- Kernel - mailweb.openeuler.org

[PATCH V3 OLK-5.10] iommu: Reserve kabi for iommu and memory related functions
by Zhang Zekun 28 May '24

28 May '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9S5ZK ------------------------------------- Reserve kabi for the iova and iommu related functions. It is used for future patches merge. Signed-off-by: Zhang Zekun <zhangzekun11(a)huawei.com> --- v3: - remove Offering HULK drivers/iommu/iommu.c | 4 ++++ include/linux/iova.h | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index 6d4f515294f9..1366a892891d 100644 --- a/drivers/iommu/iommu.c +++ b/drivers/iommu/iommu.c @@ -58,6 +58,10 @@ struct iommu_group { struct iommu_domain *default_domain; struct iommu_domain *domain; struct list_head entry; + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; struct group_device { diff --git a/include/linux/iova.h b/include/linux/iova.h index 25c447124638..ccc59e4b6c54 100644 --- a/include/linux/iova.h +++ b/include/linux/iova.h @@ -34,6 +34,8 @@ struct iova_rcache { struct iova_cpu_rcache __percpu *cpu_rcaches; struct iova_domain *iovad; struct delayed_work work; + KABI_RESERVE(1) + KABI_RESERVE(2) }; struct iova_domain; @@ -63,6 +65,8 @@ struct iova_fq { struct iova_fq_entry entries[IOVA_FQ_SIZE]; unsigned head, tail; spinlock_t lock; + KABI_RESERVE(1) + KABI_RESERVE(2) }; /* holds all the iova translations for a domain */ @@ -97,6 +101,10 @@ struct iova_domain { atomic_t fq_timer_on; /* 1 when timer is active, 0 when not */ struct work_struct free_iova_work; + KABI_RESERVE(1) + KABI_RESERVE(2) + KABI_RESERVE(3) + KABI_RESERVE(4) }; static inline unsigned long iova_size(struct iova *iova) -- 2.17.1

2 1

[PATCH openEuler-1.0-LTS] RDMA: Verify port when creating flow rule
by Zhengchao Shao 28 May '24

