- 10 May, 2023 1 commit
-
-
Committed by leoliu-oc

zhaoxin inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6J3EV
CVE: NA

--------------------------------------------

The Zhaoxin I2C Linux driver supports all bidirectional bus protocol speeds specified in the I2C Specification 7.0. The speed modes are listed in the following table.

| Speed Name | Description |
| Standard-mode | Bit rate up to 100 kbit/s |
| Fast-mode | Bit rate up to 400 kbit/s (default) |
| Fast-mode Plus | Bit rate up to 1 Mbit/s |
| High-speed mode | Bit rate up to 3.4 Mbit/s |

Signed-off-by: leoliu-oc <leoliu-oc@zhaoxin.com>
-
- 28 Feb, 2023 10 commits
-
-
Committed by openeuler-ci-bot

Merge Pull Request from: @LiuYongQiang0816

genirq bugfix from Yipeng Zou

Link: https://gitee.com/openeuler/kernel/pulls/423

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Yipeng Zou

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6BO2R
CVE: NA

--------------------------------

CONFIG_GENERIC_PENDING_IRQ has been enabled in ARM64 for LPI, which can delay set irq affinity ops in the chip->irq_eoi process.

While drivers call disable_irq_nosync in the irq handler, __irq_move_irq would judge that the irq is disabled and return directly, which causes setting the affinity to fail.

To fix this issue, remove the irq status judgement in __irq_move_irq for ARM64, because there is no relationship between irq affinity and irq disabled, and irq_set_affinity does not judge it either.

Fixes: 6ea55196 ("irqchip/gic-v3-its: introduce CONFIG_GENERIC_PENDING_IRQ")
Signed-off-by: Zhang Jianhua <chris.zjh@huawei.com>
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Reviewed-by: Liao Chang <liaochang1@huawei.com>
Reviewed-by: Zhang Jianhua <chris.zjh@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by openeuler-ci-bot

Merge Pull Request from: @LiuYongQiang0816

two iscsi bugfixes backport from Zhong Jinghua

Link: https://gitee.com/openeuler/kernel/pulls/422

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Mike Christie

mainline inclusion
from mainline-v6.2-rc6
commit f484a794
category: bugfix
bugzilla: 188443, https://gitee.com/openeuler/kernel/issues/I6I8YD
CVE: NA

----------------------------------------

If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug.

Set the tcp_sw_host->session after we have completed session creation and can no longer fail.

Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Acked-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Mike Christie
mainline inclusion
from mainline-v6.2-rc6
commit 6f1d64b1
category: bugfix
bugzilla: 188443, https://gitee.com/openeuler/kernel/issues/I6I8YD
CVE: NA

----------------------------------------

Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress attr, we can get a KASAN UAF report like this:

[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088

We can easily reproduce by two tasks:
1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
2. while :; do cat \
/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done

            iscsid              |        cat
--------------------------------+---------------------------------------
|- iscsi_sw_tcp_session_destroy |
  |- iscsi_session_teardown     |
    |- device_release           |
      |- iscsi_session_release  ||- dev_attr_show
        |- kfree                |  |- show_host_param_
                                |             ISCSI_HOST_PARAM_IPADDRESS
                                |    |- iscsi_sw_tcp_host_get_param
                                |      |- r/w tcp_sw_host->session (UAF)
  |- iscsi_host_remove          |
  |- iscsi_host_free            |

Fix the above bug by splitting the session removal into 2 parts:
1. removal from iSCSI class which includes sysfs and removal from host tracking.
2. freeing of session.

During iscsi_tcp host and session removal we can remove the session from sysfs then remove the host from sysfs. At this point we know userspace is not accessing the kernel via sysfs so we can free the session and host.

Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Acked-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by openeuler-ci-bot

Merge Pull Request from: @LiuYongQiang0816

Pull new CVEs:
CVE-2023-26545

a nbd bugfix from Zhong Jinghua
two selinux bugfixes from GONG, Ruiqi

Link: https://gitee.com/openeuler/kernel/pulls/420

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
Committed by Jakub Kicinski

stable inclusion
from stable-v4.19.273
commit aa07c86e43ed8780d610ecfb2ce13da326729201
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6HZHU
CVE: CVE-2023-26545

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=aa07c86e43ed8780d610ecfb2ce13da326729201

--------------------------------

commit fda6c89f upstream.

lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free).

Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable.

Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time.

sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL.

Reported-by: lianhui tang <bluetlh@gmail.com>
Fixes: 0fae3bf0 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Zhong Jinghua

hulk inclusion
category: bugfix
bugzilla: 188413, https://gitee.com/openeuler/kernel/issues/I6GWYG
CVE: NA

----------------------------------------

A panic error is like below:

nbd_genl_connect
 nbd_dev_add
  first_minor = index << part_shift; // index =-1
  ...
  __device_add_disk
   blk_alloc_devt
    *devt = MKDEV(disk->major, disk->first_minor + part->partno);
    // part->partno = 0, first_minor = 11...110000 major is covered

There, index < 0 will reassign an index, but here disk->first_minor is assigned -1 << part_shift.

This causes the creation of the device with the same major and minor device numbers each time the incoming index<0, and this will lead to failure to create the kobject:

Warning: kobject_add_internal failed for 4095:1048544 with -EEXIST, don't try to register things with the same name in the same directory.

Fix it by moving the first_minor assignment down to after getting the new index.

Fixes: 01f7594e ("nbd: Fix use-after-free in blk_mq_free_rqs")
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
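The arithmetic behind the `4095:1048544` in the warning above, as an added userspace example that is not part of the commit or the kernel source: it compares the assignment order before and after the fix for two connects with index -1. Assumptions: `PART_SHIFT` is 5 (chosen because it reproduces the numbers in the warning), and `alloc_index()` and the two `dev_add_*` functions are hypothetical stand-ins for the index allocation and for `nbd_dev_add()`.

```c
/* Added illustration: userspace model of the dev_t arithmetic, not kernel code. */
#include <stdio.h>

#define MINORBITS 20
#define MINORMASK ((1U << MINORBITS) - 1)
#define MKDEV(ma, mi) (((unsigned int)(ma) << MINORBITS) | (unsigned int)(mi))
#define MAJOR(dev) ((unsigned int)(dev) >> MINORBITS)
#define MINOR(dev) ((unsigned int)(dev) & MINORMASK)

#define NBD_MAJOR  43 /* block major used by nbd */
#define PART_SHIFT 5  /* assumption: matches 4095:1048544 in the warning */

/* Hypothetical stand-in for the allocator that hands out a free device index. */
static int alloc_index(int *next_free)
{
    return (*next_free)++;
}

/* Order before the fix: first_minor is derived from the caller's index
 * before a negative index has been replaced by an allocated one. */
static unsigned int dev_add_before_fix(int index, int *next_free)
{
    unsigned int first_minor = (unsigned int)index << PART_SHIFT;

    if (index < 0)
        index = alloc_index(next_free);
    (void)index; /* the new index no longer influences first_minor */
    return MKDEV(NBD_MAJOR, first_minor);
}

/* Order after the fix: allocate the index first, then derive first_minor. */
static unsigned int dev_add_after_fix(int index, int *next_free)
{
    if (index < 0)
        index = alloc_index(next_free);
    return MKDEV(NBD_MAJOR, (unsigned int)index << PART_SHIFT);
}

int main(void)
{
    int next = 0;
    unsigned int a = dev_add_before_fix(-1, &next);
    unsigned int b = dev_add_before_fix(-1, &next);

    /* The all-ones minor spills into the major bits: both devices collide. */
    printf("before fix: %u:%u then %u:%u\n", MAJOR(a), MINOR(a), MAJOR(b), MINOR(b));

    next = 0;
    a = dev_add_after_fix(-1, &next);
    b = dev_add_after_fix(-1, &next);
    printf("after fix:  %u:%u then %u:%u\n", MAJOR(a), MINOR(a), MAJOR(b), MINOR(b));
    return 0;
}
```

The identical device number on the second connect is what makes the kobject registration fail with -EEXIST.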
-
Committed by GONG, Ruiqi
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1
CVE: NA

----------------------------------------

After backporting commit cfff75d8 ("selinux: reorder hooks to make runtime disable less broken") to the 4.19 kernel of openEuler-1.0-LTS, various kernel panic problems were still triggered by running the POC of the aforementioned commit. Here's a case from selinux_file_alloc_security():

BUG: unable to handle kernel NULL pointer dereference at 0000000000000004

Another one from selinux_inode_alloc_security():

BUG: unable to handle kernel NULL pointer dereference at 0000000000000004

These problems were all caused by accessing a credential's tsec being NULL. Given that many "allocating" hooks would access tsec as well (e.g. selinux_{key,bpf_{map,prog}}_alloc, selinux_ib_alloc_security etc), make a fourth block and move cred hooks of allocating tsec out there.

Fixes: 87d41806 ("selinux: reorder hooks to make runtime disable less broken")
Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by GONG, Ruiqi
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1
CVE: NA

----------------------------------------

After backporting commit cfff75d8 ("selinux: reorder hooks to make runtime disable less broken") to the 4.19 kernel of openEuler-1.0-LTS, another kernel panic was triggered by running the POC of the aforementioned commit:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008

The problem was caused by selinux_file_open() accessing a file's fsec being NULL, which indicated that the file_alloc_security hook should be deleted later (at least after the file_open hook) when disabling SELinux at runtime. Here I put it into the "allocating" part.

Fixes: 87d41806 ("selinux: reorder hooks to make runtime disable less broken")
Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 27 Feb, 2023 1 commit
-
-
Committed by openeuler-ci-bot

Merge Pull Request from: @LiuYongQiang0816

|Title|Analysis result|
|--------|------|
|crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() | The size of digest_info must be checked for sufficiency before reading |
|crypto: algif_skcipher - EBUSY on aio should be an error | Return the error correctly |
|crypto: algif_skcipher - Use chunksize instead of blocksize | Fixes a wrong-parameter problem in the CTR case |
|ipmi: use %*ph to print small buffer | Fixes a possible buffer overflow |
|component: do not dereference opaque pointer in debugfs | match->compare[i].data is not necessarily a struct device* pointer; printing the device name with dev_name(data) here may cause a null pointer access. Use dev_name(component->dev) to print the device name instead |
|drivers/iommu: Export core IOMMU API symbols to permit modular drivers | Exports the iommu core APIs needed to build IOMMU drivers. This patch resolves the missing-symbol problem when an iommu driver is built as a module |
|drivers/iommu: Allow IOMMU bus ops to be unregistered | When an iommu KO is unloaded, the ops pointer becomes invalid and an access to an illegal address may be triggered. Fix: let bus_set_iommu() accept a NULL ops argument to reset the ops of the given bus type |
|of: unittest: Add of_node_put() before return | Fixes a memory leak on the error return path in driver/of/unittest.c |
|of: resolver: Add of_node_put() before return and break | Fixes a memory leak caused by not putting the node when breaking or returning out of a for_each_child_of_node loop |
|iommu: Properly export iommu_group_get_for_dev() | Fixes an iommu core API that was not exported with EXPORT_SYMBOL_GPL. Follow-up patch to "drivers/iommu: Export core IOMMU API symbols to permit modular drivers" |
|evm: Check also if *tfm is an error pointer in init_desc() | Fixes a possible race condition in multi-threaded scenarios |
|evm: Fix a small race in init_desc() | Under extreme conditions a race can occur even when IS_ERR_OR_NULL() is used: internally it tests for an error pointer and for NULL in two separate checks, and the race can occur between the two checks |
|selinux: reorder hooks to make runtime disable less broken | Because this patch (v5.6) was merged after the LSM Blob mechanism (v5.1), the implementation of some hooks on 4.19 differs from what it was when the patch was merged, so their positions need further adjustment |

Link: https://gitee.com/openeuler/kernel/pulls/415

Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
- 25 Feb, 2023 13 commits
-
-
Committed by Ondrej Mosnacek

mainline inclusion
from mainline-v5.6-rc1
commit cfff75d8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1
CVE: NA

----------------------------------------

Commit b1d9e6b0 ("LSM: Switch to lists of hooks") switched the LSM infrastructure to use per-hook lists, which meant that removing the hooks for a given module was no longer atomic. Even though the commit clearly documents that modules implementing runtime removal of hooks (only SELinux attempts this madness) need to take special precautions to avoid race conditions, SELinux has never addressed this.

By inserting an artificial delay between the loop iterations of security_delete_hooks() (I used 100 ms), booting to a state where SELinux is enabled, but policy is not yet loaded, and running these commands:

    while true; do ping -c 1 <some IP>; done &
    echo -n 1 >/sys/fs/selinux/disable
    kill %1
    wait

...I was able to trigger NULL pointer dereferences in various places. I also have a report of someone getting panics on a stock RHEL-8 kernel after setting SELINUX=disabled in /etc/selinux/config and rebooting (without adding "selinux=0" to kernel command-line).

Reordering the SELinux hooks such that those that allocate structures are removed last seems to prevent these panics. It is very much possible that this doesn't make the runtime disable completely race-free, but at least it makes the operation much less fragile.

Cc: stable@vger.kernel.org
Fixes: b1d9e6b0 ("LSM: Switch to lists of hooks")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

Conflicts:
    security/selinux/hooks.c

Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Dan Carpenter

mainline inclusion
from mainline-v5.7-rc7
commit 84338569
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AAU7
CVE: NA

----------------------------------------

The IS_ERR_OR_NULL() function has two conditions and if we got really unlucky we could hit a race where "ptr" started as an error pointer and then was set to NULL. Both conditions would be false even though the pointer at the end was NULL.

This patch fixes the problem by ensuring that "*tfm" can only be NULL or valid. I have introduced a "tmp_tfm" variable to make that work. I also reversed a condition and pulled the code in one tab.

Reported-by: Roberto Sassu <roberto.sassu@huawei.com>
Fixes: 53de3b08 ("evm: Check also if *tfm is an error pointer in init_desc()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Conflicts:
    security/integrity/evm/evm_crypto.c

Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Roberto Sassu

stable inclusion
from stable-v4.19.125
commit 4c7a2e76ae93577628a022d2d2adf5e0d8a89147
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AAU7
CVE: NA

----------------------------------------

[ Upstream commit 53de3b08 ]

This patch avoids a kernel panic due to accessing an error pointer set by crypto_alloc_shash(). It occurs especially when there are many files that require an unsupported algorithm, as it would increase the likelihood of the following race condition:

Task A: *tfm = crypto_alloc_shash() <= error pointer
Task B: if (*tfm == NULL) <= *tfm is not NULL, use it
Task B: rc = crypto_shash_init(desc) <= panic
Task A: *tfm = NULL

This patch uses the IS_ERR_OR_NULL macro to determine whether or not a new crypto context must be created.

Cc: stable@vger.kernel.org
Fixes: d46eb369 ("evm: crypto hash replaced by shash")
Co-developed-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
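The two evm commit messages on this page (53de3b08 here and the 84338569 follow-up listed above it) describe three stages of the same check; the following added example, which is not code from either commit or from the kernel, replays each stage with a fixed interleaving so the outcome is deterministic. Assumptions: `slot` models the shared `*tfm`, `load_slot()` is a hypothetical hook that lets Task A's `*tfm = NULL` land after a chosen load by Task B, and the `task_b_*` functions are simplified models of the check in `init_desc()`.

```c
/* Added illustration: deterministic userspace model of the race, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define IS_ERR(p)    ((uintptr_t)(p) >= (uintptr_t)(-MAX_ERRNO))

enum used { USED_NONE, USED_VALID, USED_ERR_PTR, USED_NULL };

static int good_tfm;        /* stands in for a successfully allocated shash */
static void *slot;          /* models the shared "*tfm" */
static int reads;           /* loads of *tfm done by Task B so far */
static int null_after_read; /* Task A's "*tfm = NULL" lands after this load; 0 = never */

/* Every load Task B makes of *tfm goes through here so the interleaving is explicit. */
static void *load_slot(void)
{
    void *v = slot;

    if (++reads == null_after_read)
        slot = NULL;
    return v;
}

static enum used classify(void *p)
{
    if (!p)
        return USED_NULL;
    return IS_ERR(p) ? USED_ERR_PTR : USED_VALID;
}

static void start(void *initial, int when)
{
    slot = initial;
    reads = 0;
    null_after_read = when;
}

/* Stage 1, NULL check only: an error pointer stored by Task A passes the check. */
static enum used task_b_null_check(int when)
{
    start(ERR_PTR(-ENOENT), when);
    if (load_slot() == NULL)
        slot = &good_tfm;
    return classify(load_slot()); /* what would reach crypto_shash_init() */
}

/* Stage 2, IS_ERR_OR_NULL(*tfm): two conditions, each may load *tfm again. */
static enum used task_b_is_err_or_null(int when)
{
    start(ERR_PTR(-ENOENT), when);
    if (load_slot() == NULL || IS_ERR(load_slot()))
        slot = &good_tfm;
    return classify(load_slot());
}

/* Stage 3, tmp_tfm: the allocation result stays local and is published only
 * when valid, so the shared slot is only ever NULL or valid. */
static enum used task_b_tmp_tfm(void *alloc_result)
{
    void *tfm, *tmp_tfm;

    start(NULL, 0);
    tfm = load_slot();
    if (tfm == NULL) {
        tmp_tfm = alloc_result;
        if (IS_ERR(tmp_tfm))
            return USED_NONE; /* error returned to the caller, slot untouched */
        slot = tmp_tfm;
        tfm = tmp_tfm;
    }
    return classify(tfm);
}

int main(void)
{
    printf("NULL check only:           %d\n", task_b_null_check(0));
    printf("IS_ERR_OR_NULL, no race:   %d\n", task_b_is_err_or_null(0));
    printf("IS_ERR_OR_NULL, NULL store between the two conditions: %d\n",
           task_b_is_err_or_null(1));
    printf("tmp_tfm, failed alloc:     %d\n", task_b_tmp_tfm(ERR_PTR(-ENOENT)));
    printf("tmp_tfm, successful alloc: %d\n", task_b_tmp_tfm(&good_tfm));
    return 0;
}
```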
-
Committed by Greg Kroah-Hartman

mainline inclusion
from mainline-v5.7-rc4
commit ae74c19f
category: bugfix
bugzilla: 34842, https://gitee.com/openeuler/kernel/issues/I6H9U5
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ae74c19faa7d7996e857e13165bd40fc4a285e0d

--------------------------------

In commit a7ba5c3d ("drivers/iommu: Export core IOMMU API symbols to permit modular drivers") a bunch of iommu symbols were exported, all with _GPL markings except iommu_group_get_for_dev(). That export should also be _GPL like the others.

Fixes: a7ba5c3d ("drivers/iommu: Export core IOMMU API symbols to permit modular drivers")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Will Deacon <will@kernel.org>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: John Garry <john.garry@huawei.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20200430120120.2948448-1-gregkh@linuxfoundation.org
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Guo Mengqi <guomengqi3@huawei.com>
Reviewed-by: Weilong Chen <chenweilong@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Nishka Dasgupta
mainline inclusion from mainline-v5.3-rc5 commit 60d437bb category: bugfix bugzilla: 20547, https://gitee.com/openeuler/kernel/issues/I6H9U5 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60d437bbff358748fcfc3bce5f08da9a6b3761da -------------------------------- Each iteration of for_each_child_of_node puts the previous node, but in the case of a return or break from the middle of the loop, there is no put, thus causing a memory leak. Hence add an of_node_put before the return or break in three places. Issue found with Coccinelle. Signed-off-by: Nishka Dasgupta <nishkadg.linux@gmail.com> Signed-off-by: Rob Herring <robh@kernel.org> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Nishka Dasgupta
mainline inclusion from mainline-v5.4-rc1 commit a7bcae59 category: bugfix bugzilla: 22762, https://gitee.com/openeuler/kernel/issues/I6H9U5 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7bcae591f595a727feea9a5a389756015579072 -------------------------------- The local variable np in function of_unittest_platform_populate takes the return value of of_find_node_by_path, which gets a node but does not put it. If np is not put before return it may cause a memory leak. Hence put np before a return statement. Issue found with Coccinelle. Signed-off-by: Nishka Dasgupta <nishkadg.linux@gmail.com> Signed-off-by: Rob Herring <robh@kernel.org> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Will Deacon
mainline inclusion from mainline-v5.6-rc1 commit 4312cf7f category: bugfix bugzilla: 30226, https://gitee.com/openeuler/kernel/issues/I6H9U5 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4312cf7f16c8d43e154bf2a6eea6d1e9347c922c -------------------------------- 'bus_set_iommu()' allows IOMMU drivers to register their ops for a given bus type. Unfortunately, it then doesn't allow them to be removed, which is necessary for modular drivers to shutdown cleanly so that they can be reloaded later on. Allow 'bus_set_iommu()' to take a NULL 'ops' argument, which clears the ops pointer for the selected bus_type. Signed-off-by: Will Deacon <will@kernel.org> Tested-by: John Garry <john.garry@huawei.com> # smmu v3 Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Will Deacon
mainline inclusion from mainline-v5.6-rc1 commit a7ba5c3d category: bugfix bugzilla: 30237, https://gitee.com/openeuler/kernel/issues/I6H9U5 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a7ba5c3d008dd78d881a1658eae5a2275ebd5087 -------------------------------- Building IOMMU drivers as modules requires that the core IOMMU API symbols are exported as GPL symbols. Signed-off-by: Will Deacon <will@kernel.org> Tested-by: John Garry <john.garry@huawei.com> # smmu v3 Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Joerg Roedel <jroedel@suse.de> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Lubomir Rintel
stable inclusion from stable-v4.19.101 commit b7d002c50902fdde05a087fb7c776287be0b86f1 category: bugfix bugzilla: 29297, https://gitee.com/openeuler/kernel/issues/I6H9U5 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b7d002c50902fdde05a087fb7c776287be0b86f1 -------------------------------- commit ef9ffc1e upstream. The match data does not have to be a struct device pointer, and indeed very often is not. Attempt to treat it as such easily results in a crash. For the components that are not registered, we don't know which device is missing. Once it is there, we can use the struct component to get the device and whether it's bound or not. Fixes: 59e73854 ('component: add debugfs support') Signed-off-by: Lubomir Rintel <lkundrak@v3.sk> Cc: stable <stable@vger.kernel.org> Cc: Arnaud Pouliquen <arnaud.pouliquen@st.com> Link: https://lore.kernel.org/r/20191118115431.63626-1-lkundrak@v3.sk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Andy Shevchenko
mainline inclusion from mainline-v5.5-rc1 commit 8ee7b485 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I69WIO CVE: NA -------------------------------- Use %*ph format to print small buffer as hex string. The change is safe since the specifier can handle up to 64 bytes and taking into account the buffer size of 100 bytes on stack the function has never been used to dump more than 32 bytes. Note, this also avoids potential buffer overflow if the length of the input buffer is bigger. This completely eliminates ipmi_debug_msg() in favour of Dynamic Debug. Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Message-Id: <20191011155036.36748-1-andriy.shevchenko@linux.intel.com> Signed-off-by: Corey Minyard <cminyard@mvista.com> Conflicts: drivers/char/ipmi/ipmi_msghandler.c v2->v1: Add conflicts commit msg Signed-off-by: Lu Jialin <lujialin4@huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Herbert Xu
mainline inclusion from mainline-v5.5-rc1 commit 5b0fe955 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6F049 CVE: NA -------------------------------- When algif_skcipher does a partial operation it always processes data that is a multiple of blocksize. However, for algorithms such as CTR this is wrong because even though it can process any number of bytes overall, the partial block must come at the very end and not in the middle. This is exactly what chunksize is meant to describe so this patch changes blocksize to chunksize. Fixes: 8ff59090 ("crypto: algif_skcipher - User-space...") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Conflicts: include/crypto/internal/skcipher.h include/crypto/skcipher.h Signed-off-by: Lu Jialin <lujialin4@huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com> Reviewed-by: guozihua <guozihua@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Herbert Xu
stable inclusion from stable-v4.19.153 commit b0112ecef7d8e65b71ee9e30d9635788ddcbb48b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6FMKH CVE: NA -------------------------------- [ Upstream commit 2a05b029 ] I removed the MAY_BACKLOG flag on the aio path a while ago but the error check still incorrectly interpreted EBUSY as success. This may cause the submitter to wait for a request that will never complete. Fixes: dad41997 ("crypto: algif_skcipher - Do not set...") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Lu Jialin <lujialin4@huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com> Reviewed-by: guozihua <guozihua@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Eric Biggers
mainline inclusion from mainline-v5.18-rc1 commit a24611ea category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6HB6T CVE: NA -------------------------------- Before checking whether the expected digest_info is present, we need to check that there are enough bytes remaining. Fixes: a49de377 ("crypto: Add hash param to pkcs1pad") Cc: <stable@vger.kernel.org> # v4.6+ Cc: Tadeusz Struk <tadeusz.struk@linaro.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Conflicts: crypto/rsa-pkcs1pad.c Signed-off-by: GUO Zihua <guozihua@huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 23 Feb, 2023 1 commit
-
-
Committed by Liu Shixin
hulk inclusion category: bugfix bugzilla: 46904, https://gitee.com/openeuler/kernel/issues/I6GSKP CVE: NA -------------------------------- For a hwpoison hugetlb page, the page will be freed firstly. If succeed, it will be dissolved and released to buddy system, then isolate the hwpoison page. For a hwpoison hugepage belonging to dynamic hugetlb, we isolate the hugepage without dissolving it. Add a check in free_huge_page_to_dhugetlb_pool() to isolate the hwpoison hugepage directly. And keep HUGETLB_PAGE_DTOR after free to ensure the PageHuge() check returns true in dissolve_free_huge_page(). Fixes: 0f0535e57da ("dhugetlb: skip dissolve hugepage belonging to dynamic hugetlb") Signed-off-by: Liu Shixin <liushixin2@huawei.com> Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 22 Feb, 2023 1 commit
-
-
Committed by Wang Wensheng
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6G76L CVE: NA ---------------------------------------------- When a process is deleted from a group, the process does not apply for memory from the shared group. Otherwise, the UAF problem occurs. We checked this, but it didn't do a good job of preventing sp_alloc and del_task concurrency. The process applies for memory after passing the check, which violates our requirements and causes problems. The solution is to place the checked code in the critical area to ensure that no memory can be allocated after the check is passed. [ T7596] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098 [ T7596] Mem abort info: [ T7596] ESR = 0x96000004 [ T7596] EC = 0x25: DABT (current EL), IL = 32 bits [ T7596] SET = 0, FnV = 0 [ T7596] EA = 0, S1PTW = 0 [ T7596] Data abort info: [ T7596] ISV = 0, ISS = 0x00000004 [ T7596] CM = 0, WnR = 0 [ T7596] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001040a3000 [ T7596] [0000000000000098] pgd=0000000000000000, p4d=0000000000000000 [ T7596] Internal error: Oops: 96000004 [#1] SMP [ T7596] Modules linked in: sharepool_dev(OE) [last unloaded: demo] [ T7596] CPU: 1 PID: 7596 Comm: test_sp_group_d Tainted: G OE 5.10.0+ #8 [ T7596] Hardware name: linux,dummy-virt (DT) [ T7596] pstate: 20000005 (nzCv daif -PAN -UAO -TCO BTYPE=--) [ T7596] pc : sp_free_area+0x34/0x120 [ T7596] lr : sp_free_area+0x30/0x120 [ T7596] sp : ffff80001c6a3b20 [ T7596] x29: ffff80001c6a3b20 x28: 0000000000000009 [ T7596] x27: 0000000000000000 x26: ffff800011c49d20 [ T7596] x25: ffff0000c227f6c0 x24: 0000000000000008 [ T7596] x23: ffff0000c0cf0ce8 x22: 0000000000000001 [ T7596] x21: ffff0000c4082b30 x20: 0000000000000000 [ T7596] x19: ffff0000c4082b00 x18: 0000000000000000 [ T7596] x17: 0000000000000000 x16: 0000000000000000 [ T7596] x15: 0000000000000000 x14: 0000000000000000 [ T7596] x13: 0000000000000000 x12: ffff0005fffe12c0 [ T7596] x11: 
0000000000000008 x10: ffff0005fffe12c0 [ T7596] x9 : ffff8000103eb690 x8 : 0000000000000001 [ T7596] x7 : 0000000000210d00 x6 : 0000000000000000 [ T7596] x5 : ffff8000123edea0 x4 : 0000000000000030 [ T7596] x3 : ffffeff000000000 x2 : 0000eff000000000 [ T7596] x1 : 0000e80000000000 x0 : 0000000000000000 [ T7596] Call trace: [ T7596] sp_free_area+0x34/0x120 [ T7596] __sp_area_drop_locked+0x3c/0x60 [ T7596] sp_area_drop+0x80/0xbc [ T7596] remove_vma+0x54/0x70 [ T7596] exit_mmap+0x114/0x1d0 [ T7596] mmput+0x90/0x1ec [ T7596] exit_mm+0x1d0/0x2f0 [ T7596] do_exit+0x180/0x400 [ T7596] do_group_exit+0x40/0x114 [ T7596] get_signal+0x1e8/0x720 [ T7596] do_signal+0x11c/0x1e4 [ T7596] do_notify_resume+0x15c/0x250 [ T7596] work_pending+0xc/0x6d8 [ T7596] Code: f9400001 f9402c00 97fff0e5 aa0003f4 (f9404c00) [ T7596] ---[ end trace 3c8368d77e758ebd ]--- Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 18 Feb, 2023 1 commit
-
-
Committed by openeuler-ci-bot
Merge Pull Request from: @CTC-XiboWang This PR is cherry-pick from upstream "net: bonding: Inherit MPLS features from slave devices" Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/net/bonding?id=2e770b507ccde8eedc129946e4b78ceed0a22df2 Link:https://gitee.com/openeuler/kernel/pulls/213 Reviewed-by: Laibin Qiu <qiulaibin@huawei.com> Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: Jackie Liu <liuyun01@kylinos.cn> Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
- 16 Feb, 2023 5 commits
-
-
Committed by Chen Zhongjin
hulk inclusion category: bugfix bugzilla: 187818, https://gitee.com/openeuler/kernel/issues/I6DK3O CVE: NA -------------------------------- check_paravirt() calls orc_find() before its implementation code. If CONFIG_DYNAMIC_FTRACE is enabled, orc_find() will be declared earlier and compiling will not fail. Otherwise it will fail for "implicit declaration of function 'orc_find'". Move declaration of orc_find() out of CONFIG_DYNAMIC_FTRACE macro to fix this. Fixes: fecb933c06b8 ("x86/unwind: Fix orc entry for paravirt {save,restore}_fl") Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com> Reviewed-by: Zheng Yejian <zhengyejian1@huawei.com> Reviewed-by: Xu Kuohai <xukuohai@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Liu Shixin
hulk inclusion category: bugfix bugzilla: 46904, https://gitee.com/openeuler/kernel/issues/I6FCQZ CVE: NA -------------------------------- When dynamic hugetlb is enabled, the hpool should be NULL for cont-bit hugepage, set it. Fixes: f15774c6 ("dhugetlb: only support 1G/2M hugepage and ARM64_4K_PAGES") Signed-off-by: Liu Shixin <liushixin2@huawei.com> Reviewed-by: Nanyong Sun <sunnanyong@huawei.com> Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Wang Wensheng
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I6FK2R CVE: NA ------------------------------- This feature has been deleted. Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Wang Wensheng
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I6FK2R CVE: NA ------------------------------- This feature is not actually used and introduces a list double added problem. Just delete its source. ------------[ cut here ]------------ list_add double add: new=ffff20000cdd1780, prev=ffff20000cdd1780, next=ffff20000cd1f300. WARNING: CPU: 1 PID: 31515 at lib/list_debug.c:35 __list_add_valid+0x124/0x158 lib/list_debug.c:33 Modules linked in: CPU: 1 PID: 31515 Comm: syz-executor.2 Not tainted 4.19.90 #1 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO) pc : __list_add_valid+0x124/0x158 lib/list_debug.c:33 lr : __list_add_valid+0x124/0x158 lib/list_debug.c:33 ... Call trace: __list_add_valid+0x124/0x158 lib/list_debug.c:33 __list_add include/linux/list.h:60 [inline] list_add_tail include/linux/list.h:93 [inline] register_shrinker_prepared+0x4c/0x130 mm/vmscan.c:420 register_shrinker+0x38/0x50 mm/vmscan.c:431 hugepage_tuning_enable+0x60/0x360 mm/hugepage_tuning.c:558 hp_enable_store+0x88/0x108 mm/hugepage_tuning.c:460 hugepage_tuning_attr_store+0x68/0x98 mm/hugepage_tuning.c:402 sysfs_kf_write+0x114/0x190 fs/sysfs/file.c:139 kernfs_fop_write+0x264/0x4b8 fs/kernfs/file.c:316 __vfs_write+0xf4/0x5a0 fs/read_write.c:487 vfs_write+0x144/0x400 fs/read_write.c:551 ksys_write+0xf4/0x238 fs/read_write.c:601 __do_sys_write fs/read_write.c:613 [inline] __se_sys_write fs/read_write.c:610 [inline] __arm64_sys_write+0x74/0xa8 fs/read_write.c:610 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common+0x134/0x570 arch/arm64/kernel/syscall.c:121 el0_svc_handler+0x190/0x260 arch/arm64/kernel/syscall.c:190 el0_svc+0x10/0x640 arch/arm64/kernel/entry.S:1028 ---[ end trace 328ad58f62232ded ]--- Revert "arm64/ascend: Add auto tuning hugepage module" This reverts commit ecec54f4.
Revert "arm64/ascend: Add hugepage flags change interface" This reverts commit db1d159b. Revert "arm64/ascend: Add set hugepage number helper function" This reverts commit b6bcd500. Revert "arm64/ascend: Add mmap hook when alloc hugepage" This reverts commit d9952490. Revert "arm64/ascend: Add new CONFIG for auto-tuning hugepage" This reverts commit 2597ada2. Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by: Weilong Chen <chenweilong@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Liu Shixin
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6AXGS CVE: NA -------------------------------- syzbot is reporting GFP_KERNEL allocation with oom_lock held when reporting memcg OOM [1]. If this allocation triggers the global OOM situation then the system can livelock because the GFP_KERNEL allocation with oom_lock held cannot trigger the global OOM killer because __alloc_pages_may_oom() fails to hold oom_lock. The problem mentioned above has been fixed by patch[2]. There is the same problem in memcg_memfs_info feature too. Refer to the patch[2], fix it by removing the allocation from mem_cgroup_print_memfs_info() completely, and pass static buffer when calling from memcg OOM path. Link: https://syzkaller.appspot.com/bug?extid=2d2aeadc6ce1e1f11d45 [1] Link: https://lkml.kernel.org/r/86afb39f-8c65-bec2-6cfc-c5e3cd600c0b@I-love.SAKURA.ne.jp [2] Fixes: 6b1d4d3a ("mm/memcg_memfs_info: show files that having pages charged in mem_cgroup") Signed-off-by: Liu Shixin <liushixin2@huawei.com> Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 15 Feb, 2023 2 commits
-
-
Committed by Nikolay Aleksandrov
mainline inclusion from mainline-v5.16-rc8 commit 99b40610 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DKZJ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=99b40610956a8a8755653a67392e2a8b772453be -------------------------------- As reported[1] if query interval is set too low and we have multiple bridges or even a single bridge with multiple querier vlans configured we can crash the machine. Add a 1 second minimum which must be enforced by overwriting the value if set lower (i.e. without returning an error) to avoid breaking user-space. If that happens a log message is emitted to let the administrator know that the interval has been set to the minimum. The issue has been present since these intervals could be user-controlled. [1] https://lore.kernel.org/netdev/e8b9ce41-57b9-b6e2-a46a-ff9c791cf0ba@gmail.com/ Fixes: d902eee4 ("bridge: Add multicast count/interval sysfs entries") Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Conflicts: net/bridge/br_multicast.c net/bridge/br_netlink.c net/bridge/br_private.h net/bridge/br_sysfs_br.c Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Nikolay Aleksandrov
mainline inclusion from mainline-v5.16-rc8 commit f83a112b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DKZJ CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f83a112bd91a494cdee671aec74e777470fb4a07 -------------------------------- As reported[1] if startup query interval is set too low in combination with large number of startup queries and we have multiple bridges or even a single bridge with multiple querier vlans configured we can crash the machine. Add a 1 second minimum which must be enforced by overwriting the value if set lower (i.e. without returning an error) to avoid breaking user-space. If that happens a log message is emitted to let the admin know that the startup interval has been set to the minimum. It doesn't make sense to make the startup interval lower than the normal query interval so use the same value of 1 second. The issue has been present since these intervals could be user-controlled. [1] https://lore.kernel.org/netdev/e8b9ce41-57b9-b6e2-a46a-ff9c791cf0ba@gmail.com/ Fixes: d902eee4 ("bridge: Add multicast count/interval sysfs entries") Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Conflicts: net/bridge/br_multicast.c net/bridge/br_netlink.c net/bridge/br_private.h net/bridge/br_sysfs_br.c Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com> Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 14 Feb, 2023 3 commits
-
-
Committed by openeuler-ci-bot
Merge Pull Request from: @wang-yufen316 This is achieved by broadcasting ARP or ND packets to all of its slave devices on transmit side. The switch will take further actions based on proper configuration. A new sysctl knob "net.bonding.broadcast_arp_or_nd" is introduced which controls the behaviour of broadcasting. Link:https://gitee.com/openeuler/kernel/pulls/396 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Reviewed-by: Laibin Qiu <qiulaibin@huawei.com> Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com> Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
-
Committed by Yu Kuai
mainline inclusion from mainline-v6.2-rc5 commit 216f7647 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6DZIB CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=216f764716f34fe68cedc7296ae2043a7727e640 -------------------------------- The updating of 'bfqg->ref' should be protected by 'bfqd->lock', however, during code review, we found that bfq_pd_free() updates 'bfqg->ref' without holding the lock, which is problematic: 1) bfq_pd_free() triggered by removing cgroup is called asynchronously; 2) bfqq will grab bfqg reference, and exit bfqq will drop the reference, which can be concurrent with 1). Unfortunately, 'bfqd->lock' can't be held here because 'bfqd' might already be freed in bfq_pd_free(). Fix the problem by using atomic refcount apis. Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/20230103084755.1256479-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Reviewed-by: Hou Tao <houtao1@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Rodrigo Branco
stable inclusion from stable-v4.19.270 commit 940ede60d74d2fc7291b96cb38072d705333c8e0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6CU98 CVE: CVE-2023-0045 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.19.y&id=940ede60d74d2fc7291b96cb38072d705333c8e0 -------------------------------- commit a664ec91 upstream. We missed the window between the TIF flag update and the next reschedule. Signed-off-by: Rodrigo Branco <bsdaemon@google.com> Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Ingo Molnar <mingo@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yuyao Lin <linyuyao1@huawei.com> Reviewed-by: Wei Li <liwei391@huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
- 13 Feb, 2023 2 commits
-
-
Committed by Liu Shixin
stable inclusion from stable-v4.19.270 commit 9c7fba9503b826f0c061d136f8f0c9f953ed18b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/risc-v-kernel/issues/I6CIGU CVE: CVE-2023-0615 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9c7fba9503b826f0c061d136f8f0c9f953ed18b9 -------------------------------- [ Upstream commit 94a7ad92 ] syzkaller found a bug: BUG: unable to handle page fault for address: ffffc9000a3b1000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:memcpy_erms+0x6/0x10 [...] Call Trace: <TASK> ? tpg_fill_plane_buffer+0x856/0x15b0 vivid_fillbuff+0x8ac/0x1110 vivid_thread_vid_cap_tick+0x361/0xc90 vivid_thread_vid_cap+0x21a/0x3a0 kthread+0x143/0x180 ret_from_fork+0x1f/0x30 </TASK> This is because we forget to check boundary after adjusting compose->height in V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem for this case. Fixes: ef834f78 ("[media] vivid: add the video capture and output parts") Signed-off-by: Liu Shixin <liushixin2@huawei.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Longlong Xia <xialonglong1@huawei.com> Reviewed-by: Nanyong Sun <sunnanyong@huawei.com> Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
-
Committed by Tony Lu
anolis inclusion from devel-4.19 commit e8f3dccdd4460162518bcaac7d9a0a05f9d455c4 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I697AN CVE: NA Reference: https://gitee.com/anolis/cloud-kernel/commit/e8f3dccdd4460162518bcaac7d9a0a05f9d455c4 --------------------------- ANBZ: #3666 This is achieved by broadcasting ARP or ND packets to all of its slave devices on transmit side. The switch will take further actions based on proper configuration. A new sysctl knob "net.bonding.broadcast_arp_or_nd" is introduced which controls the behaviour of broadcasting. Signed-off-by: Tony Lu <tonylu@linux.alibaba.com> Signed-off-by: Qiao Ma <mqaio@linux.alibaba.com> Reviewed-by: Shile Zhang <shile.zhang@linux.alibaba.com> Acked-by: Dust Li <dust.li@linux.alibaba.com> Link: https://gitee.com/anolis/cloud-kernel/pulls/1061
-