- 08 11月, 2022 4 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @chenke1978 [Description] The ROH module driver consists of the ROH Core and ROH DRV modules, which work with hardware to implement communication between nodes through HCCS packets. ROH Core is a protocol stack of the ROH architecture. It provides related services for upper layers by invoking operation interfaces provided by the ROH DRV. The ROH DRV implements the lower layer functions of the ROH featureand provides a series of interfaces for operating hardware for the ROH Core. This PR contains the following contents: 1. Support the ROH device ID and complete the initialization of the HNS ROH device in ROH MAC type. 2. Provide the initialization of the ROH cmdq command channel to enable the ROH device to communicate with the IMP. 3. net: hns3: add support for roh ras/rest is userd to prepare for the roh next patch. [Testing] kernel options: CONFIG_ROH=m CONFIG_ROH_HNS=m Test passed with below step: 1. Using a hardware environment that supports ROH, run lspci to check the pci device info , and you can find the device id belonging to ROH: lspci 29:00.0 Class 0200: Device 19e5:a22c (rev 32) 2. Load the following modules in sequence: insmod hnae3.ko insmod hclge.ko insmod hns3.ko insmod roh_core.ko insmod hns-roh-v1.ko There is no error when roh ko is installed, and you will get a success message: "hns3 0000:29:00.0: roh driver init success" 3. Check the sysfs file and confirm that the hns3_0 device file has been generated in the /sys/class/roh/ directory: ls /sys/class/roh/ hns3_0 4. Confirm that the current pci device is in ROH MAC type cat /sys/kernel/debug/hns3/0000:29:00.0/reg/mac | grep type type: ROH 5. In ROH mode, run the ifconfig command to confirm that the network device has been generated normally 6. Uninstall roh_core.ko & hns-roh-v1.ko without any errors Link:https://gitee.com/openeuler/kernel/pulls/224 Reviewed-by: Ling Mingqiang <lingmingqiang@huawei.com> Reviewed-by: Yue Haibing <yuehaibing@huawei.com> Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @yezengruan To support HCCS bus using in Ascend series accelerators, the SMMU ATOS (a software-accessible Address Translation Operations facility) feature is enabled for a special SMMU aka Agent SMMU in the Ascend accelerator. In the VM scenario, the hypervisor creates Stage1 page table for the Agent SMMU. The Agent SMMU provides an interface for components in accelerator to translate addresses from IPA to PA. This allows the components to DMA on the HCCS bus using PA. The origin SMMU ATOS feature only support translation of only a single group of addresses at a time. Ascend Agent SMMUs use the IMPLEMENTATION DEFINED region to implement translation of max 32 groups of addresses at the same time which can greatly improve the efficiency. Link:https://gitee.com/openeuler/kernel/pulls/165 Reviewed-by: Hanjun Guo <guohanjun@huawei.com> Reviewed-by: Kevin Zhu <zhukeqian1@huawei.com> Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
由 Binfeng Wu 提交于
ascend inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5JSWJ CVE: NA ------------------------------------------------- To support HCCS bus using in Ascend series accelerators, the SMMU ATOS (a software-accessible Address Translation Operations facility) feature is enabled for a special SMMU aka Agent SMMU in the Ascend accelerator. In the VM scenario, the hypervisor creates Stage1 page table for the Agent SMMU. The Agent SMMU provides an interface for components in accelerator to translate addresses from IPA to PA. This allows the components to DMA on the HCCS bus using PA. The origin SMMU ATOS feature only support translation of only a single group of addresses at a time. Ascend Agent SMMUs use the IMPLEMENTATION DEFINED region to implement translation of max 32 groups of addresses at the same time which can greatly improve the efficiency. Reviewed-by: NYingtai Xie <xieyingtai@huawei.com> Reviewed-by: NXiaoyang Xu <xuxiaoyang2@huawei.com> Signed-off-by: NBinfeng Wu <wubinfeng@huawei.com> Reviewed-by: NWeilong Chen <chenweilong@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: Nyezengruan <yezengruan@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- Each ROH device has its own cmdq interface, which includes send queue CSQ and receive queue CRQ. These commands are used to obtain the resources of the ROH device from IMP and implement related configurations. This patch adds the support of IMP command interface to the ROH driver, include: 1. initialize the roh command queue resource 2. manage the roh command queue descriptors 3. provide the cmdq send operation APIs Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
- 07 11月, 2022 17 次提交
-
-
由 Shung-Hsi Yu 提交于
maillist inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5WLXN CVE: CVE-2022-3606 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/tools/lib/bpf/libbpf.c?h=next-20221024&id=d0d382f95a9270dcf803539d6781d6bd67e3f5b2 -------------------------------- When there are no program sections, obj->programs is left unallocated, and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL, and will cause null-pointer dereference in the following access to prog->sec_idx. Guard the search with obj->nr_programs similar to what's being done in __bpf_program__iter() to prevent null-pointer access from happening. Fixes: db2b8b06 ("libbpf: Support CO-RE relocations for multi-prog sections") Signed-off-by: NShung-Hsi Yu <shung-hsi.yu@suse.com> Signed-off-by: NAndrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.comSigned-off-by: NPu Lehui <pulehui@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ye Bin 提交于
