June 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] Bluetooth: SCO: Fix not validating setsockopt user input
by Tong Tiangen 07 Jun '24

07 Jun '24

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> stable inclusion from stable-v5.10.216 commit b0e30c37695b614bee69187f86eaf250e36606ce category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRB2 CVE: CVE-2024-35967 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 51eda36d33e43201e7a4fd35232e069b2c850b01 ] syzbot reported sco_sock_setsockopt() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90 net/bluetooth/sco.c:893 Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578 Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option") Fixes: b96e9c671b05 ("Bluetooth: Add BT_DEFER_SETUP option to sco socket") Fixes: 00398e1d5183 ("Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections") Fixes: f6873401a608 ("Bluetooth: Allow setting of codec for HFP offload use case") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- include/net/bluetooth/bluetooth.h | 9 +++++++++ net/bluetooth/sco.c | 19 ++++++++----------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h index 355835639ae5..7d2bd562da4b 100644 --- a/include/net/bluetooth/bluetooth.h +++ b/include/net/bluetooth/bluetooth.h @@ -487,6 +487,15 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk, return skb; } +static inline int bt_copy_from_sockptr(void *dst, size_t dst_size, + sockptr_t src, size_t src_size) +{ + if (dst_size > src_size) + return -EINVAL; + + return copy_from_sockptr(dst, src, dst_size); +} + int bt_to_errno(u16 code); void hci_sock_set_flag(struct sock *sk, int nr); diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c index 3ee342665c97..f9a2993fd452 100644 --- a/net/bluetooth/sco.c +++ b/net/bluetooth/sco.c @@ -829,7 +829,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, sockptr_t optval, unsigned int optlen) { struct sock *sk = sock->sk; - int len, err = 0; + int err = 0; struct bt_voice voice; u32 opt; @@ -845,10 +845,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); @@ -865,11 +864,10 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, voice.setting = sco_pi(sk)->setting; - len = min_t(unsigned int, sizeof(voice), optlen); - if (copy_from_sockptr(&voice, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&voice, sizeof(voice), optval, + optlen); + if (err) break; - } /* Explicitly check for these values */ if (voice.setting != BT_VOICE_TRANSPARENT && @@ -882,10 +880,9 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname, break; case BT_PKT_STATUS: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) sco_pi(sk)->cmsg_mask |= SCO_CMSG_PKT_STATUS; -- 2.25.1

2 1

[openeuler:openEuler-1.0-LTS] BUILD REGRESSION bc352912f825241ca0aa170080d3807ba4a67d72
by kernel test robot 07 Jun '24

07 Jun '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS branch HEAD: bc352912f825241ca0aa170080d3807ba4a67d72 !8620 CVE-2024-35896 Error/Warning ids grouped by kconfigs: gcc_recent_errors |-- arm64-allmodconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code |-- arm64-defconfig | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:ISO-C90-forbids-mixed-declarations-and-code |-- x86_64-buildonly-randconfig-002-20240607 | `-- fs-f2fs-recovery.o:warning:objtool:missing-symbol-for-section-.init.text `-- x86_64-buildonly-randconfig-005-20240607 `-- mm-memory_hotplug.c:warning:start-may-be-used-uninitialized clang_recent_errors |-- x86_64-allyesconfig | |-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension | `-- fs-f2fs-.tmp_recovery.o:warning:objtool:missing-symbol-for-section-.init.text |-- x86_64-randconfig-004-20240607 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension |-- x86_64-randconfig-015-20240607 | `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension `-- x86_64-randconfig-072-20240607 `-- drivers-gpu-drm-nouveau-nvkm-core-object.c:warning:mixing-declarations-and-code-is-a-C99-extension elapsed time: 1010m configs tested: 32 configs skipped: 147 tested configs: arm64 allmodconfig gcc arm64 allnoconfig gcc arm64 defconfig gcc arm64 randconfig-001-20240607 gcc arm64 randconfig-002-20240607 gcc arm64 randconfig-003-20240607 gcc arm64 randconfig-004-20240607 gcc x86_64 allnoconfig clang x86_64 allyesconfig clang x86_64 buildonly-randconfig-001-20240607 gcc x86_64 buildonly-randconfig-002-20240607 gcc x86_64 buildonly-randconfig-003-20240607 clang x86_64 buildonly-randconfig-004-20240607 gcc x86_64 buildonly-randconfig-005-20240607 gcc x86_64 buildonly-randconfig-006-20240607 clang x86_64 defconfig gcc x86_64 randconfig-001-20240607 gcc x86_64 randconfig-002-20240607 gcc x86_64 randconfig-003-20240607 clang x86_64 randconfig-004-20240607 clang x86_64 randconfig-005-20240607 clang x86_64 randconfig-006-20240607 gcc x86_64 randconfig-011-20240607 gcc x86_64 randconfig-012-20240607 clang x86_64 randconfig-013-20240607 gcc x86_64 randconfig-014-20240607 gcc x86_64 randconfig-015-20240607 clang x86_64 randconfig-016-20240607 clang x86_64 randconfig-071-20240607 gcc x86_64 randconfig-072-20240607 clang x86_64 randconfig-073-20240607 gcc x86_64 rhel-8.3-rust clang -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
by Xiang Yang 06 Jun '24

