September 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
by Liu Jian 09 Sep '24

09 Sep '24

From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> stable inclusion from stable-v5.10.224 commit b7b8d9f5e679af60c94251fd6728dde34be69a71 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXYL CVE: CVE-2024-44971 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit e3862093ee93fcfbdadcb7957f5f8974fffa806a ] bcm_sf2_mdio_register() calls of_phy_find_device() and then phy_device_remove() in a loop to remove existing PHY devices. of_phy_find_device() eventually calls bus_find_device(), which calls get_device() on the returned struct device * to increment the refcount. The current implementation does not decrement the refcount, which causes memory leak. This commit adds the missing phy_device_free() call to decrement the refcount via put_device() to balance the refcount. Fixes: 771089c2a485 ("net: dsa: bcm_sf2: Ensure that MDIO diversion is used") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Tested-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Reviewed-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://patch.msgid.link/20240806011327.3817861-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/dsa/bcm_sf2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c index c6563d212476..7b8bdc34caa5 100644 --- a/drivers/net/dsa/bcm_sf2.c +++ b/drivers/net/dsa/bcm_sf2.c @@ -559,8 +559,10 @@ static int bcm_sf2_mdio_register(struct dsa_switch *ds) of_remove_property(child, prop); phydev = of_phy_find_device(child); - if (phydev) + if (phydev) { phy_device_remove(phydev); + phy_device_free(phydev); + } } err = mdiobus_register(priv->slave_mii_bus); -- 2.34.1

2 1

[openeuler:OLK-5.10 29989/30000] versioncheck: ./drivers/misc/sdma-dae/sdma_cdev.c: 9 linux/version.h not needed.
by kernel test robot 09 Sep '24

