- 08 11月, 2022 14 次提交
-
-
由 Jason Wang 提交于
stable inclusion from stable-v5.12 commit e3669129 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e3669129fdcd2494e6991bd4111e090551087e16 ---------------------------------------------------------------------- This patch introduces helpers to allow set and get device status. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210104065503.199631-7-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
stable inclusion from stable-v5.12 commit 1a5c85f1 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1a5c85f16594416df258fe38ec05e0dd05846479 ---------------------------------------------------------------------- This patch introduces vp_modern_config_vector() for setting config vector. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210104065503.199631-6-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
stable inclusion from stable-v5.12 commit 32490370 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=32490370883822e9e8dd7e4410bbe22bb3b77b58 ---------------------------------------------------------------------- This patch introduces vp_modern_remove() doing device resources cleanup to make it can be used. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210104065503.199631-5-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
stable inclusion from stable-v5.12 commit 117a9de2 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=117a9de2826ccb0d338afb03f07223b3cb789371 ---------------------------------------------------------------------- This patch factors out the modern device initialization logic into a helper. Note that it still depends on the caller to enable pci device which allows the caller to use e.g devres. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210104065503.199631-4-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
stable inclusion from stable-v5.12 commit b5d58094 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b5d58094508724970ed9b68cdeca01e8f5333e0e ---------------------------------------------------------------------- This patch splits out the virtio-pci modern device only attributes into another structure. While at it, a dedicated probe method for modern only attributes is introduced. This may help for split the logic into a dedicated module. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210104065503.199631-3-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
stable inclusion from stable-v5.12 commit 64f2087a category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=64f2087aaa2c2a504f637736f48e71da0cd4afe0 ---------------------------------------------------------------------- Instead of accessing iomem via struct virito_pci_device directly, tweak to call the io accessors through the iomem structure. This will ease the splitting of modern virtio device logic. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210104065503.199631-2-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Longpeng 提交于
stable inclusion from stable-v5.18 commit b04d910a category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b04d910af330b55e1d5d6eb9ecd53a375a9cf81c ---------------------------------------------------------------------- - GET_VQS_COUNT: the count of virtqueues that exposed Signed-off-by: NLongpeng <longpeng2@huawei.com> Link: https://lore.kernel.org/r/20220315032553.455-4-longpeng2@huawei.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Signed-off-by: Longpeng <<a href="mailto:longpeng2@huawei.com" target="_blank">longpeng2@huawei.com</a>><br> Reviewed-by: NStefano Garzarella <sgarzare@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Parav Pandit 提交于
stable inclusion from stable-v5.12 commit 903f7bca category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=903f7bcaedb84ca47998e609015a34ddde93742e ---------------------------------------------------------------------- Add the ability to add and delete a vdpa device. Examples: Create a vdpa device of type network named "foo2" from the management device vdpasim: $ vdpa dev add mgmtdev vdpasim_net name foo2 Delete the vdpa device after its use: $ vdpa dev del foo2 Signed-off-by: NParav Pandit <parav@nvidia.com> Reviewed-by: NEli Cohen <elic@nvidia.com> Reviewed-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210105103203.82508-5-parav@nvidia.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Parav Pandit 提交于
stable inclusion from stable-v5.11 commit 476c135e category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=476c135e321716ad7a8a5d4a19a636e2dcc50526 ---------------------------------------------------------------------- Add missing comment for number of virtqueue. Signed-off-by: NParav Pandit <parav@nvidia.com> Reviewed-by: NEli Cohen <elic@nvidia.com> Acked-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20201112064005.349268-2-parav@nvidia.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Parav Pandit 提交于
