core.c | 5 ++ .../bpf/prog_tests/xdp_devmap_attach.c | 62 ++++++++++++++++++- .../bpf/progs/test_xdp_devmap_tailcall.c | 18 ++++++ .../selftests/bpf/progs/xdp_tailcall_devmap.c | 19 ++++++ 5 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/bpf/progs/test_xdp_devmap_tailcall.c create mode 100644 tools/testing/selftests/bpf/progs/xdp_tailcall_devmap.c -- 2.34.1

2 3