- Mar 06, 2025
-
Augusto Caringi authored
Signed-off-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6397 JIRA: https://issues.redhat.com/browse/RHEL-68997 There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including: * Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997 * Host SVE state is discarded *after* modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state. * The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory. Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches. Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit: 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving") ... and so this eager save+flush probably needs to be backported to ALL stable trees. Signed-off-by:
Eric Auger <eric.auger@redhat.com> Approved-by:
Cornelia Huck <cohuck@redhat.com> Approved-by:
Gavin Shan <gshan@redhat.com> Approved-by:
Sebastian Ott <sebott@redhat.com> Approved-by:
Donald Dutile <ddutile@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6396 ``` JIRA: https://issues.redhat.com/browse/RHEL-67693 Omitted-fix: 0e0b45ab5d77 Omitted-fix: 40aeea504447 Omitted-fix: 91ff97a72259 Omitted-fix: 10435e0d2377 Omitted-fix: 90f1b42b1794 This series updates RHEL9's PCI subsystem with content from upstream v6.12 - Merge tag 'pci-v6.12-fixes-2' of git://git.kernel.org/pub/../git/pci/pci https://lkml.org/lkml/2024/11/1/1420 commit 05b92660cdfe53a49425467fa64b5ac4451a7f9e Merge: 269ce3bd62e8 f3c3ccc4fe49 Merge tag 'pci-v6.12-fixes-1' of git://git.kernel.org/pub/../git/pci/pci https://lkml.org/lkml/2024/10/25/1448 commit 48005a5a74d83cac0bf6cab03342c3ae7ef975ef Merge: 86d6688e6099 ad783b9f8e78 Merge tag 'pci-v6.12-changes' of git://git.kernel.org/pub/../git/pci/pci https://lkml.org/lkml/2024/9/19/779 commit 3a37872316c2e3288e09a1322221c83e5929768d Merge: 18ba6034468e 81e53c0da8f8 111 files changed, 3369 insertions(+), 1339 deletions(-) All patches within the series back-ported cleanly. However, there was one patch that had a false conflict - 10/115 - due to RHEL having back-ported patches from upstream out of order from what occurred upstream, which is noted in its commit message. Signed-off-by:
Myron Stowe <mstowe@redhat.com> ``` Approved-by:
John W. Linville <linville@redhat.com> Approved-by:
Lenny Szubowicz <lszubowi@redhat.com> Approved-by:
Mark Langsdorf <mlangsdo@redhat.com> Approved-by:
David Airlie <airlied@redhat.com> Approved-by:
Eric Chanudet <echanude@redhat.com> Approved-by:
Robert Foss <rfoss@kernel.org> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6394 JIRA: https://issues.redhat.com/browse/RHEL-75923 Omitted-fix: e120829dbf927c8b93cd5e06acfec0332cc82e02 (can be backported via perf) The following upstream commit was excluded from the backport as it is not currently compatible with RHEL: b4b1ddc9dfe9 cpufreq: Make cpufreq_driver->exit() return void Signed-off-by:
David Arcari <darcari@redhat.com> Approved-by:
Mark Langsdorf <mlangsdo@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6386 JIRA: https://issues.redhat.com/browse/RHEL-79669 JIRA: https://issues.redhat.com/browse/RHEL-74191 Note: as a result of this MR several of the intel platform drivers were renamed as "intel_" was replaced with "intel-". The new module names are intel-ishtp_eclite.ko, intel-oaktrail.ko, intel-sdsi.ko, intel-vsec.ko, intel-vsec_tpmi.ko. The following upstream commit was excluded from the backport due to difficulty mainly to do with scope: cdd30ebb1b9f module: Convert symbol namespace to string literal Signed-off-by:
David Arcari <darcari@redhat.com> Approved-by:
Herton R. Krzesinski <herton@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Eder Zulian <ezulian@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6384 JIRA: https://issues.redhat.com/browse/RHEL-79553 The following upstream commits were excluded from the backport as they are difficult to backport to RHEL mainly due to scope: cdd30ebb1b9f module: Convert symbol namespace to string literal 7ff2fecc8bc2 platform/x86/intel/pmt: Constify 'struct bin_attribute' e5d3a57891ba x86/cpu: Make all all CPUID leaf names consistent 3ea5eb68b9d6 platform/x86: Switch back to struct platform_driver::remove() Signed-off-by:
David Arcari <darcari@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6383 JIRA: https://issues.redhat.com/browse/RHEL-21061 This series re-syncs the cs-9 netfilter selftests with upstream. Main reason is that we miss multiple test cases and those that we have are not very reliable due to either expecting particular versions of netcat or certain distro-provided sysctl defaults (rp_filter for instance). After this change, netfilter selftests reside in same location in upstream, cs-9 and cs-10. Known delta to upstream: - No xt_string.sh test, needs kernel changes we don't have - No conntrack_dump_flush test case, needs feature we don't have - No conntrack_reverse_clash test case, needs changes we don't have - No packetdrill tests - No sctp and udp conntrack race tests in nft_queue.sh, needs functional changes we don't have - nf_conntrack_helper.sh is unchanged, cs-9 still has the "autoassign helper" sysctl. Also means the test still fails on upstream kernels. While the number of backported commits is huge, there are no functional kernel changes here. Changes are only in netfilter selftests and the spec file to adjust for the changed test dir location. Also, easy to validate/diff the scripts vs. upstream/cs-10. Signed-off-by:
Florian Westphal <fwestpha@redhat.com> Approved-by:
Jan Stancek <jstancek@redhat.com> Approved-by:
Eder Zulian <ezulian@redhat.com> Approved-by:
Hangbin Liu <haliu@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5356 JIRA: https://issues.redhat.com/browse/RHEL-61357 Omitted-fix: 423de5b5bc5b ("thermal/of: Fix cdev lookup in thermal_of_should_bind()") - this just landed upstream and will be addressed in the future. Signed-off-by:
David Arcari <darcari@redhat.com> Approved-by:
Eric Chanudet <echanude@redhat.com> Approved-by:
José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by:
Mark Langsdorf <mlangsdo@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5996 x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client JIRA: https://issues.redhat.com/browse/RHEL-67470 CVE: CVE-2024-53114 Upstream: Merged commit a5ca1dc46a6b610dd4627d8b633d6c84f9724ef0 Author: Mario Limonciello <mario.limonciello@amd.com> Date: Tue Nov 5 10:02:34 2024 -0600 x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client A number of Zen4 client SoCs advertise the ability to use virtualized VMLOAD/VMSAVE, but using these instructions is reported to be a cause of a random host reboot. These instructions aren't intended to be advertised on Zen4 client so clear the capability. Signed-off-by:
Mario Limonciello <mario.limonciello@amd.com> Signed-off-by:
Borislav Petkov (AMD) <bp@alien8.de> Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=219009 Signed-off-by:
Jon Maloy <jmaloy@redhat.com> Approved-by:
Waiman Long <longman@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Vitaly Kuznetsov <vkuznets@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Approved-by:
David Arcari <darcari@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6504 Description: Fix refcount leak in powerpc xics JIRA: https://issues.redhat.com/browse/RHEL-80861 CVE: CVE-2022-49432 Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66857305 Tested: Verified Brew build test kernel RPMs Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> commit 5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9 Author: Lv Ruyi <lv.ruyi@zte.com.cn> Date: Sat Apr 2 01:34:19 2022 +0000 powerpc/xics: fix refcount leak in icp_opal_init() The of_find_compatible_node() function returns a node pointer with refcount incremented, use of_node_put() on it when done. Reported-by:
Zeal Robot <zealci@zte.com.cn> Signed-off-by:
Lv Ruyi <lv.ruyi@zte.com.cn> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220402013419.2410298-1-lv.ruyi@zte.com.cn Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6503 Description: Updates for powerpc papr scm JIRA: https://issues.redhat.com/browse/RHEL-81000 CVE: CVE-2022-49353 Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66856536 Tested: Verified Brew build test kernel RPMs Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6497 Description: Updates for powerpc XIVE JIRA: https://issues.redhat.com/browse/RHEL-80849 CVE: CVE-2022-49437 Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66839686 Tested: Verified Brew build test kernel RPMs Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6358 JIRA: https://issues.redhat.com/browse/RHEL-75869 CVE: CVE-2024-56672 JIRA: https://issues.redhat.com/browse/RHEL-77216 CVE: CVE-2025-21671 JIRA: https://issues.redhat.com/browse/RHEL-77310 CVE: CVE-2025-21631 JIRA: https://issues.redhat.com/browse/RHEL-75854 CVE: CVE-2024-53170 Signed-off-by:
Ming Lei <ming.lei@redhat.com> Approved-by:
Jeff Moyer <jmoyer@redhat.com> Approved-by:
Maurizio Lombardi <mlombard@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6350 JIRA: https://issues.redhat.com/browse/RHEL-75544 ``` bonding: Correctly support GSO ESP offload The referenced fix is incomplete. It correctly computes bond_dev->gso_partial_features across slaves, but unfortunately netdev_fix_features discards gso_partial_features from the feature set if NETIF_F_GSO_PARTIAL isn't set in bond_dev->features. This is visible with ethtool -k bond0 | grep esp: tx-esp-segmentation: off [requested on] esp-hw-offload: on esp-tx-csum-hw-offload: on This patch reworks the bonding GSO offload support by: - making aggregating gso_partial_features across slaves similar to the other feature sets (this part is a no-op). - advertising the default partial gso features on empty bond devs, same as with other feature sets (also a no-op). - adding NETIF_F_GSO_PARTIAL to hw_enc_features filtered across slaves. - adding NETIF_F_GSO_PARTIAL to features in bond_setup() With all of these, 'ethtool -k bond0 | grep esp' now reports: tx-esp-segmentation: on esp-hw-offload: on esp-tx-csum-hw-offload: on Fixes: 4861333b4217 ("bonding: add ESP offload features when slaves support") Signed-off-by:
