- Kernel - mailweb.openeuler.org

[openeuler:OLK-6.6 2976/2976] drivers/coda/coda.c:496:11: error: call to undeclared function 'dev_iommu_priv_get'; ISO C99 and later do not support implicit function declarations
by kernel test robot 17 Oct '25

17 Oct '25

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 65461ffb14372269f333f0e18867775c14741e76 commit: ad540a13eb8292fc92651b3bf281088a502a85f9 [2976/2976] virtcca feature: fix msi iova map config: arm64-randconfig-004-20251017 (https://download.01.org/0day-ci/archive/20251017/202510170815.7lnVu89P-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 754ebc6ebb9fb9fbee7aef33478c74ea74949853) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251017/202510170815.7lnVu89P-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510170815.7lnVu89P-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from drivers/coda/coda.c:5: In file included from include/linux/kvm_host.h:16: In file included from include/linux/mm.h:2243: include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ >> drivers/coda/coda.c:496:11: error: call to undeclared function 'dev_iommu_priv_get'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 496 | master = dev_iommu_priv_get(dev); | ^ drivers/coda/coda.c:496:11: note: did you mean 'dev_iommu_fwspec_get'? include/linux/iommu.h:1498:36: note: 'dev_iommu_fwspec_get' declared here 1498 | static inline struct iommu_fwspec *dev_iommu_fwspec_get(struct device *dev) | ^ >> drivers/coda/coda.c:496:9: error: incompatible integer to pointer conversion assigning to 'struct arm_smmu_master *' from 'int' [-Wint-conversion] 496 | master = dev_iommu_priv_get(dev); | ^ ~~~~~~~~~~~~~~~~~~~~~~~ drivers/coda/coda.c:478:5: warning: no previous prototype for function 'virtcca_secure_dev_operator' [-Wmissing-prototypes] 478 | int virtcca_secure_dev_operator(struct device *dev, void *domain) | ^ drivers/coda/coda.c:478:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 478 | int virtcca_secure_dev_operator(struct device *dev, void *domain) | ^ | static 2 warnings and 2 errors generated. -- In file included from drivers/coda/coda_vfio.c:5: In file included from include/linux/io-pgtable.h:6: In file included from include/linux/iommu.h:10: In file included from include/linux/scatterlist.h:8: In file included from include/linux/mm.h:2243: include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ >> drivers/coda/coda_vfio.c:171:12: error: call to undeclared function 'iommu_pgsize'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 171 | pgsize = iommu_pgsize(domain, iova, paddr, size, &count); | ^ >> drivers/coda/coda_vfio.c:192:21: error: incomplete definition of type 'const struct iommu_domain_ops' 192 | if (ret == 0 && ops->iotlb_sync_map) { | ~~~^ include/linux/iommu.h:39:8: note: forward declaration of 'struct iommu_domain_ops' 39 | struct iommu_domain_ops; | ^ drivers/coda/coda_vfio.c:193:12: error: incomplete definition of type 'const struct iommu_domain_ops' 193 | ret = ops->iotlb_sync_map(domain, iova, size); | ~~~^ include/linux/iommu.h:39:8: note: forward declaration of 'struct iommu_domain_ops' 39 | struct iommu_domain_ops; | ^ drivers/coda/coda_vfio.c:257:12: error: call to undeclared function 'iommu_pgsize'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 257 | pgsize = iommu_pgsize(domain, iova, iova, size - unmapped, &count); | ^ drivers/coda/coda_vfio.c:323:5: warning: no previous prototype for function 'virtcca_set_dev_msi_addr' [-Wmissing-prototypes] 323 | int virtcca_set_dev_msi_addr(struct device *dev, void *iova) | ^ drivers/coda/coda_vfio.c:323:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 323 | int virtcca_set_dev_msi_addr(struct device *dev, void *iova) | ^ | static 2 warnings and 4 errors generated. vim +/dev_iommu_priv_get +496 drivers/coda/coda.c 464 465 /** 466 * virtcca_secure_dev_operator - Implement security settings for corresponding devices 467 * targeting the secure smmu domain 468 * @domain: The handle of iommu_domain 469 * @dev: Secure device 470 * 471 * Returns: 472 * %0 if the domain does not need to enable secure or the domain 473 * successfully set up security features 474 * %-EINVAL if the smmu does not initialize secure state 475 * %-ENOMEM if the device create secure ste failed 476 * %-ENOENT if the device does not have fwspec 477 */ 478 int virtcca_secure_dev_operator(struct device *dev, void *domain) 479 { 480 int i, j; 481 int ret; 482 struct iommu_domain *iommu_domain = (struct iommu_domain *)domain; 483 struct iommu_fwspec *fwspec = NULL; 484 struct arm_smmu_device *smmu = NULL; 485 struct arm_smmu_domain *smmu_domain = NULL; 486 struct arm_smmu_master *master = NULL; 487 488 if (!is_virtcca_cvm_enable()) 489 return 0; 490 491 fwspec = dev_iommu_fwspec_get(dev); 492 if (!fwspec) 493 return -ENOENT; 494 495 smmu_domain = to_smmu_domain(iommu_domain); > 496 master = dev_iommu_priv_get(dev); 497 smmu = master->smmu; 498 499 if (!smmu && !virtcca_smmu_enable(smmu)) { 500 dev_err(smmu->dev, "CoDA: security smmu not initialized for the device\n"); 501 return -EINVAL; 502 } 503 504 ret = virtcca_enable_secure_dev(smmu_domain, master, dev); 505 if (ret) 506 return ret; 507 508 for (i = 0; i < master->num_streams; i++) { 509 u32 sid = master->streams[i].id; 510 /* Bridged PCI devices may end up with duplicated IDs */ 511 for (j = 0; j < i; j++) 512 if (master->streams[j].id == sid) 513 break; 514 if (j < i) 515 continue; 516 if (virtcca_secure_dev_ste_create(smmu, master, sid)) 517 return -ENOMEM; 518 } 519 520 dev_info(smmu->dev, "CoDA: attach confidential dev: %s", dev_name(dev)); 521 522 return ret; 523 } 524 EXPORT_SYMBOL_GPL(virtcca_secure_dev_operator); 525 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 2976/2976] mm/share_pool.c:1226:14: error: call to undeclared function 'huge_ptep_get'; ISO C99 and later do not support implicit function declarations
by kernel test robot 17 Oct '25

