diff --git a/blacklist.conf b/blacklist.conf index 9eaaad5..ab5ee04 100644 --- a/blacklist.conf +++ b/blacklist.conf @@ -766,3 +766,4 @@ abc25bbcb55c08183d30ee79a308aeef16b62dcb # CONFIG_ARM_LPAE is not enabled for an ef775a0e36c6a81c5b07cb228c02f967133fe768 # PROC_FS is always set in our configs aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13 # swiotlb: caused a regression, reverted by below (bsc#1197460) bddac7c1e02ba47f0570e494c9289acea3062cc1 # swiotlb: reverting the above (bsc#1197460) +cc67482c9e5f2c80d62f623bcc347c29f9f648e1 # fbdev: smscufx: Fix several use-after-free bugs (bsc#1203992) diff --git a/patches.suse/0001-ipv6-ping-fix-wrong-checksum-for-large-frames.patch b/patches.suse/0001-ipv6-ping-fix-wrong-checksum-for-large-frames.patch new file mode 100644 index 0000000..b684076 --- /dev/null +++ b/patches.suse/0001-ipv6-ping-fix-wrong-checksum-for-large-frames.patch @@ -0,0 +1,47 @@ +From 971d3f1bb59ba9ebe36d0b04e9dba803b44d3f15 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 11 Oct 2022 14:27:28 -0700 +Subject: [PATCH 1/1] ipv6: ping: fix wrong checksum for large frames +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 87445f369cca2965620e79f87145d3d7fa35befd +Patch-mainline: v6.1-rc1 +References: bsc#1203183 + +For a given ping datagram, ping_getfrag() is called once +per skb fragment. + +A large datagram requiring more than one page fragment +is currently getting the checksum of the last fragment, +instead of the cumulative one. + +After this patch, "ping -s 35000 ::1" is working correctly. + +Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") +Signed-off-by: Eric Dumazet +Cc: Lorenzo Colitti +Cc: Maciej Żenczykowski +Signed-off-by: David S. Miller +Signed-off-by: Firo Yang +--- + net/ipv4/ping.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index dd1e0eae9199..1f5305133bae 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -628,7 +628,7 @@ int ping_getfrag(void *from, char *to, + * wcheck, it will be finalized in ping_v4_push_pending_frames. + */ + if (pfh->family == AF_INET6) { +- skb->csum = pfh->wcheck; ++ skb->csum = csum_block_add(skb->csum, pfh->wcheck, odd); + skb->ip_summed = CHECKSUM_NONE; + pfh->wcheck = 0; + } +-- +2.26.2 + diff --git a/patches.suse/0001-sctp-sysctl-make-extra-pointers-netns-aware.patch b/patches.suse/0001-sctp-sysctl-make-extra-pointers-netns-aware.patch new file mode 100644 index 0000000..446935f --- /dev/null +++ b/patches.suse/0001-sctp-sysctl-make-extra-pointers-netns-aware.patch @@ -0,0 +1,116 @@ +From 775e6d53e9942316a914d0adbc83bdee7fb5734f Mon Sep 17 00:00:00 2001 +From: Firo Yang +Date: Fri, 16 Dec 2022 07:53:39 +0100 +Subject: [PATCH 1/1] sctp: sysctl: make extra pointers netns aware + +Patch-mainline: Queued in subsystem maintainer repository +Git-repo: git.kernel.org/netdev/net-next +Git-commit: da05cecc4939c0410d56c29e252998b192756318 +References: bsc#1204760 + +Recently, a customer reported that from their container whose +net namespace is different to the host's init_net, they can't set +the container's net.sctp.rto_max to any value smaller than +init_net.sctp.rto_min. + +For instance, +Host: +sudo sysctl net.sctp.rto_min +net.sctp.rto_min = 1000 + +Container: +echo 100 > /mnt/proc-net/sctp/rto_min +echo 400 > /mnt/proc-net/sctp/rto_max +echo: write error: Invalid argument + +This is caused by the check made from this'commit 4f3fdf3bc59c +("sctp: add check rto_min and rto_max in sysctl")' +When validating the input value, it's always referring the boundary +value set for the init_net namespace. + +Having container's rto_max smaller than host's init_net.sctp.rto_min +does make sense. Consider that the rto between two containers on the +same host is very likely smaller than it for two hosts. + +So to fix this problem, as suggested by Marcelo, this patch makes the +extra pointers of rto_min, rto_max, pf_retrans, and ps_retrans point +to the corresponding variables from the newly created net namespace while + +Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") +Reviewed-by: Marcelo Ricardo Leitner +Reviewed-by: Jakub Kicinski +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Firo Yang +--- + net/sctp/sysctl.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c +index 1250751bca1b..0b660fba93ff 100644 +--- a/net/sctp/sysctl.c ++++ b/net/sctp/sysctl.c +@@ -82,17 +82,16 @@ static struct ctl_table sctp_table[] = { + { /* sentinel */ } + }; + ++/* The following index defines are used in sctp_sysctl_net_register(). ++ * If you add new items to the sctp_net_table, please ensure that ++ * the index values of these defines hold the same meaning indicated by ++ * their macro names when they appear in sctp_net_table. ++ */ ++#define SCTP_RTO_MIN_IDX 0 ++#define SCTP_RTO_MAX_IDX 1 ++ + static struct ctl_table sctp_net_table[] = { +- { +- .procname = "rto_initial", +- .data = &init_net.sctp.rto_initial, +- .maxlen = sizeof(unsigned int), +- .mode = 0644, +- .proc_handler = proc_dointvec_minmax, +- .extra1 = SYSCTL_ONE, +- .extra2 = &timer_max +- }, +- { ++ [SCTP_RTO_MIN_IDX] = { + .procname = "rto_min", + .data = &init_net.sctp.rto_min, + .maxlen = sizeof(unsigned int), +@@ -101,7 +100,7 @@ static struct ctl_table sctp_net_table[] = { + .extra1 = SYSCTL_ONE, + .extra2 = &init_net.sctp.rto_max + }, +- { ++ [SCTP_RTO_MAX_IDX] = { + .procname = "rto_max", + .data = &init_net.sctp.rto_max, + .maxlen = sizeof(unsigned int), +@@ -110,6 +109,15 @@ static struct ctl_table sctp_net_table[] = { + .extra1 = &init_net.sctp.rto_min, + .extra2 = &timer_max + }, ++ { ++ .procname = "rto_initial", ++ .data = &init_net.sctp.rto_initial, ++ .maxlen = sizeof(unsigned int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = SYSCTL_ONE, ++ .extra2 = &timer_max ++ }, + { + .procname = "rto_alpha_exp_divisor", + .data = &init_net.sctp.rto_alpha, +@@ -472,6 +480,9 @@ int sctp_sysctl_net_register(struct net *net) + for (i = 0; table[i].data; i++) + table[i].data += (char *)(&net->sctp) - (char *)&init_net.sctp; + ++ table[SCTP_RTO_MIN_IDX].extra2 = &net->sctp.rto_max; ++ table[SCTP_RTO_MAX_IDX].extra1 = &net->sctp.rto_min; ++ + net->sctp.sysctl_header = register_net_sysctl(net, "net/sctp", table); + if (net->sctp.sysctl_header == NULL) { + kfree(table); +-- +2.26.2 + diff --git a/patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch b/patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch new file mode 100644 index 0000000..c390203 --- /dev/null +++ b/patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch @@ -0,0 +1,66 @@ +From ae4569813a6e931258db627cdfe50dfb4f917d5d Mon Sep 17 00:00:00 2001 +From: Sungwoo Kim +Date: Fri, 18 Nov 2022 15:01:47 -0500 +Subject: [PATCH] Bluetooth: L2CAP: Fix u8 overflow +Git-commit: ae4569813a6e931258db627cdfe50dfb4f917d5d +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git +Patch-mainline: Queued in subsystem maintainer repo +References: CVE-2022-45934 bsc#1205796 + +By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases +multiple times and eventually it will wrap around the maximum number +(i.e., 255). +This patch prevents this by adding a boundary check with +L2CAP_MAX_CONF_RSP + +Btmon log: +Bluetooth monitor ver 5.64 += Note: Linux version 6.1.0-rc2 (x86_64) 0.264594 += Note: Bluetooth subsystem version 2.22 0.264636 +@ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191 += New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604 +@ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741 += Open Index: 00:00:00:00:00:00 [hci0] 13.900426 +(...) +> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106 + invalid packet size (12 != 1033) + 08 00 01 00 02 01 04 00 01 10 ff ff ............ +> ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561 + invalid packet size (14 != 1547) + 0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@..... +> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390 + invalid packet size (16 != 2061) + 0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@....... +> ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932 + invalid packet size (16 != 2061) + 0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@....... += bluetoothd: Bluetooth daemon 5.43 14.401828 +> ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753 + invalid packet size (12 != 1033) + 08 00 01 00 04 01 04 00 40 00 00 00 ........@... + +Signed-off-by: Sungwoo Kim +Signed-off-by: Luiz Augusto von Dentz +Acked-by: Takashi Iwai + +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 93802b27f2a5..a3e0dc6a6e73 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4453,7 +4453,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, + + chan->ident = cmd->ident; + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp); +- chan->num_conf_rsp++; ++ if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP) ++ chan->num_conf_rsp++; + + /* Reset config buffer. */ + chan->conf_len = 0; +-- +2.35.3 + diff --git a/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch b/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch new file mode 100644 index 0000000..ffe30a0 --- /dev/null +++ b/patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch @@ -0,0 +1,107 @@ +From cacdb14b1c8d3804a3a7d31773bc7569837b71a4 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Sun, 4 Sep 2022 12:31:15 -0700 +Subject: [PATCH] HID: roccat: Fix use-after-free in roccat_read() +Patch-mainline: v6.1-rc1 +Git-commit: cacdb14b1c8d3804a3a7d31773bc7569837b71a4 +References: bsc#1203960 CVE-2022-41850 + +roccat_report_event() is responsible for registering +roccat-related reports in struct roccat_device. + +int roccat_report_event(int minor, u8 const *data) +{ + struct roccat_device *device; + struct roccat_reader *reader; + struct roccat_report *report; + uint8_t *new_value; + + device = devices[minor]; + + new_value = kmemdup(data, device->report_size, GFP_ATOMIC); + if (!new_value) + return -ENOMEM; + + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ + kfree(report->value); + ... + +The registered report is stored in the struct roccat_device member +"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];". +If more reports are received than the "ROCCAT_CBUF_SIZE" value, +kfree() the saved report from cbuf[0] and allocates a new reprot. +Since there is no lock when this kfree() is performed, +kfree() can be performed even while reading the saved report. + +static ssize_t roccat_read(struct file *file, char __user *buffer, + size_t count, loff_t *ppos) +{ + struct roccat_reader *reader = file->private_data; + struct roccat_device *device = reader->device; + struct roccat_report *report; + ssize_t retval = 0, len; + DECLARE_WAITQUEUE(wait, current); + + mutex_lock(&device->cbuf_lock); + + ... + + report = &device->cbuf[reader->cbuf_start]; + /* + * If report is larger than requested amount of data, rest of report + * is lost! + */ + len = device->report_size > count ? count : device->report_size; + + if (copy_to_user(buffer, report->value, len)) { + retval = -EFAULT; + goto exit_unlock; + } + ... + +The roccat_read() function receives the device->cbuf report and +delivers it to the user through copy_to_user(). +If the N+ROCCAT_CBUF_SIZE th report is received while copying of +the Nth report->value is in progress, the pointer that copy_to_user() +is working on is kfree()ed and UAF read may occur. (race condition) + +Since the device node of this driver does not set separate permissions, +this is not a security vulnerability, but because it is used for +requesting screen display of profile or dpi settings, +a user using the roccat device can apply udev to this device node or +There is a possibility to use it by giving. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Jiri Kosina +Signed-off-by: Oliver Neukum +--- + drivers/hid/hid-roccat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index 26373b82fe81..6da80e442fdd 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,8 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->cbuf_lock); ++ + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ +@@ -276,6 +278,8 @@ int roccat_report_event(int minor, u8 const *data) + reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE; + } + ++ mutex_unlock(&device->cbuf_lock); ++ + wake_up_interruptible(&device->wait); + return 0; + } +-- +2.35.3 + diff --git a/patches.suse/RDMA-uverbs-Check-for-null-return-of-kmalloc_array.patch b/patches.suse/RDMA-uverbs-Check-for-null-return-of-kmalloc_array.patch new file mode 100644 index 0000000..63ceaf7 --- /dev/null +++ b/patches.suse/RDMA-uverbs-Check-for-null-return-of-kmalloc_array.patch @@ -0,0 +1,33 @@ +From: Jiasheng Jiang +Date: Fri, 31 Dec 2021 17:33:15 +0800 +Subject: RDMA/uverbs: Check for null return of kmalloc_array +Patch-mainline: v5.16 +Git-commit: 7694a7de22c53a312ea98960fcafc6ec62046531 +References: CVE-2022-3105 bsc#1206398 git-fixes + +Because of the possible failure of the allocation, data might be NULL +pointer and will cause the dereference of the NULL pointer later. +Therefore, it might be better to check it and return -ENOMEM. + +Fixes: 6884c6c4bd09 ("RDMA/verbs: Store the write/write_ex uapi entry points in the uverbs_api") +Link: https://lore.kernel.org/r/20211231093315.1917667-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/core/uverbs_uapi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/uverbs_uapi.c ++++ b/drivers/infiniband/core/uverbs_uapi.c +@@ -450,6 +450,9 @@ static int uapi_finalize(struct uverbs_a + uapi->num_write_ex = max_write_ex + 1; + data = kmalloc_array(uapi->num_write + uapi->num_write_ex, + sizeof(*uapi->write_methods), GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ + for (i = 0; i != uapi->num_write + uapi->num_write_ex; i++) + data[i] = &uapi->notsupp_method; + uapi->write_methods = data; diff --git a/patches.suse/USB-core-Prevent-nested-device-reset-calls.patch b/patches.suse/USB-core-Prevent-nested-device-reset-calls.patch new file mode 100644 index 0000000..9de363f --- /dev/null +++ b/patches.suse/USB-core-Prevent-nested-device-reset-calls.patch @@ -0,0 +1,137 @@ +From 9c6d778800b921bde3bff3cff5003d1650f942d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 26 Aug 2022 15:31:32 -0400 +Subject: [PATCH] USB: core: Prevent nested device-reset calls +Git-commit: 9c6d778800b921bde3bff3cff5003d1650f942d1 +References: bsc#1206664 CVE-2022-4662 +Patch-mainline: v6.0-rc4 + +Automatic kernel fuzzing revealed a recursive locking violation in +usb-storage: + +============================================ +WARNING: possible recursive locking detected +5.18.0 #3 Not tainted +-------------------------------------------- +kworker/1:3/1205 is trying to acquire lock: +ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: +usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 + +but task is already holding lock: +ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: +usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 + +... + +stack backtrace: +CPU: 1 PID: 1205 Comm: kworker/1:3 Not tainted 5.18.0 #3 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.13.0-1ubuntu1.1 04/01/2014 +Workqueue: usb_hub_wq hub_event +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 +print_deadlock_bug kernel/locking/lockdep.c:2988 [inline] +check_deadlock kernel/locking/lockdep.c:3031 [inline] +validate_chain kernel/locking/lockdep.c:3816 [inline] +__lock_acquire.cold+0x152/0x3ca kernel/locking/lockdep.c:5053 +lock_acquire kernel/locking/lockdep.c:5665 [inline] +lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5630 +__mutex_lock_common kernel/locking/mutex.c:603 [inline] +__mutex_lock+0x14f/0x1610 kernel/locking/mutex.c:747 +usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 +usb_reset_device+0x37d/0x9a0 drivers/usb/core/hub.c:6109 +r871xu_dev_remove+0x21a/0x270 drivers/staging/rtl8712/usb_intf.c:622 +usb_unbind_interface+0x1bd/0x890 drivers/usb/core/driver.c:458 +device_remove drivers/base/dd.c:545 [inline] +device_remove+0x11f/0x170 drivers/base/dd.c:537 +__device_release_driver drivers/base/dd.c:1222 [inline] +device_release_driver_internal+0x1a7/0x2f0 drivers/base/dd.c:1248 +usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627 +usb_forced_unbind_intf+0x4d/0xa0 drivers/usb/core/driver.c:1118 +usb_reset_device+0x39b/0x9a0 drivers/usb/core/hub.c:6114 + +This turned out not to be an error in usb-storage but rather a nested +device reset attempt. That is, as the rtl8712 driver was being +unbound from a composite device in preparation for an unrelated USB +reset (that driver does not have pre_reset or post_reset callbacks), +its ->remove routine called usb_reset_device() -- thus nesting one +reset call within another. + +Performing a reset as part of disconnect processing is a questionable +practice at best. However, the bug report points out that the USB +core does not have any protection against nested resets. Adding a +reset_in_progress flag and testing it will prevent such errors in the +future. + +Link: https://lore.kernel.org/all/CAB7eexKUpvX-JNiLzhXBDWgfg2T9e9_0Tw4HQ6keN==voRbP0g@mail.gmail.com/ +Cc: stable@vger.kernel.org +Reported-and-tested-by: Rondreis +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YwkflDxvg0KWqyZK@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Acked-by: Vasant Karasulli +--- + drivers/usb/core/hub.c | 10 ++++++++++ + include/linux/usb.h | 2 ++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 2633acde7ac1..d4b1e70d1498 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -6038,6 +6038,11 @@ static int usb_reset_and_verify_device(struct usb_device *udev) + * the reset is over (using their post_reset method). + * + * Return: The same as for usb_reset_and_verify_device(). ++ * However, if a reset is already in progress (for instance, if a ++ * driver doesn't have pre_ or post_reset() callbacks, and while ++ * being unbound or re-bound during the ongoing reset its disconnect() ++ * or probe() routine tries to perform a second, nested reset), the ++ * routine returns -EINPROGRESS. + * + * Note: + * The caller must own the device lock. For example, it's safe to use +@@ -6071,6 +6076,10 @@ int usb_reset_device(struct usb_device *udev) + return -EISDIR; + } + ++ if (udev->reset_in_progress) ++ return -EINPROGRESS; ++ udev->reset_in_progress = 1; ++ + port_dev = hub->ports[udev->portnum - 1]; + + /* +@@ -6135,6 +6144,7 @@ int usb_reset_device(struct usb_device *udev) + + usb_autosuspend_device(udev); + memalloc_noio_restore(noio_flag); ++ udev->reset_in_progress = 0; + return ret; + } + EXPORT_SYMBOL_GPL(usb_reset_device); +diff --git a/include/linux/usb.h b/include/linux/usb.h +index f7a9914fc97f..9ff1ad4dfad1 100644 +--- a/include/linux/usb.h ++++ b/include/linux/usb.h +@@ -575,6 +575,7 @@ struct usb3_lpm_parameters { + * @devaddr: device address, XHCI: assigned by HW, others: same as devnum + * @can_submit: URBs may be submitted + * @persist_enabled: USB_PERSIST enabled for this device ++ * @reset_in_progress: the device is being reset + * @have_langid: whether string_langid is valid + * @authorized: policy has said we can use it; + * (user space) policy determines if we authorize this device to be +@@ -662,6 +663,7 @@ struct usb_device { + + unsigned can_submit:1; + unsigned persist_enabled:1; ++ unsigned reset_in_progress:1; + unsigned have_langid:1; + unsigned authorized:1; + unsigned authenticated:1; +-- +2.35.3 + diff --git a/patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch b/patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch new file mode 100644 index 0000000..260a084 --- /dev/null +++ b/patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch @@ -0,0 +1,56 @@ +From 3f4093e2bf4673f218c0bf17d8362337c400e77b Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Fri, 5 Aug 2022 15:00:08 +0800 +Subject: [PATCH] atm: idt77252: fix use-after-free bugs caused by tst_timer +Git-commit: 3f4093e2bf4673f218c0bf17d8362337c400e77b +Patch-mainline: v6.0-rc1 +References: CVE-2022-3635 bsc#1204631 + +There are use-after-free bugs caused by tst_timer. The root cause +is that there are no functions to stop tst_timer in idt77252_exit(). +One of the possible race conditions is shown below: + + (thread 1) | (thread 2) + | idt77252_init_one + | init_card + | fill_tst + | mod_timer(&card->tst_timer, ...) +idt77252_exit | (wait a time) + | tst_timer + | + | ... + kfree(card) // FREE | + | card->soft_tst[e] // USE + +The idt77252_dev is deallocated in idt77252_exit() and used in +timer handler. + +This patch adds del_timer_sync() in idt77252_exit() in order that +the timer handler could be stopped before the idt77252_dev is +deallocated. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220805070008.18007-1-duoming@zju.edu.cn +Signed-off-by: Jakub Kicinski +Acked-by: Takashi Iwai + +--- + drivers/atm/idt77252.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c +index 81ce81a75fc6..681cb3786794 100644 +--- a/drivers/atm/idt77252.c ++++ b/drivers/atm/idt77252.c +@@ -3752,6 +3752,7 @@ static void __exit idt77252_exit(void) + card = idt77252_chain; + dev = card->atmdev; + idt77252_chain = card->next; ++ del_timer_sync(&card->tst_timer); + + if (dev->phy->stop) + dev->phy->stop(dev); +-- +2.35.3 + diff --git a/patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch b/patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch new file mode 100644 index 0000000..7d5d728 --- /dev/null +++ b/patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch @@ -0,0 +1,41 @@ +From abfaf0eee97925905e742aa3b0b72e04a918fa9e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 5 Jan 2022 17:09:43 +0800 +Subject: [PATCH] drm/amdkfd: Check for null pointer after calling kmemdup +Git-commit: abfaf0eee97925905e742aa3b0b72e04a918fa9e +Patch-mainline: v5.17-rc1 +References: CVE-2022-3108 bsc#1206389 git-fixes + +As the possible failure of the allocation, kmemdup() may return NULL +pointer. +Therefore, it should be better to check the 'props2' in order to prevent +the dereference of NULL pointer. + +Fixes: 3a87177eb141 ("drm/amdkfd: Add topology support for dGPUs") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Felix Kuehling +Signed-off-by: Felix Kuehling +Signed-off-by: Alex Deucher +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +index f187596faf66..9624bbe8b501 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c +@@ -1060,6 +1060,9 @@ static int kfd_parse_subtype_iolink(struct crat_subtype_iolink *iolink, + return -ENODEV; + /* same everything but the other direction */ + props2 = kmemdup(props, sizeof(*props2), GFP_KERNEL); ++ if (!props2) ++ return -ENOMEM; ++ + props2->node_from = id_to; + props2->node_to = id_from; + props2->kobj = NULL; +-- +2.31.1 + diff --git a/patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch b/patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch new file mode 100644 index 0000000..df540cf --- /dev/null +++ b/patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch @@ -0,0 +1,38 @@ +From 04aa64375f48a5d430b5550d9271f8428883e550 Mon Sep 17 00:00:00 2001 +From: Andrzej Hajda +Date: Mon, 14 Nov 2022 11:38:24 +0100 +Subject: [PATCH] drm/i915: fix TLB invalidation for Gen12 video and compute engines +Git-commit: 04aa64375f48a5d430b5550d9271f8428883e550 +Patch-mainline: v6.1-rc8 +References: CVE-2022-4139 bsc#1205700 + +In case of Gen12 video and compute engines, TLB_INV registers are masked - +to modify one bit, corresponding bit in upper half of the register must +be enabled, otherwise nothing happens. + +Cve: CVE-2022-4139 +Suggested-by: Chris Wilson +Signed-off-by: Andrzej Hajda +Acked-by: Daniel Vetter +Fixes: 7938d61591d3 ("drm/i915: Flush TLBs before releasing backing store") +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + drivers/gpu/drm/i915/gt/intel_gt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/i915/gt/intel_gt.c ++++ b/drivers/gpu/drm/i915/gt/intel_gt.c +@@ -353,6 +353,10 @@ void intel_gt_invalidate_tlbs(struct int + if (!i915_mmio_reg_offset(rb.reg)) + continue; + ++ if (INTEL_GEN(i915) == 12 && (engine->class == VIDEO_DECODE_CLASS || ++ engine->class == VIDEO_ENHANCEMENT_CLASS)) ++ rb.bit = _MASKED_BIT_ENABLE(rb.bit); ++ + intel_uncore_write_fw(uncore, rb.reg, rb.bit); + if (__intel_wait_for_register_fw(uncore, + rb.reg, rb.bit, 0, diff --git a/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch b/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch index 9dcdef7..7b1cf9f 100644 --- a/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch +++ b/patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch @@ -1,10 +1,9 @@ -From 6a7bca685c93fd18133d313716e141faac3bddc3 Mon Sep 17 00:00:00 2001 +From 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c Mon Sep 17 00:00:00 2001 From: Hyunwoo Kim Date: Sun, 25 Sep 2022 06:32:43 -0700 Subject: [PATCH] fbdev: smscufx: Fix use-after-free in ufx_ops_open() -Git-commit: 6a7bca685c93fd18133d313716e141faac3bddc3 -Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev.git -Patch-mainline: Queued in subsystem maintainer repo +Git-commit: 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c +Patch-mainline: v6.1-rc1 References: CVE-2022-41849 bsc#1203992 A race condition may occur if the user physically removes the diff --git a/patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch b/patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch new file mode 100644 index 0000000..086fa4e --- /dev/null +++ b/patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch @@ -0,0 +1,111 @@ +From 813d8fe5d30388f73a21d3a2bf46b0a1fd72498c Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Sun, 16 Oct 2022 22:42:54 +0100 +Subject: [PATCH] io_uring/af_unix: defer registered files gc to io_uring + release +Git-commit: 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 +Patch-mainline: v6.1-rc1 +References: bsc#1204228 CVE-2022-2602 + +[ upstream commit 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 ] + +Instead of putting io_uring's registered files in unix_gc() we want it +to be done by io_uring itself. The trick here is to consider io_uring +registered files for cycle detection but not actually putting them down. +Because io_uring can't register other ring instances, this will remove +all refs to the ring file triggering the ->release path and clean up +with io_ring_ctx_free(). + +Cc: stable@vger.kernel.org +Fixes: 6b06314c47e1 ("io_uring: add file set registration") +Reported-and-tested-by: David Bouman +Signed-off-by: Pavel Begunkov +Signed-off-by: Thadeu Lima de Souza Cascardo +[axboe: add kerneldoc comment to skb, fold in skb leak fix] +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +Acked-by: David Disseldorp: +--- + fs/io_uring.c | 1 + + include/linux/skbuff.h | 2 ++ + net/unix/garbage.c | 20 ++++++++++++++++++++ + 3 files changed, 23 insertions(+) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 31a3a00ef48e2..b4c533f7dfed2 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2721,6 +2721,7 @@ static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset) + } + + skb->sk = sk; ++ skb->scm_io_uring = 1; + skb->destructor = io_destruct_skb; + + fpl->user = get_uid(ctx->user); +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index fd405e3d44a43..f86bbfcfa22ad 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -652,6 +652,7 @@ typedef unsigned char *sk_buff_data_t; + * @wifi_acked: whether frame was acked on wifi or not + * @no_fcs: Request NIC to treat last 4 bytes as Ethernet FCS + * @csum_not_inet: use CRC32c to resolve CHECKSUM_PARTIAL ++ * @scm_io_uring: SKB holds io_uring registered files + * @dst_pending_confirm: need to confirm neighbour + * @decrypted: Decrypted SKB + * @napi_id: id of the NAPI struct this skb came from +@@ -815,6 +816,7 @@ struct sk_buff { + #ifdef CONFIG_TLS_DEVICE + __u8 decrypted:1; + #endif ++ __u8 scm_io_uring:1; + + #ifdef CONFIG_NET_SCHED + __u16 tc_index; /* traffic control index */ +diff --git a/net/unix/garbage.c b/net/unix/garbage.c +index 12e2ddaf887f2..04bbdce5373cd 100644 +--- a/net/unix/garbage.c ++++ b/net/unix/garbage.c +@@ -201,6 +201,7 @@ void wait_for_unix_gc(void) + /* The external entry point: unix_gc() */ + void unix_gc(void) + { ++ struct sk_buff *next_skb, *skb; + struct unix_sock *u; + struct unix_sock *next; + struct sk_buff_head hitlist; +@@ -292,11 +293,30 @@ void unix_gc(void) + + spin_unlock(&unix_gc_lock); + ++ /* We need io_uring to clean its registered files, ignore all io_uring ++ * originated skbs. It's fine as io_uring doesn't keep references to ++ * other io_uring instances and so killing all other files in the cycle ++ * will put all io_uring references forcing it to go through normal ++ * release.path eventually putting registered files. ++ */ ++ skb_queue_walk_safe(&hitlist, skb, next_skb) { ++ if (skb->scm_io_uring) { ++ __skb_unlink(skb, &hitlist); ++ skb_queue_tail(&skb->sk->sk_receive_queue, skb); ++ } ++ } ++ + /* Here we are. Hitlist is filled. Die. */ + __skb_queue_purge(&hitlist); + + spin_lock(&unix_gc_lock); + ++ /* There could be io_uring registered files, just push them back to ++ * the inflight list ++ */ ++ list_for_each_entry_safe(u, next, &gc_candidates, link) ++ list_move_tail(&u->link, &gc_inflight_list); ++ + /* All candidates should have been detached by now. */ + BUG_ON(!list_empty(&gc_candidates)); + gc_in_progress = false; +-- +2.35.3 + diff --git a/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch index faec977..b016551 100644 --- a/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch +++ b/patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch @@ -1,76 +1,73 @@ +From 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc Mon Sep 17 00:00:00 2001 From: Zheng Wang -Date: Thu, 6 Oct 2022 23:26:43 +0800 -Subject: [PATCH] misc: sgi-gru: fix use-after-free error in - gru_set_context_option, gru_fault and gru_handle_user_call_os -Message-Id: <20221006152643.1694235-1-zyytlz.wz@163.com> -Patch-mainline: Submitted, LKML +Date: Thu, 10 Nov 2022 11:50:33 +0800 +Subject: [PATCH] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os +Git-commit: 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git +Patch-mainline: Queued in subsystem maintainer repo References: CVE-2022-3424 bsc#1204166 -Gts may be freed in gru_check_chiplet_assignment. -The caller still use it after that, UAF happens. +In some bad situation, the gts may be freed gru_check_chiplet_assignment. +The call chain can be gru_unload_context->gru_free_gru_context->gts_drop +and kfree finally. However, the caller didn't know if the gts is freed +or not and use it afterwards. This will trigger a Use after Free bug. Fix it by introducing a return value to see if it's in error path or not. Free the gts in caller if gru_check_chiplet_assignment check failed. Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") -Reported-by: Zheng Wang Signed-off-by: Zheng Wang -Signed-off-by: Takashi Iwai +Acked-by: Dimitri Sivanich +Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com +Signed-off-by: Greg Kroah-Hartman +Acked-by: Takashi Iwai --- - drivers/misc/sgi-gru/grufault.c | 15 ++++++++++++--- - drivers/misc/sgi-gru/grumain.c | 17 +++++++++++++---- + drivers/misc/sgi-gru/grufault.c | 13 +++++++++++-- + drivers/misc/sgi-gru/grumain.c | 22 ++++++++++++++++++---- drivers/misc/sgi-gru/grutables.h | 2 +- - 3 files changed, 26 insertions(+), 8 deletions(-) + 3 files changed, 30 insertions(+), 7 deletions(-) diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c -index d7ef61e602ed..f1e5b96fef4b 100644 +index d7ef61e602ed..b836936e9747 100644 --- a/drivers/misc/sgi-gru/grufault.c +++ b/drivers/misc/sgi-gru/grufault.c -@@ -656,7 +656,9 @@ int gru_handle_user_call_os(unsigned long cb) +@@ -648,6 +648,7 @@ int gru_handle_user_call_os(unsigned long cb) + if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB) + return -EINVAL; + ++again: + gts = gru_find_lock_gts(cb); + if (!gts) + return -EINVAL; +@@ -656,7 +657,11 @@ int gru_handle_user_call_os(unsigned long cb) if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE) goto exit; - gru_check_context_placement(gts); -+ ret = gru_check_context_placement(gts); -+ if (ret) -+ goto err; ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ goto again; ++ } /* * CCH may contain stale data if ts_force_cch_reload is set. -@@ -677,6 +679,10 @@ int gru_handle_user_call_os(unsigned long cb) - exit: - gru_unlock_gts(gts); - return ret; -+err: -+ gru_unlock_gts(gts); -+ gru_unload_context(gts, 1); -+ return -EINVAL; - } - - /* -@@ -874,7 +880,7 @@ int gru_set_context_option(unsigned long arg) +@@ -874,7 +879,11 @@ int gru_set_context_option(unsigned long arg) } else { gts->ts_user_blade_id = req.val1; gts->ts_user_chiplet_id = req.val0; - gru_check_context_placement(gts); -+ ret = gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ return ret; ++ } } break; case sco_gseg_owner: -@@ -889,6 +895,9 @@ int gru_set_context_option(unsigned long arg) - ret = -EINVAL; - } - gru_unlock_gts(gts); -- -+ if (ret) { -+ gru_unload_context(gts, 1); -+ ret = -EINVAL; -+ } - return ret; - } diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c -index 9afda47efbf2..79903cf7e706 100644 +index 6706ef3c5977..4eb4b9455139 100644 --- a/drivers/misc/sgi-gru/grumain.c +++ b/drivers/misc/sgi-gru/grumain.c @@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru, @@ -85,9 +82,16 @@ index 9afda47efbf2..79903cf7e706 100644 /* * If the current task is the context owner, verify that the -@@ -727,14 +728,16 @@ void gru_check_context_placement(struct gru_thread_state *gts) +@@ -726,15 +727,23 @@ void gru_check_context_placement(struct gru_thread_state *gts) + * references. Pthread apps use non-owner references to the CBRs. */ gru = gts->ts_gru; ++ /* ++ * If gru or gts->ts_tgid_owner isn't initialized properly, return ++ * success to indicate that the caller does not need to unload the ++ * gru context.The caller is responsible for their inspection and ++ * reinitialization if needed. ++ */ if (!gru || gts->ts_tgid_owner != current->tgid) - return; + return ret; @@ -104,30 +108,22 @@ index 9afda47efbf2..79903cf7e706 100644 } -@@ -919,6 +922,7 @@ vm_fault_t gru_fault(struct vm_fault *vmf) - struct gru_thread_state *gts; - unsigned long paddr, vaddr; - unsigned long expires; -+ int ret; - - vaddr = vmf->address; - gru_dbg(grudev, "vma %p, vaddr 0x%lx (0x%lx)\n", -@@ -934,7 +938,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) +@@ -934,7 +943,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf) mutex_lock(>s->ts_ctxlock); preempt_disable(); - gru_check_context_placement(gts); -+ ret = gru_check_context_placement(gts); -+ if (ret) { ++ if (gru_check_context_placement(gts)) { ++ preempt_enable(); + mutex_unlock(>s->ts_ctxlock); + gru_unload_context(gts, 1); -+ return ret; ++ return VM_FAULT_NOPAGE; + } if (!gts->ts_gru) { STAT(load_user_context); diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h -index 5efc869fe59a..f4a5a787685f 100644 +index 8c52776db234..640daf1994df 100644 --- a/drivers/misc/sgi-gru/grutables.h +++ b/drivers/misc/sgi-gru/grutables.h @@ -632,7 +632,7 @@ extern int gru_user_flush_tlb(unsigned long arg); diff --git a/patches.suse/msft-hv-2553-hv_netvsc-Add-check-for-kvmalloc_array.patch b/patches.suse/msft-hv-2553-hv_netvsc-Add-check-for-kvmalloc_array.patch index c6999db..296edd7 100644 --- a/patches.suse/msft-hv-2553-hv_netvsc-Add-check-for-kvmalloc_array.patch +++ b/patches.suse/msft-hv-2553-hv_netvsc-Add-check-for-kvmalloc_array.patch @@ -3,7 +3,7 @@ Date: Mon, 14 Mar 2022 10:01:25 +0800 Patch-mainline: v5.17 Subject: hv_netvsc: Add check for kvmalloc_array Git-commit: 886e44c9298a6b428ae046e2fa092ca52e822e6a -References: git-fixes +References: CVE-2022-3107 bsc#1206395 git-fixes As the potential failure of the kvmalloc_array(), it should be better to check and restore the 'data' diff --git a/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch b/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch new file mode 100644 index 0000000..948a3f1 --- /dev/null +++ b/patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch @@ -0,0 +1,45 @@ +From e6cfaf34be9fcd1a8285a294e18986bfc41a409c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 5 Dec 2022 11:33:40 -0800 +Subject: [PATCH] proc: avoid integer type confusion in get_proc_long +Git-commit: e6cfaf34be9fcd1a8285a294e18986bfc41a409c +Patch-mainline: v6.1 +References: CVE-2022-4378 bsc#1206207 + +proc_get_long() is passed a size_t, but then assigns it to an 'int' +variable for the length. Let's not do that, even if our IO paths are +limited to MAX_RW_COUNT (exactly because of these kinds of type errors). + +So do the proper test in the rigth type. + +Reported-by: Kyle Zeng +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + kernel/sysctl.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 188c305aeb8b..8898ddeaaf75 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -342,13 +342,12 @@ static int proc_get_long(char **buf, size_t *size, + unsigned long *val, bool *neg, + const char *perm_tr, unsigned perm_tr_len, char *tr) + { +- int len; + char *p, tmp[TMPBUFLEN]; ++ ssize_t len = *size; + +- if (!*size) ++ if (len <= 0) + return -EINVAL; + +- len = *size; + if (len > TMPBUFLEN - 1) + len = TMPBUFLEN - 1; + +-- +2.35.3 + diff --git a/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch b/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch new file mode 100644 index 0000000..eec6a30 --- /dev/null +++ b/patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch @@ -0,0 +1,106 @@ +From bce9332220bd677d83b19d21502776ad555a0e73 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 5 Dec 2022 12:09:06 -0800 +Subject: [PATCH] proc: proc_skip_spaces() shouldn't think it is working on C strings +Git-commit: bce9332220bd677d83b19d21502776ad555a0e73 +Patch-mainline: v6.1 +References: CVE-2022-4378 bsc#1206207 + +proc_skip_spaces() seems to think it is working on C strings, and ends +up being just a wrapper around skip_spaces() with a really odd calling +convention. + +Instead of basing it on skip_spaces(), it should have looked more like +proc_skip_char(), which really is the exact same function (except it +skips a particular character, rather than whitespace). So use that as +inspiration, odd coding and all. + +Now the calling convention actually makes sense and works for the +intended purpose. + +Reported-and-tested-by: Kyle Zeng +Acked-by: Eric Dumazet +Signed-off-by: Linus Torvalds +Acked-by: Takashi Iwai + +--- + kernel/sysctl.