Compare commits
30 Commits
c8
...
changed/a8
Author | SHA1 | Date | |
---|---|---|---|
a35919e2be | |||
f41dc39bea | |||
51a24e3c48 | |||
1fec3ae286 | |||
ab8c284acb | |||
d4136628be | |||
|
22b44d3394 | ||
07b53af9dc | |||
9ffc03d4cc | |||
|
bd7eca018c | ||
|
ecefa7c768 | ||
|
673058d7bb | ||
|
a713fd635c | ||
238501d3ca | |||
6dc3fdcd75 | |||
fffef0593f | |||
387100185b | |||
|
a11301c818 | ||
|
142729f8cd | ||
|
d71cb8120e | ||
|
b9216f5527 | ||
|
0b72df0ec0 | ||
dc2bf65b8f | |||
|
90134a736e | ||
|
5bd15e08f8 | ||
|
d01e4bcc17 | ||
|
76d004474a | ||
|
41f15049b2 | ||
|
c57660fffb | ||
273ff5a163 |
@ -0,0 +1,83 @@
|
|||||||
|
From f83f793e1fac3df2dda737ab857099e27b983440 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hangyu Hua <hbh25y@gmail.com>
|
||||||
|
Date: Wed, 19 Jul 2023 22:52:35 +0000
|
||||||
|
Subject: [PATCH 1/1] net: tls: fix possible race condition between
|
||||||
|
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
|
||||||
|
|
||||||
|
ctx->crypto_send.info is not protected by lock_sock in
|
||||||
|
do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
|
||||||
|
and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
|
||||||
|
or null-deref.
|
||||||
|
|
||||||
|
More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/
|
||||||
|
|
||||||
|
Fixes: 3c4d7559159b ("tls: kernel TLS support")
|
||||||
|
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
|
||||||
|
Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
|
||||||
|
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||||
|
(commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream)
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
net/tls/tls_main.c
|
||||||
|
|
||||||
|
CVE: CVE-2023-28466
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Bert Barbe <bert.barbe@oracle.com>
|
||||||
|
---
|
||||||
|
net/tls/tls_main.c | 9 +++++----
|
||||||
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
|
||||||
|
index a4ca1bfaa..92909eeca 100644
|
||||||
|
--- a/net/tls/tls_main.c
|
||||||
|
+++ b/net/tls/tls_main.c
|
||||||
|
@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
|
||||||
|
rc = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- lock_sock(sk);
|
||||||
|
memcpy(crypto_info_aes_gcm_128->iv,
|
||||||
|
cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
|
||||||
|
TLS_CIPHER_AES_GCM_128_IV_SIZE);
|
||||||
|
memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
|
||||||
|
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
|
||||||
|
- release_sock(sk);
|
||||||
|
if (copy_to_user(optval,
|
||||||
|
crypto_info_aes_gcm_128,
|
||||||
|
sizeof(*crypto_info_aes_gcm_128)))
|
||||||
|
@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
|
||||||
|
rc = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- lock_sock(sk);
|
||||||
|
memcpy(crypto_info_aes_gcm_256->iv,
|
||||||
|
cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
|
||||||
|
TLS_CIPHER_AES_GCM_256_IV_SIZE);
|
||||||
|
memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
|
||||||
|
TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
|
||||||
|
- release_sock(sk);
|
||||||
|
if (copy_to_user(optval,
|
||||||
|
crypto_info_aes_gcm_256,
|
||||||
|
sizeof(*crypto_info_aes_gcm_256)))
|
||||||
|
@@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
|
||||||
|
{
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
+ lock_sock(sk);
|
||||||
|
+
|
||||||
|
switch (optname) {
|
||||||
|
case TLS_TX:
|
||||||
|
case TLS_RX:
|
||||||
|
@@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
|
||||||
|
rc = -ENOPROTOOPT;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ release_sock(sk);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,77 @@
|
|||||||
|
From b19a194712d8f25e80d53803ccd0176f619b3fbc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||||
|
Date: Tue, 8 Aug 2023 10:38:26 +0000
|
||||||
|
Subject: [PATCH 1/7] Bluetooth: L2CAP: Fix accepting connection request for
|
||||||
|
invalid SPSM
|
||||||
|
|
||||||
|
commit 711f8c3fb3db61897080468586b970c87c61d9e4 upstream
|
||||||
|
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||||
|
Date: Mon Oct 31 16:10:32 2022 -0700
|
||||||
|
|
||||||
|
Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
|
||||||
|
|
||||||
|
The Bluetooth spec states that the valid range for SPSM is from
|
||||||
|
0x0001-0x00ff so it is invalid to accept values outside of this range:
|
||||||
|
|
||||||
|
BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
|
||||||
|
page 1059:
|
||||||
|
Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
|
||||||
|
|
||||||
|
CVE: CVE-2022-42896
|
||||||
|
CC: stable@vger.kernel.org
|
||||||
|
Reported-by: Tamás Koczka <poprdi@google.com>
|
||||||
|
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||||
|
Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
|
||||||
|
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++++++++
|
||||||
|
1 file changed, 25 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
|
||||||
|
index 86ecd4ad4..4fed6d24a 100644
|
||||||
|
--- a/net/bluetooth/l2cap_core.c
|
||||||
|
+++ b/net/bluetooth/l2cap_core.c
|
||||||
|
@@ -5771,6 +5771,19 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
|
||||||
|
BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
|
||||||
|
scid, mtu, mps);
|
||||||
|
|
||||||
|
+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
|
||||||
|
+ * page 1059:
|
||||||
|
+ *
|
||||||
|
+ * Valid range: 0x0001-0x00ff
|
||||||
|
+ *
|
||||||
|
+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
|
||||||
|
+ */
|
||||||
|
+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
|
||||||
|
+ result = L2CAP_CR_LE_BAD_PSM;
|
||||||
|
+ chan = NULL;
|
||||||
|
+ goto response;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Check if we have socket listening on psm */
|
||||||
|
pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
|
||||||
|
&conn->hcon->dst, LE_LINK);
|
||||||
|
@@ -5958,6 +5971,18 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
|
||||||
|
|
||||||
|
psm = req->psm;
|
||||||
|
|
||||||
|
+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
|
||||||
|
+ * page 1059:
|
||||||
|
+ *
|
||||||
|
+ * Valid range: 0x0001-0x00ff
|
||||||
|
+ *
|
||||||
|
+ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
|
||||||
|
+ */
|
||||||
|
+ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
|
||||||
|
+ result = L2CAP_CR_LE_BAD_PSM;
|
||||||
|
+ goto response;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
BT_DBG("psm 0x%2.2x mtu %u mps %u", __le16_to_cpu(psm), mtu, mps);
|
||||||
|
|
||||||
|
memset(&pdu, 0, sizeof(pdu));
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,113 @@
|
|||||||
|
From a11b8451e966830bb9aeaf27a9464fe0ab59907d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Date: Tue, 8 Aug 2023 10:46:07 +0000
|
||||||
|
Subject: [PATCH 2/7] net/sched: tcindex: update imperfect hash filters
|
||||||
|
respecting rcu
|
||||||
|
|
||||||
|
commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 upstream
|
||||||
|
Author: Pedro Tammela <pctammela@mojatatu.com>
|
||||||
|
Date: Thu Feb 9 11:37:39 2023 -0300
|
||||||
|
|
||||||
|
net/sched: tcindex: update imperfect hash filters respecting rcu
|
||||||
|
|
||||||
|
The imperfect hash area can be updated while packets are traversing,
|
||||||
|
which will cause a use-after-free when 'tcf_exts_exec()' is called
|
||||||
|
with the destroyed tcf_ext.
|
||||||
|
|
||||||
|
CPU 0: CPU 1:
|
||||||
|
tcindex_set_parms tcindex_classify
|
||||||
|
tcindex_lookup
|
||||||
|
tcindex_lookup
|
||||||
|
tcf_exts_change
|
||||||
|
tcf_exts_exec [UAF]
|
||||||
|
|
||||||
|
Stop operating on the shared area directly, by using a local copy,
|
||||||
|
and update the filter with 'rcu_replace_pointer()'. Delete the old
|
||||||
|
filter version only after a rcu grace period elapsed.
|
||||||
|
|
||||||
|
Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
|
||||||
|
Reported-by: valis <sec@valis.email>
|
||||||
|
Suggested-by: valis <sec@valis.email>
|
||||||
|
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
|
||||||
|
Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com
|
||||||
|
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||||
|
|
||||||
|
CVE: CVE-2023-1281
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
net/sched/cls_tcindex.c | 34 ++++++++++++++++++++++++++++++----
|
||||||
|
1 file changed, 30 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
|
||||||
|
index df229a808..83042a101 100644
|
||||||
|
--- a/net/sched/cls_tcindex.c
|
||||||
|
+++ b/net/sched/cls_tcindex.c
|
||||||
|
@@ -11,6 +11,7 @@
|
||||||
|
#include <linux/errno.h>
|
||||||
|
#include <linux/slab.h>
|
||||||
|
#include <linux/refcount.h>
|
||||||
|
+#include <linux/rcupdate.h>
|
||||||
|
#include <net/act_api.h>
|
||||||
|
#include <net/netlink.h>
|
||||||
|
#include <net/pkt_cls.h>
|
||||||
|
@@ -337,6 +338,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
|
||||||
|
struct tcf_result cr = {};
|
||||||
|
int err, balloc = 0;
|
||||||
|
struct tcf_exts e;
|
||||||
|
+ bool update_h = false;
|
||||||
|
|
||||||
|
err = tcf_exts_init(&e, net, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
|
||||||
|
if (err < 0)
|
||||||
|
@@ -454,10 +456,13 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (cp->perfect)
|
||||||
|
+ if (cp->perfect) {
|
||||||
|
r = cp->perfect + handle;
|
||||||
|
- else
|
||||||
|
- r = tcindex_lookup(cp, handle) ? : &new_filter_result;
|
||||||
|
+ } else {
|
||||||
|
+ /* imperfect area is updated in-place using rcu */
|
||||||
|
+ update_h = !!tcindex_lookup(cp, handle);
|
||||||
|
+ r = &new_filter_result;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (r == &new_filter_result) {
|
||||||
|
f = kzalloc(sizeof(*f), GFP_KERNEL);
|
||||||
|
@@ -491,7 +496,28 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
|
||||||
|
|
||||||
|
rcu_assign_pointer(tp->root, cp);
|
||||||
|
|
||||||
|
- if (r == &new_filter_result) {
|
||||||
|
+ if (update_h) {
|
||||||
|
+ struct tcindex_filter __rcu **fp;
|
||||||
|
+ struct tcindex_filter *cf;
|
||||||
|
+
|
||||||
|
+ f->result.res = r->res;
|
||||||
|
+ tcf_exts_change(&f->result.exts, &r->exts);
|
||||||
|
+
|
||||||
|
+ /* imperfect area bucket */
|
||||||
|
+ fp = cp->h + (handle % cp->hash);
|
||||||
|
+
|
||||||
|
+ /* lookup the filter, guaranteed to exist */
|
||||||
|
+ for (cf = rcu_dereference_bh_rtnl(*fp); cf;
|
||||||
|
+ fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
|
||||||
|
+ if (cf->key == handle)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ f->next = cf->next;
|
||||||
|
+
|
||||||
|
+ cf = rcu_replace_pointer(*fp, f, 1);
|
||||||
|
+ tcf_exts_get_net(&cf->result.exts);
|
||||||
|
+ tcf_queue_work(&cf->rwork, tcindex_destroy_fexts_work);
|
||||||
|
+ } else if (r == &new_filter_result) {
|
||||||
|
struct tcindex_filter *nfp;
|
||||||
|
struct tcindex_filter __rcu **fp;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,87 @@
|
|||||||
|
From ad24994e22b545703a710ae7928a160970ff72db Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Date: Tue, 8 Aug 2023 11:07:16 +0000
|
||||||
|
Subject: [PATCH 3/7] net/sched: tcindex: search key must be 16 bits
|
||||||
|
|
||||||
|
commit 42018a322bd453e38b3ffee294982243e50a484f upstream
|
||||||
|
Author: Pedro Tammela <pctammela@mojatatu.com>
|
||||||
|
Date: Mon Feb 13 22:47:29 2023 -0300
|
||||||
|
|
||||||
|
net/sched: tcindex: search key must be 16 bits
|
||||||
|
|
||||||
|
Syzkaller found an issue where a handle greater than 16 bits would trigger
|
||||||
|
a null-ptr-deref in the imperfect hash area update.
|
||||||
|
|
||||||
|
general protection fault, probably for non-canonical address
|
||||||
|
0xdffffc0000000015: 0000 [#1] PREEMPT SMP KASAN
|
||||||
|
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
|
||||||
|
CPU: 0 PID: 5070 Comm: syz-executor456 Not tainted
|
||||||
|
6.2.0-rc7-syzkaller-00112-gc68f345b7c42 #0
|
||||||
|
Hardware name: Google Google Compute Engine/Google Compute Engine,
|
||||||
|
BIOS Google 01/21/2023
|
||||||
|
RIP: 0010:tcindex_set_parms+0x1a6a/0x2990 net/sched/cls_tcindex.c:509
|
||||||
|
Code: 01 e9 e9 fe ff ff 4c 8b bd 28 fe ff ff e8 0e 57 7d f9 48 8d bb
|
||||||
|
a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
|
||||||
|
02 00 0f 85 94 0c 00 00 48 8b 85 f8 fd ff ff 48 8b 9b a8 00
|
||||||
|
RSP: 0018:ffffc90003d3ef88 EFLAGS: 00010202
|
||||||
|
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
|
||||||
|
RDX: 0000000000000015 RSI: ffffffff8803a102 RDI: 00000000000000a8
|
||||||
|
RBP: ffffc90003d3f1d8 R08: 0000000000000001 R09: 0000000000000000
|
||||||
|
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801e2b10a8
|
||||||
|
R13: dffffc0000000000 R14: 0000000000030000 R15: ffff888017b3be00
|
||||||
|
FS: 00005555569af300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
|
||||||
|
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||||
|
CR2: 000056041c6d2000 CR3: 000000002bfca000 CR4: 00000000003506f0
|
||||||
|
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
|
||||||
|
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
|
||||||
|
Call Trace:
|
||||||
|
<TASK>
|
||||||
|
tcindex_change+0x1ea/0x320 net/sched/cls_tcindex.c:572
|
||||||
|
tc_new_tfilter+0x96e/0x2220 net/sched/cls_api.c:2155
|
||||||
|
rtnetlink_rcv_msg+0x959/0xca0 net/core/rtnetlink.c:6132
|
||||||
|
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2574
|
||||||
|
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
|
||||||
|
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
|
||||||
|
netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1942
|
||||||
|
sock_sendmsg_nosec net/socket.c:714 [inline]
|
||||||
|
sock_sendmsg+0xd3/0x120 net/socket.c:734
|
||||||
|
____sys_sendmsg+0x334/0x8c0 net/socket.c:2476
|
||||||
|
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
|
||||||
|
__sys_sendmmsg+0x18f/0x460 net/socket.c:2616
|
||||||
|
__do_sys_sendmmsg net/socket.c:2645 [inline]
|
||||||
|
__se_sys_sendmmsg net/socket.c:2642 [inline]
|
||||||
|
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642
|
||||||
|
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
|
||||||
|
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
|
||||||
|
|
||||||
|
Fixes: ee059170b1f7 ("net/sched: tcindex: update imperfect hash filters respecting rcu")
|
||||||
|
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
|
||||||
|
Reported-by: syzbot <syzkaller@googlegroups.com>
|
||||||
|
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
|
||||||
|
CVE: CVE-2023-1281
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
net/sched/cls_tcindex.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
|
||||||
|
index 83042a101..a021ba685 100644
|
||||||
|
--- a/net/sched/cls_tcindex.c
|
||||||
|
+++ b/net/sched/cls_tcindex.c
|
||||||
|
@@ -509,7 +509,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
|
||||||
|
/* lookup the filter, guaranteed to exist */
|
||||||
|
for (cf = rcu_dereference_bh_rtnl(*fp); cf;
|
||||||
|
fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
|
||||||
|
- if (cf->key == handle)
|
||||||
|
+ if (cf->key == (u16)handle)
|
||||||
|
break;
|
||||||
|
|
||||||
|
f->next = cf->next;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
836
SOURCES/1005-net-sched-Retire-tcindex-classifier.patch
Normal file
836
SOURCES/1005-net-sched-Retire-tcindex-classifier.patch
Normal file
@ -0,0 +1,836 @@
|
|||||||
|
From 4670364a13fccc328386157d820f6ff68619187c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Date: Tue, 8 Aug 2023 18:26:13 +0000
|
||||||
|
Subject: [PATCH 4/7] net/sched: Retire tcindex classifier
|
||||||
|
|
||||||
|
commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28 upstream
|
||||||
|
|
||||||
|
The tcindex classifier has served us well for about a quarter of a century
|
||||||
|
but has not been getting much TLC due to lack of known users. Most recently
|
||||||
|
it has become easy prey to syzkaller. For this reason, we are retiring it.