stable inclusion from stable-v5.12 commit 33b34750 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=33b347503f014ebf76257327cbc7001c6b721956 ---------------------------------------------------------------------- To add one or more VDPA devices, define a management device which allows adding or removing vdpa device. A management device defines set of callbacks to manage vdpa devices. To begin with, it defines add and remove callbacks through which a user defined vdpa device can be added or removed. A unique management device is identified by its unique handle identified by management device name and optionally the bus name. Hence, introduce routine through which driver can register a management device and its callback operations for adding and remove a vdpa device. Introduce vdpa netlink socket family so that user can query management device and its attributes. Example of show vdpa management device which allows creating vdpa device of networking class (device id = 0x1) of virtio specification 1.1 section 5.1.1. $ vdpa mgmtdev show vdpasim_net: supported_classes: net Example of showing vdpa management device in JSON format. $ vdpa mgmtdev show -jp { "show": { "vdpasim_net": { "supported_classes": [ "net" ] } } } Signed-off-by: NParav Pandit <parav@nvidia.com> Reviewed-by: NEli Cohen <elic@nvidia.com> Reviewed-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210105103203.82508-4-parav@nvidia.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Including a bugfix: vpda: correctly size vdpa_nl_policy We need to ensure last entry of vdpa_nl_policy[] is zero, otherwise out-of-bounds access is hurting us. Signed-off-by: NEric Dumazet <edumazet@google.com> Reported-by: Nsyzbot <syzkaller@googlegroups.com> Cc: Parav Pandit <parav@nvidia.com> Cc: Eli Cohen <elic@nvidia.com> Cc: Jason Wang <jasowang@redhat.com> Cc: Michael S. Tsirkin <mst@redhat.com> Link: https://lore.kernel.org/r/20210210134911.4119555-1-eric.dumazet@gmail.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Parav Pandit 提交于
stable inclusion from stable-v5.12 commit fd70a406 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fd70a406a344e084ac680c3f14e71d37d6023883 ---------------------------------------------------------------------- In a subsequent patch, when user initiated command creates a vdpa device, the user chooses the name of the vdpa device. To support it, extend the device allocation API to consider this name specified by the caller driver. Signed-off-by: NParav Pandit <parav@nvidia.com> Reviewed-by: NEli Cohen <elic@nvidia.com> Acked-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210105103203.82508-3-parav@nvidia.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Longpeng 提交于
stable inclusion from stable-v5.18 commit a61280dd category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a61280ddddaa45f95b60dd54c05f8e0e5b6810b7 ---------------------------------------------------------------------- - GET_CONFIG_SIZE: return the size of the virtio config space. The size contains the fields which are conditional on feature bits. Acked-by: NJason Wang <jasowang@redhat.com> Signed-off-by: NLongpeng <longpeng2@huawei.com> Link: https://lore.kernel.org/r/20220315032553.455-2-longpeng2@huawei.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NStefano Garzarella <sgarzare@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Stefano Garzarella 提交于
stable inclusion from stable-v5.13 commit 442706f9 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=442706f9f94d28fe3c9f188ae4ebbd6b40addffe ---------------------------------------------------------------------- This new callback is used to get the size of the configuration space of vDPA devices. Signed-off-by: NStefano Garzarella <sgarzare@redhat.com> Link: https://lore.kernel.org/r/20210315163450.254396-9-sgarzare@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Acked-by: NJason Wang <jasowang@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
由 Jason Wang 提交于
stable inclusion from stable-v5.13 commit 64b9f64f category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WXCZ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=64b9f64f80a6f4b7ea51bf0510119cb15e801dc6 ---------------------------------------------------------------------- This patch introduce a vDPA driver for virtio-pci device. It bridges the virtio-pci control command to the vDPA bus. This will be used for features prototyping and testing. Note that get/restore virtqueue state is not supported which needs extension on the virtio specification. Signed-off-by: NJason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210223061905.422659-4-jasowang@redhat.comSigned-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPengyuan Zhao <zhaopengyuan@hisilicon.com>
-
- 19 10月, 2022 26 次提交
-
-
由 Carlos Llamas 提交于
mainline inclusion from mainline-v6.0-rc4 commit a0e44c64 category: bugfix bugzilla: 187805, https://gitee.com/src-openeuler/kernel/issues/I5U713 CVE: CVE-2022-20421 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.0&id=a0e44c64b6061dda7e00b7c458e4523e2331b739 -------------------------------- A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled. The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so. ================================================================== BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binder_deferred_func Call trace: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20 Acked-by: NChristian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: NCarlos Llamas <cmllamas@google.com> Cc: stable <stable@kernel.org> # 4.14+ Link: https://lore.kernel.org/r/20220801182511.3371447-1-cmllamas@google.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NRen Zhijie <renzhijie2@huawei.com> Reviewed-by: NZhang Qiao <zhangqiao22@huawei.com> Reviewed-by: NChen Hui <judy.chenhui@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Johannes Berg 提交于
