- 09 11月, 2021 7 次提交
-
-
由 Shaokun Zhang 提交于
mainline inclusion from mainline-v5.4-rc1 commit 8703317a category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4A1XO CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8703317ae576c9bf3e07e5b97275e3f957e8d74b ------------------------------------------------------------------------ For some HiSilicon platform, the originally designed SCCL_ID and CCL_ID are not satisfied with much rich topology when the MT is set, so we extend the SCCL_ID to MPIDR[aff3] and CCL_ID to MPIDR[aff2]. Let's update this for HiSilicon uncore PMU driver. Cc: John Garry <john.garry@huawei.com> Cc: Hanjun Guo <guohanjun@huawei.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Will Deacon <will@kernel.org> Signed-off-by: NShaokun Zhang <zhangshaokun@hisilicon.com> Signed-off-by: NWill Deacon <will@kernel.org> Signed-off-by: NQi Liu <liuqi115@huawei.com> Reviewed-by: NYang Jihong <yangjihong1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Robin Murphy 提交于
mainline inclusion from mainline-v5.3-rc1 commit 3c934735 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4A1XO CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c9347351a6ea1234aa647b36f89052de050d2a2 ------------------------------------------------------------------------ With global filtering, it becomes possible for users to construct self-contradictory groups with conflicting filters. Make sure we cover that when initially validating events. Signed-off-by: NRobin Murphy <robin.murphy@arm.com> Signed-off-by: NWill Deacon <will@kernel.org> Signed-off-by: NQi Liu <liuqi115@huawei.com> Reviewed-by: NYang Jihong <yangjihong1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Robin Murphy 提交于
mainline inclusion from mainline-v5.3-rc1 commit 33e84ea4 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4A1XO CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=33e84ea4330da8a16bda8a871d0cd3c872bcd89f ------------------------------------------------------------------------ Ensure that a group will actually fit into the available counters. Signed-off-by: NRobin Murphy <robin.murphy@arm.com> Signed-off-by: NWill Deacon <will@kernel.org> Signed-off-by: NQi Liu <liuqi115@huawei.com> Reviewed-by: NYang Jihong <yangjihong1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Will Deacon 提交于
mainline inclusion from mainline-v5.1-rc3 commit 14ae42a6 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4A1XO CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=14ae42a6f0b13130a97d94d23481128961de5d38 ------------------------------------------------------------------------ Since commit 5768402f ("perf/ring_buffer: Use high order allocations for AUX buffers optimistically"), the perf core tends to back aux buffer allocations with high-order pages with the order encoded in the PagePrivate data. The Arm SPE driver explicitly rejects such pages, causing the perf tool to fail with: | failed to mmap with 12 (Cannot allocate memory) In actual fact, we can simply treat these pages just like any other since the perf core takes care to populate the page array appropriately. In theory we could try to map with PMDs where possible, but for now, let's just get things working again. Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Fixes: 5768402f ("perf/ring_buffer: Use high order allocations for AUX buffers optimistically") Reported-by: NHanjun Guo <guohanjun@huawei.com> Tested-by: NHanjun Guo <guohanjun@huawei.com> Tested-by: NSudeep Holla <sudeep.holla@arm.com> Signed-off-by: NWill Deacon <will.deacon@arm.com> Signed-off-by: NQi Liu <liuqi115@huawei.com> Reviewed-by: NYang Jihong <yangjihong1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Tian Tao 提交于
mainline inclusion from mainline-v5.14.0-rc7 commit a0d078d0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I469VQ CVE: NA Refactoring hibmc_vdac_init, hibmc_connector_init method. --------------------------------------- Use drm_get_edid to get the resolution, if that fails, set it to a fixed resolution. Rewrite the desrtoy callback function to release resources. Signed-off-by: NTian Tao <tiantao6@hisilicon.com> Reviewed-by: NThomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/1600778670-60370-3-git-send-email-tiantao6@hisilicon.comSigned-off-by: Ngouhao <gouhao@uniontech.com> Reviewed-by: Ntian tao <tiantao6@hisilicon.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Tian Tao 提交于
