- Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 1525/1525] drivers/char/svm.c:366:43: sparse: sparse: incorrect type in argument 1 (different address spaces)
by kernel test robot 28 Mar '25

28 Mar '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 4d1e247486ffeef035a5a55a97f2659f68177357 commit: 51d0e1a742714b2599d54fd92a71bd2998b01084 [1525/1525] support multiple node for getting phys interface config: arm64-randconfig-r112-20250328 (https://download.01.org/0day-ci/archive/20250328/202503281546.GkxeQtL3-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.2.0 reproduce: (https://download.01.org/0day-ci/archive/20250328/202503281546.GkxeQtL3-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202503281546.GkxeQtL3-lkp@intel.com/ sparse warnings: (new ones prefixed by >>) drivers/char/svm.c:248:20: sparse: sparse: symbol 'svm_find_mem_reg_node' was not declared. Should it be static? drivers/char/svm.c:325:14: sparse: sparse: incorrect type in assignment (different address spaces) @@ expected struct svm_va2pa_slot *slot @@ got void [noderef] __iomem * @@ drivers/char/svm.c:325:14: sparse: expected struct svm_va2pa_slot *slot drivers/char/svm.c:325:14: sparse: got void [noderef] __iomem * >> drivers/char/svm.c:366:43: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected void volatile [noderef] __iomem *addr @@ got struct svm_va2pa_slot *slots @@ drivers/char/svm.c:366:43: sparse: expected void volatile [noderef] __iomem *addr drivers/char/svm.c:366:43: sparse: got struct svm_va2pa_slot *slots drivers/char/svm.c:449:6: sparse: sparse: symbol 'sysrq_sched_debug_show_export' was not declared. Should it be static? drivers/char/svm.c:1272:35: sparse: sparse: Using plain integer as NULL pointer drivers/char/svm.c:248:21: warning: no previous prototype for 'svm_find_mem_reg_node' [-Wmissing-prototypes] 248 | struct device_node *svm_find_mem_reg_node(struct device *dev, const char *compat) | ^~~~~~~~~~~~~~~~~~~~~ drivers/char/svm.c:449:6: warning: no previous prototype for 'sysrq_sched_debug_show_export' [-Wmissing-prototypes] 449 | void sysrq_sched_debug_show_export(void) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/svm.c:1476:5: warning: no previous prototype for 'svm_get_pasid' [-Wmissing-prototypes] 1476 | int svm_get_pasid(pid_t vpid, int dev_id __maybe_unused) | ^~~~~~~~~~~~~ drivers/char/svm.c:2269:36: warning: 'svm_acpi_match' defined but not used [-Wunused-const-variable=] 2269 | static const struct acpi_device_id svm_acpi_match[] = { | ^~~~~~~~~~~~~~ In file included from arch/arm64/include/asm/atomic.h:34, from include/linux/atomic.h:7, from include/asm-generic/bitops/atomic.h:5, from arch/arm64/include/asm/bitops.h:37, from include/linux/bitops.h:19, from include/linux/kernel.h:11, from include/asm-generic/bug.h:18, from arch/arm64/include/asm/bug.h:37, from arch/arm64/include/asm/memory.h:27, from arch/arm64/include/asm/esr.h:21, from drivers/char/svm.c:10: In function '__cmpxchg_case_mb_4', inlined from '__cmpxchg_mb' at arch/arm64/include/asm/cmpxchg.h:143:1, inlined from 'svm_proc_load_flag' at drivers/char/svm.c:1805:12: arch/arm64/include/asm/atomic_lse.h:492:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'atomic_t[1]' [-Warray-bounds=] 492 | asm volatile( 39- | ^~~ arch/arm64/include/asm/atomic_lse.h:523:1: note: in expansion of macro '__CMPXCHG_CASE' 523 | __CMPXCHG_CASE(w, , mb_4, al, "memory") | ^~~~~~~~~~~~~~ drivers/char/svm.c: In function 'svm_proc_load_flag': drivers/char/svm.c:1796:25: note: object 'l2buf_load_flag' of size 4 1796 | static atomic_t l2buf_load_flag = ATOMIC_INIT(0); | ^~~~~~~~~~~~~~~ In function '__cmpxchg_case_mb_4', inlined from '__cmpxchg_mb' at arch/arm64/include/asm/cmpxchg.h:143:1, inlined from 'svm_proc_load_flag' at drivers/char/svm.c:1805:12: arch/arm64/include/asm/atomic_lse.h:492:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'atomic_t[1]' [-Warray-bounds=] 492 | asm volatile( 52- | ^~~ arch/arm64/include/asm/atomic_lse.h:523:1: note: in expansion of macro '__CMPXCHG_CASE' 523 | __CMPXCHG_CASE(w, , mb_4, al, "memory") | ^~~~~~~~~~~~~~ drivers/char/svm.c: In function 'svm_proc_load_flag': drivers/char/svm.c:1796:25: note: object 'l2buf_load_flag' of size 4 1796 | static atomic_t l2buf_load_flag = ATOMIC_INIT(0); | ^~~~~~~~~~~~~~~ vim +366 drivers/char/svm.c 357 358 static void svm_remove_trunk(struct device *dev) 359 { 360 int count; 361 362 for (count = 0; count < SVM_VA2PA_TRUNK_COUNT_MAX; count++) { 363 if (!va2pa_trunk[count].base) 364 break; 365 > 366 iounmap(va2pa_trunk[count].slots); 367 kvfree(va2pa_trunk[count].bitmap); 368 va2pa_trunk[count].slots = NULL; 369 va2pa_trunk[count].bitmap = NULL; 370 } 371 } 372 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10 V1] list: fix a data-race around ep->rdllist
by Zicheng Qu 28 Mar '25

