- Jul 01, 2022
-
-
Liu Shixin authored
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5EZK8
CVE: NA

--------------------------------

After patch ddbd89deb7d3 ("swiotlb: fix info leak with DMA_FROM_DEVICE"), swiotlb_bounce will be called in swiotlb_tbl_map_single unconditionally. This requires that the physical address must be valid, which is not always true on stable-4.19 or earlier versions. On stable-4.19, swiotlb_alloc_buffer will call swiotlb_tbl_map_single with orig_addr equal to zero, which causes such a panic:

    Unable to handle kernel paging request at virtual address ffffb77a40000000
    ...
    pc : __memcpy+0x100/0x180
    lr : swiotlb_bounce+0x74/0x88
    ...
    Call trace:
    __memcpy+0x100/0x180
    swiotlb_tbl_map_single+0x2c8/0x338
    swiotlb_alloc+0xb4/0x198
    __dma_alloc+0x84/0x1d8
    ...

On stable-4.9 and stable-4.14, swiotlb_alloc_coherent will call map_single with orig_addr equal to zero, which can cause the same panic.

Fix this by skipping swiotlb_bounce when orig_addr is zero.

Fixes: ddbd89deb7d3 ("swiotlb: fix info leak with DMA_FROM_DEVICE")
Signed-off-by:
Liu Shixin <liushixin2@huawei.com> Reviewed-by:
Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Vitaly Kuznetsov authored
stable inclusion from stable-v4.19.238 commit 2f4835b5188f3b73b2b048a761ae2553e845b027 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5EI1I CVE: CVE-2022-2153 -------------------------------- commit b1e34d325397a33d97d845e312d7cf2a8b646b44 upstream. Setting non-zero values to SYNIC/STIMER MSRs activates certain features, this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated. Note, it would've been better to forbid writing anything to SYNIC/STIMER MSRs, including zeroes, however, at least QEMU tries clearing HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat 'special' as writing zero there triggers an action, this also should not happen when SynIC wasn't activated. Signed-off-by:
Vitaly Kuznetsov <vkuznets@redhat.com> Message-Id: <20220325132140.25650-4-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
ChenXiaoSong <chenxiaosong2@huawei.com> Reviewed-by:
Jason Yan <yanaijie@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I578LV CVE: NA ------------------------------------------------- Add the missing initialization for kc.sp_flag in sp_make_share_kva_to_spg(). Or a random value would be used in sp_remap_kva_to_vma(). Fixes: da51b55e ("mm/share_pool: Support read-only memory allocation") Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 29, 2022
-
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- sp_get_local_group() could be invoked in kthread, where the current process isn't the process we want. Add a parameter and let the caller avoid this problem. Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- The user doesn't care about the start address of the dvpp range; what matters is that the virtual space tagged DVPP is located in a 16G range. So we can safely drop the dvpp address space as long as it's empty during the merging process. Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- Currently the dvpp range is global for each device. And it is unreasonable after the reconstruction that makes the DVPP mappings private to each process or group. This allows configuring the dvpp range for each process. The dvpp range for each dvpp mapping can only be configured once just as the old version. Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- When SPG_NOD_DVPP is specified to sp_group_add_task, we don't create a DVPP mapping for the newly created sp_group. And the new group cannot support allocating DVPP memory. Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS
CVE: NA

--------------------------------

1. Add a list for sp_mapping to record all the sp_groups attached to it.
2. Initialize the sp_mapping for local_group when it is created. So when we add a task to a group, we should merge the dvpp mapping of the local group.
3. Every two groups can be merged if and only if at least one of them is empty. Then the empty mapping would be dropped and another mapping would be attached to the two groups. This needs to traverse all the groups attached to the mapping.
4. A mapping is considered empty when no spa is allocated from it and its address space is default.

Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- A few structures must have been created when a process wants to get into sharepool subsystem, including allocating sharepool memory, being added into a spg or doing k2u and so on. Currently we create those structures just before we actually need them. For example, we find or create a sp_spa_stat after a successful memory allocation and before updating the statistical structure. The creation of a new structure may fail due to oom and we should then reclaim the memory allocated and revert all the process before. Or we just forget to do that and a potential memory-leak occurs. This design makes it confusing when we indeed create a structure and we always worry about potential memory-leak when we change the code around it. A better solution is to initialize all those structures at the same time when a process joins in sharepool subsystem. And in future, we will clear the unnecessary statistical structures. Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS
CVE: NA

--------------------------------

There are two types of memory allocated from sharepool: passthrough memory for DVPP and shared memory. Currently, we branch to different routines depending on the memory type, both during the allocation and free process. Since we have already created a local group for passthrough memory, with just one step ahead, we could drop the redundant branches in allocation and free process and in all the fallback process when an error occurs.

Here is the content of this patch:

1. Add every process to its local group when initializing its group_master.
2. Avoid returning the local group in find_sp_group_id_by_pid().
3. Delete the redundant branches during allocation and free process.

Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Wang Wensheng authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- When we destroy a vma, we first find the spa depending on the vma->vm_start, during which we should hold the sp_area_lock. While we store the spa in vma, we can get the spa directly. Don't worry if the spa exists or if it's to be freed soon, since we have increased the refcount for the spa when it's mapped into a vma. Signed-off-by:
Wang Wensheng <wangwensheng4@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Zhou Guanghui authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- The management of the address space is adjusted, and the statistical data processing of the shared pool needs to be adapted. Signed-off-by:
Zhou Guanghui <zhouguanghui1@huawei.com> Signed-off-by:
Zhang Jian <zhangjian210@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Zhou Guanghui authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- The address space of the DVPP is managed by group. When releasing the shared pool memory, you need to find the corresponding address space based on the ID. Signed-off-by:
Zhou Guanghui <zhouguanghui1@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Zhou Guanghui authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- The DVPP address space is per process or per sharing group. During sp_free and unshare, you need to know which address space the current address belongs to. Signed-off-by:
Zhou Guanghui <zhouguanghui1@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Zhou Guanghui authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- Separately manage the normal and dvpp address spaces of the sp_group and set the normal and dvpp address spaces of the corresponding groups when adding a group, sp_alloc, and k2task. Signed-off-by:
Zhou Guanghui <zhouguanghui1@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Zhou Guanghui authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- struct sp_mapping is used to manage the address space of a shared pool. During the initialization of the shared pool, normal address spaces are created to allocate the memory of the current shared pool. Signed-off-by:
Zhou Guanghui <zhouguanghui1@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Zhou Guanghui authored
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5EORS CVE: NA -------------------------------- The single-group mode has no application scenario. Therefore, the related branch is deleted. The boot option "enable_sp_multi_group_mode" does not take effect. Signed-off-by:
Zhou Guanghui <zhouguanghui1@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 28, 2022
-
-
Zhihao Cheng authored
hulk inclusion
category: bugfix
bugzilla: 186543, https://gitee.com/openeuler/kernel/issues/I5BGFA
CVE: NA

--------------------------------

The following process will trigger a use-after-free problem:

1. open /proc/sysvipc/msg and lock it by file lock
    fcntl_setlk
    do_lock_file_wait
    vfs_lock_file
    posix_lock_file
    locks_insert_lock_ctx
    locks_insert_global_locks // Added to lock list
2. Close /proc/sysvipc/msg by io_uring
    filp_close(close->put_file, req->work.files) // req->work.files equals NULL, io_grab_files() initializes it, non-async operations won't invoke the function.
    locks_remove_posix(filp, NULL)
    lock.fl_owner = NULL
    vfs_lock_file
    posix_lock_file
    posix_same_owner // Return false according to fl_owner.
    locks_delete_lock_ctx(fl, &dispose) and locks_dispose_list won't be executed, flock is not removed from lock list
    fput(filp) // release filp
3. Read /proc/locks
    seq_read
    locks_start // Get flock from lock list
    locks_show
    lock_get_status
    file_inode(f->file) // Access released file, UAF occurs!

Fix it by passing current->files when req->work.files is uninitialized, because io-sq thread shares same files with uring_fd task, so it still works in SQPOLL mode.