mainline inclusion from mainline-v5.14.0-rc7 commit 4eb4d99d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I469VQ CVE: NA Remove #include <drm/drm_probe_helper.h> in hibmc_drm_i2c.c. ----------------------------- Adding driver implementation to support i2c driver algorithms for bit-shift adapters, so hibmc will using the interface provided by drm to read edid. Signed-off-by: NTian Tao <tiantao6@hisilicon.com> Reviewed-by: NThomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/1600778670-60370-2-git-send-email-tiantao6@hisilicon.comSigned-off-by: Ngouhao <gouhao@uniontech.com> Reviewed-by: Ntian tao <tiantao6@hisilicon.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Arvind Sankar 提交于
stable inclusion from linux-4.19.164 commit b207caff4176e3a6ba273243da2db2e595e4aad2 CVE: CVE-2021-0938 -------------------------------- commit 3347acc6 upstream. Commit 815f0ddb ("include/linux/compiler*.h: make compiler-*.h mutually exclusive") neglected to copy barrier_data() from compiler-gcc.h into compiler-clang.h. The definition in compiler-gcc.h was really to work around clang's more aggressive optimization, so this broke barrier_data() on clang, and consequently memzero_explicit() as well. For example, this results in at least the memzero_explicit() call in lib/crypto/sha256.c:sha256_transform() being optimized away by clang. Fix this by moving the definition of barrier_data() into compiler.h. Also move the gcc/clang definition of barrier() into compiler.h, __memory_barrier() is icc-specific (and barrier() is already defined using it in compiler-intel.h) and doesn't belong in compiler.h. [rdunlap@infradead.org: fix ALPHA builds when SMP is not enabled] Link: https://lkml.kernel.org/r/20201101231835.4589-1-rdunlap@infradead.org Fixes: 815f0ddb ("include/linux/compiler*.h: make compiler-*.h mutually exclusive") Signed-off-by: NArvind Sankar <nivedita@alum.mit.edu> Signed-off-by: NRandy Dunlap <rdunlap@infradead.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Tested-by: NNick Desaulniers <ndesaulniers@google.com> Reviewed-by: NNick Desaulniers <ndesaulniers@google.com> Reviewed-by: NKees Cook <keescook@chromium.org> Cc: <stable@vger.kernel.org> Link: https://lkml.kernel.org/r/20201014212631.207844-1-nivedita@alum.mit.eduSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org> [nd: backport to account for missing commit e506ea45 ("compiler.h: Split {READ,WRITE}_ONCE definitions out into rwonce.h") commit d08b9f0c ("scs: Add support for Clang's Shadow Call Stack (SCS)") commit a3f8a30f ("Compiler Attributes: use feature checks instead of version checks")] Signed-off-by: NNick Desaulniers <ndesaulniers@google.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NCheng Jian <cj.chengjian@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
- 08 11月, 2021 9 次提交
-
-
由 Huang Guobin 提交于
mainline inclusion from mainline-v5.15 commit b93c6a91 category: bugfix bugzilla: 185687 CVE: NA ------------------------------------------------- When I do fuzz test for bonding device interface, I got the following use-after-free Calltrace: ================================================================== BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0 Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365 CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 Call Trace: dump_stack_lvl+0x6c/0x8b print_address_description.constprop.0+0x48/0x70 kasan_report.cold+0x82/0xdb __asan_load8+0x69/0x90 bond_enslave+0x1521/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f19159cf577 Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78 RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577 RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003 RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000 R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0 R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0 Allocated by task 7365: kasan_save_stack+0x23/0x50 __kasan_kmalloc+0x83/0xa0 kmem_cache_alloc_trace+0x22e/0x470 bond_enslave+0x2e1/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 7365: kasan_save_stack+0x23/0x50 kasan_set_track+0x20/0x30 kasan_set_free_info+0x24/0x40 __kasan_slab_free+0xf2/0x130 kfree+0xd1/0x5c0 slave_kobj_release+0x61/0x90 kobject_put+0x102/0x180 bond_sysfs_slave_add+0x7a/0xa0 bond_enslave+0x11b6/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Last potentially related work creation: kasan_save_stack+0x23/0x50 kasan_record_aux_stack+0xb7/0xd0 insert_work+0x43/0x190 __queue_work+0x2e3/0x970 delayed_work_timer_fn+0x3e/0x50 call_timer_fn+0x148/0x470 run_timer_softirq+0x8a8/0xc50 __do_softirq+0x107/0x55f Second to last potentially related work creation: kasan_save_stack+0x23/0x50 kasan_record_aux_stack+0xb7/0xd0 insert_work+0x43/0x190 __queue_work+0x2e3/0x970 __queue_delayed_work+0x130/0x180 queue_delayed_work_on+0xa7/0xb0 bond_enslave+0xe25/0x24f0 