diff --git a/README b/README index db1a48a..96589fc 100644 --- a/README +++ b/README @@ -194,9 +194,11 @@ depending on the impact of your changes. Use scripts/tar-up.sh for creating an OBS package directory. The kernel source tree that scripts/sequence-patch.sh creates can be -test compiled as follows: +test-compiled. Before that, make sure all prerequisites are installed. +These include libopenssl-devel, libelf-devel, and dwarves (look into +rpm/kernel-binary.spec.in for a complete list). Then, the compilation +can be done as follows: - $ cp config/i386/default /var/tmp/scratch/linux-5.3-SLE15-SP3 $ cd /var/tmp/scratch/linux-5.3-SLE15-SP3 $ make oldconfig $ make diff --git a/patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch b/patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch new file mode 100644 index 0000000..c7b58a9 --- /dev/null +++ b/patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch @@ -0,0 +1,35 @@ +From 905483d9ea93e05d019664b3cfd078870233faaa Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 20 Feb 2023 10:38:08 +0100 +Subject: drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Patch-mainline: Never, quick fix for CVE-2022-38096 +References: bsc#1203331 CVE-2022-38096 + +See bsc#1203331. + +Suggested-by: Michal Koutný +Signed-off-by: Thomas Zimmermann +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index b652822a19671..e3f4da096fd41 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -1266,7 +1266,7 @@ static int vmw_cmd_dx_define_query(struct vmw_private *dev_priv, + struct vmw_resource *cotable_res; + int ret; + +- if (!ctx_node) ++ if (!ctx_node || !ctx_node->ctx) + return -EINVAL; + + cmd = container_of(header, typeof(*cmd), header); +-- +2.39.2 + diff --git a/patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch b/patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch new file mode 100644 index 0000000..47bdb00 --- /dev/null +++ b/patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch @@ -0,0 +1,41 @@ +From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Tue, 25 Oct 2022 23:19:35 -0400 +Subject: drm/vmwgfx: Validate the box size for the snooped cursor +Git-commit: 4cf949c7fafe21e085a4ee386bb2dade9067316e +Patch-mainline: v6.2-rc1 +References: bsc#1203332 CVE-2022-36280 + +Invalid userspace dma surface copies could potentially overflow +the memcpy from the surface to the snooped image leading to crashes. +To fix it the dimensions of the copybox have to be validated +against the expected size of the snooped cursor. + +Signed-off-by: Zack Rusin +Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes") +Cc: # v3.2+ +Reviewed-by: Michael Banack +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org +Acked-by: Thomas Zimmermann +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 0342efdf9063..d434b6ae1092 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -393,7 +393,8 @@ void vmw_kms_cursor_snoop(struct vmw_surface *srf, + if (cmd->dma.guest.ptr.offset % PAGE_SIZE || + box->x != 0 || box->y != 0 || box->z != 0 || + box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || +- box->d != 1 || box_count != 1) { ++ box->d != 1 || box_count != 1 || ++ box->w > 64 || box->h > 64) { + /* TODO handle none page aligned offsets */ + /* TODO handle more dst & src != 0 */ + /* TODO handle more then one copy */ +-- +2.39.1 + diff --git a/patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch b/patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch new file mode 100644 index 0000000..f437b3b --- /dev/null +++ b/patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch @@ -0,0 +1,65 @@ +From 0ed554fd769a19ea8464bb83e9ac201002ef74ad Mon Sep 17 00:00:00 2001 +From: Baisong Zhong +Date: Sun, 20 Nov 2022 06:59:18 +0000 +Subject: [PATCH] media: dvb-usb: az6027: fix null-ptr-deref in + az6027_i2c_xfer() +Git-commit: 0ed554fd769a19ea8464bb83e9ac201002ef74ad +Patch-mainline: v6.2-rc1 +References: bsc#1209291 CVE-2023-28328 + +Wei Chen reports a kernel bug as blew: + +general protection fault, probably for non-canonical address +Kasan: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +... +Call Trace: + +__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109 +i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170 +i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297 +i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:870 [inline] +__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +Rip: 0033:0x7fd834a8bded + +In az6027_i2c_xfer(), if msg[i].addr is 0x99, +a null-ptr-deref will caused when accessing msg[i].buf. +For msg[i].len is 0 and msg[i].buf is null. + +Fix this by checking msg[i].len in az6027_i2c_xfer(). + +Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/ + +Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com +Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") +Reported-by: Wei Chen +Signed-off-by: Baisong Zhong +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Vasant Karasulli + +--- + drivers/media/usb/dvb-usb/az6027.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index cf15988dfb51..7d78ee09be5e 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -975,6 +975,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + if (msg[i].addr == 0x99) { + req = 0xBE; + index = 0; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + value = msg[i].buf[0] & 0x00ff; + length = 1; + az6027_usb_out_op(d, req, value, index, data, length); +-- +2.34.1 + diff --git a/patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch b/patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch new file mode 100644 index 0000000..93c0d3d --- /dev/null +++ b/patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch @@ -0,0 +1,173 @@ +From 9fefb6201c4f8dd9f58c581b2a66e5cde2895ea2 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sun, 12 Feb 2023 18:59:59 +0000 +Subject: [PATCH] HID: bigben: use spinlock to protect concurrent accesses +Git-commit: 9fefb6201c4f8dd9f58c581b2a66e5cde2895ea2 +Patch-mainline: v6.3-rc1 +References: CVE-2023-25012 bsc#1207560 + +bigben driver has a worker that may access data concurrently. +Proct the accesses using a spinlock. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-1-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 52 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 50 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index e8b16665860d..ed3d2d7bc1dd 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -174,6 +174,7 @@ static __u8 pid0902_rdesc_fixed[] = { + struct bigben_device { + struct hid_device *hid; + struct hid_report *report; ++ spinlock_t lock; + bool removed; + u8 led_state; /* LED1 = 1 .. LED4 = 8 */ + u8 right_motor_on; /* right motor off/on 0/1 */ +@@ -190,12 +191,27 @@ static void bigben_worker(struct work_struct *work) + struct bigben_device *bigben = container_of(work, + struct bigben_device, worker); + struct hid_field *report_field = bigben->report->field[0]; ++ bool do_work_led = false; ++ bool do_work_ff = false; ++ u8 *buf; ++ u32 len; ++ unsigned long flags; + + if (bigben->removed || !report_field) + return; + ++ buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); ++ if (!buf) ++ return; ++ ++ len = hid_report_len(bigben->report); ++ ++ /* LED work */ ++ spin_lock_irqsave(&bigben->lock, flags); ++ + if (bigben->work_led) { + bigben->work_led = false; ++ do_work_led = true; + report_field->value[0] = 0x01; /* 1 = led message */ + report_field->value[1] = 0x08; /* reserved value, always 8 */ + report_field->value[2] = bigben->led_state; +@@ -204,11 +220,22 @@ static void bigben_worker(struct work_struct *work) + report_field->value[5] = 0x00; /* padding */ + report_field->value[6] = 0x00; /* padding */ + report_field->value[7] = 0x00; /* padding */ +- hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); ++ hid_output_report(bigben->report, buf); ++ } ++ ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ ++ if (do_work_led) { ++ hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, ++ bigben->report->type, HID_REQ_SET_REPORT); + } + ++ /* FF work */ ++ spin_lock_irqsave(&bigben->lock, flags); ++ + if (bigben->work_ff) { + bigben->work_ff = false; ++ do_work_ff = true; + report_field->value[0] = 0x02; /* 2 = rumble effect message */ + report_field->value[1] = 0x08; /* reserved value, always 8 */ + report_field->value[2] = bigben->right_motor_on; +@@ -217,8 +244,17 @@ static void bigben_worker(struct work_struct *work) + report_field->value[5] = 0x00; /* padding */ + report_field->value[6] = 0x00; /* padding */ + report_field->value[7] = 0x00; /* padding */ +- hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); ++ hid_output_report(bigben->report, buf); ++ } ++ ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ ++ if (do_work_ff) { ++ hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, ++ bigben->report->type, HID_REQ_SET_REPORT); + } ++ ++ kfree(buf); + } + + static int hid_bigben_play_effect(struct input_dev *dev, void *data, +@@ -228,6 +264,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + struct bigben_device *bigben = hid_get_drvdata(hid); + u8 right_motor_on; + u8 left_motor_force; ++ unsigned long flags; + + if (!bigben) { + hid_err(hid, "no device data\n"); +@@ -242,9 +279,12 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + + if (right_motor_on != bigben->right_motor_on || + left_motor_force != bigben->left_motor_force) { ++ spin_lock_irqsave(&bigben->lock, flags); + bigben->right_motor_on = right_motor_on; + bigben->left_motor_force = left_motor_force; + bigben->work_ff = true; ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ + schedule_work(&bigben->worker); + } + +@@ -259,6 +299,7 @@ static void bigben_set_led(struct led_classdev *led, + struct bigben_device *bigben = hid_get_drvdata(hid); + int n; + bool work; ++ unsigned long flags; + + if (!bigben) { + hid_err(hid, "no device data\n"); +@@ -267,6 +308,7 @@ static void bigben_set_led(struct led_classdev *led, + + for (n = 0; n < NUM_LEDS; n++) { + if (led == bigben->leds[n]) { ++ spin_lock_irqsave(&bigben->lock, flags); + if (value == LED_OFF) { + work = (bigben->led_state & BIT(n)); + bigben->led_state &= ~BIT(n); +@@ -274,6 +316,7 @@ static void bigben_set_led(struct led_classdev *led, + work = !(bigben->led_state & BIT(n)); + bigben->led_state |= BIT(n); + } ++ spin_unlock_irqrestore(&bigben->lock, flags); + + if (work) { + bigben->work_led = true; +@@ -307,8 +350,12 @@ static enum led_brightness bigben_get_led(struct led_classdev *led) + static void bigben_remove(struct hid_device *hid) + { + struct bigben_device *bigben = hid_get_drvdata(hid); ++ unsigned long flags; + ++ spin_lock_irqsave(&bigben->lock, flags); + bigben->removed = true; ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ + cancel_work_sync(&bigben->worker); + hid_hw_stop(hid); + } +@@ -362,6 +409,7 @@ static int bigben_probe(struct hid_device *hid, + set_bit(FF_RUMBLE, hidinput->input->ffbit); + + INIT_WORK(&bigben->worker, bigben_worker); ++ spin_lock_init(&bigben->lock); + + error = input_ff_create_memless(hidinput->input, NULL, + hid_bigben_play_effect); +-- +2.35.3 + diff --git a/patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch b/patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch new file mode 100644 index 0000000..efc24c0 --- /dev/null +++ b/patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch @@ -0,0 +1,83 @@ +From 76ca8da989c7d97a7f76c75d475fe95a584439d7 Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sun, 12 Feb 2023 19:00:01 +0000 +Subject: [PATCH] HID: bigben: use spinlock to safely schedule workers +Git-commit: 76ca8da989c7d97a7f76c75d475fe95a584439d7 +Patch-mainline: v6.3-rc1 +References: CVE-2023-25012 bsc#1207560 + +Use spinlocks to deal with workers introducing a wrapper +bigben_schedule_work(), and several spinlock checks. +Otherwise, bigben_set_led() may schedule bigben->worker after the +structure has been freed, causing a use-after-free. + +Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index b98c5f31c184..9d6560db762b 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -185,6 +185,15 @@ struct bigben_device { + struct work_struct worker; + }; + ++static inline void bigben_schedule_work(struct bigben_device *bigben) ++{ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&bigben->lock, flags); ++ if (!bigben->removed) ++ schedule_work(&bigben->worker); ++ spin_unlock_irqrestore(&bigben->lock, flags); ++} + + static void bigben_worker(struct work_struct *work) + { +@@ -197,9 +206,6 @@ static void bigben_worker(struct work_struct *work) + u32 len; + unsigned long flags; + +- if (bigben->removed) +- return; +- + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); + if (!buf) + return; +@@ -285,7 +291,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + bigben->work_ff = true; + spin_unlock_irqrestore(&bigben->lock, flags); + +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + } + + return 0; +@@ -320,7 +326,7 @@ static void bigben_set_led(struct led_classdev *led, + + if (work) { + bigben->work_led = true; +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + } + return; + } +@@ -450,7 +456,7 @@ static int bigben_probe(struct hid_device *hid, + bigben->left_motor_force = 0; + bigben->work_led = true; + bigben->work_ff = true; +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + + hid_info(hid, "LED and force feedback support for BigBen gamepad\n"); + +-- +2.35.3 + diff --git a/patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch b/patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch new file mode 100644 index 0000000..a5d189b --- /dev/null +++ b/patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch @@ -0,0 +1,44 @@ +From 27d2a2fd844ec7da70d19fabb482304fd1e0595b Mon Sep 17 00:00:00 2001 +From: Pietro Borrello +Date: Sun, 12 Feb 2023 19:00:00 +0000 +Subject: [PATCH] HID: bigben_worker() remove unneeded check on report_field +Git-commit: 27d2a2fd844ec7da70d19fabb482304fd1e0595b +Patch-mainline: v6.3-rc1 +References: CVE-2023-25012 bsc#1207560 + +bigben_worker() checks report_field to be non-NULL. +The check has been added in commit +918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") +to prevent a NULL pointer crash. +However, the true root cause was a missing check for output +reports, patched in commit +c7bf714f8755 ("HID: check empty report_list in bigben_probe()"), +where the type-confused report list_entry was overlapping with +a NULL pointer, which was then causing the crash. + +Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Acked-by: Takashi Iwai + +--- + drivers/hid/hid-bigbenff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index ed3d2d7bc1dd..b98c5f31c184 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -197,7 +197,7 @@ static void bigben_worker(struct work_struct *work) + u32 len; + unsigned long flags; + +- if (bigben->removed || !report_field) ++ if (bigben->removed) + return; + + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); +-- +2.35.3 + diff --git a/patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch b/patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch new file mode 100644 index 0000000..0e6118d --- /dev/null +++ b/patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch @@ -0,0 +1,72 @@ +From: Yonatan Nachum +Date: Mon, 9 Jan 2023 13:37:11 +0000 +Subject: RDMA/core: Fix ib block iterator counter overflow +Patch-mainline: v6.2-rc5 +Git-commit: 0afec5e9cea732cb47014655685a2a47fb180c31 +References: bsc#1207878 + +When registering a new DMA MR after selecting the best aligned page size +for it, we iterate over the given sglist to split each entry to smaller, +aligned to the selected page size, DMA blocks. + +In given circumstances where the sg entry and page size fit certain +sizes and the sg entry is not aligned to the selected page size, the +total size of the aligned pages we need to cover the sg entry is >= 4GB. +Under this circumstances, while iterating page aligned blocks, the +counter responsible for counting