- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
by Jiacheng Yu 02 Jun '26

02 Jun '26

From: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> mainline inclusion from mainline-v7.1-rc1 commit 2fc87d37be1b730a149b035f9375fdb8cc5333a5 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15257 CVE: CVE-2026-46006 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. Cc: Lyude Paul <lyude(a)redhat.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: David Airlie <airlied(a)gmail.com> Cc: Simona Vetter <simona(a)ffwll.ch> Reported-by: Anthropic Cc: stable <stable(a)kernel.org> Assisted-by: gkh_clanker_t1000 Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16") Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ Add Fixes: tag. - Danilo ] Signed-off-by: Danilo Krummrich <dakr(a)kernel.org> Conflicts: drivers/gpu/drm/nouveau/nouveau_gem.c [Contest conflicts.] Signed-off-by: Jiacheng Yu <yujiacheng3(a)huawei.com> --- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index b56524d343c3..177d53a44910 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -633,7 +633,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli, } nvbo = (void *)(unsigned long)bo[r->reloc_bo_index].user_priv; - if (unlikely(r->reloc_bo_offset + 4 > + if (unlikely((u64)r->reloc_bo_offset + 4 > nvbo->bo.mem.num_pages << PAGE_SHIFT)) { NV_PRINTK(err, cli, "reloc outside of bo\n"); ret = -EINVAL; -- 2.34.1

2 1

[PATCH OLK-6.6 00/34] perf arm-spe: Extend branch operations
by Yushan Wang 02 Jun '26

02 Jun '26

From: Ying Jiang <jiangying44(a)h-partners.com> In Arm ARM (ARM DDI 0487, L.a), the section "D18.2.7 Operation Type packet", the branch subclass is extended for Call Return (CR), Guarded control stack data access (GCS). This commit adds support CR and GCS operations. The IND (indirect) operation is defined only in bit [1], its macro is updated accordingly. Move the COND (Conditional) macro into the same group with other operations for better maintenance. Anshuman Khandual (9): arm64: Handle BRBE booting requirements arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 arm64/sysreg: Add register fields for HDFGRTR2_EL2 arm64/sysreg: Add register fields for HDFGWTR2_EL2 arm64/sysreg: Add register fields for HFGITR2_EL2 arm64/sysreg: Add register fields for HFGRTR2_EL2 arm64/sysreg: Add register fields for HFGWTR2_EL2 arm64/sysreg: Update ID_DFR0_EL1 register fields arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9 Dave Martin (1): arm64: el2_setup.h: Rename some labels to be more diff-friendly James Clark (12): perf: arm_spe: Add format option for discard mode arm64: sysreg: Add new PMSFCR_EL1 fields and PMSDSFR_EL1 register perf: arm_spe: Support FEAT_SPEv1p4 filters perf: arm_spe: Add support for FEAT_SPE_EFT extended filtering arm64/boot: Factor out a macro to check SPE version arm64/boot: Enable EL2 requirements for SPE_FEAT_FDS KVM: arm64: Add trap configs for PMSDSFR_EL1 perf: Add perf_event_attr::config4 perf: arm_spe: Add support for filtering on data source tools headers UAPI: Sync linux/perf_event.h with the kernel sources perf tools: Add support for perf_event_attr::config4 perf docs: arm-spe: Document new SPE filtering features Leo Yan (1): perf: arm_spe: Expose event filter Marc Zyngier (5): KVM: arm64: Shave a few bytes from the EL2 idmap code arm64/sysreg: Allow a 'Mapping' descriptor for system registers arm64: sysreg: Add registers trapped by HDFG{R,W}TR2_EL2 KVM: arm64: nv: Add include containing the VNCR_EL2 offsets arm64: sysreg: Update PMSIDR_EL1 description Rob Herring (Arm) (5): arm64: el2_setup.h: Make __init_el2_fgt labels consistent, again perf/arm_pmuv3: Add PMUv3.9 per counter EL0 access control perf: arm_pmu: Use of_property_present() perf: arm_pmu: Remove event index to counter remapping ARM: pmuv3: Add missing write_pmuacr() Yushan Wang (1): Revert "arm64/boot: Enable EL2 requirements for BRBE" Documentation/arch/arm64/booting.rst | 75 +++- arch/arm/include/asm/arm_pmuv3.h | 2 + arch/arm64/include/asm/el2_setup.h | 130 +++--- arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/sysreg.h | 19 +- arch/arm64/include/asm/vncr_mapping.h | 105 +++++ arch/arm64/kernel/asm-offsets.c | 1 + arch/arm64/kvm/emulate-nested.c | 1 + arch/arm64/kvm/hyp/nvhe/hyp-init.S | 52 ++- arch/arm64/kvm/pmu-emul.c | 6 +- arch/arm64/kvm/sys_regs.c | 1 + arch/arm64/tools/gen-sysreg.awk | 2 +- arch/arm64/tools/sysreg | 502 +++++++++++++++++++++- drivers/perf/apple_m1_cpu_pmu.c | 4 +- drivers/perf/arm_pmu.c | 11 +- drivers/perf/arm_pmu_platform.c | 2 +- drivers/perf/arm_pmuv3.c | 61 +-- drivers/perf/arm_spe_pmu.c | 170 +++++++- include/linux/perf/arm_pmu.h | 2 +- include/linux/perf/arm_pmuv3.h | 1 + include/uapi/linux/perf_event.h | 5 + tools/include/uapi/linux/perf_event.h | 2 + tools/perf/Documentation/perf-arm-spe.txt | 103 ++++- tools/perf/tests/parse-events.c | 14 +- tools/perf/util/parse-events.c | 11 + tools/perf/util/parse-events.h | 1 + tools/perf/util/parse-events.l | 1 + tools/perf/util/pmu.c | 3 + tools/perf/util/pmu.h | 1 + 29 files changed, 1099 insertions(+), 190 deletions(-) create mode 100644 arch/arm64/include/asm/vncr_mapping.h -- 2.33.0

