- 10 8月, 2023 4 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Hui Tang <tanghui20@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/25WFMRKCSRO72P3FCQ5FNDCGWK6GYMAZ/ https://gitee.com/openeuler/kernel/issues/I526XC Link:https://gitee.com/openeuler/kernel/pulls/1630 Reviewed-by: Zucheng Zheng <zhengzucheng@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Zhengchao Shao <shaozhengchao@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/B3ZSS336JXNQSPFJCYBONSQZLLYXKGQ2/ https://gitee.com/src-openeuler/kernel/issues/I7NYWN Link:https://gitee.com/openeuler/kernel/pulls/1711 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Guo Mengqi <guomengqi3@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/AYXIAD7WTNXTTOHZT4J7NYVFK2CC3GKH/ Andy Shevchenko (1): lib/cmdline: fix get_option() for strings starting with hyphen Huang Shijie (1): lib/genalloc.c: change return type to unsigned long for bitmap_set_ll Saravana Kannan (1): driver core: Update device link status properly for device_bind_driver() Sumera Priyadarsini (1): bus: arm-integrator-lm: Add of_node_put() before return statement -- 2.17.1 https://gitee.com/openeuler/kernel/issues/I7R8MK Link:https://gitee.com/openeuler/kernel/pulls/1707 Reviewed-by: Weilong Chen <chenweilong@huawei.com> Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @zhangwei123171 /sys/fs/cgroup/cpu/cpu.qos_level is not needed, and easy to cause misunderstanding. Link:https://gitee.com/openeuler/kernel/pulls/1660 Reviewed-by: zhao xiaoqiang <zhaoxiaoqiang11@jd.com> Reviewed-by: Zucheng Zheng <zhengzucheng@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
-
- 09 8月, 2023 6 次提交
-
-
由 Lin Ma 提交于
mainline inclusion from mainline-v6.5-rc3 commit 00374d9b6d9f932802b55181be9831aa948e5b7c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NYWN CVE: CVE-2023-3772 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00374d9b6d9f932802b55181be9831aa948e5b7c -------------------------------- Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774d #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 RIP: 0010:memcpy_orig+0xad/0x140 Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c RSP: 0018:ffff888008f57658 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x1e8/0x500 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? __pfx_page_fault_oops+0x10/0x10 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? fixup_exception+0x36/0x460 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? exc_page_fault+0x5e/0xc0 ? asm_exc_page_fault+0x26/0x30 ? xfrm_update_ae_params+0xd1/0x260 ? memcpy_orig+0xad/0x140 ? __pfx__raw_spin_lock_bh+0x10/0x10 xfrm_update_ae_params+0xe7/0x260 xfrm_new_ae+0x298/0x4e0 ? __pfx_xfrm_new_ae+0x10/0x10 ? __pfx_xfrm_new_ae+0x10/0x10 xfrm_user_rcv_msg+0x25a/0x410 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __alloc_skb+0xcf/0x210 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1c/0x70 ? __stack_depot_save+0x39/0x4e0 ? __kasan_slab_free+0x10a/0x190 ? kmem_cache_free+0x9c/0x340 ? netlink_recvmsg+0x23c/0x660 ? sock_recvmsg+0xeb/0xf0 ? __sys_recvfrom+0x13c/0x1f0 ? __x64_sys_recvfrom+0x71/0x90 ? do_syscall_64+0x3f/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc ? copyout+0x3e/0x50 netlink_rcv_skb+0xd6/0x210 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_sock_has_perm+0x10/0x10 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 xfrm_netlink_rcv+0x44/0x50 netlink_unicast+0x36f/0x4c0 ? __pfx_netlink_unicast+0x10/0x10 ? netlink_recvmsg+0x500/0x660 netlink_sendmsg+0x3b7/0x700 This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit adds additional NULL check in xfrm_update_ae_params to fix the NPD. Fixes: d8647b79 ("xfrm: Add user interface for esn and big anti-replay windows") Signed-off-by: NLin Ma <linma@zju.edu.cn> Reviewed-by: NLeon Romanovsky <leonro@nvidia.com> Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Conflicts: net/xfrm/xfrm_user.c Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @Hongchen_Zhang LoongArch: fix the following configs not defined: CONFIG_ZONE_DMA32 CONFIG_TRACE_IRQFLAGS_SUPPORT CONFIG_HAVE_SETUP_PER_CPU_AREA CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK Link:https://gitee.com/openeuler/kernel/pulls/1618 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Saravana Kannan 提交于
mainline inclusion from mainline-v5.13-rc1 commit b6f617df category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8MK CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b6f617df4fa936c1ab1831c2b23563f6c1add6c4 -------------------------------- Device link status was not getting updated correctly when device_bind_driver() is called on a device. This causes a warning[1]. Fix this by updating device links that can be updated and dropping device links that can't be updated to a sensible state. [1] - https://lore.kernel.org/lkml/56f7d032-ba5a-a8c7-23de-2969d98c527e@nvidia.com/Tested-by: NJon Hunter <jonathanh@nvidia.com> Signed-off-by: NSaravana Kannan <saravanak@google.com> Link: https://lore.kernel.org/r/20210302211133.2244281-3-saravanak@google.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com>