06 Jun '24

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> stable inclusion from stable-v4.19.315 commit 7d303dee473ba3529d75b63491e9963342107bed category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S26U CVE: CVE-2023-52880 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 67c37756898a5a6b2941a13ae7260c89b54e0d88 upstream. Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com Cc: Salvatore Bonaccorso <carnil(a)debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- drivers/tty/n_gsm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 05d9064b4ee7..10ccad12c92b 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2356,6 +2356,9 @@ static int gsmld_open(struct tty_struct *tty) struct gsm_mux *gsm; int ret; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tty->ops->write == NULL) return -EINVAL; -- 2.34.1

2 1

[PATCH OLK-5.10] tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
by Xiang Yang 06 Jun '24

06 Jun '24

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> stable inclusion from stable-v5.10.215 commit ada28eb4b9561aab93942f3224a2e41d76fe57fa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9S26U CVE: CVE-2023-52880 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 67c37756898a5a6b2941a13ae7260c89b54e0d88 upstream. Any unprivileged user can attach N_GSM0710 ldisc, but it requires CAP_NET_ADMIN to create a GSM network anyway. Require initial namespace CAP_NET_ADMIN to do that. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com Cc: Salvatore Bonaccorso <carnil(a)debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- drivers/tty/n_gsm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index fa49529682ce..c20f69a4c5e9 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2661,6 +2661,9 @@ static int gsmld_open(struct tty_struct *tty) { struct gsm_mux *gsm; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + if (tty->ops->write == NULL) return -EINVAL; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] netrom: Decrease sock refcount when sock timers expire
by Hui Tang 06 Jun '24