09 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 3e6d44ea60eb8609ba59273c12276e3236cd76b2 commit: 1eb55075d727b4f06ceeb95a71670e2a0d7d026c [29989/30000] drivers:misc:sdma-dae: fix icsl code check problems reproduce: (https://download.01.org/0day-ci/archive/20240909/202409091107.diXxqb2W-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409091107.diXxqb2W-lkp@intel.com/ versioncheck warnings: (new ones prefixed by >>) INFO PATH=/opt/cross/rustc-1.58.0-bindgen-0.56.0/cargo/bin:/opt/cross/clang-18/bin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /usr/bin/timeout -k 100 3h /usr/bin/make KCFLAGS= -Wtautological-compare -Wno-error=return-type -Wreturn-type -Wcast-function-type -funsigned-char -Wundef -fstrict-flex-arrays=3 -Wformat-overflow -Wformat-truncation -Wenum-conversion W=1 --keep-going LLVM=1 -j32 ARCH=x86_64 versioncheck find ./* \( -name SCCS -o -name BitKeeper -o -name .svn -o -name CVS -o -name .pc -o -name .hg -o -name .git \) -prune -o \ -name '*.[hcS]' -type f -print | sort \ | xargs perl -w ./scripts/checkversion.pl ./arch/csky/include/asm/atomic.h: 6 linux/version.h not needed. ./arch/csky/include/asm/io.h: 9 linux/version.h not needed. ./arch/csky/include/asm/thread_info.h: 9 linux/version.h not needed. ./arch/csky/include/asm/uaccess.h: 15 linux/version.h not needed. ./arch/csky/kernel/process.c: 5 linux/version.h not needed. ./arch/csky/mm/dma-mapping.c: 12 linux/version.h not needed. ./arch/csky/mm/fault.c: 16 linux/version.h not needed. ./arch/s390/include/asm/setup.h: 183: need linux/version.h ./arch/um/drivers/vector_kern.c: 11 linux/version.h not needed. ./drivers/block/rsxx/rsxx_priv.h: 14 linux/version.h not needed. ./drivers/char/ipmi/ipmi_si_ls2k500.c: 19 linux/version.h not needed. ./drivers/crypto/cavium/cpt/cptpf_main.c: 13 linux/version.h not needed. ./drivers/crypto/cavium/zip/common.h: 59 linux/version.h not needed. ./drivers/crypto/ccree/cc_driver.h: 26 linux/version.h not needed. ./drivers/crypto/montage/tsse/tsse_vuart.c: 21 linux/version.h not needed. ./drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c: 62 linux/version.h not needed. ./drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c: 28 linux/version.h not needed. ./drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c: 26 linux/version.h not needed. ./drivers/gpu/drm/inspur/inspur_drm_de.c: 513: need linux/version.h ./drivers/gpu/drm/inspur/inspur_drm_drv.c: 456: need linux/version.h ./drivers/gpu/drm/pl111/pl111_display.c: 14 linux/version.h not needed. ./drivers/gpu/drm/pl111/pl111_drv.c: 47 linux/version.h not needed. ./drivers/gpu/drm/tve200/tve200_display.c: 14 linux/version.h not needed. ./drivers/gpu/drm/tve200/tve200_drv.c: 38 linux/version.h not needed. ./drivers/hv/hv.c: 16 linux/version.h not needed. ./drivers/i2c/busses/i2c-brcmstb.c: 25 linux/version.h not needed. ./drivers/i2c/busses/i2c-xgene-slimpro.c: 22 linux/version.h not needed. ./drivers/media/pci/cx25821/cx25821.h: 31 linux/version.h not needed. ./drivers/media/platform/s3c-camif/camif-core.c: 26 linux/version.h not needed. ./drivers/media/platform/sti/c8sectpfe/c8sectpfe-common.h: 16 linux/version.h not needed. ./drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c: 31 linux/version.h not needed. ./drivers/media/platform/sti/c8sectpfe/c8sectpfe-dvb.c: 14 linux/version.h not needed. ./drivers/media/usb/uvc/uvc_driver.c: 18 linux/version.h not needed. >> ./drivers/misc/sdma-dae/sdma_cdev.c: 9 linux/version.h not needed. ./drivers/net/ethernet/3snic/sssnic/include/kernel/sss_linux_kernel.h: 12 linux/version.h not needed. ./drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c: 21 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/edma_drv/bma_include.h: 32 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.c: 17 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_include.h: 20 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_main.c: 22 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_mce.c: 