bond_do_ioctl+0x3e0/0x450 dev_ifsioc+0x2ba/0x970 dev_ioctl+0x112/0x710 sock_do_ioctl+0x118/0x1b0 sock_ioctl+0x2e0/0x490 __x64_sys_ioctl+0x118/0x150 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88825bc11c00 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 0 bytes inside of 1024-byte region [ffff88825bc11c00, ffff88825bc12000) The buggy address belongs to the page: page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10 head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff) raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 ffff88810004dbc0 raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems when new_slave is accessed in the subsequent error handling process. Since new_slave will be put in the subsequent error handling process, remove the unnecessary put to fix it. In addition, when sysfs_create_file() fails, if some files have been crea- ted successfully, we need to call sysfs_remove_file() to remove them. Since there are sysfs_create_files() & sysfs_remove_files() can be used, use these two functions instead. Fixes: 7afcaec4 (bonding: use kobject_put instead of _del after kobject_add) Signed-off-by: NHuang Guobin <huangguobin4@huawei.com> Reviewed-by: NJakub Kicinski <kuba@kernel.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NHuang Guobin <huangguobin4@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hridya Valsaraju 提交于
hulk inclusion category: bugfix bugzilla: NA CVE: CVE-2021-0929 https://source.android.com/security/bulletin/2021-11-01 https://android-review.googlesource.com/c/kernel/common/+/1780045 --------------------------- Since dma_buf_begin/end_cpu_access() calls always used to bracket dma_buf_kmap/kunmap calls, ION performed kmap/kunmap invocations for the buffer during dma_buf_begin/end_cpu_access() calls and cached the results with a kmap counter. However, dma_buf_begin/end_cpu_access() invocations can be triggered from the userspace using the DMA_BUF_IOC_SYNC ioctl as well. This means that a mapping that was created by a device driver using by a dma_buf_kmap() call or an ion_map_kernel() call could be unmapped from userspace if a client accidentally(or maliciously) invoked DMA_BUF_IOCTL_SYNC IOCTL with 'DMA_BUF_SYNC_END' argument since this would inturn invoke dma_buf_end_cpu_access() which would then decrement the kmap counter and invoke kunmap() when the counter gets to 0. This patch moves the kmap/kunmap operations from the begin/end_cpu_access() DMA-BUF ops to the map/unmap DMA-BUF ops to prevent the issue. Bug: 187527909 Change-Id: I00dc8eefefb1f3aab99e770f90d624011f7740f0 Signed-off-by: NHridya Valsaraju <hridya@google.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Jouni Malinen 提交于
stable inclusion from linux-4.19.205 commit 08c613a2cb06c68ef4e7733e052af067b21e5dbb CVE: CVE-2020-3702 -------------------------------- commit ca284802 upstream. Do not delete a key cache entry that is still being referenced by pending frames in TXQs. This avoids reuse of the key cache entry while a frame might still be transmitted using it. To avoid having to do any additional operations during the main TX path operations, track pending key cache entries in a new bitmap and check whether any pending entries can be deleted before every new key add/remove operation. Also clear any remaining entries when stopping the interface. Signed-off-by: NJouni Malinen <jouni@codeaurora.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201214172118.18100-6-jouni@codeaurora.org Cc: Pali Rohár <pali@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Jouni Malinen 提交于
stable inclusion from linux-4.19.205 commit 7c5a966edd3c6eec4a9bdf698c1f27712d1781f0 CVE: CVE-2020-3702 -------------------------------- commit 144cd24d upstream. tkip_keymap can be used internally to avoid the reference to key->cipher and with this, only the key index value itself is needed. This allows ath_key_delete() call to be postponed to be handled after the upper layer STA and key entry have already been removed. This is needed to make ath9k key cache management safer. Signed-off-by: NJouni Malinen <jouni@codeaurora.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201214172118.18100-5-jouni@codeaurora.org Cc: Pali Rohár <pali@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Jouni Malinen 提交于
stable inclusion from linux-4.19.205 commit fb924bfcecc90ca63ca76b5a10f192bd0e1bb35d CVE: CVE-2020-3702 -------------------------------- commit d2d3e364 upstream. ath9k is going to use this for safer management of key cache entries. Signed-off-by: NJouni Malinen <jouni@codeaurora.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201214172118.18100-4-jouni@codeaurora.org Cc: Pali Rohár <pali@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Jouni Malinen 提交于
