- 18 1月, 2023 3 次提交
-
-
由 Carlos Llamas 提交于
stable inclusion from stable-v5.10.154 commit 015ac18be7de25d17d6e5f1643cb3b60bfbe859e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I68WW5 CVE: CVE-2023-20928 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=015ac18be7de25d17d6e5f1643cb3b60bfbe859e -------------------------------- In commit 720c2419 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2 ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: ================================================================== BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0 Read of size 8 at addr ffff16204ad00600 by task server/558 CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2a0 show_stack+0x18/0x2c dump_stack+0xf8/0x164 print_address_description.constprop.0+0x9c/0x538 kasan_report+0x120/0x200 __asan_load8+0xa0/0xc4 vm_insert_page+0x7c/0x1f0 binder_update_page_range+0x278/0x50c binder_alloc_new_buf+0x3f0/0xba0 binder_transaction+0x64c/0x3040 binder_thread_write+0x924/0x2020 binder_ioctl+0x1610/0x2e5c __arm64_sys_ioctl+0xd4/0x120 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Allocated by task 559: kasan_save_stack+0x38/0x6c __kasan_kmalloc.constprop.0+0xe4/0xf0 kasan_slab_alloc+0x18/0x2c kmem_cache_alloc+0x1b0/0x2d0 vm_area_alloc+0x28/0x94 mmap_region+0x378/0x920 do_mmap+0x3f0/0x600 vm_mmap_pgoff+0x150/0x17c ksys_mmap_pgoff+0x284/0x2dc __arm64_sys_mmap+0x84/0xa4 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Freed by task 560: kasan_save_stack+0x38/0x6c kasan_set_track+0x28/0x40 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0x100/0x164 kasan_slab_free+0x14/0x20 kmem_cache_free+0xc4/0x34c vm_area_free+0x1c/0x2c remove_vma+0x7c/0x94 __do_munmap+0x358/0x710 __vm_munmap+0xbc/0x130 __arm64_sys_munmap+0x4c/0x64 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 [...] ================================================================== To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. Note this patch is specific to stable branches 5.4 and 5.10. Since in newer kernel releases binder no longer caches a pointer to the vma. Instead, it has been refactored to use vma_lookup() which avoids the issue described here. This switch was introduced in commit a43cfc87 ("android: binder: stop saving a pointer to the VMA"). Fixes: dd2283f2 ("mm: mmap: zap pages with read mmap_sem in munmap") Reported-by: NJann Horn <jannh@google.com> Cc: <stable@vger.kernel.org> # 5.10.x Cc: Minchan Kim <minchan@kernel.org> Cc: Yang Shi <yang.shi@linux.alibaba.com> Cc: Liam Howlett <liam.howlett@oracle.com> Signed-off-by: NCarlos Llamas <cmllamas@google.com> Acked-by: NTodd Kjos <tkjos@google.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NChen Jiahao <chenjiahao16@huawei.com> Reviewed-by: NLiao Chang <liaochang1@huawei.com> Reviewed-by: NZhang Jianhua <chris.zjh@huawei.com> Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
-
由 Pavel Begunkov 提交于
stable inclusion from stable-v5.10.141 commit 28d8d2737e82fc29ff9e788597661abecc7f7994 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I685FC CEV: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.162&id=28d8d2737e82fc29ff9e788597661abecc7f7994 -------------------------------- Older kernels lack io_uring POLLFREE handling. As only affected files are signalfd and android binder the safest option would be to disable polling those files via io_uring and hope there are no users. Fixes: 221c5eb2 ("io_uring: add support for IORING_OP_POLL") Signed-off-by: NPavel Begunkov <asml.silence@gmail.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> conflicts: include/linux/fs.h Signed-off-by: NLi Lingfeng <lilingfeng3@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
-
由 Guo Mengqi 提交于
hulk inclusion category: other bugzilla: https://gitee.com/openeuler/kernel/issues/I69JDF CVE: NA ------------------------------- Delete svm driver, as it is specially designed for Hisilicon platform. Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com> Reviewed-by: Nchenweilong <chenweilong@huawei.com> Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
-
- 11 1月, 2023 2 次提交
-
-
由 Alan Stern 提交于
mainline inclusion from mainline-v6.0-rc7 commit 766a96dc category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I675RE CVE: CVE-2022-4662 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=766a96dc558385be735a370db867e302c8f22153 -------------------------------- A recent commit added an invalid RST expression to a kerneldoc comment in hub.c. The fix is trivial. Fixes: 9c6d7788 ("USB: core: Prevent nested device-reset calls") Cc: <stable@vger.kernel.org> Reported-by: NStephen Rothwell <sfr@canb.auug.org.au> Reviewed-by: NBagas Sanjaya <bagasdotme@gmail.com> Signed-off-by: NAlan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/YxDDcsLtRZ7c20pq@rowland.harvard.eduSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYuyao Lin <linyuyao1@huawei.com> Reviewed-by: NXiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
-
由 Alan Stern 提交于