16 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_ram_op.c: 16 linux/version.h not needed. ./drivers/net/ethernet/huawei/hinic/ossl_knl.h: 22 linux/version.h not needed. ./drivers/net/ethernet/huawei/hinic3/ossl_knl_linux.h: 12 linux/version.h not needed. ./drivers/net/ethernet/mucse/rnpm/rnpm_common.h: 7 linux/version.h not needed. ./drivers/net/ethernet/nebula-matrix/m1600/common.h: 12 linux/version.h not needed. ./drivers/net/ethernet/nebula-matrix/m1600/txrx.c: 9 linux/version.h not needed. ./drivers/net/ethernet/qlogic/qede/qede.h: 10 linux/version.h not needed. ./drivers/net/ethernet/qlogic/qede/qede_ethtool.c: 7 linux/version.h not needed. ./drivers/net/ethernet/qlogic/qede/qede_main.c: 10 linux/version.h not needed. ./drivers/net/ethernet/yunsilicon/xsc/common/xsc_core.h: 26 linux/version.h not needed. ./drivers/net/usb/lan78xx.c: 5 linux/version.h not needed. ./drivers/net/wireless/rsi/rsi_91x_ps.c: 19 linux/version.h not needed. ./drivers/scsi/cxgbi/libcxgbi.h: 27 linux/version.h not needed. ./drivers/scsi/hisi_raid/hiraid_main.c: 9 linux/version.h not needed. ./drivers/scsi/huawei/hifc/hifc_knl_adp.h: 23 linux/version.h not needed. ./drivers/scsi/qedf/qedf.h: 15 linux/version.h not needed. ./drivers/scsi/qedf/qedf_dbg.h: 13 linux/version.h not needed. ./drivers/scsi/qedi/qedi_dbg.h: 14 linux/version.h not needed. ./drivers/scsi/sssraid/sssraid_fw.c: 6 linux/version.h not needed. ./drivers/scsi/sssraid/sssraid_os.c: 6 linux/version.h not needed. ./drivers/soc/tegra/powergate-bpmp.c: 10 linux/version.h not needed. ./drivers/staging/media/atomisp/include/linux/atomisp.h: 23 linux/version.h not needed. ./drivers/staging/rtl8723bs/include/drv_types.h: 17 linux/version.h not needed. ./drivers/staging/rtl8723bs/include/ioctl_cfg80211.h: 10 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_cdev_file.c: 23 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_device.c: 33 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_genl.c: 26 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_genl_admin.c: 20 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_main.c: 28 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_tp.c: 26 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_umem.c: 26 linux/version.h not needed. ./drivers/ub/urma/uburma/uburma_main.c: 29 linux/version.h not needed. ./drivers/ub/urma/uburma/uburma_mmap.c: 21 linux/version.h not needed. ./drivers/watchdog/ziirave_wdt.c: 21 linux/version.h not needed. ./fs/eulerfs/euler.h: 20 linux/version.h not needed. ./fs/eulerfs/euler_common.h: 25 linux/version.h not needed. ./fs/proc/etmem_scan.c: 13 linux/version.h not needed. ./include/linux/qed/qed_ll2_if.h: 15 linux/version.h not needed. ./kernel/bpf/syscall.c: 20 linux/version.h not needed. ./samples/bpf/sampleip_kern.c: 7 linux/version.h not needed. ./samples/bpf/trace_event_kern.c: 8 linux/version.h not needed. ./sound/soc/codecs/cs35l35.c: 12 linux/version.h not needed. ./sound/soc/codecs/cs42l42.c: 14 linux/version.h not needed. ./tools/lib/bpf/libbpf_sched.h: 21 linux/version.h not needed. ./tools/perf/include/bpf/bpf.h: 70: need linux/version.h ./tools/perf/tests/bpf-script-example.c: 49: need linux/version.h ./tools/perf/tests/bpf-script-test-kbuild.c: 21: need linux/version.h ./tools/perf/tests/bpf-script-test-prologue.c: 47: need linux/version.h ./tools/perf/tests/bpf-script-test-relocation.c: 51: need linux/version.h ./tools/testing/selftests/bpf/progs/test_map_lock.c: 4 linux/version.h not needed. ./tools/testing/selftests/bpf/progs/test_send_signal_kern.c: 4 linux/version.h not needed. ./tools/testing/selftests/bpf/progs/test_spin_lock.c: 4 linux/version.h not needed. ./tools/testing/selftests/bpf/progs/test_tcp_estats.c: 37 linux/version.h not needed. ./tools/testing/selftests/wireguard/qemu/init.c: 25 linux/version.h not needed. -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/2] mm/ksm: fix ksm_zero_pages accounting
by Kaixiong Yu 09 Sep '24

