|
Re: Backporting of security patches for Intel i40e drivers required?
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Jan-san,
toggle quoted messageShow quoted text
Thanks for your response. Best regards, -- M. Kudo
-----Original Message-----
|
|
|
|
Release v4.19.150-cip36 and v4.4.238-cip50
Nobuhiro Iwamatsu
Hi,
CIP kernel team has released Linux kernel v4.19.150-cip36 and v4.4.238-cip50. The linux-4.19.y-cip tree has been updated base version to v4.19.150, and the linux-4.4.y-cip tree has been updated base version to v4.4.238 with audio support for iwg21d-q7 board. And this release includes a patch for ravb (77972b55fb9d: Revert "ravb: Fixed to be able to unload modules" ). This fixed the ethernet issue of Renesas SoCs temporarily. You can get this release via the git tree at: v4.19.150-cip36: repository: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git branch: linux-4.19.y-cip commit hash: 946cd6c834661fa97c8dc914c95fc8a90a111676 added commits: CIP: Bump version suffix to -cip36 after merge from stable with ravb fix Revert "ravb: Fixed to be able to unload modules" v4.4.238-cip50: repository: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git branch: linux-4.4.y-cip commit hash: e21f6a3128beb731449030d76249db60d380b8dd added commits: CIP: Bump version suffix to -cip50 after merge from stable with ravb fix Revert "ravb: Fixed to be able to unload modules" ARM: dts: r8a7742-iwg21d-q7: Sound DMA support via DVC on DTS ARM: dts: r8a7742-iwg21d-q7: Enable SGTL5000 audio codec ARM: dts: r8a7742: Add audio support dt-bindings: ASoC: renesas,rsnd: Add r8a7742 support Best regards, Nobuhiro
|
|
|
|
Re: Backporting of security patches for Intel i40e drivers required?
Jan Kiszka
Hi all,
toggle quoted messageShow quoted text
given the exposure of such a device but also the fact that I can't tell for sure if/where it's used (not only by us), I would recommend backporting. Jan
On 09.10.20 02:23, nobuhiro1.iwamatsu@... wrote:
Hi, --
Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux
|
|
|
|
Re: Backporting of security patches for Intel i40e drivers required?
Nobuhiro Iwamatsu
Hi,
toggle quoted messageShow quoted text
I have some comment for this issue. https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html https://lore.kernel.org/stable/20200807205517.1740307-1-jesse.brandeburg@intel.com/ There are multiple patches fixed for 4.19, which can be separated by feature. - i40e: add num_vectors checker in iwarp handler This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver"). e3219ce6a7754 is not included in 4.4.y and can be ignored. - i40e: Wrong truncation from u16 to u8 This can be apply in 4.4.y. - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c This issue has been produced by e284fc280473b ("i40e: Add and delete cloud filter"). It is not included in 4.4.y. However, this patch has several different fixes, so some patches need to be applied. --- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c @@ -181,7 +181,7 @@ static inline bool i40e_vc_isvalid_vsi_id(struct i40e_vf *vf, u16 vsi_id) * check for the valid queue id **/ static inline bool i40e_vc_isvalid_queue_id(struct i40e_vf *vf, u16 vsi_id, - u8 qid) + u16 qid) { struct i40e_pf *pf = vf->pf; struct i40e_vsi *vsi = i40e_find_vsi_from_id(pf, vsi_id); - i40e: Memory leak in i40e_config_iwarp_qvlist This issue has been produced by e3219ce6a7754 ("i40e: Add support for client interface for IWARP driver"). e3219ce6a7754 is not included in 4.4.y and can be ignored. Best regards, Nobuhiro
-----Original Message-----
|
|
|
|
Backporting of security patches for Intel i40e drivers required?
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi, Jan-san, All,
At the IRC meeting today, we identified the following new CVEs are not in LTS4.4 yet. - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+ These are for i40e driver for Intel. The kernel team would like to know whether their backporting is needed or not. For details of those CVE checking results, please see the following. https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/merge_requests/75/diffs Regarding the discussion of the IRC meeting, please see the following. https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-08-09.00.log.html Best regards, -- M. Kudo
|
|
|
|
Re: CIP IRC weekly meeting today
Chen-Yu Tsai (Moxa) <wens@...>
On Thu, Oct 8, 2020 at 8:57 AM masashi.kudo@...