how much we advanced from the start of +the sg entry is overflowed because its type is u32 and we pass 4GB in +size. This can lead to an infinite loop inside the iterator function +because the overflow prevents the counter to be larger +than the size of the sg entry. + +Fix the presented problem by changing the advancement condition to +eliminate overflow. + +Backtrace: +[ 192.374329] efa_reg_user_mr_dmabuf +[ 192.376783] efa_register_mr +[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000 +[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000] +[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3 +[ 192.399559] hp_cnt[3], pages_in_hp[524288] +[ 192.403690] umem->sgt_append.sgt.nents[1] +[ 192.407905] number entries: [1], pg_bit: [31] +[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472] +[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472] +[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472] + +Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks") +Signed-off-by: Yonatan Nachum +Link: https://lore.kernel.org/r/20230109133711.13678-1-ynachum@amazon.com +Signed-off-by: Leon Romanovsky +Acked-by: Thomas Bogendoerfer +--- + drivers/infiniband/core/verbs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2915,15 +2915,18 @@ EXPORT_SYMBOL(__rdma_block_iter_start); + bool __rdma_block_iter_next(struct ib_block_iter *biter) + { + unsigned int block_offset; ++ unsigned int sg_delta; + + if (!biter->__sg_nents || !biter->__sg) + return false; + + biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance; + block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1); +- biter->__sg_advance += BIT_ULL(biter->__pg_bit) - block_offset; ++ sg_delta = BIT_ULL(biter->__pg_bit) - block_offset; + +- if (biter->__sg_advance >= sg_dma_len(biter->__sg)) { ++ if (sg_dma_len(biter->__sg) - biter->__sg_advance > sg_delta) { ++ biter->__sg_advance += sg_delta; ++ } else { + biter->__sg_advance = 0; + biter->__sg = sg_next(biter->__sg); + biter->__sg_nents--; diff --git a/patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch b/patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch new file mode 100644 index 0000000..ee3b21a --- /dev/null +++ b/patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch @@ -0,0 +1,131 @@ +From 153695d36ead0ccc4d0256953c751cabf673e621 Mon Sep 17 00:00:00 2001 +From: Zeng Heng +Date: Thu, 27 Oct 2022 20:45:28 +0800 +Subject: [PATCH] cifs: fix use-after-free caused by invalid pointer `hostname` +References: bsc#1208971 +Git-commit: 153695d36ead0ccc4d0256953c751cabf673e621 +Patch-mainline: v6.1 + +`hostname` needs to be set as null-pointer after free in +`cifs_put_tcp_session` function, or when `cifsd` thread attempts +to resolve hostname and reconnect the host, the thread would deref +the invalid pointer. + +Here is one of practical backtrace examples as reference: + +Task 477 +--------------------------- + do_mount + path_mount + do_new_mount + vfs_get_tree + smb3_get_tree + smb3_get_tree_common + cifs_smb3_do_mount + cifs_mount + mount_put_conns + cifs_put_tcp_session + --> kfree(server->hostname) + +cifsd +--------------------------- + kthread + cifs_demultiplex_thread + cifs_reconnect + reconn_set_ipaddr_from_hostname + --> if (!server->hostname) + --> if (server->hostname[0] == '\0') // !! UAF fault here + +CIFS: VFS: cifs_mount failed w/return code = -112 +mount error(112): Host is down +BUG: KASAN: use-after-free in reconn_set_ipaddr_from_hostname+0x2ba/0x310 +Read of size 1 at addr ffff888108f35380 by task cifsd/480 +CPU: 2 PID: 480 Comm: cifsd Not tainted 6.1.0-rc2-00106-gf705792f89dd-dirty #25 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +Call Trace: + + dump_stack_lvl+0x68/0x85 + print_report+0x16c/0x4a3 + kasan_report+0x95/0x190 + reconn_set_ipaddr_from_hostname+0x2ba/0x310 + __cifs_reconnect.part.0+0x241/0x800 + cifs_reconnect+0x65f/0xb60 + cifs_demultiplex_thread+0x1570/0x2570 + kthread+0x2c5/0x380 + ret_from_fork+0x22/0x30 + +Allocated by task 477: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7e/0x90 + __kmalloc_node_track_caller+0x52/0x1b0 + kstrdup+0x3b/0x70 + cifs_get_tcp_session+0xbc/0x19b0 + mount_get_conns+0xa9/0x10c0 + cifs_mount+0xdf/0x1970 + cifs_smb3_do_mount+0x295/0x1660 + smb3_get_tree+0x352/0x5e0 + vfs_get_tree+0x8e/0x2e0 + path_mount+0xf8c/0x1990 + do_mount+0xee/0x110 + __x64_sys_mount+0x14b/0x1f0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +Freed by task 477: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0x10a/0x190 + __kmem_cache_free+0xca/0x3f0 + cifs_put_tcp_session+0x30c/0x450 + cifs_mount+0xf95/0x1970 + cifs_smb3_do_mount+0x295/0x1660 + smb3_get_tree+0x352/0x5e0 + vfs_get_tree+0x8e/0x2e0 + path_mount+0xf8c/0x1990 + do_mount+0xee/0x110 + __x64_sys_mount+0x14b/0x1f0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +The buggy address belongs to the object at ffff888108f35380 + which belongs to the cache kmalloc-16 of size 16 +The buggy address is located 0 bytes inside of + 16-byte region [ffff888108f35380, ffff888108f35390) +The buggy address belongs to the physical page: +page:00000000333f8e58 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888108f350e0 pfn:0x108f35 +flags: 0x200000000000200(slab|node=0|zone=2) +raw: 0200000000000200 0000000000000000 dead000000000122 ffff8881000423c0 +raw: ffff888108f350e0 000000008080007a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +Memory state around the buggy address: + ffff888108f35280: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc + ffff888108f35300: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc +>ffff888108f35380: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc + ^ + ffff888108f35400: fa fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888108f35480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 7be3248f3139 ("cifs: To match file servers, make sure the server hostname matches") +Signed-off-by: Zeng Heng +Reviewed-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Oscar Salvador +--- + fs/cifs/connect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index ffb291579bb9..1cc47dd3b4d6 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1584,6 +1584,7 @@ cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect) + server->session_key.response = NULL; + server->session_key.len = 0; + kfree(server->hostname); ++ server->hostname = NULL; + + task = xchg(&server->tsk, NULL); + if (task) +-- +2.35.3 + diff --git a/patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch b/patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch new file mode 100644 index 0000000..4219818 --- /dev/null +++ b/patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch @@ -0,0 +1,130 @@ +From: Thomas Gleixner +Date: Fri, 3 Sep 2021 11:24:17 -0400 +Subject: genirq: Provide new interfaces for affinity hints +Patch-mainline: v5.17-rc1 +Git-commit: 65c7cdedeb3026fabcc967a7aae2f755ad4d0783 +References: bsc#1208153 + +The discussion about removing the side effect of irq_set_affinity_hint() of +actually applying the cpumask (if not NULL) as affinity to the interrupt, +unearthed a few unpleasantries: + + 1) The modular perf drivers rely on the current behaviour for the very + wrong reasons. + + 2) While none of the other drivers prevents user space from changing + the affinity, a cursorily inspection shows that there are at least + expectations in some drivers. + +#1 needs to be cleaned up anyway, so that's not a problem + +#2 might result in subtle regressions especially when irqbalanced (which + nowadays ignores the affinity hint) is disabled. + +Provide new interfaces: + + irq_update_affinity_hint() - Only sets the affinity hint pointer + irq_set_affinity_and_hint() - Set the pointer and apply the affinity to + the interrupt + +Make irq_set_affinity_hint() a wrapper around irq_apply_affinity_hint() and +document it to be phased out. + +SUSE: For kABI compliance changed this patch to leave irq_set_affinity_hint() + alone and only add the new interfaces. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Nitesh Narayan Lal +Signed-off-by: Thomas Gleixner +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20210501021832.743094-1-jesse.brandeburg@intel.com +Link: https://lore.kernel.org/r/20210903152430.244937-2-nitesh@redhat.com +Acked-by: Thomas Bogendoerfer +--- + include/linux/interrupt.h | 42 ++++++++++++++++++++++++++++++++++++++++++ + kernel/irq/manage.c | 16 ++++++++++++++++ + 2 files changed, 58 insertions(+) + +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -336,6 +336,36 @@ extern int irq_can_set_affinity(unsigned + extern int irq_select_affinity(unsigned int irq); + + extern int irq_set_affinity_hint(unsigned int irq, const struct cpumask *m); ++extern int __irq_apply_affinity_hint(unsigned int irq, const struct cpumask *m, ++ bool setaffinity); ++ ++/** ++ * irq_update_affinity_hint - Update the affinity hint ++ * @irq: Interrupt to update ++ * @m: cpumask pointer (NULL to clear the hint) ++ * ++ * Updates the affinity hint, but does not change the affinity of the interrupt. ++ */ ++static inline int ++irq_update_affinity_hint(unsigned int irq, const struct cpumask *m) ++{ ++ return __irq_apply_affinity_hint(irq, m, false); ++} ++ ++/** ++ * irq_set_affinity_and_hint - Update the affinity hint and apply the provided ++ * cpumask to the interrupt ++ * @irq: Interrupt to update ++ * @m: cpumask pointer (NULL to clear the hint) ++ * ++ * Updates the affinity hint and if @m is not NULL it applies it as the ++ * affinity of that interrupt. ++ */ ++static inline int ++irq_set_affinity_and_hint(unsigned int irq, const struct cpumask *m) ++{ ++ return __irq_apply_affinity_hint(irq, m, true); ++} + + extern int + irq_set_affinity_notifier(unsigned int irq, struct irq_affinity_notify *notify); +@@ -365,6 +395,18 @@ static inline int irq_can_set_affinity(u + + static inline int irq_select_affinity(unsigned int irq) { return 0; } + ++static inline int irq_update_affinity_hint(unsigned int irq, ++ const struct cpumask *m) ++{ ++ return -EINVAL; ++} ++ ++static inline int irq_set_affinity_and_hint(unsigned int irq, ++ const struct cpumask *m) ++{ ++ return -EINVAL; ++} ++ + static inline int irq_set_affinity_hint(unsigned int irq, + const struct cpumask *m) + { +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -322,6 +322,22 @@ int irq_set_affinity_hint(unsigned int i + } + EXPORT_SYMBOL_GPL(irq_set_affinity_hint); + ++int __irq_apply_affinity_hint(unsigned int irq, const struct cpumask *m, ++ bool setaffinity) ++{ ++ unsigned long flags; ++ struct irq_desc *desc = irq_get_desc_lock(irq, &flags, IRQ_GET_DESC_CHECK_GLOBAL); ++ ++ if (!desc) ++ return -EINVAL; ++ desc->affinity_hint = m; ++ irq_put_desc_unlock(desc, flags); ++ if (m && setaffinity) ++ __irq_set_affinity(irq, m, false); ++ return 0; ++} ++EXPORT_SYMBOL_GPL(__irq_apply_affinity_hint); ++ + static void irq_affinity_notify(struct work_struct *work) + { + struct irq_affinity_notify *notify = diff --git a/patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch b/patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch new file mode 100644 index 0000000..bff7a8e --- /dev/null +++ b/patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch @@ -0,0 +1,30 @@ +From 15342f930ebebcfe36f2415049736a77d7d2e045 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 13 Dec 2021 07:21:15 +0000 +Subject: malidp: Fix NULL vs IS_ERR() checking +Git-commit: 15342f930ebebcfe36f2415049736a77d7d2e045 +Patch-mainline: v5.19-rc1 +References: bsc#1208843 CVE-2023-23004 + +The get_sg_table() function does not return NULL. +It returns error pointers. + +Signed-off-by: Miaoqian Lin +Signed-off-by: Liviu Dudau +Link: https://lore.kernel.org/dri-devel/20211213072115.18098-1-linmq006@gmail.com/ +Acked-by: Patrik Jakobsson +--- + drivers/gpu/drm/arm/malidp_planes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/arm/malidp_planes.c ++++ b/drivers/gpu/drm/arm/malidp_planes.c +@@ -346,7 +346,7 @@ + else + sgt = obj->dev->driver->gem_prime_get_sg_table(obj); + +- if (!sgt) ++ if (IS_ERR(sgt)) + return false; + + sgl = sgt->sgl; diff --git a/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch new file mode 100644 index 0000000..47b3951 --- /dev/null +++ b/patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch @@ -0,0 +1,83 @@ +From 29b0589a865b6f66d141d79b2dd1373e4e50fe17 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 24 Jan 2023 08:55:33 +0100 +Subject: [PATCH] media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() +Git-commit: 29b0589a865b6f66d141d79b2dd1373e4e50fe17 +Patch-mainline: v6.3-rc1 +References: CVE-2023-1118 bsc#1208837 + +When the ene device is detaching, function ene_remove() will +be called. But there is no function to cancel tx_sim_timer +in ene_remove(), the timer handler ene_tx_irqsim() could race +with ene_remove(). As a result, the UAF bugs could happen, +the process is shown below. + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +ene_remove() | (wait a time) + | ene_tx_irqsim() + | dev->hw_lock //USE + | ene_tx_sample(dev) //USE + +Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(), +The tx_sim_timer could stop before ene device is deallocated. + +What's more, The rc_unregister_device() and del_timer_sync() +should be called first in ene_remove() and the deallocated +functions such as free_irq(), release_region() and so on +should be called behind them. Because the rc_unregister_device() +is well synchronized. Otherwise, race conditions may happen. The +situations that may lead to race conditions are shown below. + +Firstly, the rx receiver is disabled with ene_rx_disable() +before rc_unregister_device() in ene_remove(), which means it +can be enabled again if a process opens /dev/lirc0 between +ene_rx_disable() and rc_unregister_device(). + +Secondly, the irqaction descriptor is freed by free_irq() +before the rc device is unregistered, which means irqaction +descriptor may be accessed again after it is deallocated. + +Thirdly, the timer can call ene_tx_sample() that can write +to the io ports, which means the io ports could be accessed +again after they are deallocated by release_region(). + +Therefore, the rc_unregister_device() and del_timer_sync() +should be called first in ene_remove(). + +Suggested by: Sean Young + +Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Takashi Iwai + +--- + drivers/media/rc/ene_ir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c +index e09270916fbc..11ee21a7db8f 100644 +--- a/drivers/media/rc/ene_ir.c ++++ b/drivers/media/rc/ene_ir.c +@@ -1106,6 +1106,8 @@ static void ene_remove(struct pnp_dev *pnp_dev) + struct ene_device *dev = pnp_get_drvdata(pnp_dev); + unsigned long flags; + ++ rc_unregister_device(dev->rdev); ++ del_timer_sync(&dev->tx_sim_timer); + spin_lock_irqsave(&dev->hw_lock, flags); + ene_rx_disable(dev); + ene_rx_restore_hw_buffer(dev); +@@ -1113,7 +1115,6 @@ static void ene_remove(struct pnp_dev *pnp_dev) + + free_irq(dev->irq, dev); + release_region(dev->hw_io, ENE_IO_SIZE); +- rc_unregister_device(dev->rdev); + kfree(dev); + } + +-- +2.35.3 + diff --git a/patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch b/patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch new file mode 100644 index 0000000..69ceb23 --- /dev/null +++ b/patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch @@ -0,0 +1,122 @@ +From: Laurent Dufour +Date: Fri, 13 Nov 2020 22:51:53 -0800 +Subject: mm/slub: fix panic in slab_alloc_node() +Git-commit: 22e4663e916321b72972c69ca0c6b962f529bd78 +Patch-mainline: v5.10-rc4 +References: bsc#1208023 + +While doing memory hot-unplug operation on a PowerPC VM running 1024 CPUs +with 11TB of ram, I hit the following panic: + + BUG: Kernel NULL pointer dereference on read at 0x00000007 + Faulting instruction address: 0xc000000000456048 + Oops: Kernel access of bad area, sig: 11 [#2] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS= 2048 NUMA pSeries + Modules linked in: rpadlpar_io rpaphp + CPU: 160 PID: 1 Comm: systemd Tainted: G D 5.9.0 #1 + NIP: c000000000456048 LR: c000000000455fd4 CTR: c00000000047b350 + REGS: c00006028d1b77a0 TRAP: 0300 Tainted: G D (5.9.0) + MSR: 8000000000009033 CR: 24004228 XER: 00000000 + CFAR: c00000000000f1b0 DAR: 0000000000000007 DSISR: 40000000 IRQMASK: 0 + GPR00: c000000000455fd4 c00006028d1b7a30 c000000001bec800 0000000000000000 + GPR04: 0000000000000dc0 0000000000000000 00000000000374ef c00007c53df99320 + GPR08: 000007c53c980000 0000000000000000 000007c53c980000 0000000000000000 + GPR12: 0000000000004400 c00000001e8e4400 0000000000000000 0000000000000f6a + GPR16: 0000000000000000 c000000001c25930 c000000001d62528 00000000000000c1 + GPR20: c000000001d62538 c00006be469e9000 0000000fffffffe0 c0000000003c0ff8 + GPR24: 0000000000000018 0000000000000000 0000000000000dc0 0000000000000000 + GPR28: c00007c513755700 c000000001c236a4 c00007bc4001f800 0000000000000001 + NIP [c000000000456048] __kmalloc_node+0x108/0x790 + LR [c000000000455fd4] __kmalloc_node+0x94/0x790 + Call Trace: + kvmalloc_node+0x58/0x110 + mem_cgroup_css_online+0x10c/0x270 + online_css+0x48/0xd0 + cgroup_apply_control_enable+0x2c4/0x470 + cgroup_mkdir+0x408/0x5f0 + kernfs_iop_mkdir+0x90/0x100 + vfs_mkdir+0x138/0x250 + do_mkdirat+0x154/0x1c0 + system_call_exception+0xf8/0x200 + system_call_common+0xf0/0x27c + Instruction dump: + e93e0000 e90d0030 39290008 7cc9402a e94d0030 e93e0000 7ce95214 7f89502a + 2fbc0000 419e0018 41920230 e9270010 <89290007> 7f994800 419e0220 7ee6bb78 + +This pointing to the following code: + + mm/slub.c:2851 + if (unlikely(!object || !node_match(page, node))) { + c000000000456038: 00 00 bc 2f cmpdi cr7,r28,0 + c00000000045603c: 18 00 9e 41 beq cr7,c000000000456054 <__kmalloc_node+0x114> + node_match(): + mm/slub.c:2491 + if (node != NUMA_NO_NODE && page_to_nid(page) != node) + c000000000456040: 30 02 92 41 beq cr4,c000000000456270 <__kmalloc_node+0x330> + page_to_nid(): + include/linux/mm.h:1294 + c000000000456044: 10 00 27 e9 ld r9,16(r7) + c000000000456048: 07 00 29 89 lbz r9,7(r9) <<<< r9 = NULL + node_match(): + mm/slub.c:2491 + c00000000045604c: 00 48 99 7f cmpw cr7,r25,r9 + c000000000456050: 20 02 9e 41 beq cr7,c000000000456270 <__kmalloc_node+0x330> + +The panic occurred in slab_alloc_node() when checking for the page's node: + + object = c->freelist; + page = c->page; + if (unlikely(!object || !node_match(page, node))) { + object = __slab_alloc(s, gfpflags, node, addr, c); + stat(s, ALLOC_SLOWPATH); + +The issue is that object is not NULL while page is NULL which is odd but +may happen if the cache flush happened after loading object but before +loading page. Thus checking for the page pointer is required too. + +The cache flush is done through an inter processor interrupt when a +piece of memory is off-lined. That interrupt is triggered when a memory +hot-unplug operation is initiated and offline_pages() is calling the +slub's MEM_GOING_OFFLINE callback slab_mem_going_offline_callback() +which is calling flush_cpu_slab(). If that interrupt is caught between +the reading of c->freelist and the reading of c->page, this could lead +to such a situation. That situation is expected and the later call to +this_cpu_cmpxchg_double() will detect the change to c->freelist and redo +the whole operation. + +In commit 6159d0f5c03e ("mm/slub.c: page is always non-NULL in +node_match()") check on the page pointer has been removed assuming that +page is always valid when it is called. It happens that this is not +true in that particular case, so check for page before calling +node_match() here. + +Fixes: 6159d0f5c03e ("mm/slub.c: page is always non-NULL in node_match()") +Signed-off-by: Laurent Dufour +Signed-off-by: Andrew Morton +Acked-by: Vlastimil Babka +Acked-by: Christoph Lameter +Cc: Wei Yang +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Nathan Lynch +Cc: Scott Cheloha +Cc: Michal Hocko +Cc: +Link: https://lkml.kernel.org/r/20201027190406.33283-1-ldufour@linux.ibm.com +Signed-off-by: Linus Torvalds +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -2802,7 +2802,7 @@ redo: + + object = c->freelist; + page = c->page; +- if (unlikely(!object || !node_match(page, node))) { ++ if (unlikely(!object || !page || !node_match(page, node))) { + object = __slab_alloc(s, gfpflags, node, addr, c); + stat(s, ALLOC_SLOWPATH); + } else { diff --git a/patches.suse/module-Don-t-wait-for-GOING-modules.patch b/patches.suse/module-Don-t-wait-for-GOING-modules.patch new file mode 100644 index 0000000..b22c226 --- /dev/null +++ b/patches.suse/module-Don-t-wait-for-GOING-modules.patch @@ -0,0 +1,111 @@ +From: Petr Pavlu +Date: Mon, 5 Dec 2022 11:35:57 +0100 +Subject: module: Don't wait for GOING modules +Git-commit: 0254127ab977e70798707a7a2b757c9f3c971210 +Patch-mainline: v6.2-rc6 +References: bsc#1196058, bsc#1186449, bsc#1204356, bsc#1204662 + +During a system boot, it can happen that the kernel receives a burst of +requests to insert the same module but loading it eventually fails +during its init call. For instance, udev can make a request to insert +a frequency module for each individual CPU when another frequency module +is already loaded which causes the init function of the new module to +return an error. + +Since commit 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for +modules that have finished loading"), the kernel waits for modules in +MODULE_STATE_GOING state to finish unloading before making another +attempt to load the same module. + +This creates unnecessary work in the described scenario and delays the +boot. In the worst case, it can prevent udev from loading drivers for +other devices and might cause timeouts of services waiting on them and +subsequently a failed boot. + +This patch attempts a different solution for the problem 6e6de3dee51a +was trying to solve. Rather than waiting for the unloading to complete, +it returns a different error code (-EBUSY) for modules in the GOING +state. This should avoid the error situation that was described in +6e6de3dee51a (user space attempting to load a dependent module because +the -EEXIST error code would suggest to user space that the first module +had been loaded successfully), while avoiding the delay situation too. + +This has been tested on linux-next since December 2022 and passes +all kmod selftests except test 0009 with module compression enabled +but it has been confirmed that this issue has existed and has gone +unnoticed since prior to this commit and can also be reproduced without +module compression with a simple usleep(5000000) on tools/modprobe.c [0]. +These failures are caused by hitting the kernel mod_concurrent_max and can +happen either due to a self inflicted kernel module auto-loead DoS somehow +or on a system with large CPU count and each CPU count incorrectly triggering +many module auto-loads. Both of those issues need to be fixed in-kernel. + +[0] https://lore.kernel.org/all/Y9A4fiobL6IHp%2F%2FP@bombadil.infradead.org/ + +Fixes: 6e6de3dee51a ("kernel/module.c: Only return -EEXIST for modules that have finished loading") +Co-developed-by: Martin Wilck +Signed-off-by: Martin Wilck +Signed-off-by: Petr Pavlu +Cc: stable@vger.kernel.org +Reviewed-by: Petr Mladek +[mcgrof: enhance commit log with testing and kmod test result interpretation ] +Signed-off-by: Luis Chamberlain +--- + kernel/module.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +diff --git a/kernel/module.c b/kernel/module.c +index 48568a0f5651..4ac3fe43e6c8 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -2393,7 +2393,8 @@ static bool finished_loading(const char *name) + sched_annotate_sleep(); + mutex_lock(&module_mutex); + mod = find_module_all(name, strlen(name), true); +- ret = !mod || mod->state == MODULE_STATE_LIVE; ++ ret = !mod || mod->state == MODULE_STATE_LIVE ++ || mod->state == MODULE_STATE_GOING; + mutex_unlock(&module_mutex); + + return ret; +@@ -2569,20 +2570,35 @@ static int add_unformed_module(struct module *mod) + + mod->state = MODULE_STATE_UNFORMED; + +-again: + mutex_lock(&module_mutex); + old = find_module_all(mod->name, strlen(mod->name), true); + if (old != NULL) { +- if (old->state != MODULE_STATE_LIVE) { ++ if (old->state == MODULE_STATE_COMING ++ || old->state == MODULE_STATE_UNFORMED) { + /* Wait in case it fails to load. */ + mutex_unlock(&module_mutex); + err = wait_event_interruptible(module_wq, + finished_loading(mod->name)); + if (err) + goto out_unlocked; +- goto again; ++ ++ /* The module might have gone in the meantime. */ ++ mutex_lock(&module_mutex); ++ old = find_module_all(mod->name, strlen(mod->name), ++ true); + } +- err = -EEXIST; ++ ++ /* ++ * We are here only when the same module was being loaded. Do ++ * not try to load it again right now. It prevents long delays ++ * caused by serialized module load failures. It might happen ++ * when more devices of the same type trigger load of ++ * a particular module. ++ */ ++ if (old && old->state == MODULE_STATE_LIVE) ++ err = -EEXIST; ++ else ++ err = -EBUSY; + goto out; + } + mod_update_bounds(mod); + diff --git a/patches.suse/net-add-sock_init_data_uid.patch b/patches.suse/net-add-sock_init_data_uid.patch new file mode 100644 index 0000000..183d996 --- /dev/null +++ b/patches.suse/net-add-sock_init_data_uid.patch @@ -0,0 +1,84 @@ +From: Pietro Borrello +Date: Sat, 4 Feb 2023 17:39:20 +0000 +Subject: net: add sock_init_data_uid() +Git-commit: 584f3742890e966d2f0a1f3c418c9ead70b2d99e +Patch-mainline: v6.3-rc1 +References: CVE-2023-1076 bsc#1208599 + +Add sock_init_data_uid() to explicitly initialize the socket uid. +To initialise the socket uid, sock_init_data() assumes a the struct +socket* sock is always embedded in a struct socket_alloc, used to +access the corresponding inode uid. This may not be true. +Examples are sockets created in tun_chr_open() and tap_open(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Miroslav Franc +--- + include/net/sock.h | 7 ++++++- + net/core/sock.c | 15 ++++++++++++--- + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 22d50dabdc9d..da758f2273e4 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1739,7 +1739,12 @@ void sk_common_release(struct sock *sk); + * Default socket callbacks and setup code + */ + +-/* Initialise core socket variables */ ++/* Initialise core socket variables using an explicit uid. */ ++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid); ++ ++/* Initialise core socket variables. ++ * Assumes struct socket *sock is embedded in a struct socket_alloc. ++ */ + void sock_init_data(struct socket *sock, struct sock *sk); + + /* +diff --git a/net/core/sock.c b/net/core/sock.c +index 652913df588d..28382b23afe2 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2878,7 +2878,7 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer) + } + EXPORT_SYMBOL(sk_stop_timer); + +-void sock_init_data(struct socket *sock, struct sock *sk) ++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid) + { + sk_init_common(sk); + sk->sk_send_head = NULL; +@@ -2897,11 +2897,10 @@ void sock_init_data(struct socket *sock, struct sock *sk) + sk->sk_type = sock->type; + RCU_INIT_POINTER(sk->sk_wq, &sock->wq); + sock->sk = sk; +- sk->sk_uid = SOCK_INODE(sock)->i_uid; + } else { + RCU_INIT_POINTER(sk->sk_wq, NULL); +- sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0); + } ++ sk->sk_uid = uid; + + rwlock_init(&sk->sk_callback_lock); + if (sk->sk_kern_sock) +@@ -2959,6 +2958,16 @@ void sock_init_data(struct socket *sock, struct sock *sk) + refcount_set(&sk->sk_refcnt, 1); + atomic_set(&sk->sk_drops, 0); + } ++EXPORT_SYMBOL(sock_init_data_uid); ++ ++void sock_init_data(struct socket *sock, struct sock *sk) ++{ ++ kuid_t uid = sock ? ++ SOCK_INODE(sock)->i_uid : ++ make_kuid(sock_net(sk)->user_ns, 0); ++ ++ sock_init_data_uid(sock, sk, uid); ++} + EXPORT_SYMBOL(sock_init_data); + + void lock_sock_nested(struct sock *sk, int subclass) diff --git a/patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch b/patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch new file mode 100644 index 0000000..f1adcaf --- /dev/null +++ b/patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch @@ -0,0 +1,107 @@ +From: Saurabh Sengar +Date: Mon, 31 Oct 2022 23:06:01 -0700 +Subject: net: mana: Assign interrupts to CPUs based on NUMA nodes +Patch-mainline: v6.2-rc1 +Git-commit: 71fa6887eeca7b631528f9c7a39815498de8028c +References: bsc#1208153 + +In large VMs with multiple NUMA nodes, network performance is usually +best if network interrupts are all assigned to the same virtual NUMA +node. This patch assigns online CPU according to a numa aware policy, +local cpus are returned first, followed by non-local ones, then it wraps +around. + +Signed-off-by: Saurabh Sengar +Reviewed-by: Haiyang Zhang +Link: https://lore.kernel.org/r/1667282761-11547-1-git-send-email-ssengar@linux.microsoft.com +Signed-off-by: Paolo Abeni +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/microsoft/mana/gdma.h | 1 + drivers/net/ethernet/microsoft/mana/gdma_main.c | 30 +++++++++++++++++++++--- + 2 files changed, 28 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma.h ++++ b/drivers/net/ethernet/microsoft/mana/gdma.h +@@ -353,6 +353,7 @@ struct gdma_context { + void __iomem *shm_base; + void __iomem *db_page_base; + u32 db_page_size; ++ int numa_node; + + /* Shared memory chanenl (used to bootstrap HWC) */ + struct shm_channel shm_channel; +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1197,8 +1197,10 @@ static int mana_gd_setup_irqs(struct pci + struct gdma_context *gc = pci_get_drvdata(pdev); + struct gdma_irq_context *gic; + unsigned int max_irqs; ++ u16 *cpus; ++ cpumask_var_t req_mask; + int nvec, irq; +- int err, i, j; ++ int err, i = 0, j; + + if (max_queues_per_port > MANA_MAX_NUM_QUEUES) + max_queues_per_port = MANA_MAX_NUM_QUEUES; +@@ -1217,7 +1219,21 @@ static int mana_gd_setup_irqs(struct pci + goto free_irq_vector; + } + ++ if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) { ++ err = -ENOMEM; ++ goto free_irq; ++ } ++ ++ cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL); ++ if (!cpus) { ++ err = -ENOMEM; ++ goto free_mask; ++ } ++ for (i = 0; i < nvec; i++) ++ cpus[i] = cpumask_local_spread(i, gc->numa_node); ++ + for (i = 0; i < nvec; i++) { ++ cpumask_set_cpu(cpus[i], req_mask); + gic = &gc->irq_contexts[i]; + gic->handler = NULL; + gic->arg = NULL; +@@ -1225,13 +1241,17 @@ static int mana_gd_setup_irqs(struct pci + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; +- goto free_irq; ++ goto free_mask; + } + + err = request_irq(irq, mana_gd_intr, 0, "mana_intr", gic); + if (err) +- goto free_irq; ++ goto free_mask; ++ irq_set_affinity_and_hint(irq, req_mask); ++ cpumask_clear(req_mask); + } ++ free_cpumask_var(req_mask); ++ kfree(cpus); + + err = mana_gd_alloc_res_map(nvec, &gc->msix_resource); + if (err) +@@ -1242,6 +1262,9 @@ static int mana_gd_setup_irqs(struct pci + + return 0; + ++free_mask: ++ free_cpumask_var(req_mask); ++ kfree(cpus); + free_irq: + for (j = i - 1; j >= 0; j--) { + irq = pci_irq_vector(pdev, j); +@@ -1371,6 +1394,7 @@ static int mana_gd_probe(struct pci_dev + if (!bar0_va) + goto free_gc; + ++ gc->numa_node = dev_to_node(&pdev->dev); + gc->is_pf = mana_is_pf(pdev->device); + gc->bar0_va = bar0_va; + gc->dev = &pdev->dev; diff --git a/patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch b/patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch new file mode 100644 index 0000000..87c2604 --- /dev/null +++ b/patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch @@ -0,0 +1,63 @@ +From: Haiyang Zhang +Date: Thu, 19 Jan 2023 12:59:10 -0800 +Subject: net: mana: Fix IRQ name - add PCI and queue number +Patch-mainline: v6.2-rc6 +Git-commit: 20e3028c39a5bf882e91e717da96d14f1acec40e +References: bsc#1207875 + +The PCI and queue number info is missing in IRQ names. + +Add PCI and queue number to IRQ names, to allow CPU affinity +tuning scripts to work. + +Cc: stable@vger.kernel.org +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Haiyang Zhang +Reviewed-by: Jesse Brandeburg +Link: https://lore.kernel.org/r/1674161950-19708-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/microsoft/mana/gdma.h | 3 +++ + drivers/net/ethernet/microsoft/mana/gdma_main.c | 9 ++++++++- + 2 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma.h ++++ b/drivers/net/ethernet/microsoft/mana/gdma.h +@@ -324,9 +324,12 @@ struct gdma_queue_spec { + }; + }; + ++#define MANA_IRQ_NAME_SZ 32 ++ + struct gdma_irq_context { + void (*handler)(void *arg); + void *arg; ++ char name[MANA_IRQ_NAME_SZ]; + }; + + struct gdma_context { +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1238,13 +1238,20 @@ static int mana_gd_setup_irqs(struct pci + gic->handler = NULL; + gic->arg = NULL; + ++ if (!i) ++ snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_hwc@pci:%s", ++ pci_name(pdev)); ++ else ++ snprintf(gic->name, MANA_IRQ_NAME_SZ, "mana_q%d@pci:%s", ++ i - 1, pci_name(pdev)); ++ + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; + goto free_mask; + } + +- err = request_irq(irq, mana_gd_intr, 0, "mana_intr", gic); ++ err = request_irq(irq, mana_gd_intr, 0, gic->name, gic); + if (err) + goto free_mask; + irq_set_affinity_and_hint(irq, req_mask); diff --git a/patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch b/patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch new file mode 100644 index 0000000..d207f4d --- /dev/null +++ b/patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch @@ -0,0 +1,131 @@ +From: Haiyang Zhang +Date: Mon, 6 Feb 2023 13:28:49 -0800 +Subject: net: mana: Fix accessing freed irq affinity_hint +Patch-mainline: v6.2-rc8 +Git-commit: 18a048370b06a3a521219e9e5b10bdc2178ef19c +References: bsc#1208153 + +After calling irq_set_affinity_and_hint(), the cpumask pointer is +saved in desc->affinity_hint, and will be used later when reading +/proc/irq//affinity_hint. So the cpumask variable needs to be +persistent. Otherwise, we are accessing freed memory when reading +the affinity_hint file. + +Also, need to clear affinity_hint before free_irq(), otherwise there +is a one-time warning and stack trace during module unloading: + + [ 243.948687] WARNING: CPU: 10 PID: 1589 at kernel/irq/manage.c:1913 free_irq+0x318/0x360 + ... + [ 243.948753] Call Trace: + [ 243.948754] + [ 243.948760] mana_gd_remove_irqs+0x78/0xc0 [mana] + [ 243.948767] mana_gd_remove+0x3e/0x80 [mana] + [ 243.948773] pci_device_remove+0x3d/0xb0 + [ 243.948778] device_remove+0x46/0x70 + [ 243.948782] device_release_driver_internal+0x1fe/0x280 + [ 243.948785] driver_detach+0x4e/0xa0 + [ 243.948787] bus_remove_driver+0x70/0xf0 + [ 243.948789] driver_unregister+0x35/0x60 + [ 243.948792] pci_unregister_driver+0x44/0x90 + [ 243.948794] mana_driver_exit+0x14/0x3fe [mana] + [ 243.948800] __do_sys_delete_module.constprop.0+0x185/0x2f0 + +To fix the bug, use the persistent mask, cpumask_of(cpu#), and set +affinity_hint to NULL before freeing the IRQ, as required by free_irq(). + +Cc: stable@vger.kernel.org +Fixes: 71fa6887eeca ("net: mana: Assign interrupts to CPUs based on NUMA nodes") +Signed-off-by: Haiyang Zhang +Reviewed-by: Michael Kelley +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/1675718929-19565-1-git-send-email-haiyangz@microsoft.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 37 +++++++----------------- + 1 file changed, 11 insertions(+), 26 deletions(-) + +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1196,9 +1196,7 @@ static int mana_gd_setup_irqs(struct pci + unsigned int max_queues_per_port = num_online_cpus(); + struct gdma_context *gc = pci_get_drvdata(pdev); + struct gdma_irq_context *gic; +- unsigned int max_irqs; +- u16 *cpus; +- cpumask_var_t req_mask; ++ unsigned int max_irqs, cpu; + int nvec, irq; + int err, i = 0, j; + +@@ -1219,21 +1217,7 @@ static int mana_gd_setup_irqs(struct pci + goto free_irq_vector; + } + +- if (!zalloc_cpumask_var(&req_mask, GFP_KERNEL)) { +- err = -ENOMEM; +- goto free_irq; +- } +- +- cpus = kcalloc(nvec, sizeof(*cpus), GFP_KERNEL); +- if (!cpus) { +- err = -ENOMEM; +- goto free_mask; +- } +- for (i = 0; i < nvec; i++) +- cpus[i] = cpumask_local_spread(i, gc->numa_node); +- + for (i = 0; i < nvec; i++) { +- cpumask_set_cpu(cpus[i], req_mask); + gic = &gc->irq_contexts[i]; + gic->handler = NULL; + gic->arg = NULL; +@@ -1248,17 +1232,16 @@ static int mana_gd_setup_irqs(struct pci + irq = pci_irq_vector(pdev, i); + if (irq < 0) { + err = irq; +- goto free_mask; ++ goto free_irq; + } + + err = request_irq(irq, mana_gd_intr, 0, gic->name, gic); + if (err) +- goto free_mask; +- irq_set_affinity_and_hint(irq, req_mask); +- cpumask_clear(req_mask); ++ goto free_irq; ++ ++ cpu = cpumask_local_spread(i, gc->numa_node); ++ irq_set_affinity_and_hint(irq, cpumask_of(cpu)); + } +- free_cpumask_var(req_mask); +- kfree(cpus); + + err = mana_gd_alloc_res_map(nvec, &gc->msix_resource); + if (err) +@@ -1269,13 +1252,12 @@ static int mana_gd_setup_irqs(struct pci + + return 0; + +-free_mask: +- free_cpumask_var(req_mask); +- kfree(cpus); + free_irq: + for (j = i - 1; j >= 0; j--) { + irq = pci_irq_vector(pdev, j); + gic = &gc->irq_contexts[j]; ++ ++ irq_update_affinity_hint(irq, NULL); + free_irq(irq, gic); + } + +@@ -1303,6 +1285,9 @@ static void mana_gd_remove_irqs(struct p + continue; + + gic = &gc->irq_contexts[i]; ++ ++ /* Need to clear the hint before free_irq */ ++ irq_update_affinity_hint(irq, NULL); + free_irq(irq, gic); + } + diff --git a/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch b/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch new file mode 100644 index 0000000..c0c5988 --- /dev/null +++ b/patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch @@ -0,0 +1,40 @@ +From: Miaoqian Lin +Date: Wed, 22 Dec 2021 06:54:53 +0000 +Subject: net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources +Patch-mainline: v5.16-rc8 +Git-commit: 6b8b42585886c59a008015083282aae434349094 +References: bsc#1208845 CVE-2023-23006 + +The mlx5_get_uars_page() function returns error pointers. +Using IS_ERR() to check the return value to fix this. + +Fixes: 4ec9e7b02697 ("net/mlx5: DR, Expose steering domain functionality") +Signed-off-by: Miaoqian Lin +Signed-off-by: Saeed Mahameed +Acked-by: Thomas Bogendoerfer +--- + drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c +@@ -2,6 +2,7 @@ + /* Copyright (c) 2019 Mellanox Technologies. */ + + #include ++#include + #include "dr_types.h" + + static int dr_domain_init_cache(struct mlx5dr_domain *dmn) +@@ -64,9 +65,9 @@ static int dr_domain_init_resources(stru + } + + dmn->uar = mlx5_get_uars_page(dmn->mdev); +- if (!dmn->uar) { ++ if (IS_ERR(dmn->uar)) { + mlx5dr_err(dmn, "Couldn't allocate UAR\n"); +- ret = -ENOMEM; ++ ret = PTR_ERR(dmn->uar); + goto clean_pd; + } + diff --git a/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch new file mode 100644 index 0000000..c6c5d55 --- /dev/null +++ b/patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch @@ -0,0 +1,52 @@ +From: Jakub Kicinski +Date: Mon, 13 Feb 2023 22:53:55 -0800 +Subject: net: mpls: fix stale pointer if allocation fails during device rename +Patch-mainline: v6.2 +Git-commit: fda6c89fe3d9aca073495a664e1d5aea28cd4377 +References: bsc#1208700 CVE-2023-26545 + +lianhui reports that when MPLS fails to register the sysctl table +under new location (during device rename) the old pointers won't +get overwritten and may be freed again (double free). + +Handle this gracefully. The best option would be unregistering +the MPLS from the device completely on failure, but unfortunately +mpls_ifdown() can fail. So failing fully is also unreliable. + +Another option is to register the new table first then only +remove old one if the new one succeeds. That requires more +code, changes order of notifications and two tables may be +visible at the same time. + +sysctl point is not used in the rest of the code - set to NULL +on failures and skip unregister if already NULL. + +Reported-by: lianhui tang +Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Acked-by: Thomas Bogendoerfer +--- + net/mpls/af_mpls.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -1428,6 +1428,7 @@ static int mpls_dev_sysctl_register(stru + free: + kfree(table); + out: ++ mdev->sysctl = NULL; + return -ENOBUFS; + } + +@@ -1437,6 +1438,9 @@ static void mpls_dev_sysctl_unregister(s + struct net *net = dev_net(dev); + struct ctl_table *table; + ++ if (!mdev->sysctl) ++ return; ++ + table = mdev->sysctl->ctl_table_arg; + unregister_net_sysctl_table(mdev->sysctl); + kfree(table); diff --git a/patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch b/patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch new file mode 100644 index 0000000..79d77da --- /dev/null +++ b/patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch @@ -0,0 +1,259 @@ +From: Eric Dumazet +Date: Tue, 18 Oct 2022 20:32:58 +0000 +Subject: net: sched: fix race condition in qdisc_graft() +Patch-mainline: v6.1-rc2 +Git-commit: ebda44da44f6f309d302522b049f43d6f829f7aa +References: CVE-2023-0590 bsc#1207795 + +We had one syzbot report [1] in syzbot queue for a while. +I was waiting for more occurrences and/or a repro but +Dmitry Vyukov spotted the issue right away. + + +qdisc_graft() drops reference to qdisc in notify_and_destroy +while it's still assigned to dev->qdisc + + +Indeed, RCU rules are clear when replacing a data structure. +The visible pointer (dev->qdisc in this case) must be updated +to the new object _before_ RCU grace period is started +(qdisc_put(old) in this case). + +[1] +BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066 +Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027 + +CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3e60b #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 +Call Trace: + +__dump_stack lib/dump_stack.c:88 [inline] +dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 +print_address_description mm/kasan/report.c:317 [inline] +print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 +kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 +__tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066 +__tcf_qdisc_find net/sched/cls_api.c:1051 [inline] +tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018 +rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081 +netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2482 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 +__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5efaa89279 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f5efbc31168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f5efab9bf80 RCX: 00007f5efaa89279 +RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005 +RBP: 00007f5efaae32e9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f5efb0cfb1f R14: 00007f5efbc31300 R15: 0000000000022000 + + +Allocated by task 21027: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +kasan_set_track mm/kasan/common.c:45 [inline] +set_alloc_info mm/kasan/common.c:437 [inline] +____kasan_kmalloc mm/kasan/common.c:516 [inline] +____kasan_kmalloc mm/kasan/common.c:475 [inline] +__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525 +kmalloc_node include/linux/slab.h:623 [inline] +kzalloc_node include/linux/slab.h:744 [inline] +qdisc_alloc+0xb0/0xc50 net/sched/sch_generic.c:938 +qdisc_create_dflt+0x71/0x4a0 net/sched/sch_generic.c:997 +attach_one_default_qdisc net/sched/sch_generic.c:1152 [inline] +netdev_for_each_tx_queue include/linux/netdevice.h:2437 [inline] +attach_default_qdiscs net/sched/sch_generic.c:1170 [inline] +dev_activate+0x760/0xcd0 net/sched/sch_generic.c:1229 +__dev_open+0x393/0x4d0 net/core/dev.c:1441 +__dev_change_flags+0x583/0x750 net/core/dev.c:8556 +rtnl_configure_link+0xee/0x240 net/core/rtnetlink.c:3189 +rtnl_newlink_create net/core/rtnetlink.c:3371 [inline] +__rtnl_newlink+0x10b8/0x17e0 net/core/rtnetlink.c:3580 +rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593 +rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090 +netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2482 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 +__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 21020: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +kasan_set_track+0x21/0x30 mm/kasan/common.c:45 +kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 +____kasan_slab_free mm/kasan/common.c:367 [inline] +____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329 +kasan_slab_free include/linux/kasan.h:200 [inline] +slab_free_hook mm/slub.c:1754 [inline] +slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780 +slab_free mm/slub.c:3534 [inline] +kfree+0xe2/0x580 mm/slub.c:4562 +rcu_do_batch kernel/rcu/tree.c:2245 [inline] +rcu_core+0x7b5/0x1890 kernel/rcu/tree.c:2505 +__do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 + +Last potentially related work creation: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 +call_rcu+0x99/0x790 kernel/rcu/tree.c:2793 +qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1083 +notify_and_destroy net/sched/sch_api.c:1012 [inline] +qdisc_graft+0xeb1/0x1270 net/sched/sch_api.c:1084 +tc_modify_qdisc+0xbb7/0x1a00 net/sched/sch_api.c:1671 +rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090 +netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +____sys_sendmsg+0x6eb/0x810 net/socket.c:2482 +___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 +__sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Second to last potentially related work creation: +kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 +__kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 +kvfree_call_rcu+0x74/0x940 kernel/rcu/tree.c:3322 +neigh_destroy+0x431/0x630 net/core/neighbour.c:912 +neigh_release include/net/neighbour.h:454 [inline] +neigh_cleanup_and_release+0x1f8/0x330 net/core/neighbour.c:103 +neigh_del net/core/neighbour.c:225 [inline] +neigh_remove_one+0x37d/0x460 net/core/neighbour.c:246 +neigh_forced_gc net/core/neighbour.c:276 [inline] +neigh_alloc net/core/neighbour.c:447 [inline] +___neigh_create+0x18b5/0x29a0 net/core/neighbour.c:642 +ip6_finish_output2+0xfb8/0x1520 net/ipv6/ip6_output.c:125 +__ip6_finish_output net/ipv6/ip6_output.c:195 [inline] +ip6_finish_output+0x690/0x1160 net/ipv6/ip6_output.c:206 +NF_HOOK_COND include/linux/netfilter.h:296 [inline] +ip6_output+0x1ed/0x540 net/ipv6/ip6_output.c:227 +dst_output include/net/dst.h:451 [inline] +NF_HOOK include/linux/netfilter.h:307 [inline] +NF_HOOK include/linux/netfilter.h:301 [inline] +mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820 +mld_send_cr net/ipv6/mcast.c:2121 [inline] +mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2653 +process_one_work+0x991/0x1610 kernel/workqueue.c:2289 +worker_thread+0x665/0x1080 kernel/workqueue.c:2436 +kthread+0x2e4/0x3a0 kernel/kthread.c:376 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + +The buggy address belongs to the object at ffff88802065e000 +which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 56 bytes inside of +1024-byte region [ffff88802065e000, ffff88802065e400) + +The buggy address belongs to the physical page: +page:ffffea0000819600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20658 +head:ffffea0000819600 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0 +raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated +page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3523, tgid 3523 (sshd), ts 41495190986, free_ts 41417713212 +prep_new_page mm/page_alloc.c:2532 [inline] +get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 +__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515 +alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270 +alloc_slab_page mm/slub.c:1824 [inline] +allocate_slab+0x27e/0x3d0 mm/slub.c:1969 +new_slab mm/slub.c:2029 [inline] +___slab_alloc+0x7f1/0xe10 mm/slub.c:3031 +__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118 +slab_alloc_node mm/slub.c:3209 [inline] +__kmalloc_node_track_caller+0x2f2/0x380 mm/slub.c:4955 +kmalloc_reserve net/core/skbuff.c:358 [inline] +__alloc_skb+0xd9/0x2f0 net/core/skbuff.c:430 +alloc_skb_fclone include/linux/skbuff.h:1307 [inline] +tcp_stream_alloc_skb+0x38/0x580 net/ipv4/tcp.c:861 +tcp_sendmsg_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325 +tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483 +inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg+0xcf/0x120 net/socket.c:734 +sock_write_iter+0x291/0x3d0 net/socket.c:1108 +call_write_iter include/linux/fs.h:2187 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x9e9/0xdd0 fs/read_write.c:578 +ksys_write+0x1e8/0x250 fs/read_write.c:631 +page last free stack trace: +reset_page_owner include/linux/page_owner.h:24 [inline] +free_pages_prepare mm/page_alloc.c:1449 [inline] +free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 +free_unref_page_prepare mm/page_alloc.c:3380 [inline] +free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476 +__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2548 +qlink_free mm/kasan/quarantine.c:168 [inline] +qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 +kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294 +__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447 +kasan_slab_alloc include/linux/kasan.h:224 [inline] +slab_post_alloc_hook mm/slab.h:727 [inline] +slab_alloc_node mm/slub.c:3243 [inline] +slab_alloc mm/slub.c:3251 [inline] +__kmem_cache_alloc_lru mm/slub.c:3258 [inline] +kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268 +kmem_cache_zalloc include/linux/slab.h:723 [inline] +alloc_buffer_head+0x20/0x140 fs/buffer.c:2974 +alloc_page_buffers+0x280/0x790 fs/buffer.c:829 +create_empty_buffers+0x2c/0xee0 fs/buffer.c:1558 +ext4_block_write_begin+0x1004/0x1530 fs/ext4/inode.c:1074 +ext4_da_write_begin+0x422/0xae0 fs/ext4/inode.c:2996 +generic_perform_write+0x246/0x560 mm/filemap.c:3738 +ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:270 +ext4_file_write_iter+0x44a/0x1660 fs/ext4/file.c:679 +call_write_iter include/linux/fs.h:2187 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x9e9/0xdd0 fs/read_write.c:578 + +Fixes: af356afa010f ("net_sched: reintroduce dev->qdisc for use by sch_api") +Reported-by: syzbot +Diagnosed-by: Dmitry Vyukov +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20221018203258.2793282-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Acked-by: Michal Kubecek + +--- + net/sched/sch_api.