09 Sep '24

fix the bug from mainline inclusion commits e2942062e01d ("ksm: count all zero pages placed by KSM") and 6080d19f0704 ("ksm: add ksm zero pages for each process") Chengming Zhou (1): mm/ksm: fix ksm_zero_pages accounting Kaixiong Yu (1): mm_types: Fix kabi breakage in struct mm_struct fs/proc/base.c | 2 +- include/linux/ksm.h | 17 ++++++++++++++--- include/linux/mm_types.h | 3 ++- mm/ksm.c | 11 +++++------ 4 files changed, 22 insertions(+), 11 deletions(-) -- 2.25.1

2 3

[openeuler:OLK-5.10 4121/30000] fs/xfs/xfs_icache.c:52 xfs_icwalk_tag() warn: unsigned 'goal' is never less than zero.
by kernel test robot 09 Sep '24

09 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 3e6d44ea60eb8609ba59273c12276e3236cd76b2 commit: b12b4a14e6dc13b75697ebc80f513fedd068345e [4121/30000] xfs: remove xfs_dqrele_all_inodes config: x86_64-randconfig-161-20240906 (https://download.01.org/0day-ci/archive/20240909/202409091024.XP4R6muy-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409091024.XP4R6muy-lkp@intel.com/ New smatch warnings: fs/xfs/xfs_icache.c:52 xfs_icwalk_tag() warn: unsigned 'goal' is never less than zero. Old smatch warnings: fs/xfs/xfs_icache.c:534 xfs_iget_cache_hit() warn: missing unwind goto? vim +/goal +52 fs/xfs/xfs_icache.c 656d89e710ffc0 Darrick J. Wong 2022-01-07 47 656d89e710ffc0 Darrick J. Wong 2022-01-07 48 /* Compute the inode radix tree tag for this goal. */ 656d89e710ffc0 Darrick J. Wong 2022-01-07 49 static inline unsigned int 656d89e710ffc0 Darrick J. Wong 2022-01-07 50 xfs_icwalk_tag(enum xfs_icwalk_goal goal) 656d89e710ffc0 Darrick J. Wong 2022-01-07 51 { 656d89e710ffc0 Darrick J. Wong 2022-01-07 @52 return goal < 0 ? XFS_ICWALK_NULL_TAG : goal; 656d89e710ffc0 Darrick J. Wong 2022-01-07 53 } 656d89e710ffc0 Darrick J. Wong 2022-01-07 54 :::::: The code at line 52 was first introduced by commit :::::: 656d89e710ffc01bc169a476208c84a0048cb554 xfs: pass the goal of the incore inode walk to xfs_inode_walk() :::::: TO: Darrick J. Wong <djwong(a)kernel.org> :::::: CC: Zheng Zengkai <zhengzengkai(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
by Liu Jian 09 Sep '24

09 Sep '24

From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> stable inclusion from stable-v5.10.224 commit b7b8d9f5e679af60c94251fd6728dde34be69a71 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXYL CVE: CVE-2024-44971 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit e3862093ee93fcfbdadcb7957f5f8974fffa806a ] bcm_sf2_mdio_register() calls of_phy_find_device() and then phy_device_remove() in a loop to remove existing PHY devices. of_phy_find_device() eventually calls bus_find_device(), which calls get_device() on the returned struct device * to increment the refcount. The current implementation does not decrement the refcount, which causes memory leak. This commit adds the missing phy_device_free() call to decrement the refcount via put_device() to balance the refcount. Fixes: 771089c2a485 ("net: dsa: bcm_sf2: Ensure that MDIO diversion is used") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Tested-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Reviewed-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://patch.msgid.link/20240806011327.3817861-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/dsa/bcm_sf2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c index a5849663f65c..d0f94a5fae5a 100644 --- a/drivers/net/dsa/bcm_sf2.c +++ b/drivers/net/dsa/bcm_sf2.c @@ -558,8 +558,10 @@ static int bcm_sf2_mdio_register(struct dsa_switch *ds) of_remove_property(child, prop); phydev = of_phy_find_device(child); - if (phydev) + if (phydev) { phy_device_remove(phydev); + phy_device_free(phydev); + } } err = mdiobus_register(priv->slave_mii_bus); -- 2.34.1

2 1

[PATCH OLK-5.10] mptcp: pm: avoid possible UaF when selecting endp
by Liu Jian 09 Sep '24

