November 2024 - Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 1219/1219] kernel/bpf/local_storage.o: warning: objtool: missing symbol for section .text
by kernel test robot 05 Nov '24

05 Nov '24

Hi Roman, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 0d426553bb97ebfcb4ea34e8fd63477a44316644 commit: de9cbbaadba5adf88a19e46df61f7054000838f6 [1219/1219] bpf: introduce cgroup storage maps config: x86_64-buildonly-randconfig-001-20241025 (https://download.01.org/0day-ci/archive/20241105/202411050225.MXLzE2ZJ-lkp@…) compiler: clang version 19.1.2 (https://github.com/llvm/llvm-project 7ba7d8e2f7b6445b60679da826210cdde29eaf8b) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241105/202411050225.MXLzE2ZJ-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411050225.MXLzE2ZJ-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/bpf/local_storage.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 1360/1360] Documentation/devicetree/bindings/arm/arm,mpam-msc.yaml:76:15: [error] string value is redundantly quoted with any quotes (quoted-strings)
by kernel test robot 04 Nov '24

04 Nov '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 4d3056ab32e02139d7656adf048416e877e283b0 commit: c21dc717760f8594e1fccae49eb86eb05e9a5f12 [1360/1360] dt-bindings: arm: Add MPAM MSC binding :::::: branch date: 2 hours ago :::::: commit date: 10 months ago config: loongarch-randconfig-052-20241104 (https://download.01.org/0day-ci/archive/20241104/202411041305.karqcxbp-lkp@…) compiler: loongarch64-linux-gcc (GCC) 14.1.0 dtschema version: 2024.10.dev6+g12c3cd5 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241104/202411041305.karqcxbp-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/r/202411041305.karqcxbp-lkp@intel.com/ dtcheck warnings: (new ones prefixed by >>) >> Documentation/devicetree/bindings/arm/arm,mpam-msc.yaml:76:15: [error] string value is redundantly quoted with any quotes (quoted-strings) Documentation/devicetree/bindings/arm/arm,mpam-msc.yaml:82:15: [error] string value is redundantly quoted with any quotes (quoted-strings) vim +76 Documentation/devicetree/bindings/arm/arm,mpam-msc.yaml c21dc717760f85 Rob Herring 2024-01-22 8 c21dc717760f85 Rob Herring 2024-01-22 9 description: | c21dc717760f85 Rob Herring 2024-01-22 10 The Arm MPAM specification can be found here: c21dc717760f85 Rob Herring 2024-01-22 11 c21dc717760f85 Rob Herring 2024-01-22 12 https://developer.arm.com/documentation/ddi0598/latest c21dc717760f85 Rob Herring 2024-01-22 13 c21dc717760f85 Rob Herring 2024-01-22 14 maintainers: c21dc717760f85 Rob Herring 2024-01-22 15 - Rob Herring <robh(a)kernel.org> c21dc717760f85 Rob Herring 2024-01-22 16 c21dc717760f85 Rob Herring 2024-01-22 17 properties: c21dc717760f85 Rob Herring 2024-01-22 18 compatible: c21dc717760f85 Rob Herring 2024-01-22 19 items: c21dc717760f85 Rob Herring 2024-01-22 20 - const: arm,mpam-msc # Further details are discoverable c21dc717760f85 Rob Herring 2024-01-22 21 - const: arm,mpam-memory-controller-msc c21dc717760f85 Rob Herring 2024-01-22 22 c21dc717760f85 Rob Herring 2024-01-22 23 reg: c21dc717760f85 Rob Herring 2024-01-22 24 maxItems: 1 c21dc717760f85 Rob Herring 2024-01-22 25 description: A memory region containing registers as defined in the MPAM c21dc717760f85 Rob Herring 2024-01-22 26 specification. c21dc717760f85 Rob Herring 2024-01-22 27 c21dc717760f85 Rob Herring 2024-01-22 28 interrupts: c21dc717760f85 Rob Herring 2024-01-22 29 minItems: 1 c21dc717760f85 Rob Herring 2024-01-22 30 items: c21dc717760f85 Rob Herring 2024-01-22 31 - description: error (optional) c21dc717760f85 Rob Herring 2024-01-22 32 - description: overflow (optional, only for monitoring) c21dc717760f85 Rob Herring 2024-01-22 33 c21dc717760f85 Rob Herring 2024-01-22 34 interrupt-names: c21dc717760f85 Rob Herring 2024-01-22 35 oneOf: c21dc717760f85 Rob Herring 2024-01-22 36 - items: c21dc717760f85 Rob Herring 2024-01-22 37 - enum: [ error, overflow ] c21dc717760f85 Rob