Kernel

kernel@openeuler.org

  • 27 participants
  • 18550 discussions
[PATCH openEuler-22.03-LTS-SP1 v2 0/3] CVE-2024-38598
by Li Nan 09 Jul '24

Li Nan (2): Revert "md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter" md/raid10: check slab-out-of-bounds in md_bitmap_get_counter Yu Kuai (1): md: fix resync softlockup when bitmap size is less than array size drivers/md/md-bitmap.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) -- 2.39.2
[PATCH OLK-6.6] xfs: fix log recovery buffer allocation for the legacy h_size fixup
by Long Li 09 Jul '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.9-rc4 commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB0JY CVE: CVE-2024-39472 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log recovery buffer calculation, but stopped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") Reported-by: Sam Sun <samsun1006219(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Brian Foster <bfoster(a)redhat.com> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Conflicts: fs/xfs/xfs_log_recover.c [Conflicts due to mainline code using kvfree() in context] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/xfs/xfs_log_recover.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index a875c7237e2d..28acda900f03 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2985,7 +2985,7 @@ xlog_do_recovery_pass( int error = 0, h_size, h_len; int error2 = 0; int bblks, split_bblks; - int hblks, split_hblks, wrapped_hblks; + int hblks = 1, split_hblks, wrapped_hblks; int i; struct hlist_head rhash[XLOG_RHASH_SIZE]; LIST_HEAD (buffer_list); 
@@ -3041,14 +3041,22 @@ xlog_do_recovery_pass( if (error) goto bread_err1; - hblks = xlog_logrec_hblks(log, rhead); - if (hblks != 1) { - kmem_free(hbp); - hbp = xlog_alloc_buffer(log, hblks); + /* + * This open codes xlog_logrec_hblks so that we can reuse the + * fixed up h_size value calculated above. Without that we'd + * still allocate the buffer based on the incorrect on-disk + * size. + */ + if (h_size > XLOG_HEADER_CYCLE_SIZE && + (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) { + hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE); + if (hblks > 1) { + kmem_free(hbp); + hbp = xlog_alloc_buffer(log, hblks); + } } } else { ASSERT(log->l_sectBBsize == 1); - hblks = 1; hbp = xlog_alloc_buffer(log, 1); h_size = XLOG_BIG_RECORD_BSIZE; } -- 2.39.2
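Review bot: In the first hunk, "int hblks = 1, split_hblks, wrapped_hblks;" initializes one variable inside a three-variable declaration, and that default now silently serves both the else branch (where "hblks = 1;" is dropped in the second hunk) and version 2 logs whose h_size is at or below XLOG_HEADER_CYCLE_SIZE. Suggest giving hblks its own declaration line with a short comment that one header block is the default, so a later edit to either branch does not leave the reader guessing where the value comes from.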
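Review bot: The inner "if (hblks > 1)" in the second hunk can never be false: it sits inside "h_size > XLOG_HEADER_CYCLE_SIZE", and DIV_ROUND_UP of a value larger than its divisor is at least 2. Suggest dropping the inner test and doing the kmem_free()/xlog_alloc_buffer() pair unconditionally inside the outer branch, which also removes one nesting level.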
[PATCH openEuler-22.03-LTS-SP1] xfs: fix log recovery buffer allocation for the legacy h_size fixup
by Long Li 09 Jul '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.9-rc4 commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB0JY CVE: CVE-2024-39472 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log recovery buffer calculation, but stopped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") Reported-by: Sam Sun <samsun1006219(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Brian Foster <bfoster(a)redhat.com> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Conflicts: fs/xfs/xfs_log_recover.c [Conflicts due to mainline code using kvfree() in context] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/xfs/xfs_log_recover.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 331f568834a1..898c65b77457 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2952,7 +2952,7 @@ xlog_do_recovery_pass( int error = 0, h_size, h_len; int error2 = 0; int bblks, split_bblks; - int hblks, split_hblks, wrapped_hblks; + int hblks = 1, split_hblks, wrapped_hblks; int i; struct hlist_head rhash[XLOG_RHASH_SIZE]; LIST_HEAD (buffer_list); 
@@ -3008,14 +3008,22 @@ xlog_do_recovery_pass( if (error) goto bread_err1; - hblks = xlog_logrec_hblks(log, rhead); - if (hblks != 1) { - kmem_free(hbp); - hbp = xlog_alloc_buffer(log, hblks); + /* + * This open codes xlog_logrec_hblks so that we can reuse the + * fixed up h_size value calculated above. Without that we'd + * still allocate the buffer based on the incorrect on-disk + * size. + */ + if (h_size > XLOG_HEADER_CYCLE_SIZE && + (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) { + hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE); + if (hblks > 1) { + kmem_free(hbp); + hbp = xlog_alloc_buffer(log, hblks); + } } } else { ASSERT(log->l_sectBBsize == 1); - hblks = 1; hbp = xlog_alloc_buffer(log, 1); h_size = XLOG_BIG_RECORD_BSIZE; } -- 2.39.2
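Review bot: After "kmem_free(hbp);" in the second hunk, hbp is reassigned from xlog_alloc_buffer(log, hblks) and the hunk closes the branch without testing the result. Please confirm that on this branch a NULL check on hbp follows the if/else and covers the reallocated buffer, since hblks is now derived from the fixed-up h_size rather than from xlog_logrec_hblks() and a failed allocation here would leave hbp pointing at nothing after the old buffer has already been freed.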
[PATCH OLK-5.10] xfs: fix log recovery buffer allocation for the legacy h_size fixup
by Long Li 09 Jul '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.9-rc4 commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB0JY CVE: CVE-2024-39472 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by mkfs") added a fixup for incorrect h_size values used for the initial umount record in old xfsprogs versions. Later commit 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") cleaned up the log recovery buffer calculation, but stopped using the fixed up h_size value to size the log recovery buffer, which can lead to an out of bounds access when the incorrect h_size does not come from the old mkfs tool, but a fuzzer. Fix this by open coding xlog_logrec_hblks and taking the fixed h_size into account for this calculation. Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") Reported-by: Sam Sun <samsun1006219(a)gmail.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Brian Foster <bfoster(a)redhat.com> Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Chandan Babu R <chandanbabu(a)kernel.org> Conflicts: fs/xfs/xfs_log_recover.c [Conflicts due to mainline code using kvfree() in context] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/xfs/xfs_log_recover.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 331f568834a1..898c65b77457 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2952,7 +2952,7 @@ xlog_do_recovery_pass( int error = 0, h_size, h_len; int error2 = 0; int bblks, split_bblks; - int hblks, split_hblks, wrapped_hblks; + int hblks = 1, split_hblks, wrapped_hblks; int i; struct hlist_head rhash[XLOG_RHASH_SIZE]; LIST_HEAD (buffer_list); 
@@ -3008,14 +3008,22 @@ xlog_do_recovery_pass( if (error) goto bread_err1; - hblks = xlog_logrec_hblks(log, rhead); - if (hblks != 1) { - kmem_free(hbp); - hbp = xlog_alloc_buffer(log, hblks); + /* + * This open codes xlog_logrec_hblks so that we can reuse the + * fixed up h_size value calculated above. Without that we'd + * still allocate the buffer based on the incorrect on-disk + * size. + */ + if (h_size > XLOG_HEADER_CYCLE_SIZE && + (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) { + hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE); + if (hblks > 1) { + kmem_free(hbp); + hbp = xlog_alloc_buffer(log, hblks); + } } } else { ASSERT(log->l_sectBBsize == 1); - hblks = 1; hbp = xlog_alloc_buffer(log, 1); h_size = XLOG_BIG_RECORD_BSIZE; } -- 2.39.2
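Review bot: h_size is a plain int (context line "int error = 0, h_size, h_len;" in the first hunk), and the second hunk now uses it both in "h_size > XLOG_HEADER_CYCLE_SIZE" and in DIV_ROUND_UP() to size the header buffer. If a corrupted on-disk value can reach this point as a negative number, the comparison is false and hblks stays at 1; please confirm that the validation above this hunk rejects such values, or extend the new comment to say that it does.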
[PATCH openEuler-1.0-LTS] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
by Zhengchao Shao 09 Jul '24

From: Pavel Skripkin <paskripkin(a)gmail.com> mainline inclusion from mainline-v5.16-rc2 commit 9b5a333272a48c2f8b30add7a874e46e8b26129c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNEY CVE: CVE-2021-47204 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Access to netdev after free_netdev() will cause a use-after-free bug. Move debug log before free_netdev() call to avoid it. Fixes: 7472dd9f6499 ("staging: fsl-dpaa2/eth: Move print message") Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c [The conflict occurs because the commit 34ff68465a17("dpaa2-eth: Move DPAA2 Ethernet driver from staging to drivers/net") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c index 9329fcad95ac..2f8f1f3f1bcd 100644 --- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c @@ -2632,10 +2632,10 @@ static int dpaa2_eth_remove(struct fsl_mc_device *ls_dev) fsl_mc_portal_free(priv->mc_io); - free_netdev(net_dev); - dev_dbg(net_dev->dev.parent, "Removed interface %s\n", net_dev->name); + free_netdev(net_dev); + return 0; } -- 2.34.1
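Review bot: Nothing in the hunk marks "free_netdev(net_dev);" as the last permitted use of net_dev, and the Fixes: tag shows the bug came from an earlier move of this same dev_dbg() line. Suggest a one-line comment above free_netdev() stating that no net_dev access may follow it, so the ordering survives the next cleanup of dpaa2_eth_remove().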
[PATCH OLK-6.6] ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension
by Xiongfeng Wang 09 Jul '24

From: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> mainline inclusion from mainline-v6.10-rc2 commit ffa077b2f6ad124ec3d23fbddc5e4b0ff2647af8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAB05U CVE: CVE-2024-39473 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If a process module does not have base config extension then the same format applies to all of its inputs and the process->base_config_ext is NULL, causing NULL dereference when specifically crafted topology and sequences are used. Fixes: 648fea128476 ("ASoC: SOF: ipc4-topology: set copier output format for process module") Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> Reviewed-by: Seppo Ingalsuo <seppo.ingalsuo(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Cc: stable(a)vger.kernel.org Link: https://msgid.link/r/20240529121201.14687-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- sound/soc/sof/ipc4-topology.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index 2c075afd237c..78ff129be772 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -195,6 +195,14 @@ sof_ipc4_get_input_pin_audio_fmt(struct snd_sof_widget *swidget, int pin_index) } process = swidget->private; + + /* + * For process modules without base config extension, base module config + * format is used for all input pins + */ + if (process->init_config != SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) + return &process->base_config.audio_fmt; + base_cfg_ext = process->base_config_ext; /* -- 2.20.1
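Review bot: The new guard tests process->init_config, but the pointer picked up right after it is process->base_config_ext, which the commit message names as the NULL value. If init_config can ever equal SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT while base_config_ext was never set, the later dereference remains; consider also handling "!process->base_config_ext" at this point, or say in the new comment why the two fields cannot disagree.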
[PATCH openEuler-22.03-LTS-SP1 0/1] cgroup: Fix AA deadlock caused by cgroup_bpf_release
by Chen Ridong 09 Jul '24

*** BLURB HERE *** Chen Ridong (1): cgroup: Fix AA deadlock caused by cgroup_bpf_release kernel/bpf/cgroup.c | 2 +- kernel/cgroup/cgroup-internal.h | 1 + kernel/cgroup/cgroup.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) -- 2.34.1
[PATCH OLK-5.10 0/1] cgroup: Fix AA deadlock caused by cgroup_bpf_release
by Chen Ridong 09 Jul '24

*** BLURB HERE *** Chen Ridong (1): cgroup: Fix AA deadlock caused by cgroup_bpf_release kernel/bpf/cgroup.c | 2 +- kernel/cgroup/cgroup-internal.h | 1 + kernel/cgroup/cgroup.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) -- 2.34.1
[PATCH OLK-6.6 0/1] cgroup: Fix AA deadlock caused by cgroup_bpf_release
by Chen Ridong 09 Jul '24

*** BLURB HERE *** Chen Ridong (1): cgroup: Fix AA deadlock caused by cgroup_bpf_release kernel/bpf/cgroup.c | 2 +- kernel/cgroup/cgroup-internal.h | 1 + kernel/cgroup/cgroup.c | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) -- 2.34.1
[PATCH openEuler-1.0-LTS] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
by Zhengchao Shao 09 Jul '24

From: Pavel Skripkin <paskripkin(a)gmail.com> mainline inclusion from mainline-v5.16-rc2 commit 9b5a333272a48c2f8b30add7a874e46e8b26129c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9FNEY CVE: CVE-2021-47204 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Access to netdev after free_netdev() will cause a use-after-free bug. Move debug log before free_netdev() call to avoid it. Fixes: 7472dd9f6499 ("staging: fsl-dpaa2/eth: Move print message") Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Conflicts: drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c [The conflict occurs because the commit 34ff68465a17("dpaa2-eth: Move DPAA2 Ethernet driver from staging to drivers/net") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c index 9329fcad95ac..2f8f1f3f1bcd 100644 --- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c @@ -2632,10 +2632,10 @@ static int dpaa2_eth_remove(struct fsl_mc_device *ls_dev) fsl_mc_portal_free(priv->mc_io); - free_netdev(net_dev); - dev_dbg(net_dev->dev.parent, "Removed interface %s\n", net_dev->name); + free_netdev(net_dev); + return 0; } -- 2.34.1
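Review bot: The dev_dbg() call still reads two fields of net_dev (net_dev->dev.parent and net_dev->name) immediately before "free_netdev(net_dev);", so the fix depends purely on statement order. If the parent device is the one embedded in the ls_dev argument of dpaa2_eth_remove(), passing that device to dev_dbg() would leave net_dev->name as the only remaining dependency on the netdev's lifetime.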