09 Sep '24

From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> mainline inclusion from mainline-v6.11-rc5 commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOY17 CVE: CVE-2024-44974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------- select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. Reported-by: Paolo Abeni <pabeni(a)redhat.com> Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/mptcp/pm_netlink.c [Did not backport 90d930882139 ("mptcp: constify a bunch of of helpers"), 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set"), 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk").] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/mptcp/pm_netlink.c | 44 ++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 0d6f3d912891..824420c4e8f9 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -128,11 +128,13 @@ static bool lookup_subflow_by_saddr(const struct list_head *list, return false; } -static struct mptcp_pm_addr_entry * +static bool select_local_address(const struct pm_nl_pernet *pernet, - struct mptcp_sock *msk) + struct mptcp_sock *msk, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; rcu_read_lock(); spin_lock_bh(&msk->join_list_lock); @@ -146,19 +148,23 @@ select_local_address(const struct pm_nl_pernet *pernet, if (entry->addr.family == ((struct sock *)msk)->sk_family && !lookup_subflow_by_saddr(&msk->conn_list, &entry->addr) && !lookup_subflow_by_saddr(&msk->join_list, &entry->addr)) { - ret = entry; + *new_entry = *entry; + found = true; break; } } spin_unlock_bh(&msk->join_list_lock); rcu_read_unlock(); - return ret; + + return found; } -static struct mptcp_pm_addr_entry * -select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos) +static bool +select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; int i = 0; rcu_read_lock(); @@ -171,12 +177,14 @@ select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos) if (!(entry->addr.flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) continue; if (i++ == pos) { - ret = entry; + *new_entry = *entry; + found = true; break; } } rcu_read_unlock(); - return ret; + + return found; } static void check_work_pending(struct mptcp_sock *msk) @@ -306,7 +314,7 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) { struct mptcp_addr_info remote = { 0 }; struct sock *sk = (struct sock *)msk; - struct mptcp_pm_addr_entry *local; + struct mptcp_pm_addr_entry local; struct pm_nl_pernet *pernet; pernet = net_generic(sock_net((struct sock *)msk), pm_nl_pernet_id); @@ -318,13 +326,12 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) /* check first for announce */ if (msk->pm.add_addr_signaled < msk->pm.add_addr_signal_max) { - local = select_signal_address(pernet, - msk->pm.add_addr_signaled); - if (local) { - if (mptcp_pm_alloc_anno_list(msk, local)) { + if (select_signal_address(pernet, + msk->pm.add_addr_signaled, &local)) { + if (mptcp_pm_alloc_anno_list(msk, &local)) { msk->pm.add_addr_signaled++; - mptcp_pm_announce_addr(msk, &local->addr, false); + mptcp_pm_announce_addr(msk, &local.addr, false); } } else { /* pick failed, avoid fourther attempts later */ @@ -339,13 +346,12 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) msk->pm.subflows < msk->pm.subflows_max) { remote_address((struct sock_common *)sk, &remote); - local = select_local_address(pernet, msk); - if (local) { + if (select_local_address(pernet, msk, &local)) { msk->pm.local_addr_used++; msk->pm.subflows++; check_work_pending(msk); spin_unlock_bh(&msk->pm.lock); - __mptcp_subflow_connect(sk, &local->addr, &remote); + __mptcp_subflow_connect(sk, &local.addr, &remote); spin_lock_bh(&msk->pm.lock); return; } -- 2.34.1

2 1

[PATCH OLK-6.6] bnxt_en: Fix double DMA unmapping for XDP_REDIRECT
by Liu Jian 09 Sep '24

