- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] tracing: Do not call map->ops->elt_free() if elt_alloc() fails
by Tengda Wu 25 Jun '26

25 Jun '26

From: "Masami Hiramatsu (Google)" <mhiramat(a)kernel.org> stable inclusion from stable-v6.6.142 commit f383cff9fb382139980bac1bcd3f3f5d59f68435 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9478 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 8f0f5c4fb9df0e19a341e0c6ed8dc4fda9124f03 upstream. In paths where tracing_map_elt_alloc() failed to allocate objects, the map->ops->elt_alloc() call was never successful. In this case, map->ops->elt_free() should not be called. Link: https://sashiko.dev/#/patchset/20260520223101.34710-1-rosenp%40gmail.com Cc: stable(a)vger.kernel.org Cc: Tom Zanussi <tom.zanussi(a)linux.intel.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Rosen Penev <rosenp(a)gmail.com> Reported-by: Sashiko <sashiko-bot(a)kernel.org> Fixes: 2734b629525a ("tracing: Add per-element variable support to tracing_map") Link: https://patch.msgid.link/177933895460.108746.5396070821443932634.stgit@devn… Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/trace/tracing_map.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c index 1921ade45be3..0e5b3ea49936 100644 --- a/kernel/trace/tracing_map.c +++ b/kernel/trace/tracing_map.c @@ -386,13 +386,11 @@ static void tracing_map_elt_init_fields(struct tracing_map_elt *elt) } } -static void tracing_map_elt_free(struct tracing_map_elt *elt) +static void __tracing_map_elt_free(struct tracing_map_elt *elt) { if (!elt) return; - if (elt->map->ops && elt->map->ops->elt_free) - elt->map->ops->elt_free(elt); kfree(elt->fields); kfree(elt->vars); kfree(elt->var_set); @@ -400,6 +398,17 @@ static void tracing_map_elt_free(struct tracing_map_elt *elt) kfree(elt); } +static void tracing_map_elt_free(struct tracing_map_elt *elt) +{ + if (!elt) + return; + + /* Only objects initialized with alloc_elt() should be passed to free_elt().*/ + if (elt->map->ops && elt->map->ops->elt_free) + elt->map->ops->elt_free(elt); + __tracing_map_elt_free(elt); +} + static struct tracing_map_elt *tracing_map_elt_alloc(struct tracing_map *map) { struct tracing_map_elt *elt; @@ -444,7 +453,7 @@ static struct tracing_map_elt *tracing_map_elt_alloc(struct tracing_map *map) } return elt; free: - tracing_map_elt_free(elt); + __tracing_map_elt_free(elt); return ERR_PTR(err); } -- 2.34.1

2 1

[PATCH OLK-5.10] bpf: Tighten cgroup storage cookie checks for prog arrays
by Pu Lehui 25 Jun '26

25 Jun '26

From: Daniel Borkmann <daniel(a)iogearbox.net> mainline inclusion from mainline-v7.2-rc1 commit 10627ddc0167aab5c1c390a10ef461e9937aba08 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9479 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The fix in commit abad3d0bad72 ("bpf: Fix oob access in cgroup local storage") is still incomplete. The prog-array compatibility check treats a program with no cgroup storage as compatible with any stored storage cookie. This allows a storage-less program to bridge a tail call chain between an entry program and a storage-using callee even though cgroup local storage at runtime still follows the caller's context, that is, A -> B(no storage) -> C(storage) path. Requiring exact cookie equality would break the legitimate case of a storage-less leaf program being tail called from a storage-using one. Instead, only accept a zero storage cookie if the program cannot perform tail calls itself. This keeps A -> B(no storage) working while rejecting the A -> B(no storage) -> C(storage) bridge. Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage") Reported-by: Lin Ma <malin89(a)huawei.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20260610105539.705887-1-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Conflicts: kernel/bpf/core.c [ctx conflicts] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index c2f5ff16b742..ba56d4c55bc2 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -1814,7 +1814,7 @@ bool bpf_prog_map_compatible(struct bpf_map *map, cookie = aux->cgroup_storage[i] ? aux->cgroup_storage[i]->cookie : 0; ret = map->owner->storage_cookie[i] == cookie || - !cookie; + (!cookie && !aux->tail_call_reachable); } if (ret && map->owner->attach_func_proto != aux->attach_func_proto) { -- 2.34.1