mainline inclusion from mainline-v6.0-rc4 commit 9c6d7788 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I675RE CVE: CVE-2022-4662 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9c6d778800b921bde3bff3cff5003d1650f942d1 -------------------------------- Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 but task is already holding lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 ... stack backtrace: CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] check_deadlock kernel/locking/lockdep.c:3031 [inline] validate_chain kernel/locking/lockdep.c:3816 [inline] __lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 lock_acquire kernel/locking/lockdep.c:5665 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 __mutex_lock_common kernel/locking/mutex.c:603 [inline] __mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:545 [inline] device_remove+0x11f/0x170 drivers/base/dd.c:537 __device_release_driver drivers/base/dd.c:1222 [inline] device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114 This turned out not to be an error in usb-storage but rather a nested device reset attempt. That is, as the rtl8712 driver was being unbound from a composite device in preparation for an unrelated USB reset (that driver does not have pre_reset or post_reset callbacks), its ->remove routine called usb_reset_device() -- thus nesting one reset call within another. Performing a reset as part of disconnect processing is a questionable practice at best. However, the bug report points out that the USB core does not have any protection against nested resets. Adding a reset_in_progress flag and testing it will prevent such errors in the future. Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/ Cc: stable@vger.kernel.org Reported-and-tested-by: NRondreis <linhaoguo86@gmail.com> Signed-off-by: NAlan Stern <stern@rowland.harvard.edu> Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.eduSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYuyao Lin <linyuyao1@huawei.com> Reviewed-by: NXiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
-
- 06 1月, 2023 1 次提交
-
-
由 Zheyu Ma 提交于
stable inclusion from stable-v5.15.86 commit 96c12fd0ec74641295e1c3c34dea3dce1b6c3422 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5MZPE CVE: CVE-2022-2873 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.15.86&id=96c12fd0ec74641295e1c3c34dea3dce1b6c3422 -------------------------------- [ Upstream commit 39244cc7 ] When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug. The following log can reveal it: [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c Fix this bug by checking the size of 'data->block[0]' first. Fixes: 13f35ac1 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller") Signed-off-by: NZheyu Ma <zheyuma97@gmail.com> Signed-off-by: NWolfram Sang <wsa@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NGuo Mengqi <guomengqi3@huawei.com> Reviewed-by: NWeilong Chen <chenweilong@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com> (cherry picked from commit 9da915fa)
-
- 04 1月, 2023 13 次提交
-
-
由 Alan Stern 提交于
mainline inclusion from mainline-v6.1-rc2 commit 41fd1cb6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6068W CVE: CVE-2022-3903 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=719b8f2850d3d9b863cc5e4f08e9ef0206e45b26 -------------------------------- Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver: ------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-00208-g69cb6c65 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Code: 7c 24 40 e8 ac 23 91 fd 48 8b 7c 24 40 e8 b2 70 1b ff 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 a0 30 a9 86 e8 48 07 11 02 <0f> 0b e9 1c f0 ff ff e8 7e 23 91 fd 0f b6 1d 63 22 83 05 31 ff 41 RSP: 0018:ffffc900032becf0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881100f3058 RCX: 0000000000000000 RDX: ffffc90004961000 RSI: ffff888114c6d580 RDI: fffff52000657d90 RBP: ffff888105ad90f0 R08: ffffffff812c3638 R09: 0000000000000000 R10: 0000000000000005 R11: ffffed1023504ef1 R12: ffff888105ad9000 R13: 0000000000000040 R14: 0000000080000380 R15: ffff88810ba96500 FS: 0000000000000000(0000) GS:ffff88811a800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe810bda58 CR3: 000000010b720000 CR4: 0000000000350ef0 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4c0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153 mceusb_gen1_init drivers/media/rc/mceusb.c:1431 [inline] mceusb_dev_probe+0x258e/0x33f0 drivers/media/rc/mceusb.c:1807 The reason for the warning is clear enough; the driver sends an unusual read request on endpoint 0 but does not set the USB_DIR_IN bit in the bRequestType field. More importantly, the whole situation can be avoided and the driver simplified by converting it over to the relatively new usb_control_msg_recv() and usb_control_msg_send() routines. That's what this fix does. Reported-and-tested-by: NRondreis <linhaoguo86@gmail.com> Link: https://lore.kernel.org/all/CAB7eexLLApHJwZfMQ=X-PtRhw0BgO+5KcSMS05FNUYejJXqtSA@mail.gmail.com/Signed-off-by: NAlan Stern <stern@rowland.harvard.edu> Cc: stable@vger.kernel.org Signed-off-by: NSean Young <sean@mess.org> Signed-off-by: NMauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: NZhang Peng <zhangpeng362@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Junhao He 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I68F5A CVE: NA -------------------------------- In TSV200 platform, SCCL is Aff3[7:0], CCL is Aff2[7:0] if mt. Fixes: 1af26389 ("perf: hisi: Fix read sccl_id and ccl_id error in some platform") Signed-off-by: NJunhao He <hejunhao3@huawei.com> Reviewed-by: NYang Shen <shenyang39@huawei.com> Reviewed-by: NYang Jihong <yangjihong1@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Zheng Wang 提交于
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os mainline inclusion from mainline-v6.2-rc1 commit 643a16a0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5UBUF CVE: CVE-2022-3424 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=643a16a0eb1d6ac23744bb6e90a00fc21148a9dc -------------------------------- In some bad situation, the gts may be freed gru_check_chiplet_assignment. The call chain can be gru_unload_context->gru_free_gru_context->gts_drop and kfree finally. However, the caller didn't know if the gts is freed or not and use it afterwards. This will trigger a Use after Free bug. Fix it by introducing a return value to see if it's in error path or not. Free the gts in caller if gru_check_chiplet_assignment check failed. Fixes: 55484c45 ("gru: allow users to specify gru chiplet 2") Signed-off-by: NZheng Wang <zyytlz.wz@163.com> Acked-by: NDimitri Sivanich <sivanich@hpe.com> Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NZheng Yejian <zhengyejian1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Zhihao Cheng 提交于
