- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] cifs: fix small mempool leak in SMB2_negotiate()
by Wang Zhaolong 27 Jun '25

27 Jun '25

From: Enzo Matsumiya <ematsumiya(a)suse.de> mainline inclusion from mainline-v6.0-rc4 commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG9II CVE: CVE-2022-49938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Cc: stable(a)vger.kernel.org Reviewed-by: Ronnie Sahlberg <lsahlber(a)redhat.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/cifs/smb2pdu.c [The code has been refactored many times, causing context conflicts.] Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/cifs/smb2pdu.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index e8304a44d9d8..9890674df444 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -725,38 +725,39 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) " older servers\n"); goto neg_exit; } else if (rc != 0) goto neg_exit; + rc = -EIO; if (strcmp(ses->server->vals->version_string, SMB3ANY_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { cifs_dbg(VFS, "SMB2.1 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } } else if (strcmp(ses->server->vals->version_string, SMBDEFAULT_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { /* ops set to 3.0 by default for default so update */ ses->server->ops = &smb21_operations; ses->server->vals = &smb21_values; } } else if (le16_to_cpu(rsp->DialectRevision) != ses->server->vals->protocol_id) { /* if requested single dialect ensure returned dialect matched */ cifs_dbg(VFS, "Illegal 0x%x dialect returned: not requested\n", le16_to_cpu(rsp->DialectRevision)); - return -EIO; + goto neg_exit; } cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) @@ -770,15 +771,15 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) cifs_dbg(FYI, "negotiated smb3.1.1 dialect\n"); else { cifs_dbg(VFS, "Illegal dialect returned by server 0x%x\n", le16_to_cpu(rsp->DialectRevision)); - rc = -EIO; goto neg_exit; } server->dialect = le16_to_cpu(rsp->DialectRevision); + rc = 0; /* * Keep a copy of the hash after negprot. This hash will be * the starting hash value for all sessions made from this * server. */ -- 2.34.3

2 1

[PATCH] cifs: fix small mempool leak in SMB2_negotiate()
by Wang Zhaolong 27 Jun '25

27 Jun '25

From: Enzo Matsumiya <ematsumiya(a)suse.de> mainline inclusion from mainline-v6.0-rc4 commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG9II CVE: CVE-2022-49938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Cc: stable(a)vger.kernel.org Reviewed-by: Ronnie Sahlberg <lsahlber(a)redhat.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/cifs/smb2pdu.c [The code has been refactored many times, causing context conflicts.] Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/cifs/smb2pdu.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index e8304a44d9d8..9890674df444 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -725,38 +725,39 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) " older servers\n"); goto neg_exit; } else if (rc != 0) goto neg_exit; + rc = -EIO; if (strcmp(ses->server->vals->version_string, SMB3ANY_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { cifs_dbg(VFS, "SMB2.1 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } } else if (strcmp(ses->server->vals->version_string, SMBDEFAULT_VERSION_STRING) == 0) { if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) { cifs_dbg(VFS, "SMB2 dialect returned but not requested\n"); - return -EIO; + goto neg_exit; } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) { /* ops set to 3.0 by default for default so update */ ses->server->ops = &smb21_operations; ses->server->vals = &smb21_values; } } else if (le16_to_cpu(rsp->DialectRevision) != ses->server->vals->protocol_id) { /* if requested single dialect ensure returned dialect matched */ cifs_dbg(VFS, "Illegal 0x%x dialect returned: not requested\n", le16_to_cpu(rsp->DialectRevision)); - return -EIO; + goto neg_exit; } cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode); if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) @@ -770,15 +771,15 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) cifs_dbg(FYI, "negotiated smb3.1.1 dialect\n"); else { cifs_dbg(VFS, "Illegal dialect returned by server 0x%x\n", le16_to_cpu(rsp->DialectRevision)); - rc = -EIO; goto neg_exit; } server->dialect = le16_to_cpu(rsp->DialectRevision); + rc = 0; /* * Keep a copy of the hash after negprot. This hash will be * the starting hash value for all sessions made from this * server. */ -- 2.34.3

1 0

[PATCH openEuler-1.0-LTS 0/2] hidraw:·fix·memory·leak·in·hidraw_release
by Bowen You 27 Jun '25

27 Jun '25

*** BLURB HERE *** Karthik Alapati (1): HID: hidraw: fix memory leak in hidraw_release() Su Hui (1): HID: hidraw: fix a problem of memory leak in hidraw_release() drivers/hid/hidraw.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.34.1

2 3

[PATCH openEuler-1.0-LTS 0/2] HID: hidraw: fix memory leak in hidraw_release
by Bowen You 27 Jun '25

27 Jun '25

*** BLURB HERE *** Karthik Alapati (1): HID: hidraw: fix memory leak in hidraw_release() Su Hui (1): HID: hidraw: fix a problem of memory leak in hidraw_release() drivers/hid/hidraw.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.34.1

2 3

[PATCH V2 OLK-6.6 0/2] Fix some smmu bugs
by Zhang Zekun 27 Jun '25

27 Jun '25

Fix some smmu bugs Zhang Zekun (2): iommu/arm-smmu-v3: Fix the extra atc tlb flush iommu/arm-smmu-v3: Fix the problematic platform detection logic drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 16 ++++------------ drivers/iommu/io-pgtable-arm.c | 8 +++++--- include/linux/io-pgtable.h | 1 + 3 files changed, 10 insertions(+), 15 deletions(-) -- 2.22.0

