- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP2 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] net-memcg: Fix scope of sockmem pressure indicators
by Chen Ridong 22 May '24

22 May '24

*** BLURB HERE *** Abel Wu (1): net-memcg: Fix scope of sockmem pressure indicators include/linux/memcontrol.h | 9 +++++++-- mm/vmpressure.c | 13 ++++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-1.0-LTS] i2c: smbus: fix NULL function pointer dereference
by Zhao Mengmeng 22 May '24

22 May '24

From: Wolfram Sang <wsa+renesas(a)sang-engineering.com> stable inclusion from stable-v4.19.313 commit 40f1d79f07b49c8a64a861706e5163f2db4bd95d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRRJ CVE: CVE-2024-35984 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f ] Baruch reported an OOPS when using the designware controller as target only. Target-only modes break the assumption of one transfer function always being available. Fix this by always checking the pointer in __i2c_transfer. Reported-by: Baruch Siach <baruch(a)tkos.co.il> Closes: https://lore.kernel.org/r/4269631780e5ba789cf1ae391eec1b959def7d99.17127619… Fixes: 4b1acc43331d ("i2c: core changes for slave support") [wsa: dropped the simplification in core-smbus to avoid theoretical regressions] Signed-off-by: Wolfram Sang <wsa+renesas(a)sang-engineering.com> Tested-by: Baruch Siach <baruch(a)tkos.co.il> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> --- drivers/i2c/i2c-core-base.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index fdf644b53972..366bd86285d6 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -1911,13 +1911,18 @@ static int i2c_check_for_quirks(struct i2c_adapter *adap, struct i2c_msg *msgs, * Returns negative errno, else the number of messages executed. * * Adapter lock must be held when calling this function. No debug logging - * takes place. adap->algo->master_xfer existence isn't checked. + * takes place. */ int __i2c_transfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) { unsigned long orig_jiffies; int ret, try; + if (!adap->algo->master_xfer) { + dev_dbg(&adap->dev, "I2C level transfers not supported\n"); + return -EOPNOTSUPP; + } + if (WARN_ON(!msgs || num < 1)) return -EINVAL; -- 2.33.0

2 1

[PATCH v2 OLK-5.10 0/2] Fix CVE-2024-35896 and CVE-2024-35962
by Zhao Mengmeng 22 May '24

22 May '24

Fix CVE-2024-35896 and CVE-2024-35962 Eric Dumazet (2): netfilter: validate user input for expected length netfilter: complete validation of user input net/bridge/netfilter/ebtables.c | 6 ++++++ net/ipv4/netfilter/arp_tables.c | 8 ++++++++ net/ipv4/netfilter/ip_tables.c | 8 ++++++++ net/ipv6/netfilter/ip6_tables.c | 8 ++++++++ 4 files changed, 30 insertions(+) -- 2.33.0

2 3

[PATCH openEuler-1.0-LTS] powerpc/powernv: Add a null pointer check in opal_event_init()
by Guo Mengqi 22 May '24

22 May '24

From: Kunwu Chan <chentao(a)kylinos.cn> stable inclusion from stable-v4.19.306 commit 8422d179cf46889c15ceff9ede48c5bfa4e7f0b4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9IH CVE: CVE-2023-52686 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 8649829a1dd25199bbf557b2621cedb4bf9b3050 ] kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: 2717a33d6074 ("powerpc/opal-irqchip: Use interrupt names if present") Signed-off-by: Kunwu Chan <chentao(a)kylinos.cn> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20231127030755.1546750-1-chentao@kylinos.cn Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- arch/powerpc/platforms/powernv/opal-irqchip.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/platforms/powernv/opal-irqchip.c b/arch/powerpc/platforms/powernv/opal-irqchip.c index bc97770a67db..e71f2111c8c0 100644 --- a/arch/powerpc/platforms/powernv/opal-irqchip.c +++ b/arch/powerpc/platforms/powernv/opal-irqchip.c @@ -282,6 +282,8 @@ int __init opal_event_init(void) else name = kasprintf(GFP_KERNEL, "opal"); + if (!name) + continue; /* Install interrupt handler */ rc = request_irq(r->start, opal_interrupt, r->flags & IRQD_TRIGGER_MASK, name, NULL); -- 2.17.1

2 1

[PATCH OLK-5.10] i2c: smbus: fix NULL function pointer dereference
by Zhao Mengmeng 22 May '24