Signed-off-by:
Zhihao Cheng <chengzhihao1@huawei.com> Reviewed-by:
Zhang Yi <yi.zhang@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 27, 2022
-
-
卢佳琳 authored
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5E8LA CVE: NA -------------------------------- At present, only when the absolute value of stat_cpu->count exceeds MEMCG_CHARGE_BATCH will it be updated to stat, so there will always be a certain lag difference between stat and the correct value. In addition, since the partially deleted memcg is still referenced, it will not be freed immediately after it is offline. Although the remaining memcg has released the page, it and the parent's stat will still be not 0 or too large due to the update lag, which leads to the abnormality of the total_<count> parameter in the memory.stat file. This patch mainly solves the problem of synchronization between memcg's stat and the correct value during the destruction process from two aspects: 1) Perform a flush synchronization operation when memcg is offline 2) For memcg in the process of being destroyed, bypass the threshold judgment when updating vmstats Signed-off-by:
Lu Jialin <lujialin4@huawei.com> Reviewed-by:
Kefeng Wang <wangkefeng.wang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 25, 2022
-
-
Li Lingfeng authored
hulk inclusion
category: bugfix
bugzilla: 186944, https://gitee.com/openeuler/kernel/issues/I5DAJY
CVE: NA

--------------------------------

When migrating to extents, the checksum seed of temporary inode needs to be replaced by inode's, otherwise the inode checksums will be incorrect when swapping the inodes data. However, the temporary inode can not match its checksum to itself since it has lost its own checksum seed.

    mkfs.ext4 -F /dev/sdc
    mount /dev/sdc /mnt/sdc
    xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/sdc/testfile
    chattr -e /mnt/sdc/testfile
    chattr +e /mnt/sdc/testfile
    fsck -fn /dev/sdc
    ========
    ...
    Pass 1: Checking inodes, blocks, and sizes
    Inode 13 passes checks, but checksum does not match inode. Fix? no
    ...
    ========

The fix is simple, save the checksum seed of temporary inode, and recover it after migrating to extents.

Fixes: e81c9302a6c3 ("ext4: set csum seed in tmp inode while migrating to extents")
Signed-off-by:
Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by:
Zhang Yi <yi.zhang@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 22, 2022
-
-
Kaixu Xia authored
mainline inclusion from mainline-v5.11-rc6 commit 237d7887ae723af7d978e8b9a385fdff416f357b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5AG18 CVE: NA -------------------------------- The quota option 'usrquota' should be shown if both the XFS_UQUOTA_ACCT and XFS_UQUOTA_ENFD flags are set. The option 'uqnoenforce' should be shown when only the XFS_UQUOTA_ACCT flag is set. The current code logic seems wrong. Fix it and show proper options. Signed-off-by:
Kaixu Xia <kaixuxia@tencent.com> Reviewed-by:
Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
- Jun 21, 2022
-
-
Joe Perches authored
mainline inclusion from mainline-v5.10-rc1 commit 6284a6e8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C32F CVE: CVE-2022-20166 --------------------------------------------------- Remove the trailing semicolon from the macro and add it to its uses. Signed-off-by:
Joe Perches <joe@perches.com> Link: https://lore.kernel.org/r/faf51a671160cf884efa68fb458d3e8a44b1a7a7.1600285923.git.joe@perches.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Joe Perches authored
mainline inclusion from mainline-v5.10-rc1 commit e015e036 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C32F CVE: CVE-2022-20166 -------------------------------------------------- Do not indirect the bitmap printing of these shared_cpu show functions by using cpumap_print_to_pagebuf/bitmap_print_to_pagebuf. Use the more typical style with the vsnprintf %*pb and %*pbl extensions directly so there is no possible mixup about the use of offset_in_page(buf) by bitmap_print_to_pagebuf. Signed-off-by:
Joe Perches <joe@perches.com> Link: https://lore.kernel.org/r/80457b467ab6cde13a173cfd8a4f49cd8467a7fd.1600285923.git.joe@perches.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Joe Perches authored
mainline inclusion from mainline-v5.10-rc1 commit 7981593b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C32F CVE: CVE-2022-20166 -------------------------------------------------- Convert the unbound sprintf in hugetlb_report_node_meminfo to use sysfs_emit_at so that no possible overrun of a PAGE_SIZE buf can occur. Signed-off-by:
Joe Perches <joe@perches.com> Acked-by:
Mike Kravetz <mike.kravetz@oracle.com> Link: https://lore.kernel.org/r/894b351b82da6013cde7f36ff4b5493cd0ec30d0.1600285923.git.joe@perches.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/base/node.c include/linux/hugetlb.h Signed-off-by:
Guo Mengqi <guomengqi3@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Joe Perches authored
mainline inclusion from mainline-v5.10-rc1
commit 948b3edb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C32F
CVE: CVE-2022-20166

