- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
by Yi Yang 19 May '26

19 May '26

From: Joonwon Kang <joonwonkang(a)google.com> mainline inclusion from mainline-v7.0-rc1 commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14824 CVE: CVE-2026-43281 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function. Cc: stable(a)vger.kernel.org Signed-off-by: Joonwon Kang <joonwonkang(a)google.com> Signed-off-by: Jassi Brar <jassisinghbrar(a)gmail.com> Conflicts: drivers/mailbox/mailbox.c [Commit ba879dfc0574 ("mailbox: Allow controller specific mapping using fwnode") was not merged. Context conflicts.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mailbox/mailbox.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index adf36c05fa43..19eefdf99058 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -507,12 +507,10 @@ static struct mbox_chan * of_mbox_index_xlate(struct mbox_controller *mbox, const struct of_phandle_args *sp) { - int ind = sp->args[0]; - - if (ind >= mbox->num_chans) + if (sp->args_count < 1 || sp->args[0] >= mbox->num_chans) return ERR_PTR(-EINVAL); - return &mbox->chans[ind]; + return &mbox->chans[sp->args[0]]; } /** -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
by Yi Yang 19 May '26

19 May '26

From: Joonwon Kang <joonwonkang(a)google.com> mainline inclusion from mainline-v7.0-rc1 commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14824 CVE: CVE-2026-43281 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function. Cc: stable(a)vger.kernel.org Signed-off-by: Joonwon Kang <joonwonkang(a)google.com> Signed-off-by: Jassi Brar <jassisinghbrar(a)gmail.com> Conflicts: drivers/mailbox/mailbox.c [Commit ba879dfc0574 ("mailbox: Allow controller specific mapping using fwnode") was not merged. Context conflicts.] Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mailbox/mailbox.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index 055c90b8253c..275119136bde 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -432,12 +432,10 @@ static struct mbox_chan * of_mbox_index_xlate(struct mbox_controller *mbox, const struct of_phandle_args *sp) { - int ind = sp->args[0]; - - if (ind >= mbox->num_chans) + if (sp->args_count < 1 || sp->args[0] >= mbox->num_chans) return ERR_PTR(-EINVAL); - return &mbox->chans[ind]; + return &mbox->chans[sp->args[0]]; } /** -- 2.25.1

2 2

[PATCH OLK-5.10 0/2] *** Fix CVE-2026-43428 ***
by Zhang Kunbo 19 May '26

19 May '26

*** Fix CVE-2026-43428 *** Alan Stern (2): USB: usbcore: Introduce usb_bulk_msg_killable() USB: core: Limit the length of unkillable synchronous timeouts drivers/usb/core/message.c | 97 ++++++++++++++++++++++++++++++-------- include/linux/usb.h | 8 +++- 2 files changed, 84 insertions(+), 21 deletions(-) -- 2.34.1

2 3

[PATCH OLK-6.6] USB: core: Limit the length of unkillable synchronous timeouts
by Zhang Kunbo 19 May '26