-
由 Huang Shijie 提交于
mainline inclusion from mainline-v5.12-rc1 commit 0e24465d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8MK CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0e24465d3313832e82f8bd9ee2439da1367dd2e5 -------------------------------- Just as bitmap_clear_ll(), change return type to unsigned long for bitmap_set_ll to avoid the possible overflow in future. Link: https://lkml.kernel.org/r/20210105031644.2771-1-sjhuang@iluvatar.aiSigned-off-by: NHuang Shijie <sjhuang@iluvatar.ai> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com>
-
由 Sumera Priyadarsini 提交于
mainline inclusion from mainline-v5.11-rc6 commit 1740e673 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8MK CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1740e6736922cc1a5d061cc4240d08eacfbbaa71 -------------------------------- Every iteration of for_each_available_child_of_node() decrements the reference count of the previous node, however when control is transferred from the middle of the loop, as in the case of a return or break or goto, there is no decrement thus ultimately resulting in a memory leak. Fix a potential memory leak in arm-integrator-lm.c by inserting of_node_put() before a return statement. Issue found with Coccinelle. Signed-off-by: NSumera Priyadarsini <sylphrenadin@gmail.com> Signed-off-by: NLinus Walleij <linus.walleij@linaro.org> Link: https://lore.kernel.org/r/20200829174154.GA9319@Kaladin Link: https://lore.kernel.org/r/20210112092549.251548-1-linus.walleij@linaro.org' Signed-off-by: NArnd Bergmann <arnd@arndb.de> Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com>
-
由 Andy Shevchenko 提交于
mainline inclusion from mainline-v5.11-rc1 commit e291851d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8MK CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e291851d65495739e4eede33b6bc387bb546a19b -------------------------------- When string doesn't have an integer and starts from hyphen get_option() may return interesting results. Fix it to return 0. The simple_strtoull() is used due to absence of simple_strtoul() in a boot code on some architectures. Note, the Fixes tag below is rather for anthropological curiosity. Link: https://lkml.kernel.org/r/20201112180732.75589-4-andriy.shevchenko@linux.intel.com Fixes: f68565831e72 ("Import 2.4.0-test2pre3") Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com> Cc: Brendan Higgins <brendanhiggins@google.com> Cc: David Gow <davidgow@google.com> Cc: Mark Brown <broonie@kernel.org> Cc: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com> Cc: Shuah Khan <skhan@linuxfoundation.org> Cc: Vitor Massaru Iha <vitor@massaru.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com>
-
- 08 8月, 2023 3 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Lu Wei <luwei32@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/XHWCN4LVCI4W4ZNP4NXSYHBEYGDNGBUG/ https://gitee.com/src-openeuler/kernel/issues/I7P3TK Link:https://gitee.com/openeuler/kernel/pulls/1682 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Weili Qian <qianweili@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/KHHPZOD3JVABJQY57SZLORLNLITIPA3M/ https://gitee.com/openeuler/kernel/issues/I7R6TQ Link:https://gitee.com/openeuler/kernel/pulls/1690 Reviewed-by: Yang Shen <shenyang39@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Kai Ye 提交于
driver inclusion category: cleanup bugzilla: https://gitee.com/openeuler/kernel/issues/I7R6TQ CVE: NA ---------------------------------------------------------------------- Deleted the kernel pointer address printing by the security check. Signed-off-by: NKai Ye <yekai13@huawei.com> Signed-off-by: NJiangShui Yang <yangjiangshui@h-partners.com>
-
- 07 8月, 2023 12 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Yi Yang <yiyang13@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F3MDGNSS4NARSSKD53VIBRG3ZXPCVNL4/ https://gitee.com/openeuler/kernel/issues/I7LEZX Link:https://gitee.com/openeuler/kernel/pulls/1672 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1070 Fix some reset problem for accelerator drivers. Weili Qian (5): crypto: hisilicon/qm - flush all work before driver removed. crypto: hisilicon/hpre - enable sva error interrupt event crypto: hisilicon/qm - remove duplicate assignment and release crypto: hisilicon/qm - disable same error report before resetting crypto: hisilicon/qm - disable error report before flr Link:https://gitee.com/openeuler/kernel/pulls/1268 Reviewed-by: Yang Shen <shenyang39@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Florian Westphal 提交于