09 Sep '24

From: Somnath Kotur <somnath.kotur(a)broadcom.com> stable inclusion from stable-v6.6.48 commit fa4e6ae38574d0fc5596272bee64727d8ab7052b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZU CVE: CVE-2024-44984 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit 8baeef7616d5194045c5a6b97fd1246b87c55b13 ] Remove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT code path. This should have been removed when we let the page pool handle the DMA mapping. This bug causes the warning: WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100 CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G W 6.8.0-1010-gcp #11-Ubuntu Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024 RIP: 0010:iommu_dma_unmap_page+0xd5/0x100 Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000 R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0 ? show_regs+0x6d/0x80 ? __warn+0x89/0x150 ? iommu_dma_unmap_page+0xd5/0x100 ? report_bug+0x16a/0x190 ? handle_bug+0x51/0xa0 ? exc_invalid_op+0x18/0x80 ? iommu_dma_unmap_page+0xd5/0x100 ? iommu_dma_unmap_page+0x35/0x100 dma_unmap_page_attrs+0x55/0x220 ? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f bnxt_rx_xdp+0x237/0x520 [bnxt_en] bnxt_rx_pkt+0x640/0xdd0 [bnxt_en] __bnxt_poll_work+0x1a1/0x3d0 [bnxt_en] bnxt_poll+0xaa/0x1e0 [bnxt_en] __napi_poll+0x33/0x1e0 net_rx_action+0x18a/0x2f0 Fixes: 578fcfd26e2a ("bnxt_en: Let the page pool manage the DMA mapping") Reviewed-by: Andy Gospodarek <andrew.gospodarek(a)broadcom.com> Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> Signed-off-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/20240820203415.168178-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c index 8cb9a99154aa..2845796f782c 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c @@ -297,11 +297,6 @@ bool bnxt_rx_xdp(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, u16 cons, * redirect is coming from a frame received by the * bnxt_en driver. */ - rx_buf = &rxr->rx_buf_ring[cons]; - mapping = rx_buf->mapping - bp->rx_dma_offset; - dma_unmap_page_attrs(&pdev->dev, mapping, - BNXT_RX_PAGE_SIZE, bp->rx_dir, - DMA_ATTR_WEAK_ORDERING); /* if we are unable to allocate a new buffer, abort and reuse */ if (bnxt_alloc_rx_data(bp, rxr, rxr->rx_prod, GFP_ATOMIC)) { -- 2.34.1

2 1

[PATCH OLK-6.6] mptcp: pm: avoid possible UaF when selecting endp
by Liu Jian 09 Sep '24

09 Sep '24

From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> stable inclusion from stable-v6.6.48 commit 9a9afbbc3fbfca4975eea4aa5b18556db5a0c0b8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOY17 CVE: CVE-2024-44974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream. select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. Reported-by: Paolo Abeni <pabeni(a)redhat.com> Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/mptcp/pm_netlink.c | 64 ++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 30 deletions(-) diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index b81fa77ce054..aa56696cdc78 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -148,11 +148,13 @@ static bool lookup_subflow_by_daddr(const struct list_head *list, return false; } -static struct mptcp_pm_addr_entry * +static bool select_local_address(const struct pm_nl_pernet *pernet, - const struct mptcp_sock *msk) + const struct mptcp_sock *msk, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; msk_owned_by_me(msk); @@ -164,17 +166,21 @@ select_local_address(const struct pm_nl_pernet *pernet, if (!test_bit(entry->addr.id, msk->pm.id_avail_bitmap)) continue; - ret = entry; + *new_entry = *entry; + found = true; break; } rcu_read_unlock(); - return ret; + + return found; } -static struct mptcp_pm_addr_entry * -select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk) +static bool +select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; rcu_read_lock(); /* do not keep any additional per socket state, just signal @@ -189,11 +195,13 @@ select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk) if (!(entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) continue; - ret = entry; + *new_entry = *entry; + found = true; break; } rcu_read_unlock(); - return ret; + + return found; } unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk) @@ -520,9 +528,10 @@ __lookup_addr(struct pm_nl_pernet *pernet, const struct mptcp_addr_info *info, static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) { - struct mptcp_pm_addr_entry *local, *signal_and_subflow = NULL; struct sock *sk = (struct sock *)msk; + struct mptcp_pm_addr_entry local; unsigned int add_addr_signal_max; + bool signal_and_subflow = false; unsigned int local_addr_max; struct pm_nl_pernet *pernet; unsigned int subflows_max; @@ -573,23 +582,22 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) if (msk->pm.addr_signal & BIT(MPTCP_ADD_ADDR_SIGNAL)) return; - local = select_signal_address(pernet, msk); - if (!local) + if (!select_signal_address(pernet, msk, &local)) goto subflow; /* If the alloc fails, we are on memory pressure, not worth * continuing, and trying to create subflows. */ - if (!mptcp_pm_alloc_anno_list(msk, &local->addr)) + if (!mptcp_pm_alloc_anno_list(msk, &local.addr)) return; - __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); + __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); msk->pm.add_addr_signaled++; - mptcp_pm_announce_addr(msk, &local->addr, false); + mptcp_pm_announce_addr(msk, &local.addr, false); mptcp_pm_nl_addr_send_ack(msk); - if (local->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) - signal_and_subflow = local; + if (local.flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) + signal_and_subflow = true; } subflow: @@ -600,26 +608,22 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) bool fullmesh; int i, nr; - if (signal_and_subflow) { - local = signal_and_subflow; - signal_and_subflow = NULL; - } else { - local = select_local_address(pernet, msk); - if (!local) - break; - } + if (signal_and_subflow) + signal_and_subflow = false; + else if (!select_local_address(pernet, msk, &local)) + break; - fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH); + fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH); msk->pm.local_addr_used++; - __clear_bit(local->addr.id, msk->pm.id_avail_bitmap); - nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs); + __clear_bit(local.addr.id, msk->pm.id_avail_bitmap); + nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs); if (nr == 0) continue; spin_unlock_bh(&msk->pm.lock); for (i = 0; i < nr; i++) - __mptcp_subflow_connect(sk, &local->addr, &addrs[i]); + __mptcp_subflow_connect(sk, &local.addr, &addrs[i]); spin_lock_bh(&msk->pm.lock); } mptcp_pm_nl_check_work_pending(msk); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] usb: gadget: core: Check for unset descriptor
by Ye Bin 09 Sep '24