06 Jun '24

From: Nguyen Dinh Phi <phind.uet(a)gmail.com> stable inclusion from stable-v4.19.199 commit 9619cc7d97c3aa8ed3cfd2b8678b74fb6d6c7950 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4JQ CVE: CVE-2021-47294 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ] Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use sock timer API. It replaces mod_timer() by sk_reset_timer(), and del_timer() by sk_stop_timer(). Function sk_reset_timer() will increase the refcount of sock if it is called on an inactive timer, hence, in case the timer expires, we need to decrease the refcount ourselves in the handler, otherwise, the sock refcount will be unbalanced and the sock will never be freed. Signed-off-by: Nguyen Dinh Phi <phind.uet(a)gmail.com> Reported-by: syzbot+10f1194569953b72f1ae(a)syzkaller.appspotmail.com Fixes: 63346650c1a9 ("netrom: switch to sock timer API") Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Hui Tang <tanghui20(a)huawei.com> --- net/netrom/nr_timer.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c index 908e53ab47a4..426d49609524 100644 --- a/net/netrom/nr_timer.c +++ b/net/netrom/nr_timer.c @@ -124,11 +124,9 @@ static void nr_heartbeat_expiry(struct timer_list *t) is accepted() it isn't 'dead' so doesn't get removed. */ if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) { - sock_hold(sk); bh_unlock_sock(sk); nr_destroy_socket(sk); - sock_put(sk); - return; + goto out; } break; @@ -149,6 +147,8 @@ static void nr_heartbeat_expiry(struct timer_list *t) nr_start_heartbeat(sk); bh_unlock_sock(sk); +out: + sock_put(sk); } static void nr_t2timer_expiry(struct timer_list *t) @@ -162,6 +162,7 @@ static void nr_t2timer_expiry(struct timer_list *t) nr_enquiry_response(sk); } bh_unlock_sock(sk); + sock_put(sk); } static void nr_t4timer_expiry(struct timer_list *t) @@ -172,6 +173,7 @@ static void nr_t4timer_expiry(struct timer_list *t) bh_lock_sock(sk); nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY; bh_unlock_sock(sk); + sock_put(sk); } static void nr_idletimer_expiry(struct timer_list *t) @@ -200,6 +202,7 @@ static void nr_idletimer_expiry(struct timer_list *t) sock_set_flag(sk, SOCK_DEAD); } bh_unlock_sock(sk); + sock_put(sk); } static void nr_t1timer_expiry(struct timer_list *t) @@ -212,8 +215,7 @@ static void nr_t1timer_expiry(struct timer_list *t) case NR_STATE_1: if (nr->n2count == nr->n2) { nr_disconnect(sk, ETIMEDOUT); - bh_unlock_sock(sk); - return; + goto out; } else { nr->n2count++; nr_write_internal(sk, NR_CONNREQ); @@ -223,8 +225,7 @@ static void nr_t1timer_expiry(struct timer_list *t) case NR_STATE_2: if (nr->n2count == nr->n2) { nr_disconnect(sk, ETIMEDOUT); - bh_unlock_sock(sk); - return; + goto out; } else { nr->n2count++; nr_write_internal(sk, NR_DISCREQ); @@ -234,8 +235,7 @@ static void nr_t1timer_expiry(struct timer_list *t) case NR_STATE_3: if (nr->n2count == nr->n2) { nr_disconnect(sk, ETIMEDOUT); - bh_unlock_sock(sk); - return; + goto out; } else { nr->n2count++; nr_requeue_frames(sk); @@ -244,5 +244,7 @@ static void nr_t1timer_expiry(struct timer_list *t) } nr_start_t1timer(sk); +out: bh_unlock_sock(sk); + sock_put(sk); } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS v2 0/7] arm64 mpam fix patch
by Yu Liao 06 Jun '24

06 Jun '24

Some bugfix patches to address mpam issues. Yu Liao (7): mpam/resctrl: Fix a deadlock due to inaccurate reference mpam/resctrl: Clean up unused function parameter in mkdir path mpam/resctrl: Clean up resctrl_group_rmdir_[ctrl/mon]() mpam/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup arm64/mpam: change allocation mode from GFP_KERNEL to GFP_NOWAIT arm64/mpam: Fix wrong seconds to jiffies conversion arm64/mpam: Fix softlockup when reading mondata arch/arm64/kernel/mpam/mpam_ctrlmon.c | 3 ++ arch/arm64/kernel/mpam/mpam_resctrl.c | 6 +-- fs/resctrlfs.c | 57 ++++++++++----------------- 3 files changed, 27 insertions(+), 39 deletions(-) -- 2.33.0

2 8

[PATCH openEuler-22.03-LTS-SP1] smb: client: fix UAF in smb2_reconnect_server()
by Long Li 06 Jun '24

