diff --git a/README b/README index db1a48a..96589fc 100644 --- a/README +++ b/README @@ -194,9 +194,11 @@ depending on the impact of your changes. Use scripts/tar-up.sh for creating an OBS package directory. The kernel source tree that scripts/sequence-patch.sh creates can be -test compiled as follows: +test-compiled. Before that, make sure all prerequisites are installed. +These include libopenssl-devel, libelf-devel, and dwarves (look into +rpm/kernel-binary.spec.in for a complete list). Then, the compilation +can be done as follows: - $ cp config/i386/default /var/tmp/scratch/linux-5.3-SLE15-SP3 $ cd /var/tmp/scratch/linux-5.3-SLE15-SP3 $ make oldconfig $ make diff --git a/patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch b/patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch new file mode 100644 index 0000000..c7b58a9 --- /dev/null +++ b/patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch @@ -0,0 +1,35 @@ +From 905483d9ea93e05d019664b3cfd078870233faaa Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 20 Feb 2023 10:38:08 +0100 +Subject: drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: Never, quick fix for CVE-2022-38096 +References: bsc#1203331 CVE-2022-38096 + +See bsc#1203331. + +Suggested-by: Michal Koutný +Signed-off-by: Thomas Zimmermann +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index b652822a19671..e3f4da096fd41 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -1266,7 +1266,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv, + struct vmw_resource *cotable_res; + int ret; + +- if (!ctx_node) ++ if (!ctx_node || !ctx_node->ctx) + return -EINVAL; + + cmd = container_of(header, typeof(*cmd), header); +-- +2.39.2 + diff --git a/patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch b/patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch new file mode 100644 index 0000000..47bdb00 --- /dev/null +++ b/patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch @@ -0,0 +1,41 @@ +From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Tue, 25 Oct 2022 23:19:35 -0400 +Subject: drm/vmwgfx: Validate the box size for the snooped cursor +Git-commit: 4cf949c7fafe21e085a4ee386bb2dade9067316e +Patch-mainline: v6.2-rc1 +References: bsc#1203332 CVE-2022-36280 + +Invalid userspace dma surface copies could potentially overflow +the memcpy from the surface to the snooped image leading to crashes. +To fix it the dimensions of the copybox have to be validated +against the expected size of the snooped cursor. + +Signed-off-by: Zack Rusin +Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes") +Cc: # v3.2+ +Reviewed-by: Michael Banack +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 0342efdf9063..d434b6ae1092 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -393,7 +393,8 @@ void vmw_kms_cursor_snoop(struct vmw_surface *srf, + if (cmd->dma.guest.ptr.offset % PAGE_SIZE || + box->x != 0 || box->y != 0 || box->z != 0 || + box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || +- box->d != 1 || box_count != 1) { ++ box->d != 1 || box_count != 1 || ++ box->w > 64 || box->h > 64) { + /* TODO handle none page aligned offsets */ + /* TODO handle more dst & src != 0 */ + /* TODO handle more then one copy */ +-- +2.39.1 + diff --git a/patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch b/patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch new file mode 100644 index 0000000..f437b3b --- /dev/null +++ b/patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch @@ -0,0 +1,65 @@ +From 0ed554fd769a19ea8464bb83e9ac201002ef74ad Mon Sep 17 00:00:00 2001 +From: Baisong Zhong +Date: Sun, 20 Nov 2022 06:59:18 +0000 +Subject: [PATCH] media: dvb-usb: az6027: fix null-ptr-deref in + az6027_i2c_xfer() +Git-commit: 0ed554fd769a19ea8464bb83e9ac201002ef74ad +Patch-mainline: v6.2-rc1 +References: bsc#1209291 CVE-2023-28328 + +Wei Chen reports a kernel bug as blew: + +general protection fault, probably for non-canonical address +Kasan: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +... +Call Trace: + +__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109 +i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170 +i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297 +i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:870 [inline] +__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7fd834a8bded + +In az6027_i2c_xfer(), if msg[i].addr is 0x99, +a null-ptr-deref will caused when accessing msg[i].buf. +For msg[i].len is 0 and msg[i].buf is null. + +Fix this by checking msg[i].len in az6027_i2c_xfer(). + +Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/ + +Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com +Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") +Reported-by: Wei Chen +Signed-off-by: Baisong Zhong +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Vasant Karasulli + +--- + drivers/media/usb/dvb-usb/az6027.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index cf15988dfb51..7d78ee09be5e 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -975,6 +975,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + if (msg[i].addr == 0x99) { + req = 0xBE; + index = 0; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + value = msg[i].buf[0] & 0x00ff; + length = 1; + az6027_usb_out_op(d, req, value, index, data, length); +-- +2.34.1 + diff --git a/patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch b/patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch new file mode 100644 index 0000000..71f7075 --- /dev/null +++ b/patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch @@ -0,0 +1,72 @@ +From df02234e6b87d2a9a82acd3198e44bdeff8488c6 Mon Sep 17 00:00:00 2001 +From: Clement Lecigne +Date: Fri, 13 Jan 2023 13:07:45 +0100 +Subject: [PATCH] ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF +Git-commit: 56b88b50565cd8b946a2d00b0c83927b7ebb055e +Alt-commit: df02234e6b87d2a9a82acd3198e44bdeff8488c6 +Patch-mainline: v6.2-rc4 +References: CVE-2023-0266 bsc#1207134 + +[ Note: this is a fix that works around the bug equivalently as the + two upstream commits: + 1fa4445f9adf ("ALSA: control - introduce snd_ctl_notify_one() helper") + 56b88b50565c ("ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF") + but in a simpler way to fit with older stable trees -- tiwai ] + +Add missing locking in ctl_elem_read_user/ctl_elem_write_user which can be +easily triggered and turned into an use-after-free. + +Example code paths with SNDRV_CTL_IOCTL_ELEM_READ: + +64-bits: +snd_ctl_ioctl + snd_ctl_elem_read_user + [takes controls_rwsem] + snd_ctl_elem_read [lock properly held, all good] + [drops controls_rwsem] + +32-bits (compat): +snd_ctl_ioctl_compat + snd_ctl_elem_write_read_compat + ctl_elem_write_read + snd_ctl_elem_read [missing lock, not good] + +CVE-2023-0266 was assigned for this issue. + +Signed-off-by: Clement Lecigne +Cc: stable@kernel.org # 5.12 and older +Signed-off-by: Takashi Iwai +Reviewed-by: Jaroslav Kysela +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/control_compat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/core/control_compat.c b/sound/core/control_compat.c +index 97467f6a32a1..980ab3580f1b 100644 +--- a/sound/core/control_compat.c ++++ b/sound/core/control_compat.c +@@ -304,7 +304,9 @@ static int ctl_elem_read_user(struct snd_card *card, + err = snd_power_wait(card, SNDRV_CTL_POWER_D0); + if (err < 0) + goto error; ++ down_read(&card->controls_rwsem); + err = snd_ctl_elem_read(card, data); ++ up_read(&card->controls_rwsem); + if (err < 0) + goto error; + err = copy_ctl_value_to_user(userdata, valuep, data, type, count); +@@ -332,7 +334,9 @@ static int ctl_elem_write_user(struct snd_ctl_file *file, + err = snd_power_wait(card, SNDRV_CTL_POWER_D0); + if (err < 0) + goto error; ++ down_write(&card->controls_rwsem); + err = snd_ctl_elem_write(card, file, data); ++ up_write(&card->controls_rwsem); + if (err < 0) + goto error; + err = copy_ctl_value_to_user(userdata, valuep, data, type, count); +-- +2.35.3 + diff --git a/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch b/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch new file mode 100644 index 0000000..57ee294 --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch @@ -0,0 +1,170 @@ +From 3aff8aaca4e36dc8b17eaa011684881a80238966 Mon Sep 17 00:00:00 2001 +From: Maxim Mikityanskiy +Date: Wed, 5 Oct 2022 00:27:18 +0300 +Subject: [PATCH] Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu +Git-commit: 3aff8aaca4e36dc8b17eaa011684881a80238966 +Patch-mainline: v6.1-rc4 +References: CVE-2022-3564 bsc#1206073 + +Fix the race condition between the following two flows that run in +Parallel: + +1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> + __sock_queue_rcv_skb. + +2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. + +An SKB can be queued by the first flow and immediately dequeued and +freed by the second flow, therefore the callers of l2cap_reassemble_sdu +can't use the SKB after that function returns. However, some places +continue accessing struct l2cap_ctrl that resides in the SKB's CB for a +short time after l2cap_reassemble_sdu returns, leading to a +use-after-free condition (the stack trace is below, line numbers for +kernel 5.19.8). + +Fix it by keeping a local copy of struct l2cap_ctrl. + +Bug: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth +Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169 + +Workqueue: hci0 hci_rx_work [bluetooth] +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth + ret_from_fork (arch/x86/entry/entry_64.S:306) + + +Allocated by task 43169: + kasan_save_stack (mm/kasan/common.c:39) + __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) + kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293) + __alloc_skb (net/core/skbuff.c:414) + l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth + l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth + hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth + process_one_work (kernel/workqueue.c:2289) + worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437) + kthread (kernel/kthread.c:376) + ret_from_fork (arch/x86/entry/entry_64.S:306) + +Freed by task 27920: + kasan_save_stack (mm/kasan/common.c:39) + kasan_set_track (mm/kasan/common.c:45) + kasan_set_free_info (mm/kasan/generic.c:372) + ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328) + slab_free_freelist_hook (mm/slub.c:1780) + kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553) + skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323) + bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth + l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth + sock_read_iter (net/socket.c:1087) + new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401) + vfs_read (fs/read_write.c:482) + ksys_read (fs/read_write.c:620) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u +Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine") +Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") +Signed-off-by: Maxim Mikityanskiy +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 48 ++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 41 insertions(+), 7 deletions(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6246,6 +6246,7 @@ static int l2cap_rx_state_recv(struct l2 + struct l2cap_ctrl *control, + struct sk_buff *skb, u8 event) + { ++ struct l2cap_ctrl local_control; + int err = 0; + bool skb_in_use = false; + +@@ -6270,15 +6271,32 @@ static int l2cap_rx_state_recv(struct l2 + chan->buffer_seq = chan->expected_tx_seq; + skb_in_use = true; + ++ /* l2cap_reassemble_sdu may free skb, hence invalidate ++ * control, so make a copy in advance to use it after ++ * l2cap_reassemble_sdu returns and to avoid the race ++ * condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but ++ * it was freed by skb_free_datagram. ++ */ ++ local_control = *control; + err = l2cap_reassemble_sdu(chan, skb, control); + if (err) + break; + +- if (control->final) { ++ if (local_control.final) { + if (!test_and_clear_bit(CONN_REJ_ACT, + &chan->conn_state)) { +- control->final = 0; +- l2cap_retransmit_all(chan, control); ++ local_control.final = 0; ++ l2cap_retransmit_all(chan, &local_control); + l2cap_ertm_send(chan); + } + } +@@ -6658,11 +6676,27 @@ static int l2cap_rx(struct l2cap_chan *c + static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff *skb) + { ++ /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store ++ * the txseq field in advance to use it after l2cap_reassemble_sdu ++ * returns and to avoid the race condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but it was freed by ++ * skb_free_datagram. ++ */ ++ u16 txseq = control->txseq; ++ + BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, + chan->rx_state); + +- if (l2cap_classify_txseq(chan, control->txseq) == +- L2CAP_TXSEQ_EXPECTED) { ++ if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { + l2cap_pass_to_tx(chan, control); + + BT_DBG("buffer_seq %d->%d", chan->buffer_seq, +@@ -6685,8 +6719,8 @@ static int l2cap_stream_rx(struct l2cap_ + } + } + +- chan->last_acked_seq = control->txseq; +- chan->expected_tx_seq = __next_seq(chan, control->txseq); ++ chan->last_acked_seq = txseq; ++ chan->expected_tx_seq = __next_seq(chan, txseq); + + return 0; + } diff --git a/patches.suse/HID-betop-check-shape-of-output-reports.patch b/patches.suse/HID-betop-check-shape-of-output-reports.patch new file mode 100644 index 0000000..b9cff34 --- /dev/null +++ b/patches.suse/HID-betop-check-shape-of-output-reports.patch @@ -0,0 +1,68 @@ +From 3782c0d6edf658b71354a64d60aa7a296188fc90 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Wed, 11 Jan 2023 18:12:16 +0000 +Subject: [PATCH] HID: betop: check shape of output reports +Git-commit: 3782c0d6edf658b71354a64d60aa7a296188fc90 +Patch-mainline: v6.2-rc5 +References: git-fixes, bsc#1207186 + +betopff_init() only checks the total sum of the report counts for each +report field to be at least 4, but hid_betopff_play() expects 4 report +fields. +A device advertising an output report with one field and 4 report counts +would pass the check but crash the kernel with a NULL pointer dereference +in hid_betopff_play(). + +Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-betopff.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c +index 467d789f9bc2..25ed7b9a917e 100644 +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid) + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev; +- int field_count = 0; + int error; + int i, j; + +@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid) + * ----------------------------------------- + * Do init them with default value. + */ ++ if (report->maxfield < 4) { ++ hid_err(hid, "not enough fields in the report: %d\n", ++ report->maxfield); ++ return -ENODEV; ++ } + for (i = 0; i < report->maxfield; i++) { ++ if (report->field[i]->report_count < 1) { ++ hid_err(hid, "no values in the field\n"); ++ return -ENODEV; ++ } + for (j = 0; j < report->field[i]->report_count; j++) { + report->field[i]->value[j] = 0x00; +- field_count++; + } + } + +- if (field_count < 4) { +- hid_err(hid, "not enough fields in the report: %d\n", +- field_count); +- return -ENODEV; +- } +- + betopff = kzalloc(sizeof(*betopff), GFP_KERNEL); + if (!betopff) + return -ENOMEM; +-- +2.35.3 + diff --git a/patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch b/patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch new file mode 100644 index 0000000..93c0d3d --- /dev/null +++ b/patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch @@ -0,0 +1,173 @@ +From 9fefb6201c4f8dd9f58c581b2a66e5cde2895ea2 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sun, 12 Feb 2023 18:59:59 +0000 +Subject: [PATCH] HID: bigben: use spinlock to protect concurrent accesses +Git-commit: 9fefb6201c4f8dd9f58c581b2a66e5cde2895ea2 +Patch-mainline: v6.3-rc1 +References: CVE-2023-25012 bsc#1207560 + +bigben driver has a worker that may access data concurrently. +Proct the accesses using a spinlock. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-1-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 52 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 50 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index e8b16665860d..ed3d2d7bc1dd 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -174,6 +174,7 @@ static __u8 pid0902_rdesc_fixed[] = { + struct bigben_device { + struct hid_device *hid; + struct hid_report *report; ++ spinlock_t lock; + bool removed; + u8 led_state; /* LED1 = 1 .. LED4 = 8 */ + u8 right_motor_on; /* right motor off/on 0/1 */ +@@ -190,12 +191,27 @@ static void bigben_worker(struct work_struct *work) + struct bigben_device *bigben = container_of(work, + struct bigben_device, worker); + struct hid_field *report_field = bigben->report->field[0]; ++ bool do_work_led = false; ++ bool do_work_ff = false; ++ u8 *buf; ++ u32 len; ++ unsigned long flags; + + if (bigben->removed || !report_field) + return; + ++ buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); ++ if (!buf) ++ return; ++ ++ len = hid_report_len(bigben->report); ++ ++ /* LED work */ ++ spin_lock_irqsave(&bigben->lock, flags); ++ + if (bigben->work_led) { + bigben->work_led = false; ++ do_work_led = true; + report_field->value[0] = 0x01; /* 1 = led message */ + report_field->value[1] = 0x08; /* reserved value, always 8 */ + report_field->value[2] = bigben->led_state; +@@ -204,11 +220,22 @@ static void bigben_worker(struct work_struct *work) + report_field->value[5] = 0x00; /* padding */ + report_field->value[6] = 0x00; /* padding */ + report_field->value[7] = 0x00; /* padding */ +- hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); ++ hid_output_report(bigben->report, buf); ++ } ++ ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ ++ if (do_work_led) { ++ hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, ++ bigben->report->type, HID_REQ_SET_REPORT); + } + ++ /* FF work */ ++ spin_lock_irqsave(&bigben->lock, flags); ++ + if (bigben->work_ff) { + bigben->work_ff = false; ++ do_work_ff = true; + report_field->value[0] = 0x02; /* 2 = rumble effect message */ + report_field->value[1] = 0x08; /* reserved value, always 8 */ + report_field->value[2] = bigben->right_motor_on; +@@ -217,8 +244,17 @@ static void bigben_worker(struct work_struct *work) + report_field->value[5] = 0x00; /* padding */ + report_field->value[6] = 0x00; /* padding */ + report_field->value[7] = 0x00; /* padding */ +- hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); ++ hid_output_report(bigben->report, buf); ++ } ++ ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ ++ if (do_work_ff) { ++ hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, ++ bigben->report->type, HID_REQ_SET_REPORT); + } ++ ++ kfree(buf); + } + + static int hid_bigben_play_effect(struct input_dev *dev, void *data, +@@ -228,6 +264,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + struct bigben_device *bigben = hid_get_drvdata(hid); + u8 right_motor_on; + u8 left_motor_force; ++ unsigned long flags; + + if (!bigben) { + hid_err(hid, "no device data\n"); +@@ -242,9 +279,12 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + + if (right_motor_on != bigben->right_motor_on || + left_motor_force != bigben->left_motor_force) { ++ spin_lock_irqsave(&bigben->lock, flags); + bigben->right_motor_on = right_motor_on; + bigben->left_motor_force = left_motor_force; + bigben->work_ff = true; ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ + schedule_work(&bigben->worker); + } + +@@ -259,6 +299,7 @@ static void bigben_set_led(struct led_classdev *led, + struct bigben_device *bigben = hid_get_drvdata(hid); + int n; + bool work; ++ unsigned long flags; + + if (!bigben) { + hid_err(hid, "no device data\n"); +@@ -267,6 +308,7 @@ static void bigben_set_led(struct led_classdev *led, + + for (n = 0; n < NUM_LEDS; n++) { + if (led == bigben->leds[n]) { ++ spin_lock_irqsave(&bigben->lock, flags); + if (value == LED_OFF) { + work = (bigben->led_state & BIT(n)); + bigben->led_state &= ~BIT(n); +@@ -274,6 +316,7 @@ static void bigben_set_led(struct led_classdev *led, + work = !