- Apr 01, 2021
-
-
Ding Hui authored
driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I3BNT6 CVE: NA ----------------------------------------------- We can get a crash when disconnecting the iSCSI session, the call trace like this: [ffff00002a00fb70] kfree at ffff00000830e224 [ffff00002a00fba0] ses_intf_remove at ffff000001f200e4 [ffff00002a00fbd0] device_del at ffff0000086b6a98 [ffff00002a00fc50] device_unregister at ffff0000086b6d58 [ffff00002a00fc70] __scsi_remove_device at ffff00000870608c [ffff00002a00fca0] scsi_remove_device at ffff000008706134 [ffff00002a00fcc0] __scsi_remove_target at ffff0000087062e4 [ffff00002a00fd10] scsi_remove_target at ffff0000087064c0 [ffff00002a00fd70] __iscsi_unbind_session at ffff000001c872c4 [ffff00002a00fdb0] process_one_work at ffff00000810f35c [ffff00002a00fe00] worker_thread at ffff00000810f648 [ffff00002a00fe70] kthread at ffff000008116e98 In ses_intf_add, components count could be 0, and kcalloc 0 size scomp, but not saved in edev->component[i].scratch In this situation, edev->component[0].scratch is an invalid pointer, when kfree it in ses_intf_remove_enclosure, a crash like above would happen The call trace also could be other random cases when kfree cannot catch the invalid pointer We should not use edev->component[] array when the components count is 0 We also need check index when use edev->component[] array in ses_enclosure_data_process Another fix option is report error and do not attach in ses_intf_add if we meet a zero component enclosure Tested-by:
Zeng Zhicong <timmyzeng@163.com> Signed-off-by:
Ding Hui <dinghui@sangfor.com.cn> Reviewed-by:
Jason Yan <yanaijie@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Guangbin Huang authored
driver inclusion category: feature bugzilla: NA CVE: NA ---------------------------- Previously, VF updates its link status every second by send query command to PF in periodic service task. If link stats of PF is changed, VF may need at most one second to update its link status. To reduce delay of link status between PF and VFs, PF actively push its link status to VFs when its link status is updated. And to let VF know PF supports this new feature, the link status changed mailbox command Signed-off-by:
Guangbin Huang <huangguangbin2@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Yonglong Liu authored
driver inclusion category: bugfix bugzilla: NA CVE: NA ----------------------------- This patch update hns version to 21.2.1 and make driver version the same as module version. Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
YueHaibing authored
mainline inclusion from mainline-5.10-rc1 commit 26613a95 category: bugfix bugzilla: NA CVE: NA --------------------------- There is no caller in tree. Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Barry Song authored
mainline inclusion from mainline-5.10-rc1 commit 5a6bd84f category: bugfix bugzilla: NA CVE: NA --------------------------- Rather than doing request_irq and then disabling the irq immediately, it should be safer to use IRQ_NOAUTOEN flag for the irq. It removes any gap between request_irq() and disable_irq(). Cc: Salil Mehta <salil.mehta@huawei.com> Reviewed-by:
Yunsheng Lin <linyunsheng@huawei.com> Signed-off-by:
Barry Song <song.bao.hua@hisilicon.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Gustavo A. R. Silva authored
mainline inclusion from mainline-5.7-rc1 commit c5d6cf90 category: bugfix bugzilla: NA CVE: NA --------------------------- The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732 ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by:
Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Zheng Yongjun authored
mainline inclusion from mainline-5.11-rc1 commit 3d4068b24cd947ca4e3fd7f4f2a34fa1bc229202 category: bugfix bugzilla: NA CVE: NA --------------------------- Replace a comma between expression statements by a semicolon. Signed-off-by:
Zheng Yongjun <zhengyongjun3@huawei.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Colin Ian King authored
