- 10 8月, 2023 7 次提交
-
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit 7fbc48aa. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit c92b8f62. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit 987f422a. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit 92c6f2cf. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit f5432d46. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit 702c687c. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jiantao Xiao 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7ON9Y CVE: NA ---------------------------------------------------------------------- This reverts commit b62afba4. Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
- 03 8月, 2023 6 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Ziyang Xuan <william.xuanziyang@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/5LGGZAJFGQ7GMAJWNGCSQVWZZ2K26FKH/ Backport CVE-2023-3863 fix commits. v2: - Resend the patchset. Krzysztof Kozlowski (1): nfc: llcp: simplify llcp_sock_connect() error paths Lin Ma (1): net: nfc: Fix use-after-free caused by nfc_llcp_find_local -- 2.25.1 https://gitee.com/src-openeuler/kernel/issues/I7NLJR Link:https://gitee.com/openeuler/kernel/pulls/1604 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
!1555 net: hns3: fix setting wrong tx_timeout value issue and synchronizes the differences between the kernel and openeuler Merge Pull Request from: @svishen This patch fix setting wrong tx_timeout value issue and fix some tc bug issue: https://gitee.com/openeuler/kernel/issues/I7OL9R Link:https://gitee.com/openeuler/kernel/pulls/1555 Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Hui Tang <tanghui20@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6VOVLX7JNJMSBWIH6TBFRFMXDKVTP6ME/ https://gitee.com/openeuler/kernel/issues/I7PNAF Link:https://gitee.com/openeuler/kernel/pulls/1611 Reviewed-by: Zucheng Zheng <zhengzucheng@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Jijie Shao 提交于
mainline inclusion from mainline-v6.5-rc2 commit 882481b1c55fc44861d7e2d54b4e0936b1b39f2c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7OL9R CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=882481b1c55fc44861d7e2d54b4e0936b1b39f2c ---------------------------------------------------------------------- In dwrr mode, the default bandwidth weight of disabled tc is set to 0. If the bandwidth weight is 0, the mode will change to sp. Therefore, disabled tc default bandwidth weight need changed to 1, and 0 is returned when query the bandwidth weight of disabled tc. In addition, driver need stop configure bandwidth weight if tc is disabled. Fixes: 84844054 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver") Signed-off-by: NJie Wang <wangjie125@huawei.com> Signed-off-by: NJijie Shao <shaojijie@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 Jijie Shao 提交于
mainline inclusion from mainline-v6.5-rc2 commit 116d9f732eef634abbd871f2c6f613a5b4677742 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7OL9R CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=116d9f732eef634abbd871f2c6f613a5b4677742 ---------------------------------------------------------------------- Currently, the weight saved by the driver is used as the query result, which may be different from the actual weight in the register. Therefore, the register value read from the firmware is used as the query result Fixes: 0e32038d ("net: hns3: refactor dump tc of debugfs") Signed-off-by: NJijie Shao <shaojijie@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NJiantao Xiao <xiaojiantao1@h-partners.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: ZhaoLong Wang <wangzhaolong1@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6ETLQBKJNMKNALJRDIYCV27MJA2XG66X/ mainline patch f5c779b7("ksmbd: fix racy issue from session setup and logoff") It fixes three CVEs: CVE-2023-32250 CVE-2023-32252 CVE-2023-32257 In order to successfully apply the patch, we chose to incorporate the related pre-installed bugfix patch. Colin Ian King (1): ksmbd: Fix spelling mistake "excceed" -> "exceeded" Dawei Li (1): ksmbd: Implements sess->ksmbd_chann_list as xarray Namjae Jeon (2): ksmbd: limit pdu length size according to connection status ksmbd: fix racy issue from session setup and logoff -- 2.34.3 https://gitee.com/src-openeuler/kernel/issues/I7BG0L https://gitee.com/openeuler/kernel/issues/I7CETC Link:https://gitee.com/openeuler/kernel/pulls/1621 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 02 8月, 2023 6 次提交