|
||||||
|
|
||||||
|
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Acked-by: Jiri Pirko <jiri@nvidia.com>
|
||||||
|
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
include/net/tc_wrapper.h
|
||||||
|
tools/testing/selftests/tc-testing/tc-tests/filters/tcindex.json
|
||||||
|
|
||||||
|
CVE: CVE-2023-1829
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
net/sched/Kconfig | 11 -
|
||||||
|
net/sched/Makefile | 1 -
|
||||||
|
net/sched/cls_tcindex.c | 763 ----------------------------------------
|
||||||
|
3 files changed, 775 deletions(-)
|
||||||
|
delete mode 100644 net/sched/cls_tcindex.c
|
||||||
|
|
||||||
|
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
|
||||||
|
index afe1d506e..882446fce 100644
|
||||||
|
--- a/net/sched/Kconfig
|
||||||
|
+++ b/net/sched/Kconfig
|
||||||
|
@@ -502,17 +502,6 @@ config NET_CLS_BASIC
|
||||||
|
To compile this code as a module, choose M here: the
|
||||||
|
module will be called cls_basic.
|
||||||
|
|
||||||
|
-config NET_CLS_TCINDEX
|
||||||
|
- tristate "Traffic-Control Index (TCINDEX)"
|
||||||
|
- select NET_CLS
|
||||||
|
- help
|
||||||
|
- Say Y here if you want to be able to classify packets based on
|
||||||
|
- traffic control indices. You will want this feature if you want
|
||||||
|
- to implement Differentiated Services together with DSMARK.
|
||||||
|
-
|
||||||
|
- To compile this code as a module, choose M here: the
|
||||||
|
- module will be called cls_tcindex.
|
||||||
|
-
|
||||||
|
config NET_CLS_ROUTE4
|
||||||
|
tristate "Routing decision (ROUTE)"
|
||||||
|
depends on INET
|
||||||
|
diff --git a/net/sched/Makefile b/net/sched/Makefile
|
||||||
|
index dd14ef413..b7dbac5c5 100644
|
||||||
|
--- a/net/sched/Makefile
|
||||||
|
+++ b/net/sched/Makefile
|
||||||
|
@@ -70,7 +70,6 @@ obj-$(CONFIG_NET_CLS_U32) += cls_u32.o
|
||||||
|
obj-$(CONFIG_NET_CLS_ROUTE4) += cls_route.o
|
||||||
|
obj-$(CONFIG_NET_CLS_FW) += cls_fw.o
|
||||||
|
obj-$(CONFIG_NET_CLS_RSVP) += cls_rsvp.o
|
||||||
|
-obj-$(CONFIG_NET_CLS_TCINDEX) += cls_tcindex.o
|
||||||
|
obj-$(CONFIG_NET_CLS_RSVP6) += cls_rsvp6.o
|
||||||
|
obj-$(CONFIG_NET_CLS_BASIC) += cls_basic.o
|
||||||
|
obj-$(CONFIG_NET_CLS_FLOW) += cls_flow.o
|
||||||
|
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
|
||||||
|
deleted file mode 100644
|
||||||
|
index a021ba685..000000000
|
||||||
|
--- a/net/sched/cls_tcindex.c
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1,763 +0,0 @@
|
||||||
|
-/*
|
||||||
|
- * net/sched/cls_tcindex.c Packet classifier for skb->tc_index
|
||||||
|
- *
|
||||||
|
- * Written 1998,1999 by Werner Almesberger, EPFL ICA
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
-#include <linux/module.h>
|
||||||
|
-#include <linux/types.h>
|
||||||
|
-#include <linux/kernel.h>
|
||||||
|
-#include <linux/skbuff.h>
|
||||||
|
-#include <linux/errno.h>
|
||||||
|
-#include <linux/slab.h>
|
||||||
|
-#include <linux/refcount.h>
|
||||||
|
-#include <linux/rcupdate.h>
|
||||||
|
-#include <net/act_api.h>
|
||||||
|
-#include <net/netlink.h>
|
||||||
|
-#include <net/pkt_cls.h>
|
||||||
|
-#include <net/sch_generic.h>
|
||||||
|
-
|
||||||
|
-/*
|
||||||
|
- * Passing parameters to the root seems to be done more awkwardly than really
|
||||||
|
- * necessary. At least, u32 doesn't seem to use such dirty hacks. To be
|
||||||
|
- * verified. FIXME.
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
-#define PERFECT_HASH_THRESHOLD 64 /* use perfect hash if not bigger */
|
||||||
|
-#define DEFAULT_HASH_SIZE 64 /* optimized for diffserv */
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-struct tcindex_data;
|
||||||
|
-
|
||||||
|
-struct tcindex_filter_result {
|
||||||
|
- struct tcf_exts exts;
|
||||||
|
- struct tcf_result res;
|
||||||
|
- struct tcindex_data *p;
|
||||||
|
- struct rcu_work rwork;
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-struct tcindex_filter {
|
||||||
|
- u16 key;
|
||||||
|
- struct tcindex_filter_result result;
|
||||||
|
- struct tcindex_filter __rcu *next;
|
||||||
|
- struct rcu_work rwork;
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-struct tcindex_data {
|
||||||
|
- struct tcindex_filter_result *perfect; /* perfect hash; NULL if none */
|
||||||
|
- struct tcindex_filter __rcu **h; /* imperfect hash; */
|
||||||
|
- struct tcf_proto *tp;
|
||||||
|
- u16 mask; /* AND key with mask */
|
||||||
|
- u32 shift; /* shift ANDed key to the right */
|
||||||
|
- u32 hash; /* hash table size; 0 if undefined */
|
||||||
|
- u32 alloc_hash; /* allocated size */
|
||||||
|
- u32 fall_through; /* 0: only classify if explicit match */
|
||||||
|
- refcount_t refcnt; /* a temporary refcnt for perfect hash */
|
||||||
|
- struct rcu_work rwork;
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-static inline int tcindex_filter_is_set(struct tcindex_filter_result *r)
|
||||||
|
-{
|
||||||
|
- return tcf_exts_has_actions(&r->exts) || r->res.classid;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_data_get(struct tcindex_data *p)
|
||||||
|
-{
|
||||||
|
- refcount_inc(&p->refcnt);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_data_put(struct tcindex_data *p)
|
||||||
|
-{
|
||||||
|
- if (refcount_dec_and_test(&p->refcnt)) {
|
||||||
|
- kfree(p->perfect);
|
||||||
|
- kfree(p->h);
|
||||||
|
- kfree(p);
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static struct tcindex_filter_result *tcindex_lookup(struct tcindex_data *p,
|
||||||
|
- u16 key)
|
||||||
|
-{
|
||||||
|
- if (p->perfect) {
|
||||||
|
- struct tcindex_filter_result *f = p->perfect + key;
|
||||||
|
-
|
||||||
|
- return tcindex_filter_is_set(f) ? f : NULL;
|
||||||
|
- } else if (p->h) {
|
||||||
|
- struct tcindex_filter __rcu **fp;
|
||||||
|
- struct tcindex_filter *f;
|
||||||
|
-
|
||||||
|
- fp = &p->h[key % p->hash];
|
||||||
|
- for (f = rcu_dereference_bh_rtnl(*fp);
|
||||||
|
- f;
|
||||||
|
- fp = &f->next, f = rcu_dereference_bh_rtnl(*fp))
|
||||||
|
- if (f->key == key)
|
||||||
|
- return &f->result;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return NULL;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-static int tcindex_classify(struct sk_buff *skb, const struct tcf_proto *tp,
|
||||||
|
- struct tcf_result *res)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = rcu_dereference_bh(tp->root);
|
||||||
|
- struct tcindex_filter_result *f;
|
||||||
|
- int key = (skb->tc_index & p->mask) >> p->shift;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_classify(skb %p,tp %p,res %p),p %p\n",
|
||||||
|
- skb, tp, res, p);
|
||||||
|
-
|
||||||
|
- f = tcindex_lookup(p, key);
|
||||||
|
- if (!f) {
|
||||||
|
- struct Qdisc *q = tcf_block_q(tp->chain->block);
|
||||||
|
-
|
||||||
|
- if (!p->fall_through)
|
||||||
|
- return -1;
|
||||||
|
- res->classid = TC_H_MAKE(TC_H_MAJ(q->handle), key);
|
||||||
|
- res->class = 0;
|
||||||
|
- pr_debug("alg 0x%x\n", res->classid);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
- *res = f->res;
|
||||||
|
- pr_debug("map 0x%x\n", res->classid);
|
||||||
|
-
|
||||||
|
- return tcf_exts_exec(skb, &f->exts, res);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-static void *tcindex_get(struct tcf_proto *tp, u32 handle)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = rtnl_dereference(tp->root);
|
||||||
|
- struct tcindex_filter_result *r;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_get(tp %p,handle 0x%08x)\n", tp, handle);
|
||||||
|
- if (p->perfect && handle >= p->alloc_hash)
|
||||||
|
- return NULL;
|
||||||
|
- r = tcindex_lookup(p, handle);
|
||||||
|
- return r && tcindex_filter_is_set(r) ? r : NULL;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int tcindex_init(struct tcf_proto *tp)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_init(tp %p)\n", tp);
|
||||||
|
- p = kzalloc(sizeof(struct tcindex_data), GFP_KERNEL);
|
||||||
|
- if (!p)
|
||||||
|
- return -ENOMEM;
|
||||||
|
-
|
||||||
|
- p->mask = 0xffff;
|
||||||
|
- p->hash = DEFAULT_HASH_SIZE;
|
||||||
|
- p->fall_through = 1;
|
||||||
|
- refcount_set(&p->refcnt, 1); /* Paired with tcindex_destroy_work() */
|
||||||
|
-
|
||||||
|
- rcu_assign_pointer(tp->root, p);
|
||||||
|
- return 0;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void __tcindex_destroy_rexts(struct tcindex_filter_result *r)
|
||||||
|
-{
|
||||||
|
- tcf_exts_destroy(&r->exts);
|
||||||
|
- tcf_exts_put_net(&r->exts);
|
||||||
|
- tcindex_data_put(r->p);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_destroy_rexts_work(struct work_struct *work)
|
||||||
|
-{
|
||||||
|
- struct tcindex_filter_result *r;
|
||||||
|
-
|
||||||
|
- r = container_of(to_rcu_work(work),
|
||||||
|
- struct tcindex_filter_result,
|
||||||
|
- rwork);
|
||||||
|
- rtnl_lock();
|
||||||
|
- __tcindex_destroy_rexts(r);
|
||||||
|
- rtnl_unlock();
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void __tcindex_destroy_fexts(struct tcindex_filter *f)
|
||||||
|
-{
|
||||||
|
- tcf_exts_destroy(&f->result.exts);
|
||||||
|
- tcf_exts_put_net(&f->result.exts);
|
||||||
|
- kfree(f);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_destroy_fexts_work(struct work_struct *work)
|
||||||
|
-{
|
||||||
|
- struct tcindex_filter *f = container_of(to_rcu_work(work),
|
||||||
|
- struct tcindex_filter,
|
||||||
|
- rwork);
|
||||||
|
-
|
||||||
|
- rtnl_lock();
|
||||||
|
- __tcindex_destroy_fexts(f);
|
||||||
|
- rtnl_unlock();
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int tcindex_delete(struct tcf_proto *tp, void *arg, bool *last,
|
||||||
|
- bool rtnl_held, struct netlink_ext_ack *extack)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = rtnl_dereference(tp->root);
|
||||||
|
- struct tcindex_filter_result *r = arg;
|
||||||
|
- struct tcindex_filter __rcu **walk;
|
||||||
|
- struct tcindex_filter *f = NULL;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_delete(tp %p,arg %p),p %p\n", tp, arg, p);
|
||||||
|
- if (p->perfect) {
|
||||||
|
- if (!r->res.class)
|
||||||
|
- return -ENOENT;
|
||||||
|
- } else {
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- for (i = 0; i < p->hash; i++) {
|
||||||
|
- walk = p->h + i;
|
||||||
|
- for (f = rtnl_dereference(*walk); f;
|
||||||
|
- walk = &f->next, f = rtnl_dereference(*walk)) {
|
||||||
|
- if (&f->result == r)
|
||||||
|
- goto found;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- return -ENOENT;
|
||||||
|
-
|
||||||
|
-found:
|
||||||
|
- rcu_assign_pointer(*walk, rtnl_dereference(f->next));
|
||||||
|
- }
|
||||||
|
- tcf_unbind_filter(tp, &r->res);
|
||||||
|
- /* all classifiers are required to call tcf_exts_destroy() after rcu
|
||||||
|
- * grace period, since converted-to-rcu actions are relying on that
|
||||||
|
- * in cleanup() callback
|
||||||
|
- */
|
||||||
|
- if (f) {
|
||||||
|
- if (tcf_exts_get_net(&f->result.exts))
|
||||||
|
- tcf_queue_work(&f->rwork, tcindex_destroy_fexts_work);
|
||||||
|
- else
|
||||||
|
- __tcindex_destroy_fexts(f);
|
||||||
|
- } else {
|
||||||
|
- tcindex_data_get(p);
|
||||||
|
-
|
||||||
|
- if (tcf_exts_get_net(&r->exts))
|
||||||
|
- tcf_queue_work(&r->rwork, tcindex_destroy_rexts_work);
|
||||||
|
- else
|
||||||
|
- __tcindex_destroy_rexts(r);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- *last = false;
|
||||||
|
- return 0;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_destroy_work(struct work_struct *work)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = container_of(to_rcu_work(work),
|
||||||
|
- struct tcindex_data,
|
||||||
|
- rwork);
|
||||||
|
-
|
||||||
|
- tcindex_data_put(p);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static inline int
|
||||||
|
-valid_perfect_hash(struct tcindex_data *p)
|
||||||
|
-{
|
||||||
|
- return p->hash > (p->mask >> p->shift);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static const struct nla_policy tcindex_policy[TCA_TCINDEX_MAX + 1] = {
|
||||||
|
- [TCA_TCINDEX_HASH] = { .type = NLA_U32 },
|
||||||
|
- [TCA_TCINDEX_MASK] = { .type = NLA_U16 },
|
||||||
|
- [TCA_TCINDEX_SHIFT] = { .type = NLA_U32 },
|
||||||
|
- [TCA_TCINDEX_FALL_THROUGH] = { .type = NLA_U32 },
|
||||||
|
- [TCA_TCINDEX_CLASSID] = { .type = NLA_U32 },
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-static int tcindex_filter_result_init(struct tcindex_filter_result *r,
|
||||||
|
- struct tcindex_data *p,
|
||||||
|
- struct net *net)
|
||||||
|
-{
|
||||||
|
- memset(r, 0, sizeof(*r));
|
||||||
|
- r->p = p;
|
||||||
|
- return tcf_exts_init(&r->exts, net, TCA_TCINDEX_ACT,
|
||||||
|
- TCA_TCINDEX_POLICE);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_free_perfect_hash(struct tcindex_data *cp);
|
||||||
|
-
|
||||||
|
-static void tcindex_partial_destroy_work(struct work_struct *work)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = container_of(to_rcu_work(work),
|
||||||
|
- struct tcindex_data,
|
||||||
|
- rwork);
|
||||||
|
-
|
||||||
|
- rtnl_lock();
|
||||||
|
- if (p->perfect)
|
||||||
|
- tcindex_free_perfect_hash(p);
|
||||||
|
- kfree(p);
|
||||||
|
- rtnl_unlock();
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_free_perfect_hash(struct tcindex_data *cp)
|
||||||
|
-{
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- for (i = 0; i < cp->hash; i++)
|
||||||
|
- tcf_exts_destroy(&cp->perfect[i].exts);
|
||||||
|
- kfree(cp->perfect);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int tcindex_alloc_perfect_hash(struct net *net, struct tcindex_data *cp)
|
||||||
|
-{
|
||||||
|
- int i, err = 0;
|
||||||
|
-
|
||||||
|
- cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result),
|
||||||
|
- GFP_KERNEL | __GFP_NOWARN);
|
||||||
|
- if (!cp->perfect)
|
||||||
|
- return -ENOMEM;
|
||||||
|
-
|
||||||
|
- for (i = 0; i < cp->hash; i++) {
|
||||||
|
- err = tcf_exts_init(&cp->perfect[i].exts, net,
|
||||||
|
- TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
|
||||||
|
- if (err < 0)
|
||||||
|
- goto errout;
|
||||||
|
- cp->perfect[i].p = cp;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
-errout:
|
||||||
|
- tcindex_free_perfect_hash(cp);
|
||||||
|
- return err;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int
|
||||||
|
-tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
|
||||||
|
- u32 handle, struct tcindex_data *p,
|
||||||
|
- struct tcindex_filter_result *r, struct nlattr **tb,
|
||||||
|
- struct nlattr *est, u32 flags, struct netlink_ext_ack *extack)
|
||||||
|
-{
|
||||||
|
- struct tcindex_filter_result new_filter_result, *old_r = r;
|
||||||
|
- struct tcindex_data *cp = NULL, *oldp;
|
||||||
|
- struct tcindex_filter *f = NULL; /* make gcc behave */
|
||||||
|
- struct tcf_result cr = {};
|
||||||
|
- int err, balloc = 0;
|
||||||
|
- struct tcf_exts e;
|
||||||
|
- bool update_h = false;
|
||||||
|
-
|
||||||
|
- err = tcf_exts_init(&e, net, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
|
||||||
|
- if (err < 0)
|
||||||
|
- return err;
|
||||||
|
- err = tcf_exts_validate(net, tp, tb, est, &e, flags, extack);
|
||||||
|
- if (err < 0)
|
||||||
|
- goto errout;
|
||||||
|
-
|
||||||
|
- err = -ENOMEM;
|
||||||
|
- /* tcindex_data attributes must look atomic to classifier/lookup so
|
||||||
|
- * allocate new tcindex data and RCU assign it onto root. Keeping
|
||||||
|
- * perfect hash and hash pointers from old data.