mainline inclusion from mainline-5.5-rc1 commit 99d89572 category: bugfix bugzilla: NA CVE: NA --------------------------- Don't populate the arrays port_map and sl_map on the stack but instead make them static. Makes the object code smaller by 64 bytes. Before: text data bss dec hex filename 49575 6872 64 56511 dcbf hisilicon/hns/hns_dsaf_main.o After: text data bss dec hex filename 49350 7032 64 56446 dc7e hisilicon/hns/hns_dsaf_main.o (gcc version 9.2.1, amd64) Signed-off-by:
Colin Ian King <colin.king@canonical.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Krzysztof Wilczynski authored
mainline inclusion from mainline-5.4-rc1 commit 5e5d8bc4 category: bugfix bugzilla: NA CVE: NA --------------------------- Move the static keyword to the front of declaration of g_dsaf_mode_match, and resolve the following compiler warning that can be seen when building with warnings enabled (W=1): drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c:27:1: warning: ‘static’ is not at beginning of declaration [-Wold-style-declaration] Signed-off-by:
Krzysztof Wilczynski <kw@linux.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Xu Wang authored
mainline inclusion from mainline-5.9-rc1 commit 74b5afea category: bugfix bugzilla: NA CVE: NA --------------------------- This patch is to use eth_broadcast_addr() to assign broadcast address insetad of memset(). Signed-off-by:
Xu Wang <vulab@iscas.ac.cn> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Jason Yan authored
mainline inclusion from mainline-5.8-rc1 commit 6d927977 category: bugfix bugzilla: NA CVE: NA --------------------------- Fix the following coccicheck warning: drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c:700:2-8: WARNING: Assignment of 0/1 to bool variable drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c:702:2-8: WARNING: Assignment of 0/1 to bool variable Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Jason Yan <yanaijie@huawei.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Yonglong Liu authored
driver inclusion category: bugfix bugzilla: NA CVE: NA ----------------------------- The "Advertised link modes" always shows "1000baseT/Full", because the driver only assigned this value. Function ethtool_convert_link_mode_to_legacy_u32() should be called after function phy_ethtool_ksettings_get() to get the current value of the phy. Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Yonglong Liu authored
driver inclusion category: bugfix bugzilla: NA CVE: NA ----------------------------- When setting "autoneg off speed 100 duplex half", ping will failed. This patch turn off the autoneg mode of mac to fix the problem. Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Tom Rix authored
mainline inclusion from mainline-v5.11-rc5 commit 99d518970c5a1901e83cdd4a0a6ff5a41ba56a56 category: bugfix bugzilla: NA CVE: NA ---------------------------- When DEBUG is defined this error occurs drivers/net/ethernet/hisilicon/hns/hns_enet.c:1505:36: error: ‘struct net_device’ has no member named ‘ae_handle’; did you mean ‘rx_handler’? assert(skb->queue_mapping < ndev->ae_handle->q_num); ^~~~~~~~~ ae_handle is an element of struct hns_nic_priv, so change ndev to priv. Signed-off-by:
Tom Rix <trix@redhat.com> Link: https://lore.kernel.org/r/20210117191044.533725-1-trix@redhat.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Yonglong Liu authored
driver inclusion category: bugfix bugzilla: NA CVE: NA ---------------------------- When disable promisc mode after enable promisc mode, the non-promiscuous mode does not take effect. The driver use the last 12 mac table for promisc mode(6 ports, each port have a mc vague mac table and a uc vague mac table). But when disabling promisc mode, the driver did not look for the last 12 vague mac table, cause this problem. Fixes: 421ccc3859d6 ("net: hns: fix ping failed when use net bridge and send multicast") Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Yonglong Liu authored
driver inclusion category: cleanup bugzilla: NA CVE: NA ---------------------------- Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Thomas Gleixner authored