17 Oct '25

Hi Wang, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 65461ffb14372269f333f0e18867775c14741e76 commit: 549b1f40b56511536196f7522ffa4d7b3da42337 [2976/2976] mm/sharepool: Implement mg_sp_make_share_u2k() config: arm64-randconfig-004-20251017 (https://download.01.org/0day-ci/archive/20251017/202510170439.APHP7d94-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 754ebc6ebb9fb9fbee7aef33478c74ea74949853) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251017/202510170439.APHP7d94-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510170439.APHP7d94-lkp@intel.com/ All errors (new ones prefixed by >>): In file included from mm/share_pool.c:21: In file included from include/linux/share_pool.h:5: In file included from include/linux/mman.h:5: In file included from include/linux/mm.h:2174: include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ >> mm/share_pool.c:1226:14: error: call to undeclared function 'huge_ptep_get'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] 1226 | pte_t pte = huge_ptep_get(ptep); | ^ >> mm/share_pool.c:1226:8: error: initializing 'pte_t' with an expression of incompatible type 'int' 1226 | pte_t pte = huge_ptep_get(ptep); | ^ ~~~~~~~~~~~~~~~~~~~ 1 warning and 2 errors generated. vim +/huge_ptep_get +1226 mm/share_pool.c 1221 1222 static int sp_hugetlb_entry(pte_t *ptep, unsigned long hmask, 1223 unsigned long addr, unsigned long next, 1224 struct mm_walk *walk) 1225 { > 1226 pte_t pte = huge_ptep_get(ptep); 1227 struct page *page = pte_page(pte); 1228 struct sp_walk_data *sp_walk_data; 1229 1230 if (unlikely(!pte_present(pte))) { 1231 pr_debug("the page of addr %lx unexpectedly not in RAM\n", (unsigned long)addr); 1232 return -EFAULT; 1233 } 1234 1235 sp_walk_data = walk->private; 1236 get_page(page); 1237 sp_walk_data->pages[sp_walk_data->page_count++] = page; 1238 return 0; 1239 } 1240 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 2976/2976] ld: vgettimeofday.c:undefined reference to `__tsan_read4'
by kernel test robot 17 Oct '25