19 May '26

From: Alan Stern <stern(a)rowland.harvard.edu> stable inclusion from stable-v6.6.130 commit 659c0c7d50a4b0f6aa197c4c098cfd91daf63862 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14986 CVE: CVE-2026-43428 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 1015c27a5e1a63efae2b18a9901494474b4d1dc3 upstream. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector. In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout. Signed-off-by: Alan Stern <stern(a)rowland.harvard.edu> Link: https://lore.kernel.org/linux-usb/3acfe838-6334-4f6d-be7c-4bb01704b33d@rowl… Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") CC: stable(a)vger.kernel.org Link: https://patch.msgid.link/15fc9773-a007-47b0-a703-df89a8cf83dd@rowland.harva… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/usb/core/message.c | 27 +++++++++++++-------------- include/linux/usb.h | 3 +++ 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index 858436862cbf..119d07c4c62b 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -45,6 +45,8 @@ static void usb_api_blocking_completion(struct urb *urb) * Starts urb and waits for completion or timeout. * Whether or not the wait is killable depends on the flag passed in. * For example, compare usb_bulk_msg() and usb_bulk_msg_killable(). + * + * For non-killable waits, we enforce a maximum limit on the timeout value. */ static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length, bool killable) @@ -61,7 +63,9 @@ static int usb_start_wait_urb(struct urb *urb, int timeout, int *actual_length, if (unlikely(retval)) goto out; - expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT; + if (!killable && (timeout <= 0 || timeout > USB_MAX_SYNCHRONOUS_TIMEOUT)) + timeout = USB_MAX_SYNCHRONOUS_TIMEOUT; + expire = (timeout > 0) ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT; if (killable) rc = wait_for_completion_killable_timeout(&ctx.done, expire); else @@ -127,8 +131,7 @@ static int usb_internal_control_msg(struct usb_device *usb_dev, * @index: USB message index value * @data: pointer to the data to send * @size: length in bytes of the data to send - * @timeout: time in msecs to wait for the message to complete before timing - * out (if 0 the wait is forever) + * @timeout: time in msecs to wait for the message to complete before timing out * * Context: task context, might sleep. * @@ -183,8 +186,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg); * @index: USB message index value * @driver_data: pointer to the data to send * @size: length in bytes of the data to send - * @timeout: time in msecs to wait for the message to complete before timing - * out (if 0 the wait is forever) + * @timeout: time in msecs to wait for the message to complete before timing out * @memflags: the flags for memory allocation for buffers * * Context: !in_interrupt () @@ -242,8 +244,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_send); * @index: USB message index value * @driver_data: pointer to the data to be filled in by the message * @size: length in bytes of the data to be received - * @timeout: time in msecs to wait for the message to complete before timing - * out (if 0 the wait is forever) + * @timeout: time in msecs to wait for the message to complete before timing out * @memflags: the flags for memory allocation for buffers * * Context: !in_interrupt () @@ -314,8 +315,7 @@ EXPORT_SYMBOL_GPL(usb_control_msg_recv); * @len: length in bytes of the data to send * @actual_length: pointer to a location to put the actual length transferred * in bytes - * @timeout: time in msecs to wait for the message to complete before - * timing out (if 0 the wait is forever) + * @timeout: time in msecs to wait for the message to complete before timing out * * Context: task context, might sleep. * @@ -347,8 +347,7 @@ EXPORT_SYMBOL_GPL(usb_interrupt_msg); * @len: length in bytes of the data to send * @actual_length: pointer to a location to put the actual length transferred * in bytes - * @timeout: time in msecs to wait for the message to complete before - * timing out (if 0 the wait is forever) + * @timeout: time in msecs to wait for the message to complete before timing out * * Context: task context, might sleep. * @@ -408,12 +407,12 @@ EXPORT_SYMBOL_GPL(usb_bulk_msg); * @actual_length: pointer to a location to put the actual length transferred * in bytes * @timeout: time in msecs to wait for the message to complete before - * timing out (if 0 the wait is forever) + * timing out (if <= 0, the wait is as long as possible) * * Context: task context, might sleep. * - * This function is just like usb_blk_msg() except that it waits in a - * killable state. + * This function is just like usb_blk_msg(), except that it waits in a + * killable state and there is no limit on the timeout length. * * Return: * If successful, 0. Otherwise a negative error number. The number of actual diff --git a/include/linux/usb.h b/include/linux/usb.h index a3261427d6e0..6e6e32067148 100644 --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -1843,6 +1843,9 @@ void usb_buffer_unmap_sg(const struct usb_device *dev, int is_in, * SYNCHRONOUS CALL SUPPORT * *-------------------------------------------------------------------*/ +/* Maximum value allowed for timeout in synchronous routines below */ +#define USB_MAX_SYNCHRONOUS_TIMEOUT 60000 /* ms */ + extern int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request, __u8 requesttype, __u16 value, __u16 index, void *data, __u16 size, int timeout); -- 2.34.1

2 1

[PATCH OLK-6.6 00/24] backport cpuidle patches from linux mainline
by Huisong Li 19 May '26

