- Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 11568/23451] drivers/net/ethernet/hisilicon/hns3/hns3_cae/.tmp_hns3_cae_led.o: warning: objtool: missing symbol for section .text
by kernel test robot 06 Aug '24

06 Aug '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: b99509998bfe488900920c783664b4b4a70795da commit: eb3a8c90a2b27a2f2dbe26e8a2e7edff6b61417c [11568/23451] net: HNS3: Increase the dft for the command of led config: x86_64-buildonly-randconfig-005-20240727 (https://download.01.org/0day-ci/archive/20240806/202408062209.71Gj0prX-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240806/202408062209.71Gj0prX-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408062209.71Gj0prX-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/net/ethernet/hisilicon/hns3/hns3_cae/.tmp_hns3_cae_led.o: warning: objtool: missing symbol for section .text -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS 0/3] CVE-2024-41034
by Zhihao Cheng 06 Aug '24

06 Aug '24

Matthew Wilcox (Oracle) (2): nilfs2: Remove check for PageError nilfs2: return the mapped address from nilfs_get_page() Ryusuke Konishi (1): nilfs2: fix kernel bug on rename operation of broken directory fs/nilfs2/dir.c | 83 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 54 insertions(+), 29 deletions(-) -- 2.31.1

2 4

[PATCH OLK-5.10 0/2] fix CVE-2024-42155
by Hongbo Li 06 Aug '24

06 Aug '24

Fix CVE-2024-42155. Holger Dengler (1): s390/pkey: Wipe copies of protected- and secure-keys Hongbo Li (1): Revert "s390/pkey: Wipe copies of protected- and secure-keys" drivers/s390/crypto/pkey_api.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) -- 2.34.1

2 3

[PATCH OLK-5.10] s390/pkey: Wipe sensitive data on failure
by Peng Zhang 06 Aug '24

06 Aug '24

From: Holger Dengler <dengler(a)linux.ibm.com> mainline inclusion from mainline-v6.10-rc1 commit 1d8c270de5eb74245d72325d285894a577a945d9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGSLY CVE: CVE-2024-42157 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------------------------------------- Wipe sensitive data from stack also if the copy_to_user() fails. Suggested-by: Heiko Carstens <hca(a)linux.ibm.com> Reviewed-by: Harald Freudenberger <freude(a)linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Holger Dengler <dengler(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> --- drivers/s390/crypto/pkey_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index fddcc3d3ba81..271ef4b4cddf 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -1154,7 +1154,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (rc) break; if (copy_to_user(ucs, &kcs, sizeof(kcs))) - return -EFAULT; + rc = -EFAULT; memzero_explicit(&kcs, sizeof(kcs)); break; } @@ -1185,7 +1185,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (rc) break; if (copy_to_user(ucp, &kcp, sizeof(kcp))) - return -EFAULT; + rc = -EFAULT; memzero_explicit(&kcp, sizeof(kcp)); break; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] s390/pkey: Wipe sensitive data on failure
by Peng Zhang 06 Aug '24

06 Aug '24

From: Holger Dengler <dengler(a)linux.ibm.com> mainline inclusion from mainline-v6.10-rc1 commit 1d8c270de5eb74245d72325d285894a577a945d9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGSLY CVE: CVE-2024-42157 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------------------------------------- Wipe sensitive data from stack also if the copy_to_user() fails. Suggested-by: Heiko Carstens <hca(a)linux.ibm.com> Reviewed-by: Harald Freudenberger <freude(a)linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Holger Dengler <dengler(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> --- drivers/s390/crypto/pkey_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index 6e07a02f4363..eccee7cabf18 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -1154,7 +1154,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (rc) break; if (copy_to_user(ucs, &kcs, sizeof(kcs))) - return -EFAULT; + rc = -EFAULT; memzero_explicit(&kcs, sizeof(kcs)); break; } @@ -1185,7 +1185,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (rc) break; if (copy_to_user(ucp, &kcp, sizeof(kcp))) - return -EFAULT; + rc = -EFAULT; memzero_explicit(&kcp, sizeof(kcp)); break; } -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] nilfs2: fix kernel bug on rename operation of broken directory
by Zhihao Cheng 06 Aug '24

06 Aug '24

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> stable inclusion from stable-v5.10.222 commit a9a466a69b85059b341239766a10efdd3ee68a4b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEKP CVE: CVE-2024-41034 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 ] Syzbot reported that in rename directory operation on broken directory on nilfs2, __block_write_begin_int() called to prepare block write may fail BUG_ON check for access exceeding the folio/page size. This is because nilfs_dotdot(), which gets parent directory reference entry ("..") of the directory to be moved or renamed, does not check consistency enough, and may return location exceeding folio/page size for broken directories. Fix this issue by checking required directory entries ("." and "..") in the first chunk of the directory in nilfs_dotdot(). Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+d3abed1ad3d367fa2627(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627 Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Zhihao Cheng <chengzhihao(a)huaweicloud.com> --- fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index 1de96b40e404..c30278761fa4 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -390,11 +390,39 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr, struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p) { - struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p); + struct page *page; + struct nilfs_dir_entry *de, *next_de; + size_t limit; + char *msg; + de = nilfs_get_page(dir, 0, &page); if (IS_ERR(de)) return NULL; - return nilfs_next_entry(de); + + limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */ + if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino || + !nilfs_match(1, ".", de))) { + msg = "missing '.'"; + goto fail; + } + + next_de = nilfs_next_entry(de); + /* + * If "next_de" has not reached the end of the chunk, there is + * at least one more record. Check whether it matches "..". + */ + if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) || + !nilfs_match(2, "..", next_de))) { + msg = "missing '..'"; + goto fail; + } + *p = page; + return next_de; + +fail: + nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg); + nilfs_put_page(page); + return NULL; } ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) -- 2.31.1