stable inclusion from stable-v5.10.148 commit a6408e0b694c1bdd8ae7dd0464a86b98518145ec category: bugfix bugzilla: 187813, https://gitee.com/src-openeuler/kernel/issues/I5VM7L CVE: CVE-2022-41674 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a6408e0b694c1bdd8ae7dd0464a86b98518145ec -------------------------------- In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element: /* copy the IEs after MBSSID */ cpy_len = mbssid[1] + 2; This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable. This fixes CVE-2022-41674. Reported-by: NSoenke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: NSoenke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning") Reviewed-by: NKees Cook <keescook@chromium.org> Signed-off-by: NJohannes Berg <johannes.berg@intel.com> Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com> Reviewed-by: NLiu Jian <liujian56@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Johannes Berg 提交于
stable inclusion from stable-v5.10.149 commit 31ce5da48a845bac48930bbde1d45e7449591728 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5VM7O CVE: CVE-2022-42719 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=31ce5da48a845bac48930bbde1d45e7449591728 -------------------------------- Commit ff05d4b4 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Fixes: 5023b14c ("mac80211: support profile split between elements") Co-developed-by: NIlan Peer <ilan.peer@intel.com> Signed-off-by: NIlan Peer <ilan.peer@intel.com> Reviewed-by: NKees Cook <keescook@chromium.org> Signed-off-by: NJohannes Berg <johannes.berg@intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NXu Jia <xujia39@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Hyunwoo Kim 提交于
mainline inclusion from mainline-v6.0-rc1 commit 5610bcfe category: bugfix bugzilla: 187798, https://gitee.com/src-openeuler/kernel/issues/I5U1NZ CVE: CVE-2022-41849 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs?id=5610bcfe8693c02e2e4c8b31427f1bdbdecc839c --------------------------- A race condition may occur if the user physically removes the USB device while calling open() for this device node. This is a race condition between the ufx_ops_open() function and the ufx_usb_disconnect() function, which may eventually result in UAF. So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions to avoid race contidion of krefs. Signed-off-by: NHyunwoo Kim <imv4bel@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: NHelge Deller <deller@gmx.de> Signed-off-by: NChenXiaoSong <chenxiaosong2@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 haibinzhang (张海斌) 提交于
stable inclusion from stable-v5.10.137 commit 353b4673d01c512303c45cf2346f630cda73b5c9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5U71M?from=project-issue CVE: CVE-2022-20422 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=353b4673d01c512303c45cf2346f630cda73b5c9 --------------------------- [ Upstream commit af483947 ] emulation_proc_handler() changes table->data for proc_dointvec_minmax and can generate the following Oops if called concurrently with itself: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 | Internal error: Oops: 96000006 [#1] SMP | Call trace: | update_insn_emulation_mode+0xc0/0x148 | emulation_proc_handler+0x64/0xb8 | proc_sys_call_handler+0x9c/0xf8 | proc_sys_write+0x18/0x20 | __vfs_write+0x20/0x48 | vfs_write+0xe4/0x1d0 | ksys_write+0x70/0xf8 | __arm64_sys_write+0x20/0x28 | el0_svc_common.constprop.0+0x7c/0x1c0 | el0_svc_handler+0x2c/0xa0 | el0_svc+0x8/0x200 To fix this issue, keep the table->data as &insn->current_mode and use container_of() to retrieve the insn pointer. Another mutex is used to protect against the current_mode update but not for retrieving insn_emulation as table->data is no longer changing. Co-developed-by: Nhewenliang <hewenliang4@huawei.com> Signed-off-by: Nhewenliang <hewenliang4@huawei.com> Signed-off-by: NHaibin Zhang <haibinzhang@tencent.com> Reviewed-by: NCatalin Marinas <catalin.marinas@arm.com> Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.comSigned-off-by: NWill Deacon <will@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: Nruanjinjie <ruanjinjie@huawei.com> Reviewed-by: NZhang Jianhua <chris.zjh@huawei.com> Reviewed-by: NLiao Chang <liaochang1@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Johannes Berg 提交于
stable inclusion from stable-v5.10.148 commit b0e5c5deb7880be5b8a459d584e13e1f9879d307 category: bugfix bugzilla: 187803 CVE: CVE-2022-42721 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b0e5c5deb7880be5b8a459d584e13e1f9879d307 -------------------------------- commit bcca8520 upstream. If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS. This fixes CVE-2022-42721. Reported-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: NJohannes Berg <johannes.berg@intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NBaisong Zhong <zhongbaisong@huawei.com> Reviewed-by: NLiu Jian <liujian56@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Zhang Yi 提交于