mainline inclusion from mainline-v6.2-rc1 commit 7991dbff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I65M32 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=7991dbff6849f67e823b7cc0c15e5a90b0549b9f -------------------------------- Recently we found a softlock up problem in dm thin pool btree lookup code due to corrupted metadata: Kernel panic - not syncing: softlockup: hung tasks CPU: 7 PID: 2669225 Comm: kworker/u16:3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: dm-thin do_worker [dm_thin_pool] Call Trace: <IRQ> dump_stack+0x9c/0xd3 panic+0x35d/0x6b9 watchdog_timer_fn.cold+0x16/0x25 __run_hrtimer+0xa2/0x2d0 </IRQ> RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio] __bufio_new+0x11f/0x4f0 [dm_bufio] new_read+0xa3/0x1e0 [dm_bufio] dm_bm_read_lock+0x33/0xd0 [dm_persistent_data] ro_step+0x63/0x100 [dm_persistent_data] btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data] dm_btree_lookup+0x16f/0x210 [dm_persistent_data] dm_thin_find_block+0x12c/0x210 [dm_thin_pool] __process_bio_read_only+0xc5/0x400 [dm_thin_pool] process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool] process_one_work+0x3c5/0x730 Following process may generate a broken btree mixed with fresh and stale btree nodes, which could get dm thin trapped in an infinite loop while looking up data block: Transaction 1: pmd->root = A, A->B->C // One path in btree pmd->root = X, X->Y->Z // Copy-up Transaction 2: X,Z is updated on disk, Y write failed. // Commit failed, dm thin becomes read-only. process_bio_read_only dm_thin_find_block __find_block dm_btree_lookup(pmd->root) The pmd->root points to a broken btree, Y may contain stale node pointing to any block, for example X, which gets dm thin trapped into a dead loop while looking up Z. Fix this by setting pmd->root in __open_metadata(), so that dm thin will use the last transaction's pmd->root if commit failed. Fetch a reproducer in [Link]. Linke: https://bugzilla.kernel.org/show_bug.cgi?id=216790 Cc: stable@vger.kernel.org Fixes: 991d9fa0 ("dm: add thin provisioning target") Signed-off-by: NZhihao Cheng <chengzhihao1@huawei.com> Acked-by: NJoe Thornber <ejt@redhat.com> Signed-off-by: NMike Snitzer <snitzer@kernel.org> Signed-off-by: NZhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ming Lei 提交于
mainline inclusion from mainline-v5.16-rc1 commit 5a4b6536 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I674BF CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5a4b653655d554b5f51a5d2252882708c56a6f7e -------------------------------- After resetting device in zram_remove(), disksize_store still may come and allocate resources again before deleting gendisk, fix the race by resetting zram after del_gendisk() returns. At that time, disksize_store can't come any more. Reported-by: NLuis Chamberlain <mcgrof@kernel.org> Reviewed-by: NLuis Chamberlain <mcgrof@kernel.org> Signed-off-by: NMing Lei <ming.lei@redhat.com> Acked-by: NMinchan Kim <minchan@kernel.org> Link: https://lore.kernel.org/r/20211025025426.2815424-4-ming.lei@redhat.comSigned-off-by: NJens Axboe <axboe@kernel.dk> Conflicts: drivers/block/zram/zram_drv.c Signed-off-by: NLonglong Xia <xialonglong1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ming Lei 提交于
mainline inclusion from mainline-v5.16-rc1 commit 8c54499a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I674BF CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8c54499a59b026a3dc2afccf6e1b36d5700d2fef -------------------------------- When the zram module is being unloaded, no one should be using the zram disks. However even while being unloaded the zram module's sysfs attributes might be poked at to re-configure zram devices. This is expected, and kernfs ensures that these operations complete before device_del() completes. But reset_store() may set ->claim which will fail zram_remove(), when this happens, zram_reset_device() is bypassed, and zram->comp can't be destroyed, so the warning of 'Error: Removing state 63 which has instances left.' is triggered during unloading module, together with memory leak and sort of thing. Fixes the issue by not failing zram_remove() if ->claim is set, and we actually need to do nothing in case that zram_reset() is running since del_gendisk() will wait until zram_reset() is done. Reported-by: NLuis Chamberlain <mcgrof@kernel.org> Reviewed-by: NLuis Chamberlain <mcgrof@kernel.org> Signed-off-by: NMing Lei <ming.lei@redhat.com> Acked-by: NMinchan Kim <minchan@kernel.org> Link: https://lore.kernel.org/r/20211025025426.2815424-3-ming.lei@redhat.comSigned-off-by: NJens Axboe <axboe@kernel.dk> Conflicts: drivers/block/zram/zram_drv.c Signed-off-by: NLonglong Xia <xialonglong1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Phil Turnbull 提交于