28 Mar '25

From: Kuniyuki Iwashima <kuniyu(a)amazon.co.jp> stable inclusion from stable-v5.15.46 commit 5d5d993f16be15d124be7b8ec71b28ef7b7dc3af category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP6RN CVE: CVE-2022-49443 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm… -------------------------------- [ Upstream commit d679ae94fdd5d3ab00c35078f5af5f37e068b03d ] ep_poll() first calls ep_events_available() with no lock held and checks if ep->rdllist is empty by list_empty_careful(), which reads rdllist->prev. Thus all accesses to it need some protection to avoid store/load-tearing. Note INIT_LIST_HEAD_RCU() already has the annotation for both prev and next. Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.") added the first lockless ep_events_available(), and commit c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") made some ep_events_available() calls lockless and added single call under a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") made the last ep_events_available() lockless. BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0: INIT_LIST_HEAD include/linux/list.h:38 [inline] list_splice_init include/linux/list.h:492 [inline] ep_start_scan fs/eventpoll.c:622 [inline] ep_send_events fs/eventpoll.c:1656 [inline] ep_poll fs/eventpoll.c:1806 [inline] do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234 do_epoll_pwait fs/eventpoll.c:2268 [inline] __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline] __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275 __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1: list_empty_careful include/linux/list.h:329 [inline] ep_events_available fs/eventpoll.c:381 [inline] ep_poll fs/eventpoll.c:1797 [inline] do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234 do_epoll_pwait fs/eventpoll.c:2268 [inline] __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline] __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275 __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0xffff88810480c7d0 -> 0xffff888103c15098 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Link: https://lkml.kernel.org/r/20220322002653.33865-3-kuniyu@amazon.co.jp Fixes: e59d3c64cba6 ("epoll: eliminate unnecessary lock for zero timeout") Fixes: c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()") Fixes: bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket fds.") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.co.jp> Reported-by: syzbot+bdd6e38a1ed5ee58d8bd(a)syzkaller.appspotmail.com Cc: Al Viro <viro(a)zeniv.linux.org.uk>, Andrew Morton <akpm(a)linux-foundation.org> Cc: Kuniyuki Iwashima <kuniyu(a)amazon.co.jp> Cc: Kuniyuki Iwashima <kuni1840(a)gmail.com> Cc: "Soheil Hassas Yeganeh" <soheil(a)google.com> Cc: Davidlohr Bueso <dave(a)stgolabs.net> Cc: "Sridhar Samudrala" <sridhar.samudrala(a)intel.com> Cc: Alexander Duyck <alexander.h.duyck(a)intel.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: include/linux/list.h [This patch lacks the prerequisite patch for the list_is_head(). Therefore, only keep the current version of "next == head" as is and only modify the READ_ONCE() additions introduced by this patch.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- include/linux/list.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/linux/list.h b/include/linux/list.h index fa9f691f2553..aab9705902ed 100644 --- a/include/linux/list.h +++ b/include/linux/list.h @@ -33,7 +33,7 @@ static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); - list->prev = list; + WRITE_ONCE(list->prev, list); } #ifdef CONFIG_DEBUG_LIST @@ -296,7 +296,7 @@ static inline int list_empty(const struct list_head *head) static inline void list_del_init_careful(struct list_head *entry) { __list_del_entry(entry); - entry->prev = entry; + WRITE_ONCE(entry->prev, entry); smp_store_release(&entry->next, entry); } @@ -316,7 +316,7 @@ static inline void list_del_init_careful(struct list_head *entry) static inline int list_empty_careful(const struct list_head *head) { struct list_head *next = smp_load_acquire(&head->next); - return (next == head) && (next == head->prev); + return (next == head) && (next == READ_ONCE(head->prev)); } /** -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS V1] drm: msm: fix possible memory leak in mdp5_crtc_cursor_set()
by Zicheng Qu 28 Mar '25

