- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] RDMA/rxe: Fix "kernel NULL pointer dereference" error
by Ziming Du 25 Dec '25

25 Dec '25

From: Zhu Yanjun <yanjun.zhu(a)linux.dev> stable inclusion from stable-v4.19.262 commit 9c5dd6993c794703e74c6ba17ac78ca0211ef940 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11468 CVE: CVE-2022-50671 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ] When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not initialized. Because of creation of qp fails, the function rxe_create_qp will call rxe_qp_do_cleanup to handle allocated resource. Before calling __rxe_do_task, both qp->req.task.func and qp->req.task.arg should be checked. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev Reported-by: syzbot+ab99dc4c6e961eed8b8e(a)syzkaller.appspotmail.com Signed-off-by: Zhu Yanjun <yanjun.zhu(a)linux.dev> Reviewed-by: Li Zhijian <lizhijian(a)fujitsu.com> Reviewed-by: Bob Pearson <rpearsonhpe(a)gmail.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c index 21c28317fc8f..5d289a5df261 100644 --- a/drivers/infiniband/sw/rxe/rxe_qp.c +++ b/drivers/infiniband/sw/rxe/rxe_qp.c @@ -798,7 +798,9 @@ void rxe_qp_destroy(struct rxe_qp *qp) rxe_cleanup_task(&qp->comp.task); /* flush out any receive wr's or pending requests */ - __rxe_do_task(&qp->req.task); + if (qp->req.task.func) + __rxe_do_task(&qp->req.task); + if (qp->sq.queue) { __rxe_do_task(&qp->comp.task); __rxe_do_task(&qp->req.task); -- 2.43.0

2 1

[PATCH OLK-6.6] usbnet: Prevents free active kevent
by Ziming Du 25 Dec '25

25 Dec '25

From: Lizhi Xu <lizhi.xu(a)windriver.com> stable inclusion from stable-v6.6.117 commit 9a579d6a39513069d298eee70770bbac8a148565 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11499 CVE: CVE-2025-68312 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 420c84c330d1688b8c764479e5738bbdbf0a33de ] The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev(). Fixes: a69e617e533e ("usbnet: Fix linkwatch use-after-free on disconnect") Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=8bfd7bcc98f7300afb84 Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Link: https://patch.msgid.link/20251022024007.1831898-1-lizhi.xu@windriver.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziming Du <duziming2(a)huawei.com> --- drivers/net/usb/usbnet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index c4134303d395..5f8606a55dbe 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1649,6 +1649,8 @@ void usbnet_disconnect (struct usb_interface *intf) net = dev->net; unregister_netdev (net); + cancel_work_sync(&dev->kevent); + while ((urb = usb_get_from_anchor(&dev->deferred))) { dev_kfree_skb(urb->context); kfree(urb->sg); -- 2.43.0

2 1

[openeuler:OLK-6.6 10/10] mm/share_pool.c:787: warning: Function parameter or member 'node_id' not described in 'sp_area_alloc'
by kernel test robot 25 Dec '25