stable inclusion from stable-v5.10.188 commit 3a91099ecd59a42d1632fcb152bf7222f268ea2b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7P3TK CVE: CVE-2023-4004 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3a91099ecd59a42d1632fcb152bf7222f268ea2b --------------------------- [ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] end key should be equal to start unless NFT_SET_EXT_KEY_END is present. Its possible to add elements that only have a start key ("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. Insertion treats this via: if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) end = (const u8 *)nft_set_ext_key_end(ext)->data; else end = start; but removal side always uses nft_set_ext_key_end(). This is wrong and leads to garbage remaining in the set after removal next lookup/insert attempt will give: BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 Call Trace: kasan_report+0x105/0x140 pipapo_get+0x8eb/0xb90 nft_pipapo_insert+0x1dc/0x1710 nf_tables_newsetelem+0x31f5/0x4e00 .. Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges") Reported-by: Nlonial con <kongln9170@gmail.com> Reviewed-by: NStefano Brivio <sbrivio@redhat.com> Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLu Wei <luwei32@huawei.com>
-
由 Yi Yang 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7LEZX -------------------------------- There is memleak in alloc_pid: ------------------------------ unreferenced object 0xffff88810c181940 (size 224): comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ backtrace: [<ffffffff814774e6>] kmem_cache_alloc+0x5c6/0x9b0 [<ffffffff81177342>] alloc_pid+0x72/0x570 [<ffffffff81140ac4>] copy_process+0x1374/0x2470 [<ffffffff81141d77>] kernel_clone+0xb7/0x900 [<ffffffff81142645>] __se_sys_clone+0x85/0xb0 [<ffffffff8114269b>] __x64_sys_clone+0x2b/0x30 [<ffffffff83965a72>] do_syscall_64+0x32/0x80 [<ffffffff83a00085>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 The pid memleak is triggered by the following race: task[sshd] task[bash] ----------------------- ----------------------- do_exit(); disassociate_ctty(); spin_lock_irq(¤t->sighand->siglock); put_pid(current->signal->tty_old_pgrp); current->signal->tty_old_pgrp = NULL; tty = tty_kref_get(current->signal->tty); //tty is not NULL spin_unlock_irq(¤t->sighand->siglock); tty_vhangup(); tty_lock(tty); ... tty_signal_session_leader(); spin_lock_irq(&p->sighand->siglock); ... p->signal->tty_old_pgrp = get_pid(tty->pgrp); // tty_old_pgrp reassign spin_unlock_irq(&p->sighand->siglock); ... tty_unlock(tty); if (tty) { tty_lock(tty); ... put_pid(tty->pgrp); tty->pgrp = NULL;// It's too late ... tty_unlock(tty); } in task[bash], tty_old_pgrp is released by disassociate_ctty(), then it's reassigned by tty_signal_session_leader() in task[sshd], cause memleak. fix the memleak by add put_pid() in disassociate_ctty() after tty_old_pgrp is reassigned. Fixes: c8bcd9c5 ("tty: Fix ->session locking") Signed-off-by: NYi Yang <yiyang13@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @did-you-collect-the-wool-today virt inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW CVE: NA ------------------------------------------------------------------ In probe_vendor_drivers, all registered vendor drivers are traversed. This is not a good idea. If a vendor driver is not implemented well enough, it may cause the system to panic. Use the vendor id and device id to select a proper driver. In the pervious device registration logic, since the live migration operation ops of the three accelerator devices is the same. Therefore, only one driver entity will be registered. As a result, only the first sec will be loaded successfully, while hpre and zip cannot be loaded. The acc live migration driver needs to be adapted. Signed-off-by: NLongfang Liu <liulongfang@huawei.com> Signed-off-by: NKunkun Jiang <jiangkunkun@huawei.com> Link:https://gitee.com/openeuler/kernel/pulls/1659 Reviewed-by: Zenghui Yu <yuzenghui@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Ruan Jinjie <ruanjinjie@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/DMKZQARD2PWAP2YXIKY6D454ZNKTEVT3/ Backport CVE-2023-4132 fix commits. Duoming Zhou (2): media: usb: siano: Fix use after free bugs caused by do_submit_urb media: usb: siano: Fix warning due to null work_func_t function pointer -- 2.34.1 https://gitee.com/openeuler/kernel/issues/I7QTMZ Link:https://gitee.com/openeuler/kernel/pulls/1657 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @kwb0523 We'd like to be able to identify netns from sock_ops and sk_msg hooks to accelerate local process communication form different netns. Link:https://gitee.com/openeuler/kernel/pulls/1522 Reviewed-by: Jackie Liu <liuyun01@kylinos.cn> Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 zhangwei123171 提交于