2 1

[PATCH OLK-6.6] bpf: Tighten cgroup storage cookie checks for prog arrays
by Pu Lehui 25 Jun '26

25 Jun '26

From: Daniel Borkmann <daniel(a)iogearbox.net> mainline inclusion from mainline-v7.2-rc1 commit 10627ddc0167aab5c1c390a10ef461e9937aba08 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9479 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The fix in commit abad3d0bad72 ("bpf: Fix oob access in cgroup local storage") is still incomplete. The prog-array compatibility check treats a program with no cgroup storage as compatible with any stored storage cookie. This allows a storage-less program to bridge a tail call chain between an entry program and a storage-using callee even though cgroup local storage at runtime still follows the caller's context, that is, A -> B(no storage) -> C(storage) path. Requiring exact cookie equality would break the legitimate case of a storage-less leaf program being tail called from a storage-using one. Instead, only accept a zero storage cookie if the program cannot perform tail calls itself. This keeps A -> B(no storage) working while rejecting the A -> B(no storage) -> C(storage) bridge. Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage") Reported-by: Lin Ma <malin89(a)huawei.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Acked-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20260610105539.705887-1-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index ff20567bbb78..f1dfff8dab07 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2368,7 +2368,7 @@ bool bpf_prog_map_compatible(struct bpf_map *map, cookie = aux->cgroup_storage[i] ? aux->cgroup_storage[i]->cookie : 0; ret = map->owner->storage_cookie[i] == cookie || - !cookie; + (!cookie && !aux->tail_call_reachable); } if (ret && map->owner->attach_func_proto != aux->attach_func_proto) { -- 2.34.1

2 1

[PATCH OLK-6.6] fsnotify: fix inode reference leak in fsnotify_recalc_mask()
by Zizhi Wo 25 Jun '26