stable inclusion from stable-v5.10.157 commit 5a068535c0073c8402aa0755e8ef259fb98a33c5 category: bugfix bugzilla: 188173 https://gitee.com/src-openeuler/kernel/issues/I66M3J CVE: CVE-2022-47521 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5a068535c0073c8402aa0755e8ef259fb98a33c5 -------------------------------- commit f9b62f98 upstream. Validate that the IEEE80211_P2P_ATTR_CHANNEL_LIST attribute contains enough space for a 'struct wilc_attr_oper_ch'. If the attribute is too small then it can trigger an out-of-bounds write later in the function. 'struct wilc_attr_oper_ch' is variable sized so also check 'attr_len' does not extend beyond the end of 'buf'. Signed-off-by: NPhil Turnbull <philipturnbull@github.com> Tested-by: NAjay Kathat <ajay.kathat@microchip.com> Acked-by: NAjay Kathat <ajay.kathat@microchip.com> Signed-off-by: NKalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221123153543.8568-4-philipturnbull@github.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NLiu Jian <liujian56@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
-
由 Juergen Gross 提交于
stable inclusion from stable-v5.10.159 commit 83632fc41449c480f2d0193683ec202caaa186c9 category: bugfix bugzilla: 188137, https://gitee.com/src-openeuler/kernel/issues/I651DP CVE: CVE-2022-42328 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83632fc41449c480f2d0193683ec202caaa186c9 -------------------------------- [ Upstream commit 74e7e1ef ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So remove kfree_skb() from the spin_lock_irqsave() section and use the already existing "drop" label in xenvif_start_xmit() for dropping the SKB. At the same time replace the dev_kfree_skb() call there with a call of dev_kfree_skb_any(), as xenvif_start_xmit() can be called with disabled interrupts. This is XSA-424 / CVE-2022-42328 / CVE-2022-42329. Fixes: be81992f ("xen/netback: don't queue unlimited number of packages") Reported-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NJuergen Gross <jgross@suse.com> Reviewed-by: NJan Beulich <jbeulich@suse.com> Signed-off-by: NJuergen Gross <jgross@suse.com> Signed-off-by: NSasha Levin <sashal@kernel.org> conflict: drivers/net/xen-netback/common.h Signed-off-by: NLu Wei <luwei32@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Takashi Iwai 提交于
stable inclusion from stable-v6.1.1 commit fd3d91ab category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5SDE4 CVE: CVE-2022-41218 -------------------------------- The dvb-core tries to sync the releases of opened files at dvb_dmxdev_release() with two refcounts: dvbdev->users and dvr_dvbdev->users. A problem is present in those two syncs: when yet another dvb_demux_open() is called during those sync waits, dvb_demux_open() continues to process even if the device is being closed. This includes the increment of the former refcount, resulting in the leftover refcount after the sync of the latter refcount at dvb_dmxdev_release(). It ends up with use-after-free, since the function believes that all usages were gone and releases the resources. This patch addresses the problem by adding the check of dmxdev->exit flag at dvb_demux_open(), just like dvb_dvr_open() already does. With the exit flag check, the second call of dvb_demux_open() fails, hence the further corruption can be avoided. Also for avoiding the races of the dmxdev->exit flag reference, this patch serializes the dmxdev->exit set up and the sync waits with the dmxdev->mutex lock at dvb_dmxdev_release(). Without the mutex lock, dvb_demux_open() (or dvb_dvr_open()) may run concurrently with dvb_dmxdev_release(), which allows to skip the exit flag check and continue the open process that is being closed. CVE-2022-41218 is assigned to those bugs above. Reported-by: NHyunwoo Kim <imv4bel@gmail.com> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/20220908132754.30532-1-tiwai@suse.deSigned-off-by: NTakashi Iwai <tiwai@suse.de> Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: NRen Zhijie <renzhijie2@huawei.com> Reviewed-by: Nsongping yu <yusongping@huawei.com> Reviewed-by: NZhang Qiao <zhangqiao22@huawei.com> Reviewed-by: NChen Hui <judy.chenhui@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Phil Turnbull 提交于
stable inclusion from stable-v5.10.156 commit 7c6535fb4d67ea37c98a1d1d24ca33dd5ec42693 category: bugfix bugzilla: 188177, https://gitee.com/src-openeuler/kernel/issues/I66M3K CVE: CVE-2022-47520 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7c6535fb4d67ea37c98a1d1d24ca33dd5ec42693 -------------------------------- commit cd21d99e upstream. There is no validation of 'offset' which can trigger an out-of-bounds read when extracting RSN capabilities. Signed-off-by: NPhil Turnbull <philipturnbull@github.com> Tested-by: NAjay Kathat <ajay.kathat@microchip.com> Acked-by: NAjay Kathat <ajay.kathat@microchip.com> Signed-off-by: NKalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Phil Turnbull 提交于
stable inclusion from stable-v5.10.157 commit 3eb6b89a4e9f9e44c3170d70d8d16c3c8dc8c800 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I66LQ3?from=project-issue CVE: CVE-2022-47518 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3eb6b89a4e9f9e44c3170d70d8d16c3c8dc8c800 -------------------------------- commit 0cdfa9e6 upstream. There is no validation of 'e->no_of_channels' which can trigger an out-of-bounds write in the following 'memset' call. Validate that the number of channels does not extends beyond the size of the channel list element. Signed-off-by: NPhil Turnbull <philipturnbull@github.com> Tested-by: NAjay Kathat <ajay.kathat@microchip.com> Acked-by: NAjay Kathat <ajay.kathat@microchip.com> Signed-off-by: NKalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221123153543.8568-5-philipturnbull@github.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Phil Turnbull 提交于