25 Dec '25

Hi Wang, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 610575a82bdf3c3be06ce9559609d5bfa65472e8 commit: b39fcd51ad1b62c99ed0932ad0d2f89dfdc17aaa [10/10] mm/sharepool: Add sp_area management code config: arm64-allmodconfig (https://download.01.org/0day-ci/archive/20251225/202512251841.ZhY8a5Eu-lkp@…) compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512251841.ZhY8a5Eu-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512251841.ZhY8a5Eu-lkp@intel.com/ All warnings (new ones prefixed by >>): mm/share_pool.c:685: warning: expecting prototype for mp_sp_group_id_by_pid(). Prototype was for mg_sp_group_id_by_pid() instead >> mm/share_pool.c:787: warning: Function parameter or member 'node_id' not described in 'sp_area_alloc' mm/share_pool.c:1110: warning: duplicate section name 'Return' mm/share_pool.c:1145: warning: Function parameter or member 'spg_id' not described in 'mg_sp_unshare' vim +787 mm/share_pool.c 773 774 /** 775 * sp_area_alloc() - Allocate a region of VA from the share pool. 776 * @size: the size of VA to allocate. 777 * @flags: how to allocate the memory. 778 * @spg: the share group that the memory is allocated to. 779 * @type: the type of the region. 780 * @applier: the tgid of the task which allocates the region. 781 * 782 * Return: a valid pointer for success, NULL on failure. 783 */ 784 static struct sp_area *sp_area_alloc(unsigned long size, unsigned long flags, 785 struct sp_group *spg, enum spa_type type, 786 pid_t applier, int node_id) > 787 { 788 int device_id; 789 struct sp_area *spa, *first, *err; 790 struct rb_node *n; 791 unsigned long vstart; 792 unsigned long vend; 793 unsigned long addr; 794 unsigned long size_align = ALIGN(size, PMD_SIZE); /* va aligned to 2M */ 795 struct sp_mapping *mapping; 796 797 device_id = sp_flags_device_id(flags); 798 if (device_id < 0 || device_id >= MAX_DEVID) { 799 pr_err("invalid device id %d\n", device_id); 800 return ERR_PTR(-EINVAL); 801 } 802 803 if (flags & SP_PROT_FOCUS) { 804 if ((flags & (SP_DVPP | SP_PROT_RO)) != SP_PROT_RO) { 805 pr_err("invalid sp_flags [%lx]\n", flags); 806 return ERR_PTR(-EINVAL); 807 } 808 mapping = spg->mapping[SP_MAPPING_RO]; 809 } else if (flags & SP_DVPP) { 810 mapping = spg->mapping[SP_MAPPING_DVPP]; 811 } else { 812 mapping = spg->mapping[SP_MAPPING_NORMAL]; 813 } 814 815 if (!mapping) { 816 pr_err_ratelimited("non DVPP spg, id %d\n", spg->id); 817 return ERR_PTR(-EINVAL); 818 } 819 820 vstart = mapping->start[device_id]; 821 vend = mapping->end[device_id]; 822 spa = kmalloc(sizeof(struct sp_area), GFP_KERNEL); 823 if (unlikely(!spa)) 824 return ERR_PTR(-ENOMEM); 825 826 spin_lock(&mapping->sp_mapping_lock); 827 828 /* 829 * Invalidate cache if we have more permissive parameters. 830 * cached_hole_size notes the largest hole noticed _below_ 831 * the sp_area cached in free_area_cache: if size fits 832 * into that hole, we want to scan from vstart to reuse 833 * the hole instead of allocating above free_area_cache. 834 * Note that sp_area_free may update free_area_cache 835 * without updating cached_hole_size. 836 */ 837 if (!mapping->free_area_cache || size_align < mapping->cached_hole_size || 838 vstart != mapping->cached_vstart) { 839 mapping->cached_hole_size = 0; 840 mapping->free_area_cache = NULL; 841 } 842 843 /* record if we encounter less permissive parameters */ 844 mapping->cached_vstart = vstart; 845 846 /* find starting point for our search */ 847 if (mapping->free_area_cache) { 848 first = rb_entry(mapping->free_area_cache, struct sp_area, rb_node); 849 addr = first->va_end; 850 if (addr + size_align < addr) { 851 err = ERR_PTR(-EOVERFLOW); 852 goto error; 853 } 854 } else { 855 addr = vstart; 856 if (addr + size_align < addr) { 857 err = ERR_PTR(-EOVERFLOW); 858 goto error; 859 } 860 861 n = mapping->area_root.rb_node; 862 first = NULL; 863 864 while (n) { 865 struct sp_area *tmp; 866 867 tmp = rb_entry(n, struct sp_area, rb_node); 868 if (tmp->va_end >= addr) { 869 first = tmp; 870 if (tmp->va_start <= addr) 871 break; 872 n = n->rb_left; 873 } else 874 n = n->rb_right; 875 } 876 877 if (!first) 878 goto found; 879 } 880 881 /* from the starting point, traverse areas until a suitable hole is found */ 882 while (addr + size_align > first->va_start && addr + size_align <= vend) { 883 if (addr + mapping->cached_hole_size < first->va_start) 884 mapping->cached_hole_size = first->va_start - addr; 885 addr = first->va_end; 886 if (addr + size_align < addr) { 887 err = ERR_PTR(-EOVERFLOW); 888 goto error; 889 } 890 891 n = rb_next(&first->rb_node); 892 if (n) 893 first = rb_entry(n, struct sp_area, rb_node); 894 else 895 goto found; 896 } 897 898 found: 899 if (addr + size_align > vend) { 900 err = ERR_PTR(-EOVERFLOW); 901 goto error; 902 } 903 904 spa->va_start = addr; 905 spa->va_end = addr + size_align; 906 spa->real_size = size; 907 spa->region_vstart = vstart; 908 spa->flags = flags; 909 spa->is_hugepage = (flags & SP_HUGEPAGE); 910 spa->spg = spg; 911 spa->spm = mapping; 912 spa->type = type; 913 spa->kva = 0; /* NULL pointer */ 914 spa->applier = applier; 915 spa->preferred_node_id = node_id; 916 atomic_set(&spa->use_count, 1); 917 918 /* the link location could be saved before, to be optimized */ 919 spm_insert_area(mapping, spa); 920 mapping->free_area_cache = &spa->rb_node; 921 922 spin_unlock(&mapping->sp_mapping_lock); 923 sp_group_insert_area(spg, spa); 924 925 return spa; 926 927 error: 928 spin_unlock(&mapping->sp_mapping_lock); 929 kfree(spa); 930 return err; 931 } 932 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 10/10] mm/page_cache_limit.c:94:5: warning: no previous prototype for function 'cache_limit_mbytes_sysctl_handler'
by kernel test robot 25 Dec '25