17 Oct '25

Hi Andrew, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 65461ffb14372269f333f0e18867775c14741e76 commit: f9b54a6714445cde83aeff0318cf767b3b81229d [2976/2976] arm64:ilp32: add ARM64_ILP32 to Kconfig config: arm64-randconfig-003-20251017 (https://download.01.org/0day-ci/archive/20251017/202510170226.DhWN6e8d-lkp@…) compiler: aarch64-linux-gcc (GCC) 15.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251017/202510170226.DhWN6e8d-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510170226.DhWN6e8d-lkp@intel.com/ All errors (new ones prefixed by >>): arch/arm64/kernel/vdso-ilp32/Makefile:84: FORCE prerequisite is missing arch/arm64/kernel/vdso-ilp32/Makefile:90: FORCE prerequisite is missing arch/arm64/kernel/vdso-ilp32/Makefile:87: FORCE prerequisite is missing cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated] cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated] cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated] cc1: warning: '-mabi=ilp32' is deprecated [-Wdeprecated] arch/arm64/kernel/vdso-ilp32/Makefile:68: FORCE prerequisite is missing ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `__cvdso_gettimeofday_data.constprop.0': vgettimeofday.c:(.text+0x28): undefined reference to `__tsan_volatile_read4' >> ld: vgettimeofday.c:(.text+0x40): undefined reference to `__tsan_read4' >> ld: vgettimeofday.c:(.text+0x6c): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x78): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x84): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x94): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0xa4): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0xb0): undefined reference to `__tsan_read8' >> ld: vgettimeofday.c:(.text+0xc0): undefined reference to `__tsan_volatile_read4' >> ld: vgettimeofday.c:(.text+0x118): undefined reference to `__tsan_write4' ld: vgettimeofday.c:(.text+0x124): undefined reference to `__tsan_write4' ld: vgettimeofday.c:(.text+0x17c): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0x188): undefined reference to `__tsan_write4' ld: vgettimeofday.c:(.text+0x194): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0x1a0): undefined reference to `__tsan_write4' ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `__cvdso_clock_gettime_data.constprop.0': vgettimeofday.c:(.text+0x24c): undefined reference to `__tsan_volatile_read4' ld: vgettimeofday.c:(.text+0x264): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0x298): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x2a8): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x2b8): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x2c4): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0x2d4): undefined reference to `__tsan_read4' ld: vgettimeofday.c:(.text+0x2e0): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x2f0): undefined reference to `__tsan_volatile_read4' >> ld: vgettimeofday.c:(.text+0x348): undefined reference to `__tsan_write8' ld: vgettimeofday.c:(.text+0x354): undefined reference to `__tsan_write8' ld: vgettimeofday.c:(.text+0x41c): undefined reference to `__tsan_volatile_read4' ld: vgettimeofday.c:(.text+0x430): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x43c): undefined reference to `__tsan_write8' ld: vgettimeofday.c:(.text+0x448): undefined reference to `__tsan_read8' ld: vgettimeofday.c:(.text+0x454): undefined reference to `__tsan_write8' ld: vgettimeofday.c:(.text+0x464): undefined reference to `__tsan_volatile_read4' ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `__kernel_clock_getres': vgettimeofday.c:(.text+0x584): undefined reference to `__tsan_write8' ld: vgettimeofday.c:(.text+0x590): undefined reference to `__tsan_write8' ld: vgettimeofday.c:(.text+0x5c0): undefined reference to `__tsan_volatile_read4' ld: arch/arm64/kernel/vdso-ilp32/vgettimeofday-ilp32.o: in function `_sub_I_00099_0': vgettimeofday.c:(.text.startup+0x8): undefined reference to `__tsan_init' collect2: error: ld returned 1 exit status make[3]: *** [arch/arm64/kernel/vdso-ilp32/Makefile:68: arch/arm64/kernel/vdso-ilp32/vdso-ilp32.so.dbg] Error 1 shuffle=3794859661 make[3]: Target 'include/generated/vdso-ilp32-offsets.h' not remade because of errors. make[2]: *** [arch/arm64/Makefile:201: vdso_prepare] Error 2 shuffle=3794859661 make[2]: Target 'prepare' not remade because of errors. make[1]: *** [Makefile:234: __sub-make] Error 2 shuffle=3794859661 make[1]: Target 'prepare' not remade because of errors. make: *** [Makefile:234: __sub-make] Error 2 shuffle=3794859661 make: Target 'prepare' not remade because of errors. -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 2976/2976] include/linux/virtcca_cvm_domain.h:69:51: warning: declaration of 'struct pci_dev' will not be visible outside of this function
by kernel test robot 17 Oct '25