--------------------------------------------------

Change additional instances that could use sysfs_emit and sysfs_emit_at that the coccinelle script could not convert.

o macros creating show functions with ## concatenation
o unbound sprintf uses with buf+len for start of output to sysfs_emit_at
o returns with ?: tests and sprintf to sysfs_emit
o sysfs output with struct class * not struct device * arguments

Miscellanea:

o remove unnecessary initializations around these changes
o consistently use int len for return length of show functions
o use octal permissions and not S_<FOO>
o rename a few show function names so DEVICE_ATTR_<FOO> can be used
o use DEVICE_ATTR_ADMIN_RO where appropriate
o consistently use const char *output for strings
o checkpatch/style neatening

Signed-off-by:
Joe Perches <joe@perches.com> Link: https://lore.kernel.org/r/8bc24444fe2049a9b2de6127389b57edfdfe324d.1600285923.git.joe@perches.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/base/bus.c drivers/base/core.c drivers/base/cpu.c drivers/base/dd.c drivers/base/memory.c drivers/base/node.c drivers/base/platform.c drivers/base/power/sysfs.c drivers/base/soc.c Signed-off-by:
Guo Mengqi <guomengqi3@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Joe Perches authored
mainline inclusion from mainline-v5.10-rc1 commit 973c3911 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C32F CVE: CVE-2022-20166 -------------------------------------------------- strcat is no longer necessary for sysfs_emit and sysfs_emit_at uses. Convert the strcat uses to sysfs_emit calls and neaten other block uses of direct returns to use an intermediate const char *. Signed-off-by:
Joe Perches <joe@perches.com> Link: https://lore.kernel.org/r/5d606519698ce4c8f1203a2b35797d8254c6050a.1600285923.git.joe@perches.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/base/node.c Signed-off-by:
Guo Mengqi <guomengqi3@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Joe Perches authored
mainline inclusion from mainline-v5.10-rc1 commit aa838896 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C32F CVE: CVE-2022-20166 ---------------------------------------------- Convert the various sprintf family calls in sysfs device show functions to sysfs_emit and sysfs_emit_at for PAGE_SIZE buffer safety. Done with: $ spatch -sp-file sysfs_emit_dev.cocci --in-place --max-width=80 . And cocci script: $ cat sysfs_emit_dev.cocci @@ identifier d_show; identifier dev, attr, buf; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... return - sprintf(buf, + sysfs_emit(buf, ...); ...> } @@ identifier d_show; identifier dev, attr, buf; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... return - snprintf(buf, PAGE_SIZE, + sysfs_emit(buf, ...); ...> } @@ identifier d_show; identifier dev, attr, buf; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... return - scnprintf(buf, PAGE_SIZE, + sysfs_emit(buf, ...); ...> } @@ identifier d_show; identifier dev, attr, buf; expression chr; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... return - strcpy(buf, chr); + sysfs_emit(buf, chr); ...> } @@ identifier d_show; identifier dev, attr, buf; identifier len; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... len = - sprintf(buf, + sysfs_emit(buf, ...); ...> return len; } @@ identifier d_show; identifier dev, attr, buf; identifier len; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... len = - snprintf(buf, PAGE_SIZE, + sysfs_emit(buf, ...); ...> return len; } @@ identifier d_show; identifier dev, attr, buf; identifier len; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... 
len = - scnprintf(buf, PAGE_SIZE, + sysfs_emit(buf, ...); ...> return len; } @@ identifier d_show; identifier dev, attr, buf; identifier len; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { <... - len += scnprintf(buf + len, PAGE_SIZE - len, + len += sysfs_emit_at(buf, len, ...); ...> return len; } @@ identifier d_show; identifier dev, attr, buf; expression chr; @@ ssize_t d_show(struct device *dev, struct device_attribute *attr, char *buf) { ... - strcpy(buf, chr); - return strlen(buf); + return sysfs_emit(buf, chr); } Signed-off-by:
Joe Perches <joe@perches.com> Link: https://lore.kernel.org/r/3d033c33056d88bbe34d4ddb62afd05ee166ab9a.1600285923.git.joe@perches.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: drivers/base/node.c Signed-off-by:
Guo Mengqi <guomengqi3@huawei.com> Reviewed-by:
Weilong Chen <chenweilong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 20, 2022
-
-
Chen Jiahao authored
hulk inclusion
category: bugfix
bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA
CVE: CVE-2022-23960