25 Jun '26

From: Amir Goldstein <amir73il(a)gmail.com> stable inclusion from stable-v6.12.91 commit 8c8afa6444e6bdc145d2bf2f3aeeca6da3e36b42 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15692 Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit… -------------------------------- [ Upstream commit 4aca914ac152f5d055ddcb36704d1e539ac08977 ] fsnotify_recalc_mask() fails to handle the return value of __fsnotify_recalc_mask(), which may return an inode pointer that needs to be released via fsnotify_drop_object() when the connector's HAS_IREF flag transitions from set to cleared. This manifests as a hung task with the following call trace: INFO: task umount:1234 blocked for more than 120 seconds. Call Trace: __schedule schedule fsnotify_sb_delete generic_shutdown_super kill_anon_super cleanup_mnt task_work_run do_exit do_group_exit The race window that triggers the iref leak: Thread A (adding mark) Thread B (removing mark) ────────────────────── ──────────────────────── fsnotify_add_mark_locked(): fsnotify_add_mark_list(): spin_lock(conn->lock) add mark_B(evictable) to list spin_unlock(conn->lock) return /* ---- gap: no lock held ---- */ fsnotify_detach_mark(mark_A): spin_lock(mark_A->lock) clear ATTACHED flag on mark_A spin_unlock(mark_A->lock) fsnotify_put_mark(mark_A) fsnotify_recalc_mask(): spin_lock(conn->lock) __fsnotify_recalc_mask(): /* mark_A skipped: ATTACHED cleared */ /* only mark_B(evictable) remains */ want_iref = false has_iref = true /* not yet cleared */ -> HAS_IREF transitions true -> false -> returns inode pointer spin_unlock(conn->lock) /* BUG: return value discarded! * iput() and fsnotify_put_sb_watched_objects() * are never called */ Fix this by deferring the transition true -> false of HAS_IREF flag from fsnotify_recalc_mask() (Thread A) to fsnotify_put_mark() (thread B). Fixes: c3638b5b1374 ("fsnotify: allow adding an inode mark without pinning inode") Signed-off-by: Xin Yin <yinxin.x(a)bytedance.com> Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> Link: https://patch.msgid.link/CAOQ4uxiPsbHb0o5voUKyPFMvBsDkG914FYDcs4C5UpBMNm0Vc… Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/notify/mark.c [Commit 35ceae44742e ("fsnotify: Avoid data race between fsnotify_recalc_mask() and fsnotify_object_watched()") has not mergfed, not affect to this patch.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/notify/mark.c | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/fs/notify/mark.c b/fs/notify/mark.c index b419a5ccf192..951d7de29f82 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c @@ -151,11 +151,16 @@ static struct inode *fsnotify_update_iref(struct fsnotify_mark_connector *conn, } return inode; } -static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) +/* + * Calculate mask of events for a list of marks. + * + * Return true if any of the attached marks want to hold an inode reference. + */ +static bool __fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) { u32 new_mask = 0; bool want_iref = false; struct fsnotify_mark *mark; @@ -171,10 +176,38 @@ static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) !(mark->flags & FSNOTIFY_MARK_FLAG_NO_IREF)) want_iref = true; } *fsnotify_conn_mask_p(conn) = new_mask; + return want_iref; +} + +/* + * Calculate mask of events for a list of marks after attach/modify mark + * and get an inode reference for the connector if needed. + * + * A concurrent add of evictable mark and detach of non-evictable mark can + * lead to __fsnotify_recalc_mask() returning false want_iref, but in this + * case we defer clearing iref to fsnotify_recalc_mask_clear_iref() called + * from fsnotify_put_mark(). + */ +static void fsnotify_recalc_mask_set_iref(struct fsnotify_mark_connector *conn) +{ + bool has_iref = conn->flags & FSNOTIFY_CONN_FLAG_HAS_IREF; + bool want_iref = __fsnotify_recalc_mask(conn) || has_iref; + + (void) fsnotify_update_iref(conn, want_iref); +} + +/* + * Calculate mask of events for a list of marks after detach mark + * and return the inode object if its reference is no longer needed. + */ +static void *fsnotify_recalc_mask_clear_iref(struct fsnotify_mark_connector *conn) +{ + bool want_iref = __fsnotify_recalc_mask(conn); + return fsnotify_update_iref(conn, want_iref); } static bool fsnotify_conn_watches_children( struct fsnotify_mark_connector *conn) @@ -207,11 +240,11 @@ void fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) if (!conn) return; spin_lock(&conn->lock); update_children = !fsnotify_conn_watches_children(conn); - __fsnotify_recalc_mask(conn); + fsnotify_recalc_mask_set_iref(conn); update_children &= fsnotify_conn_watches_children(conn); spin_unlock(&conn->lock); /* * Set children's PARENT_WATCHED flags only if parent started watching. * When parent stops watching, we clear false positive PARENT_WATCHED @@ -340,11 +373,11 @@ void fsnotify_put_mark(struct fsnotify_mark *mark) hlist_del_init_rcu(&mark->obj_list); if (hlist_empty(&conn->list)) { objp = fsnotify_detach_connector_from_object(conn, &type); free_conn = true; } else { - objp = __fsnotify_recalc_mask(conn); + objp = fsnotify_recalc_mask_clear_iref(conn); type = conn->type; } WRITE_ONCE(mark->connector, NULL); spin_unlock(&conn->lock); -- 2.52.0

2 1

[PATCH OLK-6.6] net:yt6801: fix the panic of call fxgmac_shutdown after ndo_stop (fxgmac_close)
by Frank_Sae 25 Jun '26