19 May '26

From: Hongye Lin <linhongye(a)h-partners.com> driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9134 ---------------------------------------------------------------------- backport cpuidle patches from linux mainline Andy Shevchenko (1): ACPI: processor: idle: Replace strlcat() with better alternative Breno Leitao (1): ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states Huisong Li (18): ACPI: processor: idle: Relocate state flags initialization ACPI: processor: idle: Drop redundant C-state count checks ACPI: processor: idle: Optimize ACPI idle driver registration ACPI: processor: Remove unused empty stubs of some functions ACPI: processor: idle: Rearrange declarations in header file ACPI: processor: Do not expose global variable acpi_idle_driver ACPI: processor: idle: Add debug log for states with invalid entry methods ACPI: processor: idle: Convert acpi_processor_setup_cpuidle_states() to void ACPI: processor: idle: Convert acpi_processor_setup_cpuidle_dev() to void ACPI: processor: idle: Rework the handling of acpi_processor_ffh_lpi_probe() ACPI: processor: idle: Remove redundant cstate check in acpi_processor_power_init ACPI: processor: idle: Move max_cstate update out of the loop ACPI: processor: idle: Remove redundant static variable and rename cstate check function ACPI: processor: idle: Reset power_setup_done flag on initialization failure ACPI: processor: idle: Fix NULL pointer dereference in hotplug path cpuidle: Simplify cpuidle_register_device() with guard() cpuidle: Extract and export no-lock variants of cpuidle_unregister_device() ACPI: processor: idle: Reset cpuidle on C-state list changes Jingkai Tan (1): ACPI: processor: idle: Add missing bounds check in flatten_lpi_states() Rafael J. Wysocki (3): ACPI: processor: idle: Eliminate static ACPI: processor: idle: Redefine two functions as void ACPI: processor: Update cpuidle driver check in __acpi_processor_start() arch/arm64/kernel/cpuidle.c | 10 +- drivers/acpi/processor_driver.c | 12 +- drivers/acpi/processor_idle.c | 297 +++++++++++++++++--------------- drivers/cpuidle/cpuidle.c | 34 ++-- include/acpi/processor.h | 35 +--- include/linux/cpuidle.h | 2 + 6 files changed, 200 insertions(+), 190 deletions(-) -- 2.33.0

2 25

[PATCH OLK-6.6] e1000/e1000e: Fix leak in DMA error cleanup
by Pan Taixi 19 May '26

19 May '26

From: Matt Vollrath <tactii(a)gmail.com> stable inclusion from stable-v6.6.130 commit 0a1fc25deabab4efce64610e3c449485c4fa8f5f category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15003 CVE: CVE-2026-43445 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful mapping, exactly one DMA mapping would leak. In these commits, a faulty while condition caused an infinite loop in dma_error: Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e driver") Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") fixed the infinite loop, but introduced the off-by-one error. This issue may still exist in the igbvf driver, but I did not address it in this patch. Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") Assisted-by: Claude:claude-4.6-opus Signed-off-by: Matt Vollrath <tactii(a)gmail.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yuan Can <yuancan(a)huawei.com> Signed-off-by: Pan Taixi <pantaixi1(a)huawei.com> --- drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- 2 files changed, 4 deletions(-) diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c index d015a0a85f07..8dcb5d7c5a4b 100644 --- a/drivers/net/ethernet/intel/e1000/e1000_main.c +++ b/drivers/net/ethernet/intel/e1000/e1000_main.c @@ -2951,8 +2951,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, dma_error: dev_err(&pdev->dev, "TX DMA map failed\n"); buffer_info->dma = 0; - if (count) - count--; while (count--) { if (i == 0) diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c index 7e4fea0e186b..9e9138ccac42 100644 --- a/drivers/net/ethernet/intel/e1000e/netdev.c +++ b/drivers/net/ethernet/intel/e1000e/netdev.c @@ -5633,8 +5633,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, dma_error: dev_err(&pdev->dev, "Tx DMA map failed\n"); buffer_info->dma = 0; - if (count) - count--; while (count--) { if (i == 0) -- 2.34.1

2 1

[PATCH OLK-6.6 V3] io_uring: validate user-controlled cq.head in io_cqe_cache_refill()
by Zizhi Wo 18 May '26