mainline inclusion from mainline-5.2-rc3 commit 2874c5fd category: bugfix bugzilla: NA CVE: NA --------------------------- Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 3029 file(s). Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Reviewed-by:
Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yonglong Liu <liuyonglong@huawei.com> Reviewed-by:
li yongxin <liyongxin1@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Chiqijun authored
driver inclusion category: bugfix bugzilla: 4472 ----------------------------------------------------------------------- update hinic version to 2.3.2.18 Signed-off-by:
Chiqijun <chiqijun@huawei.com> Reviewed-by:
Wangxiaoyun <cloud.wangxiaoyun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Chiqijun authored
driver inclusion category: feature bugzilla: 4472 ----------------------------------------------------------------------- Add support for hinic PMD on VF Signed-off-by:
Chiqijun <chiqijun@huawei.com> Reviewed-by:
Wangxiaoyun <cloud.wangxiaoyun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Chiqijun authored
driver inclusion category: feature bugzilla: 4472 ----------------------------------------------------------------------- Add XDP support for pass and drop actions. Signed-off-by:
Chiqijun <chiqijun@huawei.com> Reviewed-by:
Wangxiaoyun <cloud.wangxiaoyun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Chiqijun authored
driver inclusion category: feature bugzilla: 4472 ----------------------------------------------------------------------- Add the 'ethtool -K ethx rx-vlan-filter on/off' command to turn on/off the vlan filter. Signed-off-by:
Chiqijun <chiqijun@huawei.com> Reviewed-by:
Wangxiaoyun <cloud.wangxiaoyun@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Wenwen Wang authored
mainline inclusion from mainline-5.4-rc1 commit cfddf9f4 category: bugfix bugzilla: 21612 CVE: NA --------------------------- In __break_lease(), the file lock 'new_fl' is allocated in lease_alloc(). However, it is not deallocated in the following execution if smp_load_acquire() fails, leading to a memory leak bug. To fix this issue, free 'new_fl' before returning the error. Signed-off-by:
Wenwen Wang <wenwen@cs.uga.edu> Signed-off-by:
Jeff Layton <jlayton@kernel.org> Signed-off-by:
Yu Kuai <yukuai3@huawei.com> Reviewed-by:
zhangyi (F) <yi.zhang@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
- Mar 29, 2021
-
-
Liu Shixin authored
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I3CG47 CVE: NA ------------------------------------------------- Patch a222f341 ("mm: generalize putback scan functions") has combined move_active_pages_to_lru() and putback_inactive_pages() into single move_pages_to_lru(). But we didn't backport this patch so move_active_pages_to_lru() is still existed. When We moved mem_cgroup_uncharge() in 7ae88534 ("mm: move mem_cgroup_uncharge out of __page_cache_release()"), move_active_pages_to_lru() should be changed together. Fixes: 7ae88534 ("mm: move mem_cgroup_uncharge out of __page_cache_release()") Signed-off-by:
Liu Shixin <liushixin2@huawei.com> Reviewed-by:
Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Dan Carpenter authored
stable inclusion from linux-4.19.181 commit eda4378094de16090d74eacea3d8c10f7719ed25 CVE: CVE-2021-28660 -------------------------------- commit 74b6b20df8cfe90ada777d621b54c32e69e27cd7 upstream. This code has a check to prevent read overflow but it needs another check to prevent writing beyond the end of the ->ssid[] array. Fixes: a2c60d42 ("staging: r8188eu: Add files for new driver - part 16") Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Tyrel Datwyler authored