(bigben->led_state & BIT(n)); + bigben->led_state |= BIT(n); + } ++ spin_unlock_irqrestore(&bigben->lock, flags); + + if (work) { + bigben->work_led = true; +@@ -307,8 +350,12 @@ static enum led_brightness bigben_get_led(struct led_classdev *led) + static void bigben_remove(struct hid_device *hid) + { + struct bigben_device *bigben = hid_get_drvdata(hid); ++ unsigned long flags; + ++ spin_lock_irqsave(&bigben->lock, flags); + bigben->removed = true; ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ + cancel_work_sync(&bigben->worker); + hid_hw_stop(hid); + } +@@ -362,6 +409,7 @@ static int bigben_probe(struct hid_device *hid, + set_bit(FF_RUMBLE, hidinput->input->ffbit); + + INIT_WORK(&bigben->worker, bigben_worker); ++ spin_lock_init(&bigben->lock); + + error = input_ff_create_memless(hidinput->input, NULL, + hid_bigben_play_effect); +-- +2.35.3 + diff --git a/patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch b/patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch new file mode 100644 index 0000000..efc24c0 --- /dev/null +++ b/patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch @@ -0,0 +1,83 @@ +From 76ca8da989c7d97a7f76c75d475fe95a584439d7 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sun, 12 Feb 2023 19:00:01 +0000 +Subject: [PATCH] HID: bigben: use spinlock to safely schedule workers +Git-commit: 76ca8da989c7d97a7f76c75d475fe95a584439d7 +Patch-mainline: v6.3-rc1 +References: CVE-2023-25012 bsc#1207560 + +Use spinlocks to deal with workers introducing a wrapper +bigben_schedule_work(), and several spinlock checks. +Otherwise, bigben_set_led() may schedule bigben->worker after the +structure has been freed, causing a use-after-free. + +Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index b98c5f31c184..9d6560db762b 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -185,6 +185,15 @@ struct bigben_device { + struct work_struct worker; + }; + ++static inline void bigben_schedule_work(struct bigben_device *bigben) ++{ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&bigben->lock, flags); ++ if (!bigben->removed) ++ schedule_work(&bigben->worker); ++ spin_unlock_irqrestore(&bigben->lock, flags); ++} + + static void bigben_worker(struct work_struct *work) + { +@@ -197,9 +206,6 @@ static void bigben_worker(struct work_struct *work) + u32 len; + unsigned long flags; + +- if (bigben->removed) +- return; +- + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); + if (!buf) + return; +@@ -285,7 +291,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + bigben->work_ff = true; + spin_unlock_irqrestore(&bigben->lock, flags); + +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + } + + return 0; +@@ -320,7 +326,7 @@ static void bigben_set_led(struct led_classdev *led, + + if (work) { + bigben->work_led = true; +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + } + return; + } +@@ -450,7 +456,7 @@ static int bigben_probe(struct hid_device *hid, + bigben->left_motor_force = 0; + bigben->work_led = true; + bigben->work_ff = true; +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + + hid_info(hid, "LED and force feedback support for BigBen gamepad\n"); + +-- +2.35.3 + diff --git a/patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch b/patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch new file mode 100644 index 0000000..a5d189b --- /dev/null +++ b/patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch @@ -0,0 +1,44 @@ +From 27d2a2fd844ec7da70d19fabb482304fd1e0595b Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sun, 12 Feb 2023 19:00:00 +0000 +Subject: [PATCH] HID: bigben_worker() remove unneeded check on report_field +Git-commit: 27d2a2fd844ec7da70d19fabb482304fd1e0595b +Patch-mainline: v6.3-rc1 +References: CVE-2023-25012 bsc#1207560 + +bigben_worker() checks report_field to be non-NULL. +The check has been added in commit +918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") +to prevent a NULL pointer crash. +However, the true root cause was a missing check for output +reports, patched in commit +c7bf714f8755 ("HID: check empty report_list in bigben_probe()"), +where the type-confused report list_entry was overlapping with +a NULL pointer, which was then causing the crash. + +Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index ed3d2d7bc1dd..b98c5f31c184 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -197,7 +197,7 @@ static void bigben_worker(struct work_struct *work) + u32 len; + unsigned long flags; + +- if (bigben->removed || !report_field) ++ if (bigben->removed) + return; + + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); +-- +2.35.3 + diff --git a/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch b/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch new file mode 100644 index 0000000..644d78f --- /dev/null +++ b/patches.suse/HID-check-empty-report_list-in-bigben_probe.patch @@ -0,0 +1,43 @@ +From c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Mon, 16 Jan 2023 11:11:25 +0000 +Subject: [PATCH] HID: check empty report_list in bigben_probe() +Git-commit: c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d +Patch-mainline: v6.2-rc5 +References: git-fixes, bsc#1206784 + +Add a check for empty report_list in bigben_probe(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index e8c5e3ac9fff..e8b16665860d 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -344,6 +344,11 @@ static int bigben_probe(struct hid_device *hid, + } + + report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; ++ if (list_empty(report_list)) { ++ hid_err(hid, "no output report found\n"); ++ error = -ENODEV; ++ goto error_hw_stop; ++ } + bigben->report = list_entry(report_list->next, + struct hid_report, list); + +-- +2.35.3 + diff --git a/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch b/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch new file mode 100644 index 0000000..bf9d299 --- /dev/null +++ b/patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch @@ -0,0 +1,42 @@ +From b12fece4c64857e5fab4290bf01b2e0317a88456 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Mon, 16 Jan 2023 11:11:24 +0000 +Subject: [PATCH] HID: check empty report_list in hid_validate_values() +Git-commit: b12fece4c64857e5fab4290bf01b2e0317a88456 +Patch-mainline: v6.2-rc5 +References: git-fixes, bsc#1206784 + +Add a check for empty report_list in hid_validate_values(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index bd47628da6be..3e1803592bd4 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -993,8 +993,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid, + * Validating on id 0 means we should examine the first + * report in the list. + */ +- report = list_entry( +- hid->report_enum[type].report_list.next, ++ report = list_first_entry_or_null( ++ &hid->report_enum[type].report_list, + struct hid_report, list); + } else { + report = hid->report_enum[type].report_id_hash[id]; +-- +2.35.3 + diff --git a/patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch b/patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch new file mode 100644 index 0000000..ca0b105 --- /dev/null +++ b/patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch @@ -0,0 +1,180 @@ +From: NeilBrown +Subject: NFS: Handle missing attributes in OPEN reply +Patch-mainline: Submitted, 04jan2023 linux-nfs@vger.kernel.org +References: bsc#1203740 + +If a NFSv4 OPEN reply reports that the file was successfully opened but +the subsequent GETATTR fails, Linux-NFS will attempt a stand-alone +GETATTR request. If that also fails, handling of the reply is aborted +with error -EAGAIN and the open is attempted again from the start. + +This leaves the server with an active state (because the OPEN operation +succeeded) which the client doesn't know about. If the open-owner +(local user) did not have the file already open, this has minimal +consequences for the client and only causes the server to spend +resources on an open state that will never be used or explicitly closed. + +If the open-owner DID already have the file open, then it will hold a +reference to the open-state for that file, but the seq-id in the +state-id will now be out-of-sync with the server. The server will have +incremented the seq-id, but the client will not have noticed. So when +the client next attempts to access the file using that state (READ, +WRITE, SETATTR), the attempt will fail with NFS4ERR_OLD_STATEID. + +The Linux-client assumes this error is due to a race and simply retries +on the basis that the local state-id information should have been +updated by another thread. This basis is invalid in this case and the +result is an infinite loop attempting IO and getting OLD_STATEID. + +This has been observed with a NetApp Filer as the server (ONTAP 9.8 p5, +using NFSv4.0). The client is creating, writing, and unlinking a +particular file from multiple clients (.bash_history). If a new OPEN +from one client races with a REMOVE from another client while the first +client already has the file open, the Filer can report success for the +OPEN op, but NFS4ERR_STALE for the ACCESS and GETATTR ops in the OPEN +request. This gets the seq-id out-of-sync and a subsequent write to the +other open on the first client causes the infinite loop to occur. + +The reason that the client returns -EAGAIN is that it needs to find the +inode so it can find the associated state to update the seq-id, but the +inode lookup requires the file-id which is provided in the GETATTR +reply. Without the file-id normal inode lookup cannot be used. + +This patch changes the lookup so that when the file-id is not available +the list of states owned by the open-owner is examined to find the state +with the correct state-id (ignoring the seq-id part of the state-id). +If this is found it is used just as when a normal inode lookup finds an +inode. If it isn't found, -EAGAIN is returned as before. + +This bug can be demonstrated by modifying the Linux NFS server as +follows: + +1/ The second time a file is opened, unlink it. This simulates + a race with another client, without needing to have a race: + + // in fs/nfsd/nfs4proc.c: @@ -594,6 +594,12 @@ nfsd4_open(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (reclaim && !status) + nn->somebody_reclaimed = true; + out: + + if (!status && open->op_stateid.si_generation > 1) { + + printk("Opening gen %d\n", (int)open->op_stateid.si_generation); + + vfs_unlink(mnt_user_ns(resfh->fh_export->ex_path.mnt), + + resfh->fh_dentry->d_parent->d_inode, + + resfh->fh_dentry, NULL); + + } + if (open->op_filp) { + fput(open->op_filp); + open->op_filp = NULL; + +2/ When a GETATTR op is attempted on an unlinked file, return ESTALE + + // @@ -852,6 +858,11 @@ nfsd4_getattr(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (status) + return status; + + + if (cstate->current_fh.fh_dentry->d_inode->i_nlink == 0) { + + printk("Return Estale for unlinked file\n"); + + return nfserr_stale; + + } + + + if (getattr->ga_bmval[1] & NFSD_WRITEONLY_ATTRS_WORD1) + return nfserr_inval; + +Then mount the filesystem and + + Thread 1 Thread 2 + open a file + open the same file (will fail) + write to that file + +I use this shell fragment, using 'sleep' for synchronisation. +The use of /bin/echo ensures the write is flushed when /bin/echo closes +the fd on exit. + + ( + /bin/echo hello + sleep 3 + /bin/echo there + ) > /import/A/afile & + sleep 3 + cat /import/A/afile + +Probably when the OPEN succeeds, the GETATTR fails, and we don't already +have the state open, we should explicitly close the state. Leaving it +open could cause problems if, for example, the server revoked it and +signalled the client that there was a revoked state. The client would +not be able to find the state that needed to be relinquished. I haven't +attempted to implement this. + +Signed-off-by: NeilBrown +Acked-by: NeilBrown + +--- + fs/nfs/nfs4_fs.h | 1 + + fs/nfs/nfs4proc.c | 18 ++++++++++++++---- + fs/nfs/nfs4state.c | 17 +++++++++++++++++ + 3 files changed, 32 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4_fs.h ++++ b/fs/nfs/nfs4_fs.h +@@ -467,6 +467,7 @@ extern void nfs4_put_state_owner(struct + extern void nfs4_purge_state_owners(struct nfs_server *, struct list_head *); + extern void nfs4_free_state_owners(struct list_head *head); + extern struct nfs4_state * nfs4_get_open_state(struct inode *, struct nfs4_state_owner *); ++extern struct inode *nfs4_get_inode_by_stateid(nfs4_stateid *stateid, struct nfs4_state_owner *owner); + extern void nfs4_put_open_state(struct nfs4_state *); + extern void nfs4_close_state(struct nfs4_state *, fmode_t); + extern void nfs4_close_sync(struct nfs4_state *, fmode_t); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1946,10 +1946,20 @@ nfs4_opendata_get_inode(struct nfs4_open + case NFS4_OPEN_CLAIM_NULL: + case NFS4_OPEN_CLAIM_DELEGATE_CUR: + case NFS4_OPEN_CLAIM_DELEGATE_PREV: +- if (!(data->f_attr.valid & NFS_ATTR_FATTR)) +- return ERR_PTR(-EAGAIN); +- inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, +- &data->f_attr, data->f_label); ++ if (data->f_attr.valid & NFS_ATTR_FATTR) { ++ inode = nfs_fhget(data->dir->d_sb, &data->o_res.fh, ++ &data->f_attr, data->f_label); ++ } else { ++ /* We don't have the fileid and so cannot do inode ++ * lookup. If we already have this state open we MUST ++ * update the seqid to match the server, so we need to ++ * find it if possible. ++ */ ++ inode = nfs4_get_inode_by_stateid(&data->o_res.stateid, ++ data->owner); ++ if (!inode) ++ inode = ERR_PTR(-EAGAIN); ++ } + break; + default: + inode = d_inode(data->dentry); +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -751,6 +751,23 @@ out: + return state; + } + ++struct inode * ++nfs4_get_inode_by_stateid(nfs4_stateid *stateid, struct nfs4_state_owner *owner) ++{ ++ struct nfs4_state *state; ++ struct inode *inode = NULL; ++ ++ spin_lock(&owner->so_lock); ++ list_for_each_entry(state, &owner->so_states, open_states) ++ if (nfs4_stateid_match_other(stateid, &state->open_stateid)) { ++ inode = state->inode; ++ ihold(inode); ++ break; ++ } ++ spin_unlock(&owner->so_lock); ++ return inode; ++} ++ + void nfs4_put_open_state(struct nfs4_state *state) + { + struct inode *inode = state->inode; diff --git a/patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch b/patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch new file mode 100644 index 0000000..0e6118d --- /dev/null +++ b/patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch @@ -0,0 +1,72 @@ +From: Yonatan Nachum +Date: Mon, 9 Jan 2023 13:37:11 +0000 +Subject: RDMA/core: Fix ib block iterator counter overflow +Patch-mainline: v6.2-rc5 +Git-commit: 0afec5e9cea732cb47014655685a2a47fb180c31 +References: bsc#1207878 + +When registering a new DMA MR after selecting the best aligned page size +for it, we iterate over the given sglist to split each entry to smaller, +aligned to the selected page size, DMA blocks. + +In given circumstances where the sg entry and page size fit certain +sizes and the sg entry is not aligned to the selected page size, the +total size of the aligned pages we need to cover the sg entry is >= 4GB. +Under this circumstances, while iterating page aligned blocks, the +counter responsible for counting how much we advanced from the start of +the sg entry is overflowed because its type is u32 and we pass 4GB in +size. This can lead to an infinite loop inside the iterator function +because the overflow prevents the counter to be larger +than the size of the sg entry. + +Fix the presented problem by changing the advancement condition to +eliminate overflow. + +Backtrace: +[ 192.374329] efa_reg_user_mr_dmabuf +[ 192.376783] efa_register_mr +[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000 +[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000] +[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3 +[ 192.399559] hp_cnt[3], pages_in_hp[524288] +[ 192.403690] umem->sgt_append.sgt.nents[1] +[ 192.407905] number entries: [1], pg_bit: [31] +[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472] +[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472] +[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472] + +Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks") +Signed-off-by: Yonatan Nachum +Link: https://lore.kernel.org/r/20230109133711.13678-1-ynachum@amazon.com +Signed-off-by: Leon Romanovsky +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/core/verbs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2915,15 +2915,18 @@ EXPORT_SYMBOL(__rdma_block_iter_start); + bool __rdma_block_iter_next(struct ib_block_iter *biter) + { + unsigned int block_offset; ++ unsigned int sg_delta; + + if (!biter->__sg_nents || !biter->__sg) + return false; + + biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance; + block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1); +- biter->__sg_advance += BIT_ULL(biter->__pg_bit) - block_offset; ++ sg_delta = BIT_ULL(biter->__pg_bit) - block_offset; + +- if (biter->__sg_advance >= sg_dma_len(biter->__sg)) { ++ if (sg_dma_len(biter->__sg) - biter->__sg_advance > sg_delta) { ++ biter->__sg_advance += sg_delta; ++ } else { + biter->__sg_advance = 0; + biter->__sg = sg_next(biter->__sg); + biter->__sg_nents--; diff --git a/patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch b/patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch new file mode 100644 index 0000000..ee3b21a --- /dev/null +++ b/patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch @@ -0,0 +1,131 @@ +From 153695d36ead0ccc4d0256953c751cabf673e621 Mon Sep 17 00:00:00 2001 +From: Zeng Heng +Date: Thu, 27 Oct 2022 20:45:28 +0800 +Subject: [PATCH] cifs: fix use-after-free caused by invalid pointer `hostname` +References: bsc#1208971 +Git-commit: 153695d36ead0ccc4d0256953c751cabf673e621 +Patch-mainline: v6.1 + +`hostname` needs to be set as null-pointer after free in +`cifs_put_tcp_session` function, or when `cifsd` thread attempts +to resolve hostname and reconnect the host, the thread would deref +the invalid pointer. + +Here is one of practical backtrace examples as reference: + +Task 477 +--------------------------- + do_mount + path_mount + do_new_mount + vfs_get_tree + smb3_get_tree + smb3_get_tree_common + cifs_smb3_do_mount + cifs_mount + mount_put_conns + cifs_put_tcp_session + --> kfree(server->hostname) + +cifsd +--------------------------- + kthread + cifs_demultiplex_thread + cifs_reconnect + reconn_set_ipaddr_from_hostname + --> if (!server->hostname) + --> if (server->hostname[0] == '\0') // !! UAF fault here + +CIFS: VFS: cifs_mount failed w/return code = -112 +mount error(112): Host is down +BUG: KASAN: use-after-free in reconn_set_ipaddr_from_hostname+0x2ba/0x310 +Read of size 1 at addr ffff888108f35380 by task cifsd/480 +CPU: 2 PID: 480 Comm: cifsd Not tainted 6.1.0-rc2-00106-gf705792f89dd-dirty #25 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +Call Trace: + + dump_stack_lvl+0x68/0x85 + print_report+0x16c/0x4a3 + kasan_report+0x95/0x190 + reconn_set_ipaddr_from_hostname+0x2ba/0x310 + __cifs_reconnect.part.0+0x241/0x800 + cifs_reconnect+0x65f/0xb60 + cifs_demultiplex_thread+0x1570/0x2570 + kthread+0x2c5/0x380 + ret_from_fork+0x22/0x30 + +Allocated by task 477: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7e/0x90 + __kmalloc_node_track_caller+0x52/0x1b0 + kstrdup+0x3b/0x70 + cifs_get_tcp_session+0xbc/0x19b0 + mount_get_conns+0xa9/0x10c0 + cifs_mount+0xdf/0x1970 + cifs_smb3_do_mount+0x295/0x1660 + smb3_get_tree+0x352/0x5e0 + vfs_get_tree+0x8e/0x2e0 + path_mount+0xf8c/0x1990 + do_mount+0xee/0x110 + __x64_sys_mount+0x14b/0x1f0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Freed by task 477: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0x10a/0x190 + __kmem_cache_free+0xca/0x3f0 + cifs_put_tcp_session+0x30c/0x450 + cifs_mount+0xf95/0x1970 + cifs_smb3_do_mount+0x295/0x1660 + smb3_get_tree+0x352/0x5e0 + vfs_get_tree+0x8e/0x2e0 + path_mount+0xf8c/0x1990 + do_mount+0xee/0x110 + __x64_sys_mount+0x14b/0x1f0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +The buggy address belongs to the object at ffff888108f35380 + which belongs to the cache kmalloc-16 of size 16 +The buggy address is located 0 bytes inside of + 16-byte region [ffff888108f35380, ffff888108f35390) +The buggy address belongs to the physical page: +page:00000000333f8e58 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888108f350e0 pfn:0x108f35 +flags: 0x200000000000200(slab|node=0|zone=2) +raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000423c0 +raw: ffff888108f350e0 000000008080007a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +Memory state around the buggy address: + ffff888108f35280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc + ffff888108f35300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc +>ffff888108f35380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc + ^ + ffff888108f35400: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888108f35480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 7be3248f3139 ("cifs: To match file servers, make sure the server hostname matches") +Signed-off-by: Zeng Heng +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Oscar Salvador +--- + fs/cifs/connect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index ffb291579bb9..1cc47dd3b4d6 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1584,6 +1584,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect) + server->session_key.response = NULL; + server->session_key.len = 0; + kfree(server->hostname); ++ server->hostname = NULL; + + task = xchg(&server->tsk, NULL); + if (task) +-- +2.35.3 + diff --git a/patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch b/patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch new file mode 100644 index 0000000..031b92a --- /dev/null +++ b/patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch @@ -0,0 +1,42 @@ +From 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Tue, 14 Dec 2021 18:08:37 +0800 +Subject: [PATCH] drm: mali-dp: potential dereference of null pointer +Git-commit: 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33 +Patch-mainline: v5.19-rc1 +References: CVE-2022-3115 bsc#1206393 + +The return value of kzalloc() needs to be checked. +To avoid use of null pointer '&state->base' in case of the +failure of alloc. + +Fixes: 99665d072183 ("drm: mali-dp: add malidp_crtc_state struct") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Brian Starkey +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20211214100837.46912-1-jiasheng@iscas.ac.cn +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/arm/malidp_crtc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/arm/malidp_crtc.c b/drivers/gpu/drm/arm/malidp_crtc.c +index 494075ddbef6..b5928b52e279 100644 +--- a/drivers/gpu/drm/arm/malidp_crtc.c ++++ b/drivers/gpu/drm/arm/malidp_crtc.c +@@ -487,7 +487,10 @@ static void malidp_crtc_reset(struct drm_crtc *crtc) + if (crtc->state) + malidp_crtc_destroy_state(crtc, crtc->state); + +- __drm_atomic_helper_crtc_reset(crtc, &state->base); ++ if (state) ++ __drm_atomic_helper_crtc_reset(crtc, &state->base); ++ else ++ __drm_atomic_helper_crtc_reset(crtc, NULL); + } + + static int malidp_crtc_enable_vblank(struct drm_crtc *crtc) +-- +2.35.3 + diff --git a/patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch b/patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch new file mode 100644 index 0000000..4219818 --- /dev/null +++ b/patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch @@ -0,0 +1,130 @@ +From: Thomas Gleixner +Date: Fri, 3 Sep 2021 11:24:17 -0400 +Subject: genirq: Provide new interfaces for affinity hints +Patch-mainline: v5.17-rc1 +Git-commit: 65c7cdedeb3026fabcc967a7aae2f755ad4d0783 +References: bsc#1208153 + +The discussion about removing the side effect of irq_set_affinity_hint() of +actually applying the cpumask (if not NULL) as affinity to the interrupt, +unearthed a few unpleasantries: + + 1) The modular perf drivers rely on the current behaviour for the very + wrong reasons. + + 2) While none of the other drivers prevents user space from changing + the affinity, a cursorily inspection shows that there are at least + expectations in some drivers. + +#1 needs to be cleaned up anyway, so that's not a problem + +#2 might result in subtle regressions especially when irqbalanced (which + nowadays ignores the affinity hint) is disabled. + +Provide new interfaces: + + irq_update_affinity_hint() - Only sets the affinity hint pointer + irq_set_affinity_and_hint() - Set the pointer and apply the affinity to + the interrupt + +Make irq_set_affinity_hint() a wrapper around irq_apply_affinity_hint() and +document it to be phased out. + +SUSE: For kABI compliance changed this patch to leave irq_set_affinity_hint() + alone and only add the new interfaces. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Nitesh Narayan Lal +Signed-off-by: Thomas Gleixner +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20210501021832.743094-1-jesse.brandeburg@intel.com +Link: https://lore.kernel.org/r/20210903152430.244937-2-nitesh@redhat.com +Acked-by: Thomas Bogendoerfer +--- + include/linux/interrupt.h | 42 ++++++++++++++++++++++++++++++++++++++++++ + kernel/irq/manage.c | 16 ++++++++++++++++ + 2 files changed, 58 insertions(+) + +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -336,6 +336,36 @@ extern int irq_can_set_affinity(unsigned + extern int irq_select_affinity(unsigned int irq); + + extern int irq_set_affinity_hint(unsigned int irq, const struct cpumask *m); ++extern int __irq_apply_affinity_hint(unsigned int irq, const struct cpumask *m, ++ bool setaffinity); ++ ++/** ++ * irq_update_affinity_hint - Update the affinity hint ++ * @irq: Interrupt to update ++ * @m: cpumask pointer (NULL to clear the hint) ++ * ++ * Updates the affinity hint, but does not change the affinity of the interrupt. ++ */ ++static inline int ++irq_update_affinity_hint(unsigned int irq, const struct cpumask *m) ++{ ++ return __irq_apply_affinity_hint(irq, m, false); ++} ++ ++/** ++ * irq_set_affinity_and_hint - Update the affinity hint and apply the provided ++ * cpumask to the interrupt ++ * @irq: Interrupt to update ++ * @m: cpumask pointer (NULL to clear the hint) ++ * ++ * Updates the affinity hint and if @m is not NULL it applies it as the ++ * affinity of that interrupt. ++ */ ++static inline int ++irq_set_affinity_and_hint(unsigned int irq, const struct cpumask *m) ++{ ++ return __irq_apply_affinity_hint(irq, m, true); ++} + + extern int + irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify); +@@ -365,6 +395,18 @@ static inline int irq_can_set_affinity(u + + static inline int irq_select_affinity(unsigned int irq) { return 0; } + ++static inline int irq_update_affinity_hint(unsigned int irq, ++ const struct cpumask *m) ++{ ++ return -EINVAL; ++} ++ ++static inline int irq_set_affinity_and_hint(unsigned int irq, ++ const struct cpumask *m) ++{ ++ return -EINVAL; ++} ++ + static inline int irq_set_affinity_hint(unsigned int irq, + const struct cpumask *m) + { +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -322,6 +322,22 @@ int irq_set_affinity_hint(unsigned int i + } + EXPORT_SYMBOL_GPL(irq_set_affinity_hint); + ++int __irq_apply_affinity_hint(unsigned int irq, const struct cpumask *m, ++ bool setaffinity) ++{ ++ unsigned long flags; ++ struct irq_desc *desc = irq_get_desc_lock(irq, &flags, IRQ_GET_DESC_CHECK_GLOBAL); ++ ++ if (!desc) ++ return -EINVAL; ++ desc->affinity_hint = m; ++ irq_put_desc_unlock(desc, flags); ++ if (m && setaffinity) ++ __irq_set_affinity(irq, m, false); ++ return 0; ++} ++EXPORT_SYMBOL_GPL(__irq_apply_affinity_hint); ++ + static void irq_affinity_notify(struct work_struct *work) + { + struct irq_affinity_notify *notify = diff --git a/patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch b/patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch new file mode 100644 index 0000000..e86397f --- /dev/null +++ b/patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch @@ -0,0 +1,73 @@ +From adfe28a8fdbbdeb3d73b7237c6be02f0c712ddaa Mon Sep 17 00:00:00 2001 +From: David Ahern +Date: Thu, 6 Oct 2022 10:48:49 -0600 +Subject: [PATCH 2/2] ipv4: Handle attempt to delete multipath route when + fib_info contains an nh reference +Git-commit: 61b91eb33a69c3be11b259c5ea484505cd79f883 +References: bsc#1204171 CVE-2022-3435 +Patch-mainline: v6.1-rc1 + +Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match: + fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961 + fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753 + inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874 + +Separate nexthop objects are mutually exclusive with the legacy +multipath spec. Fix fib_nh_match to return if the config for the +to be deleted route contains a multipath spec while the fib_info +is using a nexthop object. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Fixes: 6bf92d70e690 ("net: ipv4: fix route with nexthop object delete warning") +Reported-by: Gwangun Jung +Signed-off-by: David Ahern +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/ipv4/fib_semantics.c | 8 ++++---- + tools/testing/selftests/net/fib_nexthops.sh | 5 +++++ + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 4db1cfd2ded0..0890e30c59ad 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -846,13 +846,13 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi, + return 1; + } + ++ /* cannot match on nexthop object attributes */ ++ if (fi->nh) ++ return 1; ++ + if (cfg->fc_oif || cfg->fc_gw_family) { + struct fib_nh *nh; + +- /* cannot match on nexthop object attributes */ +- if (fi->nh) +- return 1; +- + nh = fib_info_nh(fi, 0); + if (cfg->fc_encap) { + if (fib_encap_match(cfg->fc_encap_type, cfg->fc_encap, +diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh +index 72e1a3edd020..3bc0829e90df 100755 +--- a/tools/testing/selftests/net/fib_nexthops.sh ++++ b/tools/testing/selftests/net/fib_nexthops.sh +@@ -583,6 +583,11 @@ ipv4_fcnal() + set +e + check_nexthop "dev veth1" "" + log_test $? 0 "Nexthops removed on admin down" ++ ++ run_cmd "$IP nexthop add id 21 via 172.16.1.6 dev veth1" ++ run_cmd "$IP ro add 172.16.101.0/24 nhid 21" ++ run_cmd "$IP ro del 172.16.101.0/24 nexthop via 172.16.1.7 dev veth1 nexthop via 172.16.1.8 dev veth1" ++ log_test $? 2 "Delete multipath route with only nh id based entry" + } + + ipv4_grp_fcnal() +-- +2.16.4 + diff --git a/patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch b/patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch new file mode 100644 index 0000000..bff7a8e --- /dev/null +++ b/patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch @@ -0,0 +1,30 @@ +From 15342f930ebebcfe36f2415049736a77d7d2e045 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 13 Dec 2021 07:21:15 +0000 +Subject: malidp: Fix NULL vs IS_ERR() checking +Git-commit: 15342f930ebebcfe36f2415049736a77d7d2e045 +Patch-mainline: v5.19-rc1 +References: bsc#1208843 CVE-2023-23004 + +The get_sg_table() function does not return NULL. +It returns error pointers. + +Signed-off-by: Miaoqian Lin +Signed-off-by: Liviu Dudau +Link: https://lore.kernel.org/dri-devel/20211213072115.18098-1-linmq006@gmail.com/ +Acked-by: Patrik Jakobsson +--- + drivers/gpu/drm/arm/malidp_planes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/arm/malidp_planes.c ++++ b/drivers/gpu/drm/arm/malidp_planes.c +@@ -346,7 +346,7 @@ + else + sgt = obj->dev->driver->gem_prime_get_sg_table(obj); + +- if (!sgt) ++ if (IS_ERR(sgt)) + return false; + + sgl = sgt->sgl; diff --git a/patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch b/patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch new file mode 100644 index 0000000..cb9fa39 --- /dev/null +++ b/patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch @@ -0,0 +1,84 @@ +From c8c80c996182239ff9b05eda4db50184cf3b2e99 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Thu, 13 Jan 2022 07:59:28 +0100 +Subject: [PATCH] media: meson: vdec: potential dereference of null pointer +Git-commit: c8c80c996182239ff9b05eda4db50184cf3b2e99 +Patch-mainline: v5.18-rc1 +References: CVE-2022-3112 bsc#1206399 + +As the possible failure of the kzalloc(), the 'new_ts' could be NULL +pointer. +Therefore, it should be better to check it in order to avoid the +dereference of the NULL pointer. +Also, the caller esparser_queue() needs to deal with the return value of +the amvdec_add_ts(). + +Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance") +Signed-off-by: Jiasheng Jiang +Suggested-by: Neil Armstrong +Reviewed-by: Neil Armstrong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/staging/media/meson/vdec/esparser.c | 7 ++++++- + drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++-- + drivers/staging/media/meson/vdec/vdec_helpers.h | 2 +- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/staging/media/meson/vdec/esparser.c ++++ b/drivers/staging/media/meson/vdec/esparser.c +@@ -200,7 +200,12 @@ esparser_queue(struct amvdec_session *se + + offset = esparser_get_offset(sess); + +- amvdec_add_ts_reorder(sess, vb->timestamp, offset); ++ ret = amvdec_add_ts_reorder(sess, vb->timestamp, offset); ++ if (ret) { ++ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR); ++ return ret; ++ } ++ + dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X\n", + vb->timestamp, payload_size, offset); + +--- a/drivers/staging/media/meson/vdec/vdec_helpers.c ++++ b/drivers/staging/media/meson/vdec/vdec_helpers.c +@@ -200,12 +200,15 @@ int amvdec_set_canvases(struct amvdec_se + } + EXPORT_SYMBOL_GPL(amvdec_set_canvases); + +-void amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset) ++int amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset) + { + struct amvdec_timestamp *new_ts, *tmp; + unsigned long flags; + +- new_ts = kmalloc(sizeof(*new_ts), GFP_KERNEL); ++ new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL); ++ if (!new_ts) ++ return -ENOMEM; ++ + new_ts->ts = ts; + new_ts->offset = offset; + +@@ -225,6 +228,7 @@ add_tail: + list_add_tail(&new_ts->list, &sess->timestamps); + unlock: + spin_unlock_irqrestore(&sess->ts_spinlock, flags); ++ return 0; + } + EXPORT_SYMBOL_GPL(amvdec_add_ts_reorder); + +--- a/drivers/staging/media/meson/vdec/vdec_helpers.h ++++ b/drivers/staging/media/meson/vdec/vdec_helpers.h +@@ -50,7 +50,7 @@ void amvdec_dst_buf_done_offset(struct a + * @ts: timestamp to add + * @offset: offset in the VIFIFO where the associated packet was written + */ +-void amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset); ++int amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset); + void amvdec_remove_ts(struct amvdec_session *sess, u64 ts); + + /** diff --git a/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch new file mode 100644 index 0000000..47b3951 --- /dev/null +++ b/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch @@ -0,0 +1,83 @@ +From 29b0589a865b6f66d141d79b2dd1373e4e50fe17 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 24 Jan 2023 08:55:33 +0100 +Subject: [PATCH] media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() +Git-commit: 29b0589a865b6f66d141d79b2dd1373e4e50fe17 +Patch-mainline: v6.3-rc1 +References: CVE-2023-1118 bsc#1208837 + +When the ene device is detaching, function ene_remove() will +be called. But there is no function to cancel tx_sim_timer +in ene_remove(), the timer handler ene_tx_irqsim() could race +with ene_remove(). As a result, the UAF bugs could happen, +the process is shown below. + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +ene_remove() | (wait a time) + | ene_tx_irqsim() + | dev->hw_lock //USE + | ene_tx_sample(dev) //USE + +Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(), +The tx_sim_timer could stop before ene device is deallocated. + +What's more, The rc_unregister_device() and del_timer_sync() +should be called first in ene_remove() and the deallocated +functions such as free_irq(), release_region() and so on +should be called behind them. Because the rc_unregister_device() +is well synchronized. Otherwise, race conditions may happen. The +situations that may lead to race conditions are shown below. + +Firstly, the rx receiver is disabled with ene_rx_disable() +before rc_unregister_device() in ene_remove(), which means it +can be enabled again if a process opens /dev/lirc0 between +ene_rx_disable() and rc_unregister_device(). + +Secondly, the irqaction descriptor is freed by free_irq() +before the rc device is unregistered, which means irqaction +descriptor may be accessed again after it is deallocated. + +Thirdly, the timer can call ene_tx_sample() that can write +to the io ports, which means the io ports could be accessed +again after they are deallocated by release_region(). + +Therefore, the rc_unregister_device() and del_timer_sync() +should be called first in ene_remove(). + +Suggested by: Sean Young + +Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/rc/ene_ir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c +index e09270916fbc..11ee21a7db8f 100644 +--- a/drivers/media/rc/ene_ir.c ++++ b/drivers/media/rc/ene_ir.c +@@ -1106,6 +1106,8 @@ static void ene_remove(struct pnp_dev *pnp_dev) + struct ene_device *dev = pnp_get_drvdata(pnp_dev); + unsigned long flags; + ++ rc_unregister_device(dev->rdev); ++ del_timer_sync(&dev->tx_sim_timer); + spin_lock_irqsave(&dev->hw_lock, flags); + ene_rx_disable(dev); + ene_rx_restore_hw_buffer(dev); +@@ -1113,7 +1115,6 @@ static void ene_remove(struct pnp_dev *pnp_dev) + + free_irq(dev->irq, dev); + release_region(dev->hw_io, ENE_IO_SIZE); +- rc_unregister_device(dev->rdev); + kfree(dev); + } + +-- +2.35.3 + diff --git a/patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch b/patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch new file mode 100644 index 0000000..69ceb23 --- /dev/null +++ b/patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch @@ -0,0 +1,122 @@ +From: Laurent Dufour +Date: Fri, 13 Nov 2020 22:51:53 -0800 +Subject: mm/slub: fix panic in slab_alloc_node() +Git-commit: 22e4663e916321b72972c69ca0c6b962f529bd78 +Patch-mainline: v5.10-rc4 +References: bsc#1208023 + +While doing memory hot-unplug operation on a PowerPC VM running 1024 CPUs +with 11TB of ram, I hit the following panic: + + BUG: Kernel NULL pointer dereference on read at 0x00000007 + Faulting instruction address: 0xc000000000456048 + Oops: Kernel access of bad area, sig: 11 [#2] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS= 2048 NUMA pSeries + Modules linked in: rpadlpar_io rpaphp + CPU: 160 PID: 1 Comm: systemd Tainted: G D 5.9.0 #1 + NIP: c000000000456048 LR: c000000000455fd4 CTR: c00000000047b350 + REGS: c00006028d1b77a0 TRAP: 0300 Tainted: G D (5.9.0) + MSR: 8000000000009033 CR: 24004228 XER: 00000000 + CFAR: c00000000000f1b0 DAR: 0000000000000007 DSISR: 40000000 IRQMASK: 0 + GPR00: c000000000455fd4 c00006028d1b7a30 c000000001bec800 0000000000000000 + GPR04: 0000000000000dc0 0000000000000000 00000000000374ef c00007c53df99320 + GPR08: 000007c53c980000 0000000000000000 000007c53c980000 0000000000000000 + GPR12: 0000000000004400 c00000001e8e4400 0000000000000000 0000000000000f6a + GPR16: 0000000000000000 c000000001c25930 c000000001d62528 00000000000000c1 + GPR20: c000000001d62538 c00006be469e9000 0000000fffffffe0 c0000000003c0ff8 + GPR24: 0000000000000018 0000000000000000 0000000000000dc0 0000000000000000 + GPR28: c00007c513755700 c000000001c236a4 c00007bc4001f800 0000000000000001 + NIP [c000000000456048] __kmalloc_node+0x108/0x790 + LR [c000000000455fd4] __kmalloc_node+0x94/0x790 + Call Trace: + kvmalloc_node+0x58/0x110 + mem_cgroup_css_online+0x10c/0x270 + online_css+0x48/0xd0 + cgroup_apply_control_enable+0x2c4/0x470 + cgroup_mkdir+0x408/0x5f0 + kernfs_iop_mkdir+0x90/0x100 + vfs_mkdir+0x138/0x250 + do_mkdirat+0x154/0x1c0 + system_call_exception+0xf8/0x200 + system_call_common+0xf0/0x27c + Instruction dump: + e93e0000 e90d0030 39290008 7cc9402a e94d0030 e93e0000 7ce95214 7f89502a + 2fbc0000 419e0018 41920230 e9270010 <89290007> 7f994800 419e0220 7ee6bb78 + +This pointing to the following code: + + mm/slub.c:2851 + if (unlikely(!object || !node_match(page, node))) { + c000000000456038: 00 00 bc 2f cmpdi cr7,r28,0 + c00000000045603c: 18 00 9e 41 beq cr7,c000000000456054 <__kmalloc_node+0x114> + node_match(): + mm/slub.c:2491 + if (node != NUMA_NO_NODE && page_to_nid(page) != node) + c000000000456040: 30 02 92 41 beq cr4,c000000000456270 <__kmalloc_node+0x330> + page_to_nid(): + include/linux/mm.h:1294 + c000000000456044: 10 00 27 e9 ld r9,16(r7) + c000000000456048: 07 00 29 89 lbz r9,7(r9) <<<< r9 = NULL + node_match(): + mm/slub.c:2491 + c00000000045604c: 00 48 99 7f cmpw cr7,r25,r9 + c000000000456050: 20 02 9e 41 beq cr7,c000000000456270 <__kmalloc_node+0x330> + +The panic occurred in slab_alloc_node() when checking for the page's node: + + object = c->freelist; + page = c->page; + if (unlikely(!object || !node_match(page, node))) { + object = __slab_alloc(s, gfpflags, node, addr, c); + stat(s, ALLOC_SLOWPATH); + +The issue is that object is not NULL while page is NULL which is odd but +may happen if the cache flush happened after loading object but before +loading page. Thus checking for the page pointer is required too. + +The cache flush is done through an inter processor interrupt when a +piece of memory is off-lined. That interrupt is triggered when a memory +hot-unplug operation is initiated and offline_pages() is calling the +slub's MEM_GOING_OFFLINE callback slab_mem_going_offline_callback() +which is calling flush_cpu_slab(). If that interrupt is caught between +the reading of c->freelist and the reading of c->page, this could lead +to such a situation. That situation is expected and the later call to +this_cpu_cmpxchg_double() will detect the change to c->freelist and redo +the whole operation. + +In commit 6159d0f5c03e ("mm/slub.c: page is always non-NULL in +node_match()") check on the page pointer has been removed assuming that +page is always valid when it is called. It happens that this is not +true in that particular case, so check for page before calling +node_match() here. + +Fixes: 6159d0f5c03e ("mm/slub.c: page is always non-NULL in node_match()") +Signed-off-by: Laurent Dufour +Signed-off-by: Andrew Morton +Acked-by: Vlastimil Babka +Acked-by: Christoph Lameter +Cc: Wei Yang +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Nathan Lynch +Cc: Scott Cheloha +Cc: Michal Hocko +Cc: +Link: https://lkml.kernel.org/r/20201027190406.33283-1-ldufour@linux.ibm.com +Signed-off-by: Linus Torvalds +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2802,7 +2802,7 @@ redo: + + object = c->freelist; + page = c->page; +- if (unlikely(!object || !node_match(page, node))) { ++ if (unlikely(!object || !page || !node_match(page, node))) { + object = __slab_alloc(s, gfpflags, node, addr, c); + stat(s, ALLOC_SLOWPATH); + } else { diff --git a/patches.suse/module-Don-t-wait-for-GOING-modules.patch b/patches.suse/module-Don-t-wait-for-GOING-modules.patch new file mode 100644 index 0000000..b22c226 --- /dev/null +++ b/patches.suse/module-Don-t-wait-for-GOING-modules.patch @@ -0,0 +1,111 @@ +From: Petr Pavlu +Date: Mon, 5 Dec 2022 11:35:57 +0100 +Subject: module: Don't wait for GOING modules +Git-commit: 0254127ab977e70798707a7a2b757c9f3c971210 +Patch-mainline: v6.2-rc6 +References: bsc#1196058, bsc#1186449, bsc#1204356, bsc#1204662 + +During a system boot, it can happen that the kernel receives a burst of +requests to insert the same module but loading it eventually fails +during its init call. For instance, udev can make a request to insert +a frequency module for each individual CPU when another frequency module +is already loaded which causes the init function of the new module to +return an error. + +Since commit 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for +modules that have finished loading"), the kernel waits for modules in +MODULE_STATE_GOING state to finish unloading before making another +attempt to load the same module. + +This creates unnecessary work in the described scenario and delays the +boot. In the worst case, it can prevent udev from loading drivers for +other devices and might cause timeouts of services waiting on them and +subsequently a failed boot. + +This patch attempts a different solution for the problem 6e6de3dee51a +was trying to solve. Rather than waiting for the unloading to complete, +it returns a different error code (-EBUSY) for modules in the GOING +state. This should avoid the error situation that was described in +6e6de3dee51a (user space attempting to load a dependent module because +the -EEXIST error code would suggest to user space that the first module +had been loaded successfully), while avoiding the delay situation too. + +This has been tested on linux-next since December 2022 and passes +all kmod selftests except test 0009 with module compression enabled +but it has been confirmed that this issue has existed and has gone +unnoticed since prior to this commit and can also be reproduced without +module compression with a simple usleep(5000000) on tools/modprobe.c [0]. +These failures are caused by hitting the kernel mod_concurrent_max and can +happen either due to a self inflicted kernel module auto-loead DoS somehow +or on a system with large CPU count and each CPU count incorrectly triggering +many module auto-loads. Both of those issues need to be fixed in-kernel. + +[0] https://lore.kernel.org/all/Y9A4fiobL6IHp%2F%2FP@bombadil.infradead.org/ + +Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading") +Co-developed-by: Martin Wilck +Signed-off-by: Martin Wilck +Signed-off-by: Petr Pavlu +Cc: stable@vger.kernel.org +Reviewed-by: Petr Mladek +[mcgrof: enhance commit log with testing and kmod test result interpretation ] +Signed-off-by: Luis Chamberlain +--- + kernel/module.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 48568a0f5651..4ac3fe43e6c8 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2393,7 +2393,8 @@ static bool finished_loading(const char *name) + sched_annotate_sleep(); + mutex_lock(&module_mutex); + mod = find_module_all(name, strlen(name), true); +- ret = !mod || mod->state == MODULE_STATE_LIVE; ++ ret = !mod || mod->state == MODULE_STATE_LIVE ++ || mod->state == MODULE_STATE_GOING; + mutex_unlock(&module_mutex); + + return ret; +@@ -2569,20 +2570,35 @@ static int add_unformed_module(struct module *mod) + + mod->state = MODULE_STATE_UNFORMED; + +-again: + mutex_lock(&module_mutex); + old = find_module_all(mod->name, strlen(mod->name), true); + if (old != NULL) { +- if (old->state != MODULE_STATE_LIVE) { ++ if (old->state == MODULE_STATE_COMING ++ || old->state == MODULE_STATE_UNFORMED) { + /* Wait in case it fails to load. */ + mutex_unlock(&module_mutex); + err = wait_event_interruptible(module_wq, + finished_loading(mod->name)); + if (err) + goto out_unlocked; +- goto again; ++ ++ /* The module might have gone in the meantime. */ ++ mutex_lock(&module_mutex); ++ old = find_module_all(mod->name, strlen(mod->name), ++ true); + } +- err = -EEXIST; ++ ++ /* ++ * We are here only when the same module was being loaded. Do ++ * not try to load it again right now. It prevents long delays ++ * caused by serialized module load failures. It might happen ++ * when more devices of the same type trigger load of ++ * a particular module. ++ */ ++ if (old && old->state == MODULE_STATE_LIVE) ++ err = -EEXIST; ++ else ++ err = -EBUSY; + goto out; + } + mod_update_bounds(mod); + diff --git a/patches.suse/net-add-sock_init_data_uid.patch b/patches.suse/net-add-sock_init_data_uid.patch new file mode 100644 index 0000000..183d996 --- /dev/null +++ b/patches.suse/net-add-sock_init_data_uid.patch @@ -0,0 +1,84 @@ +From: Pietro Borrello +Date: Sat, 4 Feb 2023 17:39:20 +0000 +Subject: net: add sock_init_data_uid() +Git-commit: 584f3742890e966d2f0a1f3c418c9ead70b2d99e +Patch-mainline: v6.3-rc1 +References: CVE-2023-1076 bsc#1208599 + +Add sock_init_data_uid() to explicitly initialize the socket uid. +To initialise the socket uid, sock_init_data() assumes a the struct +socket* sock is always embedded in a struct socket_alloc, used to +access the corresponding inode uid. This may not be true. +Examples are sockets created in tun_chr_open() and tap_open(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Miroslav Franc +--- + include/net/sock.h | 7 ++++++- + net/core/sock.c | 15 ++++++++++++--- + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 22d50dabdc9d..da758f2273e4 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1739,7 +1739,12 @@ void sk_common_release(struct sock *sk); + * Default socket callbacks and setup code + */ + +-/* Initialise core socket variables */ ++/* Initialise core socket variables using an explicit uid. */ ++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid); ++ ++/* Initialise core socket variables. ++ * Assumes struct socket *sock is embedded in a struct socket_alloc. ++ */ + void sock_init_data(struct socket *sock, struct sock *sk); + + /* +diff --git a/net/core/sock.c b/net/core/sock.c +index 652913df588d..28382b23afe2 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2878,7 +2878,7 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer) + } + EXPORT_SYMBOL(sk_stop_timer); + +-void sock_init_data(struct socket *sock, struct sock *sk) ++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid) + { + sk_init_common(sk); + sk->sk_send_head = NULL; +@@ -2897,11 +2897,10 @@ void sock_init_data(struct socket *sock, struct sock *sk) + sk->sk_type = sock->type; + RCU_INIT_POINTER(sk->sk_wq, &sock->wq); + sock->sk = sk; +- sk->sk_uid = SOCK_INODE(sock)->i_uid; + } else { + RCU_INIT_POINTER(sk->sk_wq, NULL); +- sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0); + } ++ sk->sk_uid = uid; + + rwlock_init(&sk->sk_callback_lock); + if (sk->sk_kern_sock) +@@ -2959,6 +2958,16 @@ void sock_init_data(struct socket *sock, struct sock *sk) + refcount_set(&sk->sk_refcnt, 1); + atomic_set(&sk->sk_drops, 0); + } ++EXPORT_SYMBOL(sock_init_data_uid); ++ ++void sock_init_data(struct socket *sock, struct sock *sk) ++{ ++ kuid_t uid = sock ? ++ SOCK_INODE(sock)->i_uid : ++ make_kuid(sock_net(sk)->user_ns, 0); ++ ++ sock_init_data_uid(sock, sk, uid); ++} + EXPORT_SYMBOL(sock_init_data); + + void lock_sock_nested(struct sock *sk, int subclass) diff --git a/patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch b/patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch new file mode 100644 index 0000000..872b9f7 --- /dev/null +++ b/patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch @@ -0,0 +1,115 @@ +From 66cbe230a6222d19b5d57a2934dc417bee017e57 Mon Sep 17 00:00:00 2001 +From: Nikolay Aleksandrov +Date: Fri, 1 Apr 2022 10:33:42 +0300 +Subject: [PATCH 1/2] net: ipv4: fix route with nexthop object delete warning +Git-commit: 61b91eb33a69c3be11b259c5ea484505cd79f883 +References: bsc#1204171 CVE-2022-3435 +Patch-mainline: v6.1-rc1 + +FRR folks have hit a kernel warning[1] while deleting routes[2] which is +caused by trying to delete a route pointing to a nexthop id without +specifying nhid but matching on an interface. That is, a route is found +but we hit a warning while matching it. The warning is from +fib_info_nh() in include/net/nexthop.h because we run it on a fib_info +with nexthop object. The call chain is: + inet_rtm_delroute -> fib_table_delete -> fib_nh_match (called with a +nexthop fib_info and also with fc_oif set thus calling fib_info_nh on +the fib_info and triggering the warning). The fix is to not do any +matching in that branch if the fi has a nexthop object because those are +managed separately. I.e. we should match when deleting without nh spec and +should fail when deleting a nexthop route with old-style nh spec because +nexthop objects are managed separately, e.g.: + $ ip r show 1.2.3.4/32 + 1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0 + + $ ip r del 1.2.3.4/32 + $ ip r del 1.2.3.4/32 nhid 12 + + + $ ip r del 1.2.3.4/32 dev dummy0 + + +[1] + [ 523.462226] ------------[ cut here ]------------ + [ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fib_nh_match+0x210/0x460 + [ 523.462236] Modules linked in: dummy rpcsec_gss_krb5 xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_raw iptable_raw bpf_preload xt_statistic ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs xt_mark nf_tables xt_nat veth nf_conntrack_netlink nfnetlink xt_addrtype br_netfilter overlay dm_crypt nfsv3 nfs fscache netfs vhost_net vhost vhost_iotlb tap tun xt_CHECKSUM xt_MASQUERADE xt_conntrack 8021q garp mrp ipt_REJECT nf_reject_ipv4 ip6table_mangle ip6table_nat iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bridge stp llc rfcomm snd_seq_dummy snd_hrtimer rpcrdma rdma_cm iw_cm ib_cm ib_core ip6table_filter xt_comment ip6_tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmt_misc xfs vfat fat squashfs loop nvidia_drm(POE) nvidia_modeset(POE) nvidia_uvm(POE) nvidia(POE) intel_rapl_msr intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi btusb btrtl iwlmvm uvcvideo btbcm snd_hda_intel edac_mce_amd + [ 523.462274] videobuf2_vmalloc videobuf2_memops btintel snd_intel_dspcfg videobuf2_v4l2 snd_intel_sdw_acpi bluetooth snd_usb_audio snd_hda_codec mac80211 snd_usbmidi_lib joydev snd_hda_core videobuf2_common kvm_amd snd_rawmidi snd_hwdep snd_seq videodev ccp snd_seq_device libarc4 ecdh_generic mc snd_pcm kvm iwlwifi snd_timer drm_kms_helper snd cfg80211 cec soundcore irqbypass rapl wmi_bmof i2c_piix4 rfkill k10temp pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc drm zram ip_tables crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel nvme sp5100_tco r8169 nvme_core wmi ipmi_devintf ipmi_msghandler fuse + [ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x86_64 #1 + [ 523.462302] Hardware name: Micro-Star International Co., Ltd. MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020 + [ 523.462303] RIP: 0010:fib_nh_match+0x210/0x460 + [ 523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff <0f> 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00 + [ 523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286 + [ 523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0 + [ 523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380 + [ 523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000 + [ 523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031 + [ 523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0 + [ 523.462311] FS: 00007f245517c1c0(0000) GS:ffff9e492ed80000(0000) knlGS:0000000000000000 + [ 523.462313] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 523.462313] CR2: 000055e5dfdd8268 CR3: 00000003ef488000 CR4: 0000000000350ee0 + [ 523.462315] Call Trace: + [ 523.462316] + [ 523.462320] fib_table_delete+0x1a9/0x310 + [ 523.462323] inet_rtm_delroute+0x93/0x110 + [ 523.462325] rtnetlink_rcv_msg+0x133/0x370 + [ 523.462327] ? _copy_to_iter+0xb5/0x6f0 + [ 523.462330] ? rtnl_calcit.isra.0+0x110/0x110 + [ 523.462331] netlink_rcv_skb+0x50/0xf0 + [ 523.462334] netlink_unicast+0x211/0x330 + [ 523.462336] netlink_sendmsg+0x23f/0x480 + [ 523.462338] sock_sendmsg+0x5e/0x60 + [ 523.462340] ____sys_sendmsg+0x22c/0x270 + [ 523.462341] ? import_iovec+0x17/0x20 + [ 523.462343] ? sendmsg_copy_msghdr+0x59/0x90 + [ 523.462344] ? __mod_lruvec_page_state+0x85/0x110 + [ 523.462348] ___sys_sendmsg+0x81/0xc0 + [ 523.462350] ? netlink_seq_start+0x70/0x70 + [ 523.462352] ? __dentry_kill+0x13a/0x180 + [ 523.462354] ? __fput+0xff/0x250 + [ 523.462356] __sys_sendmsg+0x49/0x80 + [ 523.462358] do_syscall_64+0x3b/0x90 + [ 523.462361] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 523.462364] RIP: 0033:0x7f24552aa337 + [ 523.462365] Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + [ 523.462366] RSP: 002b:00007fff7f05a838 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + [ 523.462368] RAX: ffffffffffffffda RBX: 000000006245bf91 RCX: 00007f24552aa337 + [ 523.462368] RDX: 0000000000000000 RSI: 00007fff7f05a8a0 RDI: 0000000000000003 + [ 523.462369] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 + [ 523.462370] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001 + [ 523.462370] R13: 00007fff7f05ce08 R14: 0000000000000000 R15: 000055e5dfdd1040 + [ 523.462373] + [ 523.462374] ---[ end trace ba537bc16f6bf4ed ]--- + +[2] https://github.com/FRRouting/frr/issues/6412 + +Fixes: 4c7e8084fd46 ("ipv4: Plumb support for nexthop object in a fib_info") +Signed-off-by: Nikolay Aleksandrov +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/ipv4/fib_semantics.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index b1b3220917ca..4db1cfd2ded0 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -847,8 +847,13 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi, + } + + if (cfg->fc_oif || cfg->fc_gw_family) { +- struct fib_nh *nh = fib_info_nh(fi, 0); ++ struct fib_nh *nh; ++ ++ /* cannot match on nexthop object attributes */ ++ if (fi->nh) ++ return 1; + ++ nh = fib_info_nh(fi, 0); + if (cfg->fc_encap) { + if (fib_encap_match(cfg->fc_encap_type, cfg->fc_encap, + nh, cfg, extack)) +-- +2.16.4 + diff --git a/patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch b/patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch new file mode 100644 index 0000000..f1adcaf --- /dev/null +++ b/patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch @@ -0,0 +1,107 @@ +From: Saurabh Sengar +Date: Mon, 31 Oct 2022 23:06:01 -0700 +Subject: net: mana: Assign interrupts to CPUs based on NUMA nodes +Patch-mainline: v6.2-rc1 +Git-commit: 71fa6887eeca7b631528f9c7a39815498de8028c +References: bsc#1208153 + +In large VMs with multiple NUMA nodes, network performance is usually +best if network interrupts are all assigned to the same virtual NUMA +node. This patch assigns online CPU according to a numa aware policy, +local cpus are returned first, followed by non-local ones, then it wraps +around. + +Signed-off-by: Saurabh Sengar +Reviewed-by: Haiyang Zhang +Link: https://lore.kernel.org/r/1667282761-11547-1-git-send-email-ssengar@linux.microsoft.com +Signed-off-by: Paolo Abeni +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/microsoft/mana/gdma.h | 1 + drivers/net/ethernet/microsoft/mana/gdma_main.c | 30 +++++++++++++++++++++--- + 2 files changed, 28 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma.h ++++ b/drivers/net/ethernet/microsoft/mana/gdma.h +@@ -353,6 +353,7 @@ struct gdma_context { + void __iomem *shm_base; + void __iomem *db_page_base; + u32 db_page_size; ++ int numa_node; + + /* Shared memory chanenl (used to bootstrap HWC) */ + struct shm_channel shm_channel; +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1197,8 +1197,10 @@ static int mana_gd_setup_irqs(struct pci + struct gdma_context *gc = pci_get_drvdata(pdev); + struct gdma_irq_context *gic; + unsigned int max_irqs; ++ u16 *cpus; ++ cpumask_var_t req_mask; + int nvec, irq; +- int err, i, j; ++ int err, i = 0, j; + + if (max_queues_per_port > MANA_MAX_NUM_QUEUES) + max_queues_per_port = MANA_MAX_NUM_QUEUES; +@@ -1217,7 +1219,21 @@ static int mana_gd_setup_irqs(struct pci + goto free_irq_vector; + } + ++ if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) { ++ err = -ENOMEM; ++ goto free_irq; ++ } ++ ++ cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL); ++ if (!cpus) { ++ err = -ENOMEM; ++ goto free_mask; ++ } ++ for (i = 0; i < nvec; i++) ++ cpus[i] = cpumask_local_spread(i, gc->numa_node); ++ + for (i = 0; i < nvec; i++) { ++ cpumask_set_cpu(cpus[i], req_mask); + gic = &gc->irq_contexts[i]; + gic->handler = NULL; + gic->arg = NULL; +@@ -1225,13 +1241,17 @@ static int mana_gd_setup_irqs(struct pci + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; +- goto free_irq; ++ goto free_mask; + } + + err = request_irq(irq, mana_gd_intr, 0, "mana_intr", gic); + if (err) +- goto free_irq; ++ goto free_mask; ++ irq_set_affinity_and_hint(irq, req_mask); ++ cpumask_clear(req_mask); + } ++ free_cpumask_var(req_mask); ++ kfree(cpus); + + err = mana_gd_alloc_res_map(nvec, &gc->msix_resource); + if (err) +@@ -1242,6 +1262,9 @@ static int mana_gd_setup_irqs(struct pci + + return 0; + ++free_mask: ++ free_cpumask_var(req_mask); ++ kfree(cpus); + free_irq: + for (j = i - 1; j >= 0; j--) { + irq = pci_irq_vector(pdev, j); +@@ -1371,6 +1394,7 @@ static int mana_gd_probe(struct pci_dev + if (!bar0_va) + goto free_gc; + ++ gc->numa_node = dev_to_node(&pdev->dev); + gc->is_pf = mana_is_pf(pdev->device); + gc->bar0_va = bar0_va; + gc->dev = &pdev->dev; diff --git a/patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch b/patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch new file mode 100644 index 0000000..87c2604 --- /dev/null +++ b/patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch @@ -0,0 +1,63 @@ +From: Haiyang Zhang +Date: Thu, 19 Jan 2023 12:59:10 -0800 +Subject: net: mana: Fix IRQ name - add PCI and queue number +Patch-mainline: v6.2-rc6 +Git-commit: 20e3028c39a5bf882e91e717da96d14f1acec40e +References: bsc#1207875 + +The PCI and queue number info is missing in IRQ names. + +Add PCI and queue number to IRQ names, to allow CPU affinity +tuning scripts to work. + +Cc: stable@vger.kernel.org +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Haiyang Zhang +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/1674161950-19708-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/microsoft/mana/gdma.h | 3 +++ + drivers/net/ethernet/microsoft/mana/gdma_main.c | 9 ++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma.h ++++ b/drivers/net/ethernet/microsoft/mana/gdma.h +@@ -324,9 +324,12 @@ struct gdma_queue_spec { + }; + }; + ++#define MANA_IRQ_NAME_SZ 32 ++ + struct gdma_irq_context { + void (*handler)(void *arg); + void *arg; ++ char name[MANA_IRQ_NAME_SZ]; + }; + + struct gdma_context { +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1238,13 +1238,20 @@ static int mana_gd_setup_irqs(struct pci + gic->handler = NULL; + gic->arg = NULL; + ++ if (!i) ++ snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_hwc@pci:%s", ++ pci_name(pdev)); ++ else ++ snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_q%d@pci:%s", ++ i - 1, pci_name(pdev)); ++ + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; + goto free_mask; + } + +- err = request_irq(irq, mana_gd_intr, 0, "mana_intr", gic); ++ err = request_irq(irq, mana_gd_intr, 0, gic->name, gic); + if (err) + goto free_mask; + irq_set_affinity_and_hint(irq, req_mask); diff --git a/patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch b/patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch new file mode 100644 index 0000000..d207f4d --- /dev/null +++ b/patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch @@ -0,0 +1,131 @@ +From: Haiyang Zhang +Date: Mon, 6 Feb 2023 13:28:49 -0800 +Subject: net: mana: Fix accessing freed irq affinity_hint +Patch-mainline: v6.2-rc8 +Git-commit: 18a048370b06a3a521219e9e5b10bdc2178ef19c +References: bsc#1208153 + +After calling irq_set_affinity_and_hint(), the cpumask pointer is +saved in desc->affinity_hint, and will be used later when reading +/proc/irq//affinity_hint. So the cpumask variable needs to be +persistent. Otherwise, we are accessing freed memory when reading +the affinity_hint file. + +Also, need to clear affinity_hint before free_irq(), otherwise there +is a one-time warning and stack trace during module unloading: + + [ 243.948687] WARNING: CPU: 10 PID: 1589 at kernel/irq/manage.c:1913 free_irq+0x318/0x360 + ... + [ 243.948753] Call Trace: + [ 243.948754] + [ 243.948760] mana_gd_remove_irqs+0x78/0xc0 [mana] + [ 243.948767] mana_gd_remove+0x3e/0x80 [mana] + [ 243.948773] pci_device_remove+0x3d/0xb0 + [ 243.948778] device_remove+0x46/0x70 + [ 243.948782] device_release_driver_internal+0x1fe/0x280 + [ 243.948785] driver_detach+0x4e/0xa0 + [ 243.948787] bus_remove_driver+0x70/0xf0 + [ 243.948789] driver_unregister+0x35/0x60 + [ 243.948792] pci_unregister_driver+0x44/0x90 + [ 243.948794] mana_driver_exit+0x14/0x3fe [mana] + [ 243.948800] __do_sys_delete_module.constprop.0+0x185/0x2f0 + +To fix the bug, use the persistent mask, cpumask_of(cpu#), and set +affinity_hint to NULL before freeing the IRQ, as required by free_irq(). + +Cc: stable@vger.kernel.org +Fixes: 71fa6887eeca ("net: mana: Assign interrupts to CPUs based on NUMA nodes") +Signed-off-by: Haiyang Zhang +Reviewed-by: Michael Kelley +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1675718929-19565-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 37 +++++++----------------- + 1 file changed, 11 insertions(+), 26 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1196,9 +1196,7 @@ static int mana_gd_setup_irqs(struct pci + unsigned int max_queues_per_port = num_online_cpus(); + struct gdma_context *gc = pci_get_drvdata(pdev); + struct gdma_irq_context *gic; +- unsigned int max_irqs; +- u16 *cpus; +- cpumask_var_t req_mask; ++ unsigned int max_irqs, cpu; + int nvec, irq; + int err, i = 0, j; + +@@ -1219,21 +1217,7 @@ static int mana_gd_setup_irqs(struct pci + goto free_irq_vector; + } + +- if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) { +- err = -ENOMEM; +- goto free_irq; +- } +- +- cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL); +- if (!cpus) { +- err = -ENOMEM; +- goto free_mask; +- } +- for (i = 0; i < nvec; i++) +- cpus[i] = cpumask_local_spread(i, gc->numa_node); +- + for (i = 0; i < nvec; i++) { +- cpumask_set_cpu(cpus[i], req_mask); + gic = &gc->irq_contexts[i]; + gic->handler = NULL; + gic->arg = NULL; +@@ -1248,17 +1232,16 @@ static int mana_gd_setup_irqs(struct pci + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; +- goto free_mask; ++ goto free_irq; + } + + err = request_irq(irq, mana_gd_intr, 0, gic->name, gic); + if (err) +- goto free_mask; +- irq_set_affinity_and_hint(irq, req_mask); +- cpumask_clear(req_mask); ++ goto free_irq; ++ ++ cpu = cpumask_local_spread(i, gc->numa_node); ++ irq_set_affinity_and_hint(irq, cpumask_of(cpu)); + } +- free_cpumask_var(req_mask); +- kfree(cpus); + + err = mana_gd_alloc_res_map(nvec, &gc->msix_resource); + if (err) +@@ -1269,13 +1252,12 @@ static int mana_gd_setup_irqs(struct pci + + return 0; + +-free_mask: +- free_cpumask_var(req_mask); +- kfree(cpus); + free_irq: + for (j = i - 1; j >= 0; j--) { + irq = pci_irq_vector(pdev, j); + gic = &gc->irq_contexts[j]; ++ ++ irq_update_affinity_hint(irq, NULL); + free_irq(irq, gic); + } + +@@ -1303,6 +1285,9 @@ static void mana_gd_remove_irqs(struct p + continue; + + gic = &gc->irq_contexts[i]; ++ ++ /* Need to clear the hint before free_irq */ ++ irq_update_affinity_hint(irq, NULL); + free_irq(irq, gic); + } + diff --git a/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch b/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch new file mode 100644 index 0000000..c0c5988 --- /dev/null +++ b/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch @@ -0,0 +1,40 @@ +From: Miaoqian Lin +Date: Wed, 22 Dec 2021 06:54:53 +0000 +Subject: net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources +Patch-mainline: v5.16-rc8 +Git-commit: 6b8b42585886c59a008015083282aae434349094 +References: bsc#1208845 CVE-2023-23006 + +The mlx5_get_uars_page() function returns error pointers. +Using IS_ERR() to check the return value to fix this. + +Fixes: 4ec9e7b02697 ("net/mlx5: DR, Expose steering domain functionality") +Signed-off-by: Miaoqian Lin +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -2,6 +2,7 @@ + /* Copyright (c) 2019 Mellanox Technologies. */ + + #include ++#include + #include "dr_types.h" + + static int dr_domain_init_cache(struct mlx5dr_domain *dmn) +@@ -64,9 +65,9 @@ static int dr_domain_init_resources(stru + } + + dmn->uar = mlx5_get_uars_page(dmn->mdev); +- if (!dmn->uar) { ++ if (IS_ERR(dmn->uar)) { + mlx5dr_err(dmn, "Couldn't allocate UAR\n"); +- ret = -ENOMEM; ++ ret = PTR_ERR(dmn->uar); + goto clean_pd; + } + diff --git a/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch new file mode 100644 index 0000000..c6c5d55 --- /dev/null +++ b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch @@ -0,0 +1,52 @@ +From: Jakub Kicinski +Date: Mon, 13 Feb 2023 22:53:55 -0800 +Subject: net: mpls: fix stale pointer if allocation fails during device rename +Patch-mainline: v6.2 +Git-commit: fda6c89fe3d9aca073495a664e1d5aea28cd4377 +References: bsc#1208700 CVE-2023-26545 + +lianhui reports that when MPLS fails to register the sysctl table +under new location (during device rename) the old pointers won't +get overwritten and may be freed again (double free). + +Handle this gracefully. The best option would be unregistering +the MPLS from the device completely on failure, but unfortunately +mpls_ifdown() can fail. So failing fully is also unreliable. + +Another option is to register the new table first then only +remove old one if the new one succeeds. That requires more +code, changes order of notifications and two tables may be +visible at the same time. + +sysctl point is not used in the rest of the code - set to NULL +on failures and skip unregister if already NULL. + +Reported-by: lianhui tang +Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/mpls/af_mpls.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(stru + free: + kfree(table); + out: ++ mdev->sysctl = NULL; + return -ENOBUFS; + } + +@@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(s + struct net *net = dev_net(dev); + struct ctl_table *table; + ++ if (!mdev->sysctl) ++ return; ++ + table = mdev->sysctl->ctl_table_arg; + unregister_net_sysctl_table(mdev->sysctl); + kfree(table); diff --git a/patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch b/patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch new file mode 100644 index 0000000..2a97d49 --- /dev/null +++ b/patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch @@ -0,0 +1,42 @@ +From c03072dea1c0fc5d66e48692cd8be13443327a29 Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sun, 1 Jan 2023 16:57:43 -0500 +Subject: [PATCH 2/2] net: sched: atm: dont intepret cls results when asked to + drop +Git-commit: a2965c7be0522eaa18808684b7b82b248515511b +References: bsc#1207125 CVE-2023-23455 +Patch-mainline: v6.2-rc3 + +If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume +res.class contains a valid pointer +Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent") + +Signed-off-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/sched/sch_atm.