<masashi.kudo@...> wrote: I might not make it. Here's this week's update: Five new CVEs: - CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 [net/i40e] - Fixed for mainline and 4.19+ - This is enabled in Siemens x86 configs for both 4.4 and 4.19 and we should probably backport them. - CVE-2020-25643 [hdlc_ppp] - Fixed in all current stable kernels - CVE-2020-26541 [UEFI secure boot] - Fix posted but hasn't landed I also reviewed some patches from Daniel for cip-kernel-sec on the mailing list. ChenYu * Kernel testing
|
|
|
|
Re: [cip-kernel-sec 3/3] issues: fill in the description field of remaining CVEs
Chen-Yu Tsai (Moxa) <wens@...>
On Fri, Sep 25, 2020 at 12:01 PM Daniel Sangorrin
<daniel.sangorrin@...> wrote: Looks like all the new descriptions were copied from MITRE. Reviewed-by: Chen-Yu Tsai (Moxa) <wens@...>
|
|
|
|
Re: [cip-kernel-sec 2/3] report_affected: Delete extra blank lines between CVEs
Chen-Yu Tsai (Moxa) <wens@...>
On Thu, Oct 8, 2020 at 3:59 PM Chen-Yu Tsai <wens@...> wrote:
Jumped the gun. This patch is no longer needed if you use join() to combine the lines.
|
|
|
|
Re: [cip-kernel-sec 2/3] report_affected: Delete extra blank lines between CVEs
Chen-Yu Tsai (Moxa) <wens@...>
On Fri, Sep 25, 2020 at 12:00 PM Daniel Sangorrin
<daniel.sangorrin@...> wrote: Reviewed-by: Chen-Yu Tsai (Moxa) <wens@...> Though these occurrences seem to be very rare. ---
|
|
|
|
Re: [cip-kernel-sec 1/3] report_affected: word-wrap for the 'description'
Chen-Yu Tsai (Moxa) <wens@...>
On Fri, Sep 25, 2020 at 12:00 PM Daniel Sangorrin
<daniel.sangorrin@...> wrote: I believe it would be better to include the "CVE => " string in the full text passed to textwrap. That would make all lines properly wrapped at the given width. Also, textwrap can handle indentation for subsequent lines, so you don't have to handle that yourself. And it might be easier to read if they matched up with the beginning of the description in the first line. Last, you could use join() to combine the lines. So I would rewrite the part as: text = cve_id + ' => ' + kernel_sec.issue.load(cve_id).get('description', 'None') print('\n'.join(textwrap.wrap(text, 80, subsequent_indent=' ' * (len(cve_id) + 4), break_long_words=False))) ChenYu Moxa + print(cve_id, '=>',wrap_description)
|
|
|
|
Re: CIP IRC weekly meeting today
Nobuhiro Iwamatsu
Hi Kudo-san,
toggle quoted messageShow quoted text
Sorry, I can not participate IRC meeting today.
-----Original Message-----No update. 2. Check whether CVE-2020-25284 needs to be backported to 4.4-rtI reviewed 4.4.y-rc. * Kernel testingBest regards, Nobuhiro
|
|
|
|
Re: [ANNOUNCE] v4.19.148-cip35-rt15
Nobuhiro Iwamatsu
Hi,
toggle quoted messageShow quoted text
-----Original Message-----Sorry, this may be wrong. If 151 isn't released this weekend, I'll cherry pick this commit, and release new CIP kernel. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?h=linux-4.19.y&id=1fa5848fae409511eda2c6ee4f8ad9e42a0cb3c1 And I think we can use it to release the cip-rt tree.Best regards, Nobuhiro
|
|
|
|
Re: [ANNOUNCE] v4.19.148-cip35-rt15
Nobuhiro Iwamatsu
Hi Pavel,
toggle quoted messageShow quoted text
-----Original Message-----Yes, I think so. Perhaps 4.19.151 will be released this weekend. And this week is the release week of the CIP kernel. And I think we can use it to release the cip-rt tree. Best regards, Nobuhiro
|
|
|
|
Re: CIP IRC weekly meeting today
Kento Yoshida
Hi Kudo-san and all,
toggle quoted messageShow quoted text
I'll be absent today. And, I'll report here as an alternative to attendance. Both minor updates were once reported, but since they are protracted, I will summarize again here. Major updates: There is no major update this week. Minor updates: 1. Gap assessment for the development process (IEC 62443-4-1): The report from the certification body, whether development process for OSS meets to the IEC 62443-4-1 standard, is delayed. But, perhaps we can get it the end of this week. And then, we'll plan to share the documents on the development process that reflects the feedback from the report. 2. Gap assessment for security features of security packages we suggested (IEC 62443-4-2): We started review security features of security packages we suggested to add as CIP core packages. The completion date is scheduled by the end of December. After this, we'll continue to proceed our suggestion, now it's pended. Regards, Kent
-----Original Message-----
|
|
|
|
CIP IRC weekly meeting today
masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today. *Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting* https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=10&day=8&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248 USWest USEast UK DE TW JP 02:00 05:00 10:00 11:00 17:00 18:00 Channel: * irc:chat.freenode.net:6667/cip Last meeting minutes: https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-01-09.00.log.html Agenda: * Action item 1. Combine root filesystem with kselftest binary - iwamatsu 2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt -> Delete rbd ( Ceph block device ) from 4.4-rt x86 config - iwamatsu -> Done, so will be closed today. * Kernel maintenance updates * Kernel testing * Software update * CIP Security * AOB The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting. Best regards, -- M. Kudo Cybertrust Japan Co., Ltd.
