October 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v5.10.227 commit 991e8b0bab669b7d06927c3e442b3352532e8581 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index c4e96293323c..5706e2d235f0 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -569,6 +569,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v5.10.227 commit a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c -------------------------------- [ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ] During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..45ddce35f6d2 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) @@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, - lockdep_is_held(&vif->hash.cache.lock)) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1

2 1

[openeuler:OLK-6.6 7137/15906] arch/loongarch/kvm/exit.c:764:63: error: 'struct sched_info' has no member named 'run_delay'
by kernel test robot 31 Oct '24

31 Oct '24

Hi Bibo, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: ab348dfdf1ec26d67e53449056f417e399807edc commit: faa35b0fcdefb1e5f2d05b0eeac12be32e69e566 [7137/15906] LoongArch: KVM: Add steal time support in kvm side config: loongarch-randconfig-001-20241031 (https://download.01.org/0day-ci/archive/20241031/202410311034.Boz3bHHh-lkp@…) compiler: loongarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241031/202410311034.Boz3bHHh-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410311034.Boz3bHHh-lkp@intel.com/ All errors (new ones prefixed by >>): arch/loongarch/kvm/exit.c: In function 'kvm_save_notify': >> arch/loongarch/kvm/exit.c:764:63: error: 'struct sched_info' has no member named 'run_delay' 764 | vcpu->arch.st.last_steal = current->sched_info.run_delay; | ^ -- arch/loongarch/kvm/vcpu.c: In function 'kvm_update_stolen_time': >> arch/loongarch/kvm/vcpu.c:68:37: error: 'struct sched_info' has no member named 'run_delay' 68 | steal += current->sched_info.run_delay - | ^ arch/loongarch/kvm/vcpu.c:70:55: error: 'struct sched_info' has no member named 'run_delay' 70 | vcpu->arch.st.last_steal = current->sched_info.run_delay; | ^ vim +764 arch/loongarch/kvm/exit.c 754 755 static int kvm_save_notify(struct kvm_vcpu *vcpu) 756 { 757 unsigned long id, data; 758 759 id = vcpu->arch.gprs[LOONGARCH_GPR_A1]; 760 data = vcpu->arch.gprs[LOONGARCH_GPR_A2]; 761 switch (id) { 762 case KVM_FEATURE_STEAL_TIME: 763 vcpu->arch.st.guest_addr = data; > 764 vcpu->arch.st.last_steal = current->sched_info.run_delay; 765 kvm_make_request(KVM_REQ_RECORD_STEAL, vcpu); 766 break; 767 default: 768 break; 769 }; 770 771 return 0; 772 }; 773 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> mainline inclusion from mainline-v6.12-rc1 commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: drivers/net/xen-netback/hash.c [ A previous commit f3265971ded9 is not merged, but it is ok to merge this patch. Because this patch will remove the modification of the previous patch. ] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index 10d580c3dea3..bb7545ab9cd1 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -94,7 +94,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) @@ -102,7 +102,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1

2 1

[PATCH OLK-6.6] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v6.6.55 commit 143edf098b80669d05245b2f2367dd156a83a2c5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/stable/c/143edf098b80669d05245b2f2367dd156a83a2c5 -------------------------------- [ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ] During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..45ddce35f6d2 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) @@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, - lockdep_is_held(&vif->hash.cache.lock)) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1

2 1

[PATCH OLK-5.10] net/xen-netback: prevent UAF in xenvif_flush_hash()
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Jeongjun Park <aha310510(a)gmail.com> stable inclusion from stable-v5.10.227 commit a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB6 CVE: CVE-2024-49936 Reference: https://git.kernel.org/stable/c/a7f0073fcd12ed7de185ef2c0af9d0fa1ddef22c -------------------------------- [ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ] During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe. Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/xen-netback/hash.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c index ff96f22648ef..45ddce35f6d2 100644 --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data, static void xenvif_flush_hash(struct xenvif *vif) { - struct xenvif_hash_cache_entry *entry; + struct xenvif_hash_cache_entry *entry, *n; unsigned long flags; if (xenvif_hash_cache_size == 0) @@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, - lockdep_is_held(&vif->hash.cache.lock)) { + list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu); -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v5.10.227 commit 991e8b0bab669b7d06927c3e442b3352532e8581 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index c4e96293323c..5706e2d235f0 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -569,6 +569,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v5.10.227 commit 991e8b0bab669b7d06927c3e442b3352532e8581 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index c4e96293323c..5706e2d235f0 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -569,6 +569,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1

2 1

[PATCH OLK-6.6] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v6.6.55 commit 1c723d785adb711496bc64c24240f952f4faaabf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index 8a732edac15a..8987eb143758 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -567,6 +567,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1

2 1

[PATCH OLK-5.10] r8169: add tally counter fields added with RTL8125
by Luo Gengkun 31 Oct '24

31 Oct '24

From: Heiner Kallweit <hkallweit1(a)gmail.com> stable inclusion from stable-v5.10.227 commit 991e8b0bab669b7d06927c3e442b3352532e8581 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9Q CVE: CVE-2024-49973 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ] RTL8125 added fields to the tally counter, what may result in the chip dma'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Cc: stable(a)vger.kernel.org Signed-off-by: Heiner Kallweit <hkallweit1(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/net/ethernet/realtek/r8169_main.c [Missing previous patch 8df9439389a4, fix this conflict] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index f9994ff36579..9121235114de 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -570,6 +570,33 @@ struct rtl8169_counters { __le32 rx_multicast; __le16 tx_aborted; __le16 tx_underun; + /* new since RTL8125 */ + __le64 tx_octets; + __le64 rx_octets; + __le64 rx_multicast64; + __le64 tx_unicast64; + __le64 tx_broadcast64; + __le64 tx_multicast64; + __le32 tx_pause_on; + __le32 tx_pause_off; + __le32 tx_pause_all; + __le32 tx_deferred; + __le32 tx_late_collision; + __le32 tx_all_collision; + __le32 tx_aborted32; + __le32 align_errors32; + __le32 rx_frame_too_long; + __le32 rx_runt; + __le32 rx_pause_on; + __le32 rx_pause_off; + __le32 rx_pause_all; + __le32 rx_unknown_opcode; + __le32 rx_mac_error; + __le32 tx_underrun32; + __le32 rx_mac_missed; + __le32 rx_tcam_dropped; + __le32 tdu; + __le32 rdu; }; struct rtl8169_tc_offsets { -- 2.34.1

2 1

2024

2023

2022

2021

2020

2019

Kernel October 2024