1 34

[PATCH OLK-6.6 0/6] add min_slice and sched_runtime
by Chen Jinghuang 01 Jun '26

01 Jun '26

*** BLURB HERE *** Chen Jinghuang (1): sched: Fix kabi breakage in struct sched_entity Omar Sandoval (1): sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash Peter Zijlstra (3): sched/eevdf: Use sched_attr::sched_runtime to set request/slice suggestion sched/fair: Re-organize dequeue_task_fair() sched/eevdf: Propagate min_slice up the cgroup hierarchy Tianchen Ding (1): sched/eevdf: Force propagating min_slice of cfs_rq when {en,de}queue tasks include/linux/sched.h | 5 +- kernel/sched/core.c | 4 +- kernel/sched/debug.c | 3 +- kernel/sched/fair.c | 131 ++++++++++++++++++++++++++++++++-------- kernel/sched/syscalls.c | 29 +++++++-- 5 files changed, 137 insertions(+), 35 deletions(-) -- 2.34.1

2 7

[PATCH OLK-6.6] sched/cputime: Fix time overflow in cputime_adjust()
by Xia Fukun 01 Jun '26

01 Jun '26

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8331 ------------------ When a process has hundreds of threads and runs for an extended period, the aggregated stime or utime of its thread group can become extremely large. Accessing /proc/xx/stat then triggers a divide error like the following: divide error: 0000 [#1] SMP NOPTI CPU: 273 PID: 4619 Comm: ... Tainted: 5.10.0 x86_64 RIP: 0010:cputime_adjust+0x55/0xb0 RSP: 0018:ffffae408e07bbc8 EFLAGS: 00010807 ... Call Trace: thread_group_cputime_adjusted+0x4b/0x70 do_task_stat+0x2d8/0xdc0 This is due to overflow in stime + utime, which causes mul_u64_u64_div_u64() to trigger a divide error. Add overflow detection logic and, upon overflow, right-shift the values before computation. This fixes the issue while preserving the original calculation semantics. Fixes: 3dc167ba5729 ("sched/cputime: Improve cputime_adjust()") Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- kernel/sched/cputime.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c index e560426f23bd..773b9411007c 100644 --- a/kernel/sched/cputime.c +++ b/kernel/sched/cputime.c @@ -564,6 +564,7 @@ void cputime_adjust(struct task_cputime *curr, struct prev_cputime *prev, u64 *ut, u64 *st) { u64 rtime, stime, utime; + u64 s, u, sum; unsigned long flags; /* Serialize concurrent callers such that we can honour our guarantees */ @@ -599,7 +600,23 @@ void cputime_adjust(struct task_cputime *curr, struct prev_cputime *prev, goto update; } - stime = mul_u64_u64_div_u64(stime, rtime, stime + utime); + s = stime; + u = utime; + sum = s + u; + + /* + * Detect unsigned overflow: if sum < either operand, + * overflow occurred. A single right shift is sufficient + * to guarantee that the new sum won't overflow. + */ + if (unlikely(sum < s)) { + s >>= 1; + u >>= 1; + sum = s + u; + stime = mul_u64_u64_div_u64(s, rtime, sum); + } else { + stime = mul_u64_u64_div_u64(stime, rtime, stime + utime); + } /* * Because mul_u64_u64_div_u64() can approximate on some * achitectures; enforce the constraint that: a*b/(b+c) <= a. -- 2.34.1