-
-
由 Namjae Jeon 提交于
mainline inclusion from mainline-v6.4-rc1 commit f5c779b7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7BG0L CVE: CVE-2023-32250,CVE-2023-32252,CVE-2023-32257 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5c779b7ddbda30866cf2a27c63e34158f858c73 -------------------------------- This racy issue is triggered by sending concurrent session setup and logoff requests. This patch does not set connection status as KSMBD_SESS_GOOD if state is KSMBD_SESS_NEED_RECONNECT in session setup. And relookup session to validate if session is deleted in logoff. Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-20481, ZDI-CAN-20590, ZDI-CAN-20596 Signed-off-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
-
由 Colin Ian King 提交于
mainline inclusion from mainline-v6.3-rc1 commit 7a17c61e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7a17c61ee3b2683c40090179c273f4701fca9677 -------------------------------- There is a spelling mistake in an error message. Fix it. Signed-off-by: NColin Ian King <colin.i.king@gmail.com> Acked-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
-
由 Namjae Jeon 提交于
mainline inclusion from mainline-v6.3-rc1 commit 62c487b5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=62c487b53a7ff31e322cf2874d3796b8202c54a5 -------------------------------- Stream protocol length will never be larger than 16KB until session setup. After session setup, the size of requests will not be larger than 16KB + SMB2 MAX WRITE size. This patch limits these invalidly oversized requests and closes the connection immediately. Fixes: 0626e664 ("cifsd: add server handler for central processing and tranport layers") Cc: stable@vger.kernel.org Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18259 Signed-off-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com> Conflicts: fs/ksmbd/smb2pdu.h
-
由 Dawei Li 提交于
mainline inclusion from mainline-v6.3-rc1 commit 1d9c4172 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CETC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1d9c4172110e645b383ff13eee759728d74f1a5d -------------------------------- For some ops on channel: 1. lookup_chann_list(), possibly on high frequency. 2. ksmbd_chann_del(). Connection is used as indexing key to lookup channel, in that case, linear search based on list may suffer a bit for performance. Implements sess->ksmbd_chann_list as xarray. Signed-off-by: NDawei Li <set_pte_at@outlook.com> Acked-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NZhaoLong Wang <wangzhaolong1@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @sanglipeng Backport 5.10.160 - 5.10.162 LTS patches from upstream. Conflicts: Already merged(29): 75454b4bbfc7: io_uring: add missing item types for splice request eb6313c12955: nfp: fix use-after-free in area_cache_get() f3fe6817156a: Bluetooth: L2CAP: Fix u8 overflow 1500fed00878: kernel: provide create_io_thread() helper e86db87191d8: iov_iter: add helper to save iov_iter state c1fe7bd3e1aa: fs: add support for LOOKUP_CACHED 146fe79fff13: fix handling of nd->depth on LOOKUP_CACHED failures in try_to_unlazy* 0cf0ce8fb5b1: Make sure nd->path.mnt and nd->path.dentry are always valid pointers 5683caa7350f: fs: expose LOOKUP_CACHED through openat2() RESOLVE_CACHED 069ac28d9243: net: provide __sys_shutdown_sock() that takes a socket ad0b0137953a: net: add accept helper not installing fd 52cfde6bbf64: signal: Add task_sigpending() helper 214f80e25176: fs: make do_renameat2() take struct filename 57b20530363d: file: Rename __close_fd_get_file close_fd_get_file d2136fc145be: fs: provide locked helper variant of close_fd_get_file() 3c295bd2ddae: entry: Add support for TIF_NOTIFY_SIGNAL 4b1dcf8ec9b2: x86: Wire up TIF_NOTIFY_SIGNAL 79a9991e87fe: arm64: add support for TIF_NOTIFY_SIGNAL abab3d4444b5: powerpc: add support for TIF_NOTIFY_SIGNAL 1bee9dbbcabb: arm: add support for TIF_NOTIFY_SIGNAL 78a53ff02656: riscv: add support for TIF_NOTIFY_SIGNAL 90a2c3821bbf: kernel: remove checking for TIF_NOTIFY_SIGNAL 4b4d2c79921: Limit what can interrupt coredumps 320c8057eceb: arch: setup PF_IO_WORKER threads like PF_KTHREAD dd26e2cec74f: arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread() f0a5f0dc0131: x86/process: setup io_threads more like normal user space threads 831cb78a2a5e: kernel: don't call do_exit() for PF_IO_WORKER threads ed3005032993: task_work: add helper for more targeted task_work canceling 788d0824269b: io_uring: import 5.15-stable io_uring Kabi change(1): a3025359ffa7 net: remove cmsg restriction from io_uring based send/recvmsg calls Total patches: 96 - 29 - 1 = 66 Link:https://gitee.com/openeuler/kernel/pulls/1578 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Lu Wei <luwei32@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/BHZDZMZMO33GAMZUG6UGXE75EWRFJO7B/ https://gitee.com/src-openeuler/kernel/issues/I7N3N2 Link:https://gitee.com/openeuler/kernel/pulls/1591 Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 01 8月, 2023 4 次提交
-
-
由 Hui Tang 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7PNAF ------------------------------- Fix build error if defined(!CONFIG_JUMP_LABEL) && defined(CONFIG_QOS_SCHED_DYNAMIC_AFFINITY). Fixes: d8f77f89 ("sched: fix performance degradation on lmbench") Signed-off-by: NHui Tang <tanghui20@huawei.com>
-
由 Lin Ma 提交于
stable inclusion from stable-v5.10.188 commit 96f2c6f272ec04083d828de46285a7d7b17d1aad category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NLJR CVE: CVE-2023-3863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=96f2c6f272ec04083d828de46285a7d7b17d1aad --------------------------- [ Upstream commit 6709d4b7bc2e079241fdef15d1160581c5261c10 ] This commit fixes several use-after-free that caused by function nfc_llcp_find_local(). For example, one UAF can happen when below buggy time window occurs. // nfc_genl_llc_get_params | // nfc_unregister_device | dev = nfc_get_device(idx); | device_lock(...) if (!dev) | dev->shutting_down = true; return -ENODEV; | device_unlock(...); | device_lock(...); | // nfc_llcp_unregister_device | nfc_llcp_find_local() nfc_llcp_find_local(...); | | local_cleanup() if (!local) { | rc = -ENODEV; | // nfc_llcp_local_put goto exit; | kref_put(.., local_release) } | | // local_release | list_del(&local->list) // nfc_genl_send_params | kfree() local->dev->idx !!!UAF!!! | | and the crash trace for the one of the discussed UAF like: BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 Read of size 8 at addr ffff888105b0e410 by task 20114 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:319 [inline] print_report+0xcc/0x620 mm/kasan/report.c:430 kasan_report+0xb2/0xe0 mm/kasan/report.c:536 nfc_genl_send_params net/nfc/netlink.c:999 [inline] nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0 net/netlink/genetlink.c:968 genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] genl_rcv_msg+0x503/0x7d0 net/netlink/genetlink.c:1065 netlink_rcv_skb+0x161/0x430 net/netlink/af_netlink.c:2548 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x644/0x900 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x934/0xe70 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b6/0x200 net/socket.c:747 ____sys_sendmsg+0x6e9/0x890 net/socket.c:2501 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555 __sys_sendmsg+0xf7/0x1d0 net/socket.c:2584 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f34640a2389 RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006 RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000 </TASK> Allocated by task 20116: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:383 kmalloc include/linux/slab.h:580 [inline] kzalloc include/linux/slab.h:720 [inline] nfc_llcp_register_device+0x49/0xa40 net/nfc/llcp_core.c:1567 nfc_register_device+0x61/0x260 net/nfc/core.c:1124 nci_register_device+0x776/0xb20 net/nfc/nci/core.c:1257 virtual_ncidev_open+0x147/0x230 drivers/nfc/virtual_ncidev.c:148 misc_open+0x379/0x4a0 drivers/char/misc.c:165 chrdev_open+0x26c/0x780 fs/char_dev.c:414 do_dentry_open+0x6c4/0x12a0 fs/open.c:920 do_open fs/namei.c:3560 [inline] path_openat+0x24fe/0x37e0 fs/namei.c:3715 do_filp_open+0x1ba/0x410 fs/namei.c:3742 do_sys_openat2+0x171/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_openat fs/open.c:1388 [inline] __se_sys_openat fs/open.c:1383 [inline] __x64_sys_openat+0x143/0x200 fs/open.c:1383 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 20115: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free mm/kasan/common.c:200 [inline] __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:162 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook mm/slub.c:1807 [inline] slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x7a/0x190 mm/slub.c:3800 local_release net/nfc/llcp_core.c:174 [inline] kref_put include/linux/kref.h:65 [inline] nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline] nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline] nfc_llcp_unregister_device+0x206/0x290 net/nfc/llcp_core.c:1620 nfc_unregister_device+0x160/0x1d0 net/nfc/core.c:1179 virtual_ncidev_close+0x52/0xa0 drivers/nfc/virtual_ncidev.c:163 __fput+0x252/0xa20 fs/file_table.c:321 task_work_run+0x174/0x270 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x108/0x110 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:297 do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc Last potentially related work creation: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 __kasan_record_aux_stack+0x95/0xb0 mm/kasan/generic.c:491 kvfree_call_rcu+0x29/0xa80 kernel/rcu/tree.c:3328 drop_sysctl_table+0x3be/0x4e0 fs/proc/proc_sysctl.c:1735 unregister_sysctl_table.part.0+0x9c/0x190 fs/proc/proc_sysctl.c:1773 unregister_sysctl_table+0x24/0x30 fs/proc/proc_sysctl.c:1753 neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3895 addrconf_notify+0x140/0x17b0 net/ipv6/addrconf.c:3684 notifier_call_chain+0xbe/0x210 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x150 net/core/dev.c:1937 call_netdevice_notifiers_extack net/core/dev.c:1975 [inline] call_netdevice_notifiers net/core/dev.c:1989 [inline] dev_change_name+0x3c3/0x870 net/core/dev.c:1211 dev_ifsioc+0x800/0xf70 net/core/dev_ioctl.c:376 dev_ioctl+0x3d9/0xf80 net/core/dev_ioctl.c:542 sock_do_ioctl+0x160/0x260 net/socket.c:1213 sock_ioctl+0x3f9/0x670 net/socket.c:1316 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc The buggy address belongs to the object at ffff888105b0e400 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 16 bytes inside of freed 1024-byte region [ffff888105b0e400, ffff888105b0e800) The buggy address belongs to the physical page: head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10 raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb In summary, this patch solves those use-after-free by 1. Re-implement the nfc_llcp_find_local(). The current version does not grab the reference when getting the local from the linked list. For example, the llcp_sock_bind() gets the reference like below: // llcp_sock_bind() local = nfc_llcp_find_local(dev); // A ..... \ | raceable ..... / llcp_sock->local = nfc_llcp_local_get(local); // B There is an apparent race window that one can drop the reference and free the local object fetched in (A) before (B) gets the reference. 2. Some callers of the nfc_llcp_find_local() do not grab the reference at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions. We add the nfc_llcp_local_put() for them. Moreover, we add the necessary error handling function to put the reference. 3. Add the nfc_llcp_remove_local() helper. The local object is removed from the linked list in local_release() when all reference is gone. This patch removes it when nfc_llcp_unregister_device() is called. Therefore, every caller of nfc_llcp_find_local() will get a reference even when the nfc_llcp_unregister_device() is called. This promises no use-after-free for the local object is ever possible. Fixes: 52feb444 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support") Fixes: c7aa1225 ("NFC: Take a reference on the LLCP local pointer when creating a socket") Signed-off-by: NLin Ma <linma@zju.edu.cn> Reviewed-by: NSimon Horman <simon.horman@corigine.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
-
由 Krzysztof Kozlowski 提交于
stable inclusion from stable-v5.10.188 commit a3a1550c4d2e5fecbd317778ef2832e933d4774b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NLJR CVE: CVE-2023-3863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a3a1550c4d2e5fecbd317778ef2832e933d4774b --------------------------- [ Upstream commit ec10fd15 ] The llcp_sock_connect() error paths were using a mixed way of central exit (goto) and cleanup Signed-off-by: NKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Stable-dep-of: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local") Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Lu Jialin <lujialin4@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/PC6T7HRTE7LIGXV2HL57QYEPFKPNYTCX/ https://gitee.com/openeuler/kernel/issues/I7OOZR Link:https://gitee.com/openeuler/kernel/pulls/1581 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