|
|
|
|
Re: [ANNOUNCE] v4.19.148-cip35-rt15
Pavel Machek
Hi!
FYI:Yes, and the revert is now queued to 4.19-stable, too. So.. what do we want to do here? We can merge 4.19.151 to -cip when it is released, and I can then release new -cip-rt that works on renesas boards... Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|
|
Re: [cip-kernel-sec] reports: add script to convert reports to csv format
Daniel Sangorrin <daniel.sangorrin@...>
Hello Ben,
toggle quoted messageShow quoted text
Thanks a lot for your review and sorry for taking your time. We will have an internal review and take your comments into account to prepare a new proposal. Kind regards, Daniel
-----Original Message-----
|
|
|
|
Re: [ANNOUNCE] v4.19.148-cip35-rt15
Nobuhiro Iwamatsu
Hi,
toggle quoted messageShow quoted text
FYI: https://patchwork.ozlabs.org/project/netdev/patch/20200922072931.2148-1-geert+renesas@glider.be/ Best regards, Nobuhiro
-----Original Message-----
|
|
|
|
Re: [cip-kernel-sec] reports: add script to convert reports to csv format
Ben Hutchings <ben.hutchings@...>
On Fri, 2020-09-25 at 14:07 +0900, Daniel Sangorrin wrote:
The text version is probably enough for developers but[...] I think this script is trying to do too many different things: 1. Importing data from NVD 2. Importing data from Debian security tracker 3. Parsing an existing report (!) 4. Generating a new report 1. If there's useful information from NVD that belongs in reports, and the license allows us to redistribute it, we should add an import script that adds that to the issue files (and extend the schema if necessary). We can then use that in any of the reporting scripts. 2. I'm not sure why the script is using Debian's general security tracker. Debian's kernel-sec normally has better information for kernel issues, and the import_debian.py script already imports that. 3. The output of report_affected.py is intended to be human-readable, and just happens to be relatively easy to parse. If you want to use its output as input, that should either be done by adding a structured format (e.g. JSON) for the intermediate file, or by sharing code between the two reporting scripts so there's no need to use an intermediate file. Other comments: - The new script needs to be documented in README.md. - Any files created in the process of importing data should go under the import/ subdirectory. - Error handling needs improvement, e.g.: +def download_file(src, file, bar=""):This doesn't check whether there was a network error; it retries in case of *any* error. The except block should specify which exception types we want to handle. + if not os.path.exists(file):Error messages should go to stderr. + exit(1)This should call sys.exit. Ben. -- Ben Hutchings, Software Developer Codethink Ltd https://www.codethink.co.uk/ Dale House, 35 Dale Street Manchester, M1 2HF, United Kingdom
|
|
|
|
Re: [ANNOUNCE] v4.19.148-cip35-rt15
Nobuhiro Iwamatsu
Hi,
toggle quoted messageShow quoted text
This issue seems to occur randomly. # cip+rt kernel NG: https://lava.ciplatform.org/scheduler/job/57129 https://lava.ciplatform.org/scheduler/job/57842 OK: https://lava.ciplatform.org/scheduler/job/57851 https://lava.ciplatform.org/scheduler/job/57841 # 4.19.148+cip kernel NG: https://lava.ciplatform.org/scheduler/job/58836 OK: https://lava.ciplatform.org/scheduler/job/58837 We may need to confirm these relationships with CIP kernel patches. Best regards, Nobuhiro
-----Original Message-----
|
|
|