From 534a213d6afb840cdac17b91afb9023c404e701e Mon Sep 17 00:00:00 2001 From: Frederic Weisbecker Date: Apr 20 2023 19:44:19 +0000 Subject: Merge 'SLE15-SP5-GA' (965023dd05b) into 'SLE15-SP5-RT' - No -rt specific changes this merge. --- diff --git a/patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch b/patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch index 6b070e0..06df775 100644 --- a/patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch +++ b/patches.suse/netdevsim-fib-Fix-reference-count-leak-on-route-dele.patch @@ -4,7 +4,7 @@ Date: Thu, 28 Jul 2022 14:45:33 +0300 Subject: [PATCH 06/16] netdevsim: fib: Fix reference count leak on route deletion failure Git-commit: 180a6a3ee60a7cb69ed1232388460644f6a21f00 -References: git-fixes +References: git-fixes bsc#1210454 CVE-2023-2019 Patch-mainline: v6.0-rc1 As part of FIB offload simulation, netdevsim stores IPv4 and IPv6 routes diff --git a/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch b/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch new file mode 100644 index 0000000..f93e2d3 --- /dev/null +++ b/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch 
@@ -0,0 +1,71 @@
+From 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Mon, 13 Mar 2023 00:08:37 +0800
+Subject: [PATCH] nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
+Git-commit: 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6
+Patch-mainline: v6.3-rc3
+References: git-fixes bsc#1210337 CVE-2023-1990
+
+This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
+Take st_nci_i2c_remove as an example.
+
+In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
+with llt_ndlc_sm_work.
+
+When it calls ndlc_recv or timeout handler, it will finally call
+schedule_work to start the work.
+
+When we call st_nci_i2c_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in ndlc_remove
+
+CPU0 CPU1
+
+ |llt_ndlc_sm_work
+st_nci_i2c_remove |
+ ndlc_remove |
+ st_nci_remove |
+ nci_free_device|
+ kfree(ndev) |
+//free ndlc->ndev |
+ |llt_ndlc_rcv_queue
+ |nci_recv_frame
+ |//use ndlc->ndev
+
+Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip")
+Signed-off-by: Zheng Wang
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Takashi Iwai
+Acked-by: Chester Lin
+---
+ drivers/nfc/st-nci/ndlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c
+index 755460a73c0d..d2aa9f766738 100644
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -282,13 +282,15 @@ EXPORT_SYMBOL(ndlc_probe);
+
+ void ndlc_remove(struct llt_ndlc *ndlc)
+ {
+- st_nci_remove(ndlc->ndev);
+-
+ /* cancel timers */
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
+ ndlc->t1_active = false;
++ /* cancel work */
++ cancel_work_sync(&ndlc->sm_work);
++
++ st_nci_remove(ndlc->ndev);
+
skb_queue_purge(&ndlc->rcv_q);
+ skb_queue_purge(&ndlc->send_q);
+--
+2.35.3
+
diff --git a/patches.suse/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch b/patches.suse/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch
new file mode 100644
index 0000000..19ac837
--- /dev/null
+++ b/patches.suse/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch
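Review bot: In the embedded ndlc_remove() change, cancel_work_sync(&ndlc->sm_work) only drains work that is already queued; nothing in the hunk stops sm_work from being queued again before st_nci_remove(ndlc->ndev) frees the device. The patch description itself says that both ndlc_recv and the timeout handler end in schedule_work, so the new ordering is only safe if the i2c/spi callers have already quiesced their interrupt source and if llt_ndlc_sm_work cannot re-arm t1_timer or t2_timer after the del_timer_sync calls; neither is visible here and both are worth confirming against the full driver. I would record that precondition at the new call, e.g. `/* cancel work; callers must have stopped ndlc_recv() so sm_work cannot be requeued */`. The body of ndlc_remove continues past the end of the hunk.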
@@ -0,0 +1,52 @@
+From 984534ac10f71d0b4c2541b2b1fa231d245d668d Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Tue, 24 Jan 2023 16:41:18 +0100
+Subject: [PATCH] ovl: fail on invalid uid/gid mapping at copy up
+Git-commit: 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
+Patch-mainline: v6.2-rc6
+References: CVE-2023-0386 bsc#1209615
+
+If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then
+copy-up should fail, just like it would fail if the mounter task was doing
+the copy using "cp -a".
+
+There's a corner case where the "cp -a" would succeed but copy up fail: if
+there's a mapping of the invalid uid/gid (65534 by default) in the user
+namespace. This is because stat(2) will return this value if the mapping
+doesn't exist in the current user_ns and "cp -a" will in turn be able to
+create a file with this uid/gid.
+
+This behavior would be inconsistent with POSIX ACL's, which return -1 for
+invalid uid/gid which result in a failed copy.
+
+For consistency and simplicity fail the copy of the st_uid/st_gid are
+invalid.
+
+Fixes: 459c7c565ac3 ("ovl: unprivieged mounts")
+Cc: # v5.11
+Signed-off-by: Miklos Szeredi
+Reviewed-by: Christian Brauner
+Reviewed-by: Seth Forshee
+Acked-by: David Disseldorp
+---
+ fs/overlayfs/copy_up.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 2846b943e80c1..95b2173ab9bca 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -886,6 +886,10 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
+ if (err)
+ return err;
+
++ if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) ||
++ !kgid_has_mapping(current_user_ns(), ctx.stat.gid))
++ return -EOVERFLOW;
++
+ ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
+
+ if (parent) {
+--
+2.40.0
+
diff --git a/patches.suse/udmabuf-add-back-sanity-check.patch b/patches.suse/udmabuf-add-back-sanity-check.patch
index 52121c3..95f7c62 100644
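Review bot: The new kuid_has_mapping()/kgid_has_mapping() guard in ovl_copy_up_one() is a security check (the References line ties it to CVE-2023-0386) but it lands without an in-code comment, so its purpose and the choice of -EOVERFLOW can only be recovered from the commit message. The description speaks of the mounter's user_ns while the code tests current_user_ns(); that presumably relies on the caller having switched to the mounter's credentials before this point, which is not visible in the hunk and should be confirmed. I would add a comment above the check such as `/* Lower owner must map into the mounter's user_ns (creds overridden by caller); otherwise refuse copy-up */`. ovl_copy_up_one() starts and ends outside the hunk.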
--- a/patches.suse/udmabuf-add-back-sanity-check.patch +++ b/patches.suse/udmabuf-add-back-sanity-check.patch @@ -4,7 +4,7 @@ Date: Mon, 20 Jun 2022 09:15:47 +0200 Subject: udmabuf: add back sanity check Git-commit: 05b252cccb2e5c3f56119d25de684b4f810ba40a Patch-mainline: v5.19-rc4 -References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 +References: jsc#PED-1166 jsc#PED-1168 jsc#PED-1170 jsc#PED-1218 jsc#PED-1220 jsc#PED-1222 jsc#PED-1223 jsc#PED-1225 bsc#1210453 CVE-2023-2008 Check vm_fault->pgoff before using it. When we removed the warning, we also removed the check. diff --git a/patches.suse/vmxnet3-use-gro-callback-when-UPT-is-enabled.patch b/patches.suse/vmxnet3-use-gro-callback-when-UPT-is-enabled.patch new file mode 100644 index 0000000..a9e8473 --- /dev/null +++ b/patches.suse/vmxnet3-use-gro-callback-when-UPT-is-enabled.patch 
@@ -0,0 +1,46 @@
+From: Ronak Doshi
+Date: Thu, 23 Mar 2023 13:07:21 -0700
+Subject: vmxnet3: use gro callback when UPT is enabled
+Patch-mainline: v6.3-rc5
+Git-commit: 3bced313b9a5a237c347e0f079c8c2fe4b3935aa
+References: bsc#1209739
+
+Currently, vmxnet3 uses GRO callback only if LRO is disabled. However,
+on smartNic based setups where UPT is supported, LRO can be enabled
+from guest VM but UPT devicve does not support LRO as of now. In such
+cases, there can be performance degradation as GRO is not being done.
+
+This patch fixes this issue by calling GRO API when UPT is enabled. We
+use updateRxProd to determine if UPT mode is active or not.
+
+To clarify few things discussed over the thread:
+The patch is not neglecting any feature bits nor disabling GRO. It uses
+GRO callback when UPT is active as LRO is not available in UPT.
+GRO callback cannot be used as default for all cases as it degrades
+performance for non-UPT cases or for cases when LRO is already done in
+ESXi.
+
+Cc: stable@vger.kernel.org
+Fixes: 6f91f4ba046e ("vmxnet3: add support for capability registers")
+Signed-off-by: Ronak Doshi
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230323200721.27622-1-doshir@vmware.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1688,7 +1688,9 @@ not_lro:
+ if (unlikely(rcd->ts))
+ __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), rcd->tci);
+
+- if (adapter->netdev->features & NETIF_F_LRO)
++ /* Use GRO callback if UPT is enabled */
++ if ((adapter->netdev->features & NETIF_F_LRO) &&
++ !rq->shared->updateRxProd)
+ netif_receive_skb(skb);
+ else
+ napi_gro_receive(&rq->napi, skb);
diff --git a/series.conf b/series.conf
index 30df216..d925516 100644
--- a/series.conf
+++ b/series.conf
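Review bot: The added comment `/* Use GRO callback if UPT is enabled */` sits directly above the condition that selects netif_receive_skb(), i.e. the non-GRO path, so it reads as the opposite of the branch it annotates. Wording it in terms of the condition would be clearer, e.g. `/* LRO path only when UPT is inactive (updateRxProd clear); otherwise fall through to GRO */`. updateRxProd is read through rq->shared on every received packet; if that structure is shared with the device, as the name suggests, a short note on who writes the field and when would help the next reader. The enclosing receive function starts and ends outside the hunk.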
@@ -36899,6 +36899,7 @@
 patches.suse/VMCI-Use-threaded-irqs-instead-of-tasklets.patch
 patches.suse/module-Don-t-wait-for-GOING-modules.patch
 patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch
+ patches.suse/ovl-fail-on-invalid-uid-gid-mapping-at-copy-up.patch
 patches.suse/tracing-Fix-poll-and-select-do-not-work-on-per_cpu-trace_pipe-and-trace_pipe_raw.patch
 patches.suse/rds-rds_rm_zerocopy_callback-use-list_first_entry.patch
 patches.suse/Fix-page-corruption-caused-by-racy-check-in-__free_pages.patch
@@ -36920,7 +36921,9 @@
 patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
 patches.suse/bnxt_en-Avoid-order-5-memory-allocation-for-TPA-data.patch
 patches.suse/ice-avoid-bonding-causing-auxiliary-plug-unplug-unde.patch
+ patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch
 patches.suse/s390-uaccess-add-missing-earlyclobber-annotations-to-__clear_user.patch
+ patches.suse/vmxnet3-use-gro-callback-when-UPT-is-enabled.patch
 ########################################################
 # end of sorted patches