- 31 7月, 2023 17 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Longlong Xia <xialonglong1@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/MRUYLTWKNNGDLYTDA5J4NZTSS63O4NQD/ https://gitee.com/src-openeuler/kernel/issues/I7L0Z9 Link:https://gitee.com/openeuler/kernel/pulls/1547 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @ci-robot PR sync from: Long Li <leo.lilong@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/WWGP5YIJCFVLQK67BM5AROHE2XTHIAJ3/ https://gitee.com/src-openeuler/kernel/issues/I7LU2N Link:https://gitee.com/openeuler/kernel/pulls/1585 Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 189556b05e1770263c43fa5b4c689e7cd3fa5b4e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=189556b05e1770263c43fa5b4c689e7cd3fa5b4e -------------------------------- [ Upstream commit 44648532 ] Pass in EPOLL_URING_WAKE when signaling eventfd or doing poll related wakups, so that we can check for a circular event dependency between eventfd and epoll. If this flag is set when our wakeup handlers are called, then we know we have a dependency that needs to terminate multishot requests. eventfd and epoll are the only such possible dependencies. Cc: stable@vger.kernel.org # 6.0 Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 4ef66581d7fdbd9bfe0b399c1a2479f8ea5cfdf0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4ef66581d7fdbd9bfe0b399c1a2479f8ea5cfdf0 -------------------------------- [ Upstream commit 03e02acd ] This is identical to eventfd_signal(), but it allows the caller to pass in a mask to be used for the poll wakeup key. The use case is avoiding repeated multishot triggers if we have a dependency between eventfd and io_uring. If we setup an eventfd context and register that as the io_uring eventfd, and at the same time queue a multishot poll request for the eventfd context, then any CQE posted will repeatedly trigger the multishot request until it terminates when the CQ ring overflows. In preparation for io_uring detecting this circular dependency, add the mentioned helper so that io_uring can pass in EPOLL_URING as part of the poll wakeup key. Cc: stable@vger.kernel.org # 6.0 [axboe: fold in !CONFIG_EVENTFD fix from Zhang Qilong] Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 2f093775022b45253b0d8df0e7296e7bc0d13a7b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2f093775022b45253b0d8df0e7296e7bc0d13a7b -------------------------------- [ Upstream commit caf1aeaf ] We can have dependencies between epoll and io_uring. Consider an epoll context, identified by the epfd file descriptor, and an io_uring file descriptor identified by iofd. If we add iofd to the epfd context, and arm a multishot poll request for epfd with iofd, then the multishot poll request will repeatedly trigger and generate events until terminated by CQ ring overflow. This isn't a desired behavior. Add EPOLL_URING so that io_uring can pass it in as part of the poll wakeup key, and io_uring can check for that to detect a potential recursive invocation. Cc: stable@vger.kernel.org # 6.0 Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit b76c5373f084c802964e751efb825934a9bbbbec category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b76c5373f084c802964e751efb825934a9bbbbec -------------------------------- [ Upstream commit 9e8d9e82 ] This reverts commit 8d4c3e76. No longer needed, as the io-wq worker threads have the right identity. Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 87cb08dc6b4f42a491e582d3ee79c30893681193 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=87cb08dc6b4f42a491e582d3ee79c30893681193 -------------------------------- [ Upstream commit 2587890b ] This reverts commit 0d4370cf. No longer needed, as the io-wq worker threads have the right identity. Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Lee Jones 提交于