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2169,13 +2169,14 @@ int proc_dostring(struct ctl_table *tabl + (char __user *)buffer, lenp, ppos); + } + +-static size_t proc_skip_spaces(char **buf) ++static void proc_skip_spaces(char **buf, size_t *size) + { +- size_t ret; +- char *tmp = skip_spaces(*buf); +- ret = tmp - *buf; +- *buf = tmp; +- return ret; ++ while (*size) { ++ if (!isspace(**buf)) ++ break; ++ (*size)--; ++ (*buf)++; ++ } + } + + static void proc_skip_char(char **buf, size_t *size, const char v) +@@ -2412,7 +2413,7 @@ static int __do_proc_dointvec(void *tbl_ + bool neg; + + if (write) { +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + if (!left) + break; +@@ -2443,7 +2444,7 @@ static int __do_proc_dointvec(void *tbl_ + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write) { + kfree(kbuf); + if (first) +@@ -2492,7 +2493,7 @@ static int do_proc_douintvec_w(unsigned + if (IS_ERR(kbuf)) + return -EINVAL; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) { + err = -EINVAL; + goto out_free; +@@ -2512,7 +2513,7 @@ static int do_proc_douintvec_w(unsigned + } + + if (!err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + out_free: + kfree(kbuf); +@@ -2926,7 +2927,7 @@ static int __do_proc_doulongvec_minmax(v + if (write) { + bool neg; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) + break; + +@@ -2959,7 +2960,7 @@ static int __do_proc_doulongvec_minmax(v + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write) { + kfree(kbuf); + if (first) diff --git a/patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch b/patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch new file mode 100644 index 0000000..b5ba3f7 --- /dev/null +++ b/patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch @@ -0,0 +1,388 @@ +Patch-mainline: v6.1 +Git-commit: ad7f402ae4f466647c3a669b8a6f3e5d4271c84a +References: bsc#1206113, XSA-423, CVE-2022-3643 +From: Ross Lagerwall +Date: Tue, 22 Nov 2022 09:16:59 +0000 +Subject: [PATCH] xen/netback: Ensure protocol headers don't fall in the + non-linear area + +In some cases, the frontend may send a packet where the protocol headers +are spread across multiple slots. This would result in netback creating +an skb where the protocol headers spill over into the non-linear area. +Some drivers and NICs don't handle this properly resulting in an +interface reset or worse. + +This issue was introduced by the removal of an unconditional skb pull in +the tx path to improve performance. Fix this without reintroducing the +pull by setting up grant copy ops for as many slots as needed to reach +the XEN_NETBACK_TX_COPY_LEN size. Adjust the rest of the code to handle +multiple copy operations per skb. + +This is XSA-423 / CVE-2022-3643. + +Fixes: 7e5d7753956b ("xen-netback: remove unconditional __pskb_pull_tail() in guest Tx path") +Signed-off-by: Ross Lagerwall +Reviewed-by: Paul Durrant +Signed-off-by: Juergen Gross +--- + drivers/net/xen-netback/netback.c | 223 ++++++++++++++++-------------- + 1 file changed, 123 insertions(+), 100 deletions(-) + +diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c +index 3d2081bbbc86..054ac0e897f6 100644 +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -332,10 +332,13 @@ static int xenvif_count_requests(struct xenvif_queue *queue, + + + struct xenvif_tx_cb { +- u16 pending_idx; ++ u16 copy_pending_idx[XEN_NETBK_LEGACY_SLOTS_MAX + 1]; ++ u8 copy_count; + }; + + #define XENVIF_TX_CB(skb) ((struct xenvif_tx_cb *)(skb)->cb) ++#define copy_pending_idx(skb, i) (XENVIF_TX_CB(skb)->copy_pending_idx[i]) ++#define copy_count(skb) (XENVIF_TX_CB(skb)->copy_count) + + static inline void xenvif_tx_create_map_op(struct xenvif_queue *queue, + u16 pending_idx, +@@ -370,31 +373,93 @@ static inline struct sk_buff *xenvif_alloc_skb(unsigned int size) + return skb; + } + +-static struct gnttab_map_grant_ref *xenvif_get_requests(struct xenvif_queue *queue, +- struct sk_buff *skb, +- struct xen_netif_tx_request *txp, +- struct gnttab_map_grant_ref *gop, +- unsigned int frag_overflow, +- struct sk_buff *nskb) ++static void xenvif_get_requests(struct xenvif_queue *queue, ++ struct sk_buff *skb, ++ struct xen_netif_tx_request *first, ++ struct xen_netif_tx_request *txfrags, ++ unsigned *copy_ops, ++ unsigned *map_ops, ++ unsigned int frag_overflow, ++ struct sk_buff *nskb, ++ unsigned int extra_count, ++ unsigned int data_len) + { + struct skb_shared_info *shinfo = skb_shinfo(skb); + skb_frag_t *frags = shinfo->frags; +- u16 pending_idx = XENVIF_TX_CB(skb)->pending_idx; +- int start; ++ u16 pending_idx; + pending_ring_idx_t index; + unsigned int nr_slots; ++ struct gnttab_copy *cop = queue->tx_copy_ops + *copy_ops; ++ struct gnttab_map_grant_ref *gop = queue->tx_map_ops + *map_ops; ++ struct xen_netif_tx_request *txp = first; ++ ++ nr_slots = shinfo->nr_frags + 1; ++ ++ copy_count(skb) = 0; ++ ++ /* Create copy ops for exactly data_len bytes into the skb head. */ ++ __skb_put(skb, data_len); ++ while (data_len > 0) { ++ int amount = data_len > txp->size ? txp->size : data_len; ++ ++ cop->source.u.ref = txp->gref; ++ cop->source.domid = queue->vif->domid; ++ cop->source.offset = txp->offset; ++ ++ cop->dest.domid = DOMID_SELF; ++ cop->dest.offset = (offset_in_page(skb->data + ++ skb_headlen(skb) - ++ data_len)) & ~XEN_PAGE_MASK; ++ cop->dest.u.gmfn = virt_to_gfn(skb->data + skb_headlen(skb) ++ - data_len); ++ ++ cop->len = amount; ++ cop->flags = GNTCOPY_source_gref; + +- nr_slots = shinfo->nr_frags; ++ index = pending_index(queue->pending_cons); ++ pending_idx = queue->pending_ring[index]; ++ callback_param(queue, pending_idx).ctx = NULL; ++ copy_pending_idx(skb, copy_count(skb)) = pending_idx; ++ copy_count(skb)++; ++ ++ cop++; ++ data_len -= amount; + +- /* Skip first skb fragment if it is on same page as header fragment. */ +- start = (frag_get_pending_idx(&shinfo->frags[0]) == pending_idx); ++ if (amount == txp->size) { ++ /* The copy op covered the full tx_request */ ++ ++ memcpy(&queue->pending_tx_info[pending_idx].req, ++ txp, sizeof(*txp)); ++ queue->pending_tx_info[pending_idx].extra_count = ++ (txp == first) ? extra_count : 0; ++ ++ if (txp == first) ++ txp = txfrags; ++ else ++ txp++; ++ queue->pending_cons++; ++ nr_slots--; ++ } else { ++ /* The copy op partially covered the tx_request. ++ * The remainder will be mapped. ++ */ ++ txp->offset += amount; ++ txp->size -= amount; ++ } ++ } + +- for (shinfo->nr_frags = start; shinfo->nr_frags < nr_slots; +- shinfo->nr_frags++, txp++, gop++) { ++ for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++ shinfo->nr_frags++, gop++) { + index = pending_index(queue->pending_cons++); + pending_idx = queue->pending_ring[index]; +- xenvif_tx_create_map_op(queue, pending_idx, txp, 0, gop); ++ xenvif_tx_create_map_op(queue, pending_idx, txp, ++ txp == first ? extra_count : 0, gop); + frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx); ++ ++ if (txp == first) ++ txp = txfrags; ++ else ++ txp++; + } + + if (frag_overflow) { +@@ -415,7 +480,8 @@ static struct gnttab_map_grant_ref *xenvif_get_requests(struct xenvif_queue *que + skb_shinfo(skb)->frag_list = nskb; + } + +- return gop; ++ (*copy_ops) = cop - queue->tx_copy_ops; ++ (*map_ops) = gop - queue->tx_map_ops; + } + + static inline void xenvif_grant_handle_set(struct xenvif_queue *queue, +@@ -451,7 +517,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue, + struct