|
||||||
|
- */
|
||||||
|
- cp = kzalloc(sizeof(*cp), GFP_KERNEL);
|
||||||
|
- if (!cp)
|
||||||
|
- goto errout;
|
||||||
|
-
|
||||||
|
- cp->mask = p->mask;
|
||||||
|
- cp->shift = p->shift;
|
||||||
|
- cp->hash = p->hash;
|
||||||
|
- cp->alloc_hash = p->alloc_hash;
|
||||||
|
- cp->fall_through = p->fall_through;
|
||||||
|
- cp->tp = tp;
|
||||||
|
- refcount_set(&cp->refcnt, 1); /* Paired with tcindex_destroy_work() */
|
||||||
|
-
|
||||||
|
- if (tb[TCA_TCINDEX_HASH])
|
||||||
|
- cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
|
||||||
|
-
|
||||||
|
- if (tb[TCA_TCINDEX_MASK])
|
||||||
|
- cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
|
||||||
|
-
|
||||||
|
- if (tb[TCA_TCINDEX_SHIFT]) {
|
||||||
|
- cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
|
||||||
|
- if (cp->shift > 16) {
|
||||||
|
- err = -EINVAL;
|
||||||
|
- goto errout;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- if (!cp->hash) {
|
||||||
|
- /* Hash not specified, use perfect hash if the upper limit
|
||||||
|
- * of the hashing index is below the threshold.
|
||||||
|
- */
|
||||||
|
- if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
|
||||||
|
- cp->hash = (cp->mask >> cp->shift) + 1;
|
||||||
|
- else
|
||||||
|
- cp->hash = DEFAULT_HASH_SIZE;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (p->perfect) {
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- if (tcindex_alloc_perfect_hash(net, cp) < 0)
|
||||||
|
- goto errout;
|
||||||
|
- cp->alloc_hash = cp->hash;
|
||||||
|
- for (i = 0; i < min(cp->hash, p->hash); i++)
|
||||||
|
- cp->perfect[i].res = p->perfect[i].res;
|
||||||
|
- balloc = 1;
|
||||||
|
- }
|
||||||
|
- cp->h = p->h;
|
||||||
|
-
|
||||||
|
- err = tcindex_filter_result_init(&new_filter_result, cp, net);
|
||||||
|
- if (err < 0)
|
||||||
|
- goto errout_alloc;
|
||||||
|
- if (old_r)
|
||||||
|
- cr = r->res;
|
||||||
|
-
|
||||||
|
- err = -EBUSY;
|
||||||
|
-
|
||||||
|
- /* Hash already allocated, make sure that we still meet the
|
||||||
|
- * requirements for the allocated hash.
|
||||||
|
- */
|
||||||
|
- if (cp->perfect) {
|
||||||
|
- if (!valid_perfect_hash(cp) ||
|
||||||
|
- cp->hash > cp->alloc_hash)
|
||||||
|
- goto errout_alloc;
|
||||||
|
- } else if (cp->h && cp->hash != cp->alloc_hash) {
|
||||||
|
- goto errout_alloc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- err = -EINVAL;
|
||||||
|
- if (tb[TCA_TCINDEX_FALL_THROUGH])
|
||||||
|
- cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
|
||||||
|
-
|
||||||
|
- if (!cp->perfect && !cp->h)
|
||||||
|
- cp->alloc_hash = cp->hash;
|
||||||
|
-
|
||||||
|
- /* Note: this could be as restrictive as if (handle & ~(mask >> shift))
|
||||||
|
- * but then, we'd fail handles that may become valid after some future
|
||||||
|
- * mask change. While this is extremely unlikely to ever matter,
|
||||||
|
- * the check below is safer (and also more backwards-compatible).
|
||||||
|
- */
|
||||||
|
- if (cp->perfect || valid_perfect_hash(cp))
|
||||||
|
- if (handle >= cp->alloc_hash)
|
||||||
|
- goto errout_alloc;
|
||||||
|
-
|
||||||
|
-
|
||||||
|
- err = -ENOMEM;
|
||||||
|
- if (!cp->perfect && !cp->h) {
|
||||||
|
- if (valid_perfect_hash(cp)) {
|
||||||
|
- if (tcindex_alloc_perfect_hash(net, cp) < 0)
|
||||||
|
- goto errout_alloc;
|
||||||
|
- balloc = 1;
|
||||||
|
- } else {
|
||||||
|
- struct tcindex_filter __rcu **hash;
|
||||||
|
-
|
||||||
|
- hash = kcalloc(cp->hash,
|
||||||
|
- sizeof(struct tcindex_filter *),
|
||||||
|
- GFP_KERNEL);
|
||||||
|
-
|
||||||
|
- if (!hash)
|
||||||
|
- goto errout_alloc;
|
||||||
|
-
|
||||||
|
- cp->h = hash;
|
||||||
|
- balloc = 2;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (cp->perfect) {
|
||||||
|
- r = cp->perfect + handle;
|
||||||
|
- } else {
|
||||||
|
- /* imperfect area is updated in-place using rcu */
|
||||||
|
- update_h = !!tcindex_lookup(cp, handle);
|
||||||
|
- r = &new_filter_result;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (r == &new_filter_result) {
|
||||||
|
- f = kzalloc(sizeof(*f), GFP_KERNEL);
|
||||||
|
- if (!f)
|
||||||
|
- goto errout_alloc;
|
||||||
|
- f->key = handle;
|
||||||
|
- f->next = NULL;
|
||||||
|
- err = tcindex_filter_result_init(&f->result, cp, net);
|
||||||
|
- if (err < 0) {
|
||||||
|
- kfree(f);
|
||||||
|
- goto errout_alloc;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (tb[TCA_TCINDEX_CLASSID]) {
|
||||||
|
- cr.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]);
|
||||||
|
- tcf_bind_filter(tp, &cr, base);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (old_r && old_r != r) {
|
||||||
|
- err = tcindex_filter_result_init(old_r, cp, net);
|
||||||
|
- if (err < 0) {
|
||||||
|
- kfree(f);
|
||||||
|
- goto errout_alloc;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- oldp = p;
|
||||||
|
- r->res = cr;
|
||||||
|
- tcf_exts_change(&r->exts, &e);
|
||||||
|
-
|
||||||
|
- rcu_assign_pointer(tp->root, cp);
|
||||||
|
-
|
||||||
|
- if (update_h) {
|
||||||
|
- struct tcindex_filter __rcu **fp;
|
||||||
|
- struct tcindex_filter *cf;
|
||||||
|
-
|
||||||
|
- f->result.res = r->res;
|
||||||
|
- tcf_exts_change(&f->result.exts, &r->exts);
|
||||||
|
-
|
||||||
|
- /* imperfect area bucket */
|
||||||
|
- fp = cp->h + (handle % cp->hash);
|
||||||
|
-
|
||||||
|
- /* lookup the filter, guaranteed to exist */
|
||||||
|
- for (cf = rcu_dereference_bh_rtnl(*fp); cf;
|
||||||
|
- fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
|
||||||
|
- if (cf->key == (u16)handle)
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- f->next = cf->next;
|
||||||
|
-
|
||||||
|
- cf = rcu_replace_pointer(*fp, f, 1);
|
||||||
|
- tcf_exts_get_net(&cf->result.exts);
|
||||||
|
- tcf_queue_work(&cf->rwork, tcindex_destroy_fexts_work);
|
||||||
|
- } else if (r == &new_filter_result) {
|
||||||
|
- struct tcindex_filter *nfp;
|
||||||
|
- struct tcindex_filter __rcu **fp;
|
||||||
|
-
|
||||||
|
- f->result.res = r->res;
|
||||||
|
- tcf_exts_change(&f->result.exts, &r->exts);
|
||||||
|
-
|
||||||
|
- fp = cp->h + (handle % cp->hash);
|
||||||
|
- for (nfp = rtnl_dereference(*fp);
|
||||||
|
- nfp;
|
||||||
|
- fp = &nfp->next, nfp = rtnl_dereference(*fp))
|
||||||
|
- ; /* nothing */
|
||||||
|
-
|
||||||
|
- rcu_assign_pointer(*fp, f);
|
||||||
|
- } else {
|
||||||
|
- tcf_exts_destroy(&new_filter_result.exts);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (oldp)
|
||||||
|
- tcf_queue_work(&oldp->rwork, tcindex_partial_destroy_work);
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
-errout_alloc:
|
||||||
|
- if (balloc == 1)
|
||||||
|
- tcindex_free_perfect_hash(cp);
|
||||||
|
- else if (balloc == 2)
|
||||||
|
- kfree(cp->h);
|
||||||
|
- tcf_exts_destroy(&new_filter_result.exts);
|
||||||
|
-errout:
|
||||||
|
- kfree(cp);
|
||||||
|
- tcf_exts_destroy(&e);
|
||||||
|
- return err;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static int
|
||||||
|
-tcindex_change(struct net *net, struct sk_buff *in_skb,
|
||||||
|
- struct tcf_proto *tp, unsigned long base, u32 handle,
|
||||||
|
- struct nlattr **tca, void **arg, u32 flags,
|
||||||
|
- struct netlink_ext_ack *extack)
|
||||||
|
-{
|
||||||
|
- struct nlattr *opt = tca[TCA_OPTIONS];
|
||||||
|
- struct nlattr *tb[TCA_TCINDEX_MAX + 1];
|
||||||
|
- struct tcindex_data *p = rtnl_dereference(tp->root);
|
||||||
|
- struct tcindex_filter_result *r = *arg;
|
||||||
|
- int err;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_change(tp %p,handle 0x%08x,tca %p,arg %p),opt %p,"
|
||||||
|
- "p %p,r %p,*arg %p\n",
|
||||||
|
- tp, handle, tca, arg, opt, p, r, *arg);
|
||||||
|
-
|
||||||
|
- if (!opt)
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
- err = nla_parse_nested_deprecated(tb, TCA_TCINDEX_MAX, opt,
|
||||||
|
- tcindex_policy, NULL);
|
||||||
|
- if (err < 0)
|
||||||
|
- return err;
|
||||||
|
-
|
||||||
|
- return tcindex_set_parms(net, tp, base, handle, p, r, tb,
|
||||||
|
- tca[TCA_RATE], flags, extack);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_walk(struct tcf_proto *tp, struct tcf_walker *walker,
|
||||||
|
- bool rtnl_held)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = rtnl_dereference(tp->root);
|
||||||
|
- struct tcindex_filter *f, *next;
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_walk(tp %p,walker %p),p %p\n", tp, walker, p);
|
||||||
|
- if (p->perfect) {
|
||||||
|
- for (i = 0; i < p->hash; i++) {
|
||||||
|
- if (!p->perfect[i].res.class)
|
||||||
|
- continue;
|
||||||
|
- if (walker->count >= walker->skip) {
|
||||||
|
- if (walker->fn(tp, p->perfect + i, walker) < 0) {
|
||||||
|
- walker->stop = 1;
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- walker->count++;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- if (!p->h)
|
||||||
|
- return;
|
||||||
|
- for (i = 0; i < p->hash; i++) {
|
||||||
|
- for (f = rtnl_dereference(p->h[i]); f; f = next) {
|
||||||
|
- next = rtnl_dereference(f->next);
|
||||||
|
- if (walker->count >= walker->skip) {
|
||||||
|
- if (walker->fn(tp, &f->result, walker) < 0) {
|
||||||
|
- walker->stop = 1;
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- walker->count++;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_destroy(struct tcf_proto *tp, bool rtnl_held,
|
||||||
|
- struct netlink_ext_ack *extack)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = rtnl_dereference(tp->root);
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_destroy(tp %p),p %p\n", tp, p);
|
||||||
|
-
|
||||||
|
- if (p->perfect) {
|
||||||
|
- for (i = 0; i < p->hash; i++) {
|
||||||
|
- struct tcindex_filter_result *r = p->perfect + i;
|
||||||
|
-
|
||||||
|
- /* tcf_queue_work() does not guarantee the ordering we
|
||||||
|
- * want, so we have to take this refcnt temporarily to
|
||||||
|
- * ensure 'p' is freed after all tcindex_filter_result
|
||||||
|
- * here. Imperfect hash does not need this, because it
|
||||||
|
- * uses linked lists rather than an array.