25 Dec '25

Hi Ze, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 610575a82bdf3c3be06ce9559609d5bfa65472e8 commit: 7d1031b36ebd6c273d9aad316fd9e3e2daa01a85 [10/10] mm: support pagecache limit config: loongarch-allmodconfig (https://download.01.org/0day-ci/archive/20251225/202512251734.Tln5GDz4-lkp@…) compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512251734.Tln5GDz4-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512251734.Tln5GDz4-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from mm/page_cache_limit.c:6: In file included from include/linux/mm.h:2181: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ mm/page_cache_limit.c:61:5: warning: no previous prototype for function 'cache_reclaim_enable_handler' [-Wmissing-prototypes] 61 | int cache_reclaim_enable_handler(struct ctl_table *table, int write, | ^ mm/page_cache_limit.c:61:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 61 | int cache_reclaim_enable_handler(struct ctl_table *table, int write, | ^ | static mm/page_cache_limit.c:77:5: warning: no previous prototype for function 'cache_reclaim_sysctl_handler' [-Wmissing-prototypes] 77 | int cache_reclaim_sysctl_handler(struct ctl_table *table, int write, | ^ mm/page_cache_limit.c:77:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 77 | int cache_reclaim_sysctl_handler(struct ctl_table *table, int write, | ^ | static >> mm/page_cache_limit.c:94:5: warning: no previous prototype for function 'cache_limit_mbytes_sysctl_handler' [-Wmissing-prototypes] 94 | int cache_limit_mbytes_sysctl_handler(struct ctl_table *table, int write, | ^ mm/page_cache_limit.c:94:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 94 | int cache_limit_mbytes_sysctl_handler(struct ctl_table *table, int write, | ^ | static 8 warnings generated. vim +/cache_limit_mbytes_sysctl_handler +94 mm/page_cache_limit.c 93 > 94 int cache_limit_mbytes_sysctl_handler(struct ctl_table *table, int write, 95 void __user *buffer, size_t *length, loff_t *ppos) 96 { 97 int ret; 98 unsigned long vm_cache_limit_mbytes_max; 99 unsigned long origin_mbytes = vm_cache_limit_mbytes; 100 int nr_retries = MAX_RECLAIM_RETRIES; 101 102 vm_cache_limit_mbytes_max = totalram_pages() >> (20 - PAGE_SHIFT); 103 ret = proc_doulongvec_minmax(table, write, buffer, length, ppos); 104 if (ret || !write) 105 return ret; 106 107 if (vm_cache_limit_mbytes > vm_cache_limit_mbytes_max) { 108 vm_cache_limit_mbytes = origin_mbytes; 109 return -EINVAL; 110 } 111 112 if (write) { 113 while (should_reclaim_page_cache() && page_cache_over_limit() && 114 nr_retries--) { 115 if (signal_pending(current)) 116 return -EINTR; 117 118 shrink_memory(node_reclaim_num(), false); 119 } 120 } 121 122 return 0; 123 } 124 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:openEuler-1.0-LTS 1942/1942] drivers/scsi/huawei/hifc/hifc_hba.c:762:37: warning: default initialization of an object of type 'struct unf_low_level_function_op_s' with const member leaves the object uninitialized
by kernel test robot 25 Dec '25