mainline inclusion from mainline-v6.1-rc2 commit 2db96217 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZI04 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.1-rc3&id=2db96217e7e515071726ca4ec791742c4202a1b2 -------------------------------- As previous commit, 'blk_trace_cleanup' will stop block trace if block trace's state is 'Blktrace_running'. So remove unnessary stop block trace in 'blk_trace_shutdown'. Signed-off-by: NYe Bin <yebin10@huawei.com> Reviewed-by: NChristoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20221019033602.752383-4-yebin@huaweicloud.comSigned-off-by: NJens Axboe <axboe@kernel.dk> conflicts: kernel/trace/blktrace.c Signed-off-by: NYe Bin <yebin10@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ye Bin 提交于
mainline inclusion from mainline-v6.1-rc2 commit dcd1a59c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZI04 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.1-rc3&id=dcd1a59c62dc49da75539213611156d6db50ab5d -------------------------------- When test as follows: step1: ioctl(sda, BLKTRACESETUP, &arg) step2: ioctl(sda, BLKTRACESTART, NULL) step3: ioctl(sda, BLKTRACETEARDOWN, NULL) step4: ioctl(sda, BLKTRACESETUP, &arg) Got issue as follows: debugfs: File 'dropped' in directory 'sda' already present! debugfs: File 'msg' in directory 'sda' already present! debugfs: File 'trace0' in directory 'sda' already present! And also find syzkaller report issue like "KASAN: use-after-free Read in relay_switch_subbuf" "https://syzkaller.appspot.com/bug?id=13849f0d9b1b818b087341691be6cc3ac6a6bfb7" If remove block trace without stop(BLKTRACESTOP) block trace, '__blk_trace_remove' will just set 'q->blk_trace' with NULL. However, debugfs file isn't removed, so will report file already present when call BLKTRACESETUP. static int __blk_trace_remove(struct request_queue *q) { struct blk_trace *bt; bt = rcu_replace_pointer(q->blk_trace, NULL, lockdep_is_held(&q->debugfs_mutex)); if (!bt) return -EINVAL; if (bt->trace_state != Blktrace_running) blk_trace_cleanup(q, bt); return 0; } If do test as follows: step1: ioctl(sda, BLKTRACESETUP, &arg) step2: ioctl(sda, BLKTRACESTART, NULL) step3: ioctl(sda, BLKTRACETEARDOWN, NULL) step4: remove sda There will remove debugfs directory which will remove recursively all file under directory. >> blk_release_queue >> debugfs_remove_recursive(q->debugfs_dir) So all files which created in 'do_blk_trace_setup' are removed, and 'dentry->d_inode' is NULL. But 'q->blk_trace' is still in 'running_trace_lock', 'trace_note_tsk' will traverse 'running_trace_lock' all nodes. >>trace_note_tsk >> trace_note >> relay_reserve >> relay_switch_subbuf >> d_inode(buf->dentry)->i_size To solve above issues, reference commit '5afedf67', call 'blk_trace_cleanup' unconditionally in '__blk_trace_remove' and first stop block trace in 'blk_trace_cleanup'. Signed-off-by: NYe Bin <yebin10@huawei.com> Reviewed-by: NChristoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20221019033602.752383-3-yebin@huaweicloud.comSigned-off-by: NJens Axboe <axboe@kernel.dk> conflicts: kernel/trace/blktrace.c Signed-off-by: NYe Bin <yebin@huaweicloud.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ye Bin 提交于
mainline inclusion from mainline-v6.1-rc2 commit 60a9bb90 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZI04 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.1-rc3&id=60a9bb9048f9e95029df10a9bc346f6b066c593c -------------------------------- Introduce 'blk_trace_{start,stop}' helper. No functional changed. Signed-off-by: NYe Bin <yebin10@huawei.com> Reviewed-by: NChristoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20221019033602.752383-2-yebin@huaweicloud.comSigned-off-by: NJens Axboe <axboe@kernel.dk> conflicts: kernel/trace/blktrace.c Signed-off-by: NYe Bin <yebin@huaweicloud.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ye Bin 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5ZHOZ CVE: NA -------------------------------- There's issue as follows when do test with memory fault injection: [localhost]# fsck.ext4 -a image image: clean, 45595/655360 files, 466841/2621440 blocks [localhost]# fsck.ext4 -fn image Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information Block bitmap differences: -(1457230--1457256) Fix? no image: ********** WARNING: Filesystem still has errors ********** image: 45595/655360 files (12.4% non-contiguous), 466841/2621440 blocks Inject context: ----------------------------------------------------------- Inject function:kmem_cache_alloc (pid:177858) (return: 0) Calltrace Context: mem_cache_allock+0x73/0xcc ext4_mb_new_blocks+0x32e/0x540 [ext4] ext4_new_meta_blocks+0xc4/0x110 [ext4] ext4_ext_grow_indepth+0x68/0x250 [ext4] ext4_ext_create_new_leaf+0xc5/0x120 [ext4] ext4_ext_insert_extent+0x1bf/0x670 [ext4] ext4_split_extent_at+0x212/0x530 [ext4] ext4_split_extent+0x13a/0x1a0 [ext4] ext4_ext_handle_unwritten_extents+0x13d/0x240 [ext4] ext4_ext_map_blocks+0x459/0x8f0 [ext4] ext4_map_blocks+0x18e/0x5a0 [ext4] ext4_iomap_alloc+0xb0/0x1b0 [ext4] ext4_iomap_begin+0xb0/0x130 [ext4] iomap_apply+0x95/0x2e0 __iomap_dio_rw+0x1cc/0x4b0 iomap_dio_rw+0xe/0x40 ext4_dio_write_iter+0x1a9/0x390 [ext4] new_sync_write+0x113/0x1b0 