25 Jun '26

driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9393 -------------------------------- If NetworkManager let nic down, it call ndo_stop (fxgmac_close). Then do "kexec -l /boot/vmlinuz-6.6.0-156.0.0.146.oe2403sp4.loongarch64 --initrd=/boot/initramfs-6.6.0-156.0.0.146.oe2403sp4.loongarch64.img kexec -e", it will call the fxgmac_disable_rx in fxgmac_shutdown, cause a panic: Unable to handle kernel paging request at virtual address 0000000000000398 Fixes: 6460d9d3c42d ("yt6801: Add Motorcomm yt6801 PCIe driver") Signed-off-by: Frank_Sae <Frank.Sae(a)motor-comm.com> --- drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c b/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c index 4f2f82293125..b0f56d9d4991 100644 --- a/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c +++ b/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c @@ -1429,6 +1429,10 @@ static int fxgmac_net_powerdown(struct fxgmac_pdata *priv) return 0; /* do nothing if already down */ __clear_bit(FXGMAC_POWER_STATE_UP, &priv->power_state); + + if (priv->dev_state == FXGMAC_DEV_CLOSE) + return 0; /* do nothing if already close */ + netif_tx_stop_all_queues(ndev); /* Shut off incoming Tx traffic */ /* Call carrier off first to avoid false dev_watchdog timeouts */ -- 2.30.2

2 1

[PATCH OLK-5.10 v2] xfs: remove xfs_attr_leaf_hasname
by Long Li 25 Jun '26

25 Jun '26

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.19-rc6 commit 3a65ea768b8094e4699e72f9ab420eb9e0f3f568 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14700 CVE: CVE-2026-43153 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read. Cc: stable(a)vger.kernel.org # v5.19+ Fixes: 07120f1abdff ("xfs: Add xfs_has_attr and subroutines") Reported-by: Mark Tinguely <mark.tinguely(a)oracle.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> Conflicts: fs/xfs/libxfs/xfs_attr.c [Context config] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/xfs/libxfs/xfs_attr.c | 81 ++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 52 deletions(-) diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c index 13213c8b1285..818b6bf127de 100644 --- a/fs/xfs/libxfs/xfs_attr.c +++ b/fs/xfs/libxfs/xfs_attr.c @@ -46,7 +46,6 @@ STATIC int xfs_attr_shortform_addname(xfs_da_args_t *args); STATIC int xfs_attr_leaf_get(xfs_da_args_t *args); STATIC int xfs_attr_leaf_addname(xfs_da_args_t *args); STATIC int xfs_attr_leaf_removename(xfs_da_args_t *args); -STATIC int xfs_attr_leaf_hasname(struct xfs_da_args *args, struct xfs_buf **bp); /* * Internal routines when attribute list is more than one block. @@ -349,11 +348,12 @@ xfs_attr_lookup( } if (xfs_bmap_one_block(dp, XFS_ATTR_FORK)) { - error = xfs_attr_leaf_hasname(args, &bp); - - if (bp) - xfs_trans_brelse(args->trans, bp); - + error = xfs_attr3_leaf_read(args->trans, args->dp, + 0, &bp); + if (error) + return error; + error = xfs_attr3_leaf_lookup_int(bp, args); + xfs_trans_brelse(args->trans, bp); return error; } @@ -624,9 +624,13 @@ xfs_attr_leaf_try_add( * Look up the given attribute in the leaf block. Figure out if * the given flags produce an error or call for an atomic rename. */ - retval = xfs_attr_leaf_hasname(args, &bp); - if (retval != -ENOATTR && retval != -EEXIST) + retval = xfs_attr3_leaf_read(args->trans, args->dp, 0, &bp); + if (retval) return retval; + + retval = xfs_attr3_leaf_lookup_int(bp, args); + if (retval != -ENOATTR && retval != -EEXIST) + goto out_brelse; if (retval == -ENOATTR && (args->attr_flags & XATTR_REPLACE)) goto out_brelse; if (retval == -EEXIST) { @@ -768,27 +772,6 @@ xfs_attr_leaf_addname( return error; } -/* - * Return EEXIST if attr is found, or ENOATTR if not - */ -STATIC int -xfs_attr_leaf_hasname( - struct xfs_da_args *args, - struct xfs_buf **bp) -{ - int error = 0; - - error = xfs_attr3_leaf_read(args->trans, args->dp, 0, bp); - if (error) - return error; - - error = xfs_attr3_leaf_lookup_int(*bp, args); - if (error != -ENOATTR && error != -EEXIST) - xfs_trans_brelse(args->trans, *bp); - - return error; -} - /* * Remove a name from the leaf attribute list structure * @@ -799,24 +782,21 @@ STATIC int xfs_attr_leaf_removename( struct xfs_da_args *args) { - struct xfs_inode *dp; - struct xfs_buf *bp; + struct xfs_inode *dp = args->dp; int error, forkoff; + struct xfs_buf *bp; trace_xfs_attr_leaf_removename(args); - /* - * Remove the attribute. - */ - dp = args->dp; - error = xfs_attr_leaf_hasname(args, &bp); - - if (error == -ENOATTR) { + error = xfs_attr3_leaf_read(args->trans, args->dp, 0, &bp); + if (error) + return error; + error = xfs_attr3_leaf_lookup_int(bp, args); + if (error != -EEXIST) { xfs_trans_brelse(args->trans, bp); return error; - } else if (error != -EEXIST) - return error; + } xfs_attr3_leaf_remove(bp, args); @@ -840,23 +820,20 @@ xfs_attr_leaf_removename( * Returns 0 on successful retrieval, otherwise an error. */ STATIC int -xfs_attr_leaf_get(xfs_da_args_t *args) +xfs_attr_leaf_get( + struct xfs_da_args *args) { - struct xfs_buf *bp; - int error; + struct xfs_buf *bp; + int error; trace_xfs_attr_leaf_get(args); - error = xfs_attr_leaf_hasname(args, &bp); - - if (error == -ENOATTR) { - xfs_trans_brelse(args->trans, bp); + error = xfs_attr3_leaf_read(args->trans, args->dp, 0, &bp); + if (error) return error; - } else if (error != -EEXIST) - return error; - - - error = xfs_attr3_leaf_getvalue(bp, args); + error = xfs_attr3_leaf_lookup_int(bp, args); + if (error == -EEXIST) + error = xfs_attr3_leaf_getvalue(bp, args); xfs_trans_brelse(args->trans, bp); return error; } -- 2.52.0

