From: Xiongfeng Wang <wangxiongfeng2(a)huawei.com>
stable inclusion
from stable-v4.19.268
commit 876d7bfb89273997056220029ff12b1c2cc4691d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRE3
CVE: CVE-2022-49002
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 4bedbbd782ebbe7287231fea862c158d4f08a9e3 ]
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the error path to avoid reference count leak.
Fixes: 2e4552893038 ("iommu/vt-d: Unify the way to process DMAR device scope array")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com>
Link: https://lore.kernel.org/r/20221121113649.190393-3-wangxiongfeng2@huawei.com
Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel(a)suse.de>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com>
---
drivers/iommu/dmar.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c
index 187812e35c99..6d608f71867c 100644
--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -806,6 +806,7 @@ int __init dmar_dev_scope_init(void)
info = dmar_alloc_pci_notify_info(dev,
BUS_NOTIFY_ADD_DEVICE);
if (!info) {
+ pci_dev_put(dev);
return dmar_dev_scope_status;
} else {
dmar_pci_bus_add_dev(info);
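Review bot: The pci_dev_put(dev) in the `if (!info)` branch carries no comment, and the reason for it is not obvious at the call site: the reference being dropped was taken by the for_each_pci_dev() iterator, not by this function. A short comment such as "drop the reference held by for_each_pci_dev()" would keep a later cleanup from removing the call. The put is needed only because the loop is left early with dev non-NULL, so any other return or break inside the same loop body, outside the lines shown here, needs the same treatment. Minor style point: the `else` after the `return` is redundant and could be flattened.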
--
2.17.1
From: Kuan-Wei Chiu <visitorckw(a)gmail.com>
stable inclusion
from stable-v6.6.55
commit c2d9f9a7837ab29ccae0c42252f17d436bf0a501
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IB0R30
CVE: CVE-2024-49987
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit f04e2ad394e2755d0bb2d858ecb5598718bf00d5 ]
When netfilter has no entry to display, qsort is called with
qsort(NULL, 0, ...). This results in undefined behavior, as UBSan
reports:
net.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null
Although the C standard does not explicitly state whether calling qsort
with a NULL pointer when the size is 0 constitutes undefined behavior,
Section 7.1.4 of the C standard (Use of library functions) mentions:
"Each of the following statements applies unless explicitly stated
otherwise in the detailed descriptions that follow: If an argument to a
function has an invalid value (such as a value outside the domain of
the function, or a pointer outside the address space of the program, or
a null pointer, or a pointer to non-modifiable storage when the
corresponding parameter is not const-qualified) or a type (after
promotion) not expected by a function with variable number of
arguments, the behavior is undefined."
To avoid this, add an early return when nf_link_info is NULL to prevent
calling qsort with a NULL pointer.
Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com>
Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org>
Reviewed-by: Quentin Monnet <qmo(a)kernel.org>
Link: https://lore.kernel.org/bpf/20240910150207.3179306-1-visitorckw@gmail.com
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13(a)huawei.com>
---
tools/bpf/bpftool/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
index 66a8ce8ae012..bd4e66d514f1 100644
--- a/tools/bpf/bpftool/net.c
+++ b/tools/bpf/bpftool/net.c
@@ -819,6 +819,9 @@ static void show_link_netfilter(void)
nf_link_count++;
}
+ if (!nf_link_info)
+ return;
+
qsort(nf_link_info, nf_link_count, sizeof(*nf_link_info), netfilter_link_compar);
for (id = 0; id < nf_link_count; id++) {
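Review bot: The guard in front of qsort() tests nf_link_info, but the case the commit message describes is the empty one, qsort(NULL, 0, ...), so the check relies on the unstated invariant that a NULL nf_link_info implies nf_link_count == 0. Testing the count (`if (!nf_link_count) return;`) or adding a one-line comment stating the invariant would make the intent explicit. Also confirm that nothing after the for loop that follows, outside the visible context, still has to run on the empty path, since the early return skips it.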
--
2.34.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: d9cf86e2fe8e5c014fd3e46c31f3415549ab813f
commit: 7243df9bf3ab4130b2c8f5dfa9a620afc964cc72 [1231/1231] arm64/mpam: resctrl: Write and read schemata by schema_list
config: arm64-randconfig-001-20241029 (https://download.01.org/0day-ci/archive/20241104/202411041549.sgcRhuo9-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241104/202411041549.sgcRhuo9-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411041549.sgcRhuo9-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 's' not described in 'show_doms'
>> arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 'r' not described in 'show_doms'
>> arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 'schema_name' not described in 'show_doms'
arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 'partid' not described in 'show_doms'
vim +300 arch/arm64/kernel/mpam/mpam_ctrlmon.c
1abcabe9dab59ec arch/arm64/kernel/mpam_ctrlmon.c Yang Yingliang 2019-01-30 287
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 288 /**
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 289 * MPAM resources such as L2 may have too many domains for arm64,
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 290 * at this time we should rearrange this display for brevity and
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 291 * harmonious interaction.
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 292 *
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 293 * Before rearrangement: L2:0=ff;1=ff;2=fc;3=ff;4=f;....;255=ff
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 294 * After rearrangement: L2:S;2=fc;S;4=f;S
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 295 * Those continuous fully sharable domains will be combined into
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 296 * a single "S" simply.
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 297 */
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 298 static void show_doms(struct seq_file *s, struct resctrl_resource *r,
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 299 char *schema_name, int partid)
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 @300 {
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 301 struct raw_resctrl_resource *rr = r->res;
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 302 struct rdt_domain *dom;
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 303 bool sep = false;
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 304 bool rg = false;
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 305 bool prev_auto_fill = false;
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 306 u32 reg_val;
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 307
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 308 if (r->dom_num > RESCTRL_SHOW_DOM_MAX_NUM)
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 309 rg = true;
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 310
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 311 seq_printf(s, "%*s:", max_name_width, schema_name);
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 312 list_for_each_entry(dom, &r->domains, list) {
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 313 reg_val = rr->msr_read(dom, partid);
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 314
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 315 if (rg && reg_val == r->default_ctrl &&
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 316 prev_auto_fill == true)
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 317 continue;
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 318
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 319 if (sep)
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 320 seq_puts(s, ";");
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 321 if (rg && reg_val == r->default_ctrl) {
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 322 prev_auto_fill = true;
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 323 seq_puts(s, "S");
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 324 } else {
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 325 seq_printf(s, rr->format_str, dom->id,
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 326 max_data_width, reg_val);
7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 327 }
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 328 sep = true;
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 329 }
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 330 seq_puts(s, "\n");
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 331 }
be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 332
:::::: The code at line 300 was first introduced by commit
:::::: be2167d2a188dc20648fa10c2c5ccd56ba579533 arm64/mpam: support resctrl_group_schemata_show
:::::: TO: Xie XiuQi <xiexiuqi(a)huawei.com>
:::::: CC: Xie XiuQi <xiexiuqi(a)huawei.com>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
mainline inclusion
from mainline-v6.12-rc6
commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAY2B4
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
Configuring a small gso_max_size/gso_ipv4_max_size will lead to an underflow
in sk_dst_gso_max_size(), which may trigger a BUG_ON crash,
because sk->sk_gso_max_size would be much bigger than device limits.
Call Trace:
tcp_write_xmit
tso_segs = tcp_init_tso_segs(skb, mss_now);
tcp_set_skb_tso_segs
tcp_skb_pcount_set
// skb->len = 524288, mss_now = 8
// u16 tso_segs = 524288/8 = 65535 -> 0
tso_segs = DIV_ROUND_UP(skb->len, mss_now)
BUG_ON(!tso_segs)
Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
Conflicts:
net/core/rtnetlink.c
[conflicts due to not merged 3e48be05f3c7 ("netlink: add attribute range validation to policy"),
conflicts due to not merged 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")]
Signed-off-by: Wang Liang <wangliang74(a)huawei.com>
Reviewed-by: Eric Dumazet <edumazet(a)google.com>
Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
---
net/core/rtnetlink.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 9209623ab644..c66f60941e5b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2072,6 +2072,11 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
if (tb[IFLA_BROADCAST] &&
nla_len(tb[IFLA_BROADCAST]) < dev->addr_len)
return -EINVAL;
+
+ if (tb[IFLA_GSO_MAX_SIZE] &&
+ (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) {
+ return -EINVAL;
+ }
}
if (tb[IFLA_AF_SPEC]) {
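Review bot: The IFLA_GSO_MAX_SIZE check is placed inside the block that closes on the `}` right after it, next to the IFLA_BROADCAST check that dereferences dev, although the new check does not use dev at all. If that block is conditional on dev being set (its opening line is outside the visible context), the minimum is not enforced on calls where dev is NULL; given that the Fixes: tag points at setting GSO maximums on device creation, moving the check outside the block would be safer. The commit message also says the check covers gso_ipv4_max_size, while this hunk validates only IFLA_GSO_MAX_SIZE; the Conflicts note explains that the attribute is absent in this tree, and saying so in the description would avoid confusion. Style: the braces around the single `return -EINVAL;` are unnecessary.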
--
2.34.1