vfs_write+0x1b7/0x250 ksys_write+0x5f/0xe0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Compare extent change in journal: Start: ee_block ee_len ee_start 75 32798 1457227 -> unwritten len=30 308 12 434489 355 5 442492 => ee_block ee_len ee_start 11 2 951584 74 32769 951647 -> unwritten len=1 75 32771 1457227 -> unwritten len=3 211 15 960906 308 12 434489 355 5 442492 Acctually, above issue can repaired by 'fsck -fa'. But file system is 'clean', 'fsck' will not do deep repair. Obviously, final lost 27 blocks. Above issue may happens as follows: ext4_split_extent_at ... err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags); -> return -ENOMEM if (err != -ENOSPC && err != -EDQUOT) goto out; -> goto 'out' will not fix extent length, will ... fix_extent_len: ex->ee_len = orig_ex.ee_len; /* * Ignore ext4_ext_dirty return value since we are already in error path * and err is a non-zero error code. */ ext4_ext_dirty(handle, inode, path + path->p_depth); return err; out: ext4_ext_show_leaf(inode, path); return err; If 'ext4_ext_insert_extent' return '-ENOMEM' which will not fix 'ex->ee_len' by old length. 'ext4_ext_insert_extent' will trigger extent tree merge, fix like 'ex->ee_len = orig_ex.ee_len' may lead to new issues. To solve above issue, record error messages when 'ext4_ext_insert_extent' return 'err' not equal '(-ENOSPC && -EDQUOT)'. If filesysten is mounted with 'errors=continue' as filesystem is not clean 'fsck' will repair issue. If filesystem is mounted with 'errors=remount-ro' filesystem will be remounted by read-only. Signed-off-by: NYe Bin <yebin10@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ziyang Xuan 提交于
maillist inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z86E CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=363a5328f4b0 -------------------------------- Recently, we got two syzkaller problems because of oversize packet when napi frags enabled. One of the problems is because the first seg size of the iov_iter from user space is very big, it is 2147479538 which is bigger than the threshold value for bail out early in __alloc_pages(). And skb->pfmemalloc is true, __kmalloc_reserve() would use pfmemalloc reserves without __GFP_NOWARN flag. Thus we got a warning as following: ======================================================== WARNING: CPU: 1 PID: 17965 at mm/page_alloc.c:5295 __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295 ... Call trace: __alloc_pages+0x1308/0x16c4 mm/page_alloc.c:5295 __alloc_pages_node include/linux/gfp.h:550 [inline] alloc_pages_node include/linux/gfp.h:564 [inline] kmalloc_large_node+0x94/0x350 mm/slub.c:4038 __kmalloc_node_track_caller+0x620/0x8e4 mm/slub.c:4545 __kmalloc_reserve.constprop.0+0x1e4/0x2b0 net/core/skbuff.c:151 pskb_expand_head+0x130/0x8b0 net/core/skbuff.c:1654 __skb_grow include/linux/skbuff.h:2779 [inline] tun_napi_alloc_frags+0x144/0x610 drivers/net/tun.c:1477 tun_get_user+0x31c/0x2010 drivers/net/tun.c:1835 tun_chr_write_iter+0x98/0x100 drivers/net/tun.c:2036 The other problem is because odd IPv6 packets without NEXTHDR_NONE extension header and have big packet length, it is 2127925 which is bigger than ETH_MAX_MTU(65535). After ipv6_gso_pull_exthdrs() in ipv6_gro_receive(), network_header offset and transport_header offset are all bigger than U16_MAX. That would trigger skb->network_header and skb->transport_header overflow error, because they are all '__u16' type. Eventually, it would affect the value for __skb_push(skb, value), and make it be a big value. After __skb_push() in ipv6_gro_receive(), skb->data would less than skb->head, an out of bounds memory bug occurred. That would trigger the problem as following: ================================================================== BUG: KASAN: use-after-free in eth_type_trans+0x100/0x260 ... Call trace: dump_backtrace+0xd8/0x130 show_stack+0x1c/0x50 dump_stack_lvl+0x64/0x7c print_address_description.constprop.0+0xbc/0x2e8 print_report+0x100/0x1e4 kasan_report+0x80/0x120 __asan_load8+0x78/0xa0 eth_type_trans+0x100/0x260 napi_gro_frags+0x164/0x550 tun_get_user+0xda4/0x1270 tun_chr_write_iter+0x74/0x130 do_iter_readv_writev+0x130/0x1ec do_iter_write+0xbc/0x1e0 vfs_writev+0x13c/0x26c To fix the problems, restrict the packet size less than (ETH_MAX_MTU - NET_SKB_PAD - NET_IP_ALIGN) which has considered reserved skb space in napi_alloc_skb() because transport_header is an offset from skb->head. Add len check in tun_napi_alloc_frags() simply. Fixes: 90e33d45 ("tun: enable napi_gro_frags() for TUN/TAP driver") Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: NEric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20221029094101.1653855-1-william.xuanziyang@huawei.comSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Christoph Hellwig 提交于
mainline inclusion from mainline-v5.11-rc1 commit 2dc691cc category: bugfix bugzilla: 187706,https://gitee.com/openeuler/kernel/issues/I5XEBX CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2dc691cc4ac259f8b5bb0bd8670645af894d30eb ---------------------------------------- Merge nbd_size_set and nbd_size_update into a single function that also updates the nbd_config fields. This new function takes the device size in bytes as the first argument, and the blocksize as the second argument, simplifying the calculations required in most callers. Signed-off-by: NChristoph Hellwig <hch@lst.de> Reviewed-by: NJosef Bacik <josef@toxicpanda.com> Signed-off-by: NJens Axboe <axboe@kernel.dk> Conflicts: drivers/block/nbd.c Signed-off-by: NZhong Jinghua <zhongjinghua@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Reviewed-by: NYu Kuai <yukuai3@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Christoph Hellwig 提交于