25 Dec '25

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 4e9c55920995d70b3e88b60c69753df54b03fdf4 commit: 7fc993d55d1b54ae40e29dfac825a18d04d644c6 [1942/1942] scsi/hifc: add hifc driver FC service module config: x86_64-randconfig-071-20251213 (https://download.01.org/0day-ci/archive/20251225/202512251713.lhlEoibn-lkp@…) compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 1335a05ab8bc8339ce24be3a9da89d8c3f4e0571) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512251713.lhlEoibn-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512251713.lhlEoibn-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from <built-in>:2: In file included from include/linux/compiler_types.h:59: include/linux/compiler-clang.h:20:9: warning: '__SANITIZE_ADDRESS__' macro redefined [-Wmacro-redefined] 20 | #define __SANITIZE_ADDRESS__ | ^ <built-in>:353:9: note: previous definition is here 353 | #define __SANITIZE_ADDRESS__ 1 | ^ drivers/scsi/huawei/hifc/hifc_hba.c:343:6: warning: no previous prototype for function 'hifc_flush_root_ctx' [-Wmissing-prototypes] 343 | void hifc_flush_root_ctx(struct hifc_hba_s *v_hba) | ^ drivers/scsi/huawei/hifc/hifc_hba.c:343:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 343 | void hifc_flush_root_ctx(struct hifc_hba_s *v_hba) | ^ | static drivers/scsi/huawei/hifc/hifc_hba.c:406:6: warning: no previous prototype for function 'hifc_flush_srq_ctx' [-Wmissing-prototypes] 406 | void hifc_flush_srq_ctx(struct hifc_hba_s *v_hba) | ^ drivers/scsi/huawei/hifc/hifc_hba.c:406:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 406 | void hifc_flush_srq_ctx(struct hifc_hba_s *v_hba) | ^ | static >> drivers/scsi/huawei/hifc/hifc_hba.c:762:37: warning: default initialization of an object of type 'struct unf_low_level_function_op_s' with const member leaves the object uninitialized [-Wdefault-const-init-field-unsafe] 762 | struct unf_low_level_function_op_s low_level_fun; | ^ drivers/scsi/huawei/hifc/unf_common.h:1779:21: note: member 'xchg_mgr_type' declared 'const' here 1779 | const unsigned int xchg_mgr_type; | ^ drivers/scsi/huawei/hifc/hifc_hba.c:786:6: warning: no previous prototype for function 'hifc_release_probe_index' [-Wmissing-prototypes] 786 | void hifc_release_probe_index(unsigned int probe_index) | ^ drivers/scsi/huawei/hifc/hifc_hba.c:786:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 786 | void hifc_release_probe_index(unsigned int probe_index) | ^ | static drivers/scsi/huawei/hifc/hifc_hba.c:1016:14: warning: no previous prototype for function 'hifc_assign_probe_index' [-Wmissing-prototypes] 1016 | unsigned int hifc_assign_probe_index(unsigned int *v_probe_index) | ^ drivers/scsi/huawei/hifc/hifc_hba.c:1016:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1016 | unsigned int hifc_assign_probe_index(unsigned int *v_probe_index) | ^ | static drivers/scsi/huawei/hifc/hifc_hba.c:1038:5: warning: no previous prototype for function 'hifc_probe' [-Wmissing-prototypes] 1038 | int hifc_probe(struct hifc_lld_dev *lld_dev, void **uld_dev, char *uld_dev_name) | ^ drivers/scsi/huawei/hifc/hifc_hba.c:1038:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1038 | int hifc_probe(struct hifc_lld_dev *lld_dev, void **uld_dev, char *uld_dev_name) | ^ | static drivers/scsi/huawei/hifc/hifc_hba.c:1497:6: warning: no previous prototype for function 'hifc_remove' [-Wmissing-prototypes] 1497 | void hifc_remove(struct hifc_lld_dev *lld_dev, void *uld_dev) | ^ drivers/scsi/huawei/hifc/hifc_hba.c:1497:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1497 | void hifc_remove(struct hifc_lld_dev *lld_dev, void *uld_dev) | ^ | static drivers/scsi/huawei/hifc/hifc_hba.c:1570:6: warning: no previous prototype for function 'hifc_event' [-Wmissing-prototypes] 1570 | void hifc_event(struct hifc_lld_dev *lld_dev, void *uld_dev, | ^ drivers/scsi/huawei/hifc/hifc_hba.c:1570:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1570 | void hifc_event(struct hifc_lld_dev *lld_dev, void *uld_dev, | ^ | static 9 warnings generated. vim +762 drivers/scsi/huawei/hifc/hifc_hba.c 31015b9ad992c4 Chenguangli 2020-11-16 758 31015b9ad992c4 Chenguangli 2020-11-16 759 static unsigned int hifc_create_lport(struct hifc_hba_s *v_hba) 31015b9ad992c4 Chenguangli 2020-11-16 760 { 31015b9ad992c4 Chenguangli 2020-11-16 761 void *lport = NULL; 31015b9ad992c4 Chenguangli 2020-11-16 @762 struct unf_low_level_function_op_s low_level_fun; 31015b9ad992c4 Chenguangli 2020-11-16 763 31015b9ad992c4 Chenguangli 2020-11-16 764 HIFC_CHECK(INVALID_VALUE32, v_hba, return UNF_RETURN_ERROR); 31015b9ad992c4 Chenguangli 2020-11-16 765 hifc_fun_op.dev = v_hba->pci_dev; 31015b9ad992c4 Chenguangli 2020-11-16 766 memcpy(&low_level_fun, &hifc_fun_op, 31015b9ad992c4 Chenguangli 2020-11-16 767 sizeof(struct unf_low_level_function_op_s)); 31015b9ad992c4 Chenguangli 2020-11-16 768 31015b9ad992c4 Chenguangli 2020-11-16 769 /* Update port configuration table */ 31015b9ad992c4 Chenguangli 2020-11-16 770 hifc_update_lport_config(v_hba, &low_level_fun); 31015b9ad992c4 Chenguangli 2020-11-16 771 31015b9ad992c4 Chenguangli 2020-11-16 772 /* Apply for lport resources */ 31015b9ad992c4 Chenguangli 2020-11-16 773 UNF_LOWLEVEL_ALLOC_LPORT(lport, v_hba, &low_level_fun); 31015b9ad992c4 Chenguangli 2020-11-16 774 if (!lport) { 31015b9ad992c4 Chenguangli 2020-11-16 775 HIFC_TRACE(UNF_EVTLOG_DRIVER_ERR, UNF_LOG_REG_ATT, UNF_ERR, 31015b9ad992c4 Chenguangli 2020-11-16 776 "[err]Port(0x%x) can't allocate Lport", 31015b9ad992c4 Chenguangli 2020-11-16 777 v_hba->port_cfg.port_id); 31015b9ad992c4 Chenguangli 2020-11-16 778 31015b9ad992c4 Chenguangli 2020-11-16 779 return UNF_RETURN_ERROR; 31015b9ad992c4 Chenguangli 2020-11-16 780 } 31015b9ad992c4 Chenguangli 2020-11-16 781 v_hba->lport = lport; 31015b9ad992c4 Chenguangli 2020-11-16 782 31015b9ad992c4 Chenguangli 2020-11-16 783 return RETURN_OK; 31015b9ad992c4 Chenguangli 2020-11-16 784 } 31015b9ad992c4 Chenguangli 2020-11-16 785 :::::: The code at line 762 was first introduced by commit :::::: 31015b9ad992c40fc0db81055932bbabe74f2533 scsi/hifc: add hifc driver port resource module :::::: TO: Chenguangli <chenguangli2(a)huawei.com> :::::: CC: Yang Yingliang <yangyingliang(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 10/10] mm/share_pool.c:68: warning: expecting prototype for mp_sp_group_id_by_pid(). Prototype was for mg_sp_group_id_by_pid() instead
by kernel test robot 25 Dec '25