2 1

[PATCH OLK-5.10] nilfs2: fix kernel bug on rename operation of broken directory
by Zhihao Cheng 06 Aug '24

06 Aug '24

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> stable inclusion from stable-v5.10.222 commit a9a466a69b85059b341239766a10efdd3ee68a4b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEKP CVE: CVE-2024-41034 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 ] Syzbot reported that in rename directory operation on broken directory on nilfs2, __block_write_begin_int() called to prepare block write may fail BUG_ON check for access exceeding the folio/page size. This is because nilfs_dotdot(), which gets parent directory reference entry ("..") of the directory to be moved or renamed, does not check consistency enough, and may return location exceeding folio/page size for broken directories. Fix this issue by checking required directory entries ("." and "..") in the first chunk of the directory in nilfs_dotdot(). Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+d3abed1ad3d367fa2627(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627 Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Zhihao Cheng <chengzhihao(a)huaweicloud.com> --- fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c index 1de96b40e404..c30278761fa4 100644 --- a/fs/nilfs2/dir.c +++ b/fs/nilfs2/dir.c @@ -390,11 +390,39 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr, struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p) { - struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p); + struct page *page; + struct nilfs_dir_entry *de, *next_de; + size_t limit; + char *msg; + de = nilfs_get_page(dir, 0, &page); if (IS_ERR(de)) return NULL; - return nilfs_next_entry(de); + + limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */ + if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino || + !nilfs_match(1, ".", de))) { + msg = "missing '.'"; + goto fail; + } + + next_de = nilfs_next_entry(de); + /* + * If "next_de" has not reached the end of the chunk, there is + * at least one more record. Check whether it matches "..". + */ + if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) || + !nilfs_match(2, "..", next_de))) { + msg = "missing '..'"; + goto fail; + } + *p = page; + return next_de; + +fail: + nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg); + nilfs_put_page(page); + return NULL; } ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr) -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS-SP1] crypto: hisilicon/sec - Fix memory leak for sec resource release
by Peng Zhang 06 Aug '24

06 Aug '24

From: Chenghai Huang <huangchenghai2(a)huawei.com> mainline inclusion from mainline-v6.10-rc1 commit bba4250757b4ae1680fea435a358d8093f254094 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAD2XU CVE: CVE-2024-41002 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------- The AIV is one of the SEC resources. When releasing resources, it need to release the AIV resources at the same time. Otherwise, memory leakage occurs. The aiv resource release is added to the sec resource release function. Signed-off-by: Chenghai Huang <huangchenghai2(a)huawei.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> --- drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c index 84ae8ddd1a13..6d3ab6c909cf 100644 --- a/drivers/crypto/hisilicon/sec2/sec_crypto.c +++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c @@ -479,8 +479,10 @@ static void sec_alg_resource_free(struct sec_ctx *ctx, if (ctx->pbuf_supported) sec_free_pbuf_resource(dev, qp_ctx->res); - if (ctx->alg_type == SEC_AEAD) + if (ctx->alg_type == SEC_AEAD) { sec_free_mac_resource(dev, qp_ctx->res); + sec_free_aiv_resource(dev, qp_ctx->res); + } } static int sec_alloc_qp_ctx_resource(struct hisi_qm *qm, struct sec_ctx *ctx, -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1 0/2] Fix CVE-2021-47582
by Peng Zhang 06 Aug '24

06 Aug '24

From: ZhangPeng <zhangpeng362(a)huawei.com> Backport 2 bugfixes to fix CVE-2021-47582. Alan Stern (1): USB: core: Make do_proc_control() and do_proc_bulk() killable Tasos Sahanidis (1): usb: core: Don't hold the device lock while sleeping in do_proc_control() drivers/usb/core/devio.c | 146 ++++++++++++++++++++++++++++++--------- 1 file changed, 114 insertions(+), 32 deletions(-) -- 2.25.1

2 3

[PATCH OLK-5.10 0/2] Fix CVE-2021-47582
by Peng Zhang 06 Aug '24

06 Aug '24

From: ZhangPeng <zhangpeng362(a)huawei.com> Backport 2 patches to fix CVE-2021-47582. Alan Stern (1): USB: core: Make do_proc_control() and do_proc_bulk() killable Tasos Sahanidis (1): usb: core: Don't hold the device lock while sleeping in do_proc_control() drivers/usb/core/devio.c | 146 ++++++++++++++++++++++++++++++--------- 1 file changed, 114 insertions(+), 32 deletions(-) -- 2.25.1

2 3