18 May '26

mainline inclusion from mainline-v7.1-rc4 commit f44d38a31f1802b7222adaea9ee69f9d280f698a category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9154 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A fuzzing run reproduced an unkillable io_uring task stuck at ~100% CPU: [root@fedora io_uring_stress]# ps -ef | grep io_uring root 1240 1 99 13:36 ? 00:01:35 [io_uring_stress] <defunct> The task loops inside io_cqring_wait() and never returns to userspace, and SIGKILL has no effect. This is caused by the CQ ring exposing rings->cq.head to userspace as writable, while the authoritative tail lives in kernel-private ctx->cached_cq_tail. io_cqe_cache_refill() computes free space as an unsigned subtraction: free = ctx->cq_entries - min(tail - head, ctx->cq_entries); If userspace keeps head within [0, tail], the subtraction is well defined and min() just acts as a defensive clamp. But if userspace advances head past tail, (tail - head) wraps to a huge value, free becomes 0, and io_cqe_cache_refill() fails. The CQE is pushed onto the overflow list and IO_CHECK_CQ_OVERFLOW_BIT is set. The wait loop in io_cqring_wait() relies on an invariant: refill() only fails when the CQ is *physically* full, in which case rings->cq.tail has been advanced to iowq->cq_tail and io_should_wake() returns true. The tampered head breaks this: refill() fails while the ring is not full, no OCQE is copied in, rings->cq.tail never catches up, io_should_wake() stays false, and io_cqring_wait_schedule() keeps returning early because IO_CHECK_CQ_OVERFLOW_BIT is still set. The result is a tight retry loop that never returns to userspace. Introduce io_cqring_queued() as the single point that converts the (tail, head) pair into a trustworthy queued count. Since the real head/tail distance is bounded by cq_entries (far below 2^31), a signed comparison reliably detects userspace moving head past tail; in that case treat the queue as empty so callers see the full cache as free and forward progress is preserved. Suggested-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> Link: https://patch.msgid.link/20260514021847.4062782-1-wozizhi@huaweicloud.com [axboe: fixup commit message, kill 'queued' var, and keep it all in io_uring.c] Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c [Not has io_fill_nop_cqe(), not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- io_uring/io_uring.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 20a657c8d625..b5565b76414f 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -835,32 +835,44 @@ void io_req_cqe_overflow(struct io_kiocb *req) req->cqe.res, req->cqe.flags, req->big_cqe.extra1, req->big_cqe.extra2); memset(&req->big_cqe, 0, sizeof(req->big_cqe)); } +/* + * Compute queued CQEs for free-space calculation, clamped to cq_entries. + */ +static unsigned int io_cqring_queued(struct io_ring_ctx *ctx) +{ + struct io_rings *rings = ctx->rings; + int diff; + + diff = (int)(ctx->cached_cq_tail - READ_ONCE(rings->cq.head)); + if (diff >= 0) + return min((unsigned int)diff, ctx->cq_entries); + return 0; +} + /* * writes to the cq entry need to come after reading head; the * control dependency is enough as we're using WRITE_ONCE to * fill the cq entry */ bool io_cqe_cache_refill(struct io_ring_ctx *ctx, bool overflow) { struct io_rings *rings = ctx->rings; unsigned int off = ctx->cached_cq_tail & (ctx->cq_entries - 1); - unsigned int free, queued, len; + unsigned int free, len; /* * Posting into the CQ when there are pending overflowed CQEs may break * ordering guarantees, which will affect links, F_MORE users and more. * Force overflow the completion. */ if (!overflow && (ctx->check_cq & BIT(IO_CHECK_CQ_OVERFLOW_BIT))) return false; - /* userspace may cheat modifying the tail, be safe and do min */ - queued = min(__io_cqring_events(ctx), ctx->cq_entries); - free = ctx->cq_entries - queued; + free = ctx->cq_entries - io_cqring_queued(ctx); /* we need a contiguous range, limit based on the current array offset */ len = min(free, ctx->cq_entries - off); if (!len) return false; -- 2.52.0

2 1

[PATCH OLK-6.6 V2] io_uring: validate user-controlled cq.head in io_cqe_cache_refill()
by Zizhi Wo 18 May '26

