- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 0/2] fix CVE-2022-48865
by Zhengchao Shao 20 Jul '24

20 Jul '24

Fix CVE-2022-48865 Tung Nguyen (1): tipc: fix kernel panic when enabling bearer Tuong Lien (1): tipc: fix NULL pointer dereference in tipc_disc_rcv() net/tipc/bearer.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) -- 2.34.1

2 3

[PATCH openEuler-22.03-LTS-SP1] drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group
by Kaixiong Yu 20 Jul '24

20 Jul '24

From: Junhao He <hejunhao3(a)huawei.com> stable inclusion from stable-v6.6.33 commit be1fa711e59c874d049f592aef1d4685bdd22bdf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SDT CVE: CVE-2024-38568 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 81bdd60a3d1d3b05e6cc6674845afb1694dd3a0e ] The perf tool allows users to create event groups through following cmd [1], but the driver does not check whether the array index is out of bounds when writing data to the event_group array. If the number of events in an event_group is greater than HNS3_PMU_MAX_HW_EVENTS, the memory write overflow of event_group array occurs. Add array index check to fix the possible array out of bounds violation, and return directly when write new events are written to array bounds. There are 9 different events in an event_group. [1] perf stat -e '{pmu/event1/, ... ,pmu/event9/} Fixes: 66637ab137b4 ("drivers/perf: hisi: add driver for HNS3 PMU") Signed-off-by: Junhao He <hejunhao3(a)huawei.com> Signed-off-by: Hao Chen <chenhao418(a)huawei.com> Acked-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Reviewed-by: Jijie Shao <shaojijie(a)huawei.com> Link: https://lore.kernel.org/r/20240425124627.13764-3-hejunhao3@huawei.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/perf/hisilicon/hns3_pmu.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/perf/hisilicon/hns3_pmu.c b/drivers/perf/hisilicon/hns3_pmu.c index 40edc4cfcc34..47c0de7671cc 100644 --- a/drivers/perf/hisilicon/hns3_pmu.c +++ b/drivers/perf/hisilicon/hns3_pmu.c @@ -1088,15 +1088,27 @@ static bool hns3_pmu_validate_event_group(struct perf_event *event) return false; for (num = 0; num < counters; num++) { + /* + * If we find a related event, then it's a valid group + * since we don't need to allocate a new counter for it. + */ if (hns3_pmu_cmp_event(event_group[num], sibling)) break; } + /* + * Otherwise it's a new event but if there's no available counter, + * fail the check since we cannot schedule all the events in + * the group simultaneously. + */ + if (num == HNS3_PMU_MAX_HW_EVENTS) + return false; + if (num == counters) event_group[counters++] = sibling; } - return counters <= HNS3_PMU_MAX_HW_EVENTS; + return true; } static u32 hns3_pmu_get_filter_condition(struct perf_event *event) -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS 0/2] fix CVE-2022-48865
by Zhengchao Shao 20 Jul '24

20 Jul '24

Fix CVE-2022-48865. Tung Nguyen (1): tipc: fix kernel panic when enabling bearer Tuong Lien (1): tipc: fix NULL pointer dereference in tipc_disc_rcv() net/tipc/bearer.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) -- 2.34.1

2 3

[PATCH OLK-6.6] cxl/region: Fix memregion leaks in devm_cxl_add_region()
by Pu Lehui 20 Jul '24

