stable inclusion
from stable-v5.10.190
commit b4256c99a7116c9514224847e8aaee2ecf110a0a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7SAP1
CVE: CVE-2023-4128

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b4256c99a7116c9514224847e8aaee2ecf110a0a

---------------------------

[ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ]

When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.

This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.

Fix this by no longer copying the tcf_result struct from the old filter.

Fixes: de5df632 ("net: sched: cls_u32 changes to knode must appear atomic to readers")
Reported-by: Nvalis <sec@valis.email>
Reported-by: NM A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: Nvalis <sec@valis.email>
Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: NVictor Nogueira <victor@mojatatu.com>
Reviewed-by: NPedro Tammela <pctammela@mojatatu.com>
Reviewed-by: NM A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NLiu Jian <liujian56@huawei.com>
(cherry picked from commit 3b77be79)

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1742 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TVEUUECSYUEZXJBL5E4A2HVG6OUZVDZZ/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7QE3L 
 
Link:https://gitee.com/openeuler/kernel/pulls/1756 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1749 
 
PR sync from: Yang Jihong <yangjihong1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TUHOROYESBXPQZYAJ6NRZKRHEBFESGHK/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7QE3F 
 
Link:https://gitee.com/openeuler/kernel/pulls/1763 

Reviewed-by: Xu Kuohai <xukuohai@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1657 
 
PR sync from: Ruan Jinjie <ruanjinjie@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/DMKZQARD2PWAP2YXIKY6D454ZNKTEVT3/ 
Backport CVE-2023-4132 fix commits.

Duoming Zhou (2):
  media: usb: siano: Fix use after free bugs caused by do_submit_urb
  media: usb: siano: Fix warning due to null work_func_t function
    pointer


-- 
2.34.1
 
https://gitee.com/openeuler/kernel/issues/I7QTMZ 
 
Link:https://gitee.com/openeuler/kernel/pulls/1668 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.5-rc1
commit dbe836576f12743a7d2d170ad4ad4fd324c4d47a
category: feature
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QE3F
CVE: CVE-2023-4134

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dbe836576f12743a7d2d170ad4ad4fd324c4d47a

--------------------------------

The watchdog_timer can schedule tx_timeout_task and watchdog_work
can also arm watchdog_timer. The process is shown below:

----------- timer schedules work ------------
cyttsp4_watchdog_timer() //timer handler
  schedule_work(&cd->watchdog_work)

----------- work arms timer ------------
cyttsp4_watchdog_work() //workqueue callback function
  cyttsp4_start_wd_timer()
    mod_timer(&cd->watchdog_timer, ...)

Although del_timer_sync() and cancel_work_sync() are called in
cyttsp4_remove(), the timer and workqueue could still be rearmed.
As a result, the possible use after free bugs could happen. The
process is shown below:

  (cleanup routine)           |  (timer and workqueue routine)
cyttsp4_remove()              | cyttsp4_watchdog_timer() //timer
  cyttsp4_stop_wd_timer()     |   schedule_work()
    del_timer_sync()          |
                              | cyttsp4_watchdog_work() //worker
                              |   cyttsp4_start_wd_timer()
                              |     mod_timer()
    cancel_work_sync()        |
                              | cyttsp4_watchdog_timer() //timer
                              |   schedule_work()
    del_timer_sync()          |
  kfree(cd) //FREE            |
                              | cyttsp4_watchdog_work() // reschedule!
                              |   cd-> //USE

This patch changes del_timer_sync() to timer_shutdown_sync(),
which could prevent rearming of the timer from the workqueue.