25 Dec '25

Hi Wang, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 610575a82bdf3c3be06ce9559609d5bfa65472e8 commit: fb31808921b891789a2f6cbfc7e277fd0918144a [10/10] mm/sharepool: Add base framework for share_pool config: arm64-allmodconfig (https://download.01.org/0day-ci/archive/20251225/202512251747.a9usmhG0-lkp@…) compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512251747.a9usmhG0-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512251747.a9usmhG0-lkp@intel.com/ All warnings (new ones prefixed by >>): >> mm/share_pool.c:68: warning: expecting prototype for mp_sp_group_id_by_pid(). Prototype was for mg_sp_group_id_by_pid() instead >> mm/share_pool.c:176: warning: duplicate section name 'Return' >> mm/share_pool.c:211: warning: Function parameter or member 'spg_id' not described in 'mg_sp_unshare' vim +68 mm/share_pool.c 54 55 /** 56 * mp_sp_group_id_by_pid() - Get the sp_group ID array of a process. 57 * @tgid: tgid of target process. 58 * @spg_ids: point to an array to save the group ids the process belongs to 59 * @num: input the spg_ids array size; output the spg number of the process 60 * 61 * Return: 62 * >0 - the sp_group ID. 63 * -ENODEV - target process doesn't belong to any sp_group. 64 * -EINVAL - spg_ids or num is NULL. 65 * -E2BIG - the num of groups process belongs to is larger than *num 66 */ 67 int mg_sp_group_id_by_pid(int tgid, int *spg_ids, int *num) > 68 { 69 return -EOPNOTSUPP; 70 } 71 EXPORT_SYMBOL_GPL(mg_sp_group_id_by_pid); 72 73 /** 74 * mg_sp_group_add_task() - Add a process to an share group (sp_group). 75 * @tgid: the tgid of the task to be added. 76 * @prot: the prot of task for this spg. 77 * @spg_id: the ID of the sp_group. 78 * 79 * Return: A postive group number for success, -errno on failure. 80 * 81 * Valid @spg_id: 82 * [SPG_ID_MIN, SPG_ID_MAX]: 83 * the task would be added to the group with @spg_id, if the 84 * group doesn't exist, just create it. 85 * [SPG_ID_AUTO_MIN, SPG_ID_AUTO_MAX]: 86 * the task would be added to the group with @spg_id, if it 87 * doesn't exist ,return failed. 88 * SPG_ID_AUTO: 89 * the task would be added into a new group with a new id in range 90 * [SPG_ID_AUTO_MIN, SPG_ID_AUTO_MAX]. 91 * 92 * This function can be taken into four parts: 93 * 1. Check and initlize the task specified by @tgid properly. 94 * 2. Create or get the spg specified by @spg_id. 95 * 3. Check the spg and task together and link the task into the spg if 96 * everything looks good. 97 * 4. Map the existing sp_area from the spg into the new task. 98 */ 99 int mg_sp_group_add_task(int tgid, unsigned long prot, int spg_id) 100 { 101 return -EOPNOTSUPP; 102 } 103 EXPORT_SYMBOL_GPL(mg_sp_group_add_task); 104 105 int mg_sp_id_of_current(void) 106 { 107 return -EOPNOTSUPP; 108 } 109 EXPORT_SYMBOL_GPL(mg_sp_id_of_current); 110 111 /** 112 * mg_sp_free() - Free the memory allocated by mg_sp_alloc() or 113 * mg_sp_alloc_nodemask(). 114 * 115 * @addr: the starting VA of the memory. 116 * @id: Address space identifier, which is used to distinguish the addr. 117 * 118 * Return: 119 * * 0 - success. 120 * * -EINVAL - the memory can't be found or was not allocated by share pool. 121 * * -EPERM - the caller has no permision to free the memory. 