28 Mar '25

From: Hangyu Hua <hbh25y(a)gmail.com> stable inclusion from stable-v4.19.247 commit f8cd192752a1f613b14eee77783c6f0aebb49691 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP1JW CVE: CVE-2022-49467 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 947a844bb3ebff0f4736d244d792ce129f6700d7 ] drm_gem_object_lookup will call drm_gem_object_get inside. So cursor_bo needs to be put when msm_gem_get_and_pin_iova fails. Fixes: e172d10a9c4a ("drm/msm/mdp5: Add hardware cursor support") Signed-off-by: Hangyu Hua <hbh25y(a)gmail.com> Link: https://lore.kernel.org/r/20220509061125.18585-1-hbh25y@gmail.com Signed-off-by: Rob Clark <robdclark(a)chromium.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c index b1da9ce54379..11d0e810b409 100644 --- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c +++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c @@ -905,8 +905,10 @@ static int mdp5_crtc_cursor_set(struct drm_crtc *crtc, ret = msm_gem_get_iova(cursor_bo, kms->aspace, &mdp5_crtc->cursor.iova); - if (ret) + if (ret) { + drm_gem_object_put(cursor_bo); return -EINVAL; + } pm_runtime_get_sync(&pdev->dev); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS V1] regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
by Zicheng Qu 28 Mar '25

28 Mar '25

From: Miaoqian Lin <linmq006(a)gmail.com> stable inclusion from stable-v4.19.247 commit 984cfef0675ed7398814e14af2c5323911723e1c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP43Y CVE: CVE-2022-49481 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit afaa7b933ef00a2d3262f4d1252087613fb5c06d ] of_node_get() returns a node with refcount incremented. Calling of_node_put() to drop the reference when not needed anymore. Fixes: 3784b6d64dc5 ("regulator: pfuze100: add pfuze100 regulator driver") Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Link: https://lore.kernel.org/r/20220511113506.45185-1-linmq006@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- drivers/regulator/pfuze100-regulator.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c index 69a377ab2604..3248c194624f 100644 --- a/drivers/regulator/pfuze100-regulator.c +++ b/drivers/regulator/pfuze100-regulator.c @@ -495,6 +495,7 @@ static int pfuze_parse_regulators_dt(struct pfuze_chip *chip) parent = of_get_child_by_name(np, "regulators"); if (!parent) { dev_err(dev, "regulators node not found\n"); + of_node_put(np); return -EINVAL; } @@ -524,6 +525,7 @@ static int pfuze_parse_regulators_dt(struct pfuze_chip *chip) } of_node_put(parent); + of_node_put(np); if (ret < 0) { dev_err(dev, "Error parsing regulator init data: %d\n", ret); -- 2.34.1