gnttab_copy **gopp_copy) + { + struct gnttab_map_grant_ref *gop_map = *gopp_map; +- u16 pending_idx = XENVIF_TX_CB(skb)->pending_idx; ++ u16 pending_idx; + /* This always points to the shinfo of the skb being checked, which + * could be either the first or the one on the frag_list + */ +@@ -462,24 +528,37 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue, + struct skb_shared_info *first_shinfo = NULL; + int nr_frags = shinfo->nr_frags; + const bool sharedslot = nr_frags && +- frag_get_pending_idx(&shinfo->frags[0]) == pending_idx; ++ frag_get_pending_idx(&shinfo->frags[0]) == ++ copy_pending_idx(skb, copy_count(skb) - 1); +- int i, err; ++ int i, err = 0; + +- /* Check status of header. */ +- err = (*gopp_copy)->status; +- if (unlikely(err)) { +- if (net_ratelimit()) +- netdev_dbg(queue->vif->dev, +- "Grant copy of header failed! status: %d pending_idx: %u ref: %u\n", +- (*gopp_copy)->status, +- pending_idx, +- (*gopp_copy)->source.u.ref); +- /* The first frag might still have this slot mapped */ +- if (!sharedslot) +- xenvif_idx_release(queue, pending_idx, +- XEN_NETIF_RSP_ERROR); ++ for (i = 0; i < copy_count(skb); i++) { ++ int newerr; ++ ++ /* Check status of header. */ ++ pending_idx = copy_pending_idx(skb, i); ++ ++ newerr = (*gopp_copy)->status; ++ if (likely(!newerr)) { ++ /* The first frag might still have this slot mapped */ ++ if (i < copy_count(skb) - 1 || !sharedslot) ++ xenvif_idx_release(queue, pending_idx, ++ XEN_NETIF_RSP_OKAY); ++ } else { ++ err = newerr; ++ if (net_ratelimit()) ++ netdev_dbg(queue->vif->dev, ++ "Grant copy of header failed! status: %d pending_idx: %u ref: %u\n", ++ (*gopp_copy)->status, ++ pending_idx, ++ (*gopp_copy)->source.u.ref); ++ /* The first frag might still have this slot mapped */ ++ if (i < copy_count(skb) - 1 || !sharedslot) ++ xenvif_idx_release(queue, pending_idx, ++ XEN_NETIF_RSP_ERROR); ++ } ++ (*gopp_copy)++; + } +- (*gopp_copy)++; + + check_frags: + for (i = 0; i < nr_frags; i++, gop_map++) { +@@ -526,14 +605,6 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue, + if (err) + continue; + +- /* First error: if the header haven't shared a slot with the +- * first frag, release it as well. +- */ +- if (!sharedslot) +- xenvif_idx_release(queue, +- XENVIF_TX_CB(skb)->pending_idx, +- XEN_NETIF_RSP_OKAY); +- + /* Invalidate preceding fragments of this skb. */ + for (j = 0; j < i; j++) { + pending_idx = frag_get_pending_idx(&shinfo->frags[j]); +@@ -803,7 +874,6 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue, + unsigned *copy_ops, + unsigned *map_ops) + { +- struct gnttab_map_grant_ref *gop = queue->tx_map_ops; + struct sk_buff *skb, *nskb; + int ret; + unsigned int frag_overflow; +@@ -885,8 +955,12 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue, + continue; + } + ++ data_len = (txreq.size > XEN_NETBACK_TX_COPY_LEN) ? ++ XEN_NETBACK_TX_COPY_LEN : txreq.size; ++ + ret = xenvif_count_requests(queue, &txreq, extra_count, + txfrags, work_to_do); ++ + if (unlikely(ret < 0)) + break; + +@@ -912,9 +986,8 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue, + index = pending_index(queue->pending_cons); + pending_idx = queue->pending_ring[index]; + +- data_len = (txreq.size > XEN_NETBACK_TX_COPY_LEN && +- ret < XEN_NETBK_LEGACY_SLOTS_MAX) ? +- XEN_NETBACK_TX_COPY_LEN : txreq.size; ++ if (ret >= XEN_NETBK_LEGACY_SLOTS_MAX - 1 && data_len < txreq.size) ++ data_len = txreq.size; + + skb = xenvif_alloc_skb(data_len); + if (unlikely(skb == NULL)) { +@@ -925,8 +998,6 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue, + } + + skb_shinfo(skb)->nr_frags = ret; +- if (data_len < txreq.size) +- skb_shinfo(skb)->nr_frags++; + /* At this point shinfo->nr_frags is in fact the number of + * slots, which can be as large as XEN_NETBK_LEGACY_SLOTS_MAX. + */ +@@ -988,54 +1059,19 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue, + type); + } + +- XENVIF_TX_CB(skb)->pending_idx = pending_idx; +- +- __skb_put(skb, data_len); +- queue->tx_copy_ops[*copy_ops].source.u.ref = txreq.gref; +- queue->tx_copy_ops[*copy_ops].source.domid = queue->vif->domid; +- queue->tx_copy_ops[*copy_ops].source.offset = txreq.offset; +- +- queue->tx_copy_ops[*copy_ops].dest.u.gmfn = +- virt_to_gfn(skb->data); +- queue->tx_copy_ops[*copy_ops].dest.domid = DOMID_SELF; +- queue->tx_copy_ops[*copy_ops].dest.offset = +- offset_in_page(skb->data) & ~XEN_PAGE_MASK; +- +- queue->tx_copy_ops[*copy_ops].len = data_len; +- queue->tx_copy_ops[*copy_ops].flags = GNTCOPY_source_gref; +- +- (*copy_ops)++; +- +- if (data_len < txreq.size) { +- frag_set_pending_idx(&skb_shinfo(skb)->frags[0], +- pending_idx); +- xenvif_tx_create_map_op(queue, pending_idx, &txreq, +- extra_count, gop); +- gop++; +- } else { +- frag_set_pending_idx(&skb_shinfo(skb)->frags[0], +- INVALID_PENDING_IDX); +- memcpy(&queue->pending_tx_info[pending_idx].req, +- &txreq, sizeof(txreq)); +- queue->pending_tx_info[pending_idx].extra_count = +- extra_count; +- } +- +- queue->pending_cons++; +- +- gop = xenvif_get_requests(queue, skb, txfrags, gop, +- frag_overflow, nskb); ++ xenvif_get_requests(queue, skb, &txreq, txfrags, copy_ops, ++ map_ops, frag_overflow, nskb, extra_count, ++ data_len); + + __skb_queue_tail(&queue->tx_queue, skb); + + queue->tx.req_cons = idx; + +- if (((gop-queue->tx_map_ops) >= ARRAY_SIZE(queue->tx_map_ops)) || ++ if ((*map_ops >= ARRAY_SIZE(queue->tx_map_ops)) || + (*copy_ops >= ARRAY_SIZE(queue->tx_copy_ops))) + break; + } + +- (*map_ops) = gop - queue->tx_map_ops; + return; + } + +@@ -1114,9 +1150,8 @@ static int xenvif_tx_submit(struct xenvif_queue *queue) + while ((skb = __skb_dequeue(&queue->tx_queue)) != NULL) { + struct xen_netif_tx_request *txp; + u16 pending_idx; +- unsigned data_len; + +- pending_idx = XENVIF_TX_CB(skb)->pending_idx; ++ pending_idx = copy_pending_idx(skb, 0); + txp = &queue->pending_tx_info[pending_idx].req; + + /* Check the remap error code. */ +@@ -1135,18 +1170,6 @@ static int xenvif_tx_submit(struct xenvif_queue *queue) + continue; + } + +- data_len = skb->len; +- callback_param(queue, pending_idx).ctx = NULL; +- if (data_len < txp->size) { +- /* Append the packet payload as a fragment. */ +- txp->offset += data_len; +- txp->size -= data_len; +- } else { +- /* Schedule a response immediately. */ +- xenvif_idx_release(queue, pending_idx, +- XEN_NETIF_RSP_OKAY); +- } +- + if (txp->flags & XEN_NETTXF_csum_blank) + skb->ip_summed = CHECKSUM_PARTIAL; + else if (txp->flags & XEN_NETTXF_data_validated) +@@ -1332,7 +1355,7 @@ static inline void xenvif_tx_dealloc_action(struct xenvif_queue *queue) + /* Called after netfront has transmitted */ + int xenvif_tx_action(struct xenvif_queue *queue, int budget) + { +- unsigned nr_mops, nr_cops = 0; ++ unsigned nr_mops = 0, nr_cops = 0; + int work_done, ret; + + if (unlikely(!tx_work_todo(queue))) +-- +2.35.3 + diff --git a/patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch b/patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch new file mode 100644 index 0000000..1216235 --- /dev/null +++ b/patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch @@ -0,0 +1,102 @@ +Patch-mainline: v6.1 +Git-commit: 74e7e1efdad45580cc3839f2a155174cf158f9b5 +References: bsc#1206114, XSA-424, CVE-2022-42328, CVE-2022-42329 +From: Juergen Gross +Date: Tue, 6 Dec 2022 08:54:24 +0100 +Subject: [PATCH] xen/netback: don't call kfree_skb() with interrupts disabled + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So remove kfree_skb() +from the spin_lock_irqsave() section and use the already existing +"drop" label in xenvif_start_xmit() for dropping the SKB. At the +same