2 1

[PATCH openEuler-24.03-LTS-SP4] net:yt6801: fix the panic of call fxgmac_shutdown after ndo_stop (fxgmac_close)
by Frank_Sae 25 Jun '26

25 Jun '26

driver inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9393 -------------------------------- If NetworkManager let nic down, it call ndo_stop (fxgmac_close). Then do "kexec -l /boot/vmlinuz-6.6.0-156.0.0.146.oe2403sp4.loongarch64 --initrd=/boot/initramfs-6.6.0-156.0.0.146.oe2403sp4.loongarch64.img kexec -e", it will call the fxgmac_disable_rx in fxgmac_shutdown, cause a panic: Unable to handle kernel paging request at virtual address 0000000000000398 Fixes: 6460d9d3c42d ("yt6801: Add Motorcomm yt6801 PCIe driver") Signed-off-by: Frank_Sae <Frank.Sae(a)motor-comm.com> --- drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c b/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c index 4f2f82293125..b0f56d9d4991 100644 --- a/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c +++ b/drivers/net/ethernet/motorcomm/yt6801/yt6801_main.c @@ -1429,6 +1429,10 @@ static int fxgmac_net_powerdown(struct fxgmac_pdata *priv) return 0; /* do nothing if already down */ __clear_bit(FXGMAC_POWER_STATE_UP, &priv->power_state); + + if (priv->dev_state == FXGMAC_DEV_CLOSE) + return 0; /* do nothing if already close */ + netif_tx_stop_all_queues(ndev); /* Shut off incoming Tx traffic */ /* Call carrier off first to avoid false dev_watchdog timeouts */ -- 2.30.2