Herring 2024-01-22 38 - items: c21dc717760f85 Rob Herring 2024-01-22 39 - const: error c21dc717760f85 Rob Herring 2024-01-22 40 - const: overflow c21dc717760f85 Rob Herring 2024-01-22 41 c21dc717760f85 Rob Herring 2024-01-22 42 arm,not-ready-us: c21dc717760f85 Rob Herring 2024-01-22 43 description: The maximum time in microseconds for monitoring data to be c21dc717760f85 Rob Herring 2024-01-22 44 accurate after a settings change. For more information, see the c21dc717760f85 Rob Herring 2024-01-22 45 Not-Ready (NRDY) bit description in the MPAM specification. c21dc717760f85 Rob Herring 2024-01-22 46 c21dc717760f85 Rob Herring 2024-01-22 47 numa-node-id: true # see NUMA binding c21dc717760f85 Rob Herring 2024-01-22 48 c21dc717760f85 Rob Herring 2024-01-22 49 '#address-cells': c21dc717760f85 Rob Herring 2024-01-22 50 const: 1 c21dc717760f85 Rob Herring 2024-01-22 51 c21dc717760f85 Rob Herring 2024-01-22 52 '#size-cells': c21dc717760f85 Rob Herring 2024-01-22 53 const: 0 c21dc717760f85 Rob Herring 2024-01-22 54 c21dc717760f85 Rob Herring 2024-01-22 55 patternProperties: c21dc717760f85 Rob Herring 2024-01-22 56 '^ris@[0-9a-f]$': c21dc717760f85 Rob Herring 2024-01-22 57 type: object c21dc717760f85 Rob Herring 2024-01-22 58 additionalProperties: false c21dc717760f85 Rob Herring 2024-01-22 59 description: | c21dc717760f85 Rob Herring 2024-01-22 60 RIS nodes for each RIS in an MSC. These nodes are required for each RIS c21dc717760f85 Rob Herring 2024-01-22 61 implementing known MPAM controls c21dc717760f85 Rob Herring 2024-01-22 62 c21dc717760f85 Rob Herring 2024-01-22 63 properties: c21dc717760f85 Rob Herring 2024-01-22 64 compatible: c21dc717760f85 Rob Herring 2024-01-22 65 enum: c21dc717760f85 Rob Herring 2024-01-22 66 # Bulk storage for cache c21dc717760f85 Rob Herring 2024-01-22 67 - arm,mpam-cache c21dc717760f85 Rob Herring 2024-01-22 68 # Memory bandwidth c21dc717760f85 Rob Herring 2024-01-22 69 - arm,mpam-memory c21dc717760f85 Rob Herring 2024-01-22 70 c21dc717760f85 Rob Herring 2024-01-22 71 reg: c21dc717760f85 Rob Herring 2024-01-22 72 minimum: 0 c21dc717760f85 Rob Herring 2024-01-22 73 maximum: 0xf c21dc717760f85 Rob Herring 2024-01-22 74 c21dc717760f85 Rob Herring 2024-01-22 75 cpus: c21dc717760f85 Rob Herring 2024-01-22 @76 $ref: '/schemas/types.yaml#/definitions/phandle-array' c21dc717760f85 Rob Herring 2024-01-22 77 description: c21dc717760f85 Rob Herring 2024-01-22 78 Phandle(s) to the CPU node(s) this RIS belongs to. By default, the parent c21dc717760f85 Rob Herring 2024-01-22 79 device's affinity is used. c21dc717760f85 Rob Herring 2024-01-22 80 c21dc717760f85 Rob Herring 2024-01-22 81 arm,mpam-device: c21dc717760f85 Rob Herring 2024-01-22 82 $ref: '/schemas/types.yaml#/definitions/phandle' c21dc717760f85 Rob Herring 2024-01-22 83 description: c21dc717760f85 Rob Herring 2024-01-22 84 By default, the MPAM enabled device associated with a RIS is the MSC's c21dc717760f85 Rob Herring 2024-01-22 85 parent node. It is possible for each RIS to be associated with different c21dc717760f85 Rob Herring 2024-01-22 86 devices in which case 'arm,mpam-device' should be used. c21dc717760f85 Rob Herring 2024-01-22 87 c21dc717760f85 Rob Herring 2024-01-22 88 required: c21dc717760f85 Rob Herring 2024-01-22 89 - compatible c21dc717760f85 Rob Herring 2024-01-22 90 - reg c21dc717760f85 Rob Herring 2024-01-22 91 c21dc717760f85 Rob Herring 2024-01-22 92 required: c21dc717760f85 Rob Herring 2024-01-22 93 - compatible c21dc717760f85 Rob Herring 2024-01-22 94 - reg c21dc717760f85 Rob Herring 2024-01-22 95 c21dc717760f85 Rob Herring 2024-01-22 96 dependencies: c21dc717760f85 Rob Herring 2024-01-22 97 interrupts: [ interrupt-names ] c21dc717760f85 Rob Herring 2024-01-22 98 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[openeuler:OLK-6.6 1360/1360] Documentation/devicetree/bindings/gpu/phytium,dc.yaml:40:8: [warning] wrong indentation: expected 2 but found 7 (indentation)
by kernel test robot 04 Nov '24