22 May '24

From: Wolfram Sang <wsa+renesas(a)sang-engineering.com> stable inclusion from stable-v5.10.216 commit 5fd72404587d7db4acb2d241fd8c387afb0a7aec category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRRJ CVE: CVE-2024-35984 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f ] Baruch reported an OOPS when using the designware controller as target only. Target-only modes break the assumption of one transfer function always being available. Fix this by always checking the pointer in __i2c_transfer. Reported-by: Baruch Siach <baruch(a)tkos.co.il> Closes: https://lore.kernel.org/r/4269631780e5ba789cf1ae391eec1b959def7d99.17127619… Fixes: 4b1acc43331d ("i2c: core changes for slave support") [wsa: dropped the simplification in core-smbus to avoid theoretical regressions] Signed-off-by: Wolfram Sang <wsa+renesas(a)sang-engineering.com> Tested-by: Baruch Siach <baruch(a)tkos.co.il> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> --- drivers/i2c/i2c-core-base.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c index 40e05f762a1b..f86741ba8a00 100644 --- a/drivers/i2c/i2c-core-base.c +++ b/drivers/i2c/i2c-core-base.c @@ -2060,13 +2060,18 @@ static int i2c_check_for_quirks(struct i2c_adapter *adap, struct i2c_msg *msgs, * Returns negative errno, else the number of messages executed. * * Adapter lock must be held when calling this function. No debug logging - * takes place. adap->algo->master_xfer existence isn't checked. + * takes place. */ int __i2c_transfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) { unsigned long orig_jiffies; int ret, try; + if (!adap->algo->master_xfer) { + dev_dbg(&adap->dev, "I2C level transfers not supported\n"); + return -EOPNOTSUPP; + } + if (WARN_ON(!msgs || num < 1)) return -EINVAL; @@ -2133,11 +2138,6 @@ int i2c_transfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num) { int ret; - if (!adap->algo->master_xfer) { - dev_dbg(&adap->dev, "I2C level transfers not supported\n"); - return -EOPNOTSUPP; - } - /* REVISIT the fault reporting model here is weak: * * - When we get an error after receiving N bytes from a slave, -- 2.33.0

2 1

[PATCH openEuler-1.0-LTS] selinux: avoid dereference of garbage after mount failure
by felix 22 May '24

22 May '24

From: Christian Göttsche <cgzones(a)googlemail.com> stable inclusion from stable-v6.6.26 commit 477ed6789eb9f3f4d3568bb977f90c863c12724e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG73 CVE: CVE-2024-35904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 37801a36b4d68892ce807264f784d818f8d0d39b upstream. In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount. Cc: stable(a)vger.kernel.org Fixes: 0619f0f5e36f ("selinux: wrap selinuxfs state") Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: security/selinux/selinuxfs.c [commit cd2bb4cb0996 db478cd60d55 was not merged, but it only adjust the attr of selinuxfs_mount, finally we delete it, so it does not affect the patch] Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/selinux/selinuxfs.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 4f72d0998580..7edf19dbb58a 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -2028,7 +2028,6 @@ static struct file_system_type sel_fs_type = { .kill_sb = sel_kill_sb, }; -struct vfsmount *selinuxfs_mount; struct path selinux_null; static int __init init_sel_fs(void) @@ -2050,18 +2049,21 @@ static int __init init_sel_fs(void) return err; } - selinux_null.mnt = selinuxfs_mount = kern_mount(&sel_fs_type); - if (IS_ERR(selinuxfs_mount)) { + selinux_null.mnt = kern_mount(&sel_fs_type); + if (IS_ERR(selinux_null.mnt)) { pr_err("selinuxfs: could not mount!\n"); - err = PTR_ERR(selinuxfs_mount); - selinuxfs_mount = NULL; + err = PTR_ERR(selinux_null.mnt); + selinux_null.mnt = NULL; + return err; } + selinux_null.dentry = d_hash_and_lookup(selinux_null.mnt->mnt_root, &null_name); if (IS_ERR(selinux_null.dentry)) { pr_err("selinuxfs: could not lookup null!\n"); err = PTR_ERR(selinux_null.dentry); selinux_null.dentry = NULL; + return err; } return err; -- 2.34.1

2 1

[PATCH OLK-5.10] selinux: avoid dereference of garbage after mount failure
by felix 22 May '24