28 May '24

From: Maor Gottlieb <maorg(a)nvidia.com> mainline inclusion from mainline-v5.13-rc6 commit 2adcb4c5a52a2623cd2b43efa7041e74d19f3a5e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4GV CVE: CVE-2021-47265 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Validate port value provided by the user and with that remove no longer needed validation by the driver. The missing check in the mlx5_ib driver could cause to the below oops. Call trace: _create_flow_rule+0x2d4/0xf28 [mlx5_ib] mlx5_ib_create_flow+0x2d0/0x5b0 [mlx5_ib] ib_uverbs_ex_create_flow+0x4cc/0x624 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xd4/0x150 [ib_uverbs] ib_uverbs_cmd_verbs.isra.7+0xb28/0xc50 [ib_uverbs] ib_uverbs_ioctl+0x158/0x1d0 [ib_uverbs] do_vfs_ioctl+0xd0/0xaf0 ksys_ioctl+0x84/0xb4 __arm64_sys_ioctl+0x28/0xc4 el0_svc_common.constprop.3+0xa4/0x254 el0_svc_handler+0x84/0xa0 el0_svc+0x10/0x26c Code: b9401260 f9615681 51000400 8b001c20 (f9403c1a) Fixes: 436f2ad05a0b ("IB/core: Export ib_create/destroy_flow through uverbs") Link: https://lore.kernel.org/r/faad30dc5219a01727f47db3dc2f029d07c82c00.16233099… Reviewed-by: Mark Bloch <markb(a)mellanox.com> Signed-off-by: Maor Gottlieb <maorg(a)nvidia.com> Signed-off-by: Leon Romanovsky <leonro(a)nvidia.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Conflicts: drivers/infiniband/core/uverbs_cmd.c drivers/infiniband/hw/mlx4/main.c drivers/infiniband/hw/mlx5/main.c [The conflict occurs because the commit 8313c10fa8be("RDMA/uverbs: Replace ib_uverbs_file with uverbs_attr_bundle for write") and 24dc831b77ec ("IB/core: Add inline function to validate port") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/infiniband/core/uverbs_cmd.c | 5 +++++ drivers/infiniband/hw/mlx4/main.c | 3 --- drivers/infiniband/hw/mlx5/main.c | 1 - 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c index e012ca80f9d1..f60c1a3e6386 100644 --- a/drivers/infiniband/core/uverbs_cmd.c +++ b/drivers/infiniband/core/uverbs_cmd.c @@ -3556,6 +3556,11 @@ int ib_uverbs_ex_create_flow(struct ib_uverbs_file *file, goto err_free_attr; } + if (!rdma_is_port_valid(uobj->context->device, cmd.flow_attr.port)) { + err = -EINVAL; + goto err_uobj; + } + qp = uobj_get_obj_read(qp, UVERBS_OBJECT_QP, cmd.qp_handle, file); if (!qp) { err = -EINVAL; diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c index 9386bb57b3d7..ed6130cba39d 100644 --- a/drivers/infiniband/hw/mlx4/main.c +++ b/drivers/infiniband/hw/mlx4/main.c @@ -1813,9 +1813,6 @@ static struct ib_flow *mlx4_ib_create_flow(struct ib_qp *qp, struct mlx4_dev *dev = (to_mdev(qp->device))->dev; int is_bonded = mlx4_is_bonded(dev); - if (flow_attr->port < 1 || flow_attr->port > qp->device->phys_port_cnt) - return ERR_PTR(-EINVAL); - if (flow_attr->flags & ~IB_FLOW_ATTR_FLAGS_DONT_TRAP) return ERR_PTR(-EOPNOTSUPP); diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 1f1f57a2753c..4f340d6db582 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -3591,7 +3591,6 @@ static struct ib_flow *mlx5_ib_create_flow(struct ib_qp *qp, } if (domain != IB_FLOW_DOMAIN_USER || - flow_attr->port > dev->num_ports || (flow_attr->flags & ~(IB_FLOW_ATTR_FLAGS_DONT_TRAP | IB_FLOW_ATTR_FLAGS_EGRESS))) { err = -EINVAL; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] cpu/hotplug: Don't offline the last non-isolated CPU
by liwei 28 May '24

28 May '24

From: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> mainline inclusion from mainline-v6.7-rc1 commit 38685e2a0476127db766f81b1c06019ddc4c9ffa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFL2 CVE: CVE-2023-52831 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARN_ON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partition_sched_domains_locked(). cpuset_hotplug_workfn() rebuild_sched_domains_locked() ndoms = generate_sched_domains(&doms, &attr); cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN)); Thus results in an empty CPU mask which triggers the warning and then the subsequent crash: WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408 Call trace: build_sched_domains+0x120c/0x1408 partition_sched_domains_locked+0x234/0x880 rebuild_sched_domains_locked+0x37c/0x798 rebuild_sched_domains+0x30/0x58 cpuset_hotplug_workfn+0x2a8/0x930 Unable to handle kernel paging request at virtual address fffe80027ab37080 partition_sched_domains_locked+0x318/0x880 rebuild_sched_domains_locked+0x37c/0x798 Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU. Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue. Suggested-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/r/202310171709530660462@zte.com.cn Conflicts: kernel/cpu.c [commit 04d4e665a60902cf36e7ad39af1179cb5df542ad ("sched/isolation: Use single feature type while referring to housekeeping cpumask") was nos merged] Signed-off-by: liwei <liwei728(a)huawei.com> --- kernel/cpu.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/cpu.c b/kernel/cpu.c index d1d61f363a2c..ad58af7499e2 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1044,11 +1044,14 @@ static int cpu_down_maps_locked(unsigned int cpu, enum cpuhp_state target) /* * Ensure that the control task does not run on the to be offlined * CPU to prevent a deadlock against cfs_b->period_timer. + * Also keep at least one housekeeping cpu onlined to avoid generating + * an empty sched_domain span. */ - cpu = cpumask_any_but(cpu_online_mask, cpu); - if (cpu >= nr_cpu_ids) - return -EBUSY; - return work_on_cpu(cpu, __cpu_down_maps_locked, &work); + for_each_cpu_and(cpu, cpu_online_mask, housekeeping_cpumask(HK_FLAG_DOMAIN)) { + if (cpu != work.cpu) + return work_on_cpu(cpu, __cpu_down_maps_locked, &work); + } + return -EBUSY; } static int do_cpu_down(unsigned int cpu, enum cpuhp_state target) -- 2.25.1