04 Nov '24

tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 4d3056ab32e02139d7656adf048416e877e283b0 commit: ab9ff1e38569313e41ba5a036591f93cb55e5d87 [1360/1360] DRM: Phytium display DRM doc :::::: branch date: 3 hours ago :::::: commit date: 10 months ago config: loongarch-randconfig-052-20241104 (https://download.01.org/0day-ci/archive/20241104/202411041414.IJjJzikx-lkp@…) compiler: loongarch64-linux-gcc (GCC) 14.1.0 dtschema version: 2024.10.dev6+g12c3cd5 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241104/202411041414.IJjJzikx-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/r/202411041414.IJjJzikx-lkp@intel.com/ dtcheck warnings: (new ones prefixed by >>) >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml:40:8: [warning] wrong indentation: expected 2 but found 7 (indentation) Documentation/devicetree/bindings/arm/arm,mpam-msc.yaml:76:15: [error] string value is redundantly quoted with any quotes (quoted-strings) Documentation/devicetree/bindings/arm/arm,mpam-msc.yaml:82:15: [error] string value is redundantly quoted with any quotes (quoted-strings) -- >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: properties:clocks:items: 'anyOf' conditional failed, one must be fixed: ['description:Display controller reference clock source'] is not of type 'object', 'boolean' 'description:Display controller reference clock source' is not of type 'object', 'boolean' from schema $id: http://json-schema.org/draft-07/schema# >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: properties:reg: 'oneOf' conditional failed, one must be fixed: [{'description': 'Offset and length of the memory mapped registers'}] is too short False schema does not allow 1 hint: "minItems" is only needed if less than the "items" list length from schema $id: http://devicetree.org/meta-schemas/items.yaml# >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: properties:clocks: 'oneOf' conditional failed, one must be fixed: ['description:Display controller reference clock source'] is too short False schema does not allow 1 hint: "minItems" is only needed if less than the "items" list length from schema $id: http://devicetree.org/meta-schemas/items.yaml# >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: 'Example' is not one of ['$id', '$schema', 'title', 'description', 'examples', 'required', 'allOf', 'anyOf', 'oneOf', 'definitions', '$defs', 'additionalProperties', 'dependencies', 'dependentRequired', 'dependentSchemas', 'patternProperties', 'properties', 'not', 'if', 'then', 'else', 'unevaluatedProperties', 'deprecated', 'maintainers', 'select', '$ref'] from schema $id: http://devicetree.org/meta-schemas/base.yaml# >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: properties:clocks: 'oneOf' conditional failed, one must be fixed: >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: properties:clocks: 'anyOf' conditional failed, one must be fixed: 'maxItems' is a required property hint: Only "maxItems" is required for a single entry if there are no constraints defined for the values. 'minItems' is not one of ['maxItems', 'description', 'deprecated'] hint: Only "maxItems" is required for a single entry if there are no constraints defined for the values. 'items' is not one of ['maxItems', 'description', 'deprecated'] hint: Only "maxItems" is required for a single entry if there are no constraints defined for the values. 