122 */ 123 int mg_sp_free(unsigned long addr, int id) 124 { 125 return -EOPNOTSUPP; 126 } 127 EXPORT_SYMBOL_GPL(mg_sp_free); 128 129 static void __init proc_sharepool_init(void) 130 { 131 if (!proc_mkdir("sharepool", NULL)) 132 return; 133 } 134 135 void *mg_sp_alloc_nodemask(unsigned long size, unsigned long sp_flags, int spg_id, 136 nodemask_t nodemask) 137 { 138 return ERR_PTR(-EOPNOTSUPP); 139 } 140 EXPORT_SYMBOL_GPL(mg_sp_alloc_nodemask); 141 142 /** 143 * mg_sp_alloc() - Allocate shared memory for all the processes in a sp_group. 144 * @size: the size of memory to allocate. 145 * @sp_flags: how to allocate the memory. 146 * @spg_id: the share group that the memory is allocated to. 147 * 148 * Use pass through allocation if spg_id == SPG_ID_DEFAULT in multi-group mode. 149 * 150 * Return: 151 * * if succeed, return the starting address of the shared memory. 152 * * if fail, return the pointer of -errno. 153 */ 154 void *mg_sp_alloc(unsigned long size, unsigned long sp_flags, int spg_id) 155 { 156 return ERR_PTR(-EOPNOTSUPP); 157 } 158 EXPORT_SYMBOL_GPL(mg_sp_alloc); 159 160 /** 161 * mg_sp_make_share_k2u() - Share kernel memory to current process or an sp_group. 162 * @kva: the VA of shared kernel memory. 163 * @size: the size of shared kernel memory. 164 * @sp_flags: how to allocate the memory. We only support SP_DVPP. 165 * @tgid: the tgid of the specified process (Not currently in use). 166 * @spg_id: the share group that the memory is shared to. 167 * 168 * Return: the shared target user address to start at 169 * 170 * Share kernel memory to current task if spg_id == SPG_ID_NONE 171 * or SPG_ID_DEFAULT in multi-group mode. 172 * 173 * Return: 174 * * if succeed, return the shared user address to start at. 175 * * if fail, return the pointer of -errno. > 176 */ 177 void *mg_sp_make_share_k2u(unsigned long kva, unsigned long size, 178 unsigned long sp_flags, int tgid, int spg_id) 179 { 180 return ERR_PTR(-EOPNOTSUPP); 181 } 182 EXPORT_SYMBOL_GPL(mg_sp_make_share_k2u); 183 184 /** 185 * mg_sp_make_share_u2k() - Share user memory of a specified process to kernel. 186 * @uva: the VA of shared user memory 187 * @size: the size of shared user memory 188 * @tgid: the tgid of the specified process(Not currently in use) 189 * 190 * Return: 191 * * if success, return the starting kernel address of the shared memory. 192 * * if failed, return the pointer of -errno. 193 */ 194 void *mg_sp_make_share_u2k(unsigned long uva, unsigned long size, int tgid) 195 { 196 return ERR_PTR(-EOPNOTSUPP); 197 } 198 EXPORT_SYMBOL_GPL(mg_sp_make_share_u2k); 199 200 /** 201 * mg_sp_unshare() - Unshare the kernel or user memory which shared by calling 202 * sp_make_share_{k2u,u2k}(). 203 * @va: the specified virtual address of memory 204 * @size: the size of unshared memory 205 * 206 * Use spg_id of current thread if spg_id == SPG_ID_DEFAULT. 207 * 208 * Return: 0 for success, -errno on failure. 209 */ 210 int mg_sp_unshare(unsigned long va, unsigned long size, int spg_id) > 211 { 212 return -EOPNOTSUPP; 213 } 214 EXPORT_SYMBOL_GPL(mg_sp_unshare); 215 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 10/10] mm/page_cache_limit.c:35:5: warning: no previous prototype for function 'cache_reclaim_enable_handler'
by kernel test robot 25 Dec '25