17 Oct '25

Hi yxk, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 65461ffb14372269f333f0e18867775c14741e76 commit: c5161d7e11a7e30755b2ec55aaebfd500193cbbc [2976/2976] virtCCA supports SR-IOV in CoDA scenarios. config: x86_64-buildonly-randconfig-001-20251016 (https://download.01.org/0day-ci/archive/20251017/202510170107.BBlmteyz-lkp@…) compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251017/202510170107.BBlmteyz-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510170107.BBlmteyz-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from net/sunrpc/sched.c:24: >> include/linux/virtcca_cvm_domain.h:69:51: warning: declaration of 'struct pci_dev' will not be visible outside of this function [-Wvisibility] 69 | static inline int virtcca_add_coda_pci_dev(struct pci_dev *pdev) | ^ 1 warning generated. vim +69 include/linux/virtcca_cvm_domain.h 68 > 69 static inline int virtcca_add_coda_pci_dev(struct pci_dev *pdev) 70 { 71 return 0; 72 } 73 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-5.10 3233/3233] arch/x86/kvm/x86.c:8661:5: warning: no previous prototype for '__kvm_vcpu_halt'
by kernel test robot 16 Oct '25

16 Oct '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 55f16e7a2a3e273da30ccadd01b074c054ceb6fe commit: c499a3120204c834ff963c43d90a5ff33194b34c [3233/3233] KVM: SVM: Add support for booting APs in an SEV-ES guest config: x86_64-randconfig-161-20251016 (https://download.01.org/0day-ci/archive/20251016/202510161956.PnDe2iFY-lkp@…) compiler: gcc-14 (Debian 14.2.0-19) 14.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251016/202510161956.PnDe2iFY-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202510161956.PnDe2iFY-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/x86/kvm/x86.c:809:5: warning: no previous prototype for 'kvm_read_guest_page_mmu' [-Wmissing-prototypes] 809 | int kvm_read_guest_page_mmu(struct kvm_vcpu *vcpu, struct kvm_mmu *mmu, | ^~~~~~~~~~~~~~~~~~~~~~~ >> arch/x86/kvm/x86.c:8661:5: warning: no previous prototype for '__kvm_vcpu_halt' [-Wmissing-prototypes] 8661 | int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason) | ^~~~~~~~~~~~~~~ vim +/__kvm_vcpu_halt +8661 arch/x86/kvm/x86.c 8660 > 8661 int __kvm_vcpu_halt(struct kvm_vcpu *vcpu, int state, int reason) 8662 { 8663 ++vcpu->stat.halt_exits; 8664 if (lapic_in_kernel(vcpu)) { 8665 vcpu->arch.mp_state = state; 8666 return 1; 8667 } else { 8668 vcpu->run->exit_reason = reason; 8669 return 0; 8670 } 8671 } 8672 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
by Zicheng Qu 16 Oct '25

