An update for kernel is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-2410 Final 1.0 1.0 2025-10-11 Initial 2025-10-11 2025-10-11 openEuler SA Tool V1.0 2025-10-11 kernel security update An update for kernel is now available for openEuler-24.03-LTS-SP1 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above.(CVE-2024-57889) In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holdling ptl, and may be concurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page(). The race is as follows. smaps_hugetlb_range migrate_pages huge_ptep_get remove_migration_ptes folio_unlock pfn_swap_entry_folio BUG_ON To fix it, hold ptl lock in smaps_hugetlb_range().(CVE-2025-39754) An update for kernel is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2410 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-57889 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-39754 https://nvd.nist.gov/vuln/detail/CVE-2024-57889 https://nvd.nist.gov/vuln/detail/CVE-2025-39754 openEuler-24.03-LTS-SP1 kernel-6.6.0-111.0.0.114.oe2403sp1.src.rpm bpftool-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm bpftool-debuginfo-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-debuginfo-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-debugsource-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-devel-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-headers-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-source-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-tools-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-tools-debuginfo-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm kernel-tools-devel-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm perf-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm perf-debuginfo-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm python3-perf-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm python3-perf-debuginfo-6.6.0-111.0.0.114.oe2403sp1.aarch64.rpm bpftool-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm bpftool-debuginfo-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-debuginfo-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-debugsource-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-devel-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-headers-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-source-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-tools-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-tools-debuginfo-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm kernel-tools-devel-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm perf-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm perf-debuginfo-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm python3-perf-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm python3-perf-debuginfo-6.6.0-111.0.0.114.oe2403sp1.x86_64.rpm In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking If a device uses MCP23xxx IO expander to receive IRQs, the following bug can happen: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, ... preempt_count: 1, expected: 0 ... Call Trace: ... __might_resched+0x104/0x10e __might_sleep+0x3e/0x62 mutex_lock+0x20/0x4c regmap_lock_mutex+0x10/0x18 regmap_update_bits_base+0x2c/0x66 mcp23s08_irq_set_type+0x1ae/0x1d6 __irq_set_trigger+0x56/0x172 __setup_irq+0x1e6/0x646 request_threaded_irq+0xb6/0x160 ... We observed the problem while experimenting with a touchscreen driver which used MCP23017 IO expander (I2C). The regmap in the pinctrl-mcp23s08 driver uses a mutex for protection from concurrent accesses, which is the default for regmaps without .fast_io, .disable_locking, etc. mcp23s08_irq_set_type() calls regmap_update_bits_base(), and the latter locks the mutex. However, __setup_irq() locks desc->lock spinlock before calling these functions. As a result, the system tries to lock the mutex whole holding the spinlock. It seems, the internal regmap locks are not needed in this driver at all. mcp->lock seems to protect the regmap from concurrent accesses already, except, probably, in mcp_pinconf_get/set. mcp23s08_irq_set_type() and mcp23s08_irq_mask/unmask() are called under chip_bus_lock(), which calls mcp23s08_irq_bus_lock(). The latter takes mcp->lock and enables regmap caching, so that the potentially slow I2C accesses are deferred until chip_bus_unlock(). The accesses to the regmap from mcp23s08_probe_one() do not need additional locking. In all remaining places where the regmap is accessed, except mcp_pinconf_get/set(), the driver already takes mcp->lock. This patch adds locking in mcp_pinconf_get/set() and disables internal locking in the regmap config. Among other things, it fixes the sleeping in atomic context described above. 2025-10-11 CVE-2024-57889 openEuler-24.03-LTS-SP1 Low 2.6 AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L kernel security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2410 In the Linux kernel, the following vulnerability has been resolved: mm/smaps: fix race between smaps_hugetlb_range and migration smaps_hugetlb_range() handles the pte without holdling ptl, and may be concurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page(). The race is as follows. smaps_hugetlb_range migrate_pages huge_ptep_get remove_migration_ptes folio_unlock pfn_swap_entry_folio BUG_ON To fix it, hold ptl lock in smaps_hugetlb_range(). 2025-10-11 CVE-2025-39754 openEuler-24.03-LTS-SP1 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-10-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2410