Hangbin Liu <liuhangbin@gmail.com> Signed-off-by:
Cosmin Ratiu <cratiu@nvidia.com> Acked-by:
Jay Vosburgh <jv@jvosburgh.net> Link: https://patch.msgid.link/20250127104147.759658-1-cratiu@nvidia.com Signed-off-by:
Paolo Abeni <pabeni@redhat.com> (cherry picked from commit 9e6c4e6b605c1fa3e24f74ee0b641e95f090188a) ``` Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-02-06 02:44 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small > Approved-by:
Xin Long <lxin@redhat.com> Approved-by:
José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by:
Kamal Heib <kheib@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6343 JIRA: https://issues.redhat.com/browse/RHEL-77915 CVE: CVE-2024-53680 ``` ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() Under certain kernel configurations when building with Clang/LLVM, the compiler does not generate a return or jump as the terminator instruction for ip_vs_protocol_init(), triggering the following objtool warning during build time: vmlinux.o: warning: objtool: ip_vs_protocol_init() falls through to next function __initstub__kmod_ip_vs_rr__935_123_ip_vs_rr_init6() At runtime, this either causes an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in. This same issue has been reported by the Intel kernel test robot previously. Digging deeper into both LLVM and the kernel code reveals this to be an undefined behavior problem. ip_vs_protocol_init() uses an on-stack buffer of 64 chars to store the registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG_FORTIFY_SOURCE strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character (commit 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths")). This, together with possibly other configurations, causes the following IR to be generated: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #5 section ".init.text" align 16 !kcfi_type !29 { %1 = alloca [64 x i8], align 16 ... 14: ; preds = %11 %15 = getelementptr inbounds i8, ptr %1, i64 63 %16 = load i8, ptr %15, align 1 %17 = tail call i1 @llvm.is.constant.i8(i8 %16) %18 = icmp eq i8 %16, 0 %19 = select i1 %17, i1 %18, i1 false br i1 %19, label %20, label %23 20: ; preds = %14 %21 = call i64 @strlen(ptr noundef nonnull dereferenceable(1) %1) #23 ... 
23: ; preds = %14, %11, %20 %24 = call i64 @strnlen(ptr noundef nonnull dereferenceable(1) %1, i64 noundef 64) #24 ... } The above code calculates the address of the last char in the buffer (value %15) and then loads from it (value %16). Because the buffer is never initialized, the LLVM GVN pass marks value %16 as undefined: %13 = getelementptr inbounds i8, ptr %1, i64 63 br i1 undef, label %14, label %17 This gives later passes (SCCP, in particular) more DCE opportunities by propagating the undef value further, and eventually removes everything after the load on the uninitialized stack location: define hidden i32 @ip_vs_protocol_init() local_unnamed_addr #0 section ".init.text" align 16 !kcfi_type !11 { %1 = alloca [64 x i8], align 16 ... 12: ; preds = %11 %13 = getelementptr inbounds i8, ptr %1, i64 63 unreachable } In this way, the generated native code will just fall through to the next function, as LLVM does not generate any code for the unreachable IR instruction and leaves the function without a terminator. Zero the on-stack buffer to avoid this possible UB. Fixes: 1da177e4 ("Linux-2.6.12-rc2") Reported-by:
kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202402100205.PWXIz1ZK-lkp@intel.com/ Co-developed-by:
Ruowen Qin <ruqin@redhat.com> Signed-off-by:
Ruowen Qin <ruqin@redhat.com> Signed-off-by:
Jinghao Jia <jinghao7@illinois.edu> Acked-by:
Julian Anastasov <ja@ssi.bg> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 146b6f1112eb30a19776d6c323c994e9d67790db) ``` Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-02-05 14:10 UTC by backporter</small> Approved-by:
Guillaume Nault <gnault@redhat.com> Approved-by:
Hangbin Liu <haliu@redhat.com> Approved-by:
Andrea Claudi <aclaudi@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6342 JIRA: https://issues.redhat.com/browse/RHEL-77891 CVE: CVE-2025-21648 ``` netfilter: conntrack: clamp maximum hashtable size to INT_MAX Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. See: 0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls") Note: hashtable resize is only possible from init_netns. Fixes: 9cc1c73a ("netfilter: conntrack: avoid integer overflow when resizing") Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13) ``` Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-02-05 14:07 UTC by backporter</small> Approved-by:
Hangbin Liu <haliu@redhat.com> Approved-by:
Antoine Tenart <atenart@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6463 JIRA: https://issues.redhat.com/browse/RHEL-63629 CVE: CVE-2024-49864 JIRA: https://issues.redhat.com/browse/RHEL-77202 CVE: CVE-2025-21672 JIRA: https://issues.redhat.com/browse/RHEL-68562 CVE: CVE-2024-53090 JIRA: https://issues.redhat.com/browse/RHEL-67999 CVE: CVE-2024-50294 Signed-off-by:
Marc Dionne <mdionne@redhat.com> Approved-by:
David Howells <dhowells@redhat.com> Approved-by:
Alice Mitchell <ajmitchell@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6450 JIRA: https://issues.redhat.com/browse/RHEL-73706 commit 7a2f6f7687c5f7083a35317cddec5ad9fa491443 Author: Benjamin Coddington <bcodding@redhat.com> Date: Tue Feb 11 12:31:57 2025 -0500 SUNRPC: Handle -ETIMEDOUT return from tlshd If the TLS handshake attempt returns -ETIMEDOUT, we currently translate that error into -EACCES. This becomes problematic for cases where the RPC layer is attempting to re-connect in paths that don't reasonably handle -EACCES, for example: writeback. The RPC layer can handle -ETIMEDOUT quite well, however - so if the handshake returns this error let's just pass it along. Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class") Signed-off-by:
Benjamin Coddington <bcodding@redhat.com> Signed-off-by:
Anna Schumaker <anna.schumaker@oracle.com> Signed-off-by:
Benjamin Coddington <bcodding@redhat.com> Approved-by:
Olga Kornievskaia <okorniev@redhat.com> Approved-by:
Scott Mayhew <smayhew@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6446 JIRA: INTERNAL Upstream Status: RHEL only Signed-off-by:
Augusto Caringi <acaringi@redhat.com> Approved-by:
Scott Weaver <scweaver@redhat.com> Approved-by:
Jan Stancek <jstancek@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Approved-by:
Julio Faracco <jfaracco@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6183 JIRA: https://issues.redhat.com/browse/RHEL-62750 Patches are required to fix E825 initialization on the GNR-D platform. Signed-off-by:
Petr Oros <poros@redhat.com> Approved-by:
Michal Schmidt <mschmidt@redhat.com> Approved-by:
José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6420 Description: I/O DLPAR Kernel Improvements JIRA: https://issues.redhat.com/browse/RHEL-77266 Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66798241 Tested: Verified Brew build test kernel RPMs Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6417 JIRA: https://issues.redhat.com/browse/RHEL-66942 CVE: CVE-2024-50195 Signed-off-by:
David Arcari <darcari@redhat.com> Approved-by:
Prarit Bhargava <prarit@redhat.com> Approved-by:
Waiman Long <longman@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6284 Description: Updates for radix kfence JIRA: https://issues.redhat.com/browse/RHEL-73626 Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=66501145 Tested: Verified Brew build test kernel RPMs Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> commit 353d7a84c214f184d5a6b62acdec8b4424159b7c Author: Hari Bathini <hbathini@linux.ibm.com> Date: Mon Jul 1 18:30:21 2024 +0530 powerpc/64s/radix/kfence: map __kfence_pool at page granularity When KFENCE is enabled, total system memory is mapped at page level granularity. But in radix MMU mode, ~3GB additional memory is needed to map 100GB of system memory at page level granularity when compared to using 2MB direct mapping. This is not desired considering KFENCE is designed to be enabled in production kernels [1]. Mapping only the memory allocated for KFENCE pool at page granularity is sufficient to enable KFENCE support. So, allocate __kfence_pool during bootup and map it at page granularity instead of mapping all system memory at page granularity. Without patch: MemTotal: 101201920 kB With patch: MemTotal: 104483904 kB Note that enabling KFENCE at runtime is disabled for radix MMU for now, as it depends on the ability to split page table mappings and such APIs are not currently implemented for radix MMU. All kfence_test.c testcases passed with this patch. [1] https://lore.kernel.org/all/20201103175841.3495947-2-elver@google.com/ Signed-off-by:
Hari Bathini <hbathini@linux.ibm.com> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://msgid.link/20240701130021.578240-1-hbathini@linux.ibm.com Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Desnes Nunes <desnesn@redhat.com> Approved-by:
Waiman Long <longman@redhat.com> Approved-by:
