diff --git a/blacklist.conf b/blacklist.conf
index 69fbc86..3e0dcf2 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -862,3 +862,4 @@ a909d629ae77b97b6288bc3cfe68560454bf79c6 # cleanup designed to break kABI
 e96fddb32931d007db12b1fce9b5e8e4c080401b # bsc#1222324 CVE-2024-26662: not affected: drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'
 4f32504a2f85a7b40fe149436881381f48e9c0c0 # bsc#1222358 CVE-2024-26672: not affected: drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'
 32f5f73b79ffdef215e2e1bcb6ad74387c0f925c # We don't have FRED
+993bf0f4c393b3667830918f9247438a8f6fdb5b # bug introduced by 83e80a6e3543f ("ext4: use buckets for cr 1 block scan instead of rbtree") in 6.0
diff --git a/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch b/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
index b090ce9..5398eae 100644
--- a/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
+++ b/patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
@@ -3,7 +3,7 @@ From: Oscar Salvador
 Date: Tue, 30 Jan 2024 22:04:18 +0100
 Subject: [PATCH] fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
-References: bsc#1219264 CVE-2024-0841
+References: bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482
 Patch-mainline: v6.8-rc4
 Git-commit: 79d72c68c58784a3e1cd2378669d51bfd0cb7498
diff --git a/patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch b/patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
index 587e091..3fc3522 100644
--- a/patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
+++ b/patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
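Review bot: The new blacklist line records only a "bug introduced in 6.0" rationale, while the neighbouring entries also carry the bug/CVE they dismiss (`# bsc#… CVE-…: not affected: …`); the same prefix should be added here so the decision stays greppable when the CVE is audited later. The rationale itself deserves a second look: the ext4 hunk further down in this commit shows this tree already calling `mb_update_avg_fragment_size(sb, grp);` from ext4_mb_generate_buddy(), and if 993bf0f4c393 is, as its mainline subject suggests, the divide-by-zero guard inside that function, the question is whether the pre-bucket variant here also divides `bb_free` by `bb_fragments` when a corrupted bitmap yields zero fragments. If it does, the bug predates 83e80a6e3543 for this tree and the commit should be backported rather than blacklisted; if it does not, say so in the comment (e.g. `# … in 6.0; our rbtree variant guards bb_fragments == 0`).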
@@ -4,7 +4,7 @@ Date: Sun, 24 Oct 2021 03:46:11 -0700
 Subject: [PATCH] ALSA: gus: fix null pointer dereference on pointer block
 Git-commit: a0d21bb3279476c777434c40d969ea88ca64f9aa
 Patch-mainline: v5.16-rc1
-References: git-fixes
+References: git-fixes CVE-2021-47207 bsc#1222790
 The pointer block return from snd_gf1_dma_next_block could be null, so there is a potential null pointer dereference issue.
diff --git a/patches.suse/ALSA-usb-audio-fix-null-pointer-dereference-on-point.patch b/patches.suse/ALSA-usb-audio-fix-null-pointer-dereference-on-point.patch
index b924ac1..3043de3 100644
--- a/patches.suse/ALSA-usb-audio-fix-null-pointer-dereference-on-point.patch
+++ b/patches.suse/ALSA-usb-audio-fix-null-pointer-dereference-on-point.patch
@@ -4,7 +4,7 @@ Date: Sun, 24 Oct 2021 04:17:36 -0700
 Subject: [PATCH] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
 Git-commit: b97053df0f04747c3c1e021ecbe99db675342954
 Patch-mainline: v5.16-rc1
-References: bsc#1192354
+References: bsc#1192354 CVE-2021-47211 bsc#1222869
 The pointer cs_desc return from snd_usb_find_clock_source could be null, so there is a potential null pointer dereference issue.
diff --git a/patches.suse/RDMA-core-Set-send-and-receive-CQ-before-forwarding-.patch b/patches.suse/RDMA-core-Set-send-and-receive-CQ-before-forwarding-.patch
index ef202df..fea3509 100644
--- a/patches.suse/RDMA-core-Set-send-and-receive-CQ-before-forwarding-.patch
+++ b/patches.suse/RDMA-core-Set-send-and-receive-CQ-before-forwarding-.patch
@@ -3,7 +3,7 @@ Date: Thu, 11 Nov 2021 13:45:00 +0200
 Subject: RDMA/core: Set send and receive CQ before forwarding to the driver
 Patch-mainline: v5.16-rc2
 Git-commit: 6cd7397d01c4a3e09757840299e4f114f0aa5fa0
-References: jsc#SLE-19249
+References: jsc#SLE-19249 CVE-2021-47196 bsc#1222773
 Preset both receive and send CQ pointers prior to call to the drivers and overwrite it later again till the mlx4 is going to be changed do not
diff --git a/patches.suse/arm64-dts-qcom-msm8998-Fix-CPU-L2-idle-state-latency.patch b/patches.suse/arm64-dts-qcom-msm8998-Fix-CPU-L2-idle-state-latency.patch
index 8b47625..dadb6d7 100644
--- a/patches.suse/arm64-dts-qcom-msm8998-Fix-CPU-L2-idle-state-latency.patch
+++ b/patches.suse/arm64-dts-qcom-msm8998-Fix-CPU-L2-idle-state-latency.patch
@@ -4,7 +4,7 @@ Date: Wed, 1 Sep 2021 20:31:21 +0200
 Subject: [PATCH] arm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency
 Git-commit: 3f1dcaff642e75c1d2ad03f783fa8a3b1f56dd50
 Patch-mainline: v5.16-rc1
-References: git-fixes
+References: git-fixes CVE-2021-47187 bsc#1222703
 The entry/exit latency and minimum residency in state for the idle states of MSM8998 were ..bad: first of all, for all of them the
diff --git a/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch b/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
index 4f48415..fb9baad 100644
--- a/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
+++ b/patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
@@ -78,18 +78,19 @@ Signed-off-by: Paolo Abeni
 Acked-by: Michal Kubecek
 ---
- net/ipv4/arp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ net/ipv4/arp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
 --- a/net/ipv4/arp.c
 +++ b/net/ipv4/arp.c
-@@ -1104,7 +1104,8 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev)
+@@ -1104,7 +1104,9 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev)
 if (neigh) {
 if (!(neigh->nud_state & NUD_NOARP)) {
 read_lock_bh(&neigh->lock);
 - memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len);
 + memcpy(r->arp_ha.sa_data, neigh->ha,
-+ min(dev->addr_len, sizeof(r->arp_ha.sa_data)));
++ min_t(unsigned char, dev->addr_len,
++ sizeof(r->arp_ha.sa_data)));
 r->arp_flags = arp_state_to_flags(neigh);
 read_unlock_bh(&neigh->lock);
 r->arp_ha.sa_family = dev->type;
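Review bot: `min_t(unsigned char, dev->addr_len, sizeof(r->arp_ha.sa_data))` casts the `sizeof` bound down to the address-length type before comparing, so the copy is capped correctly only because `sa_data` is small enough to survive the narrowing; widening the other way, `min_t(size_t, dev->addr_len, sizeof(r->arp_ha.sa_data))`, expresses the same bound without a cast that could ever truncate and reads as the overflow guard the patch title promises. Presumably `min()` was replaced because this tree's `min()` rejects mixed unsigned char/size_t operands; that deviation from the mainline hunk is not recorded anywhere, so a one-line backport note in the patch header (e.g. `[backport: min() -> min_t(), this tree's min() rejects mixed-type operands]`) would stop the next rebase from reverting it. Addresses longer than `sa_data` are now silently truncated rather than overflowing, which is the intended fix. arp_req_get() starts and ends outside the hunk.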
diff --git a/patches.suse/btrfs-fix-double-free-of-anonymous-device-after-snap.patch b/patches.suse/btrfs-fix-double-free-of-anonymous-device-after-snap.patch
index 127843c..a7c4dcf 100644
--- a/patches.suse/btrfs-fix-double-free-of-anonymous-device-after-snap.patch
+++ b/patches.suse/btrfs-fix-double-free-of-anonymous-device-after-snap.patch
@@ -2,7 +2,7 @@ From e2b54eaf28df0c978626c9736b94f003b523b451 Mon Sep 17 00:00:00 2001
 Message-ID:
 From: Filipe Manana
 Git-commit: e2b54eaf28df0c978626c9736b94f003b523b451
-References: bsc#1219126 CVE-2024-23850
+References: bsc#1219126 CVE-2024-23850 CVE-2024-26792 bsc#1222430
 Patch-mainline: v6.8-rc7
 Date: Fri, 23 Feb 2024 16:38:43 +0000
 Subject: [PATCH] btrfs: fix double free of anonymous device after snapshot
diff --git a/patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch b/patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
index 403e9f1..e09498c 100644
--- a/patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
+++ b/patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
@@ -4,7 +4,7 @@ Date: Thu, 28 Oct 2021 01:37:22 +0800
 Subject: [PATCH] cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
 Git-commit: 563fbefed46ae4c1f70cffb8eb54c02df480b2c2
 Patch-mainline: v5.16-rc2
-References: git-fixes
+References: git-fixes CVE-2021-47194 bsc#1222829
 If the userspace tools switch from NL80211_IFTYPE_P2P_GO to NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), it
diff --git a/patches.suse/clk-sunxi-ng-Unregister-clocks-resets-when-unbinding.patch b/patches.suse/clk-sunxi-ng-Unregister-clocks-resets-when-unbinding.patch
index df1f7de..d53cb1f 100644
--- a/patches.suse/clk-sunxi-ng-Unregister-clocks-resets-when-unbinding.patch
+++ b/patches.suse/clk-sunxi-ng-Unregister-clocks-resets-when-unbinding.patch
@@ -4,7 +4,7 @@ Date: Wed, 1 Sep 2021 00:05:19 -0500
 Subject: [PATCH] clk: sunxi-ng: Unregister clocks/resets when unbinding
 Git-commit: 9bec2b9c6134052994115d2d3374e96f2ccb9b9d
 Patch-mainline: v5.16-rc1
-References: git-fixes
+References: git-fixes CVE-2021-47205 bsc#1222888
 Currently, unbinding a CCU driver unmaps the device's MMIO region, while leaving its clocks/resets and their providers registered. This can cause
diff --git a/patches.suse/drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch b/patches.suse/drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
index 9b03d0f..1b2e70e 100644
--- a/patches.suse/drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
+++ b/patches.suse/drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
@@ -4,7 +4,7 @@ Date: Thu, 30 Sep 2021 09:00:07 +1000
 Subject: drm/prime: Fix use after free in mmap with drm_gem_ttm_mmap
 Git-commit: 8244a3bc27b3efd057da154b8d7e414670d5044f
 Patch-mainline: v5.16-rc1
-References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225
+References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 CVE-2021-47200 bsc#1222838
 drm_gem_ttm_mmap() drops a reference to the gem object on success. If the gem object's refcount == 1 on entry to drm_gem_prime_mmap(), that
diff --git a/patches.suse/ext4-avoid-allocating-blocks-from-corrupted-group-in.patch b/patches.suse/ext4-avoid-allocating-blocks-from-corrupted-group-in.patch
new file mode 100644
index 0000000..83fafd9
--- /dev/null
+++ b/patches.suse/ext4-avoid-allocating-blocks-from-corrupted-group-in.patch
@@ -0,0 +1,60 @@
+From 4530b3660d396a646aad91a787b6ab37cf604b53 Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Thu, 4 Jan 2024 22:20:38 +0800
+Subject: [PATCH] ext4: avoid allocating blocks from corrupted group in
+ ext4_mb_try_best_found()
+Git-commit: 4530b3660d396a646aad91a787b6ab37cf604b53
+Patch-mainline: v6.8-rc3
+References: bsc#1222618 CVE-2024-26773
+
+Determine if the group block bitmap is corrupted before using ac_b_ex in
+ext4_mb_try_best_found() to avoid allocating blocks from a group with a
+corrupted block bitmap in the following concurrency and making the
+situation worse.
+
+ext4_mb_regular_allocator
+ ext4_lock_group(sb, group)
+ ext4_mb_good_group
+ // check if the group bbitmap is corrupted
+ ext4_mb_complex_scan_group
+ // Scan group gets ac_b_ex but doesn't use it
+ ext4_unlock_group(sb, group)
+ ext4_mark_group_bitmap_corrupted(group)
+ // The block bitmap was corrupted during
+ // the group unlock gap.
+ ext4_mb_try_best_found
+ ext4_lock_group(ac->ac_sb, group)
+ ext4_mb_use_best_found
+ mb_mark_used
+ // Allocating blocks in block bitmap corrupted group
+
+Signed-off-by: Baokun Li
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20240104142040.2835097-7-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o
+Acked-by: Jan Kara
+
+---
+ fs/ext4/mballoc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2175,6 +2175,9 @@ int ext4_mb_try_best_found(struct ext4_a
+ return err;
+
+ ext4_lock_group(ac->ac_sb, group);
++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++ goto out;
++
+ max = mb_find_extent(e4b, ex.fe_start, ex.fe_len, &ex);
+
+ if (max > 0) {
+@@ -2182,6 +2185,7 @@ int ext4_mb_try_best_found(struct ext4_a
+ ext4_mb_use_best_found(ac, e4b);
+ }
+
++out:
+ ext4_unlock_group(ac->ac_sb, group);
+ ext4_mb_unload_buddy(e4b);
+
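Review bot: The new `goto out` fires before `max` is computed and leaves `err` at whatever ext4_mb_load_buddy() returned (presumably 0, given the `return err;` context just above), so a group that went corrupt in the unlock gap makes ext4_mb_try_best_found() return success with `ac->ac_status` untouched and the caller retries elsewhere; that is the intended semantics, but a reader will wonder whether an error code was forgotten, so a comment at the check would help, e.g. `/* bitmap went bad after the scan; bail out, caller will try another group */`. The `if (max > 0)` block that consumes `max` begins in the first hunk and the function body between the two hunks is not shown. The Link: trailer identifies this as patch 7 of the series and this commit also carries patch 4; if I recall the series correctly, patch 6 adds the identical EXT4_MB_GRP_BBITMAP_CORRUPT check to ext4_mb_find_by_goal(), which has the same lock-gap window, so confirm it is already in the tree or queued alongside.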
diff --git a/patches.suse/ext4-regenerate-buddy-after-block-freeing-failed-if-.patch b/patches.suse/ext4-regenerate-buddy-after-block-freeing-failed-if-.patch
new file mode 100644
index 0000000..7b463cd
--- /dev/null
+++ b/patches.suse/ext4-regenerate-buddy-after-block-freeing-failed-if-.patch
@@ -0,0 +1,63 @@
+From c9b528c35795b711331ed36dc3dbee90d5812d4e Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Thu, 4 Jan 2024 22:20:35 +0800
+Subject: [PATCH] ext4: regenerate buddy after block freeing failed if under fc
+ replay
+Git-commit: c9b528c35795b711331ed36dc3dbee90d5812d4e
+Patch-mainline: v6.8-rc3
+References: bsc#1220342 CVE-2024-26601
+
+This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant
+mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on
+code in mb_free_blocks(), fast commit replay can end up marking as free
+blocks that are already marked as such. This causes corruption of the
+buddy bitmap so we need to regenerate it in that case.
+
+Reported-by: Jan Kara
+Fixes: 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()")
+Signed-off-by: Baokun Li
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20240104142040.2835097-4-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o
+Acked-by: Jan Kara
+
+---
+ fs/ext4/mballoc.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1157,6 +1157,24 @@ void ext4_mb_generate_buddy(struct super
+ mb_update_avg_fragment_size(sb, grp);
+ }
+
++static void mb_regenerate_buddy(struct ext4_buddy *e4b)
++{
++ int count;
++ int order = 1;
++ void *buddy;
++
++ while ((buddy = mb_find_buddy(e4b, order++, &count)))
++ ext4_set_bits(buddy, 0, count);
++
++ e4b->bd_info->bb_fragments = 0;
++ memset(e4b->bd_info->bb_counters, 0,
++ sizeof(*e4b->bd_info->bb_counters) *
++ (e4b->bd_sb->s_blocksize_bits + 2));
++
++ ext4_mb_generate_buddy(e4b->bd_sb, e4b->bd_buddy,
++ e4b->bd_bitmap, e4b->bd_group);
++}
++
+ /* The buddy information is attached the buddy cache inode
+ * for convenience. The information regarding each group
+ * is loaded via ext4_mb_load_buddy.
The information involve
+@@ -1824,6 +1842,8 @@ static void mb_free_blocks(struct inode
+ ext4_mark_group_bitmap_corrupted(
+ sb, e4b->bd_group,
+ EXT4_GROUP_INFO_BBITMAP_CORRUPT);
++ } else {
++ mb_regenerate_buddy(e4b);
+ }
+ goto done;
+ }
diff --git a/patches.suse/fs-aio-Check-IOCB_AIO_RW-before-the-struct-aio_kiocb.patch b/patches.suse/fs-aio-Check-IOCB_AIO_RW-before-the-struct-aio_kiocb.patch
new file mode 100644
index 0000000..cf74032
--- /dev/null
+++ b/patches.suse/fs-aio-Check-IOCB_AIO_RW-before-the-struct-aio_kiocb.patch
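Review bot: The `} else {` that now calls mb_regenerate_buddy() hangs off an `if` whose condition sits above the second hunk, so the hunk alone does not show that this is the fast-commit-replay branch the description promises and that a genuinely corrupted bitmap outside replay still only gets `ext4_mark_group_bitmap_corrupted()`; please confirm the condition is the EXT4_FC_REPLAY mount-state test, because routing real corruption into a buddy rebuild would silently regenerate from bad data instead of flagging it. In the first hunk, `ext4_mb_generate_buddy(e4b->bd_sb, e4b->bd_buddy, e4b->bd_bitmap, e4b->bd_group)` passes four arguments where, if I remember right, the mainline version of this commit also passes `e4b->bd_info`; the hunk header shows `void ext4_mb_generate_buddy(struct super` but not its parameter list, so a `[backport: ext4_mb_generate_buddy() takes no grp argument in this tree]` note in the patch header would document the deviation for the next rebase. mb_regenerate_buddy() is complete within the hunk; mb_free_blocks() is not.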
@@ -0,0 +1,69 @@
+From 961ebd120565cb60cebe21cb634fbc456022db4a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 4 Mar 2024 15:57:15 -0800
+Subject: [PATCH] fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb
+ conversion
+Git-commit: 961ebd120565cb60cebe21cb634fbc456022db4a
+Patch-mainline: v6.8
+References: bsc#1222721 CVE-2024-26764
+
+The first kiocb_set_cancel_fn() argument may point at a struct kiocb
+that is not embedded inside struct aio_kiocb. With the current code,
+depending on the compiler, the req->ki_ctx read happens either before
+the IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such
+that it is guaranteed that the IOCB_AIO_RW test happens first.
+
+Reported-by: Eric Biggers
+Cc: Benjamin LaHaise
+Cc: Eric Biggers
+Cc: Christoph Hellwig
+Cc: Avi Kivity
+Cc: Sandeep Dhavale
+Cc: Jens Axboe
+Cc: Greg Kroah-Hartman
+Cc: Kent Overstreet
+Cc: stable@vger.kernel.org
+Fixes: b820de741ae4 ("fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio")
+Signed-off-by: Bart Van Assche
+Link: https://lore.kernel.org/r/20240304235715.3790858-1-bvanassche@acm.org
+Reviewed-by: Jens Axboe
+Reviewed-by: Eric Biggers
+Signed-off-by: Christian Brauner
+Acked-by: Jan Kara
+
+---
+ fs/aio.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/aio.c b/fs/aio.c
+index da18dbcfcb22..9cdaa2faa536 100644
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -589,8 +589,8 @@ static int aio_setup_ring(struct kioctx *ctx, unsigned int nr_events)
+
+ void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel)
+ {
+- struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);
+- struct kioctx *ctx = req->ki_ctx;
++ struct aio_kiocb *req;
++ struct kioctx *ctx;
+ unsigned long flags;
+
+ /*
+@@ -600,9 +600,13 @@ void kiocb_set_cancel_fn(struct kiocb *iocb, kiocb_cancel_fn *cancel)
+ if (!(iocb->ki_flags & IOCB_AIO_RW))
+ return;
+
++ req = container_of(iocb, struct aio_kiocb, rw);
++
+ if
(WARN_ON_ONCE(!list_empty(&req->ki_list)))
+ return;
+
++ ctx = req->ki_ctx;
++
+ spin_lock_irqsave(&ctx->ctx_lock, flags);
+ list_add_tail(&req->ki_list, &ctx->active_reqs);
+ req->ki_cancel = cancel;
+--
+2.35.3
+
diff --git a/patches.suse/fs-aio-Restrict-kiocb_set_cancel_fn-to-I-O-submitted.patch b/patches.suse/fs-aio-Restrict-kiocb_set_cancel_fn-to-I-O-submitted.patch
new file mode 100644
index 0000000..afd66f7
--- /dev/null
+++ b/patches.suse/fs-aio-Restrict-kiocb_set_cancel_fn-to-I-O-submitted.patch
@@ -0,0 +1,85 @@
+From b820de741ae48ccf50dd95e297889c286ff4f760 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Thu, 15 Feb 2024 12:47:38 -0800
+Subject: [PATCH] fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via
+ libaio
+Git-commit: b820de741ae48ccf50dd95e297889c286ff4f760
+Patch-mainline: v6.8-rc6
+References: bsc#1222721 CVE-2024-26764
+
+If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the
+following kernel warning appears:
+
+Warning: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8
+Call trace:
+ kiocb_set_cancel_fn+0x9c/0xa8
+ ffs_epfile_read_iter+0x144/0x1d0
+ io_read+0x19c/0x498
+ io_issue_sqe+0x118/0x27c
+ io_submit_sqes+0x25c/0x5fc
+ __arm64_sys_io_uring_enter+0x104/0xab0
+ invoke_syscall+0x58/0x11c
+ el0_svc_common+0xb4/0xf4
+ do_el0_svc+0x2c/0xb0
+ el0_svc+0x2c/0xa4
+ el0t_64_sync_handler+0x68/0xb4
+ el0t_64_sync+0x1a4/0x1a8
+
+Fix this by setting the IOCB_AIO_RW flag for read and write I/O that is
+submitted by libaio.
+
+Suggested-by: Jens Axboe
+Cc: Christoph Hellwig
+Cc: Avi Kivity
+Cc: Sandeep Dhavale
+Cc: Jens Axboe
+Cc: Greg Kroah-Hartman
+Cc: Kent Overstreet
+Cc: stable@vger.kernel.org
+Signed-off-by: Bart Van Assche
+Link: https://lore.kernel.org/r/20240215204739.2677806-2-bvanassche@acm.org
+Signed-off-by: Christian Brauner
+Acked-by: Jan Kara
+
+---
+ fs/aio.c | 9 ++++++++-
+ include/linux/fs.h | 3 +++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -568,6 +568,13 @@ void kiocb_set_cancel_fn(struct kiocb *i
+ struct kioctx *ctx = req->ki_ctx;
+ unsigned long flags;
+
++ /*
++ * kiocb didn't come from aio or is neither a read nor a write, hence
++ * ignore it.
++ */
++ if (!(iocb->ki_flags & IOCB_AIO_RW))
++ return;
++
+ if (WARN_ON_ONCE(!list_empty(&req->ki_list)))
+ return;
+
+@@ -1453,7 +1460,7 @@ static int aio_prep_rw(struct kiocb *req
+ req->ki_complete = aio_complete_rw;
+ req->private = NULL;
+ req->ki_pos = iocb->aio_offset;
+- req->ki_flags = iocb_flags(req->ki_filp);
++ req->ki_flags = iocb_flags(req->ki_filp) | IOCB_AIO_RW;
+ if (iocb->aio_flags & IOCB_FLAG_RESFD)
+ req->ki_flags |= IOCB_EVENTFD;
+ req->ki_hint = ki_hint_validate(file_write_hint(req->ki_filp));
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -324,6 +324,9 @@ enum rw_hint {
+ /* can use bio alloc cache */
+ #define IOCB_ALLOC_CACHE (1 << 21)
+
++/* kiocb is a read or write operation submitted by fs/aio.c. */
++#define IOCB_AIO_RW (1 << 23)
++
+ struct kiocb {
+ struct file *ki_filp;
+
diff --git a/patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch b/patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
index d0ff251..5bc6d18 100644
--- a/patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
+++ b/patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
@@ -3,7 +3,7 @@ Date: Wed, 24 Feb 2021 12:07:48 +0000
 Subject: i40e: Fix NULL ptr dereference on VSI filter sync
 Patch-mainline: v5.16-rc2
 Git-commit: 37d9e304acd903a445df8208b8a13d707902dea6
-References: jsc#SLE-18378
+References: jsc#SLE-18378 CVE-2021-47184 bsc#1222666
 Remove the reason of null pointer dereference in sync VSI filters. Added new I40E_VSI_RELEASING flag to signalize deleting and releasing
diff --git a/patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch b/patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
index 2dbd2d3..0d85e02 100644
--- a/patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
+++ b/patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
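Review bot: `#define IOCB_AIO_RW (1 << 23)` is dropped into a tree whose visible flag list ends at `IOCB_ALLOC_CACHE (1 << 21)`, so bit 22 and bit 23 are unaccounted for here; confirm that no other IOCB_* flag in this tree's fs.h, including any previously backported one, already occupies bit 23, because a collision would make the `iocb->ki_flags & IOCB_AIO_RW` test in kiocb_set_cancel_fn() accept foreign kiocbs and reopen exactly the container_of() misuse this patch closes. As applied here the check still sits below `struct kioctx *ctx = req->ki_ctx;`, i.e. the invalid `req` derivation happens before the flag test; the companion patch in this commit moves it, so series.conf (not part of this chunk) must keep this patch ordered before it. The flag is set only in aio_prep_rw(), so kiocbs built by other aio paths will not carry it, which matches the description. Both kiocb_set_cancel_fn() and aio_prep_rw() extend outside their hunks.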
@@ -3,7 +3,7 @@ Date: Fri, 4 Jun 2021 09:48:54 -0700
 Subject: iavf: free q_vectors before queues in iavf_disable_vf
 Patch-mainline: v5.16-rc2
 Git-commit: 89f22f129696ab53cfbc608e0a2184d0fea46ac1
-References: jsc#SLE-18385
+References: jsc#SLE-18385 CVE-2021-47201 bsc#1222792
 iavf_free_queues() clears adapter->num_active_queues, which iavf_free_q_vectors() relies on, so swap the order of these two function
diff --git a/patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch b/patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch
index 48aa1a5..c2faf01 100644
--- a/patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch
+++ b/patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch
@@ -3,7 +3,7 @@ Date: Thu, 4 Nov 2021 18:22:38 +0000
 Patch-mainline: v5.16-rc2
 Subject: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
 Git-commit: daf972118c517b91f74ff1731417feb4270625a4
-References: git-fixes
+References: git-fixes CVE-2021-47217 bsc#1222836
 Check for a valid hv_vp_index array prior to derefencing hv_vp_index when setting Hyper-V's TSC change callback. If Hyper-V setup failed in
diff --git a/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch b/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch
index 41dd947..28477ee 100644
--- a/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch
+++ b/patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch
@@ -4,7 +4,7 @@ Date: Tue, 16 Nov 2021 18:17:12 +0300
 Subject: [PATCH 3/7] net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
 Git-commit: 9b5a333272a48c2f8b30add7a874e46e8b26129c
 Patch-mainline: v5.16-rc2
-References: git-fixes
+References: git-fixes CVE-2021-47204 bsc#1222787
 Access to netdev after free_netdev() will cause use-after-free bug. Move debug log before free_netdev() call to avoid it.
diff --git a/patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch b/patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
index 5837ed6..dd0236d 100644
--- a/patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
+++ b/patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
@@ -3,7 +3,7 @@ Date: Wed, 27 Oct 2021 15:16:14 +0300
 Subject: net/mlx5: Update error handler for UCTX and UMEM
 Patch-mainline: v5.16-rc2
 Git-commit: ba50cd9451f6c49cf0841c0a4a146ff6a2822699
-References: jsc#SLE-19253
+References: jsc#SLE-19253 CVE-2021-47212 bsc#1222709
 In the fast unload flow, the device state is set to internal error, which indicates that the driver started the destroy process.
diff --git a/patches.suse/net-mlx5e-CT-Fix-multiple-allocations-and-memleak-of.patch b/patches.suse/net-mlx5e-CT-Fix-multiple-allocations-and-memleak-of.patch
index 82c19bc..01eb672 100644
--- a/patches.suse/net-mlx5e-CT-Fix-multiple-allocations-and-memleak-of.patch
+++ b/patches.suse/net-mlx5e-CT-Fix-multiple-allocations-and-memleak-of.patch
@@ -3,7 +3,7 @@ Date: Mon, 8 Nov 2021 16:41:05 +0200
 Subject: net/mlx5e: CT, Fix multiple allocations and memleak of mod acts
 Patch-mainline: v5.16-rc2
 Git-commit: 806401c20a0f9c51b6c8fd7035671e6ca841f6c2
-References: jsc#SLE-19253
+References: jsc#SLE-19253 CVE-2021-47199 bsc#1222785
 CT clear action offload adds additional mod hdr actions to the flow's original mod actions in order to clear the registers which
diff --git a/patches.suse/net-mlx5e-kTLS-Fix-crash-in-RX-resync-flow.patch b/patches.suse/net-mlx5e-kTLS-Fix-crash-in-RX-resync-flow.patch
index 731f959..6273c2e 100644
--- a/patches.suse/net-mlx5e-kTLS-Fix-crash-in-RX-resync-flow.patch
+++ b/patches.suse/net-mlx5e-kTLS-Fix-crash-in-RX-resync-flow.patch
@@ -3,7 +3,7 @@ Date: Wed, 15 Sep 2021 13:25:31 +0300
 Subject: net/mlx5e: kTLS, Fix crash in RX resync flow
 Patch-mainline: v5.16-rc2
 Git-commit: cc4a9cc03faa6d8db1a6954bb536f2c1e63bdff6
-References: jsc#SLE-19253
+References: jsc#SLE-19253 CVE-2021-47215 bsc#1222704
 For the TLS RX resync flow, we maintain a list of TLS contexts that require some attention, to communicate their resync information
diff --git a/patches.suse/net-mlx5e-nullify-cq-dbg-pointer-in-mlx5_debug_cq_re.patch b/patches.suse/net-mlx5e-nullify-cq-dbg-pointer-in-mlx5_debug_cq_re.patch
index a579991..8516d66 100644
--- a/patches.suse/net-mlx5e-nullify-cq-dbg-pointer-in-mlx5_debug_cq_re.patch
+++ b/patches.suse/net-mlx5e-nullify-cq-dbg-pointer-in-mlx5_debug_cq_re.patch
@@ -3,7 +3,7 @@ Date: Tue, 26 Oct 2021 11:42:41 +0300
 Subject: net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove()
 Patch-mainline: v5.16-rc2
 Git-commit: 76ded29d3fcda4928da8849ffc446ea46871c1c2
-References: jsc#SLE-19253
+References: jsc#SLE-19253 CVE-2021-47197 bsc#1222776
 Prior to this patch in case mlx5_core_destroy_cq() failed it proceeds to rest of destroy operations. mlx5_core_destroy_cq() could be called again
diff --git a/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch b/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
index 190adbe..172d465 100644
--- a/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
+++ b/patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
@@ -3,7 +3,7 @@ Date: Thu, 15 Feb 2024 06:33:46 -0800
 Subject: net/sched: act_mirred: don't override retval if we already lost the skb
 Patch-mainline: v6.8-rc6
 Git-commit: 166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210
-References: CVE-2024-26733 bsc#1222585
+References: CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559
 If we're redirecting the skb, and haven't called tcf_mirred_forward(), yet, we need to tell the core to drop the skb by setting the retcode
diff --git a/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch b/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
index 5a0d9aa..6d80050 100644
--- a/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
+++ b/patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
@@ -5,7 +5,7 @@ Subject: [PATCH] ocfs2: Avoid touching renamed directory if parent does not
 change
 Git-commit: 9d618d19b29c2943527e3a43da0a35aea91062fc
 Patch-mainline: v6.8-rc1
-References: bsc#1221044 CVE-2023-52591
+References: bsc#1221044 bsc#1221088 CVE-2023-52591 CVE-2023-52590
 The VFS will not be locking moved directory if its parent does not change. Change ocfs2 rename code to avoid touching renamed directory if
diff --git a/patches.suse/sched-fair-Prevent-dead-task-groups-from-regaining-cfs_rq-s.patch b/patches.suse/sched-fair-Prevent-dead-task-groups-from-regaining-cfs_rq-s.patch
index e703dda..51f9894 100644
--- a/patches.suse/sched-fair-Prevent-dead-task-groups-from-regaining-cfs_rq-s.patch
+++ b/patches.suse/sched-fair-Prevent-dead-task-groups-from-regaining-cfs_rq-s.patch
@@ -6,7 +6,7 @@ Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Git-commit: b027789e5e50494c2325cc70c8642e7fd6059479
 Patch-mainline: v5.16-rc1
-References: bsc#1192837
+References: bsc#1192837 CVE-2021-47209 bsc#1222796
 Kevin is reporting crashes which point to a use-after-free of a cfs_rq in update_blocked_averages(). Initial debugging revealed that we've
diff --git a/patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch b/patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
index 2ab65ae..d32bc6d 100644
--- a/patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
+++ b/patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
@@ -3,7 +3,7 @@ Date: Wed, 29 Sep 2021 20:25:37 +0800
 Subject: [PATCH] scsi: advansys: Fix kernel pointer leak
 Git-commit: d4996c6eac4c81b8872043e9391563f67f13e406
 Patch-mainline: v5.16-rc1
-References: jsc#PED-1559
+References: jsc#PED-1559 git-fixes CVE-2021-47216 bsc#1222876
 Pointers should be printed with %p or %px rather than cast to 'unsigned long' and printed with %lx.
diff --git a/patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs b/patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs
index 7d4eb17..494231b 100644
--- a/patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs
+++ b/patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs
@@ -3,7 +3,7 @@ Date: Fri, 5 Nov 2021 17:10:48 -0500
 Subject: scsi: core: sysfs: Fix hang when device state is set via sysfs
 Git-commit: 4edd8cd4e86dd3047e5294bbefcc0a08f66a430f
 Patch-mainline: v5.16-rc2
-References: git-fixes
+References: git-fixes CVE-2021-47192 bsc#1222867
 This fixes a regression added with:
diff --git a/patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch b/patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
index 6491bf9..fcc5cf7 100644
--- a/patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
+++ b/patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
@@ -3,7 +3,7 @@ Date: Fri, 10 Sep 2021 16:31:46 -0700
 Subject: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
 Patch-mainline: v5.16-rc1
 Git-commit: 99154581b05c8fb22607afb7c3d66c1bace6aa5d
-References: bsc#1190576
+References: bsc#1190576 CVE-2021-47203 bsc#1222881
 When parsing the txq list in lpfc_drain_txq(), the driver attempts to pass the requests to the adapter. If such an attempt fails, a local "fail_msg"
diff --git a/patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch b/patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
index d4bfa1e..23745eb 100644
--- a/patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
+++ b/patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
@@ -3,7 +3,7 @@ Date: Wed, 20 Oct 2021 14:14:13 -0700
 Subject: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
 Patch-mainline: v5.16-rc1
 Git-commit: 79b20beccea3a3938a8500acef4e6b9d7c66142f
-References: bsc#1192145
+References: bsc#1192145 CVE-2021-47198 bsc#1222883
 An error is detected with the following report when unloading the driver: "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"
diff --git a/patches.suse/scsi-pm80xx-Fix-memory-leak-during-rmmod.patch b/patches.suse/scsi-pm80xx-Fix-memory-leak-during-rmmod.patch
index 11fed25..366b12a 100644
--- a/patches.suse/scsi-pm80xx-Fix-memory-leak-during-rmmod.patch
+++ b/patches.suse/scsi-pm80xx-Fix-memory-leak-during-rmmod.patch
@@ -3,7 +3,7 @@ Date: Mon, 6 Sep 2021 22:34:04 +0530
 Subject: scsi: pm80xx: Fix memory leak during rmmod
 Git-commit: 51e6ed83bb4ade7c360551fa4ae55c4eacea354b
 Patch-mainline: v5.16-rc1
-References: jsc#PED-1559
+References: CVE-2021-47193 bsc#1222879 jsc#PED-1559
 Driver failed to release all memory allocated. This would lead to memory leak during driver removal.
diff --git a/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch b/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch
index bac98c7..1770200 100644
--- a/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch
+++ b/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch
@@ -3,7 +3,7 @@ Date: Wed, 13 Oct 2021 11:39:12 +0800
 Subject: [PATCH] scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
 Git-commit: 4e3ace0051e7e504b55d239daab8789dd89b863c
 Patch-mainline: v5.16-rc1
-References: jsc#PED-1559
+References: jsc#PED-1559 CVE-2021-47191 bsc#1222866
 The following warning was observed running syzkaller:
diff --git a/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_report_tgtpgs.patch b/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_report_tgtpgs.patch
index 2d6dbb5..97f21c3 100644
--- a/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_report_tgtpgs.patch
+++ b/patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_report_tgtpgs.patch
@@ -4,7 +4,7 @@ Subject: [PATCH] scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
 Git-commit: f347c26836c270199de1599c3cd466bb7747caa9
 Patch-mainline: v5.16-rc1
-References: jsc#PED-1559
+References: jsc#PED-1559 CVE-2021-47219 bsc#1222824
 The following issue was observed running syzkaller:
diff --git a/patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling b/patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling
index 80954fa..63a0872 100644
--- a/patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling
+++ b/patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling
@@ -3,7 +3,7 @@ Date: Thu, 4 Nov 2021 11:10:53 -0700
 Subject: scsi: ufs: core: Improve SCSI abort handling
 Git-commit: 3ff1f6b6ba6f97f50862aa50e79959cc8ddc2566
 Patch-mainline: v5.16-rc2
-References: git-fixes
+References: git-fixes CVE-2021-47188 bsc#1222671
 The following has been observed on a test setup:
diff --git a/patches.suse/selinux-fix-NULL-pointer-dereference-when-hashtab-al.patch b/patches.suse/selinux-fix-NULL-pointer-dereference-when-hashtab-al.patch
index 0a94b54..2adb254 100644
--- a/patches.suse/selinux-fix-NULL-pointer-dereference-when-hashtab-al.patch
+++ b/patches.suse/selinux-fix-NULL-pointer-dereference-when-hashtab-al.patch
@@ -4,7 +4,7 @@ Date: Fri, 19 Nov 2021 14:45:20 +0100 Subject: [PATCH] selinux: fix NULL-pointer dereference when hashtab allocation fails Git-commit: dc27f3c5d10c58069672215787a96b4fae01818b Patch-mainline: v5.16-rc3 -References: git-fixes +References: git-fixes CVE-2021-47218 bsc#1222791 When the hash table slot array allocation fails in hashtab_init(), h->size is left initialized with a non-zero value, but the h->htable diff --git a/patches.suse/spi-fix-use-after-free-of-the-add_lock-mutex.patch b/patches.suse/spi-fix-use-after-free-of-the-add_lock-mutex.patch index ade5536..359c18b 100644 --- a/patches.suse/spi-fix-use-after-free-of-the-add_lock-mutex.patch +++ b/patches.suse/spi-fix-use-after-free-of-the-add_lock-mutex.patch @@ -7,7 +7,7 @@ Content-type: text/plain; charset=UTF-8 Content-transfer-encoding: 8bit Git-commit: 6c53b45c71b4920b5e62f0ea8079a1da382b9434 Patch-mainline: v5.16-rc2 -References: git-fixes +References: git-fixes CVE-2021-47195 bsc#1222832 Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") introduced a per-controller mutex. But mutex_unlock() of diff --git a/patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch b/patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch index 5bdc51a..90c3be6 100644 --- a/patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch +++ b/patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch @@ -4,7 +4,7 @@ Date: Thu, 4 Nov 2021 16:57:07 -0700 Subject: [PATCH] thermal: Fix NULL pointer dereferences in of_thermal_ functions Git-commit: 96cfe05051fd8543cdedd6807ec59a0e6c409195 Patch-mainline: v5.16-rc1 -References: stable-5.14.21 +References: stable-5.14.21 CVE-2021-47202 bsc#1222878 commit 96cfe05051fd8543cdedd6807ec59a0e6c409195 upstream. 
diff --git a/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch b/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch index 51f856b..3663d84 100644 --- a/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch +++ b/patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch @@ -4,7 +4,7 @@ Date: Mon, 11 Oct 2021 22:08:24 +0800 Subject: [PATCH] tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc Git-commit: 3968ddcf05fb4b9409cd1859feb06a5b0550a1c1 Patch-mainline: v5.16-rc1 -References: git-fixes CVE-2021-47185 +References: git-fixes CVE-2021-47185 bsc#1222669 When running ltp testcase(ltp/testcases/kernel/pty/pty04.c) with arm64, there is a soft lockup, which look like this one: diff --git a/patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch b/patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch index 3920fb1..4e3b05b 100644 --- a/patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch +++ b/patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch @@ -4,7 +4,7 @@ Date: Mon, 11 Oct 2021 21:49:20 +0800 Subject: [PATCH] usb: host: ohci-tmio: check return value after calling platform_get_resource() Git-commit: 9eff2b2e59fda25051ab36cd1cb5014661df657b Patch-mainline: v5.16-rc1 -References: git-fixes +References: git-fixes CVE-2021-47206 bsc#1222894 It will cause null-ptr-deref if platform_get_resource() returns NULL, we need check the return value. diff --git a/patches.suse/usb-typec-tipd-Remove-WARN_ON-in-tps6598x_block_read.patch b/patches.suse/usb-typec-tipd-Remove-WARN_ON-in-tps6598x_block_read.patch index ff2372b..193a442 100644 --- a/patches.suse/usb-typec-tipd-Remove-WARN_ON-in-tps6598x_block_read.patch +++ b/patches.suse/usb-typec-tipd-Remove-WARN_ON-in-tps6598x_block_read.patch 
@@ -4,7 +4,7 @@ Date: Tue, 14 Sep 2021 16:02:35 +0200 Subject: [PATCH] usb: typec: tipd: Remove WARN_ON in tps6598x_block_read Git-commit: b7a0a63f3fed57d413bb857de164ea9c3984bc4e Patch-mainline: v5.16-rc1 -References: git-fixes +References: git-fixes CVE-2021-47210 bsc#1222901 Calling tps6598x_block_read with a higher than allowed len can be handled by just returning an error. There's no need to crash systems diff --git a/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch b/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch new file mode 100644 index 0000000..989f582 --- /dev/null +++ b/patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch 
@@ -0,0 +1,44 @@
+From cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Thu, 11 Jan 2024 15:07:25 +0200
+Subject: [PATCH] wifi: iwlwifi: fix a memory corruption
+Git-commit: cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d
+Patch-mainline: v6.8-rc2
+References: CVE-2024-26610 bsc#1221299
+
+iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that
+if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in
+bytes, we'll write past the buffer.
+
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218233
+Fixes: cf29c5b66b9f ("iwlwifi: dbg_ini: implement time point handling")
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Miri Korenblit
+Link: https://msgid.link/20240111150610.2d2b8b870194.I14ed76505a5cf87304e0c9cc05cc0ae85ed3bf91@changeid
+Signed-off-by: Johannes Berg
+Acked-by: Takashi Iwai
+
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+ /*
+- * Copyright (C) 2018-2022 Intel Corporation
++ * Copyright (C) 2018-2024 Intel Corporation
+ */
+ #include
+ #include "iwl-drv.h"
+@@ -1082,7 +1082,7 @@ static int iwl_dbg_tlv_override_trig_nod
+ node_trig = (void *)node_tlv->data;
+ }
+
+- memcpy(node_trig->data + offset, trig->data, trig_data_len);
++ memcpy((u8 *)node_trig->data + offset, trig->data, trig_data_len);
+ node_tlv->length = cpu_to_le32(size);
+
+ if (policy & IWL_FW_INI_APPLY_POLICY_OVERRIDE_CFG) {
diff --git a/patches.suse/xen-events-close-evtchn-after-mapping-cleanup.patch b/patches.suse/xen-events-close-evtchn-after-mapping-cleanup.patch
new file mode 100644
index 0000000..60b752b
--- /dev/null
+++ b/patches.suse/xen-events-close-evtchn-after-mapping-cleanup.patch
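Review bot: The `(u8 *)` cast on the memcpy destination fixes the 4x scaling of `offset`, but the line now silently depends on `offset + trig_data_len` having been bounded against `size` earlier in iwl_dbg_tlv_override_trig_node(), and that function starts outside the hunk, so the reader of the backport cannot see the bound. I would put a one-line comment above the memcpy so the next person does not "simplify" the cast away: `/* data is __le32 *, offset is in bytes: cast before adding or the write lands 4x past the intended position */`. The `Acked-by`, `References` and `Patch-mainline` headers are consistent with the other SUSE patch headers in this commit.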
@@ -0,0 +1,159 @@
+Patch-mainline: v6.8-rc5
+Git-commit: fa765c4b4aed2d64266b694520ecb025c862c5a9
+References: CVE-2024-26687, bsc#1222435
+From: Maximilian Heyne
+Date: Wed, 24 Jan 2024 16:31:28 +0000
+Subject: [PATCH] xen/events: close evtchn after mapping cleanup
+
+shutdown_pirq and startup_pirq are not taking the
+irq_mapping_update_lock because they can't due to lock inversion. Both
+are called with the irq_desc->lock being taking. The lock order,
+however, is first irq_mapping_update_lock and then irq_desc->lock.
+
+This opens multiple races:
+- shutdown_pirq can be interrupted by a function that allocates an event
+ channel:
+
+ CPU0 CPU1
+ shutdown_pirq {
+ xen_evtchn_close(e)
+ __startup_pirq {
+ EVTCHNOP_bind_pirq
+ -> returns just freed evtchn e
+ set_evtchn_to_irq(e, irq)
+ }
+ xen_irq_info_cleanup() {
+ set_evtchn_to_irq(e, -1)
+ }
+ }
+
+ Assume here event channel e refers here to the same event channel
+ number.
+ After this race the evtchn_to_irq mapping for e is invalid (-1).
+
+- __startup_pirq races with __unbind_from_irq in a similar way. Because
+ __startup_pirq doesn't take irq_mapping_update_lock it can grab the
+ evtchn that __unbind_from_irq is currently freeing and cleaning up. In
+ this case even though the event channel is allocated, its mapping can
+ be unset in evtchn_to_irq.
+
+The fix is to first cleanup the mappings and then close the event
+channel. In this way, when an event channel gets allocated it's
+potential previous evtchn_to_irq mappings are guaranteed to be unset already.
+This is also the reverse order of the allocation where first the event
+channel is allocated and then the mappings are setup.
+
+On a 5.10 kernel prior to commit 3fcdaf3d7634 ("xen/events: modify internal
+[un]bind interfaces"), we hit a BUG like the following during probing of NVMe
+devices. The issue is that during nvme_setup_io_queues, pci_free_irq
+is called for every device which results in a call to shutdown_pirq.
+With many nvme devices it's therefore likely to hit this race during
+boot because there will be multiple calls to shutdown_pirq and
+startup_pirq are running potentially in parallel.
+
+ ------------[ cut here ]------------
+ blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled
+ kernel BUG at drivers/xen/events/events_base.c:499!
+ invalid opcode: 0000 [#1] SMP PTI
+ CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1
+ Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006
+ Workqueue: nvme-reset-wq nvme_reset_work
+ RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0
+ Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00
+ RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006
+ RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff
+ RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00
+ R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed
+ R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002
+ FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ ? show_trace_log_lvl+0x1c1/0x2d9
+ ? show_trace_log_lvl+0x1c1/0x2d9
+ ? set_affinity_irq+0xdc/0x1c0
+ ? __die_body.cold+0x8/0xd
+ ? die+0x2b/0x50
+ ? do_trap+0x90/0x110
+ ? bind_evtchn_to_cpu+0xdf/0xf0
+ ? do_error_trap+0x65/0x80
+ ? bind_evtchn_to_cpu+0xdf/0xf0
+ ? exc_invalid_op+0x4e/0x70
+ ? bind_evtchn_to_cpu+0xdf/0xf0
+ ? asm_exc_invalid_op+0x12/0x20
+ ? bind_evtchn_to_cpu+0xdf/0xf0
+ ? bind_evtchn_to_cpu+0xc5/0xf0
+ set_affinity_irq+0xdc/0x1c0
+ irq_do_set_affinity+0x1d7/0x1f0
+ irq_setup_affinity+0xd6/0x1a0
+ irq_startup+0x8a/0xf0
+ __setup_irq+0x639/0x6d0
+ ? nvme_suspend+0x150/0x150
+ request_threaded_irq+0x10c/0x180
+ ? nvme_suspend+0x150/0x150
+ pci_request_irq+0xa8/0xf0
+ ? __blk_mq_free_request+0x74/0xa0
+ queue_request_irq+0x6f/0x80
+ nvme_create_queue+0x1af/0x200
+ nvme_create_io_queues+0xbd/0xf0
+ nvme_setup_io_queues+0x246/0x320
+ ? nvme_irq_check+0x30/0x30
+ nvme_reset_work+0x1c8/0x400
+ process_one_work+0x1b0/0x350
+ worker_thread+0x49/0x310
+ ? process_one_work+0x350/0x350
+ kthread+0x11b/0x140
+ ? __kthread_bind_mask+0x60/0x60
+ ret_from_fork+0x22/0x30
+ Modules linked in:
+ ---[ end trace a11715de1eee1873 ]---
+
+Fixes: d46a78b05c0e ("xen: implement pirq type event channels")
+Cc: stable@vger.kernel.org
+Co-debugged-by: Andrew Panyakin
+Signed-off-by: Maximilian Heyne
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20240124163130.31324-1-mheyne@amazon.de
+Signed-off-by: Juergen Gross
+---
+ drivers/xen/events/events_base.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index b8cfea7812d6..3b9f080109d7 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -935,8 +935,8 @@ static void shutdown_pirq(struct irq_data *data)
+ return;
+
+ do_mask(info, EVT_MASK_REASON_EXPLICIT);
+- xen_evtchn_close(evtchn);
+ xen_irq_info_cleanup(info);
++ xen_evtchn_close(evtchn);
+ }
+
+ static void enable_pirq(struct irq_data *data)
+@@ -980,8 +980,6 @@ static void __unbind_from_irq(unsigned int irq)
+ unsigned int cpu = cpu_from_irq(irq);
+ struct xenbus_device *dev;
+
+- xen_evtchn_close(evtchn);
+-
+ switch (type_from_irq(irq)) {
+ case IRQT_VIRQ:
+ per_cpu(virq_to_irq, cpu)[virq_from_irq(irq)] = -1;
+@@ -999,6 +996,8 @@ static void __unbind_from_irq(unsigned int irq)
+ }
+
+ xen_irq_info_cleanup(info);
++
++ xen_evtchn_close(evtchn);
+ }
+
+ xen_free_irq(irq);
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index dd7a2be..3aa90dc 100644
--- a/series.conf
+++ b/series.conf
@@ -45591,6 +45591,7 @@
 patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
 patches.suse/ipv6-init-the-accept_queue-s-spinlocks-in-inet6_crea.patch
 patches.suse/wifi-cfg80211-fix-missing-interfaces-when-dumping.patch
+ patches.suse/wifi-iwlwifi-fix-a-memory-corruption.patch
 patches.suse/wifi-mac80211-fix-race-condition-on-enabling-fast-xm.patch
 patches.suse/msft-hv-2938-hv_netvsc-Calculate-correct-ring-size-when-PAGE_SIZE.patch
 patches.suse/fjes-fix-memleaks-in-fjes_hw_setup.patch
@@ -45684,6 +45685,8 @@
 patches.suse/serial-max310x-fail-probe-if-clock-crystal-is-unstab.patch
 patches.suse/misc-fastrpc-Mark-all-sessions-as-invalid-in-cb_remo.patch
 patches.suse/ext4-fix-double-free-of-blocks-due-to-wrong-extents-.patch
+ patches.suse/ext4-regenerate-buddy-after-block-freeing-failed-if-.patch
+ patches.suse/ext4-avoid-allocating-blocks-from-corrupted-group-in.patch
 patches.suse/btrfs-do-not-ASSERT-if-the-newly-created-subvolume-a.patch
 patches.suse/nfsd-don-t-take-fi_lock-in-nfsd_break_deleg_cb.patch
 patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch
@@ -45735,6 +45738,7 @@
 patches.suse/spi-mxs-Fix-chipselect-glitch.patch
 patches.suse/xen-xenbus-document-will_handle-argument-for-xenbus_.patch
 patches.suse/x86-xen-Add-some-null-pointer-checking-to-smp.c.patch
+ patches.suse/xen-events-close-evtchn-after-mapping-cleanup.patch
 patches.suse/net-openvswitch-limit-the-number-of-recursions-from-.patch
 patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch
 patches.suse/net-stmmac-xgmac-use-define-for-string-constants.patch
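Review bot: The new ordering in shutdown_pirq() and __unbind_from_irq() — xen_irq_info_cleanup(info) before xen_evtchn_close(evtchn) — is the whole fix, yet neither call site says why, so a later tidy-up could swap the two calls back without anything failing at review time. I would put `/* Tear down the evtchn_to_irq mapping before closing the port: a concurrent bind could otherwise get this port back and then see its fresh mapping wiped. */` above each moved xen_evtchn_close() call. Both calls pass the local `evtchn` rather than re-reading it from info after cleanup, which looks intentional; the locals are captured outside the hunk, so that should be confirmed in the backported tree. Separately, the patch header `References: CVE-2024-26687, bsc#1222435` is the only References line in this commit written with a comma; the others are space-separated, so the tag tooling may want `References: CVE-2024-26687 bsc#1222435`.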
@@ -45799,6 +45803,7 @@
 patches.suse/selftests-bpf-Test-racing-between-bpf_timer_cancel_a.patch
 patches.suse/cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
 patches.suse/afs-Increase-buffer-size-in-afs_update_volume_status.patch
+ patches.suse/fs-aio-Restrict-kiocb_set_cancel_fn-to-I-O-submitted.patch
 patches.suse/platform-x86-think-lmi-Fix-password-opcode-ordering-.patch
 patches.suse/platform-x86-touchscreen_dmi-Allow-partial-prefix-ma.patch
 patches.suse/platform-x86-thinkpad_acpi-Only-update-profile-if-su.patch
@@ -45874,6 +45879,7 @@
 patches.suse/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
 patches.suse/dmaengine-ptdma-use-consistent-DMA-masks.patch
 patches.suse/msft-hv-2944-Drivers-hv-vmbus-Calculate-ring-buffer-size-for-more.patch
+ patches.suse/fs-aio-Check-IOCB_AIO_RW-before-the-struct-aio_kiocb.patch
 patches.suse/net-lan78xx-fix-runtime-PM-count-underflow-on-link-s.patch
 patches.suse/netfilter-nf_tables-disallow-anonymous-set-with-time.patch
 patches.suse/drm-i915-Check-before-removing-mm-notifier.patch