stable inclusion from stable-v5.10.157 commit 905f886eae4b065656a575e8a02544045cbaadcf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I66M3L CVE: CVE-2022-47519 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=905f886eae4b065656a575e8a02544045cbaadcf -------------------------------- commit 051ae669 upstream. Validate that the IEEE80211_P2P_ATTR_OPER_CHANNEL attribute contains enough space for a 'struct struct wilc_attr_oper_ch'. If the attribute is too small then it triggers an out-of-bounds write later in the function. Signed-off-by: NPhil Turnbull <philipturnbull@github.com> Tested-by: NAjay Kathat <ajay.kathat@microchip.com> Acked-by: NAjay Kathat <ajay.kathat@microchip.com> Signed-off-by: NKalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221123153543.8568-3-philipturnbull@github.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NBaisong Zhong <zhongbaisong@huawei.com> Reviewed-by: NLiu Jian <liujian56@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Jiasheng Jiang 提交于
stable inclusion from stable-v6.0.14 commit abfaf0ee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6694U CVE: CVE-2022-3108 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=abfaf0eee97925905e742aa3b0b72e04a918fa9e -------------------------------- As the possible failure of the allocation, kmemdup() may return NULL pointer. Therefore, it should be better to check the 'props2' in order to prevent the dereference of NULL pointer. Fixes: 3a87177e ("drm/amdkfd: Add topology support for dGPUs") Signed-off-by: NJiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: NFelix Kuehling <Felix.Kuehling@amd.com> Signed-off-by: NFelix Kuehling <Felix.Kuehling@amd.com> Signed-off-by: NAlex Deucher <alexander.deucher@amd.com> Signed-off-by: NRen Zhijie <renzhijie2@huawei.com> Reviewed-by: Nsongping yu <yusongping@huawei.com> Reviewed-by: NChen Hui <judy.chenhui@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
- 23 12月, 2022 2 次提交
-
-
由 Li Nan 提交于
hulk inclusion category: bugfix bugzilla: 188176, https://gitee.com/openeuler/kernel/issues/I67294 CVE: NA ------------------------------- Commit 891e2639 ("scsi: iscsi: Stop queueing during ep_disconnect") introduces .unbind_conn to fix the race between __iscsi_conn_send_pdu() and .ep_disconnect, however it also introduces the KABI problem. Considering the issue is only related with offload iscsi driver but not iscsi_tcp, so tried to revert it, however the above commit is just one patch in a patchset, the following patches depends on it and these patches fix problem related with iscsi_tcp. So just reverting it manually by removing .unbind_conn from iscsi_transport. Signed-off-by: NLi Nan <linan122@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Li Nan 提交于
hulk inclusion category: bugfix bugzilla: 188176, https://gitee.com/openeuler/kernel/issues/I67294 CVE: NA -------------------------------- This reverts commit 230035ef. Drivers use tgt_dscvr will compile failed because API has changed. Signed-off-by: NLi Nan <linan122@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
- 19 12月, 2022 2 次提交
-
-
由 Xiangyou Xie 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I6404X?from=project-issue CVE: NA --------------------------- To ensure energy efficiency, haltpoll is disabled by default. But In some performance scenarios, you can enable haltpoll using the following methods: echo Y > /sys/module/cpuidle_haltpoll/parameters/force Signed-off-by: NXiangyou Xie <xiexiangyou@huawei.com> Reviewed-by: NKeqian Zhu <zhukeqian1@huawei.com> Reviewed-by: NQingqing Li <liqingqing3@huawei.com> Reviewed-by: Nchenhui <judy.chenhui@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Jiasheng Jiang 提交于
mainline inclusion from mainline-v5.19-rc1 commit ed713e2b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6698Y CVE: CVE-2022-3114 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed713e2bc093239ccd380c2ce8ae9e4162f5c037 -------------------------------- As the potential failure of the kcalloc(), it should be better to check it in order to avoid the dereference of the NULL pointer. Fixes: 379c9a24 ("clk: imx: Fix reparenting of UARTs not associated with stdout") Signed-off-by: NJiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: NAbel Vesa <abel.vesa@nxp.com> Link: https://lore.kernel.org/r/20220310080257.1988412-1-jiasheng@iscas.ac.cnSigned-off-by: NAbel Vesa <abel.vesa@nxp.com> Signed-off-by: NYi Yang <yiyang13@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
- 16 12月, 2022 5 次提交
-
-
由 Zheng Zengkai 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I66G0M ----------------------------------------------- Commit 36a1a891 ("efi/loongarch: Add efistub booting support") introduced the following macro definition for riscv in file drivers/firmware/efi/libstub/efi-stub.c # define EFI_RT_VIRTUAL_LIMIT DEFAULT_MAP_WINDOW_64 # define EFI_RT_VIRTUAL_LIMIT TASK_SIZE_MIN # define EFI_RT_VIRTUAL_LIMIT TASK_SIZE but related patches have not been merged for riscv, like e8a62cc2 ("riscv: Implement sv48 support"), 01abdfea ("riscv: compat: Support TASK_SIZE for compat mode"), Causing build error in riscv: build failed: riscv, allmodconfig <line too long ...> n this function); did you mean ‘TASK_SIZE_MAX’? # define EFI_RT_VIRTUAL_LIMIT TASK_SIZE_MIN ^ drivers/firmware/efi/libstub/efi-stub.c:289:31: note: in expansion of macro ‘EFI_RT_VIRTUAL_LIMIT’ static const u64 headroom = EFI_RT_VIRTUAL_LIMIT - ^~~~~~~~~~~~~~~~~~~~ drivers/firmware/efi/libstub/efi-stub.c:44:32: note: each undeclared identifier is reported only once for each function it appears in # define EFI_RT_VIRTUAL_LIMIT TASK_SIZE_MIN ^ drivers/firmware/efi/libstub/efi-stub.c:289:31: note: in expansion of macro ‘EFI_RT_VIRTUAL_LIMIT’ static const u64 headroom = EFI_RT_VIRTUAL_LIMIT - ^~~~~~~~~~~~~~~~~~~~ make[4]: *** [drivers/firmware/efi/libstub/efi-stub.o] Error 1 make[3]: *** [drivers/firmware/efi/libstub] Error 2 make[2]: *** [drivers/firmware/efi] Error 2 make[1]: *** [drivers/firmware] Error 2 make[1]: *** Waiting for unfinished jobs.... make: *** [drivers] Error 2 Fix it by removing the CONFIG_RISCV condition for EFI_RT_VIRTUAL_LIMIT definition. Fixes: 36a1a891 ("efi/loongarch: Add efistub booting support") Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: NWei Li <liwei391@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Zeng Jingxiang 提交于