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c +index 6385995dc700..34dd0434d99d 100644 +--- a/net/sched/sch_atm.c ++++ b/net/sched/sch_atm.c +@@ -396,10 +396,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch, + result = tcf_classify(skb, fl, &res, true); + if (result < 0) + continue; ++ if (result == TC_ACT_SHOT) ++ goto done; ++ + flow = (struct atm_flow_data *)res.class; + if (!flow) + flow = lookup_flow(sch, res.classid); +- goto done; ++ goto drop; + } + } + flow = NULL; +-- +2.16.4 + diff --git a/patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch b/patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch new file mode 100644 index 0000000..d5b0a43 --- /dev/null +++ b/patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch @@ -0,0 +1,147 @@ +From 71c4471290abc5888cf1cb13a7661e06367d3c5f Mon Sep 17 00:00:00 2001 +From: Jamal Hadi Salim +Date: Sun, 1 Jan 2023 16:57:44 -0500 +Subject: [PATCH 1/2] net: sched: cbq: dont intepret cls results when asked to + drop +Git-commit: caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12 +References: bsc#1207036 CVE-2023-23454 +Patch-mainline: v6.2-rc3 + +If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume that +res.class contains a valid pointer + +Sample splat reported by Kyle Zeng + +[ 5.405624] 0: reclassify loop, rule prio 0, protocol 800 +[ 5.406326] ================================================================== +[ 5.407240] BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x54b/0xea0 +[ 5.407987] Read of size 1 at addr ffff88800e3122aa by task poc/299 +[ 5.408731] +[ 5.408897] CPU: 0 PID: 299 Comm: poc Not tainted 5.10.155+ #15 +[ 5.409516] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS 1.15.0-1 04/01/2014 +[ 5.410439] Call Trace: +[ 5.410764] dump_stack+0x87/0xcd +[ 5.411153] print_address_description+0x7a/0x6b0 +[ 5.411687] ? vprintk_func+0xb9/0xc0 +[ 5.411905] ? printk+0x76/0x96 +[ 5.412110] ? cbq_enqueue+0x54b/0xea0 +[ 5.412323] kasan_report+0x17d/0x220 +[ 5.412591] ? cbq_enqueue+0x54b/0xea0 +[ 5.412803] __asan_report_load1_noabort+0x10/0x20 +[ 5.413119] cbq_enqueue+0x54b/0xea0 +[ 5.413400] ? __kasan_check_write+0x10/0x20 +[ 5.413679] __dev_queue_xmit+0x9c0/0x1db0 +[ 5.413922] dev_queue_xmit+0xc/0x10 +[ 5.414136] ip_finish_output2+0x8bc/0xcd0 +[ 5.414436] __ip_finish_output+0x472/0x7a0 +[ 5.414692] ip_finish_output+0x5c/0x190 +[ 5.414940] ip_output+0x2d8/0x3c0 +[ 5.415150] ? ip_mc_finish_output+0x320/0x320 +[ 5.415429] __ip_queue_xmit+0x753/0x1760 +[ 5.415664] ip_queue_xmit+0x47/0x60 +[ 5.415874] __tcp_transmit_skb+0x1ef9/0x34c0 +[ 5.416129] tcp_connect+0x1f5e/0x4cb0 +[ 5.416347] tcp_v4_connect+0xc8d/0x18c0 +[ 5.416577] __inet_stream_connect+0x1ae/0xb40 +[ 5.416836] ? local_bh_enable+0x11/0x20 +[ 5.417066] ? lock_sock_nested+0x175/0x1d0 +[ 5.417309] inet_stream_connect+0x5d/0x90 +[ 5.417548] ? __inet_stream_connect+0xb40/0xb40 +[ 5.417817] __sys_connect+0x260/0x2b0 +[ 5.418037] __x64_sys_connect+0x76/0x80 +[ 5.418267] do_syscall_64+0x31/0x50 +[ 5.418477] entry_SYSCALL_64_after_hwframe+0x61/0xc6 +[ 5.418770] RIP: 0033:0x473bb7 +[ 5.418952] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 +00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00 +00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34 +24 89 +[ 5.420046] RSP: 002b:00007fffd20eb0f8 EFLAGS: 00000246 ORIG_RAX: +000000000000002a +[ 5.420472] RAX: ffffffffffffffda RBX: 00007fffd20eb578 RCX: 0000000000473bb7 +[ 5.420872] RDX: 0000000000000010 RSI: 00007fffd20eb110 RDI: 0000000000000007 +[ 5.421271] RBP: 00007fffd20eb150 R08: 0000000000000001 R09: 0000000000000004 +[ 5.421671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 +[ 5.422071] R13: 00007fffd20eb568 R14: 00000000004fc740 R15: 0000000000000002 +[ 5.422471] +[ 5.422562] Allocated by task 299: +[ 5.422782] __kasan_kmalloc+0x12d/0x160 +[ 5.423007] kasan_kmalloc+0x5/0x10 +[ 5.423208] kmem_cache_alloc_trace+0x201/0x2e0 +[ 5.423492] tcf_proto_create+0x65/0x290 +[ 5.423721] tc_new_tfilter+0x137e/0x1830 +[ 5.423957] rtnetlink_rcv_msg+0x730/0x9f0 +[ 5.424197] netlink_rcv_skb+0x166/0x300 +[ 5.424428] rtnetlink_rcv+0x11/0x20 +[ 5.424639] netlink_unicast+0x673/0x860 +[ 5.424870] netlink_sendmsg+0x6af/0x9f0 +[ 5.425100] __sys_sendto+0x58d/0x5a0 +[ 5.425315] __x64_sys_sendto+0xda/0xf0 +[ 5.425539] do_syscall_64+0x31/0x50 +[ 5.425764] entry_SYSCALL_64_after_hwframe+0x61/0xc6 +[ 5.426065] +[ 5.426157] The buggy address belongs to the object at ffff88800e312200 +[ 5.426157] which belongs to the cache kmalloc-128 of size 128 +[ 5.426955] The buggy address is located 42 bytes to the right of +[ 5.426955] 128-byte region [ffff88800e312200, ffff88800e312280) +[ 5.427688] The buggy address belongs to the page: +[ 5.427992] page:000000009875fabc refcount:1 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0xe312 +[ 5.428562] flags: 0x100000000000200(slab) +[ 5.428812] raw: 0100000000000200 dead000000000100 dead000000000122 +ffff888007843680 +[ 5.429325] raw: 0000000000000000 0000000000100010 00000001ffffffff +ffff88800e312401 +[ 5.429875] page dumped because: kasan: bad access detected +[ 5.430214] page->mem_cgroup:ffff88800e312401 +[ 5.430471] +[ 5.430564] Memory state around the buggy address: +[ 5.430846] ffff88800e312180: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 5.431267] ffff88800e312200: 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 fc +[ 5.431705] >ffff88800e312280: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 5.432123] ^ +[ 5.432391] ffff88800e312300: 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 fc +[ 5.432810] ffff88800e312380: fc fc fc fc fc fc fc fc fc fc fc fc +fc fc fc fc +[ 5.433229] ================================================================== +[ 5.433648] Disabling lock debugging due to kernel taint + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Kyle Zeng +Signed-off-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Denis Kirjanov +--- + net/sched/sch_cbq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c +index 39b427dc7512..845f62c82ab4 100644 +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -231,6 +231,8 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) + result = tcf_classify(skb, fl, &res, true); + if (!fl || result < 0) + goto fallback; ++ if (result == TC_ACT_SHOT) ++ return NULL; + + cl = (void *)res.class; + if (!cl) { +@@ -251,8 +253,6 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr) + case TC_ACT_TRAP: + *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN; + /* fall through */ +- case TC_ACT_SHOT: +- return NULL; + case TC_ACT_RECLASSIFY: + return cbq_reclassify(skb, cl); + } +-- +2.16.4 + diff --git a/patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch b/patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch new file mode 100644 index 0000000..d248219 --- /dev/null +++ b/patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch @@ -0,0 +1,97 @@ +From e99a1ad03ed12ba46b8624a40b850912e21e5a08 Mon Sep 17 00:00:00 2001 +From: Frederick Lawler +Date: Mon, 9 Jan 2023 10:39:06 -0600 +Subject: [PATCH] net: sched: disallow noqueue for qdisc classes +Git-commit: 96398560f26aa07e8f2969d73c8197e6a6d10407 +References: bsc#1207237 CVE-2022-47929 +Patch-mainline: v6.2-rc4 + +While experimenting with applying noqueue to a classful queue discipline, +we discovered a NULL pointer dereference in the __dev_queue_xmit() +path that generates a kernel OOPS: + + # dev=enp0s5 + # tc qdisc replace dev $dev root handle 1: htb default 1 + # tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit + # tc qdisc add dev $dev parent 1:1 handle 10: noqueue + # ping -I $dev -w 1 -c 1 1.1.1.1 + +[ 2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 2.173217] #PF: supervisor instruction fetch in kernel mode +... +[ 2.178451] Call Trace: +[ 2.178577] +[ 2.178686] htb_enqueue+0x1c8/0x370 +[ 2.178880] dev_qdisc_enqueue+0x15/0x90 +[ 2.179093] __dev_queue_xmit+0x798/0xd00 +[ 2.179305] ? _raw_write_lock_bh+0xe/0x30 +[ 2.179522] ? __local_bh_enable_ip+0x32/0x70 +[ 2.179759] ? ___neigh_create+0x610/0x840 +[ 2.179968] ? eth_header+0x21/0xc0 +[ 2.180144] ip_finish_output2+0x15e/0x4f0 +[ 2.180348] ? dst_output+0x30/0x30 +[ 2.180525] ip_push_pending_frames+0x9d/0xb0 +[ 2.180739] raw_sendmsg+0x601/0xcb0 +[ 2.180916] ? _raw_spin_trylock+0xe/0x50 +[ 2.181112] ? _raw_spin_unlock_irqrestore+0x16/0x30 +[ 2.181354] ? get_page_from_freelist+0xcd6/0xdf0 +[ 2.181594] ? sock_sendmsg+0x56/0x60 +[ 2.181781] sock_sendmsg+0x56/0x60 +[ 2.181958] __sys_sendto+0xf7/0x160 +[ 2.182139] ? handle_mm_fault+0x6e/0x1d0 +[ 2.182366] ? do_user_addr_fault+0x1e1/0x660 +[ 2.182627] __x64_sys_sendto+0x1b/0x30 +[ 2.182881] do_syscall_64+0x38/0x90 +[ 2.183085] entry_SYSCALL_64_after_hwframe+0x63/0xcd +... +[ 2.187402] + +Previously in commit d66d6c3152e8 ("net: sched: register noqueue +qdisc"), NULL was set for the noqueue discipline on noqueue init +so that __dev_queue_xmit() falls through for the noqueue case. This +also sets a bypass of the enqueue NULL check in the +register_qdisc() function for the struct noqueue_disc_ops. + +Classful queue disciplines make it past the NULL check in +__dev_queue_xmit() because the discipline is set to htb (in this case), +and then in the call to __dev_xmit_skb(), it calls into htb_enqueue() +which grabs a leaf node for a class and then calls qdisc_enqueue() by +passing in a queue discipline which assumes ->enqueue() is not set to NULL. + +Fix this by not allowing classes to be assigned to the noqueue +discipline. Linux TC Notes states that classes cannot be set to +the noqueue discipline. [1] Let's enforce that here. + +Links: +1. https://linux-tc-notes.sourceforge.net/tc/doc/sch_noqueue.txt + +Fixes: d66d6c3152e8 ("net: sched: register noqueue qdisc") +Cc: stable@vger.kernel.org +Signed-off-by: Frederick Lawler +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/r/20230109163906.706000-1-fred@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + net/sched/sch_api.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 50794125bf02..5c1daa97bd25 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1097,6 +1097,11 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + return -ENOENT; + } + ++ if (new && new->ops == &noqueue_qdisc_ops) { ++ NL_SET_ERR_MSG(extack, "Cannot assign noqueue to a class"); ++ return -EINVAL; ++ } ++ + err = cops->graft(parent, cl, new, &old, extack); + if (err) + return err; +-- +2.16.4 + diff --git a/patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch b/patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch new file mode 100644 index 0000000..79d77da --- /dev/null +++ b/patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch @@ -0,0 +1,259 @@ +From: Eric Dumazet +Date: Tue, 18 Oct 2022 20:32:58 +0000 +Subject: net: sched: fix race condition in qdisc_graft() +Patch-mainline: v6.1-rc2 +Git-commit: ebda44da44f6f309d302522b049f43d6f829f7aa +References: CVE-2023-0590 bsc#1207795 + +We had one syzbot report [1] in syzbot queue for a while. +I was waiting for more occurrences and/or a repro but +Dmitry Vyukov spotted the issue right away. + + +qdisc_graft() drops reference to qdisc in notify_and_destroy +while it's still assigned to dev->qdisc + + +Indeed, RCU rules are clear when replacing a data structure. +The visible pointer (dev->qdisc in this case) must be updated +to the new object _before_ RCU grace period is started +(qdisc_put(old) in this case). + +[1] +BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066 +Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027 + +CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:317 [inline] +print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 +kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 +__tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066 +__tcf_qdisc_find net/sched/cls_api.c:1051 [inline] +tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018 +rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081 +netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2482 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 +__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5efaa89279 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f5efbc31168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f5efab9bf80 RCX: 00007f5efaa89279 +RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 +RBP: 00007f5efaae32e9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f5efb0cfb1f R14: 00007f5efbc31300 R15: 0000000000022000 + + +Allocated by task 21027: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +kasan_set_track mm/kasan/common.c:45 [inline] +set_alloc_info mm/kasan/common.c:437 [inline] +____kasan_kmalloc mm/kasan/common.c:516 [inline] +____kasan_kmalloc mm/kasan/common.c:475 [inline] +__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525 +kmalloc_node include/linux/slab.h:623 [inline] +kzalloc_node include/linux/slab.h:744 [inline] +qdisc_alloc+0xb0/0xc50 net/sched/sch_generic.c:938 +qdisc_create_dflt+0x71/0x4a0 net/sched/sch_generic.c:997 +attach_one_default_qdisc net/sched/sch_generic.c:1152 [inline] +netdev_for_each_tx_queue include/linux/netdevice.h:2437 [inline] +attach_default_qdiscs net/sched/sch_generic.c:1170 [inline] +dev_activate+0x760/0xcd0 net/sched/sch_generic.c:1229 +__dev_open+0x393/0x4d0 net/core/dev.c:1441 +__dev_change_flags+0x583/0x750 net/core/dev.c:8556 +rtnl_configure_link+0xee/0x240 net/core/rtnetlink.c:3189 +rtnl_newlink_create net/core/rtnetlink.c:3371 [inline] +__rtnl_newlink+0x10b8/0x17e0 net/core/rtnetlink.c:3580 +rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593 +rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090 +netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2482 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 +__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 21020: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +kasan_set_track+0x21/0x30 mm/kasan/common.c:45 +kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 +____kasan_slab_free mm/kasan/common.c:367 [inline] +____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329 +kasan_slab_free include/linux/kasan.h:200 [inline] +slab_free_hook mm/slub.c:1754 [inline] +slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780 +slab_free mm/slub.c:3534 [inline] +kfree+0xe2/0x580 mm/slub.c:4562 +rcu_do_batch kernel/rcu/tree.c:2245 [inline] +rcu_core+0x7b5/0x1890 kernel/rcu/tree.c:2505 +__do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 + +Last potentially related work creation: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 +call_rcu+0x99/0x790 kernel/rcu/tree.c:2793 +qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1083 +notify_and_destroy net/sched/sch_api.c:1012 [inline] +qdisc_graft+0xeb1/0x1270 net/sched/sch_api.c:1084 +tc_modify_qdisc+0xbb7/0x1a00 net/sched/sch_api.c:1671 +rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090 +netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2482 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 +__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Second to last potentially related work creation: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 +kvfree_call_rcu+0x74/0x940 kernel/rcu/tree.c:3322 +neigh_destroy+0x431/0x630 net/core/neighbour.c:912 +neigh_release include/net/neighbour.h:454 [inline] +neigh_cleanup_and_release+0x1f8/0x330 net/core/neighbour.c:103 +neigh_del net/core/neighbour.c:225 [inline] +neigh_remove_one+0x37d/0x460 net/core/neighbour.c:246 +neigh_forced_gc net/core/neighbour.c:276 [inline] +neigh_alloc net/core/neighbour.c:447 [inline] +___neigh_create+0x18b5/0x29a0 net/core/neighbour.c:642 +ip6_finish_output2+0xfb8/0x1520 net/ipv6/ip6_output.c:125 +__ip6_finish_output net/ipv6/ip6_output.c:195 [inline] +ip6_finish_output+0x690/0x1160 net/ipv6/ip6_output.c:206 +NF_HOOK_COND include/linux/netfilter.h:296 [inline] +ip6_output+0x1ed/0x540 net/ipv6/ip6_output.c:227 +dst_output include/net/dst.h:451 [inline] +NF_HOOK include/linux/netfilter.h:307 [inline] +NF_HOOK include/linux/netfilter.h:301 [inline] +mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820 +mld_send_cr net/ipv6/mcast.c:2121 [inline] +mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2653 +process_one_work+0x991/0x1610 kernel/workqueue.c:2289 +worker_thread+0x665/0x1080 kernel/workqueue.c:2436 +kthread+0x2e4/0x3a0 kernel/kthread.c:376 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + +The buggy address belongs to the object at ffff88802065e000 +which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 56 bytes inside of +1024-byte region [ffff88802065e000, ffff88802065e400) + +The buggy address belongs to the physical page: +page:ffffea0000819600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20658 +head:ffffea0000819600 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3523, tgid 3523 (sshd), ts 41495190986, free_ts 41417713212 +prep_new_page mm/page_alloc.c:2532 [inline] +get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 +__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515 +alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270 +alloc_slab_page mm/slub.c:1824 [inline] +allocate_slab+0x27e/0x3d0 mm/slub.c:1969 +new_slab mm/slub.c:2029 [inline] +___slab_alloc+0x7f1/0xe10 mm/slub.c:3031 +__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118 +slab_alloc_node mm/slub.c:3209 [inline] +__kmalloc_node_track_caller+0x2f2/0x380 mm/slub.c:4955 +kmalloc_reserve net/core/skbuff.c:358 [inline] +__alloc_skb+0xd9/0x2f0 net/core/skbuff.c:430 +alloc_skb_fclone include/linux/skbuff.h:1307 [inline] +tcp_stream_alloc_skb+0x38/0x580 net/ipv4/tcp.c:861 +tcp_sendmsg_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325 +tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483 +inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +sock_write_iter+0x291/0x3d0 net/socket.c:1108 +call_write_iter include/linux/fs.h:2187 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x9e9/0xdd0 fs/read_write.c:578 +ksys_write+0x1e8/0x250 fs/read_write.c:631 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1449 [inline] +free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 +free_unref_page_prepare mm/page_alloc.c:3380 [inline] +free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476 +__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2548 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447 +kasan_slab_alloc include/linux/kasan.h:224 [inline] +slab_post_alloc_hook mm/slab.h:727 [inline] +slab_alloc_node mm/slub.c:3243 [inline] +slab_alloc mm/slub.c:3251 [inline] +__kmem_cache_alloc_lru mm/slub.c:3258 [inline] +kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268 +kmem_cache_zalloc include/linux/slab.h:723 [inline] +alloc_buffer_head+0x20/0x140 fs/buffer.c:2974 +alloc_page_buffers+0x280/0x790 fs/buffer.c:829 +create_empty_buffers+0x2c/0xee0 fs/buffer.c:1558 +ext4_block_write_begin+0x1004/0x1530 fs/ext4/inode.c:1074 +ext4_da_write_begin+0x422/0xae0 fs/ext4/inode.c:2996 +generic_perform_write+0x246/0x560 mm/filemap.c:3738 +ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:270 +ext4_file_write_iter+0x44a/0x1660 fs/ext4/file.c:679 +call_write_iter include/linux/fs.h:2187 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x9e9/0xdd0 fs/read_write.c:578 + +Fixes: af356afa010f ("net_sched: reintroduce dev->qdisc for use by sch_api") +Reported-by: syzbot +Diagnosed-by: Dmitry Vyukov +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20221018203258.2793282-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + net/sched/sch_api.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1064,12 +1064,13 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + + skip: + if (!ingress) { +- notify_and_destroy(net, skb, n, classid, +- rtnl_dereference(dev->qdisc), new); ++ old = rtnl_dereference(dev->qdisc); + if (new && !new->ops->attach) + qdisc_refcount_inc(new); + rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc); + ++ notify_and_destroy(net, skb, n, classid, old, new); ++ + if (new && new->ops->attach) + new->ops->attach(new); + } else { diff --git a/patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch b/patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch new file mode 100644 index 0000000..446c726 --- /dev/null +++ b/patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch @@ -0,0 +1,301 @@ +From: Eric Dumazet +Date: Fri, 11 Feb 2022 12:06:23 -0800 +Subject: net_sched: add __rcu annotation to netdev->qdisc +Patch-mainline: v5.17-rc5 +Git-commit: 5891cd5ec46c2c2eb6427cb54d214b149635dd0e +References: CVE-2023-0590 bsc#1207795 + +syzbot found a data-race [1] which lead me to add __rcu +annotations to netdev->qdisc, and proper accessors +to get LOCKDEP support. + +[1] +BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu + +write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1: + attach_default_qdiscs net/sched/sch_generic.c:1167 [inline] + dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221 + __dev_open+0x2e9/0x3a0 net/core/dev.c:1416 + __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139 + rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150 + __rtnl_newlink net/core/rtnetlink.c:3489 [inline] + rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0: + qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323 + __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050 + tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211 + rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 470502de5bdb ("net: sched: unlock rules update API") +Signed-off-by: Eric Dumazet +Cc: Vlad Buslov +Reported-by: syzbot +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +--- + include/linux/netdevice.h | 2 +- + net/core/rtnetlink.c | 6 ++++-- + net/sched/cls_api.c | 6 +++--- + net/sched/sch_api.c | 22 ++++++++++++---------- + net/sched/sch_generic.c | 20 +++++++++++--------- + 5 files changed, 31 insertions(+), 25 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1985,7 +1985,7 @@ struct net_device { + struct netdev_queue *_tx ____cacheline_aligned_in_smp; + unsigned int num_tx_queues; + unsigned int real_num_tx_queues; +- struct Qdisc *qdisc; ++ struct Qdisc __rcu *qdisc; + #ifdef CONFIG_NET_SCHED + DECLARE_HASHTABLE (qdisc_hash, 4); + #endif +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1660,6 +1660,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, + { + struct ifinfomsg *ifm; + struct nlmsghdr *nlh; ++ struct Qdisc *qdisc; + + ASSERT_RTNL(); + nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags); +@@ -1677,6 +1678,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, + if (tgt_netnsid >= 0 && nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid)) + goto nla_put_failure; + ++ qdisc = rtnl_dereference(dev->qdisc); + if (nla_put_string(skb, IFLA_IFNAME, dev->name) || + nla_put_u32(skb, IFLA_TXQLEN, dev->tx_queue_len) || + nla_put_u8(skb, IFLA_OPERSTATE, +@@ -1695,8 +1697,8 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, + #endif + put_master_ifindex(skb, dev) || + nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) || +- (dev->qdisc && +- nla_put_string(skb, IFLA_QDISC, dev->qdisc->ops->id)) || ++ (qdisc && ++ nla_put_string(skb, IFLA_QDISC, qdisc->ops->id)) || + nla_put_ifalias(skb, dev) || + nla_put_u32(skb, IFLA_CARRIER_CHANGES, + atomic_read(&dev->carrier_up_count) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1065,7 +1065,7 @@ static int __tcf_qdisc_find(struct net *net, struct Qdisc **q, + + /* Find qdisc */ + if (!