2 1

[PATCH OLK-5.10 V1] sched/fair: Optimize the dynamic smt
by Cheng Yu 28 Mar '25

28 Mar '25

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IBWWUI CVE: NA -------------------------------- The optimizations are as follows: 1. A more reasonable algorithm for obtaining load values; 2. Limit the maximum value of sysctl_sched_util_ratio to 100; 3. If the value of sysctl_sched_util_ratio is 100, the other smt of the core will not be used. Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- arch/arm64/Kconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 - init/Kconfig | 7 +++++++ kernel/sched/fair.c | 7 +++++-- kernel/sysctl.c | 1 + 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 2591707024d4..93ced97f8c6c 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -78,6 +78,7 @@ config ARM64 select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_INT128 if CC_HAS_INT128 && (GCC_VERSION >= 50000 || CC_IS_CLANG) select ARCH_SUPPORTS_NUMA_BALANCING + select ARCH_SUPPORTS_SCHED_KEEP_ON_CORE select ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH select ARCH_WANT_COMPAT_IPC_PARSE_VERSION if COMPAT select ARCH_WANT_DEFAULT_BPF_JIT diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 20bd8ac25791..e008e119e7a4 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -194,7 +194,6 @@ CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_SCHED_STEAL=y -# CONFIG_SCHED_KEEP_ON_CORE is not set CONFIG_CHECKPOINT_RESTORE=y CONFIG_SCHED_AUTOGROUP=y # CONFIG_SYSFS_DEPRECATED is not set diff --git a/init/Kconfig b/init/Kconfig index be284bca406c..3a6a14e66acd 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1370,8 +1370,15 @@ config SCHED_STEAL If unsure, say N here. +# +# For architectures that want to enable the support for SCHED_KEEP_ON_CORE +# +config ARCH_SUPPORTS_SCHED_KEEP_ON_CORE + bool + config SCHED_KEEP_ON_CORE bool "Prefer physical cores when migrating tasks" + depends on ARCH_SUPPORTS_SCHED_KEEP_ON_CORE depends on SCHED_SMT default n help diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index a518d636f07f..5fc8d6a25b9a 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -7330,13 +7330,16 @@ static int select_idle_core(struct task_struct *p, int core, struct cpumask *cpu #ifdef CONFIG_SCHED_KEEP_ON_CORE int sysctl_sched_util_ratio = 100; -static int core_has_spare(int cpu) +static bool core_has_spare(int cpu) { int core_id = cpumask_first(cpu_smt_mask(cpu)); struct rq *rq = cpu_rq(core_id); - unsigned long util = rq->cfs.avg.util_avg; + unsigned long util = cpu_util(cpu); unsigned long capacity = rq->cpu_capacity; + if (sysctl_sched_util_ratio == 100) + return true; + return util * 100 < capacity * sysctl_sched_util_ratio; } #endif diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 0d4d83da4b30..b4b36f8a3149 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2828,6 +2828,7 @@ static struct ctl_table kern_table[] = { .mode = 0644, .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, + .extra2 = &one_hundred, }, #endif #ifdef CONFIG_SCHED_STEAL -- 2.25.1

2 1

[PATCH OLK-5.10] arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
by Wupeng Ma 28 Mar '25