20 Jul '24

From: Li Zhijian <lizhijian(a)fujitsu.com> stable inclusion from stable-v6.6.35 commit d8316838aa0686da63a8be4194b7a17b0103ae4a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAD6H2 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 49ba7b515c4c0719b866d16f068e62d16a8a3dd1 ] Move the mode verification to __create_region() before allocating the memregion to avoid the memregion leaks. Fixes: 6e099264185d ("cxl/region: Add volatile region creation support") Signed-off-by: Li Zhijian <lizhijian(a)fujitsu.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Link: https://lore.kernel.org/r/20240507053421.456439-1-lizhijian@fujitsu.com Signed-off-by: Dave Jiang <dave.jiang(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/cxl/core/region.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index e2a82ee4ff0c..6f06255012f0 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -2186,15 +2186,6 @@ static struct cxl_region *devm_cxl_add_region(struct cxl_root_decoder *cxlrd, struct device *dev; int rc; - switch (mode) { - case CXL_DECODER_RAM: - case CXL_DECODER_PMEM: - break; - default: - dev_err(&cxlrd->cxlsd.cxld.dev, "unsupported mode %d\n", mode); - return ERR_PTR(-EINVAL); - } - cxlr = cxl_region_alloc(cxlrd, id); if (IS_ERR(cxlr)) return cxlr; @@ -2245,6 +2236,15 @@ static struct cxl_region *__create_region(struct cxl_root_decoder *cxlrd, { int rc; + switch (mode) { + case CXL_DECODER_RAM: + case CXL_DECODER_PMEM: + break; + default: + dev_err(&cxlrd->cxlsd.cxld.dev, "unsupported mode %d\n", mode); + return ERR_PTR(-EINVAL); + } + rc = memregion_alloc(GFP_KERNEL); if (rc < 0) return ERR_PTR(rc); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] gianfar: ethtool: Fix refcount leak in gfar_get_ts_info
by Zhengchao Shao 20 Jul '24

20 Jul '24

From: Miaoqian Lin <linmq006(a)gmail.com> stable inclusion from stable-v4.19.235 commit 6263f2eb93a85ad7df504daf0c341a7fb6bbe8a6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGRU CVE: CVE-2022-48856 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 2ac5b58e645c66932438bb021cb5b52097ce70b0 ] The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata") Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> Reviewed-by: Jesse Brandeburg <jesse.brandeburg(a)intel.com> Reviewed-by: Claudiu Manoil <claudiu.manoil(a)nxp.com> Link: https://lore.kernel.org/r/20220310015313.14938-1-linmq006@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/net/ethernet/freescale/gianfar_ethtool.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/freescale/gianfar_ethtool.c b/drivers/net/ethernet/freescale/gianfar_ethtool.c index 395a5266ea30..0cddaaaf48aa 100644 --- a/drivers/net/ethernet/freescale/gianfar_ethtool.c +++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c @@ -1528,6 +1528,7 @@ static int gfar_get_ts_info(struct net_device *dev, ptp_node = of_find_compatible_node(NULL, NULL, "fsl,etsec-ptp"); if (ptp_node) { ptp_dev = of_find_device_by_node(ptp_node); + of_node_put(ptp_node); if (ptp_dev) ptp = platform_get_drvdata(ptp_dev); } -- 2.34.1

2 1

[PATCH v3 OLK-6.6] PCI/ROM: Fix PCI ROM header check bug
by liwei 19 Jul '24

19 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAEAGS -------------------------------- In UEFI Specification Version 2.8, describes that the PCIR data structure must start on a 4-byte boundary. Add checks to prevent vulnerabilities. Signed-off-by: liwei <liwei728(a)huawei.com> --- drivers/pci/rom.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index 8fc9a4e911e3..c9b416e62a87 100644 --- a/drivers/pci/rom.c +++ b/drivers/pci/rom.c @@ -98,6 +98,12 @@ static size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, } /* get the PCI data structure and check its "PCIR" signature */ pds = image + readw(image + 24); + /* The PCIR data structure must begin on a 4-byte boundary */ + if (pds & 0x3) { + pci_info(pdev, "Invalid PCI ROM header signature: \ + Pointer to Configuration Utility Code Header %#06x\n", readw(image + 24)); + break; + } if (readl(pds) != 0x52494350) { pci_info(pdev, "Invalid PCI ROM data signature: expecting 0x52494350, got %#010x\n", readl(pds)); -- 2.25.1