2 3

[PATCH OLK-5.10] nfsd: don't ignore the return code of svc_proc_register()
by Li Lingfeng 27 Jun '25

27 Jun '25

From: Jeff Layton <jlayton(a)kernel.org> mainline inclusion from mainline-v6.15-rc1 commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC1QT8 CVE: CVE-2025-22026 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM. Reported-by: syzbot+e34ad04f27991521104c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.… Cc: stable(a)vger.kernel.org # v6.9 Signed-off-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Conflicts: fs/nfsd/nfsctl.c fs/nfsd/stats.c fs/nfsd/stats.h [Commit 5e092be7418f ("NFSD: Distinguish per-net namespace initialization") changes nfsd_init_net to nfsd_net_init; commit 93483ac5fec6 ("nfsd: expose /proc/net/sunrpc/nfsd in net namespaces") change nfsd_stat_init to nfsd_proc_stat_init.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> Reviewed-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- fs/nfsd/nfsctl.c | 6 +++++- fs/nfsd/stats.c | 4 ++-- fs/nfsd/stats.h | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c index 02e3dd0c4703..040340080b3d 100644 --- a/fs/nfsd/nfsctl.c +++ b/fs/nfsd/nfsctl.c @@ -1522,7 +1522,10 @@ static int __init init_nfsd(void) retval = nfsd4_init_pnfs(); if (retval) goto out_free_slabs; - nfsd_stat_init(); /* Statistics */ + if (!nfsd_stat_init()) { /* Statistics */ + retval = -ENOMEM; + goto out_free_pnfs; + } retval = nfsd_drc_slab_create(); if (retval) goto out_free_stat; @@ -1552,6 +1555,7 @@ static int __init init_nfsd(void) nfsd_drc_slab_free(); out_free_stat: nfsd_stat_shutdown(); +out_free_pnfs: nfsd4_exit_pnfs(); out_free_slabs: nfsd4_free_slabs(); diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c index b1bc582b0493..9d45f4ce9344 100644 --- a/fs/nfsd/stats.c +++ b/fs/nfsd/stats.c @@ -91,10 +91,10 @@ static const struct proc_ops nfsd_proc_ops = { .proc_release = single_release, }; -void +struct proc_dir_entry * nfsd_stat_init(void) { - svc_proc_register(&init_net, &nfsd_svcstats, &nfsd_proc_ops); + return svc_proc_register(&init_net, &nfsd_svcstats, &nfsd_proc_ops); } void diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h index b23fdac69820..fdd7dfaee470 100644 --- a/fs/nfsd/stats.h +++ b/fs/nfsd/stats.h @@ -38,7 +38,7 @@ struct nfsd_stats { extern struct nfsd_stats nfsdstats; extern struct svc_stat nfsd_svcstats; -void nfsd_stat_init(void); +struct proc_dir_entry *nfsd_stat_init(void); void nfsd_stat_shutdown(void); #endif /* _NFSD_STATS_H */ -- 2.46.1

2 1

[PATCH openEuler-1.0-LTS 0/2] HID: hidraw: fix memory leak in hidraw_release
by Bowen You 27 Jun '25

27 Jun '25

*** BLURB HERE *** Karthik Alapati (1): HID: hidraw: fix memory leak in hidraw_release() Su Hui (1): HID: hidraw: fix a problem of memory leak in hidraw_release() drivers/hid/hidraw.c | 5 +++++ 1 file changed, 5 insertions(+) -- 2.34.1

2 3

[PATCH OLK-6.6 0/2] Fix some smmu bugs
by Zhang Zekun 27 Jun '25

27 Jun '25

Fix some smmu bugs Zhang Zekun (2): iommu/arm-smmu-v3: Fix the extra atc tlb flush iommu/arm-smmu-v3: Fix the problematic platform detection logic drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 14 ++++---------- drivers/iommu/io-pgtable-arm.c | 8 +++++--- include/linux/io-pgtable.h | 1 + 3 files changed, 10 insertions(+), 13 deletions(-) -- 2.22.0

2 3

[PATCH OLK-5.10 0/3] CVE-2024-26798
by Zeng Heng 27 Jun '25

27 Jun '25

Jiri Slaby (SUSE) (1): fbcon: always restore the old font data in fbcon_do_set_font() Shigeru Yoshida (1): fbdev: fbcon: Properly revert changes when vc_resize() failed Tetsuo Handa (1): fbdev: fbcon: release buffer when fbcon_do_set_font() failed drivers/video/fbdev/core/fbcon.c | 66 +++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 22 deletions(-) -- 2.25.1

2 4

[PATCH OLK-5.10 0/2] CVE-2024-26798
by Zeng Heng 27 Jun '25

27 Jun '25

Shigeru Yoshida (1): fbdev: fbcon: Properly revert changes when vc_resize() failed Tetsuo Handa (1): fbdev: fbcon: release buffer when fbcon_do_set_font() failed drivers/video/fbdev/core/fbcon.c | 60 ++++++++++++++++++++++---------- 1 file changed, 42 insertions(+), 18 deletions(-) -- 2.25.1

2 3