time replace the dev_kfree_skb() call there with a call of +dev_kfree_skb_any(), as xenvif_start_xmit() can be called with +disabled interrupts. + +This is XSA-424 / CVE-2022-42328 / CVE-2022-42329. + +Fixes: be81992f9086 ("xen/netback: don't queue unlimited number of packages") +Reported-by: Yang Yingliang +Signed-off-by: Juergen Gross +Reviewed-by: Jan Beulich +Signed-off-by: Juergen Gross +--- + drivers/net/xen-netback/common.h | 2 +- + drivers/net/xen-netback/interface.c | 6 ++++-- + drivers/net/xen-netback/rx.c | 8 +++++--- + 3 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h +index 1545cbee77a4..3dbfc8a6924e 100644 +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -386,7 +386,7 @@ int xenvif_dealloc_kthread(void *data); + + bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread); + void xenvif_rx_action(struct xenvif_queue *queue); +-void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb); ++bool xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb); + + void xenvif_carrier_on(struct xenvif *vif); + +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 650fa180220f..f3f2c07423a6 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -254,14 +254,16 @@ xenvif_start_xmit(struct sk_buff *skb, struct net_device *dev) + if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE) + skb_clear_hash(skb); + +- xenvif_rx_queue_tail(queue, skb); ++ if (!xenvif_rx_queue_tail(queue, skb)) ++ goto drop; ++ + xenvif_kick_thread(queue); + + return NETDEV_TX_OK; + + drop: + vif->dev->stats.tx_dropped++; +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + return NETDEV_TX_OK; + } + +diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c +index 932762177110..0ba754ebc5ba 100644 +--- a/drivers/net/xen-netback/rx.c ++++ b/drivers/net/xen-netback/rx.c +@@ -82,9 +82,10 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue) + return false; + } + +-void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb) ++bool xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb) + { + unsigned long flags; ++ bool ret = true; + + spin_lock_irqsave(&queue->rx_queue.lock, flags); + +@@ -92,8 +93,7 @@ void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb) + struct net_device *dev = queue->vif->dev; + + netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id)); +- kfree_skb(skb); +- queue->vif->dev->stats.rx_dropped++; ++ ret = false; + } else { + if (skb_queue_empty(&queue->rx_queue)) + xenvif_update_needed_slots(queue, skb); +@@ -104,6 +104,8 @@ void xenvif_rx_queue_tail(struct xenvif_queue *queue, struct sk_buff *skb) + } + + spin_unlock_irqrestore(&queue->rx_queue.lock, flags); ++ ++ return ret; + } + + static struct sk_buff *xenvif_rx_dequeue(struct xenvif_queue *queue) +-- +2.35.3 + diff --git a/series.conf b/series.conf index dc88d98..fb62b1f 100644 --- a/series.conf +++ b/series.conf @@ -23176,6 +23176,7 @@ patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch patches.suse/net-ena-Fix-error-handling-when-calculating-max-IO-q.patch + patches.suse/RDMA-uverbs-Check-for-null-return-of-kmalloc_array.patch patches.suse/cgroup-Use-open-time-credentials-for-process-migraton-perm-checks.patch patches.suse/cgroup-Allocate-cgroup_file_ctx-for-kernfs_open_file-priv.patch patches.suse/cgroup-Use-open-time-cgroup-namespace-for-process-migration-perm-checks.patch @@ -23222,6 +23223,7 @@ patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch + patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch patches.suse/msft-hv-2510-PCI-hv-Make-the-code-arch-neutral-by-adding-arch-spe.patch patches.suse/msft-hv-2484-PCI-hv-Use-PCI_ERROR_RESPONSE-to-identify-config-rea.patch patches.suse/livepatch-Avoid-CPU-hogging-with-cond_resched.patch @@ -23453,6 +23455,7 @@ patches.suse/fs-add-mode_strip_sgid-helper.patch patches.suse/fs-Add-missing-umask-strip-in-vfs_tmpfile.patch patches.suse/fs-move-S_ISGID-stripping-into-the-vfs_-helpers.patch + patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch patches.suse/netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch patches.suse/netfilter-nf_tables-do-not-allow-RULE_ID-to-refer-to.patch patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch @@ -23464,6 +23467,7 @@ patches.suse/msft-hv-2639-scsi-storvsc-Remove-WQ_MEM_RECLAIM-from-storvsc_erro.patch patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch patches.suse/bpf-Don-t-use-tnum_range-on-array-range-checking-for.patch + patches.suse/USB-core-Prevent-nested-device-reset-calls.patch patches.suse/media-mceusb-Use-new-usb_control_msg_-routines.patch patches.suse/mm-pagewalk-Fix-race-between-unmap-and-page-walker.patch patches.suse/staging-rtl8712-fix-use-after-free-bugs.patch @@ -23485,14 +23489,17 @@ patches.suse/fs-fix-UAF-GPF-bug-in-nilfs_mdt_destroy.patch patches.suse/nvme-restrict-management-ioctls-to-admin.patch patches.suse/nvme-ensure-subsystem-reset-is-single-threaded.patch + patches.suse/HID-roccat-Fix-use-after-free-in-roccat_read.patch patches.suse/msft-hv-2651-scsi-storvsc-Drop-DID_TARGET_FAILURE-use.patch patches.suse/scsi-stex-Properly-zero-out-the-passthrough-command-structure.patch patches.suse/usb-mon-make-mmapped-memory-read-only.patch + patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch patches.suse/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch patches.suse/nilfs2-fix-NULL-pointer-dereference-at-nilfs_bmap_lo.patch patches.suse/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thre.patch patches.suse/msft-hv-2671-hv_netvsc-Fix-race-between-VF-offering-and-VF-associ.patch + patches.suse/0001-ipv6-ping-fix-wrong-checksum-for-large-frames.patch patches.suse/tcp-udp-Fix-memory-leak-in-ipv6_renew_options.patch patches.suse/ipv6-Fix-data-races-around-sk-sk_prot.patch patches.suse/wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch @@ -23502,6 +23509,7 @@ patches.suse/wifi-cfg80211-fix-BSS-refcounting-bugs.patch patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch patches.suse/kcm-avoid-potential-race-in-kcm_tx_work.patch + patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch patches.suse/Bluetooth-L2CAP-Fix-attempting-to-access-uninitializ.patch patches.suse/msft-hv-2678-PCI-hv-Fix-the-definition-of-vector-in-hv_compose_ms.patch @@ -23510,6 +23518,11 @@ patches.suse/msft-hv-2681-PCI-hv-Only-reuse-existing-IRTE-allocation-for-Multi.patch patches.suse/msft-hv-2682-Drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch patches.suse/msft-hv-2683-Drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch + patches.suse/drm-i915-fix-TLB-invalidation-for-Gen12-video-and-co.patch + patches.suse/proc-avoid-integer-type-confusion-in-get_proc_long.patch + patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch + patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch + patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch ######################################################## # end of sorted patches @@ -23547,10 +23560,10 @@ patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch - patches.suse/fbdev-smscufx-Fix-use-after-free-in-ufx_ops_open.patch patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch + patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch ######################################################## # kbuild/module infrastructure fixes @@ -23725,6 +23738,7 @@ patches.suse/net-sctp-filter-remap-copy_from_user-failure-error.patch patches.suse/NFC-SUSE-specific-brutal-fix-for-runtime-PM.patch patches.suse/net-allow-retransmitting-a-TCP-packet-if-original-is.patch + patches.suse/0001-sctp-sysctl-make-extra-pointers-netns-aware.patch ######################################################## # Security