09 Sep '24

From: Chris Wulff <crwulff(a)gmail.com> mainline inclusion from mainline-v6.11-rc3 commit 973a57891608a98e894db2887f278777f564de18 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZ1 CVE: CVE-2024-44960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets. Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") Cc: stable(a)vger.kernel.org Signed-off-by: Chris Wulff <crwulff(a)gmail.com> Link: https://lore.kernel.org/r/20240725010419.314430-2-crwulff@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ye Bin <yebin10(a)huawei.com> --- drivers/usb/gadget/udc/core.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index b45dd7827ff9..1335a715f5dd 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -99,12 +99,10 @@ int usb_ep_enable(struct usb_ep *ep) goto out; /* UDC drivers can't handle endpoints with maxpacket size 0 */ - if (usb_endpoint_maxp(ep->desc) == 0) { - /* - * We should log an error message here, but we can't call - * dev_err() because there's no way to find the gadget - * given only ep. - */ + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); + ret = -EINVAL; goto out; } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] usb: gadget: core: Check for unset descriptor
by Ye Bin 09 Sep '24

09 Sep '24

From: Chris Wulff <crwulff(a)gmail.com> mainline inclusion from mainline-v6.11-rc3 commit 973a57891608a98e894db2887f278777f564de18 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZ1 CVE: CVE-2024-44960 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets. Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") Cc: stable(a)vger.kernel.org Signed-off-by: Chris Wulff <crwulff(a)gmail.com> Link: https://lore.kernel.org/r/20240725010419.314430-2-crwulff@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ye Bin <yebin10(a)huawei.com> --- drivers/usb/gadget/udc/core.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index 7330c1999104..77ee0dbc52c5 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -99,12 +99,10 @@ int usb_ep_enable(struct usb_ep *ep) goto out; /* UDC drivers can't handle endpoints with maxpacket size 0 */ - if (usb_endpoint_maxp(ep->desc) == 0) { - /* - * We should log an error message here, but we can't call - * dev_err() because there's no way to find the gadget - * given only ep. - */ + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); + ret = -EINVAL; goto out; } -- 2.34.1

2 1