Rafael Aquini <raquini@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6158 JIRA: https://issues.redhat.com/browse/RHEL-72325 CVE: CVE-2024-56603 ``` net: af_can: do not leave a dangling sk pointer in can_create() On error can_create() frees the allocated sk object, but sock_init_data() has already attached it to the provided sock object. This will leave a dangling sk pointer in the sock object and may cause use-after-free later. Signed-off-by:
Ignat Korchagin <ignat@cloudflare.com> Reviewed-by:
Vincent Mailhol <mailhol.vincent@wanadoo.fr> Reviewed-by:
Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by:
Marc Kleine-Budde <mkl@pengutronix.de> Link: https://patch.msgid.link/20241014153808.51894-5-ignat@cloudflare.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 811a7ca7320c062e15d0f5b171fe6ad8592d1434) ``` Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-01-13 16:46 UTC by backporter</small> Approved-by:
Radu Rendec <rrendec@redhat.com> Approved-by:
Eric Chanudet <echanude@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6157 JIRA: https://issues.redhat.com/browse/RHEL-72261 CVE: CVE-2024-56645 ``` can: j1939: j1939_session_new(): fix skb reference counting Since j1939_session_skb_queue() does an extra skb_get() for each new skb, do the same for the initial one in j1939_session_new() to avoid refcount underflow. Reported-by:
<syzbot+d4e8dc385d9258220c31@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=d4e8dc385d9258220c31 Fixes: 9d71dd0c ("can: add support of SAE J1939 protocol") Signed-off-by:
Dmitry Antipov <dmantipov@yandex.ru> Tested-by:
Oleksij Rempel <o.rempel@pengutronix.de> Acked-by:
Oleksij Rempel <o.rempel@pengutronix.de> Link: https://patch.msgid.link/20241105094823.2403806-1-dmantipov@yandex.ru [mkl: clean up commit message] Signed-off-by:
Marc Kleine-Budde <mkl@pengutronix.de> (cherry picked from commit a8c695005bfe6569acd73d777ca298ddddd66105) ``` Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-01-13 16:44 UTC by backporter</small> Approved-by:
Radu Rendec <rrendec@redhat.com> Approved-by:
Eric Chanudet <echanude@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6156 JIRA: https://issues.redhat.com/browse/RHEL-72057 CVE: CVE-2023-52922 ``` can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before the procfs entry is removed in bcm_release(), so bcm_proc_show() may read the freed bcm_op. Fixes: ffd980f9 ("[CAN]: Add broadcast manager (bcm) protocol") Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Reviewed-by:
Oliver Hartkopp <socketcan@hartkopp.net> Acked-by:
Oliver Hartkopp <socketcan@hartkopp.net> Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com Cc: stable@vger.kernel.org Signed-off-by:
Marc Kleine-Budde <mkl@pengutronix.de> (cherry picked from commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb) ``` Signed-off-by:
CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-01-13 16:34 UTC by backporter</small> Approved-by:
Radu Rendec <rrendec@redhat.com> Approved-by:
Eric Chanudet <echanude@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6410 JIRA: https://issues.redhat.com/browse/RHEL-79811 commits; ``` 6cf9ff463317217d95732a6cce6fbdd12508921a ``` Signed-off-by:
Mete Durlu <mdurlu@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6409 JIRA: https://issues.redhat.com/browse/RHEL-79813 commits; ``` c12b2704a678b8a116eeb03f5b91895b90b4dd6f ``` Signed-off-by:
Mete Durlu <mdurlu@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6408 JIRA: https://issues.redhat.com/browse/RHEL-79808 commits; ``` 225d09d6e5f3870560665a1829d2db79330b4c58 d414f4ecb240b994cba8c9666def0a4b9c953601 ``` Signed-off-by:
Mete Durlu <mdurlu@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6407 JIRA: https://issues.redhat.com/browse/RHEL-78507 Signed-off-by:
Paulo Alcantara <paalcant@redhat.com> Approved-by:
Jay Shin <jaeshin@redhat.com> Approved-by:
Scott Mayhew <smayhew@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6278 JIRA: https://issues.redhat.com/browse/RHEL-76350 Commits: ``` 9988df07dbe1ca8282f5ae95f1b534f91bab73fc ``` Signed-off-by:
Mete Durlu <mdurlu@redhat.com> Approved-by:
Steve Best <sbest@redhat.com> Approved-by:
Tony Camuso <tcamuso@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
Augusto Caringi authored
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6404 JIRA: https://issues.redhat.com/browse/RHEL-63642 Patches are required for managing MSI-X in driver. Signed-off-by:
Petr Oros <poros@redhat.com> Approved-by:
Michal Schmidt <mschmidt@redhat.com> Approved-by:
José Ignacio Tornos Martínez <jtornosm@redhat.com> Approved-by:
CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by:
Augusto Caringi <acaringi@redhat.com>
-
- Mar 03, 2025
-
-
Mamatha Inamdar authored
JIRA: https://issues.redhat.com/browse/RHEL-80861
CVE: CVE-2022-49432