28 Mar '25

From: Radu Rendec <rrendec(a)redhat.com> stable inclusion from stable-v5.10.235 commit e4fde33107351ec33f1a64188612fbc6ca659284 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBPC4K CVE: CVE-2025-21785 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ] The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information") Signed-off-by: Radu Rendec <rrendec(a)redhat.com> Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- arch/arm64/kernel/cacheinfo.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c index 97c42be71338..1510f457b615 100644 --- a/arch/arm64/kernel/cacheinfo.c +++ b/arch/arm64/kernel/cacheinfo.c @@ -87,16 +87,18 @@ int populate_cache_leaves(unsigned int cpu) unsigned int level, idx; enum cache_type type; struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); - struct cacheinfo *this_leaf = this_cpu_ci->info_list; + struct cacheinfo *infos = this_cpu_ci->info_list; for (idx = 0, level = 1; level <= this_cpu_ci->num_levels && - idx < this_cpu_ci->num_leaves; idx++, level++) { + idx < this_cpu_ci->num_leaves; level++) { type = get_cache_type(level); if (type == CACHE_TYPE_SEPARATE) { - ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); - ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); + if (idx + 1 >= this_cpu_ci->num_leaves) + break; + ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level); + ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level); } else { - ci_leaf_init(this_leaf++, type, level); + ci_leaf_init(&infos[idx++], type, level); } } return 0; -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
by Wupeng Ma 28 Mar '25

28 Mar '25

From: Radu Rendec <rrendec(a)redhat.com> stable inclusion from stable-v5.10.235 commit e4fde33107351ec33f1a64188612fbc6ca659284 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPC4K CVE: CVE-2025-21785 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ] The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information") Signed-off-by: Radu Rendec <rrendec(a)redhat.com> Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- arch/arm64/kernel/cacheinfo.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c index 0c0cd4d26b87..80a4ab1c43fd 100644 --- a/arch/arm64/kernel/cacheinfo.c +++ b/arch/arm64/kernel/cacheinfo.c @@ -96,16 +96,18 @@ static int __populate_cache_leaves(unsigned int cpu) unsigned int level, idx; enum cache_type type; struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu); - struct cacheinfo *this_leaf = this_cpu_ci->info_list; + struct cacheinfo *infos = this_cpu_ci->info_list; for (idx = 0, level = 1; level <= this_cpu_ci->num_levels && - idx < this_cpu_ci->num_leaves; idx++, level++) { + idx < this_cpu_ci->num_leaves; level++) { type = get_cache_type(level); if (type == CACHE_TYPE_SEPARATE) { - ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level); - ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level); + if (idx + 1 >= this_cpu_ci->num_leaves) + break; + ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level); + ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level); } else { - ci_leaf_init(this_leaf++, type, level); + ci_leaf_init(&infos[idx++], type, level); } } return 0; -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] PM / devfreq: rk3399_dmc: Disable edev on remove()
by Wupeng Ma 28 Mar '25