2 1

[PATCH OLK-6.6] netfilter: x_tables: guard option walkers against 1-byte tail reads
by superdcc97＠163.com 01 Jun '26

01 Jun '26

From: David Dull <monderasdor(a)gmail.com> stable inclusion from stable-v6.6.130 commit 9b94f0e42ed248eb31929da84ed9f5310d7ff540 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15010 CVE: CVE-2026-43452 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") Signed-off-by: David Dull <monderasdor(a)gmail.com> Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/netfilter/xt_dccp.c | 4 ++-- net/netfilter/xt_tcpudp.c | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c index e5a13ecbe67a..037ab93e25d0 100644 --- a/net/netfilter/xt_dccp.c +++ b/net/netfilter/xt_dccp.c @@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, return true; } - if (op[i] < 2) + if (op[i] < 2 || i == optlen - 1) i++; else - i += op[i+1]?:1; + i += op[i + 1] ? : 1; } spin_unlock_bh(&dccp_buflock); diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c index e8991130a3de..f76cf18f1a24 100644 --- a/net/netfilter/xt_tcpudp.c +++ b/net/netfilter/xt_tcpudp.c @@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option, for (i = 0; i < optlen; ) { if (op[i] == option) return !invert; - if (op[i] < 2) i++; - else i += op[i+1]?:1; + if (op[i] < 2 || i == optlen - 1) + i++; + else + i += op[i + 1] ? : 1; } return invert; -- 2.43.0

2 1

[PATCH OLK-5.10] sched/cputime: Fix time overflow in cputime_adjust()
by Xia Fukun 01 Jun '26

01 Jun '26

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8331 ------------------ When a process has hundreds of threads and runs for an extended period, the aggregated stime or utime of its thread group can become extremely large. Accessing /proc/xx/stat then triggers a divide error like the following: divide error: 0000 [#1] SMP NOPTI CPU: 273 PID: 4619 Comm: ... Tainted: 5.10.0 x86_64 RIP: 0010:cputime_adjust+0x55/0xb0 RSP: 0018:ffffae408e07bbc8 EFLAGS: 00010807 ... Call Trace: thread_group_cputime_adjusted+0x4b/0x70 do_task_stat+0x2d8/0xdc0 This is due to overflow in stime + utime, which causes mul_u64_u64_div_u64() to trigger a divide error. Add overflow detection logic and, upon overflow, right-shift the values before computation. This fixes the issue while preserving the original calculation semantics. Fixes: 3dc167ba5729 ("sched/cputime: Improve cputime_adjust()") Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- kernel/sched/cputime.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c index f03b3af2fb79..38cb82382730 100644 --- a/kernel/sched/cputime.c +++ b/kernel/sched/cputime.c @@ -543,6 +543,7 @@ void cputime_adjust(struct task_cputime *curr, struct prev_cputime *prev, u64 *ut, u64 *st) { u64 rtime, stime, utime; + u64 s, u, sum; unsigned long flags; /* Serialize concurrent callers such that we can honour our guarantees */ @@ -578,7 +579,23 @@ void cputime_adjust(struct task_cputime *curr, struct prev_cputime *prev, goto update; } - stime = mul_u64_u64_div_u64(stime, rtime, stime + utime); + s = stime; + u = utime; + sum = s + u; + + /* + * Detect unsigned overflow: if sum < either operand, + * overflow occurred. A single right shift is sufficient + * to guarantee that the new sum won't overflow. + */ + if (unlikely(sum < s)) { + s >>= 1; + u >>= 1; + sum = s + u; + stime = mul_u64_u64_div_u64(s, rtime, sum); + } else { + stime = mul_u64_u64_div_u64(stime, rtime, stime + utime); + } /* * Because mul_u64_u64_div_u64() can approximate on some * achitectures; enforce the constraint that: a*b/(b+c) <= a. -- 2.34.1

2 1

[PATCH OLK-5.10] netfilter: x_tables: guard option walkers against 1-byte tail reads
by superdcc97＠163.com 01 Jun '26