2 1

[PATCH OLK-5.10] cpu/hotplug: Don't offline the last non-isolated CPU
by liwei 28 May '24

28 May '24

From: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> mainline inclusion from mainline-v6.7-rc1 commit 38685e2a0476127db766f81b1c06019ddc4c9ffa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFL2 CVE: CVE-2023-52831 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If a system has isolated CPUs via the "isolcpus=" command line parameter, then an attempt to offline the last housekeeping CPU will result in a WARN_ON() when rebuilding the scheduler domains and a subsequent panic due to and unhandled empty CPU mas in partition_sched_domains_locked(). cpuset_hotplug_workfn() rebuild_sched_domains_locked() ndoms = generate_sched_domains(&doms, &attr); cpumask_and(doms[0], top_cpuset.effective_cpus, housekeeping_cpumask(HK_FLAG_DOMAIN)); Thus results in an empty CPU mask which triggers the warning and then the subsequent crash: WARNING: CPU: 4 PID: 80 at kernel/sched/topology.c:2366 build_sched_domains+0x120c/0x1408 Call trace: build_sched_domains+0x120c/0x1408 partition_sched_domains_locked+0x234/0x880 rebuild_sched_domains_locked+0x37c/0x798 rebuild_sched_domains+0x30/0x58 cpuset_hotplug_workfn+0x2a8/0x930 Unable to handle kernel paging request at virtual address fffe80027ab37080 partition_sched_domains_locked+0x318/0x880 rebuild_sched_domains_locked+0x37c/0x798 Aside of the resulting crash, it does not make any sense to offline the last last housekeeping CPU. Prevent this by masking out the non-housekeeping CPUs when selecting a target CPU for initiating the CPU unplug operation via the work queue. Suggested-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Link: https://lore.kernel.org/r/202310171709530660462@zte.com.cn Conflicts: kernel/cpu.c [commit 04d4e665a60902cf36e7ad39af1179cb5df542ad ("sched/isolation: Use single feature type while referring to housekeeping cpumask") was nos merged] Signed-off-by: liwei <liwei728(a)huawei.com> --- kernel/cpu.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/cpu.c b/kernel/cpu.c index fdd911b306e0..870ac4283f86 100644 --- a/kernel/cpu.c +++ b/kernel/cpu.c @@ -1142,11 +1142,14 @@ static int cpu_down_maps_locked(unsigned int cpu, enum cpuhp_state target) /* * Ensure that the control task does not run on the to be offlined * CPU to prevent a deadlock against cfs_b->period_timer. + * Also keep at least one housekeeping cpu onlined to avoid generating + * an empty sched_domain span. */ - cpu = cpumask_any_but(cpu_online_mask, cpu); - if (cpu >= nr_cpu_ids) - return -EBUSY; - return work_on_cpu(cpu, __cpu_down_maps_locked, &work); + for_each_cpu_and(cpu, cpu_online_mask, housekeeping_cpumask(HK_FLAG_DOMAIN)) { + if (cpu != work.cpu) + return work_on_cpu(cpu, __cpu_down_maps_locked, &work); + } + return -EBUSY; } static int cpu_down(unsigned int cpu, enum cpuhp_state target) -- 2.25.1

