mailweb.openeuler.org: Kernel mailing list archive (kernel@openeuler.org)
[PATCH openEuler-22.03-LTS-SP1] ocfs2: cancel dqi_sync_work before freeing oinfo
by Huang Xiaojia 26 Oct '24

From: Joseph Qi <joseph.qi@linux.alibaba.com>

stable inclusion
from stable-v5.10.227
commit 14114d8148db07e7946fb06b56a50cfa425e26c7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRD6
CVE: CVE-2024-49966
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 35fccce29feb3706f649726d410122dd81b92c18 upstream.

ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end; if an error occurs after the global quota has been read successfully, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:

ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c

This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails.

Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd
Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.…
Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reported-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com
Tested-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Huang Xiaojia <huangxiaojia2@huawei.com>
---
 fs/ocfs2/quota_local.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index b1a8b046f4c2..7a1c8da9e44b 100644
--- a/fs/ocfs2/quota_local.c +++ b/fs/ocfs2/quota_local.c @@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) int status; struct buffer_head *bh = NULL; struct ocfs2_quota_recovery *rec; - int locked = 0; + int locked = 0, global_read = 0; info->dqi_max_spc_limit = 0x7fffffffffffffffLL; info->dqi_max_ino_limit = 0x7fffffffffffffffLL; @@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (!oinfo) { mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota" " info."); + status = -ENOMEM; goto out_err; } info->dqi_priv = oinfo; @@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) status = ocfs2_global_read_info(sb, type); if (status < 0) goto out_err; + global_read = 1; status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1); if (status < 0) { @@ -779,10 +781,12 @@ static int ocfs2_local_read_info(struct super_block *sb, int type) if (locked) ocfs2_inode_unlock(lqinode, 1); ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk); + if (global_read) + cancel_delayed_work_sync(&oinfo->dqi_sync_work); kfree(oinfo); } brelse(bh); - return -1; + return status; } /* Write local info to quota file */ -- 2.34.1
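Review bot: the new `status = -ENOMEM;` in the oinfo-allocation failure branch (hunk at -697) is required by the change from `return -1` to `return status` at the end of the function: `status` is declared without an initializer (`int status;` in the context of the first hunk), so without this assignment the allocation failure would return an indeterminate value. Check that every other `goto out_err` in ocfs2_local_read_info() that is outside this diff also sets `status` first; the two jumps visible here (after ocfs2_global_read_info() and after ocfs2_inode_lock()) do.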
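Review bot: `global_read = 1;` (hunk at -709) is set only after the `if (status < 0) goto out_err;` that follows ocfs2_global_read_info(), which is the right placement: the commit message says that function initializes and schedules dqi_sync_work at its end, so when it fails the work was never armed and the error path must not touch it.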
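Review bot: cancel_delayed_work_sync() rather than cancel_delayed_work() is the right primitive in the out_err path (hunk at -779), because qsync_work_fn may already be executing on another CPU when the error path is entered and the object is about to be freed; the `if (global_read)` guard is also necessary, since dqi_sync_work is only initialized by ocfs2_global_read_info() and cancelling an uninitialized delayed_work is undefined. The ordering is sound: the cancel runs after `ocfs2_inode_unlock(lqinode, 1)` and before `kfree(oinfo)`. One style point: `return status;` now relies on every path to out_err having set `status`; a short comment above the label, or initializing `status` at its declaration, would make that contract visible to the next person who adds an error branch.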
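The failure the commit message describes, an armed delayed work left inside an object that is then freed, reproduces in a small userspace model. The C program below is an added example written for this page, not code from the patch or from ocfs2: it keeps a constructed pending-timer list, embeds a work item in an oinfo-like object the way the real oinfo embeds dqi_sync_work, arms it from a stand-in for ocfs2_global_read_info(), fails a later step with and without the cancel, and performs the free-time scan that CONFIG_DEBUG_OBJECTS_TIMERS performs to produce the "free active object" report. Every name other than dqi_sync_work, oinfo, global_read and the status values is an assumption made for the model.

```c
/*
 * Model of "cancel the delayed work before freeing the object that embeds
 * it", plus the check ODEBUG runs at free time.  Illustrative code written
 * for this page; list, work struct and read_info function are stand-ins.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct delayed_work {
	struct delayed_work *next;   /* link in the pending-timer list */
	bool pending;
};

/* Object that embeds the work, as the real oinfo embeds dqi_sync_work. */
struct oinfo {
	int type;
	struct delayed_work dqi_sync_work;
};

static struct delayed_work *timer_list;   /* constructed: all armed works */
static int last_active;                   /* active works found by the last free */

static int last_active_count(void) { return last_active; }

static void schedule_delayed_work(struct delayed_work *dw)
{
	if (dw->pending)
		return;
	dw->pending = true;
	dw->next = timer_list;
	timer_list = dw;
}

/* Unlink the work; returns true if it was pending. */
static bool cancel_delayed_work_sync(struct delayed_work *dw)
{
	struct delayed_work **pp;

	for (pp = &timer_list; *pp; pp = &(*pp)->next) {
		if (*pp == dw) {
			*pp = dw->next;
			dw->next = NULL;
			dw->pending = false;
			return true;
		}
	}
	return false;
}

/*
 * What ODEBUG reports as "free active object": armed works whose storage
 * lies inside the block being freed.  Like the kernel's fixup handler it
 * disarms them so the list does not keep a dangling pointer.
 */
static int debug_check_no_obj_freed(void *start, size_t len)
{
	uintptr_t lo = (uintptr_t)start, hi = lo + len;
	struct delayed_work *dw, *next;
	int active = 0;

	for (dw = timer_list; dw; dw = next) {
		next = dw->next;
		if ((uintptr_t)dw >= lo && (uintptr_t)dw < hi) {
			active++;
			cancel_delayed_work_sync(dw);
		}
	}
	return active;
}

/* Stand-in for ocfs2_global_read_info(): arms the work at the very end. */
static int global_read_info(struct oinfo *oinfo, bool ok)
{
	if (!ok)
		return -EIO;
	schedule_delayed_work(&oinfo->dqi_sync_work);
	return 0;
}

/*
 * Model of ocfs2_local_read_info()'s error path.  'fixed' selects the
 * patched behaviour (cancel before kfree, return the real status).
 */
static int local_read_info(bool global_ok, bool later_ok, bool fixed)
{
	struct oinfo *oinfo = calloc(1, sizeof(*oinfo));
	bool global_read = false;
	int status;

	last_active = 0;
	if (!oinfo)
		return fixed ? -ENOMEM : -1;
	status = global_read_info(oinfo, global_ok);
	if (status < 0)
		goto out_err;
	global_read = true;
	if (!later_ok) {                /* e.g. the inode lock failing afterwards */
		status = -EIO;
		goto out_err;
	}
	cancel_delayed_work_sync(&oinfo->dqi_sync_work);   /* orderly teardown on success */
	free(oinfo);
	return 0;
out_err:
	if (fixed && global_read)
		cancel_delayed_work_sync(&oinfo->dqi_sync_work);
	last_active = debug_check_no_obj_freed(oinfo, sizeof(*oinfo));
	free(oinfo);
	return fixed ? status : -1;
}

int main(void)
{
	int status = local_read_info(true, false, false);
	printf("old path:   status=%d active works at free=%d\n", status, last_active_count());
	status = local_read_info(true, false, true);
	printf("fixed path: status=%d active works at free=%d\n", status, last_active_count());
	return 0;
}
```

The unpatched path reports one active work at free time, which is exactly the condition behind the ODEBUG splat in the commit message; the patched path reports none and returns the real error code instead of -1.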
[PATCH OLK-6.6] block: fix potential invalid pointer dereference in blk_add_partition
by Zheng Qixing 26 Oct '24

From: Riyan Dhiman <riyandhiman14@gmail.com>

stable inclusion
from stable-v6.6.54
commit 80f5bfbb80ea1615290dbc24f49d3d8c86db58fe
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJH
CVE: CVE-2024-47705
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

[ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ]

The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer.

This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls.

Fixes: b72053072c0b (block: allow partitions on host aware zone devices)
Signed-off-by: Riyan Dhiman <riyandhiman14@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Conflicts:
	block/partitions/core.c
[The conflict occurs because commit 0d7ddfc89284 ("block: print symbolic error name instead of error code") is not introduced.]
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
---
 block/partitions/core.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/block/partitions/core.c b/block/partitions/core.c
index 962e4b57d64a..0cdc44d11cb0 100644
--- a/block/partitions/core.c
+++ b/block/partitions/core.c
@@ -574,9 +574,11 @@ static bool blk_add_partition(struct gendisk *disk, part = add_partition(disk, p, from, size, state->parts[p].flags, &state->parts[p].info); - if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { - printk(KERN_ERR " %s: p%d could not be added: %ld\n", - disk->disk_name, p, -PTR_ERR(part)); + if (IS_ERR(part)) { + if (PTR_ERR(part) != -ENXIO) { + printk(KERN_ERR " %s: p%d could not be added: %pe\n", + disk->disk_name, p, -PTR_ERR(part)); + } return true; } -- 2.39.2
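Review bot: the format string and its argument in the new printk do not match: `%pe` expects the error pointer itself, so the kernel can print the symbolic name, but the argument is still `-PTR_ERR(part)`, a positive `long`. A small positive integer is not in the error-pointer range, so the check behind `%pe` fails and the message prints a pointer value instead of an error name; gcc's format checking will also warn about a `long` passed for a `%p` conversion. The conflict note above says commit 0d7ddfc89284, which introduced `%pe` here upstream, is not in this tree, so either keep the original `%ld` with `-PTR_ERR(part)` or change both halves together, `%pe` with `part`. Apart from that, the split into an outer `IS_ERR(part)` check and an inner `!= -ENXIO` check preserves the existing behaviour: both error cases still `return true`, and only the non-ENXIO case logs.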
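The new printk in the hunk above uses `%pe` with `-PTR_ERR(part)` as its argument. The C program below is an added example written for this page, not block-layer or vsprintf code: it reimplements ERR_PTR/IS_ERR/PTR_ERR in userspace with the kernel's 4095-errno bound, a miniature of `%pe` (symbolic name for an error pointer, plain pointer otherwise), a stand-in for add_partition() and the split check from the patch, then formats the same -ENOMEM result once with the argument `%pe` expects and once with `-PTR_ERR(part)`. The `<pointer>` marker stands in for the hashed address the kernel would print; fake_add_partition(), describe() and describe_as_backported() are names invented for the example.

```c
/*
 * Userspace model of the kernel's error-pointer convention and of the
 * %pe printk conversion.  Written for this page; not kernel code.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO 4095   /* the kernel's bound: the top 4095 addresses encode errors */

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* A few symbolic names, the way errname() feeds %pe. */
static const char *errname(long err)
{
	switch (err) {
	case ENXIO:  return "-ENXIO";
	case ENOMEM: return "-ENOMEM";
	case EINVAL: return "-EINVAL";
	default:     return NULL;
	}
}

/*
 * Miniature %pe: an error pointer prints its symbolic name (or the raw
 * number when no name is known); anything else is an ordinary pointer.
 * The kernel prints a hashed address there; a fixed marker keeps this
 * deterministic.
 */
static int format_pe(char *buf, size_t len, const void *ptr)
{
	if (IS_ERR(ptr)) {
		const char *name = errname(-PTR_ERR(ptr));
		if (name)
			return snprintf(buf, len, "%s", name);
		return snprintf(buf, len, "%ld", PTR_ERR(ptr));
	}
	return snprintf(buf, len, "<pointer>");
}

/* Stand-in for add_partition(): an error pointer, or a real object on success. */
static int fake_part_object;
static void *fake_add_partition(int err)
{
	return err ? ERR_PTR(-err) : (void *)&fake_part_object;
}

/* The split check from the patch: any error stops processing, only non-ENXIO errors are logged. */
static bool should_log(const void *part)
{
	return IS_ERR(part) && PTR_ERR(part) != -ENXIO;
}

/* The argument %pe is designed for: the error pointer itself. */
static const char *describe(const void *part)
{
	static char buf[32];
	format_pe(buf, sizeof(buf), part);
	return buf;
}

/* The argument the backport passes: -PTR_ERR(part), a positive errno, in a pointer slot. */
static const char *describe_as_backported(const void *part)
{
	static char buf[32];
	format_pe(buf, sizeof(buf), (const void *)(uintptr_t)(-PTR_ERR(part)));
	return buf;
}

int main(void)
{
	void *part = fake_add_partition(ENOMEM);

	printf("log -ENOMEM: %d, log -ENXIO: %d, log success: %d\n",
	       should_log(part), should_log(fake_add_partition(ENXIO)),
	       should_log(fake_add_partition(0)));
	printf("%%pe with part:           %s\n", describe(part));
	printf("%%pe with -PTR_ERR(part): %s\n", describe_as_backported(part));
	return 0;
}
```

With the error pointer itself the conversion yields "-ENOMEM"; with `-PTR_ERR(part)` the value 12 is not in the error range, so the reader of the log gets an opaque pointer instead of the reason the partition was rejected.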
[PATCH openEuler-1.0-LTS] svm: fix UAF/Double Free in svm
by Lin Ruifeng 26 Oct '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAZLJE CVE: NA -------------------------------------------------- fix DTS2024100908489 Fixes: 221302d362d3 (“svm: add support for allocing memory which is within 4G physical address in svm_mmap”) Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- drivers/char/svm.c | 55 +++++++++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/drivers/char/svm.c b/drivers/char/svm.c index 4cd04ca378ff..d7f70f2019e2 100644 --- a/drivers/char/svm.c +++ b/drivers/char/svm.c @@ -1503,6 +1503,40 @@ static int svm_proc_load_flag(int __user *arg) return put_user(flag, arg); } +static void svm_vma_open(struct vm_area_struct *vma) +{ + struct page *page = vma->vm_private_data; + + if (page) + get_page(page); +} + +static void svm_vma_close(struct vm_area_struct *vma) +{ + struct page *page = vma->vm_private_data; + + put_page(page); +} + +/* avoid split */ +static int svm_vma_split(struct vm_area_struct *area, unsigned long addr) +{ + return -EINVAL; +} + +/* avoid mremap */ +static int svm_vma_mremap(struct vm_area_struct *area) +{ + return -EINVAL; +} + +static const struct vm_operations_struct svm_vma_ops = { + .open = svm_vma_open, + .close = svm_vma_close, + .split = svm_vma_split, + .mremap = svm_vma_mremap, +}; + static int svm_mmap(struct file *file, struct vm_area_struct *vma) { int err; @@ -1540,6 +1574,9 @@ static int svm_mmap(struct file *file, struct vm_area_struct *vma) dev_err(sdev->dev, "fail to remap 0x%pK err=%d\n", (void *)vma->vm_start, err); + + vma->vm_private_data = page; + vma->vm_ops = &svm_vma_ops; } else { if ((vma->vm_end < vma->vm_start) || ((vma->vm_end - vma->vm_start) > sdev->l2size)) 
@@ -1566,9 +1603,7 @@ static int svm_release_phys32(unsigned long __user *arg) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; - struct page *page = NULL; - pte_t *pte = NULL; - unsigned long phys, addr, offset; + unsigned long addr; unsigned int len = 0; if (arg == NULL) @@ -1578,28 +1613,18 @@ static int svm_release_phys32(unsigned long __user *arg) return -EFAULT; down_read(&mm->mmap_sem); - pte = svm_walk_pt(addr, NULL, &offset); - if (pte && pte_present(*pte)) { - phys = PFN_PHYS(pte_pfn(*pte)) + offset; - } else { - up_read(&mm->mmap_sem); - return -EINVAL; - } vma = find_vma(mm, addr); - if (!vma) { + if (!vma || addr != vma->vm_start) { up_read(&mm->mmap_sem); return -EFAULT; } - page = phys_to_page(phys); len = vma->vm_end - vma->vm_start; - __free_pages(page, get_order(len)); - up_read(&mm->mmap_sem); - return 0; + return vm_munmap(addr, len); } static unsigned long svm_sp_alloc_mem(unsigned long __user *arg) -- 2.17.1
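Review bot: svm_vma_open() and svm_vma_close() (hunk at -1503) disagree about whether vm_private_data can be NULL: open guards with `if (page) get_page(page);` while close calls `put_page(page)` unconditionally. If the guard in open is needed, close will dereference NULL when such a VMA is unmapped; if it is not, the guard is dead code. Make the two symmetric, either `if (page) put_page(page);` in close or no guard in either. Refusing `.split` and `.mremap` with -EINVAL is the right call, since svm_release_phys32() below assumes one VMA covers one allocation (it requires `addr == vma->vm_start` and unmaps `vm_end - vm_start`), and open() taking a reference keeps the page alive when the VMA is duplicated across fork().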
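Review bot: `vma->vm_private_data = page; vma->vm_ops = &svm_vma_ops;` (hunk at -1540) sit directly after the `dev_err(... "fail to remap ..." ...)` with no closing brace between them, so they run whether or not the remap call that set `err` succeeded. If the failure path returns `err` and releases `page` itself, the VMA now also holds a reference that svm_vma_close() will drop; ownership of the page reference should be explicit, for example install vm_ops only when `err == 0`, or release the page on every path through close and nowhere else.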
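Review bot: the success path of svm_release_phys32() (hunk at -1578) now calls vm_munmap(addr, len) while mm->mmap_sem is still held for read: `down_read(&mm->mmap_sem);` remains as unchanged context above the hunk, the `up_read()` on the success path is deleted, and `return vm_munmap(addr, len);` takes its place. vm_munmap() acquires mmap_sem for write, so the calling task will deadlock on its own read hold (lockdep will report it first). The read lock is only needed to read `vma->vm_start` and `vma->vm_end`; drop it before unmapping:

    len = vma->vm_end - vma->vm_start;
    up_read(&mm->mmap_sem);
    return vm_munmap(addr, len);

vm_munmap() re-resolves the range under the write lock, so releasing the read lock first is safe. Separately, `addr != vma->vm_start` rejects an address inside a mapping, but nothing checks that the VMA found is an svm mapping at all (for instance `vma->vm_ops != &svm_vma_ops`), so the ioctl will unmap any mapping the process owns. That is no more than the process could do with munmap(2), but a vm_ops check returning -EINVAL would make the intent explicit and keep the ioctl from acting on unrelated mappings.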
[openeuler:openEuler-1.0-LTS 2662/23859] arch/arm64/include/asm/irqflags.h:88:9: warning: 'flags' may be used uninitialized
by kernel test robot 26 Oct '24

Hi Geert,

FYI, the error/warning still remains.

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: d2a40c79ddef4b96b8a7a396bd7273121b1b4a5c
commit: 9dae7e237a64858407b7626260bad53aa13c9198 [2662/23859] serial: sh-sci: Fix locking in sci_submit_rx()
config: arm64-randconfig-002-20241026 (https://download.01.org/0day-ci/archive/20241026/202410260911.Qmhlx5mF-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241026/202410260911.Qmhlx5mF-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410260911.Qmhlx5mF-lkp@intel.com/

Note: it may well be a FALSE warning. FWIW you are at least aware of it now.
http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings

All warnings (new ones prefixed by >>):

   In file included from include/linux/irqflags.h:16,
                    from include/linux/spinlock.h:54,
                    from include/linux/rwsem.h:16,
                    from include/linux/notifier.h:15,
                    from include/linux/clk.h:17,
                    from drivers/tty/serial/sh-sci.c:24:
   In function 'arch_local_irq_restore',
       inlined from '__raw_spin_unlock_irqrestore' at include/linux/spinlock_api_smp.h:160:2,
       inlined from 'spin_unlock_irqrestore' at include/linux/spinlock.h:384:2,
       inlined from 'sci_submit_rx' at drivers/tty/serial/sh-sci.c:1376:3:
>> arch/arm64/include/asm/irqflags.h:88:9: warning: 'flags' may be used uninitialized [-Wmaybe-uninitialized]
      88 |         asm volatile(
         |         ^~~
   drivers/tty/serial/sh-sci.c: In function 'sci_submit_rx':
   drivers/tty/serial/sh-sci.c:1338:23: note: 'flags' was declared here
    1338 |         unsigned long flags;
         |                       ^~~~~
   In file included from drivers/tty/serial/sh-sci.c:53:
   In function 'tty_insert_flip_char',
       inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:940:7:
   include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      27 |         *flag_buf_ptr(tb, tb->used) = flag;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
   In file included from include/linux/serial_core.h:29,
                    from include/linux/serial_sci.h:6,
                    from drivers/tty/serial/sh-sci.c:46:
   include/linux/tty.h: In function 'sci_handle_errors':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:940:7:
   include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      28 |         *char_buf_ptr(tb, tb->used++) = ch;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
   include/linux/tty.h: In function 'sci_handle_errors':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:950:7:
   include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      27 |         *flag_buf_ptr(tb, tb->used) = flag;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
   include/linux/tty.h: In function 'sci_handle_errors':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:950:7:
   include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      28 |         *char_buf_ptr(tb, tb->used++) = ch;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
   include/linux/tty.h: In function 'sci_handle_errors':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:960:7:
   include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      27 |         *flag_buf_ptr(tb, tb->used) = flag;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
   include/linux/tty.h: In function 'sci_handle_errors':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_handle_errors' at drivers/tty/serial/sh-sci.c:960:7:
   include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      28 |         *char_buf_ptr(tb, tb->used++) = ch;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
   include/linux/tty.h: In function 'sci_handle_errors':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:906:5:
   include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      27 |         *flag_buf_ptr(tb, tb->used) = flag;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
   include/linux/tty.h: In function 'sci_receive_chars':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:906:5:
   include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      28 |         *char_buf_ptr(tb, tb->used++) = ch;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
   include/linux/tty.h: In function 'sci_receive_chars':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:883:5:
   include/linux/tty_flip.h:27:53: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      27 |         *flag_buf_ptr(tb, tb->used) = flag;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
   include/linux/tty.h: In function 'sci_receive_chars':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~
   In function 'tty_insert_flip_char',
       inlined from 'sci_receive_chars' at drivers/tty/serial/sh-sci.c:883:5:
   include/linux/tty_flip.h:28:47: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
      28 |         *char_buf_ptr(tb, tb->used++) = ch;
         |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~
   include/linux/tty.h: In function 'sci_receive_chars':
   include/linux/tty.h:69:23: note: destination object 'data' of size 0
      69 |         unsigned long data[0];
         |                       ^~~~

vim +/flags +88 arch/arm64/include/asm/irqflags.h

fb9bd7d6df81dd Marc Zyngier 2012-03-05  82  
fb9bd7d6df81dd Marc Zyngier 2012-03-05  83  /*
fb9bd7d6df81dd Marc Zyngier 2012-03-05  84   * restore saved IRQ state
fb9bd7d6df81dd Marc Zyngier 2012-03-05  85   */
fb9bd7d6df81dd Marc Zyngier 2012-03-05  86  static inline void arch_local_irq_restore(unsigned long flags)
fb9bd7d6df81dd Marc Zyngier 2012-03-05  87  {
fb9bd7d6df81dd Marc Zyngier 2012-03-05 @88  	asm volatile(
fb9bd7d6df81dd Marc Zyngier 2012-03-05  89  		"msr	daif, %0		// arch_local_irq_restore"
fb9bd7d6df81dd Marc Zyngier 2012-03-05  90  	:
fb9bd7d6df81dd Marc Zyngier 2012-03-05  91  	: "r" (flags)
fb9bd7d6df81dd Marc Zyngier 2012-03-05  92  	: "memory");
fb9bd7d6df81dd Marc Zyngier 2012-03-05  93  }
fb9bd7d6df81dd Marc Zyngier 2012-03-05  94  

:::::: The code at line 88 was first introduced by commit
:::::: fb9bd7d6df81ddf1e7ab6648ac89ddbe0625b26b arm64: IRQ handling

:::::: TO: Marc Zyngier <marc.zyngier@arm.com>
:::::: CC: Catalin Marinas <catalin.marinas@arm.com>

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24

From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v6.12-rc1 commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index fae0846d9409..9d413c4fd64c 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -169,6 +169,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -434,8 +445,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
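Review bot: `__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)` in nbd_requeue_cmd() (hunk at -169) is the non-atomic variant, so it is only safe if every other modification of `cmd->flags` also happens under `cmd->lock`; an atomic set of a different bit in the same word from a path that does not hold the lock could be lost by this read-modify-write. The `lockdep_assert_held(&cmd->lock)` added above it documents the requirement for this function but does not cover the other writers; confirm that every `set_bit`/`clear_bit` user of `cmd->flags` outside this diff holds `cmd->lock`, or use `clear_bit()` here. The comment explaining that INFLIGHT is set again when the command is next queued is the right level of documentation for this flag dance.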
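Review bot: moving `mutex_unlock(&cmd->lock)` below `nbd_requeue_cmd(cmd)` in nbd_xmit_timeout() (hunk at -434) is what lets the new lockdep assertion hold for this caller and closes the window in which a reply arriving between the unlock and the requeue could still see INFLIGHT set. Two things this diff does not show and that should be checked: any other caller of nbd_requeue_cmd() must now hold `cmd->lock` as well, or the assertion fires and the non-atomic clear is unsafe there; and blk_mq_requeue_request() now runs with the command mutex held, so nothing reachable from the requeue path may try to take `cmd->lock` again.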
[PATCH openEuler-22.03-LTS-SP1] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24

From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v6.12-rc1 commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 6a9e8fd84f03..9dbd7cb3df13 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -172,6 +172,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -453,8 +464,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
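Review bot: the non-atomic `__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)` added to nbd_requeue_cmd() (hunk at -172) relies on every writer of `cmd->flags` holding `cmd->lock`, since a concurrent atomic set of another bit in the same word from an unlocked path could be lost. The new `lockdep_assert_held(&cmd->lock)` pins that down for this function only; confirm the other `set_bit`/`clear_bit` users of `cmd->flags` in this tree also hold the lock, or use `clear_bit()` here.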
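Review bot: in nbd_xmit_timeout() (hunk at -453) the requeue now happens before `mutex_unlock(&cmd->lock)`, which is what makes the INFLIGHT clear and the requeue one atomic step with respect to the completion path. Any other call site of nbd_requeue_cmd() that this backport does not touch must already hold `cmd->lock`, otherwise the assertion added in the first hunk will fire; and blk_mq_requeue_request() is now called with the command mutex held, so nothing on that path may try to take `cmd->lock` again.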
[PATCH OLK-5.10] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24

From: Ming Lei <ming.lei(a)redhat.com> mainline inclusion from mainline-v6.12-rc1 commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 6a9e8fd84f03..9dbd7cb3df13 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -172,6 +172,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -453,8 +464,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req, nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
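Review bot: `__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)` in nbd_requeue_cmd() (hunk at -172) is non-atomic, so the correctness argument is "all writers of cmd->flags hold cmd->lock", which the new `lockdep_assert_held(&cmd->lock)` asserts for this function but not for the others. Check the remaining `set_bit`/`clear_bit` users of `cmd->flags` in the OLK-5.10 tree, or switch to `clear_bit()` if any of them runs unlocked.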
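Review bot: moving `mutex_unlock(&cmd->lock)` after `nbd_requeue_cmd(cmd)` in nbd_xmit_timeout() (hunk at -453) closes the window between unlock and requeue in which a late reply could still find INFLIGHT set. Since only this caller is adjusted, confirm that every other nbd_requeue_cmd() call site in the tree holds `cmd->lock`, and that nothing reachable from blk_mq_requeue_request() takes `cmd->lock`, which is now held across that call.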
[PATCH OLK-6.6] nbd: fix race between timeout and normal completion
by Zheng Qixing 26 Oct '24

From: Ming Lei <ming.lei(a)redhat.com> stable inclusion from stable-v6.6.54 commit 6e73b946a379a1dfbb62626af93843bdfb53753d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQRD CVE: CVE-2024-49855 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 ] If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik <josef(a)toxicpanda.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/block/nbd.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 8bb5972284b5..74d1f9c26ecc 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -181,6 +181,17 @@ static void nbd_requeue_cmd(struct nbd_cmd *cmd) { struct request *req = blk_mq_rq_from_pdu(cmd); + lockdep_assert_held(&cmd->lock); + + /* + * Clear INFLIGHT flag so that this cmd won't be completed in + * normal completion path + * + * INFLIGHT flag will be set when the cmd is queued to nbd next + * time. + */ + __clear_bit(NBD_CMD_INFLIGHT, &cmd->flags); + if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags)) blk_mq_requeue_request(req, true); } 
@@ -461,8 +472,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req) nbd_mark_nsock_dead(nbd, nsock, 1); mutex_unlock(&nsock->tx_lock); } - mutex_unlock(&cmd->lock); nbd_requeue_cmd(cmd); + mutex_unlock(&cmd->lock); nbd_config_put(nbd); return BLK_EH_DONE; } -- 2.39.2
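Review bot: the `__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags)` added to nbd_requeue_cmd() (hunk at -181) is the non-atomic form and is only safe because, with the new `lockdep_assert_held(&cmd->lock)`, this writer holds `cmd->lock`; that is not enough on its own, since a concurrent atomic set of a different bit from an unlocked path could still be lost. Confirm that all other `set_bit`/`clear_bit` users of `cmd->flags` in the OLK-6.6 tree hold the lock, or use `clear_bit()` here.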
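Review bot: in nbd_xmit_timeout() (hunk at -461) `mutex_unlock(&cmd->lock)` now follows `nbd_requeue_cmd(cmd)`, so the flag clear and the requeue are one step under the lock and a late reply can no longer slip in between. Since this is the only caller the diff adjusts, check that every other nbd_requeue_cmd() call site holds `cmd->lock` (otherwise the new assertion fires), and that nothing in the blk_mq_requeue_request() path takes `cmd->lock`, which is now held across it.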
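The four backports of this fix above (openEuler-1.0-LTS, openEuler-22.03-LTS-SP1, OLK-5.10 and OLK-6.6) describe the race in two sentences; the interleaving is clearer when spelled out. The C program below is an added example written for this page and is not nbd driver code: it models cmd->flags, cmd->lock (as a flag with a lockdep-style assertion) and the three paths involved, send, timeout and reply, and runs the racy order once with the old behaviour (unlock, then requeue without clearing INFLIGHT) and once with the patched behaviour. The reply path's "drop the reply if the command is no longer in flight" check is what the commit message implies when it says clearing NBD_CMD_INFLIGHT stops normal completion; the counters and the function bodies are invented for the model.

```c
/*
 * Sequential model of the nbd timeout/completion race.  Written for this
 * page; not driver code.  The two paths run in the order the race needs.
 */
#include <stdbool.h>
#include <stdio.h>

enum {
	NBD_CMD_REQUEUED = 1u << 0,
	NBD_CMD_INFLIGHT = 1u << 1,
};

struct nbd_cmd {
	bool lock_held;              /* stand-in for cmd->lock */
	unsigned int flags;
	unsigned int requeues;       /* times the timeout path requeued the command */
	unsigned int late_completes; /* replies accepted for a command already requeued */
	unsigned int lockdep_splats; /* lockdep_assert_held() failures */
};

static void cmd_lock(struct nbd_cmd *cmd)   { cmd->lock_held = true; }
static void cmd_unlock(struct nbd_cmd *cmd) { cmd->lock_held = false; }
static void lockdep_assert_held(struct nbd_cmd *cmd)
{
	if (!cmd->lock_held)
		cmd->lockdep_splats++;
}

/* Submission: the command goes on the wire and becomes in-flight. */
static void nbd_send_cmd(struct nbd_cmd *cmd)
{
	cmd_lock(cmd);
	cmd->flags |= NBD_CMD_INFLIGHT;
	cmd->flags &= ~NBD_CMD_REQUEUED;
	cmd_unlock(cmd);
}

/* Requeue; 'fixed' adds the INFLIGHT clear under the lock from the patch. */
static void nbd_requeue_cmd(struct nbd_cmd *cmd, bool fixed)
{
	if (fixed) {
		lockdep_assert_held(cmd);
		cmd->flags &= ~NBD_CMD_INFLIGHT;   /* __clear_bit(NBD_CMD_INFLIGHT, ...) */
	}
	if (!(cmd->flags & NBD_CMD_REQUEUED)) {
		cmd->flags |= NBD_CMD_REQUEUED;
		cmd->requeues++;
	}
}

/* Timeout handler: old ordering unlocks first, fixed ordering requeues under the lock. */
static void nbd_xmit_timeout(struct nbd_cmd *cmd, bool fixed)
{
	cmd_lock(cmd);
	if (fixed) {
		nbd_requeue_cmd(cmd, true);
		cmd_unlock(cmd);
	} else {
		cmd_unlock(cmd);
		nbd_requeue_cmd(cmd, false);
	}
}

/*
 * Receive path: a reply is completed only if the command is still marked
 * in-flight; otherwise it is stale and dropped.  Returns true if accepted.
 */
static bool nbd_handle_reply(struct nbd_cmd *cmd)
{
	bool accepted;

	cmd_lock(cmd);
	accepted = (cmd->flags & NBD_CMD_INFLIGHT) != 0;
	if (accepted) {
		cmd->flags &= ~NBD_CMD_INFLIGHT;
		if (cmd->flags & NBD_CMD_REQUEUED)
			cmd->late_completes++;   /* completing a request that is being requeued */
	}
	cmd_unlock(cmd);
	return accepted;
}

/* The racy order: send, timeout fires and requeues, then the old reply arrives. */
static unsigned int run_race(bool fixed)
{
	struct nbd_cmd cmd = { .flags = 0 };

	nbd_send_cmd(&cmd);
	nbd_xmit_timeout(&cmd, fixed);
	nbd_handle_reply(&cmd);          /* reply for the timed-out submission shows up late */
	return cmd.late_completes;
}

int main(void)
{
	printf("late completions, old ordering:   %u\n", run_race(false));
	printf("late completions, fixed ordering: %u\n", run_race(true));
	return 0;
}
```

With the old ordering the stale reply is accepted for a command that has already been handed back to the block layer, which is the condition the commit message calls a use-after-free; with the flag cleared under cmd->lock before the requeue, the reply path sees no INFLIGHT bit and drops it.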
[openeuler:openEuler-1.0-LTS 14594/23859] arch/arm64/kvm/../../../virt/kvm/arm/arm.c:411:36: error: 'struct sched_info' has no member named 'run_delay'
by kernel test robot 26 Oct '24

Hi chenjiajun,

FYI, the error/warning still remains.

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: d2a40c79ddef4b96b8a7a396bd7273121b1b4a5c
commit: b94fc31d4e16ff65dc2141f0a1a3af6a3aac5bb2 [14594/23859] kvm: debugfs: aarch64 export cpu time related items to debugfs
config: arm64-randconfig-003-20241026 (https://download.01.org/0day-ci/archive/20241026/202410260758.Qe33nEsp-lkp@…)
compiler: aarch64-linux-gcc (GCC) 14.1.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241026/202410260758.Qe33nEsp-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410260758.Qe33nEsp-lkp@intel.com/

All errors (new ones prefixed by >>):

   arch/arm64/kvm/../../../virt/kvm/arm/arm.c: In function 'update_steal_time':
>> arch/arm64/kvm/../../../virt/kvm/arm/arm.c:411:36: error: 'struct sched_info' has no member named 'run_delay'
     411 |         delta = current->sched_info.run_delay - vcpu->stat.steal;
         |                                    ^
   arch/arm64/kvm/../../../virt/kvm/arm/arm.c:412:47: error: 'struct sched_info' has no member named 'run_delay'
     412 |         vcpu->stat.steal = current->sched_info.run_delay;
         |                                               ^

vim +411 arch/arm64/kvm/../../../virt/kvm/arm/arm.c

   406	
   407	static void update_steal_time(struct kvm_vcpu *vcpu)
   408	{
   409		u64 delta;
   410	
 > 411		delta = current->sched_info.run_delay - vcpu->stat.steal;
   412		vcpu->stat.steal = current->sched_info.run_delay;
   413		vcpu->stat.st_max = max(vcpu->stat.st_max, delta);
   414	}
   415	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS] BUILD REGRESSION d2a40c79ddef4b96b8a7a396bd7273121b1b4a5c
by kernel test robot 26 Oct '24

tree/branch: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
branch HEAD: d2a40c79ddef4b96b8a7a396bd7273121b1b4a5c  !12378 cgroup: Protect css->cgroup write under css_set_lock

Error/Warning (recently discovered and may have been fixed):
https://lore.kernel.org/oe-kbuild-all/202410251513.0TgJ5Ukq-lkp@intel.com
https://lore.kernel.org/oe-kbuild-all/202410251924.cmJOufCW-lkp@intel.com

ld.lld: error: undefined symbol: __alloc_skb
ld.lld: error: undefined symbol: __netlink_kernel_create
ld.lld: error: undefined symbol: __nlmsg_put
ld.lld: error: undefined symbol: init_net
ld.lld: error: undefined symbol: kfree_skb
ld.lld: error: undefined symbol: netlink_broadcast
ld.lld: error: undefined symbol: netlink_kernel_release

Error/Warning ids grouped by kconfigs:

recent_errors
|-- arm64-allnoconfig
|   `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|-- arm64-randconfig-001-20241026
|   |-- drivers-clocksource-arm_arch_timer.c:error:hisi_161010101_read_cntvct_el0-undeclared-(first-use-in-this-function)
|   `-- drivers-tty-tty_buffer.c:error:implicit-declaration-of-function-printk_safe_exit
|-- arm64-randconfig-002-20241026
|   |-- drivers-crypto-hisilicon-qm.c:warning:Excess-function-parameter-ce-description-in-qm_hw_error_init
|   |-- drivers-crypto-hisilicon-qm.c:warning:Excess-function-parameter-fe-description-in-qm_hw_error_init
|   |-- drivers-crypto-hisilicon-qm.c:warning:Excess-function-parameter-msi-description-in-qm_hw_error_init
|   `-- drivers-crypto-hisilicon-qm.c:warning:Excess-function-parameter-nfe-description-in-qm_hw_error_init
|-- arm64-randconfig-003-20241026
|   `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|-- arm64-randconfig-004-20241026
|   `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|-- x86_64-allyesconfig
|   `-- drivers-net-ethernet-stmicro-stmmac-dwmac-phytium.c:error:incompatible-pointer-to-integer-conversion-returning-void-from-a-function-with-result-type-int
|-- x86_64-buildonly-randconfig-004-20241025
|   |-- ld.lld:error:undefined-symbol:__alloc_skb
|   |-- ld.lld:error:undefined-symbol:__netlink_kernel_create
|   |-- ld.lld:error:undefined-symbol:__nlmsg_put
|   |-- ld.lld:error:undefined-symbol:init_net
|   |-- ld.lld:error:undefined-symbol:kfree_skb
|   |-- ld.lld:error:undefined-symbol:netlink_broadcast
|   `-- ld.lld:error:undefined-symbol:netlink_kernel_release
|-- x86_64-buildonly-randconfig-004-20241026
|   |-- arch-x86-kernel-cpu-mce-apei.o:warning:objtool:missing-symbol-for-section-.text
|   |-- arch-x86-kernel-cpu-mce-therm_throt.o:warning:objtool:missing-symbol-for-section-.irqentry.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_checksum.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_cmd.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_dcqcn.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_dfx.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_fd.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_gro.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_hilink_param.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_irq.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_led.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_lib.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_mac.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_pfc_storm.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_port.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_promisc.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_qinfo.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_qos.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_qres.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_rss.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_stat.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_tm.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_version.o:warning:objtool:missing-symbol-for-section-.text
|   |-- drivers-net-ethernet-hisilicon-hns3-hns3_cae-hns3_cae_vlan.o:warning:objtool:missing-symbol-for-section-.text
|   `-- drivers-net-ethernet-hisilicon-hns3-hns3_extension-hns3_enet_it.o:warning:objtool:missing-symbol-for-section-.text
|-- x86_64-buildonly-randconfig-005-20241026
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-init_auto_affinity-Werror-Wimplicit-function-declaration
|   |-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains-Werror-Wimplicit-function-declaration
|   `-- kernel-sched-core.c:error:use-of-undeclared-identifier-root_task_group
|-- x86_64-buildonly-randconfig-006-20241026
|   `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
|-- x86_64-randconfig-003-20241026
|   `-- kernel-sched-core.c:error:implicit-declaration-of-function-tg_update_affinity_domains
`-- x86_64-randconfig-004-20241025
    |-- drivers-gpu-drm-amd-amdgpu-amdgpu_ids.o:warning:objtool:amdgpu_vmid_grab:unreachable-instruction
    `-- fs-debugfs-file.o:warning:objtool:full_proxy_open:unreachable-instruction

elapsed time: 1170m

configs tested: 22
configs skipped: 126

tested configs:
                   arm64                            allmodconfig   gcc-14.1.0
                   arm64                             allnoconfig   gcc-14.1.0
                   arm64                 randconfig-001-20241026   gcc-14.1.0
                   arm64                 randconfig-002-20241026   gcc-14.1.0
                   arm64                 randconfig-003-20241026   gcc-14.1.0
                   arm64                 randconfig-004-20241026   gcc-14.1.0
                  x86_64                             allnoconfig   clang-19
                  x86_64                            allyesconfig   clang-19
                  x86_64       buildonly-randconfig-001-20241026   clang-19
                  x86_64       buildonly-randconfig-002-20241026   clang-19
                  x86_64       buildonly-randconfig-003-20241026   gcc-12
                  x86_64       buildonly-randconfig-004-20241026   clang-19
                  x86_64       buildonly-randconfig-005-20241026   clang-19
                  x86_64       buildonly-randconfig-006-20241026   gcc-12
                  x86_64                               defconfig   gcc-11
                  x86_64                                   kexec   clang-19
                  x86_64                 randconfig-001-20241026   clang-19
                  x86_64                 randconfig-002-20241026   gcc-12
                  x86_64                 randconfig-003-20241026   gcc-12
                  x86_64                                rhel-8.3   gcc-12
                  x86_64                           rhel-8.3-func   gcc-12
                  x86_64                    rhel-8.3-kselftests   gcc-12

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki