Kernel

kernel@openeuler.org

September 2024

  • 84 participants
  • 915 discussions
[PATCH OLK-5.10 0/3] btrfs: do not WARN_ON() if we have PageError set
by Yu Kuai 04 Sep '24

Josef Bacik (1):
  btrfs: do not WARN_ON() if we have PageError set

Qu Wenruo (2):
  btrfs: handle sectorsize < PAGE_SIZE case for extent buffer accessors
  btrfs: support page uptodate assertions in subpage mode

 fs/btrfs/ctree.c        |   3 +-
 fs/btrfs/ctree.h        |  38 ++++++++++++-
 fs/btrfs/extent_io.c    | 116 +++++++++++++++++++++++++++-------------
 fs/btrfs/struct-funcs.c |  18 ++++---
 4 files changed, 127 insertions(+), 48 deletions(-)

--
2.39.2
[PATCH OLK-6.6] ext4: Track data blocks freeing operation in journal
by Zhihao Cheng 04 Sep '24

Offering: HULK hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9DN5Z -------------------------------- Since commit 7f6416dcd4a3f ("ext4: implement writeback iomap path"), the order mode is removed in iomap framework, which lets ext4_mb_clear_bb() free data blocks immediately. It may cause stale data read from truncated file in power-cut case. Following is details: P1 P2 vfs_truncate(file A) ext4_setattr EXT4_I(inode)->i_disksize = attr->ia_size // record in journal ext4_truncate ext4_mb_clear_bb mb_free_blocks // free block i vfs_write(file B) // get block i and writeback >> powercut << In the next mount, inode size and extent tree is stale(before truncated), the content in block i is file B. Fix the problem by tracking free data blocks in journal for iomap/non-writeback case. Fixes: 7f6416dcd4a3 ("ext4: implement writeback iomap path") Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Signed-off-by: Zhihao Cheng <chengzhihao(a)huaweicloud.com> --- fs/ext4/ext4_jbd2.c | 6 ------ fs/ext4/ext4_jbd2.h | 7 +++++++ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c index 94c8073b49e7..d1a2e6624401 100644 --- a/fs/ext4/ext4_jbd2.c +++ b/fs/ext4/ext4_jbd2.c @@ -11,12 +11,6 @@ int ext4_inode_journal_mode(struct inode *inode) { if (EXT4_JOURNAL(inode) == NULL) return EXT4_INODE_WRITEBACK_DATA_MODE; /* writeback */ - /* - * Ordered mode is no longer needed for the inode that use the - * iomap path, always use writeback mode. - */ - if (ext4_test_inode_state(inode, EXT4_STATE_BUFFERED_IOMAP)) - return EXT4_INODE_WRITEBACK_DATA_MODE; /* writeback */ /* We do not support data journalling with delayed allocation */ if (!S_ISREG(inode->i_mode) || ext4_test_inode_flag(inode, EXT4_INODE_EA_INODE) || diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h index 0c77697d5e90..c52d1caf6622 100644 --- a/fs/ext4/ext4_jbd2.h +++ b/fs/ext4/ext4_jbd2.h 
@@ -467,6 +467,13 @@ static inline int ext4_should_journal_data(struct inode *inode) static inline int ext4_should_order_data(struct inode *inode) { + /* + * Ordered mode is no longer needed for the inode that use the + * iomap path, always use writeback mode. + */ + if (ext4_test_inode_state(inode, EXT4_STATE_BUFFERED_IOMAP)) + return 0; /* writeback */ + return ext4_inode_journal_mode(inode) & EXT4_INODE_ORDERED_DATA_MODE; } -- 2.31.1
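Review bot: With the early return dropped from ext4_inode_journal_mode() in fs/ext4/ext4_jbd2.c, an inode with EXT4_STATE_BUFFERED_IOMAP now falls through to the later checks, so every caller of ext4_inode_journal_mode(), including ext4_should_journal_data() named in the second hunk's header, sees a different mode than before, not only the block-freeing path the changelog is about. Please say in the changelog which callers were checked and how the changed return value makes ext4_mb_clear_bb() track the freed blocks in the journal, since neither is visible in the diff.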
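Review bot: The comment moved into ext4_should_order_data() in fs/ext4/ext4_jbd2.h still says "always use writeback mode", and the new line reads "return 0; /* writeback */", but after this patch ext4_inode_journal_mode() no longer reports writeback for these inodes; only the ordered-data helper is short-circuited. Reword the comment to say that ordered-mode handling is skipped for EXT4_STATE_BUFFERED_IOMAP inodes while the journal mode itself is left as configured, so the two functions do not look contradictory to the next reader.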
[Important] Requirements collection for openEuler 24.03 LTS SP1 is under way; please submit the features to be merged to the release plan
by Sujinling 04 Sep '24

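Hello everyone, openEuler 24.03 LTS SP1 is an enhanced extension release of the 24.03-LTS version based on the 6.6 kernel. Requirements collection is starting according to the release plan, and all SIG maintainers, partners and community developers are welcome to give feedback and join the discussion. Please submit the list of features to be merged to the release plan. Thank you! Detailed release plan for openEuler 24.03 LTS SP1: https://gitee.com/openeuler/release-management/blob/master/openEuler-24.03-… Link to the requirements application process; please follow its steps when submitting, choose "requirement" as the issue type, and start the issue title with [openEuler-24.03 LTS SP1]: https://gitee.com/openeuler/release-management/blob/master/Goverance/openEu… Thanks & best regards, 苏锦铃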
[PATCH openEuler-22.03-LTS-SP1] fuse: Initialize beyond-EOF page contents before setting uptodate
by Yifan Qiao 04 Sep '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.48 commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOAMF CVE: CVE-2024-44947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream. fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter). Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574 Cc: stable(a)kernel.org Fixes: a1d75f258230 ("fuse: add store request") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/fuse/dev.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 8ac91ba05d6d..e6cbed7aedcb 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c 
@@ -1627,9 +1627,11 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size, this_num = min_t(unsigned, num, PAGE_SIZE - offset); err = fuse_copy_page(cs, &page, offset, this_num, 0); - if (!err && offset == 0 && - (this_num == PAGE_SIZE || file_size == end)) + if (!PageUptodate(page) && !err && offset == 0 && + (this_num == PAGE_SIZE || file_size == end)) { + zero_user_segment(page, this_num, PAGE_SIZE); SetPageUptodate(page); + } unlock_page(page); put_page(page); -- 2.39.2
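Review bot: The new zero_user_segment(page, this_num, PAGE_SIZE) call sits inside a condition that is also true when this_num == PAGE_SIZE, where it zeroes an empty range; that is harmless, but the hunk carries no comment saying the zeroing is for the file_size == end case, where the copied data stops short of the end of the page. A one-line comment above the call, for example "zero the part of the page beyond EOF before marking it uptodate", would keep the reason next to the code rather than only in the changelog.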
[PATCH OLK-5.10] fuse: Initialize beyond-EOF page contents before setting uptodate
by Yifan Qiao 04 Sep '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.48 commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOAMF CVE: CVE-2024-44947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream. fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter). Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574 Cc: stable(a)kernel.org Fixes: a1d75f258230 ("fuse: add store request") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/fuse/dev.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 8ac91ba05d6d..e6cbed7aedcb 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c 
@@ -1627,9 +1627,11 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size, this_num = min_t(unsigned, num, PAGE_SIZE - offset); err = fuse_copy_page(cs, &page, offset, this_num, 0); - if (!err && offset == 0 && - (this_num == PAGE_SIZE || file_size == end)) + if (!PageUptodate(page) && !err && offset == 0 && + (this_num == PAGE_SIZE || file_size == end)) { + zero_user_segment(page, this_num, PAGE_SIZE); SetPageUptodate(page); + } unlock_page(page); put_page(page); -- 2.39.2
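Review bot: The added !PageUptodate(page) test at the front of the condition also skips the tail zeroing for a page that is already uptodate, so correctness there depends on that page having been fully initialized by whoever set the flag earlier. That matches the changelog's intent, but it is worth stating in a comment next to the test, and worth confirming for this branch that no other path in fs/fuse marks a page uptodate without initializing the beyond-EOF part.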
[PATCH OLK-6.6] fuse: Initialize beyond-EOF page contents before setting uptodate
by Yifan Qiao 04 Sep '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.48 commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOAMF CVE: CVE-2024-44947 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream. fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter). Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574 Cc: stable(a)kernel.org Fixes: a1d75f258230 ("fuse: add store request") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/fuse/dev.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 1a8f82f478cb..8573d79ef29c 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c 
@@ -1618,9 +1618,11 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size, this_num = min_t(unsigned, num, PAGE_SIZE - offset); err = fuse_copy_page(cs, &page, offset, this_num, 0); - if (!err && offset == 0 && - (this_num == PAGE_SIZE || file_size == end)) + if (!PageUptodate(page) && !err && offset == 0 && + (this_num == PAGE_SIZE || file_size == end)) { + zero_user_segment(page, this_num, PAGE_SIZE); SetPageUptodate(page); + } unlock_page(page); put_page(page); -- 2.39.2
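Review bot: fuse_copy_page() has already written into the page by the time the new block runs, and when it returns an error the block is skipped, so the page goes to unlock_page()/put_page() with partly copied and possibly uninitialized contents. Because the page is not marked uptodate in that case the data is not handed out, but the hunk does not say that this is relied upon; a short comment on the error path would make the invariant explicit for the next change to this condition.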
[PATCH openEuler-1.0-LTS V2] cifs: Fix pages leak when cifs_writedata allocate fails in cifs_writedata_direct_alloc()
by Zizhi Wo 04 Sep '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAOH1I -------------------------------- The function cifs_writedata_alloc() first allocates pages and then executes cifs_writedata_direct_alloc(). If the subsequent allocation of wdata fails, the previously allocated pages are not released, leading to a memory leak: hex dump (first 8 bytes): 00 00 00 00 00 00 00 00 ........ backtrace: [<00000000c2b9cca5>] cifs_write_from_iter.isra.0+0x103/0x730 [<0000000069a4b2e6>] cifs_user_writev+0x138/0x280 [<00000000bfdbeacd>] __vfs_write+0x12b/0x190 [<00000000460567cf>] vfs_write+0xac/0x1a0 [<00000000f92e5dfc>] ksys_write+0x43/0xb0 [<0000000094ddd57e>] do_syscall_64+0x63/0x220 [<0000000055ce26ff>] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 [<00000000359223fa>] 0xffffffffffffffff This issue can be avoided by promptly using kvfree. Fixes: 8e7360f67e75 ("CIFS: Add support for direct pages in wdata") Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/cifs/cifssmb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c index cb70f0c6aa1b..7950c906e7b3 100644 --- a/fs/cifs/cifssmb.c +++ b/fs/cifs/cifssmb.c @@ -2129,6 +2129,8 @@ cifs_writedata_direct_alloc(struct page **pages, work_func_t complete) INIT_LIST_HEAD(&wdata->list); init_completion(&wdata->done); INIT_WORK(&wdata->work, complete); + } else { + kvfree(pages); } return wdata; } -- 2.39.2
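Review bot: The new else branch in cifs_writedata_direct_alloc() frees the caller-supplied pages array when the wdata allocation fails, which changes the ownership contract of the function: any caller that still frees or walks pages after a NULL return now hits a double free or use after free. Please audit every caller of cifs_writedata_direct_alloc(), not only cifs_writedata_alloc() named in the changelog, and document above the function that pages is consumed on failure. Note also that kvfree(pages) releases only the pointer array, so if a caller passes an array that already holds page references, dropping those is still the caller's job.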
[PATCH OLK-5.10] dmaengine: idxd: Prevent use after free on completion memory
by Liu Mingrui 04 Sep '24

From: Reinette Chatre <reinette.chatre(a)intel.com> stable inclusion from stable-v6.1.8 commit b9e8e3fcfec625fc1c2f68f684448aeeb882625b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALILE CVE: CVE-2022-48867 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 1beeec45f9ac31eba52478379f70a5fa9c2ad005 upstream. On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below: BUG: unable to handle page fault for address: ff391c97c70c9040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq()->idxd_wq_free_resources() Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device. Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations") Suggested-by: Dave Jiang <dave.jiang(a)intel.com> Signed-off-by: Reinette Chatre <reinette.chatre(a)intel.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Reviewed-by: Fenghua Yu <fenghua.yu(a)intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/6c4657d9cff0a0a00501a7b928297ac966e9ec9d.16704524… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- drivers/dma/idxd/device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index 06f5d3783d77..300ee3b5cf63 100644 
--- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -1408,11 +1408,11 @@ void drv_disable_wq(struct idxd_wq *wq) dev_warn(dev, "Clients has claim on wq %d: %d\n", wq->id, idxd_wq_refcount(wq)); - idxd_wq_free_resources(wq); idxd_wq_unmap_portal(wq); idxd_wq_drain(wq); idxd_wq_free_irq(wq); idxd_wq_reset(wq); + idxd_wq_free_resources(wq); percpu_ref_exit(&wq->wq_active); wq->type = IDXD_WQT_NONE; wq->client_count = 0; -- 2.25.1
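Review bot: After the move, idxd_wq_free_resources(wq) must stay below idxd_wq_free_irq(wq) and idxd_wq_reset(wq) in drv_disable_wq(), but nothing in the code says so; the reason lives only in the changelog. Add a comment above the call, such as "free descriptors last: idxd_wq_free_irq() flushes pending descriptors and the device may write completions until the reset", so a later cleanup does not reorder the calls again.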
[PATCH OLK-5.10] dmaengine: idxd: Prevent use after free on completion memory
by Liu Mingrui 04 Sep '24

From: Reinette Chatre <reinette.chatre(a)intel.com> stable inclusion from stable-v6.1.8~66 commit b9e8e3fcfec625fc1c2f68f684448aeeb882625b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALILE CVE: CVE-2022-48867 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 1beeec45f9ac31eba52478379f70a5fa9c2ad005 upstream. On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below: BUG: unable to handle page fault for address: ff391c97c70c9040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq()->idxd_wq_free_resources() Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device. Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations") Suggested-by: Dave Jiang <dave.jiang(a)intel.com> Signed-off-by: Reinette Chatre <reinette.chatre(a)intel.com> Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Reviewed-by: Fenghua Yu <fenghua.yu(a)intel.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/6c4657d9cff0a0a00501a7b928297ac966e9ec9d.16704524… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- drivers/dma/idxd/device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index 06f5d3783d77..300ee3b5cf63 100644 
--- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -1408,11 +1408,11 @@ void drv_disable_wq(struct idxd_wq *wq) dev_warn(dev, "Clients has claim on wq %d: %d\n", wq->id, idxd_wq_refcount(wq)); - idxd_wq_free_resources(wq); idxd_wq_unmap_portal(wq); idxd_wq_drain(wq); idxd_wq_free_irq(wq); idxd_wq_reset(wq); + idxd_wq_free_resources(wq); percpu_ref_exit(&wq->wq_active); wq->type = IDXD_WQT_NONE; wq->client_count = 0; -- 2.25.1
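Review bot: The context at the top of the hunk shows dev_warn() reporting "Clients has claim on wq" and, as far as the hunk shows, the teardown then continues to idxd_wq_free_resources(wq) regardless. Moving the free to after idxd_wq_reset(wq) closes the window the changelog describes for the flush and for device completion writes; please state in the changelog whether a client that still holds a claim can touch descriptor memory after this point, or that this case is out of scope for the backport.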
[PATCH openEuler-22.03-LTS-SP1 0/1] fix CVE-2023-45896
by Lin Yujun 04 Sep '24

Konstantin Komarov (1):
  fs/ntfs3: Add more attributes checks in mi_enum_attr()

 fs/ntfs3/record.c | 63 +++++++++++++++++++++++++++++++++++++----------
 1 file changed, 50 insertions(+), 13 deletions(-)

--
2.34.1