2 1

[PATCH OLK-5.10 v3] dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup
by Xiongfeng Wang 28 May '24

28 May '24

From: Kory Maincent <kory.maincent(a)bootlin.com> mainline inclusion from mainline-v6.8-rc7 commit bbcc1c83f343e580c3aa1f2a8593343bf7b55bba category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8OH CVE: CVE-2024-27408 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The Linked list element and pointer are not stored in the same memory as the eDMA controller register. If the doorbell register is toggled before the full write of the linked list a race condition error will occur. In remote setup we can only use a readl to the memory to assure the full write has occurred. Fixes: 7e4b8a4fbe2c ("dmaengine: Add Synopsys eDMA IP version 0 support") Reviewed-by: Serge Semin <fancer.lancer(a)gmail.com> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> Signed-off-by: Kory Maincent <kory.maincent(a)bootlin.com> Link: https://lore.kernel.org/r/20240129-b4-feature_hdma_mainline-v7-6-8e8c1acb7a… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Conflicts: drivers/dma/dw-edma/dw-edma-v0-core.c [wangxiongfeng: Remove the following check in the origin patch: 'if (!(chunk->chan->dw->chip->flags & DW_EDMA_CHIP_LOCAL))'. Because DW_EDMA_CHIP_LOCAL is not introduced, and there is no member in struct dw_edma_chan. DW_EDMA_CHIP_LOCAL is only set for driver DW_EDMA_CHIP_LOCAL in commit 939fbcd568fd ("PCI: dwc: Add Root Port and Endpoint controller eDMA engine support", which is not merged in 5.10. Also change 'vaddr.io' to 'vaddr' because 'vaddr.io' is not introduced and these two have the same meaning. Refer to 16f8a08643b6 ("dmaengine: dw-edma: Add mem-mapped LL-entries support")] Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- drivers/dma/dw-edma/dw-edma-v0-core.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/dma/dw-edma/dw-edma-v0-core.c b/drivers/dma/dw-edma/dw-edma-v0-core.c index 692de47b1670..4016a3e07c7a 100644 --- a/drivers/dma/dw-edma/dw-edma-v0-core.c +++ b/drivers/dma/dw-edma/dw-edma-v0-core.c @@ -233,6 +233,19 @@ static void dw_edma_v0_core_write_chunk(struct dw_edma_chunk *chunk) SET_LL(&llp->llp_high, upper_32_bits(chunk->ll_region.paddr)); } +static void dw_edma_v0_sync_ll_data(struct dw_edma_chunk *chunk) +{ + /* + * In case of remote eDMA engine setup, the DW PCIe RP/EP internal + * configuration registers and application memory are normally accessed + * over different buses. Ensure LL-data reaches the memory before the + * doorbell register is toggled by issuing the dummy-read from the remote + * LL memory in a hope that the MRd TLP will return only after the + * last MWr TLP is completed + */ + readl(chunk->ll_region.vaddr); +} + void dw_edma_v0_core_start(struct dw_edma_chunk *chunk, bool first) { struct dw_edma_chan *chan = chunk->chan; @@ -262,6 +275,9 @@ void dw_edma_v0_core_start(struct dw_edma_chunk *chunk, bool first) SET_CH(dw, chan->dir, chan->id, llp_high, upper_32_bits(chunk->ll_region.paddr)); } + + dw_edma_v0_sync_ll_data(chunk); + /* Doorbell */ SET_RW(dw, chan->dir, doorbell, FIELD_PREP(EDMA_V0_DOORBELL_CH_MASK, chan->id)); -- 2.20.1

2 1

[PATCH OLK-6.6] LoongArch: Fix secondary bridge routing errors
by Hongchen Zhang 28 May '24