commit 5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9
Author: Lv Ruyi <lv.ruyi@zte.com.cn>
Date: Sat Apr 2 01:34:19 2022 +0000

powerpc/xics: fix refcount leak in icp_opal_init()

The of_find_compatible_node() function returns a node pointer with refcount incremented, use of_node_put() on it when done.

Reported-by:
Zeal Robot <zealci@zte.com.cn> Signed-off-by:
Lv Ruyi <lv.ruyi@zte.com.cn> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220402013419.2410298-1-lv.ruyi@zte.com.cn Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com>
-
Mamatha Inamdar authored
JIRA: https://issues.redhat.com/browse/RHEL-81000
CVE: CVE-2022-49353

commit 07bf9431b1590d1cd7a8d62075d0b50b073f0495
Author: Vaibhav Jain <vaibhav@linux.ibm.com>
Date: Tue May 24 16:53:53 2022 +0530

powerpc/papr_scm: don't requests stats with '0' sized stats buffer

Sachin reported [1] that on a POWER-10 lpar he is seeing a kernel panic being reported with vPMEM when papr_scm probe is being called. The panic is of the form below and is observed only with following option disabled(profile) for the said LPAR 'Enable Performance Information Collection' in the HMC:

```
Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on write at 0x0000001c
Faulting instruction address: 0xc008000001b90844
Oops: Kernel access of bad area, sig: 11 [#1]
<snip>
NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]
LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]
Call Trace:
       0xc00000000941bca0 (unreliable)
       papr_scm_probe+0x2ac/0x6ec [papr_scm]
       platform_probe+0x98/0x150
       really_probe+0xfc/0x510
       __driver_probe_device+0x17c/0x230
<snip>
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception
```