18 May '26

mainline inclusion from mainline-v7.1-rc4 commit f44d38a31f1802b7222adaea9ee69f9d280f698a category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9154 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A fuzzing run reproduced an unkillable io_uring task stuck at ~100% CPU: [root@fedora io_uring_stress]# ps -ef | grep io_uring root 1240 1 99 13:36 ? 00:01:35 [io_uring_stress] <defunct> The task loops inside io_cqring_wait() and never returns to userspace, and SIGKILL has no effect. This is caused by the CQ ring exposing rings->cq.head to userspace as writable, while the authoritative tail lives in kernel-private ctx->cached_cq_tail. io_cqe_cache_refill() computes free space as an unsigned subtraction: free = ctx->cq_entries - min(tail - head, ctx->cq_entries); If userspace keeps head within [0, tail], the subtraction is well defined and min() just acts as a defensive clamp. But if userspace advances head past tail, (tail - head) wraps to a huge value, free becomes 0, and io_cqe_cache_refill() fails. The CQE is pushed onto the overflow list and IO_CHECK_CQ_OVERFLOW_BIT is set. The wait loop in io_cqring_wait() relies on an invariant: refill() only fails when the CQ is *physically* full, in which case rings->cq.tail has been advanced to iowq->cq_tail and io_should_wake() returns true. The tampered head breaks this: refill() fails while the ring is not full, no OCQE is copied in, rings->cq.tail never catches up, io_should_wake() stays false, and io_cqring_wait_schedule() keeps returning early because IO_CHECK_CQ_OVERFLOW_BIT is still set. The result is a tight retry loop that never returns to userspace. Introduce io_cqring_queued() as the single point that converts the (tail, head) pair into a trustworthy queued count. Since the real head/tail distance is bounded by cq_entries (far below 2^31), a signed comparison reliably detects userspace moving head past tail; in that case treat the queue as empty so callers see the full cache as free and forward progress is preserved. Suggested-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> Link: https://patch.msgid.link/20260514021847.4062782-1-wozizhi@huaweicloud.com [axboe: fixup commit message, kill 'queued' var, and keep it all in io_uring.c] Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c [Not has io_fill_nop_cqe(), not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- io_uring/io_uring.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 20a657c8d625..898749d522a9 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -835,32 +835,44 @@ void io_req_cqe_overflow(struct io_kiocb *req) req->cqe.res, req->cqe.flags, req->big_cqe.extra1, req->big_cqe.extra2); memset(&req->big_cqe, 0, sizeof(req->big_cqe)); } +/* + Compute queued CQEs for free-space calculation, clamped to cq_entries. + */ +static unsigned int io_cqring_queued(struct io_ring_ctx *ctx) +{ + struct io_rings *rings = ctx->rings; + int diff; + + diff = (int)(ctx->cached_cq_tail - READ_ONCE(rings->cq.head)); + if (diff >= 0) + return min((unsigned int)diff, ctx->cq_entries); + return 0; +} + /* * writes to the cq entry need to come after reading head; the * control dependency is enough as we're using WRITE_ONCE to * fill the cq entry */ bool io_cqe_cache_refill(struct io_ring_ctx *ctx, bool overflow) { struct io_rings *rings = ctx->rings; unsigned int off = ctx->cached_cq_tail & (ctx->cq_entries - 1); - unsigned int free, queued, len; + unsigned int free, len; /* * Posting into the CQ when there are pending overflowed CQEs may break * ordering guarantees, which will affect links, F_MORE users and more. * Force overflow the completion. */ if (!overflow && (ctx->check_cq & BIT(IO_CHECK_CQ_OVERFLOW_BIT))) return false; - /* userspace may cheat modifying the tail, be safe and do min */ - queued = min(__io_cqring_events(ctx), ctx->cq_entries); - free = ctx->cq_entries - queued; + free = ctx->cq_entries - io_cqring_queued(ctx); /* we need a contiguous range, limit based on the current array offset */ len = min(free, ctx->cq_entries - off); if (!len) return false; -- 2.52.0

2 2

[PATCH OLK-6.6] io_uring: validate user-controlled cq.head in io_cqe_cache_refill()
by Zizhi Wo 18 May '26