stable inclusion from linux-4.19.183 commit f27a00f0d5b0646a52633e98f5fc3ef719004dcd CVE: CVE-2021-28972 -------------------------------- commit cc7a0bb058b85ea03db87169c60c7cfdd5d34678 upstream. Both add_slot_store() and remove_slot_store() try to fix up the drc_name copied from the store buffer by placing a NUL terminator at nbyte + 1 or in place of a '\n' if present. However, the static buffer that we copy the drc_name data into is not zeroed and can contain anything past the n-th byte. This is problematic if a '\n' byte appears in that buffer after nbytes and the string copied into the store buffer was not NUL terminated to start with as the strchr() search for a '\n' byte will mark this incorrectly as the end of the drc_name string resulting in a drc_name string that contains garbage data after the n-th byte. Additionally it will cause us to overwrite that '\n' byte on the stack with NUL, potentially corrupting data on the stack. The following debugging shows an example of the drmgr utility writing "PHB 4543" to the add_slot sysfs attribute, but add_slot_store() logging a corrupted string value. drmgr: drmgr: -c phb -a -s PHB 4543 -d 1 add_slot_store: drc_name = PHB 4543°|<82>!, rc = -19 Fix this by using strscpy() instead of memcpy() to ensure the string is NUL terminated when copied into the static drc_name buffer. Further, since the string is now NUL terminated the code only needs to change '\n' to '\0' when present. Cc: stable@vger.kernel.org Signed-off-by:
Tyrel Datwyler <tyreld@linux.ibm.com> [mpe: Reformat change log and add mention of possible stack corruption] Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20210315214821.452959-1-tyreld@linux.ibm.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by:
Xiongfeng Wang <wangxiongfeng2@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Kan Liang authored
stable inclusion from linux-4.19.183 commit b35214c541365c7dd7c9d5f44a02b0633a1cc83f CVE: CVE-2021-28971 -------------------------------- commit d88d05a9e0b6d9356e97129d4ff9942d765f46ea upstream. A repeatable crash can be triggered by the perf_fuzzer on some Haswell system. https://lore.kernel.org/lkml/7170d3b-c17f-1ded-52aa-cc6d9ae999f4@maine.edu/ For some old CPUs (HSW and earlier), the PEBS status in a PEBS record may be mistakenly set to 0. To minimize the impact of the defect, the commit was introduced to try to avoid dropping the PEBS record for some cases. It adds a check in the intel_pmu_drain_pebs_nhm(), and updates the local pebs_status accordingly. However, it doesn't correct the PEBS status in the PEBS record, which may trigger the crash, especially for the large PEBS. It's possible that all the PEBS records in a large PEBS have the PEBS status 0. If so, the first get_next_pebs_record_by_bit() in the __intel_pmu_pebs_event() returns NULL. The at = NULL. Since it's a large PEBS, the 'count' parameter must > 1. The second get_next_pebs_record_by_bit() will crash. Besides the local pebs_status, correct the PEBS status in the PEBS record as well. Fixes: 01330d72 ("perf/x86: Allow zero PEBS status with only single active event") Reported-by:
Vince Weaver <vincent.weaver@maine.edu> Suggested-by:
Peter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by:
Kan Liang <kan.liang@linux.intel.com> Signed-off-by:
Peter Zijlstra (Intel) <peterz@infradead.org> Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1615555298-140216-1-git-send-email-kan.liang@linux.intel.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by:
Jian Cheng <cj.chengjian@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Filipe Manana authored
stable inclusion from linux-4.19.183 commit 12dc6889bcff1bc2921a1587afca55ca4091b73e CVE: CVE-2021-28964 -------------------------------- commit dbcc7d57bffc0c8cac9dac11bec548597d59a6a5 upstream. While resolving backreferences, as part of a logical ino ioctl call or fiemap, we can end up hitting a BUG_ON() when replaying tree mod log operations of a root, triggering a stack trace like the following: ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:1210! invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 PID: 19054 Comm: crawl_335 Tainted: G W 5.11.0-2d11c0084b02-misc-next+ #89 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__tree_mod_log_rewind+0x3b1/0x3c0 Code: 05 48 8d 74 10 (...) RSP: 0018:ffffc90001eb70b8 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff88812344e400 RCX: ffffffffb28933b6 RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ...