28 May '24

From: Guxin Gao <gaojuxin(a)loongson.cn> LoongArch inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9SW2E CVE: NA ------------------------------------------------------------------ Fixed the problem of device interrupt exception on lower bridge 1 of 3C5000 dual-bridge platform due to extended IO interrupt routing error. Fixes: a0636064c194 ("irqchip/loongson-pch-pic: Update interrupt registration policy") Signed-off-by: Guxin Gao <gaojuxin(a)loongson.cn> Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- drivers/irqchip/irq-loongson-pch-pic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-loongson-pch-pic.c b/drivers/irqchip/irq-loongson-pch-pic.c index 6b650020fff8..6e4dde64687e 100644 --- a/drivers/irqchip/irq-loongson-pch-pic.c +++ b/drivers/irqchip/irq-loongson-pch-pic.c @@ -268,7 +268,7 @@ static void pch_pic_reset(struct pch_pic *priv) for (i = 0; i < PIC_COUNT; i++) { /* Write vector ID */ - writeb(priv->ht_vec_base + i, priv->base + PCH_INT_HTVEC(hwirq_to_bit(priv, i))); + writeb(i, priv->base + PCH_INT_HTVEC(hwirq_to_bit(priv, i))); /* Hardcode route to HT0 Lo */ writeb(1, priv->base + PCH_INT_ROUTE(i)); } -- 2.33.0

2 1

[PATCH OLK-5.10] mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
by Ziyang Xuan 28 May '24

28 May '24

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.8-rc1 commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9D1 CVE: CVE-2024-35840 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option() Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Florian Westphal <fw(a)strlen.de> Cc: Peter Krystad <peter.krystad(a)linux.intel.com> Cc: Matthieu Baerts <matttbe(a)kernel.org> Cc: Mat Martineau <martineau(a)kernel.org> Cc: Geliang Tang <geliang.tang(a)linux.dev> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Mat Martineau <martineau(a)kernel.org> Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/mptcp/options.c net/mptcp/protocol.h net/mptcp/subflow.c [The introduction of suboptions is from commit 74c7dfbee3e1, and OPTION_MPTCP_MPJ_SYNACK assignment of suboptions is from commit 89e23277f9c1. Just focus on OPTION_MPTCP_MPJ_SYNACK related logic.] Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/mptcp/options.c | 2 ++ net/mptcp/protocol.h | 1 + net/mptcp/subflow.c | 3 ++- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 2cc80a07ff23..501011bec8b8 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -113,6 +113,7 @@ static void mptcp_parse_option(const struct sk_buff *skb, mp_opt->backup, mp_opt->join_id, mp_opt->token, mp_opt->nonce); } else if (opsize == TCPOLEN_MPTCP_MPJ_SYNACK) { + mp_opt->suboptions |= OPTION_MPTCP_MPJ_SYNACK; mp_opt->backup = *ptr++ & MPTCPOPT_BACKUP; mp_opt->join_id = *ptr++; mp_opt->thmac = get_unaligned_be64(ptr); @@ -299,6 +300,7 @@ void mptcp_get_options(const struct sk_buff *skb, mp_opt->port = 0; mp_opt->rm_addr = 0; mp_opt->dss = 0; + mp_opt->suboptions = 0; length = (th->doff * 4) - sizeof(struct tcphdr); ptr = (const unsigned char *)(th + 1); diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 3e5af8397434..9f8fb7b1f4fa 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -107,6 +107,7 @@ struct mptcp_options_received { family : 4, echo : 1, backup : 1; + u16 suboptions; u32 token; u32 nonce; u64 thmac; diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 9d2e73db4c27..1b73230c0262 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -323,7 +323,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) } else if (subflow->request_join) { u8 hmac[SHA256_DIGEST_SIZE]; - if (!mp_opt.mp_join) + if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_SYNACK)) goto do_reset; subflow->thmac = mp_opt.thmac; @@ -542,6 +542,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, * are not parsed */ mp_opt.mp_capable = 0; + mp_opt.suboptions = 0; /* hopefully temporary handling for MP_JOIN+syncookie */ subflow_req = mptcp_subflow_rsk(req); -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] drm/nouveau/debugfs: fix file release memory leak
by Zheng Zucheng 28 May '24