|
||||||
|
- */
|
||||||
|
- tcindex_data_get(p);
|
||||||
|
-
|
||||||
|
- tcf_unbind_filter(tp, &r->res);
|
||||||
|
- if (tcf_exts_get_net(&r->exts))
|
||||||
|
- tcf_queue_work(&r->rwork,
|
||||||
|
- tcindex_destroy_rexts_work);
|
||||||
|
- else
|
||||||
|
- __tcindex_destroy_rexts(r);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- for (i = 0; p->h && i < p->hash; i++) {
|
||||||
|
- struct tcindex_filter *f, *next;
|
||||||
|
- bool last;
|
||||||
|
-
|
||||||
|
- for (f = rtnl_dereference(p->h[i]); f; f = next) {
|
||||||
|
- next = rtnl_dereference(f->next);
|
||||||
|
- tcindex_delete(tp, &f->result, &last, rtnl_held, NULL);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- tcf_queue_work(&p->rwork, tcindex_destroy_work);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-static int tcindex_dump(struct net *net, struct tcf_proto *tp, void *fh,
|
||||||
|
- struct sk_buff *skb, struct tcmsg *t, bool rtnl_held)
|
||||||
|
-{
|
||||||
|
- struct tcindex_data *p = rtnl_dereference(tp->root);
|
||||||
|
- struct tcindex_filter_result *r = fh;
|
||||||
|
- struct nlattr *nest;
|
||||||
|
-
|
||||||
|
- pr_debug("tcindex_dump(tp %p,fh %p,skb %p,t %p),p %p,r %p\n",
|
||||||
|
- tp, fh, skb, t, p, r);
|
||||||
|
- pr_debug("p->perfect %p p->h %p\n", p->perfect, p->h);
|
||||||
|
-
|
||||||
|
- nest = nla_nest_start_noflag(skb, TCA_OPTIONS);
|
||||||
|
- if (nest == NULL)
|
||||||
|
- goto nla_put_failure;
|
||||||
|
-
|
||||||
|
- if (!fh) {
|
||||||
|
- t->tcm_handle = ~0; /* whatever ... */
|
||||||
|
- if (nla_put_u32(skb, TCA_TCINDEX_HASH, p->hash) ||
|
||||||
|
- nla_put_u16(skb, TCA_TCINDEX_MASK, p->mask) ||
|
||||||
|
- nla_put_u32(skb, TCA_TCINDEX_SHIFT, p->shift) ||
|
||||||
|
- nla_put_u32(skb, TCA_TCINDEX_FALL_THROUGH, p->fall_through))
|
||||||
|
- goto nla_put_failure;
|
||||||
|
- nla_nest_end(skb, nest);
|
||||||
|
- } else {
|
||||||
|
- if (p->perfect) {
|
||||||
|
- t->tcm_handle = r - p->perfect;
|
||||||
|
- } else {
|
||||||
|
- struct tcindex_filter *f;
|
||||||
|
- struct tcindex_filter __rcu **fp;
|
||||||
|
- int i;
|
||||||
|
-
|
||||||
|
- t->tcm_handle = 0;
|
||||||
|
- for (i = 0; !t->tcm_handle && i < p->hash; i++) {
|
||||||
|
- fp = &p->h[i];
|
||||||
|
- for (f = rtnl_dereference(*fp);
|
||||||
|
- !t->tcm_handle && f;
|
||||||
|
- fp = &f->next, f = rtnl_dereference(*fp)) {
|
||||||
|
- if (&f->result == r)
|
||||||
|
- t->tcm_handle = f->key;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- pr_debug("handle = %d\n", t->tcm_handle);
|
||||||
|
- if (r->res.class &&
|
||||||
|
- nla_put_u32(skb, TCA_TCINDEX_CLASSID, r->res.classid))
|
||||||
|
- goto nla_put_failure;
|
||||||
|
-
|
||||||
|
- if (tcf_exts_dump(skb, &r->exts) < 0)
|
||||||
|
- goto nla_put_failure;
|
||||||
|
- nla_nest_end(skb, nest);
|
||||||
|
-
|
||||||
|
- if (tcf_exts_dump_stats(skb, &r->exts) < 0)
|
||||||
|
- goto nla_put_failure;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return skb->len;
|
||||||
|
-
|
||||||
|
-nla_put_failure:
|
||||||
|
- nla_nest_cancel(skb, nest);
|
||||||
|
- return -1;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void tcindex_bind_class(void *fh, u32 classid, unsigned long cl,
|
||||||
|
- void *q, unsigned long base)
|
||||||
|
-{
|
||||||
|
- struct tcindex_filter_result *r = fh;
|
||||||
|
-
|
||||||
|
- if (r && r->res.classid == classid) {
|
||||||
|
- if (cl)
|
||||||
|
- __tcf_bind_filter(q, &r->res, base);
|
||||||
|
- else
|
||||||
|
- __tcf_unbind_filter(q, &r->res);
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static struct tcf_proto_ops cls_tcindex_ops __read_mostly = {
|
||||||
|
- .kind = "tcindex",
|
||||||
|
- .classify = tcindex_classify,
|
||||||
|
- .init = tcindex_init,
|
||||||
|
- .destroy = tcindex_destroy,
|
||||||
|
- .get = tcindex_get,
|
||||||
|
- .change = tcindex_change,
|
||||||
|
- .delete = tcindex_delete,
|
||||||
|
- .walk = tcindex_walk,
|
||||||
|
- .dump = tcindex_dump,
|
||||||
|
- .bind_class = tcindex_bind_class,
|
||||||
|
- .owner = THIS_MODULE,
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-static int __init init_tcindex(void)
|
||||||
|
-{
|
||||||
|
- return register_tcf_proto_ops(&cls_tcindex_ops);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void __exit exit_tcindex(void)
|
||||||
|
-{
|
||||||
|
- unregister_tcf_proto_ops(&cls_tcindex_ops);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-module_init(init_tcindex)
|
||||||
|
-module_exit(exit_tcindex)
|
||||||
|
-MODULE_LICENSE("GPL");
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,119 @@
|
|||||||
|
From 124abc5a2d892bffaa2830d3d596f087555f0fd3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Darrick J. Wong" <djwong@kernel.org>
|
||||||
|
Date: Tue, 8 Aug 2023 12:41:24 +0000
|
||||||
|
Subject: [PATCH 5/7] xfs: verify buffer contents when we skip log replay
|
||||||
|
|
||||||
|
commit 22ed903eee23a5b174e240f1cdfa9acf393a5210 upstream
|
||||||
|
Author: Darrick J. Wong <djwong@kernel.org>
|
||||||
|
Date: Wed Apr 12 15:49:23 2023 +1000
|
||||||
|
|
||||||
|
xfs: verify buffer contents when we skip log replay
|
||||||
|
|
||||||
|
syzbot detected a crash during log recovery:
|
||||||
|
|
||||||
|
XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791
|
||||||
|
XFS (loop0): Torn write (CRC failure) detected at log block 0x180. Truncating head block from 0x200.
|
||||||
|
XFS (loop0): Starting recovery (logdev: internal)
|
||||||
|
==================================================================
|
||||||
|
BUG: KASAN: slab-out-of-bounds in xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813
|
||||||
|
Read of size 8 at addr ffff88807e89f258 by task syz-executor132/5074
|
||||||
|
|
||||||
|
CPU: 0 PID: 5074 Comm: syz-executor132 Not tainted 6.2.0-rc1-syzkaller #0
|
||||||
|
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
|
||||||
|
Call Trace:
|
||||||
|
<TASK>
|
||||||
|
__dump_stack lib/dump_stack.c:88 [inline]
|
||||||
|
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
|
||||||
|
print_address_description+0x74/0x340 mm/kasan/report.c:306
|
||||||
|
print_report+0x107/0x1f0 mm/kasan/report.c:417
|
||||||
|
kasan_report+0xcd/0x100 mm/kasan/report.c:517
|
||||||
|
xfs_btree_lookup_get_block+0x15c/0x6d0 fs/xfs/libxfs/xfs_btree.c:1813
|
||||||
|
xfs_btree_lookup+0x346/0x12c0 fs/xfs/libxfs/xfs_btree.c:1913
|
||||||
|
xfs_btree_simple_query_range+0xde/0x6a0 fs/xfs/libxfs/xfs_btree.c:4713
|
||||||
|
xfs_btree_query_range+0x2db/0x380 fs/xfs/libxfs/xfs_btree.c:4953
|
||||||
|
xfs_refcount_recover_cow_leftovers+0x2d1/0xa60 fs/xfs/libxfs/xfs_refcount.c:1946
|
||||||
|
xfs_reflink_recover_cow+0xab/0x1b0 fs/xfs/xfs_reflink.c:930
|
||||||
|
xlog_recover_finish+0x824/0x920 fs/xfs/xfs_log_recover.c:3493
|
||||||
|
xfs_log_mount_finish+0x1ec/0x3d0 fs/xfs/xfs_log.c:829
|
||||||
|
xfs_mountfs+0x146a/0x1ef0 fs/xfs/xfs_mount.c:933
|
||||||
|
xfs_fs_fill_super+0xf95/0x11f0 fs/xfs/xfs_super.c:1666
|
||||||
|
get_tree_bdev+0x400/0x620 fs/super.c:1282
|
||||||
|
vfs_get_tree+0x88/0x270 fs/super.c:1489
|
||||||
|
do_new_mount+0x289/0xad0 fs/namespace.c:3145
|
||||||
|
do_mount fs/namespace.c:3488 [inline]
|
||||||
|
__do_sys_mount fs/namespace.c:3697 [inline]
|
||||||
|
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
|
||||||
|
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
|
||||||
|
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
|
||||||
|
entry_SYSCALL_64_after_hwframe+0x63/0xcd
|
||||||
|
RIP: 0033:0x7f89fa3f4aca
|
||||||
|
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
|
||||||
|
RSP: 002b:00007fffd5fb5ef8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
|
||||||
|
RAX: ffffffffffffffda RBX: 00646975756f6e2c RCX: 00007f89fa3f4aca
|
||||||
|
RDX: 0000000020000100 RSI: 0000000020009640 RDI: 00007fffd5fb5f10
|
||||||
|
RBP: 00007fffd5fb5f10 R08: 00007fffd5fb5f50 R09: 000000000000970d
|
||||||
|
R10: 0000000000200800 R11: 0000000000000206 R12: 0000000000000004
|
||||||
|
R13: 0000555556c6b2c0 R14: 0000000000200800 R15: 00007fffd5fb5f50
|
||||||
|
</TASK>
|
||||||
|
|
||||||
|
The fuzzed image contains an AGF with an obviously garbage
|
||||||
|
agf_refcount_level value of 32, and a dirty log with a buffer log item
|
||||||
|
for that AGF. The ondisk AGF has a higher LSN than the recovered log
|
||||||
|
item. xlog_recover_buf_commit_pass2 reads the buffer, compares the
|
||||||
|
LSNs, and decides to skip replay because the ondisk buffer appears to be
|
||||||
|
newer.
|
||||||
|
|
||||||
|
Unfortunately, the ondisk buffer is corrupt, but recovery just read the
|
||||||
|
buffer with no buffer ops specified:
|
||||||
|
|
||||||
|
error = xfs_buf_read(mp->m_ddev_targp, buf_f->blf_blkno,
|
||||||
|
buf_f->blf_len, buf_flags, &bp, NULL);
|
||||||
|
|
||||||
|
Skipping the buffer leaves its contents in memory unverified. This sets
|
||||||
|
us up for a kernel crash because xfs_refcount_recover_cow_leftovers
|
||||||
|
reads the buffer (which is still around in XBF_DONE state, so no read
|
||||||
|
verification) and creates a refcountbt cursor of height 32. This is
|
||||||
|
impossible so we run off the end of the cursor object and crash.
|
||||||
|
|
||||||
|
Fix this by invoking the verifier on all skipped buffers and aborting
|
||||||
|
log recovery if the ondisk buffer is corrupt. It might be smarter to
|
||||||
|
force replay the log item atop the buffer and then see if it'll pass the
|
||||||
|
write verifier (like ext4 does) but for now let's go with the
|
||||||
|
conservative option where we stop immediately.
|
||||||
|
|
||||||
|
Link: https://syzkaller.appspot.com/bug?extid=7e9494b8b399902e994e
|
||||||
|
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
|
||||||
|
Reviewed-by: Dave Chinner <dchinner@redhat.com>
|
||||||
|
Signed-off-by: Dave Chinner <david@fromorbit.com>
|
||||||
|
|
||||||
|
CVE: CVE-2023-2124
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
fs/xfs/xfs_buf_item_recover.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/fs/xfs/xfs_buf_item_recover.c b/fs/xfs/xfs_buf_item_recover.c
|
||||||
|
index aa4d45701..e8eeaf005 100644
|
||||||
|
--- a/fs/xfs/xfs_buf_item_recover.c
|
||||||
|
+++ b/fs/xfs/xfs_buf_item_recover.c
|
||||||
|
@@ -934,6 +934,16 @@ xlog_recover_buf_commit_pass2(
|
||||||
|
if (lsn && lsn != -1 && XFS_LSN_CMP(lsn, current_lsn) >= 0) {
|
||||||
|
trace_xfs_log_recover_buf_skip(log, buf_f);
|
||||||
|
xlog_recover_validate_buf_type(mp, bp, buf_f, NULLCOMMITLSN);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * We're skipping replay of this buffer log item due to the log
|
||||||
|
+ * item LSN being behind the ondisk buffer. Verify the buffer
|
||||||
|
+ * contents since we aren't going to run the write verifier.
|
||||||
|
+ */
|
||||||
|
+ if (bp->b_ops) {
|
||||||
|
+ bp->b_ops->verify_read(bp);
|
||||||
|
+ error = bp->b_error;
|
||||||
|
+ }
|
||||||
|
goto out_release;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,48 @@
|
|||||||
|
From 24bbece0ab10a61da0356b7d56a07b0055ee143d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wei Chen <harperchen1110@gmail.com>
|
||||||
|
Date: Tue, 8 Aug 2023 12:46:05 +0000
|
||||||
|
Subject: [PATCH 6/7] i2c: xgene-slimpro: Fix out-of-bounds bug in
|
||||||
|
xgene_slimpro_i2c_xfer()
|
||||||
|
|
||||||
|
commit 92fbb6d1296f81f41f65effd7f5f8c0f74943d15 upstream
|
||||||
|
Author: Wei Chen <harperchen1110@gmail.com>
|
||||||
|
Date: Tue Mar 14 16:54:21 2023 +0000
|
||||||
|
|
||||||
|
i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
|
||||||
|
|
||||||
|
The data->block[0] variable comes from user and is a number between
|
||||||
|
0-255. Without proper check, the variable may be very large to cause
|
||||||
|
an out-of-bounds when performing memcpy in slimpro_i2c_blkwr.
|
||||||
|
|
||||||
|
Fix this bug by checking the value of writelen.
|
||||||
|
|
||||||
|
Fixes: f6505fbabc42 ("i2c: add SLIMpro I2C device driver on APM X-Gene platform")
|
||||||
|
Signed-off-by: Wei Chen <harperchen1110@gmail.com>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
|
||||||
|
Signed-off-by: Wolfram Sang <wsa@kernel.org>
|
||||||
|
|
||||||
|
CVE: CVE-2023-2194
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
drivers/i2c/busses/i2c-xgene-slimpro.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/i2c/busses/i2c-xgene-slimpro.c b/drivers/i2c/busses/i2c-xgene-slimpro.c
|
||||||
|
index f694b3c31..985ba3a3a 100644
|
||||||
|
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
|
||||||
|
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
|
||||||
|
@@ -322,6 +322,9 @@ static int slimpro_i2c_blkwr(struct slimpro_i2c_dev *ctx, u32 chip,
|
||||||
|
u32 msg[3];
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
+ if (writelen > I2C_SMBUS_BLOCK_MAX)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
memcpy(ctx->dma_buffer, data, writelen);
|
||||||
|
paddr = dma_map_single(ctx->dev, ctx->dma_buffer, writelen,
|
||||||
|
DMA_TO_DEVICE);
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,45 @@
|
|||||||
|
From 7dcc341e1a59f07dcd6ac591ecd90b41dcd28611 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Budimir Markovic <markovicbudimir@gmail.com>
|
||||||
|
Date: Tue, 8 Aug 2023 12:48:54 +0000
|
||||||
|
Subject: [PATCH 7/7] perf: Fix check before add_event_to_groups() in
|
||||||
|
perf_group_detach()
|
||||||
|
|
||||||
|
commit fd0815f632c24878e325821943edccc7fde947a2 upstream
|
||||||
|
Author: Budimir Markovic <markovicbudimir@gmail.com>
|
||||||
|
Date: Wed Mar 15 00:29:01 2023 -0700
|
||||||
|
|
||||||
|
Events should only be added to a groups rb tree if they have not been
|
||||||
|
removed from their context by list_del_event(). Since remove_on_exec
|
||||||
|
made it possible to call list_del_event() on individual events before
|
||||||
|
they are detached from their group, perf_group_detach() should check each
|
||||||
|
sibling's attach_state before calling add_event_to_groups() on it.
|
||||||
|
|
||||||
|
Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec")
|
||||||
|
|
||||||
|
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
|
||||||
|
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
|
||||||
|
Link: https://lkml.kernel.org/r/ZBFzvQV9tEqoHEtH@gentoo
|
||||||
|
|
||||||
|
CVE: CVE-2023-2235
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
kernel/events/core.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/kernel/events/core.c b/kernel/events/core.c
|
||||||
|
index d2adc3cbf..182494495 100644
|
||||||
|
--- a/kernel/events/core.c
|
||||||
|
+++ b/kernel/events/core.c
|
||||||
|
@@ -2210,7 +2210,7 @@ static void perf_group_detach(struct perf_event *event)
|
||||||
|
/* Inherit group flags from the previous leader */
|
||||||
|
sibling->group_caps = event->group_caps;
|
||||||
|
|
||||||
|
- if (!RB_EMPTY_NODE(&event->group_node)) {
|
||||||
|
+ if (sibling->attach_state & PERF_ATTACH_CONTEXT) {
|
||||||
|
add_event_to_groups(sibling, event->ctx);
|
||||||
|
|
||||||
|
if (sibling->state == PERF_EVENT_STATE_ACTIVE)
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,56 @@
|
|||||||
|
From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ruihan Li <lrh2000@pku.edu.cn>
|
||||||
|
Date: Sun, 16 Apr 2023 16:14:04 +0800
|
||||||
|
Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in
|
||||||
|
hci_sock_ioctl()
|
||||||
|
|
||||||
|
Previously, capability was checked using capable(), which verified that the
|
||||||
|
caller of the ioctl system call had the required capability. In addition,
|
||||||
|
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
|
||||||
|
making it persistent for the socket.
|
||||||
|
|
||||||
|
However, malicious programs can abuse this approach by deliberately sharing
|
||||||
|
an HCI socket with a privileged task. The HCI socket will be marked as
|
||||||
|
trusted when the privileged task occasionally makes an ioctl call.
|
||||||
|
|
||||||
|
This problem can be solved by using sk_capable() to check capability, which
|
||||||
|
ensures that not only the current task but also the socket opener has the
|
||||||
|
specified capability, thus reducing the risk of privilege escalation
|
||||||
|
through the previously identified vulnerability.