2 1

[PATCH v2 OLK-6.6] PCI/ROM: Fix PCI ROM header check bug
by liwei 19 Jul '24

19 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAEAGS -------------------------------- In UEFI Specification Version 2.8, describes that the PCIR data structure must start on a 4-byte boundary. Add checks to prevent vulnerabilities. Signed-off-by: liwei <liwei728(a)huawei.com> --- drivers/pci/rom.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index 8fc9a4e911e3..e6135d9875de 100644 --- a/drivers/pci/rom.c +++ b/drivers/pci/rom.c @@ -98,6 +98,12 @@ static size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, } /* get the PCI data structure and check its "PCIR" signature */ pds = image + readw(image + 24); + /* The PCIR data structure must begin on a 4-byte boundary */ + if (pds && 0x3) { + pci_info(pdev, "Invalid PCI ROM header signature: \ + Pointer to Configuration Utility Code Header %#06x\n", readw(image + 24)); + break; + } if (readl(pds) != 0x52494350) { pci_info(pdev, "Invalid PCI ROM data signature: expecting 0x52494350, got %#010x\n", readl(pds)); -- 2.25.1

2 1

[PATCH] PCI/ROM: Fix PCI ROM header check bug
by liwei 19 Jul '24

19 Jul '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAEAGS In UEFI Specification Version 2.8, describes that the PCIR data structure must start on a 4-byte boundary. Add checks to prevent vulnerabilities. Signed-off-by: liwei <liwei728(a)huawei.com> --- drivers/pci/rom.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c index 8fc9a4e911e3..e6135d9875de 100644 --- a/drivers/pci/rom.c +++ b/drivers/pci/rom.c @@ -98,6 +98,12 @@ static size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, } /* get the PCI data structure and check its "PCIR" signature */ pds = image + readw(image + 24); + /* The PCIR data structure must begin on a 4-byte boundary */ + if (pds && 0x3) { + pci_info(pdev, "Invalid PCI ROM header signature: \ + Pointer to Configuration Utility Code Header %#06x\n", readw(image + 24)); + break; + } if (readl(pds) != 0x52494350) { pci_info(pdev, "Invalid PCI ROM data signature: expecting 0x52494350, got %#010x\n", readl(pds)); -- 2.25.1

1 0

[PATCH OLK-5.10] dma-mapping: benchmark: fix node id validation
by Kaixiong Yu 19 Jul '24

19 Jul '24

From: Fedor Pchelkin <pchelkin(a)ispras.ru> stable inclusion from stable-v6.6.33 commit 34a816d8735f3924b74be8e5bf766ade1f3bd10b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7DBN CVE: CVE-2024-34777 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 1ff05e723f7ca30644b8ec3fb093f16312e408ad ] While validating node ids in map_benchmark_ioctl(), node_possible() may be provided with invalid argument outside of [0,MAX_NUMNODES-1] range leading to: BUG: KASAN: wild-memory-access in map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) Read of size 8 at addr 1fffffff8ccb6398 by task dma_map_benchma/971 CPU: 7 PID: 971 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #37 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) kasan_report (mm/kasan/report.c:603) kasan_check_range (mm/kasan/generic.c:189) variable_test_bit (arch/x86/include/asm/bitops.h:227) [inline] arch_test_bit (arch/x86/include/asm/bitops.h:239) [inline] _test_bit at (include/asm-generic/bitops/instrumented-non-atomic.h:142) [inline] node_state (include/linux/nodemask.h:423) [inline] map_benchmark_ioctl (kernel/dma/map_benchmark.c:214) full_proxy_unlocked_ioctl (fs/debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Compare node ids with sane bounds first. NUMA_NO_NODE is considered a special valid case meaning that benchmarking kthreads won't be bound to a cpuset of a given node. Found by Linux Verification Center (linuxtesting.org). Fixes: 65789daa8087 ("dma-mapping: add benchmark support for streaming DMA APIs") Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> Reviewed-by: Robin Murphy <robin.murphy(a)arm.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- kernel/dma/map_benchmark.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/dma/map_benchmark.c b/kernel/dma/map_benchmark.c index c2d225e1cd47..5c13c9352bb5 100644 --- a/kernel/dma/map_benchmark.c +++ b/kernel/dma/map_benchmark.c @@ -228,7 +228,8 @@ static long map_benchmark_ioctl(struct file *file, unsigned int cmd, } if (map->bparam.node != NUMA_NO_NODE && - !node_possible(map->bparam.node)) { + (map->bparam.node < 0 || map->bparam.node >= MAX_NUMNODES || + !node_possible(map->bparam.node))) { pr_err("invalid numa node\n"); return -EINVAL; } -- 2.25.1

2 1

[PATCH OLK-5.10] net: dsa: seville: register the mdiobus under devres
by Zhengchao Shao 19 Jul '24

19 Jul '24

From: Vladimir Oltean <vladimir.oltean(a)nxp.com> mainline inclusion from mainline-v5.17-rc4 commit bd488afc3b39e045ba71aab472233f2a78726e7b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADFY0 CVE: CVE-2022-48814 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() will panic when called from devm_mdiobus_free() <- devres_release_all() <- __device_release_driver(), and that mdiobus was not previously unregistered. The Seville VSC9959 switch is a platform device, so the initial set of constraints that I thought would cause this (I2C or SPI buses which call ->remove on ->shutdown) do not apply. But there is one more which applies here. If the DSA master itself is on a bus that calls ->remove from ->shutdown (like dpaa2-eth, which is on the fsl-mc bus), there is a device link between the switch and the DSA master, and device_links_unbind_consumers() will unbind the seville switch driver on shutdown. So the same treatment must be applied to all DSA switch drivers, which is: either use devres for both the mdiobus allocation and registration, or don't use devres at all. The seville driver has a code structure that could accommodate both the mdiobus_unregister and mdiobus_free calls, but it has an external dependency upon mscc_miim_setup() from mdio-mscc-miim.c, which calls devm_mdiobus_alloc_size() on its behalf. So rather than restructuring that, and exporting yet one more symbol mscc_miim_teardown(), let's work with devres and replace of_mdiobus_register with the devres variant. When we use all-devres, we can ensure that devres doesn't free a still-registered bus (it either runs both callbacks, or none). Fixes: ac3a68d56651 ("net: phy: don't abuse devres in devm_mdiobus_register()") Signed-off-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Reviewed-by: Florian Fainelli <f.fainelli(a)gmail.com> Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: drivers/net/dsa/ocelot/seville_vsc9953.c [The conflict occurs because the commit 5186c4a05b97("net: dsa: ocelot: seville: utilize of_mdiobus_register") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/net/dsa/ocelot/seville_vsc9953.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/dsa/ocelot/seville_vsc9953.c b/drivers/net/dsa/ocelot/seville_vsc9953.c index 7026523f886c..81875e96096b 100644 --- a/drivers/net/dsa/ocelot/seville_vsc9953.c +++ b/drivers/net/dsa/ocelot/seville_vsc9953.c @@ -1092,7 +1092,7 @@ static int vsc9953_mdio_bus_alloc(struct ocelot *ocelot) snprintf(bus->id, MII_BUS_ID_SIZE, "%s-imdio", dev_name(dev)); /* Needed in order to initialize the bus mutex lock */ - rc = mdiobus_register(bus); + rc = devm_mdiobus_register(dev, bus); if (rc < 0) { dev_err(dev, "failed to register MDIO bus\n"); return rc; @@ -1144,7 +1144,8 @@ static void vsc9953_mdio_bus_free(struct ocelot *ocelot) mdio_device_free(pcs->mdio); lynx_pcs_destroy(pcs); } - mdiobus_unregister(felix->imdio); + + /* mdiobus_unregister and mdiobus_free handled by devres */ } static void vsc9953_xmit_template_populate(struct ocelot *ocelot, int port) -- 2.34.1

2 1

2024

2023

2022

2021

2020

2019

Kernel