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1064,12 +1064,13 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + + skip: + if (!ingress) { +- notify_and_destroy(net, skb, n, classid, +- rtnl_dereference(dev->qdisc), new); ++ old = rtnl_dereference(dev->qdisc); + if (new && !new->ops->attach) + qdisc_refcount_inc(new); + rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc); + ++ notify_and_destroy(net, skb, n, classid, old, new); ++ + if (new && new->ops->attach) + new->ops->attach(new); + } else { diff --git a/patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch b/patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch new file mode 100644 index 0000000..446c726 --- /dev/null +++ b/patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch @@ -0,0 +1,301 @@ +From: Eric Dumazet +Date: Fri, 11 Feb 2022 12:06:23 -0800 +Subject: net_sched: add __rcu annotation to netdev->qdisc +Patch-mainline: v5.17-rc5 +Git-commit: 5891cd5ec46c2c2eb6427cb54d214b149635dd0e +References: CVE-2023-0590 bsc#1207795 + +syzbot found a data-race [1] which lead me to add __rcu +annotations to netdev->qdisc, and proper accessors +to get LOCKDEP support. + +[1] +BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu + +write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1: + attach_default_qdiscs net/sched/sch_generic.c:1167 [inline] + dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221 + __dev_open+0x2e9/0x3a0 net/core/dev.c:1416 + __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139 + rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150 + __rtnl_newlink net/core/rtnetlink.c:3489 [inline] + rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529 + rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0: + qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323 + __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050 + tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211 + rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585 + netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494 + rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 + ___sys_sendmsg net/socket.c:2467 [inline] + __sys_sendmsg+0x195/0x230 net/socket.c:2496 + __do_sys_sendmsg net/socket.c:2505 [inline] + __se_sys_sendmsg net/socket.c:2503 [inline] + __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 470502de5bdb ("net: sched: unlock rules update API") +Signed-off-by: Eric Dumazet +Cc: Vlad Buslov +Reported-by: syzbot +Cc: Jamal Hadi Salim +Cc: Cong Wang +Cc: Jiri Pirko +Signed-off-by: David S. Miller +Acked-by: Michal Kubecek + +--- + include/linux/netdevice.h | 2 +- + net/core/rtnetlink.c | 6 ++++-- + net/sched/cls_api.c | 6 +++--- + net/sched/sch_api.c | 22 ++++++++++++---------- + net/sched/sch_generic.c | 20 +++++++++++--------- + 5 files changed, 31 insertions(+), 25 deletions(-) + +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -1985,7 +1985,7 @@ struct net_device { + struct netdev_queue *_tx ____cacheline_aligned_in_smp; + unsigned int num_tx_queues; + unsigned int real_num_tx_queues; +- struct Qdisc *qdisc; ++ struct Qdisc __rcu *qdisc; + #ifdef CONFIG_NET_SCHED + DECLARE_HASHTABLE (qdisc_hash, 4); + #endif +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -1660,6 +1660,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, + { + struct ifinfomsg *ifm; + struct nlmsghdr *nlh; ++ struct Qdisc *qdisc; + + ASSERT_RTNL(); + nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags); +@@ -1677,6 +1678,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, + if (tgt_netnsid >= 0 && nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid)) + goto nla_put_failure; + ++ qdisc = rtnl_dereference(dev->qdisc); + if (nla_put_string(skb, IFLA_IFNAME, dev->name) || + nla_put_u32(skb, IFLA_TXQLEN, dev->tx_queue_len) || + nla_put_u8(skb, IFLA_OPERSTATE, +@@ -1695,8 +1697,8 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, + #endif + put_master_ifindex(skb, dev) || + nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) || +- (dev->qdisc && +- nla_put_string(skb, IFLA_QDISC, dev->qdisc->ops->id)) || ++ (qdisc && ++ nla_put_string(skb, IFLA_QDISC, qdisc->ops->id)) || + nla_put_ifalias(skb, dev) || + nla_put_u32(skb, IFLA_CARRIER_CHANGES, + atomic_read(&dev->carrier_up_count) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -1065,7 +1065,7 @@ static int __tcf_qdisc_find(struct net *net, struct Qdisc **q, + + /* Find qdisc */ + if (!*parent) { +- *q = dev->qdisc; ++ *q = rcu_dereference(dev->qdisc); + *parent = (*q)->handle; + } else { + *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent)); +@@ -2524,7 +2524,7 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) + + parent = tcm->tcm_parent; + if (!parent) { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + parent = q->handle; + } else { + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); +@@ -2911,7 +2911,7 @@ static int tc_dump_chain(struct sk_buff *skb, struct netlink_callback *cb) + + parent = tcm->tcm_parent; + if (!parent) { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + parent = q->handle; + } else { + q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -298,7 +298,7 @@ struct Qdisc *qdisc_lookup(struct net_device *dev, u32 handle) + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rtnl_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -317,7 +317,7 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle) + + if (!handle) + return NULL; +- q = qdisc_match_from_root(dev->qdisc, handle); ++ q = qdisc_match_from_root(rcu_dereference(dev->qdisc), handle); + if (q) + goto out; + +@@ -1065,10 +1065,10 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent, + skip: + if (!ingress) { + notify_and_destroy(net, skb, n, classid, +- dev->qdisc, new); ++ rtnl_dereference(dev->qdisc), new); + if (new && !new->ops->attach) + qdisc_refcount_inc(new); +- dev->qdisc = new ? : &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc); + + if (new && new->ops->attach) + new->ops->attach(new); +@@ -1448,7 +1448,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + if (!q) { + NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device"); +@@ -1537,7 +1537,7 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + q = dev_ingress_queue(dev)->qdisc_sleeping; + } + } else { +- q = dev->qdisc; ++ q = rtnl_dereference(dev->qdisc); + } + + /* It may be default qdisc, ignore it */ +@@ -1759,7 +1759,8 @@ static int tc_dump_qdisc(struct sk_buff *skb, struct netlink_callback *cb) + s_q_idx = 0; + q_idx = 0; + +- if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx, ++ if (tc_dump_qdisc_root(rtnl_dereference(dev->qdisc), ++ skb, cb, &q_idx, s_q_idx, + true, tca[TCA_DUMP_INVISIBLE]) < 0) + goto done; + +@@ -2035,7 +2036,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, + } else if (qid1) { + qid = qid1; + } else if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + + /* Now qid is genuine qdisc handle consistent + * both with parent and child. +@@ -2046,7 +2047,7 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, + portid = TC_H_MAKE(qid, portid); + } else { + if (qid == 0) +- qid = dev->qdisc->handle; ++ qid = rtnl_dereference(dev->qdisc)->handle; + } + + /* OK. Locate qdisc */ +@@ -2207,7 +2208,8 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb) + s_t = cb->args[0]; + t = 0; + +- if (tc_dump_tclass_root(dev->qdisc, skb, tcm, cb, &t, s_t) < 0) ++ if (tc_dump_tclass_root(rtnl_dereference(dev->qdisc), ++ skb, tcm, cb, &t, s_t) < 0) + goto done; + + dev_queue = dev_ingress_queue(dev); +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1074,18 +1074,20 @@ static void attach_default_qdiscs(struct net_device *dev) + if (!netif_is_multiqueue(dev) || + dev->priv_flags & IFF_NO_QUEUE) { + netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL); +- dev->qdisc = txq->qdisc_sleeping; +- qdisc_refcount_inc(dev->qdisc); ++ qdisc = txq->qdisc_sleeping; ++ rcu_assign_pointer(dev->qdisc, qdisc); ++ qdisc_refcount_inc(qdisc); + } else { + qdisc = qdisc_create_dflt(txq, &mq_qdisc_ops, TC_H_ROOT, NULL); + if (qdisc) { +- dev->qdisc = qdisc; ++ rcu_assign_pointer(dev->qdisc, qdisc); + qdisc->ops->attach(qdisc); + } + } ++ qdisc = rtnl_dereference(dev->qdisc); + #ifdef CONFIG_NET_SCHED +- if (dev->qdisc != &noop_qdisc) +- qdisc_hash_add(dev->qdisc, false); ++ if (qdisc != &noop_qdisc) ++ qdisc_hash_add(qdisc, false); + #endif + } + +@@ -1115,7 +1117,7 @@ void dev_activate(struct net_device *dev) + * and noqueue_qdisc for virtual interfaces + */ + +- if (dev->qdisc == &noop_qdisc) ++ if (rtnl_dereference(dev->qdisc) == &noop_qdisc) + attach_default_qdiscs(dev); + + if (!netif_carrier_ok(dev)) +@@ -1298,7 +1300,7 @@ static void dev_init_scheduler_queue(struct net_device *dev, + + void dev_init_scheduler(struct net_device *dev) + { +- dev->qdisc = &noop_qdisc; ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + netdev_for_each_tx_queue(dev, dev_init_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + dev_init_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +@@ -1326,8 +1328,8 @@ void dev_shutdown(struct net_device *dev) + netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc); + if (dev_ingress_queue(dev)) + shutdown_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc); +- qdisc_put(dev->qdisc); +- dev->qdisc = &noop_qdisc; ++ qdisc_put(rtnl_dereference(dev->qdisc)); ++ rcu_assign_pointer(dev->qdisc, &noop_qdisc); + + WARN_ON(timer_pending(&dev->watchdog_timer)); + } diff --git a/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch b/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch new file mode 100644 index 0000000..d6131f5 --- /dev/null +++ b/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch @@ -0,0 +1,46 @@ +From: Florian Westphal +Date: Tue, 9 Aug 2022 18:34:02 +0200 +Subject: netfilter: nf_tables: fix null deref due to zeroed list head +Git-commit: 580077855a40741cf511766129702d97ff02f4d9 +Patch-mainline: v6.0-rc1 +References: CVE-2023-1095 bsc#1208777 + +In nf_tables_updtable, if nf_tables_table_enable returns an error, +nft_trans_destroy is called to free the transaction object. + +nft_trans_destroy() calls list_del(), but the transaction was never +placed on a list -- the list head is all zeroes, this results in +a null dereference: + +BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59 +Call Trace: + nft_trans_destroy+0x26/0x59 + nf_tables_newtable+0x4bc/0x9bc + [..] + +Its sane to assume that nft_trans_destroy() can be called +on the transaction object returned by nft_trans_alloc(), so +make sure the list head is initialised. + +Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table") +Reported-by: mingi cho +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Acked-by: Miroslav Franc +--- + net/netfilter/nf_tables_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 460b0925ea60..3cc88998b879 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx, + if (trans == NULL) + return NULL; + ++ INIT_LIST_HEAD(&trans->list); + trans->msg_type = msg_type; + trans->ctx = *ctx; + + diff --git a/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch b/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch new file mode 100644 index 0000000..9d314e1 --- /dev/null +++ b/patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch @@ -0,0 +1,62 @@ +From: "J. Bruce Fields" +Date: Mon, 29 Nov 2021 15:08:00 -0500 +Subject: [PATCH] nfsd: fix use-after-free due to delegation race +Git-commit: 548ec0805c399c65ed66c6641be467f717833ab5 +Patch-mainline: v5.16 +References: bsc#1208813 + +A delegation break could arrive as soon as we've called vfs_setlease. A +delegation break runs a callback which immediately (in +nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we +then exit nfs4_set_delegation without hashing the delegation, it will be +freed as soon as the callback is done with it, without ever being +removed from del_recall_lru. + +Symptoms show up later as use-after-free or list corruption warnings, +usually in the laundromat thread. + +I suspect aba2072f4523 "nfsd: grant read delegations to clients holding +writes" made this bug easier to hit, but I looked as far back as v3.0 +and it looks to me it already had the same problem. So I'm not sure +where the bug was introduced; it may have been there from the beginning. + +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Acked-by: NeilBrown + +--- + fs/nfsd/nfs4state.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1047,6 +1047,11 @@ hash_delegation_locked(struct nfs4_deleg + return 0; + } + ++static bool delegation_hashed(struct nfs4_delegation *dp) ++{ ++ return !