mainline inclusion from mainline-v6.1-rc1 commit 0b73284c category: bugfix bugzilla: 187414, https://gitee.com/openeuler/kernel/issues/I5W498 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b73284c564d3ae4feef4bc920292f004acf4980 -------------------------------- Recently we notice that ext4 filesystem would occasionally fail to read metadata from disk and report error message, but the disk and block layer looks fine. After analyse, we lockon commit 88dbcbb3 ("blkdev: avoid migration stalls for blkdev pages"). It provide a migration method for the bdev, we could move page that has buffers without extra users now, but it lock the buffers on the page, which breaks the fragile metadata read operation on ext4 filesystem, ext4_read_bh_lock() was copied from ll_rw_block(), it depends on the assumption of that locked buffer means it is under IO. So it just trylock the buffer and skip submit IO if it lock failed, after wait_on_buffer() we conclude IO error because the buffer is not uptodate. This issue could be easily reproduced by add some delay just after buffer_migrate_lock_buffers() in __buffer_migrate_folio() and do fsstress on ext4 filesystem. EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #73193: comm fsstress: reading directory lblock 0 EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #75334: comm fsstress: reading directory lblock 0 Fix it by removing the trylock logic in ext4_read_bh_lock(), just lock the buffer and submit IO if it's not uptodate, and also leave over readahead helper. Cc: stable@kernel.org Signed-off-by: NZhang Yi <yi.zhang@huawei.com> Reviewed-by: NJan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20220831074629.3755110-1-yi.zhang@huawei.comSigned-off-by: NTheodore Ts'o <tytso@mit.edu> Conflict: fs/ext4/super.c Signed-off-by: NZhang Yi <yi.zhang@huawei.com> Reviewed-by: NZhihao Cheng <chengzhihao1@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 David Ahern 提交于
maillist inclusion category: bugfix bugzilla: 18774, https://gitee.com/src-openeuler/kernel/issues/I5UJIE CVE: CVE-2022-3435 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=61b91eb33a69c3be11b259c5ea484505cd79f883 -------------------------------- Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to be deleted route contains a multipath spec while the fib_info is using a nexthop object. Fixes: 493ced1a ("ipv4: Allow routes to use nexthop objects") Fixes: 6bf92d70 ("net: ipv4: fix route with nexthop object delete warning") Reported-by: NGwangun Jung <exsociety@gmail.com> Signed-off-by: NDavid Ahern <dsahern@kernel.org> Reviewed-by: NIdo Schimmel <idosch@nvidia.com> Tested-by: NIdo Schimmel <idosch@nvidia.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Hyunwoo Kim 提交于
mainline inclusion from mainline-v6.1-rc1 commit cacdb14b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5U1PE CVE: CVE-2022-41850 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cacdb14b1c8d3804a3a7d31773bc7569837b71a4 -------------------------------- roccat_report_event() is responsible for registering roccat-related reports in struct roccat_device. int roccat_report_event(int minor, u8 const *data) { struct roccat_device *device; struct roccat_reader *reader; struct roccat_report *report; uint8_t *new_value; device = devices[minor]; new_value = kmemdup(data, device->report_size, GFP_ATOMIC); if (!new_value) return -ENOMEM; report = &device->cbuf[device->cbuf_end]; /* passing NULL is safe */ kfree(report->value); ... The registered report is stored in the struct roccat_device member "struct roccat_report cbuf[ROCCAT_CBUF_SIZE];". If more reports are received than the "ROCCAT_CBUF_SIZE" value, kfree() the saved report from cbuf[0] and allocates a new reprot. Since there is no lock when this kfree() is performed, kfree() can be performed even while reading the saved report. static ssize_t roccat_read(struct file *file, char __user *buffer, size_t count, loff_t *ppos) { struct roccat_reader *reader = file->private_data; struct roccat_device *device = reader->device; struct roccat_report *report; ssize_t retval = 0, len; DECLARE_WAITQUEUE(wait, current); mutex_lock(&device->cbuf_lock); ... report = &device->cbuf[reader->cbuf_start]; /* * If report is larger than requested amount of data, rest of report * is lost! */ len = device->report_size > count ? count : device->report_size; if (copy_to_user(buffer, report->value, len)) { retval = -EFAULT; goto exit_unlock; } ... The roccat_read() function receives the device->cbuf report and delivers it to the user through copy_to_user(). If the N+ROCCAT_CBUF_SIZE th report is received while copying of the Nth report->value is in progress, the pointer that copy_to_user() is working on is kfree()ed and UAF read may occur. (race condition) Since the device node of this driver does not set separate permissions, this is not a security vulnerability, but because it is used for requesting screen display of profile or dpi settings, a user using the roccat device can apply udev to this device node or There is a possibility to use it by giving. Signed-off-by: NHyunwoo Kim <imv4bel@gmail.com> Signed-off-by: NJiri Kosina <jkosina@suse.cz> Signed-off-by: NCai Xinchen <caixinchen1@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com> Reviewed-by: NGUO Zihua <guozihua@huawei.com> Reviewed-by: NGONG Ruiqi <gongruiqi1@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Johannes Berg 提交于
stable inclusion from stable-v5.10.148 commit 6b944845031356f3e0c0f6695f9252a8ddc8b02f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5VM7D?from=project-issue CVE: CVE-2022-42720 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b944845031356f3e0c0f6695f9252a8ddc8b02f -------------------------------- commit 0b780881 upstream. There are multiple refcounting bugs related to multi-BSSID: - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro. - In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data. - In cfg80211_inform_single_bss_data(), if adding to the non- transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there. This fixes CVE-2022-42720. Reported-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: NSönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: a3584f56 ("cfg80211: Properly track transmitting and non-transmitting BSS") Signed-off-by: NJohannes Berg <johannes.berg@intel.