- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 0/2] xhci:fix USB xhci controller issue
by liulongfang 11 Sep '23

11 Sep '23

From: JiangShui Yang <yangjiangshui(a)h-partners.com> JiangShui Yang (1): Revert "xhci:fix USB xhci controller issue" Longfang Liu (1): xhci:fix USB xhci controller issue drivers/usb/host/xhci-ring.c | 4 +--- drivers/usb/host/xhci.h | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) -- 2.30.0

2 3

[PATCH OLK-5.10 0/4] Fixed 4 CVEs of the ksmbd
by ZhaoLong Wang 11 Sep '23

11 Sep '23

CVE-2023-32247 CVE-2023-32251 CVE-2023-32253 CVE-2023-32249 Namjae Jeon (4): ksmbd: destroy expired sessions ksmbd: block asynchronous requests when making a delay on session setup ksmbd: fix deadlock in ksmbd_find_crypto_ctx() ksmbd: not allow guest user on multichannel fs/ksmbd/auth.c | 19 +++++----- fs/ksmbd/mgmt/user_session.c | 68 ++++++++++++++++++++---------------- fs/ksmbd/mgmt/user_session.h | 1 + fs/ksmbd/smb2pdu.c | 17 +++++++-- fs/ksmbd/smb2pdu.h | 2 ++ 5 files changed, 65 insertions(+), 42 deletions(-) -- 2.34.3

2 5

[PATCH openEuler-1.0-LTS] io_uring: ensure IOPOLL locks around deferred work
by Zhihao Cheng 11 Sep '23

11 Sep '23

From: Jens Axboe <axboe(a)kernel.dk> stable inclusion from stable-v5.10.188 commit 810e401b34c4c4c244d8b93b9947ea5b3d4d49f8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7KXLN CVE: CVE-2023-21400 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- No direct upstream commit exists for this issue. It was fixed in 5.18 as part of a larger rework of the completion side. io_commit_cqring() writes the CQ ring tail to make it visible, but it also kicks off any deferred work we have. A ring setup with IOPOLL does not need any locking around the CQ ring updates, as we're always under the ctx uring_lock. But if we have deferred work that needs processing, then io_queue_deferred() assumes that the completion_lock is held, as it is for !IOPOLL. Add a lockdep assertion to check and document this fact, and have io_iopoll_complete() check if we have deferred work and run that separately with the appropriate lock grabbed. Cc: stable(a)vger.kernel.org # 5.10, 5.15 Reported-by: dghost david <daviduniverse18(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Lin Yujun <linyujun809(a)huawei.com> Conflicts: fs/io_uring.c Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- fs/io_uring.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index ce60df5e4d91..679de9ba1787 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1310,6 +1310,8 @@ static void io_kill_timeouts(struct io_ring_ctx *ctx) static void __io_queue_deferred(struct io_ring_ctx *ctx) { + lockdep_assert_held(&ctx->completion_lock); + do { struct io_defer_entry *de = list_first_entry(&ctx->defer_list, struct io_defer_entry, list); @@ -2181,7 +2183,14 @@ static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events, io_req_free_batch(&rb, req); } - io_commit_cqring(ctx); + io_flush_timeouts(ctx); + __io_commit_cqring(ctx); + + spin_lock(&ctx->completion_lock); + if (unlikely(!list_empty(&ctx->defer_list))) + __io_queue_deferred(ctx); + spin_unlock(&ctx->completion_lock); + if (ctx->flags & IORING_SETUP_SQPOLL) io_cqring_ev_posted(ctx); io_req_free_batch_finish(ctx, &rb); -- 2.31.1

2 1

[PATCH OLK-5.10] io_uring: ensure IOPOLL locks around deferred work
by Zhihao Cheng 11 Sep '23