mainline inclusion from mainline-v6.1-rc1 commit 8b740c08 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I664DZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b740c08eb8202817562c358e8d867db0f7d6565 -------------------------------- Coverity complains of a possible NULL dereference: in of_select_probe_type(): 1. returned_null: of_match_device() returns NULL. 2. var_assigned: match = NULL return value from of_match_device() 309 match = of_match_device(of_flash_match, &dev->dev); 3.dereference: Dereferencing the NULL pointer match. 310 probe_type = match->data; Signed-off-by: NZeng Jingxiang <linuszeng@tencent.com> Signed-off-by: NMiquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20220727060302.1560325-1-zengjx95@gmail.comSigned-off-by: NXiang Yang <xiangyang3@huawei.com> Reviewed-by: Nyiyang <yiyang13@huawei.com> Reviewed-by: Nguozihua <guozihua@huawei.com> Reviewed-by: NGONG, Ruiqi <gongruiqi1@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Dan Williams 提交于
stable inclusion from stable-v5.10.137 commit 71042279b161ba329d730e5fe517adbc106c031b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60PLB Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=71042279b161ba329d730e5fe517adbc106c031b -------------------------------- [ Upstream commit b13a3e5f ] When a platform marks a memory range as "special purpose" it is not onlined as System RAM by default. However, it is still suitable for error injection. Add IORES_DESC_SOFT_RESERVED to einj_error_inject() as a permissible memory type in the sanity checking of the arguments to _EINJ. Fixes: 262b45ae ("x86/efi: EFI soft reservation to E820 enumeration") Reviewed-by: NTony Luck <tony.luck@intel.com> Reported-by: NOmar Avelar <omar.avelar@intel.com> Signed-off-by: NDan Williams <dan.j.williams@intel.com> Signed-off-by: NRafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: NSasha Levin <sashal@kernel.org> Conflicts: drivers/acpi/apei/einj.c Reviewed-by: NXiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Juergen Gross 提交于
mainline inclusion from mainline-v6.1 commit 7dfa764e category: bugfix bugzilla: 188138 CVE: CVE-2022-3643 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7dfa764e0223a324366a2a1fc056d4d9d4e95491 -------------------------------- Commit ad7f402a ("xen/netback: Ensure protocol headers don't fall in the non-linear area") introduced a (valid) build warning. There have even been reports of this problem breaking networking of Xen guests. Fixes: ad7f402a ("xen/netback: Ensure protocol headers don't fall in the non-linear area") Signed-off-by: NJuergen Gross <jgross@suse.com> Reviewed-by: NJan Beulich <jbeulich@suse.com> Reviewed-by: NRoss Lagerwall <ross.lagerwall@citrix.com> Tested-by: NJason Andryuk <jandryuk@gmail.com> Signed-off-by: NJuergen Gross <jgross@suse.com> Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ross Lagerwall 提交于
mainline inclusion from mainline-v6.1 commit ad7f402a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I651EB CVE: CVE-2022-3643 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ad7f402ae4f466647c3a669b8a6f3e5d4271c84a -------------------------------- In some cases, the frontend may send a packet where the protocol headers are spread across multiple slots. This would result in netback creating an skb where the protocol headers spill over into the non-linear area. Some drivers and NICs don't handle this properly resulting in an interface reset or worse. This issue was introduced by the removal of an unconditional skb pull in the tx path to improve performance. Fix this without reintroducing the pull by setting up grant copy ops for as many slots as needed to reach the XEN_NETBACK_TX_COPY_LEN size. Adjust the rest of the code to handle multiple copy operations per skb. This is XSA-423 / CVE-2022-3643. Fixes: 7e5d7753 ("xen-netback: remove unconditional __pskb_pull_tail() in guest Tx path") Signed-off-by: NRoss Lagerwall <ross.lagerwall@citrix.com> Reviewed-by: NPaul Durrant <paul@xen.org> Signed-off-by: NJuergen Gross <jgross@suse.com> Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
- 15 12月, 2022 3 次提交
-
-
由 Junxian Huang 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I665OG --------------------------------------------------------------- In this patch, the following constraints are added: 1. RoCE Bonding cannot be set with a PF which enables VF; 2. A PF in RoCE Bonding cannot enable RoCE VF. Fixes: 6ba084e0 ("RDMA/hns: add constraints for bonding-unsupported situations") Signed-off-by: NJunxian Huang <huangjunxian6@hisilicon.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chengchang Tang 提交于