--------------------------------

In cpufeature.c, when num is set to ARM64_SPECTRE_BHB, it should not be passed to cpu_hwcap_keys, otherwise the out-of-range error would happen as below:

    UBSAN: Undefined behaviour in arch/arm64/kernel/cpufeature.c:1742:3
    index 40 is out of range for type 'static_key_false [39]'
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.90+ #1
    Call trace:
    dump_backtrace+0x0/0x390
    show_stack+0x24/0x30
    dump_stack+0x130/0x188
    ubsan_epilogue+0x14/0xa4
    __ubsan_handle_out_of_bounds+0x144/0x184
    __enable_cpu_capabilities+0x158/0x1d4
    setup_cpu_features+0x34/0xc8
    smp_cpus_done+0x44/0x13c
    smp_init+0x188/0x1a4
    kernel_init_freeable+0x454/0x974
    kernel_init+0x18/0x150
    ret_from_fork+0x10/0x18

Because KABI cpu_hwcap_keys is consistent and defined with length ARM64_NCAPS, which is smaller than ARM64_SPECTRE_BHB.

Fixes: 2df7cf89 ("arm64: fix extra cpucaps setup problem")
Signed-off-by:
Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by:
Liao Chang <liaochang1@huawei.com> Reviewed-by:
Zhang Jianhua <chris.zjh@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 18, 2022
-
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.5-rc1 commit c2414ad6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- There are a few places where we return -EIO instead of -EFSCORRUPTED when we find corrupt metadata. Fix those places. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Christoph Hellwig <hch@lst.de> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.5-rc1 commit 04df34ac category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- Actually call namecheck on directory entry names before we hand them over to userspace. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Christoph Hellwig <hch@lst.de> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.5-rc1 commit 16c6e92c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- Actually call namecheck on attribute names before we hand them over to userspace. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.5-rc1 commit c8476065 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- Add missing structure checks in the attribute leaf verifier. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.1-rc1 commit 65480536 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- Check extended attribute entry names for invalid characters. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.1-rc1 commit e5d7d51b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- Check directory entry names for invalid characters. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.1-rc1 commit f8c1d702 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- Teach scrub to flag extent maps that exceed the range that can be mapped with a xfs_dablk_t. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
Darrick J. Wong authored
mainline inclusion from mainline-v5.1-rc1 commit 3258cb20 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- The extended attribute scrubber should abort the "read all attrs" loop if there's a fatal signal pending on the process. Signed-off-by:
Darrick J. Wong <darrick.wong@oracle.com> Reviewed-by:
Brian Foster <bfoster@redhat.com> Signed-off-by:
tangbin <tangbin@cmss.chinamobile.com> Reviewed-by:
Lihong Kou <koulihong@huawei.com> Reviewed-by:
Xuenan Guo <guoxuenan@huawei.com> Signed-off-by:
Laibin Qiu <qiulaibin@huawei.com>
-
- Jun 17, 2022
-
-
Willy Tarreau authored
mainline inclusion from mainline-v5.18-rc6 commit 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C3A9 CVE: CVE-2022-32296 -------------------------------- Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately identify a client by forcing it to emit only 40 times more connections than there are entries in the table_perturb[] table. The previous two improvements consisting in resalting the secret every 10s and adding randomness to each port selection only slightly improved the situation, and the current value of 2^8 was too small as it's not very difficult to make a client emit 10k connections in less than 10 seconds. Thus we're increasing the perturb table from 2^8 to 2^16 so that the same precision now requires 2.6M connections, which is more difficult in this time frame and harder to hide as a background activity. The impact is that the table now uses 256 kB instead of 1 kB, which could mostly affect devices making frequent outgoing connections. However such components usually target a small set of destinations (load balancers, database clients, perf assessment tools), and in practice only a few entries will be visited, like before. A live test at 1 million connections per second showed no performance difference from the previous value. Reported-by:
Moshe Kol <moshe.kol@mail.huji.ac.il> Reported-by:
Yossi Gilad <yossi.gilad@mail.huji.ac.il> Reported-by:
Amit Klein <aksecurity@gmail.com> Reviewed-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
Willy Tarreau <w@1wt.eu> Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Conflicts: net/ipv4/inet_hashtables.c Signed-off-by:
Baisong Zhong <zhongbaisong@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by:
Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
Eric Dumazet authored
stable inclusion from stable-v4.19.246
commit ddec440133913a6b8880e53b896d521a4b7ff24f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C3A9
CVE: CVE-2022-32296