|
||||||
|
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
|
||||||
|
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
|
||||||
|
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
||||||
|
(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18)
|
||||||
|
|
||||||
|
CVE: CVE-2023-2002
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
---
|
||||||
|
net/bluetooth/hci_sock.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
|
||||||
|
index d7c9ead69554..3cb8a2879ebb 100644
|
||||||
|
--- a/net/bluetooth/hci_sock.c
|
||||||
|
+++ b/net/bluetooth/hci_sock.c
|
||||||
|
@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
|
||||||
|
if (hci_sock_gen_cookie(sk)) {
|
||||||
|
struct sk_buff *skb;
|
||||||
|
|
||||||
|
- if (capable(CAP_NET_ADMIN))
|
||||||
|
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
|
||||||
|
+ * flag. Make sure that not only the current task but also
|
||||||
|
+ * the socket opener has the required capability, since
|
||||||
|
+ * privileged programs can be tricked into making ioctl calls
|
||||||
|
+ * on HCI sockets, and the socket should not be marked as
|
||||||
|
+ * trusted simply because the ioctl caller is privileged.
|
||||||
|
+ */
|
||||||
|
+ if (sk_capable(sk, CAP_NET_ADMIN))
|
||||||
|
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
|
||||||
|
|
||||||
|
/* Send event to monitor */
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,172 @@
|
|||||||
|
From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001
|
||||||
|
From: "t.feng" <fengtao40@huawei.com>
|
||||||
|
Date: Wed, 10 May 2023 11:50:44 +0800
|
||||||
|
Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb
|
||||||
|
|
||||||
|
If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
|
||||||
|
is actually skb->cb, and IPCB(skb_in)->opt will be used in
|
||||||
|
__ip_options_echo. It is possible that memcpy is out of bounds and lead
|
||||||
|
to stack overflow.
|
||||||
|
We should clear skb->cb before ip_local_out or ip6_local_out.
|
||||||
|
|
||||||
|
v2:
|
||||||
|
1. clean the stack info
|
||||||
|
2. use IPCB/IP6CB instead of skb->cb
|
||||||
|
|
||||||
|
crash on stable-5.10(reproduce in kasan kernel).
|
||||||
|
Stack info:
|
||||||
|
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
|
||||||
|
__ip_options_echo+0x589/0x800
|
||||||
|
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
|
||||||
|
swapper/3/0
|
||||||
|
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
|
||||||
|
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
|
||||||
|
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
|
||||||
|
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
|
||||||
|
[ 2203.655475] Call Trace:
|
||||||
|
[ 2203.655481] <IRQ>
|
||||||
|
[ 2203.655501] dump_stack+0x9c/0xd3
|
||||||
|
[ 2203.655514] print_address_description.constprop.0+0x19/0x170
|
||||||
|
[ 2203.655530] __kasan_report.cold+0x6c/0x84
|
||||||
|
[ 2203.655586] kasan_report+0x3a/0x50
|
||||||
|
[ 2203.655594] check_memory_region+0xfd/0x1f0
|
||||||
|
[ 2203.655601] memcpy+0x39/0x60
|
||||||
|
[ 2203.655608] __ip_options_echo+0x589/0x800
|
||||||
|
[ 2203.655654] __icmp_send+0x59a/0x960
|
||||||
|
[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
|
||||||
|
[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT]
|
||||||
|
[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables]
|
||||||
|
[ 2203.655821] nf_hook_slow+0x69/0x100
|
||||||
|
[ 2203.655828] __ip_local_out+0x21e/0x2b0
|
||||||
|
[ 2203.655857] ip_local_out+0x28/0x90
|
||||||
|
[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
|
||||||
|
[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
|
||||||
|
[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
|
||||||
|
[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
|
||||||
|
[ 2203.655984] xmit_one.constprop.0+0xe1/0x280
|
||||||
|
[ 2203.655992] dev_hard_start_xmit+0x62/0x100
|
||||||
|
[ 2203.656000] sch_direct_xmit+0x215/0x640
|
||||||
|
[ 2203.656028] __qdisc_run+0x153/0x1f0
|
||||||
|
[ 2203.656069] __dev_queue_xmit+0x77f/0x1030
|
||||||
|
[ 2203.656173] ip_finish_output2+0x59b/0xc20
|
||||||
|
[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0
|
||||||
|
[ 2203.656312] ip_finish_output+0x168/0x190
|
||||||
|
[ 2203.656320] ip_output+0x12d/0x220
|
||||||
|
[ 2203.656357] __ip_queue_xmit+0x392/0x880
|
||||||
|
[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0
|
||||||
|
[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30
|
||||||
|
[ 2203.656505] tcp_retransmit_skb+0x2d/0x190
|
||||||
|
[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0
|
||||||
|
[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510
|
||||||
|
[ 2203.656529] tcp_write_timer+0x55/0x180
|
||||||
|
[ 2203.656542] call_timer_fn+0x3f/0x1d0
|
||||||
|
[ 2203.656555] expire_timers+0x160/0x200
|
||||||
|
[ 2203.656562] run_timer_softirq+0x1f4/0x480
|
||||||
|
[ 2203.656606] __do_softirq+0xfd/0x402
|
||||||
|
[ 2203.656613] asm_call_irq_on_stack+0x12/0x20
|
||||||
|
[ 2203.656617] </IRQ>
|
||||||
|
[ 2203.656623] do_softirq_own_stack+0x37/0x50
|
||||||
|
[ 2203.656631] irq_exit_rcu+0x134/0x1a0
|
||||||
|
[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80
|
||||||
|
[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20
|
||||||
|
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
|
||||||
|
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
|
||||||
|
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
|
||||||
|
f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
|
||||||
|
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
|
||||||
|
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
|
||||||
|
ffffffffaf290191
|
||||||
|
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
|
||||||
|
ffff88811a3c4f60
|
||||||
|
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
|
||||||
|
ffff88811a3c4f63
|
||||||
|
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
|
||||||
|
0000000000000003
|
||||||
|
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
|
||||||
|
0000000000000000
|
||||||
|
[ 2203.656729] default_idle_call+0x5a/0x150
|
||||||
|
[ 2203.656735] cpuidle_idle_call+0x1c6/0x220
|
||||||
|
[ 2203.656780] do_idle+0xab/0x100
|
||||||
|
[ 2203.656786] cpu_startup_entry+0x19/0x20
|
||||||
|
[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb
|
||||||
|
|
||||||
|
[ 2203.657409] The buggy address belongs to the page:
|
||||||
|
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
|
||||||
|
mapping:0000000000000000 index:0x0 pfn:0x11a388
|
||||||
|
[ 2203.658665] flags:
|
||||||
|
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
|
||||||
|
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
|
||||||
|
0000000000000000
|
||||||
|
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
|
||||||
|
0000000000000000
|
||||||
|
[ 2203.658686] page dumped because: kasan: bad access detected
|
||||||
|
|
||||||
|
To reproduce(ipvlan with IPVLAN_MODE_L3):
|
||||||
|
Env setting:
|
||||||
|
=======================================================
|
||||||
|
modprobe ipvlan ipvlan_default_mode=1
|
||||||
|
sysctl net.ipv4.conf.eth0.forwarding=1
|
||||||
|
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
|
||||||
|
MASQUERADE
|
||||||
|
ip link add gw link eth0 type ipvlan
|
||||||
|
ip -4 addr add 20.0.0.254/24 dev gw
|
||||||
|
ip netns add net1
|
||||||
|
ip link add ipv1 link eth0 type ipvlan
|
||||||
|
ip link set ipv1 netns net1
|
||||||
|
ip netns exec net1 ip link set ipv1 up
|
||||||
|
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
|
||||||
|
ip netns exec net1 route add default gw 20.0.0.254
|
||||||
|
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
|
||||||
|
ifconfig gw up
|
||||||
|
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
|
||||||
|
icmp-port-unreachable
|
||||||
|
=======================================================
|
||||||
|
And then excute the shell(curl any address of eth0 can reach):
|
||||||
|
|
||||||
|
for((i=1;i<=100000;i++))
|
||||||
|
do
|
||||||
|
ip netns exec net1 curl x.x.x.x:8888
|
||||||
|
done
|
||||||
|
=======================================================
|
||||||
|
|
||||||
|
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
|
||||||
|
Signed-off-by: "t.feng" <fengtao40@huawei.com>
|
||||||
|
Suggested-by: Florian Westphal <fw@strlen.de>
|
||||||
|
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e)
|
||||||
|
|
||||||
|
CVE: CVE-2023-3090
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
---
|
||||||
|
drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
|
||||||
|
index 62c73a8ed0c3..f1ffe1800754 100644
|
||||||
|
--- a/drivers/net/ipvlan/ipvlan_core.c
|
||||||
|
+++ b/drivers/net/ipvlan/ipvlan_core.c
|
||||||
|
@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
skb_dst_set(skb, &rt->dst);
|
||||||
|
+
|
||||||
|
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
|
||||||
|
+
|
||||||
|
err = ip_local_out(net, skb->sk, skb);
|
||||||
|
if (unlikely(net_xmit_eval(err)))
|
||||||
|
dev->stats.tx_errors++;
|
||||||
|
@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
skb_dst_set(skb, dst);
|
||||||
|
+
|
||||||
|
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
|
||||||
|
+
|
||||||
|
err = ip6_local_out(net, skb->sk, skb);
|
||||||
|
if (unlikely(net_xmit_eval(err)))
|
||||||
|
dev->stats.tx_errors++;
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,62 @@
|
|||||||
|
From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001
|
||||||
|
From: M A Ramdhan <ramdhan@starlabs.sg>
|
||||||
|
Date: Wed, 5 Jul 2023 12:15:30 -0400
|
||||||
|
Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to
|
||||||
|
use-after-free
|
||||||
|
|
||||||
|
In the event of a failure in tcf_change_indev(), fw_set_parms() will
|
||||||
|
immediately return an error after incrementing or decrementing
|
||||||
|
reference counter in tcf_bind_filter(). If attacker can control
|
||||||
|
reference counter to zero and make reference freed, leading to
|
||||||
|
use after free.
|
||||||
|
|
||||||
|
In order to prevent this, move the point of possible failure above the
|
||||||
|
point where the TC_FW_CLASSID is handled.
|
||||||
|
|
||||||
|
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
|
||||||
|
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
|
||||||
|
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
|
||||||
|
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
||||||
|
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
|
||||||
|
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
|
||||||
|
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
||||||
|
(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)
|
||||||
|
|
||||||
|
CVE: CVE-2023-3776
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
---
|
||||||
|
net/sched/cls_fw.c | 10 +++++-----
|
||||||
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
|
||||||
|
index 6a0d3ee00758..4240ca68cbc4 100644
|
||||||
|
--- a/net/sched/cls_fw.c
|
||||||
|
+++ b/net/sched/cls_fw.c
|
||||||
|
@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
|
||||||
|
if (err < 0)
|
||||||
|
return err;
|
||||||
|
|
||||||
|
- if (tb[TCA_FW_CLASSID]) {
|
||||||
|
- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
|
||||||
|
- tcf_bind_filter(tp, &f->res, base);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (tb[TCA_FW_INDEV]) {
|
||||||
|
int ret;
|
||||||
|
ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
|
||||||
|
@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
|
||||||
|
} else if (head->mask != 0xFFFFFFFF)
|
||||||
|
return err;
|
||||||
|
|
||||||
|
+ if (tb[TCA_FW_CLASSID]) {
|
||||||
|
+ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
|
||||||
|
+ tcf_bind_filter(tp, &f->res, base);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,63 @@
|
|||||||
|
From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florian Westphal <fw@strlen.de>
|
||||||
|
Date: Wed, 19 Jul 2023 21:08:21 +0200
|
||||||
|
Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal
|
||||||
|
|
||||||
|
end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
|
||||||
|
|
||||||
|
Its possible to add elements that only have a start key
|
||||||
|
("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
|
||||||
|
|
||||||
|
Insertion treats this via:
|
||||||
|
|
||||||
|
if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
|
||||||
|
end = (const u8 *)nft_set_ext_key_end(ext)->data;
|
||||||
|
else
|
||||||
|
end = start;
|
||||||
|
|
||||||
|
but removal side always uses nft_set_ext_key_end().
|
||||||
|
This is wrong and leads to garbage remaining in the set after removal
|
||||||
|
next lookup/insert attempt will give:
|
||||||
|
|
||||||
|
BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
|
||||||
|
Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
|
||||||
|
Call Trace:
|
||||||
|
kasan_report+0x105/0x140
|
||||||
|
pipapo_get+0x8eb/0xb90
|
||||||
|
nft_pipapo_insert+0x1dc/0x1710
|
||||||
|
nf_tables_newsetelem+0x31f5/0x4e00
|
||||||
|
..
|
||||||
|
|
||||||
|
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
|
||||||
|
Reported-by: lonial con <kongln9170@gmail.com>
|
||||||
|
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
|
||||||
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||||
|
(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232)
|
||||||
|
|
||||||
|
CVE: CVE-2023-4004
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
---
|
||||||
|
net/netfilter/nft_set_pipapo.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
|
||||||
|
index 1eab335fb14b..0181617f9628 100644
|
||||||
|
--- a/net/netfilter/nft_set_pipapo.c
|
||||||
|
+++ b/net/netfilter/nft_set_pipapo.c
|
||||||
|
@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
|
||||||
|
int i, start, rules_fx;
|
||||||
|
|
||||||
|
match_start = data;
|
||||||
|
- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
|
||||||
|
+
|
||||||
|
+ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
|
||||||
|
+ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
|
||||||
|
+ else
|
||||||
|
+ match_end = data;
|
||||||
|
|
||||||
|
start = first_rule;
|
||||||
|
rules_fx = rules_f0;
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,217 @@
|
|||||||
|
From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||||||
|
Date: Wed, 5 Jul 2023 18:05:35 -0300
|
||||||
|
Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in
|
||||||
|
nft_byteorder_eval
|
||||||
|
|
||||||
|
When evaluating byteorder expressions with size 2, a union with 32-bit and
|
||||||
|
16-bit members is used. Since the 16-bit members are aligned to 32-bit,
|
||||||
|
the array accesses will be out-of-bounds.
