From: Jan Beulich <jbeulich(a)suse.com>
stable inclusion
from stable-v4.19.306
commit 5bb8270789c88c0e4ad78c0de2f274f2275c7f6c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YCSC
CVE: CVE-2023-46838
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a upstream.
While frontends may submit zero-size requests (wasting a precious slot),
core networking code as of at least 3ece782693c4b ("sock: skb_copy_ubufs
support for compound pages") can't deal with SKBs when they have all
zero-size fragments. Respond to empty requests right when populating
fragments; all further processing is fragment based and hence won't
encounter these empty requests anymore.
In a way this should have been that way from the beginning: When no data
is to be transferred for a particular request, there's not even a point
in validating the respective grant ref. That's no different from e.g.
passing NULL into memcpy() when at the same time the size is 0.
This is XSA-448 / CVE-2023-46838.
Cc: stable(a)vger.kernel.org
Signed-off-by: Jan Beulich <jbeulich(a)suse.com>
Reviewed-by: Juergen Gross <jgross(a)suse.com>
Reviewed-by: Paul Durrant <paul(a)xen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com>
---
v2:
- Fix comment head.
---
drivers/net/xen-netback/netback.c | 44 ++++++++++++++++++++++++++-----
1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 103f2c09d785..850e8fdef34d 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -440,12 +440,25 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
}
for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS;
- shinfo->nr_frags++, gop++, nr_slots--) {
+ nr_slots--) {
+ if (unlikely(!txp->size)) {
+ unsigned long flags;
+
+ spin_lock_irqsave(&queue->response_lock, flags);
+ make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY);
+ push_tx_responses(queue);
+ spin_unlock_irqrestore(&queue->response_lock, flags);
+ ++txp;
+ continue;
+ }
+
index = pending_index(queue->pending_cons++);
pending_idx = queue->pending_ring[index];
xenvif_tx_create_map_op(queue, pending_idx, txp,
txp == first ? extra_count : 0, gop);
frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx);
+ ++shinfo->nr_frags;
+ ++gop;
if (txp == first)
txp = txfrags;
@@ -458,20 +471,39 @@ static void xenvif_get_requests(struct xenvif_queue *queue,
shinfo = skb_shinfo(nskb);
frags = shinfo->frags;
- for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots;
- shinfo->nr_frags++, txp++, gop++) {
+ for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) {
+ if (unlikely(!txp->size)) {
+ unsigned long flags;
+
+ spin_lock_irqsave(&queue->response_lock, flags);
+ make_tx_response(queue, txp, 0,
+ XEN_NETIF_RSP_OKAY);
+ push_tx_responses(queue);
+ spin_unlock_irqrestore(&queue->response_lock,
+ flags);
+ continue;
+ }
+
index = pending_index(queue->pending_cons++);
pending_idx = queue->pending_ring[index];
xenvif_tx_create_map_op(queue, pending_idx, txp, 0,
gop);
frag_set_pending_idx(&frags[shinfo->nr_frags],
pending_idx);
+ ++shinfo->nr_frags;
+ ++gop;
}
- skb_shinfo(skb)->frag_list = nskb;
- } else if (nskb) {
+ if (shinfo->nr_frags) {
+ skb_shinfo(skb)->frag_list = nskb;
+ nskb = NULL;
+ }
+ }
+
+ if (nskb) {
/* A frag_list skb was allocated but it is no longer needed
- * because enough slots were converted to copy ops above.
+ * because enough slots were converted to copy ops above or some
+ * were empty.
*/
kfree_skb(nskb);
}
--
2.25.1
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: 94f199d2ce0118d64c47192cef7247cf30560eba
commit: 267bce716c1008522c3b8ddbeac8d3c65514e98f [21582/21628] crypto: hisilicon/qm - drop unnecessary IS_ENABLE(CONFIG_NUMA) check
config: arm64-randconfig-003-20240218 (https://download.01.org/0day-ci/archive/20240220/202402200406.0uniupLa-lkp@…)
compiler: aarch64-linux-gcc (GCC) 13.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240220/202402200406.0uniupLa-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202402200406.0uniupLa-lkp@intel.com/
Note: it may well be a FALSE warning. FWIW you are at least aware of it now.
