- 16 8月, 2023 2 次提交
-
-
由 Ma Wupeng 提交于
maillist inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QV2C CVE: NA Reference: https://lkml.kernel.org/r/20230802072328.2107981-1-mawupeng1@huawei.com -------------------------------- For system with kernelcore=mirror enabled while no mirrored memory is reported by efi. This could lead to kernel OOM during startup since all memory beside zone DMA are in the movable zone and this prevents the kernel to use it. Zone DMA/DMA32 initialization is independent of mirrored memory and their max pfn is set in zone_sizes_init(). Since kernel can fallback to zone DMA/DMA32 if there is no memory in zone Normal, these zones are seen as mirrored memory no mather their memory attributes are. To solve this problem, disable kernelcore=mirror when there is no real mirrored memory exists. Link: https://lkml.kernel.org/r/20230802072328.2107981-1-mawupeng1@huawei.comSigned-off-by: NMa Wupeng <mawupeng1@huawei.com> Suggested-by: NKefeng Wang <wangkefeng.wang@huawei.com> Suggested-by: NMike Rapoport <rppt@kernel.org> Reviewed-by: NMike Rapoport (IBM) <rppt@kernel.org> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Cc: Levi Yun <ppbuk5246@gmail.com> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NMa Wupeng <mawupeng1@huawei.com> (cherry picked from commit 6087cfe0)
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1729 PR sync from: Liu Jian <liujian56@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/RHW5R5YZ4QMNY3YD7F65XJ6AFMBVMCOF/ fix CVE-2023-4128 in OLK510 valis (3): net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free -- 2.34.1 https://gitee.com/src-openeuler/kernel/issues/I7SAP1 Link:https://gitee.com/openeuler/kernel/pulls/1777 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 15 8月, 2023 8 次提交
-
-
由 valis 提交于
stable inclusion from stable-v5.10.190 commit aaa71c4e8ad98828ed50dde3eec8e0d545a117f7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7SAP1 CVE: CVE-2023-4128 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aaa71c4e8ad98828ed50dde3eec8e0d545a117f7 --------------------------- [ Upstream commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 ] When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. Fix this by no longer copying the tcf_result struct from the old filter. Fixes: 1109c005 ("net: sched: RCU cls_route") Reported-by: Nvalis <sec@valis.email> Reported-by: NBing-Jhong Billy Jheng <billy@starlabs.sg> Signed-off-by: Nvalis <sec@valis.email> Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: NVictor Nogueira <victor@mojatatu.com> Reviewed-by: NPedro Tammela <pctammela@mojatatu.com> Reviewed-by: NM A Ramdhan <ramdhan@starlabs.sg> Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.comSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLiu Jian <liujian56@huawei.com> (cherry picked from commit a360f541)
-
由 valis 提交于
stable inclusion from stable-v5.10.190 commit a8d478200b104ff356f51e1f63499fe46ba8c9b8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7SAP1 CVE: CVE-2023-4128 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a8d478200b104ff356f51e1f63499fe46ba8c9b8 --------------------------- [ Upstream commit 76e42ae831991c828cffa8c37736ebfb831ad5ec ] When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. Fix this by no longer copying the tcf_result struct from the old filter. Fixes: e35a8ee5 ("net: sched: fw use RCU") Reported-by: Nvalis <sec@valis.email> Reported-by: NBing-Jhong Billy Jheng <billy@starlabs.sg> Signed-off-by: Nvalis <sec@valis.email> Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: NVictor Nogueira <victor@mojatatu.com> Reviewed-by: NPedro Tammela <pctammela@mojatatu.com> Reviewed-by: NM A Ramdhan <ramdhan@starlabs.sg> Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.comSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLiu Jian <liujian56@huawei.com> (cherry picked from commit 11d19448)
-
由 valis 提交于
stable inclusion from stable-v5.10.190 commit b4256c99a7116c9514224847e8aaee2ecf110a0a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7SAP1 CVE: CVE-2023-4128 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b4256c99a7116c9514224847e8aaee2ecf110a0a --------------------------- [ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ] When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. Fix this by no longer copying the tcf_result struct from the old filter. Fixes: de5df632 ("net: sched: cls_u32 changes to knode must appear atomic to readers") Reported-by: Nvalis <sec@valis.email> Reported-by: NM A Ramdhan <ramdhan@starlabs.sg> Signed-off-by: Nvalis <sec@valis.email> Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: NVictor Nogueira <victor@mojatatu.com> Reviewed-by: NPedro Tammela <pctammela@mojatatu.com> Reviewed-by: NM A Ramdhan <ramdhan@starlabs.sg> Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.comSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLiu Jian <liujian56@huawei.com> (cherry picked from commit 3b77be79)
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1742 PR sync from: Zhengchao Shao <shaozhengchao@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TVEUUECSYUEZXJBL5E4A2HVG6OUZVDZZ/ https://gitee.com/src-openeuler/kernel/issues/I7QE3L Link:https://gitee.com/openeuler/kernel/pulls/1758 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1749 PR sync from: Yang Jihong <yangjihong1@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TUHOROYESBXPQZYAJ6NRZKRHEBFESGHK/ https://gitee.com/src-openeuler/kernel/issues/I7QE3F Link:https://gitee.com/openeuler/kernel/pulls/1765 Reviewed-by: Xu Kuohai <xukuohai@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1657 PR sync from: Ruan Jinjie <ruanjinjie@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/DMKZQARD2PWAP2YXIKY6D454ZNKTEVT3/ Backport CVE-2023-4132 fix commits. Duoming Zhou (2): media: usb: siano: Fix use after free bugs caused by do_submit_urb media: usb: siano: Fix warning due to null work_func_t function pointer -- 2.34.1 https://gitee.com/openeuler/kernel/issues/I7QTMZ Link:https://gitee.com/openeuler/kernel/pulls/1670 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Duoming Zhou 提交于
mainline inclusion from mainline-v6.5-rc1 commit dbe836576f12743a7d2d170ad4ad4fd324c4d47a category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QE3F CVE: CVE-2023-4134 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dbe836576f12743a7d2d170ad4ad4fd324c4d47a -------------------------------- The watchdog_timer can schedule tx_timeout_task and watchdog_work can also arm watchdog_timer. The process is shown below: ----------- timer schedules work ------------ cyttsp4_watchdog_timer() //timer handler schedule_work(&cd->watchdog_work) ----------- work arms timer ------------ cyttsp4_watchdog_work() //workqueue callback function cyttsp4_start_wd_timer() mod_timer(&cd->watchdog_timer, ...) Although del_timer_sync() and cancel_work_sync() are called in cyttsp4_remove(), the timer and workqueue could still be rearmed. As a result, the possible use after free bugs could happen. The process is shown below: (cleanup routine) | (timer and workqueue routine) cyttsp4_remove() | cyttsp4_watchdog_timer() //timer cyttsp4_stop_wd_timer() | schedule_work() del_timer_sync() | | cyttsp4_watchdog_work() //worker | cyttsp4_start_wd_timer() | mod_timer() cancel_work_sync() | | cyttsp4_watchdog_timer() //timer | schedule_work() del_timer_sync() | kfree(cd) //FREE | | cyttsp4_watchdog_work() // reschedule! | cd-> //USE This patch changes del_timer_sync() to timer_shutdown_sync(), which could prevent rearming of the timer from the workqueue. Fixes: 17fb1563 ("Input: cyttsp4 - add core driver for Cypress TMA4XX touchscreen devices") Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn> Link: https://lore.kernel.org/r/20230421082919.8471-1-duoming@zju.edu.cnSigned-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: NYang Jihong <yangjihong1@huawei.com> (cherry picked from commit 717e1ea8)
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1737 PR sync from: Li Nan <linan122@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BK3WNMWIWF7LUE5WR6V4SB366MLOBVAY/ https://gitee.com/openeuler/kernel/issues/I7SVRC Link:https://gitee.com/openeuler/kernel/pulls/1755 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 14 8月, 2023 23 次提交
-
-
由 Duoming Zhou 提交于
mainline inclusion from mainline-v6.3-rc1 commit e50b9b9e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QE3L CVE: CVE-2023-4133 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e50b9b9e8610d47b7c22529443e45a16b1ea3a15 -------------------------------- The flower_stats_timer can schedule flower_stats_work and flower_stats_work can also arm the flower_stats_timer. The process is shown below: ----------- timer schedules work ------------ ch_flower_stats_cb() //timer handler schedule_work(&adap->flower_stats_work); ----------- work arms timer ------------ ch_flower_stats_handler() //workqueue callback function mod_timer(&adap->flower_stats_timer, ...); When the cxgb4 device is detaching, the timer and workqueue could still be rearmed. The process is shown below: (cleanup routine) | (timer and workqueue routine) remove_one() | free_some_resources() | ch_flower_stats_cb() //timer cxgb4_cleanup_tc_flower() | schedule_work() del_timer_sync() | | ch_flower_stats_handler() //workqueue | mod_timer() cancel_work_sync() | kfree(adapter) //FREE | ch_flower_stats_cb() //timer | adap->flower_stats_work //USE This patch changes del_timer_sync() to timer_shutdown_sync(), which could prevent rearming of the timer from the workqueue. Fixes: e0f911c8 ("cxgb4: fetch stats for offloaded tc flower flows") Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn> Link: https://lore.kernel.org/r/20230415081227.7463-1-duoming@zju.edu.cnSigned-off-by: NPaolo Abeni <pabeni@redhat.com> Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com> (cherry picked from commit 6ff4dd3f)
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1727 PR sync from: Yu Liao <liaoyu15@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/N7DVTGONEIVDI2GITMMBE6T4J2YVA4WH/ timer_shutdown_sync() function is useful for final teardown of an infrastructure where the timer is subject to a circular dependency problem. A common pattern for this is a timer and a workqueue where the timer can schedule work and work can arm the timer. On shutdown the workqueue must be destroyed and the timer must be prevented from rearming. Unless the code has conditionals like 'if (mything->in_shutdown)' to prevent that there is no way to get this correct with timer_delete_sync(). timer_shutdown_sync() is solving the problem. The correct ordering of calls in this case is: timer_shutdown_sync(&mything->timer); workqueue_destroy(&mything->workqueue); After this 'mything' can be safely freed. Steven Rostedt (Google) (3): ARM: spear: Do not use timer namespace for timer_shutdown() function clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function Thomas Gleixner (10): timers: Get rid of del_singleshot_timer_sync() timers: Replace BUG_ON()s timers: Update kernel-doc for various functions timers: Use del_timer_sync() even on UP timers: Rename del_timer_sync() to timer_delete_sync() timers: Rename del_timer() to timer_delete() timers: Silently ignore timers with a NULL function timers: Add shutdown mechanism to the internal functions timers: Provide timer_shutdown[_sync]() Yu Liao (2): sw64: Do not use timer namespace for timer_shutdown() function timers: Keep del_timer[_sync]() exported -- 2.25.1 https://gitee.com/openeuler/kernel/issues/I7R8WG Link:https://gitee.com/openeuler/kernel/pulls/1746 Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
!1733 [sync] PR-1713: netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1713 PR sync from: Lu Wei <luwei32@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/SGMAG5EQTBM4R4SFB5KR5GIRFLPCZIQP/ https://gitee.com/src-openeuler/kernel/issues/I7QG0U Link:https://gitee.com/openeuler/kernel/pulls/1733 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1578 Backport 5.10.160 - 5.10.162 LTS patches from upstream. Conflicts: Already merged(29): 75454b4bbfc7: io_uring: add missing item types for splice request eb6313c12955: nfp: fix use-after-free in area_cache_get() f3fe6817156a: Bluetooth: L2CAP: Fix u8 overflow 1500fed00878: kernel: provide create_io_thread() helper e86db87191d8: iov_iter: add helper to save iov_iter state c1fe7bd3e1aa: fs: add support for LOOKUP_CACHED 146fe79fff13: fix handling of nd->depth on LOOKUP_CACHED failures in try_to_unlazy* 0cf0ce8fb5b1: Make sure nd->path.mnt and nd->path.dentry are always valid pointers 5683caa7350f: fs: expose LOOKUP_CACHED through openat2() RESOLVE_CACHED 069ac28d9243: net: provide __sys_shutdown_sock() that takes a socket ad0b0137953a: net: add accept helper not installing fd 52cfde6bbf64: signal: Add task_sigpending() helper 214f80e25176: fs: make do_renameat2() take struct filename 57b20530363d: file: Rename __close_fd_get_file close_fd_get_file d2136fc145be: fs: provide locked helper variant of close_fd_get_file() 3c295bd2ddae: entry: Add support for TIF_NOTIFY_SIGNAL 4b1dcf8ec9b2: x86: Wire up TIF_NOTIFY_SIGNAL 79a9991e87fe: arm64: add support for TIF_NOTIFY_SIGNAL abab3d4444b5: powerpc: add support for TIF_NOTIFY_SIGNAL 1bee9dbbcabb: arm: add support for TIF_NOTIFY_SIGNAL 78a53ff02656: riscv: add support for TIF_NOTIFY_SIGNAL 90a2c3821bbf: kernel: remove checking for TIF_NOTIFY_SIGNAL 4b4d2c79921: Limit what can interrupt coredumps 320c8057eceb: arch: setup PF_IO_WORKER threads like PF_KTHREAD dd26e2cec74f: arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread() f0a5f0dc0131: x86/process: setup io_threads more like normal user space threads 831cb78a2a5e: kernel: don't call do_exit() for PF_IO_WORKER threads ed3005032993: task_work: add helper for more targeted task_work canceling 788d0824269b: io_uring: import 5.15-stable io_uring Kabi change(1): a3025359ffa7 net: remove cmsg restriction from io_uring based send/recvmsg calls Total patches: 96 - 29 - 1 = 66 Link:https://gitee.com/openeuler/kernel/pulls/1620 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Namjae Jeon 提交于
mainline inclusion from mainline-v6.5-rc1 commit 98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8 category: bugfix bugzilla: 189112, https://gitee.com/openeuler/kernel/issues/I7SVRC CVE: CVE-2023-3867 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98422bdd4cb3ca4d08844046f6507d7ec2c2b8d8 ---------------------------------------------------------------------- ksmbd does not consider the case of that smb2 session setup is in compound request. If this is the second payload of the compound, OOB read issue occurs while processing the first payload in the smb2_sess_setup(). Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-21355 Signed-off-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NLi Nan <linan122@huawei.com> (cherry picked from commit 6a896802)
-
由 Yu Liao 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG -------------------------------- A previous commit made del_timer[_sync]() obsolete and unexported, which caused kabi to break. So making del_timer[_sync]() exported, the same as before. Signed-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit ec2d781a)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit f571faf6 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f571faf6e443b6011ccb585d57866177af1f643c -------------------------------- Tearing down timers which have circular dependencies to other functionality, e.g. workqueues, where the timer can schedule work and work can arm timers, is not trivial. In those cases it is desired to shutdown the timer in a way which prevents rearming of the timer. The mechanism to do so is to set timer->function to NULL and use this as an indicator for the timer arming functions to ignore the (re)arm request. Expose new interfaces for this: timer_shutdown_sync() and timer_shutdown(). timer_shutdown_sync() has the same functionality as timer_delete_sync() plus the NULL-ification of the timer function. timer_shutdown() has the same functionality as timer_delete() plus the NULL-ification of the timer function. In both cases the rearming of the timer is prevented by silently discarding rearm attempts due to timer->function being NULL. Co-developed-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org Link: https://lore.kernel.org/r/20221123201625.314230270@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 4bf511b4)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 0cc04e80 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cc04e80458a822300b93f82ed861a513edde194 -------------------------------- Tearing down timers which have circular dependencies to other functionality, e.g. workqueues, where the timer can schedule work and work can arm timers, is not trivial. In those cases it is desired to shutdown the timer in a way which prevents rearming of the timer. The mechanism to do so is to set timer->function to NULL and use this as an indicator for the timer arming functions to ignore the (re)arm request. Add a shutdown argument to the relevant internal functions which makes the actual deactivation code set timer->function to NULL which in turn prevents rearming of the timer. Co-developed-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org Link: https://lore.kernel.org/r/20221123201625.253883224@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 8555e7d6)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 8553b5f2 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8553b5f2774a66b1f293b7d783934210afb8f23c -------------------------------- Tearing down timers which have circular dependencies to other functionality, e.g. workqueues, where the timer can schedule work and work can arm timers, is not trivial. In those cases it is desired to shutdown the timer in a way which prevents rearming of the timer. The mechanism to do so is to set timer->function to NULL and use this as an indicator for the timer arming functions to ignore the (re)arm request. Split the inner workings of try_do_del_timer_sync(), del_timer_sync() and del_timer() into helper functions to prepare for implementing the shutdown functionality. No functional change. Co-developed-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org Link: https://lore.kernel.org/r/20221123201625.195147423@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 7913b067)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit d02e382c category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d02e382cef06cc73561dd32dfdc171c00dcc416d -------------------------------- Tearing down timers which have circular dependencies to other functionality, e.g. workqueues, where the timer can schedule work and work can arm timers, is not trivial. In those cases it is desired to shutdown the timer in a way which prevents rearming of the timer. The mechanism to do so is to set timer->function to NULL and use this as an indicator for the timer arming functions to ignore the (re)arm request. In preparation for that replace the warnings in the relevant code paths with checks for timer->function == NULL. If the pointer is NULL, then discard the rearm request silently. Add debug_assert_init() instead of the WARN_ON_ONCE(!timer->function) checks so that debug objects can warn about non-initialized timers. The warning of debug objects does not warn if timer->function == NULL. It warns when timer was not initialized using timer_setup[_on_stack]() or via DEFINE_TIMER(). If developers fail to enable debug objects and then waste lots of time to figure out why their non-initialized timer is not firing, they deserve it. Same for initializing a timer with a NULL function. Co-developed-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org Link: https://lore.kernel.org/r/87wn7kdann.ffs@tglxSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit c84834f9)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit bb663f0f category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bb663f0f3c396c6d05f6c5eeeea96ced20ff112e -------------------------------- The timer related functions do not have a strict timer_ prefixed namespace which is really annoying. Rename del_timer() to timer_delete() and provide del_timer() as a wrapper. Document that del_timer() is not for new code. Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NSteven Rostedt (Google) <rostedt@goodmis.org> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/r/20221123201625.015535022@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 37ba6517)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 9b13df3f category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b13df3fb64ee95e2397585404e442afee2c7d4f -------------------------------- The timer related functions do not have a strict timer_ prefixed namespace which is really annoying. Rename del_timer_sync() to timer_delete_sync() and provide del_timer_sync() as a wrapper. Document that del_timer_sync() is not for new code. Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NSteven Rostedt (Google) <rostedt@goodmis.org> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/r/20221123201624.954785441@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 3875c56a)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 168f6b6f category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=168f6b6ffbeec0b9333f3582e4cf637300858db5 -------------------------------- del_timer_sync() is assumed to be pointless on uniprocessor systems and can be mapped to del_timer() because in theory del_timer() can never be invoked while the timer callback function is executed. This is not entirely true because del_timer() can be invoked from interrupt context and therefore hit in the middle of a running timer callback. Contrary to that del_timer_sync() is not allowed to be invoked from interrupt context unless the affected timer is marked with TIMER_IRQSAFE. del_timer_sync() has proper checks in place to detect such a situation. Give up on the UP optimization and make del_timer_sync() unconditionally available. Co-developed-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/all/20220407161745.7d6754b3@gandalf.local.home Link: https://lore.kernel.org/all/20221110064101.429013735@goodmis.org Link: https://lore.kernel.org/r/20221123201624.888306160@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 39923cb6)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 14f043f1 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=14f043f1340bf30bc60af127bff39f55889fef26 -------------------------------- The kernel-doc of timer related functions is partially uncomprehensible word salad. Rewrite it to make it useful. Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/r/20221123201624.828703870@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit baff0f87)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 82ed6f7e category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82ed6f7ef58f9634fe4462dd721902c580f01569 -------------------------------- The timer code still has a few BUG_ON()s left which are crashing the kernel in situations where it still can recover or simply refuse to take an action. Remove the one in the hotplug callback which checks for the CPU being offline. If that happens then the whole hotplug machinery will explode in colourful ways. Replace the rest with WARN_ON_ONCE() and conditional returns where appropriate. Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/r/20221123201624.769128888@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit ebf38635)
-
由 Thomas Gleixner 提交于
mainline inclusion from mainline-v6.2-rc1 commit 9a5a3056 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a5a305686971f4be10c6d7251c8348d74b3e014 -------------------------------- del_singleshot_timer_sync() used to be an optimization for deleting timers which are not rearmed from the timer callback function. This optimization turned out to be broken and got mapped to del_timer_sync() about 17 years ago. Get rid of the undocumented indirection and use del_timer_sync() directly. No functional change. Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lore.kernel.org/r/20221123201624.706987932@linutronix.de Conflicts: net/sunrpc/xprt.c Signed-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit fe99d43f)
-
由 Yu Liao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG -------------------------------- A new "shutdown" timer state is being added to the generic timer code. One of the functions to change the timer into the state is called "timer_shutdown()". This means that there can not be other functions called "timer_shutdown()" as the timer code owns the "timer_*" name space. Rename timer_shutdown() to sw64_timer_shutdown() to avoid this conflict. Signed-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit d0f4c739)
-
由 Steven Rostedt (Google) 提交于
mainline inclusion from mainline-v6.2-rc1 commit 6e1fc259 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e1fc2591f116dfb20b65cf27356475461d61bd8 -------------------------------- A new "shutdown" timer state is being added to the generic timer code. One of the functions to change the timer into the state is called "timer_shutdown()". This means that there can not be other functions called "timer_shutdown()" as the timer code owns the "timer_*" name space. Rename timer_shutdown() to evt_timer_shutdown() to avoid this conflict. Signed-off-by: NSteven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Link: https://lkml.kernel.org/r/20221106212702.182883323@goodmis.org Link: https://lore.kernel.org/all/20221105060155.592778858@goodmis.org/ Link: https://lore.kernel.org/r/20221110064147.158230501@goodmis.org Link: https://lore.kernel.org/r/20221123201624.634354813@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 3e0e7195)
-
由 Steven Rostedt (Google) 提交于
mainline inclusion from mainline-v6.2-rc1 commit 73737a58 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=73737a5833ace25a8408b0d3b783637cb6bf29d1 -------------------------------- A new "shutdown" timer state is being added to the generic timer code. One of the functions to change the timer into the state is called "timer_shutdown()". This means that there can not be other functions called "timer_shutdown()" as the timer code owns the "timer_*" name space. Rename timer_shutdown() to arch_timer_shutdown() to avoid this conflict. Signed-off-by: NSteven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Acked-by: NMarc Zyngier <maz@kernel.org> Link: https://lkml.kernel.org/r/20221106212702.002251651@goodmis.org Link: https://lore.kernel.org/all/20221105060155.409832154@goodmis.org/ Link: https://lore.kernel.org/r/20221110064146.981725531@goodmis.org Link: https://lore.kernel.org/r/20221123201624.574672568@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 2ebfa836)
-
由 Steven Rostedt (Google) 提交于
mainline inclusion from mainline-v6.2-rc1 commit 80b55772 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7R8WG Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80b55772d41d8afec68dbc4ff0368a9fe5d1f390 -------------------------------- A new "shutdown" timer state is being added to the generic timer code. One of the functions to change the timer into the state is called "timer_shutdown()". This means that there can not be other functions called "timer_shutdown()" as the timer code owns the "timer_*" name space. Rename timer_shutdown() to spear_timer_shutdown() to avoid this conflict. Signed-off-by: NSteven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: NThomas Gleixner <tglx@linutronix.de> Tested-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NGuenter Roeck <linux@roeck-us.net> Reviewed-by: NJacob Keller <jacob.e.keller@intel.com> Reviewed-by: NAnna-Maria Behnsen <anna-maria@linutronix.de> Acked-by: NArnd Bergmann <arnd@arndb.de> Acked-by: NViresh Kumar <viresh.kumar@linaro.org> Link: https://lkml.kernel.org/r/20221106212701.822440504@goodmis.org Link: https://lore.kernel.org/all/20221105060155.228348078@goodmis.org/ Link: https://lore.kernel.org/r/20221110064146.810953418@goodmis.org Link: https://lore.kernel.org/r/20221123201624.513863211@linutronix.deSigned-off-by: NYu Liao <liaoyu15@huawei.com> (cherry picked from commit 0695f959)