Fixes: 17fb1563 ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices")
Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@zju.edu.cnSigned-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: NYang Jihong <yangjihong1@huawei.com>
(cherry picked from commit 717e1ea8)

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1737 
 
PR sync from: Li Nan <linan122@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BK3WNMWIWF7LUE5WR6V4SB366MLOBVAY/ 
 
https://gitee.com/openeuler/kernel/issues/I7SVRC 
 
Link:https://gitee.com/openeuler/kernel/pulls/1753 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.3-rc1
commit e50b9b9e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QE3L
CVE: CVE-2023-4133

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e50b9b9e8610d47b7c22529443e45a16b1ea3a15

--------------------------------

The flower_stats_timer can schedule flower_stats_work and
flower_stats_work can also arm the flower_stats_timer. The
process is shown below:

----------- timer schedules work ------------
ch_flower_stats_cb() //timer handler
  schedule_work(&adap->flower_stats_work);

----------- work arms timer ------------
ch_flower_stats_handler() //workqueue callback function
  mod_timer(&adap->flower_stats_timer, ...);

When the cxgb4 device is detaching, the timer and workqueue
could still be rearmed. The process is shown below:

  (cleanup routine)           | (timer and workqueue routine)
remove_one()                  |
  free_some_resources()       | ch_flower_stats_cb() //timer
    cxgb4_cleanup_tc_flower() |   schedule_work()
      del_timer_sync()        |
                              | ch_flower_stats_handler() //workqueue
                              |   mod_timer()
      cancel_work_sync()      |
  kfree(adapter) //FREE       | ch_flower_stats_cb() //timer
                              |   adap->flower_stats_work //USE

This patch changes del_timer_sync() to timer_shutdown_sync(),
which could prevent rearming of the timer from the workqueue.

Fixes: e0f911c8 ("cxgb4: fetch stats for offloaded tc flower flows")
Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20230415081227.7463-1-duoming@zju.edu.cnSigned-off-by: NPaolo Abeni <pabeni@redhat.com>
Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
(cherry picked from commit 6ff4dd3f)

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1727 
 
PR sync from: Yu Liao <liaoyu15@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/N7DVTGONEIVDI2GITMMBE6T4J2YVA4WH/ 
timer_shutdown_sync() function is useful for final teardown of an
infrastructure where the timer is subject to a circular dependency
problem.

A common pattern for this is a timer and a workqueue where the timer can
schedule work and work can arm the timer. On shutdown the workqueue must
be destroyed and the timer must be prevented from rearming. Unless the
code has conditionals like 'if (mything->in_shutdown)' to prevent that
there is no way to get this correct with timer_delete_sync().

timer_shutdown_sync() is solving the problem. The correct ordering of
calls in this case is:

 timer_shutdown_sync(&mything->timer);
 workqueue_destroy(&mything->workqueue);

After this 'mything' can be safely freed.

Steven Rostedt (Google) (3):
  ARM: spear: Do not use timer namespace for timer_shutdown() function
  clocksource/drivers/arm_arch_timer: Do not use timer namespace for
    timer_shutdown() function
  clocksource/drivers/sp804: Do not use timer namespace for
    timer_shutdown() function

Thomas Gleixner (10):
  timers: Get rid of del_singleshot_timer_sync()
  timers: Replace BUG_ON()s
  timers: Update kernel-doc for various functions
  timers: Use del_timer_sync() even on UP
  timers: Rename del_timer_sync() to timer_delete_sync()
  timers: Rename del_timer() to timer_delete()
  timers: Silently ignore timers with a NULL function
  timers: Add shutdown mechanism to the internal functions
  timers: Provide timer_shutdown[_sync]()

Yu Liao (2):
  sw64: Do not use timer namespace for timer_shutdown() function
  timers: Keep del_timer[_sync]() exported


-- 
2.25.1
 
https://gitee.com/openeuler/kernel/issues/I7R8WG 
 
Link:https://gitee.com/openeuler/kernel/pulls/1744 

Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

!1731 [sync] PR-1713:  netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1713 
 
PR sync from: Lu Wei <luwei32@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/SGMAG5EQTBM4R4SFB5KR5GIRFLPCZIQP/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7QG0U 
 
Link:https://gitee.com/openeuler/kernel/pulls/1731 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.5-rc1
commit 98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8
category: bugfix
bugzilla: 189112, https://gitee.com/openeuler/kernel/issues/I7SVRC
CVE: CVE-2023-3867

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8

----------------------------------------------------------------------

ksmbd does not consider the case of that smb2 session setup is
in compound request. If this is the second payload of the compound,
OOB read issue occurs while processing the first payload in
the smb2_sess_setup().

Cc: stable@vger.kernel.org
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21355
Signed-off-by: NNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: NSteve French <stfrench@microsoft.com>
Signed-off-by: NLi Nan <linan122@huawei.com>
(cherry picked from commit 6a896802)

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

--------------------------------

A previous commit made del_timer[_sync]() obsolete and unexported, which
caused kabi to break. So making del_timer[_sync]() exported, the same as
before.
Signed-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit ec2d781a)

mainline inclusion
from mainline-v6.2-rc1
commit f571faf6
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f571faf6e443b6011ccb585d57866177af1f643c

--------------------------------

Tearing down timers which have circular dependencies to other
functionality, e.g. workqueues, where the timer can schedule work and work
can arm timers, is not trivial.

In those cases it is desired to shutdown the timer in a way which prevents
rearming of the timer. The mechanism to do so is to set timer->function to
NULL and use this as an indicator for the timer arming functions to ignore
the (re)arm request.

Expose new interfaces for this: timer_shutdown_sync() and timer_shutdown().

timer_shutdown_sync() has the same functionality as timer_delete_sync()
plus the NULL-ification of the timer function.

timer_shutdown() has the same functionality as timer_delete() plus the
NULL-ification of the timer function.

In both cases the rearming of the timer is prevented by silently discarding
rearm attempts due to timer->function being NULL.
Co-developed-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/20221123201625.314230270@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 4bf511b4)

mainline inclusion
from mainline-v6.2-rc1
commit 0cc04e80
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cc04e80458a822300b93f82ed861a513edde194

--------------------------------

Tearing down timers which have circular dependencies to other
functionality, e.g. workqueues, where the timer can schedule work and work
can arm timers, is not trivial.

In those cases it is desired to shutdown the timer in a way which prevents
rearming of the timer. The mechanism to do so is to set timer->function to
NULL and use this as an indicator for the timer arming functions to ignore
the (re)arm request.

Add a shutdown argument to the relevant internal functions which makes the
actual deactivation code set timer->function to NULL which in turn prevents
rearming of the timer.
Co-developed-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/20221123201625.253883224@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 8555e7d6)

mainline inclusion
from mainline-v6.2-rc1
commit 8553b5f2
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8553b5f2774a66b1f293b7d783934210afb8f23c

--------------------------------

Tearing down timers which have circular dependencies to other
functionality, e.g. workqueues, where the timer can schedule work and work
can arm timers, is not trivial.

In those cases it is desired to shutdown the timer in a way which prevents
rearming of the timer. The mechanism to do so is to set timer->function to
NULL and use this as an indicator for the timer arming functions to ignore
the (re)arm request.

Split the inner workings of try_do_del_timer_sync(), del_timer_sync() and
del_timer() into helper functions to prepare for implementing the shutdown
functionality.

No functional change.
Co-developed-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/20221123201625.195147423@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 7913b067)

mainline inclusion
from mainline-v6.2-rc1
commit d02e382c
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d02e382cef06cc73561dd32dfdc171c00dcc416d

--------------------------------

Tearing down timers which have circular dependencies to other
functionality, e.g. workqueues, where the timer can schedule work and work
can arm timers, is not trivial.

In those cases it is desired to shutdown the timer in a way which prevents
rearming of the timer. The mechanism to do so is to set timer->function to
NULL and use this as an indicator for the timer arming functions to ignore
the (re)arm request.

In preparation for that replace the warnings in the relevant code paths
with checks for timer->function == NULL. If the pointer is NULL, then
discard the rearm request silently.

Add debug_assert_init() instead of the WARN_ON_ONCE(!timer->function)
checks so that debug objects can warn about non-initialized timers.