1 0

[PATCH OLK-6.6] mm/numa_remote: fix variable undeclared error when CONFIG_MEMORY_RELIABLE isn't enabled
by Jinjiang Tu 25 Jun '26

25 Jun '26

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/9474 ---------------------------------------- when CONFIG_MEMORY_RELIABLE isn't enabled, linux/oom.h isn't included by numa_remote.c, leading to sysctl_oom_kill_cpuless_numa_allocating_task undeclared error. Fix it by including the header explicitly. Fixes: 479dbd03bbf0 ("mm/numa_remote: enable oom_kill_cpuless_numa_allocating_task when numa_remote is enabled") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> --- drivers/base/numa_remote.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/base/numa_remote.c b/drivers/base/numa_remote.c index fed37dc20391..f924d7867394 100644 --- a/drivers/base/numa_remote.c +++ b/drivers/base/numa_remote.c @@ -11,6 +11,7 @@ #include <linux/page-isolation.h> #include <linux/memory.h> #include <linux/numa_remote.h> +#include <linux/oom.h> #include "../../mm/hugetlb_vmemmap.h" #include "../../mm/internal.h" -- 2.43.0

2 1

[PATCH OLK-5.10] xfs: remove xfs_attr_leaf_hasname
by Long Li 25 Jun '26

25 Jun '26

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.19-rc6 commit 3a65ea768b8094e4699e72f9ab420eb9e0f3f568 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14700 CVE: CVE-2026-43153 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read. Cc: stable(a)vger.kernel.org # v5.19+ Fixes: 07120f1abdff ("xfs: Add xfs_has_attr and subroutines") Reported-by: Mark Tinguely <mark.tinguely(a)oracle.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> Conflicts: fs/xfs/libxfs/xfs_attr.c [Context config] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/xfs/libxfs/xfs_attr.c | 83 +++++++++++++++------------------------- 1 file changed, 31 insertions(+), 52 deletions(-) diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c index 13213c8b1285..9045084a4361 100644 --- a/fs/xfs/libxfs/xfs_attr.c +++ b/fs/xfs/libxfs/xfs_attr.c @@ -46,7 +46,6 @@ STATIC int xfs_attr_shortform_addname(xfs_da_args_t *args); STATIC int xfs_attr_leaf_get(xfs_da_args_t *args); STATIC int xfs_attr_leaf_addname(xfs_da_args_t *args); STATIC int xfs_attr_leaf_removename(xfs_da_args_t *args); -STATIC int xfs_attr_leaf_hasname(struct xfs_da_args *args, struct xfs_buf **bp); /* * Internal routines when attribute list is more than one block. @@ -349,11 +348,12 @@ xfs_attr_lookup( } if (xfs_bmap_one_block(dp, XFS_ATTR_FORK)) { - error = xfs_attr_leaf_hasname(args, &bp); - - if (bp) - xfs_trans_brelse(args->trans, bp); - + error = xfs_attr3_leaf_read(args->trans, args->dp, + 0, &bp); + if (error) + return error; + error = xfs_attr3_leaf_lookup_int(bp, args); + xfs_trans_brelse(args->trans, bp); return error; } @@ -624,9 +624,13 @@ xfs_attr_leaf_try_add( * Look up the given attribute in the leaf block. Figure out if * the given flags produce an error or call for an atomic rename. */ - retval = xfs_attr_leaf_hasname(args, &bp); - if (retval != -ENOATTR && retval != -EEXIST) + retval = xfs_attr3_leaf_read(args->trans, args->dp, 0, &bp); + if (retval) return retval; + + retval = xfs_attr3_leaf_lookup_int(bp, args); + if (retval != -ENOATTR && retval != -EEXIST) + goto out_brelse; if (retval == -ENOATTR && (args->attr_flags & XATTR_REPLACE)) goto out_brelse; if (retval == -EEXIST) { @@ -768,27 +772,6 @@ xfs_attr_leaf_addname( return error; } -/* - * Return EEXIST if attr is found, or ENOATTR if not - */ -STATIC int -xfs_attr_leaf_hasname( - struct xfs_da_args *args, - struct xfs_buf **bp) -{ - int error = 0; - - error = xfs_attr3_leaf_read(args->trans, args->dp, 0, bp); - if (error) - return error; - - error = xfs_attr3_leaf_lookup_int(*bp, args); - if (error != -ENOATTR && error != -EEXIST) - xfs_trans_brelse(args->trans, *bp); - - return error; -} - /* * Remove a name from the leaf attribute list structure * @@ -799,24 +782,23 @@ STATIC int xfs_attr_leaf_removename( struct xfs_da_args *args) { - struct xfs_inode *dp; - struct xfs_buf *bp; + struct xfs_inode *dp = args->dp; int error, forkoff; + struct xfs_buf *bp; trace_xfs_attr_leaf_removename(args); - /* - * Remove the attribute. - */ - dp = args->dp; - error = xfs_attr_leaf_hasname(args, &bp); - - if (error == -ENOATTR) { + error = xfs_attr3_leaf_read(args->trans, args->dp, 0, &bp); + if (error) + return error; + error = xfs_attr3_leaf_lookup_int(bp, args); + if (error != -EEXIST) { xfs_trans_brelse(args->trans, bp); + if (error == -ENOATTR) + return 0; return error; - } else if (error != -EEXIST) - return error; + } xfs_attr3_leaf_remove(bp, args); @@ -840,23 +822,20 @@ xfs_attr_leaf_removename( * Returns 0 on successful retrieval, otherwise an error. */ STATIC int -xfs_attr_leaf_get(xfs_da_args_t *args) +xfs_attr_leaf_get( + struct xfs_da_args *args) { - struct xfs_buf *bp; - int error; + struct xfs_buf *bp; + int error; trace_xfs_attr_leaf_get(args); - error = xfs_attr_leaf_hasname(args, &bp); - - if (error == -ENOATTR) { - xfs_trans_brelse(args->trans, bp); + error = xfs_attr3_leaf_read(args->trans, args->dp, 0, &bp); + if (error) return error; - } else if (error != -EEXIST) - return error; - - - error = xfs_attr3_leaf_getvalue(bp, args); + error = xfs_attr3_leaf_lookup_int(bp, args); + if (error == -EEXIST) + error = xfs_attr3_leaf_getvalue(bp, args); xfs_trans_brelse(args->trans, bp); return error; } -- 2.52.0

2 1

[PATCH OLK-5.10] xfs: fix undersized l_iclog_roundoff values
by Long Li 25 Jun '26

25 Jun '26

From: "Darrick J. Wong" <djwong(a)kernel.org> mainline inclusion from mainline-v7.0-rc1 commit 52a8a1ba883defbfe3200baa22cf4cd21985d51a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14924 CVE: CVE-2026-43365 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors... XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount ...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this... meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0 ...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport. Cc: stable(a)vger.kernel.org # v5.14 Fixes: a6a65fef5ef8d0 ("xfs: log stripe roundoff is a property of the log") Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Carlos Maiolino <cem(a)kernel.org> Conflicts: fs/xfs/xfs_log.c [context conflicts] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/xfs/xfs_log.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c index f8cf48d3aaf7..e25151ec9de2 100644 --- a/fs/xfs/xfs_log.c +++ b/fs/xfs/xfs_log.c @@ -1407,6 +1407,8 @@ xlog_alloc_log( if (xfs_has_logv2(mp) && mp->m_sb.sb_logsunit > 1) log->l_iclog_roundoff = mp->m_sb.sb_logsunit; + else if (mp->m_sb.sb_logsectsize > 0) + log->l_iclog_roundoff = mp->m_sb.sb_logsectsize; else log->l_iclog_roundoff = BBSIZE; -- 2.52.0

2 1