June 2024 - Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
by Wang Zhaolong 03 Jun '24

03 Jun '24

From: Paulo Alcantara <pc(a)manguebit.com> mainline inclusion from mainline-v6.7-rc1 commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4LM CVE: CVE-2023-52752 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/client/cifs_debug.c fs/cifs/cifs_debug.c [Path is changed and related functions has been refactored for a long time] Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index a85aeff90df8..2595a528be97 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -287,6 +287,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; if ((ses->serverDomain == NULL) || (ses->serverOS == NULL) || (ses->serverNOS == NULL)) { -- 2.34.3

2 1

[PATCH openEuler-1.0-LTS] isofs: Fix out of bound access for corrupted isofs image
by Guo Mengqi 03 Jun '24

03 Jun '24

From: Jan Kara <jack(a)suse.cz> stable inclusion from stable-v4.19.217 commit b0ddff8d68f2e43857a84dce54c3deab181c8ae1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RD2M CVE: CVE-2021-47478 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit e96a1866b40570b5950cda8602c2819189c62a48 upstream. When isofs image is suitably corrupted isofs_read_inode() can read data beyond the end of buffer. Sanity-check the directory entry length before using it. Reported-and-tested-by: syzbot+6fc7fb214625d82af7d1(a)syzkaller.appspotmail.com CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- fs/isofs/inode.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/isofs/inode.c b/fs/isofs/inode.c index 488a9e7f8f66..f77a7f19b0db 100644 --- a/fs/isofs/inode.c +++ b/fs/isofs/inode.c @@ -1327,6 +1327,8 @@ static int isofs_read_inode(struct inode *inode, int relocated) de = (struct iso_directory_record *) (bh->b_data + offset); de_len = *(unsigned char *) de; + if (de_len < sizeof(struct iso_directory_record)) + goto fail; if (offset + de_len > bufsize) { int frag1 = bufsize - offset; -- 2.17.1

2 1

[PATCH openEuler-1.0-LTS] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
by Wang Zhaolong 03 Jun '24

03 Jun '24

From: Paulo Alcantara <pc(a)manguebit.com> mainline inclusion from mainline-v6.7-rc1 commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4LM CVE: CVE-2023-52752 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/client/cifs_debug.c fs/cifs/cifs_debug.c [Path is changed and related functions has been refactored for a long time] Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index a85aeff90df8..2595a528be97 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -287,6 +287,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; if ((ses->serverDomain == NULL) || (ses->serverOS == NULL) || (ses->serverNOS == NULL)) { -- 2.34.3

2 1

[PATCH OLK-5.10] mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq
by Xiang Yang 03 Jun '24

03 Jun '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.1-rc1 commit 175302f6b79ebbb207c2d58d6d3e679465de23b0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UNYW CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The function hfcpci_softirq() is a timer handler. If it is running, the timer_pending() will return 0 and the del_timer_sync() in HFC_cleanup() will not be executed. As a result, the use-after-free bug will happen. The process is shown below: (cleanup routine) | (timer handler) HFC_cleanup() | hfcpci_softirq() if (timer_pending(&hfc_tl)) | del_timer_sync() | ... | ... pci_unregister_driver(hc) | driver_unregister | driver_for_each_device bus_remove_driver | _hfcpci_softirq driver_detach | ... put_device(dev) //[1]FREE | | dev_get_drvdata(dev) //[2]USE The device is deallocated is position [1] and used in position [2]. Fix by removing the "timer_pending" check in HFC_cleanup(), which makes sure that the hfcpci_softirq() have finished before the resource is deallocated. Fixes: 009fc857c5f6 ("mISDN: fix possible use-after-free in HFC_cleanup()") Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- drivers/isdn/hardware/mISDN/hfcpci.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c index d6cf01c32a33..fe391de1aba3 100644 --- a/drivers/isdn/hardware/mISDN/hfcpci.c +++ b/drivers/isdn/hardware/mISDN/hfcpci.c @@ -2350,8 +2350,7 @@ HFC_init(void) static void __exit HFC_cleanup(void) { - if (timer_pending(&hfc_tl)) - del_timer_sync(&hfc_tl); + del_timer_sync(&hfc_tl); pci_unregister_driver(&hfc_driver); } -- 2.34.1

2 1

[PATCH OLK-5.10 v2] iomap: Ensure sub-page dirty state is set during mmap writes
by Long Li 03 Jun '24