stable inclusion from linux-4.19.205 commit d2fd9d34210f34cd0ff5b33fa94e9fcc2a513cea CVE: CVE-2020-3702 -------------------------------- commit 73488cb2 upstream. Now that ath/key.c may not be explicitly clearing keys from the key cache, clear all key cache entries when disabling hardware to make sure no keys are left behind beyond this point. Signed-off-by: NJouni Malinen <jouni@codeaurora.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201214172118.18100-3-jouni@codeaurora.org Cc: Pali Rohár <pali@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Jouni Malinen 提交于
stable inclusion from linux-4.19.205 commit dd5815f023b89c9a28325d8a2a5f0779b57b7190 CVE: CVE-2020-3702 -------------------------------- commit 56c5485c upstream. It is possible for there to be pending frames in TXQs with a reference to the key cache entry that is being deleted. If such a key cache entry is cleared, those pending frame in TXQ might get transmitted without proper encryption. It is safer to leave the previously used key into the key cache in such cases. Instead, only clear the MAC address to prevent RX processing from using this key cache entry. This is needed in particularly in AP mode where the TXQs cannot be flushed on station disconnection. This change alone may not be able to address all cases where the key cache entry might get reused for other purposes immediately (the key cache entry should be released for reuse only once the TXQs do not have any remaining references to them), but this makes it less likely to get unprotected frames and the more complete changes may end up being significantly more complex. Signed-off-by: NJouni Malinen <jouni@codeaurora.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201214172118.18100-2-jouni@codeaurora.org Cc: Pali Rohár <pali@kernel.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Theodore Ts'o 提交于
mainline inclusion from mainline-5.15-rc1 commit 308c57cc category: bugfix bugzilla: 109297 CVE: NA --------------------------- If the underlying storage device is using thin-provisioning, it's possible for a zeroout operation to return ENOSPC. Commit df22291f ("ext4: Retry block allocation if we have free blocks left") added logic to retry block allocation since we might get free block after we commit a transaction. But the ENOSPC from thin-provisioning will confuse ext4, and lead to an infinite loop. Since using zeroout instead of splitting the extent node is an optimization, if it fails, we might as well fall back to splitting the extent node. Reported-by: Nyangerkun <yangerkun@huawei.com> Signed-off-by: NTheodore Ts'o <tytso@mit.edu> Signed-off-by: Nyangerkun <yangerkun@huawei.com> Reviewed-by: NZhang Yi <yi.zhang@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Lin, Zhenpeng 提交于
mainline inclusion from mainline-v5.15-rc2 commit d9ea761f category: bugfix bugzilla: 85666 CVE: CVE-2020-16119 ------------------------------------------------- Commit 2677d206 ("dccp: don't free ccid2_hc_tx_sock ...") fixed a UAF but reintroduced CVE-2017-6074. When the sock is cloned, two dccps_hc_tx_ccid will reference to the same ccid. So one can free the ccid object twice from two socks after cloning. This issue was found by "Hadar Manor" as well and assigned with CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port the patch from Ubuntu to fix it. The patch prevents cloned socks from referencing the same ccid. Fixes: 2677d206 ("dccp: don't free ccid2_hc_tx_sock ...") Signed-off-by: NZhenpeng Lin <zplin@psu.edu> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NLu Wei <luwei32@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
- 05 11月, 2021 14 次提交
-
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- It attaches eBPF program into fs_file_read() and fs_file_release() respectively. The program for fs_file_read() will record read history, calculate read pattern and set f_mode for specific file, And program for fs_file_release() will clean the saved read history. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- Identify writable tracepoint program by section prefix raw_tracepoint.w/. The correct way is back-porting from commit ccaf12d6 ("libbpf: Support detecting and attaching of writable tracepoint program"), but the refactoring of libbpf makes it hard, so using the same section prefix as ccaf12d6 and post a home-made patch instead. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- Use fs_file_read_do_trace() and trace_fs_file_release() to do that. Signed-off-by: NHou Tao <houtao1@huawei.com> Acked-by: Nfang wei <fangwei1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- Use fs_file_read_do_trace() and trace_fs_file_release() to do that. Signed-off-by: NHou Tao <houtao1@huawei.com> Acked-by: Nfang wei <fangwei1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- fs_file_read_do_trace() uses writable-tracepoint to update f_mode for file read procedure. Also export it to make it being usable for filesystem kernel module. Signed-off-by: NHou Tao <houtao1@huawei.com> Acked-by: Nfang wei <fangwei1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- Add a writable bare tracepoint fs_file_read() and a bare tracepoint fs_file_release(). A version field is added to fs_file_read() to support extension of fs_file_read_ctx in future. These two tracepoints need to be exported and will be used by filesystem kernel module. Signed-off-by: NHou Tao <houtao1@huawei.com> Acked-by: Nfang wei <fangwei1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
mainline inclusion from mainline-5.16 commit 65223741 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- Commit 9df1c28b ("bpf: add writable context for raw tracepoints") supports writable context for tracepoint, but it misses the support for bare tracepoint which has no associated trace event. Bare tracepoint is defined by DECLARE_TRACE(), so adding a corresponding DECLARE_TRACE_WRITABLE() macro to generate a definition in __bpf_raw_tp_map section for bare tracepoint in a similar way to DEFINE_TRACE_WRITABLE(). Signed-off-by: NHou Tao <houtao1@huawei.com> Signed-off-by: NAndrii Nakryiko <andrii@kernel.org> Acked-by: NAndrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20211004094857.30868-2-hotforest@gmail.comReviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Qais Yousef 提交于
mainline inclusion from mainline-5.12 commit 6939f4ef category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- Some subsystems only have bare tracepoints (a tracepoint with no associated trace event) to avoid the problem of trace events being an ABI that can't be changed. >From bpf presepective, bare tracepoints are what it calls RAW_TRACEPOINT(). Since bpf assumed there's 1:1 mapping, it relied on hooking to DEFINE_EVENT() macro to create bpf mapping of the tracepoints. Since bare tracepoints use DECLARE_TRACE() to create the tracepoint, bpf had no knowledge about their existence. By teaching bpf_probe.h to parse DECLARE_TRACE() in a similar fashion to DEFINE_EVENT(), bpf can find and attach to the new raw tracepoints. Enabling that comes with the contract that changes to raw tracepoints don't constitute a regression if they break existing bpf programs. We need the ability to continue to morph and modify these raw tracepoints without worrying about any ABI. Update Documentation/bpf/bpf_design_QA.rst to document this contract. Signed-off-by: NQais Yousef <qais.yousef@arm.com> Signed-off-by: NAlexei Starovoitov <ast@kernel.org> Acked-by: NYonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20210119122237.2426878-2-qais.yousef@arm.comSigned-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Steven Rostedt (VMware) 提交于
mainline inclusion from mainline-5.10 commit afbe7973 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- As tracepoints are discouraged from being added in a header because it can cause side effects if other tracepoints are in headers, as well as bloat the kernel as the trace_<tracepoint>() function is not a small inline, the common workaround is to add a function call that calls a wrapper function in a C file that then calls the tracepoint. But as function calls add overhead, this function should only be called when the tracepoint in question is enabled. To get around this overhead, a static_branch can be used to only have the tracepoint wrapper get called when the tracepoint is enabled. Add a tracepoint_enabled(tp) macro that gets passed the name of the tracepoint, and this becomes a static_branch that is enabled when the tracepoint is enabled and is a nop when the tracepoint is disabled. Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org> Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- There are two issues with the current solution: 1) tracepoint xfs_read_file is visible in tracefs It forms an ABI for userspace. It is bad because new field may be added into xfs_writable_file to export more information to userspace. 2) tracepoint xfs_read_file is specific to xfs HDFS can be stacked on ext4. This reverts commit 4a0a1e84. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- There are two issues with the current solution: 1) tracepoint xfs_read_file is visible in tracefs It forms an ABI for userspace. It is bad because new field may be added into xfs_writable_file to export more information to userspace. 2) tracepoint xfs_read_file is specific to xfs HDFS can be stacked on ext4. This reverts commit 66844901. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- There are two issues with the current solution: 1) tracepoint xfs_read_file is visible in tracefs It forms an ABI for userspace. It is bad because new field may be added into xfs_writable_file to export more information to userspace. 2) tracepoint xfs_read_file is specific to xfs HDFS can be stacked on ext4. This reverts commit b1e9dddb, but keep the definitions of FMODE_WILLNEED & FMODE_SPC_READAHEAD. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- There are two issues with the current solution: 1) tracepoint xfs_read_file is visible in tracefs It forms an ABI for userspace. It is bad because new field may be added into xfs_writable_file to export more information to userspace. 2) tracepoint xfs_read_file is specific to xfs HDFS can be stacked on ext4. This reverts commit 38abc1bb. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Hou Tao 提交于
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4H3JT CVE: NA --------------------------- There are two issues with the current solution: 1) tracepoint xfs_read_file is visible in tracefs It forms an ABI for userspace. It is bad because new field may be added into xfs_writable_file to export more information to userspace. 2) tracepoint xfs_read_file is specific to xfs HDFS can be stacked on ext4. A new solution is proposed which uses vfs bare tracepoint, so reverts commit 69513cfb. Signed-off-by: NHou Tao <houtao1@huawei.com> Reviewed-by: NKuohai Xu <xukuohai@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
- 04 11月, 2021 10 次提交
-
-
由 zhangguijiang 提交于
ascend inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4GVSG CVE: NA ------------------- Struct mmc_host using variable private[0] to point the end of struct mmc_host, at deaf01a6 we modified struct mmc_host but ignored the role of private[0] and not put it to the end of struct mmc_host. It will make mmc card probe failed, so we fix this problem, and now ascend hisi mmc card is able to probe success. Signed-off-by: Nzhangguijiang <zhangguijiang@huawei.com> Reviewed-by: NDing Tianhong <dingtianhong@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
mainline inclusion from mainline-v5.14-rc1 commit 3cfdf8fc category: bugfix bugzilla: NA CVE: CVE-2021-34981 ------------------------------------------------- When cmtp_attach_device fails, cmtp_add_connection returns the error value which leads to the caller to doing fput through sockfd_put. But cmtp_session kthread, which is stopped in this path will also call fput, leading to a potential refcount underflow or a use-after-free. Add a refcount before we signal the kthread to stop. The kthread will try to grab the cmtp_session_sem mutex before doing the fput, which is held when get_file is called, so there should be no races there. Reported-by: Ryota Shiga Signed-off-by: NThadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: NMarcel Holtmann <marcel@holtmann.org> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Reviewed-by: Nweiyang wang <wangweiyang2@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Xingui Yang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA --------------------- To help debugging efforts, print d2h status and error D2H: FIS Status Bits = 0x53 BSY = 0... .... Off DRDY = .1.. .... On DF = ..0. .... Off DSC = ...1 .... On DRQ = .... 0... Off Alignment Error = .... .0.. Off Sense Data Available = .... ..1. On ERR = .... ...1 On FIS Error Bits = 0x40 ICRC = 0... .... Off UNC = .1.. .... On MC (O) = ..0. .... Off IDNF = ...0 .... Off MCR (O) = .... 0... Off ABRT = .... .0.. Off EOM = .... ..0. Off CCTO = .... ...0 Off Here is an example print: hisi_sas_v3_hw 0000:74:02.0: sata d2h status 0x53, error 0x40 Signed-off-by: NXingui Yang <yangxingui@huawei.com> Reviewed by kangfenglong <kangfenglong@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Xingui Yang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA ----------------------------------------- This reverts commit 5868da04. this optimization patch depends on the patch of the kernel MQ block. If the block MQ patch is not integrated at the upper layer, there is a possibility that the spinlock deadlock occurs. Signed-off-by: NXingui Yang <yangxingui@huawei.com> Reviewed-by: NKangfenglong <kangfenglong@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Xingui Yang 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA --------------------- This reverts commit 2c2ed927. this optimization patch depends on the kernel block MQ patch. If the block MQ patch is not integrated, there is a possibility that the spinlock deadlock occurs. Signed-off-by: NXingui Yang <yangxingui@huawei.com> Reviewed-by: NKangfenglong <kangfenglong@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Yonglong Liu 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA ---------------------------- Signed-off-by: NYonglong Liu <liuyonglong@huawei.com> Reviewed-by: Nli yongxin <liyongxin1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Huazhong Tan 提交于