'minItems' is not one of ['description', 'deprecated', 'const', 'enum', 'minimum', 'maximum', 'multipleOf', 'default', '$ref', 'oneOf'] 'items' is not one of ['description', 'deprecated', 'const', 'enum', 'minimum', 'maximum', 'multipleOf', 'default', '$ref', 'oneOf'] ['description:Display controller reference clock source'] is valid under each of {'type': 'array', 'maxItems': 1, 'items': {'allOf': [{'$ref': '#/array'}], 'required': ['items']}}, {'type': 'array', 'items': {'$ref': '#/single'}} hint: "items" can be a list defining each entry or a schema applying to all items. A list has an implicit size. A schema requires minItems/maxItems to define the size. hint: cell array properties must define how many entries and what the entries are when there is more than one entry. from schema $id: http://devicetree.org/meta-schemas/clocks.yaml# 'minItems' is not one of ['type', 'description', 'dependencies', 'dependentRequired', 'dependentSchemas', 'properties', 'patternProperties', 'additionalProperties', 'unevaluatedProperties', 'deprecated', 'required', 'not', 'allOf', 'anyOf', 'oneOf', '$ref'] 'items' is not one of ['type', 'description', 'dependencies', 'dependentRequired', 'dependentSchemas', 'properties', 'patternProperties', 'additionalProperties', 'unevaluatedProperties', 'deprecated', 'required', 'not', 'allOf', 'anyOf', 'oneOf', '$ref'] 'type' is a required property hint: DT nodes ("object" type in schemas) can only use a subset of json-schema keywords from schema $id: http://devicetree.org/meta-schemas/clocks.yaml# >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: $id: Cannot determine base path from $id, relative path/filename doesn't match actual path or filename $id: http://devicetree.org/schemas/dc/snps,dc.yaml file: Documentation/devicetree/bindings/gpu/phytium,dc.yaml Documentation/devicetree/bindings/mfd/rockchip,rk808.yaml: ^(DCDC_REG[1-4]|LDO_REG[1-8]|SWITCH_REG[1-2])$: Missing additionalProperties/unevaluatedProperties constraint -- >> Documentation/devicetree/bindings/gpu/phytium,dc.yaml: ignoring, error in schema: properties: clocks: items /usr/local/lib/python3.11/dist-packages/dtschema/schemas/reserved-memory/framebuffer.yaml: warning: ignoring duplicate '$id' value 'http://devicetree.org/schemas/reserved-memory/framebuffer.yaml#' /usr/local/lib/python3.11/dist-packages/dtschema/schemas/reserved-memory/shared-dma-pool.yaml: warning: ignoring duplicate '$id' value 'http://devicetree.org/schemas/reserved-memory/shared-dma-pool.yaml#' /usr/local/lib/python3.11/dist-packages/dtschema/schemas/reserved-memory/reserved-memory.yaml: warning: ignoring duplicate '$id' value 'http://devicetree.org/schemas/reserved-memory/reserved-memory.yaml#' /usr/local/lib/python3.11/dist-packages/dtschema/schemas/reserved-memory/memory-region.yaml: warning: ignoring duplicate '$id' value 'http://devicetree.org/schemas/reserved-memory/memory-region.yaml#' Documentation/devicetree/bindings/display/panel/advantech,idk-2121wr.yaml: dual-lvds-odd-pixels: missing type definition Documentation/devicetree/bindings/display/panel/advantech,idk-2121wr.yaml: dual-lvds-even-pixels: missing type definition Documentation/devicetree/bindings/input/touchscreen/ti,tsc2005.yaml: ti,x-plate-ohms: missing type definition Documentation/devicetree/bindings/sound/audio-graph-port.yaml: convert-sample-format: missing type definition Documentation/devicetree/bindings/media/i2c/ti,ds90ub960.yaml: i2c-alias: missing type definition Warning: Duplicate compatible "maxim,max6625" found in schemas matching "$id": vim +40 Documentation/devicetree/bindings/gpu/phytium,dc.yaml ab9ff1e3856931 lishuo 2024-01-19 33 ab9ff1e3856931 lishuo 2024-01-19 34 required: ab9ff1e3856931 lishuo 2024-01-19 35 - compatible ab9ff1e3856931 lishuo 2024-01-19 36 - reg ab9ff1e3856931 lishuo 2024-01-19 37 - interrupts ab9ff1e3856931 lishuo 2024-01-19 38 ab9ff1e3856931 lishuo 2024-01-19 39 Example: ab9ff1e3856931 lishuo 2024-01-19 @40 /memreserve/ 0xf4000000 0x4000000; // (optional) -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS 0/2] CVE-2024-49878
by Yongqiang Liu 04 Nov '24

