From: David Vernet void@manifault.com
mainline inclusion from mainline-v5.17-rc1 commit 5ef3dd20555e8e878ac390a71e658db5fd02845c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4TF7T Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
When enabling a klp patch with klp_enable_patch(), klp_init_patch_early() is invoked to initialize the kobjects for the patch itself, as well as the 'struct klp_object' and 'struct klp_func' objects that comprise it. However, there are some error paths in klp_enable_patch() where some kobjects may have been initialized with kobject_init(), but an error code is still returned due to e.g. a 'struct klp_object' having a NULL funcs pointer.
In these paths, the initial reference of the kobject of the 'struct klp_patch' may never be released, along with one or more of its objects and their functions, as kobject_put() is not invoked on the cleanup path if klp_init_patch_early() returns an error code.
For example, if an object entry such as the following were added to the sample livepatch module's klp patch, it would cause the vmlinux klp_object, and its klp_func which updates 'cmdline_proc_show', to never be released:
static struct klp_object objs[] = { { /* name being NULL means vmlinux */ .funcs = funcs, }, { /* NULL funcs -- would cause reference leak */ .name = "kvm", }, { } };
Without this change, if CONFIG_DEBUG_KOBJECT is enabled, and the sample klp patch is loaded, the kobjects (the patch, the vmlinux 'struct klp_object', and its func) are observed as initialized, but never released, in the dmesg log output. With the change, these kobject references no longer fail to be released as the error case is properly handled before they are initialized.
Since 81fd525cedd9 ("[Huawei] livepatch: Add klp_{register,unregister}_patch for stop_machine model"), klp_register_patch has been derived from klp_enable_patch and shares the same issue, so we also fix it in this patch.
Signed-off-by: David Vernet void@manifault.com Reviewed-by: Petr Mladek pmladek@suse.com Acked-by: Miroslav Benes mbenes@suse.cz Acked-by: Josh Poimboeuf jpoimboe@redhat.com Signed-off-by: Petr Mladek pmladek@suse.com
Conflicts: kernel/livepatch/core.c
Fixes: 0430f78bf38f ("livepatch: Consolidate klp_free functions") Fixes: c33e42836a74 ("livepatch/core: Allow implementation without ftrace") Signed-off-by: Zheng Yejian zhengyejian1@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- kernel/livepatch/core.c | 50 +++++++++++++++++------------------------ 1 file changed, 20 insertions(+), 30 deletions(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index b46ef236424d..b0f54d4c663b 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -1146,14 +1146,11 @@ static void klp_init_object_early(struct klp_patch *patch,
 #endif
 }
-static int klp_init_patch_early(struct klp_patch *patch)
+static void klp_init_patch_early(struct klp_patch *patch)
 {
 struct klp_object *obj;
 struct klp_func *func;
- if (!patch->objs)
- return -EINVAL;
-
 INIT_LIST_HEAD(&patch->list);
 INIT_LIST_HEAD(&patch->obj_list);
 kobject_init(&patch->kobj, &klp_ktype_patch);
@@ -1163,26 +1160,12 @@ static int klp_init_patch_early(struct klp_patch *patch)
 init_completion(&patch->finish);
 klp_for_each_object_static(patch, obj) {
- if (!obj->funcs)
- return -EINVAL;
-
 klp_init_object_early(patch, obj);
 klp_for_each_func_static(obj, func) {
 klp_init_func_early(obj, func);
 }
 }
-
- /*
- * For stop_machine model, we only need to module_get and module_put once when
- * enable_patch and disable_patch respectively.
- */
-#ifdef CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY
- if (!try_module_get(patch->mod))
- return -ENODEV;
-#endif
-
- return 0;
 }
 static int klp_init_patch(struct klp_patch *patch)
@@ -1431,10 +1414,16 @@ static int __klp_enable_patch(struct klp_patch *patch)
 int klp_enable_patch(struct klp_patch *patch)
 {
 int ret;
+ struct klp_object *obj;
- if (!patch || !patch->mod)
+ if (!patch || !patch->mod || !patch->objs)
 return -EINVAL;
+ klp_for_each_object_static(patch, obj) {
+ if (!obj->funcs)
+ return -EINVAL;
+ }
+
 if (!is_livepatch_module(patch->mod)) {
 pr_err("module %s is not marked as a livepatch module\n",
 patch->mod->name);
@@ -1458,11 +1447,10 @@ int klp_enable_patch(struct klp_patch *patch)
 return -EINVAL;
 }
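Review bot: The new objs/funcs validation loop added to klp_enable_patch here is duplicated verbatim in klp_register_patch (the hunk at @@ -1609), so the two entry points will drift apart the next time a precondition is added. Both could call one static helper that owns the `!patch->objs` and `!obj->funcs` checks, leaving each entry point with a single condition; the helper below shows the shape. klp_enable_patch's body continues outside this hunk.
```c
/* Reject a patch whose object table or any object's function table is missing. */
static int klp_check_patch_objs(struct klp_patch *patch)
{
	struct klp_object *obj;

	if (!patch->objs)
		return -EINVAL;

	klp_for_each_object_static(patch, obj) {
		if (!obj->funcs)
			return -EINVAL;
	}
	return 0;
}

int klp_enable_patch(struct klp_patch *patch)
{
	int ret;

	if (!patch || !patch->mod || klp_check_patch_objs(patch))
		return -EINVAL;
	/* … unchanged: is_livepatch_module() check and the rest of klp_enable_patch … */
```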
- ret = klp_init_patch_early(patch);
- if (ret) {
- mutex_unlock(&klp_mutex);
- return ret;
- }
+ if (!try_module_get(patch->mod))
+ return -ENODEV;
+
+ klp_init_patch_early(patch);
 ret = klp_init_patch(patch);
 if (ret)
@@ -1609,10 +1597,16 @@ static int __klp_enable_patch(struct klp_patch *patch)
 int klp_register_patch(struct klp_patch *patch)
 {
 int ret;
+ struct klp_object *obj;
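Review bot: The new `return -ENODEV` after a failed `try_module_get()` leaves klp_mutex held: the error path this hunk deletes called `mutex_unlock(&klp_mutex)` before returning, so the mutex is already taken at this point and every later klp_enable_patch()/klp_register_patch() caller blocks on it. The fix is `if (!try_module_get(patch->mod)) { mutex_unlock(&klp_mutex); return -ENODEV; }`; the next patch in this series (`50a0f3f55e38`) adds exactly that, and squashing it here would avoid an intermediate commit that carries the lock leak. A secondary point: the removed try_module_get() was guarded by `#ifdef CONFIG_LIVEPATCH_PER_TASK_CONSISTENCY` while the new one is unconditional, so if klp_enable_patch() is also built for the stop_machine model, confirm that model's disable path drops the reference. klp_enable_patch's body continues outside this hunk.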
- if (!patch || !patch->mod)
+ if (!patch || !patch->mod || !patch->objs)
 return -EINVAL;
+ klp_for_each_object_static(patch, obj) {
+ if (!obj->funcs)
+ return -EINVAL;
+ }
+
 if (!is_livepatch_module(patch->mod)) {
 pr_err("module %s is not marked as a livepatch module\n",
 patch->mod->name);
@@ -1629,11 +1623,7 @@ int klp_register_patch(struct klp_patch *patch)
 return -EINVAL;
 }
- ret = klp_init_patch_early(patch);
- if (ret) {
- mutex_unlock(&klp_mutex);
- return ret;
- }
+ klp_init_patch_early(patch);
 ret = klp_init_patch(patch);
 if (ret)
From: Yang Yingliang yangyingliang@huawei.com
mainline inclusion from mainline-v5.17-rc1 commit 50a0f3f55e382b313e7cbebdf8ccf1593296e16f category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4TF7T Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Add missing unlock when try_module_get() fails in klp_enable_patch().
Fixes: 5ef3dd20555e8e8 ("livepatch: Fix kobject refcount bug on klp_init_patch_early failure path") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com Acked-by: David Vernet void@manifault.com Reviewed-by: Petr Mladek pmladek@suse.com Signed-off-by: Petr Mladek pmladek@suse.com Link: https://lore.kernel.org/r/20211225025115.475348-1-yangyingliang@huawei.com Signed-off-by: Zheng Yejian zhengyejian1@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- kernel/livepatch/core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index b0f54d4c663b..660a4b4f61e4 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -1447,8 +1447,10 @@ int klp_enable_patch(struct klp_patch *patch)
 return -EINVAL;
 }
- if (!try_module_get(patch->mod))
+ if (!try_module_get(patch->mod)) {
+ mutex_unlock(&klp_mutex);
 return -ENODEV;
+ }
klp_init_patch_early(patch);
From: Zhang Wensheng zhangwensheng5@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4STNX?from=project-issue CVE: NA
--------------------------------
When the inflight IOs are slow and no new IOs are issued, we expect iostat could manifest the IO hang problem. However after commit 5b18b5a73760 ("block: delete part_round_stats and switch to less precise counting"), io_tick and time_in_queue will not be updated until the end of IO, and the avgqu-sz and %util columns of iostat will be zero.
Because time_in_queue is expressed through the stat.nsecs accumulation, which is not suitable to change, and %util may express the status better when an IO hang occurs, we fix io_ticks instead: we use update_io_ticks() together with the inflight count to update io_ticks when diskstats_show() and part_stat_show() are called.
Fixes: 5b18b5a73760 ("block: delete part_round_stats and switch to less precise counting") Signed-off-by: Zhang Wensheng zhangwensheng5@huawei.com Reviewed-by: Hou Tao houtao1@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- block/blk-core.c | 2 +- block/blk.h | 2 ++ block/genhd.c | 14 ++++++++++++-- 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index 89f1e74785dc..019d583b355c 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -1249,7 +1249,7 @@ unsigned int blk_rq_err_bytes(const struct request *rq)
 }
 EXPORT_SYMBOL_GPL(blk_rq_err_bytes);
-static void update_io_ticks(struct hd_struct *part, unsigned long now, bool end)
+void update_io_ticks(struct hd_struct *part, unsigned long now, bool end)
 {
 unsigned long stamp;
 again:
diff --git a/block/blk.h b/block/blk.h
index cd39fd0c93f1..3165c16725d5 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -255,6 +255,8 @@ static inline bool blk_do_io_stat(struct request *rq)
 return rq->rq_disk && (rq->rq_flags & RQF_IO_STAT);
 }
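Review bot: `update_io_ticks()` loses `static` here and gains callers in genhd.c, but its definition carries no kernel-doc and nothing states the locking it expects; the new callers wrap it in `part_stat_lock()`/`part_stat_unlock()`, which reads as a requirement rather than a courtesy. Add a comment block above the definition naming @part, @now and @end and stating `Caller must hold part_stat_lock()` if that is indeed the contract — only the `again:` label of the body is visible in this hunk, so I cannot confirm it from here. The function continues outside the hunk.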
+void update_io_ticks(struct hd_struct *part, unsigned long now, bool end);
+
 static inline void req_set_nomerge(struct request_queue *q, struct request *req)
 {
 req->cmd_flags |= REQ_NOMERGE;
diff --git a/block/genhd.c b/block/genhd.c
index 6566eacc807d..f94152e99876 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1301,12 +1301,17 @@ ssize_t part_stat_show(struct device *dev,
 struct disk_stats stat;
 unsigned int inflight;
- part_stat_read_all(p, &stat);
 if (queue_is_mq(q))
 inflight = blk_mq_in_flight(q, p);
 else
 inflight = part_in_flight(p);
+ if (inflight) {
+ part_stat_lock();
+ update_io_ticks(p, jiffies, true);
+ part_stat_unlock();
+ }
+ part_stat_read_all(p, &stat);
 return sprintf(buf,
 "%8lu %8lu %8llu %8u "
 "%8lu %8lu %8llu %8u "
@@ -1623,12 +1628,17 @@ static int diskstats_show(struct seq_file *seqf, void *v)
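Review bot: The added `if (inflight) { part_stat_lock(); update_io_ticks(p, jiffies, true); part_stat_unlock(); }` block is repeated verbatim in diskstats_show (the hunk at @@ -1623), so the sysfs and /proc readers can drift apart; a small `static void part_stat_update_io_ticks(struct hd_struct *part, unsigned int inflight)` helper in genhd.c would keep them identical. Both calls also pass `end = true` from a path where no request completes, and what that flag changes is not visible in this hunk; a one-line comment such as `/* credit the whole interval since the last stamp, as a completion would */` — to be confirmed against update_io_ticks() — would record the intent. part_stat_show starts outside this hunk.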
 disk_part_iter_init(&piter, gp, DISK_PITER_INCL_EMPTY_PART0);
 while ((hd = disk_part_iter_next(&piter))) {
- part_stat_read_all(hd, &stat);
 if (queue_is_mq(gp->queue))
 inflight = blk_mq_in_flight(gp->queue, hd);
 else
 inflight = part_in_flight(hd);
+ if (inflight) {
+ part_stat_lock();
+ update_io_ticks(hd, jiffies, true);
+ part_stat_unlock();
+ }
+ part_stat_read_all(hd, &stat);
 seq_printf(seqf, "%4d %7d %s "
 "%lu %lu %lu %u "
 "%lu %lu %lu %u "
From: Zhang Qiao zhangqiao22@huawei.com
maillist inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4TR86 CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git/commit/?id=05c...
--------------------------------
As previously discussed (https://lkml.org/lkml/2022/1/20/51), cpuset_attach() is affected by a similar cpu hotplug race, as in the following scenario:
cpuset_attach() cpu hotplug --------------------------- ---------------------- down_write(cpuset_rwsem) guarantee_online_cpus() // (load cpus_attach) sched_cpu_deactivate set_cpu_active() // will change cpu_active_mask set_cpus_allowed_ptr(cpus_attach) __set_cpus_allowed_ptr_locked() // (if the intersection of cpus_attach and cpu_active_mask is empty, will return -EINVAL) up_write(cpuset_rwsem)
To avoid races such as described above, protect cpuset_attach() call with cpu_hotplug_lock.
Fixes: be367d099270 ("cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time") Cc: stable@vger.kernel.org # v2.6.32+ Reported-by: Zhao Gongyi zhaogongyi@huawei.com Signed-off-by: Zhang Qiao zhangqiao22@huawei.com Acked-by: Waiman Long longman@redhat.com Reviewed-by: Michal Koutný mkoutny@suse.com Signed-off-by: Tejun Heo tj@kernel.org Reviewed-by: Chen Hui judy.chenhui@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- kernel/cgroup/cpuset.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 4708c06eba0a..01966adceced 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -2211,6 +2211,7 @@ static void cpuset_attach(struct cgroup_taskset *tset)
 cgroup_taskset_first(tset, &css);
 cs = css_cs(css);
+ cpus_read_lock();
 percpu_down_write(&cpuset_rwsem);
 /* prepare for attach */
@@ -2266,6 +2267,7 @@ static void cpuset_attach(struct cgroup_taskset *tset)
 wake_up(&cpuset_attach_wq);
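Review bot: The added `cpus_read_lock()` has no comment, and the reason for holding the hotplug lock across the whole attach lives only in the commit message: the cpus_attach mask is built from cpu_active_mask, and a concurrent CPU offline could empty it before set_cpus_allowed_ptr() runs, making that call fail. Add above the new line `/* Hold the hotplug lock so cpu_active_mask cannot change between guarantee_online_cpus() and set_cpus_allowed_ptr(). */`, and mention in it that cpu_hotplug_lock is now taken outside cpuset_rwsem, since any other path taking both must keep that order. cpuset_attach starts outside this hunk and the matching unlock is in the second hunk.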
 percpu_up_write(&cpuset_rwsem);
+ cpus_read_unlock();
 }
/* The various types of files and directories in a cpuset file system */
From: Trond Myklebust trond.myklebust@hammerspace.com
mainline inclusion from mainline-v5.17-rc2 commit ac795161c93699d600db16c1a8cc23a65a1eceaf category: bugfix bugzilla: 186205 https://gitee.com/openeuler/kernel/issues/I4U2NK CVE: CVE-2022-24448
-----------------------------------------------
If the application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() will punt to doing a regular lookup. If the server then returns a regular file, we will happily return a file descriptor with uninitialised open state.
The fix is to return the expected ENOTDIR error in these cases.
Reported-by: Lyu Tao tao.lyu@epfl.ch Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com Signed-off-by: Anna Schumaker Anna.Schumaker@Netapp.com Signed-off-by: Zhang Xiaoxu zhangxiaoxu5@huawei.com Reviewed-by: Zhang Yi yi.zhang@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- fs/nfs/dir.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 8b963c72dd3b..6e55d9763a19 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1777,6 +1777,19 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
 no_open:
 res = nfs_lookup(dir, dentry, lookup_flags);
+ if (!res) {
+ inode = d_inode(dentry);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode))
+ res = ERR_PTR(-ENOTDIR);
+ } else if (!IS_ERR(res)) {
+ inode = d_inode(res);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode)) {
+ dput(res);
+ res = ERR_PTR(-ENOTDIR);
+ }
+ }
 if (switched) {
 d_lookup_done(dentry);
 if (!res)
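Review bot: The new `!res` and `!IS_ERR(res)` branches repeat the same LOOKUP_DIRECTORY/S_ISDIR predicate and differ only in which dentry is inspected and whether `dput()` is needed; folding them into one branch over `res ? res : dentry` keeps a single copy of the check, and `dput()` already tolerates NULL so the release can be unconditional on that path. That matters because the follow-up patch in this series (`1751fc1db36f`) has to extend both copies again. nfs_atomic_open starts outside this hunk.
```c
no_open:
	res = nfs_lookup(dir, dentry, lookup_flags);
	if (!IS_ERR(res)) {
		/* nfs_lookup() returns NULL when it instantiated @dentry itself */
		struct dentry *found = res ? res : dentry;

		inode = d_inode(found);
		if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
		    !S_ISDIR(inode->i_mode)) {
			dput(res);	/* no-op when res is NULL */
			res = ERR_PTR(-ENOTDIR);
		}
	}
	/* … unchanged: if (switched) { d_lookup_done(dentry); … */
```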
From: Trond Myklebust trond.myklebust@hammerspace.com
mainline inclusion from mainline-v5.17-rc2 commit 1751fc1db36f6f411709e143d5393f92d12137a9 category: bugfix bugzilla: 186205 https://gitee.com/openeuler/kernel/issues/I4U2NK CVE: CVE-2022-24448
-----------------------------------------------
If the file type changes back to being a regular file on the server between the failed OPEN and our LOOKUP, then we need to re-run the OPEN.
Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()") Signed-off-by: Trond Myklebust trond.myklebust@hammerspace.com Signed-off-by: Anna Schumaker Anna.Schumaker@Netapp.com Signed-off-by: Zhang Xiaoxu zhangxiaoxu5@huawei.com Reviewed-by: Zhang Yi yi.zhang@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- fs/nfs/dir.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 6e55d9763a19..1276437b48de 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1782,12 +1782,17 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
 if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
 !S_ISDIR(inode->i_mode))
 res = ERR_PTR(-ENOTDIR);
+ else if (inode && S_ISREG(inode->i_mode))
+ res = ERR_PTR(-EOPENSTALE);
 } else if (!IS_ERR(res)) {
 inode = d_inode(res);
 if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
 !S_ISDIR(inode->i_mode)) {
 dput(res);
 res = ERR_PTR(-ENOTDIR);
+ } else if (inode && S_ISREG(inode->i_mode)) {
+ dput(res);
+ res = ERR_PTR(-EOPENSTALE);
 }
 }
 if (switched) {
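Review bot: The two new `else if (inode && S_ISREG(inode->i_mode))` arms return -EOPENSTALE without a comment, and the reason is not obvious from the code: control reaches no_open only after the OPEN was abandoned, so a LOOKUP that now finds a regular file means the object's type changed on the server in between and, per the commit message, the OPEN has to be re-run. Add above the first arm `/* Type changed back to a regular file after the failed OPEN; -EOPENSTALE tells the caller to redo the open. */` and a `/* same as above */` on the second. The ordering also deserves a word in that comment: with LOOKUP_DIRECTORY set, the ENOTDIR arm is checked first and wins, which is the intended precedence. nfs_atomic_open starts outside this hunk.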
From: "Eric W. Biederman" ebiederm@xmission.com
stable inclusion from stable-v5.10.97 commit 1fc3444cda9a78c65b769e3fa93455e09ff7a0d3 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4TUA0?from=project-issue CVE: CVE-2022-0492
-------------------------------
commit 24f6008564183aa120d07c03d9289519c2fe02af upstream.
The cgroup release_agent is called with call_usermodehelper. The function call_usermodehelper starts the release_agent with a full set of capabilities. Therefore require capabilities when setting the release_agent.
Reported-by: Tabitha Sable tabitha.c.sable@gmail.com Tested-by: Tabitha Sable tabitha.c.sable@gmail.com Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups") Cc: stable@vger.kernel.org # v2.6.24+ Signed-off-by: "Eric W. Biederman" ebiederm@xmission.com Signed-off-by: Tejun Heo tj@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Lu Jialin lujialin4@huawei.com Reviewed-by: Wang Weiyang wangweiyang2@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- kernel/cgroup/cgroup-v1.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 1805c682ccc3..9f5221653f80 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -548,6 +548,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ /*
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+ if ((of->file->f_cred->user_ns != &init_user_ns) ||
+ !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
 cgrp = cgroup_kn_lock_live(of->kn, false);
 if (!cgrp)
 return -ENODEV;
@@ -961,6 +969,12 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
 /* Specifying two release agents is forbidden */
 if (ctx->release_agent)
 return invalfc(fc, "release_agent respecified");
+ /*
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+ if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
+ return invalfc(fc, "Setting release_agent not allowed");
 ctx->release_agent = param->string;
 param->string = NULL;
 break;
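Review bot: The new gate in cgroup_release_agent_write() mixes two credential sources: the namespace test reads the opener's `of->file->f_cred->user_ns`, while `capable(CAP_SYS_ADMIN)` is evaluated against the task doing the write. That is defensible — a descriptor passed to a task in another user namespace should not carry the opener's standing, and the writer still has to hold the capability — but nothing says so; extend the new comment with `* Check the opener's namespace (f_cred) and the writer's capability, so neither a passed-in fd nor an unprivileged writer can set it.` The parse_param hunk below applies the same rule via `fc->user_ns` but reports it through invalfc() as -EINVAL where this path returns -EPERM; if userspace distinguishes the two, the error codes could be aligned. cgroup_release_agent_write starts outside this hunk.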
From: Jon Maloy jmaloy@redhat.com
mainline inclusion from mainline-v5.17-rc4 commit 9aa422ad326634b76309e8ff342c246800621216 category: bugfix bugzilla: 186252 https://gitee.com/openeuler/kernel/issues/I4U36S CVE: CVE-2022-0435
Reference: https://github.com/torvalds/linux/commit/9aa422ad326634b76309e8ff342c2468006...
--------------------------------
The function tipc_mon_rcv() allows a node to receive and process domain_record structs from peer nodes to track their views of the network topology.
This patch verifies that the number of members in a received domain record does not exceed the limit defined by MAX_MON_DOMAIN, something that may otherwise lead to a stack overflow.
tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where we are reading a 32 bit message data length field into a uint16. To avert any risk of bit overflow, we add an extra sanity check for this in that function. We cannot see that happen with the current code, but future designers being unaware of this risk, may introduce it by allowing delivery of very large (> 64k) sk buffers from the bearer layer. This potential problem was identified by Eric Dumazet.
This fixes CVE-2022-0435
Reported-by: Samuel Page samuel.page@appgate.com Reported-by: Eric Dumazet edumazet@google.com Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework") Signed-off-by: Jon Maloy jmaloy@redhat.com Reviewed-by: Xin Long lucien.xin@gmail.com Reviewed-by: Samuel Page samuel.page@appgate.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com Reviewed-by: Yongjun Wei weiyongjun1@huawei.com Reviewed-by: Yue Haibing yuehaibing@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- net/tipc/link.c | 9 +++++++-- net/tipc/monitor.c | 2 ++ 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 29591955d08a..fb835a3822f4 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2159,7 +2159,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 struct tipc_msg *hdr = buf_msg(skb);
 struct tipc_gap_ack_blks *ga = NULL;
 bool reply = msg_probe(hdr), retransmitted = false;
- u16 dlen = msg_data_sz(hdr), glen = 0;
+ u32 dlen = msg_data_sz(hdr), glen = 0;
 u16 peers_snd_nxt = msg_next_sent(hdr);
 u16 peers_tol = msg_link_tolerance(hdr);
 u16 peers_prio = msg_linkprio(hdr);
@@ -2173,6 +2173,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 void *data;
 trace_tipc_proto_rcv(skb, false, l->name);
+
+ if (dlen > U16_MAX)
+ goto exit;
+
 if (tipc_link_is_blocked(l) || !xmitq)
 goto exit;
@@ -2268,7 +2272,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 /* Receive Gap ACK blocks from peer if any */
 glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
-
+ if(glen > dlen)
+ break;
 tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
 &l->mon_state, l->bearer_id);
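Review bot: `if(glen > dlen)` is missing the space after `if` that kernel coding style requires and checkpatch flags; write `if (glen > dlen)`. The guard itself is the right one: glen comes from tipc_get_gap_ack_blks() on the received header, and without it `dlen - glen` would wrap as a u32 before being truncated to the u16 length parameter of tipc_mon_rcv(). A short comment such as `/* Gap ACK blocks must fit inside the data area */` would make the intent obvious to the next reader. tipc_link_proto_rcv's body extends beyond this hunk.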
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
index 6dce2abf436e..a37190da5a50 100644
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
 state->probing = false;
 /* Sanity check received domain record */
+ if (new_member_cnt > MAX_MON_DOMAIN)
+ return;
 if (dlen < dom_rec_len(arrv_dom, 0))
 return;
 if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
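Review bot: The new `new_member_cnt > MAX_MON_DOMAIN` check is correctly placed ahead of the length checks, but nothing records why the order matters: `dom_rec_len(arrv_dom, new_member_cnt)` two lines below is computed from the peer-supplied count, and per the commit message an unbounded count overflows a stack buffer later in the function. Extend the existing comment to `/* Sanity check received domain record: bound the peer-supplied member count before it sizes anything */`. tipc_mon_rcv's body continues outside this hunk.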
From: Chao Liu liuchao173@huawei.com
euler inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4T7MX CVE: NA
--------------------------------
Provide a separate, distinct keyring for platform trusted keys which is used in secure boot.
Signed-off-by: Chao Liu liuchao173@huawei.com Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com Reviewed-by: Kai Liu kai.liu@suse.com Reviewed-by: Yin Xiujiang yinxiujiang@kylinos.cn Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- arch/arm64/configs/openeuler_defconfig | 3 ++- arch/x86/configs/openeuler_defconfig | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index a93616556d12..7bc72dfe9d05 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -6503,7 +6503,8 @@ CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
 CONFIG_IMA=y
 # CONFIG_IMA_KEXEC is not set
diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig
index febdd7627f8b..316c4122a859 100644
--- a/arch/x86/configs/openeuler_defconfig
+++ b/arch/x86/configs/openeuler_defconfig
@@ -7603,7 +7603,8 @@ CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
 CONFIG_IMA=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
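Review bot: Both defconfig sections also set `CONFIG_LOAD_UEFI_KEYS=y`, but the commit message only describes providing the platform keyring; as far as I can tell that option makes the kernel load the firmware's Secure Boot key databases into that keyring at boot, which changes what signatures are trusted and deserves a sentence in the message so reviewers know it is intentional. The same two-line change appears in both the arm64 and x86 sections.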