|
||||||
|
|
||||||
|
It may lead to a stack-out-of-bounds access like the one below:
|
||||||
|
|
||||||
|
[ 23.095215] ==================================================================
|
||||||
|
[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320
|
||||||
|
[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115
|
||||||
|
[ 23.096358]
|
||||||
|
[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413
|
||||||
|
[ 23.096770] Call Trace:
|
||||||
|
[ 23.096910] <IRQ>
|
||||||
|
[ 23.097030] dump_stack_lvl+0x60/0xc0
|
||||||
|
[ 23.097218] print_report+0xcf/0x630
|
||||||
|
[ 23.097388] ? nft_byteorder_eval+0x13c/0x320
|
||||||
|
[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0
|
||||||
|
[ 23.097760] ? nft_byteorder_eval+0x13c/0x320
|
||||||
|
[ 23.097949] kasan_report+0xc9/0x110
|
||||||
|
[ 23.098106] ? nft_byteorder_eval+0x13c/0x320
|
||||||
|
[ 23.098298] __asan_load2+0x83/0xd0
|
||||||
|
[ 23.098453] nft_byteorder_eval+0x13c/0x320
|
||||||
|
[ 23.098659] nft_do_chain+0x1c8/0xc50
|
||||||
|
[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10
|
||||||
|
[ 23.099078] ? __kasan_check_read+0x11/0x20
|
||||||
|
[ 23.099295] ? __pfx___lock_acquire+0x10/0x10
|
||||||
|
[ 23.099535] ? __pfx___lock_acquire+0x10/0x10
|
||||||
|
[ 23.099745] ? __kasan_check_read+0x11/0x20
|
||||||
|
[ 23.099929] nft_do_chain_ipv4+0xfe/0x140
|
||||||
|
[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10
|
||||||
|
[ 23.100327] ? lock_release+0x204/0x400
|
||||||
|
[ 23.100515] ? nf_hook.constprop.0+0x340/0x550
|
||||||
|
[ 23.100779] nf_hook_slow+0x6c/0x100
|
||||||
|
[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10
|
||||||
|
[ 23.101223] nf_hook.constprop.0+0x334/0x550
|
||||||
|
[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10
|
||||||
|
[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10
|
||||||
|
[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10
|
||||||
|
[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10
|
||||||
|
[ 23.102291] ? rcu_read_lock_held+0x4b/0x70
|
||||||
|
[ 23.102481] ip_local_deliver+0xbb/0x110
|
||||||
|
[ 23.102665] ? __pfx_ip_rcv+0x10/0x10
|
||||||
|
[ 23.102839] ip_rcv+0x199/0x2a0
|
||||||
|
[ 23.102980] ? __pfx_ip_rcv+0x10/0x10
|
||||||
|
[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150
|
||||||
|
[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10
|
||||||
|
[ 23.103647] ? mark_held_locks+0x48/0xa0
|
||||||
|
[ 23.103819] ? process_backlog+0x36c/0x380
|
||||||
|
[ 23.103999] __netif_receive_skb+0x23/0xc0
|
||||||
|
[ 23.104179] process_backlog+0x91/0x380
|
||||||
|
[ 23.104350] __napi_poll.constprop.0+0x66/0x360
|
||||||
|
[ 23.104589] ? net_rx_action+0x1cb/0x610
|
||||||
|
[ 23.104811] net_rx_action+0x33e/0x610
|
||||||
|
[ 23.105024] ? _raw_spin_unlock+0x23/0x50
|
||||||
|
[ 23.105257] ? __pfx_net_rx_action+0x10/0x10
|
||||||
|
[ 23.105485] ? mark_held_locks+0x48/0xa0
|
||||||
|
[ 23.105741] __do_softirq+0xfa/0x5ab
|
||||||
|
[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00
|
||||||
|
[ 23.106193] do_softirq.part.0+0x49/0xc0
|
||||||
|
[ 23.106423] </IRQ>
|
||||||
|
[ 23.106547] <TASK>
|
||||||
|
[ 23.106670] __local_bh_enable_ip+0xf5/0x120
|
||||||
|
[ 23.106903] __dev_queue_xmit+0x789/0x1c00
|
||||||
|
[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10
|
||||||
|
[ 23.107381] ? find_held_lock+0x8e/0xb0
|
||||||
|
[ 23.107585] ? lock_release+0x204/0x400
|
||||||
|
[ 23.107798] ? neigh_resolve_output+0x185/0x350
|
||||||
|
[ 23.108049] ? mark_held_locks+0x48/0xa0
|
||||||
|
[ 23.108265] ? neigh_resolve_output+0x185/0x350
|
||||||
|
[ 23.108514] neigh_resolve_output+0x246/0x350
|
||||||
|
[ 23.108753] ? neigh_resolve_output+0x246/0x350
|
||||||
|
[ 23.109003] ip_finish_output2+0x3c3/0x10b0
|
||||||
|
[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10
|
||||||
|
[ 23.109510] ? __pfx_nf_hook+0x10/0x10
|
||||||
|
[ 23.109732] __ip_finish_output+0x217/0x390
|
||||||
|
[ 23.109978] ip_finish_output+0x2f/0x130
|
||||||
|
[ 23.110207] ip_output+0xc9/0x170
|
||||||
|
[ 23.110404] ip_push_pending_frames+0x1a0/0x240
|
||||||
|
[ 23.110652] raw_sendmsg+0x102e/0x19e0
|
||||||
|
[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10
|
||||||
|
[ 23.111093] ? lock_release+0x204/0x400
|
||||||
|
[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330
|
||||||
|
[ 23.111567] ? find_held_lock+0x8e/0xb0
|
||||||
|
[ 23.111777] ? find_held_lock+0x8e/0xb0
|
||||||
|
[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0
|
||||||
|
[ 23.112225] ? aa_sk_perm+0x18a/0x550
|
||||||
|
[ 23.112431] ? filemap_map_pages+0x4f1/0x900
|
||||||
|
[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10
|
||||||
|
[ 23.112880] ? find_held_lock+0x8e/0xb0
|
||||||
|
[ 23.113098] inet_sendmsg+0xa0/0xb0
|
||||||
|
[ 23.113297] ? inet_sendmsg+0xa0/0xb0
|
||||||
|
[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10
|
||||||
|
[ 23.113727] sock_sendmsg+0xf4/0x100
|
||||||
|
[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0
|
||||||
|
[ 23.114190] __sys_sendto+0x1d4/0x290
|
||||||
|
[ 23.114391] ? __pfx___sys_sendto+0x10/0x10
|
||||||
|
[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10
|
||||||
|
[ 23.114869] ? lock_release+0x204/0x400
|
||||||
|
[ 23.115076] ? find_held_lock+0x8e/0xb0
|
||||||
|
[ 23.115287] ? rcu_is_watching+0x23/0x60
|
||||||
|
[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860
|
||||||
|
[ 23.115778] ? __kasan_check_write+0x14/0x30
|
||||||
|
[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770
|
||||||
|
[ 23.116285] ? mark_held_locks+0x28/0xa0
|
||||||
|
[ 23.116503] ? do_syscall_64+0x37/0x90
|
||||||
|
[ 23.116713] __x64_sys_sendto+0x7f/0xb0
|
||||||
|
[ 23.116924] do_syscall_64+0x59/0x90
|
||||||
|
[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30
|
||||||
|
[ 23.117387] ? irqentry_exit+0x77/0xb0
|
||||||
|
[ 23.117593] ? exc_page_fault+0x92/0x140
|
||||||
|
[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
|
||||||
|
[ 23.118081] RIP: 0033:0x7f744aee2bba
|
||||||
|
[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
|
||||||
|
[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
|
||||||
|
[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba
|
||||||
|
[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003
|
||||||
|
[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010
|
||||||
|
[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
|
||||||
|
[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0
|
||||||
|
[ 23.121617] </TASK>
|
||||||
|
[ 23.121749]
|
||||||
|
[ 23.121845] The buggy address belongs to the virtual mapping at
|
||||||
|
[ 23.121845] [ffffc90000000000, ffffc90000009000) created by:
|
||||||
|
[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270
|
||||||
|
[ 23.122707]
|
||||||
|
[ 23.122803] The buggy address belongs to the physical page:
|
||||||
|
[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09
|
||||||
|
[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
|
||||||
|
[ 23.123998] page_type: 0xffffffff()
|
||||||
|
[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000
|
||||||
|
[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
|
||||||
|
[ 23.125023] page dumped because: kasan: bad access detected
|
||||||
|
[ 23.125326]
|
||||||
|
[ 23.125421] Memory state around the buggy address:
|
||||||
|
[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||||
|
[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00
|
||||||
|
[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
|
||||||
|
[ 23.126840] ^
|
||||||
|
[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
|
||||||
|
[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
|
||||||
|
[ 23.127906] ==================================================================
|
||||||
|
[ 23.128324] Disabling lock debugging due to kernel taint
|
||||||
|
|
||||||
|
Using simple s16 pointers for the 16-bit accesses fixes the problem. For
|
||||||
|
the 32-bit accesses, src and dst can be used directly.
|
||||||
|
|
||||||
|
Fixes: 96518518cc41 ("netfilter: add nftables")
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI
|
||||||
|
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
||||||
|
Reviewed-by: Florian Westphal <fw@strlen.de>
|
||||||
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd)
|
||||||
|
|
||||||
|
CVE: CVE-2023-35001
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
---
|
||||||
|
net/netfilter/nft_byteorder.c | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
|
||||||
|
index 6fc6f2f45b0a..a752c98e97fb 100644
|
||||||
|
--- a/net/netfilter/nft_byteorder.c
|
||||||
|
+++ b/net/netfilter/nft_byteorder.c
|
||||||
|
@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
|
||||||
|
const struct nft_byteorder *priv = nft_expr_priv(expr);
|
||||||
|
u32 *src = ®s->data[priv->sreg];
|
||||||
|
u32 *dst = ®s->data[priv->dreg];
|
||||||
|
- union { u32 u32; u16 u16; } *s, *d;
|
||||||
|
+ u16 *s16, *d16;
|
||||||
|
unsigned int i;
|
||||||
|
|
||||||
|
- s = (void *)src;
|
||||||
|
- d = (void *)dst;
|
||||||
|
+ s16 = (void *)src;
|
||||||
|
+ d16 = (void *)dst;
|
||||||
|
|
||||||
|
switch (priv->size) {
|
||||||
|
case 8: {
|
||||||
|
@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
|
||||||
|
switch (priv->op) {
|
||||||
|
case NFT_BYTEORDER_NTOH:
|
||||||
|
for (i = 0; i < priv->len / 4; i++)
|
||||||
|
- d[i].u32 = ntohl((__force __be32)s[i].u32);
|
||||||
|
+ dst[i] = ntohl((__force __be32)src[i]);
|
||||||
|
break;
|
||||||
|
case NFT_BYTEORDER_HTON:
|
||||||
|
for (i = 0; i < priv->len / 4; i++)
|
||||||
|
- d[i].u32 = (__force __u32)htonl(s[i].u32);
|
||||||
|
+ dst[i] = (__force __u32)htonl(src[i]);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
|
||||||
|
switch (priv->op) {
|
||||||
|
case NFT_BYTEORDER_NTOH:
|
||||||
|
for (i = 0; i < priv->len / 2; i++)
|
||||||
|
- d[i].u16 = ntohs((__force __be16)s[i].u16);
|
||||||
|
+ d16[i] = ntohs((__force __be16)s16[i]);
|
||||||
|
break;
|
||||||
|
case NFT_BYTEORDER_HTON:
|
||||||
|
for (i = 0; i < priv->len / 2; i++)
|
||||||
|
- d[i].u16 = (__force __u16)htons(s[i].u16);
|
||||||
|
+ d16[i] = (__force __u16)htons(s16[i]);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hangyu Hua <hbh25y@gmail.com>
|
||||||
|
Date: Wed, 31 May 2023 18:28:04 +0800
|
||||||
|
Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in
|
||||||
|
fl_set_geneve_opt()
|
||||||
|
|
||||||
|
If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
|
||||||
|
size is 252 bytes(key->enc_opts.len = 252) then
|
||||||
|
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
|
||||||
|
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
|
||||||
|
bypasses the next bounds check and results in an out-of-bounds.
|
||||||
|
|
||||||
|
Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
|
||||||
|
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
|
||||||
|
Reviewed-by: Simon Horman <simon.horman@corigine.com>
|
||||||
|
Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
|
||||||
|
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
|
||||||
|
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
||||||
|
(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c)
|
||||||
|
|
||||||
|
CVE: CVE-2023-35788
|
||||||
|
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
|
||||||
|
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||||
|
---
|
||||||
|
net/sched/cls_flower.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
|
||||||
|
index b81abfcd2a19..ca232483cfab 100644
|
||||||
|
--- a/net/sched/cls_flower.c
|
||||||
|
+++ b/net/sched/cls_flower.c
|
||||||
|
@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
|
||||||
|
if (option_len > sizeof(struct geneve_opt))
|
||||||
|
data_len = option_len - sizeof(struct geneve_opt);
|
||||||
|
|
||||||
|
+ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
|
||||||
|
+ return -ERANGE;
|
||||||
|
+
|
||||||
|
opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
|
||||||
|
memset(opt, 0xff, option_len);
|
||||||
|
opt->length = data_len / 4;
|
||||||
|
--
|
||||||
|
2.39.3
|
||||||
|
|
@ -0,0 +1,110 @@
|
|||||||
|
From a0bb51f2638e0810c347024679239fd10a8f7990 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||||
|
Date: Tue, 28 Apr 2020 11:38:22 +0200
|
||||||
|
Subject: [PATCH] x86/xen: Split HVM vector callback setup and interrupt gate
|
||||||
|
allocation
|
||||||
|
|
||||||
|
As a preparatory change for making alloc_intr_gate() __init split
|
||||||
|
xen_callback_vector() into callback vector setup via hypercall
|
||||||
|
(xen_setup_callback_vector()) and interrupt gate allocation
|
||||||
|
(xen_alloc_callback_vector()).
|
||||||
|
|
||||||
|
xen_setup_callback_vector() is being called twice: on init and upon
|
||||||
|
system resume from xen_hvm_post_suspend(). alloc_intr_gate() only
|
||||||
|
needs to be called once.
|
||||||
|
|
||||||
|
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
|
||||||
|
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
||||||
|
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||||
|
Link: https://lkml.kernel.org/r/20200428093824.1451532-2-vkuznets@redhat.com
|
||||||
|
---
|
||||||
|
arch/x86/xen/suspend_hvm.c | 2 +-
|
||||||
|
arch/x86/xen/xen-ops.h | 2 +-
|
||||||
|
drivers/xen/events/events_base.c | 28 +++++++++++++++++-----------
|
||||||
|
3 files changed, 19 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/xen/suspend_hvm.c b/arch/x86/xen/suspend_hvm.c
|
||||||
|
index e666b614cf6d..5152afe16876 100644
|
||||||
|
--- a/arch/x86/xen/suspend_hvm.c
|
||||||
|
+++ b/arch/x86/xen/suspend_hvm.c
|
||||||
|
@@ -13,6 +13,6 @@ void xen_hvm_post_suspend(int suspend_cancelled)
|
||||||
|
xen_hvm_init_shared_info();
|
||||||
|
xen_vcpu_restore();
|
||||||
|
}
|
||||||
|
- xen_callback_vector();
|
||||||
|
+ xen_setup_callback_vector();
|
||||||
|
xen_unplug_emulated_devices();
|
||||||
|
}
|
||||||
|
diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
|
||||||
|
index 45a441c33d6d..1cc1568bfe04 100644
|
||||||
|
--- a/arch/x86/xen/xen-ops.h
|
||||||
|
+++ b/arch/x86/xen/xen-ops.h
|
||||||
|
@@ -55,7 +55,7 @@ void xen_enable_sysenter(void);
|
||||||
|
void xen_enable_syscall(void);
|
||||||
|
void xen_vcpu_restore(void);
|
||||||
|
|
||||||
|
-void xen_callback_vector(void);
|
||||||
|
+void xen_setup_callback_vector(void);
|
||||||
|
void xen_hvm_init_shared_info(void);
|
||||||
|
void xen_unplug_emulated_devices(void);
|
||||||
|
|
||||||
|
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
|
||||||
|
index 3a791c8485d0..eb35c3cda9a6 100644
|
||||||
|
--- a/drivers/xen/events/events_base.c
|
||||||
|
+++ b/drivers/xen/events/events_base.c
|
||||||
|
@@ -1639,26 +1639,30 @@ EXPORT_SYMBOL_GPL(xen_set_callback_via);
|
||||||
|
/* Vector callbacks are better than PCI interrupts to receive event
|
||||||
|
* channel notifications because we can receive vector callbacks on any
|
||||||
|
* vcpu and we don't need PCI support or APIC interactions. */
|
||||||
|
-void xen_callback_vector(void)
|
||||||
|
+void xen_setup_callback_vector(void)
|
||||||
|
{
|
||||||
|
- int rc;
|
||||||
|
uint64_t callback_via;
|
||||||
|
|
||||||
|
if (xen_have_vector_callback) {
|
||||||
|
callback_via = HVM_CALLBACK_VECTOR(HYPERVISOR_CALLBACK_VECTOR);
|
||||||
|
- rc = xen_set_callback_via(callback_via);
|
||||||
|
- if (rc) {
|
||||||
|
+ if (xen_set_callback_via(callback_via)) {
|
||||||
|
pr_err("Request for Xen HVM callback vector failed\n");
|
||||||
|
xen_have_vector_callback = 0;
|
||||||
|
- return;
|
||||||
|
}
|
||||||
|
- pr_info("Xen HVM callback vector for event delivery is enabled\n");
|
||||||
|
- alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR,
|
||||||
|
- xen_hvm_callback_vector);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+static __init void xen_alloc_callback_vector(void)
|
||||||
|
+{
|
||||||
|
+ if (!xen_have_vector_callback)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ pr_info("Xen HVM callback vector for event delivery is enabled\n");
|
||||||
|
+ alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, xen_hvm_callback_vector);
|
||||||
|
+}
|
||||||
|
#else
|
||||||
|
-void xen_callback_vector(void) {}
|
||||||
|
+void xen_setup_callback_vector(void) {}
|
||||||
|
+static inline void xen_alloc_callback_vector(void) {}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#undef MODULE_PARAM_PREFIX
|
||||||
|
@@ -1692,8 +1696,10 @@ void __init xen_init_IRQ(void)
|
||||||
|
if (xen_initial_domain())
|
||||||
|
pci_xen_initial_domain();
|
||||||
|
}
|
||||||
|
- if (xen_feature(XENFEAT_hvm_callback_vector))
|
||||||
|
- xen_callback_vector();
|
||||||
|
+ if (xen_feature(XENFEAT_hvm_callback_vector)) {
|
||||||
|
+ xen_setup_callback_vector();
|
||||||
|
+ xen_alloc_callback_vector();
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (xen_hvm_domain()) {
|
||||||
|
native_init_IRQ();
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
@ -0,0 +1,30 @@
|
|||||||
|
From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Borislav Petkov (AMD)" <bp@alien8.de>
|
||||||
|
Date: Tue, 2 May 2023 19:53:50 +0200
|
||||||
|
Subject: [PATCH] x86/microcode/AMD: Load late on both threads too
|
||||||
|
|
||||||
|
Do the same as early loading - load on both threads.