stable inclusion from stable-v5.10.185 commit af6eaa57986e82d7efd81984ee607927c6de61e4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7N3N2 CVE: CVE-2023-3609 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=af6eaa57986e82d7efd81984ee607927c6de61e4 --------------------------- [ Upstream commit 04c55383 ] In the event of a failure in tcf_change_indev(), u32_set_parms() will immediately return without decrementing the recently incremented reference counter. If this happens enough times, the counter will rollover and the reference freed, leading to a double free which can be used to do 'bad things'. In order to prevent this, move the point of possible failure above the point where the reference counter is incremented. Also save any meaningful return values to be applied to the return data at the appropriate point in time. This issue was caught with KASAN. Fixes: 705c7091 ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") Suggested-by: NEric Dumazet <edumazet@google.com> Signed-off-by: NLee Jones <lee@kernel.org> Reviewed-by: NEric Dumazet <edumazet@google.com> Acked-by: NJamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLu Wei <luwei32@huawei.com>
-
由 Chih-Yen Chang 提交于
mainline inclusion from mainline-v6.4-rc2 commit 02f76c40 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7LU2N CVE: CVE-2023-38426 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=02f76c401d17e409ed45bf7887148fcc22c93c85 -------------------------------- Add tag_len argument in smb2_find_context_vals() to avoid out-of-bound read when create_context's name_len is larger than tag length. [ 7.995411] ================================================================== [ 7.995866] BUG: KASAN: global-out-of-bounds in memcmp+0x83/0xa0 [ 7.996248] Read of size 8 at addr ffffffff8258d940 by task kworker/0:0/7 ... [ 7.998191] Call Trace: [ 7.998358] <TASK> [ 7.998503] dump_stack_lvl+0x33/0x50 [ 7.998743] print_report+0xcc/0x620 [ 7.999458] kasan_report+0xae/0xe0 [ 7.999895] kasan_check_range+0x35/0x1b0 [ 8.000152] memcmp+0x83/0xa0 [ 8.000347] smb2_find_context_vals+0xf7/0x1e0 [ 8.000635] smb2_open+0x1df2/0x43a0 [ 8.006398] handle_ksmbd_work+0x274/0x810 [ 8.006666] process_one_work+0x419/0x760 [ 8.006922] worker_thread+0x2a2/0x6f0 [ 8.007429] kthread+0x160/0x190 [ 8.007946] ret_from_fork+0x1f/0x30 [ 8.008181] </TASK> Cc: stable@vger.kernel.org Signed-off-by: NChih-Yen Chang <cc85nod@gmail.com> Acked-by: NNamjae Jeon <linkinjeon@kernel.org> Signed-off-by: NSteve French <stfrench@microsoft.com> Signed-off-by: NLong Li <leo.lilong@huawei.com>
-
由 Lu Jialin 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7OOZR ------------------------------- When CONFIG_CGROUP=n ,the compile error is: In file included from kernel/sched/core.c:13: kernel/sched/sched.h:2679:22: error: array type has incomplete element type ‘struct cftype’ extern struct cftype cgroup_v1_psi_files[]; ^~~~~~~~~~~~~~~~~~~ the reason is then CONFIG_CGROUP=n, struct cftype is not defined. We also find that, cgroup_v1_psi_files is used only in kernel/cgroup/cgroup.c and kernel/sched/cpuacct.c. Therefore, move extern struct cftype cgroup_v1_psi_files to kernel/sched/cpuacct.c.This also solved the compile error, because, then CONFIG_CGROUP=n, CONFIG_CGROUP_CPUACCT=n, the kernel/sched/cpuacct.c is not compiled, which will solve the compile error. Signed-off-by: NLu Jialin <lujialin4@huawei.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 6ef2b4728a00c98cc1163212443e39d79a4c2c94 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6ef2b4728a00c98cc1163212443e39d79a4c2c94 -------------------------------- [ Upstream commit 35d0b389 ] Song reported a boot regression in a kvm image with 5.11-rc, and bisected it down to the below patch. Debugging this issue, turns out that the boot stalled when a task is waiting on a pipe being released. As we no longer run task_work from get_signal() unless it's queued with TWA_SIGNAL, the task goes idle without running the task_work. This prevents ->release() from being called on the pipe, which another boot task is waiting on. For now, re-instate the unconditional task_work run from get_signal(). For 5.12, we'll collapse TWA_RESUME and TWA_SIGNAL, as it no longer makes sense to have a distinction between the two. This will turn task_work notification into a simple boolean, whether to notify or not. Fixes: 98b89b64 ("signal: kill JOBCTL_TASK_WORK") Reported-by: NSong Liu <songliubraving@fb.com> Tested-by: NJohn Stultz <john.stultz@linaro.org> Tested-by: NDouglas Anderson <dianders@chromium.org> Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # LLVM/Clang version 11.0.1 Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit c91ab04781f9e46c1a2143bd1ba8fc1f1aff6ebc category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c91ab04781f9e46c1a2143bd1ba8fc1f1aff6ebc -------------------------------- [ Upstream commit 98b89b64 ] It's no longer used, get rid of it. Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 9ded44b69c711455dbbddf6ec39b77ac41e4eed7 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9ded44b69c711455dbbddf6ec39b77ac41e4eed7 -------------------------------- [ Upstream commit b16b3855 ] This is racy - move the blocking into when the task is created and we're marking it as PF_IO_WORKER anyway. The IO threads are now prepared to handle signals like SIGSTOP as well, so clear that from the mask to allow proper stopping of IO threads. Acked-by: N"Eric W. Biederman" <ebiederm@xmission.com> Reported-by: NOleg Nesterov <oleg@redhat.com> Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Seth Forshee 提交于
stable inclusion from stable-v5.10.162 commit 000de389ad7b8094bcf714ee27e2362eb5054a1a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=000de389ad7b8094bcf714ee27e2362eb5054a1a -------------------------------- [ Upstream commit 3e684903 ] A livepatch transition may stall indefinitely when a kvm vCPU is heavily loaded. To the host, the vCPU task is a user thread which is spending a very long time in the ioctl(KVM_RUN) syscall. During livepatch transition, set_notify_signal() will be called on such tasks to interrupt the syscall so that the task can be transitioned. This interrupts guest execution, but when xfer_to_guest_mode_work() sees that TIF_NOTIFY_SIGNAL is set but not TIF_SIGPENDING it concludes that an exit to user mode is unnecessary, and guest execution is resumed without transitioning the task for the livepatch. This handling of TIF_NOTIFY_SIGNAL is incorrect, as set_notify_signal() is expected to break tasks out of interruptible kernel loops and cause them to return to userspace. Change xfer_to_guest_mode_work() to handle TIF_NOTIFY_SIGNAL the same as TIF_SIGPENDING, signaling to the vCPU run loop that an exit to userpsace is needed. Any pending task_work will be run when get_signal() is called from exit_to_user_mode_loop(), so there is no longer any need to run task work from xfer_to_guest_mode_work(). Suggested-by: N"Eric W. Biederman" <ebiederm@xmission.com> Cc: Petr Mladek <pmladek@suse.com> Signed-off-by: NSeth Forshee <sforshee@digitalocean.com> Message-Id: <20220504180840.2907296-1-sforshee@digitalocean.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 0f735cf52bd0b2aaca865e3d2e3dc276479e41ba category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0f735cf52bd0b2aaca865e3d2e3dc276479e41ba -------------------------------- [ Upstream commit 66ae0d1e ] fork() fails if signal_pending() is true, but there are two conditions that can lead to that: 1) An actual signal is pending. We want fork to fail for that one, like we always have. 2) TIF_NOTIFY_SIGNAL is pending, because the task has pending task_work. We don't need to make it fail for that case. Allow fork() to proceed if just task_work is pending, by changing the signal_pending() check to task_sigpending(). Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Jens Axboe 提交于
stable inclusion from stable-v5.10.162 commit 61bdeb142e8f7550826373295cb35b3571d70f62 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=61bdeb142e8f7550826373295cb35b3571d70f62 -------------------------------- [ Upstream commit 03941ccf ] All archs now support TIF_NOTIFY_SIGNAL. Signed-off-by: NJens Axboe <axboe@kernel.dk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-
由 Al Viro 提交于
stable inclusion from stable-v5.10.162 commit 6e2bce21acb4f0c35521e68d74e4317fd6afd97d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7P7OH Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6e2bce21acb4f0c35521e68d74e4317fd6afd97d -------------------------------- [ Upstream commit e2c7554c ] it needs to be added to _TIF_WORK_MASK, or we might not reach do_work_pending() in the first place... Fixes: 5a9a8897 "alpha: add support for TIF_NOTIFY_SIGNAL" Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Nsanglipeng <sanglipeng1@jd.com>
-