(list_empty(&dp->dl_perfile)); ++} ++ + static bool + unhash_delegation_locked(struct nfs4_delegation *dp) + { +@@ -1054,7 +1059,7 @@ unhash_delegation_locked(struct nfs4_del + + lockdep_assert_held(&state_lock); + +- if (list_empty(&dp->dl_perfile)) ++ if (!delegation_hashed(dp)) + return false; + + dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID; +@@ -4505,7 +4510,7 @@ static void nfsd4_cb_recall_prepare(stru + * queued for a lease break. Don't queue it again. + */ + spin_lock(&state_lock); +- if (dp->dl_time == 0) { ++ if (delegation_hashed(dp) && dp->dl_time == 0) { + dp->dl_time = get_seconds(); + list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru); + } diff --git a/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch b/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch new file mode 100644 index 0000000..27d0f48 --- /dev/null +++ b/patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch @@ -0,0 +1,38 @@ +From 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 13 Dec 2021 02:05:07 +0000 +Subject: [PATCH] phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function +Git-commit: 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f +Patch-mainline: v5.17-rc1 +References: CVE-2023-23000 bsc#1208816 + +callers of tegra_xusb_find_port_node() function only do NULL checking for +the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep +consistent. + +Signed-off-by: Miaoqian Lin +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20211213020507.1458-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Acked-by: Takashi Iwai + +--- + drivers/phy/tegra/xusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c +index 963de5913e50..aa5237eacd29 100644 +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -455,7 +455,7 @@ tegra_xusb_find_port_node(struct tegra_xusb_padctl *padctl, const char *type, + name = kasprintf(GFP_KERNEL, "%s-%u", type, index); + if (!name) { + of_node_put(ports); +- return ERR_PTR(-ENOMEM); ++ return NULL; + } + np = of_get_child_by_name(ports, name); + kfree(name); +-- +2.35.3 + diff --git a/patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch b/patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch new file mode 100644 index 0000000..6c4e57d --- /dev/null +++ b/patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch @@ -0,0 +1,35 @@ +From: Seth Jenkins +Date: Mon, 3 Oct 2022 18:45:31 -0400 +Subject: [PATCH] mm: /proc/pid/smaps_rollup: fix no vma's null-deref +Patch-mainline: Never, fixed differently +References: bsc#1207769 + +mhocko@suse.com: +The upstream has fixed by c4c84f06285e ("fs/proc/task_mmu: stop using linked +list and highest_vm_end") which is a larger chabge not really suitable for +backporintg. + +Commit 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value +seq_file") introduced a null-deref if there are no vma's in the task in +show_smaps_rollup. + +Fixes: 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value seq_file") +Cc: stable@vger.kernel.org +Signed-off-by: Seth Jenkins +Acked-by: Michal Hocko + +--- + fs/proc/task_mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -876,7 +876,7 @@ static int show_smaps_rollup(struct seq_ + last_vma_end = vma->vm_end; + } + +- show_vma_header_prefix(m, priv->mm->mmap->vm_start, ++ show_vma_header_prefix(m, priv->mm->mmap ? priv->mm->mmap->vm_start : 0, + last_vma_end, 0, 0, 0, 0); + seq_pad(m, ' '); + seq_puts(m, "[rollup]\n"); diff --git a/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch b/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch new file mode 100644 index 0000000..51470f8 --- /dev/null +++ b/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch @@ -0,0 +1,43 @@ +From: Pietro Borrello +Date: Sat, 4 Feb 2023 17:39:22 +0000 +Subject: tap: tap_open(): correctly initialize socket uid +Git-commit: 66b2c338adce580dfce2199591e65e2bab889cff +Patch-mainline: v6.3-rc1 +References: CVE-2023-1076 bsc#1208599 + +sock_init_data() assumes that the `struct socket` passed in input is +contained in a `struct socket_alloc` allocated with sock_alloc(). +However, tap_open() passes a `struct socket` embedded in a `struct +tap_queue` allocated with sk_alloc(). +This causes a type confusion when issuing a container_of() with +SOCK_INODE() in sock_init_data() which results in assigning a wrong +sk_uid to the `struct sock` in input. +On default configuration, the type confused field overlaps with +padding bytes between `int vnet_hdr_sz` and `struct tap_dev __rcu +*tap` in `struct tap_queue`, which makes the uid of all tap sockets 0, +i.e., the root one. +Fix the assignment by using sock_init_data_uid(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Miroslav Franc +--- + drivers/net/tap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tap.c b/drivers/net/tap.c +index a2be1994b389..8941aa199ea3 100644 +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -533,7 +533,7 @@ static int tap_open(struct inode *inode, struct file *file) + q->sock.state = SS_CONNECTED; + q->sock.file = file; + q->sock.ops = &tap_socket_ops; +- sock_init_data(&q->sock, &q->sk); ++ sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); + q->sk.sk_write_space = tap_sock_write_space; + q->sk.sk_destruct = tap_sock_destruct; + q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP; + diff --git a/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch b/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch new file mode 100644 index 0000000..f75ffc6 --- /dev/null +++ b/patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch @@ -0,0 +1,83 @@ +From ba2ee4b6dc9874de0de26ad4b03c59b179f5dbe5 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 18 Nov 2022 16:45:01 -0500 +Subject: [PATCH 2/2] tipc: add an extra conn_get in tipc_conn_alloc +Git-commit: a7b42969d63f47320853a802efd879fbdc4e010e +Patch-mainline: v6.1-rc7 +References: bsc#1209288 CVE-2023-1382 + +One extra conn_get() is needed in tipc_conn_alloc(), as after +tipc_conn_alloc() is called, tipc_conn_close() may free this +con before deferencing it in tipc_topsrv_accept(): + + tipc_conn_alloc(); + newsk = newsock->sk; + <---- tipc_conn_close(); + write_lock_bh(&sk->sk_callback_lock); + newsk->sk_data_ready = tipc_conn_data_ready; + +Then an uaf issue can be triggered: + + BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc] + Call Trace: + + dump_stack_lvl+0x33/0x46 + print_report+0x178/0x4b0 + kasan_report+0x8c/0x100 + kasan_check_range+0x179/0x1e0 + tipc_topsrv_accept+0x1e7/0x370 [tipc] + process_one_work+0x6a3/0x1030 + worker_thread+0x8a/0xdf0 + +This patch fixes it by holding it in tipc_conn_alloc(), then after +all accessing in tipc_topsrv_accept() releasing it. Note when does +this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns +0 or -1 only, we don't need to check for "> 0". + +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + net/tipc/topsrv.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 61e9828a76cd..1a3d9837ac6a 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -206,6 +206,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s + set_bit(CF_CONNECTED, &con->flags); + con->server = s; + con->sock = sock; ++ conn_get(con); + spin_unlock_bh(&s->idr_lock); + + return con; +@@ -474,6 +475,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + + /* Wake up receive process in case of 'SYN+' message */ + newsk->sk_data_ready(newsk); ++ conn_put(con); + } + } + +@@ -573,10 +575,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + + *conid = con->conid; + rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); +- if (rc >= 0) +- return true; ++ if (rc) ++ conn_put(con); ++ + conn_put(con); +- return false; ++ return !rc; + } + + void tipc_topsrv_kern_unsubscr(struct net *net, int conid) +-- +2.16.4 + diff --git a/patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch b/patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch new file mode 100644 index 0000000..fb63e16 --- /dev/null +++ b/patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch @@ -0,0 +1,105 @@ +From dd9735fb2cdb7d811c7b930a2a501a943dc10d0e Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 18 Nov 2022 16:45:00 -0500 +Subject: [PATCH 1/2] tipc: set con sock in tipc_conn_alloc +Git-commit: 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 +Patch-mainline: v6.1-rc7 +References: bsc#1209288 CVE-2023-1382 + +A crash was reported by Wei Chen: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + RIP: 0010:tipc_conn_close+0x12/0x100 + Call Trace: + tipc_topsrv_exit_net+0x139/0x320 + ops_exit_list.isra.9+0x49/0x80 + cleanup_net+0x31a/0x540 + process_one_work+0x3fa/0x9f0 + worker_thread+0x42/0x5c0 + +It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(), +con is allocated in conn_idr then its sock is set: + + con = tipc_conn_alloc(); + ... <----[1] + con->sock = newsock; + +If tipc_conn_close() is called in anytime of [1], the null-pointer-def +is triggered by con->sock->sk due to con->sock is not yet set. + +This patch fixes it by moving the con->sock setting to tipc_conn_alloc() +under s->idr_lock. So that con->sock can never be NULL when getting the +con from s->conn_idr. It will be also safer to move con->server and flag +CF_CONNECTED setting under s->idr_lock, as they should all be set before +tipc_conn_alloc() is called. + +Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure") +Reported-by: Wei Chen +Signed-off-by: Xin Long +Acked-by: Jon Maloy +Signed-off-by: Jakub Kicinski +Signed-off-by: Denis Kirjanov +--- + net/tipc/topsrv.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c +index 1b63a6b2c518..61e9828a76cd 100644 +--- a/net/tipc/topsrv.c ++++ b/net/tipc/topsrv.c +@@ -176,7 +176,7 @@ static void tipc_conn_close(struct tipc_conn *con) + conn_put(con); + } + +-static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) ++static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock) + { + struct tipc_conn *con; + int ret; +@@ -202,10 +202,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s) + } + con->conid = ret; + s->idr_in_use++; +- spin_unlock_bh(&s->idr_lock); + + set_bit(CF_CONNECTED, &con->flags); + con->server = s; ++ con->sock = sock; ++ spin_unlock_bh(&s->idr_lock); + + return con; + } +@@ -457,7 +458,7 @@ static void tipc_topsrv_accept(struct work_struct *work) + ret = kernel_accept(lsock, &newsock, O_NONBLOCK); + if (ret < 0) + return; +- con = tipc_conn_alloc(srv); ++ con = tipc_conn_alloc(srv, newsock); + if (IS_ERR(con)) { + ret = PTR_ERR(con); + sock_release(newsock); +@@ -469,7 +470,6 @@ static void tipc_topsrv_accept(struct work_struct *work) + newsk->sk_data_ready = tipc_conn_data_ready; + newsk->sk_write_space = tipc_conn_write_space; + newsk->sk_user_data = con; +- con->sock = newsock; + write_unlock_bh(&newsk->sk_callback_lock); + + /* Wake up receive process in case of 'SYN+' message */ +@@ -567,12 +567,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower, + sub.filter = filter; + *(u32 *)&sub.usr_handle = port; + +- con = tipc_conn_alloc(tipc_topsrv(net)); ++ con = tipc_conn_alloc(tipc_topsrv(net), NULL); + if (IS_ERR(con)) + return false; + + *conid = con->conid; +- con->sock = NULL; + rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub); + if (rc >= 0) + return true; +-- +2.16.4 + diff --git a/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch b/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch new file mode 100644 index 0000000..ebeadfe --- /dev/null +++ b/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch @@ -0,0 +1,43 @@ +From: Pietro Borrello +Date: Sat, 4 Feb 2023 17:39:21 +0000 +Subject: tun: tun_chr_open(): correctly initialize socket uid +Git-commit: a096ccca6e503a5c575717ff8a36ace27510ab0a +Patch-mainline: v6.3-rc1 +References: CVE-2023-1076 bsc#1208599 + +sock_init_data() assumes that the `struct socket` passed in input is +contained in a `struct socket_alloc` allocated with sock_alloc(). +However, tun_chr_open() passes a `struct socket` embedded in a `struct +tun_file` allocated with sk_alloc(). +This causes a type confusion when issuing a container_of() with +SOCK_INODE() in sock_init_data() which results in assigning a wrong +sk_uid to the `struct sock` in input. +On default configuration, the type confused field overlaps with the +high 4 bytes of `struct tun_struct __rcu *tun` of `struct tun_file`, +NULL at the time of call, which makes the uid of all tun sockets 0, +i.e., the root one. +Fix the assignment by using sock_init_data_uid(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Acked-by: Miroslav Franc +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index a7d17c680f4a..745131b2d6db 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -3448,7 +3448,7 @@ static int tun_chr_open(struct inode *inode, struct file * file) + tfile->socket.file = file; + tfile->socket.ops = &tun_socket_ops; + +- sock_init_data(&tfile->socket, &tfile->sk); ++ sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid); + + tfile->sk.sk_write_space = tun_sock_write_space; + tfile->sk.sk_sndbuf = INT_MAX; + diff --git a/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch b/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch new file mode 100644 index 0000000..2cbe0de --- /dev/null +++ b/patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch @@ -0,0 +1,51 @@ +From fa0ef93868a6062babe1144df2807a8b1d4924d2 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Fri, 31 Dec 2021 11:36:41 +0000 +Subject: [PATCH] usb: dwc3: dwc3-qcom: Add missing platform_device_put() in + dwc3_qcom_acpi_register_core +Git-commit: fa0ef93868a6062babe1144df2807a8b1d4924d2 +Patch-mainline: v5.17-rc1 +References: bsc#1208741 CVE-2023-22995 + +Add the missing platform_device_put() before return from +dwc3_qcom_acpi_register_core in the error handling case. + +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20211231113641.31474-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Oliver Neukum +--- + drivers/usb/dwc3/dwc3-qcom.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -474,8 +474,10 @@ static int dwc3_qcom_acpi_register_core( + qcom->dwc3->dev.coherent_dma_mask = dev->coherent_dma_mask; + + child_res = kcalloc(2, sizeof(*child_res), GFP_KERNEL); +- if (!child_res) ++ if (!child_res) { ++ platform_device_put(qcom->dwc3); + return -ENOMEM; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!res) { +@@ -507,10 +509,15 @@ static int dwc3_qcom_acpi_register_core( + } + + ret = platform_device_add(qcom->dwc3); +- if (ret) ++ if (ret) { + dev_err(&pdev->dev, "failed to add device\n"); ++ goto out; ++ } ++ kfree(child_res); ++ return 0; + + out: ++ platform_device_put(qcom->dwc3); + kfree(child_res); + return ret; + } diff --git a/patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch b/patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch new file mode 100644 index 0000000..515e30d --- /dev/null +++ b/patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch @@ -0,0 +1,43 @@ +From c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 Mon Sep 17 00:00:00 2001 +From: Szymon Heidrich +Date: Tue, 3 Jan 2023 10:17:09 +0100 +Subject: [PATCH] usb: rndis_host: Secure rndis_query check against int + overflow +Git-commit: c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 +References: CVE-2023-23559 bsc#1207051 +Patch-mainline: v6.2-rc3 + +Variables off and len typed as uint32 in rndis_query function +are controlled by incoming RNDIS response message thus their +value may be manipulated. Setting off to a unexpectetly large +value will cause the sum with len and 8 to overflow and pass +the implemented validation step. Consequently the response +pointer will be referring to a location past the expected +buffer boundaries allowing information leakage e.g. via +RNDIS_OID_802_3_PERMANENT_ADDRESS OID. + +Fixes: ddda08624013 ("USB: rndis_host, various cleanups") +Signed-off-by: Szymon Heidrich +Signed-off-by: David S. Miller +Signed-off-by: Oliver Neukum +--- + drivers/net/usb/rndis_host.