--------------------------------

commit 190cc82489f46f9d88e73c81a47e14f80a791e1a upstream.

RFC 6056 (Recommendations for Transport-Protocol Port Randomization) provides good summary of why source selection needs extra care.

David Dworken reminded us that linux implements Algorithm 3 as described in RFC 6056 3.3.3

Quoting David :

    In the context of the web, this creates an interesting info leak where websites can count how many TCP connections a user's computer is establishing over time. For example, this allows a website to count exactly how many subresources a third party website loaded.
    This also allows:
    - Distinguishing between different users behind a VPN based on distinct source port ranges.
    - Tracking users over time across multiple networks.
    - Covert communication channels between different browsers/browser profiles running on the same computer
    - Tracking what applications are running on a computer based on the pattern of how fast source ports are getting incremented.

Section 3.3.4 describes an enhancement, that reduces attackers ability to use the basic information currently stored into the shared 'u32 hint'.

This change also decreases collision rate when multiple applications need to connect() to different destinations.

Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
David Dworken <ddworken@google.com> Cc: Willem de Bruijn <willemb@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> [SG: Adjusted context] Signed-off-by:
Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: net/ipv4/inet_hashtables.c Signed-off-by:
Baisong Zhong <zhongbaisong@huawei.com> Reviewed-by:
Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 16, 2022
-
-
Chen Jiahao authored
hulk inclusion category: bugfix bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA CVE: CVE-2022-23960 -------------------------------- When introducing a new cpucaps macro ARM64_SPECTRE_BHB, ARM64_NCAPS was not able to be modified easily due to KABI consistency. Here introduce a workaround to properly setup ARM64_SPECTRE_BHB beyond ARM64_NCAPS range. Fixes: def2df57 ("KVM: arm64: Add templates for BHB mitigation sequences") Signed-off-by:
Chen Jiahao <chenjiahao16@huawei.com> Reviewed-by:
Zhang Jianhua <chris.zjh@huawei.com> Reviewed-by:
Liao Chang <liaochang1@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-
- Jun 15, 2022
-
-
Zhang Qiao authored
hulk inclusion category: bugfix bugzilla: 186973, https://gitee.com/openeuler/kernel/issues/I5CA6K CVE: NA -------------------------------- This reverts commit 74bd9b82. Signed-off-by:
Zhang Qiao <zhangqiao22@huawei.com> Reviewed-by:
Chen Hui <judy.chenhui@huawei.com> Signed-off-by:
Yongqiang Liu <liuyongqiang13@huawei.com>
-