01 Jun '26

From: David Dull <monderasdor(a)gmail.com> stable inclusion from stable-v5.10.253 commit c2a445367a496a3c25dbc940c10c8bd1cfd4c14a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15010 CVE: CVE-2026-43452 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") Signed-off-by: David Dull <monderasdor(a)gmail.com> Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/netfilter/xt_dccp.c | 4 ++-- net/netfilter/xt_tcpudp.c | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c index e5a13ecbe67a..037ab93e25d0 100644 --- a/net/netfilter/xt_dccp.c +++ b/net/netfilter/xt_dccp.c @@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, return true; } - if (op[i] < 2) + if (op[i] < 2 || i == optlen - 1) i++; else - i += op[i+1]?:1; + i += op[i + 1] ? : 1; } spin_unlock_bh(&dccp_buflock); diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c index 11ec2abf0c72..73f50dc01b19 100644 --- a/net/netfilter/xt_tcpudp.c +++ b/net/netfilter/xt_tcpudp.c @@ -56,8 +56,10 @@ tcp_find_option(u_int8_t option, for (i = 0; i < optlen; ) { if (op[i] == option) return !invert; - if (op[i] < 2) i++; - else i += op[i+1]?:1; + if (op[i] < 2 || i == optlen - 1) + i++; + else + i += op[i + 1] ? : 1; } return invert; -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] netfilter: x_tables: guard option walkers against 1-byte tail reads
by superdcc97＠163.com 01 Jun '26

01 Jun '26

From: David Dull <monderasdor(a)gmail.com> mainline inclusion from mainline-v7.0-rc4 commit cfe770220ac2dbd3e104c6b45094037455da81d4 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15010 CVE: CVE-2026-43452 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") Signed-off-by: David Dull <monderasdor(a)gmail.com> Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/netfilter/xt_dccp.c | 4 ++-- net/netfilter/xt_tcpudp.c | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c index b63d2a3d80ba..b74f6b76d3ca 100644 --- a/net/netfilter/xt_dccp.c +++ b/net/netfilter/xt_dccp.c @@ -65,10 +65,10 @@ dccp_find_option(u_int8_t option, return true; } - if (op[i] < 2) + if (op[i] < 2 || i == optlen - 1) i++; else - i += op[i+1]?:1; + i += op[i + 1] ? : 1; } spin_unlock_bh(&dccp_buflock); diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c index ade024c90f4f..8d620f84795d 100644 --- a/net/netfilter/xt_tcpudp.c +++ b/net/netfilter/xt_tcpudp.c @@ -55,8 +55,10 @@ tcp_find_option(u_int8_t option, for (i = 0; i < optlen; ) { if (op[i] == option) return !invert; - if (op[i] < 2) i++; - else i += op[i+1]?:1; + if (op[i] < 2 || i == optlen - 1) + i++; + else + i += op[i + 1] ? : 1; } return invert; -- 2.43.0

2 1

[PATCH openEuler-1.0-LTS] xfrm: Wait for RCU readers during policy netns exit
by superdcc97＠163.com 01 Jun '26

01 Jun '26

From: Steffen Klassert <steffen.klassert(a)secunet.com> mainline inclusion from mainline-v7.1-rc1 commit 069daad4f2ae9c5c108131995529d5f02392c446 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14643 CVE: CVE-2026-43091 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables. Fixes: e1e551bc5630 ("xfrm: policy: prepare policy_bydst hash for rcu lookups") Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Reviewed-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/xfrm/xfrm_policy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index f0c4571b128a..5d635f005ab7 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2884,6 +2884,8 @@ static void xfrm_policy_fini(struct net *net) #endif xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, false); + synchronize_rcu(); + WARN_ON(!list_empty(&net->xfrm.policy_all)); for (dir = 0; dir < XFRM_POLICY_MAX; dir++) { -- 2.43.0

2 1

[PATCH OLK-5.10] ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
by Zhang Yuwei 01 Jun '26

01 Jun '26

From: Ziqing Chen <chenziqing(a)xiaomi.com> stable inclusion from stable-v6.6.140 commit 1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15330 CVE: CVE-2026-46088 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e0da8a8cac74f4b9f577979d131f0d2b88a84487 upstream. snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone. Fixes: 8d448162bda5 ("ALSA: control: add support for ENUMERATED user space controls") Cc: stable(a)vger.kernel.org Signed-off-by: Ziqing Chen <chenziqing(a)xiaomi.com> Link: https://patch.msgid.link/20260414132437.261304-1-chenziqing@xiaomi.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yuan Can <yuancan(a)huawei.com> Conflicts: sound/core/control.c [context conflict] Signed-off-by: Zhang Yuwei <zhangyuwei20(a)huawei.com> --- sound/core/control.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index 732eb515d2f5..640bafb6605a 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1387,6 +1387,10 @@ static int snd_ctl_elem_init_enum_names(struct user_element *ue) buf_len = ue->info.value.enumerated.names_length; p = names; for (i = 0; i < ue->info.value.enumerated.items; ++i) { + if (buf_len == 0) { + kvfree(names); + return -EINVAL; + } name_len = strnlen(p, buf_len); if (name_len == 0 || name_len >= 64 || name_len == buf_len) { kvfree(names); -- 2.22.0

2 1