Kernel

kernel@openeuler.org

  • 56 participants
  • 22191 discussions
[PATCH OLK-5.10] net: atlantic: fix fragment overflow handling in RX path
by Fanhua Li 19 Dec '25

From: Jiefeng Zhang <jiefeng.z.zhang(a)gmail.com>

stable inclusion
from stable-v5.10.247
commit 34147477eeab24077fcfe9649e282849347d760c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDDF5H
CVE: CVE-2025-68301

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 5ffcb7b890f61541201461580bb6622ace405aec ]

The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.

The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.

Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. And reusing the existing check to prevent the overflow earlier in the code path.

This crash occurred in production with an Aquantia AQC113 10G NIC.

Stack trace from production environment: ``` RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0 Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83 RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287 RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000 RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40 RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021 R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24 R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00 FS: 0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0 PKRU: 55555554 Call Trace: <IRQ> aq_ring_rx_clean+0x175/0xe60 [atlantic] ? aq_ring_rx_clean+0x14d/0xe60 [atlantic] ? aq_ring_tx_clean+0xdf/0x190 [atlantic] ? kmem_cache_free+0x348/0x450 ? aq_vec_poll+0x81/0x1d0 [atlantic] ? __napi_poll+0x28/0x1c0 ? net_rx_action+0x337/0x420 ``` Fixes: 6aecbba12b5c ("net: atlantic: add check for MAX_SKB_FRAGS") Changes in v4: - Add Fixes: tag to satisfy patch validation requirements. Changes in v3: - Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. Signed-off-by: Jiefeng Zhang <jiefeng.z.zhang(a)gmail.com> Link: https://patch.msgid.link/20251126032249.69358-1-jiefeng.z.zhang@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Fanhua Li <lifanhua5(a)huawei.com> --- drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c index a50f40eea778..10209a1ed2ea 100644 --- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c 
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c @@ -334,6 +334,11 @@ int aq_ring_rx_clean(struct aq_ring_s *self, if (!buff->is_eop) { unsigned int frag_cnt = 0U; + + /* There will be an extra fragment */ + if (buff->len > AQ_CFG_RX_HDR_SIZE) + frag_cnt++; + buff_ = buff; do { bool is_rsc_completed = true; -- 2.43.0
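Review bot: the comment added above "if (buff->len > AQ_CFG_RX_HDR_SIZE)" says only "There will be an extra fragment" and does not say where that fragment comes from or which bound frag_cnt is later compared against; the MAX_SKB_FRAGS check that this pre-increment relies on is outside the hunk's context. Suggest expanding the comment to say that a first buffer longer than AQ_CFG_RX_HDR_SIZE accounts for one fragment by itself, so the count has to start from 1 before the descriptor walk in the do-loop, which is what the commit message describes.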
[openeuler:openEuler-1.0-LTS 1944/1944] drivers/net/bonding/bond_sysctl.o: warning: objtool: missing symbol for section .text
by kernel test robot 19 Dec '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 4e9c55920995d70b3e88b60c69753df54b03fdf4 commit: 0397c33121652647d544d4bcdceb9f2d868146af [1944/1944] anolis: bond: broadcast ARP or ND messages to all slaves config: x86_64-buildonly-randconfig-006-20251216 (https://download.01.org/0day-ci/archive/20251219/202512190947.4c8UaXQD-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 1335a05ab8bc8339ce24be3a9da89d8c3f4e0571) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251219/202512190947.4c8UaXQD-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512190947.4c8UaXQD-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/net/bonding/bond_sysctl.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1944/1944] arch/x86/kernel/unwind_orc.o: warning: objtool: missing symbol for section .text
by kernel test robot 19 Dec '25

Hi Shile, First bad commit (maybe != root cause): tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 4e9c55920995d70b3e88b60c69753df54b03fdf4 commit: badd79c400ed404df871e1d035bed971d20ead4c [1944/1944] x86/unwind/orc: Remove boot-time ORC unwind tables sorting config: x86_64-buildonly-randconfig-006-20251216 (https://download.01.org/0day-ci/archive/20251219/202512190624.AbYfKuZU-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 1335a05ab8bc8339ce24be3a9da89d8c3f4e0571) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251219/202512190624.AbYfKuZU-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512190624.AbYfKuZU-lkp@intel.com/ All warnings (new ones prefixed by >>): arch/x86/kernel/unwind_orc.c:179:13: warning: unused function 'orc_sort_swap' [-Wunused-function] 179 | static void orc_sort_swap(void *_a, void *_b, int size) | ^~~~~~~~~~~~~ arch/x86/kernel/unwind_orc.c:199:12: warning: unused function 'orc_sort_cmp' [-Wunused-function] 199 | static int orc_sort_cmp(const void *_a, const void *_b) | ^~~~~~~~~~~~ 2 warnings generated. >> arch/x86/kernel/unwind_orc.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1946/1946] drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c:53:32: error: 'struct pci_dev' has no member named 'physfn'; did you mean 'is_physfn'?
by kernel test robot 19 Dec '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 4e9c55920995d70b3e88b60c69753df54b03fdf4 commit: a6a7981cbf66d4951425d33cdce6ef39206eba83 [1946/1946] Net: ethernet: Support 3snic 3s9xx network card config: arm64-randconfig-r062-20251218 (https://download.01.org/0day-ci/archive/20251219/202512190528.ut6FEno8-lkp@…) compiler: aarch64-linux-gcc (GCC) 10.5.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251219/202512190528.ut6FEno8-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512190528.ut6FEno8-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c: In function 'sss_get_vf_load_state': >> drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c:53:32: error: 'struct pci_dev' has no member named 'physfn'; did you mean 'is_physfn'? 53 | dev = pdev->is_virtfn ? pdev->physfn : pdev; | ^~~~~~ | is_physfn drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c: At top level: drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c:276:5: error: no previous prototype for 'sss_attach_uld_driver' [-Werror=missing-prototypes] 276 | int sss_attach_uld_driver(struct sss_pci_adapter *adapter, | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c: In function 'sss_get_vf_service_load': drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c:319:39: error: 'struct pci_dev' has no member named 'physfn'; did you mean 'is_physfn'? 319 | dev = (pdev->is_virtfn != 0) ? 
pdev->physfn : pdev; | ^~~~~~ | is_physfn drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c: At top level: drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c:548:5: error: no previous prototype for 'sss_pci_probe' [-Werror=missing-prototypes] 548 | int sss_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) | ^~~~~~~~~~~~~ cc1: all warnings being treated as errors -- >> drivers/net/ethernet/3snic/sssnic/hw/sss_pci_sriov.c:40:13: error: 'sss_deinit_vf_hw' defined but not used [-Werror=unused-function] 40 | static void sss_deinit_vf_hw(void *hwdev, u16 vf_num) | ^~~~~~~~~~~~~~~~ >> drivers/net/ethernet/3snic/sssnic/hw/sss_pci_sriov.c:18:12: error: 'sss_init_vf_hw' defined but not used [-Werror=unused-function] 18 | static int sss_init_vf_hw(void *hwdev, u16 vf_num) | ^~~~~~~~~~~~~~ cc1: all warnings being treated as errors -- drivers/net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.c: In function 'sss_get_pci_bus_id': >> drivers/net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.c:234:30: error: 'struct pci_dev' has no member named 'physfn'; did you mean 'is_physfn'? 234 | pf_pdev = adapter->pcidev->physfn; | ^~~~~~ | is_physfn -- drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c: In function 'sss_nic_get_vlan_depth': >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:165:14: error: implicit declaration of function 'vlan_dev_priv'; did you mean 'netdev_priv'? 
[-Werror=implicit-function-declaration] 165 | vlan_dev = vlan_dev_priv(vlan_dev)->real_dev; | ^~~~~~~~~~~~~ | netdev_priv >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:165:37: error: invalid type argument of '->' (have 'int') 165 | vlan_dev = vlan_dev_priv(vlan_dev)->real_dev; | ^~ drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c: At top level: drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:878:6: error: no previous prototype for 'sss_nic_port_module_cable_plug' [-Werror=missing-prototypes] 878 | void sss_nic_port_module_cable_plug(struct sss_nic_dev *nic_dev, void *event_data) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:884:6: error: no previous prototype for 'sss_nic_port_module_cable_unplug' [-Werror=missing-prototypes] 884 | void sss_nic_port_module_cable_unplug(struct sss_nic_dev *nic_dev, void *event_data) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:890:6: error: no previous prototype for 'sss_nic_port_module_link_err' [-Werror=missing-prototypes] 890 | void sss_nic_port_module_link_err(struct sss_nic_dev *nic_dev, void *event_data) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/3snic/sssnic/nic/sss_nic_main.c:1029:22: error: no previous prototype for 'get_nic_uld_info' [-Werror=missing-prototypes] 1029 | struct sss_uld_info *get_nic_uld_info(void) | ^~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors cocci warnings: (new ones prefixed by >>) >> drivers/net/ethernet/3snic/sssnic/hw/sss_hwif_ctrlq_export.c:99:5-24: WARNING: atomic_dec_and_test variation before object free at line 103. 
-- >> drivers/net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.c:210:7-16: ERROR: iterator variable bound on line 209 cannot be NULL -- >> drivers/net/ethernet/3snic/sssnic/hw/tool/sss_tool_chip.c:700:8-15: WARNING opportunity for memdup_user -- >> drivers/net/ethernet/3snic/sssnic/hw/sss_hwdev_link.c:620:30-68: WARNING avoid newline at end of message in NL_SET_ERR_MSG_MOD -- >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_netdev_ops_api.c:1006:7-43: WARNING avoid newline at end of message in NL_SET_ERR_MSG_MOD -- >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_ethtool.c:284:5-25: opportunity for str_on_off(pauseparam -> rx_pause) >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_ethtool.c:284:42-62: opportunity for str_on_off(pauseparam -> tx_pause) -- >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_netdev_ops.c:456:5-17: opportunity for str_enable_disable(set_spoofchk) drivers/net/ethernet/3snic/sssnic/nic/sss_nic_netdev_ops.c:462:5-17: opportunity for str_enable_disable(set_spoofchk) -- >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_netdev_ops_api.c:419:6-16: opportunity for str_up_down(link_state) -- >> drivers/net/ethernet/3snic/sssnic/nic/tool/sss_tool_nic_phy_attr.c:132:5-16: opportunity for str_up_down(link_status) -- >> drivers/net/ethernet/3snic/sssnic/nic/sss_nic_ntuple.c:589:6-9: ERROR: invalid reference to the index variable of the iterator on line 583 drivers/net/ethernet/3snic/sssnic/nic/sss_nic_ntuple.c:589:13-16: ERROR: invalid reference to the index variable of the iterator on line 583 drivers/net/ethernet/3snic/sssnic/nic/sss_nic_ntuple.c:459:6-9: ERROR: invalid reference to the index variable of the iterator on line 453 drivers/net/ethernet/3snic/sssnic/nic/sss_nic_ntuple.c:459:13-16: ERROR: invalid reference to the index variable of the iterator on line 453 vim +53 drivers/net/ethernet/3snic/sssnic/hw/sss_pci_probe.c 33 34 #define SSS_CHECK_EVENT_INFO(event) \ 35 ((event)->service == SSS_EVENT_SRV_COMM && \ 36 (event)->type == SSS_EVENT_FAULT) 
37 38 #define SSS_CHECK_FAULT_EVENT_INFO(hwdev, fault_event) \ 39 ((fault_event)->fault_level == SSS_FAULT_LEVEL_SERIOUS_FLR && \ 40 (fault_event)->info.chip.func_id < sss_get_max_pf_num(hwdev)) 41 42 #define SSS_GET_CFG_REG_BAR(pdev) (SSS_IS_VF_DEV(pdev) ? \ 43 SSS_VF_PCI_CFG_REG_BAR : SSS_PF_PCI_CFG_REG_BAR) 44 45 static bool sss_get_vf_load_state(struct pci_dev *pdev) 46 { 47 struct sss_pci_adapter *adapter = NULL; 48 struct pci_dev *dev = NULL; 49 50 if (pci_is_root_bus(pdev->bus)) 51 return false; 52 > 53 dev = pdev->is_virtfn ? pdev->physfn : pdev; 54 adapter = pci_get_drvdata(dev); 55 56 if (!adapter) { 57 sdk_err(&pdev->dev, "Invalid adapter, is null.\n"); 58 return false; 59 } 60 61 return true; 62 } 63 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH OLK-5.10] drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
by Xinyu Zheng 18 Dec '25

From: Guangshuo Li <lgs201920130244(a)gmail.com> stable inclusion from stable-v6.12.58 commit 35f3fb86bb0158a298d6834e7e110dcaf07f490c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IDDEV5 CVE: CVE-2025-68190 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit cc9a8e238e42c1f43b98c097995137d644b69245 ] kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries. Return -ENOMEM on allocation failure to avoid the NULL dereference. Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpu/drm/amd/amdgpu/atom.c [context conflict] Signed-off-by: Xinyu Zheng <zhengxinyu6(a)huawei.com> --- drivers/gpu/drm/amd/amdgpu/atom.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c index 4cfc786699c7..b3acfc943184 100644 --- a/drivers/gpu/drm/amd/amdgpu/atom.c +++ b/drivers/gpu/drm/amd/amdgpu/atom.c @@ -1225,10 +1225,15 @@ static int amdgpu_atom_execute_table_locked(struct atom_context *ctx, int index, ectx.ps = params; ectx.abort = false; ectx.last_jump = 0; - if (ws) + if (ws) { ectx.ws = kcalloc(4, ws, GFP_KERNEL); - else + if (!ectx.ws) { + ret = -ENOMEM; + goto free; + } + } else { ectx.ws = NULL; + } debug_depth++; while (1) { -- 2.34.1
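Review bot: in the new "if (!ectx.ws)" branch of amdgpu_atom_execute_table_locked(), "goto free" is taken before the "debug_depth++" that follows the allocation, and the free label is outside this hunk. Please confirm, and say so next to the "Conflicts: [context conflict]" note, that the cleanup reached through that label does not decrement debug_depth and does not depend on state that is only set up after this point; otherwise the error path needs its own exit.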
[PATCH OLK-6.6] xsched: move xsched types to user-accessible headers
by Liu Kai 18 Dec '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ID9IFI ----------------------------------------- Fix xsched syscall compilation by resolving declaration conflicts and ensuring user-space access to parameter types. - Move include/linux/xsched_types.h -> include/uapi/linux/xsched for user-space visibility - Move include/uapi/linux/xcu_vstream.h -> include/uapi/linux/xsched - Fixes errors: "conflicting types" and "struct not visible" Fixes: 832cfa264d7c ("xsched: add xsched_{set,get}attr syscall") Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- include/linux/sched.h | 2 +- include/linux/vstream.h | 2 +- include/linux/xcu_group.h | 2 +- include/linux/xsched.h | 4 ++-- .../xsched_types.h => uapi/linux/xsched/types.h} | 14 ++++++++------ include/uapi/linux/{ => xsched}/xcu_vstream.h | 6 +++--- init/init_task.c | 2 +- 7 files changed, 17 insertions(+), 15 deletions(-) rename include/{linux/xsched_types.h => uapi/linux/xsched/types.h} (59%) rename include/uapi/linux/{ => xsched}/xcu_vstream.h (92%) diff --git a/include/linux/sched.h b/include/linux/sched.h index bb23790fd2d3..321abdc384da 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -42,7 +42,7 @@ #include <linux/kabi.h> #ifdef CONFIG_XCU_SCHEDULER -#include <linux/xsched_types.h> +#include <uapi/linux/xsched/types.h> #endif /* task_struct member predeclarations (sorted alphabetically): */ diff --git a/include/linux/vstream.h b/include/linux/vstream.h index 7d99e416624f..227bbf77085e 100644 --- a/include/linux/vstream.h +++ b/include/linux/vstream.h @@ -2,7 +2,7 @@ #ifndef _LINUX_VSTREAM_H #define _LINUX_VSTREAM_H -#include <uapi/linux/xcu_vstream.h> +#include <uapi/linux/xsched/xcu_vstream.h> #include <linux/ktime.h> #define MAX_VSTREAM_SIZE 2048 diff --git a/include/linux/xcu_group.h b/include/linux/xcu_group.h index c129dca32c51..d7d6972e7f5c 100644 --- a/include/linux/xcu_group.h +++ b/include/linux/xcu_group.h 
@@ -3,7 +3,7 @@ #define __XSCHED_XCU_GROUP_H__ #include <linux/idr.h> -#include <uapi/linux/xcu_vstream.h> +#include <uapi/linux/xsched/xcu_vstream.h> #ifndef CONFIG_XSCHED_NR_CUS #define CONFIG_XSCHED_NR_CUS 128 diff --git a/include/linux/xsched.h b/include/linux/xsched.h index 46fe6ae2bc77..86b248a18f97 100644 --- a/include/linux/xsched.h +++ b/include/linux/xsched.h @@ -4,10 +4,10 @@ #include <linux/cgroup.h> #include <linux/kref.h> +#include <linux/math64.h> #include <linux/vstream.h> #include <linux/xcu_group.h> -#include <linux/xsched_types.h> -#include <linux/math64.h> +#include <uapi/linux/xsched/types.h> #define XSCHED_LOG_PREFIX "XSched" #define XSCHED_INFO(fmt, ...) \ diff --git a/include/linux/xsched_types.h b/include/uapi/linux/xsched/types.h similarity index 59% rename from include/linux/xsched_types.h rename to include/uapi/linux/xsched/types.h index f52fe32d5198..e5f11a2973e8 100644 --- a/include/linux/xsched_types.h +++ b/include/uapi/linux/xsched/types.h @@ -1,13 +1,15 @@ -/* SPDX-License-Identifier: GPL-2.0 */ -#ifndef _XSCHED_TYPE_H -#define _XSCHED_TYPE_H +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _UAPI_LINUX_XSCHED_TYPES_H +#define _UAPI_LINUX_XSCHED_TYPES_H + +#include <linux/types.h> struct xsched_attr { /* Scheduling class type, from enum xcu_sched_class */ - unsigned int xsched_class; + __u32 xsched_class; /* RT scheduling priority, from enum xse_prio */ - unsigned int xsched_priority; + __u32 xsched_priority; }; enum xcu_sched_class { @@ -24,4 +26,4 @@ enum xse_prio { XSE_PRIO_DFLT = XSE_PRIO_LOW }; -#endif /* ! _XSCHED_TYPE_H */ +#endif /* _UAPI_LINUX_XSCHED_TYPES_H */ diff --git a/include/uapi/linux/xcu_vstream.h b/include/uapi/linux/xsched/xcu_vstream.h similarity index 92% rename from include/uapi/linux/xcu_vstream.h rename to include/uapi/linux/xsched/xcu_vstream.h index b60c0e0e15f5..4b3abf386a1c 100644 --- a/include/uapi/linux/xcu_vstream.h +++ b/include/uapi/linux/xsched/xcu_vstream.h 
@@ -1,6 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ -#ifndef _UAPI_XCU_VSTREAM_H -#define _UAPI_XCU_VSTREAM_H +#ifndef _UAPI_LINUX_XSCHED_XCU_VSTREAM_H +#define _UAPI_LINUX_XSCHED_XCU_VSTREAM_H #include <linux/types.h> @@ -74,4 +74,4 @@ typedef struct vstream_args { KABI_RESERVE_BYTES(2, 8); } vstream_args_t; -#endif /* _UAPI_LINUX_SCHED_H */ +#endif /* _UAPI_LINUX_XSCHED_XCU_VSTREAM_H */ diff --git a/init/init_task.c b/init/init_task.c index 61a6345708c8..9fd44251b8b7 100644 --- a/init/init_task.c +++ b/init/init_task.c @@ -15,7 +15,7 @@ #include <linux/uaccess.h> #ifdef CONFIG_XCU_SCHEDULER -#include <linux/xsched_types.h> +#include <uapi/linux/xsched/types.h> #endif static struct signal_struct init_signals = { -- 2.34.1
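Review bot: the include/uapi/linux/xsched/types.h hunk changes both members of struct xsched_attr from "unsigned int" to "__u32", but the commit message only describes moving headers; since this struct is the parameter type of the xsched_{set,get}attr syscalls, the type change should be stated in the message so the user-visible layout is reviewed deliberately. The include/linux/xsched.h hunk also moves "#include <linux/math64.h>" above vstream.h, which is unrelated to the relocation and would be better dropped or mentioned.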
[PATCH OLK-5.10] locking/rwsem: Optimize down_read_trylock() under highly contended case
by Tengda Wu 18 Dec '25

From: Muchun Song <songmuchun(a)bytedance.com>

mainline inclusion
from mainline-v5.16-rc3
commit 14c24048841151548a3f4d9e218510c844c1b737
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IDE51T

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

We found that a process with 10 thousand threads has encountered a regression problem from Linux-v4.14 to Linux-v5.4. It is a kind of workload which will concurrently allocate lots of memory in different threads sometimes. In this case, we will see the down_read_trylock() with a high hotspot. Therefore, we suppose that rwsem has a regression at least since Linux-v5.4. In order to easily debug this problem, we wrote a simple benchmark to create a similar situation, like the following.

```c++
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sched.h>
#include <pthread.h>

#include <cstdio>
#include <cstdlib>
#include <cassert>
#include <thread>
#include <vector>
#include <chrono>

volatile int mutex;

void trigger(int cpu, char* ptr, std::size_t sz)
{
	cpu_set_t set;
	CPU_ZERO(&set);
	CPU_SET(cpu, &set);
	assert(pthread_setaffinity_np(pthread_self(), sizeof(set), &set) == 0);

	while (mutex);

	for (std::size_t i = 0; i < sz; i += 4096) {
		*ptr = '\0';
		ptr += 4096;
	}
}

int main(int argc, char* argv[])
{
	std::size_t sz = 100;

	if (argc > 1)
		sz = atoi(argv[1]);

	auto nproc = std::thread::hardware_concurrency();

	std::vector<std::thread> thr;
	sz <<= 30;
	auto* ptr = mmap(nullptr, sz, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
	assert(ptr != MAP_FAILED);
	char* cptr = static_cast<char*>(ptr);
	auto run = sz / nproc;
	run = (run >> 12) << 12;

	mutex = 1;

	for (auto i = 0U; i < nproc; ++i) {
		thr.emplace_back(std::thread([i, cptr, run]() { trigger(i, cptr, run); }));
		cptr += run;
	}

	rusage usage_start;
	getrusage(RUSAGE_SELF, &usage_start);
	auto start = std::chrono::system_clock::now();

	mutex = 0;

	for (auto& t : thr)
		t.join();

	rusage usage_end;
	getrusage(RUSAGE_SELF, &usage_end);
	auto end = std::chrono::system_clock::now();
	timeval utime;
	timeval stime;
	timersub(&usage_end.ru_utime, &usage_start.ru_utime, &utime);
	timersub(&usage_end.ru_stime, &usage_start.ru_stime, &stime);
	printf("usr: %ld.%06ld\n", utime.tv_sec, utime.tv_usec);
	printf("sys: %ld.%06ld\n", stime.tv_sec, stime.tv_usec);
	printf("real: %lu\n",
	       std::chrono::duration_cast<std::chrono::milliseconds>(end - start).count());

	return 0;
}
```

The above program simply creates `nproc` threads, each of which tries to touch memory (trigger a page fault) on a different CPU. Then we will see a similar profile with `perf top`.

  25.55%  [kernel]  [k] down_read_trylock
  14.78%  [kernel]  [k] handle_mm_fault
  13.45%  [kernel]  [k] up_read
   8.61%  [kernel]  [k] clear_page_erms
   3.89%  [kernel]  [k] __do_page_fault

The hottest instruction in down_read_trylock(), which accounts for about 92%, is the cmpxchg, like the following.

  91.89 │      lock   cmpxchg %rdx,(%rdi)

Since the problem was found by migrating from Linux-v4.14 to Linux-v5.4, we easily found that the commit ddb20d1d3aed ("locking/rwsem: Optimize down_read_trylock()") caused the regression. The reason is that the commit assumes the rwsem is not contended at all. But that is not always true for the mmap lock, which can be contended by thousands of threads. So most threads need to run "cmpxchg" at least 2 times to acquire the lock. The overhead of an atomic operation is higher than that of non-atomic instructions, which caused the regression.

By using the above benchmark, the real executing time on an x86-64 system before and after the patch was:

                  Before Patch  After Patch
   # of Threads      real          real      reduced by
   ------------     ------        ------     ----------
         1          65,373        65,206       ~0.0%
         4          15,467        15,378       ~0.5%
        40           6,214         5,528      ~11.0%

For the uncontended case, the new down_read_trylock() is the same as before. For the contended cases, the new down_read_trylock() is faster than before. The more contended, the faster.

Signed-off-by: Muchun Song <songmuchun(a)bytedance.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Acked-by: Waiman Long <longman(a)redhat.com> Link: https://lore.kernel.org/r/20211118094455.9068-1-songmuchun@bytedance.com Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/locking/rwsem.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c index cc5cc889b5b7..e32587c141a1 100644 --- a/kernel/locking/rwsem.c +++ b/kernel/locking/rwsem.c @@ -1375,17 +1375,14 @@ static inline int __down_read_trylock(struct rw_semaphore *sem) DEBUG_RWSEMS_WARN_ON(sem->magic != sem, sem); - /* - * Optimize for the case when the rwsem is not locked at all. - */ - tmp = RWSEM_UNLOCKED_VALUE; - do { + tmp = atomic_long_read(&sem->count); + while (!(tmp & RWSEM_READ_FAILED_MASK)) { if (atomic_long_try_cmpxchg_acquire(&sem->count, &tmp, - tmp + RWSEM_READER_BIAS)) { + tmp + RWSEM_READER_BIAS)) { rwsem_set_reader_owned(sem); return 1; } - } while (!(tmp & RWSEM_READ_FAILED_MASK)); + } return 0; } -- 2.34.1
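Review bot: the hunk in __down_read_trylock() deletes the comment "Optimize for the case when the rwsem is not locked at all" and puts nothing in its place, so the reason for the atomic_long_read() ahead of the cmpxchg loop is recorded only in the commit message. Suggest a short comment above "tmp = atomic_long_read(&sem->count);" saying the initial read avoids a guaranteed-to-fail first cmpxchg when the count is already non-zero. The re-indentation of the "tmp + RWSEM_READER_BIAS" continuation line is whitespace-only and could be left out of a backport.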
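The cmpxchg counts behind the rwsem message above, as an added single-threaded C11 model that is not part of the patch or of the kernel. The count layout (two flag bits, readers counted in units of RWSEM_READER_BIAS) is simplified and assumed for this model, and measure() is a hypothetical helper.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Simplified count layout assumed for this model: the low bits are flags that
 * make a reader fail, reader references are counted in RWSEM_READER_BIAS. */
#define RWSEM_UNLOCKED_VALUE	0L
#define RWSEM_WRITER_LOCKED	(1L << 0)
#define RWSEM_FLAG_WAITERS	(1L << 1)
#define RWSEM_READER_BIAS	(1L << 8)
#define RWSEM_READ_FAILED_MASK	(RWSEM_WRITER_LOCKED | RWSEM_FLAG_WAITERS)

struct attempt {
	int acquired;		/* 1 if the read lock was taken */
	int cmpxchg_ops;	/* atomic compare-exchange operations issued */
};

/* On failure *old is refreshed with the current value, like try_cmpxchg. */
static int try_cmpxchg_acquire(atomic_long *v, long *old, long new_val)
{
	return atomic_compare_exchange_strong_explicit(v, old, new_val,
			memory_order_acquire, memory_order_relaxed);
}

/* Loop shape before the patch: guess "unlocked", then correct the guess. */
static struct attempt trylock_before(atomic_long *count)
{
	struct attempt a = { 0, 0 };
	long tmp = RWSEM_UNLOCKED_VALUE;

	do {
		a.cmpxchg_ops++;
		if (try_cmpxchg_acquire(count, &tmp, tmp + RWSEM_READER_BIAS)) {
			a.acquired = 1;
			return a;
		}
	} while (!(tmp & RWSEM_READ_FAILED_MASK));
	return a;
}

/* Loop shape after the patch: plain read first, cmpxchg only if it can win. */
static struct attempt trylock_after(atomic_long *count)
{
	struct attempt a = { 0, 0 };
	long tmp = atomic_load_explicit(count, memory_order_relaxed);

	while (!(tmp & RWSEM_READ_FAILED_MASK)) {
		a.cmpxchg_ops++;
		if (try_cmpxchg_acquire(count, &tmp, tmp + RWSEM_READER_BIAS)) {
			a.acquired = 1;
			return a;
		}
	}
	return a;
}

/* Run one trylock against a semaphore whose count starts at `initial`. */
static struct attempt measure(long initial, int patched)
{
	atomic_long count;

	atomic_init(&count, initial);
	return patched ? trylock_after(&count) : trylock_before(&count);
}

int main(void)
{
	/* Constructed starting states: free, three readers, writer-held. */
	const long states[] = { RWSEM_UNLOCKED_VALUE, 3 * RWSEM_READER_BIAS,
				RWSEM_WRITER_LOCKED };
	const char *names[] = { "unlocked", "3 readers", "writer held" };

	for (int i = 0; i < 3; i++) {
		struct attempt b = measure(states[i], 0);
		struct attempt a = measure(states[i], 1);

		printf("%-12s before: %d cmpxchg (acquired=%d)  after: %d cmpxchg (acquired=%d)\n",
		       names[i], b.cmpxchg_ops, b.acquired, a.cmpxchg_ops, a.acquired);
	}
	return 0;
}
```
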
[openeuler:openEuler-1.0-LTS] BUILD SUCCESS 4e9c55920995d70b3e88b60c69753df54b03fdf4
by kernel test robot 18 Dec '25

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: 4e9c55920995d70b3e88b60c69753df54b03fdf4 !19703 ppp: associate skb with a device at tx elapsed time: 1467m configs tested: 36 configs skipped: 10 The following configs have been built successfully. More configs may be tested in the coming days. tested configs: arm64 allmodconfig gcc-15.1.0 arm64 allnoconfig gcc-15.1.0 arm64 defconfig gcc-15.1.0 arm64 randconfig-001-20251218 gcc-5.5.0 arm64 randconfig-002-20251218 gcc-10.5.0 arm64 randconfig-003-20251218 gcc-14.3.0 arm64 randconfig-004-20251218 gcc-5.5.0 x86_64 allmodconfig clang-22 x86_64 allnoconfig clang-22 x86_64 allyesconfig clang-22 x86_64 buildonly-randconfig-001-20251218 gcc-14 x86_64 buildonly-randconfig-002-20251218 gcc-14 x86_64 buildonly-randconfig-003-20251218 clang-22 x86_64 buildonly-randconfig-004-20251218 gcc-14 x86_64 buildonly-randconfig-005-20251218 gcc-14 x86_64 buildonly-randconfig-006-20251218 gcc-14 x86_64 defconfig gcc-14 x86_64 randconfig-001-20251218 clang-22 x86_64 randconfig-002-20251218 clang-22 x86_64 randconfig-003-20251218 clang-22 x86_64 randconfig-004-20251218 clang-22 x86_64 randconfig-005-20251218 clang-22 x86_64 randconfig-006-20251218 clang-22 x86_64 randconfig-011-20251218 gcc-14 x86_64 randconfig-012-20251218 gcc-14 x86_64 randconfig-013-20251218 clang-22 x86_64 randconfig-014-20251218 gcc-12 x86_64 randconfig-015-20251218 gcc-14 x86_64 randconfig-016-20251218 gcc-14 x86_64 randconfig-071-20251218 gcc-14 x86_64 randconfig-072-20251218 gcc-14 x86_64 randconfig-073-20251218 gcc-12 x86_64 randconfig-074-20251218 clang-22 x86_64 randconfig-075-20251218 gcc-12 x86_64 randconfig-076-20251218 clang-22 x86_64 rhel-9.4-rust clang-22 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] timers: Fix NULL function pointer race in timer_shutdown_sync()
by Jinjie Ruan 18 Dec '25

From: Yipeng Zou <zouyipeng(a)huawei.com>

stable inclusion
from stable-v6.6.118
commit 6665fbd7730b26d770c232b20d1b907e6a67a914
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDDEZ3
CVE: CVE-2025-68214

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c upstream.

There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers().

The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this:

CPU0                                    CPU1
                                        <SOFTIRQ>
                                        lock_timer_base()
                                        expire_timers()
                                        base->running_timer = timer;
                                        unlock_timer_base()
                                        [call_timer_fn enter]
                                        mod_timer()
                                        ...
timer_shutdown_sync()
lock_timer_base()
// For now, will not detach the timer but only clear its function to NULL
if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
if (shutdown)
        timer->function = NULL;
unlock_timer_base()
                                        [call_timer_fn exit]
                                        lock_timer_base()
                                        base->running_timer = NULL;
                                        unlock_timer_base()
                                        ...
                                        // Now timer is pending while its function set to NULL.
                                        // next timer trigger
                                        <SOFTIRQ>
                                        expire_timers()
                                        WARN_ON_ONCE(!fn) // hit
                                        ...
lock_timer_base()
// Now timer will detach
if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
if (shutdown)
        timer->function = NULL;
unlock_timer_base()

The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers().

Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.

Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions") Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- kernel/time/timer.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/time/timer.c b/kernel/time/timer.c index 63a8ce7177dd..4a2aeaa85af3 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c @@ -1413,10 +1413,11 @@ static int __try_to_del_timer_sync(struct timer_list *timer, bool shutdown) base = lock_timer_base(timer, &flags); - if (base->running_timer != timer) + if (base->running_timer != timer) { ret = detach_if_pending(timer, base, true); - if (shutdown) - timer->function = NULL; + if (shutdown) + timer->function = NULL; + } raw_spin_unlock_irqrestore(&base->lock, flags); -- 2.34.1
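Review bot: in __try_to_del_timer_sync() the new braces make "timer->function = NULL" conditional on "base->running_timer != timer", but the hunk carries no comment explaining why, so the invariant lives only in the commit message. Suggest a one-line comment inside the block stating that the function pointer may only be cleared once the timer is known not to be running, since a running callback can re-arm it; that would keep a later cleanup from hoisting the assignment back out of the if.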
[PATCH OLK-5.10] timers: Fix NULL function pointer race in timer_shutdown_sync()
by Jinjie Ruan 18 Dec '25

From: Yipeng Zou <zouyipeng(a)huawei.com>

stable inclusion
from stable-v6.6.118
commit 6665fbd7730b26d770c232b20d1b907e6a67a914
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IDDEZ3
CVE: CVE-2025-68214

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 20739af07383e6eb1ec59dcd70b72ebfa9ac362c upstream.

There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers().

The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this:

CPU0                                    CPU1
                                        <SOFTIRQ>
                                        lock_timer_base()
                                        expire_timers()
                                        base->running_timer = timer;
                                        unlock_timer_base()
                                        [call_timer_fn enter]
                                        mod_timer()
                                        ...
timer_shutdown_sync()
lock_timer_base()
// For now, will not detach the timer but only clear its function to NULL
if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
if (shutdown)
        timer->function = NULL;
unlock_timer_base()
                                        [call_timer_fn exit]
                                        lock_timer_base()
                                        base->running_timer = NULL;
                                        unlock_timer_base()
                                        ...
                                        // Now timer is pending while its function set to NULL.
                                        // next timer trigger
                                        <SOFTIRQ>
                                        expire_timers()
                                        WARN_ON_ONCE(!fn) // hit
                                        ...
lock_timer_base()
// Now timer will detach
if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
if (shutdown)
        timer->function = NULL;
unlock_timer_base()

The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers().

Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.

Fixes: 0cc04e80458a ("timers: Add shutdown mechanism to the internal functions") Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20251122093942.301559-1-zouyipeng@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Jinjie Ruan <ruanjinjie(a)huawei.com> --- kernel/time/timer.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/time/timer.c b/kernel/time/timer.c index c1b52dab3951..472c97733b2b 100644 --- a/kernel/time/timer.c +++ b/kernel/time/timer.c @@ -1374,10 +1374,11 @@ static int __try_to_del_timer_sync(struct timer_list *timer, bool shutdown) base = lock_timer_base(timer, &flags); - if (base->running_timer != timer) + if (base->running_timer != timer) { ret = detach_if_pending(timer, base, true); - if (shutdown) - timer->function = NULL; + if (shutdown) + timer->function = NULL; + } raw_spin_unlock_irqrestore(&base->lock, flags); -- 2.34.1
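Review bot: the header of this OLK-5.10 submission still reads "stable inclusion from stable-v6.6.118" with the 6.6 stable commit id, while the hunk applies at "@@ -1374,10 +1374,11 @@" against a different kernel/time/timer.c blob, and the message has no note that the change was ported to another base. Suggest adding a line saying the patch was adapted from the 6.6 stable commit for OLK-5.10, so the provenance fields match what is actually being applied.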
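The interleaving described in the two timer_shutdown_sync() messages above, replayed step by step in a single-threaded user-space model (an added example, not kernel code and not part of either patch). The structs, expire_begin(), expire_end(), replay() and the rule that mod_timer() ignores a timer whose function is NULL are simplifications assumed for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct timer {
	void (*function)(void);	/* NULL marks a shut-down timer */
	bool pending;		/* queued for a future expiry */
};

struct timer_base {
	struct timer *running_timer;	/* timer whose callback is executing */
};

struct outcome {
	int null_fn_expiries;	/* expiries that found function == NULL */
	int callback_runs;
	bool pending_at_end;
	bool function_cleared;
};

static void callback(void) { }

static int detach_if_pending(struct timer *t)
{
	if (!t->pending)
		return 0;
	t->pending = false;
	return 1;
}

/* Model assumption: re-arming a shut-down timer is silently ignored. */
static void mod_timer(struct timer *t)
{
	if (t->function)
		t->pending = true;
}

/* Logic of __try_to_del_timer_sync() before the patch. */
static int try_to_del_before(struct timer_base *b, struct timer *t, bool shutdown)
{
	int ret = -1;

	if (b->running_timer != t)
		ret = detach_if_pending(t);
	if (shutdown)
		t->function = NULL;	/* cleared even while the timer runs */
	return ret;
}

/* Logic after the patch: clear the function only when not running. */
static int try_to_del_after(struct timer_base *b, struct timer *t, bool shutdown)
{
	int ret = -1;

	if (b->running_timer != t) {
		ret = detach_if_pending(t);
		if (shutdown)
			t->function = NULL;
	}
	return ret;
}

/* First half of an expiry: dequeue, check the function, mark it running. */
static bool expire_begin(struct timer_base *b, struct timer *t, struct outcome *o)
{
	if (!t->pending)
		return false;
	t->pending = false;
	if (!t->function) {	/* the WARN_ON_ONCE(!fn) case from the message */
		o->null_fn_expiries++;
		return false;
	}
	b->running_timer = t;
	o->callback_runs++;
	return true;
}

static void expire_end(struct timer_base *b)
{
	b->running_timer = NULL;
}

/* Replays the CPU0/CPU1 sequence from the commit message in order. */
static struct outcome replay(bool patched)
{
	int (*try_to_del)(struct timer_base *, struct timer *, bool) =
		patched ? try_to_del_after : try_to_del_before;
	struct timer t = { .function = callback, .pending = true };
	struct timer_base base = { NULL };
	struct outcome o = { 0, 0, false, false };

	if (expire_begin(&base, &t, &o)) {	/* CPU1: callback entered */
		mod_timer(&t);			/* CPU1: callback re-arms */
		try_to_del(&base, &t, true);	/* CPU0: first attempt, -1 */
		expire_end(&base);		/* CPU1: callback returns */
	}
	if (expire_begin(&base, &t, &o))	/* CPU1: next timer trigger */
		expire_end(&base);
	while (try_to_del(&base, &t, true) < 0)	/* CPU0: retry until done */
		;
	o.pending_at_end = t.pending;
	o.function_cleared = (t.function == NULL);
	return o;
}

int main(void)
{
	for (int patched = 0; patched <= 1; patched++) {
		struct outcome o = replay(patched);

		printf("%s: NULL-function expiries=%d callback runs=%d\n",
		       patched ? "after " : "before", o.null_fn_expiries, o.callback_runs);
	}
	return 0;
}
```
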