06 Jun '24

From: Paulo Alcantara <pc(a)manguebit.com> mainline inclusion from mainline-v6.9-rc2 commit 24a9799aa8efecd0eb55a75e35f9d8e6400063aa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG1A CVE: CVE-2024-35870 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/cifs/connect.c fs/smb/client/connect.c [Path is changed and related functions has been refactored for a long time] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/cifs/connect.c | 48 ++++++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 5cf5b58b9b66..0290c573db89 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -455,6 +455,8 @@ cifs_reconnect(struct TCP_Server_Info *server) spin_lock(&cifs_tcp_ses_lock); list_for_each(tmp, &server->smb_ses_list) { ses = list_entry(tmp, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; ses->need_reconnect = true; list_for_each(tmp2, &ses->tcon_list) { tcon = list_entry(tmp2, struct cifs_tcon, tcon_list); @@ -2814,34 +2816,6 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb_vol *volume_info) return rc; } -/** - * cifs_free_ipc - helper to release the session IPC tcon - * - * Needs to be called everytime a session is destroyed - */ -static int -cifs_free_ipc(struct cifs_ses *ses) -{ - int rc = 0, xid; - struct cifs_tcon *tcon = ses->tcon_ipc; - - if (tcon == NULL) - return 0; - - if (ses->server->ops->tree_disconnect) { - xid = get_xid(); - rc = ses->server->ops->tree_disconnect(xid, tcon); - free_xid(xid); - } - - if (rc) - cifs_dbg(FYI, "failed to disconnect IPC tcon (rc=%d)\n", rc); - - tconInfoFree(tcon); - ses->tcon_ipc = NULL; - return rc; -} - static struct cifs_ses * cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) { @@ -2863,8 +2837,9 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) void cifs_put_smb_ses(struct cifs_ses *ses) { - unsigned int rc, xid; + unsigned int rc = 0, xid; struct TCP_Server_Info *server = ses->server; + struct cifs_tcon *tcon = NULL; cifs_dbg(FYI, "%s: ses_count=%d\n", __func__, ses->ses_count); @@ -2881,10 +2856,23 @@ void cifs_put_smb_ses(struct cifs_ses *ses) spin_lock(&GlobalMid_Lock); if (ses->status == CifsGood) ses->status = CifsExiting; + tcon = ses->tcon_ipc; + ses->tcon_ipc = NULL; spin_unlock(&GlobalMid_Lock); spin_unlock(&cifs_tcp_ses_lock); - cifs_free_ipc(ses); + if (tcon) { + if (ses->server->ops->tree_disconnect) { + xid = get_xid(); + rc = ses->server->ops->tree_disconnect(xid, tcon); + free_xid(xid); + } + + if (rc) + cifs_dbg(FYI, "failed to disconnect IPC tcon (rc=%d)\n", rc); + + tconInfoFree(tcon); + } if (ses->status == CifsExiting && server->ops->logoff) { xid = get_xid(); -- 2.39.2

2 1

[PATCH OLK-5.10] smb: client: fix UAF in smb2_reconnect_server()
by Long Li 06 Jun '24