16 Oct '25

From: Oleg Nesterov <oleg(a)redhat.com> mainline inclusion from mainline-v6.18-rc1 commit a15f37a40145c986cdf289a4b88390f35efdecc4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ID25DZ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prlimit64() can race with mt-exec which changes ->group_leader. In this case do_prlimit() may take the wrong lock, or (worse) ->group_leader may change between task_lock() and task_unlock(). Change sys_prlimit64() to take tasklist_lock when necessary. This is not nice, but I don't see a better fix for -stable. Link: https://lkml.kernel.org/r/20250915120917.GA27702@redhat.com Fixes: 18c91bb2d872 ("prlimit: do not grab the tasklist_lock") Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- kernel/sys.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/kernel/sys.c b/kernel/sys.c index 355de0b65c23..47cb10a16b00 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1689,6 +1689,7 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, struct rlimit old, new; struct task_struct *tsk; unsigned int checkflags = 0; + bool need_tasklist; int ret; if (old_rlim) @@ -1715,8 +1716,25 @@ SYSCALL_DEFINE4(prlimit64, pid_t, pid, unsigned int, resource, get_task_struct(tsk); rcu_read_unlock(); - ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, - old_rlim ? &old : NULL); + need_tasklist = !same_thread_group(tsk, current); + if (need_tasklist) { + /* + * Ensure we can't race with group exit or de_thread(), + * so tsk->group_leader can't be freed or changed until + * read_unlock(tasklist_lock) below. + */ + read_lock(&tasklist_lock); + if (!pid_alive(tsk)) + ret = -ESRCH; + } + + if (!ret) { + ret = do_prlimit(tsk, resource, new_rlim ? &new : NULL, + old_rlim ? &old : NULL); + } + + if (need_tasklist) + read_unlock(&tasklist_lock); if (!ret && old_rlim) { rlim_to_rlim64(&old, &old64); -- 2.34.1

2 1

[PATCH OLK-6.6] Bluetooth: btrtl: Prevent potential NULL dereference
by Xiaomeng Zhang 16 Oct '25

16 Oct '25

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v6.6.88 commit 3db6605043b50c8bb768547b23e0222f67ceef3e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BMX CVE: CVE-2025-37792 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ] The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/bluetooth/btrtl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index 1e7c1f9db9e4..7f67e460f7f4 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -1194,6 +1194,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, rtl_dev_err(hdev, "mandatory config file %s not found", btrtl_dev->ic_info->cfg_name); ret = btrtl_dev->cfg_len; + if (!ret) + ret = -EINVAL; goto err_free; } } -- 2.34.1

2 1

[PATCH OLK-5.10] Bluetooth: btrtl: Prevent potential NULL dereference
by Xiaomeng Zhang 16 Oct '25

16 Oct '25

From: Dan Carpenter <dan.carpenter(a)linaro.org> stable inclusion from stable-v5.10.237 commit 73dc99c0ea94abd22379b2d82cacbc73f3e18ec1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BMX CVE: CVE-2025-37792 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ] The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com> --- drivers/bluetooth/btrtl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c index 3a9afc905f24..77de43d8d796 100644 --- a/drivers/bluetooth/btrtl.c +++ b/drivers/bluetooth/btrtl.c @@ -625,6 +625,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev, rtl_dev_err(hdev, "mandatory config file %s not found", btrtl_dev->ic_info->cfg_name); ret = btrtl_dev->cfg_len; + if (!ret) + ret = -EINVAL; goto err_free; } } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] scsi: qla4xxx: Add length check when parsing nlattrs
by Pu Lehui 16 Oct '25