25 Dec '25

Hi Ze, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 610575a82bdf3c3be06ce9559609d5bfa65472e8 commit: 621647ce254f1d347ae9bc3d328c09cbb2732487 [10/10] mm: support periodical memory reclaim config: loongarch-allmodconfig (https://download.01.org/0day-ci/archive/20251225/202512251637.3XaOXOTN-lkp@…) compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20251225/202512251637.3XaOXOTN-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202512251637.3XaOXOTN-lkp@intel.com/ All warnings (new ones prefixed by >>): In file included from mm/page_cache_limit.c:6: In file included from include/linux/mm.h:2181: include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 508 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 509 | item]; | ~~~~ include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 515 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 516 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion] 522 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_" | ~~~~~~~~~~~ ^ ~~~ include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 527 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 528 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion] 536 | return vmstat_text[NR_VM_ZONE_STAT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~ ^ 537 | NR_VM_NUMA_EVENT_ITEMS + | ~~~~~~~~~~~~~~~~~~~~~~ >> mm/page_cache_limit.c:35:5: warning: no previous prototype for function 'cache_reclaim_enable_handler' [-Wmissing-prototypes] 35 | int cache_reclaim_enable_handler(struct ctl_table *table, int write, | ^ mm/page_cache_limit.c:35:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 35 | int cache_reclaim_enable_handler(struct ctl_table *table, int write, | ^ | static >> mm/page_cache_limit.c:51:5: warning: no previous prototype for function 'cache_reclaim_sysctl_handler' [-Wmissing-prototypes] 51 | int cache_reclaim_sysctl_handler(struct ctl_table *table, int write, | ^ mm/page_cache_limit.c:51:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 51 | int cache_reclaim_sysctl_handler(struct ctl_table *table, int write, | ^ | static 7 warnings generated. vim +/cache_reclaim_enable_handler +35 mm/page_cache_limit.c 34 > 35 int cache_reclaim_enable_handler(struct ctl_table *table, int write, 36 void *buffer, size_t *length, loff_t *ppos) 37 { 38 int ret; 39 40 ret = proc_dointvec_minmax(table, write, buffer, length, ppos); 41 if (ret || !write) 42 return ret; 43 44 if (should_periodical_reclaim()) 45 schedule_delayed_work(&shepherd, round_jiffies_relative( 46 (unsigned long)vm_cache_reclaim_s * HZ)); 47 48 return 0; 49 } 50 > 51 int cache_reclaim_sysctl_handler(struct ctl_table *table, int write, 52 void *buffer, size_t *length, loff_t *ppos) 53 { 54 int ret; 55 56 ret = proc_dointvec_minmax(table, write, buffer, length, ppos); 57 if (ret || !write) 58 return ret; 59 60 if (should_periodical_reclaim()) 61 mod_delayed_work(system_unbound_wq, &shepherd, 62 round_jiffies_relative( 63 (unsigned long)vm_cache_reclaim_s * HZ)); 64 65 return ret; 66 } 67 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 25 Dec '25

25 Dec '25

From: Bart Van Assche <bvanassche(a)acm.org> mainline inclusion from mainline-v6.18-rc7 commit 90449f2d1e1f020835cba5417234636937dd657e category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11214 CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------ sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 7c9c63be214d..4698b79a62ff 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2208,9 +2208,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2

2 1

[PATCH OLK-5.10] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 25 Dec '25

25 Dec '25

From: Bart Van Assche <bvanassche(a)acm.org> stable inclusion from stable-v5.10.247 commit db6ac8703ab2b473e1ec845f57f6dd961a388d9f category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11214 CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit 90449f2d1e1f020835cba5417234636937dd657e upstream. sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index fbd973b184bb..98baa9cd46bf 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2235,9 +2235,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2

2 1

[PATCH OLK-6.6] scsi: sg: Do not sleep in atomic context
by Zheng Qixing 25 Dec '25

25 Dec '25

From: Bart Van Assche <bvanassche(a)acm.org> stable inclusion from stable-v6.6.118 commit b343cee5df7e750d9033fba33e96fc4399fa88a5 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/11214 CVE: CVE-2025-40259 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------ commit 90449f2d1e1f020835cba5417234636937dd657e upstream. sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. Reported-by: syzbot+c01f8e6e73f20459912e(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-scsi/691560c4.a70a0220.3124cb.001a.GAE@google… Cc: Hannes Reinecke <hare(a)suse.de> Cc: stable(a)vger.kernel.org Fixes: 97d27b0dd015 ("scsi: sg: close race condition in sg_remove_sfp_usercontext()") Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> Link: https://patch.msgid.link/20251113181643.1108973-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sg.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index 62574886a911..9258a1a8c23c 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -2212,9 +2212,17 @@ sg_remove_sfp_usercontext(struct work_struct *work) write_lock_irqsave(&sfp->rq_list_lock, iflags); while (!list_empty(&sfp->rq_list)) { srp = list_first_entry(&sfp->rq_list, Sg_request, entry); - sg_finish_rem_req(srp); list_del(&srp->entry); + write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + sg_finish_rem_req(srp); + /* + * sg_rq_end_io() uses srp->parentfp. Hence, only clear + * srp->parentfp after blk_mq_free_request() has been called. + */ srp->parentfp = NULL; + + write_lock_irqsave(&sfp->rq_list_lock, iflags); } write_unlock_irqrestore(&sfp->rq_list_lock, iflags); -- 2.39.2

2 1