The warning of debug objects does not warn if timer->function == NULL.  It
warns when timer was not initialized using timer_setup[_on_stack]() or via
DEFINE_TIMER(). If developers fail to enable debug objects and then waste
lots of time to figure out why their non-initialized timer is not firing,
they deserve it. Same for initializing a timer with a NULL function.
Co-developed-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/87wn7kdann.ffs@tglxSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit c84834f9)

mainline inclusion
from mainline-v6.2-rc1
commit bb663f0f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bb663f0f3c396c6d05f6c5eeeea96ced20ff112e

--------------------------------

The timer related functions do not have a strict timer_ prefixed namespace
which is really annoying.

Rename del_timer() to timer_delete() and provide del_timer()
as a wrapper. Document that del_timer() is not for new code.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NSteven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201625.015535022@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 37ba6517)

mainline inclusion
from mainline-v6.2-rc1
commit 9b13df3f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b13df3fb64ee95e2397585404e442afee2c7d4f

--------------------------------

The timer related functions do not have a strict timer_ prefixed namespace
which is really annoying.

Rename del_timer_sync() to timer_delete_sync() and provide del_timer_sync()
as a wrapper. Document that del_timer_sync() is not for new code.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NSteven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.954785441@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 3875c56a)

mainline inclusion
from mainline-v6.2-rc1
commit 168f6b6f
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=168f6b6ffbeec0b9333f3582e4cf637300858db5

--------------------------------

del_timer_sync() is assumed to be pointless on uniprocessor systems and can
be mapped to del_timer() because in theory del_timer() can never be invoked
while the timer callback function is executed.

This is not entirely true because del_timer() can be invoked from interrupt
context and therefore hit in the middle of a running timer callback.

Contrary to that del_timer_sync() is not allowed to be invoked from
interrupt context unless the affected timer is marked with TIMER_IRQSAFE.
del_timer_sync() has proper checks in place to detect such a situation.

Give up on the UP optimization and make del_timer_sync() unconditionally
available.
Co-developed-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home
Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org
Link: https://lore.kernel.org/r/20221123201624.888306160@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 39923cb6)

mainline inclusion
from mainline-v6.2-rc1
commit 14f043f1
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=14f043f1340bf30bc60af127bff39f55889fef26

--------------------------------

The kernel-doc of timer related functions is partially uncomprehensible
word salad. Rewrite it to make it useful.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.828703870@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit baff0f87)

mainline inclusion
from mainline-v6.2-rc1
commit 82ed6f7e
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82ed6f7ef58f9634fe4462dd721902c580f01569

--------------------------------

The timer code still has a few BUG_ON()s left which are crashing the kernel
in situations where it still can recover or simply refuse to take an
action.

Remove the one in the hotplug callback which checks for the CPU being
offline. If that happens then the whole hotplug machinery will explode in
colourful ways.

Replace the rest with WARN_ON_ONCE() and conditional returns where
appropriate.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit ebf38635)

mainline inclusion
from mainline-v6.2-rc1
commit 9a5a3056
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a5a305686971f4be10c6d7251c8348d74b3e014

--------------------------------

del_singleshot_timer_sync() used to be an optimization for deleting timers
which are not rearmed from the timer callback function.

This optimization turned out to be broken and got mapped to
del_timer_sync() about 17 years ago.

Get rid of the undocumented indirection and use del_timer_sync() directly.

No functional change.
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lore.kernel.org/r/20221123201624.706987932@linutronix.de

 Conflicts:
	net/sunrpc/xprt.c
Signed-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit fe99d43f)

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

--------------------------------

A new "shutdown" timer state is being added to the generic timer code. One
of the functions to change the timer into the state is called
"timer_shutdown()". This means that there can not be other functions
called "timer_shutdown()" as the timer code owns the "timer_*" name space.

Rename timer_shutdown() to sw64_timer_shutdown() to avoid this conflict.
Signed-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit d0f4c739)

mainline inclusion
from mainline-v6.2-rc1
commit 6e1fc259
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e1fc2591f116dfb20b65cf27356475461d61bd8

--------------------------------

A new "shutdown" timer state is being added to the generic timer code. One
of the functions to change the timer into the state is called
"timer_shutdown()". This means that there can not be other functions
called "timer_shutdown()" as the timer code owns the "timer_*" name space.