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c +index f79333fe1783..7b3739b29c8f 100644 +--- a/drivers/net/usb/rndis_host.c ++++ b/drivers/net/usb/rndis_host.c +@@ -255,7 +255,8 @@ static int rndis_query(struct usbnet *dev, struct usb_interface *intf, + + off = le32_to_cpu(u.get_c->offset); + len = le32_to_cpu(u.get_c->len); +- if (unlikely((8 + off + len) > CONTROL_BUFFER_SIZE)) ++ if (unlikely((off > CONTROL_BUFFER_SIZE - 8) || ++ (len > CONTROL_BUFFER_SIZE - 8 - off))) + goto response_error; + + if (*reply_len != -1 && len != *reply_len) +-- +2.39.1 + diff --git a/patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch b/patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch new file mode 100644 index 0000000..cb6a42c --- /dev/null +++ b/patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch @@ -0,0 +1,94 @@ +From: Ronak Doshi +Date: Wed, 8 Feb 2023 14:38:59 -0800 +Subject: vmxnet3: move rss code block under eop descriptor +Patch-mainline: v6.2 +Git-commit: ec76d0c2da5c6dfb6a33f1545cc15997013923da +References: bsc#1208212 + +Commit b3973bb40041 ("vmxnet3: set correct hash type based on +rss information") added hashType information into skb. However, +rssType field is populated for eop descriptor. This can lead +to incorrectly reporting of hashType for packets which use +multiple rx descriptors. Multiple rx descriptors are used +for Jumbo frame or LRO packets, which can hit this issue. + +This patch moves the RSS codeblock under eop descritor. + +Cc: stable@vger.kernel.org +Fixes: b3973bb40041 ("vmxnet3: set correct hash type based on rss information") +Signed-off-by: Ronak Doshi +Acked-by: Peng Li +Acked-by: Guolin Yang +Link: https://lore.kernel.org/r/20230208223900.5794-1-doshir@vmware.com +Signed-off-by: Jakub Kicinski +Acked-by: Thomas Bogendoerfer +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 50 +++++++++++++++++++------------------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1479,31 +1479,6 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx + rxd->len = rbi->len; + } + +-#ifdef VMXNET3_RSS +- if (rcd->rssType != VMXNET3_RCD_RSS_TYPE_NONE && +- (adapter->netdev->features & NETIF_F_RXHASH)) { +- enum pkt_hash_types hash_type; +- +- switch (rcd->rssType) { +- case VMXNET3_RCD_RSS_TYPE_IPV4: +- case VMXNET3_RCD_RSS_TYPE_IPV6: +- hash_type = PKT_HASH_TYPE_L3; +- break; +- case VMXNET3_RCD_RSS_TYPE_TCPIPV4: +- case VMXNET3_RCD_RSS_TYPE_TCPIPV6: +- case VMXNET3_RCD_RSS_TYPE_UDPIPV4: +- case VMXNET3_RCD_RSS_TYPE_UDPIPV6: +- hash_type = PKT_HASH_TYPE_L4; +- break; +- default: +- hash_type = PKT_HASH_TYPE_L3; +- break; +- } +- skb_set_hash(ctx->skb, +- le32_to_cpu(rcd->rssHash), +- hash_type); +- } +-#endif + skb_put(ctx->skb, rcd->len); + + if (VMXNET3_VERSION_GE_2(adapter) && +@@ -1580,6 +1555,31 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx + u32 mtu = adapter->netdev->mtu; + skb->len += skb->data_len; + ++#ifdef VMXNET3_RSS ++ if (rcd->rssType != VMXNET3_RCD_RSS_TYPE_NONE && ++ (adapter->netdev->features & NETIF_F_RXHASH)) { ++ enum pkt_hash_types hash_type; ++ ++ switch (rcd->rssType) { ++ case VMXNET3_RCD_RSS_TYPE_IPV4: ++ case VMXNET3_RCD_RSS_TYPE_IPV6: ++ hash_type = PKT_HASH_TYPE_L3; ++ break; ++ case VMXNET3_RCD_RSS_TYPE_TCPIPV4: ++ case VMXNET3_RCD_RSS_TYPE_TCPIPV6: ++ case VMXNET3_RCD_RSS_TYPE_UDPIPV4: ++ case VMXNET3_RCD_RSS_TYPE_UDPIPV6: ++ hash_type = PKT_HASH_TYPE_L4; ++ break; ++ default: ++ hash_type = PKT_HASH_TYPE_L3; ++ break; ++ } ++ skb_set_hash(skb, ++ le32_to_cpu(rcd->rssHash), ++ hash_type); ++ } ++#endif + vmxnet3_rx_csum(adapter, skb, + (union Vmxnet3_GenericDesc *)rcd); + skb->protocol = eth_type_trans(skb, adapter->netdev); diff --git a/patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch b/patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch new file mode 100644 index 0000000..6a0e7c8 --- /dev/null +++ b/patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch @@ -0,0 +1,29 @@ +From: Rodrigo Branco +Date: Tue, 3 Jan 2023 14:17:51 -0600 +Subject: x86/bugs: Flush IBP in ib_prctl_set() +Git-commit: a664ec9158eeddd75121d39c9a0758016097fa96 +Patch-mainline: 6.2-rc3 +References: bsc#1207773 CVE-2023-0045 + +We missed the window between the TIF flag update and the next reschedule. + +Signed-off-by: Rodrigo Branco +Reviewed-by: Borislav Petkov (AMD) +Signed-off-by: Ingo Molnar +Cc: +Signed-off-by: Jiri Slaby +--- + arch/x86/kernel/cpu/bugs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1332,6 +1332,8 @@ static int ib_prctl_set(struct task_stru + if (ctrl == PR_SPEC_FORCE_DISABLE) + task_set_spec_ib_force_disable(task); + task_update_spec_tif(task); ++ if (task == current) ++ indirect_branch_prediction_barrier(); + break; + default: + return -ERANGE; diff --git a/patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch b/patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch new file mode 100644 index 0000000..295c5bb --- /dev/null +++ b/patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch @@ -0,0 +1,157 @@ +From: Peter Zijlstra +Date: Thu, 27 Oct 2022 14:54:41 -0700 +Subject: x86/mm: Randomize per-cpu entry area +Git-commit: 97e3d26b5e5f371b3ee223d94dd123e6c442ba80 +Patch-mainline: v6.2-rc1 +References: bsc#1207845 CVE-2023-0597 + +Seth found that the CPU-entry-area; the piece of per-cpu data that is +mapped into the userspace page-tables for kPTI is not subject to any +randomization -- irrespective of kASLR settings. + +On x86_64 a whole P4D (512 GB) of virtual address space is reserved for +this structure, which is plenty large enough to randomize things a +little. + +As such, use a straight forward randomization scheme that avoids +duplicates to spread the existing CPUs over the available space. + + [ bp: Fix le build. ] + +Reported-by: Seth Jenkins +Reviewed-by: Kees Cook +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Dave Hansen +Signed-off-by: Borislav Petkov +[mkoutny: v5.14 backport: init_cea_offsets() is called way before + prandom_init_early() initcall, prandom_u32_max() is not properly + seeded yet. Use KASLR seed and local state to generate CPU entry + areas offsets, this is based on the approach in + kernel_randomize_memory() and should provide same randomness + guarantees -- beware we don't get cryptographically secure random + offsets. This reduces effective entropy in exfiltrating *all* CPU + entry areas by log2(nr_cpus) bits, entropy for *any* CPU is + unaffected. + This was chosen instead of backporting f62384995e4c ("random: split + initialization into early step and later step") and crng related + reworks.] +[mkoutny: v5.3 backport: dropped hw_breakpoint hunk without 24ae0c91cbc5 + ("x86/hw_breakpoint: Prevent data breakpoints on cpu_entry_area"), + adjusted context for missing doublefault_stack on 32b] +Acked-by: Michal Koutný +--- + arch/x86/include/asm/cpu_entry_area.h | 13 ++++----- + arch/x86/mm/cpu_entry_area.c | 48 ++++++++++++++++++++++++++++++++-- + 2 files changed, 53 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/cpu_entry_area.h ++++ b/arch/x86/include/asm/cpu_entry_area.h +@@ -111,10 +111,6 @@ struct cpu_entry_area { + }; + + #define CPU_ENTRY_AREA_SIZE (sizeof(struct cpu_entry_area)) +-#define CPU_ENTRY_AREA_ARRAY_SIZE (CPU_ENTRY_AREA_SIZE * NR_CPUS) +- +-/* Total size includes the readonly IDT mapping page as well: */ +-#define CPU_ENTRY_AREA_TOTAL_SIZE (CPU_ENTRY_AREA_ARRAY_SIZE + PAGE_SIZE) + + DECLARE_PER_CPU(struct cpu_entry_area *, cpu_entry_area); + DECLARE_PER_CPU(struct cea_exception_stacks *, cea_exception_stacks); +@@ -128,8 +124,13 @@ extern void cea_set_pte(void *cea_vaddr, + + #define CPU_ENTRY_AREA_RO_IDT_VADDR ((void *)CPU_ENTRY_AREA_RO_IDT) + +-#define CPU_ENTRY_AREA_MAP_SIZE \ +- (CPU_ENTRY_AREA_PER_CPU + CPU_ENTRY_AREA_ARRAY_SIZE - CPU_ENTRY_AREA_BASE) ++#ifdef CONFIG_X86_32 ++#define CPU_ENTRY_AREA_MAP_SIZE (CPU_ENTRY_AREA_PER_CPU + \ ++ (CPU_ENTRY_AREA_SIZE * NR_CPUS) - \ ++ CPU_ENTRY_AREA_BASE) ++#else ++#define CPU_ENTRY_AREA_MAP_SIZE P4D_SIZE ++#endif + + extern struct cpu_entry_area *get_cpu_entry_area(int cpu); + +--- a/arch/x86/mm/cpu_entry_area.c ++++ b/arch/x86/mm/cpu_entry_area.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -15,11 +16,53 @@ static DEFINE_PER_CPU_PAGE_ALIGNED(struc + #ifdef CONFIG_X86_64 + static DEFINE_PER_CPU_PAGE_ALIGNED(struct exception_stacks, exception_stacks); + DEFINE_PER_CPU(struct cea_exception_stacks*, cea_exception_stacks); ++ ++static DEFINE_PER_CPU_READ_MOSTLY(unsigned long, _cea_offset); ++ ++static __always_inline unsigned int cea_offset(unsigned int cpu) ++{ ++ return per_cpu(_cea_offset, cpu); ++} ++ ++static __init void init_cea_offsets(void) ++{ ++ struct rnd_state rand_state; ++ unsigned int max_cea, rand; ++ unsigned int i, j; ++ ++ max_cea = (CPU_ENTRY_AREA_MAP_SIZE - PAGE_SIZE) / CPU_ENTRY_AREA_SIZE; ++ prandom_seed_state(&rand_state, kaslr_get_random_long("CPU entry")); ++ ++ /* O(sodding terrible) */ ++ for_each_possible_cpu(i) { ++ unsigned int cea; ++ ++again: ++ prandom_bytes_state(&rand_state, &rand, sizeof(rand)); ++ cea = rand % max_cea; ++ ++ for_each_possible_cpu(j) { ++ if (cea_offset(j) == cea) ++ goto again; ++ ++ if (i == j) ++ break; ++ } ++ ++ per_cpu(_cea_offset, i) = cea; ++ } ++} ++#else /* !X86_64 */ ++static __always_inline unsigned int cea_offset(unsigned int cpu) ++{ ++ return cpu; ++} ++static inline void init_cea_offsets(void) { } + #endif + + struct cpu_entry_area *get_cpu_entry_area(int cpu) + { +- unsigned long va = CPU_ENTRY_AREA_PER_CPU + cpu * CPU_ENTRY_AREA_SIZE; ++ unsigned long va = CPU_ENTRY_AREA_PER_CPU + cea_offset(cpu) * CPU_ENTRY_AREA_SIZE; + BUILD_BUG_ON(sizeof(struct cpu_entry_area) % PAGE_SIZE != 0); + + return (struct cpu_entry_area *) va; +@@ -180,7 +223,6 @@ static __init void setup_cpu_entry_area_ + + /* The +1 is for the readonly IDT: */ + BUILD_BUG_ON((CPU_ENTRY_AREA_PAGES+1)*PAGE_SIZE != CPU_ENTRY_AREA_MAP_SIZE); +- BUILD_BUG_ON(CPU_ENTRY_AREA_TOTAL_SIZE != CPU_ENTRY_AREA_MAP_SIZE); + BUG_ON(CPU_ENTRY_AREA_BASE & ~PMD_MASK); + + start = CPU_ENTRY_AREA_BASE; +@@ -196,6 +238,8 @@ void __init setup_cpu_entry_areas(void) + { + unsigned int cpu; + ++ init_cea_offsets(); ++ + setup_cpu_entry_area_ptes(); + + for_each_possible_cpu(cpu) diff --git a/rpm/group-source-files.pl b/rpm/group-source-files.pl index 768ecff..89fa8e8 100755 --- a/rpm/group-source-files.pl +++ b/rpm/group-source-files.pl @@ -66,7 +66,7 @@ sub calc_dirs do { $path =~ s{/[^/]+$}{}; $dirs{$path} = 1; - } while ($path ne $base); + } while ($path ne $base and $path ne ""); # This loop also makes sure that $base itself is included. } diff --git a/rpm/kernel-binary.spec.in b/rpm/kernel-binary.spec.in index 3cdf607..106b254 100644 --- a/rpm/kernel-binary.spec.in +++ b/rpm/kernel-binary.spec.in @@ -711,6 +711,10 @@ export BRP_PESIGN_FILES %if "%{compress_modules}" != "none" export BRP_PESIGN_COMPRESS_MODULE=%{compress_modules} %endif +# Do not sign vanilla kernels released in official projects +%if %build_vanilla && ! %vanilla_only +BRP_PESIGN_FILES="" +%endif if test -x /usr/lib/rpm/pesign/gen-hmac; then $_ -r %buildroot /boot/%image-%kernelrelease-%build_flavor diff --git a/scripts/git_sort/tests/opensuse-15.3/Dockerfile b/scripts/git_sort/tests/opensuse-15.3/Dockerfile deleted file mode 100644 index 6c45bc6..0000000 --- a/scripts/git_sort/tests/opensuse-15.3/Dockerfile +++ /dev/null @@ -1,22 +0,0 @@ -# https://hub.docker.com/r/opensuse/leap/ -FROM opensuse/leap:15.3 AS base - -RUN zypper -n ref - -FROM base AS packages - -RUN zypper -n in git python3 python3-dbm rcs - -RUN git config --global user.email "you@example.com" -RUN git config --global user.name "Your Name" - -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/openSUSE_Leap_15.3/Kernel:tools.repo -RUN zypper -n in python3-pygit2 quilt - -FROM packages - -VOLUME /scripts - -WORKDIR /scripts/git_sort - -CMD python3 -m unittest discover -v diff --git a/scripts/git_sort/tests/opensuse-15.4/Dockerfile b/scripts/git_sort/tests/opensuse-15.4/Dockerfile new file mode 100644 index 0000000..1d5cbc7 --- /dev/null +++ b/scripts/git_sort/tests/opensuse-15.4/Dockerfile @@ -0,0 +1,24 @@ +# https://hub.docker.com/r/opensuse/leap/ +FROM opensuse/leap:15.4 AS base + +RUN zypper -n ref + +FROM base AS packages + +RUN zypper -n in git python3 python3-dbm rcs + +RUN git config --global user.email "you@example.com" +RUN git config --global user.name "Your Name" + +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_15_SP4/Kernel:tools.repo +RUN zypper -n in python3-pygit2 quilt + +FROM packages + +VOLUME /scripts + +WORKDIR /scripts/git_sort + +CMD python3 -m unittest discover -v diff --git a/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile b/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile index 205d2c8..af6cfbc 100644 --- a/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile +++ b/scripts/git_sort/tests/opensuse-tumbleweed/Dockerfile @@ -10,7 +10,9 @@ RUN zypper -n in git python3 python3-dbm python3-pygit2 rcs util-linux RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/openSUSE_Factory/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/openSUSE_Factory/Kernel:tools.repo RUN zypper -n in --from Kernel_tools quilt FROM packages diff --git a/scripts/git_sort/tests/run_all.sh b/scripts/git_sort/tests/run_all.sh index 0177c1a..f63ab5b 100755 --- a/scripts/git_sort/tests/run_all.sh +++ b/scripts/git_sort/tests/run_all.sh @@ -6,13 +6,19 @@ for release in \ sle12-sp4 \ sle12-sp5 \ sle15 \ - opensuse-15.3 \ + opensuse-15.4 \ opensuse-tumbleweed \ ; do echo "Building container image for $release..." + cp -a $libdir/../../lib/SUSE/Kernel.gpg $libdir/$release docker build -q -t gs-test-$release "$libdir/$release" + ret=$? + rm -f $libdir/$release/Kernel.gpg + [ $ret -eq 0 ] || exit $? echo "Running tests in $release:" docker run --rm --name=gs-test-$release \ --mount type=bind,source="$libdir/../../",target=/scripts,readonly \ gs-test-$release + ret=$? + [ $ret -eq 0 ] || exit $? done diff --git a/scripts/git_sort/tests/sle12-sp4/Dockerfile b/scripts/git_sort/tests/sle12-sp4/Dockerfile index e0c545b..49d8f9c 100644 --- a/scripts/git_sort/tests/sle12-sp4/Dockerfile +++ b/scripts/git_sort/tests/sle12-sp4/Dockerfile @@ -2,13 +2,13 @@ FROM registry.suse.de/suse/containers/sle-server/12-sp4/containers/suse/sles12sp4:latest AS base RUN rpm -e container-suseconnect -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP4-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 # RUN zypper -n ar -G http://updates.suse.de/SUSE/Products/SLE-SDK/12-SP4/$(rpm -E %_arch)/product/ SDK -RUN zypper -n ar -G http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP4/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP4:$(rpm -E %_arch).repo +RUN zypper -n ar http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP4/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP4:$(rpm -E %_arch).repo RUN zypper -n ref @@ -19,7 +19,9 @@ RUN zypper -n in git-core python3 python3-dbm rcs RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP4/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP4/Kernel:tools.repo RUN zypper -n in python3-pygit2 quilt FROM packages diff --git a/scripts/git_sort/tests/sle12-sp5/Dockerfile b/scripts/git_sort/tests/sle12-sp5/Dockerfile index c8b601d..f5e2f58 100644 --- a/scripts/git_sort/tests/sle12-sp5/Dockerfile +++ b/scripts/git_sort/tests/sle12-sp5/Dockerfile @@ -2,13 +2,13 @@ FROM registry.suse.de/suse/containers/sle-server/12-sp5/containers/suse/sles12sp5:latest AS base RUN rpm -e container-suseconnect -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 -RUN zypper -n ar -G http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/GA/standard/SUSE:SLE-12:GA.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-12:/Update/standard/SUSE:SLE-12:Update.repo +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD1/ DVD1 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD2/ DVD2 +RUN zypper -n ar http://download.suse.de/install/SLP/SLE-12-SP5-Server-GM/$(rpm -E %_arch)/DVD3/ DVD3 # RUN zypper -n ar -G http://updates.suse.de/SUSE/Products/SLE-SDK/12-SP5/$(rpm -E %_arch)/product/ SDK -RUN zypper -n ar -G http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP5/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP5:$(rpm -E %_arch).repo +RUN zypper -n ar http://download.suse.de/update/build.suse.de/SUSE/Updates/SLE-SERVER/12-SP5/$(rpm -E %_arch)/update/SUSE:Updates:SLE-SERVER:12-SP5:$(rpm -E %_arch).repo RUN zypper -n ref @@ -19,7 +19,9 @@ RUN zypper -n in git-core python3 python3-dbm rcs RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP5/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_12_SP5/Kernel:tools.repo RUN zypper -n in python3-pygit2 quilt FROM packages diff --git a/scripts/git_sort/tests/sle15/Dockerfile b/scripts/git_sort/tests/sle15/Dockerfile index 3fd5bf4..002074f 100644 --- a/scripts/git_sort/tests/sle15/Dockerfile +++ b/scripts/git_sort/tests/sle15/Dockerfile @@ -1,9 +1,9 @@ # http://registry.suse.de/ -FROM registry.suse.de/suse/containers/sle-server/15/containers/bci/python:3.9 AS base +FROM registry.suse.de/suse/containers/sle-server/15/containers/bci/python:3.6 AS base RUN rpm -e container-suseconnect -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-15:/GA/standard/SUSE:SLE-15:GA.repo -RUN zypper -n ar -G http://download.suse.de/ibs/SUSE:/SLE-15:/Update/standard/SUSE:SLE-15:Update.