06 Jun '24

From: Paulo Alcantara <pc(a)manguebit.com> mainline inclusion from mainline-v6.9-rc2 commit 24a9799aa8efecd0eb55a75e35f9d8e6400063aa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG1A CVE: CVE-2024-35870 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? __list_del_entry_valid_or_report+0x33/0xf0 __cifs_put_smb_ses+0x1ae/0x500 [cifs] smb2_reconnect_server+0x4ed/0x710 [cifs] process_one_work+0x205/0x6b0 worker_thread+0x191/0x360 ? __pfx_worker_thread+0x10/0x10 kthread+0xe2/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/cifs/connect.c fs/smb/client/connect.c [Path is changed and related functions has been refactored for a long time] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/cifs/connect.c | 48 ++++++++++++++++++----------------------------- 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index f6a7e25ce234..5a688129b5ca 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -455,6 +455,8 @@ cifs_reconnect(struct TCP_Server_Info *server) spin_lock(&cifs_tcp_ses_lock); list_for_each(tmp, &server->smb_ses_list) { ses = list_entry(tmp, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; ses->need_reconnect = true; list_for_each(tmp2, &ses->tcon_list) { tcon = list_entry(tmp2, struct cifs_tcon, tcon_list); @@ -2814,34 +2816,6 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb_vol *volume_info) return rc; } -/** - * cifs_free_ipc - helper to release the session IPC tcon - * - * Needs to be called everytime a session is destroyed - */ -static int -cifs_free_ipc(struct cifs_ses *ses) -{ - int rc = 0, xid; - struct cifs_tcon *tcon = ses->tcon_ipc; - - if (tcon == NULL) - return 0; - - if (ses->server->ops->tree_disconnect) { - xid = get_xid(); - rc = ses->server->ops->tree_disconnect(xid, tcon); - free_xid(xid); - } - - if (rc) - cifs_dbg(FYI, "failed to disconnect IPC tcon (rc=%d)\n", rc); - - tconInfoFree(tcon); - ses->tcon_ipc = NULL; - return rc; -} - static struct cifs_ses * cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) { @@ -2863,8 +2837,9 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) void cifs_put_smb_ses(struct cifs_ses *ses) { - unsigned int rc, xid; + unsigned int rc = 0, xid; struct TCP_Server_Info *server = ses->server; + struct cifs_tcon *tcon = NULL; cifs_dbg(FYI, "%s: ses_count=%d\n", __func__, ses->ses_count); @@ -2881,10 +2856,23 @@ void cifs_put_smb_ses(struct cifs_ses *ses) spin_lock(&GlobalMid_Lock); if (ses->status == CifsGood) ses->status = CifsExiting; + tcon = ses->tcon_ipc; + ses->tcon_ipc = NULL; spin_unlock(&GlobalMid_Lock); spin_unlock(&cifs_tcp_ses_lock); - cifs_free_ipc(ses); + if (tcon) { + if (ses->server->ops->tree_disconnect) { + xid = get_xid(); + rc = ses->server->ops->tree_disconnect(xid, tcon); + free_xid(xid); + } + + if (rc) + cifs_dbg(FYI, "failed to disconnect IPC tcon (rc=%d)\n", rc); + + tconInfoFree(tcon); + } if (ses->status == CifsExiting && server->ops->logoff) { xid = get_xid(); -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] btrfs: fix deadlock with fiemap and extent locking
by Zizhi Wo 06 Jun '24