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ma Wupeng 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5JT6V CVE: NA -------------------------------- In order to fix CVE-2022-42703, degree in struct anon_vma is splited into two variables(num_children, num_active_vmas) and this will lead to broken kabi. Since struct anon_vma is only used by mm module and referenced by other struct as pointers. So we can ignore this kabi change warning. For variable degree in struct anon_vma, previous patch has already delete this but this will lead to kabi change. Add it back at the same position with KABI_DEPRECATE. For variables(num_children, num_active_vmas), add them at the end of struct anon_vma with KABI_EXTEND. Signed-off-by: NMa Wupeng <mawupeng1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Jann Horn 提交于
stable inclusion from stable-v5.10.141 commit 98f401d36396134c0c86e9e3bd00b6b6b028b521 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5USOP CVE: CVE-2022-42703 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=98f401d36396134c0c86e9e3bd00b6b6b028b521 -------------------------------- commit 2555283e upstream. anon_vma->degree tracks the combined number of child anon_vmas and VMAs that use the anon_vma as their ->anon_vma. anon_vma_clone() then assumes that for any anon_vma attached to src->anon_vma_chain other than src->anon_vma, it is impossible for it to be a leaf node of the VMA tree, meaning that for such VMAs ->degree is elevated by 1 because of a child anon_vma, meaning that if ->degree equals 1 there are no VMAs that use the anon_vma as their ->anon_vma. This assumption is wrong because the ->degree optimization leads to leaf nodes being abandoned on anon_vma_clone() - an existing anon_vma is reused and no new parent-child relationship is created. So it is possible to reuse an anon_vma for one VMA while it is still tied to another VMA. This is an issue because is_mergeable_anon_vma() and its callers assume that if two VMAs have the same ->anon_vma, the list of anon_vmas attached to the VMAs is guaranteed to be the same. When this assumption is violated, vma_merge() can merge pages into a VMA that is not attached to the corresponding anon_vma, leading to dangling page->mapping pointers that will be dereferenced during rmap walks. Fix it by separately tracking the number of child anon_vmas and the number of VMAs using the anon_vma as their ->anon_vma. Fixes: 7a3ef208 ("mm: prevent endless growth of anon_vma hierarchy") Cc: stable@kernel.org Acked-by: NMichal Hocko <mhocko@suse.com> Acked-by: NVlastimil Babka <vbabka@suse.cz> Signed-off-by: NJann Horn <jannh@google.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NMa Wupeng <mawupeng1@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Andrey Konovalov 提交于
mainline inclusion from mainline-v6.1-rc1 commit ca77f290 category: bugfix bugzilla: 187796, https://gitee.com/openeuler/kernel/issues/I5W6YV CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca77f290cff1dfa095d71ae16cc7cda8ee6df495 -------------------------------- Patch series "kasan: switch tag-based modes to stack ring from per-object metadata", v3. This series makes the tag-based KASAN modes use a ring buffer for storing stack depot handles for alloc/free stack traces for slab objects instead of per-object metadata. This ring buffer is referred to as the stack ring. On each alloc/free of a slab object, the tagged address of the object and the current stack trace are recorded in the stack ring. On each bug report, if the accessed address belongs to a slab object, the stack ring is scanned for matching entries. The newest entries are used to print the alloc/free stack traces in the report: one entry for alloc and one for free. The advantages of this approach over storing stack trace handles in per-object metadata with the tag-based KASAN modes: - Allows to find relevant stack traces for use-after-free bugs without using quarantine for freed memory. (Currently, if the object was reallocated multiple times, the report contains the latest alloc/free stack traces, not necessarily the ones relevant to the buggy allocation.) - Allows to better identify and mark use-after-free bugs, effectively making the CONFIG_KASAN_TAGS_IDENTIFY functionality always-on. - Has fixed memory overhead. The disadvantage: - If the affected object was allocated/freed long before the bug happened and the stack trace events were purged from the stack ring, the report will have no stack traces. Discussion ========== The proposed implementation of the stack ring uses a single ring buffer for the whole kernel. This might lead to contention due to atomic accesses to the ring buffer index on multicore systems. At this point, it is unknown whether the performance impact from this contention would be significant compared to the slowdown introduced by collecting stack traces due to the planned changes to the latter part, see the section below. For now, the proposed implementation is deemed to be good enough, but this might need to be revisited once the stack collection becomes faster. A considered alternative is to keep a separate ring buffer for each CPU and then iterate over all of them when printing a bug report. This approach requires somehow figuring out which of the stack rings has the freshest stack traces for an object if multiple stack rings have them. Further plans ============= This series is a part of an effort to make KASAN stack trace collection suitable for production. This requires stack trace collection to be fast and memory-bounded. The planned steps are: 1. Speed up stack trace collection (potentially, by using SCS; patches on-hold until steps #2 and #3 are completed). 