*parent) { +- *q = dev->qdisc; ++ *q = rcu_dereference(dev->qdisc); + *parent = (*q)->handle; + } else { + *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent)); +@@ -2524,7 +2524,7 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) + + parent = tcm->tcm_parent; + if (!parent) { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + parent = q->handle; + } else { + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); +@@ -2911,7 +2911,7 @@ static int tc_dump_chain(struct sk_buff *skb, struct netlink_callback *cb) + + parent = tcm->tcm_parent; + if (!parent) { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + parent = q->handle; + } else { + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -298,7 +298,7 @@ struct Qdisc *qdisc_lookup(struct net_device *dev, u32 handle) + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rtnl_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -317,7 +317,7 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle) + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rcu_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -1065,10 +1065,10 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + skip: + if (!ingress) { + notify_and_destroy(net, skb, n, classid, +- dev->qdisc, new); ++ rtnl_dereference(dev->qdisc), new); + if (new && !new->ops->attach) + qdisc_refcount_inc(new); +- dev->qdisc = new ? : &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc); + + if (new && new->ops->attach) + new->ops->attach(new); +@@ -1448,7 +1448,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + if (!q) { + NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); +@@ -1537,7 +1537,7 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + + /* It may be default qdisc, ignore it */ +@@ -1759,7 +1759,8 @@ static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb) + s_q_idx = 0; + q_idx = 0; + +- if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx, ++ if (tc_dump_qdisc_root(rtnl_dereference(dev->qdisc), ++ skb, cb, &q_idx, s_q_idx, + true, tca[TCA_DUMP_INVISIBLE]) < 0) + goto done; + +@@ -2035,7 +2036,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, + } else if (qid1) { + qid = qid1; + } else if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + + /* Now qid is genuine qdisc handle consistent + * both with parent and child. +@@ -2046,7 +2047,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, + portid = TC_H_MAKE(qid, portid); + } else { + if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + } + + /* OK. Locate qdisc */ +@@ -2207,7 +2208,8 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb) + s_t = cb->args[0]; + t = 0; + +- if (tc_dump_tclass_root(dev->qdisc, skb, tcm, cb, &t, s_t) < 0) ++ if (tc_dump_tclass_root(rtnl_dereference(dev->qdisc), ++ skb, tcm, cb, &t, s_t) < 0) + goto done; + + dev_queue = dev_ingress_queue(dev); +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1074,18 +1074,20 @@ static void attach_default_qdiscs(struct net_device *dev) + if (!netif_is_multiqueue(dev) || + dev->priv_flags & IFF_NO_QUEUE) { + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); +- dev->qdisc = txq->qdisc_sleeping; +- qdisc_refcount_inc(dev->qdisc); ++ qdisc = txq->qdisc_sleeping; ++ rcu_assign_pointer(dev->qdisc, qdisc); ++ qdisc_refcount_inc(qdisc); + } else { + qdisc = qdisc_create_dflt(txq, &mq_qdisc_ops, TC_H_ROOT, NULL); + if (qdisc) { +- dev->qdisc = qdisc; ++ rcu_assign_pointer(dev->qdisc, qdisc); + qdisc->ops->attach(qdisc); + } + } ++ qdisc = rtnl_dereference(dev->qdisc); + #ifdef CONFIG_NET_SCHED +- if (dev->qdisc != &noop_qdisc) +- qdisc_hash_add(dev->qdisc, false); ++ if (qdisc != &noop_qdisc) ++ qdisc_hash_add(qdisc, false); + #endif + } + +@@ -1115,7 +1117,7 @@ void dev_activate(struct net_device *dev) + * and noqueue_qdisc for virtual interfaces + */ + +- if (dev->qdisc == &noop_qdisc) ++ if (rtnl_dereference(dev->qdisc) == &noop_qdisc) + attach_default_qdiscs(dev); + + if (!netif_carrier_ok(dev)) +@@ -1298,7 +1300,7 @@ static void dev_init_scheduler_queue(struct net_device *dev, + + void dev_init_scheduler(struct net_device *dev) + { +- dev->qdisc = &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + netdev_for_each_tx_queue(dev, dev_init_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + dev_init_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +@@ -1326,8 +1328,8 @@ void dev_shutdown(struct net_device *dev) + netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + shutdown_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +- qdisc_put(dev->qdisc); +- dev->qdisc = &noop_qdisc; ++ qdisc_put(rtnl_dereference(dev->qdisc)); ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + + WARN_ON(timer_pending(&dev->watchdog_timer)); + } diff --git a/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch b/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch new file mode 100644 index 0000000..d6131f5 --- /dev/null +++ b/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch @@ -0,0 +1,46 @@ +From: Florian Westphal +Date: Tue, 9 Aug 2022 18:34:02 +0200 +Subject: netfilter: nf_tables: fix null deref due to zeroed list head +Git-commit: 580077855a40741cf511766129702d97ff02f4d9 +Patch-mainline: v6.0-rc1 +References: CVE-2023-1095 bsc#1208777 + +In nf_tables_updtable, if nf_tables_table_enable returns an error, +nft_trans_destroy is called to free the transaction object. + +nft_trans_destroy() calls list_del(), but the transaction was never +placed on a list -- the list head is all zeroes, this results in +a null dereference: + +BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59 +Call Trace: + nft_trans_destroy+0x26/0x59 + nf_tables_newtable+0x4bc/0x9bc + [..] + +Its sane to assume that nft_trans_destroy() can be called +on the transaction object returned by nft_trans_alloc(), so +make sure the list head is initialised. + +Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table") +Reported-by: mingi cho +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Acked-by: Miroslav Franc +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 460b0925ea60..3cc88998b879 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, + if (trans == NULL) + return NULL; + ++ INIT_LIST_HEAD(&trans->list); + trans->msg_type = msg_type; + trans->ctx = *ctx; + + diff --git a/patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch b/patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch new file mode 100644 index 0000000..5781e37 --- /dev/null +++ b/patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch @@ -0,0 +1,44 @@ +From 559c36c5a8d730c49ef805a72b213d3bba155cc8 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 7 Sep 2022 10:26:18 +0200 +Subject: [PATCH] netfilter: nfnetlink_osf: fix possible bogus match in + nf_osf_find() +References: bsc#1204614 +Git-commit: 559c36c5a8d730c49ef805a72b213d3bba155cc8 +Patch-mainline: v6.0-rc7 + +nf_osf_find() incorrectly returns true on mismatch, this leads to +copying uninitialized memory area in nft_osf which can be used to leak +stale kernel stack data to userspace. + +Fixes: 22c7652cdaa8 ("netfilter: nft_osf: Add version option support") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Oscar Salvador +--- + net/netfilter/nfnetlink_osf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nfnetlink_osf.c ++++ b/net/netfilter/nfnetlink_osf.c +@@ -265,6 +265,7 @@ bool nf_osf_find(const struct sk_buff *s + const struct nf_osf_finger *kf; + struct nf_osf_hdr_ctx ctx; + const struct tcphdr *tcp; ++ bool found = false; + + memset(&ctx, 0, sizeof(ctx)); + +@@ -279,10 +280,11 @@ bool nf_osf_find(const struct sk_buff *s + + data->genre = f->genre; + data->version = f->version; ++ found = true; + break; + } + +- return true; ++ return found; + } + EXPORT_SYMBOL_GPL(nf_osf_find); + diff --git a/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch b/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch new file mode 100644 index 0000000..9d314e1 --- /dev/null +++ b/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch @@ -0,0 +1,62 @@ +From: "J. Bruce Fields" +Date: Mon, 29 Nov 2021 15:08:00 -0500 +Subject: [PATCH] nfsd: fix use-after-free due to delegation race +Git-commit: 548ec0805c399c65ed66c6641be467f717833ab5 +Patch-mainline: v5.16 +References: bsc#1208813 + +A delegation break could arrive as soon as we've called vfs_setlease. A +delegation break runs a callback which immediately (in +nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we +then exit nfs4_set_delegation without hashing the delegation, it will be +freed as soon as the callback is done with it, without ever being +removed from del_recall_lru. + +Symptoms show up later as use-after-free or list corruption warnings, +usually in the laundromat thread. + +I suspect aba2072f4523 "nfsd: grant read delegations to clients holding +writes" made this bug easier to hit, but I looked as far back as v3.0 +and it looks to me it already had the same problem. So I'm not sure +where the bug was introduced; it may have been there from the beginning. + +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Acked-by: NeilBrown + +--- + fs/nfsd/nfs4state.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1047,6 +1047,11 @@ hash_delegation_locked(struct nfs4_deleg + return 0; + } + ++static bool delegation_hashed(struct nfs4_delegation *dp) ++{ ++ return !(list_empty(&dp->dl_perfile)); ++} ++ + static bool + unhash_delegation_locked(struct nfs4_delegation *dp) + { +@@ -1054,7 +1059,7 @@ unhash_delegation_locked(struct nfs4_del + + lockdep_assert_held(&state_lock); + +- if (list_empty(&dp->dl_perfile)) ++ if (!delegation_hashed(dp)) + return false; + + dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID; +@@ -4505,7 +4510,7 @@ static void nfsd4_cb_recall_prepare(stru + * queued for a lease break. Don't queue it again. + */ + spin_lock(&state_lock); +- if (dp->dl_time == 0) { ++ if (delegation_hashed(dp) && dp->dl_time == 0) { + dp->dl_time = get_seconds(); + list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru); + } diff --git a/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch b/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch new file mode 100644 index 0000000..27d0f48 --- /dev/null +++ b/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch @@ -0,0 +1,38 @@ +From 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 13 Dec 2021 02:05:07 +0000 +Subject: [PATCH] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function +Git-commit: 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f +Patch-mainline: v5.17-rc1 +References: CVE-2023-23000 bsc#1208816 + +callers of tegra_xusb_find_port_node() function only do NULL checking for +the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep +consistent. + +Signed-off-by: Miaoqian Lin +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/phy/tegra/xusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c +index 963de5913e50..aa5237eacd29 100644 +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -455,7 +455,7 @@ tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type, + name = kasprintf(GFP_KERNEL, "%s-%u", type, index); + if (!name) { + of_node_put(ports); +- return ERR_PTR(-ENOMEM); ++ return NULL; + } + np = of_get_child_by_name(ports, name); + kfree(name); +-- +2.35.3 + diff --git a/patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch b/patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch new file mode 100644 index 0000000..5135503 --- /dev/null +++ b/patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch @@ -0,0 +1,62 @@ +From: Marcelo Ricardo Leitner +Date: Mon, 23 Jan 2023 14:59:33 -0300 +Subject: sctp: fail if no bound addresses can be used for a given scope +Patch-mainline: v6.2-rc6 +Git-commit: 458e279f861d3f61796894cd158b780765a1569f +References: bsc#1206677 + +Currently, if you bind the socket to something like: + servaddr.sin6_family = AF_INET6; + servaddr.sin6_port = htons(0); + servaddr.sin6_scope_id = 0; + inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); + +And then request a connect to: + connaddr.sin6_family = AF_INET6; + connaddr.sin6_port = htons(20000); + connaddr.sin6_scope_id = if_nametoindex("lo"); + inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); + +What the stack does is: + - bind the socket + - create a new asoc + - to handle the connect + - copy the addresses that can be used for the given scope + - try to connect + +But the copy returns 0 addresses, and the effect is that it ends up +trying to connect as if the socket wasn't bound, which is not the +desired behavior. This unexpected behavior also allows KASLR leaks +through SCTP diag interface. + +The fix here then is, if when trying to copy the addresses that can +be used for the scope used in connect() it returns 0 addresses, bail +out. This is what TCP does with a similar reproducer. + +Reported-by: Pietro Borrello +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner@gmail.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + net/sctp/bind_addr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/sctp/bind_addr.c ++++ b/net/sctp/bind_addr.c +@@ -73,6 +73,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, + } + } + ++ /* If somehow no addresses were found that can be used with this ++ * scope, it's an error. ++ */ ++ if (list_empty(&dest->address_list)) ++ error = -ENETUNREACH; ++ + out: + if (error) + sctp_bind_addr_clean(dest); diff --git a/patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch b/patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch new file mode 100644 index 0000000..6c4e57d --- /dev/null +++ b/patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch @@ -0,0 +1,35 @@ +From: Seth Jenkins +Date: Mon, 3 Oct 2022 18:45:31 -0400 +Subject: [PATCH] mm: /proc/pid/smaps_rollup: fix no vma's null-deref +Patch-mainline: Never, fixed differently +References: bsc#1207769 + +mhocko@suse.com: +The upstream has fixed by c4c84f06285e ("fs/proc/task_mmu: stop using linked +list and highest_vm_end") which is a larger chabge not really suitable for +backporintg. + +Commit 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value +seq_file") introduced a null-deref if there are no vma's in the task in +show_smaps_rollup. + +Fixes: 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value seq_file") +Cc: stable@vger.kernel.org +Signed-off-by: Seth Jenkins +Acked-by: Michal Hocko + +--- + fs/proc/task_mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -876,7 +876,7 @@ static int show_smaps_rollup(struct seq_ + last_vma_end = vma->vm_end; + } + +- show_vma_header_prefix(m, priv->mm->mmap->vm_start, ++ show_vma_header_prefix(m, priv->mm->mmap ? priv->mm->mmap->vm_start : 0, + last_vma_end, 0, 0, 0, 0); + seq_pad(m, ' '); + seq_puts(m, "[rollup]\n"); diff --git a/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch b/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch new file mode 100644 index 0000000..51470f8 --- /dev/null +++ b/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch @@ -0,0 +1,43 @@ +From: Pietro Borrello +Date: Sat, 4 Feb 2023 17:39:22 +0000 +Subject: tap: tap_open(): correctly initialize socket uid +Git-commit: 66b2c338adce580dfce2199591e65e2bab889cff +Patch-mainline: v6.3-rc1 +References: CVE-2023-1076 bsc#1208599 + +sock_init_data() assumes that the `struct socket` passed in input is +contained in a `struct socket_alloc` allocated with sock_alloc(). +However, tap_open() passes a `struct socket` embedded in a `struct +tap_queue` allocated with sk_alloc(). +This causes a type confusion when issuing a container_of() with +SOCK_INODE() in sock_init_data() which results in assigning a wrong +sk_uid to the `struct sock` in input. +On default configuration, the type confused field overlaps with +padding bytes between `int vnet_hdr_sz` and `struct tap_dev __rcu +*tap` in `struct tap_queue`, which makes the uid of all tap sockets 0, +i.e., the root one. +Fix the assignment by using sock_init_data_uid(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Miroslav Franc +--- + drivers/net/tap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tap.c b/drivers/net/tap.c +index a2be1994b389..8941aa199ea3 100644 +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -533,7 +533,7 @@ static int tap_open(struct inode *inode, struct file *file) + q->sock.state = SS_CONNECTED; + q->sock.file = file; + q->sock.ops = &tap_socket_ops; +- sock_init_data(&q->sock, &q->sk); ++ sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); + q->sk.sk_write_space = tap_sock_write_space; + q->sk.sk_destruct = tap_sock_destruct; + q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP; + diff --git a/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch b/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch new file mode 100644 index 0000000..f75ffc6 --- /dev/null +++ b/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch @@ -0,0 +1,83 @@ +From ba2ee4b6dc9874de0de26ad4b03c59b179f5dbe5 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 18 Nov 2022 16:45:01 -0500 +Subject: [PATCH 2/2] tipc: add an extra conn_get in tipc_conn_alloc +Git-commit: a7b42969d63f47320853a802efd879fbdc4e010e +Patch-mainline: v6.1-rc7 +References: bsc#1209288 CVE-2023-1382 + +One extra conn_get() is needed in tipc_conn_alloc(), as after +tipc_conn_alloc() is called, tipc_conn_close() may free this +con before deferencing it in tipc_topsrv_accept(): + + tipc_conn_alloc(); + newsk = newsock->sk; + <---- tipc_conn_close(); + write_lock_bh(&sk->sk_callback_lock); + newsk->sk_data_ready = tipc_conn_data_ready; + +Then an uaf issue can be triggered: + + BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc] + Call Trace: + + dump_stack_lvl+0x33/0x46 + print_report+0x178/0x4b0 + kasan_report+0x8c/0x100 + kasan_check_range+0x179/0x1e0 + tipc_topsrv_accept+0x1e7/0x370 [tipc] + process_one_work+0x6a3/0x1030 + worker_thread+0x8a/0xdf0 + +This patch fixes it by holding it in tipc_conn_alloc(), then after +all accessing in tipc_topsrv_accept() releasing it. Note when does +this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns +0 or -1 only, we don't need to check for "> 0". + +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + net/tipc/topsrv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 61e9828a76cd..1a3d9837ac6a 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -206,6 +206,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s + set_bit(CF_CONNECTED, &con->flags); + con->server = s; + con->sock = sock; ++ conn_get(con); + spin_unlock_bh(&s->idr_lock); + + return con; +@@ -474,6 +475,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + + /* Wake up receive process in case of 'SYN+' message */ + newsk->sk_data_ready(newsk); ++ conn_put(con); + } + } + +@@ -573,10 +575,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + + *conid = con->conid; + rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); +- if (rc >= 0) +- return true; ++ if (rc) ++ conn_put(con); ++ + conn_put(con); +- return false; ++ return !rc; + } + + void tipc_topsrv_kern_unsubscr(struct net *net, int conid) +-- +2.16.4 + diff --git a/patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch b/patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch new file mode 100644 index 0000000..fb63e16 --- /dev/null +++ b/patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch @@ -0,0 +1,105 @@ +From dd9735fb2cdb7d811c7b930a2a501a943dc10d0e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 18 Nov 2022 16:45:00 -0500 +Subject: [PATCH 1/2] tipc: set con sock in tipc_conn_alloc +Git-commit: 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 +Patch-mainline: v6.1-rc7 +References: bsc#1209288 CVE-2023-1382 + +A crash was reported by Wei Chen: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:tipc_conn_close+0x12/0x100 + Call Trace: + tipc_topsrv_exit_net+0x139/0x320 + ops_exit_list.isra.9+0x49/0x80 + cleanup_net+0x31a/0x540 + process_one_work+0x3fa/0x9f0 + worker_thread+0x42/0x5c0 + +It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(), +con is allocated in conn_idr then its sock is set: + + con = tipc_conn_alloc(); + ... <----[1] + con->sock = newsock; + +If tipc_conn_close() is called in anytime of [1], the null-pointer-def +is triggered by con->sock->sk due to con->sock is not yet set. + +This patch fixes it by moving the con->sock setting to tipc_conn_alloc() +under s->idr_lock. So that con->sock can never be NULL when getting the +con from s->conn_idr. It will be also safer to move con->server and flag +CF_CONNECTED setting under s->idr_lock, as they should all be set before +tipc_conn_alloc() is called. + +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Reported-by: Wei Chen +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + net/tipc/topsrv.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 1b63a6b2c518..61e9828a76cd 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -176,7 +176,7 @@ static void tipc_conn_close(struct tipc_conn *con) + conn_put(con); + } + +-static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) ++static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock) + { + struct tipc_conn *con; + int ret; +@@ -202,10 +202,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) + } + con->conid = ret; + s->idr_in_use++; +- spin_unlock_bh(&s->idr_lock); + + set_bit(CF_CONNECTED, &con->flags); + con->server = s; ++ con->sock = sock; ++ spin_unlock_bh(&s->idr_lock); + + return con; + } +@@ -457,7 +458,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + ret = kernel_accept(lsock, &newsock, O_NONBLOCK); + if (ret < 0) + return; +- con = tipc_conn_alloc(srv); ++ con = tipc_conn_alloc(srv, newsock); + if (IS_ERR(con)) { + ret = PTR_ERR(con); + sock_release(newsock); +@@ -469,7 +470,6 @@ static void tipc_topsrv_accept(struct work_struct *work) + newsk->sk_data_ready = tipc_conn_data_ready; + newsk->sk_write_space = tipc_conn_write_space; + newsk->sk_user_data = con; +- con->sock = newsock; + write_unlock_bh(&newsk->sk_callback_lock); + + /* Wake up receive process in case of 'SYN+' message */ +@@ -567,12 +567,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + sub.filter = filter; + *(u32 *)&sub.usr_handle = port; + +- con = tipc_conn_alloc(tipc_topsrv(net)); ++ con = tipc_conn_alloc(tipc_topsrv(net), NULL); + if (IS_ERR(con)) + return false; + + *conid = con->conid; +- con->sock = NULL; + rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); + if (rc >= 0) + return true; +-- +2.16.4 + diff --git a/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch b/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch new file mode 100644 index 0000000..ebeadfe --- /dev/null +++ b/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch @@ -0,0 +1,43 @@ +From: Pietro Borrello +Date: Sat, 4 Feb 2023 17:39:21 +0000 +Subject: tun: tun_chr_open(): correctly initialize socket uid +Git-commit: a096ccca6e503a5c575717ff8a36ace27510ab0a +Patch-mainline: v6.3-rc1 +References: CVE-2023-1076 bsc#1208599 + +sock_init_data() assumes that the `struct socket` passed in input is +contained in a `struct socket_alloc` allocated with sock_alloc(). +However, tun_chr_open() passes a `struct socket` embedded in a `struct +tun_file` allocated with sk_alloc(). +This causes a type confusion when issuing a container_of() with +SOCK_INODE() in sock_init_data() which results in assigning a wrong +sk_uid to the `struct sock` in input. +On default configuration, the type confused field overlaps with the +high 4 bytes of `struct tun_struct __rcu *tun` of `struct tun_file`, +NULL at the time of call, which makes the uid of all tun sockets 0, +i.e., the root one. +Fix the assignment by using sock_init_data_uid(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Miroslav Franc +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index a7d17c680f4a..745131b2d6db 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -3448,7 +3448,7 @@ static int tun_chr_open(struct inode *inode, struct file * file) + tfile->socket.file = file; + tfile->socket.ops = &tun_socket_ops; + +- sock_init_data(&tfile->socket, &tfile->sk); ++ sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid); + + tfile->sk.sk_write_space = tun_sock_write_space; + tfile->sk.sk_sndbuf = INT_MAX; + diff --git a/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch b/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch new file mode 100644 index 0000000..2cbe0de --- /dev/null +++ b/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch @@ -0,0 +1,51 @@ +From fa0ef93868a6062babe1144df2807a8b1d4924d2 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Fri, 31 Dec 2021 11:36:41 +0000 +Subject: [PATCH] usb: dwc3: dwc3-qcom: Add missing platform_device_put() in + dwc3_qcom_acpi_register_core +Git-commit: fa0ef93868a6062babe1144df2807a8b1d4924d2 +Patch-mainline: v5.17-rc1 +References: bsc#1208741 CVE-2023-22995 + +Add the missing platform_device_put() before return from +dwc3_qcom_acpi_register_core in the error handling case. + +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20211231113641.31474-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/dwc3/dwc3-qcom.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -474,8 +474,10 @@ static int dwc3_qcom_acpi_register_core( + qcom->dwc3->dev.coherent_dma_mask = dev->coherent_dma_mask; + + child_res = kcalloc(2, sizeof(*child_res), GFP_KERNEL); +- if (!child_res) ++ if (!child_res) { ++ platform_device_put(qcom->dwc3); + return -ENOMEM; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!res) { +@@ -507,10 +509,15 @@ static int dwc3_qcom_acpi_register_core( + } + + ret = platform_device_add(qcom->dwc3); +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "failed to add device\n"); ++ goto out; ++ } ++ kfree(child_res); ++ return 0; + + out: ++ platform_device_put(qcom->dwc3); + kfree(child_res); + return ret; + } diff --git a/patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch b/patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch new file mode 100644 index 0000000..515e30d --- /dev/null +++ b/patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch @@ -0,0 +1,43 @@ +From c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 Mon Sep 17 00:00:00 2001 +From: Szymon Heidrich +Date: Tue, 3 Jan 2023 10:17:09 +0100 +Subject: [PATCH] usb: rndis_host: Secure rndis_query check against int + overflow +Git-commit: c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 +References: CVE-2023-23559 bsc#1207051 +Patch-mainline: v6.2-rc3 + +Variables off and len typed as uint32 in rndis_query function +are controlled by incoming RNDIS response message thus their +value may be manipulated. Setting off to a unexpectetly large +value will cause the sum with len and 8 to overflow and pass +the implemented validation step. Consequently the response +pointer will be referring to a location past the expected +buffer boundaries allowing information leakage e.g. via +RNDIS_OID_802_3_PERMANENT_ADDRESS OID. + +Fixes: ddda08624013 ("USB: rndis_host, various cleanups") +Signed-off-by: Szymon Heidrich +Signed-off-by: David S. Miller +Signed-off-by: Oliver Neukum +--- + drivers/net/usb/rndis_host.