driver inclusion category: bugfix bugzilla:https://gitee.com/openeuler/kernel/issues/I667QG --------------------------------------------------------------------------- The queried AH attr is invalid. This patch fix it. This problem is found by rdma-core test test_mr_rereg_pd ERROR: test_mr_rereg_pd (tests.test_mr.MRTest) Test that cover rereg MR's PD with this flow: ---------------------------------------------------------------------- Traceback (most recent call last): File "./tests/test_mr.py", line 157, in test_mr_rereg_pd self.restate_qps() File "./tests/test_mr.py", line 113, in restate_qps self.server.qp.to_rts(self.server_qp_attr) File "qp.pyx", line 1137, in pyverbs.qp.QP.to_rts File "qp.pyx", line 1123, in pyverbs.qp.QP.to_rtr pyverbs.pyverbs_error.PyverbsRDMAError: Failed to modify QP state to RTR. Errno: 22, Invalid argument Fixes: 926a01dc ("RDMA/hns: Add QP operations support for hip08 SoC") Signed-off-by: NChengchang Tang <tangchengchang@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Guofeng Yue 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I65TUL --------------------------------------------------------------- In the reset scenario, if the kernel receives the reset signal, it needs to notify the user space to stop ring doorbell. Signed-off-by: NYixing Liu <liuyixing1@huawei.com> Signed-off-by: NGuofeng Yue <yueguofeng@hisilicon.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
- 13 12月, 2022 9 次提交
-
-
由 Lu Wei 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I62TLE CVE: NA -------------------------------- This reverts commit 382ceac7. In order to make iproute compatible with other operation system like SUSE, rethad and etc, put IPVLAN_MODE_L2E last. Signed-off-by: NLu Wei <luwei32@huawei.com> Reviewed-by: NLiu Jian <liujian56@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Zhihao Cheng 提交于
mainline inclusion from mainline-next commit 8111964f category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I65I9A CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/md?h=next-20221208&id=8111964f1b8524c4bb56b02cd9c7a37725ea21fd ------------------------------- Following concurrent processes: P1(drop cache) P2(kworker) drop_caches_sysctl_handler drop_slab shrink_slab down_read(&shrinker_rwsem) - LOCK A do_shrink_slab super_cache_scan prune_icache_sb dispose_list evict ext4_evict_inode ext4_clear_inode ext4_discard_preallocations ext4_mb_load_buddy_gfp ext4_mb_init_cache ext4_read_block_bitmap_nowait ext4_read_bh_nowait submit_bh dm_submit_bio do_worker process_deferred_bios commit metadata_operation_failed dm_pool_abort_metadata down_write(&pmd->root_lock) - LOCK B __destroy_persistent_data_objects dm_block_manager_destroy dm_bufio_client_destroy unregister_shrinker down_write(&shrinker_rwsem) thin_map | dm_thin_find_block ↓ down_read(&pmd->root_lock) --> ABBA deadlock , which triggers hung task: [ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds. [ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910 [ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2 [ 76.978534] Workqueue: dm-thin do_worker [ 76.978552] Call Trace: [ 76.978564] __schedule+0x6ba/0x10f0 [ 76.978582] schedule+0x9d/0x1e0 [ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0 [ 76.978600] down_write+0xec/0x110 [ 76.978607] unregister_shrinker+0x2c/0xf0 [ 76.978616] dm_bufio_client_destroy+0x116/0x3d0 [ 76.978625] dm_block_manager_destroy+0x19/0x40 [ 76.978629] __destroy_persistent_data_objects+0x5e/0x70 [ 76.978636] dm_pool_abort_metadata+0x8e/0x100 [ 76.978643] metadata_operation_failed+0x86/0x110 [ 76.978649] commit+0x6a/0x230 [ 76.978655] do_worker+0xc6e/0xd90 [ 76.978702] process_one_work+0x269/0x630 [ 76.978714] worker_thread+0x266/0x630 [ 76.978730] kthread+0x151/0x1b0 [ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds. [ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910 [ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459 [ 76.982128] Call Trace: [ 76.982139] __schedule+0x6ba/0x10f0 [ 76.982155] schedule+0x9d/0x1e0 [ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910 [ 76.982173] down_read+0x84/0x170 [ 76.982177] dm_thin_find_block+0x4c/0xd0 [ 76.982183] thin_map+0x201/0x3d0 [ 76.982188] __map_bio+0x5b/0x350 [ 76.982195] dm_submit_bio+0x2b6/0x930 [ 76.982202] __submit_bio+0x123/0x2d0 [ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0 [ 76.982222] submit_bio_noacct+0x389/0x770 [ 76.982227] submit_bio+0x50/0xc0 [ 76.982232] submit_bh_wbc+0x15e/0x230 [ 76.982238] submit_bh+0x14/0x20 [ 76.982241] ext4_read_bh_nowait+0xc5/0x130 [ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60 [ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0 [ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0 [ 76.982263] ext4_discard_preallocations+0x45d/0x830 [ 76.982274] ext4_clear_inode+0x48/0xf0 [ 76.982280] ext4_evict_inode+0xcf/0xc70 [ 76.982285] evict+0x119/0x2b0 [ 76.982290] dispose_list+0x43/0xa0 [ 76.982294] prune_icache_sb+0x64/0x90 [ 76.982298] super_cache_scan+0x155/0x210 [ 76.982303] do_shrink_slab+0x19e/0x4e0 [ 76.982310] shrink_slab+0x2bd/0x450 [ 76.982317] drop_slab+0xcc/0x1a0 [ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0 [ 76.982327] proc_sys_call_handler+0x1bc/0x300 [ 76.982331] proc_sys_write+0x17/0x20 [ 76.982334] vfs_write+0x3d3/0x570 [ 76.982342] ksys_write+0x73/0x160 [ 76.982347] __x64_sys_write+0x1e/0x30 [ 76.982352] do_syscall_64+0x35/0x80 [ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd Function metadata_operation_failed() is called when operations failed on dm pool metadata, dm pool will destroy and recreate metadata. So, shrinker will be unregistered and registered, which could down write shrinker_rwsem under pmd_write_lock. Fix it by allocating dm_block_manager before locking pmd->root_lock and destroying old dm_block_manager after unlocking pmd->root_lock, then old dm_block_manager is replaced with new dm_block_manager under pmd->root_lock. So, shrinker register/unregister could be done without holding pmd->root_lock. Fetch a reproducer in [Link]. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216676 Fixes: e49e5829 ("dm thin: add read only and fail io modes") Signed-off-by: NZhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Rong Wang 提交于