16 Oct '25

From: Lin Ma <linma(a)zju.edu.cn> stable inclusion from stable-v4.19.295 commit 5925e224cc6edfef57b20447f18323208461309b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0REH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 47cd3770e31df942e2bb925a9a855c79ed0662eb ] There are three places that qla4xxx parses nlattrs: - qla4xxx_set_chap_entry() - qla4xxx_iface_set_param() - qla4xxx_sysfs_ddb_set_param() and each of them directly converts the nlattr to specific pointer of structure without length checking. This could be dangerous as those attributes are not validated and a malformed nlattr (e.g., length 0) could result in an OOB read that leaks heap dirty data. Add the nla_len check before accessing the nlattr data and return EINVAL if the length check fails. Fixes: 26ffd7b45fe9 ("[SCSI] qla4xxx: Add support to set CHAP entries") Fixes: 1e9e2be3ee03 ("[SCSI] qla4xxx: Add flash node mgmt support") Fixes: 00c31889f751 ("[SCSI] qla4xxx: fix data alignment and use nl helpers") Signed-off-by: Lin Ma <linma(a)zju.edu.cn> Link: https://lore.kernel.org/r/20230723080053.3714534-1-linma@zju.edu.cn Reviewed-by: Chris Leech <cleech(a)redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/scsi/qla4xxx/ql4_os.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c index f8acf101af3d..8d42f20ba7e5 100644 --- a/drivers/scsi/qla4xxx/ql4_os.c +++ b/drivers/scsi/qla4xxx/ql4_os.c @@ -940,6 +940,11 @@ static int qla4xxx_set_chap_entry(struct Scsi_Host *shost, void *data, int len) memset(&chap_rec, 0, sizeof(chap_rec)); nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*param_info)) { + rc = -EINVAL; + goto exit_set_chap; + } + param_info = nla_data(attr); switch (param_info->param) { @@ -2724,6 +2729,11 @@ qla4xxx_iface_set_param(struct Scsi_Host *shost, void *data, uint32_t len) } nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*iface_param)) { + rval = -EINVAL; + goto exit_init_fw_cb; + } + iface_param = nla_data(attr); if (iface_param->param_type == ISCSI_NET_PARAM) { @@ -8098,6 +8108,11 @@ qla4xxx_sysfs_ddb_set_param(struct iscsi_bus_flash_session *fnode_sess, memset((void *)&chap_tbl, 0, sizeof(chap_tbl)); nla_for_each_attr(attr, data, len, rem) { + if (nla_len(attr) < sizeof(*fnode_param)) { + rc = -EINVAL; + goto exit_set_param; + } + fnode_param = nla_data(attr); switch (fnode_param->param) { -- 2.34.1

2 1

[PATCH OLK-5.10] scsi: target: target_core_configfs: Add length check to avoid buffer overflow
by Li Lingfeng 16 Oct '25

16 Oct '25

From: Wang Haoran <haoranwangsec(a)gmail.com> mainline inclusion from mainline-v6.18-rc1 commit 27e06650a5eafe832a90fd2604f0c5e920857fae category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID22Q7 CVE: CVE-2025-39998 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec(a)gmail.com> Reported-by: ziiiro <yuanmingbuaa(a)gmail.com> Signed-off-by: Wang Haoran <haoranwangsec(a)gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/target/target_core_configfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c index 4d2fbe1429b6..e6996428c07d 100644 --- a/drivers/target/target_core_configfs.c +++ b/drivers/target/target_core_configfs.c @@ -2637,7 +2637,7 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page) config_item_name(&dev->dev_group.cg_item)); cur_len++; /* Extra byte for NULL terminator */ - if ((cur_len + len) > PAGE_SIZE) { + if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) { pr_warn("Ran out of lu_gp_show_attr" "_members buffer\n"); break; -- 2.46.1

2 1