mainline inclusion from mainline-v5.11-rc1 commit 92f93c3a category: bugfix bugzilla: 187706,,https://gitee.com/openeuler/kernel/issues/I5XEBX CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=92f93c3a1bf9dc73181dc6566497d16b690cb576 ---------------------------------------- nbd_size_update is about to acquire a few more callers, so lift the check into the function. Signed-off-by: NChristoph Hellwig <hch@lst.de> Reviewed-by: NJosef Bacik <josef@toxicpanda.com> Signed-off-by: NJens Axboe <axboe@kernel.dk> Conflicts: drivers/block/nbd.c [0c98057b ("nbd: Fix use-after-free in pid_show") include first] Signed-off-by: NZhong Jinghua <zhongjinghua@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Reviewed-by: NYu Kuai <yukuai3@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Christoph Hellwig 提交于
mainline inclusion from mainline-v5.11-rc1 commit ee4bf648 category: bugfix bugzilla: 187706,https://gitee.com/openeuler/kernel/issues/I5XEBX CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee4bf648635055d2b76afadaf34236c8b2d852a7 ---------------------------------------- Block driver have no business setting the file system concept of a block size. Signed-off-by: NChristoph Hellwig <hch@lst.de> Reviewed-by: NJosef Bacik <josef@toxicpanda.com> Signed-off-by: NJens Axboe <axboe@kernel.dk> conflicts: drivers/block/nbd.c Signed-off-by: NZhong Jinghua <zhongjinghua@huawei.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Reviewed-by: NYu Kuai <yukuai3@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Luo Meng 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5WBQA CVE: NA -------------------------------- This reverts commit 1f9fa07b. Commit 2fe0e281f7ad witch merged by LTS (cifs: fix double free race when mount fails in cifs_get_root()) fixes a double free. However, the previous patch d17abdf7 is not merged. There is no such issue on 5.10 because it will return after cifs_cleanup_volume_info(). Since merge this patch, cifs_cleanup_volume_info() is skipped, leading to a memory leak. Signed-off-by: NLuo Meng <luomeng12@huawei.com> Reviewed-by: NZhang Xiaoxu <zhangxiaoxu5@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- These are the source code files for the Hisilicon ROH driver for ARM, include: 1. hns3_roh_device instance initialization and uninitialization. 2. apply for a ROH device to register with the ROH core, deregister and release the ROH device from ROH Core. Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- Adds ROH reset support for HNS3 ethernet driver. Signed-off-by: NYufeng Mo <moyufeng@huawei.com> Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- Add HCLGE_RAS_REG_ROH_ERR_MASK to support the error recovery of the ROH ras. Add HCLGE_RAS_REG_ERR_MASK to define the combination of the nfe_mask, the rocee_err_mask and the roh_err_mask. Add new module error types for ROH, adjust the order of these types according to the design of firmware. Signed-off-by: Jiaran Zhang <zhangjiaran@huawei.com> Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- In ROH mode, MAC address is related to the EID. If an invalid MAC address is set, the mapping between MAC and EID cannot be ensured, and communication may be abnormal. Therefore, firmware verification is required to intercept invalid MAC address set by user. Signed-off-by: NYufeng Mo <moyufeng@huawei.com> Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- HNAE3 framework add MAC type definitions for NIC or RoCE or ROH clients. There are two types of MAC in Hip09, ethernet and ROH. In ROH type, some operations are different, such as setting MAC address. This type will be used as the judgment condition in subsequent patches. Signed-off-by: NYufeng Mo <moyufeng@huawei.com> Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
由 Ke Chen 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- HNAE3 framework supports ROH clients to register with HNAE3 devices and their associated operations. The ROH driver works as a client at the HNAE layer. The NIC driver needs to provide some necessary information, such as the vector base address, and suppor the registration of the ROH client. This patch also supports roh device IDs in the hns3 and hclge modules. Signed-off-by: NYufeng Mo <moyufeng@huawei.com> Signed-off-by: NKe Chen <chenke54@huawei.com> Reviewed-by: NGang Zhang <gang.zhang@huawei.com> Reviewed-by: NYefeng Yan <yanyefeng@huawei.com> Reviewed-by: NJingchao Dai <daijingchao1@huawei.com> Reviewed-by: NJian Shen <shenjian15@huawei.com>
-
由 GUO Zihua 提交于
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z7MD CVE: NA -------------------------------- Return of crypto_alloc_shash would be either a valid pointer or an error pointer. We should check the result with IS_ERR. Signed-off-by: NGUO Zihua <guozihua@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