04 Nov '24

Huang Ying (1): resource: fix region_intersects() vs add_memory_driver_managed() Wei Yang (1): mm/resource: Use resource_overlaps() to simplify region_intersects() kernel/iomem.c | 4 +-- kernel/resource.c | 65 ++++++++++++++++++++++++++++++++++++++--------- 2 files changed, 55 insertions(+), 14 deletions(-) -- 2.25.1

2 3

[PATCH OLK-6.6] bpf: Fail verification for sign-extension of packet data/data_end/data_meta
by Chen Zhongjin 04 Nov '24

04 Nov '24

From: Yonghong Song <yonghong.song(a)linux.dev> mainline inclusion from mainline-v6.12-rc1 commit 92de36080c93296ef9005690705cba260b9bd68a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJQ CVE: CVE-2024-47702 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field. The original code looks like: r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */ r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension. After verification and convert_ctx_accesses(), the final asm code looks like: r2 = *(u64 *)(r1 +208) r2 = (s32)r2 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure. Currently, in C code, typically we have void *data = (void *)(long)skb->data; void *data_end = (void *)(long)skb->data_end; ... and it will generate r2 = *(u64 *)(r1 +208) r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 If we allow sign-extension, void *data = (void *)(long)(int)skb->data; void *data_end = (void *)(long)skb->data_end; ... the generated code looks like r2 = *(u64 *)(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer. To fix this issue for case r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail. [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/ Reported-by: syzbot+ad9ec60c8eaf69e6f99c(a)syzkaller.appspotmail.com Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses") Acked-by: Eduard Zingerman <eddyz87(a)gmail.com> Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev> Link: https://lore.kernel.org/r/20240723153439.2429035-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Conflicts: include/linux/bpf.h [fix struct bpf_insn_access_aux KABI breakage] Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- include/linux/bpf.h | 1 + kernel/bpf/verifier.c | 5 +++-- net/core/filter.c | 21 ++++++++++++++++----- 3 files changed, 20 insertions(+), 7 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index beec79b4d74b..d8a53afe7127 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -914,6 +914,7 @@ static_assert(__BPF_REG_TYPE_MAX <= BPF_BASE_TYPE_LIMIT); struct bpf_insn_access_aux { enum bpf_reg_type reg_type; KABI_FILL_HOLE(bool is_retval) /* is accessing function return value ? */ + KABI_FILL_HOLE(bool is_ldsx) union { int ctx_field_size; struct { diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index e11daa9fccee..915ff766ec3d 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5576,12 +5576,13 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, enum bpf_access_type t, enum bpf_reg_type *reg_type, - struct btf **btf, u32 *btf_id, bool *is_retval) + struct btf **btf, u32 *btf_id, bool *is_retval, bool is_ldsx) { struct bpf_insn_access_aux info = { .reg_type = *reg_type, .log = &env->log, .is_retval = false, + .is_ldsx = is_ldsx, }; if (env->ops->is_valid_access && @@ -6844,7 +6845,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn return err; err = check_ctx_access(env, insn_idx, off, size, t, &reg_type, &btf, - &btf_id, &is_retval); + &btf_id, &is_retval, is_ldsx); if (err) verbose_linfo(env, insn_idx, "; "); if (!err && t == BPF_READ && value_regno >= 0) { diff --git a/net/core/filter.c b/net/core/filter.c index e16d746c23da..e4f1dc9f222b 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -8601,13 +8601,16 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type if (off + size > offsetofend(struct __sk_buff, cb[4])) return false; break; + case bpf_ctx_range(struct __sk_buff, data): + case bpf_ctx_range(struct __sk_buff, data_meta): + case bpf_ctx_range(struct __sk_buff, data_end): + if (info->is_ldsx || size != size_default) + return false; + break; case bpf_ctx_range_till(struct __sk_buff, remote_ip6[0], remote_ip6[3]): case bpf_ctx_range_till(struct __sk_buff, local_ip6[0], local_ip6[3]): case bpf_ctx_range_till(struct __sk_buff, remote_ip4, remote_ip4): case bpf_ctx_range_till(struct __sk_buff, local_ip4, local_ip4): - case bpf_ctx_range(struct __sk_buff, data): - case bpf_ctx_range(struct __sk_buff, data_meta): - case bpf_ctx_range(struct __sk_buff, data_end): if (size != size_default) return false; break; @@ -9051,6 +9054,14 @@ static bool xdp_is_valid_access(int off, int size, } } return false; + } else { + switch (off) { + case offsetof(struct xdp_md, data_meta): + case offsetof(struct xdp_md, data): + case offsetof(struct xdp_md, data_end): + if (info->is_ldsx) + return false; + } } switch (off) { @@ -9381,12 +9392,12 @@ static bool flow_dissector_is_valid_access(int off, int size, switch (off) { case bpf_ctx_range(struct __sk_buff, data): - if (size != size_default) + if (info->is_ldsx || size != size_default) return false; info->reg_type = PTR_TO_PACKET; return true; case bpf_ctx_range(struct __sk_buff, data_end): - if (size != size_default) + if (info->is_ldsx || size != size_default) return false; info->reg_type = PTR_TO_PACKET_END; return true; -- 2.25.1