|
||||||
|
|
||||||
|
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
|
||||||
|
Cc: <stable@kernel.org>
|
||||||
|
Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de
|
||||||
|
---
|
||||||
|
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
|
||||||
|
index f14f4ea0b537..87208e46f7ed 100644
|
||||||
|
--- a/arch/x86/kernel/cpu/microcode/amd.c
|
||||||
|
+++ b/arch/x86/kernel/cpu/microcode/amd.c
|
||||||
|
@@ -700,7 +700,7 @@ static enum ucode_state apply_microcode_amd(int cpu)
|
||||||
|
rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
|
||||||
|
|
||||||
|
/* need to apply patch? */
|
||||||
|
- if (rev >= mc_amd->hdr.patch_id) {
|
||||||
|
+ if (rev > mc_amd->hdr.patch_id) {
|
||||||
|
ret = UCODE_OK;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
46
SOURCES/almalinux.pem
Normal file
46
SOURCES/almalinux.pem
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIID3zCCAsegAwIBAgIQY4iebPtuT3OKR2M/jWZWEzANBgkqhkiG9w0BAQsFADBg
|
||||||
|
MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK
|
||||||
|
EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx
|
||||||
|
MB4XDTIxMDExNDIxMDcxOVoXDTM2MDExMTIxMDcxOVowaTElMCMGCSqGSIb3DQEJ
|
||||||
|
ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSww
|
||||||
|
KgYDVQQDEyNBbG1hTGludXggRHJpdmVyIHVwZGF0ZSBzaWduaW5nIGtleTCCASIw
|
||||||
|
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK7kGZShKo5uegg6T4U/wR9UeyCa
|
||||||
|
qTtx+OvzUMKT8l5+R5WfBgQU8sDrIqX3Vv3tD6UeOUyFIQ40iGESdDhWnAFynJX4
|
||||||
|
v0k81KxJ+rVFAt5EJBeGw7U2qdpn8hzJG2dVANZ1gXJWGhC95Muif5q8fL7BJdU4
|
||||||
|
RufixfKWq6WHAalwHaiTCbA+/Ft6TLyZcA62glKkmBn7uWn83tlMfVqC4EN2NfQb
|
||||||
|
//C2MFCbm43BoKmgrMV0J3Pu8un3QZ4ukDDhJJ9eHfSqscq9SHPjqd0RM6TRcFXW
|
||||||
|
BzmTpG7MOJRvk4ypQSHxxc4jK5MVOqzel+2UPB2ihkvvnK9hdsvvI/bal/sCAwEA
|
||||||
|
AaOBizCBiDAfBgNVHSMEGDAWgBSY0u339QWy5Y/vkiTSvJ6Ffy5GkzAVBglghkgB
|
||||||
|
hvhCAQEBAf8EBQMDAPABMB8GA1UdJQQYMBYGCCsGAQUFBwMDBgorBgEEAZIIEAEC
|
||||||
|
MA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUe4Y+AkDtIIq2uBuKbyhgwPTox9Yw
|
||||||
|
DQYJKoZIhvcNAQELBQADggEBAHoPojMTRdFO050Ihrmr8jkdOweiOSBtlAZkLGd2
|
||||||
|
lTybNp2Xi1lQ8SqsqU/NFs/KUPVFykmjmLeqNWC9QoKdrVGzoD9MOHprRxe6gC8k
|
||||||
|
sHzBCFqdx3B+qbeSxBUN2QLIydzM6C23qf1TjBCeEDtRrvcvupFTlOBxiOJrIwbp
|
||||||
|
dJD1JfjbgxfvLzg7PaJPi5Ev6B3gY4ybCnKQmor029Z3R4zw3miPpZVA04xt3Z9e
|
||||||
|
m45Jjv86u10wjLmGRgfMmYT43jiMbOwlG1N8OikvgIHwlZtWxUpL1t/mEYtMMkTv
|
||||||
|
R//lA5z5dqXiDCPdTwHhSjEfBFWGLl7ciYt6rYkpdlqnYdk=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIID2DCCAsCgAwIBAgIQHDEXJMuZQ/m5MXRiSmLMljANBgkqhkiG9w0BAQsFADBg
|
||||||
|
MSUwIwYJKoZIhvcNAQkBFhZzZWN1cml0eUBhbG1hbGludXgub3JnMRIwEAYDVQQK
|
||||||
|
EwlBbG1hTGludXgxIzAhBgNVBAMTGkFsbWFMaW51eCBTZWN1cmUgQm9vdCBDQSAx
|
||||||
|
MB4XDTIxMDExNDIxMDgwMFoXDTM2MDExMTIxMDgwMFowYjElMCMGCSqGSIb3DQEJ
|
||||||
|
ARYWc2VjdXJpdHlAYWxtYWxpbnV4Lm9yZzESMBAGA1UEChMJQWxtYUxpbnV4MSUw
|
||||||
|
IwYDVQQDExxBbG1hTGludXgga3BhdGNoIHNpZ25pbmcga2V5MIIBIjANBgkqhkiG
|
||||||
|
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxncKQ7a49o5IUwqPB1axIzopNdGoSoERVuUd
|
||||||
|
hdHAZLB2MGIuU2fGCuZ4iD2Pwk+t2KsgR1y58pmHyRBCLi2tYfEdDB8LUzUY3P+8
|
||||||
|
Wxm2+zz8TPJUIcvPE4rHEb0vV4nTzwjpG4BTBwLkYRj+AxGbzWEy5Eetxzq5Ji+V
|
||||||
|
TMuTzRKshHEGNs3tFRPbSssc50NH+OuVKpzJAIqBmz7Gca9RqhK9ARK1p3aDEoR+
|
||||||
|
pYw4zRjIczc3s57WeuQxRMvFK5j48U0hpEUh+eQn1m40Bus3e7i4YTskwgKN5Vq3
|
||||||
|
lGlEdBoK4utuoHPj3JYh97hOii/kulOa9j5xeNe5z/6QByMxpwIDAQABo4GLMIGI
|
||||||
|
MB8GA1UdIwQYMBaAFJjS7ff1BbLlj++SJNK8noV/LkaTMBUGCWCGSAGG+EIBAQEB
|
||||||
|
/wQFAwMA8AEwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBkggQAQIwDgYDVR0P
|
||||||
|
AQH/BAQDAgSwMB0GA1UdDgQWBBRpptnu0/Yg1cLhOh0hHEZRClrZ9TANBgkqhkiG
|
||||||
|
9w0BAQsFAAOCAQEAMDiuS0CD31MtO1Sn4HRYvai2LFdKpUKAEXVy9hsN+AfbcMcl
|
||||||
|
2sF/w49o43cMNIFoWKhMWZMOjCj/DGQY7ehNH3DRaTl7DNCu6y7mBNJPU+iPcE4r
|
||||||
|
92SBWIxUNi7YVbsc1evKBOnrtq6xd5BUJQx1cVGmSBI9dnd4tDBB2+KjpmdhzZK5
|
||||||
|
V1KQz1ilz5g2FNyEj6L7hnpkGUeMYnuM49YL7JP8QNtaKUBBA3BR4S7de+Tu070h
|
||||||
|
pEhvE539I6B+wmgV/bio20TUpQ5W2eH+5YUHVIZa5pZ30tVkm21iNB7eccbM4NYc
|
||||||
|
IRmwIsesuROtaM1e0lHoxKdW0N2xOSkhSY6oyQ==
|
||||||
|
-----END CERTIFICATE-----
|
BIN
SOURCES/almalinuxsecurebootca0.cer
Normal file
BIN
SOURCES/almalinuxsecurebootca0.cer
Normal file
Binary file not shown.
11
SOURCES/debrand-rh-i686-cpu.patch
Normal file
11
SOURCES/debrand-rh-i686-cpu.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
|
||||||
|
+++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
|
||||||
|
@@ -147,7 +147,7 @@ void main(void)
|
||||||
|
|
||||||
|
/* Make sure we have all the proper CPU support */
|
||||||
|
if (validate_cpu()) {
|
||||||
|
- puts("This processor is not supported in this version of RHEL.\n");
|
||||||
|
+ puts("This processor is not supported in this version of AlmaLinux.\n");
|
||||||
|
die();
|
||||||
|
}
|
||||||
|
|
81
SOURCES/debrand-rh_taint.patch
Normal file
81
SOURCES/debrand-rh_taint.patch
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
--- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500
|
||||||
|
+++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600
|
||||||
|
@@ -2,12 +2,12 @@
|
||||||
|
#include <linux/module.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * The following functions are used by Red Hat to indicate to users that
|
||||||
|
- * hardware and drivers are unsupported, or have limited support in RHEL major
|
||||||
|
+ * The following functions are used by AlmaLinux to indicate to users that
|
||||||
|
+ * hardware and drivers are unsupported, or have limited support in AlmaLinux major
|
||||||
|
* and minor releases. These functions output loud warning messages to the end
|
||||||
|
* user and should be USED WITH CAUTION.
|
||||||
|
*
|
||||||
|
- * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
|
||||||
|
+ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes,
|
||||||
|
* and have approval of management.
|
||||||
|
*/
|
||||||
|
|
||||||
|
@@ -16,15 +16,15 @@
|
||||||
|
* @msg: Hardware name, class, or type
|
||||||
|
*
|
||||||
|
* Called to mark a device, class of devices, or types of devices as not having
|
||||||
|
- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat
|
||||||
|
- * will not fix bugs against this hardware in this minor release. Red Hat may
|
||||||
|
+ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux
|
||||||
|
+ * will not fix bugs against this hardware in this minor release. AlmaLinux may
|
||||||
|
* declare support in a future major or minor update release. This cannot be
|
||||||
|
* used to mark drivers unsupported.
|
||||||
|
*/
|
||||||
|
void mark_hardware_unsupported(const char *msg)
|
||||||
|
{
|
||||||
|
/* Print one single message */
|
||||||
|
- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg);
|
||||||
|
+ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg);
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL(mark_hardware_unsupported);
|
||||||
|
|
||||||
|
@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported)
|
||||||
|
* Called to minimize the support status of a previously supported device in
|
||||||
|
* a minor release. This does not TAINT the kernel. Marking hardware
|
||||||
|
* deprecated is usually done in conjunction with the hardware vendor. Future
|
||||||
|
- * RHEL major releases may not include this driver. Driver updates and fixes
|
||||||
|
+ * AlmaLinux major releases may not include this driver. Driver updates and fixes
|
||||||
|
* for this device will be limited to critical issues in future minor releases.
|
||||||
|
*/
|
||||||
|
void mark_hardware_deprecated(const char *msg)
|
||||||
|
{
|
||||||
|
- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg);
|
||||||
|
+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg);
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL(mark_hardware_deprecated);
|
||||||
|
|
||||||
|
@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated);
|
||||||
|
*
|
||||||
|
* Called to minimize the support status of a new driver. This does TAINT the
|
||||||
|
* kernel. Calling this function indicates that the driver or subsystem has
|
||||||
|
- * had limited testing and is not marked for full support within this RHEL
|
||||||
|
- * minor release. The next RHEL minor release may contain full support for
|
||||||
|
- * this driver. Red Hat does not guarantee that bugs reported against this
|
||||||
|
+ * had limited testing and is not marked for full support within this AlmaLinux
|
||||||
|
+ * minor release. The next AlmaLinux minor release may contain full support for
|
||||||
|
+ * this driver. AlmaLinux does not guarantee that bugs reported against this
|
||||||
|
* driver or subsystem will be resolved.
|
||||||
|
*/
|
||||||
|
void mark_tech_preview(const char *msg, struct module *mod)
|
||||||
|
@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview);
|
||||||
|
* mark_driver_unsupported - drivers that we know we don't want to support
|
||||||
|
* @name: the name of the driver
|
||||||
|
*
|
||||||
|
- * In some cases Red Hat has chosen to build a driver for internal QE
|
||||||
|
+ * In some cases AlmaLinux has chosen to build a driver for internal QE
|
||||||
|
* use. Use this function to mark those drivers as unsupported for
|
||||||
|
* customers.