Rename timer_shutdown() to evt_timer_shutdown() to avoid this conflict.
Signed-off-by: NSteven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Link: https://lkml.kernel.org/r/20221106212702.182883323@goodmis.org
Link: https://lore.kernel.org/all/20221105060155.592778858@goodmis.org/
Link: https://lore.kernel.org/r/20221110064147.158230501@goodmis.org
Link: https://lore.kernel.org/r/20221123201624.634354813@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 3e0e7195)

mainline inclusion
from mainline-v6.2-rc1
commit 73737a58
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=73737a5833ace25a8408b0d3b783637cb6bf29d1

--------------------------------

A new "shutdown" timer state is being added to the generic timer code. One
of the functions to change the timer into the state is called
"timer_shutdown()". This means that there can not be other functions
called "timer_shutdown()" as the timer code owns the "timer_*" name space.

Rename timer_shutdown() to arch_timer_shutdown() to avoid this conflict.
Signed-off-by: NSteven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Acked-by: NMarc Zyngier <maz@kernel.org>
Link: https://lkml.kernel.org/r/20221106212702.002251651@goodmis.org
Link: https://lore.kernel.org/all/20221105060155.409832154@goodmis.org/
Link: https://lore.kernel.org/r/20221110064146.981725531@goodmis.org
Link: https://lore.kernel.org/r/20221123201624.574672568@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 2ebfa836)

mainline inclusion
from mainline-v6.2-rc1
commit 80b55772
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80b55772d41d8afec68dbc4ff0368a9fe5d1f390

--------------------------------

A new "shutdown" timer state is being added to the generic timer code. One
of the functions to change the timer into the state is called
"timer_shutdown()". This means that there can not be other functions called
"timer_shutdown()" as the timer code owns the "timer_*" name space.

Rename timer_shutdown() to spear_timer_shutdown() to avoid this conflict.
Signed-off-by: NSteven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: NThomas Gleixner <tglx@linutronix.de>
Tested-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NGuenter Roeck <linux@roeck-us.net>
Reviewed-by: NJacob Keller <jacob.e.keller@intel.com>
Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de>
Acked-by: NArnd Bergmann <arnd@arndb.de>
Acked-by: NViresh Kumar <viresh.kumar@linaro.org>
Link: https://lkml.kernel.org/r/20221106212701.822440504@goodmis.org
Link: https://lore.kernel.org/all/20221105060155.228348078@goodmis.org/
Link: https://lore.kernel.org/r/20221110064146.810953418@goodmis.org
Link: https://lore.kernel.org/r/20221123201624.513863211@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com>
(cherry picked from commit 0695f959)

Merge Pull Request from: @ddjsaiwqq 
 
Fix vcpu timer initialize, saved, restore and triggered functions.
As the previous code does not init vcpu timer, and the timer value
should add time value instead of ticks value to calculate the expire 
time when vcpu timer triggered.
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1617 

Reviewed-by: Kevin Zhu <zhukeqian1@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @ci-robot 
 
PR sync from: Yong Hu <yong.hu@windriver.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BYQKULLDBICIPTVMVEPZUOLO6E6W33GS/ 
 
https://gitee.com/openeuler/kernel/issues/I6D0XA 
 
Link:https://gitee.com/openeuler/kernel/pulls/1639 

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1711 
 
PR sync from: Zhengchao Shao <shaozhengchao@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/B3ZSS336JXNQSPFJCYBONSQZLLYXKGQ2/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7NYWN 
 
Link:https://gitee.com/openeuler/kernel/pulls/1714 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1604 
 
PR sync from: Ziyang Xuan <william.xuanziyang@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5LGGZAJFGQ7GMAJWNGCSQVWZZ2K26FKH/ 
Backport CVE-2023-3863 fix commits.

v2:
  - Resend the patchset.