2 1

[PATCH OLK-5.10 0/2] CVE-2024-49950
by Zhang Changzhong 04 Nov '24

04 Nov '24

Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix uaf in l2cap_connect Yu Liu (1): Bluetooth: Return whether a connection is outbound include/net/bluetooth/hci_core.h | 2 +- include/net/bluetooth/mgmt.h | 1 + net/bluetooth/hci_core.c | 3 +++ net/bluetooth/hci_event.c | 10 +++++----- net/bluetooth/l2cap_core.c | 9 --------- net/bluetooth/mgmt.c | 6 +++++- 6 files changed, 15 insertions(+), 16 deletions(-) -- 2.9.5

2 3

[PATCH openEuler-22.03-LTS-SP1 0/2] CVE-2024-49950
by Zhang Changzhong 04 Nov '24

04 Nov '24

Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix uaf in l2cap_connect Yu Liu (1): Bluetooth: Return whether a connection is outbound include/net/bluetooth/hci_core.h | 2 +- include/net/bluetooth/mgmt.h | 1 + net/bluetooth/hci_core.c | 3 +++ net/bluetooth/hci_event.c | 10 +++++----- net/bluetooth/l2cap_core.c | 9 --------- net/bluetooth/mgmt.c | 6 +++++- 6 files changed, 15 insertions(+), 16 deletions(-) -- 2.9.5

2 3

[PATCH openEuler-1.0-LTS 0/2] CVE-2024-49950
by Zhang Changzhong 04 Nov '24

04 Nov '24

Luiz Augusto von Dentz (1): Bluetooth: L2CAP: Fix uaf in l2cap_connect Yu Liu (1): Bluetooth: Return whether a connection is outbound include/net/bluetooth/hci_core.h | 2 +- include/net/bluetooth/mgmt.h | 1 + net/bluetooth/hci_core.c | 3 +++ net/bluetooth/hci_event.c | 10 +++++----- net/bluetooth/l2cap_core.c | 9 --------- net/bluetooth/mgmt.c | 6 +++++- 6 files changed, 15 insertions(+), 16 deletions(-) -- 2.9.5

2 3

[PATCH OLK-5.10 0/2] Fix CVE-2024-50086
by Long Li 04 Nov '24

04 Nov '24

This patch set fix CVE-2024-50086. Namjae Jeon (2): ksmbd: fix race condition between session lookup and expire ksmbd: fix user-after-free from session log off fs/ksmbd/connection.c | 2 ++ fs/ksmbd/connection.h | 1 + fs/ksmbd/mgmt/user_session.c | 34 +++++++++++++++++++++++++++------- fs/ksmbd/mgmt/user_session.h | 3 +++ fs/ksmbd/server.c | 2 ++ fs/ksmbd/smb2pdu.c | 8 +++++++- 6 files changed, 42 insertions(+), 8 deletions(-) -- 2.39.2

2 3

[PATCH openEuler-22.03-LTS-SP1 0/2] Fix CVE-2024-50086
by Long Li 04 Nov '24

04 Nov '24

This patch set fix CVE-2024-50086. Namjae Jeon (2): ksmbd: fix race condition between session lookup and expire ksmbd: fix user-after-free from session log off fs/ksmbd/connection.c | 2 ++ fs/ksmbd/connection.h | 1 + fs/ksmbd/mgmt/user_session.c | 34 +++++++++++++++++++++++++++------- fs/ksmbd/mgmt/user_session.h | 3 +++ fs/ksmbd/server.c | 2 ++ fs/ksmbd/smb2pdu.c | 8 +++++++- 6 files changed, 42 insertions(+), 8 deletions(-) -- 2.39.2

2 3

2024

2023

2022

2021

2020

2019

Kernel November 2024