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-15:/GA/standard/SUSE:SLE-15:GA.repo +RUN zypper -n ar http://download.suse.de/ibs/SUSE:/SLE-15:/Update/standard/SUSE:SLE-15:Update.repo RUN zypper -n ref FROM base AS packages @@ -13,7 +13,9 @@ RUN zypper -n in git-core python3 python3-dbm rcs awk RUN git config --global user.email "you@example.com" RUN git config --global user.name "Your Name" -RUN zypper -n ar -G https://download.opensuse.org/repositories/Kernel:/tools/SLE_15/Kernel:tools.repo +COPY Kernel.gpg /tmp +RUN rpmkeys --import /tmp/Kernel.gpg +RUN zypper -n ar https://download.opensuse.org/repositories/Kernel:/tools/SLE_15/Kernel:tools.repo RUN zypper -n in python3-pygit2 quilt FROM packages diff --git a/scripts/git_sort/tests/test_series_sort.py b/scripts/git_sort/tests/test_series_sort.py index f0ffe5b..25f80a9 100755 --- a/scripts/git_sort/tests/test_series_sort.py +++ b/scripts/git_sort/tests/test_series_sort.py @@ -293,8 +293,8 @@ class TestFromPatch(unittest.TestCase): self.repo.remotes.create("rdma", self.rdma_repo) self.dledford_repo = k_org_canon_prefix + "dledford/rdma.git" self.repo.remotes.create("dledford/rdma", self.dledford_repo) - self.nf_repo = k_org_canon_prefix + "pablo/nf.git" - self.repo.remotes.create("pablo/nf", self.nf_repo) + self.nf_repo = k_org_canon_prefix + "netfilter/nf.git" + self.repo.remotes.create("netfilter/nf", self.nf_repo) self.commits = {} self.commits["mainline 0"] = self.repo.create_commit( @@ -377,7 +377,7 @@ class TestFromPatch(unittest.TestCase): tree.write(), [self.commits["mainline 0"]] ) - self.repo.references.create("refs/remotes/pablo/nf/master", + self.repo.references.create("refs/remotes/netfilter/nf/master", self.commits["nf 0"]) self.commits["mainline 2"] = self.repo.create_commit( @@ -822,13 +822,13 @@ class TestFromPatch(unittest.TestCase): with open("series.conf", mode="w") as f: f.write(tests.support.format_series(( - ("pablo/nf-next", ( + ("netfilter/nf-next", ( name, )), ))) series2 = tests.support.format_series(( - ("pablo/nf", ( + ("netfilter/nf", ( name, )), )) @@ -838,9 +838,9 @@ class TestFromPatch(unittest.TestCase): def test_found_notindexed_upstream_bad2_moveupstream(self): """ - patch sorted in pablo nf-next (not fetched), commit found in pablo nf, + patch sorted in netfilter nf-next (not fetched), commit found in netfilter nf, git-repo tag is bad - moves to pablo nf + moves to netfilter nf tag is NOT updated This is a special case. See the log of commit 0ac6457e94e8 @@ -854,7 +854,7 @@ class TestFromPatch(unittest.TestCase): def test_found_notindexed_upstream_bad2_nomoveupstream(self): """ - patch sorted in pablo nf-next (not fetched), commit found in pablo nf, + patch sorted in netfilter nf-next (not fetched), commit found in netfilter nf, git-repo tag is bad error, possible causes: section is wrong or Git-repo is wrong diff --git a/scripts/lib/SUSE/Kernel.gpg b/scripts/lib/SUSE/Kernel.gpg new file mode 100644 index 0000000..4d7dbc7 --- /dev/null +++ b/scripts/lib/SUSE/Kernel.gpg @@ -0,0 +1,20 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.5 (GNU/Linux) + +mQENBFEaM/IBCADo3+2CX4/tZoGIooy7QF8+J94rwr7Tov3kXFADlXr+aG7zHMrz +r398QiSCmLsE7kJ8DcapHH+TaYrpy5yuS06RV4euhlJjo2+SHEcSzTGDIjrPTDvM +8KZE3CWZgyRTVZnTq7bRPtVhSIzkTPNyJe1AMMDZH8YYgDgo0zleZWR3w3VA75dC +fGUYjFTjymAM2QtzK3WAgywqZK0F21MKOCUWrz8ZFbCmdcZh/mAYDhmNlFcN6mZS +E/yD5E6pqGEF1Pr4dfwP0NbPBpsYq8wP3T5TIdaD5wr38u2QJNORxCKi8fuCqpf7 +HQx5v3x2EVz4VhRzzc31TPVz1LX5MPby8ypBABEBAAG0Lktlcm5lbCBPQlMgUHJv +amVjdCA8S2VybmVsQGJ1aWxkLm9wZW5zdXNlLm9yZz6JATwEEwECACYFAmFcgfcC +GwMFCRRg/gUGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDs7vIQA1ecHYjiB/9j +HSpLuZUnN2YIg6BFTXs4thRLcH0oaYqqvn9j9B4JR9ORHkCharrsBGLRw8zk+Rxt +fCKkty0hkF8yEnnrQV1SaTIBotadf+OnK3Rll4XTO/i7ww7vNcBklYDl801j8z21 +rDoDt9WPRMO748XFHbc1lcQxw7kyfT5XrmpMA1aKcP8jGk2Zs0+1dR4ZlHMs5yq3 +txVIq5dZE+cB+5F4ab3QhFdtGJlW5oM4kzojLSvPJq2NMH4NZPM0fbotbrKSiVDO +QjYURv7Crh/3uPs2OHgh3QRaEva4rU7z2Q/z6Lo5iinQJ9WcRfL8cMOHxSMArUCw +IwudjqU4hN/AyJ+OIYK0iEYEExECAAYFAlEaM/IACgkQOzARt2udZSOyewCguDRQ +jsRPwMa3DqdijMtrGaWTtdcAn20WA8ufB0LM8evtkMiv4PmlYfEz +=ehs+ +-----END PGP PUBLIC KEY BLOCK----- diff --git a/scripts/lib/SUSE/SUSE_Trust_Root.pem b/scripts/lib/SUSE/SUSE_Trust_Root.pem index 27cb843..85975b5 100644 --- a/scripts/lib/SUSE/SUSE_Trust_Root.pem +++ b/scripts/lib/SUSE/SUSE_Trust_Root.pem @@ -1,4 +1,4 @@ ------BEGIN TRUSTED CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIIG6DCCBNCgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBqDELMAkGA1UEBhMCREUx EjAQBgNVBAgTCUZyYW5jb25pYTESMBAGA1UEBxMJTnVyZW1iZXJnMSEwHwYDVQQK ExhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgxFTATBgNVBAsTDE9QUyBTZXJ2aWNl @@ -35,6 +35,5 @@ OL+vEVNBlzGiU2mPuk/E75V43dhnaI3ktqph5oNq6gEZWArLkze2nksWdexjH7G5 42cij0RBO/+5RjmVzG9IXzmScE2V57McJpVDf0lPV57+xCkn6msqyRiJoDS3DPfV ySq1QlcPxhQUNSbDIL663gwirdJyf98C4W/zVcwjnUc+zGgxVInqhJVpuWvte9h/ bIf8cLGxGtSyQ616qwdS92vg1atJoG51Jdxw0EhzFtxJ8QVrfkGn1IT2ngUYYaOK -W8NcaXbJ/yeblISOdtHRxuCpZs8P9MxDAQn/X873eYfcim1xfqSimgJ2dpAwEQwP -U1VTRSBUcnVzdCBSb290 ------END TRUSTED CERTIFICATE----- +W8NcaXbJ/yeblISOdtHRxuCpZs8P9MxDAQn/X873eYfcim1xfqSimgJ2dpA= +-----END CERTIFICATE----- diff --git a/scripts/osc_wrapper b/scripts/osc_wrapper index 83f98c1..1869e6c 100755 --- a/scripts/osc_wrapper +++ b/scripts/osc_wrapper @@ -251,11 +251,7 @@ do_build() shift ;; *.spec) - if test $# -eq 1; then - spec=$1 - else - osc_args=("${osc_args[@]}" "$1") - fi + spec=$1 shift ;; *) diff --git a/scripts/renamepatches b/scripts/renamepatches index f86d7da..81a4e44 100755 --- a/scripts/renamepatches +++ b/scripts/renamepatches @@ -29,14 +29,20 @@ fi branch=$1 trap 'rm -f "$temp"' EXIT temp=$(mktemp) -git grep -iE '^(Git-commit:|No-fix:|\(cherry picked from commit)' $branch | grep -vF patches.kernel.org > $temp +git grep -iE '^(Git-commit:|No-fix:|\(cherry picked from commit)' $branch -- 'patches.*' | tr ':' ' ' | \ + awk '!/patches.kernel.org/ {fn=$2; hash=$NF; map[hash]=map[hash] fn;} + END { for (hash in map) printf("map[%s]=\"%s\"\n", hash, map[hash]); }' \ + >$temp -grep -E "^[[:space:]]*patches\.[a-z]+\/" < series.conf | while read patch ; do - commit="$([ -f $patch ] && { grep -iE "^(Git-commit|No-fix):" < $patch | awk '{ print $2}' ; - grep -i "^(cherry picked from commit" < $patch | awk '{ print $5}' ; } )" - [ -n "$commit" ] && echo "$commit" | while read c ; do - grep -F $c < $temp | tr ':' ' ' | while read junk fn blah ; do - [ -n "$fn" ] && [ $fn != $patch ] && git mv $patch $fn && sed -i -e "s,$patch,$fn," series.conf - done - done +declare -A map +source $temp + +grep -E "^[[:space:]]*patches\.[a-z]+/" < series.conf | while read patch ; do + [ ! -f "$patch" ] && continue + commit="$(awk -v IGNORECASE=1 '/^(Git-commit|No-fix):/ { print $2} + /^\(cherry picked from commit/ { print $5}' $patch)" + [ -z "$commit" ] && continue + for fn in ${map[$commit]} ; do + [ $fn != $patch ] && git mv $patch $fn && sed -i -e "s,$patch,$fn," series.conf + done done diff --git a/scripts/sequence-patch.sh b/scripts/sequence-patch.sh index 15f9409..bdfac19 100755 --- a/scripts/sequence-patch.sh +++ b/scripts/sequence-patch.sh @@ -503,7 +503,7 @@ if ! [ -d $ORIG_DIR ]; then fi if $VANILLA; then - PATCHES=( $(scripts/guards $SYMBOLS < series.conf | egrep '^patches\.(kernel\.org|rpmify)/') ) + PATCHES=( $(scripts/guards $SYMBOLS < series.conf | grep -E '^patches\.(kernel\.org|rpmify)/') ) else PATCHES=( $(scripts/guards $SYMBOLS < series.conf) ) fi diff --git a/series.conf b/series.conf index 0acb8a2..db7b11d 100644 --- a/series.conf +++ b/series.conf @@ -17766,6 +17766,7 @@ patches.suse/selinux-Fix-error-return-code-in-sel_ib_pkey_sid_slo.patch patches.suse/hwmon-pwm-fan-Fix-RPM-calculation.patch patches.suse/clk-define-to_clk_regmap-as-inline-function.patch + patches.suse/mm-slub-fix-panic-in-slab_alloc_node.patch patches.suse/Revert-kernel-reboot.c-convert-simple_strtoul-to-kst.patch patches.suse/reboot-fix-overflow-parsing-reboot-cpu-number.patch patches.suse/kernel-watchdog-fix-watchdog_allowed_mask-not-used-w.patch @@ -23158,6 +23159,7 @@ patches.suse/signalfd-use-wake_up_pollfree.patch patches.suse/aio-keep-poll-requests-on-waitqueue-until-completed.patch patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch + patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch patches.suse/fget-clarify-and-improve-__fget_files-implementation.patch patches.suse/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch patches.suse/phonet-refcount-leak-in-pep_sock_accep.patch @@ -23172,6 +23174,7 @@ patches.suse/tee-handle-lookup-of-shm-with-reference-count-0.patch patches.suse/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch patches.suse/recordmcount.pl-fix-typo-in-s390-mcount-regex.patch + patches.suse/net-mlx5-DR-Fix-NULL-vs-IS_ERR-checking-in-dr_domain.patch patches.suse/sctp-use-call_rcu-to-free-endpoint.patch patches.suse/net-ena-Fix-undefined-state-when-tx-request-id-is-ou.patch patches.suse/net-ena-Fix-wrong-rx-request-id-by-resetting-device.patch @@ -23211,11 +23214,13 @@ patches.suse/usb-host-xen-hcd-add-missing-unlock-in-error-path.patch patches.suse/usb-gadget-don-t-release-an-existing-dev-buf.patch patches.suse/usb-gadget-clear-related-members-when-goto-fail.patch + patches.suse/usb-dwc3-dwc3-qcom-Add-missing-platform_device_put-i.patch patches.suse/x86-use-mindirect-branch-cs-prefix-for-retpoline-builds.patch patches.suse/x86-lib-atomic64_386_32-rename-things.patch patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch patches.suse/x86-prepare-inline-asm-for-straight-line-speculation.patch patches.suse/x86-add-straight-line-speculation-mitigation.patch + patches.suse/genirq-Provide-new-interfaces-for-affinity-hints.patch patches.suse/powerpc-watchdog-Fix-missed-watchdog-reset-due-to-me.patch patches.suse/powerpc-watchdog-tighten-non-atomic-read-modify-writ.patch patches.suse/powerpc-watchdog-Avoid-holding-wd_smp_lock-over-prin.patch @@ -23223,6 +23228,7 @@ patches.suse/powerpc-watchdog-Fix-wd_smp_last_reset_tb-reporting.patch patches.suse/powerpc-handle-kdump-appropriately-with-crash_kexec_.patch patches.suse/powerpc-fadump-Fix-inaccurate-CPU-state-info-in-vmco.patch + patches.suse/phy-tegra-xusb-Fix-return-value-of-tegra_xusb_find_p.patch patches.suse/drm-amdkfd-Check-for-null-pointer-after-calling-kmem.patch patches.suse/msft-hv-2510-PCI-hv-Make-the-code-arch-neutral-by-adding-arch-spe.patch patches.suse/msft-hv-2484-PCI-hv-Use-PCI_ERROR_RESPONSE-to-identify-config-rea.patch @@ -23258,6 +23264,7 @@ patches.suse/usb-gadget-rndis-check-size-of-RNDIS_MSG_SET-command.patch patches.suse/msft-hv-2522-PCI-hv-Fix-NUMA-node-assignment-when-kernel-boots-wi.patch patches.suse/mmc-block-fix-read-single-on-recovery-logic.patch + patches.suse/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch patches.suse/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch patches.suse/scsi-lpfc-Fix-pt2pt-NVMe-PRLI-reject-LOGO-loop.patch patches.suse/lib-iov_iter-initialize-flags-in-new-pipe_buffer.patch @@ -23363,6 +23370,7 @@ patches.suse/msft-hv-2568-hv_netvsc-Print-value-of-invalid-ID-in-netvsc_send_-.patch patches.suse/msft-hv-2609-hv_netvsc-Fix-potential-dereference-of-NULL-pointer.patch patches.suse/drm-mali-dp-potential-dereference-of-null-pointer.patch + patches.suse/malidp-Fix-NULL-vs-IS_ERR-checking.patch patches.suse/msft-hv-2573-Drivers-hv-vmbus-Add-VMbus-IMC-device-to-unsupported.patch patches.suse/msft-hv-2574-PCI-hv-Fix-multi-MSI-to-allow-more-than-one-MSI-vect.patch patches.suse/msft-hv-2575-Drivers-hv-vmbus-Fix-handling-of-messages-with-trans.patch @@ -23460,6 +23468,7 @@ patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch patches.suse/netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch patches.suse/netfilter-nf_tables-do-not-allow-RULE_ID-to-refer-to.patch + patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch patches.suse/net_sched-cls_route-remove-from-list-when-handle-is-.patch @@ -23515,12 +23524,16 @@ patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch patches.suse/kcm-avoid-potential-race-in-kcm_tx_work.patch patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch + patches.suse/net-sched-fix-race-condition-in-qdisc_graft.patch + patches.suse/cifs-fix-use-after-free-caused-by-invalid-pointer-ho.patch patches.suse/Bluetooth-L2CAP-Fix-use-after-free-caused-by-l2cap_r.patch patches.suse/Bluetooth-L2CAP-Fix-accepting-connection-request-for.patch patches.suse/Bluetooth-L2CAP-Fix-attempting-to-access-uninitializ.patch patches.suse/msft-hv-2678-PCI-hv-Fix-the-definition-of-vector-in-hv_compose_ms.patch patches.suse/x86-cpu-Restore-AMD-s-DE_CFG-MSR-after-resume.patch patches.suse/l2tp-Serialize-access-to-sk_user_data-with-sk_callba.patch + patches.suse/tipc-set-con-sock-in-tipc_conn_alloc.patch + patches.suse/tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch patches.suse/msft-hv-2681-PCI-hv-Only-reuse-existing-IRTE-allocation-for-Multi.patch patches.suse/msft-hv-2682-Drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch patches.suse/msft-hv-2683-Drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch @@ -23530,14 +23543,33 @@ patches.suse/proc-proc_skip_spaces-shouldn-t-think-it-is-working-.patch patches.suse/xen-netback-Ensure-protocol-headers-don-t-fall-in-th.patch patches.suse/xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch + patches.suse/0001-media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch + patches.suse/0001-drm-vmwgfx-Validate-the-box-size-for-the-snooped-cur.patch + patches.suse/net-mana-Assign-interrupts-to-CPUs-based-on-NUMA-nod.patch + patches.suse/x86-mm-Randomize-per-cpu-entry-area.patch + patches.suse/x86-bugs-Flush-IBP-in-ib_prctl_set.patch patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch + patches.suse/usb-rndis_host-Secure-rndis_query-check-against-int-.patch patches.suse/net-sched-disallow-noqueue-for-qdisc-classes.patch patches.suse/ALSA-pcm-Move-rwsem-lock-inside-snd_ctl_elem_read-to.patch patches.suse/HID-check-empty-report_list-in-hid_validate_values.patch patches.suse/HID-check-empty-report_list-in-bigben_probe.patch patches.suse/HID-betop-check-shape-of-output-reports.patch + patches.suse/RDMA-core-Fix-ib-block-iterator-counter-overflow.patch + patches.suse/module-Don-t-wait-for-GOING-modules.patch + patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch + patches.suse/net-mana-Fix-accessing-freed-irq-affinity_hint.patch + patches.suse/vmxnet3-move-rss-code-block-under-eop-descriptor.patch + patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch + patches.suse/net-add-sock_init_data_uid.patch + patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch + patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch + patches.suse/HID-bigben-use-spinlock-to-protect-concurrent-access.patch + patches.suse/HID-bigben_worker-remove-unneeded-check-on-report_fi.patch + patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch + patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch ######################################################## # end of sorted patches @@ -23675,6 +23707,7 @@ patches.suse/mm-inform-about-enabling-mirrored-memory.patch patches.suse/0001-Reserve-64MiB-of-CMA-for-RPi3-s-VC4.patch patches.suse/mm-Warn-users-of-node-memory-hot-remove-if-the-memory-ratio-is-a-high-risk.patch + patches.suse/smaps_rollup-fix-no-vmas-null-deref.patch ######################################################## # Filesystems @@ -23845,6 +23878,7 @@ patches.suse/drm-ast-Add-25MHz-refclk-support.patch patches.suse/drm-prevent-spectre-issue-in-vmw_execbuf_ioctl.patch patches.suse/0001-drm-i915-gvt-fix-double-free-bug-in-split_2MB_gtt_en.patch + patches.suse/0001-drm-vmwgfx-Avoid-NULL-ptr-deref-in-vmw_cmd_dx_define.patch ######################################################## # Storage