|
||||||
|
*/
|
||||||
|
void mark_driver_unsupported(const char *name)
|
||||||
|
{
|
||||||
|
- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n",
|
||||||
|
+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n",
|
||||||
|
name ? name : "kernel");
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL(mark_driver_unsupported);
|
11
SOURCES/debrand-single-cpu.patch
Normal file
11
SOURCES/debrand-single-cpu.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700
|
||||||
|
+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700
|
||||||
|
@@ -900,7 +900,7 @@ static void rh_check_supported(void)
|
||||||
|
if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
|
||||||
|
!guest && is_kdump_kernel()) {
|
||||||
|
pr_crit("Detected single cpu native boot.\n");
|
||||||
|
- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
|
||||||
|
+ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information");
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
@ -2919,7 +2919,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2982,7 +2982,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2593,7 +2593,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2653,7 +2653,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2714,7 +2714,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2925,7 +2925,7 @@ CONFIG_CRYPTO_ECHAINIV=y
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=y
|
CONFIG_CRYPTO_FCRYPT=y
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2776,7 +2776,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2654,7 +2654,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
@ -2716,7 +2716,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
CONFIG_CRYPTO_ESSIV=y
|
CONFIG_CRYPTO_ESSIV=y
|
||||||
CONFIG_CRYPTO_FCRYPT=m
|
CONFIG_CRYPTO_FCRYPT=m
|
||||||
CONFIG_CRYPTO_FIPS=y
|
CONFIG_CRYPTO_FIPS=y
|
||||||
CONFIG_CRYPTO_FIPS_NAME="Red Hat Enterprise Linux 8 - Kernel Cryptographic API"
|
CONFIG_CRYPTO_FIPS_NAME="AlmaLinux 8 - Kernel Cryptographic API"
|
||||||
CONFIG_CRYPTO_GCM=y
|
CONFIG_CRYPTO_GCM=y
|
||||||
CONFIG_CRYPTO_GF128MUL=y
|
CONFIG_CRYPTO_GF128MUL=y
|
||||||
CONFIG_CRYPTO_GHASH=y
|
CONFIG_CRYPTO_GHASH=y
|
||||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -5,9 +5,9 @@ prompt = no
|
|||||||
x509_extensions = myexts
|
x509_extensions = myexts
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
[ req_distinguished_name ]
|
||||||
O = Red Hat
|
O = AlmaLinux
|
||||||
CN = Red Hat Enterprise Linux kernel signing key
|
CN = AlmaLinux kernel signing key
|
||||||
emailAddress = secalert@redhat.com
|
emailAddress = security@almalinux.org
|
||||||
|
|
||||||
[ myexts ]
|
[ myexts ]
|
||||||
basicConstraints=critical,CA:FALSE
|
basicConstraints=critical,CA:FALSE
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
%global distro_build 477
|
%global distro_build 477
|
||||||
|
|
||||||
# Sign the x86_64 kernel for secure boot authentication
|
# Sign the x86_64 kernel for secure boot authentication
|
||||||
%ifarch x86_64 aarch64 s390x ppc64le
|
%ifarch x86_64 aarch64
|
||||||
%global signkernel 1
|
%global signkernel 1
|
||||||
%else
|
%else
|
||||||
%global signkernel 0
|
%global signkernel 0
|
||||||
@ -38,10 +38,11 @@
|
|||||||
# define buildid .local
|
# define buildid .local
|
||||||
|
|
||||||
%define rpmversion 4.18.0
|
%define rpmversion 4.18.0
|
||||||
%define pkgrelease 477.13.1.el8_8
|
%define pkgrelease 477.27.1.el8_8
|
||||||
|
%define tarfile_release 477.13.1.el8_8
|
||||||
|
|
||||||
# allow pkg_release to have configurable %%{?dist} tag
|
# allow pkg_release to have configurable %%{?dist} tag
|
||||||
%define specrelease 477.13.1%{?dist}
|
%define specrelease 477.27.1%{?dist}
|
||||||
|
|
||||||
%define pkg_release %{specrelease}%{?buildid}
|
%define pkg_release %{specrelease}%{?buildid}
|
||||||
|
|
||||||
@ -218,14 +219,14 @@
|
|||||||
%define with_bpftool 1
|
%define with_bpftool 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%ifnarch noarch
|
%ifnarch x86_64
|
||||||
%define with_kernel_abi_stablelists 0
|
%define with_kernel_abi_stablelists 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Overrides for generic default options
|
# Overrides for generic default options
|
||||||
|
|
||||||
# only package docs noarch
|
# only package docs noarch
|
||||||
%ifnarch noarch
|
%ifnarch x86_64
|
||||||
%define with_doc 0
|
%define with_doc 0
|
||||||
%define doc_build_fail true
|
%define doc_build_fail true
|
||||||
%endif
|
%endif
|
||||||
@ -435,7 +436,7 @@ BuildRequires: xmlto
|
|||||||
BuildRequires: asciidoc
|
BuildRequires: asciidoc
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
|
Source0: linux-%{rpmversion}-%{tarfile_release}.tar.xz
|
||||||
|
|
||||||
Source9: x509.genkey
|
Source9: x509.genkey
|
||||||
|
|
||||||
@ -447,34 +448,11 @@ Source9: x509.genkey
|
|||||||
%define signing_key_filename kernel-signing-s390.cer
|
%define signing_key_filename kernel-signing-s390.cer
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Source10: redhatsecurebootca3.cer
|
Source11: almalinuxsecurebootca0.cer
|
||||||
Source11: redhatsecurebootca5.cer
|
|
||||||
Source12: redhatsecureboot301.cer
|
|
||||||
Source13: redhatsecureboot501.cer
|
|
||||||
Source14: secureboot_s390.cer
|
|
||||||
Source15: secureboot_ppc.cer
|
|
||||||
Source16: redhatsecurebootca7.cer
|
|
||||||
|
|
||||||
%define secureboot_ca_0 %{SOURCE10}
|
%define secureboot_ca_0 %{SOURCE11}
|
||||||
%define secureboot_ca_1 %{SOURCE11}
|
%define secureboot_key_0 %{SOURCE11}
|
||||||
%define secureboot_ca_2 %{SOURCE16}
|
%define pesign_name_0 almalinuxsecurebootca0
|
||||||
|
|
||||||
%ifarch x86_64 aarch64
|
|
||||||
%define secureboot_key_0 %{SOURCE12}
|
|
||||||
%define pesign_name_0 redhatsecureboot301
|
|
||||||
%define secureboot_key_1 %{SOURCE13}
|
|
||||||
%define pesign_name_1 redhatsecureboot501
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%ifarch s390x
|
|
||||||
%define secureboot_key_0 %{SOURCE14}
|
|
||||||
%define pesign_name_0 redhatsecureboot302
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%ifarch ppc64le
|
|
||||||
%define secureboot_key_0 %{SOURCE15}
|
|
||||||
%define pesign_name_0 redhatsecureboot701
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Source17: mod-blacklist.sh
|
Source17: mod-blacklist.sh
|
||||||
Source18: mod-sign.sh
|
Source18: mod-sign.sh
|
||||||
@ -503,8 +481,8 @@ Source43: generate_bls_conf.sh
|
|||||||
|
|
||||||
Source44: mod-internal.list
|
Source44: mod-internal.list
|
||||||
|
|
||||||
Source100: rheldup3.x509
|
# Source100: rheldup3.x509
|
||||||
Source101: rhelkpatch1.x509
|
# Source101: rhelkpatch1.x509
|
||||||
|
|
||||||
%if %{with_kabichk}
|
%if %{with_kabichk}
|
||||||
Source200: check-kabi
|
Source200: check-kabi
|
||||||
@ -532,23 +510,47 @@ Source2000: cpupower.service
|
|||||||
Source2001: cpupower.config
|
Source2001: cpupower.config
|
||||||
Source2002: kvm_stat.logrotate
|
Source2002: kvm_stat.logrotate
|
||||||
|
|
||||||
|
|
||||||
|
Source9000: almalinux.pem
|
||||||
# CI gating config
|
# CI gating config
|
||||||
Source4000: gating.yaml
|
Source4000: gating.yaml
|
||||||
# rpminspect config
|
# rpminspect config
|
||||||
Source4001: rpminspect.yaml
|
Source4001: rpminspect.yaml
|
||||||
|
|
||||||
|
|
||||||
## Patches needed for building this package
|
## Patches needed for building this package
|
||||||
|
|
||||||
# empty final patch to facilitate testing of kernel patches
|
# empty final patch to facilitate testing of kernel patches
|
||||||
Patch999999: linux-kernel-test.patch
|
Patch999999: linux-kernel-test.patch
|
||||||
|
|
||||||
|
Patch0001: debrand-single-cpu.patch
|
||||||
|
# Patch0002: debrand-rh_taint.patch
|
||||||
|
Patch0003: debrand-rh-i686-cpu.patch
|
||||||
|
Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
|
||||||
|
Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
|
||||||
|
Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
|
||||||
|
Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
|
||||||
|
Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch
|
||||||
|
Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
|
||||||
|
Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
|
||||||
|
Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
|
||||||
|
Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
|
||||||
|
Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
|
||||||
|
Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
|
||||||
|
Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
|
||||||
|
Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
|
||||||
|
Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
|
||||||
|
|
||||||
|
Patch9001: 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
|
||||||
|
Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
|
BuildRoot: %{_tmppath}/%{name}-%{KVERREL}-root
|
||||||
|
|
||||||
%description
|
%description
|
||||||
This is the package which provides the Linux %{name} for Red Hat Enterprise
|
This is the package which provides the Linux %{name} for AlmaLinux.
|
||||||
Linux. It is based on upstream Linux at version %{version} and maintains kABI
|
It is based on upstream Linux at version %{version} and maintains kABI
|
||||||
compatibility of a set of approved symbols, however it is heavily modified with
|
compatibility of a set of approved symbols, however it is heavily modified with
|
||||||
backports and fixes pulled from newer upstream Linux %{name} releases. This means
|
backports and fixes pulled from newer upstream Linux %{name} releases. This means
|
||||||
this is not a %{version} kernel anymore: it includes several components which come
|
this is not a %{version} kernel anymore: it includes several components which come
|
||||||
@ -556,7 +558,7 @@ from newer upstream linux versions, while maintaining a well tested and stable
|
|||||||
core. Some of the components/backports that may be pulled in are: changes like
|
core. Some of the components/backports that may be pulled in are: changes like
|
||||||
updates to the core kernel (eg.: scheduler, cgroups, memory management, security
|
updates to the core kernel (eg.: scheduler, cgroups, memory management, security
|
||||||
fixes and features), updates to block layer, supported filesystems, major driver
|
fixes and features), updates to block layer, supported filesystems, major driver
|
||||||
updates for supported hardware in Red Hat Enterprise Linux, enhancements for
|
updates for supported hardware in AlmaLinux, enhancements for
|
||||||
enterprise customers, etc.
|
enterprise customers, etc.
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -591,6 +593,7 @@ AutoProv: yes\
|
|||||||
%package doc
|
%package doc
|
||||||
Summary: Various documentation bits found in the kernel source
|
Summary: Various documentation bits found in the kernel source
|
||||||
Group: Documentation
|
Group: Documentation
|
||||||
|
BuildArch: noarch
|
||||||
%description doc
|
%description doc
|
||||||
This package contains documentation files from the kernel
|
This package contains documentation files from the kernel
|
||||||
source. Various bits of information about the Linux kernel and the
|
source. Various bits of information about the Linux kernel and the
|
||||||
@ -800,14 +803,15 @@ kernel-gcov includes the gcov graph and source files for gcov coverage collectio
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package -n %{name}-abi-stablelists
|
%package -n %{name}-abi-stablelists
|
||||||
Summary: The Red Hat Enterprise Linux kernel ABI symbol stablelists
|
Summary: The AlmaLinux kernel ABI symbol stablelists
|
||||||
Group: System Environment/Kernel
|
Group: System Environment/Kernel
|
||||||
AutoReqProv: no
|
AutoReqProv: no
|
||||||
|
BuildArch: noarch
|
||||||
Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release}
|
Obsoletes: %{name}-abi-whitelists < %{rpmversion}-%{pkg_release}
|
||||||
Provides: %{name}-abi-whitelists
|
Provides: %{name}-abi-whitelists
|
||||||
%description -n %{name}-abi-stablelists
|
%description -n %{name}-abi-stablelists
|
||||||
The kABI package contains information pertaining to the Red Hat Enterprise
|
The kABI package contains information pertaining to the AlmaLinux
|
||||||
Linux kernel ABI, including lists of kernel symbols that are needed by
|
kernel ABI, including lists of kernel symbols that are needed by
|
||||||
external Linux kernel modules, and a yum plugin to aid enforcement.
|
external Linux kernel modules, and a yum plugin to aid enforcement.
|
||||||
|
|
||||||
%if %{with_kabidw_base}
|
%if %{with_kabidw_base}
|
||||||
@ -816,8 +820,8 @@ Summary: The baseline dataset for kABI verification using DWARF data
|
|||||||
Group: System Environment/Kernel
|
Group: System Environment/Kernel
|
||||||
AutoReqProv: no
|
AutoReqProv: no
|
||||||
%description kernel-kabidw-base-internal
|
%description kernel-kabidw-base-internal
|
||||||
The package contains data describing the current ABI of the Red Hat Enterprise
|
The package contains data describing the current ABI of the AlmaLinux
|
||||||
Linux kernel, suitable for the kabi-dw tool.
|
kernel, suitable for the kabi-dw tool.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -891,7 +895,7 @@ Requires: %{name}%{?1:-%{1}}-modules-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
|
|||||||
AutoReq: no\
|
AutoReq: no\
|
||||||
AutoProv: yes\
|
AutoProv: yes\
|
||||||
%description %{?1:%{1}-}modules-internal\
|
%description %{?1:%{1}-}modules-internal\
|
||||||
This package provides kernel modules for the %{?2:%{2} }kernel package for Red Hat internal usage.\
|
This package provides kernel modules for the %{?2:%{2} }kernel package for AlmaLinux internal usage.\
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -982,6 +986,11 @@ Summary: %{variant_summary}\
|
|||||||
Group: System Environment/Kernel\
|
Group: System Environment/Kernel\
|
||||||
Provides: %{name}-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
|
Provides: %{name}-%{?1:%{1}-}core-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
|
||||||
Provides: installonlypkg(kernel)\
|
Provides: installonlypkg(kernel)\
|
||||||
|
%if "%{?1}" == ""\
|
||||||
|
Provides: almalinux(kernel-sig-key) = 202303\
|
||||||
|
Conflicts: shim-ia32 <= 15.6-1.el8.alma\
|
||||||
|
Conflicts: shim-x64 <= 15.6-1.el8.alma\
|
||||||
|
%endif\
|
||||||
%{expand:%%kernel_reqprovconf}\
|
%{expand:%%kernel_reqprovconf}\
|
||||||
%if %{?1:1} %{!?1:0} \
|
%if %{?1:1} %{!?1:0} \
|
||||||
%{expand:%%kernel_meta_package %{?1:%{1}}}\
|
%{expand:%%kernel_meta_package %{?1:%{1}}}\
|
||||||
@ -1088,11 +1097,33 @@ ApplyOptionalPatch()
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c
|
%setup -q -n %{name}-%{rpmversion}-%{tarfile_release} -c
|
||||||
mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL}
|
cp -v %{SOURCE9000} linux-%{rpmversion}-%{tarfile_release}/certs/rhel.pem
|
||||||
|
mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL}
|
||||||
|
|
||||||
cd linux-%{KVERREL}
|
cd linux-%{KVERREL}
|
||||||
|
|
||||||
|
ApplyPatch debrand-single-cpu.patch
|
||||||
|
# ApplyPatch debrand-rh_taint.patch
|
||||||
|
ApplyPatch debrand-rh-i686-cpu.patch
|
||||||
|
ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
|
||||||
|
ApplyPatch 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
|
||||||
|
ApplyPatch 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
|
||||||
|
ApplyPatch 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
|
||||||
|
ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch
|
||||||
|
ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
|
||||||
|
ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
|
||||||
|
ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
|
||||||
|
ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
|
||||||
|
ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
|
||||||
|
ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
|
||||||
|
ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
|
||||||
|
ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
|
||||||
|
ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
|
||||||
|
|
||||||
|
ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
|
||||||
|
ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
|
||||||
|
|
||||||
ApplyOptionalPatch linux-kernel-test.patch
|
ApplyOptionalPatch linux-kernel-test.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
@ -1162,11 +1193,11 @@ done
|
|||||||
|
|
||||||
# Add DUP and kpatch certificates to system trusted keys for RHEL
|
# Add DUP and kpatch certificates to system trusted keys for RHEL
|
||||||
%if %{signkernel}%{signmodules}
|
%if %{signkernel}%{signmodules}
|
||||||
openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
|
# openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
|
||||||
openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
|
# openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
|
||||||
cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
|
# cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
|
||||||
%ifarch ppc64le
|
%ifarch ppc64le
|
||||||
openssl x509 -inform der -in %{secureboot_ca_2} -out secureboot.pem
|
openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
|
||||||
cat secureboot.pem >> ../certs/rhel.pem
|
cat secureboot.pem >> ../certs/rhel.pem
|
||||||
%endif
|
%endif
|
||||||
for i in *.config; do
|
for i in *.config; do
|
||||||
@ -1317,9 +1348,7 @@ BuildKernel() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
%ifarch x86_64 aarch64
|
%ifarch x86_64 aarch64
|
||||||
%pesign -s -i $SignImage -o vmlinuz.tmp -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
|
||||||
%pesign -s -i vmlinuz.tmp -o vmlinuz.signed -a %{secureboot_ca_1} -c %{secureboot_key_1} -n %{pesign_name_1}
|
|
||||||
rm vmlinuz.tmp
|
|
||||||
%endif
|
%endif
|
||||||
%ifarch s390x ppc64le
|
%ifarch s390x ppc64le
|
||||||
if [ -x /usr/bin/rpm-sign ]; then
|
if [ -x /usr/bin/rpm-sign ]; then
|
||||||
@ -1746,12 +1775,11 @@ BuildKernel() {
|
|||||||
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
# Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
|
||||||
%ifarch x86_64 aarch64
|
%ifarch x86_64 aarch64
|
||||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20200609.cer
|
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20210114.cer
|
||||||
install -m 0644 %{secureboot_ca_1} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca-20140212.cer
|
ln -s kernel-signing-ca-20210114.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||||
ln -s kernel-signing-ca-20200609.cer $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
|
||||||
%else
|
%else
|
||||||
%ifarch ppc64le
|
%ifarch ppc64le
|
||||||
install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||||
%else
|
%else
|
||||||
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
|
||||||
%endif
|
%endif
|
||||||
@ -2699,6 +2727,32 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.27.1.el8_8]
|
||||||
|
- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002}
|
||||||
|
- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090}
|
||||||
|
- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776}
|
||||||
|
- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004}
|
||||||
|
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001}
|
||||||
|
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788}
|
||||||
|
|
||||||
|
* Fri Sep 08 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.21.3.el8_8]
|
||||||
|
- x86/microcode/AMD: Load late on both threads too
|
||||||
|
|
||||||
|
* Mon Aug 28 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.21.2.el8_8]
|
||||||
|
- x86/xen: Split HVM vector callback setup and interrupt gate allocation
|
||||||
|
|
||||||
|
* Tue Aug 8 2023 Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com> [4.18.0-477.21.1.el8_8]
|
||||||
|
- Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (Tamás Koczka) {CVE-2022-42896}
|
||||||
|
- net/sched: tcindex: update imperfect hash filters respecting rcu (Jamal Hadi Salim) {CVE-2023-1281}
|
||||||
|
- net/sched: tcindex: search key must be 16 bits (Jamal Hadi Salim) {CVE-2023-1281}
|
||||||
|
- net/sched: Retire tcindex classifier (Jamal Hadi Salim) {CVE-2023-1829}
|
||||||
|
- xfs: verify buffer contents when we skip log replay (Darrick J. Wong) {CVE-2023-2124}
|
||||||
|
- i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() (Wei Chen) {CVE-2023-2194}
|
||||||
|
- perf: Fix check before add_event_to_groups() in perf_group_detach() (Budimir Markovic) {CVE-2023-2235}
|
||||||
|
|
||||||
|
* Mon Jul 24 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.15.1.el8_8]
|
||||||
|
- net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466}
|
||||||
|
|
||||||
* Thu May 18 2023 Lucas Zampieri <lzampier@redhat.com> [4.18.0-477.13.1.el8_8]
|
* Thu May 18 2023 Lucas Zampieri <lzampier@redhat.com> [4.18.0-477.13.1.el8_8]
|
||||||
- netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196147 2196146] {CVE-2023-32233}
|
- netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196147 2196146] {CVE-2023-32233}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user