Krzysztof Kozlowski (1):
  nfc: llcp: simplify llcp_sock_connect() error paths

Lin Ma (1):
  net: nfc: Fix use-after-free caused by nfc_llcp_find_local


-- 
2.25.1
 
https://gitee.com/src-openeuler/kernel/issues/I7NLJR 
 
Link:https://gitee.com/openeuler/kernel/pulls/1632 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.5-rc4
commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QG0U
CVE: CVE-2023-4147

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ebc1064e4874d5987722a2ddbc18f94aa53b211

--------------------------------

Bail out with EOPNOTSUPP when adding rule to bound chain via
NFTA_RULE_CHAIN_ID. The following warning splat is shown when
adding a rule to a deleted bound chain:

 WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
 CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1
 RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]

Fixes: d0e2c7de ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Reported-by: NKevin Rich <kevinrich1337@gmail.com>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NLu Wei <luwei32@huawei.com>
(cherry picked from commit a39007a6)

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1618 
 
LoongArch: fix the following configs not defined:
CONFIG_ZONE_DMA32
CONFIG_TRACE_IRQFLAGS_SUPPORT
CONFIG_HAVE_SETUP_PER_CPU_AREA
CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK
CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK 
 
Link:https://gitee.com/openeuler/kernel/pulls/1710 

Reviewed-by: Guo Dongtai <guodongtai@kylinos.cn> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

mainline inclusion
from mainline-v6.5-rc3
commit 00374d9b6d9f932802b55181be9831aa948e5b7c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NYWN
CVE: CVE-2023-3772

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00374d9b6d9f932802b55181be9831aa948e5b7c

--------------------------------

Normally, x->replay_esn and x->preplay_esn should be allocated at
xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
xfrm_update_ae_params(...) is okay to update them. However, the current
implementation of xfrm_new_ae(...) allows a malicious user to directly
dereference a NULL pointer and crash the kernel like below.

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774d #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
RIP: 0010:memcpy_orig+0xad/0x140
Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
RSP: 0018:ffff888008f57658 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
FS:  00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 ? __die+0x1f/0x70
 ? page_fault_oops+0x1e8/0x500
 ? __pfx_is_prefetch.constprop.0+0x10/0x10
 ? __pfx_page_fault_oops+0x10/0x10
 ? _raw_spin_unlock_irqrestore+0x11/0x40
 ? fixup_exception+0x36/0x460
 ? _raw_spin_unlock_irqrestore+0x11/0x40
 ? exc_page_fault+0x5e/0xc0
 ? asm_exc_page_fault+0x26/0x30
 ? xfrm_update_ae_params+0xd1/0x260
 ? memcpy_orig+0xad/0x140
 ? __pfx__raw_spin_lock_bh+0x10/0x10
 xfrm_update_ae_params+0xe7/0x260
 xfrm_new_ae+0x298/0x4e0
 ? __pfx_xfrm_new_ae+0x10/0x10
 ? __pfx_xfrm_new_ae+0x10/0x10
 xfrm_user_rcv_msg+0x25a/0x410
 ? __pfx_xfrm_user_rcv_msg+0x10/0x10
 ? __alloc_skb+0xcf/0x210
 ? stack_trace_save+0x90/0xd0
 ? filter_irq_stacks+0x1c/0x70
 ? __stack_depot_save+0x39/0x4e0
 ? __kasan_slab_free+0x10a/0x190
 ? kmem_cache_free+0x9c/0x340
 ? netlink_recvmsg+0x23c/0x660
 ? sock_recvmsg+0xeb/0xf0
 ? __sys_recvfrom+0x13c/0x1f0
 ? __x64_sys_recvfrom+0x71/0x90
 ? do_syscall_64+0x3f/0x90
 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
 ? copyout+0x3e/0x50
 netlink_rcv_skb+0xd6/0x210
 ? __pfx_xfrm_user_rcv_msg+0x10/0x10
 ? __pfx_netlink_rcv_skb+0x10/0x10
 ? __pfx_sock_has_perm+0x10/0x10
 ? mutex_lock+0x8d/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 xfrm_netlink_rcv+0x44/0x50
 netlink_unicast+0x36f/0x4c0
 ? __pfx_netlink_unicast+0x10/0x10
 ? netlink_recvmsg+0x500/0x660
 netlink_sendmsg+0x3b7/0x700

This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
adds additional NULL check in xfrm_update_ae_params to fix the NPD.