28 May '24

From: Yang Yingliang <yangyingliang(a)huawei.com> stable inclusion from linux-4.19.211 commit 1508b09945bde393326a9dab73b1fc35f672d771 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4NL CVE: CVE-2021-47423 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f5a8703a9c418c6fc54eb772712dfe7641e3991c ] When using single_open() for opening, single_release() should be called, otherwise the 'op' allocated in single_open() will be leaked. Fixes: 6e9fc177399f ("drm/nouveau/debugfs: add copy of sysfs pstate interface ported to debugfs") Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Reviewed-by: Karol Herbst <kherbst(a)redhat.com> Signed-off-by: Karol Herbst <kherbst(a)redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20210911075023.3969054-2-yang… Signed-off-by: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- drivers/gpu/drm/nouveau/nouveau_debugfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c index 9635704a1d86..41f9c53302ab 100644 --- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c +++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c @@ -182,6 +182,7 @@ static const struct file_operations nouveau_pstate_fops = { .open = nouveau_debugfs_pstate_open, .read = seq_read, .write = nouveau_debugfs_pstate_set, + .release = single_release, }; static struct drm_info_list nouveau_debugfs_list[] = { -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] pinctrl: single: fix potential NULL dereference
by Yang Yingliang 28 May '24

28 May '24

From: Maxim Korotkov <korotkov.maxim.s(a)gmail.com> mainline inclusion from mainline-v6.2-rc5 commit d2d73e6d4822140445ad4a7b1c6091e0f5fe703b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4L9 CVE: CVE-2022-48708 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Added checking of pointer "function" in pcs_set_mux(). pinmux_generic_get_function() can return NULL and the pointer "function" was dereferenced without checking against NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions") Signed-off-by: Maxim Korotkov <korotkov.maxim.s(a)gmail.com> Reviewed-by: Tony Lindgren <tony(a)atomide.com> Link: https://lore.kernel.org/r/20221118104332.943-1-korotkov.maxim.s@gmail.com Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/pinctrl/pinctrl-single.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c index 7ec72ff2419a..2958758935ed 100644 --- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -345,6 +345,8 @@ static int pcs_set_mux(struct pinctrl_dev *pctldev, unsigned fselector, if (!pcs->fmask) return 0; function = pinmux_generic_get_function(pctldev, fselector); + if (!function) + return -EINVAL; func = function->data; if (!func) return -EINVAL; -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS] pinctrl: single: fix potential NULL dereference
by Yang Yingliang 28 May '24

28 May '24

From: Maxim Korotkov <korotkov.maxim.s(a)gmail.com> mainline inclusion from mainline-v6.2-rc5 commit d2d73e6d4822140445ad4a7b1c6091e0f5fe703b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4L9 CVE: CVE-2022-48708 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Added checking of pointer "function" in pcs_set_mux(). pinmux_generic_get_function() can return NULL and the pointer "function" was dereferenced without checking against NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions") Signed-off-by: Maxim Korotkov <korotkov.maxim.s(a)gmail.com> Reviewed-by: Tony Lindgren <tony(a)atomide.com> Link: https://lore.kernel.org/r/20221118104332.943-1-korotkov.maxim.s@gmail.com Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/pinctrl/pinctrl-single.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c index 7ec72ff2419a..2958758935ed 100644 --- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -345,6 +345,8 @@ static int pcs_set_mux(struct pinctrl_dev *pctldev, unsigned fselector, if (!pcs->fmask) return 0; function = pinmux_generic_get_function(pctldev, fselector); + if (!function) + return -EINVAL; func = function->data; if (!func) return -EINVAL; -- 2.25.1

2 1