jingdong inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7R399 ----------------------------------------------------- /sys/fs/cgroup/cpu/cpu.qos_level is not needed, and easy to cause misunderstanding. Signed-off-by: Nzhangwei123171 <zhangwei123171@jd.com> Reviewed-by: Nzhaoxiaoqiang11 <zhaoxiaoqiang11@jd.com>
-
由 Kunkun Jiang 提交于
virt inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW CVE: NA ------------------------------------------------------------------ In probe_vendor_drivers, all registered vendor drivers are traversed. This is not a good idea. If a vendor driver is not implemented well enough, it may cause the system to panic. Use the vendor id and device id to select a proper driver. In the pervious device registration logic, since the live migration operation ops of the three accelerator devices is the same. Therefore, only one driver entity will be registered. As a result, only the first sec will be loaded successfully, while hpre and zip cannot be loaded. The acc live migration driver needs to be adapted. Signed-off-by: NLongfang Liu <liulongfang@huawei.com> Signed-off-by: NKunkun Jiang <jiangkunkun@huawei.com>
-
由 Duoming Zhou 提交于
mainline inclusion from mainline-v6.5-rc1 commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QTMZ CVE: CVE-2023-4132 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6f489a966fbeb0da63d45c2c66a8957eab604bf6 -------------------------------- The previous commit ebad8e73 ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") adds cancel_work_sync() in smsusb_stop_streaming(). But smsusb_stop_streaming() may be called, even if the work_struct surb->wq has not been initialized. As a result, the warning will occur. One of the processes that could lead to warning is shown below: smsusb_probe() smsusb_init_device() if (!dev->in_ep || !dev->out_ep || align < 0) { smsusb_term_device(intf); smsusb_stop_streaming() cancel_work_sync(&dev->surbs[i].wq); __cancel_work_timer() __flush_work() if (WARN_ON(!work->func)) // work->func is null The log reported by syzbot is shown below: WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063 Modules linked in: CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0 RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066 ... RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246 RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8 RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8 R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160 smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline] smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344 smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419 smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567 ... This patch adds check before cancel_work_sync(). If surb->wq has not been initialized, the cancel_work_sync() will not be executed. Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com Fixes: ebad8e73 ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn> Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: NRuan Jinjie <ruanjinjie@huawei.com>
-
由 Duoming Zhou 提交于
mainline inclusion from mainline-v6.3-rc1 commit ebad8e73 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QTMZ CVE: CVE-2023-4132 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ebad8e731c1c06adf04621d6fd327b860c0861b5 -------------------------------- There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237a-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+0x34c/0x5b0 [ 36.517396] worker_thread+0x4b7/0x890 [ 36.518591] kthread+0x166/0x190 [ 36.519599] ret_from_fork+0x22/0x30 [ 36.520851] [ 36.521405] Last potentially related work creation: [ 36.523143] kasan_save_stack+0x3f/0x60 [ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0 [ 36.525831] insert_work+0x25/0x130 [ 36.527039] __queue_work+0x4d4/0x620 [ 36.528236] queue_work_on+0x72/0xb0 [ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0 [ 36.530819] dummy_timer+0x350/0x1a40 [ 36.532149] call_timer_fn+0x2c/0x190 [ 36.533567] expire_timers+0x69/0x1f0 [ 36.534736] __run_timers+0x289/0x2d0 [ 36.535841] run_timer_softirq+0x2d/0x60 [ 36.537110] __do_softirq+0x116/0x380 [ 36.538377] [ 36.538950] Second to last potentially related work creation: [ 36.540855] kasan_save_stack+0x3f/0x60 [ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0 [ 36.543592] insert_work+0x25/0x130 [ 36.544891] __queue_work+0x4d4/0x620 [ 36.546168] queue_work_on+0x72/0xb0 [ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0 [ 36.548805] dummy_timer+0x350/0x1a40 [ 36.550116] call_timer_fn+0x2c/0x190 [ 36.551570] expire_timers+0x69/0x1f0 [ 36.552762] __run_timers+0x289/0x2d0 [ 36.553916] run_timer_softirq+0x2d/0x60 [ 36.555118] __do_softirq+0x116/0x380 [ 36.556239] [ 36.556807] The buggy address belongs to the object at ffff888005960000 [ 36.556807] which belongs to the cache kmalloc-4k of size 4096 [ 36.560652] The buggy address is located 232 bytes inside of [ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000) [ 36.564791] [ 36.565355] The buggy address belongs to the physical page: [ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00 [ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0 [ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1) [ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000 [ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 [ 36.580175] page dumped because: kasan: bad access detected [ 36.581994] [ 36.582548] Memory state around the buggy address: [ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.591071] ^ [ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 36.598026] ================================================================== [ 36.600224] Disabling lock debugging due to kernel taint [ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I [ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8 [ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.615026] Workqueue: events do_submit_urb [ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 [ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 [ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 [ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 [ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 [ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f [ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 [ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 [ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 [ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 [ 36.643411] Call Trace: [ 36.644215] <TASK> [ 36.644902] smscore_getbuffer+0x3e/0x1e0 [ 36.646147] do_submit_urb+0x4f/0x190 [ 36.647449] process_one_work+0x34c/0x5b0 [ 36.648777] worker_thread+0x4b7/0x890 [ 36.649984] ? worker_clr_flags+0x90/0x90 [ 36.651166] kthread+0x166/0x190 [ 36.652151] ? kthread_blkcg+0x50/0x50 [ 36.653547] ret_from_fork+0x22/0x30 [ 36.655051] </TASK> [ 36.655733] Modules linked in: [ 36.656787] ---[ end trace 0000000000000000 ]--- [ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 [ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 [ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 [ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 [ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 [ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f [ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 [ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 [ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 [ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 [ 36.685733] Kernel panic - not syncing: Fatal exception [ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff) [ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]--- When the siano device is plugged in, it may call the following functions to initialize the device. smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). When smscore_start_device() gets failed, the function smsusb_term_device() will be called and smsusb_device_t will be deallocated. Although we use usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests and wait for them to finish, the worker threads that are scheduled by smsusb_onresponse() may be still running. As a result, the UAF bugs could happen. We add cancel_work_sync() in smsusb_stop_streaming() in order that the worker threads could finish before the smsusb_device_t is deallocated. Fixes: dd47fbd4 ("[media] smsusb: don't sleep while atomic") Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn> Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: NMauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: NRuan Jinjie <ruanjinjie@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Li Lingfeng <lilingfeng3@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MKD6POKWLXC45KXPZXCZ7N52MPOZMNAR/ https://gitee.com/src-openeuler/kernel/issues/I7LU2Q Link:https://gitee.com/openeuler/kernel/pulls/1596 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 04 8月, 2023 3 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Li Nan <linan122@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/PLIYRODHJZO5O3JJ5LZMDZ5VC2QZZXUQ/ Li Nan (1): ksmbd: define SMB2_COMPRESSION_TRANSFORM_ID in fs/ksmbd/smb2pdu.h Namjae Jeon (1): ksmbd: validate smb request protocol id -- 2.39.2 https://gitee.com/openeuler/kernel/issues/I7LU2S Link:https://gitee.com/openeuler/kernel/pulls/1605 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Li Nan <linan122@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ZPU6DOWXQ62ZYWCTSJSULWSJFG2MUIKX/ https://gitee.com/openeuler/kernel/issues/I7LU2I Link:https://gitee.com/openeuler/kernel/pulls/1551 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Zheng Yejian <zhengyejian1@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/XXAG5MRMLFEHC4YUSC53DLXBTHM4DVET/ https://gitee.com/openeuler/kernel/issues/I7P78X Link:https://gitee.com/openeuler/kernel/pulls/1580 Reviewed-by: Xu Kuohai <xukuohai@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 03 8月, 2023 7 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Ziyang Xuan <william.xuanziyang@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5LGGZAJFGQ7GMAJWNGCSQVWZZ2K26FKH/ Backport CVE-2023-3863 fix commits. v2: - Resend the patchset. Krzysztof Kozlowski (1): nfc: llcp: simplify llcp_sock_connect() error paths Lin Ma (1): net: nfc: Fix use-after-free caused by nfc_llcp_find_local -- 2.25.1 https://gitee.com/src-openeuler/kernel/issues/I7NLJR Link:https://gitee.com/openeuler/kernel/pulls/1604 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
!1555 net: hns3: fix setting wrong tx_timeout value issue and synchronizes the differences between the kernel and openeuler Merge Pull Request from: @svishen This patch fix setting wrong tx_timeout value issue and fix some tc bug issue: https://gitee.com/openeuler/kernel/issues/I7OL9R Link:https://gitee.com/openeuler/kernel/pulls/1555 Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Hui Tang <tanghui20@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6VOVLX7JNJMSBWIH6TBFRFMXDKVTP6ME/ https://gitee.com/openeuler/kernel/issues/I7PNAF Link:https://gitee.com/openeuler/kernel/pulls/1611 Reviewed-by: Zucheng Zheng <zhengzucheng@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Hui Tang 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I526XC -------------------------------- If the feature enabled, util_avg of bottom-level tg is used, otherwise, util_avg of rq's cfs_rq is used. Signed-off-by: NHui Tang <tanghui20@huawei.com>
-
由 Jijie Shao 提交于
mainline inclusion from mainline-v6.5-rc2 commit 882481b1c55fc44861d7e2d54b4e0936b1b39f2c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7OL9R CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=882481b1c55fc44861d7e2d54b4e0936b1b39f2c ---------------------------------------------------------------------- In dwrr mode, the default bandwidth weight of disabled tc is set to 0. If the bandwidth weight is 0, the mode will change to sp. Therefore, disabled tc default bandwidth weight need changed to 1, and 0 is returned when query the bandwidth weight of disabled tc. In addition, driver need stop configure bandwidth weight if tc is disabled. Fixes: 84844054 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver") Signed-off-by: NJie Wang <wangjie125@huawei.com> Signed-off-by: NJijie Shao <shaojijie@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jijie Shao 提交于
mainline inclusion from mainline-v6.5-rc2 commit 116d9f732eef634abbd871f2c6f613a5b4677742 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7OL9R CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=116d9f732eef634abbd871f2c6f613a5b4677742 ---------------------------------------------------------------------- Currently, the weight saved by the driver is used as the query result, which may be different from the actual weight in the register. Therefore, the register value read from the firmware is used as the query result Fixes: 0e32038d ("net: hns3: refactor dump tc of debugfs") Signed-off-by: NJijie Shao <shaojijie@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: ZhaoLong Wang <wangzhaolong1@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6ETLQBKJNMKNALJRDIYCV27MJA2XG66X/ mainline patch f5c779b7("ksmbd: fix racy issue from session setup and logoff") It fixes three CVEs: CVE-2023-32250 CVE-2023-32252 CVE-2023-32257 In order to successfully apply the patch, we chose to incorporate the related pre-installed bugfix patch. Colin Ian King (1): ksmbd: Fix spelling mistake "excceed" -> "exceeded" Dawei Li (1): ksmbd: Implements sess->ksmbd_chann_list as xarray Namjae Jeon (2): ksmbd: limit pdu length size according to connection status ksmbd: fix racy issue from session setup and logoff -- 2.34.3 https://gitee.com/src-openeuler/kernel/issues/I7BG0L https://gitee.com/openeuler/kernel/issues/I7CETC Link:https://gitee.com/openeuler/kernel/pulls/1621 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 02 8月, 2023 5 次提交