11 Sep '23

From: Jens Axboe <axboe(a)kernel.dk> stable inclusion from stable-v5.10.188 commit 810e401b34c4c4c244d8b93b9947ea5b3d4d49f8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7KXLN CVE: CVE-2023-21400 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- No direct upstream commit exists for this issue. It was fixed in 5.18 as part of a larger rework of the completion side. io_commit_cqring() writes the CQ ring tail to make it visible, but it also kicks off any deferred work we have. A ring setup with IOPOLL does not need any locking around the CQ ring updates, as we're always under the ctx uring_lock. But if we have deferred work that needs processing, then io_queue_deferred() assumes that the completion_lock is held, as it is for !IOPOLL. Add a lockdep assertion to check and document this fact, and have io_iopoll_complete() check if we have deferred work and run that separately with the appropriate lock grabbed. Cc: stable(a)vger.kernel.org # 5.10, 5.15 Reported-by: dghost david <daviduniverse18(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Lin Yujun <linyujun809(a)huawei.com> Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- io_uring/io_uring.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 3d35f5d13666..781af0b05d8c 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1521,6 +1521,8 @@ static void io_kill_timeout(struct io_kiocb *req, int status) static void io_queue_deferred(struct io_ring_ctx *ctx) { + lockdep_assert_held(&ctx->completion_lock); + while (!list_empty(&ctx->defer_list)) { struct io_defer_entry *de = list_first_entry(&ctx->defer_list, struct io_defer_entry, list); @@ -1572,14 +1574,24 @@ static void __io_commit_cqring_flush(struct io_ring_ctx *ctx) io_queue_deferred(ctx); } -static inline void io_commit_cqring(struct io_ring_ctx *ctx) +static inline bool io_commit_needs_flush(struct io_ring_ctx *ctx) +{ + return ctx->off_timeout_used || ctx->drain_active; +} + +static inline void __io_commit_cqring(struct io_ring_ctx *ctx) { - if (unlikely(ctx->off_timeout_used || ctx->drain_active)) - __io_commit_cqring_flush(ctx); /* order cqe stores with ring update */ smp_store_release(&ctx->rings->cq.tail, ctx->cached_cq_tail); } +static inline void io_commit_cqring(struct io_ring_ctx *ctx) +{ + if (unlikely(io_commit_needs_flush(ctx))) + __io_commit_cqring_flush(ctx); + __io_commit_cqring(ctx); +} + static inline bool io_sqring_full(struct io_ring_ctx *ctx) { struct io_rings *r = ctx->rings; @@ -2509,7 +2521,12 @@ static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events, io_req_free_batch(&rb, req, &ctx->submit_state); } - io_commit_cqring(ctx); + if (io_commit_needs_flush(ctx)) { + spin_lock(&ctx->completion_lock); + __io_commit_cqring_flush(ctx); + spin_unlock(&ctx->completion_lock); + } + __io_commit_cqring(ctx); io_cqring_ev_posted_iopoll(ctx); io_req_free_batch_finish(ctx, &rb); } -- 2.31.1

2 1

[PATCH OLK-5.10 0/4] Fixed 4 CVEs belonging to the ksmbd
by ZhaoLong Wang 11 Sep '23

11 Sep '23

CVE-2023-32247 CVE-2023-32251 CVE-2023-32253 CVE-2023-32249 Namjae Jeon (4): ksmbd: destroy expired sessions ksmbd: block asynchronous requests when making a delay on session setup ksmbd: fix deadlock in ksmbd_find_crypto_ctx() ksmbd: not allow guest user on multichannel fs/ksmbd/auth.c | 19 +++++----- fs/ksmbd/mgmt/user_session.c | 68 ++++++++++++++++++++---------------- fs/ksmbd/mgmt/user_session.h | 1 + fs/ksmbd/smb2pdu.c | 17 +++++++-- fs/ksmbd/smb2pdu.h | 2 ++ 5 files changed, 65 insertions(+), 42 deletions(-) -- 2.34.3

1 4

[PATCH OLK-5.10 0/5] sync ascend patches for openeuler
by Zhang Zekun 11 Sep '23

11 Sep '23

Sync patches for olk-5.10 Jian Zhang (1): ascend/hugetlb: Fix alloc static hugepage will fall back to other node Xu Qiang (1): hugetlb: Fixed a deadlock issue when allocating hugetlb page memory. Zhang Jian (2): Export function sched_setscheduler kernel/sdei: enable SDEI for nmi Zhou Guanghui (1): mm/hugetlb: support disable clear hugepage arch/arm64/Kconfig | 15 +++++++++++++++ arch/arm64/kernel/sdei.c | 2 ++ fs/hugetlbfs/inode.c | 5 +++-- kernel/sched/core.c | 1 + mm/hugetlb.c | 13 ++++++++----- 5 files changed, 29 insertions(+), 7 deletions(-) -- 2.17.1

2 6

[PATCH openEuler-23.09] arm64: fix abi change caused by ILP32
by Chen Jiahao 11 Sep '23