http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings
All warnings (new ones prefixed by >>):
In file included from include/linux/poll.h:12,
from include/linux/rtc.h:52,
from include/linux/efi.h:20,
from arch/arm64/include/asm/acpi.h:15,
from include/acpi/acpi_io.h:7,
from include/linux/acpi.h:47,
from drivers/crypto/hisilicon/qm.c:4:
In function '_copy_from_user',
inlined from 'copy_from_user' at include/linux/uaccess.h:144:7,
inlined from 'hisi_qm_uacce_ioctl' at drivers/crypto/hisilicon/qm.c:2280:7:
>> include/linux/uaccess.h:112:17: warning: 'qp_ctx' may be used uninitialized [-Wmaybe-uninitialized]
112 | kasan_check_write(to, n);
| ^~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/compiler.h:265,
from arch/arm64/include/asm/memory.h:24,
from arch/arm64/include/asm/page.h:52,
from drivers/crypto/hisilicon/qm.c:3:
include/linux/kasan-checks.h: In function 'hisi_qm_uacce_ioctl':
include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here
7 | void kasan_check_write(const volatile void *p, unsigned int size);
| ^~~~~~~~~~~~~~~~~
drivers/crypto/hisilicon/qm.c:2277:28: note: 'qp_ctx' declared here
2277 | struct hisi_qp_ctx qp_ctx;
| ^~~~~~
drivers/crypto/hisilicon/qm.c:3322: warning: Excess function parameter 'ce' description in 'qm_hw_error_init'
drivers/crypto/hisilicon/qm.c:3322: warning: Excess function parameter 'nfe' description in 'qm_hw_error_init'
drivers/crypto/hisilicon/qm.c:3322: warning: Excess function parameter 'fe' description in 'qm_hw_error_init'
drivers/crypto/hisilicon/qm.c:3322: warning: Excess function parameter 'msi' description in 'qm_hw_error_init'
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for UACCE
Depends on [n]: IOMMU_API [=n]
Selected by [y]:
- CRYPTO_DEV_HISI_QM [=y] && CRYPTO [=y] && CRYPTO_HW [=y] && ARM64 [=y] && PCI [=y]
vim +/qp_ctx +112 include/linux/uaccess.h
d597580d373774 Al Viro 2017-03-20 104
d597580d373774 Al Viro 2017-03-20 105 #ifdef INLINE_COPY_FROM_USER
d597580d373774 Al Viro 2017-03-20 106 static inline unsigned long
d597580d373774 Al Viro 2017-03-20 107 _copy_from_user(void *to, const void __user *from, unsigned long n)
d597580d373774 Al Viro 2017-03-20 108 {
d597580d373774 Al Viro 2017-03-20 109 unsigned long res = n;
9c5f6908de03a4 Al Viro 2017-06-29 110 might_fault();
4983cb67a383a7 Linus Torvalds 2019-02-14 111 if (likely(access_ok(from, n))) {
9c5f6908de03a4 Al Viro 2017-06-29 @112 kasan_check_write(to, n);
d597580d373774 Al Viro 2017-03-20 113 res = raw_copy_from_user(to, from, n);
9c5f6908de03a4 Al Viro 2017-06-29 114 }
d597580d373774 Al Viro 2017-03-20 115 if (unlikely(res))
d597580d373774 Al Viro 2017-03-20 116 memset(to + (n - res), 0, res);
d597580d373774 Al Viro 2017-03-20 117 return res;
d597580d373774 Al Viro 2017-03-20 118 }
d597580d373774 Al Viro 2017-03-20 119 #else
d597580d373774 Al Viro 2017-03-20 120 extern unsigned long
d597580d373774 Al Viro 2017-03-20 121 _copy_from_user(void *, const void __user *, unsigned long);
d597580d373774 Al Viro 2017-03-20 122 #endif
d597580d373774 Al Viro 2017-03-20 123
:::::: The code at line 112 was first introduced by commit
:::::: 9c5f6908de03a4f52ba7364b11fcd6116225480c copy_{from,to}_user(): move kasan checks and might_fault() out-of-line
:::::: TO: Al Viro <viro(a)zeniv.linux.org.uk>
:::::: CC: Al Viro <viro(a)zeniv.linux.org.uk>
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
From: Johan Hovold <johan(a)kernel.org>
stable inclusion
from stable-v4.19.191
commit 76d7fc0857bc4033415fcad905db13753d0febc7
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I926JG
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 1b8b20868a6d64cfe8174a21b25b74367bdf0560 ]
Drivers should return -ENOTTY ("Inappropriate I/O control operation")
when an ioctl isn't supported, while -EINVAL is used for invalid
arguments.
Fix up the TIOCMGET, TIOCMSET and TIOCGICOUNT helpers which returned
-EINVAL when a tty driver did not implement the corresponding
operations.
Note that the TIOCMGET and TIOCMSET helpers predate git and do not get a
corresponding Fixes tag below.
Fixes: d281da7ff6f7 ("tty: Make tiocgicount a handler")
Signed-off-by: Johan Hovold <johan(a)kernel.org>
Link: https://lore.kernel.org/r/20210407095208.31838-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Yi Yang <yiyang13(a)huawei.com>
---
drivers/tty/tty_io.c | 8 ++++----
include/linux/tty_driver.h | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 58c3f7b92b0d..908c331c5760 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -2441,14 +2441,14 @@ static int send_break(struct tty_struct *tty, unsigned int duration)
* @p: pointer to result
*
* Obtain the modem status bits from the tty driver if the feature
- * is supported. Return -EINVAL if it is not available.
+ * is supported. Return -ENOTTY if it is not available.
*
* Locking: none (up to the driver)
*/
static int tty_tiocmget(struct tty_struct *tty, int __user *p)
{
- int retval = -EINVAL;
+ int retval = -ENOTTY;
if (tty->ops->tiocmget) {
retval = tty->ops->tiocmget(tty);
@@ -2466,7 +2466,7 @@ static int tty_tiocmget(struct tty_struct *tty, int __user *p)
* @p: pointer to desired bits
*
* Set the modem status bits from the tty driver if the feature
- * is supported. Return -EINVAL if it is not available.
+ * is supported. Return -ENOTTY if it is not available.
*
* Locking: none (up to the driver)
*/
@@ -2478,7 +2478,7 @@ static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,
unsigned int set, clear, val;
if (tty->ops->tiocmset == NULL)
- return -EINVAL;
+ return -ENOTTY;
retval = get_user(val, p);
if (retval)
diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
index 71dbc891851a..e10b09672345 100644
--- a/include/linux/tty_driver.h
+++ b/include/linux/tty_driver.h
@@ -236,7 +236,7 @@
*
* Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel
* structure to complete. This method is optional and will only be called
- * if provided (otherwise EINVAL will be returned).
+ * if provided (otherwise ENOTTY will be returned).
*/
#include <linux/export.h>
--
2.25.1