-
-
由 Namjae Jeon 提交于
mainline inclusion from mainline-v6.4-rc1 commit f5c779b7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7BG0L CVE: CVE-2023-32250,CVE-2023-32252,CVE-2023-32257 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5c779b7ddbda30866cf2a27c63e34158f858c73 -------------------------------- This racy issue is triggered by sending concurrent session setup and logoff requests. This patch does not set connection status as KSMBD_SESS_GOOD if state is KSMBD_SESS_NEED_RECONNECT in session setup. And relookup session to validate if session is deleted in logoff. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20481, ZDI-CAN-20590, ZDI-CAN-20596 Signed-off-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
-
由 Colin Ian King 提交于
mainline inclusion from mainline-v6.3-rc1 commit 7a17c61e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7a17c61ee3b2683c40090179c273f4701fca9677 -------------------------------- There is a spelling mistake in an error message. Fix it. Signed-off-by: NColin Ian King <colin.i.king@gmail.com> Acked-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
-
由 Namjae Jeon 提交于
mainline inclusion from mainline-v6.3-rc1 commit 62c487b5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62c487b53a7ff31e322cf2874d3796b8202c54a5 -------------------------------- Stream protocol length will never be larger than 16KB until session setup. After session setup, the size of requests will not be larger than 16KB + SMB2 MAX WRITE size. This patch limits these invalidly oversized requests and closes the connection immediately. Fixes: 0626e664 ("cifsd: add server handler for central processing and tranport layers") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259 Signed-off-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com> Conflicts: fs/ksmbd/smb2pdu.h
-
由 Dawei Li 提交于
mainline inclusion from mainline-v6.3-rc1 commit 1d9c4172 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1d9c4172110e645b383ff13eee759728d74f1a5d -------------------------------- For some ops on channel: 1. lookup_chann_list(), possibly on high frequency. 2. ksmbd_chann_del(). Connection is used as indexing key to lookup channel, in that case, linear search based on list may suffer a bit for performance. Implements sess->ksmbd_chann_list as xarray. Signed-off-by: NDawei Li <set_pte_at@outlook.com> Acked-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @sanglipeng Backport 5.10.160 - 5.10.162 LTS patches from upstream. Conflicts: Already merged(29): 75454b4bbfc7: io_uring: add missing item types for splice request eb6313c12955: nfp: fix use-after-free in area_cache_get() f3fe6817156a: Bluetooth: L2CAP: Fix u8 overflow 1500fed00878: kernel: provide create_io_thread() helper e86db87191d8: iov_iter: add helper to save iov_iter state c1fe7bd3e1aa: fs: add support for LOOKUP_CACHED 146fe79fff13: fix handling of nd->depth on LOOKUP_CACHED failures in try_to_unlazy* 0cf0ce8fb5b1: Make sure nd->path.mnt and nd->path.dentry are always valid pointers 5683caa7350f: fs: expose LOOKUP_CACHED through openat2() RESOLVE_CACHED 069ac28d9243: net: provide __sys_shutdown_sock() that takes a socket ad0b0137953a: net: add accept helper not installing fd 52cfde6bbf64: signal: Add task_sigpending() helper 214f80e25176: fs: make do_renameat2() take struct filename 57b20530363d: file: Rename __close_fd_get_file close_fd_get_file d2136fc145be: fs: provide locked helper variant of close_fd_get_file() 3c295bd2ddae: entry: Add support for TIF_NOTIFY_SIGNAL 4b1dcf8ec9b2: x86: Wire up TIF_NOTIFY_SIGNAL 79a9991e87fe: arm64: add support for TIF_NOTIFY_SIGNAL abab3d4444b5: powerpc: add support for TIF_NOTIFY_SIGNAL 1bee9dbbcabb: arm: add support for TIF_NOTIFY_SIGNAL 78a53ff02656: riscv: add support for TIF_NOTIFY_SIGNAL 90a2c3821bbf: kernel: remove checking for TIF_NOTIFY_SIGNAL 4b4d2c79921: Limit what can interrupt coredumps 320c8057eceb: arch: setup PF_IO_WORKER threads like PF_KTHREAD dd26e2cec74f: arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread() f0a5f0dc0131: x86/process: setup io_threads more like normal user space threads 831cb78a2a5e: kernel: don't call do_exit() for PF_IO_WORKER threads ed3005032993: task_work: add helper for more targeted task_work canceling 788d0824269b: io_uring: import 5.15-stable io_uring Kabi change(1): a3025359ffa7 net: remove cmsg restriction from io_uring based send/recvmsg calls Total patches: 96 - 29 - 1 = 66 Link:https://gitee.com/openeuler/kernel/pulls/1578 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-