mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 51 participants
  • 18725 discussions
[PATCH openEuler-1.0-LTS] ext4: fix warning: unused variable ‘sbi’ in ext4_dax_writepages()
by Baokun Li 31 Oct '24

hulk inclusion category: cleanup bugzilla: https://gitee.com/openeuler/kernel/issues/I9SYGK CVE: NA -------------------------------- Remove ext4_dax_writepages() unused variable 'sbi' to silence the following warning: fs/ext4/inode.c: In function ‘ext4_dax_writepages’: fs/ext4/inode.c:2995:23: warning: unused variable ‘sbi’ [-Wunused-variable] 2995 | struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); Fixes: 7b208222f684 ("ext4: avoid deadlock in fs reclaim with page writeback") Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/ext4/inode.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 6578d33b62d6..1b1ebb3862ce 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -2992,7 +2992,6 @@ static int ext4_dax_writepages(struct address_space *mapping, int ret; long nr_to_write = wbc->nr_to_write; struct inode *inode = mapping->host; - struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); int alloc_ctx; if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) -- 2.46.1
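Review bot: The commit message does not say why `sbi` lost its last user in ext4_dax_writepages(), and a deleted declaration is a common place for a dropped backport line to hide. Please add a sentence stating whether the code that consumed `sbi` in the Fixes: commit was deliberately left out of openEuler-1.0-LTS. In the visible context the shutdown check already calls `EXT4_SB(inode->i_sb)` inline, so nothing shown here depends on the removed variable.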
[PATCH openEuler-1.0-LTS] usb: gadget: uvc: Prevent buffer overflow in setup handler
by Wenyu Huang 31 Oct '24

From: Szymon Heidrich <szymon.heidrich(a)gmail.com> stable inclusion from stable-v4.19.270 commit bc8380fe5768c564f921f7b4eaba932e330b9e4b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRED CVE: CVE-2022-48948 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4c92670b16727365699fe4b19ed32013bab2c107 upstream. Setup function uvc_function_setup permits control transfer requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE), data stage handler for OUT transfer uses memcpy to copy req->actual bytes to uvc_event->data.data array of size 60. This may result in an overflow of 4 bytes. Fixes: cdda479f15cd ("USB gadget: video class function driver") Cc: stable <stable(a)kernel.org> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Reviewed-by: Daniel Scally <dan.scally(a)ideasonboard.com> Signed-off-by: Szymon Heidrich <szymon.heidrich(a)gmail.com> Link: https://lore.kernel.org/r/20221206141301.51305-1-szymon.heidrich@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wenyu Huang <huangwenyu5(a)huawei.com> --- drivers/usb/gadget/function/f_uvc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c index d8ce7868fe225..847434e5d7ae6 100644 --- a/drivers/usb/gadget/function/f_uvc.c +++ b/drivers/usb/gadget/function/f_uvc.c @@ -219,8 +219,9 @@ uvc_function_ep0_complete(struct usb_ep *ep, struct usb_request *req) memset(&v4l2_event, 0, sizeof(v4l2_event)); v4l2_event.type = UVC_EVENT_DATA; - uvc_event->data.length = req->actual; - memcpy(&uvc_event->data.data, req->buf, req->actual); + uvc_event->data.length = min_t(unsigned int, req->actual, + sizeof(uvc_event->data.data)); + memcpy(&uvc_event->data.data, req->buf, uvc_event->data.length); v4l2_event_queue(&uvc->vdev, &v4l2_event); } } -- 2.34.1
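Review bot: In uvc_function_ep0_complete() the new `min_t(unsigned int, req->actual, sizeof(uvc_event->data.data))` clamp stops the overflow, but it truncates silently: per the commit message the setup path still permits up to UVC_MAX_REQUEST_SIZE (64) bytes, so a payload longer than the 60-byte array is now delivered as a 60-byte event with no error or log. Consider also bounding the length where the request is accepted in uvc_function_setup(), or warning when `req->actual` exceeds the array size, so the consumer of UVC_EVENT_DATA can tell a short payload from a cut one. The subject says "setup handler" while the change is in the completion handler, which is worth aligning.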
[PATCH OLK-6.6] KABI: Reserve kABI for future migration feautre
by Zhenyu Ye 31 Oct '24

From: eillon <yezhenyu2(a)huawei.com> hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/IB103D CVE: NA Reserve kABI for future migration feautre Signed-off-by: eillon <yezhenyu2(a)huawei.com> --- arch/arm64/include/asm/kvm_host.h | 2 ++ include/linux/kvm_host.h | 1 + 2 files changed, 3 insertions(+) diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h index ac8115098ec9..98e07bcd33ed 100644 --- a/arch/arm64/include/asm/kvm_host.h +++ b/arch/arm64/include/asm/kvm_host.h @@ -628,6 +628,8 @@ struct kvm_vcpu_arch { #ifdef CONFIG_HISI_VIRTCCA_HOST struct virtcca_cvm_tec tec; #endif + KABI_RESERVE(1) + KABI_RESERVE(2) }; /* diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 000ae1ba0635..da40eaa90986 100644 --- a/include/linux/kvm_host.h +++ b/include/linux/kvm_host.h @@ -841,6 +841,7 @@ struct kvm { struct notifier_block pm_notifier; #endif char stats_id[KVM_STATS_NAME_SIZE]; + KABI_RESERVE(1) }; #define kvm_err(fmt, ...) \ -- 2.39.3
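Review bot: In the kvm_vcpu_arch hunk the two `KABI_RESERVE` slots sit directly after the member guarded by `#ifdef CONFIG_HISI_VIRTCCA_HOST`, so their offset differs between builds with and without that option; please confirm that this is acceptable for the kABI baseline, or say so in the commit message. The message also gives no reason for reserving two slots in kvm_vcpu_arch and one in struct kvm, and both the subject and the body spell "feature" as "feautre".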
[PATCH OLK-6.6] parport: Proper fix for array out-of-bounds access
by Yipeng Zou 31 Oct '24

From: Takashi Iwai <tiwai(a)suse.de> stable inclusion from stable-v6.6.58 commit 66029078fee00646e2e9dbb8f41ff7819f8e7569 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB0ENI CVE: CVE-2024-50074 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 02ac3a9ef3a18b58d8f3ea2b6e46de657bf6c4f9 upstream. The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly. Fixes: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk") Cc: stable(a)vger.kernel.org Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Link: https://lore.kernel.org/r/20240920103318.19271-1-tiwai@suse.de Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> --- drivers/parport/procfs.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c index c334ef6e3b3f..3b7d7e23602a 100644 --- a/drivers/parport/procfs.c +++ b/drivers/parport/procfs.c @@ -58,12 +58,12 @@ static int do_active_device(struct ctl_table *table, int write, for (dev = port->devices; dev ; dev = dev->next) { if(dev == port->cad) { - len += snprintf(buffer, sizeof(buffer), "%s\n", dev->name); + len += scnprintf(buffer, sizeof(buffer), "%s\n", dev->name); } } if(!len) { - len += snprintf(buffer, sizeof(buffer), "%s\n", "none"); + len += scnprintf(buffer, sizeof(buffer), "%s\n", "none"); } if (len > *lenp) 
@@ -94,19 +94,19 @@ static int do_autoprobe(struct ctl_table *table, int write, } if ((str = info->class_name) != NULL) - len += snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); + len += scnprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); if ((str = info->model) != NULL) - len += snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); + len += scnprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); if ((str = info->mfr) != NULL) - len += snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); + len += scnprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); if ((str = info->description) != NULL) - len += snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); + len += scnprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); if ((str = info->cmdset) != NULL) - len += snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); + len += scnprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); if (len > *lenp) len = *lenp; @@ -135,7 +135,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); + len += scnprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); if (len > *lenp) len = *lenp; @@ -162,7 +162,7 @@ static int do_hardware_irq(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += snprintf (buffer, sizeof(buffer), "%d\n", port->irq); + len += scnprintf (buffer, sizeof(buffer), "%d\n", port->irq); if (len > *lenp) len = *lenp; 
@@ -189,7 +189,7 @@ static int do_hardware_dma(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += snprintf (buffer, sizeof(buffer), "%d\n", port->dma); + len += scnprintf (buffer, sizeof(buffer), "%d\n", port->dma); if (len > *lenp) len = *lenp; @@ -220,7 +220,7 @@ static int do_hardware_modes(struct ctl_table *table, int write, #define printmode(x) \ do { \ if (port->modes & PARPORT_MODE_##x) \ - len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ + len += scnprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ } while (0) int f = 0; printmode(PCSPP); -- 2.34.1
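Review bot: In the do_active_device() hunk, the call inside the loop still writes to `buffer` with `sizeof(buffer)` on every match while `len` accumulates with `+=`, unlike do_autoprobe(), which passes `buffer + len, sizeof(buffer) - len`. If more than one entry ever compared equal to `port->cad`, `len` would count bytes that had been overwritten; either break after the match or use the offset form so that `len` always describes what is in the buffer. Separately, scnprintf() truncates silently, so a long `info->description` in do_autoprobe() can cut off later fields such as COMMAND SET without any indication; a comment noting that truncation is intended would help.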
[PATCH OLK-6.6] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v6.6.55 commit 1c723d785adb711496bc64c24240f952f4faaabf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index 8a732edac15a..8987eb143758 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c 
@@ -567,6 +567,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1
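Review bot: Nothing in this hunk ties the size of struct rtl8169_counters to what the chip writes, which is the property the commit message says must hold. A compile-time check on `sizeof(struct rtl8169_counters)` next to the definition would keep a later edit from shrinking the DMA target again. The Conflicts note names the missing patch 8df9439389a4 but not how the conflict was resolved; one sentence on that would make the backport easier to verify.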
[PATCH openEuler-22.03-LTS-SP1] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v5.10.227 commit 991e8b0bab669b7d06927c3e442b3352532e8581 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index c4e96293323c..5706e2d235f0 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c 
@@ -569,6 +569,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1
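Review bot: The first added member, `__le64 tx_octets`, follows two `__le16` fields, and the hunk does not show whether the struct is packed or whether the preceding members end on an 8-byte boundary. Since the layout has to match the device's tally dump byte for byte, please confirm that no padding is inserted before the 64-bit counters on this branch, for example with a static offset check on `tx_octets`.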
[PATCH openEuler-22.03-LTS-SP1] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v5.10.227 commit a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c -------------------------------- [ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ] During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..45ddce35f6d2 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) @@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, - lockdep_is_held(&vif->hash.cache.lock)) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1
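Review bot: The rewritten loop in xenvif_flush_hash() is only correct because `n` is loaded before `kfree_rcu(entry, rcu)` runs, but the code carries no comment saying so. A one-line comment above `list_for_each_entry_safe()` explaining that entries are freed during the walk would keep a later cleanup from switching back to the RCU iterator.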
[openeuler:OLK-6.6 7137/15906] arch/loongarch/kvm/exit.c:764:63: error: 'struct sched_info' has no member named 'run_delay'
by kernel test robot 31 Oct '24

Hi Bibo, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: ab348dfdf1ec26d67e53449056f417e399807edc commit: faa35b0fcdefb1e5f2d05b0eeac12be32e69e566 [7137/15906] LoongArch: KVM: Add steal time support in kvm side config: loongarch-randconfig-001-20241031 (https://download.01.org/0day-ci/archive/20241031/202410311034.Boz3bHHh-lkp@…) compiler: loongarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241031/202410311034.Boz3bHHh-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410311034.Boz3bHHh-lkp@intel.com/ All errors (new ones prefixed by >>): arch/loongarch/kvm/exit.c: In function 'kvm_save_notify': >> arch/loongarch/kvm/exit.c:764:63: error: 'struct sched_info' has no member named 'run_delay' 764 | vcpu->arch.st.last_steal = current->sched_info.run_delay; | ^ -- arch/loongarch/kvm/vcpu.c: In function 'kvm_update_stolen_time': >> arch/loongarch/kvm/vcpu.c:68:37: error: 'struct sched_info' has no member named 'run_delay' 68 | steal += current->sched_info.run_delay - | ^ arch/loongarch/kvm/vcpu.c:70:55: error: 'struct sched_info' has no member named 'run_delay' 70 | vcpu->arch.st.last_steal = current->sched_info.run_delay; | ^ vim +764 arch/loongarch/kvm/exit.c 754 755 static int kvm_save_notify(struct kvm_vcpu *vcpu) 756 { 757 unsigned long id, data; 758 759 id = vcpu->arch.gprs[LOONGARCH_GPR_A1]; 760 data = vcpu->arch.gprs[LOONGARCH_GPR_A2]; 761 switch (id) { 762 case KVM_FEATURE_STEAL_TIME: 763 vcpu->arch.st.guest_addr = data; > 764 vcpu->arch.st.last_steal = current->sched_info.run_delay; 765 kvm_make_request(KVM_REQ_RECORD_STEAL, vcpu); 766 break; 767 default: 768 break; 769 }; 770 771 return 0; 772 }; 773 -- 0-DAY CI Kernel Test Service 
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> mainline inclusion from mainline-v6.12-rc1 commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: drivers/net/xen-netback/hash.c [ A previous commit f3265971ded9 is not merged, but it is ok to merge this patch. Because this patch will remove the modification of the previous patch. ] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index 10d580c3dea3..bb7545ab9cd1 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -94,7 +94,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) 
@@ -102,7 +102,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1
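Review bot: The Conflicts text is hard to verify from the mail: it says commit f3265971ded9 is not merged and that this patch removes its modification, without saying what actually differs. In the second hunk the removed `list_for_each_entry_rcu(entry, &vif->hash.cache.list, link)` line takes no lockdep condition argument; if that is the whole difference from upstream, stating it explicitly would let a reviewer confirm the resolution at a glance.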
[PATCH OLK-6.6] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v6.6.55 commit 143edf098b80669d05245b2f2367dd156a83a2c5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5 -------------------------------- [ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ] During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..45ddce35f6d2 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) @@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, - lockdep_is_held(&vif->hash.cache.lock)) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1
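Review bot: Along with the RCU iterator, the second hunk drops `lockdep_is_held(&vif->hash.cache.lock)`, which was the only machine-checked statement of the locking rule for this list. The `spin_lock_irqsave()` just above makes it hold here, but if the loop is ever moved into a helper, a `lockdep_assert_held(&vif->hash.cache.lock)` should go with it.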