- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index 07989bb8c220..3fdc64b5a65e 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1

2 1

[PATCH OLK-5.10] net/hinic3: Add pcie device ID adaption for DPU_NIC card
by z00857956 03 Jul '24

03 Jul '24

From: zhoushuai <zhoushuai28(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA9G0T?from=project-issue CVE: NA -------------------------------- The pcie device ID of DPU_NIC card is 0x0224, need be added to nic_devID_list, otherwise card_node will be alloced for every PF. Signed-off-by: zhoushuai <zhoushuai28(a)huawei.com> --- drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c | 2 +- drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c index fdf92ab66e3b..5863beebde39 100644 --- a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c +++ b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c @@ -48,7 +48,7 @@ static int get_nic_drv_version(void *buf_out, const u32 *out_size) } err = snprintf(ver_info->ver, sizeof(ver_info->ver), "%s %s", - HINIC3_NIC_DRV_VERSION, "2023-05-17_19:56:38"); + HINIC3_NIC_DRV_VERSION, "2024-07-03_09:33:00"); if (err < 0) return -EINVAL; diff --git a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h index 0b7bf8e18732..fa758460e587 100644 --- a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h +++ b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h @@ -21,7 +21,9 @@ #define ULD_LOCK_MAX_USLEEP_TIME 1000 #define HINIC3_IS_VF_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_VF) -#define HINIC3_IS_SPU_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_SPU) +#define HINIC3_IS_SPU_DEV(pdev) \ + (((pdev)->device == HINIC3_DEV_ID_SPU) || ((pdev)->device == HINIC3_DEV_ID_SDI_5_0_PF) || \ + (((pdev)->device == HINIC3_DEV_ID_DPU_PF))) enum { HINIC3_NOT_PROBE = 1, -- 2.43.0

2 1

[PATCH OLK-6.6 0/1] cgroup/cpuset: Make cpuset hotplug processing synchronous
by Chen Ridong 03 Jul '24

03 Jul '24

*** BLURB HERE *** Waiman Long (1): cgroup/cpuset: Make cpuset hotplug processing synchronous include/linux/cpuset.h | 3 -- kernel/cgroup/cpuset.c | 103 ++++++++++++++++++++++------------------- kernel/cpu.c | 48 ------------------- kernel/power/process.c | 2 - 4 files changed, 55 insertions(+), 101 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index c860ffb0b4c3..670d439f204c 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 55a611f7239b..68a417cee39c 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -141,6 +141,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d1d8d8a21ddd..f68f42c083c8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1

2 1

[PATCH OLK-5.10] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d1d8d8a21ddd..f68f42c083c8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index c860ffb0b4c3..670d439f204c 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1

2 1

[PATCH OLK-6.6] net/hinic3: Add pcie device ID adaption for DPU_NIC card
by z00857956 03 Jul '24

03 Jul '24

From: zhoushuai <zhoushuai28(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA9G0T?from=project-issue CVE: NA -------------------------------- The pcie device ID of DPU_NIC card is 0x0224, need be added to nic_devID_list, otherwise card_node will be alloced for every PF. Signed-off-by: zhoushuai <zhoushuai28(a)huawei.com> --- drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c | 2 +- drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c index 40ff4738420e..93231ebac18e 100644 --- a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c +++ b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c @@ -48,7 +48,7 @@ static int get_nic_drv_version(void *buf_out, const u32 *out_size) } err = snprintf(ver_info->ver, sizeof(ver_info->ver), "%s %s", - HINIC3_NIC_DRV_VERSION, "2023-05-17_19:56:38"); + HINIC3_NIC_DRV_VERSION, "2024-07-03_09:33:00"); if (err < 0) return -EINVAL; diff --git a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h index bb7f5bb67ecb..02898a85e7b7 100644 --- a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h +++ b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h @@ -21,7 +21,9 @@ #define ULD_LOCK_MAX_USLEEP_TIME 1000 #define HINIC3_IS_VF_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_VF) -#define HINIC3_IS_SPU_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_SPU) +#define HINIC3_IS_SPU_DEV(pdev) \ + (((pdev)->device == HINIC3_DEV_ID_SPU) || ((pdev)->device == HINIC3_DEV_ID_SDI_5_0_PF) || \ + (((pdev)->device == HINIC3_DEV_ID_DPU_PF))) enum { HINIC3_NOT_PROBE = 1, -- 2.43.0

2 1

[PATCH OLK-6.6] tls: fix missing memory barrier in tls_init
by Liu Jian 03 Jul '24

03 Jul '24

From: "Dae R. Jeong" <threeearcat(a)gmail.com> stable inclusion from stable-v6.6.33 commit ab67c2fd3d070a21914d0c31319d3858ab4e199c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D88 CVE: CVE-2024-36489 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 91e61dd7a0af660408e87372d8330ceb218be302 ] In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // In sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // In tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt() -(3) In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference. To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot. Fixes: d5bee7374b68 ("net/tls: Annotate access to sk_prot with READ_ONCE/WRITE_ONCE") Signed-off-by: Yewon Choi <woni9911(a)gmail.com> Signed-off-by: Dae R. Jeong <threeearcat(a)gmail.com> Link: https://lore.kernel.org/netdev/ZU4OJG56g2V9z_H7@dragonet/T/ Link: https://lore.kernel.org/r/Zkx4vjSFp0mfpjQ2@libra05 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/tls/tls_main.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index e97fcb502115..0a67b93a52ec 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -814,9 +814,17 @@ struct tls_context *tls_ctx_create(struct sock *sk) return NULL; mutex_init(&ctx->tx_lock); - rcu_assign_pointer(icsk->icsk_ulp_data, ctx); ctx->sk_proto = READ_ONCE(sk->sk_prot); ctx->sk = sk; + /* Release semantic of rcu_assign_pointer() ensures that + * ctx->sk_proto is visible before changing sk->sk_prot in + * update_sk_prot(), and prevents reading uninitialized value in + * tls_{getsockopt, setsockopt}. Note that we do not need a + * read barrier in tls_{getsockopt,setsockopt} as there is an + * address dependency between sk->sk_proto->{getsockopt,setsockopt} + * and ctx->sk_proto. + */ + rcu_assign_pointer(icsk->icsk_ulp_data, ctx); return ctx; } -- 2.34.1

2 1