-
Piotr Krysiuk authored
stable inclusion from linux-4.19.182 commit ec5307f2ed2377fc55f0a8c990c6004c63014a54 CVE: CVE-2020-27171 -------------------------------- commit 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 upstream. retrieve_ptr_limit() computes the ptr_limit for registers with stack and map_value type. ptr_limit is the size of the memory area that is still valid / in-bounds from the point of the current position and direction of the operation (add / sub). This size will later be used for masking the operation such that attempting out-of-bounds access in the speculative domain is redirected to remain within the bounds of the current map value. When masking to the right the size is correct, however, when masking to the left, the size is off-by-one which would lead to an incorrect mask and thus incorrect arithmetic operation in the non-speculative domain. Piotr found that if the resulting alu_limit value is zero, then the BPF_MOV32_IMM() from the fixup_bpf_calls() rewrite will end up loading 0xffffffff into AX instead of sign-extending to the full 64 bit range, and as a result, this allows abuse for executing speculatively out-of- bounds loads against 4GB window of address space and thus extracting the contents of kernel memory via side-channel. Fixes: 979d63d5 ("bpf: prevent out of bounds speculation on pointer arithmetic") Signed-off-by:
Piotr Krysiuk <piotras@gmail.com> Co-developed-by:
Daniel Borkmann <daniel@iogearbox.net> Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Acked-by:
Alexei Starovoitov <ast@kernel.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by:
Jian Cheng <cj.chengjian@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Piotr Krysiuk authored
stable inclusion from linux-4.19.182 commit bc49612a0e2c379a0d997375901c5371ba015518 CVE: CVE-2020-27170 -------------------------------- commit f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 upstream. The purpose of this patch is to streamline error propagation and in particular to propagate retrieve_ptr_limit() errors for pointer types that are not defining a ptr_limit such that register-based alu ops against these types can be rejected. The main rationale is that a gap has been identified by Piotr in the existing protection against speculatively out-of-bounds loads, for example, in case of ctx pointers, unprivileged programs can still perform pointer arithmetic. This can be abused to execute speculatively out-of-bounds loads without restrictions and thus extract contents of kernel memory. Fix this by rejecting unprivileged programs that attempt any pointer arithmetic on unprotected pointer types. The two affected ones are pointer to ctx as well as pointer to map. Field access to a modified ctx' pointer is rejected at a later point in time in the verifier, and 7c696732 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") only relevant for root-only use cases. Risk of unprivileged program breakage is considered very low. Fixes: 7c696732 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") Fixes: b2157399 ("bpf: prevent out-of-bounds speculation") Signed-off-by:
Piotr Krysiuk <piotras@gmail.com> Co-developed-by:
Daniel Borkmann <daniel@iogearbox.net> Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Acked-by:
Alexei Starovoitov <ast@kernel.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by:
Jian Cheng <cj.chengjian@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Dan Carpenter authored
stable inclusion from linux-4.19.162 commit 304c080fc33258e3b177b6f0736b97d54e6fea3b CVE: CVE-2020-35519 -------------------------------- [ Upstream commit 6ee50c8e ] The .x25_addr[] address comes from the user and is not necessarily NUL terminated. This leads to a couple problems. The first problem is that the strlen() in x25_bind() can read beyond the end of the buffer. The second problem is more subtle and could result in memory corruption. The call tree is: x25_connect() --> x25_write_internal() --> x25_addr_aton() The .x25_addr[] buffers are copied to the "addresses" buffer from x25_write_internal() so it will lead to stack corruption. Verify that the strings are NUL terminated and return -EINVAL if they are not. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Fixes: a9288525 ("X25: Dont let x25_bind use addresses containing characters") Reported-by:
"kiyin(尹亮)" <kiyin@tencent.com> Signed-off-by: Dan Carpenter ...