- 04 11月, 2022 5 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @leoliu-oc The patch is to add Zhaoxin feature bits on Zhaoxin CPUs. ### Issue [#I5NYQF](https://gitee.com/openeuler/kernel/issues/I5NYQF) ### Test Build and boot kernel with this patch. Check various features in `lscpu` or `/proc/cpuinfo`. ```shell # cat /proc/cpuinfo | grep flags # or # lscpu | grep flags # you will see new Zhaoxin feature flags # for example, rng2/rng2_en/phe2/phe2_en/... # +#define X86_FEATURE_RNG2 (5*32+22) /* 2nd generation of RNG present */ # +#define X86_FEATURE_RNG2_EN (5*32+23) /* 2nd generation of RNG enabled */ # +#define X86_FEATURE_PHE2 (5*32+25) /* SHA384 and SHA 512 present */ # +#define X86_FEATURE_PHE2_EN (5*32+26) /* SHA384 and SHA 512 enabled */ Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq monitor vmx smx est tm2 ssse3 cx16 xtpr pcid sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand rng rng_en ccs ccs_en ace ace_en ace2 phe phe_en pmm pmm_en parallax parallax_en rng2 rng2_en phe2 phe2_en xmodx xmodx_en lahf_lm abm 3dnowprefetch invpcid_single tpr_shadow vnmi ept vpid fsgsbase tsc_adjust bmi1 smep bmi2 invpcid rdseed adx xsaveopt dtherm umip arch_capabilities ``` ### Known Issue N/A ### Default config change N/A Link:https://gitee.com/openeuler/kernel/pulls/85 Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
由 openeuler-ci-bot 提交于
!166 SPR: KVM: Add new instructions, Bus Lock Debug Exception, Bus Lock VM exit and Notify VM exit support Merge Pull Request from: @allen-shi This PR is to add new instructions(AVX_VNNI and AVX512_FP16), Bus Lock Debug Exception, Bus Lock VM exit and Notify VM exit support, and kabi is not changed based on OpenEuler-22.03-LTS kabi whitelist. **Intel-Kernel Issue** [#I5O6WB](https://gitee.com/openeuler/intel-kernel/issues/I5O6WB) [#I5RJCB](https://gitee.com/openeuler/intel-kernel/issues/I5RJCB) [#I5PAJ5](https://gitee.com/openeuler/intel-kernel/issues/I5PAJ5) [#I5RHW7](https://gitee.com/openeuler/intel-kernel/issues/I5RHW7) **Test** 1. Built and run the kernel successfully on OpenEuler 22.03 LTS. 2. SPR new instructions feature(AVX_VNNI and AVX512_FP16) is supported on guests. 3. Bus Lock Debug Exception feature is supported on guests. 4. Bus Lock VM Exit feature is supported. 5. Notify VM Exit feature is supported. **Known Issue** N/A **Default config change** N/A Link:https://gitee.com/openeuler/kernel/pulls/166 Reviewed-by: Kevin Zhu <zhukeqian1@huawei.com> Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: Jason Zeng <jason.zeng@intel.com> Reviewed-by: Chen Wei <chenwei@xfusion.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
由 LeoLiu-oc 提交于
zhaoxin inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5NYQF CVE: NA -------------------------------------------- Add Zhaoxin feature bits on Zhaoxin CPUs. Signed-off-by: NLeoLiu-oc <LeoLiu-oc@zhaoxin.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @youquan_song [Description] https://gitee.com/openeuler/intel-kernel/issues/I5V3SJ An HBM memory channel is divided into two pseudo channels. Each pseudo channel has its own retry_rd_err_log registers. Retrieve and print retry_rd_err_log registers of the HBM pseudo channel if the memory error is from HBM. 14646de4 EDAC/skx_common: Add ChipSelect ADXL component acd4cf68 EDAC/i10nm: Retrieve and print retry_rd_err_log registers for HBM d5f5e499 EDAC/i10nm: Print an extra register set of retry_rd_err_log [Testing] 1.Add kernel options in grub: efi=nosoftreserve i10nm_edac.retry_rd_err_log=1 2.numactl -H node distances: node 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0: 10 12 12 12 21 21 21 21 13 14 14 14 23 23 23 23 1: 12 10 12 12 21 21 21 21 14 13 14 14 23 23 23 23 2: 12 12 10 12 21 21 21 21 14 14 13 14 23 23 23 23 3: 12 12 12 10 21 21 21 21 14 14 14 13 23 23 23 23 4: 21 21 21 21 10 12 12 12 23 23 23 23 13 14 14 14 5: 21 21 21 21 12 10 12 12 23 23 23 23 14 13 14 14 6: 21 21 21 21 12 12 10 12 23 23 23 23 14 14 13 14 7: 21 21 21 21 12 12 12 10 23 23 23 23 14 14 14 13 8: 13 14 14 14 23 23 23 23 10 14 14 14 23 23 23 23 9: 14 13 14 14 23 23 23 23 14 10 14 14 23 23 23 23 10: 14 14 13 14 23 23 23 23 14 14 10 14 23 23 23 23 11: 14 14 14 13 23 23 23 23 14 14 14 10 23 23 23 23 12: 23 23 23 23 13 14 14 14 23 23 23 23 10 14 14 14 13: 23 23 23 23 14 13 14 14 23 23 23 23 14 10 14 14 14: 23 23 23 23 14 14 13 14 23 23 23 23 14 14 10 14 15: 23 23 23 23 14 14 14 13 23 23 23 23 14 14 14 10 3. #modprobe einj 4. git clone https://git.kernel.org/pub/scm/linux/kernel/git/aegl/ras-tools.git, build it 5. # numactl --cpunodebind=0 --membind=13 /home/ras-tools/cmcistorm 1 0: vaddr = 0x130d490 paddr = d87ff42490 6. #dmesg: output retry_rd_err_log registers value. [83086.997090] EDAC MC29: 0 CE memory read error on CPU_SrcID#1_HBMC#9_Chan#1 (channel:1 page:0xd87ff42 offset:0x480 grain:32 syndrome:0x0 - err_code:0x0000:0x009f SystemAddress:0xd87ff42480 ProcessorSocketId:0x1 MemoryControllerId:0x9 ChannelAddress:0x7ffe8480 ChannelId:0x1 RankAddress:0x3fff4240 PhysicalRankId:0x0 Row:0x7ffe Column:0x14 Bank:0x0 BankGroup:0x0 ChipSelect:0x2 ChipId:0x1 retry_rd_err_log[08928208 00000000 0000000000010000 00500081 80007ffe 000000d87ff42480] correrrcnt[0001 0000 0001 0000 0000 0000 0000 0000]) Link:https://gitee.com/openeuler/kernel/pulls/171 Reviewed-by: Chen Wei <chenwei@xfusion.com> Reviewed-by: Xiongfeng Wang <wangxiongfeng2@huawei.com> Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: Jun Tian <jun.j.tian@intel.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @juntianlinux [Description] Temporary fix for #I5U037 Occasionally TSC clocksource is wrongly judged as unstable watchdog like 'jiffies', HPET on some platforms like Skylake 4S. For normal cases, we can use nr_online_nodes <= 4 as a quick workaround for this issue. However, there are many cases that 'nr_online_nodes' could have issue. Intel is still working on a formal fix, the patch in this PR is a more general fix but still have open under discussion. Generally, there are some corner cases, but we can use this for a temporary fix to this issue. In next step, we need to update this fix after upstream merging the final solution. Link:https://gitee.com/openeuler/kernel/pulls/210 Reviewed-by: Jiao Fenfang <jiaofenfang@uniontech.com> Reviewed-by: Chen Wei <chenwei@xfusion.com> Reviewed-by: Xibo.Wang <wangxb12@chinatelecom.cn> Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