2. Keep stack trace handles in the stack ring (this series). 3. Add a memory-bounded mode to stack depot or provide an alternative memory-bounded stack storage. 4. Potentially, implement stack trace collection sampling to minimize the performance impact. This patch (of 34): __kasan_metadata_size() calculates the size of the redzone for objects in a slab cache. When accounting for presence of kasan_free_meta in the redzone, this function only compares free_meta_offset with 0. But free_meta_offset could also be equal to KASAN_NO_FREE_META, which indicates that kasan_free_meta is not present at all. Add a comparison with KASAN_NO_FREE_META into __kasan_metadata_size(). Link: https://lkml.kernel.org/r/cover.1662411799.git.andreyknvl@google.com Link: https://lkml.kernel.org/r/c7b316d30d90e5947eb8280f4dc78856a49298cf.1662411799.git.andreyknvl@google.comSigned-off-by: NAndrey Konovalov <andreyknvl@google.com> Reviewed-by: NMarco Elver <elver@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Evgenii Stepanov <eugenis@google.com> Cc: Peter Collingbourne <pcc@google.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Andrey Konovalov 提交于
mainline inclusion from mainline-v5.11-rc1 commit 97593cad category: bugfix bugzilla: 187796, https://gitee.com/openeuler/kernel/issues/I5W6YV CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=97593cad003c668e2532cb2939a24a031f8de52d -------------------------------- KASAN marks caches that are sanitized with the SLAB_KASAN cache flag. Currently if the metadata that is appended after the object (stores e.g. stack trace ids) doesn't fit into KMALLOC_MAX_SIZE (can only happen with SLAB, see the comment in the patch), KASAN turns off sanitization completely. With this change sanitization of the object data is always enabled. However the metadata is only stored when it fits. Instead of checking for SLAB_KASAN flag accross the code to find out whether the metadata is there, use cache->kasan_info.alloc/free_meta_offset. As 0 can be a valid value for free_meta_offset, introduce KASAN_NO_FREE_META as an indicator that the free metadata is missing. Without this change all sanitized KASAN objects would be put into quarantine with generic KASAN. With this change, only the objects that have metadata (i.e. when it fits) are put into quarantine, the rest is freed right away. Along the way rework __kasan_cache_create() and add claryfying comments. Link: https://lkml.kernel.org/r/aee34b87a5e4afe586c2ac6a0b32db8dc4dcc2dc.1606162397.git.andreyknvl@google.com Link: https://linux-review.googlesource.com/id/Icd947e2bea054cb5cfbdc6cf6652227d97032dcbCo-developed-by: NVincenzo Frascino <Vincenzo.Frascino@arm.com> Signed-off-by: NVincenzo Frascino <Vincenzo.Frascino@arm.com> Signed-off-by: NAndrey Konovalov <andreyknvl@google.com> Reviewed-by: NMarco Elver <elver@google.com> Tested-by: NVincenzo Frascino <vincenzo.frascino@arm.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Branislav Rankov <Branislav.Rankov@arm.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Evgenii Stepanov <eugenis@google.com> Cc: Kevin Brodsky <kevin.brodsky@arm.com> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Conflicts: mm/kasan/common.c mm/kasan/hw_tags.c mm/kasan/kasan.h mm/kasan/quarantine.c mm/kasan/report.c mm/kasan/report_sw_tags.c mm/kasan/sw_tags.c Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Andrey Konovalov 提交于
mainline inclusion from mainline-v5.11-rc1 commit 8bb0009b category: bugfix bugzilla: 187796, https://gitee.com/openeuler/kernel/issues/I5W6YV CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8bb0009b19465da5a0cd394b5a6ccc2eaf418f23 -------------------------------- Add set_alloc_info() helper and move kasan_set_track() into it. This will simplify the code for one of the upcoming changes. No functional changes. Link: https://lkml.kernel.org/r/b2393e8f1e311a70fc3aaa2196461b6acdee7d21.1606162397.git.andreyknvl@google.com Link: https://linux-review.googlesource.com/id/I0316193cbb4ecc9b87b7c2eee0dd79f8ec908c1aSigned-off-by: NAndrey Konovalov <andreyknvl@google.com> Reviewed-by: NDmitry Vyukov <dvyukov@google.com> Reviewed-by: NMarco Elver <elver@google.com> Tested-by: NVincenzo Frascino <vincenzo.frascino@arm.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Branislav Rankov <Branislav.Rankov@arm.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Evgenii Stepanov <eugenis@google.com> Cc: Kevin Brodsky <kevin.brodsky@arm.com> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Andrey Konovalov 提交于
mainline inclusion from mainline-v5.11-rc1 commit 6476792f category: bugfix bugzilla: 187796, https://gitee.com/openeuler/kernel/issues/I5W6YV CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6476792f1015a356e6864076c210b328b64d08cc -------------------------------- Rename get_alloc_info() and get_free_info() to kasan_get_alloc_meta() and kasan_get_free_meta() to better reflect what those do and avoid confusion with kasan_set_free_info(). No functional changes. Link: https://lkml.kernel.org/r/27b7c036b754af15a2839e945f6d8bfce32b4c2f.1606162397.git.andreyknvl@google.com Link: https://linux-review.googlesource.com/id/Ib6e4ba61c8b12112b403d3479a9799ac8fff8de1Signed-off-by: NAndrey Konovalov <andreyknvl@google.com> Reviewed-by: NDmitry Vyukov <dvyukov@google.com> Reviewed-by: NMarco Elver <elver@google.com> Tested-by: NVincenzo Frascino <vincenzo.frascino@arm.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Branislav Rankov <Branislav.Rankov@arm.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Evgenii Stepanov <eugenis@google.com> Cc: Kevin Brodsky <kevin.brodsky@arm.com> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Will Deacon <will.deacon@arm.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Conflicts: mm/kasan/generic.c mm/kasan/quarantine.c mm/kasan/report.c mm/kasan/report_sw_tags.c mm/kasan/sw_tags.c Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Andrey Konovalov 提交于
