{"release":{"tag":{"name":"4.19.90-2210.4.0","path":"/openeuler/kernel/tags/4.19.90-2210.4.0","tree_path":"/openeuler/kernel/tree/4.19.90-2210.4.0","message":"4.19.90-2210.4.0","commit":{"id":"187e173a47cc3045b4f596dfdce31bc2b1494b90","short_id":"187e173","title":"nfp: fix use-after-free in area_cache_get()","title_markdown":"nfp: fix use-after-free in area_cache_get()","description":"\nmainline inclusion\nfrom mainline-v6.0-rc1\ncommit 02e1a114fdb71e59ee6770294166c30d437bf86a\ncategory: bugfix\nbugzilla: 187867, https://gitee.com/src-openeuler/kernel/issues/I5W7B5\nCVE: CVE-2022-3545\n\n--------------------------------\n\narea_cache_get() is used to distribute cache-\u003Earea and set cache-\u003Eid,\n and if cache-\u003Eid is not 0 and cache-\u003Earea-\u003Ekref refcount is 0, it will\n release the cache-\u003Earea by nfp_cpp_area_release(). area_cache_get()\n set cache-\u003Eid before cpp-\u003Eop-\u003Earea_init() and nfp_cpp_area_acquire().\n\nBut if area_init() or nfp_cpp_area_acquire() fails, the cache-\u003Eid is\n is already set but the refcount is not increased as expected. 
At this\n time, calling the nfp_cpp_area_release() will cause use-after-free.\n\nTo avoid the use-after-free, set cache-\u003Eid after area_init() and\n nfp_cpp_area_acquire() complete successfully.\n\nNote: This vulnerability is triggerable by providing emulated device\n equipped with specified configuration.\n\n BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\n  Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1\n\n Call Trace:\n  \u003CTASK\u003E\n nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\n area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)\n\n Allocated by task 1:\n nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)\n nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)\n nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)\n nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)\n nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)\n\n Freed by task 1:\n kfree (mm/slub.c:4562)\n area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)\n nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)\n nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)\n\nSigned-off-by: Jialiang Wang \u003Cwangjialiang0806@163.com\u003E\nReviewed-by: Yinjun Zhang \u003Cyinjun.zhang@corigine.com\u003E\nAcked-by: Simon Horman \u003Csimon.horman@corigine.com\u003E\nLink: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com\nSigned-off-by: Jakub Kicinski \u003Ckuba@kernel.org\u003E\nSigned-off-by: Yuyao Lin \u003Clinyuyao1@huawei.com\u003E\nReviewed-by: Wei Li \u003Cliwei391@huawei.com\u003E\nReviewed-by: Xiu Jianfeng 
\u003Cxiujianfeng@huawei.com\u003E\nSigned-off-by: Yongqiang Liu \u003Cliuyongqiang13@huawei.com\u003E","description_markdown":"mainline inclusion\nfrom mainline-v6.0-rc1\ncommit 02e1a114fdb71e59ee6770294166c30d437bf86a\ncategory: bugfix\nbugzilla: 187867, \u003Ca title=\"Issue: CVE-2022-3545\" class=\"gfm gfm-issue\" href=\"/open_euler/dashboard?issue_id=I5W7B5\"\u003E#I5W7B5\u003C/a\u003ECVE: CVE-2022-3545\n--------------------------------\narea_cache_get() is used to distribute cache-\u0026gt;area and set cache-\u0026gt;id,\nand if cache-\u0026gt;id is not 0 and cache-\u0026gt;area-\u0026gt;kref refcount is 0, it will\nrelease the cache-\u0026gt;area by nfp_cpp_area_release(). area_cache_get()\nset cache-\u0026gt;id before cpp-\u0026gt;op-\u0026gt;area_init() and nfp_cpp_area_acquire().\nBut if area_init() or nfp_cpp_area_acquire() fails, the cache-\u0026gt;id is\nis already set but the refcount is not increased as expected. At this\ntime, calling the nfp_cpp_area_release() will cause use-after-free.\nTo avoid the use-after-free, set cache-\u0026gt;id after area_init() and\nnfp_cpp_area_acquire() complete successfully.\nNote: This vulnerability is triggerable by providing emulated device\nequipped with specified configuration.\nBUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\nWrite of size 4 at addr ffff888005b7f4a0 by task swapper/0/1\nCall Trace:\n\nnfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\narea_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)\nAllocated by task 1:\nnfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)\nnfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)\nnfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)\nnfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)\nnfp_pci_probe 
(drivers/net/ethernet/netronome/nfp/nfp_main.c:744)\nFreed by task 1:\nkfree (mm/slub.c:4562)\narea_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)\nnfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)\nnfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)\nSigned-off-by: Jialiang Wang \u003Ca href=\"mailto:wangjialiang0806@163.com\"\u003Ewangjialiang0806@163.com\u003C/a\u003E\nReviewed-by: Yinjun Zhang \u003Ca href=\"mailto:yinjun.zhang@corigine.com\"\u003Eyinjun.zhang@corigine.com\u003C/a\u003E\nAcked-by: Simon Horman \u003Ca href=\"mailto:simon.horman@corigine.com\"\u003Esimon.horman@corigine.com\u003C/a\u003E\nLink: \u003Ca href=\"https://gitee.com/link?target=https%3A%2F%2Flore.kernel.org%2Fr%2F20220810073057.4032-1-wangjialiang0806%40163.com\"\u003Ehttps://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com\u003C/a\u003E\nSigned-off-by: Jakub Kicinski \u003Ca href=\"mailto:kuba@kernel.org\"\u003Ekuba@kernel.org\u003C/a\u003E\nSigned-off-by: Yuyao Lin \u003Ca href=\"mailto:linyuyao1@huawei.com\"\u003Elinyuyao1@huawei.com\u003C/a\u003E\nReviewed-by: Wei Li \u003Ca href=\"mailto:liwei391@huawei.com\"\u003Eliwei391@huawei.com\u003C/a\u003E\nReviewed-by: Xiu Jianfeng \u003Ca href=\"mailto:xiujianfeng@huawei.com\"\u003Exiujianfeng@huawei.com\u003C/a\u003E\nSigned-off-by: Yongqiang Liu \u003Ca href=\"mailto:liuyongqiang13@huawei.com\"\u003Eliuyongqiang13@huawei.com\u003C/a\u003E","message":"nfp: fix use-after-free in area_cache_get()\n\nmainline inclusion\nfrom mainline-v6.0-rc1\ncommit 02e1a114fdb71e59ee6770294166c30d437bf86a\ncategory: bugfix\nbugzilla: 187867, https://gitee.com/src-openeuler/kernel/issues/I5W7B5\nCVE: CVE-2022-3545\n\n--------------------------------\n\narea_cache_get() is used to distribute cache-\u003Earea and set cache-\u003Eid,\n and if cache-\u003Eid is not 0 and 
cache-\u003Earea-\u003Ekref refcount is 0, it will\n release the cache-\u003Earea by nfp_cpp_area_release(). area_cache_get()\n set cache-\u003Eid before cpp-\u003Eop-\u003Earea_init() and nfp_cpp_area_acquire().\n\nBut if area_init() or nfp_cpp_area_acquire() fails, the cache-\u003Eid is\n is already set but the refcount is not increased as expected. At this\n time, calling the nfp_cpp_area_release() will cause use-after-free.\n\nTo avoid the use-after-free, set cache-\u003Eid after area_init() and\n nfp_cpp_area_acquire() complete successfully.\n\nNote: This vulnerability is triggerable by providing emulated device\n equipped with specified configuration.\n\n BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\n  Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1\n\n Call Trace:\n  \u003CTASK\u003E\n nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\n area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)\n\n Allocated by task 1:\n nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)\n nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)\n nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)\n nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)\n nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)\n\n Freed by task 1:\n kfree (mm/slub.c:4562)\n area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)\n nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)\n nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)\n\nSigned-off-by: Jialiang Wang \u003Cwangjialiang0806@163.com\u003E\nReviewed-by: Yinjun Zhang 
\u003Cyinjun.zhang@corigine.com\u003E\nAcked-by: Simon Horman \u003Csimon.horman@corigine.com\u003E\nLink: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com\nSigned-off-by: Jakub Kicinski \u003Ckuba@kernel.org\u003E\nSigned-off-by: Yuyao Lin \u003Clinyuyao1@huawei.com\u003E\nReviewed-by: Wei Li \u003Cliwei391@huawei.com\u003E\nReviewed-by: Xiu Jianfeng \u003Cxiujianfeng@huawei.com\u003E\nSigned-off-by: Yongqiang Liu \u003Cliuyongqiang13@huawei.com\u003E\n","message_markdown":"nfp: fix use-after-free in area_cache_get()\nmainline inclusion\nfrom mainline-v6.0-rc1\ncommit 02e1a114fdb71e59ee6770294166c30d437bf86a\ncategory: bugfix\nbugzilla: 187867, \u003Ca title=\"Issue: CVE-2022-3545\" class=\"gfm gfm-issue\" href=\"/open_euler/dashboard?issue_id=I5W7B5\"\u003E#I5W7B5\u003C/a\u003ECVE: CVE-2022-3545\n--------------------------------\narea_cache_get() is used to distribute cache-\u0026gt;area and set cache-\u0026gt;id,\nand if cache-\u0026gt;id is not 0 and cache-\u0026gt;area-\u0026gt;kref refcount is 0, it will\nrelease the cache-\u0026gt;area by nfp_cpp_area_release(). area_cache_get()\nset cache-\u0026gt;id before cpp-\u0026gt;op-\u0026gt;area_init() and nfp_cpp_area_acquire().\nBut if area_init() or nfp_cpp_area_acquire() fails, the cache-\u0026gt;id is\nis already set but the refcount is not increased as expected. 
At this\ntime, calling the nfp_cpp_area_release() will cause use-after-free.\nTo avoid the use-after-free, set cache-\u0026gt;id after area_init() and\nnfp_cpp_area_acquire() complete successfully.\nNote: This vulnerability is triggerable by providing emulated device\nequipped with specified configuration.\nBUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\nWrite of size 4 at addr ffff888005b7f4a0 by task swapper/0/1\nCall Trace:\n\nnfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)\narea_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)\nAllocated by task 1:\nnfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)\nnfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)\nnfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)\nnfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)\nnfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)\nFreed by task 1:\nkfree (mm/slub.c:4562)\narea_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)\nnfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)\nnfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)\nSigned-off-by: Jialiang Wang \u003Ca href=\"mailto:wangjialiang0806@163.com\"\u003Ewangjialiang0806@163.com\u003C/a\u003E\nReviewed-by: Yinjun Zhang \u003Ca href=\"mailto:yinjun.zhang@corigine.com\"\u003Eyinjun.zhang@corigine.com\u003C/a\u003E\nAcked-by: Simon Horman \u003Ca href=\"mailto:simon.horman@corigine.com\"\u003Esimon.horman@corigine.com\u003C/a\u003E\nLink: \u003Ca 
href=\"https://gitee.com/link?target=https%3A%2F%2Flore.kernel.org%2Fr%2F20220810073057.4032-1-wangjialiang0806%40163.com\"\u003Ehttps://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.com\u003C/a\u003E\nSigned-off-by: Jakub Kicinski \u003Ca href=\"mailto:kuba@kernel.org\"\u003Ekuba@kernel.org\u003C/a\u003E\nSigned-off-by: Yuyao Lin \u003Ca href=\"mailto:linyuyao1@huawei.com\"\u003Elinyuyao1@huawei.com\u003C/a\u003E\nReviewed-by: Wei Li \u003Ca href=\"mailto:liwei391@huawei.com\"\u003Eliwei391@huawei.com\u003C/a\u003E\nReviewed-by: Xiu Jianfeng \u003Ca href=\"mailto:xiujianfeng@huawei.com\"\u003Exiujianfeng@huawei.com\u003C/a\u003E\nSigned-off-by: Yongqiang Liu \u003Ca href=\"mailto:liuyongqiang13@huawei.com\"\u003Eliuyongqiang13@huawei.com\u003C/a\u003E","detail_path":"/openeuler/kernel/commit/187e173a47cc3045b4f596dfdce31bc2b1494b90","commits_path":"/openeuler/kernel/commits/187e173a47cc3045b4f596dfdce31bc2b1494b90","tree_path":"/openeuler/kernel/tree/187e173a47cc3045b4f596dfdce31bc2b1494b90","author":{"name":"Jialiang Wang","email":"wangjialiang0806@163.com","username":null,"user_path":null,"enterprise_user_path":null,"image_path":"no_portrait.png#Jialiang Wang-","is_gitee_user":false,"is_enterprise_user":null,"widget_url":null},"committer":{"name":"Yongqiang Liu","email":"duanzi@zju.edu.cn","username":null,"user_path":null,"enterprise_user_path":null,"image_path":"no_portrait.png#Yongqiang Liu-","is_gitee_user":false,"is_enterprise_user":null,"widget_url":null},"authored_date":"2022-10-25T09:29:22+00:00","committed_date":"2022-10-25T17:17:35+08:00","signature":null,"build_state":null},"archive_path":"/openeuler/kernel/repository/archive/4.19.90-2210.4.0","signature":null},"operating":{"edit":false,"download":true,"destroy":false,"enterprise_forbid_zip":false},"release":{"title":"openEuler 20.03 update 
4.19.90-2210.4.0","path":"/openeuler/kernel/releases/tag/4.19.90-2210.4.0","tag_path":"/openeuler/kernel/tree/4.19.90-2210.4.0","project_id":7696525,"created_at":"2022-10-25T17:27:19+08:00","is_prerelease":false,"description":"# 1TASK\r\n-------\r\n\r\n# 4.19.90-2210.3.0~1...4.19.90-2210.4.0\r\n-------\r\n| TASK | COMMIT |\r\n|:----:|:------:|\r\n|     bugzilla: 187867, https://gitee.com/src-openeuler/kernel/issues/I5W7B5 | 187e173a47cc nfp: fix use-after-free in area_cache_get()\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5W7YH | 20fb5fafab62 mISDN: fix use-after-free bugs in l1oip timer handlers\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5W7ZF | 1ae8a44b0107 tcp: Fix data races around icsk-\u003Eicsk_af_ops.\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5W7XW | 1c1e7cf5f472 Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu\u003Cbr\u003E |\r\n|     bugzilla: 187839, https://gitee.com/src-openeuler/kernel/issues/I5W7B1 | c3844d5ad5f9 bnx2x: fix potential memory leak in bnx2x_tpa_stop()\u003Cbr\u003E |\r\n|     bugzilla: 187847, https://gitee.com/src-openeuler/kernel/issues/I5WFKR | 4302727af81f r8152: Rate limit overflow messages\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5WW82 | cafd261d0428 scsi: megaraid_sas: Add support for MegaRAID Aero controllers\u003Cbr\u003E|\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5WW3D | c1ebe562b7fb vfio-pci: Mask cap zero\u003Cbr\u003E |\r\n|     bugzilla: 187825, https://gitee.com/src-openeuler/kernel/issues/I5VZ0J | 0724868f7c1a tcp/udp: Fix memory leak in ipv6_renew_options().\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5W7AX | 92febc730135 net: mvpp2: fix mvpp2 debugfs leak\u003Cbr\u003E |\r\n|     bugzilla: 187823, https://gitee.com/src-openeuler/kernel/issues/I5VZ0N | a4c35ce0dab6 kcm: avoid potential race 
in kcm_tx_work\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5UY5E | 1eefd25aa8f5 net: bonding: Add support for IPV6 ns/na to balance-alb/balance-tlb mode\u003Cbr\u003E|\r\n|     bugzilla: 187798, https://gitee.com/src-openeuler/kernel/issues/I5U1NZ | 4b472e21a9dc fbdev: smscufx: Fix use-after-free in ufx_ops_open()\u003Cbr\u003E|\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5986O | 1e83e42b007c nvme: fix controller instance leak\u003Cbr\u003E |\r\n|     bugzilla:https://gitee.com/openeuler/kernel/issues/I5986O | 7d574b4c65c7 nvme: Assign subsys instance from first ctrl\u003Cbr\u003E|\r\n|     bugzilla: 187805, https://gitee.com/src-openeuler/kernel/issues/I5U713 | edb25e44f5d5 binder: fix UAF of ref-\u003Eproc caused by race condition\u003Cbr\u003E|\r\n\r\n# 2CVE\r\n-------\r\n| CVE | issue |\r\n|:---:|:-----:|\r\n| CVE-2022-3521 | #I5VZ0N |\r\n| CVE-2022-3524 | #I5VZ0J |\r\n| CVE-2022-3535 | #I5W7AX |\r\n| CVE-2022-3542 | #I5W7B1 |\r\n| CVE-2022-3545 | #I5W7B5 |\r\n| CVE-2022-3564 | #I5W7XW |\r\n| CVE-2022-3565 | #I5W7YH |\r\n| CVE-2022-3566 | #I5W7ZF |\r\n| CVE-2022-3594 | #I5WFKR |\r\n| CVE-2022-41849 | #I5U1NZ |\r\n","author":{"name":"Qiuuuuu","username":"qiuuuuu","path":"/qiuuuuu","avatar_url":"no_portrait.png#Qiuuuuu-qiuuuuu"},"attach_files":[],"zip_download_url":"/openeuler/kernel/releases/tag/4.19.90-2210.4.0.zip","tar_download_url":"/openeuler/kernel/releases/tag/4.19.90-2210.4.0.tar.gz"}}}
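The commit message recorded above describes an ordering bug: area_cache_get() publishes cache->id before cpp->op->area_init() and nfp_cpp_area_acquire() have succeeded, so a failed init leaves the slot claiming a reference it never took, and the next reuse releases that phantom reference and frees the area while the slot still points at it. The following is an added example, not the nfp driver's code or part of this release record. It models that sequence in user space so the buggy and fixed orderings can be compared; struct area, struct cache_entry, the single kref that owns the area, the poison-instead-of-free detector and the "init fails on request" device stand-in are all assumptions chosen for the model.

```c
/*
 * Added model of the area_cache_get() ordering bug (CVE-2022-3545), not
 * the nfp driver's code. Names, the kref ownership model and the
 * poison-based detector are assumptions for the demonstration.
 * Build: cc -std=c11 -Wall -Wextra area_cache_demo.c && ./a.out
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct nfp_cpp_area. When kref reaches zero the object is
 * poisoned and marked freed instead of passed to free(), so a later access
 * is detected deterministically (the role KASAN played in the report). */
struct area {
	int kref;
	int freed;
	uint32_t target_id;	/* programmed by area_init(): the flagged write */
	uint64_t base;
};

/* Stand-in for struct nfp_cpp_area_cache. id != 0 is what the reuse path
 * reads as "this slot holds one acquired reference on area". */
struct cache_entry {
	uint32_t id;
	uint64_t addr;
	uint64_t size;
	struct area *area;
};

struct result {
	int uaf_hits;		/* accesses to an area after it was "freed" */
	int final_kref;
	uint32_t final_id;
};

static int uaf_hits;

static struct area *area_alloc(void)
{
	struct area *a = calloc(1, sizeof(*a));
	if (!a)
		abort();
	a->kref = 1;	/* base reference owned by the cache slot (assumption) */
	return a;
}

static void area_put(struct area *a)
{
	if (--a->kref == 0) {
		a->freed = 1;
		a->target_id = 0xdeadbeef;	/* poison */
	}
}

static void area_acquire(struct area *a) { a->kref++; }
static void area_release(struct area *a) { area_put(a); }

/* Emulated device stand-in: rejects the mapping when fail != 0. */
static int area_init(struct area *a, uint32_t id, uint64_t base, int fail)
{
	if (a->freed)
		uaf_hits++;	/* write into freed memory */
	if (fail)
		return -1;
	a->target_id = id;
	a->base = base;
	return 0;
}

/* Slot reuse as in area_cache_get(): drop the old mapping if the slot says
 * it holds one, then re-init and re-acquire for the new id. `fixed` picks
 * where cache->id is assigned. */
static int cache_get(struct cache_entry *c, uint32_t id, uint64_t addr,
		     int init_fails, int fixed)
{
	if (c->id) {
		area_release(c->area);
		c->id = 0;
		c->addr = 0;
	}
	uint64_t base = addr & ~(c->size - 1);

	if (!fixed)
		c->id = id;	/* buggy order: published before init/acquire */

	if (area_init(c->area, id, base, init_fails) < 0)
		return -1;	/* buggy: id stays set, no reference was taken */

	area_acquire(c->area);
	if (fixed)
		c->id = id;	/* fixed order: id now matches the held reference */
	c->addr = base;
	return 0;
}

/* Sequence from the report: good mapping, reuse whose init fails, reuse. */
static struct result run_scenario(int fixed)
{
	struct cache_entry slot = { .size = 0x1000, .area = area_alloc() };
	struct result r;

	uaf_hits = 0;
	(void)cache_get(&slot, 7, 0x1000, 0, fixed);	/* kref 2, id 7 */
	(void)cache_get(&slot, 9, 0x2000, 1, fixed);	/* release -> kref 1, init fails */
	(void)cache_get(&slot, 11, 0x3000, 0, fixed);	/* buggy: stale id 9 -> kref 0 -> freed, then written */

	r.uaf_hits = uaf_hits;
	r.final_kref = slot.area->kref;
	r.final_id = slot.id;
	free(slot.area);
	return r;
}

int main(void)
{
	struct result bug = run_scenario(0), fix = run_scenario(1);

	printf("buggy order: %d freed-object access(es), kref %d\n",
	       bug.uaf_hits, bug.final_kref);
	printf("fixed order: %d freed-object access(es), kref %d\n",
	       fix.uaf_hits, fix.final_kref);
	return bug.uaf_hits == 1 && fix.uaf_hits == 0 ? 0 : 1;
}
```

With the original ordering the third cache_get() sees the stale id left by the failed second call, drops a reference the slot never took, and area_init() then writes into the poisoned object, which is the "Write of size 4" KASAN attributed to nfp6000_area_init. With cache->id assigned only after area_init() and the acquire succeed, the failed call leaves id at 0, the reuse path skips the release, and the refcount stays consistent with what the slot actually holds.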