From 7735efcfcae22cb1cb26f8f46dd5317db8f0daf9 Mon Sep 17 00:00:00 2001 From: Bogdan Lezhepekov Date: Feb 06 2023 10:18:13 +0000 Subject: Merge branch 'SLE15-SP2-RT' (5f575c34de0) into SLE15-SP2-EB-staging --- diff --git a/patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch b/patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch new file mode 100644 index 0000000..71f7075 --- /dev/null +++ b/patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch 
@@ -0,0 +1,72 @@ +From df02234e6b87d2a9a82acd3198e44bdeff8488c6 Mon Sep 17 00:00:00 2001 +From: Clement Lecigne +Date: Fri, 13 Jan 2023 13:07:45 +0100 +Subject: [PATCH] ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF +Git-commit: 56b88b50565cd8b946a2d00b0c83927b7ebb055e +Alt-commit: df02234e6b87d2a9a82acd3198e44bdeff8488c6 +Patch-mainline: v6.2-rc4 +References: CVE-2023-0266 bsc#1207134 + +[ Note: this is a fix that works around the bug equivalently as the + two upstream commits: + 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper") + 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") + but in a simpler way to fit with older stable trees -- tiwai ] + +Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be +easily triggered and turned into an use-after-free. + +Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: + +64-bits: +snd_ctl_ioctl + snd_ctl_elem_read_user + [takes controls_rwsem] + snd_ctl_elem_read [lock properly held, all good] + [drops controls_rwsem] + +32-bits (compat): +snd_ctl_ioctl_compat + snd_ctl_elem_write_read_compat + ctl_elem_write_read + snd_ctl_elem_read [missing lock, not good] + +CVE-2023-0266 was assigned for this issue. 
+ +Signed-off-by: Clement Lecigne +Cc: stable@kernel.org # 5.12 and older +Signed-off-by: Takashi Iwai +Reviewed-by: Jaroslav Kysela +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/control_compat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c +index 97467f6a32a1..980ab3580f1b 100644 +--- a/sound/core/control_compat.c ++++ b/sound/core/control_compat.c +@@ -304,7 +304,9 @@ static int ctl_elem_read_user(struct snd_card *card, + err = snd_power_wait(card, SNDRV_CTL_POWER_D0); + if (err < 0) + goto error; ++ down_read(&card->controls_rwsem); + err = snd_ctl_elem_read(card, data); ++ up_read(&card->controls_rwsem); + if (err < 0) + goto error; + err = copy_ctl_value_to_user(userdata, valuep, data, type, count); +@@ -332,7 +334,9 @@ static int ctl_elem_write_user(struct snd_ctl_file *file, + err = snd_power_wait(card, SNDRV_CTL_POWER_D0); + if (err < 0) + goto error; ++ down_write(&card->controls_rwsem); + err = snd_ctl_elem_write(card, file, data); ++ up_write(&card->controls_rwsem); + if (err < 0) + goto error; + err = copy_ctl_value_to_user(userdata, valuep, data, type, count); +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch b/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch new file mode 100644 index 0000000..57ee294 --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch 
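Review bot: Taking controls_rwsem in ctl_elem_read_user()/ctl_elem_write_user() covers the two compat entry points the description names, but unlike the mainline fix it leaves the lock outside snd_ctl_elem_read()/snd_ctl_elem_write(), so any other caller of those helpers in this tree that does not already hold the semaphore stays unprotected and nothing enforces the contract. I would add `lockdep_assert_held(&card->controls_rwsem);` as the first statement of snd_ctl_elem_read() and snd_ctl_elem_write() in sound/core/control.c (outside this hunk) so a missed caller shows up under lockdep rather than as the next use-after-free. A one-line comment above the new `down_read()`, e.g. `/* mirror the native snd_ctl_elem_read_user() path: snd_ctl_elem_read() must run under controls_rwsem */`, would also explain the pairing to the next backporter. Both patched functions start and end outside the hunk.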
@@ -0,0 +1,170 @@ +From 3aff8aaca4e36dc8b17eaa011684881a80238966 Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Wed, 5 Oct 2022 00:27:18 +0300 +Subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu +Git-commit: 3aff8aaca4e36dc8b17eaa011684881a80238966 +Patch-mainline: v6.1-rc4 +References: CVE-2022-3564 bsc#1206073 + +Fix the race condition between the following two flows that run in +Parallel: + +1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> + __sock_queue_rcv_skb. + +2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. + +An SKB can be queued by the first flow and immediately dequeued and +freed by the second flow, therefore the callers of l2cap_reassemble_sdu +can't use the SKB after that function returns. However, some places +continue accessing struct l2cap_ctrl that resides in the SKB's CB for a +short time after l2cap_reassemble_sdu returns, leading to a +use-after-free condition (the stack trace is below, line numbers for +kernel 5.19.8). + +Fix it by keeping a local copy of struct l2cap_ctrl. + +Bug: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth +Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169 + +Workqueue: hci0 hci_rx_work [bluetooth] +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) + ? 
l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth + ret_from_fork (arch/x86/entry/entry_64.S:306) + + +Allocated by task 43169: + kasan_save_stack (mm/kasan/common.c:39) + __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) + kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293) + __alloc_skb (net/core/skbuff.c:414) + l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth + l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth + hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth + process_one_work (kernel/workqueue.c:2289) + worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437) + kthread (kernel/kthread.c:376) + ret_from_fork (arch/x86/entry/entry_64.S:306) + +Freed by task 27920: + kasan_save_stack (mm/kasan/common.c:39) + kasan_set_track (mm/kasan/common.c:45) + kasan_set_free_info (mm/kasan/generic.c:372) + ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328) + slab_free_freelist_hook (mm/slub.c:1780) + kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553) + skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323) + bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth + l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth + sock_read_iter (net/socket.c:1087) + new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401) + vfs_read (fs/read_write.c:482) + ksys_read (fs/read_write.c:620) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u +Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM 
receive state machine") +Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 48 ++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 41 insertions(+), 7 deletions(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6246,6 +6246,7 @@ static int l2cap_rx_state_recv(struct l2 + struct l2cap_ctrl *control, + struct sk_buff *skb, u8 event) + { ++ struct l2cap_ctrl local_control; + int err = 0; + bool skb_in_use = false; + +@@ -6270,15 +6271,32 @@ static int l2cap_rx_state_recv(struct l2 + chan->buffer_seq = chan->expected_tx_seq; + skb_in_use = true; + ++ /* l2cap_reassemble_sdu may free skb, hence invalidate ++ * control, so make a copy in advance to use it after ++ * l2cap_reassemble_sdu returns and to avoid the race ++ * condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but ++ * it was freed by skb_free_datagram. 
++ */ ++ local_control = *control; + err = l2cap_reassemble_sdu(chan, skb, control); + if (err) + break; + +- if (control->final) { ++ if (local_control.final) { + if (!test_and_clear_bit(CONN_REJ_ACT, + &chan->conn_state)) { +- control->final = 0; +- l2cap_retransmit_all(chan, control); ++ local_control.final = 0; ++ l2cap_retransmit_all(chan, &local_control); + l2cap_ertm_send(chan); + } + } +@@ -6658,11 +6676,27 @@ static int l2cap_rx(struct l2cap_chan *c + static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff *skb) + { ++ /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store ++ * the txseq field in advance to use it after l2cap_reassemble_sdu ++ * returns and to avoid the race condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but it was freed by ++ * skb_free_datagram. ++ */ ++ u16 txseq = control->txseq; ++ + BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, + chan->rx_state); + +- if (l2cap_classify_txseq(chan, control->txseq) == +- L2CAP_TXSEQ_EXPECTED) { ++ if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { + l2cap_pass_to_tx(chan, control); + + BT_DBG("buffer_seq %d->%d", chan->buffer_seq, +@@ -6685,8 +6719,8 @@ static int l2cap_stream_rx(struct l2cap_ + } + } + +- chan->last_acked_seq = control->txseq; +- chan->expected_tx_seq = __next_seq(chan, control->txseq); ++ chan->last_acked_seq = txseq; ++ chan->expected_tx_seq = __next_seq(chan, txseq); + + return 0; + } diff --git a/patches.suse/HID-betop-check-shape-of-output-reports.patch b/patches.suse/HID-betop-check-shape-of-output-reports.patch new file mode 100644 index 0000000..b9cff34 --- /dev/null +++ b/patches.suse/HID-betop-check-shape-of-output-reports.patch 
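Review bot: The ownership rule both hunks work around — l2cap_reassemble_sdu() may hand the skb to the socket, after which the skb and the l2cap_ctrl in its cb are gone — is recorded only at these two call sites, as two copies of the same long comment, and not on the function that creates the hazard. A short note on l2cap_reassemble_sdu() itself (outside this hunk), saying that on return @skb may already have been queued and freed and that callers must not touch @skb or a @control pointing into its cb afterwards, would protect the remaining callers; if this tree has other callers such as l2cap_rx_queued_iframes() or the srej paths, they are worth checking for the same post-return access, which I cannot confirm from here. The L2CAP_TXSEQ_EXPECTED case still passes the original `control` into l2cap_reassemble_sdu() and reads only `local_control` afterwards, which is the right order. Both l2cap_rx_state_recv() and l2cap_stream_rx() extend beyond their hunks.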
@@ -0,0 +1,68 @@ +From 3782c0d6edf658b71354a64d60aa7a296188fc90 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Wed, 11 Jan 2023 18:12:16 +0000 +Subject: [PATCH] HID: betop: check shape of output reports +Git-commit: 3782c0d6edf658b71354a64d60aa7a296188fc90 +Patch-mainline: v6.2-rc5 +References: git-fixes, bsc#1207186 + +betopff_init() only checks the total sum of the report counts for each +report field to be at least 4, but hid_betopff_play() expects 4 report +fields. +A device advertising an output report with one field and 4 report counts +would pass the check but crash the kernel with a NULL pointer dereference +in hid_betopff_play(). + +Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-betopff.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c +index 467d789f9bc2..25ed7b9a917e 100644 +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid) + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev; +- int field_count = 0; + int error; + int i, j; + +@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid) + * ----------------------------------------- + * Do init them with default value. 
+ */ ++ if (report->maxfield < 4) { ++ hid_err(hid, "not enough fields in the report: %d\n", ++ report->maxfield); ++ return -ENODEV; ++ } + for (i = 0; i < report->maxfield; i++) { ++ if (report->field[i]->report_count < 1) { ++ hid_err(hid, "no values in the field\n"); ++ return -ENODEV; ++ } + for (j = 0; j < report->field[i]->report_count; j++) { + report->field[i]->value[j] = 0x00; +- field_count++; + } + } + +- if (field_count < 4) { +- hid_err(hid, "not enough fields in the report: %d\n", +- field_count); +- return -ENODEV; +- } +- + betopff = kzalloc(sizeof(*betopff), GFP_KERNEL); + if (!betopff) + return -ENOMEM; +-- +2.35.3 + diff --git a/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch b/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch new file mode 100644 index 0000000..644d78f --- /dev/null +++ b/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch 
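Review bot: The two new checks encode an assumption about hid_betopff_play() — at least four fields, each with at least one value — but nothing in the hunk says so, and the hid_err strings only describe the shape. I would put `/* hid_betopff_play() presumably writes field[0..3]->value[0]; reject reports that cannot satisfy that (the old sum-of-report_count check let one 4-value field through) — confirm against hid_betopff_play() */` above the `maxfield < 4` test so the bound is traceable when the play path changes. If the play path only uses the first four fields, the per-field `report_count < 1` check over every field is stricter than strictly needed but harmless. betopff_init() starts before the hunk and continues after it.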
@@ -0,0 +1,43 @@ +From c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Mon, 16 Jan 2023 11:11:25 +0000 +Subject: [PATCH] HID: check empty report_list in bigben_probe() +Git-commit: c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d +Patch-mainline: v6.2-rc5 +References: git-fixes, bsc#1206784 + +Add a check for empty report_list in bigben_probe(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index e8c5e3ac9fff..e8b16665860d 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -344,6 +344,11 @@ static int bigben_probe(struct hid_device *hid, + } + + report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; ++ if (list_empty(report_list)) { ++ hid_err(hid, "no output report found\n"); ++ error = -ENODEV; ++ goto error_hw_stop; ++ } + bigben->report = list_entry(report_list->next, + struct hid_report, list); + +-- +2.35.3 + diff --git a/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch b/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch new file mode 100644 index 0000000..bf9d299 --- /dev/null +++ b/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch 
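Review bot: The new check only establishes that some output report exists; `bigben->report` is still taken as the first list entry with no check on its field count or report_count, so a device whose output report has the wrong shape passes here and the later writes through bigben->report->field[]->value[] (in the worker, outside this hunk) are only as safe as whatever validation follows. Since this same merge makes hid_validate_values() safe on an empty list, the idiomatic form is `bigben->report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, N);` followed by the same `error = -ENODEV; goto error_hw_stop;` on NULL, with N the number of values the worker actually writes — a figure I cannot read from here. As written the patch is a correct minimal fix, and `goto error_hw_stop` relies on a label that presumably unwinds hid_hw_start(), which the hunk does not show. bigben_probe() extends beyond the hunk.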
@@ -0,0 +1,42 @@
+From b12fece4c64857e5fab4290bf01b2e0317a88456 Mon Sep 17 00:00:00 2001
+From: Pietro Borrello
+Date: Mon, 16 Jan 2023 11:11:24 +0000
+Subject: [PATCH] HID: check empty report_list in hid_validate_values()
+Git-commit: b12fece4c64857e5fab4290bf01b2e0317a88456
+Patch-mainline: v6.2-rc5
+References: git-fixes, bsc#1206784
+
+Add a check for empty report_list in hid_validate_values().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0")
+Signed-off-by: Pietro Borrello
+Signed-off-by: Jiri Kosina
+Acked-by: Takashi Iwai
+
+---
+ drivers/hid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index bd47628da6be..3e1803592bd4 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -993,8 +993,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
+ * Validating on id 0 means we should examine the first
+ * report in the list.
+ */
+- report = list_entry(
+- hid->report_enum[type].report_list.next,
++ report = list_first_entry_or_null(
++ &hid->report_enum[type].report_list,
+ struct hid_report, list);
+ } else {
+ report = hid->report_enum[type].report_id_hash[id];
+--
+2.35.3
+
diff --git a/patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch b/patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch
new file mode 100644
index 0000000..ca0b105
--- /dev/null
+++ b/patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch
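Review bot: list_first_entry_or_null() moves the empty-list case into `report`, so this change is only a fix if the `if (!report)` rejection that upstream hid_validate_values() has after this if/else is also present in this tree; the hunk ends before that point, so it should be confirmed rather than assumed. The surrounding `/* Validating on id 0 ... */` comment still says the first report is examined without saying it may not exist; extending its second line to `* report in the list, which may not exist for a malformed device.` keeps the comment honest about the NULL path. hid_validate_values() starts and ends outside the hunk.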
@@ -0,0 +1,180 @@ +From: NeilBrown +Subject: NFS: Handle missing attributes in OPEN reply +Patch-mainline: Submitted, 04jan2023 linux-nfs@vger.kernel.org +References: bsc#1203740 + +If a NFSv4 OPEN reply reports that the file was successfully opened but +the subsequent GETATTR fails, Linux-NFS will attempt a stand-alone +GETATTR request. If that also fails, handling of the reply is aborted +with error -EAGAIN and the open is attempted again from the start. + +This leaves the server with an active state (because the OPEN operation +succeeded) which the client doesn't know about. If the open-owner +(local user) did not have the file already open, this has minimal +consequences for the client and only causes the server to spend +resources on an open state that will never be used or explicitly closed. + +If the open-owner DID already have the file open, then it will hold a +reference to the open-state for that file, but the seq-id in the +state-id will now be out-of-sync with the server. The server will have +incremented the seq-id, but the client will not have noticed. So when +the client next attempts to access the file using that state (READ, +WRITE, SETATTR), the attempt will fail with NFS4ERR_OLD_STATEID. + +The Linux-client assumes this error is due to a race and simply retries +on the basis that the local state-id information should have been +updated by another thread. This basis is invalid in this case and the +result is an infinite loop attempting IO and getting OLD_STATEID. + +This has been observed with a NetApp Filer as the server (ONTAP 9.8 p5, +using NFSv4.0). The client is creating, writing, and unlinking a +particular file from multiple clients (.bash_history). If a new OPEN +from one client races with a REMOVE from another client while the first +client already has the file open, the Filer can report success for the +OPEN op, but NFS4ERR_STALE for the ACCESS and GETATTR ops in the OPEN +request. 
This gets the seq-id out-of-sync and a subsequent write to the +other open on the first client causes the infinite loop to occur. + +The reason that the client returns -EAGAIN is that it needs to find the +inode so it can find the associated state to update the seq-id, but the +inode lookup requires the file-id which is provided in the GETATTR +reply. Without the file-id normal inode lookup cannot be used. + +This patch changes the lookup so that when the file-id is not available +the list of states owned by the open-owner is examined to find the state +with the correct state-id (ignoring the seq-id part of the state-id). +If this is found it is used just as when a normal inode lookup finds an +inode. If it isn't found, -EAGAIN is returned as before. + +This bug can be demonstrated by modifying the Linux NFS server as +follows: + +1/ The second time a file is opened, unlink it. This simulates + a race with another client, without needing to have a race: + + // in fs/nfsd/nfs4proc.c: @@ -594,6 +594,12 @@ nfsd4_open(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (reclaim && !status) + nn->somebody_reclaimed = true; + out: + + if (!status && open->op_stateid.si_generation > 1) { + + printk("Opening gen %d\n", (int)open->op_stateid.si_generation); + + vfs_unlink(mnt_user_ns(resfh->fh_export->ex_path.mnt), + + resfh->fh_dentry->d_parent->d_inode, + + resfh->fh_dentry, NULL); + + } + if (open->op_filp) { + fput(open->op_filp); + open->op_filp = NULL; + +2/ When a GETATTR op is attempted on an unlinked file, return ESTALE + + // 
@@ -852,6 +858,11 @@ nfsd4_getattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (status) + return status; + + + if (cstate->current_fh.fh_dentry->d_inode->i_nlink == 0) { + + printk("Return Estale for unlinked file\n"); + + return nfserr_stale; + + } + + + if (getattr->ga_bmval[1] & NFSD_WRITEONLY_ATTRS_WORD1) + return nfserr_inval; + +Then mount the filesystem and + + Thread 1 Thread 2 + open a file + open the same file (will fail) + write to that file + +I use this shell fragment, using 'sleep' for synchronisation. +The use of /bin/echo ensures the write is flushed when /bin/echo closes +the fd on exit. + + ( + /bin/echo hello + sleep 3 + /bin/echo there + ) > /import/A/afile & + sleep 3 + cat /import/A/afile + +Probably when the OPEN succeeds, the GETATTR fails, and we don't already +have the state open, we should explicitly close the state. Leaving it +open could cause problems if, for example, the server revoked it and +signalled the client that there was a revoked state. The client would +not be able to find the state that needed to be relinquished. I haven't +attempted to implement this. 
+ +Signed-off-by: NeilBrown +Acked-by: NeilBrown + +--- + fs/nfs/nfs4_fs.h | 1 + + fs/nfs/nfs4proc.c | 18 ++++++++++++++---- + fs/nfs/nfs4state.c | 17 +++++++++++++++++ + 3 files changed, 32 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -467,6 +467,7 @@ extern void nfs4_put_state_owner(struct + extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *); + extern void nfs4_free_state_owners(struct list_head *head); + extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *); ++extern struct inode *nfs4_get_inode_by_stateid(nfs4_stateid *stateid, struct nfs4_state_owner *owner); + extern void nfs4_put_open_state(struct nfs4_state *); + extern void nfs4_close_state(struct nfs4_state *, fmode_t); + extern void nfs4_close_sync(struct nfs4_state *, fmode_t); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1946,10 +1946,20 @@ nfs4_opendata_get_inode(struct nfs4_open + case NFS4_OPEN_CLAIM_NULL: + case NFS4_OPEN_CLAIM_DELEGATE_CUR: + case NFS4_OPEN_CLAIM_DELEGATE_PREV: +- if (!(data->f_attr.valid & NFS_ATTR_FATTR)) +- return ERR_PTR(-EAGAIN); +- inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, +- &data->f_attr, data->f_label); ++ if (data->f_attr.valid & NFS_ATTR_FATTR) { ++ inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, ++ &data->f_attr, data->f_label); ++ } else { ++ /* We don't have the fileid and so cannot do inode ++ * lookup. If we already have this state open we MUST ++ * update the seqid to match the server, so we need to ++ * find it if possible. 
++ */ ++ inode = nfs4_get_inode_by_stateid(&data->o_res.stateid, ++ data->owner); ++ if (!inode) ++ inode = ERR_PTR(-EAGAIN); ++ } + break; + default: + inode = d_inode(data->dentry); +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -751,6 +751,23 @@ out: + return state; + } + ++struct inode * ++nfs4_get_inode_by_stateid(nfs4_stateid *stateid, struct nfs4_state_owner *owner) ++{ ++ struct nfs4_state *state; ++ struct inode *inode = NULL; ++ ++ spin_lock(&owner->so_lock); ++ list_for_each_entry(state, &owner->so_states, open_states) ++ if (nfs4_stateid_match_other(stateid, &state->open_stateid)) { ++ inode = state->inode; ++ ihold(inode); ++ break; ++ } ++ spin_unlock(&owner->so_lock); ++ return inode; ++} ++ + void nfs4_put_open_state(struct nfs4_state *state) + { + struct inode *inode = state->inode; diff --git a/patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch b/patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch new file mode 100644 index 0000000..031b92a --- /dev/null +++ b/patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch 
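Review bot: nfs4_get_inode_by_stateid() is a new cross-file helper that returns an inode with an extra reference (the `ihold()` taken under so_lock) and deliberately matches only the stateid's "other" field, but neither the header declaration nor the definition says so, and a caller that forgets the iput() or expects a seqid-exact match will not be told. I would add a kernel-doc block above the definition in nfs4state.c giving the purpose, noting that @stateid is compared with nfs4_stateid_match_other() so the seqid is ignored by design, and ending with `Return: the matching state's inode with a reference held (caller must iput()), or NULL if @owner holds no such state`. The caller shown here feeds the result into the same path as nfs_fhget(), which also returns a referenced inode, so the counts balance; `@stateid` could be `const nfs4_stateid *` since the helper only reads it. The unmatched case still returns -EAGAIN and leaves the server-side open state orphaned, as the description itself acknowledges. nfs4_opendata_get_inode() starts and ends outside the hunk.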
@@ -0,0 +1,42 @@
+From 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang
+Date: Tue, 14 Dec 2021 18:08:37 +0800
+Subject: [PATCH] drm: mali-dp: potential dereference of null pointer
+Git-commit: 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33
+Patch-mainline: v5.19-rc1
+References: CVE-2022-3115 bsc#1206393
+
+The return value of kzalloc() needs to be checked.
+To avoid use of null pointer '&state->base' in case of the
+failure of alloc.
+
+Fixes: 99665d072183 ("drm: mali-dp: add malidp_crtc_state struct")
+Signed-off-by: Jiasheng Jiang
+Reviewed-by: Brian Starkey
+Signed-off-by: Liviu Dudau
+Link: https://patchwork.freedesktop.org/patch/msgid/20211214100837.46912-1-jiasheng@iscas.ac.cn
+Acked-by: Takashi Iwai
+
+---
+ drivers/gpu/drm/arm/malidp_crtc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/arm/malidp_crtc.c b/drivers/gpu/drm/arm/malidp_crtc.c
+index 494075ddbef6..b5928b52e279 100644
+--- a/drivers/gpu/drm/arm/malidp_crtc.c
++++ b/drivers/gpu/drm/arm/malidp_crtc.c
+@@ -487,7 +487,10 @@ static void malidp_crtc_reset(struct drm_crtc *crtc)
+ if (crtc->state)
+ malidp_crtc_destroy_state(crtc, crtc->state);
+
+- __drm_atomic_helper_crtc_reset(crtc, &state->base);
++ if (state)
++ __drm_atomic_helper_crtc_reset(crtc, &state->base);
++ else
++ __drm_atomic_helper_crtc_reset(crtc, NULL);
+ }
+
+ static int malidp_crtc_enable_vblank(struct drm_crtc *crtc)
+--
+2.35.3
+
diff --git a/patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch b/patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch
new file mode 100644
index 0000000..e86397f
--- /dev/null
+++ b/patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch
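Review bot: The new if/else calls the same helper with either `&state->base` or NULL, which reads as two separate code paths; `__drm_atomic_helper_crtc_reset(crtc, state ? &state->base : NULL);` says the same thing in one line and stops the NULL case from looking like distinct behaviour. The fix is only complete if this tree's __drm_atomic_helper_crtc_reset() accepts a NULL state (upstream's does, leaving crtc->state NULL), which the hunk cannot show and which should be confirmed in this kernel before the patch is taken, since otherwise the dereference only moves. A comment such as `/* allocation failed: deliberately leave the CRTC with no state rather than a dangling one */` would record that the NULL outcome is intentional. malidp_crtc_reset() begins outside the hunk.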
@@ -0,0 +1,73 @@ +From adfe28a8fdbbdeb3d73b7237c6be02f0c712ddaa Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Thu, 6 Oct 2022 10:48:49 -0600 +Subject: [PATCH 2/2] ipv4: Handle attempt to delete multipath route when + fib_info contains an nh reference +Git-commit: 61b91eb33a69c3be11b259c5ea484505cd79f883 +References: bsc#1204171 CVE-2022-3435 +Patch-mainline: v6.1-rc1 + +Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: + fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 + fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 + inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 + +Separate nexthop objects are mutually exclusive with the legacy +multipath spec. Fix fib_nh_match to return if the config for the +to be deleted route contains a multipath spec while the fib_info +is using a nexthop object. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Fixes: 6bf92d70e690 ("net: ipv4: fix route with nexthop object delete warning") +Reported-by: Gwangun Jung +Signed-off-by: David Ahern +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Signed-off-by: David S. 
Miller +Signed-off-by: Denis Kirjanov +--- + net/ipv4/fib_semantics.c | 8 ++++---- + tools/testing/selftests/net/fib_nexthops.sh | 5 +++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 4db1cfd2ded0..0890e30c59ad 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -846,13 +846,13 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi, + return 1; + } + ++ /* cannot match on nexthop object attributes */ ++ if (fi->nh) ++ return 1; ++ + if (cfg->fc_oif || cfg->fc_gw_family) { + struct fib_nh *nh; + +- /* cannot match on nexthop object attributes */ +- if (fi->nh) +- return 1; +- + nh = fib_info_nh(fi, 0); + if (cfg->fc_encap) { + if (fib_encap_match(cfg->fc_encap_type, cfg->fc_encap, +diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh +index 72e1a3edd020..3bc0829e90df 100755 +--- a/tools/testing/selftests/net/fib_nexthops.sh ++++ b/tools/testing/selftests/net/fib_nexthops.sh +@@ -583,6 +583,11 @@ ipv4_fcnal() + set +e + check_nexthop "dev veth1" "" + log_test $? 0 "Nexthops removed on admin down" ++ ++ run_cmd "$IP nexthop add id 21 via 172.16.1.6 dev veth1" ++ run_cmd "$IP ro add 172.16.101.0/24 nhid 21" ++ run_cmd "$IP ro del 172.16.101.0/24 nexthop via 172.16.1.7 dev veth1 nexthop via 172.16.1.8 dev veth1" ++ log_test $? 2 "Delete multipath route with only nh id based entry" + } + + ipv4_grp_fcnal() +-- +2.16.4 + diff --git a/patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch b/patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch new file mode 100644 index 0000000..cb9fa39 --- /dev/null +++ b/patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch 
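Review bot: This patch header's `Git-commit: 61b91eb33a69c3be11b259c5ea484505cd79f883` is the same hash the companion 1/2 patch (net: ipv4: fix route with nexthop object delete warning) carries later in this merge, while this patch's own `Fixes:` tag cites that companion as 6bf92d70e690, so one of the two headers has the wrong upstream hash — most likely the 1/2 one together with its `Patch-mainline: v6.1-rc1` — and the series metadata should be corrected before this lands. In the code, hoisting `if (fi->nh) return 1;` above the fc_oif/fc_gw_family branch is what also short-circuits the legacy multipath matching the description says follows it, but the moved comment still reads as if it only guards the single-nexthop attributes; `/* fib_info backed by a nexthop object: neither the single-nexthop attributes below nor a legacy multipath spec can match it, only fc_nh_id (handled above) */` would say why it moved. The selftest's expected status 2 from the delete is consistent with the route simply not matching. fib_nh_match() starts and ends outside the hunk.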
@@ -0,0 +1,84 @@ +From c8c80c996182239ff9b05eda4db50184cf3b2e99 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Thu, 13 Jan 2022 07:59:28 +0100 +Subject: [PATCH] media: meson: vdec: potential dereference of null pointer +Git-commit: c8c80c996182239ff9b05eda4db50184cf3b2e99 +Patch-mainline: v5.18-rc1 +References: CVE-2022-3112 bsc#1206399 + +As the possible failure of the kzalloc(), the 'new_ts' could be NULL +pointer. +Therefore, it should be better to check it in order to avoid the +dereference of the NULL pointer. +Also, the caller esparser_queue() needs to deal with the return value of +the amvdec_add_ts(). + +Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance") +Signed-off-by: Jiasheng Jiang +Suggested-by: Neil Armstrong +Reviewed-by: Neil Armstrong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/staging/media/meson/vdec/esparser.c | 7 ++++++- + drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++-- + drivers/staging/media/meson/vdec/vdec_helpers.h | 2 +- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/staging/media/meson/vdec/esparser.c ++++ b/drivers/staging/media/meson/vdec/esparser.c +@@ -200,7 +200,12 @@ esparser_queue(struct amvdec_session *se + + offset = esparser_get_offset(sess); + +- amvdec_add_ts_reorder(sess, vb->timestamp, offset); ++ ret = amvdec_add_ts_reorder(sess, vb->timestamp, offset); ++ if (ret) { ++ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR); ++ return ret; ++ } ++ + dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X\n", + vb->timestamp, payload_size, offset); + +--- a/drivers/staging/media/meson/vdec/vdec_helpers.c ++++ b/drivers/staging/media/meson/vdec/vdec_helpers.c +@@ -200,12 +200,15 @@ int amvdec_set_canvases(struct amvdec_se + } + EXPORT_SYMBOL_GPL(amvdec_set_canvases); + +-void amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset) ++int amvdec_add_ts_reorder(struct amvdec_session *sess, u64 
ts, u32 offset) + { + struct amvdec_timestamp *new_ts, *tmp; + unsigned long flags; + +- new_ts = kmalloc(sizeof(*new_ts), GFP_KERNEL); ++ new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL); ++ if (!new_ts) ++ return -ENOMEM; ++ + new_ts->ts = ts; + new_ts->offset = offset; + +@@ -225,6 +228,7 @@ add_tail: + list_add_tail(&new_ts->list, &sess->timestamps); + unlock: + spin_unlock_irqrestore(&sess->ts_spinlock, flags); ++ return 0; + } + EXPORT_SYMBOL_GPL(amvdec_add_ts_reorder); + +--- a/drivers/staging/media/meson/vdec/vdec_helpers.h ++++ b/drivers/staging/media/meson/vdec/vdec_helpers.h +@@ -50,7 +50,7 @@ void amvdec_dst_buf_done_offset(struct a + * @ts: timestamp to add + * @offset: offset in the VIFIFO where the associated packet was written + */ +-void amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset); ++int amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset); + void amvdec_remove_ts(struct amvdec_session *sess, u64 ts); + + /** diff --git a/patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch b/patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch new file mode 100644 index 0000000..872b9f7 --- /dev/null +++ b/patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch 
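Review bot: amvdec_add_ts_reorder() changes from void to int, but the kernel-doc block in vdec_helpers.h that the hunk touches still documents only @ts and @offset; it needs a `* Return: 0 on success, -ENOMEM if the timestamp entry could not be allocated` line so callers know the only failure mode. In esparser_queue() the new failure path marks the buffer VB2_BUF_STATE_ERROR and returns the negative error; if esparser_queue() has other buffer-failure paths (its write-failure handling is outside the hunk), their return conventions should agree with this one, since the caller presumably keys its queue loop off the sign of the result. The kmalloc→kzalloc switch is harmless here because both fields are assigned before the entry is listed. amvdec_add_ts_reorder() ends outside the hunk.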
@@ -0,0 +1,115 @@ +From 66cbe230a6222d19b5d57a2934dc417bee017e57 Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov +Date: Fri, 1 Apr 2022 10:33:42 +0300 +Subject: [PATCH 1/2] net: ipv4: fix route with nexthop object delete warning +Git-commit: 61b91eb33a69c3be11b259c5ea484505cd79f883 +References: bsc#1204171 CVE-2022-3435 +Patch-mainline: v6.1-rc1 + +FRR folks have hit a kernel warning[1] while deleting routes[2] which is +caused by trying to delete a route pointing to a nexthop id without +specifying nhid but matching on an interface. That is, a route is found +but we hit a warning while matching it. The warning is from +fib_info_nh() in include/net/nexthop.h because we run it on a fib_info +with nexthop object. The call chain is: + inet_rtm_delroute -> fib_table_delete -> fib_nh_match (called with a +nexthop fib_info and also with fc_oif set thus calling fib_info_nh on +the fib_info and triggering the warning). The fix is to not do any +matching in that branch if the fi has a nexthop object because those are +managed separately. I.e. 
we should match when deleting without nh spec and +should fail when deleting a nexthop route with old-style nh spec because +nexthop objects are managed separately, e.g.: + $ ip r show 1.2.3.4/32 + 1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0 + + $ ip r del 1.2.3.4/32 + $ ip r del 1.2.3.4/32 nhid 12 + + + $ ip r del 1.2.3.4/32 dev dummy0 + + +[1] + [ 523.462226] ------------[ cut here ]------------ + [ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460 + [ 523.462236] Modules linked in: dummy rpcsec_gss_krb5 xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_raw iptable_raw bpf_preload xt_statistic ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_mark nf_tables xt_nat veth nf_conntrack_netlink nfnetlink xt_addrtype br_netfilter overlay dm_crypt nfsv3 nfs fscache netfs vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack 8021q garp mrp ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bridge stp llc rfcomm snd_seq_dummy snd_hrtimer rpcrdma rdma_cm iw_cm ib_cm ib_core ip6table_filter xt_comment ip6_tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmt_misc xfs vfat fat squashfs loop nvidia_drm(POE) nvidia_modeset(POE) nvidia_uvm(POE) nvidia(POE) intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi btusb btrtl iwlmvm uvcvideo btbcm snd_hda_intel edac_mce_amd + [ 523.462274] videobuf2_vmalloc videobuf2_memops btintel snd_intel_dspcfg videobuf2_v4l2 snd_intel_sdw_acpi bluetooth snd_usb_audio snd_hda_codec mac80211 snd_usbmidi_lib joydev snd_hda_core videobuf2_common kvm_amd snd_rawmidi snd_hwdep snd_seq videodev ccp snd_seq_device libarc4 ecdh_generic mc snd_pcm kvm iwlwifi snd_timer drm_kms_helper snd cfg80211 cec soundcore irqbypass rapl wmi_bmof i2c_piix4 rfkill k10temp pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm zram 
ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel nvme sp5100_tco r8169 nvme_core wmi ipmi_devintf ipmi_msghandler fuse + [ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1 + [ 523.462302] Hardware name: Micro-Star International Co., Ltd. MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020 + [ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460 + [ 523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff <0f> 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00 + [ 523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286 + [ 523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0 + [ 523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380 + [ 523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000 + [ 523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031 + [ 523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0 + [ 523.462311] FS: 00007f245517c1c0(0000) GS:ffff9e492ed80000(0000) knlGS:0000000000000000 + [ 523.462313] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 523.462313] CR2: 000055e5dfdd8268 CR3: 00000003ef488000 CR4: 0000000000350ee0 + [ 523.462315] Call Trace: + [ 523.462316] + [ 523.462320] fib_table_delete+0x1a9/0x310 + [ 523.462323] inet_rtm_delroute+0x93/0x110 + [ 523.462325] rtnetlink_rcv_msg+0x133/0x370 + [ 523.462327] ? _copy_to_iter+0xb5/0x6f0 + [ 523.462330] ? rtnl_calcit.isra.0+0x110/0x110 + [ 523.462331] netlink_rcv_skb+0x50/0xf0 + [ 523.462334] netlink_unicast+0x211/0x330 + [ 523.462336] netlink_sendmsg+0x23f/0x480 + [ 523.462338] sock_sendmsg+0x5e/0x60 + [ 523.462340] ____sys_sendmsg+0x22c/0x270 + [ 523.462341] ? import_iovec+0x17/0x20 + [ 523.462343] ? sendmsg_copy_msghdr+0x59/0x90 + [ 523.462344] ? 
__mod_lruvec_page_state+0x85/0x110 + [ 523.462348] ___sys_sendmsg+0x81/0xc0 + [ 523.462350] ? netlink_seq_start+0x70/0x70 + [ 523.462352] ? __dentry_kill+0x13a/0x180 + [ 523.462354] ? __fput+0xff/0x250 + [ 523.462356] __sys_sendmsg+0x49/0x80 + [ 523.462358] do_syscall_64+0x3b/0x90 + [ 523.462361] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 523.462364] RIP: 0033:0x7f24552aa337 + [ 523.462365] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + [ 523.462366] RSP: 002b:00007fff7f05a838 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + [ 523.462368] RAX: ffffffffffffffda RBX: 000000006245bf91 RCX: 00007f24552aa337 + [ 523.462368] RDX: 0000000000000000 RSI: 00007fff7f05a8a0 RDI: 0000000000000003 + [ 523.462369] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + [ 523.462370] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001 + [ 523.462370] R13: 00007fff7f05ce08 R14: 0000000000000000 R15: 000055e5dfdd1040 + [ 523.462373] + [ 523.462374] ---[ end trace ba537bc16f6bf4ed ]--- + +[2] https://github.com/FRRouting/frr/issues/6412 + +Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info") +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: David Ahern +Signed-off-by: David S. 
Miller +Signed-off-by: Denis Kirjanov +--- + net/ipv4/fib_semantics.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index b1b3220917ca..4db1cfd2ded0 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -847,8 +847,13 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi, + } + + if (cfg->fc_oif || cfg->fc_gw_family) { +- struct fib_nh *nh = fib_info_nh(fi, 0); ++ struct fib_nh *nh; ++ ++ /* cannot match on nexthop object attributes */ ++ if (fi->nh) ++ return 1; + ++ nh = fib_info_nh(fi, 0); + if (cfg->fc_encap) { + if (fib_encap_match(cfg->fc_encap_type, cfg->fc_encap, + nh, cfg, extack)) +-- +2.16.4 + diff --git a/patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch b/patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch new file mode 100644 index 0000000..2a97d49 --- /dev/null +++ b/patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch 
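Review bot: The new early `return 1` in fib_nh_match is a silent mismatch: deleting a nexthop-object route with a legacy `dev`/`via` spec now fails exactly like deleting a non-existent route, with no hint about the reason. Since `extack` is already available here (it is passed to fib_encap_match a few lines below), consider `NL_SET_ERR_MSG(extack, "Nexthop object routes cannot be matched on legacy nexthop attributes");` before the return, and widen the comment to `/* nexthop objects are managed separately; report no match rather than walking fi->fib_nh */` so the meaning of 1 is explicit. Only the fc_oif/fc_gw_family branch is guarded; if other branches of fib_nh_match outside this hunk also call fib_info_nh() on a fib_info with `fi->nh` set, they need the same guard.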
@@ -0,0 +1,42 @@ +From c03072dea1c0fc5d66e48692cd8be13443327a29 Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sun, 1 Jan 2023 16:57:43 -0500 +Subject: [PATCH 2/2] net: sched: atm: dont intepret cls results when asked to + drop +Git-commit: a2965c7be0522eaa18808684b7b82b248515511b +References: bsc#1207125 CVE-2023-23455 +Patch-mainline: v6.2-rc3 + +If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume +res.class contains a valid pointer +Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent") + +Signed-off-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/sched/sch_atm.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c +index 6385995dc700..34dd0434d99d 100644 +--- a/net/sched/sch_atm.c ++++ b/net/sched/sch_atm.c +@@ -396,10 +396,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch, + result = tcf_classify(skb, fl, &res, true); + if (result < 0) + continue; ++ if (result == TC_ACT_SHOT) ++ goto done; ++ + flow = (struct atm_flow_data *)res.class; + if (!flow) + flow = lookup_flow(sch, res.classid); +- goto done; ++ goto drop; + } + } + flow = NULL; +-- +2.16.4 + diff --git a/patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch b/patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch new file mode 100644 index 0000000..d5b0a43 --- /dev/null +++ b/patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch 
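Review bot: The `goto done` → `goto drop` swap on the successfully classified path looks inverted: right after `flow` has been resolved from `res.class`/lookup_flow the code now jumps to `drop`, while the TC_ACT_SHOT case that should drop jumps to `done`. Both labels are outside the hunk, so this is inferred, but if `drop:` is the drop-accounting return at the end of atm_tc_enqueue, every packet matched by a filter would bypass enqueue, and whether `done` still drops a SHOT packet then depends on the switch below it. The commit message's intent is met by `if (result == TC_ACT_SHOT) goto drop;` with the original `goto done;` left untouched. atm_tc_enqueue starts and ends outside the hunk.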
@@ -0,0 +1,147 @@ +From 71c4471290abc5888cf1cb13a7661e06367d3c5f Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sun, 1 Jan 2023 16:57:44 -0500 +Subject: [PATCH 1/2] net: sched: cbq: dont intepret cls results when asked to + drop +Git-commit: caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12 +References: bsc#1207036 CVE-2023-23454 +Patch-mainline: v6.2-rc3 + +If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume that +res.class contains a valid pointer + +Sample splat reported by Kyle Zeng + +[ 5.405624] 0: reclassify loop, rule prio 0, protocol 800 +[ 5.406326] ================================================================== +[ 5.407240] BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x54b/0xea0 +[ 5.407987] Read of size 1 at addr ffff88800e3122aa by task poc/299 +[ 5.408731] +[ 5.408897] CPU: 0 PID: 299 Comm: poc Not tainted 5.10.155+ #15 +[ 5.409516] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS 1.15.0-1 04/01/2014 +[ 5.410439] Call Trace: +[ 5.410764] dump_stack+0x87/0xcd +[ 5.411153] print_address_description+0x7a/0x6b0 +[ 5.411687] ? vprintk_func+0xb9/0xc0 +[ 5.411905] ? printk+0x76/0x96 +[ 5.412110] ? cbq_enqueue+0x54b/0xea0 +[ 5.412323] kasan_report+0x17d/0x220 +[ 5.412591] ? cbq_enqueue+0x54b/0xea0 +[ 5.412803] __asan_report_load1_noabort+0x10/0x20 +[ 5.413119] cbq_enqueue+0x54b/0xea0 +[ 5.413400] ? __kasan_check_write+0x10/0x20 +[ 5.413679] __dev_queue_xmit+0x9c0/0x1db0 +[ 5.413922] dev_queue_xmit+0xc/0x10 +[ 5.414136] ip_finish_output2+0x8bc/0xcd0 +[ 5.414436] __ip_finish_output+0x472/0x7a0 +[ 5.414692] ip_finish_output+0x5c/0x190 +[ 5.414940] ip_output+0x2d8/0x3c0 +[ 5.415150] ? ip_mc_finish_output+0x320/0x320 +[ 5.415429] __ip_queue_xmit+0x753/0x1760 +[ 5.415664] ip_queue_xmit+0x47/0x60 +[ 5.415874] __tcp_transmit_skb+0x1ef9/0x34c0 +[ 5.416129] tcp_connect+0x1f5e/0x4cb0 +[ 5.416347] tcp_v4_connect+0xc8d/0x18c0 +[ 5.416577] __inet_stream_connect+0x1ae/0xb40 +[ 5.416836] ? local_bh_enable+0x11/0x20 +[ 5.417066] ? 
lock_sock_nested+0x175/0x1d0 +[ 5.417309] inet_stream_connect+0x5d/0x90 +[ 5.417548] ? __inet_stream_connect+0xb40/0xb40 +[ 5.417817] __sys_connect+0x260/0x2b0 +[ 5.418037] __x64_sys_connect+0x76/0x80 +[ 5.418267] do_syscall_64+0x31/0x50 +[ 5.418477] entry_SYSCALL_64_after_hwframe+0x61/0xc6 +[ 5.418770] RIP: 0033:0x473bb7 +[ 5.418952] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 +00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00 +00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34 +24 89 +[ 5.420046] RSP: 002b:00007fffd20eb0f8 EFLAGS: 00000246 ORIG_RAX: +000000000000002a +[ 5.420472] RAX: ffffffffffffffda RBX: 00007fffd20eb578 RCX: 0000000000473bb7 +[ 5.420872] RDX: 0000000000000010 RSI: 00007fffd20eb110 RDI: 0000000000000007 +[ 5.421271] RBP: 00007fffd20eb150 R08: 0000000000000001 R09: 0000000000000004 +[ 5.421671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +[ 5.422071] R13: 00007fffd20eb568 R14: 00000000004fc740 R15: 0000000000000002 +[ 5.422471] +[ 5.422562] Allocated by task 299: +[ 5.422782] __kasan_kmalloc+0x12d/0x160 +[ 5.423007] kasan_kmalloc+0x5/0x10 +[ 5.423208] kmem_cache_alloc_trace+0x201/0x2e0 +[ 5.423492] tcf_proto_create+0x65/0x290 +[ 5.423721] tc_new_tfilter+0x137e/0x1830 +[ 5.423957] rtnetlink_rcv_msg+0x730/0x9f0 +[ 5.424197] netlink_rcv_skb+0x166/0x300 +[ 5.424428] rtnetlink_rcv+0x11/0x20 +[ 5.424639] netlink_unicast+0x673/0x860 +[ 5.424870] netlink_sendmsg+0x6af/0x9f0 +[ 5.425100] __sys_sendto+0x58d/0x5a0 +[ 5.425315] __x64_sys_sendto+0xda/0xf0 +[ 5.425539] do_syscall_64+0x31/0x50 +[ 5.425764] entry_SYSCALL_64_after_hwframe+0x61/0xc6 +[ 5.426065] +[ 5.426157] The buggy address belongs to the object at ffff88800e312200 +[ 5.426157] which belongs to the cache kmalloc-128 of size 128 +[ 5.426955] The buggy address is located 42 bytes to the right of +[ 5.426955] 128-byte region [ffff88800e312200, ffff88800e312280) +[ 5.427688] The buggy address belongs to the page: +[ 5.427992] 
page:000000009875fabc refcount:1 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0xe312 +[ 5.428562] flags: 0x100000000000200(slab) +[ 5.428812] raw: 0100000000000200 dead000000000100 dead000000000122 +ffff888007843680 +[ 5.429325] raw: 0000000000000000 0000000000100010 00000001ffffffff +ffff88800e312401 +[ 5.429875] page dumped because: kasan: bad access detected +[ 5.430214] page->mem_cgroup:ffff88800e312401 +[ 5.430471] +[ 5.430564] Memory state around the buggy address: +[ 5.430846] ffff88800e312180: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 5.431267] ffff88800e312200: 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 fc +[ 5.431705] >ffff88800e312280: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 5.432123] ^ +[ 5.432391] ffff88800e312300: 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 fc +[ 5.432810] ffff88800e312380: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 5.433229] ================================================================== +[ 5.433648] Disabling lock debugging due to kernel taint + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Kyle Zeng +Signed-off-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/sched/sch_cbq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c +index 39b427dc7512..845f62c82ab4 100644 +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -231,6 +231,8 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) + result = tcf_classify(skb, fl, &res, true); + if (!fl || result < 0) + goto fallback; ++ if (result == TC_ACT_SHOT) ++ return NULL; + + cl = (void *)res.class; + if (!cl) { +@@ -251,8 +253,6 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) + case TC_ACT_TRAP: + *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN; + /* fall through */ +- case TC_ACT_SHOT: +- return NULL; + case TC_ACT_RECLASSIFY: + return cbq_reclassify(skb, cl); + } +-- +2.16.4 + 
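Review bot: Removing the `case TC_ACT_SHOT: return NULL;` arm changes what the `/* fall through */` after `case TC_ACT_TRAP:` lands on — TC_ACT_QUEUED/STOLEN/TRAP now fall into `case TC_ACT_RECLASSIFY:` and return `cbq_reclassify(skb, cl)` instead of NULL, so a stolen packet is reclassified after `*qerr` has already been set to STOLEN. The new early `if (result == TC_ACT_SHOT) return NULL;` already covers SHOT, so the fall-through arm should end explicitly: `*qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;` followed by `return NULL;`, with the `/* fall through */` comment dropped. The early return leaves `*qerr` at whatever cbq_classify assigned before the hunk (presumably the BYPASS default), which only matches the pre-patch SHOT behaviour if that initialisation exists; cbq_classify starts outside the hunk.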
diff --git a/patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch b/patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch new file mode 100644 index 0000000..d248219 --- /dev/null +++ b/patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch 
@@ -0,0 +1,97 @@ +From e99a1ad03ed12ba46b8624a40b850912e21e5a08 Mon Sep 17 00:00:00 2001 +From: Frederick Lawler +Date: Mon, 9 Jan 2023 10:39:06 -0600 +Subject: [PATCH] net: sched: disallow noqueue for qdisc classes +Git-commit: 96398560f26aa07e8f2969d73c8197e6a6d10407 +References: bsc#1207237 CVE-2022-47929 +Patch-mainline: v6.2-rc4 + +While experimenting with applying noqueue to a classful queue discipline, +we discovered a NULL pointer dereference in the __dev_queue_xmit() +path that generates a kernel OOPS: + + # dev=enp0s5 + # tc qdisc replace dev $dev root handle 1: htb default 1 + # tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit + # tc qdisc add dev $dev parent 1:1 handle 10: noqueue + # ping -I $dev -w 1 -c 1 1.1.1.1 + +[ 2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 2.173217] #PF: supervisor instruction fetch in kernel mode +... +[ 2.178451] Call Trace: +[ 2.178577] +[ 2.178686] htb_enqueue+0x1c8/0x370 +[ 2.178880] dev_qdisc_enqueue+0x15/0x90 +[ 2.179093] __dev_queue_xmit+0x798/0xd00 +[ 2.179305] ? _raw_write_lock_bh+0xe/0x30 +[ 2.179522] ? __local_bh_enable_ip+0x32/0x70 +[ 2.179759] ? ___neigh_create+0x610/0x840 +[ 2.179968] ? eth_header+0x21/0xc0 +[ 2.180144] ip_finish_output2+0x15e/0x4f0 +[ 2.180348] ? dst_output+0x30/0x30 +[ 2.180525] ip_push_pending_frames+0x9d/0xb0 +[ 2.180739] raw_sendmsg+0x601/0xcb0 +[ 2.180916] ? _raw_spin_trylock+0xe/0x50 +[ 2.181112] ? _raw_spin_unlock_irqrestore+0x16/0x30 +[ 2.181354] ? get_page_from_freelist+0xcd6/0xdf0 +[ 2.181594] ? sock_sendmsg+0x56/0x60 +[ 2.181781] sock_sendmsg+0x56/0x60 +[ 2.181958] __sys_sendto+0xf7/0x160 +[ 2.182139] ? handle_mm_fault+0x6e/0x1d0 +[ 2.182366] ? do_user_addr_fault+0x1e1/0x660 +[ 2.182627] __x64_sys_sendto+0x1b/0x30 +[ 2.182881] do_syscall_64+0x38/0x90 +[ 2.183085] entry_SYSCALL_64_after_hwframe+0x63/0xcd +... 
+[ 2.187402] + +Previously in commit d66d6c3152e8 ("net: sched: register noqueue +qdisc"), NULL was set for the noqueue discipline on noqueue init +so that __dev_queue_xmit() falls through for the noqueue case. This +also sets a bypass of the enqueue NULL check in the +register_qdisc() function for the struct noqueue_disc_ops. + +Classful queue disciplines make it past the NULL check in +__dev_queue_xmit() because the discipline is set to htb (in this case), +and then in the call to __dev_xmit_skb(), it calls into htb_enqueue() +which grabs a leaf node for a class and then calls qdisc_enqueue() by +passing in a queue discipline which assumes ->enqueue() is not set to NULL. + +Fix this by not allowing classes to be assigned to the noqueue +discipline. Linux TC Notes states that classes cannot be set to +the noqueue discipline. [1] Let's enforce that here. + +Links: +1. https://linux-tc-notes.sourceforge.net/tc/doc/sch_noqueue.txt + +Fixes: d66d6c3152e8 ("net: sched: register noqueue qdisc") +Cc: stable@vger.kernel.org +Signed-off-by: Frederick Lawler +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/r/20230109163906.706000-1-fred@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + net/sched/sch_api.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 50794125bf02..5c1daa97bd25 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1097,6 +1097,11 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + return -ENOENT; + } + ++ if (new && new->ops == &noqueue_qdisc_ops) { ++ NL_SET_ERR_MSG(extack, "Cannot assign noqueue to a class"); ++ return -EINVAL; ++ } ++ + err = cops->graft(parent, cl, new, &old, extack); + if (err) + return err; +-- +2.16.4 + 
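Review bot: The new `noqueue_qdisc_ops` check carries no comment explaining why this particular ops pointer is rejected, so a reader of sch_api.c has to dig up the commit message to learn that noqueue registers with a NULL ->enqueue(); add `/* noqueue has no ->enqueue(): grafting it under a class would make qdisc_enqueue() dereference NULL (see d66d6c3152e8) */` above the `if`. The guard sits after the class lookup's `return -ENOENT;`, so it appears to cover only the class-graft branch of qdisc_graft, which matches the commit message; qdisc_graft starts outside this hunk, so the root-graft branch cannot be checked here. `noqueue_qdisc_ops` needs a declaration visible in sch_api.c; the backport does not show where that comes from.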
diff --git a/patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch b/patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch new file mode 100644 index 0000000..5781e37 --- /dev/null +++ b/patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch @@ -0,0 +1,44 @@ +From 559c36c5a8d730c49ef805a72b213d3bba155cc8 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 7 Sep 2022 10:26:18 +0200 +Subject: [PATCH] netfilter: nfnetlink_osf: fix possible bogus match in + nf_osf_find() +References: bsc#1204614 +Git-commit: 559c36c5a8d730c49ef805a72b213d3bba155cc8 +Patch-mainline: v6.0-rc7 + +nf_osf_find() incorrectly returns true on mismatch, this leads to +copying uninitialized memory area in nft_osf which can be used to leak +stale kernel stack data to userspace. + +Fixes: 22c7652cdaa8 ("netfilter: nft_osf: Add version option support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Oscar Salvador +--- + net/netfilter/nfnetlink_osf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -265,6 +265,7 @@ bool nf_osf_find(const struct sk_buff *s + const struct nf_osf_finger *kf; + struct nf_osf_hdr_ctx ctx; + const struct tcphdr *tcp; ++ bool found = false; + + memset(&ctx, 0, sizeof(ctx)); + +@@ -279,10 +280,11 @@ bool nf_osf_find(const struct sk_buff *s + + data->genre = f->genre; + data->version = f->version; ++ found = true; + break; + } + +- return true; ++ return found; + } + EXPORT_SYMBOL_GPL(nf_osf_find); + diff --git a/patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch b/patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch new file mode 100644 index 0000000..5135503 --- /dev/null +++ b/patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch 
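Review bot: With `found` the contract of nf_osf_find changes from "always true" to "true only when a fingerprint matched and data->genre/version were written", and callers such as nft_osf rely on `data` being left untouched when it returns false — that should be stated where the function is declared. Suggested kernel-doc line: `* Return: true if a fingerprint matched and data was filled in; false otherwise, in which case data is not touched`. The enclosing function starts outside the hunk, so whether the loop has other exits that leave `found` false while partially writing `data` cannot be verified here.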
@@ -0,0 +1,62 @@ +From: Marcelo Ricardo Leitner +Date: Mon, 23 Jan 2023 14:59:33 -0300 +Subject: sctp: fail if no bound addresses can be used for a given scope +Patch-mainline: v6.2-rc6 +Git-commit: 458e279f861d3f61796894cd158b780765a1569f +References: bsc#1206677 + +Currently, if you bind the socket to something like: + servaddr.sin6_family = AF_INET6; + servaddr.sin6_port = htons(0); + servaddr.sin6_scope_id = 0; + inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); + +And then request a connect to: + connaddr.sin6_family = AF_INET6; + connaddr.sin6_port = htons(20000); + connaddr.sin6_scope_id = if_nametoindex("lo"); + inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); + +What the stack does is: + - bind the socket + - create a new asoc + - to handle the connect + - copy the addresses that can be used for the given scope + - try to connect + +But the copy returns 0 addresses, and the effect is that it ends up +trying to connect as if the socket wasn't bound, which is not the +desired behavior. This unexpected behavior also allows KASLR leaks +through SCTP diag interface. + +The fix here then is, if when trying to copy the addresses that can +be used for the scope used in connect() it returns 0 addresses, bail +out. This is what TCP does with a similar reproducer. + +Reported-by: Pietro Borrello +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + net/sctp/bind_addr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/sctp/bind_addr.c ++++ b/net/sctp/bind_addr.c +@@ -73,6 +73,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, + } + } + ++ /* If somehow no addresses were found that can be used with this ++ * scope, it's an error. 
++ */ ++ if (list_empty(&dest->address_list)) ++ error = -ENETUNREACH; ++ + out: + if (error) + sctp_bind_addr_clean(dest); diff --git a/patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch b/patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch new file mode 100644 index 0000000..16eaca3 --- /dev/null +++ b/patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch 
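Review bot: The new `-ENETUNREACH` return is a new failure mode for sctp_bind_addr_copy, and its declaration/kernel-doc (outside this hunk) should name it: `Returns -ENETUNREACH if none of the bound addresses is usable in the requested scope`. The check is placed after the copy loop and before `out:`, so it only runs when the loop finished without error — the right spot, assuming loop errors jump to `out` with `error` set as the visible cleanup suggests. The comment could also name the user-visible effect, e.g. `/* ... connect() must fail rather than proceed as if the socket were unbound */`, since that is the behaviour the fix exists for.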
@@ -0,0 +1,55 @@ +From cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Wed, 23 Nov 2022 10:35:40 -0500 +Subject: [PATCH] wifi: wilc1000: validate pairwise and authentication suite offsets +Git-commit: cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 +Patch-mainline: v6.1-rc8 +References: CVE-2022-47520 bsc#1206515 + +There is no validation of 'offset' which can trigger an out-of-bounds +read when extracting RSN capabilities. + +Signed-off-by: Phil Turnbull +Tested-by: Ajay Kathat +Acked-by: Ajay Kathat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com +Acked-by: Takashi Iwai + +--- + drivers/staging/wilc1000/wilc_hif.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/staging/wilc1000/wilc_hif.c ++++ b/drivers/staging/wilc1000/wilc_hif.c +@@ -547,14 +547,25 @@ void *wilc_parse_join_bss_param(struct c + + rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len); + if (rsn_ie) { ++ int rsn_ie_len = sizeof(struct element) + rsn_ie[1]; + int offset = 8; + +- param->mode_802_11i = 2; +- param->rsn_found = true; + //extract RSN capabilities +- offset += (rsn_ie[offset] * 4) + 2; +- offset += (rsn_ie[offset] * 4) + 2; +- memcpy(param->rsn_cap, &rsn_ie[offset], 2); ++ if (offset < rsn_ie_len) { ++ /* skip over pairwise suites */ ++ offset += (rsn_ie[offset] * 4) + 2; ++ ++ if (offset < rsn_ie_len) { ++ /* skip over authentication suites */ ++ offset += (rsn_ie[offset] * 4) + 2; ++ ++ if (offset + 1 < rsn_ie_len) { ++ param->mode_802_11i = 2; ++ param->rsn_found = true; ++ memcpy(param->rsn_cap, &rsn_ie[offset], 2); ++ } ++ } ++ } + } + + if (param->rsn_found) { diff --git a/rpm/check-for-config-changes b/rpm/check-for-config-changes index fb31586..c0754d3 100755 --- a/rpm/check-for-config-changes +++ b/rpm/check-for-config-changes 
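Review bot: Moving `param->mode_802_11i = 2` and `param->rsn_found = true` inside the innermost length check is a behaviour change beyond the out-of-bounds fix: an RSN IE that is present but too short to hold the capability field now leaves rsn_found false, so the `if (param->rsn_found)` block that follows is skipped and the BSS is treated as having no RSN element at all. That is a defensible choice but deserves a comment, e.g. `/* a truncated RSN IE is treated as absent: rsn_found stays false */` above the first `if (offset < rsn_ie_len)`. The bounds themselves read correctly: `rsn_ie_len` includes the two element header bytes, each `rsn_ie[offset]` read used as a count is guarded by `offset < rsn_ie_len`, and `offset + 1 < rsn_ie_len` covers both bytes of the memcpy; since the suite counts are single bytes `offset` cannot grow far, though `rsn_ie_len` as `int` could be `size_t` to match the sizeof it is built from. wilc_parse_join_bss_param continues outside the hunk.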
@@ -5,20 +5,21 @@ # # please keep them sorted alphabetically declare -a IGNORED_CONFIGS_RE=( - 'AS_HAS_[A-Z_]*' + 'AS_HAS_[A-Z0-9_]*' 'AS_VERSION' 'CC_CAN_[A-Z_]*' 'CC_HAS_[A-Z_]*' 'CC_HAVE_[A-Z_]*' 'CC_VERSION_TEXT' - 'FTRACE_MCOUNT_USE_CC' - 'FTRACE_MCOUNT_USE_RECORDMCOUNT' + 'FTRACE_MCOUNT_USE_[A-Z_]*' 'GCC_VERSION' 'G*CC[0-9]*_NO_[A-Z_]*' 'HAVE_[A-Z]*_COMPILER' 'LD_VERSION' 'PAHOLE_VERSION' + 'TOOLCHAIN_HAS_[A-Z_]*' 'TOOLS_SUPPORT_[A-Z_]*' + 'OBJTOOL' ) declare -a SED_ARGS=() diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 336bfd2..3cdf607 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -24,6 +24,7 @@ %define compress_modules @COMPRESS_MODULES@ %define compress_vmlinux @COMPRESS_VMLINUX@ %define livepatch @LIVEPATCH@%{nil} +%define livepatch_rt @LIVEPATCH_RT@%{nil} %include %_sourcedir/kernel-spec-macros @@ -1334,7 +1335,7 @@ relink ../../linux-%{kernelrelease}%{variant}-obj/"%cpu_arch_flavor" /usr/src/li /usr/src/linux-obj/%kmp_target_cpu %endif -%if "%livepatch" != "" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y" && "%variant" == "" && %build_default +%if "%livepatch" != "" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y" && (("%variant" == "" && %build_default) || ("%variant" == "-rt" && 0%livepatch_rt)) %if "%livepatch" == "kgraft" %define patch_package %{livepatch}-patch %else 
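Review bot: `'OBJTOOL'` is appended after `'TOOLS_SUPPORT_[A-Z_]*'`, but the comment at the top of the array asks that entries be kept sorted alphabetically, and the other new entry `'TOOLCHAIN_HAS_[A-Z_]*'` does honour that order; move `'OBJTOOL'` between `'LD_VERSION'` and `'PAHOLE_VERSION'`. The widening of `'AS_HAS_[A-Z_]*'` to `'AS_HAS_[A-Z0-9_]*'` is not mirrored for `CC_HAS_`/`CC_CAN_`, which may be deliberate but is worth a quick check against the config names that motivated it.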
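Review bot: The new `-rt` arm of the `%if` tests `0%livepatch_rt`, which is only a valid RPM expression when LIVEPATCH_RT is empty or numeric — a value such as `yes` expands to `0yes` and breaks spec parsing, whereas the same line tests `%livepatch` with a string comparison. The mkspec hunk later in this commit only blanks values matching `0+|no|none` and passes anything else through unchanged, so the two sides disagree on the accepted vocabulary; `"%livepatch_rt" != ""` would match how `%livepatch` is handled on the same line. The `%if` block continues past the hunk.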
@@ -1344,13 +1345,15 @@ relink ../../linux-%{kernelrelease}%{variant}-obj/"%cpu_arch_flavor" /usr/src/li Summary: Metapackage to pull in matching %patch_package package Group: System/Kernel Requires: %{patch_package}-%(echo %{version}-%{source_rel} | sed 'y/\./_/')-%{build_flavor} +Provides: multiversion(kernel) +%if "%variant" != "-rt" Provides: kernel-default-kgraft = %version Provides: kernel-xen-kgraft = %version -Provides: multiversion(kernel) %if "%livepatch" != "kgraft" Obsoletes: kernel-default-kgraft < %version Obsoletes: kernel-xen-kgraft < %version %endif +%endif %description %{livepatch} This is a metapackage that pulls in the matching %patch_package package for a @@ -1389,6 +1392,8 @@ Provides: multiversion(kernel) # tell weak-modules2 to ignore this package Provides: kmp_in_kernel Requires(post): suse-module-tools >= 12.4 +Enhances: %name +Supplements: packageand(%name:%@KMP_NAME@-%build_flavor) @KMP_DEPS@ %description -n @KMP_NAME@-%build_flavor diff --git a/rpm/kernel-source.rpmlintrc b/rpm/kernel-source.rpmlintrc index a63f94e..fa0fc43 100644 --- a/rpm/kernel-source.rpmlintrc +++ b/rpm/kernel-source.rpmlintrc @@ -10,7 +10,3 @@ addFilter("dangling-symlink .*/lib/modules/[1-9].*/source") addFilter("hidden-file-or-dir /usr/src/linux-.*-obj/.*/.config") addFilter("hidden-file-or-dir /usr/src/linux-.*-obj/.*/.kernel-binary.spec.buildenv") addFilter("hidden-file-or-dir /boot/\..*\.hmac") -# This check ensures that KMPs are built using the %kernel_module_package -# macro, but we are deliberately not doing this for KMPs built from the -# kernel spec file (fate#319339) -addFilter("suse-policy-kmp-missing-supplements") diff --git a/rpm/macros.kernel-source b/rpm/macros.kernel-source index 3097b62..78b4126 100644 --- a/rpm/macros.kernel-source +++ b/rpm/macros.kernel-source 
@@ -7,7 +7,7 @@ else \ end } %kernel_module_package_release 1 -%kernel_module_package_buildreqs modutils kernel-syms kmod-compat %kernel_build_shell_package +%kernel_module_package_buildreqs modutils kernel-syms kmod-compat suse-kernel-rpm-scriptlets %kernel_build_shell_package %cpu_arch %(case %_target_cpu in \ # from rpm --eval '%ix86' \ diff --git a/rpm/mkspec b/rpm/mkspec index 4fe1124..c415073 100755 --- a/rpm/mkspec +++ b/rpm/mkspec @@ -41,6 +41,7 @@ my $compress_modules = 'none'; my $compress_vmlinux = 'gz'; my $build_dtbs = (); my $livepatch = ""; +my $livepatch_rt = ""; if (defined($vars{'COMPRESS_MODULES'})) { $compress_modules = $vars{'COMPRESS_MODULES'}; } @@ -55,6 +56,10 @@ if (defined($vars{'LIVEPATCH'})) { $livepatch = $vars{'LIVEPATCH'}; $livepatch = "" if $livepatch =~ /^(0+|no|none)$/i; } +if (defined($vars{'LIVEPATCH_RT'})) { + $livepatch_rt = $vars{'LIVEPATCH_RT'}; + $livepatch_rt = "" if $livepatch_rt =~ /^(0+|no|none)$/i; +} $vanilla_only ||= "0"; if (!defined ($rpmrelease)) { $rpmrelease = $vars{'RELEASE'} || 0; @@ -121,6 +126,7 @@ my %macros = ( UNPACK_PATCHES => $unpack_patches, SCRIPTS => $scripts, LIVEPATCH => $livepatch, + LIVEPATCH_RT => $livepatch_rt, YEAR => (localtime time)[5] + 1900, COMPRESS_MODULES => $compress_modules, COMPRESS_VMLINUX => $compress_vmlinux, diff --git a/rpm/mkspec-dtb b/rpm/mkspec-dtb index a46416f..4d9ff96 100755 --- a/rpm/mkspec-dtb +++ b/rpm/mkspec-dtb @@ -87,6 +87,7 @@ my @aarch64_package_list = ( # DTB packages names my @riscv64_package_list = ( ['dtb-microchip', 'microchip/*.dts', "Microchip based riscv64 systems"], + ['dtb-renesas', 'renesas/*.dts', "Renesas based riscv64 systems"], ['dtb-sifive', 'sifive/*.dts', "SiFive based riscv64 systems"], ['dtb-starfive', 'starfive/*.dts', "StarFive based riscv64 systems"], ); diff --git a/scripts/check-kernel-commit b/scripts/check-kernel-commit new file mode 100755 index 0000000..45a0a6e --- /dev/null +++ b/scripts/check-kernel-commit 
@@ -0,0 +1,173 @@ +#!/bin/bash + +usage() +{ + echo "Check whether a given list of commit is available in" + echo "a given list of branches." + echo + echo "Usage: ${0##*/} [branches.conf] term..." + echo + echo "Parametes:" + echo " branches.conf: file with the list of branches to be checked" + echo " term: hash of the commit|CVE|bsc to be found" +} + +fetch_branches() +{ + local CACHED_BRANCHES="/tmp/$USER-branches.conf" + local URL="https://kerncvs.suse.de/branches.conf" + local EXPIRE=7 + branches=$CACHED_BRANCHES + if [[ $(find "$CACHED_BRANCHES" -mtime -$EXPIRE -print 2>/dev/null) \ + && -s "$CACHED_BRANCHES" ]]; then + echo "Using cached $CACHED_BRANCHES" >&2 + return + fi + curl "$URL" -o "$CACHED_BRANCHES" +} + +if [ $# -lt 1 ] ; then + usage + exit 1 +fi + +branches=$1 +if [ ! -f "$branches" ] ; then + echo "Branches file not specified, trying to fetch it..." >&2 + if ! fetch_branches ; then + "Error: Can't find the file with the list of branches: $branches nor fetch it" + exit 1 + fi +else + shift; +fi + +KBC_CHECK_TERMS="$*" + +term2regex() +{ + shopt -q nocasematch + local t=$1 + case $t in + # CVEs first + 2[0-9][0-9][0-9]-*) + t=cve-$t + ;& + cve-*) + echo "^References:.*$t" + ;; + # looks like a hash, look for commits + [a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]*) + echo "^Git-commit:.*$t" + ;; + # treat rest as a generic reference + *) + echo "^References:.*$t" + ;; + esac +} + +check_branch() +{ + verbose=0 + if [ "$1" = "-v" ] ; then + verbose=1 + shift + fi + + branch="$1" + found="" + missing="" + + for term in $KBC_CHECK_TERMS ; do + git grep -qi "$(term2regex $term)" "remotes/origin/$branch" -- 'patches.*' 2>/dev/null + if [ $? 
-eq 0 ] ; then + found="$found $term" + else + missing="$missing $term" + fi + done + + # found + if [ -z "$missing" ] ; then + return 0 + fi + + # missing + if [ -z "$found" ] ; then + return 2 + fi + + # partly + if [ $verbose -ne 0 ] ; then + echo " missing hash:" + for hash in $missing ; do + echo " $term" + done + echo + fi + return 1 +} + +check_parents() +{ + last_branch="" + for branch in "$@" ; do + check_branch $branch + case $? in + 0) + echo " (found in $branch)" + return + ;; + 1) + echo " (partly in $branch)" + return + ;; + *) + ;; + esac + last_branch="$branch" + done + + # not found anywhere + echo " (not even in $last_branch)" +} + +grep -w build "$branches" | grep -v -E "^(master|vanilla|linux-next|cve)" | \ +while read line ; do + line=${line%%\#*} + branch=${line%%:*} + + # empty line or comment + if [ -z "$branch" ] ; then + continue + fi + + # always check also the _EMBARGO branch as a possible parent + parents="${branch}_EMBARGO" + set dummy ${line#$branch:} + while [ $# -gt 0 ] ; do + shift + [[ "$1" =~ "merge:" ]] || continue + tmp="${1//*merge:-/}" + parents="$parents ${tmp//*merge:/}" + done + + printf "%-23s" "$branch" + check_branch "$branch" + + case $? in + 0) + echo "" + ;; + 1) + echo -n " " + check_parents $parents + # print missing commits + check_branch -v "$branch" + ;; + *) + echo -n "" + check_parents "${branch}_EMBARGO" $parents + esac +done diff --git a/scripts/git_sort/git_sort.py b/scripts/git_sort/git_sort.py index d4881c7..b1af35d 100755 --- a/scripts/git_sort/git_sort.py +++ b/scripts/git_sort/git_sort.py 
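Review bot: In the `if ! fetch_branches` branch the line `"Error: Can't find the file with the list of branches: $branches nor fetch it"` has no `echo`, so the message text is executed as a command name and the user sees "command not found" instead of the error; it should be `echo "Error: Can't find the file with the list of branches: $branches nor fetch it" >&2`. Two further defects in the same file: the verbose loop in check_branch iterates over `$hash` but prints `$term` (`echo "    $hash"`), and `shopt -q nocasematch` in term2regex only queries the option (`shopt -s nocasematch` sets it), though the uppercase-hash case is covered anyway by `git grep -i`. fetch_branches writes the branch list to the predictable `/tmp/$USER-branches.conf` with a bare `curl`, so an HTTP error body becomes the cached branch list and the file can be pre-created by any local user; a per-user cache location such as `${XDG_CACHE_HOME:-$HOME/.cache}` plus `curl -fsS` would remove both issues. `Parametes:` in usage is a typo.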
@@ -212,9 +212,10 @@ remotes = (
 Head(RepoURL("gregkh/driver-core.git"), "driver-core-next"),
 Head(RepoURL("gregkh/tty.git"), "tty-next"),
 Head(RepoURL("gregkh/usb.git"), "usb-next"),
+ Head(RepoURL("gregkh/usb.git"), "usb-linus"),
 Head(RepoURL("jj/linux-apparmor.git"), "apparmor-next"),
- Head(RepoURL("pablo/nf.git")),
- Head(RepoURL("pablo/nf-next.git")),
+ Head(RepoURL("netfilter/nf.git")),
+ Head(RepoURL("netfilter/nf-next.git")),
 Head(RepoURL("horms/ipvs.git")),
 Head(RepoURL("horms/ipvs-next.git")),
 Head(RepoURL("klassert/ipsec.git")),
@@ -261,6 +262,9 @@ remotes = (
 Head(RepoURL("bpf/bpf.git")),
 Head(RepoURL("bpf/bpf-next.git")),
 Head(RepoURL("linusw/linux-gpio.git"), "for-next"),
+ Head(RepoURL("soc/soc.git"), "for-next"),
+ Head(RepoURL("https://gitlab.freedesktop.org/drm/tegra.git"), "for-next"),
+ Head(RepoURL("git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm.git"), "for-next"),
 )
diff --git a/scripts/python/suse_git/header.py b/scripts/python/suse_git/header.py
index 43d4406..f3fcd04 100755
--- a/scripts/python/suse_git/header.py
+++ b/scripts/python/suse_git/header.py
@@ -59,6 +59,11 @@ tag_map = {
 'match' : 'Submitted,?\s+.+',
 'excludes' : [ 'Git-commit', 'Git-repo' ],
 }, {
+ # Catch a frequent misuse of 'Not yet'.
+ 'match' : 'Not yet,\s+submitted',
+ 'error' : "Please use 'Submitted'",
+ 'excludes' : [ 'Git-commit', 'Git-repo' ],
+ }, {
 # Should be used rarely. Description should provide
 # reason for the patch not being accepted upstream.
 'name' : 'Not yet',
diff --git a/scripts/python/tests/test_header.py b/scripts/python/tests/test_header.py
index 5051b39..21daceb 100755
--- a/scripts/python/tests/test_header.py
+++ b/scripts/python/tests/test_header.py
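Review bot: The new linux-pwm entry in the second hunk is the only remote spelled out with a `git://` URL; that protocol carries no transport authentication or integrity, so the upstream history this tool uses to order patches could be substituted on the wire, whereas the tegra entry right above it uses `https://`. Unless `RepoURL` rewrites the scheme (not visible in this hunk), the line should read `Head(RepoURL("https://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm.git"), "for-next"),`. A short comment such as `# full URLs: hosts outside the default kernel.org namespace` above the two explicit-URL entries would also explain why they differ from the short-name entries. The `remotes` tuple begins before the first hunk.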
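Review bot: The added `'match' : 'Not yet,\s+submitted'` is a non-raw string, so `\s` is an invalid escape sequence that Python 3 reports as a DeprecationWarning (a SyntaxWarning from 3.12 on); the existing `'Submitted,?\s+.+'` entry has the same problem, but a new entry should be written as `r'Not yet,\s+submitted'`. Whether the matcher applies these patterns case-insensitively is not visible here; if it does not, the capitalised variant `Not yet, Submitted` bypasses the new check and lands on the `'Not yet'` entry below, and `r'Not yet,\s+[Ss]ubmitted'` would cover it. The accompanying test in test_header.py only exercises the lower-case form. The `tag_map` list starts before this hunk.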
@@ -715,3 +715,18 @@ References: FATE#123456
 Acked-by: developer@suse.com
 """
 self.header = header.Checker(text, False, "patches.kabi/FATE123456_fix_kabi.patch")
+
+ def test_patch_mainline_invalid2(self):
+ text = """
+From: developer@site.com
+Subject: some patch
+Patch-mainline: Not yet, submitted 2022-08-23
+References: bsc#12345
+Acked-by: developer@suse.com
+"""
+ with self.assertRaises(header.HeaderException) as cm:
+ self.header = header.Checker(text)
+
+ e = cm.exception
+ self.assertEqual(1, e.errors(header.FormatError))
+ self.assertEqual(1, e.errors())
diff --git a/scripts/wd-functions.sh b/scripts/wd-functions.sh
index 3111d40..d645a42 100644
--- a/scripts/wd-functions.sh
+++ b/scripts/wd-functions.sh
@@ -34,7 +34,7 @@ get_branch_name()
 if $using_git; then
 # FIXME: guess a branch name when a non-branch revision is checked
 # out
- local res=$(sed -ne 's|^ref: refs/heads/||p' "$scripts_dir"/../.git/HEAD 2>/dev/null)
+ local res=$(sed -ne 's|^ref: refs/heads/||p' "$(git rev-parse --git-dir)"/HEAD 2>/dev/null)
 echo "$res"
 fi
 }
diff --git a/series.conf b/series.conf
index fb62b1f..0acb8a2 100644
--- a/series.conf
+++ b/series.conf
@@ -23290,6 +23290,7 @@
 patches.suse/tpm-fix-reference-counting-for-struct-tpm_chip.patch
 patches.suse/exec-Force-single-empty-string-when-argv-is-empty.patch
 patches.suse/media-v4l2-mem2mem-Apply-DST_QUEUE_OFF_BASE-on-MMAP-.patch
+ patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch
 patches.suse/media-em28xx-initialize-refcount-before-kref_get.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-hw_params-and-hw.patch
 patches.suse/ALSA-pcm-Fix-races-among-concurrent-read-write-and-b.patch
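Review bot: In the wd-functions.sh hunk, `git rev-parse --git-dir` resolves against the caller's current directory, whereas the replaced path was anchored on `$scripts_dir`, so when `get_branch_name` is invoked from outside the checkout (or from inside a different repository) it now silently yields an empty or foreign branch name because the failure is hidden by `2>/dev/null`; `--git-dir` may also return a relative path such as `.git`, which only resolves from the right directory. Pinning the repository keeps the old behaviour while still supporting worktrees and avoids the `sed` entirely: `local res=$(git -C "$scripts_dir" symbolic-ref --short -q HEAD 2>/dev/null)`. `get_branch_name` begins before the hunk, so whether `$scripts_dir` is still set at this point should be confirmed against the function's earlier lines.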
@@ -23361,6 +23362,7 @@
 patches.suse/msft-hv-2567-net-hyperv-remove-use-of-bpf_op_t.patch
 patches.suse/msft-hv-2568-hv_netvsc-Print-value-of-invalid-ID-in-netvsc_send_-.patch
 patches.suse/msft-hv-2609-hv_netvsc-Fix-potential-dereference-of-NULL-pointer.patch
+ patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch
 patches.suse/msft-hv-2573-Drivers-hv-vmbus-Add-VMbus-IMC-device-to-unsupported.patch
 patches.suse/msft-hv-2574-PCI-hv-Fix-multi-MSI-to-allow-more-than-one-MSI-vect.patch
 patches.suse/msft-hv-2575-Drivers-hv-vmbus-Fix-handling-of-messages-with-trans.patch
@@ -23476,6 +23478,7 @@
 patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch
 patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch
 patches.suse/ALSA-pcm-oss-Fix-race-at-SNDCTL_DSP_SYNC.patch
+ patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch
 patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch
 patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch
 patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
@@ -23499,6 +23502,8 @@
 patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch
 patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch
 patches.suse/msft-hv-2671-hv_netvsc-Fix-race-between-VF-offering-and-VF-associ.patch
+ patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch
+ patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch
 patches.suse/0001-ipv6-ping-fix-wrong-checksum-for-large-frames.patch
 patches.suse/tcp-udp-Fix-memory-leak-in-ipv6_renew_options.patch
 patches.suse/ipv6-Fix-data-races-around-sk-sk_prot.patch
@@ -23510,6 +23515,7 @@
 patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
 patches.suse/kcm-avoid-potential-race-in-kcm_tx_work.patch
 patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch
+ patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch
 patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch
 patches.suse/Bluetooth-L2CAP-Fix-attempting-to-access-uninitializ.patch
 patches.suse/msft-hv-2678-PCI-hv-Fix-the-definition-of-vector-in-hv_compose_ms.patch
@@ -23518,11 +23524,20 @@
 patches.suse/msft-hv-2681-PCI-hv-Only-reuse-existing-IRTE-allocation-for-Multi.patch
 patches.suse/msft-hv-2682-Drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch
 patches.suse/msft-hv-2683-Drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch
+ patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch
 patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch
 patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch
 patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch
 patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch
 patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
+ patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
+ patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
+ patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch
+ patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch
+ patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch
+ patches.suse/HID-check-empty-report_list-in-bigben_probe.patch
+ patches.suse/HID-betop-check-shape-of-output-reports.patch
+ patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch
 ########################################################
 # end of sorted patches
@@ -23709,6 +23724,7 @@
 patches.suse/nfsd-dont-revoke-v4-0-states.patch
 patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch
 patches.suse/nfs-access-cache-no-negative.patch
+ patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch
 # other
 patches.suse/pstore_disable_efi_backend_by_default.patch