mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 44 participants
  • 18676 discussions
[PATCH openEuler-1.0-LTS] tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
by Yi Yang 25 Dec '23

mainline inclusion
from mainline-v6.5-rc7
commit 3c4f8333b582487a2d1e02171f1465531cde53e3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8QFUO
CVE: CVE-2023-6546

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

In commit 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux"), the UAF
problem is not completely fixed. There is a race condition in
gsm_cleanup_mux(), which caused this UAF.

The UAF problem is triggered by the following race:

task[5046]                       task[5054]
-----------------------          -----------------------
gsm_cleanup_mux();
dlci = gsm->dlci[0];
mutex_lock(&gsm->mutex);
                                 gsm_cleanup_mux();
                                 dlci = gsm->dlci[0]; //Didn't take the lock
gsm_dlci_release(gsm->dlci[i]);
gsm->dlci[i] = NULL;
mutex_unlock(&gsm->mutex);
                                 mutex_lock(&gsm->mutex);
                                 dlci->dead = true; //UAF

Fix it by assigning values after mutex_lock().

Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
Cc: stable <stable(a)kernel.org>
Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")
Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")
Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
Co-developed-by: Qiumiao Zhang <zhangqiumiao1(a)huawei.com>
Signed-off-by: Qiumiao Zhang <zhangqiumiao1(a)huawei.com>
Link: https://lore.kernel.org/r/20230811031121.153237-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>

conflicts: drivers/tty/n_gsm.c

Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
--- drivers/tty/n_gsm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 3f08ad7e629a..c1851fd9149c 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c 
@@ -2063,7 +2063,7 @@ static int gsm_disconnect(struct gsm_mux *gsm) static void gsm_cleanup_mux(struct gsm_mux *gsm) { int i; - struct gsm_dlci *dlci = gsm->dlci[0]; + struct gsm_dlci *dlci; struct gsm_msg *txq, *ntxq; gsm->dead = 1; @@ -2082,11 +2082,12 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm) del_timer_sync(&gsm->t2_timer); /* Now we are sure T2 has stopped */ + mutex_lock(&gsm->mutex); + dlci = gsm->dlci[0]; if (dlci) dlci->dead = 1; /* Free up any link layer users */ - mutex_lock(&gsm->mutex); for (i = 0; i < NUM_DLCI; i++) if (gsm->dlci[i]) gsm_dlci_release(gsm->dlci[i]); -- 2.25.1
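Review bot: the `conflicts: drivers/tty/n_gsm.c` trailer names the file but does not say what was adapted for this branch, and the second hunk already shows one difference from the race trace in the commit message: the context line reads `dlci->dead = 1;` where the trace quotes `dlci->dead = true;`. Please state in the trailer whether the conflict was context-only, so the backport of 3c4f8333b582 can be compared against mainline without re-deriving it. The lock move itself reads correctly in the visible lines: `dlci = gsm->dlci[0]` is now loaded under `gsm->mutex`, the same lock held around the `gsm_dlci_release()` loop.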
[PATCH V3 OLK-6.6 0/4] Fix smmu pgtable prfetch and add support
by Zhang Zekun 25 Dec '23

Fix the pgtable prefetch problem, besides add some ras features which are
used in ascend scenarios.

v3:
- Fix code check warnings

v2:
- issue new ISSUES for olk6.6

Zhang Jian (1):
  mm: export collect_procs()

Zhang Zekun (3):
  iommu/arm-smmu-v3: Add a SYNC command to avoid broken page table prefetch
  mm: memory-failure: Directly return the task for specific use
  ACPI: APEI: Don't call notifier again in ts scenario

 arch/arm64/Kconfig                          | 13 +++++++++++++
 arch/arm64/configs/openeuler_defconfig      |  1 +
 arch/arm64/kernel/cpu_errata.c              | 14 ++++++++++++++
 arch/arm64/tools/cpucaps                    |  1 +
 drivers/acpi/apei/ghes.c                    |  3 +++
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 20 ++++++++++++++++++++
 include/linux/mm.h                          |  8 ++++++++
 mm/Kconfig                                  | 11 +++++++++++
 mm/memory-failure.c                         | 13 +++++++++++++
 9 files changed, 84 insertions(+)

--
2.17.1
[PATCH] tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
by Yi Yang 25 Dec '23

mainline inclusion
from mainline-v6.5-rc7
commit 3c4f8333b582487a2d1e02171f1465531cde53e3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8QFUO
CVE: CVE-2023-6546

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

In commit 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux"), the UAF
problem is not completely fixed. There is a race condition in
gsm_cleanup_mux(), which caused this UAF.

The UAF problem is triggered by the following race:

task[5046]                       task[5054]
-----------------------          -----------------------
gsm_cleanup_mux();
dlci = gsm->dlci[0];
mutex_lock(&gsm->mutex);
                                 gsm_cleanup_mux();
                                 dlci = gsm->dlci[0]; //Didn't take the lock
gsm_dlci_release(gsm->dlci[i]);
gsm->dlci[i] = NULL;
mutex_unlock(&gsm->mutex);
                                 mutex_lock(&gsm->mutex);
                                 dlci->dead = true; //UAF

Fix it by assigning values after mutex_lock().

Link: https://syzkaller.appspot.com/text?tag=CrashReport&x=176188b5a80000
Cc: stable <stable(a)kernel.org>
Fixes: 9b9c8195f3f0 ("tty: n_gsm: fix UAF in gsm_cleanup_mux")
Fixes: aa371e96f05d ("tty: n_gsm: fix restart handling via CLD command")
Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
Co-developed-by: Qiumiao Zhang <zhangqiumiao1(a)huawei.com>
Signed-off-by: Qiumiao Zhang <zhangqiumiao1(a)huawei.com>
Link: https://lore.kernel.org/r/20230811031121.153237-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>

conflicts: drivers/tty/n_gsm.c

Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
--- drivers/tty/n_gsm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 3f08ad7e629a..c1851fd9149c 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c 
@@ -2063,7 +2063,7 @@ static int gsm_disconnect(struct gsm_mux *gsm) static void gsm_cleanup_mux(struct gsm_mux *gsm) { int i; - struct gsm_dlci *dlci = gsm->dlci[0]; + struct gsm_dlci *dlci; struct gsm_msg *txq, *ntxq; gsm->dead = 1; @@ -2082,11 +2082,12 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm) del_timer_sync(&gsm->t2_timer); /* Now we are sure T2 has stopped */ + mutex_lock(&gsm->mutex); + dlci = gsm->dlci[0]; if (dlci) dlci->dead = 1; /* Free up any link layer users */ - mutex_lock(&gsm->mutex); for (i = 0; i < NUM_DLCI; i++) if (gsm->dlci[i]) gsm_dlci_release(gsm->dlci[i]); -- 2.25.1
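Review bot: in the first hunk `struct gsm_dlci *dlci;` loses its initializer, and the only assignment in the diff is the one the second hunk adds after `mutex_lock(&gsm->mutex)`. The lines between `gsm->dead = 1;` and `del_timer_sync(&gsm->t2_timer);` are outside the diff context, so please confirm that nothing there reads `dlci` on this branch before it is assigned. In the same hunk's context, `gsm->dead = 1` is still stored before the lock is taken; a one-line comment on why that store does not need `gsm->mutex` would help the next reader of this function.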
[PATCH V2 OLK-6.6 0/5] ubi: Enhance fault injection capability for the UBI driver
by ZhaoLong Wang 25 Dec '23

CONFIG Dependency
CONFIG_MTD=y
CONFIG_MTD_NAND_NANDSIM=m
CONFIG_MTD_UBI=m
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_MTD_PARTITIONED_MASTER

The existing fault injection capability of UBI is too simple. It uses
hard-coded fault probability values and lacks other configurable options.
As a result, these interfaces are difficult to use when digging defects
in the abnormal path of code and reproducing some problems.

The kernel provides a powerful fault injection framework, which provides
rich configurable fault injection attributes during runtime. So it can be
used to improve the fault injection capability of the UBI driver.

This series of patches refactor the existing fault injection interface
and add some fault injection types to help testers and developers find
potential problems in the code.

This series of patches enhance the existing fault injection interface
and retain the old debugfs interface, and add some fault injection types
to help testers and developers look for potential problems in the code.

ZhaoLong Wang (5):
  ubi: Use the fault injection framework to enhance the fault injection capability
  ubi: Split io_failures into write_failure and erase_failure
  ubi: Add six fault injection type for testing
  ubi: Reserve sufficient buffer length for the input mask
  mtd: Add several functions to the fail_function list

ZhaoLong Wang (5):
  ubi: Use the fault injection framework to enhance the fault injection capability
  ubi: Split io_failures into write_failure and erase_failure
  ubi: Add six fault injection type for testing
  ubi: Reserve sufficient buffer length for the input mask
  mtd: Add several functions to the fail_function list

 drivers/mtd/mtdcore.c   |   5 +
 drivers/mtd/ubi/Kconfig |   9 ++
 drivers/mtd/ubi/debug.c | 107 ++++++++++++--
 drivers/mtd/ubi/debug.h | 304 +++++++++++++++++++++++++++++++++++++---
 drivers/mtd/ubi/io.c    |  86 +++++++++++-
 drivers/mtd/ubi/ubi.h   |  45 +++---
 6 files changed, 497 insertions(+), 59 deletions(-)

--
2.39.2
[PATCH V2 OLK-6.6 0/4] Fix smmu pgtable prfetch and add support
by Zhang Zekun 25 Dec '23

Fix the pgtable prefetch problem, besides add some ras features which are
used in ascend scenarios.

v2:
- issue new ISSUES for olk6.6

Zhang Jian (1):
  mm: export collect_procs()

Zhang Zekun (3):
  iommu/arm-smmu-v3: Add a SYNC command to avoid broken page table prefetch
  mm: memory-failure: Directly return the task for specific use
  ACPI: APEI: Don't call notifier again in ts senario

 arch/arm64/Kconfig                          | 13 +++++++++++++
 arch/arm64/configs/openeuler_defconfig      |  1 +
 arch/arm64/kernel/cpu_errata.c              | 14 ++++++++++++++
 arch/arm64/tools/cpucaps                    |  1 +
 drivers/acpi/apei/ghes.c                    |  3 +++
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 20 ++++++++++++++++++++
 include/linux/mm.h                          |  8 ++++++++
 mm/Kconfig                                  |  9 +++++++++
 mm/memory-failure.c                         | 13 +++++++++++++
 9 files changed, 82 insertions(+)

--
2.17.1
[PATCH OLK-6.6 0/4] Fix smmu pgtable prfetch and add support
by Zhang Zekun 25 Dec '23

Fix the pgtable prefetch problem, besides add some ras features which are
used in ascend scenarios.

Zhang Jian (1):
  mm: export collect_procs()

Zhang Zekun (3):
  iommu/arm-smmu-v3: Add a SYNC command to avoid broken page table prefetch
  mm: memory-failure: Directly return the task for specific use
  ACPI: APEI: Don't call notifier again in ts senario

 arch/arm64/Kconfig                          | 13 +++++++++++++
 arch/arm64/configs/openeuler_defconfig      |  1 +
 arch/arm64/kernel/cpu_errata.c              | 14 ++++++++++++++
 arch/arm64/tools/cpucaps                    |  1 +
 drivers/acpi/apei/ghes.c                    |  3 +++
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 20 ++++++++++++++++++++
 include/linux/mm.h                          |  8 ++++++++
 mm/Kconfig                                  |  9 +++++++++
 mm/memory-failure.c                         | 13 +++++++++++++
 9 files changed, 82 insertions(+)

--
2.17.1
[PATCH openEuler-1.0-LTS v2] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
by Liu Jian 25 Dec '23

mainline inclusion
from mainline-v6.7-rc7
commit 01a564bab4876007ce35f312e16797dfe40e4823
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8KNM7

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

---------------------------

I got the below warning trace:

WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
Call Trace:
 rtnl_dellink
 rtnetlink_rcv_msg
 netlink_rcv_skb
 netlink_unicast
 netlink_sendmsg
 __sock_sendmsg
 ____sys_sendmsg
 ___sys_sendmsg
 __sys_sendmsg
 do_syscall_64
 entry_SYSCALL_64_after_hwframe

It can be reproduced via:

    ip netns add ns1
    ip netns exec ns1 ip link add bond0 type bond mode 0
    ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
    ip netns exec ns1 ip link set bond_slave_1 master bond0
[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
[5] ip netns exec ns1 ip link del veth2
    ip netns del ns1

This is all caused by command [1] turning off the rx-vlan-filter function
of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
[2] [3] add the same vid to slave and master respectively, causing
command [4] to empty slave->vlan_info. The following command [5] triggers
this problem.

To fix this problem, we should add VLAN_FILTER feature checks in
vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
addition or deletion of vlan_vid information.

Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device")
Signed-off-by: Liu Jian <liujian56(a)huawei.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> (cherry picked from commit 01a564bab4876007ce35f312e16797dfe40e4823) Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/8021q/vlan_core.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c index 4f60e86f4b8d3..e92c914316cbd 100644 --- a/net/8021q/vlan_core.c +++ b/net/8021q/vlan_core.c @@ -380,6 +380,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, return 0; list_for_each_entry(vid_info, &vlan_info->vid_list, list) { + if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) + continue; err = vlan_vid_add(dev, vid_info->proto, vid_info->vid); if (err) goto unwind; @@ -390,6 +392,8 @@ int vlan_vids_add_by_dev(struct net_device *dev, list_for_each_entry_continue_reverse(vid_info, &vlan_info->vid_list, list) { + if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) + continue; vlan_vid_del(dev, vid_info->proto, vid_info->vid); } @@ -409,8 +413,11 @@ void vlan_vids_del_by_dev(struct net_device *dev, if (!vlan_info) return; - list_for_each_entry(vid_info, &vlan_info->vid_list, list) + list_for_each_entry(vid_info, &vlan_info->vid_list, list) { + if (!vlan_hw_filter_capable(by_dev, vid_info->proto)) + continue; vlan_vid_del(dev, vid_info->proto, vid_info->vid); + } } EXPORT_SYMBOL(vlan_vids_del_by_dev); -- 2.34.1
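Review bot: all three added checks test `vlan_hw_filter_capable(by_dev, vid_info->proto)`, the device whose vid list is being walked, while `vlan_vid_add()` and `vlan_vid_del()` act on `dev`. That matches the commit message, where the rx-vlan-filter state of the master decides, but in the code it is easy to misread as a typo for `dev`; a short comment above the first check in `vlan_vids_add_by_dev()` would settle it. The reverse loop in the second hunk skips with the same condition as the forward loop, which keeps each add paired with its delete, and since the two-line check now appears three times a small helper would keep the copies from drifting apart.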
[PATCH OLK-6.6 0/5] ubi: Enhance fault injection capability for the UBI driver
by ZhaoLong Wang 25 Dec '23

CONFIG Dependency
CONFIG_MTD=y
CONFIG_MTD_NAND_NANDSIM=m
CONFIG_MTD_UBI=m
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_MTD_PARTITIONED_MASTER

The existing fault injection capability of UBI is too simple. It uses
hard-coded fault probability values and lacks other configurable options.
As a result, these interfaces are difficult to use when digging defects
in the abnormal path of code and reproducing some problems.

The kernel provides a powerful fault injection framework, which provides
rich configurable fault injection attributes during runtime. So it can be
used to improve the fault injection capability of the UBI driver.

This series of patches refactor the existing fault injection interface
and add some fault injection types to help testers and developers find
potential problems in the code.

This series of patches enhance the existing fault injection interface
and retain the old debugfs interface, and add some fault injection types
to help testers and developers look for potential problems in the code.

ZhaoLong Wang (5):
  ubi: Use the fault injection framework to enhance the fault injection capability
  ubi: Split io_failures into write_failure and erase_failure
  ubi: Add six fault injection type for testing
  ubi: Reserve sufficient buffer length for the input mask
  mtd: Add several functions to the fail_function list

 drivers/mtd/mtdcore.c   |   5 +
 drivers/mtd/ubi/Kconfig |   9 ++
 drivers/mtd/ubi/debug.c | 107 ++++++++++++--
 drivers/mtd/ubi/debug.h | 304 +++++++++++++++++++++++++++++++++++++---
 drivers/mtd/ubi/io.c    |  86 +++++++++++-
 drivers/mtd/ubi/ubi.h   |  45 +++---
 6 files changed, 497 insertions(+), 59 deletions(-)

--
2.39.2
[PATCH OLK-5.10 0/2] kernel: update SP3 OPENEULER_MINOR and introduced OPENEULER_LTS
by Jialin Zhang 25 Dec '23

Jialin Zhang (1):
  kernel: update SP3 OPENEULER_MINOR value to 3

Xie XiuQi (1):
  openEuler: introduced OPENEULER_LTS to identify LTS Release

 Makefile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--
2.25.1
[PATCH OLK-5.10 v2 0/2] block: warn once for each partition in bio_check_ro()
by Yu Kuai 25 Dec '23

Yu Kuai (2):
  block: warn once for each partition in bio_check_ro()
  block: fix kabi broken in struct hd_part

 block/blk-core.c      | 5 +++++
 include/linux/genhd.h | 1 +
 2 files changed, 6 insertions(+)

--
2.39.2