-
Dave Airlie authored
stable inclusion from linux-4.19.140 commit 10c8a526b2db1fcdf9e2d59d4885377b91939c55 CVE: CVE-2021-20292 -------------------------------- commit 5de5b6ec upstream. This is confusing, and from my reading of all the drivers only nouveau got this right. Just make the API act under driver control of it's own allocation failing, and don't call destroy, if the page table fails to create there is nothing to cleanup here. (I'm willing to believe I've missed something here, so please review deeply). Reviewed-by:
Christian König <christian.koenig@amd.com> Signed-off-by:
Dave Airlie <airlied@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Reviewed-by:
Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
卢佳琳 authored
hulk inclusion category: feature/cgroups bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=7 CVE: NA -------- The patch adds ifndef(__GENKSYMS__) into cgroup_subsys.h, and this change is more nasty than it looks. It hides the fact that that we change the layout of "struct cgroup" and "struct css_set", they both have the subsys[CGROUP_SUBSYS_COUNT] member. I hope this is fine, the modular code has no reasons to access the private members after ->subsys[], and the helpers like cgroup_sane_behavior() shouldn't be used by external modules. The patch also fixes the following compile warning caused by the fix kabi broken. Signed-off-by:
Lu Jialin <lujialin4@huawei.com> Reviewed-by:
Chen Zhou <chenzhou10@huawei.com> Reviewed-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
张明 authored
openEuler inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I3D58V CVE: NA ---------------------------------- No unlock operation is performed on the mpam_devices_lock before the return statement, which may lead to a deadlock. Signed-off-by:
Zhang Ming <154842638@qq.com> Reported-by:
Cheng Jian <cj.chengjian@huawei.com> Suggested-by:
Cheng Jian <cj.chengjian@huawei.com> Reviewed-by:
Wang ShaoBo <bobo.shaobowang@huawei.com> Reviewed-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com>
-
Zhen Lei authored
driver inclusion category: feature bugzilla: 50797 CVE: NA ------------------------------------------------------------------------- Set CONFIG_GMJS_TCM_CORE=m and CONFIG_GMJS_TCM_SPI=m, so that its ko can be distributed in ISO on arm64. Signed-off-by:
Zhen Lei <thunder.leizhen@huawei.com> Acked-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Li ZhiGang authored
driver inclusion category: feature bugzilla: 50797 CVE: NA ------------------------------------------------------------------------- Nationz Tech TCM are used for trusted computing, the chip attached via SPI or LPC. We have a brief verify/test with this driver on KunPeng920 + openEuler system, with externally compiled module. Signed-off-by:
Li ZhiGang <lizhigang@kylinos.cn> Acked-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Yang Yingliang authored
driver inclusion category: feature bugzilla: 50777 CVE: NA ------------------------------------------------------------------------- enable config TXGBE by default on arm64 for compile test. Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
zhenpengzheng authored
driver inclusion category: feature bugzilla: 50777 CVE: NA ------------------------------------------------------------------------- Set CONFIG_TXGBE=m, so that its ko can be distributed in ISO on X86. Signed-off-by:
zhenpengzheng <zhenpengzheng@net-swift.com> Acked-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
zhenpengzheng authored
driver inclusion category: feature bugzilla: 50777 CVE: NA ------------------------------------------------------------------------- This driver is based on drivers/net/ethernet/intel/ixgbe/. Signed-off-by:
zhenpengzheng <zhenpengzheng@net-swift.com> Acked-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
- Mar 22, 2021
-
-
张明 authored
openEuler inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I3BPPX CVE: NA ----------------------------------------------------------- The default branch in switch will not run at present, but there may be related extensions in the future, which may lead to memory leakage. Signed-off-by:
Zhang Ming <154842638@qq.com> Reported-by:
Wang ShaoBo <bobo.shaobowang@huawei.com> Suggested-by:
Jian Cheng <cj.chengjian@huawei.com> Reviewed-by:
Xie XiuQi <xiexiuqi@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-
Jason Yan authored
hulk inclusion category: bugfix bugzilla: NA CVE: NA ----------------------------------------------- When the scsi device status is offline, mode sense command will return a result with only DID_NO_CONNECT set. Then in sd_read_write_protect_flag(), only status byte of the result is checked, we still consider the command returned good, and read sdkp->write_prot from the buffer. And because of bug [1], garbage data is copied to the buffer, the disk sometimes be set readonly. When the scsi device is set running again, users cannot write data to the disk. Fix this by check the whole result returned by the driver. [1] https://patchwork.kernel.org/project/linux-block/patch/20210318122621.330010-1-yanaijie@huawei.com/ Signed-off-by:
Jason Yan <yanaijie@huawei.com> Reviewed-by:
Yufen Yu <yuyufen@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
Cheng Jian <cj.chengjian@huawei.com>
-