On investigation looks like this panic was caused due to a 'stat_buffer' of size==0 being provided to drc_pmem_query_stats() to fetch all performance stats-ids of an NVDIMM. However drc_pmem_query_stats() shouldn't have been called since the vPMEM NVDIMM doesn't support any performance stat-id's. This was caused due to missing check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events() which indicates that the NVDIMM doesn't support performance-stats.

Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events().

[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com

Fixes: 0e0946e22f3665d2732 ("powerpc/papr_scm: Fix leaking nvdimm_events_map elements")
Reported-by:
Sachin Sant <sachinp@linux.ibm.com> Signed-off-by:
Vaibhav Jain <vaibhav@linux.ibm.com> Tested-by:
Sachin Sant <sachinp@linux.ibm.com> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220524112353.1718454-1-vaibhav@linux.ibm.com Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com>
-
Mamatha Inamdar authored
JIRA: https://issues.redhat.com/browse/RHEL-81000
CVE: CVE-2022-49353

commit 0e0946e22f3665d27325d389ff45ade6e93f3678
Author: Vaibhav Jain <vaibhav@linux.ibm.com>
Date: Wed May 11 13:56:36 2022 +0530

powerpc/papr_scm: Fix leaking nvdimm_events_map elements

Right now 'char *' elements allocated for individual 'stat_id' in 'papr_scm_priv.nvdimm_events_map[]' during papr_scm_pmu_check_events(), get leaked in papr_scm_remove() and papr_scm_pmu_register(), papr_scm_pmu_check_events() error paths.

Also individual 'stat_id' aren't NULL terminated 'char *' instead they are fixed 8-byte sized identifiers. However papr_scm_pmu_register() assumes it to be a NULL terminated 'char *' and at other places it assumes it to be a 'papr_scm_perf_stat.stat_id' sized string which is 8-bytes in size.

Fix this by allocating the memory for papr_scm_priv.nvdimm_events_map to also include space for 'stat_id' entries. This is possible since number of available events/stat_ids are known upfront. This saves some memory and one extra level of indirection from 'nvdimm_events_map' to 'stat_id'. Also rest of the code can continue to call 'kfree(papr_scm_priv.nvdimm_events_map)' without needing to iterate over the array and free up individual elements.

Fixes: 4c08d4bbc089 ("powerpc/papr_scm: Add perf interface support")
Signed-off-by:
Vaibhav Jain <vaibhav@linux.ibm.com> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220511082637.646714-1-vaibhav@linux.ibm.com Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com>
-
- Feb 28, 2025
-
-
Mamatha Inamdar authored
JIRA: https://issues.redhat.com/browse/RHEL-80849
CVE: CVE-2022-49437

commit 1d1fb9618bdd5a5fbf9a9eb75133da301d33721c
Author: Miaoqian Lin <linmq006@gmail.com>
Date: Thu May 12 13:05:33 2022 +0400

powerpc/xive: Fix refcount leak in xive_spapr_init

of_find_compatible_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak.

Fixes: eac1e731 ("powerpc/xive: guest exploitation of the XIVE interrupt controller")
Signed-off-by:
Miaoqian Lin <linmq006@gmail.com> Reviewed-by:
Cédric Le Goater <clg@kaod.org> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20220512090535.33397-1-linmq006@gmail.com Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com>
-
Mamatha Inamdar authored
JIRA: https://issues.redhat.com/browse/RHEL-80849
CVE: CVE-2022-49437

commit e414e2938ee26e734f19e92a60cd090ebaff37e6
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date: Tue Feb 1 13:31:16 2022 +0100

powerpc/xive: Add some error handling code to 'xive_spapr_init()'

'xive_irq_bitmap_add()' can return -ENOMEM. In this case, we should free the memory already allocated and return 'false' to the caller.