-
- 03 11月, 2022 14 次提交
-
-
由 openeuler-ci-bot 提交于
Merge Pull Request from: @guzitao These patches generally cover the following tasks: 1.optimize kernel cores, remove unused codes, simplify interfaces, fix compile errors 2.fixes for perf, fix perf_get_regs_user, uretprobe, uprobe 3.add support, add ebpf-jit compiler support, add guest live migration support, add support for S3 sleep option 4.modify interface, reimplement die_if_kernel, fix sys_rt_sigaction, 5.fixes for kvm, expand the number of SWVM_IRQS, fix wrong info print of KVM_MEMHOTPLUG, turn off the clock timer of guest os 6.fix dynamic CPUfreq scaling bugs Link:https://gitee.com/openeuler/kernel/pulls/198 Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
-
由 Xiang Chen 提交于
mainline inclusion from mainline-v5.19-rc7 commit 1e82e462 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5M9GC CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1e82e4627a795 ---------------------------------------------------------------------- Currently if a phy reset or enable phy is issued via sysfs when controller is suspended, those operations will be ignored as SAS_HA_REGISTERED is cleared. If RPM is enabled then we may aggressively suspend automatically. In this case it may be difficult to enable or reset a phy via sysfs, so resume the host in these scenarios. Link: https://lore.kernel.org/r/1657823002-139010-6-git-send-email-john.garry@huawei.comSigned-off-by: NXiang Chen <chenxiang66@hisilicon.com> Signed-off-by: NJohn Garry <john.garry@huawei.com> Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Nxiabing <xiabing12@h-partners.com> Reviewed-by: NJason Yan <yanaijie@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Yixing Liu 提交于
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5YZ0Q ---------------------------------------------------------- When the driver does not have an ex_cmd flag, related ioctl() or syscall() will fail to execute. for example, if the modify_qp flag is missing, the following error will appear when running perftest: Failed to modify QP to INIT, ret=95 Failed to modify QP to INIT Failed to modify QP 24 to RTR Failed to modify QP 25 to RTR Unable to Connect the HCA's through the link Unable to Connect the HCA's through the link So add query_device、create_cq、modify_qp and create_qp flag. Fixes: df065107 ("RDMA/hns: Enable modify_cq for uverbs.") Signed-off-by: NYixing Liu <liuyixing1@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Lang Cheng 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z2DS ---------------------------------------------------------- When the netdev port status changes, the roce driver sends a port down event by parsing the netdev event dispatched by IB_CORE, which takes about a few hundred milliseconds. But,it is not fast enough for ULP sometimes. The HNS NIC driver can directly notify the ROCE driver send port event via callback function, this takes only a few milliseconds. This patch implements this callback function. Signed-off-by: NLang Cheng <chenglang@huawei.com> Signed-off-by: NChengchang Tang <tangchengchang@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Lang Cheng 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z2DS ---------------------------------------------------------- Driver can notify ulp with IB event when net link down/up. Signed-off-by: NLang Cheng <chenglang@huawei.com> Signed-off-by: NChengchang Tang <tangchengchang@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Chengchang Tang 提交于
driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5Z2HJ ---------------------------------------------------------- Currently, we have dumped some fields in the QP/CQ/MR resource. This information is not enough. It is very inconvenient to continue to expand on the current field, and it will also introduce some trouble to parse this raw data. This patch dump whole resource in raw to avoid the above problems. Signed-off-by: NChengchang Tang <tangchengchang@huawei.com> Reviewed-by: NYangyang Li <liyangyang20@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Jiangshui Yang 提交于
yangjiangshui inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5XYPG CVE: NA ---------------------------------------------------------------------- The sm4-ccm and sm4-gcm algorithms of the sec module depend on the fallback TFM function. Therefore, the sm4_generic module of the crypto subsystem needs to be loaded. Signed-off-by: NJiangshui Yang <yangjiangshui@h-partners.com> Reviewed-by: NKai Ye <yekai13@huawei.com> Reviewed-by: NChao Liu <liuchao173@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Liu Shixin 提交于
