- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] net/hinic3: Add pcie device ID adaption for DPU_NIC card
by z00857956 03 Jul '24

03 Jul '24

From: zhoushuai <zhoushuai28(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA9G0T?from=project-issue CVE: NA -------------------------------- The pcie device ID of DPU_NIC card is 0x0224, need be added to nic_devID_list, otherwise card_node will be alloced for every PF. Signed-off-by: zhoushuai <zhoushuai28(a)huawei.com> --- drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c | 2 +- drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c index fdf92ab66e3b..5863beebde39 100644 --- a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c +++ b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c @@ -48,7 +48,7 @@ static int get_nic_drv_version(void *buf_out, const u32 *out_size) } err = snprintf(ver_info->ver, sizeof(ver_info->ver), "%s %s", - HINIC3_NIC_DRV_VERSION, "2023-05-17_19:56:38"); + HINIC3_NIC_DRV_VERSION, "2024-07-03_09:33:00"); if (err < 0) return -EINVAL; diff --git a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h index 0b7bf8e18732..fa758460e587 100644 --- a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h +++ b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h @@ -21,7 +21,9 @@ #define ULD_LOCK_MAX_USLEEP_TIME 1000 #define HINIC3_IS_VF_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_VF) -#define HINIC3_IS_SPU_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_SPU) +#define HINIC3_IS_SPU_DEV(pdev) \ + (((pdev)->device == HINIC3_DEV_ID_SPU) || ((pdev)->device == HINIC3_DEV_ID_SDI_5_0_PF) || \ + (((pdev)->device == HINIC3_DEV_ID_DPU_PF))) enum { HINIC3_NOT_PROBE = 1, -- 2.43.0

2 1

[PATCH OLK-6.6 0/1] cgroup/cpuset: Make cpuset hotplug processing synchronous
by Chen Ridong 03 Jul '24

03 Jul '24

*** BLURB HERE *** Waiman Long (1): cgroup/cpuset: Make cpuset hotplug processing synchronous include/linux/cpuset.h | 3 -- kernel/cgroup/cpuset.c | 103 ++++++++++++++++++++++------------------- kernel/cpu.c | 48 ------------------- kernel/power/process.c | 2 - 4 files changed, 55 insertions(+), 101 deletions(-) -- 2.34.1

2 2

[PATCH OLK-5.10] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index c860ffb0b4c3..670d439f204c 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index 55a611f7239b..68a417cee39c 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -141,6 +141,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d1d8d8a21ddd..f68f42c083c8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1

2 1

[PATCH OLK-5.10] ax25: Fix reference count leak issue of net_device
by Zhengchao Shao 03 Jul '24

03 Jul '24

From: Duoming Zhou <duoming(a)zju.edu.cn> mainline inclusion from mainline-v6.10-rc1 commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4 CVE: CVE-2024-38554 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn> Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/ax25/ax25_dev.c [The conflict occurs because the commit a968c799eb1d("ax25: merge repeat codes in ax25_dev_device_down()") and a7d6e36b9ad0("ax25: Use kernel universal linked list to implement ax25_dev_list") are not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ax25/ax25_dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c index d1d8d8a21ddd..f68f42c083c8 100644 --- a/net/ax25/ax25_dev.c +++ b/net/ax25/ax25_dev.c @@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev) } spin_unlock_bh(&ax25_dev_lock); dev->ax25_ptr = NULL; + dev_put(dev); ax25_dev_put(ax25_dev); } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] crypto: bcm - Fix pointer arithmetic
by liwei 03 Jul '24

03 Jul '24

From: Aleksandr Mishin <amishin(a)t-argos.ru> mainline inclusion from mainline-v6.10-rc1 commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T CVE: CVE-2024-38579 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin(a)t-argos.ru> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index c860ffb0b4c3..670d439f204c 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) { -- 2.25.1

2 1

[PATCH OLK-6.6] net/hinic3: Add pcie device ID adaption for DPU_NIC card
by z00857956 03 Jul '24

03 Jul '24

From: zhoushuai <zhoushuai28(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IA9G0T?from=project-issue CVE: NA -------------------------------- The pcie device ID of DPU_NIC card is 0x0224, need be added to nic_devID_list, otherwise card_node will be alloced for every PF. Signed-off-by: zhoushuai <zhoushuai28(a)huawei.com> --- drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c | 2 +- drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c index 40ff4738420e..93231ebac18e 100644 --- a/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c +++ b/drivers/net/ethernet/huawei/hinic3/hinic3_dbg.c @@ -48,7 +48,7 @@ static int get_nic_drv_version(void *buf_out, const u32 *out_size) } err = snprintf(ver_info->ver, sizeof(ver_info->ver), "%s %s", - HINIC3_NIC_DRV_VERSION, "2023-05-17_19:56:38"); + HINIC3_NIC_DRV_VERSION, "2024-07-03_09:33:00"); if (err < 0) return -EINVAL; diff --git a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h index bb7f5bb67ecb..02898a85e7b7 100644 --- a/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h +++ b/drivers/net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.h @@ -21,7 +21,9 @@ #define ULD_LOCK_MAX_USLEEP_TIME 1000 #define HINIC3_IS_VF_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_VF) -#define HINIC3_IS_SPU_DEV(pdev) ((pdev)->device == HINIC3_DEV_ID_SPU) +#define HINIC3_IS_SPU_DEV(pdev) \ + (((pdev)->device == HINIC3_DEV_ID_SPU) || ((pdev)->device == HINIC3_DEV_ID_SDI_5_0_PF) || \ + (((pdev)->device == HINIC3_DEV_ID_DPU_PF))) enum { HINIC3_NOT_PROBE = 1, -- 2.43.0