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1711 PR sync from: Zhengchao Shao <shaozhengchao@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/B3ZSS336JXNQSPFJCYBONSQZLLYXKGQ2/ https://gitee.com/src-openeuler/kernel/issues/I7NYWN Link:https://gitee.com/openeuler/kernel/pulls/1716 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1604 PR sync from: Ziyang Xuan <william.xuanziyang@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5LGGZAJFGQ7GMAJWNGCSQVWZZ2K26FKH/ Backport CVE-2023-3863 fix commits. v2: - Resend the patchset. Krzysztof Kozlowski (1): nfc: llcp: simplify llcp_sock_connect() error paths Lin Ma (1): net: nfc: Fix use-after-free caused by nfc_llcp_find_local -- 2.25.1 https://gitee.com/src-openeuler/kernel/issues/I7NLJR Link:https://gitee.com/openeuler/kernel/pulls/1634 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Pablo Neira Ayuso 提交于
mainline inclusion from mainline-v6.5-rc4 commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7QG0U CVE: CVE-2023-4147 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ebc1064e4874d5987722a2ddbc18f94aa53b211 -------------------------------- Bail out with EOPNOTSUPP when adding rule to bound chain via NFTA_RULE_CHAIN_ID. The following warning splat is shown when adding a rule to a deleted bound chain: WARNING: CPU: 2 PID: 13692 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] CPU: 2 PID: 13692 Comm: chain-bound-rul Not tainted 6.1.39 #1 RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] Fixes: d0e2c7de ("netfilter: nf_tables: add NFT_CHAIN_BINDING") Reported-by: NKevin Rich <kevinrich1337@gmail.com> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NLu Wei <luwei32@huawei.com> (cherry picked from commit a39007a6)
-
- 10 8月, 2023 1 次提交
-
-
由 Lin Ma 提交于
mainline inclusion from mainline-v6.5-rc3 commit 00374d9b6d9f932802b55181be9831aa948e5b7c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NYWN CVE: CVE-2023-3772 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=00374d9b6d9f932802b55181be9831aa948e5b7c -------------------------------- Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774d #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4 RIP: 0010:memcpy_orig+0xad/0x140 Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c RSP: 0018:ffff888008f57658 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571 RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818 R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000 FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x1e8/0x500 ? __pfx_is_prefetch.constprop.0+0x10/0x10 ? __pfx_page_fault_oops+0x10/0x10 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? fixup_exception+0x36/0x460 ? _raw_spin_unlock_irqrestore+0x11/0x40 ? exc_page_fault+0x5e/0xc0 ? asm_exc_page_fault+0x26/0x30 ? xfrm_update_ae_params+0xd1/0x260 ? memcpy_orig+0xad/0x140 ? __pfx__raw_spin_lock_bh+0x10/0x10 xfrm_update_ae_params+0xe7/0x260 xfrm_new_ae+0x298/0x4e0 ? __pfx_xfrm_new_ae+0x10/0x10 ? __pfx_xfrm_new_ae+0x10/0x10 xfrm_user_rcv_msg+0x25a/0x410 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __alloc_skb+0xcf/0x210 ? stack_trace_save+0x90/0xd0 ? filter_irq_stacks+0x1c/0x70 ? __stack_depot_save+0x39/0x4e0 ? __kasan_slab_free+0x10a/0x190 ? kmem_cache_free+0x9c/0x340 ? netlink_recvmsg+0x23c/0x660 ? sock_recvmsg+0xeb/0xf0 ? __sys_recvfrom+0x13c/0x1f0 ? __x64_sys_recvfrom+0x71/0x90 ? do_syscall_64+0x3f/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc ? copyout+0x3e/0x50 netlink_rcv_skb+0xd6/0x210 ? __pfx_xfrm_user_rcv_msg+0x10/0x10 ? __pfx_netlink_rcv_skb+0x10/0x10 ? __pfx_sock_has_perm+0x10/0x10 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 xfrm_netlink_rcv+0x44/0x50 netlink_unicast+0x36f/0x4c0 ? __pfx_netlink_unicast+0x10/0x10 ? netlink_recvmsg+0x500/0x660 netlink_sendmsg+0x3b7/0x700 This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit adds additional NULL check in xfrm_update_ae_params to fix the NPD. Fixes: d8647b79 ("xfrm: Add user interface for esn and big anti-replay windows") Signed-off-by: NLin Ma <linma@zju.edu.cn> Reviewed-by: NLeon Romanovsky <leonro@nvidia.com> Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Conflicts: net/xfrm/xfrm_user.c Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com> (cherry picked from commit 5bfbef90)