maillist inclusion category: bugfix bugzilla: 187198, https://gitee.com/openeuler/kernel/issues/I5NX1S Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?h=next-20220823&id=f5606044e659f8fa754fa692e2fa5aea1ec7f2f6 -------------------------------- The vmemmap pages is marked by kmemleak when allocated from memblock. Remove it from kmemleak when freeing the page. Otherwise, when we reuse the page, kmemleak may report such an error and then stop working. kmemleak: Cannot insert 0xffff98fb6eab3d40 into the object search tree (overlaps existing) kmemleak: Kernel memory leak detector disabled kmemleak: Object 0xffff98fb6be00000 (size 335544320): kmemleak: comm "swapper", pid 0, jiffies 4294892296 kmemleak: min_count = 0 kmemleak: count = 0 kmemleak: flags = 0x1 kmemleak: checksum = 0 kmemleak: backtrace: Link: https://lkml.kernel.org/r/20220819094005.2928241-1-liushixin2@huawei.com Fixes: f41f2ed4 (mm: hugetlb: free the vmemmap pages associated with each HugeTLB page) Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NMuchun Song <songmuchun@bytedance.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Mike Kravetz <mike.kravetz@oracle.com> Cc: Oscar Salvador <osalvador@suse.de> Cc: <stable@vger.kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Kefeng Wang 提交于
hulk inclusion category: bugfix bugzilla: 187483, https://gitee.com/openeuler/kernel/issues/I5MH9N CVE: NA -------------------------------- When support memmap=nn[KMG]$ss[KMG], it will request resource to show reserved memory in iomem, but with memblock_setclr_flag() called memblock_mark_memmap() leads to split memblock region and then request_resource() could return -EBUSY when passed unaligned address. Let's directly use memblock_reserve() and drop membloc_setclr_flag() and show error if request_resource() in request_memmap_resource() return error code. Signed-off-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Duoming Zhou 提交于
stable inclusion from stable-v5.10.138 commit a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e category: bugfix bugzilla: 187909, https://gitee.com/src-openeuler/kernel/issues/I5X3ML CVE: CVE-2022-3635 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e -------------------------------- commit 3f4093e2 upstream. There are use-after-free bugs caused by tst_timer. The root cause is that there are no functions to stop tst_timer in idt77252_exit(). One of the possible race conditions is shown below: (thread 1) | (thread 2) | idt77252_init_one | init_card | fill_tst | mod_timer(&card->tst_timer, ...) idt77252_exit | (wait a time) | tst_timer | | ... kfree(card) // FREE | | card->soft_tst[e] // USE The idt77252_dev is deallocated in idt77252_exit() and used in timer handler. This patch adds del_timer_sync() in idt77252_exit() in order that the timer handler could be stopped before the idt77252_dev is deallocated. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Signed-off-by: NDuoming Zhou <duoming@zju.edu.cn> Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cnSigned-off-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NZhang Changzhong <zhangchangzhong@huawei.com> Reviewed-by: NZhang Xiaoxu <zhangxiaoxu5@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Dongliang Mu 提交于
mainline inclusion from mainline-v6.1-rc1 commit 2e488f13 category: bugfix bugzilla: 187543, https://gitee.com/src-openeuler/kernel/issues/I5NZ98 CVE: CVE-2022-2978 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.1-rc3&id=2e488f13755ffbb60f307e991b27024716a33b29 ------------------------------- In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes) Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.comReported-by: Nbutt3rflyh4ck <butterflyhuangxx@gmail.com> Reported-by: NHao Sun <sunhao.th@gmail.com> Reported-by: NJiacheng Xu <stitch@zju.edu.cn> Reviewed-by: NChristian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: NDongliang Mu <mudongliangabcd@gmail.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@vger.kernel.org Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NLi Lingfeng <lilingfeng3@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Dokyung Song 提交于
maillist inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5YGD6 CVE: CVE-2022-3628 Reference: https://patchwork.kernel.org/project/linux-wireless/patch/20221021061359.GA550858@laguna/ -------------------------------- This patch fixes an intra-object buffer overflow in brcmfmac that occurs when the device provides a 'bsscfgidx' equal to or greater than the buffer size. The patch adds a check that leads to a safe failure if that is the case. This fixes CVE-2022-3628. UBSAN: array-index-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c index 52 is out of range for type 'brcmf_if *[16]' CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: events brcmf_fweh_event_worker Call Trace: dump_stack_lvl+0x57/0x7d ubsan_epilogue+0x5/0x40 __ubsan_handle_out_of_bounds+0x69/0x80 ? memcpy+0x39/0x60 brcmf_fweh_event_worker+0xae1/0xc00 ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x873/0x13e0 ? lock_release+0x640/0x640 ? pwq_dec_nr_in_flight+0x320/0x320 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x8b/0xd10 ? __kthread_parkme+0xd9/0x1d0 ? process_one_work+0x13e0/0x13e0 kthread+0x379/0x450 ? _raw_spin_unlock_irq+0x24/0x30 ? set_kthread_struct+0x100/0x100 ret_from_fork+0x1f/0x30 ================================================================================ general protection fault, probably for non-canonical address 0xe5601c0020023fff: 0000 [#1] SMP KASAN KASAN: maybe wild-memory-access in range [0x2b0100010011fff8-0x2b0100010011ffff] CPU: 