mainline inclusion from mainline-v5.8-rc1 commit 95163521 category: bugfix bugzilla: NA CVE: NA ---------------------------- Remove the redundant 'goto' and return -ENOMEM directly, when allocating memory for 'hdev' fails in hclge_init_ae_dev(). Fixes: a3ecdc004300 ("net: hns3: add a missing mutex destroy in hclge_init_ad_dev()") Signed-off-by: NHuazhong Tan <tanhuazhong@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NYonglong Liu <liuyonglong@huawei.com> Reviewed-by: Nli yongxin <liyongxin1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Yonglong Liu 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA ---------------------------- If the parameter is not valid in hclge_get_dfx_reg(), the ret is used but not initialized. Signed-off-by: NYonglong Liu <liuyonglong@huawei.com> Reviewed-by: Nli yongxin <liyongxin1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Yonglong Liu 提交于
driver inclusion category: bugfix bugzilla: NA CVE: NA ---------------------------- The previous commit 7051ad8d91c9 ("net: hns3: fix kernel crash when unload VF while it is being reset") did not full solve the problem, we should clear the state HCLGEVF_STATE_NIC_REGISTERED after reset handling done. Signed-off-by: NYonglong Liu <liuyonglong@huawei.com> Reviewed-by: Nli yongxin <liyongxin1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-
由 Guangbin Huang 提交于
mainline inclusion from mainline-v5.15-rc7 commit 0251d196 category: bugfix bugzilla: NA CVE: NA ---------------------------- Currently, if there is a reset event triggered by RAS during device in initialization process, driver may run reset process concurrently with initialization process. In this case, it may cause problem. For example, the RSS indirection table may has not been alloc memory in initialization process yet, but it is used in reset process, it will cause a call trace like this: [61228.744836] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 ... [61228.897677] Workqueue: hclgevf hclgevf_service_task [hclgevf] [61228.911390] pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--) [61228.918670] pc : hclgevf_set_rss_indir_table+0xb4/0x190 [hclgevf] [61228.927812] lr : hclgevf_set_rss_indir_table+0x90/0x190 [hclgevf] [61228.937248] sp : ffff8000162ebb50 [61228.941087] x29: ffff8000162ebb50 x28: ffffb77add72dbc0 x27: ffff0820c7dc8080 [61228.949516] x26: 0000000000000000 x25: ffff0820ad4fc880 x24: ffff0820c7dc8080 [61228.958220] x23: ffff0820c7dc8090 x22: 00000000ffffffff x21: 0000000000000040 [61228.966360] x20: ffffb77add72b9c0 x19: 0000000000000000 x18: 0000000000000030 [61228.974646] x17: 0000000000000000 x16: ffffb77ae713feb0 x15: ffff0820ad4fcce8 [61228.982808] x14: ffffffffffffffff x13: ffff8000962eb7f7 x12: 00003834ec70c960 [61228.991990] x11: 00e0fafa8c206982 x10: 9670facc78a8f9a8 x9 : ffffb77add717530 [61229.001123] x8 : ffff0820ad4fd6b8 x7 : 0000000000000000 x6 : 0000000000000011 [61229.010249] x5 : 00000000000cb1b0 x4 : 0000000000002adb x3 : 0000000000000049 [61229.018662] x2 : ffff8000162ebbb8 x1 : 0000000000000000 x0 : 0000000000000480 [61229.027002] Call trace: [61229.030177] hclgevf_set_rss_indir_table+0xb4/0x190 [hclgevf] [61229.039009] hclgevf_rss_init_hw+0x128/0x1b4 [hclgevf] [61229.046809] hclgevf_reset_rebuild+0x17c/0x69c [hclgevf] [61229.053862] hclgevf_reset_service_task+0x4cc/0xa80 [hclgevf] [61229.061306] hclgevf_service_task+0x6c/0x630 [hclgevf] [61229.068491] process_one_work+0x1dc/0x48c [61229.074121] worker_thread+0x15c/0x464 [61229.078562] kthread+0x168/0x16c [61229.082873] ret_from_fork+0x10/0x18 [61229.088221] Code: 7900e7f6 f904a683 d503201f 9101a3e2 (38616b43) [61229.095357] ---[ end trace 153661a538f6768c ]--- To fix this problem, don't schedule reset task before initialization process is done. Signed-off-by: NGuangbin Huang <huangguangbin2@huawei.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NYonglong Liu <liuyonglong@huawei.com> Reviewed-by: Nli yongxin <liyongxin1@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
-