mainline inclusion from mainline-v5.11-rc1 commit c696de9f category: bugfix bugzilla: 187796, https://gitee.com/openeuler/kernel/issues/I5W6YV CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c696de9f12b7ddeddc05d378fc4dc0f66e9a8c95 -------------------------------- Patch series "kasan: boot parameters for hardware tag-based mode", v4. === Overview Hardware tag-based KASAN mode [1] is intended to eventually be used in production as a security mitigation. Therefore there's a need for finer control over KASAN features and for an existence of a kill switch. This patchset adds a few boot parameters for hardware tag-based KASAN that allow to disable or otherwise control particular KASAN features, as well as provides some initial optimizations for running KASAN in production. There's another planned patchset what will further optimize hardware tag-based KASAN, provide proper benchmarking and tests, and will fully enable tag-based KASAN for production use. Hardware tag-based KASAN relies on arm64 Memory Tagging Extension (MTE) [2] to perform memory and pointer tagging. Please see [3] and [4] for detailed analysis of how MTE helps to fight memory safety problems. The features that can be controlled are: 1. Whether KASAN is enabled at all. 2. Whether KASAN collects and saves alloc/free stacks. 3. Whether KASAN panics on a detected bug or not. The patch titled "kasan: add and integrate kasan boot parameters" of this series adds a few new boot parameters. kasan.mode allows to choose one of three main modes: - kasan.mode=off - KASAN is disabled, no tag checks are performed - kasan.mode=prod - only essential production features are enabled - kasan.mode=full - all KASAN features are enabled The chosen mode provides default control values for the features mentioned above. However it's also possible to override the default values by providing: - kasan.stacktrace=off/on - enable stacks collection (default: on for mode=full, otherwise off) - kasan.fault=report/panic - only report tag fault or also panic (default: report) If kasan.mode parameter is not provided, it defaults to full when CONFIG_DEBUG_KERNEL is enabled, and to prod otherwise. It is essential that switching between these modes doesn't require rebuilding the kernel with different configs, as this is required by the Android GKI (Generic Kernel Image) initiative. === Benchmarks For now I've only performed a few simple benchmarks such as measuring kernel boot time and slab memory usage after boot. There's an upcoming patchset which will optimize KASAN further and include more detailed benchmarking results. The benchmarks were performed in QEMU and the results below exclude the slowdown caused by QEMU memory tagging emulation (as it's different from the slowdown that will be introduced by hardware and is therefore irrelevant). KASAN_HW_TAGS=y + kasan.mode=off introduces no performance or memory impact compared to KASAN_HW_TAGS=n. kasan.mode=prod (manually excluding tagging) introduces 3% of performance and no memory impact (except memory used by hardware to store tags) compared to kasan.mode=off. kasan.mode=full has about 40% performance and 30% memory impact over kasan.mode=prod. Both come from alloc/free stack collection. === Notes This patchset is available here: https://github.com/xairy/linux/tree/up-boot-mte-v4 This patchset is based on v11 of "kasan: add hardware tag-based mode for arm64" patchset [1]. For testing in QEMU hardware tag-based KASAN requires: 1. QEMU built from master [6] (use "-machine virt,mte=on -cpu max" arguments to run). 2. GCC version 10. [1] https://lore.kernel.org/linux-arm-kernel/cover.1606161801.git.andreyknvl@google.com/T/#t [2] https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/enhancing-memory-safety [3] https://arxiv.org/pdf/1802.09517.pdf [4] https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf [5] https://source.android.com/devices/architecture/kernel/generic-kernel-image [6] https://github.com/qemu/qemu === Tags Tested-by: NVincenzo Frascino <vincenzo.frascino@arm.com> This patch (of 19): Move get_free_info() call into quarantine_put() to simplify the call site. No functional changes. Link: https://lkml.kernel.org/r/cover.1606162397.git.andreyknvl@google.com Link: https://lkml.kernel.org/r/312d0a3ef92cc6dc4fa5452cbc1714f9393ca239.1606162397.git.andreyknvl@google.com Link: https://linux-review.googlesource.com/id/Iab0f04e7ebf8d83247024b7190c67c3c34c7940fSigned-off-by: NAndrey Konovalov <andreyknvl@google.com> Reviewed-by: NDmitry Vyukov <dvyukov@google.com> Reviewed-by: NMarco Elver <elver@google.com> Tested-by: NVincenzo Frascino <vincenzo.frascino@arm.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will.deacon@arm.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Alexander Potapenko <glider@google.com> Cc: Evgenii Stepanov <eugenis@google.com> Cc: Branislav Rankov <Branislav.Rankov@arm.com> Cc: Kevin Brodsky <kevin.brodsky@arm.com> Cc: Vasily Gorbik <gor@linux.ibm.