18 May '26

mainline inclusion from mainline-v7.1-rc4 commit f44d38a31f1802b7222adaea9ee69f9d280f698a category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9154 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A fuzzing run reproduced an unkillable io_uring task stuck at ~100% CPU: [root@fedora io_uring_stress]# ps -ef | grep io_uring root 1240 1 99 13:36 ? 00:01:35 [io_uring_stress] <defunct> The task loops inside io_cqring_wait() and never returns to userspace, and SIGKILL has no effect. This is caused by the CQ ring exposing rings->cq.head to userspace as writable, while the authoritative tail lives in kernel-private ctx->cached_cq_tail. io_cqe_cache_refill() computes free space as an unsigned subtraction: free = ctx->cq_entries - min(tail - head, ctx->cq_entries); If userspace keeps head within [0, tail], the subtraction is well defined and min() just acts as a defensive clamp. But if userspace advances head past tail, (tail - head) wraps to a huge value, free becomes 0, and io_cqe_cache_refill() fails. The CQE is pushed onto the overflow list and IO_CHECK_CQ_OVERFLOW_BIT is set. The wait loop in io_cqring_wait() relies on an invariant: refill() only fails when the CQ is *physically* full, in which case rings->cq.tail has been advanced to iowq->cq_tail and io_should_wake() returns true. The tampered head breaks this: refill() fails while the ring is not full, no OCQE is copied in, rings->cq.tail never catches up, io_should_wake() stays false, and io_cqring_wait_schedule() keeps returning early because IO_CHECK_CQ_OVERFLOW_BIT is still set. The result is a tight retry loop that never returns to userspace. Introduce io_cqring_queued() as the single point that converts the (tail, head) pair into a trustworthy queued count. Since the real head/tail distance is bounded by cq_entries (far below 2^31), a signed comparison reliably detects userspace moving head past tail; in that case treat the queue as empty so callers see the full cache as free and forward progress is preserved. Suggested-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> Link: https://patch.msgid.link/20260514021847.4062782-1-wozizhi@huaweicloud.com [axboe: fixup commit message, kill 'queued' var, and keep it all in io_uring.c] Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Conflicts: io_uring/io_uring.c [Not has io_fill_nop_cqe(), not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- io_uring/io_uring.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 20a657c8d625..4b7927f92389 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -835,32 +835,44 @@ void io_req_cqe_overflow(struct io_kiocb *req) req->cqe.res, req->cqe.flags, req->big_cqe.extra1, req->big_cqe.extra2); memset(&req->big_cqe, 0, sizeof(req->big_cqe)); } +/* + Compute queued CQEs for free-space calculation, clamped to cq_entries. + */ +static unsigned int io_cqring_queued(struct io_ring_ctx *ctx) +{ + struct io_rings *rings = io_get_rings(ctx); + int diff; + + diff = (int)(ctx->cached_cq_tail - READ_ONCE(rings->cq.head)); + if (diff >= 0) + return min((unsigned int)diff, ctx->cq_entries); + return 0; +} + /* * writes to the cq entry need to come after reading head; the * control dependency is enough as we're using WRITE_ONCE to * fill the cq entry */ bool io_cqe_cache_refill(struct io_ring_ctx *ctx, bool overflow) { struct io_rings *rings = ctx->rings; unsigned int off = ctx->cached_cq_tail & (ctx->cq_entries - 1); - unsigned int free, queued, len; + unsigned int free, len; /* * Posting into the CQ when there are pending overflowed CQEs may break * ordering guarantees, which will affect links, F_MORE users and more. * Force overflow the completion. */ if (!overflow && (ctx->check_cq & BIT(IO_CHECK_CQ_OVERFLOW_BIT))) return false; - /* userspace may cheat modifying the tail, be safe and do min */ - queued = min(__io_cqring_events(ctx), ctx->cq_entries); - free = ctx->cq_entries - queued; + free = ctx->cq_entries - io_cqring_queued(ctx); /* we need a contiguous range, limit based on the current array offset */ len = min(free, ctx->cq_entries - off); if (!len) return false; -- 2.52.0

2 1

[PATCH OLK-6.6 00/36] perf arm-spe: Extend branch operations
by Yushan Wang 18 May '26