22 May '24

From: Christian Göttsche <cgzones(a)googlemail.com> stable inclusion from stable-v6.6.26 commit 477ed6789eb9f3f4d3568bb977f90c863c12724e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG73 CVE: CVE-2024-35904 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 37801a36b4d68892ce807264f784d818f8d0d39b upstream. In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount. Cc: stable(a)vger.kernel.org Fixes: 0619f0f5e36f ("selinux: wrap selinuxfs state") Signed-off-by: Christian Göttsche <cgzones(a)googlemail.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: security/selinux/selinuxfs.c [commit cd2bb4cb0996 db478cd60d55 was not merged, but it only adjust the attr of selinuxfs_mount, finally we delete it, so it does not affect the patch] Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/selinux/selinuxfs.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index d893c2280f59..b45fb2924476 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -2205,7 +2205,6 @@ static struct file_system_type sel_fs_type = { .kill_sb = sel_kill_sb, }; -struct vfsmount *selinuxfs_mount; struct path selinux_null; static int __init init_sel_fs(void) @@ -2227,18 +2226,21 @@ static int __init init_sel_fs(void) return err; } - selinux_null.mnt = selinuxfs_mount = kern_mount(&sel_fs_type); - if (IS_ERR(selinuxfs_mount)) { + selinux_null.mnt = kern_mount(&sel_fs_type); + if (IS_ERR(selinux_null.mnt)) { pr_err("selinuxfs: could not mount!\n"); - err = PTR_ERR(selinuxfs_mount); - selinuxfs_mount = NULL; + err = PTR_ERR(selinux_null.mnt); + selinux_null.mnt = NULL; + return err; } + selinux_null.dentry = d_hash_and_lookup(selinux_null.mnt->mnt_root, &null_name); if (IS_ERR(selinux_null.dentry)) { pr_err("selinuxfs: could not lookup null!\n"); err = PTR_ERR(selinux_null.dentry); selinux_null.dentry = NULL; + return err; } return err; -- 2.34.1

2 1

[PATCH OLK-5.10] netfilter: complete validation of user input
by Zhao Mengmeng 22 May '24

22 May '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.216 commit cf4bc359b76144a3dd55d7c09464ef4c5f2b2b05 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRRU CVE: CVE-2024-35962 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ] In my recent commit, I missed that do_replace() handlers use copy_from_sockptr() (which I fixed), followed by unsafe copy_from_sockptr_offset() calls. In all functions, we can perform the @optlen validation before even calling xt_alloc_table_info() with the following check: if ((u64)optlen < (u64)tmp.size + sizeof(tmp)) return -EINVAL; Fixes: 0c83842df40f ("netfilter: validate user input for expected length") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> --- net/ipv4/netfilter/arp_tables.c | 4 ++++ net/ipv4/netfilter/ip_tables.c | 4 ++++ net/ipv6/netfilter/ip6_tables.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index 48c6aa3d91ae..5823e89b8a73 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -965,6 +965,8 @@ static int do_replace(struct net *net, sockptr_t arg, unsigned int len) return -ENOMEM; if (tmp.num_counters == 0) return -EINVAL; + if ((u64)len < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; tmp.name[sizeof(tmp.name)-1] = 0; @@ -1265,6 +1267,8 @@ static int compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) return -ENOMEM; if (tmp.num_counters == 0) return -EINVAL; + if ((u64)len < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; tmp.name[sizeof(tmp.name)-1] = 0; diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index b46d58b9f3fe..22e9ff592cd7 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1119,6 +1119,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) return -ENOMEM; if (tmp.num_counters == 0) return -EINVAL; + if ((u64)len < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; tmp.name[sizeof(tmp.name)-1] = 0; @@ -1505,6 +1507,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) return -ENOMEM; if (tmp.num_counters == 0) return -EINVAL; + if ((u64)len < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; tmp.name[sizeof(tmp.name)-1] = 0; diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index d013395be05f..df7cd3d285e4 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1137,6 +1137,8 @@ do_replace(struct net *net, sockptr_t arg, unsigned int len) return -ENOMEM; if (tmp.num_counters == 0) return -EINVAL; + if ((u64)len < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; tmp.name[sizeof(tmp.name)-1] = 0; @@ -1515,6 +1517,8 @@ compat_do_replace(struct net *net, sockptr_t arg, unsigned int len) return -ENOMEM; if (tmp.num_counters == 0) return -EINVAL; + if ((u64)len < (u64)tmp.size + sizeof(tmp)) + return -EINVAL; tmp.name[sizeof(tmp.name)-1] = 0; -- 2.33.0

2 1