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c +index f79333fe1783..7b3739b29c8f 100644 +--- a/drivers/net/usb/rndis_host.c ++++ b/drivers/net/usb/rndis_host.c +@@ -255,7 +255,8 @@ static int rndis_query(struct usbnet *dev, struct usb_interface *intf, + + off = le32_to_cpu(u.get_c->offset); + len = le32_to_cpu(u.get_c->len); +- if (unlikely((8 + off + len) > CONTROL_BUFFER_SIZE)) ++ if (unlikely((off > CONTROL_BUFFER_SIZE - 8) || ++ (len > CONTROL_BUFFER_SIZE - 8 - off))) + goto response_error; + + if (*reply_len != -1 && len != *reply_len) +-- +2.39.1 + diff --git a/patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch b/patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch new file mode 100644 index 0000000..cb6a42c --- /dev/null +++ b/patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch @@ -0,0 +1,94 @@ +From: Ronak Doshi +Date: Wed, 8 Feb 2023 14:38:59 -0800 +Subject: vmxnet3: move rss code block under eop descriptor +Patch-mainline: v6.2 +Git-commit: ec76d0c2da5c6dfb6a33f1545cc15997013923da +References: bsc#1208212 + +Commit b3973bb40041 ("vmxnet3: set correct hash type based on +rss information") added hashType information into skb. However, +rssType field is populated for eop descriptor. This can lead +to incorrectly reporting of hashType for packets which use +multiple rx descriptors. Multiple rx descriptors are used +for Jumbo frame or LRO packets, which can hit this issue. + +This patch moves the RSS codeblock under eop descritor. + +Cc: stable@vger.kernel.org +Fixes: b3973bb40041 ("vmxnet3: set correct hash type based on rss information") +Signed-off-by: Ronak Doshi +Acked-by: Peng Li +Acked-by: Guolin Yang +Link: https://lore.kernel.org/r/20230208223900.5794-1-doshir@vmware.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 50 +++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1479,31 +1479,6 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx + rxd->len = rbi->len; + } + +-#ifdef VMXNET3_RSS +- if (rcd->rssType != VMXNET3_RCD_RSS_TYPE_NONE && +- (adapter->netdev->features & NETIF_F_RXHASH)) { +- enum pkt_hash_types hash_type; +- +- switch (rcd->rssType) { +- case VMXNET3_RCD_RSS_TYPE_IPV4: +- case VMXNET3_RCD_RSS_TYPE_IPV6: +- hash_type = PKT_HASH_TYPE_L3; +- break; +- case VMXNET3_RCD_RSS_TYPE_TCPIPV4: +- case VMXNET3_RCD_RSS_TYPE_TCPIPV6: +- case VMXNET3_RCD_RSS_TYPE_UDPIPV4: +- case VMXNET3_RCD_RSS_TYPE_UDPIPV6: +- hash_type = PKT_HASH_TYPE_L4; +- break; +- default: +- hash_type = PKT_HASH_TYPE_L3; +- break; +- } +- skb_set_hash(ctx->skb, +- le32_to_cpu(rcd->rssHash), +- hash_type); +- } +-#endif + skb_put(ctx->skb, rcd->len); + + if (VMXNET3_VERSION_GE_2(adapter) && +@@ -1580,6 +1555,31 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx + u32 mtu = adapter->netdev->mtu; + skb->len += skb->data_len; + ++#ifdef VMXNET3_RSS ++ if (rcd->rssType != VMXNET3_RCD_RSS_TYPE_NONE && ++ (adapter->netdev->features & NETIF_F_RXHASH)) { ++ enum pkt_hash_types hash_type; ++ ++ switch (rcd->rssType) { ++ case VMXNET3_RCD_RSS_TYPE_IPV4: ++ case VMXNET3_RCD_RSS_TYPE_IPV6: ++ hash_type = PKT_HASH_TYPE_L3; ++ break; ++ case VMXNET3_RCD_RSS_TYPE_TCPIPV4: ++ case VMXNET3_RCD_RSS_TYPE_TCPIPV6: ++ case VMXNET3_RCD_RSS_TYPE_UDPIPV4: ++ case VMXNET3_RCD_RSS_TYPE_UDPIPV6: ++ hash_type = PKT_HASH_TYPE_L4; ++ break; ++ default: ++ hash_type = PKT_HASH_TYPE_L3; ++ break; ++ } ++ skb_set_hash(skb, ++ le32_to_cpu(rcd->rssHash), ++ hash_type); ++ } ++#endif + vmxnet3_rx_csum(adapter, skb, + (union Vmxnet3_GenericDesc *)rcd); + skb->protocol = eth_type_trans(skb, adapter->netdev); diff --git a/patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch b/patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch new file mode 100644 index 0000000..16eaca3 --- /dev/null +++ b/patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch @@ -0,0 +1,55 @@ +From cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 Mon Sep 17 00:00:00 2001 +From: Phil Turnbull +Date: Wed, 23 Nov 2022 10:35:40 -0500 +Subject: [PATCH] wifi: wilc1000: validate pairwise and authentication suite offsets +Git-commit: cd21d99e595ec1d8721e1058dcdd4f1f7de1d793 +Patch-mainline: v6.1-rc8 +References: CVE-2022-47520 bsc#1206515 + +There is no validation of 'offset' which can trigger an out-of-bounds +read when extracting RSN capabilities. + +Signed-off-by: Phil Turnbull +Tested-by: Ajay Kathat +Acked-by: Ajay Kathat +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221123153543.8568-2-philipturnbull@github.com +Acked-by: Takashi Iwai + +--- + drivers/staging/wilc1000/wilc_hif.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/drivers/staging/wilc1000/wilc_hif.c ++++ b/drivers/staging/wilc1000/wilc_hif.c +@@ -547,14 +547,25 @@ void *wilc_parse_join_bss_param(struct c + + rsn_ie = cfg80211_find_ie(WLAN_EID_RSN, ies->data, ies->len); + if (rsn_ie) { ++ int rsn_ie_len = sizeof(struct element) + rsn_ie[1]; + int offset = 8; + +- param->mode_802_11i = 2; +- param->rsn_found = true; + //extract RSN capabilities +- offset += (rsn_ie[offset] * 4) + 2; +- offset += (rsn_ie[offset] * 4) + 2; +- memcpy(param->rsn_cap, &rsn_ie[offset], 2); ++ if (offset < rsn_ie_len) { ++ /* skip over pairwise suites */ ++ offset += (rsn_ie[offset] * 4) + 2; ++ ++ if (offset < rsn_ie_len) { ++ /* skip over authentication suites */ ++ offset += (rsn_ie[offset] * 4) + 2; ++ ++ if (offset + 1 < rsn_ie_len) { ++ param->mode_802_11i = 2; ++ param->rsn_found = true; ++ memcpy(param->rsn_cap, &rsn_ie[offset], 2); ++ } ++ } ++ } + } + + if (param->rsn_found) { diff --git a/patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch b/patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch new file mode 100644 index 0000000..6a0e7c8 --- /dev/null +++ b/patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch @@ -0,0 +1,29 @@ +From: Rodrigo Branco +Date: Tue, 3 Jan 2023 14:17:51 -0600 +Subject: x86/bugs: Flush IBP in ib_prctl_set() +Git-commit: a664ec9158eeddd75121d39c9a0758016097fa96 +Patch-mainline: 6.2-rc3 +References: bsc#1207773 CVE-2023-0045 + +We missed the window between the TIF flag update and the next reschedule. + +Signed-off-by: Rodrigo Branco +Reviewed-by: Borislav Petkov (AMD) +Signed-off-by: Ingo Molnar +Cc: +Signed-off-by: Jiri Slaby +--- + arch/x86/kernel/cpu/bugs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1332,6 +1332,8 @@ static int ib_prctl_set(struct task_stru + if (ctrl == PR_SPEC_FORCE_DISABLE) + task_set_spec_ib_force_disable(task); + task_update_spec_tif(task); ++ if (task == current) ++ indirect_branch_prediction_barrier(); + break; + default: + return -ERANGE; diff --git a/patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch b/patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch new file mode 100644 index 0000000..295c5bb --- /dev/null +++ b/patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch @@ -0,0 +1,157 @@ +From: Peter Zijlstra +Date: Thu, 27 Oct 2022 14:54:41 -0700 +Subject: x86/mm: Randomize per-cpu entry area +Git-commit: 97e3d26b5e5f371b3ee223d94dd123e6c442ba80 +Patch-mainline: v6.2-rc1 +References: bsc#1207845 CVE-2023-0597 + +Seth found that the CPU-entry-area; the piece of per-cpu data that is +mapped into the userspace page-tables for kPTI is not subject to any +randomization -- irrespective of kASLR settings. + +On x86_64 a whole P4D (512 GB) of virtual address space is reserved for +this structure, which is plenty large enough to randomize things a +little. + +As such, use a straight forward randomization scheme that avoids +duplicates to spread the existing CPUs over the available space. + + [ bp: Fix le build. ] + +Reported-by: Seth Jenkins +Reviewed-by: Kees Cook +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov +[mkoutny: v5.14 backport: init_cea_offsets() is called way before + prandom_init_early() initcall, prandom_u32_max() is not properly + seeded yet. Use KASLR seed and local state to generate CPU entry + areas offsets, this is based on the approach in + kernel_randomize_memory() and should provide same randomness + guarantees -- beware we don't get cryptographically secure random + offsets. This reduces effective entropy in exfiltrating *all* CPU + entry areas by log2(nr_cpus) bits, entropy for *any* CPU is + unaffected. + This was chosen instead of backporting f62384995e4c ("random: split + initialization into early step and later step") and crng related + reworks.] +[mkoutny: v5.3 backport: dropped hw_breakpoint hunk without 24ae0c91cbc5 + ("x86/hw_breakpoint: Prevent data breakpoints on cpu_entry_area"), + adjusted context for missing doublefault_stack on 32b] +Acked-by: Michal Koutný +--- + arch/x86/include/asm/cpu_entry_area.h | 13 ++++----- + arch/x86/mm/cpu_entry_area.c | 48 ++++++++++++++++++++++++++++++++-- + 2 files changed, 53 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/cpu_entry_area.h ++++ b/arch/x86/include/asm/cpu_entry_area.h +@@ -111,10 +111,6 @@ struct cpu_entry_area { + }; + + #define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area)) +-#define CPU_ENTRY_AREA_ARRAY_SIZE (CPU_ENTRY_AREA_SIZE * NR_CPUS) +- +-/* Total size includes the readonly IDT mapping page as well: */ +-#define CPU_ENTRY_AREA_TOTAL_SIZE (CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE) + + DECLARE_PER_CPU(struct cpu_entry_area *, cpu_entry_area); + DECLARE_PER_CPU(struct cea_exception_stacks *, cea_exception_stacks); +@@ -128,8 +124,13 @@ extern void cea_set_pte(void *cea_vaddr, + + #define CPU_ENTRY_AREA_RO_IDT_VADDR ((void *)CPU_ENTRY_AREA_RO_IDT) + +-#define CPU_ENTRY_AREA_MAP_SIZE \ +- (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_ARRAY_SIZE - CPU_ENTRY_AREA_BASE) ++#ifdef CONFIG_X86_32 ++#define CPU_ENTRY_AREA_MAP_SIZE (CPU_ENTRY_AREA_PER_CPU + \ ++ (CPU_ENTRY_AREA_SIZE * NR_CPUS) - \ ++ CPU_ENTRY_AREA_BASE) ++#else ++#define CPU_ENTRY_AREA_MAP_SIZE P4D_SIZE ++#endif + + extern struct cpu_entry_area *get_cpu_entry_area(int cpu); + +--- a/arch/x86/mm/cpu_entry_area.c ++++ b/arch/x86/mm/cpu_entry_area.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -15,11 +16,53 @@ static DEFINE_PER_CPU_PAGE_ALIGNED(struc + #ifdef CONFIG_X86_64 + static DEFINE_PER_CPU_PAGE_ALIGNED(struct exception_stacks, exception_stacks); + DEFINE_PER_CPU(struct cea_exception_stacks*, cea_exception_stacks); ++ ++static DEFINE_PER_CPU_READ_MOSTLY(unsigned long, _cea_offset); ++ ++static __always_inline unsigned int cea_offset(unsigned int cpu) ++{ ++ return per_cpu(_cea_offset, cpu); ++} ++ ++static __init void init_cea_offsets(void) ++{ ++ struct rnd_state rand_state; ++ unsigned int max_cea, rand; ++ unsigned int i, j; ++ ++ max_cea = (CPU_ENTRY_AREA_MAP_SIZE - PAGE_SIZE) / CPU_ENTRY_AREA_SIZE; ++ prandom_seed_state(&rand_state, kaslr_get_random_long("CPU entry")); ++ ++ /* O(sodding terrible) */ ++ for_each_possible_cpu(i) { ++ unsigned int cea; ++ ++again: ++ prandom_bytes_state(&rand_state, &rand, sizeof(rand)); ++ cea = rand % max_cea; ++ ++ for_each_possible_cpu(j) { ++ if (cea_offset(j) == cea) ++ goto again; ++ ++ if (i == j) ++ break; ++ } ++ ++ per_cpu(_cea_offset, i) = cea; ++ } ++} ++#else /* !X86_64 */ ++static __always_inline unsigned int cea_offset(unsigned int cpu) ++{ ++ return cpu; ++} ++static inline void init_cea_offsets(void) { } + #endif + + struct cpu_entry_area *get_cpu_entry_area(int cpu) + { +- unsigned long va = CPU_ENTRY_AREA_PER_CPU + cpu * CPU_ENTRY_AREA_SIZE; ++ unsigned long va = CPU_ENTRY_AREA_PER_CPU + cea_offset(cpu) * CPU_ENTRY_AREA_SIZE; + BUILD_BUG_ON(sizeof(struct cpu_entry_area) % PAGE_SIZE != 0); + + return (struct cpu_entry_area *) va; +@@ -180,7 +223,6 @@ static __init void setup_cpu_entry_area_ + + /* The +1 is for the readonly IDT: */ + BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE); +- BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE); + BUG_ON(CPU_ENTRY_AREA_BASE & ~PMD_MASK); + + start = CPU_ENTRY_AREA_BASE; +@@ -196,6 +238,8 @@ void __init setup_cpu_entry_areas(void) + { + unsigned int cpu; + ++ init_cea_offsets(); ++ + setup_cpu_entry_area_ptes(); + + for_each_possible_cpu(cpu) diff --git a/rpm/check-for-config-changes b/rpm/check-for-config-changes index fb31586..c0754d3 100755 --- a/rpm/check-for-config-changes +++ b/rpm/check-for-config-changes @@ -5,20 +5,21 @@ # # please keep them sorted alphabetically declare -a IGNORED_CONFIGS_RE=( - 'AS_HAS_[A-Z_]*' + 'AS_HAS_[A-Z0-9_]*' 'AS_VERSION' 'CC_CAN_[A-Z_]*' 'CC_HAS_[A-Z_]*' 'CC_HAVE_[A-Z_]*' 'CC_VERSION_TEXT' - 'FTRACE_MCOUNT_USE_CC' - 'FTRACE_MCOUNT_USE_RECORDMCOUNT' + 'FTRACE_MCOUNT_USE_[A-Z_]*' 'GCC_VERSION' 'G*CC[0-9]*_NO_[A-Z_]*' 'HAVE_[A-Z]*_COMPILER' 'LD_VERSION' 'PAHOLE_VERSION' + 'TOOLCHAIN_HAS_[A-Z_]*' 'TOOLS_SUPPORT_[A-Z_]*' + 'OBJTOOL' ) declare -a SED_ARGS=() diff --git a/rpm/group-source-files.pl b/rpm/group-source-files.pl index 768ecff..89fa8e8 100755 --- a/rpm/group-source-files.pl +++ b/rpm/group-source-files.pl @@ -66,7 +66,7 @@ sub calc_dirs do { $path =~ s{/[^/]+$}{}; $dirs{$path} = 1; - } while ($path ne $base); + } while ($path ne $base and $path ne ""); # This loop also makes sure that $base itself is included. } diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 336bfd2..106b254 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -24,6 +24,7 @@ %define compress_modules @COMPRESS_MODULES@ %define compress_vmlinux @COMPRESS_VMLINUX@ %define livepatch @LIVEPATCH@%{nil} +%define livepatch_rt @LIVEPATCH_RT@%{nil} %include %_sourcedir/kernel-spec-macros @@ -710,6 +711,10 @@ export BRP_PESIGN_FILES %if "%{compress_modules}" != "none" export BRP_PESIGN_COMPRESS_MODULE=%{compress_modules} %endif +# Do not sign vanilla kernels released in official projects +%if %build_vanilla && ! %vanilla_only +BRP_PESIGN_FILES="" +%endif if test -x /usr/lib/rpm/pesign/gen-hmac; then $_ -r %buildroot /boot/%image-%kernelrelease-%build_flavor @@ -1334,7 +1339,7 @@ relink ../../linux-%{kernelrelease}%{variant}-obj/"%cpu_arch_flavor" /usr/src/li /usr/src/linux-obj/%kmp_target_cpu %endif -%if "%livepatch" != "" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y" && "%variant" == "" && %build_default +%if "%livepatch" != "" && "%CONFIG_SUSE_KERNEL_SUPPORTED" == "y" && (("%variant" == "" && %build_default) || ("%variant" == "-rt" && 0%livepatch_rt)) %if "%livepatch" == "kgraft" %define patch_package %{livepatch}-patch %else @@ -1344,13 +1349,15 @@ relink ../../linux-%{kernelrelease}%{variant}-obj/"%cpu_arch_flavor" /usr/src/li Summary: Metapackage to pull in matching %patch_package package Group: System/Kernel Requires: %{patch_package}-%(echo %{version}-%{source_rel} | sed 'y/\./_/')-%{build_flavor} +Provides: multiversion(kernel) +%if "%variant" != "-rt" Provides: kernel-default-kgraft = %version Provides: kernel-xen-kgraft = %version -Provides: multiversion(kernel) %if "%livepatch" != "kgraft" Obsoletes: kernel-default-kgraft < %version Obsoletes: kernel-xen-kgraft < %version %endif +%endif %description %{livepatch} This is a metapackage that pulls in the matching %patch_package package for a @@ -1389,6 +1396,8 @@ Provides: multiversion(kernel) # tell weak-modules2 to ignore this package Provides: kmp_in_kernel Requires(post): suse-module-tools >= 12.4 +Enhances: %name +Supplements: packageand(%name:%@KMP_NAME@-%build_flavor) @KMP_DEPS@ %description -n @KMP_NAME@-%build_flavor diff --git a/rpm/kernel-source.rpmlintrc b/rpm/kernel-source.rpmlintrc index a63f94e..fa0fc43 100644 --- a/rpm/kernel-source.rpmlintrc +++ b/rpm/kernel-source.rpmlintrc @@ -10,7 +10,3 @@ addFilter("dangling-symlink .*/lib/modules/[1-9].*/source") addFilter("hidden-file-or-dir /usr/src/linux-.*-obj/.*/.config") addFilter("hidden-file-or-dir /usr/src/linux-.*-obj/.*/.kernel-binary.spec.buildenv") addFilter("hidden-file-or-dir /boot/\..*\.hmac") -# This check ensures that KMPs are built using the %kernel_module_package -# macro, but we are deliberately not doing this for KMPs built from the -# kernel spec file (fate#319339) -addFilter("suse-policy-kmp-missing-supplements") diff --git a/rpm/macros.kernel-source b/rpm/macros.kernel-source index 3097b62..78b4126 100644 --- a/rpm/macros.kernel-source +++ b/rpm/macros.kernel-source @@ -7,7 +7,7 @@ else \ end } %kernel_module_package_release 1 -%kernel_module_package_buildreqs modutils kernel-syms kmod-compat %kernel_build_shell_package +%kernel_module_package_buildreqs modutils kernel-syms kmod-compat suse-kernel-rpm-scriptlets %kernel_build_shell_package %cpu_arch %(case %_target_cpu in \ # from rpm --eval '%ix86' \ diff --git a/rpm/mkspec b/rpm/mkspec index 4fe1124..c415073 100755 --- a/rpm/mkspec +++ b/rpm/mkspec @@ -41,6 +41,7 @@ my $compress_modules = 'none'; my $compress_vmlinux = 'gz'; my $build_dtbs = (); my $livepatch = ""; +my $livepatch_rt = ""; if (defined($vars{'COMPRESS_MODULES'})) { $compress_modules = $vars{'COMPRESS_MODULES'}; } @@ -55,6 +56,10 @@ if (defined($vars{'LIVEPATCH'})) { $livepatch = $vars{'LIVEPATCH'}; $livepatch = "" if $livepatch =~ /^(0+|no|none)$/i; } +if (defined($vars{'LIVEPATCH_RT'})) { + $livepatch_rt = $vars{'LIVEPATCH_RT'}; + $livepatch_rt = "" if $livepatch_rt =~ /^(0+|no|none)$/i; +} $vanilla_only ||= "0"; if (!defined ($rpmrelease)) { $rpmrelease = $vars{'RELEASE'} || 0; @@ -121,6 +126,7 @@ my %macros = ( UNPACK_PATCHES => $unpack_patches, SCRIPTS => $scripts, LIVEPATCH => $livepatch, + LIVEPATCH_RT => $livepatch_rt, YEAR => (localtime time)[5] + 1900, COMPRESS_MODULES => $compress_modules, COMPRESS_VMLINUX => $compress_vmlinux, diff --git a/rpm/mkspec-dtb b/rpm/mkspec-dtb index a46416f..4d9ff96 100755 --- a/rpm/mkspec-dtb +++ b/rpm/mkspec-dtb @@ -87,6 +87,7 @@ my @aarch64_package_list = ( # DTB packages names my @riscv64_package_list = ( ['dtb-microchip', 'microchip/*.dts', "Microchip based riscv64 systems"], + ['dtb-renesas', 'renesas/*.dts', "Renesas based riscv64 systems"], ['dtb-sifive', 'sifive/*.dts', "SiFive based riscv64 systems"], ['dtb-starfive', 'starfive/*.dts', "StarFive based riscv64 systems"], ); diff --git a/scripts/check-kernel-commit b/scripts/check-kernel-commit new file mode 100755 index 0000000..45a0a6e --- /dev/null +++ b/scripts/check-kernel-commit @@ -0,0 +1,173 @@ +#!/bin/bash + +usage() +{ + echo "Check whether a given list of commit is available in" + echo "a given list of branches." + echo + echo "Usage: ${0##*/} [branches.conf] term..." + echo + echo "Parametes:" + echo " branches.conf: file with the list of branches to be checked" + echo " term: hash of the commit|CVE|bsc to be found" +} + +fetch_branches() +{ + local CACHED_BRANCHES="/tmp/$USER-branches.conf" + local URL="https://kerncvs.suse.de/branches.conf" + local EXPIRE=7 + branches=$CACHED_BRANCHES + if [[ $(find "$CACHED_BRANCHES" -mtime -$EXPIRE -print 2>/dev/null) \ + && -s "$CACHED_BRANCHES" ]]; then + echo "Using cached $CACHED_BRANCHES" >&2 + return + fi + curl "$URL" -o "$CACHED_BRANCHES" +} + +if [ $# -lt 1 ] ; then + usage + exit 1 +fi + +branches=$1 +if [ ! -f "$branches" ] ; then + echo "Branches file not specified, trying to fetch it..." >&2 + if ! fetch_branches ; then + "Error: Can't find the file with the list of branches: $branches nor fetch it" + exit 1 + fi +else + shift; +fi + +KBC_CHECK_TERMS="$*" + +term2regex() +{ + shopt -q nocasematch + local t=$1 + case $t in + # CVEs first + 2[0-9][0-9][0-9]-*) + t=cve-$t + ;& + cve-*) + echo "^References:.*$t" + ;; + # looks like a hash, look for commits + [a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]*) + echo "^Git-commit:.*$t" + ;; + # treat rest as a generic reference + *) + echo "^References:.*$t" + ;; + esac +} + +check_branch() +{ + verbose=0 + if [ "$1" = "-v" ] ; then + verbose=1 + shift + fi + + branch="$1" + found="" + missing="" + + for term in $KBC_CHECK_TERMS ; do + git grep -qi "$(term2regex $term)" "remotes/origin/$branch" -- 'patches.