18 May '26

From: Ying Jiang<jiangying44(a)h-partners.com> In Arm ARM (ARM DDI 0487, L.a), the section "D18.2.7 Operation Type packet", the branch subclass is extended for Call Return (CR), Guarded control stack data access (GCS). This commit adds support CR and GCS operations. The IND (indirect) operation is defined only in bit [1], its macro is updated accordingly. Move the COND (Conditional) macro into the same group with other operations for better maintenance. Anshuman Khandual (9): arm64: Handle BRBE booting requirements arm64/sysreg: Update register fields for ID_AA64MMFR0_EL1 arm64/sysreg: Add register fields for HDFGRTR2_EL2 arm64/sysreg: Add register fields for HDFGWTR2_EL2 arm64/sysreg: Add register fields for HFGITR2_EL2 arm64/sysreg: Add register fields for HFGRTR2_EL2 arm64/sysreg: Add register fields for HFGWTR2_EL2 arm64/sysreg: Update ID_DFR0_EL1 register fields arm64/boot: Enable EL2 requirements for FEAT_PMUv3p9 Dave Martin (1): arm64: el2_setup.h: Rename some labels to be more diff-friendly James Clark (12): perf: arm_spe: Add format option for discard mode arm64: sysreg: Add new PMSFCR_EL1 fields and PMSDSFR_EL1 register perf: arm_spe: Support FEAT_SPEv1p4 filters perf: arm_spe: Add support for FEAT_SPE_EFT extended filtering arm64/boot: Factor out a macro to check SPE version arm64/boot: Enable EL2 requirements for SPE_FEAT_FDS KVM: arm64: Add trap configs for PMSDSFR_EL1 perf: Add perf_event_attr::config4 perf: arm_spe: Add support for filtering on data source tools headers UAPI: Sync linux/perf_event.h with the kernel sources perf tools: Add support for perf_event_attr::config4 perf docs: arm-spe: Document new SPE filtering features Leo Yan (1): perf: arm_spe: Expose event filter Marc Zyngier (5): KVM: arm64: Shave a few bytes from the EL2 idmap code arm64/sysreg: Allow a 'Mapping' descriptor for system registers arm64: sysreg: Add registers trapped by HDFG{R,W}TR2_EL2 KVM: arm64: nv: Add include containing the VNCR_EL2 offsets arm64: sysreg: Update PMSIDR_EL1 description Rob Herring (Arm) (4): arm64: el2_setup.h: Make __init_el2_fgt labels consistent, again perf/arm_pmuv3: Add PMUv3.9 per counter EL0 access control perf: arm_pmu: Use of_property_present() perf: arm_pmu: Remove event index to counter remapping Yushan Wang (4): Revert "arm64/boot: Enable EL2 requirements for BRBE" perf: Fix hw_metric event idx config perf: Keep event consistency of hw_metric events arm_pmuv3: hw_metric: Remove unnecessary check of event type Documentation/arch/arm64/booting.rst | 75 +++- arch/arm64/include/asm/el2_setup.h | 130 +++--- arch/arm64/include/asm/kvm_asm.h | 1 + arch/arm64/include/asm/sysreg.h | 19 +- arch/arm64/include/asm/vncr_mapping.h | 105 +++++ arch/arm64/kernel/asm-offsets.c | 1 + arch/arm64/kvm/emulate-nested.c | 1 + arch/arm64/kvm/hyp/nvhe/hyp-init.S | 52 ++- arch/arm64/kvm/pmu-emul.c | 6 +- arch/arm64/kvm/sys_regs.c | 1 + arch/arm64/tools/gen-sysreg.awk | 2 +- arch/arm64/tools/sysreg | 502 +++++++++++++++++++++- drivers/perf/apple_m1_cpu_pmu.c | 4 +- drivers/perf/arm_pmu.c | 11 +- drivers/perf/arm_pmu_platform.c | 2 +- drivers/perf/arm_pmuv3.c | 68 +-- drivers/perf/arm_spe_pmu.c | 170 +++++++- include/linux/perf/arm_pmu.h | 2 +- include/linux/perf/arm_pmuv3.h | 1 + include/uapi/linux/perf_event.h | 4 + tools/include/uapi/linux/perf_event.h | 2 + tools/perf/Documentation/perf-arm-spe.txt | 103 ++++- tools/perf/tests/parse-events.c | 14 +- tools/perf/util/parse-events.c | 11 + tools/perf/util/parse-events.h | 1 + tools/perf/util/parse-events.l | 1 + tools/perf/util/pmu.c | 3 + tools/perf/util/pmu.h | 1 + 28 files changed, 1098 insertions(+), 195 deletions(-) create mode 100644 arch/arm64/include/asm/vncr_mapping.h -- 2.33.0

2 37