06 Jun '24

From: Josef Bacik <josef(a)toxicpanda.com> stable inclusion from stable-v6.6.24 commit ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8ZZ CVE: CVE-2024-35784 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- commit b0ad381fa7690244802aed119b478b4bdafc31dd upstream. While working on the patchset to remove extent locking I got a lockdep splat with fiemap and pagefaulting with my new extent lock replacement lock. This deadlock exists with our normal code, we just don't have lockdep annotations with the extent locking so we've never noticed it. Since we're copying the fiemap extent to user space on every iteration we have the chance of pagefaulting. Because we hold the extent lock for the entire range we could mkwrite into a range in the file that we have mmap'ed. This would deadlock with the following stack trace [<0>] lock_extent+0x28d/0x2f0 [<0>] btrfs_page_mkwrite+0x273/0x8a0 [<0>] do_page_mkwrite+0x50/0xb0 [<0>] do_fault+0xc1/0x7b0 [<0>] __handle_mm_fault+0x2fa/0x460 [<0>] handle_mm_fault+0xa4/0x330 [<0>] do_user_addr_fault+0x1f4/0x800 [<0>] exc_page_fault+0x7c/0x1e0 [<0>] asm_exc_page_fault+0x26/0x30 [<0>] rep_movs_alternative+0x33/0x70 [<0>] _copy_to_user+0x49/0x70 [<0>] fiemap_fill_next_extent+0xc8/0x120 [<0>] emit_fiemap_extent+0x4d/0xa0 [<0>] extent_fiemap+0x7f8/0xad0 [<0>] btrfs_fiemap+0x49/0x80 [<0>] __x64_sys_ioctl+0x3e1/0xb50 [<0>] do_syscall_64+0x94/0x1a0 [<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 I wrote an fstest to reproduce this deadlock without my replacement lock and verified that the deadlock exists with our existing locking. To fix this simply don't take the extent lock for the entire duration of the fiemap. This is safe in general because we keep track of where we are when we're searching the tree, so if an ordered extent updates in the middle of our fiemap call we'll still emit the correct extents because we know what offset we were on before. The only place we maintain the lock is searching delalloc. Since the delalloc stuff can change during writeback we want to lock the extent range so we have a consistent view of delalloc at the time we're checking to see if we need to set the delalloc flag. With this patch applied we no longer deadlock with my testcase. CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: fs/btrfs/extent_io.c [The key to fixing the patch is the fiemap_process_hole function, which locks only before querying delalloc. Earlier versions do not have this function, and adaptation requires a lot of refactoring patches. So do something similar directly in the get_extent_skip_holes function, which contains the logic to query delalloc.] Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/btrfs/extent_io.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index b20021c501d7..7d608dbae970 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -4332,12 +4332,31 @@ static struct extent_map *get_extent_skip_holes(struct inode *inode, return NULL; while (1) { + struct extent_state *cached_state = NULL; + u64 lockstart; + u64 lockend; + len = last - offset; if (len == 0) break; len = ALIGN(len, sectorsize); + lockstart = round_down(offset, sectorsize); + lockend = round_up(offset + len, sectorsize) - 1; + + /* + * We are only locking for the delalloc range because that's the + * only thing that can change here. With fiemap we have a lock + * on the inode, so no buffered or direct writes can happen. + * + * However mmaps and normal page writeback will cause this to + * change arbitrarily. We have to lock the extent lock here to + * make sure that nobody messes with the tree while we're doing + * btrfs_find_delalloc_in_range. + */ + lock_extent_bits(&BTRFS_I(inode)->io_tree, lockstart, lockend, &cached_state); em = btrfs_get_extent_fiemap(BTRFS_I(inode), NULL, 0, offset, len, 0); + unlock_extent_cached(&BTRFS_I(inode)->io_tree, lockstart, lockend, &cached_state); if (IS_ERR_OR_NULL(em)) return em; @@ -4481,7 +4500,6 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, u64 isize = i_size_read(inode); struct btrfs_key found_key; struct extent_map *em = NULL; - struct extent_state *cached_state = NULL; struct btrfs_path *path; struct btrfs_root *root = BTRFS_I(inode)->root; struct fiemap_cache cache = { 0 }; @@ -4547,9 +4565,6 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, last_for_get_extent = isize; } - lock_extent_bits(&BTRFS_I(inode)->io_tree, start, start + len - 1, - &cached_state); - em = get_extent_skip_holes(inode, start, last_for_get_extent); if (!em) goto out; @@ -4662,8 +4677,6 @@ int extent_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, free_extent_map(em); out: btrfs_free_path(path); - unlock_extent_cached(&BTRFS_I(inode)->io_tree, start, start + len - 1, - &cached_state); return ret; } -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] memory: fsl_ifc: fix leak of IO mapping on probe failure
by Tong Tiangen 06 Jun '24

06 Jun '24

From: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> stable inclusion from stable-v4.19.198 commit 94bc2fe46102d1e060fc749c0c19511e76c9995f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RKXC CVE: CVE-2021-47315 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3b132ab67fc7a358fff35e808fa65d4bea452521 ] On probe error the driver should unmap the IO memory. Smatch reports: drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298. Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller") Reported-by: kernel test robot <lkp(a)intel.com> Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> Link: https://lore.kernel.org/r/20210527154322.81253-1-krzysztof.kozlowski@canoni… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- drivers/memory/fsl_ifc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c index 1272e8886a42..38b945eb410f 100644 --- a/drivers/memory/fsl_ifc.c +++ b/drivers/memory/fsl_ifc.c @@ -231,8 +231,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) fsl_ifc_ctrl_dev->gregs = of_iomap(dev->dev.of_node, 0); if (!fsl_ifc_ctrl_dev->gregs) { dev_err(&dev->dev, "failed to get memory region\n"); - ret = -ENODEV; - goto err; + return -ENODEV; } if (of_property_read_bool(dev->dev.of_node, "little-endian")) { @@ -308,6 +307,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev); irq_dispose_mapping(fsl_ifc_ctrl_dev->irq); err: + iounmap(fsl_ifc_ctrl_dev->gregs); return ret; } -- 2.25.1

2 1