2 1

[PATCH OLK-6.6] tls: fix missing memory barrier in tls_init
by Liu Jian 03 Jul '24

03 Jul '24

From: "Dae R. Jeong" <threeearcat(a)gmail.com> stable inclusion from stable-v6.6.33 commit ab67c2fd3d070a21914d0c31319d3858ab4e199c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D88 CVE: CVE-2024-36489 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 91e61dd7a0af660408e87372d8330ceb218be302 ] In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // In sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // In tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt() -(3) In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference. To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot. Fixes: d5bee7374b68 ("net/tls: Annotate access to sk_prot with READ_ONCE/WRITE_ONCE") Signed-off-by: Yewon Choi <woni9911(a)gmail.com> Signed-off-by: Dae R. Jeong <threeearcat(a)gmail.com> Link: https://lore.kernel.org/netdev/ZU4OJG56g2V9z_H7@dragonet/T/ Link: https://lore.kernel.org/r/Zkx4vjSFp0mfpjQ2@libra05 Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/tls/tls_main.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index e97fcb502115..0a67b93a52ec 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -814,9 +814,17 @@ struct tls_context *tls_ctx_create(struct sock *sk) return NULL; mutex_init(&ctx->tx_lock); - rcu_assign_pointer(icsk->icsk_ulp_data, ctx); ctx->sk_proto = READ_ONCE(sk->sk_prot); ctx->sk = sk; + /* Release semantic of rcu_assign_pointer() ensures that + * ctx->sk_proto is visible before changing sk->sk_prot in + * update_sk_prot(), and prevents reading uninitialized value in + * tls_{getsockopt, setsockopt}. Note that we do not need a + * read barrier in tls_{getsockopt,setsockopt} as there is an + * address dependency between sk->sk_proto->{getsockopt,setsockopt} + * and ctx->sk_proto. + */ + rcu_assign_pointer(icsk->icsk_ulp_data, ctx); return ctx; } -- 2.34.1

2 1

[PATCH OLK-6.6] wifi: nl80211: Avoid address calculations via out of bounds array indexing
by Liu Jian 03 Jul '24

03 Jul '24

From: Kees Cook <keescook(a)chromium.org> stable inclusion from stable-v6.6.33 commit ed74398642fcb19f6ff385c35a7d512c6663e17b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SBS CVE: CVE-2024-38562 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 838c7b8f1f278404d9d684c34a8cb26dc41aaaa1 ] Before request->channels[] can be used, request->n_channels must be set. Additionally, address calculations for memory after the "channels" array need to be calculated from the allocation base ("request") rather than via the first "out of bounds" index of "channels", otherwise run-time bounds checking will throw a warning. Reported-by: Nathan Chancellor <nathan(a)kernel.org> Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by") Signed-off-by: Kees Cook <keescook(a)chromium.org> Tested-by: Nathan Chancellor <nathan(a)kernel.org> Link: https://msgid.link/20240424220057.work.819-kees@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/wireless/nl80211.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index c4f08f7eb741..8f8f077e6cd4 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -9153,6 +9153,7 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) struct wiphy *wiphy; int err, tmp, n_ssids = 0, n_channels, i; size_t ie_len, size; + size_t ssids_offset, ie_offset; wiphy = &rdev->wiphy; @@ -9198,21 +9199,20 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) return -EINVAL; size = struct_size(request, channels, n_channels); + ssids_offset = size; size = size_add(size, array_size(sizeof(*request->ssids), n_ssids)); + ie_offset = size; size = size_add(size, ie_len); request = kzalloc(size, GFP_KERNEL); if (!request) return -ENOMEM; + request->n_channels = n_channels; if (n_ssids) - request->ssids = (void *)&request->channels[n_channels]; + request->ssids = (void *)request + ssids_offset; request->n_ssids = n_ssids; - if (ie_len) { - if (n_ssids) - request->ie = (void *)(request->ssids + n_ssids); - else - request->ie = (void *)(request->channels + n_channels); - } + if (ie_len) + request->ie = (void *)request + ie_offset; i = 0; if (scan_freqs) { -- 2.34.1

2 1