0 PID: 1898 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: events brcmf_fweh_event_worker RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: brcmf_fweh_event_worker+0x117/0xc00 ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x873/0x13e0 ? lock_release+0x640/0x640 ? pwq_dec_nr_in_flight+0x320/0x320 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x8b/0xd10 ? __kthread_parkme+0xd9/0x1d0 ? process_one_work+0x13e0/0x13e0 kthread+0x379/0x450 ? _raw_spin_unlock_irq+0x24/0x30 ? set_kthread_struct+0x100/0x100 ret_from_fork+0x1f/0x30 Modules linked in: 88XXau(O) 88x2bu(O) ---[ end trace 41d302138f3ff55a ]--- RIP: 0010:brcmf_fweh_call_event_handler.isra.0+0x42/0x100 Code: 89 f5 53 48 89 fb 48 83 ec 08 e8 79 0b 38 fe 48 85 ed 74 7e e8 6f 0b 38 fe 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 8b 00 00 00 4c 8b 7d 00 44 89 e0 48 ba 00 00 00 RSP: 0018:ffffc9000259fbd8 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: ffff888115d8cd50 RCX: 0000000000000000 RDX: 0560200020023fff RSI: ffffffff8304bc91 RDI: ffff888115d8cd50 RBP: 2b0100010011ffff R08: ffff888112340050 R09: ffffed1023549809 R10: ffff88811aa4c047 R11: ffffed1023549808 R12: 0000000000000045 R13: ffffc9000259fca0 R14: ffff888112340050 R15: ffff888112340000 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000004053ccc0 CR3: 0000000112740000 CR4: 0000000000750ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Kernel panic - not syncing: Fatal exception Reported-by: NDokyung Song <dokyungs@yonsei.ac.kr> Reported-by: NJisoo Jang <jisoo.jang@yonsei.ac.kr> Reported-by: NMinsuk Kang <linuxlovemin@yonsei.ac.kr> Reviewed-by: NArend van Spriel <aspriel@gmail.com> Signed-off-by: NDokyung Song <dokyung.song@gmail.com> Signed-off-by: NLiu Jian <liujian56@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Ryusuke Konishi 提交于
mainline inclusion from mainline-v6.0-rc3 commit 21a87d88 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4 CVE: CVE-2022-3621 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21a87d88c2253350e115029f14fe2a10a7e6c856 -------------------------------- If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level(). This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode. Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.comSigned-off-by: NRyusuke Konishi <konishi.ryusuke@gmail.com> Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com Reported-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Tested-by: NRyusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLong Li <leo.lilong@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-
由 Baolin Wang 提交于
mainline inclusion from mainline-v6.1-rc1 commit fac35ba7 category: bugfix bugzilla: 187864, https://gitee.com/src-openeuler/kernel/issues/I5X1Z9 CVE: CVE-2022-3623 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=fac35ba763ed07ba93154c95ffc0c4a55023707f -------------------------------- On some architectures (like ARM64), it can support CONT-PTE/PMD size hugetlb, which means it can support not only PMD/PUD size hugetlb (2M and 1G), but also CONT-PTE/PMD size(64K and 32M) if a 4K page size specified. So when looking up a CONT-PTE size hugetlb page by follow_page(), it will use pte_offset_map_lock() to get the pte entry lock for the CONT-PTE size hugetlb in follow_page_pte(). However this pte entry lock is incorrect for the CONT-PTE size hugetlb, since we should use huge_pte_lock() to get the correct lock, which is mm->page_table_lock. That means the pte entry of the CONT-PTE size hugetlb under current pte lock is unstable in follow_page_pte(), we can continue to migrate or poison the pte entry of the CONT-PTE size hugetlb, which can cause some potential race issues, even though they are under the 'pte lock'. For example, suppose thread A is trying to look up a CONT-PTE size hugetlb page by move_pages() syscall under the lock, however antoher thread B can migrate the CONT-PTE hugetlb page at the same time, which will cause thread A to get an incorrect page, if thread A also wants to do page migration, then data inconsistency error occurs. Moreover we have the same issue for CONT-PMD size hugetlb in follow_huge_pmd(). To fix above issues, rename the follow_huge_pmd() as follow_huge_pmd_pte() to handle PMD and PTE level size hugetlb, which uses huge_pte_lock() to get the correct pte entry lock to make the pte entry stable. Mike said: Support for CONT_PMD/_PTE was added with bb9dd3df ("arm64: hugetlb: refactor find_num_contig()"). Patch series "Support for contiguous pte hugepages", v4. However, I do not believe these code paths were executed until migration support was added with 5480280d ("arm64/mm: enable HugeTLB migration for contiguous bit HugeTLB pages") I would go with 5480280d for the Fixes: targe. Link: https://lkml.kernel.org/r/635f43bdd85ac2615a58405da82b4d33c6e5eb05.1662017562.git.baolin.wang@linux.alibaba.com Fixes: 5480280d ("arm64/mm: enable HugeTLB migration for contiguous bit HugeTLB pages") Signed-off-by: NBaolin Wang <baolin.wang@linux.alibaba.com> Suggested-by: NMike Kravetz <mike.kravetz@oracle.com> Reviewed-by: NMike Kravetz <mike.kravetz@oracle.com> Cc: David Hildenbrand <david@redhat.com> Cc: Muchun Song <songmuchun@bytedance.com> Cc: <stable@vger.kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Conflicts: mm/hugetlb.c Signed-off-by: NLiu Shixin <liushixin2@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
-