11 Sep '23

From: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7WGZU CVE: NA -------------------------------- One of the ILP32 patchset rename 'compat_user_mode' and 'compat_thumb_mode' to 'a32_user_mode' and 'a32_user_mode'. But these two macros are used in some opensource userspace application. To keep compatibility, we redefine these two macros. Fixes: 23b2f00 ("arm64: rename functions that reference compat term") Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Reviewed-by: Hanjun Guo <guohanjun(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Reviewed-by: liwei <liwei391(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> Signed-off-by: Chen Jiahao <chenjiahao16(a)huawei.com> --- arch/arm64/include/asm/ptrace.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index 992b04efe7f8..9cb0fd362ac4 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -224,6 +224,8 @@ static inline void forget_syscall(struct pt_regs *regs) #define a32_thumb_mode(regs) (0) #endif +#define compat_thumb_mode(regs) a32_thumb_mode(regs) + #define user_mode(regs) \ (((regs)->pstate & PSR_MODE_MASK) == PSR_MODE_EL0t) @@ -231,6 +233,8 @@ static inline void forget_syscall(struct pt_regs *regs) (((regs)->pstate & (PSR_MODE32_BIT | PSR_MODE_MASK)) == \ (PSR_MODE32_BIT | PSR_MODE_EL0t)) +#define compat_user_mode(regs) a32_user_mode(regs) + #define processor_mode(regs) \ ((regs)->pstate & PSR_MODE_MASK) -- 2.34.1

2 1

[OLK-5.10 0/4] Fixed 4 CVEs belonging to the ksmbd
by ZhaoLong Wang 11 Sep '23

11 Sep '23

CVE-2023-32247 CVE-2023-32251 CVE-2023-32253 CVE-2023-32249 Namjae Jeon (4): ksmbd: destroy expired sessions ksmbd: block asynchronous requests when making a delay on session setup ksmbd: fix deadlock in ksmbd_find_crypto_ctx() ksmbd: not allow guest user on multichannel fs/ksmbd/auth.c | 19 +++++----- fs/ksmbd/mgmt/user_session.c | 68 ++++++++++++++++++++---------------- fs/ksmbd/mgmt/user_session.h | 1 + fs/ksmbd/smb2pdu.c | 17 +++++++-- fs/ksmbd/smb2pdu.h | 2 ++ 5 files changed, 65 insertions(+), 42 deletions(-) -- 2.34.3

1 4

[PATCH OLK-5.10] netfilter: nf_tables: skip bound chain on rule flush
by Zhengchao Shao 09 Sep '23

09 Sep '23

From: Pablo Neira Ayuso <pablo(a)netfilter.org> stable inclusion from stable-v5.10.188 commit 30e5460d69e631c0e84db37dba2d8f98648778d4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7YIXI CVE: CVE-2023-3777 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ] Skip bound chain when flushing table rules, the rule that owns this chain releases these objects. Otherwise, the following warning is triggered: WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1 RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") Reported-by: Kevin Rich <kevinrich1337(a)gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3b2275b151a2..bbe6e7023683 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3516,6 +3516,8 @@ static int nf_tables_delrule(struct net *net, struct sock *nlsk, list_for_each_entry(chain, &table->chains, list) { if (!nft_is_active_next(net, chain)) continue; + if (nft_chain_is_bound(chain)) + continue; ctx.chain = chain; err = nft_delrule_by_chain(&ctx); -- 2.34.1

2 1

[PATCH openEuler-23.09] mm: gmem: Init gmem state counter
by Wupeng Ma 09 Sep '23

09 Sep '23

From: Ma Wupeng <mawupeng1(a)huawei.com> euleros inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7WLVX --------------------------------------------- Current gmem state counter is not init before use which will lead to null-ptr. Fix it by init it at start. Fixes: 46a7894b5e4c ("mm: gmem: Introduce GMEM") Signed-off-by: Ma Wupeng <mawupeng1(a)huawei.com> --- mm/gmem.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/mm/gmem.c b/mm/gmem.c index b6a36bec8668..a710869d04a9 100644 --- a/mm/gmem.c +++ b/mm/gmem.c @@ -77,6 +77,23 @@ void gmem_state_counter(enum gmem_stat_item item, int val) percpu_counter_add(&g_gmem_stats[item], val); } +static int gmem_stat_init(void) +{ + int i, rc; + + for (i = 0; i < NR_GMEM_STAT_ITEMS; i++) { + rc = percpu_counter_init(&g_gmem_stats[i], 0, GFP_KERNEL); + if (rc) { + for (i--; i >= 0; i--) + percpu_counter_destroy(&g_gmem_stats[i]); + + break; /* break the initialization process */ + } + } + + return rc; +} + #ifdef CONFIG_PROC_FS static int gmemstat_show(struct seq_file *m, void *arg) { @@ -121,6 +138,10 @@ static int __init gmem_init(void) if (err) goto free_ctx; + err = gmem_stat_init(); + if (err) + goto free_ctx; + prefetch_wq = alloc_workqueue("prefetch", __WQ_LEGACY | WQ_UNBOUND | WQ_HIGHPRI | WQ_CPU_INTENSIVE, GM_WORK_CONCURRENCY); if (!prefetch_wq) { -- 2.25.1

2 1