*' 2>/dev/null + if [ $? -eq 0 ] ; then + found="$found $term" + else + missing="$missing $term" + fi + done + + # found + if [ -z "$missing" ] ; then + return 0 + fi + + # missing + if [ -z "$found" ] ; then + return 2 + fi + + # partly + if [ $verbose -ne 0 ] ; then + echo " missing hash:" + for hash in $missing ; do + echo " $term" + done + echo + fi + return 1 +} + +check_parents() +{ + last_branch="" + for branch in "$@" ; do + check_branch $branch + case $? in + 0) + echo " (found in $branch)" + return + ;; + 1) + echo " (partly in $branch)" + return + ;; + *) + ;; + esac + last_branch="$branch" + done + + # not found anywhere + echo " (not even in $last_branch)" +} + +grep -w build "$branches" | grep -v -E "^(master|vanilla|linux-next|cve)" | \ +while read line ; do + line=${line%%\#*} + branch=${line%%:*} + + # empty line or comment + if [ -z "$branch" ] ; then + continue + fi + + # always check also the _EMBARGO branch as a possible parent + parents="${branch}_EMBARGO" + set dummy ${line#$branch:} + while [ $# -gt 0 ] ; do + shift + [[ "$1" =~ "merge:" ]] || continue + tmp="${1//*merge:-/}" + parents="$parents ${tmp//*merge:/}" + done + + printf "%-23s" "$branch" + check_branch "$branch" + + case $? in + 0) + echo "" + ;; + 1) + echo -n " " + check_parents $parents + # print missing commits + check_branch -v "$branch" + ;; + *) + echo -n "" + check_parents "${branch}_EMBARGO" $parents + esac +done diff --git a/scripts/git_sort/git_sort.py b/scripts/git_sort/git_sort.py index d4881c7..b1af35d 100755 --- a/scripts/git_sort/git_sort.py +++ b/scripts/git_sort/git_sort.py @@ -212,9 +212,10 @@ remotes = ( Head(RepoURL("gregkh/driver-core.git"), "driver-core-next"), Head(RepoURL("gregkh/tty.git"), "tty-next"), Head(RepoURL("gregkh/usb.git"), "usb-next"), + Head(RepoURL("gregkh/usb.git"), "usb-linus"), Head(RepoURL("jj/linux-apparmor.git"), "apparmor-next"), - Head(RepoURL("pablo/nf.git")), - Head(RepoURL("pablo/nf-next.git")), + Head(RepoURL("netfilter/nf.git")), + Head(RepoURL("netfilter/nf-next.git")), Head(RepoURL("horms/ipvs.git")), Head(RepoURL("horms/ipvs-next.git")), Head(RepoURL("klassert/ipsec.git")), @@ -261,6 +262,9 @@ remotes = ( Head(RepoURL("bpf/bpf.git")), Head(RepoURL("bpf/bpf-next.git")), Head(RepoURL("linusw/linux-gpio.git"), "for-next"), + Head(RepoURL("soc/soc.git"), "for-next"), + Head(RepoURL("https://gitlab.freedesktop.org/drm/tegra.git"), "for-next"), + Head(RepoURL("git://git.kernel.org/pub/scm/linux/kernel/git/thierry.reding/linux-pwm.git"), "for-next"), ) diff --git a/scripts/git_sort/tests/opensuse-15.3/Dockerfile b/scripts/git_sort/tests/opensuse-15.3/Dockerfile deleted file mode 100644 index 6c45bc6..0000000 --- a/scripts/git_sort/tests/opensuse-15.3/Dockerfile +++ /dev/null @@ -1,22 +0,0 @@ -# https://hub.docker.com/r/opensuse/leap/ -FROM opensuse/leap:15.3 AS base - -RUN zypper -n ref - -FROM base AS packages - -RUN zypper -n in git python3 python3-dbm rcs - -RUN git config --global user.email "you@example.com" -RUN git config --global user.name "Your Name" - -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/openSUSE_Leap_15.3/Kernel:tools.repo -RUN zypper -n in python3-pygit2 quilt - -FROM packages - -VOLUME /scripts - -WORKDIR /scripts/git_sort - -CMD python3 -m unittest discover -v diff --git a/scripts/git_sort/tests/opensuse-15.4/Dockerfile b/scripts/git_sort/tests/opensuse-15.4/Dockerfile new file mode 100644 index 0000000..1d5cbc7 --- /dev/null +++ b/scripts/git_sort/tests/opensuse-15.4/Dockerfile @@ -0,0 +1,24 @@ +# https://hub.docker.com/r/opensuse/leap/ +FROM opensuse/leap:15.4 AS base + +RUN zypper -n ref + +FROM base AS packages + +RUN zypper -n in git python3 python3-dbm rcs + +RUN git config --global user.email "you@example.com" +RUN git config --global user.name "Your Name" + +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_15_SP4/Kernel:tools.repo +RUN zypper -n in python3-pygit2 quilt + +FROM packages + +VOLUME /scripts + +WORKDIR /scripts/git_sort + +CMD python3 -m unittest discover -v diff --git a/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile b/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile index 205d2c8..af6cfbc 100644 --- a/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile +++ b/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile @@ -10,7 +10,9 @@ RUN zypper -n in git python3 python3-dbm python3-pygit2 rcs util-linux RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/openSUSE_Factory/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/openSUSE_Factory/Kernel:tools.repo RUN zypper -n in --from Kernel_tools quilt FROM packages diff --git a/scripts/git_sort/tests/run_all.sh b/scripts/git_sort/tests/run_all.sh index 0177c1a..f63ab5b 100755 --- a/scripts/git_sort/tests/run_all.sh +++ b/scripts/git_sort/tests/run_all.sh @@ -6,13 +6,19 @@ for release in \ sle12-sp4 \ sle12-sp5 \ sle15 \ - opensuse-15.3 \ + opensuse-15.4 \ opensuse-tumbleweed \ ; do echo "Building container image for $release..." + cp -a $libdir/../../lib/SUSE/Kernel.gpg $libdir/$release docker build -q -t gs-test-$release "$libdir/$release" + ret=$? + rm -f $libdir/$release/Kernel.gpg + [ $ret -eq 0 ] || exit $? echo "Running tests in $release:" docker run --rm --name=gs-test-$release \ --mount type=bind,source="$libdir/../../",target=/scripts,readonly \ gs-test-$release + ret=$? + [ $ret -eq 0 ] || exit $? done diff --git a/scripts/git_sort/tests/sle12-sp4/Dockerfile b/scripts/git_sort/tests/sle12-sp4/Dockerfile index e0c545b..49d8f9c 100644 --- a/scripts/git_sort/tests/sle12-sp4/Dockerfile +++ b/scripts/git_sort/tests/sle12-sp4/Dockerfile @@ -2,13 +2,13 @@ FROM registry.suse.de/suse/containers/sle-server/12-sp4/containers/suse/sles12sp4:latest AS base RUN rpm -e container-suseconnect -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 # RUN zypper -n ar -G http://updates.suse.de/SUSE/Products/SLE-SDK/12-SP4/$(rpm -E %_arch)/product/ SDK -RUN zypper -n ar -G http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP4/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP4:$(rpm -E %_arch).repo +RUN zypper -n ar http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP4/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP4:$(rpm -E %_arch).repo RUN zypper -n ref @@ -19,7 +19,9 @@ RUN zypper -n in git-core python3 python3-dbm rcs RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP4/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP4/Kernel:tools.repo RUN zypper -n in python3-pygit2 quilt FROM packages diff --git a/scripts/git_sort/tests/sle12-sp5/Dockerfile b/scripts/git_sort/tests/sle12-sp5/Dockerfile index c8b601d..f5e2f58 100644 --- a/scripts/git_sort/tests/sle12-sp5/Dockerfile +++ b/scripts/git_sort/tests/sle12-sp5/Dockerfile @@ -2,13 +2,13 @@ FROM registry.suse.de/suse/containers/sle-server/12-sp5/containers/suse/sles12sp5:latest AS base RUN rpm -e container-suseconnect -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 # RUN zypper -n ar -G http://updates.suse.de/SUSE/Products/SLE-SDK/12-SP5/$(rpm -E %_arch)/product/ SDK -RUN zypper -n ar -G http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP5/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP5:$(rpm -E %_arch).repo +RUN zypper -n ar http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP5/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP5:$(rpm -E %_arch).repo RUN zypper -n ref @@ -19,7 +19,9 @@ RUN zypper -n in git-core python3 python3-dbm rcs RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP5/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP5/Kernel:tools.repo RUN zypper -n in python3-pygit2 quilt FROM packages diff --git a/scripts/git_sort/tests/sle15/Dockerfile b/scripts/git_sort/tests/sle15/Dockerfile index 3fd5bf4..002074f 100644 --- a/scripts/git_sort/tests/sle15/Dockerfile +++ b/scripts/git_sort/tests/sle15/Dockerfile @@ -1,9 +1,9 @@ # http://registry.suse.de/ -FROM registry.suse.de/suse/containers/sle-server/15/containers/bci/python:3.9 AS base +FROM registry.suse.de/suse/containers/sle-server/15/containers/bci/python:3.6 AS base RUN rpm -e container-suseconnect -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-15:/GA/standard/SUSE:SLE-15:GA.repo -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-15:/Update/standard/SUSE:SLE-15:Update.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-15:/GA/standard/SUSE:SLE-15:GA.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-15:/Update/standard/SUSE:SLE-15:Update.repo RUN zypper -n ref FROM base AS packages @@ -13,7 +13,9 @@ RUN zypper -n in git-core python3 python3-dbm rcs awk RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/SLE_15/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_15/Kernel:tools.repo RUN zypper -n in python3-pygit2 quilt FROM packages diff --git a/scripts/git_sort/tests/test_series_sort.py b/scripts/git_sort/tests/test_series_sort.py index f0ffe5b..25f80a9 100755 --- a/scripts/git_sort/tests/test_series_sort.py +++ b/scripts/git_sort/tests/test_series_sort.py @@ -293,8 +293,8 @@ class TestFromPatch(unittest.TestCase): self.repo.remotes.create("rdma", self.rdma_repo) self.dledford_repo = k_org_canon_prefix + "dledford/rdma.git" self.repo.remotes.create("dledford/rdma", self.dledford_repo) - self.nf_repo = k_org_canon_prefix + "pablo/nf.git" - self.repo.remotes.create("pablo/nf", self.nf_repo) + self.nf_repo = k_org_canon_prefix + "netfilter/nf.git" + self.repo.remotes.create("netfilter/nf", self.nf_repo) self.commits = {} self.commits["mainline 0"] = self.repo.create_commit( @@ -377,7 +377,7 @@ class TestFromPatch(unittest.TestCase): tree.write(), [self.commits["mainline 0"]] ) - self.repo.references.create("refs/remotes/pablo/nf/master", + self.repo.references.create("refs/remotes/netfilter/nf/master", self.commits["nf 0"]) self.commits["mainline 2"] = self.repo.create_commit( @@ -822,13 +822,13 @@ class TestFromPatch(unittest.TestCase): with open("series.conf", mode="w") as f: f.write(tests.support.format_series(( - ("pablo/nf-next", ( + ("netfilter/nf-next", ( name, )), ))) series2 = tests.support.format_series(( - ("pablo/nf", ( + ("netfilter/nf", ( name, )), )) @@ -838,9 +838,9 @@ class TestFromPatch(unittest.TestCase): def test_found_notindexed_upstream_bad2_moveupstream(self): """ - patch sorted in pablo nf-next (not fetched), commit found in pablo nf, + patch sorted in netfilter nf-next (not fetched), commit found in netfilter nf, git-repo tag is bad - moves to pablo nf + moves to netfilter nf tag is NOT updated This is a special case. See the log of commit 0ac6457e94e8 @@ -854,7 +854,7 @@ class TestFromPatch(unittest.TestCase): def test_found_notindexed_upstream_bad2_nomoveupstream(self): """ - patch sorted in pablo nf-next (not fetched), commit found in pablo nf, + patch sorted in netfilter nf-next (not fetched), commit found in netfilter nf, git-repo tag is bad error, possible causes: section is wrong or Git-repo is wrong diff --git a/scripts/lib/SUSE/Kernel.gpg b/scripts/lib/SUSE/Kernel.gpg new file mode 100644 index 0000000..4d7dbc7 --- /dev/null +++ b/scripts/lib/SUSE/Kernel.gpg @@ -0,0 +1,20 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.5 (GNU/Linux) + +mQENBFEaM/IBCADo3+2CX4/tZoGIooy7QF8+J94rwr7Tov3kXFADlXr+aG7zHMrz +r398QiSCmLsE7kJ8DcapHH+TaYrpy5yuS06RV4euhlJjo2+SHEcSzTGDIjrPTDvM +8KZE3CWZgyRTVZnTq7bRPtVhSIzkTPNyJe1AMMDZH8YYgDgo0zleZWR3w3VA75dC +fGUYjFTjymAM2QtzK3WAgywqZK0F21MKOCUWrz8ZFbCmdcZh/mAYDhmNlFcN6mZS +E/yD5E6pqGEF1Pr4dfwP0NbPBpsYq8wP3T5TIdaD5wr38u2QJNORxCKi8fuCqpf7 +HQx5v3x2EVz4VhRzzc31TPVz1LX5MPby8ypBABEBAAG0Lktlcm5lbCBPQlMgUHJv +amVjdCA8S2VybmVsQGJ1aWxkLm9wZW5zdXNlLm9yZz6JATwEEwECACYFAmFcgfcC +GwMFCRRg/gUGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDs7vIQA1ecHYjiB/9j +HSpLuZUnN2YIg6BFTXs4thRLcH0oaYqqvn9j9B4JR9ORHkCharrsBGLRw8zk+Rxt +fCKkty0hkF8yEnnrQV1SaTIBotadf+OnK3Rll4XTO/i7ww7vNcBklYDl801j8z21 +rDoDt9WPRMO748XFHbc1lcQxw7kyfT5XrmpMA1aKcP8jGk2Zs0+1dR4ZlHMs5yq3 +txVIq5dZE+cB+5F4ab3QhFdtGJlW5oM4kzojLSvPJq2NMH4NZPM0fbotbrKSiVDO +QjYURv7Crh/3uPs2OHgh3QRaEva4rU7z2Q/z6Lo5iinQJ9WcRfL8cMOHxSMArUCw +IwudjqU4hN/AyJ+OIYK0iEYEExECAAYFAlEaM/IACgkQOzARt2udZSOyewCguDRQ +jsRPwMa3DqdijMtrGaWTtdcAn20WA8ufB0LM8evtkMiv4PmlYfEz +=ehs+ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/scripts/lib/SUSE/SUSE_Trust_Root.pem b/scripts/lib/SUSE/SUSE_Trust_Root.pem index 27cb843..85975b5 100644 --- a/scripts/lib/SUSE/SUSE_Trust_Root.pem +++ b/scripts/lib/SUSE/SUSE_Trust_Root.pem @@ -1,4 +1,4 @@ ------BEGIN TRUSTED CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIIG6DCCBNCgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCREUx EjAQBgNVBAgTCUZyYW5jb25pYTESMBAGA1UEBxMJTnVyZW1iZXJnMSEwHwYDVQQK ExhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgxFTATBgNVBAsTDE9QUyBTZXJ2aWNl @@ -35,6 +35,5 @@ OL+vEVNBlzGiU2mPuk/E75V43dhnaI3ktqph5oNq6gEZWArLkze2nksWdexjH7G5 42cij0RBO/+5RjmVzG9IXzmScE2V57McJpVDf0lPV57+xCkn6msqyRiJoDS3DPfV ySq1QlcPxhQUNSbDIL663gwirdJyf98C4W/zVcwjnUc+zGgxVInqhJVpuWvte9h/ bIf8cLGxGtSyQ616qwdS92vg1atJoG51Jdxw0EhzFtxJ8QVrfkGn1IT2ngUYYaOK -W8NcaXbJ/yeblISOdtHRxuCpZs8P9MxDAQn/X873eYfcim1xfqSimgJ2dpAwEQwP -U1VTRSBUcnVzdCBSb290 ------END TRUSTED CERTIFICATE----- +W8NcaXbJ/yeblISOdtHRxuCpZs8P9MxDAQn/X873eYfcim1xfqSimgJ2dpA= +-----END CERTIFICATE----- diff --git a/scripts/osc_wrapper b/scripts/osc_wrapper index 83f98c1..1869e6c 100755 --- a/scripts/osc_wrapper +++ b/scripts/osc_wrapper @@ -251,11 +251,7 @@ do_build() shift ;; *.spec) - if test $# -eq 1; then - spec=$1 - else - osc_args=("${osc_args[@]}" "$1") - fi + spec=$1 shift ;; *) diff --git a/scripts/python/suse_git/header.py b/scripts/python/suse_git/header.py index 43d4406..f3fcd04 100755 --- a/scripts/python/suse_git/header.py +++ b/scripts/python/suse_git/header.py @@ -59,6 +59,11 @@ tag_map = { 'match' : 'Submitted,?\s+.+', 'excludes' : [ 'Git-commit', 'Git-repo' ], }, { + # Catch a frequent misuse of 'Not yet'. + 'match' : 'Not yet,\s+submitted', + 'error' : "Please use 'Submitted'", + 'excludes' : [ 'Git-commit', 'Git-repo' ], + }, { # Should be used rarely. Description should provide # reason for the patch not being accepted upstream. 'name' : 'Not yet', diff --git a/scripts/python/tests/test_header.py b/scripts/python/tests/test_header.py index 5051b39..21daceb 100755 --- a/scripts/python/tests/test_header.py +++ b/scripts/python/tests/test_header.py @@ -715,3 +715,18 @@ References: FATE#123456 Acked-by: developer@suse.com """ self.header = header.Checker(text, False, "patches.kabi/FATE123456_fix_kabi.patch") + + def test_patch_mainline_invalid2(self): + text = """ +From: developer@site.com +Subject: some patch +Patch-mainline: Not yet, submitted 2022-08-23 +References: bsc#12345 +Acked-by: developer@suse.com +""" + with self.assertRaises(header.HeaderException) as cm: + self.header = header.Checker(text) + + e = cm.exception + self.assertEqual(1, e.errors(header.FormatError)) + self.assertEqual(1, e.errors()) diff --git a/scripts/renamepatches b/scripts/renamepatches index f86d7da..81a4e44 100755 --- a/scripts/renamepatches +++ b/scripts/renamepatches @@ -29,14 +29,20 @@ fi branch=$1 trap 'rm -f "$temp"' EXIT temp=$(mktemp) -git grep -iE '^(Git-commit:|No-fix:|\(cherry picked from commit)' $branch | grep -vF patches.kernel.org > $temp +git grep -iE '^(Git-commit:|No-fix:|\(cherry picked from commit)' $branch -- 'patches.*' | tr ':' ' ' | \ + awk '!/patches.kernel.org/ {fn=$2; hash=$NF; map[hash]=map[hash] fn;} + END { for (hash in map) printf("map[%s]=\"%s\"\n", hash, map[hash]); }' \ + >$temp -grep -E "^[[:space:]]*patches\.[a-z]+\/" < series.conf | while read patch ; do - commit="$([ -f $patch ] && { grep -iE "^(Git-commit|No-fix):" < $patch | awk '{ print $2}' ; - grep -i "^(cherry picked from commit" < $patch | awk '{ print $5}' ; } )" - [ -n "$commit" ] && echo "$commit" | while read c ; do - grep -F $c < $temp | tr ':' ' ' | while read junk fn blah ; do - [ -n "$fn" ] && [ $fn != $patch ] && git mv $patch $fn && sed -i -e "s,$patch,$fn," series.conf - done - done +declare -A map +source $temp + +grep -E "^[[:space:]]*patches\.[a-z]+/" < series.conf | while read patch ; do + [ ! -f "$patch" ] && continue + commit="$(awk -v IGNORECASE=1 '/^(Git-commit|No-fix):/ { print $2} + /^\(cherry picked from commit/ { print $5}' $patch)" + [ -z "$commit" ] && continue + for fn in ${map[$commit]} ; do + [ $fn != $patch ] && git mv $patch $fn && sed -i -e "s,$patch,$fn," series.conf + done done diff --git a/scripts/sequence-patch.sh b/scripts/sequence-patch.sh index 15f9409..bdfac19 100755 --- a/scripts/sequence-patch.sh +++ b/scripts/sequence-patch.sh @@ -503,7 +503,7 @@ if ! [ -d $ORIG_DIR ]; then fi if $VANILLA; then - PATCHES=( $(scripts/guards $SYMBOLS < series.conf | egrep '^patches\.(kernel\.org|rpmify)/') ) + PATCHES=( $(scripts/guards $SYMBOLS < series.conf | grep -E '^patches\.(kernel\.org|rpmify)/') ) else PATCHES=( $(scripts/guards $SYMBOLS < series.conf) ) fi diff --git a/scripts/wd-functions.sh b/scripts/wd-functions.sh index 3111d40..d645a42 100644 --- a/scripts/wd-functions.sh +++ b/scripts/wd-functions.sh @@ -34,7 +34,7 @@ get_branch_name() if $using_git; then # FIXME: guess a branch name when a non-branch revision is checked # out - local res=$(sed -ne 's|^ref: refs/heads/||p' "$scripts_dir"/../.git/HEAD 2>/dev/null) + local res=$(sed -ne 's|^ref: refs/heads/||p' "$(git rev-parse --git-dir)"/HEAD 2>/dev/null) echo "$res" fi } diff --git a/series.conf b/series.conf index fb62b1f..db7b11d 100644 --- a/series.conf +++ b/series.conf @@ -17766,6 +17766,7 @@ patches.suse/selinux-Fix-error-return-code-in-sel_ib_pkey_sid_slo.patch patches.suse/hwmon-pwm-fan-Fix-RPM-calculation.patch patches.suse/clk-define-to_clk_regmap-as-inline-function.patch + patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch patches.suse/Revert-kernel-reboot.c-convert-simple_strtoul-to-kst.patch patches.suse/reboot-fix-overflow-parsing-reboot-cpu-number.patch patches.suse/kernel-watchdog-fix-watchdog_allowed_mask-not-used-w.patch @@ -23158,6 +23159,7 @@ patches.suse/signalfd-use-wake_up_pollfree.patch patches.suse/aio-keep-poll-requests-on-waitqueue-until-completed.patch patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch + patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch patches.suse/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch patches.suse/phonet-refcount-leak-in-pep_sock_accep.patch @@ -23172,6 +23174,7 @@ patches.suse/tee-handle-lookup-of-shm-with-reference-count-0.patch patches.suse/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch patches.suse/recordmcount.pl-fix-typo-in-s390-mcount-regex.patch + patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch patches.suse/sctp-use-call_rcu-to-free-endpoint.patch patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch @@ -23211,11 +23214,13 @@ patches.suse/usb-host-xen-hcd-add-missing-unlock-in-error-path.patch patches.suse/usb-gadget-don-t-release-an-existing-dev-buf.patch patches.suse/usb-gadget-clear-related-members-when-goto-fail.patch + patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch patches.suse/x86-use-mindirect-branch-cs-prefix-for-retpoline-builds.patch patches.suse/x86-lib-atomic64_386_32-rename-things.patch patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch patches.suse/x86-add-straight-line-speculation-mitigation.patch + patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch @@ -23223,6 +23228,7 @@ patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch + patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch patches.suse/msft-hv-2510-PCI-hv-Make-the-code-arch-neutral-by-adding-arch-spe.patch patches.suse/msft-hv-2484-PCI-hv-Use-PCI_ERROR_RESPONSE-to-identify-config-rea.patch @@ -23258,6 +23264,7 @@ patches.suse/usb-gadget-rndis-check-size-of-RNDIS_MSG_SET-command.patch patches.suse/msft-hv-2522-PCI-hv-Fix-NUMA-node-assignment-when-kernel-boots-wi.patch patches.suse/mmc-block-fix-read-single-on-recovery-logic.patch + patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch patches.suse/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch patches.suse/scsi-lpfc-Fix-pt2pt-NVMe-PRLI-reject-LOGO-loop.patch patches.suse/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch @@ -23290,6 +23297,7 @@ patches.suse/tpm-fix-reference-counting-for-struct-tpm_chip.patch patches.suse/exec-Force-single-empty-string-when-argv-is-empty.patch patches.suse/media-v4l2-mem2mem-Apply-DST_QUEUE_OFF_BASE-on-MMAP-.patch + patches.suse/media-meson-vdec-potential-dereference-of-null-point.patch patches.suse/media-em28xx-initialize-refcount-before-kref_get.patch patches.suse/ALSA-pcm-Fix-races-among-concurrent-hw_params-and-hw.patch patches.suse/ALSA-pcm-Fix-races-among-concurrent-read-write-and-b.patch @@ -23361,6 +23369,8 @@ patches.suse/msft-hv-2567-net-hyperv-remove-use-of-bpf_op_t.patch patches.suse/msft-hv-2568-hv_netvsc-Print-value-of-invalid-ID-in-netvsc_send_-.patch patches.suse/msft-hv-2609-hv_netvsc-Fix-potential-dereference-of-NULL-pointer.patch + patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch + patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch patches.suse/msft-hv-2573-Drivers-hv-vmbus-Add-VMbus-IMC-device-to-unsupported.patch patches.suse/msft-hv-2574-PCI-hv-Fix-multi-MSI-to-allow-more-than-one-MSI-vect.patch patches.suse/msft-hv-2575-Drivers-hv-vmbus-Fix-handling-of-messages-with-trans.patch @@ -23458,6 +23468,7 @@ patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch patches.suse/netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch patches.suse/netfilter-nf_tables-do-not-allow-RULE_ID-to-refer-to.patch + patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch patches.suse/net_sched-cls_route-remove-from-list-when-handle-is-.patch @@ -23476,6 +23487,7 @@ patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch patches.suse/sch_sfb-Also-store-skb-len-before-calling-child-enqu.patch patches.suse/ALSA-pcm-oss-Fix-race-at-SNDCTL_DSP_SYNC.patch + patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch patches.suse/msft-hv-2644-net-mana-Add-rmb-after-checking-owner-bits.patch patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-Rdir.patch patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch @@ -23499,6 +23511,8 @@ patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch patches.suse/msft-hv-2671-hv_netvsc-Fix-race-between-VF-offering-and-VF-associ.patch + patches.suse/net-ipv4-fix-route-with-nexthop-object-delete-warnin.patch + patches.suse/ipv4-Handle-attempt-to-delete-multipath-route-when-f.patch patches.suse/0001-ipv6-ping-fix-wrong-checksum-for-large-frames.patch patches.suse/tcp-udp-Fix-memory-leak-in-ipv6_renew_options.patch patches.suse/ipv6-Fix-data-races-around-sk-sk_prot.patch @@ -23510,19 +23524,52 @@ patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch patches.suse/kcm-avoid-potential-race-in-kcm_tx_work.patch patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch + patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch + patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch + patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch patches.suse/Bluetooth-L2CAP-Fix-attempting-to-access-uninitializ.patch patches.suse/msft-hv-2678-PCI-hv-Fix-the-definition-of-vector-in-hv_compose_ms.patch patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch patches.suse/l2tp-Serialize-access-to-sk_user_data-with-sk_callba.patch + patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch + patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch patches.suse/msft-hv-2681-PCI-hv-Only-reuse-existing-IRTE-allocation-for-Multi.patch patches.suse/msft-hv-2682-Drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch patches.suse/msft-hv-2683-Drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch + patches.suse/wifi-wilc1000-validate-pairwise-and-authentication-s.patch patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch + patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch + patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch + patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch + patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch + patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch + patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch + patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch + patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch + patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch + patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch + patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch + patches.suse/HID-check-empty-report_list-in-bigben_probe.patch + patches.suse/HID-betop-check-shape-of-output-reports.patch + patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch + patches.suse/module-Don-t-wait-for-GOING-modules.patch + patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch + patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch + patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch + patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch + patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch + patches.suse/net-add-sock_init_data_uid.patch + patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch + patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch + patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch + patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch + patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch + patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch ######################################################## # end of sorted patches @@ -23660,6 +23707,7 @@ patches.suse/mm-inform-about-enabling-mirrored-memory.patch patches.suse/0001-Reserve-64MiB-of-CMA-for-RPi3-s-VC4.patch patches.suse/mm-Warn-users-of-node-memory-hot-remove-if-the-memory-ratio-is-a-high-risk.patch + patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch ######################################################## # Filesystems @@ -23709,6 +23757,7 @@ patches.suse/nfsd-dont-revoke-v4-0-states.patch patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch patches.suse/nfs-access-cache-no-negative.patch + patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch # other patches.suse/pstore_disable_efi_backend_by_default.patch @@ -23829,6 +23878,7 @@ patches.suse/drm-ast-Add-25MHz-refclk-support.patch patches.suse/drm-prevent-spectre-issue-in-vmw_execbuf_ioctl.patch patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch + patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch ######################################################## # Storage