03 Jun '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9UNQS CVE: NA ------------------------------------------ While running xfstests, specifically test xfs/032, the following errors were reported: XFS (sdb): ino 4a data fork has delalloc extent at [0x3c:0x10] XFS: Assertion failed: 0, file: fs/xfs/xfs_icache.c, line: 1854 The issue stems from the dirty state of sub-pages not being set during mmap writes. This behavior was observed after the introduction of the commit 99e9a55ba32b ("iomap: add support to track dirty state of sub-pages"), which enabled iomap to track the dirty state of sub-pages when the block size is smaller than the page size. Currently, iomap updates the sub-page dirty state only in `__iomap_write_end()`. However, the mmap write path does not invoke this function, resulting in dirty pages created by mmap writes not being scheduled for write-back. This patch fixes the issue by ensuring that the sub-page dirty state is set during mmap writes. Fixes: 99e9a55ba32b ("iomap: add support to track dirty state of sub pages") Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/iomap/buffered-io.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c index 25448d5827d2..569296ad9215 100644 --- a/fs/iomap/buffered-io.c +++ b/fs/iomap/buffered-io.c @@ -158,9 +158,6 @@ iomap_set_range_dirty(struct page *page, unsigned int off, unsigned int len) if (PageError(page)) return; - if (len) - iomap_set_page_dirty(page); - if (!page_has_private(page)) return; @@ -757,6 +754,7 @@ static size_t __iomap_write_end(struct inode *inode, loff_t pos, size_t len, if (unlikely(copied < len && !PageUptodate(page))) return 0; iomap_set_range_uptodate(page, offset_in_page(pos), len); + iomap_set_page_dirty(page); iomap_set_range_dirty(page, offset_in_page(pos), len); return copied; } @@ -1074,6 +1072,7 @@ iomap_page_mkwrite_actor(struct inode *inode, loff_t pos, loff_t length, } else { WARN_ON_ONCE(!PageUptodate(page)); set_page_dirty(page); + iomap_set_range_dirty(page, offset_in_page(pos), length); } return length; -- 2.31.1

2 1

[PATCH v6 OLK-5.10 0/6] Add support for l0
by Wupeng Ma 03 Jun '24

03 Jun '24

From: Ma Wupeng <mawupeng1(a)huawei.com> Add support for l3t & l0. Last Level Cache driver for platforms such Kunpeng 920. This provides interfaces to enable LLC cache lockdown. L0 driver for platforms such Kunpeng 920. This provides interfaces to for user to alloc and lock memory. Changelog since v1: - return -EINVAL if sccl_to_node_id return err. - code refactoring in hisi_lockdown.c Changelog since v2: - code cleanup in hisi_lockdown.c Changelog since v3: - adjusting the patch order - cleanup in l3t.c - rename get_page_policy_node to get_vma_policy_node - export symbol cpu_logical_map without GPL Changelog since v4: - fix UAF. Changelog since v5: - update patch title in get_vma_policy_node. Ma Wupeng (6): export symbol alloc_contig_pages arm64: export cpu_logical_map mm/mempolicy: Add and export get_vma_policy_node hisi: l3t: Add L3 cache driver for hisi hisi: l0: Add support for l0 arm64: config: Enable hisi l3t & l0 by default arch/arm64/configs/openeuler_defconfig | 2 + arch/arm64/kernel/setup.c | 1 + drivers/soc/hisilicon/Kconfig | 18 ++ drivers/soc/hisilicon/Makefile | 3 + drivers/soc/hisilicon/hisi_l0.c | 173 ++++++++++++++++ drivers/soc/hisilicon/hisi_l3t.h | 45 +++++ drivers/soc/hisilicon/hisi_lockdown.c | 140 +++++++++++++ drivers/soc/hisilicon/l3t.c | 263 +++++++++++++++++++++++++ include/linux/mempolicy.h | 4 + mm/mempolicy.c | 23 +++ mm/page_alloc.c | 1 + 11 files changed, 673 insertions(+) create mode 100644 drivers/soc/hisilicon/hisi_l0.c create mode 100644 drivers/soc/hisilicon/hisi_l3t.h create mode 100644 drivers/soc/hisilicon/hisi_lockdown.c create mode 100644 drivers/soc/hisilicon/l3t.c -- 2.25.1

2 7

[PATCH openEuler-1.0-LTS 0/2] CVE-2021-47409
by Wenyu Huang 03 Jun '24

03 Jun '24

Miaoqian Lin (1): usb: dwc2: Fix memory leak in dwc2_hcd_init Yang Yingliang (1): usb: dwc2: check return value after calling platform_get_resource() drivers/usb/dwc2/hcd.c | 4 ++++ 1 file changed, 4 insertions(+) -- 2.34.1

2 3

[PATCH openEuler-1.0-LTS v2 0/2] *** CVE-2021-47356 ***
by Xiang Yang 03 Jun '24

03 Jun '24

Duoming Zhou (1): mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq Zou Wei (1): mISDN: fix possible use-after-free in HFC_cleanup() drivers/isdn/hardware/mISDN/hfcpci.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -- 2.34.1