Fixes: d8647b79 ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: NLin Ma <linma@zju.edu.cn>
Reviewed-by: NLeon Romanovsky <leonro@nvidia.com>
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>

Conflicts:
	net/xfrm/xfrm_user.c
Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
(cherry picked from commit 5bfbef90)

LoongArch inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7PT2H

--------------------------------
Signed-off-by: NYingkun Meng <mengyingkun@loongson.cn>
Signed-off-by: NHongchen Zhang <zhanghongchen@loongson.cn>
(cherry picked from commit c5226585)

LoongArch inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7PT2H

--------------------------------
Signed-off-by: NHongchen Zhang <zhanghongchen@loongson.cn>
(cherry picked from commit d50c28b6)

LoongArch inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7PT2H

--------------------------------

Percpu area not allocated as expected because some CONFIG not defined,
Defined the required CONFIG to fix it.
Signed-off-by: NHongchen Zhang <zhanghongchen@loongson.cn>
(cherry picked from commit 056e342d)

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1682 
 
PR sync from: Lu Wei <luwei32@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/XHWCN4LVCI4W4ZNP4NXSYHBEYGDNGBUG/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7P3TK 
 
Link:https://gitee.com/openeuler/kernel/pulls/1702 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1596 
 
PR sync from: Li Lingfeng <lilingfeng3@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MKD6POKWLXC45KXPZXCZ7N52MPOZMNAR/ 
 
https://gitee.com/src-openeuler/kernel/issues/I7LU2Q 
 
Link:https://gitee.com/openeuler/kernel/pulls/1674 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 

stable inclusion
from stable-v5.10.188
commit 3a91099ecd59a42d1632fcb152bf7222f268ea2b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7P3TK
CVE: CVE-2023-4004

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3a91099ecd59a42d1632fcb152bf7222f268ea2b

---------------------------

[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ]

end key should be equal to start unless NFT_SET_EXT_KEY_END is present.

Its possible to add elements that only have a start key
("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.

Insertion treats this via:

if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
   end = (const u8 *)nft_set_ext_key_end(ext)->data;
else
   end = start;

but removal side always uses nft_set_ext_key_end().
This is wrong and leads to garbage remaining in the set after removal
next lookup/insert attempt will give:

BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
Call Trace:
 kasan_report+0x105/0x140
 pipapo_get+0x8eb/0xb90
 nft_pipapo_insert+0x1dc/0x1710
 nf_tables_newsetelem+0x31f5/0x4e00
 ..

Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reported-by: Nlonial con <kongln9170@gmail.com>
Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NLu Wei <luwei32@huawei.com>
(cherry picked from commit 979e0dee)

Merge Pull Request from: @ci-robot 
 
PR sync from: Wang ShaoBo <bobo.shaobowang@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/LUCQ2ZA4VCZMGUGIE3SQDRCTOPLR3TEX/ 
 
https://gitee.com/openeuler/kernel/issues/I7PN0A 
 
Link:https://gitee.com/openeuler/kernel/pulls/1656 

Reviewed-by: Xie XiuQi <xiexiuqi@huawei.com> 
Signed-off-by: Liu YongQiang <liuyongqiang13@huawei.com> 

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1551 
 
PR sync from: Li Nan <linan122@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/ZPU6DOWXQ62ZYWCTSJSULWSJFG2MUIKX/ 
 
https://gitee.com/openeuler/kernel/issues/I7LU2I 
 
Link:https://gitee.com/openeuler/kernel/pulls/1640 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>