Also add an error path which undoes the 'tima = ioremap(...)'

Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reviewed-by:
Cédric Le Goater <clg@kaod.org> Signed-off-by:
Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/564998101804886b151235c8a9f93020923bfd2c.1643718324.git.christophe.jaillet@wanadoo.fr Signed-off-by:
Mamatha Inamdar <minamdar@redhat.com>
-
- Feb 27, 2025
-
-
Augusto Caringi authored
JIRA: INTERNAL Upstream Status: RHEL only Signed-off-by:
Augusto Caringi <acaringi@redhat.com>
-
Marc Dionne authored
JIRA: https://issues.redhat.com/browse/RHEL-63629
CVE: CVE-2024-49864

commit bc212465326e8587325f520a052346f0b57360e6
Author: David Howells <dhowells@redhat.com>
Date: Tue Oct 1 14:26:58 2024 +0100

rxrpc: Fix a race between socket set up and I/O thread creation

In rxrpc_open_socket(), it sets up the socket and then sets up the I/O thread that will handle it. This is a problem, however, as there's a gap between the two phases in which a packet may come into rxrpc_encap_rcv() from the UDP packet but we oops when trying to wake the not-yet created I/O thread.

As a quick fix, just make rxrpc_encap_rcv() discard the packet if there's no I/O thread yet.

A better, but more intrusive fix would perhaps be to rearrange things such that the socket creation is done by the I/O thread.

Fixes: a275da62e8c1 ("rxrpc: Create a per-local endpoint receive queue and I/O thread")
Signed-off-by:
David Howells <dhowells@redhat.com> cc: yuxuanzhe@outlook.com cc: Marc Dionne <marc.dionne@auristor.com> cc: Simon Horman <horms@kernel.org> cc: linux-afs@lists.infradead.org Reviewed-by:
Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20241001132702.3122709-2-dhowells@redhat.com Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Signed-off-by:
Marc Dionne <mdionne@redhat.com>
-
Marc Dionne authored
JIRA: https://issues.redhat.com/browse/RHEL-77202
CVE: CVE-2025-21672

commit 17a4fde81d3a7478d97d15304a6d61094a10c2e3
Author: Lizhi Xu <lizhi.xu@windriver.com>
Date: Tue Jan 7 14:52:32 2025 +0000

afs: Fix merge preference rule failure condition

syzbot reported a lock held when returning to userspace[1]. This is because if argc is less than 0 and the function returns directly, the held inode lock is not released.

Fix this by storing the error in ret and jumping to done to clean up instead of returning directly.

[dh: Modified Lizhi Xu's original patch to make it honour the error code from afs_split_string()]

[1]
```
WARNING: lock held when returning to user space!
6.13.0-rc3-syzkaller-00209-g499551201b5f #0 Not tainted
------------------------------------------------
syz-executor133/5823 is leaving the kernel with locks still held!
1 lock held by syz-executor133/5823:
 #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: inode_lock include/linux/fs.h:818 [inline]
 #0: ffff888071cffc00 (&sb->s_type->i_mutex_key#9){++++}-{4:4}, at: afs_proc_addr_prefs_write+0x2bb/0x14e0 fs/afs/addr_prefs.c:388
```

Reported-by:
<syzbot+76f33569875eb708e575@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=76f33569875eb708e575 Signed-off-by:
Lizhi Xu <lizhi.xu@windriver.com> Signed-off-by:
David Howells <dhowells@redhat.com> Link: https://lore.kernel.org/r/20241226012616.2348907-1-lizhi.xu@windriver.com/ Link: https://lore.kernel.org/r/529850.1736261552@warthog.procyon.org.uk Tested-by:
<syzbot+76f33569875eb708e575@syzkaller.appspotmail.com> cc: Marc Dionne <marc.dionne@auristor.com> cc: linux-afs@lists.infradead.org Signed-off-by:
Christian Brauner <brauner@kernel.org> Signed-off-by:
Marc Dionne <mdionne@redhat.com>
-