eb9b9d5...
by
Jakub Kicinski <email address hidden>
net: mpls: fix stale pointer if allocation fails during device rename
lianhui reports that when MPLS fails to register the sysctl table
under new location (during device rename) the old pointers won't
get overwritten and may be freed again (double free).
Handle this gracefully. The best option would be unregistering
the MPLS from the device completely on failure, but unfortunately
mpls_ifdown() can fail. So failing fully is also unreliable.
Another option is to register the new table first then only
remove old one if the new one succeeds. That requires more
code, changes order of notifications and two tables may be
visible at the same time.
sysctl point is not used in the rest of the code - set to NULL
on failures and skip unregister if already NULL.
Reported-by: lianhui tang <email address hidden>
Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls")
Signed-off-by: Jakub Kicinski <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
CVE-2023-26545
(cherry picked from commit fda6c89fe3d9aca073495a664e1d5aea28cd4377)
Signed-off-by: Cengiz Can <email address hidden>
Acked-by: Luke Nowakowski-Krijger <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
c27a658...
by
Pedro Tammela <email address hidden>
The imperfect hash area can be updated while packets are traversing,
which will cause a use-after-free when 'tcf_exts_exec()' is called
with the destroyed tcf_ext.
CPU 0: CPU 1:
tcindex_set_parms tcindex_classify
tcindex_lookup tcindex_lookup
tcf_exts_change tcf_exts_exec [UAF]
Stop operating on the shared area directly, by using a local copy,
and update the filter with 'rcu_replace_pointer()'. Delete the old
filter version only after a rcu grace period elapsed.
Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
Reported-by: valis <email address hidden>
Suggested-by: valis <email address hidden>
Signed-off-by: Jamal Hadi Salim <email address hidden>
Signed-off-by: Pedro Tammela <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Jakub Kicinski <email address hidden>
(cherry picked from commit ee059170b1f7e94e55fa6cadee544e176a6e59c2)
CVE-2023-1281
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Cengiz Can <email address hidden>
Signed-off-by: Luke Nowakowski-Krijger <email address hidden>
9bed66d...
by
Jiapeng Chong <email address hidden>
During driver unload, mrioc->bsg_device reference count becomes
negative. Also, as reported in [1], the driver's bsg_device model had few
more bugs. Fix all these up.
Add sysfs attributes for exposing target device details such as SAS
address, firmware device handle, and persistent ID for the
controller-attached devices and RAID volumes.
(backported from commit 9feb5c4c3f95ec42fc12dc92f7216c2603b1a571)
[mreed: adjusted context for missing .shost_groups in last hunk]
Signed-off-by: Michael Reed <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
Add shost related sysfs attributes to display the controller's firmware
version, queue depth, number of requests, and number of reply queues. Also
add an attribute to set & get the logging_level.
Return -ENOMEM instead of success if dma_alloc_coherent() fails.
Link: https://lore.kernel.org/r/YnOmMGHqCOtUCYQ1@kili
Fixes: 43ca11005098 ("scsi: mpi3mr: Add support for PEL commands")
Signed-off-by: Dan Carpenter <email address hidden>
Signed-off-by: Martin K. Petersen <email address hidden>
(cherry picked from commit bc7896d31a922ee9caabb10dc07509f65d41dc0e)
Signed-off-by: Michael Reed <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
f414adb...
by
Dan Carpenter <email address hidden>
scsi: mpi3mr: Fix a NULL vs IS_ERR() bug in mpi3mr_bsg_init()