28 Mar '25

From: Brian Norris <briannorris(a)chromium.org> stable inclusion from stable-v4.19.247 commit 664736e2cc09e504ce58ec61164d029d1f2651bb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP6Y5 CVE: CVE-2022-49460 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 2fccf9e6050e0e3b8b4cd275d41daf7f7fa22804 ] Otherwise we hit an unablanced enable-count when unbinding the DFI device: [ 1279.659119] ------------[ cut here ]------------ [ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/devfreq/devfreq-event.c:360 devfreq_event_remove_edev+0x84/0x8c ... [ 1279.659352] Hardware name: Google Kevin (DT) [ 1279.659363] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO BTYPE=--) [ 1279.659371] pc : devfreq_event_remove_edev+0x84/0x8c [ 1279.659380] lr : devm_devfreq_event_release+0x1c/0x28 ... [ 1279.659571] Call trace: [ 1279.659582] devfreq_event_remove_edev+0x84/0x8c [ 1279.659590] devm_devfreq_event_release+0x1c/0x28 [ 1279.659602] release_nodes+0x1cc/0x244 [ 1279.659611] devres_release_all+0x44/0x60 [ 1279.659621] device_release_driver_internal+0x11c/0x1ac [ 1279.659629] device_driver_detach+0x20/0x2c [ 1279.659641] unbind_store+0x7c/0xb0 [ 1279.659650] drv_attr_store+0x2c/0x40 [ 1279.659663] sysfs_kf_write+0x44/0x58 [ 1279.659672] kernfs_fop_write_iter+0xf4/0x190 [ 1279.659684] vfs_write+0x2b0/0x2e4 [ 1279.659693] ksys_write+0x80/0xec [ 1279.659701] __arm64_sys_write+0x24/0x30 [ 1279.659714] el0_svc_common+0xf0/0x1d8 [ 1279.659724] do_el0_svc_compat+0x28/0x3c [ 1279.659738] el0_svc_compat+0x10/0x1c [ 1279.659746] el0_sync_compat_handler+0xa8/0xcc [ 1279.659758] el0_sync_compat+0x188/0x1c0 [ 1279.659768] ---[ end trace cec200e5094155b4 ]--- Signed-off-by: Brian Norris <briannorris(a)chromium.org> Signed-off-by: Chanwoo Choi <cw00.choi(a)samsung.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wupeng Ma <mawupeng1(a)huawei.com> --- drivers/devfreq/rk3399_dmc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/devfreq/rk3399_dmc.c b/drivers/devfreq/rk3399_dmc.c index e795ad2b3f6b..eefda6edc89c 100644 --- a/drivers/devfreq/rk3399_dmc.c +++ b/drivers/devfreq/rk3399_dmc.c @@ -411,6 +411,8 @@ static int rk3399_dmcfreq_remove(struct platform_device *pdev) { struct rk3399_dmcfreq *dmcfreq = dev_get_drvdata(&pdev->dev); + devfreq_event_disable_edev(dmcfreq->edev); + /* * Before remove the opp table we need to unregister the opp notifier. */ -- 2.43.0

2 1

[PATCH OLK-6.6] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
by Yifan Qiao 28 Mar '25

28 Mar '25

From: Vasiliy Kovalev <kovalev(a)altlinux.org> mainline inclusion from mainline-v6.14-rc5 commit c84e125fff2615b4d9c259e762596134eddd2f27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVT6 CVE: CVE-2025-21887 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up") Reported-by: syzbot+316db8a1191938280eb6(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6 Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> Link: https://lore.kernel.org/r/20250214215148.761147-1-kovalev@altlinux.org Reviewed-by: Amir Goldstein <amir73il(a)gmail.com> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/overlayfs/copy_up.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 18e018cb1811..dbf7b3cd70ca 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -570,7 +570,6 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c) err = PTR_ERR(upper); if (!IS_ERR(upper)) { err = ovl_do_link(ofs, ovl_dentry_upper(c->dentry), udir, upper); - dput(upper); if (!err) { /* Restore timestamps on parent (best effort) */ @@ -578,6 +577,7 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c) ovl_dentry_set_upper_alias(c->dentry); ovl_dentry_update_reval(c->dentry, upper); } + dput(upper); } inode_unlock(udir); if (err) -- 2.39.2

2 1

[PATCH OLK-5.10] ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
by Yifan Qiao 28 Mar '25

28 Mar '25

From: Vasiliy Kovalev <kovalev(a)altlinux.org> mainline inclusion from mainline-v6.14-rc5 commit c84e125fff2615b4d9c259e762596134eddd2f27 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBWVT6 CVE: CVE-2025-21887 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK> Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up") Reported-by: syzbot+316db8a1191938280eb6(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6 Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> Link: https://lore.kernel.org/r/20250214215148.761147-1-kovalev@altlinux.org Reviewed-by: Amir Goldstein <amir73il(a)gmail.com> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/overlayfs/copy_up.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 65ac504595ba..a1ec45fc77d8 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -469,7 +469,6 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c) err = PTR_ERR(upper); if (!IS_ERR(upper)) { err = ovl_do_link(ovl_dentry_upper(c->dentry), udir, upper); - dput(upper); if (!err) { /* Restore timestamps on parent (best effort) */ @@ -477,6 +476,7 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c) ovl_dentry_set_upper_alias(c->dentry); ovl_dentry_update_reval(c->dentry, upper); } + dput(upper); } inode_unlock(udir); if (err) -- 2.39.2

2 1