2 3

[PATCH openEuler-22.03-LTS-SP1] net: ena: Fix incorrect descriptor free behavior
by Li Huafei 03 Jun '24

03 Jun '24

From: David Arinzon <darinzon(a)amazon.com> stable inclusion from stable-v5.10.216 commit b26aa765f7437e1bbe8db4c1641b12bd5dd378f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRO8 CVE: CVE-2024-35958 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit bf02d9fe00632d22fa91d34749c7aacf397b6cde ] ENA has two types of TX queues: - queues which only process TX packets arriving from the network stack - queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue. This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes. Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action") Signed-off-by: Shay Agroskin <shayagr(a)amazon.com> Signed-off-by: David Arinzon <darinzon(a)amazon.com> Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/net/ethernet/amazon/ena/ena_netdev.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c index 52414ac2c901a..8b766c5c35c4c 100644 --- a/drivers/net/ethernet/amazon/ena/ena_netdev.c +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c @@ -1104,8 +1104,11 @@ static void ena_unmap_tx_buff(struct ena_ring *tx_ring, static void ena_free_tx_bufs(struct ena_ring *tx_ring) { bool print_once = true; + bool is_xdp_ring; u32 i; + is_xdp_ring = ENA_IS_XDP_INDEX(tx_ring->adapter, tx_ring->qid); + for (i = 0; i < tx_ring->ring_size; i++) { struct ena_tx_buffer *tx_info = &tx_ring->tx_buffer_info[i]; @@ -1125,10 +1128,15 @@ static void ena_free_tx_bufs(struct ena_ring *tx_ring) ena_unmap_tx_buff(tx_ring, tx_info); - dev_kfree_skb_any(tx_info->skb); + if (is_xdp_ring) + xdp_return_frame(tx_info->xdpf); + else + dev_kfree_skb_any(tx_info->skb); } - netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev, - tx_ring->qid)); + + if (!is_xdp_ring) + netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev, + tx_ring->qid)); } static void ena_free_all_tx_bufs(struct ena_adapter *adapter) -- 2.25.1

2 1

[PATCH OLK-5.10] net: ena: Fix incorrect descriptor free behavior
by Li Huafei 03 Jun '24

03 Jun '24

From: David Arinzon <darinzon(a)amazon.com> stable inclusion from stable-v5.10.216 commit b26aa765f7437e1bbe8db4c1641b12bd5dd378f0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRO8 CVE: CVE-2024-35958 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit bf02d9fe00632d22fa91d34749c7aacf397b6cde ] ENA has two types of TX queues: - queues which only process TX packets arriving from the network stack - queues which only process TX packets forwarded to it by XDP_REDIRECT or XDP_TX instructions The ena_free_tx_bufs() cycles through all descriptors in a TX queue and unmaps + frees every descriptor that hasn't been acknowledged yet by the device (uncompleted TX transactions). The function assumes that the processed TX queue is necessarily from the first category listed above and ends up using napi_consume_skb() for descriptors belonging to an XDP specific queue. This patch solves a bug in which, in case of a VF reset, the descriptors aren't freed correctly, leading to crashes. Fixes: 548c4940b9f1 ("net: ena: Implement XDP_TX action") Signed-off-by: Shay Agroskin <shayagr(a)amazon.com> Signed-off-by: David Arinzon <darinzon(a)amazon.com> Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/net/ethernet/amazon/ena/ena_netdev.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c index e13ae04d2f0fd..fc81db75b19d0 100644 --- a/drivers/net/ethernet/amazon/ena/ena_netdev.c +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c @@ -1105,8 +1105,11 @@ static void ena_unmap_tx_buff(struct ena_ring *tx_ring, static void ena_free_tx_bufs(struct ena_ring *tx_ring) { bool print_once = true; + bool is_xdp_ring; u32 i; + is_xdp_ring = ENA_IS_XDP_INDEX(tx_ring->adapter, tx_ring->qid); + for (i = 0; i < tx_ring->ring_size; i++) { struct ena_tx_buffer *tx_info = &tx_ring->tx_buffer_info[i]; @@ -1126,10 +1129,15 @@ static void ena_free_tx_bufs(struct ena_ring *tx_ring) ena_unmap_tx_buff(tx_ring, tx_info); - dev_kfree_skb_any(tx_info->skb); + if (is_xdp_ring) + xdp_return_frame(tx_info->xdpf); + else + dev_kfree_skb_any(tx_info->skb); } - netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev, - tx_ring->qid)); + + if (!is_xdp_ring) + netdev_tx_reset_queue(netdev_get_tx_queue(tx_ring->netdev, + tx_ring->qid)); } static void ena_free_all_tx_bufs(struct ena_adapter *adapter) -- 2.25.1

2 1

2024

2023

2022

2021

2020

2019

Kernel June 2024