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Wangming Shao 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5VGP3 ----------------------------------------------------------------- Add compilation settings for the hisi_ptt module. Signed-off-by: NWangming Shao <shaowangming@h-partners.com> Reviewed-by: NYicong Yang <yangyicong@huawei.com> Reviewed-by: NChao Liu <liuchao173@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Luoyouming 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5USIG ---------------------------------------------------------- Enable the CQEIE field and configure the CQEIS field of QPC. And add compatibility handling. Signed-off-by: NLuoyouming <luoyouming@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYueHaibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Luoyouming 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5USIG ---------------------------------------------------------- The rq inline only use in userspace, and it should enable in RTR status. Added compatibility processing between different user space and kernel space. Signed-off-by: NLuoyouming <luoyouming@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYueHaibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Luoyouming 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5USIG ---------------------------------------------------------- Modify the sge num calculation algorithm when creating qp. The value of the sge-num takes the maximum value calculated by the parameter max_send_sge or parameter max_inline_data set by the user.In the sq inline mode, the following 2 cases will use extended sge: 1)UD: payload bytes more than 8 2)RC/XRC: payload bytes more than 32 Fixes:05201e01("RDMA/hns: Refactor process of setting extended sge") Fixes:30b70788("RDMA/hns: Support inline data in extented sge space for RC") Signed-off-by: NLuoyouming <luoyouming@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYueHaibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Luoyouming 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5USIG ----------------------------------------------------------- The max_gs is the sum of extended sge and standard sge. In function fill_ext_sge_inl_data, max_gs does not subtract the number of extended sges, but is directly used to calculate the size of extended sges. Signed-off-by: NLuoyouming <luoyouming@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYueHaibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Luoyouming 提交于
driver inclusion category: cleanup bugzilla: https://gitee.com/openeuler/kernel/issues/I5USIG ----------------------------------------------------------- The sge size is known to be constant, so it's unnecessary to use sizeof to calculate. Fixes: 30b70788 ("RDMA/hns: Support inline data in extented sge space for RC") Signed-off-by: NLuoyouming <luoyouming@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYueHaibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Zhiqi Song 提交于
mainline inclusion from mainline-v6.1-rc1 commit d310dc25 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5T7AD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d310dc2554a5296a338f974d2b4e4f9af2687558 ---------------------------------------------------------------------- The value of qm algorithm can change dynamically according to the value of the capability register. Add xxx_set_qm_algs() function to obtain the algs that the hardware device supported from the capability register and set them into usr mode attribute files. Signed-off-by: NZhiqi Song <songzhiqi1@huawei.com> Signed-off-by: NWenkai Lin <linwenkai6@hisilicon.com> Signed-off-by: NWeili Qian <qianweili@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NJiangshui Yang <yangjiangshui@h-partners.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYang Shen <shenyang39@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Wenkai Lin 提交于
mainline inclusion from mainline-v6.1-rc1 commit 921715b6 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5T7AD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=921715b6b7827157bba6e8153d7a09774b0d034f ---------------------------------------------------------------------- Add function 'sec_get_alg_bitmap' to get hardware algorithm bitmap before register algorithm to crypto, instead of determining whether to register an algorithm based on hardware platform's version. Signed-off-by: NWenkai Lin <linwenkai6@hisilicon.com> Signed-off-by: NWeili Qian <qianweili@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NJiangshui Yang <yangjiangshui@h-partners.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYang Shen <shenyang39@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Weili Qian 提交于
mainline inclusion from mainline-v6.1-rc1 commit db700974 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5T7AD CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=db700974b69d2c12a8fe84c45820892416a1e265 ---------------------------------------------------------------------- Add function 'hisi_zip_alg_support' to get device configuration information from capability registers, instead of determining whether to register an algorithm based on hardware platform's version. Signed-off-by: NWeili Qian <qianweili@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NJiangshui Yang <yangjiangshui@h-partners.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYang Shen <shenyang39@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-