maillist inclusion category: bugfix Reference: https://lore.kernel.org/all/20221207120813.2837529-1-sunnanyong@huawei.com/ -------------------------------- In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses a reference of pointer as the parameter of kfree, which is the wrong pointer and then may hit crash like this: Unable to handle kernel paging request at virtual address 00ffff003363e30c Internal error: Oops: 96000004 [#1] SMP Call trace: rb_next+0x20/0x5c ext4_readdir+0x494/0x5c4 [ext4] iterate_dir+0x168/0x1b4 __se_sys_getdents64+0x68/0x170 __arm64_sys_getdents64+0x24/0x30 el0_svc_common.constprop.0+0x7c/0x1bc do_el0_svc+0x2c/0x94 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821) SMP: stopping secondary CPUs Starting crashdump kernel... Signed-off-by: NRong Wang <wangrong68@huawei.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Stefano Garzarella 提交于
mainline inclusion from mainline-v5.19-rc5 commit 037d4305 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=037d4305569aacaa018a617771dccbb81cc60257 ---------------------------------------------------------------------- Before commit 3d569879 ("vhost-vdpa: introduce asid based IOTLB") we call vhost_vdpa_iotlb_free() during the release to clean all regions mapped in the iotlb. That commit removed vhost_vdpa_iotlb_free() and added vhost_vdpa_cleanup() to do some cleanup, including deleting all mappings, but we forgot to call it in vhost_vdpa_release(). This causes that if an application does not remove all mappings explicitly (or it crashes), the mappings remain in the iotlb and subsequent applications may fail if they map the same addresses. Calling vhost_vdpa_cleanup() also fixes a memory leak since we are not freeing `v->vdev.vqs` during the release from the same commit. Since vhost_vdpa_cleanup() calls vhost_dev_cleanup() we can remove its call from vhost_vdpa_release(). Fixes: 3d569879 ("vhost-vdpa: introduce asid based IOTLB") Cc: gautam.dawar@xilinx.com Signed-off-by: NStefano Garzarella <sgarzare@redhat.com> Message-Id: <20220622151407.51232-1-sgarzare@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Tested-by: NEugenio Pérez <eperezma@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
mainline inclusion from mainline-v5.17 commit 95932ab2 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95932ab2ea07b79cdb33121e2f40ccda9e6a73b5 ---------------------------------------------------------------------- Commit e2ae38cf ("vhost: fix hung thread due to erroneous iotlb entries") tries to reject the IOTLB message whose size is zero. But the size is not necessarily meaningful, one example is the batching hint, so the commit breaks that. Fixing this be reject zero size message only if the message is used to update/invalidate the IOTLB. Fixes: e2ae38cf ("vhost: fix hung thread due to erroneous iotlb entries") Reported-by: NEli Cohen <elic@nvidia.com> Cc: Anirudh Rayabharam <mail@anirudhrb.com> Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20220310075211.4801-1-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Tested-by: NEli Cohen <elic@nvidia.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Stefano Garzarella 提交于
mainline inclusion from mainline-v5.11-rc1 commit b240491b category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b240491b7a48028fb67e5377ffd1be21e9260c4e ---------------------------------------------------------------------- Instead of calling the vq callback directly, we can leverage the vringh_notify() function, adding vdpasim_vq_notify() and setting it in the vringh notify callback. Suggested-by: NJason Wang <jasowang@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Signed-off-by: NStefano Garzarella <sgarzare@redhat.com> Link: https://lore.kernel.org/r/20201215144256.155342-15-sgarzare@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
mainline inclusion from mainline-v5.19-rc1 commit 0aa96837 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0aa96837c3ded5de58782a07b88176f2f1d01404 ---------------------------------------------------------------------- This allows us to do common extension without duplicating code. Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: "Paul E. McKenney" <paulmck@kernel.org> Cc: Marc Zyngier <maz@kernel.org> Cc: Halil Pasic <pasic@linux.ibm.com> Cc: Cornelia Huck <cohuck@redhat.com> Cc: Vineeth Vijayan <vneethv@linux.ibm.com> Cc: Peter Oberparleiter <oberpar@linux.ibm.com> Cc: linux-s390@vger.kernel.org Reviewed-by: NCornelia Huck <cohuck@redhat.com> Signed-off-by: NJason Wang <jasowang@redhat.com> Message-Id: <20220527060120.20964-3-jasowang@redhat.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NXuan Zhuo <xuanzhuo@linux.alibaba.com> Reviewed-by: NEugenio Pérez <eperezma@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Michael S. Tsirkin 提交于
mainline inclusion from mainline-v5.17-rc8 commit c46eccda category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c46eccdaadabb7822080a04e633f81b2ad37f358 ---------------------------------------------------------------------- Looks like most callers get driver/device removal wrong. Document what's expected of callers. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Michael S. Tsirkin 提交于
mainline inclusion from mainline-v5.17-rc1 commit d9679d00 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d9679d0013a66849f23057978f92e76b255c50aa ---------------------------------------------------------------------- This will enable cleanups down the road. The idea is to disable cbs, then add "flush_queued_cbs" callback as a parameter, this way drivers can flush any work queued after callbacks have been disabled. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Link: https://lore.kernel.org/r/20211013105226.20225-1-mst@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-