-
- 09 8月, 2023 3 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1682 PR sync from: Lu Wei <luwei32@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/XHWCN4LVCI4W4ZNP4NXSYHBEYGDNGBUG/ https://gitee.com/src-openeuler/kernel/issues/I7P3TK Link:https://gitee.com/openeuler/kernel/pulls/1704 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @did-you-collect-the-wool-today virt inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW CVE: NA ------------------------------------------------------------------ In probe_vendor_drivers, all registered vendor drivers are traversed. This is not a good idea. If a vendor driver is not implemented well enough, it may cause the system to panic. Use the vendor id and device id to select a proper driver. In the pervious device registration logic, since the live migration operation ops of the three accelerator devices is the same. Therefore, only one driver entity will be registered. As a result, only the first sec will be loaded successfully, while hpre and zip cannot be loaded. The acc live migration driver needs to be adapted. Tips: The problem code is not completely fixed. To keep consistent with olk-5.10, roll back the previous bugfix and resubmit a new one. This new bugfix is consistent with the one for the olk-5.10 branch. Signed-off-by: NLongfang Liu <liulongfang@huawei.com> Signed-off-by: Kunkun Jiang <jiangkunkun@huawei.com> Link:https://gitee.com/openeuler/kernel/pulls/1700 Reviewed-by: Zenghui Yu <yuzenghui@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1596 PR sync from: Li Lingfeng <lilingfeng3@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MKD6POKWLXC45KXPZXCZ7N52MPOZMNAR/ https://gitee.com/src-openeuler/kernel/issues/I7LU2Q Link:https://gitee.com/openeuler/kernel/pulls/1676 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 08 8月, 2023 3 次提交
-
-
由 Florian Westphal 提交于
stable inclusion from stable-v5.10.188 commit 3a91099ecd59a42d1632fcb152bf7222f268ea2b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7P3TK CVE: CVE-2023-4004 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3a91099ecd59a42d1632fcb152bf7222f268ea2b --------------------------- [ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] end key should be equal to start unless NFT_SET_EXT_KEY_END is present. Its possible to add elements that only have a start key ("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. Insertion treats this via: if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) end = (const u8 *)nft_set_ext_key_end(ext)->data; else end = start; but removal side always uses nft_set_ext_key_end(). This is wrong and leads to garbage remaining in the set after removal next lookup/insert attempt will give: BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 Call Trace: kasan_report+0x105/0x140 pipapo_get+0x8eb/0xb90 nft_pipapo_insert+0x1dc/0x1710 nf_tables_newsetelem+0x31f5/0x4e00 .. Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges") Reported-by: Nlonial con <kongln9170@gmail.com> Reviewed-by: NStefano Brivio <sbrivio@redhat.com> Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLu Wei <luwei32@huawei.com> (cherry picked from commit 979e0dee)
-
由 Kunkun Jiang 提交于
virt inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW CVE: NA ------------------------------------------------------------------ In probe_vendor_drivers, all registered vendor drivers are traversed. This is not a good idea. If a vendor driver is not implemented well enough, it may cause the system to panic. Use the vendor id and device id to select a proper driver. In the pervious device registration logic, since the live migration operation ops of the three accelerator devices is the same. Therefore, only one driver entity will be registered. As a result, only the first sec will be loaded successfully, while hpre and zip cannot be loaded. The acc live migration driver needs to be adapted. Tips: This bugfix is consistent with the one for the olk-5.10 branch. Signed-off-by: NLongfang Liu <liulongfang@huawei.com> Signed-off-by: NKunkun Jiang <jiangkunkun@huawei.com>
-
由 Kunkun Jiang 提交于
virt inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7QPGW CVE: NA ------------------------------------------------------------------ This reverts commit 75fbddc8. The problem code is not completely fixed. To keep consistent with olk-5.10, roll back this patch and resubmit the bugfix. Signed-off-by: NKunkun Jiang <jiangkunkun@huawei.com>
-