
Kernel

kernel@openeuler.org

  • 24 participants
  • 20253 discussions
[openeuler:openEuler-1.0-LTS 9406/23766] kernel/time/.tmp_posix-cpu-timers.o: warning: objtool: set_process_cpu_timer()+0xc7: unreachable instruction
by kernel test robot 25 Sep '24

25 Sep '24
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head: ecca3ab84cbf3cf5ec32574bcec8a068e79d14df
commit: 36ff49c95a04513935898fdcd4bc37646b2dc459 [9406/23766] posix-cpu-timers: Sanitize bogus WARNONS
config: x86_64-buildonly-randconfig-002-20240923 (https://download.01.org/0day-ci/archive/20240925/202409251901.etAiBSp6-lkp@…)
compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240925/202409251901.etAiBSp6-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409251901.etAiBSp6-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> kernel/time/.tmp_posix-cpu-timers.o: warning: objtool: set_process_cpu_timer()+0xc7: unreachable instruction

objdump-func vmlinux.o set_process_cpu_timer:
0000 000000000011ca20 <set_process_cpu_timer>:
0000 11ca20: f3 0f 1e fa endbr64
0004 11ca24: 83 fe 02 cmp $0x2,%esi
0007 11ca27: 0f 83 82 00 00 00 jae 11caaf <set_process_cpu_timer+0x8f>
000d 11ca2d: 41 57 push %r15
000f 11ca2f: 41 56 push %r14
0011 11ca31: 53 push %rbx
0012 11ca32: 49 89 ce mov %rcx,%r14
0015 11ca35: 48 89 d3 mov %rdx,%rbx
0018 11ca38: 48 89 f8 mov %rdi,%rax
001b 11ca3b: 48 8b 8f a8 05 00 00 mov 0x5a8(%rdi),%rcx
0022 11ca42: 89 f2 mov %esi,%edx
0024 11ca44: 48 8d 14 52 lea (%rdx,%rdx,2),%rdx
0028 11ca48: 4c 8d bc d1 88 02 00 00 lea 0x288(%rcx,%rdx,8),%r15
0030 11ca50: 89 f7 mov %esi,%edi
0032 11ca52: 48 89 c6 mov %rax,%rsi
0035 11ca55: ba 01 00 00 00 mov $0x1,%edx
003a 11ca5a: e8 41 09 00 00 call 11d3a0 <cpu_clock_sample_group>
003f 11ca5f: 4d 85 f6 test %r14,%r14
0042 11ca62: 74 2c je 11ca90 <set_process_cpu_timer+0x70>
0044 11ca64: 49 8b 0e mov (%r14),%rcx
0047 11ca67: 48 85 c9 test %rcx,%rcx
004a 11ca6a: 74 0f je 11ca7b <set_process_cpu_timer+0x5b>
004c 11ca6c: 48 29 c1 sub %rax,%rcx
004f 11ca6f: ba 00 09 3d 00 mov $0x3d0900,%edx
0054 11ca74: 48 0f 47 d1 cmova %rcx,%rdx
0058 11ca78: 49 89 16 mov %rdx,(%r14)
005b 11ca7b: 48 8b 0b mov (%rbx),%rcx
005e 11ca7e: 48 85 c9 test %rcx,%rcx
0061 11ca81: 74 23 je 11caa6 <set_process_cpu_timer+0x86>
0063 11ca83: 48 01 c1 add %rax,%rcx
0066 11ca86: 48 89 0b mov %rcx,(%rbx)
0069 11ca89: 49 3b 0f cmp (%r15),%rcx
006c 11ca8c: 72 0a jb 11ca98 <set_process_cpu_timer+0x78>
006e 11ca8e: eb 0b jmp 11ca9b <set_process_cpu_timer+0x7b>
0070 11ca90: 48 8b 0b mov (%rbx),%rcx
0073 11ca93: 49 3b 0f cmp (%r15),%rcx
0076 11ca96: 73 03 jae 11ca9b <set_process_cpu_timer+0x7b>
0078 11ca98: 49 89 0f mov %rcx,(%r15)
007b 11ca9b: 5b pop %rbx
007c 11ca9c: 41 5e pop %r14
007e 11ca9e: 41 5f pop %r15
0080 11caa0: 2e e9 00 00 00 00 cs jmp 11caa6 <set_process_cpu_timer+0x86> 11caa2: R_X86_64_PLT32 __x86_return_thunk-0x4
0086 11caa6: 31 c9 xor %ecx,%ecx
0088 11caa8: 49 3b 0f cmp (%r15),%rcx
008b 11caab: 72 eb jb 11ca98 <set_process_cpu_timer+0x78>
008d 11caad: eb ec jmp 11ca9b <set_process_cpu_timer+0x7b>
008f 11caaf: 0f 0b ud2
0091 11cab1: 2e e9 00 00 00 00 cs jmp 11cab7 <set_process_cpu_timer+0x97> 11cab3: R_X86_64_PLT32 __x86_return_thunk-0x4
0097 11cab7: 66 0f 1f 84 00 00 00 00 00 nopw 0x0(%rax,%rax,1)

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] powerpc/qspinlock: Fix deadlock in MCS queue
by Yongqiang Liu 25 Sep '24

25 Sep '24
From: "Nysal Jan K.A" <nysal(a)linux.ibm.com>

stable inclusion
from stable-v6.6.51
commit d84ab6661e8d09092de9b034b016515ef9b66085
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYD6
CVE: CVE-2024-46797

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 734ad0af3609464f8f93e00b6c0de1e112f44559 upstream.

If an interrupt occurs in queued_spin_lock_slowpath() after we increment
qnodesp->count and before node->lock is initialized, another CPU might
see stale lock values in get_tail_qnode(). If the stale lock value happens
to match the lock on that CPU, then we write to the "next" pointer of
the wrong qnode. This causes a deadlock as the former CPU, once it becomes
the head of the MCS queue, will spin indefinitely until its "next" pointer
is set by its successor in the queue.

Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in
occasional lockups similar to the following:

  $ stress-ng --all 128 --vm-bytes 80% --aggressive \
              --maximize --oomable --verify --syslog \
              --metrics --times --timeout 5m

  watchdog: CPU 15 Hard LOCKUP
  ......
  NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490
  LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
  Call Trace:
   0xc000002cfffa3bf0 (unreliable)
   _raw_spin_lock+0x6c/0x90
   raw_spin_rq_lock_nested.part.135+0x4c/0xd0
   sched_ttwu_pending+0x60/0x1f0
   __flush_smp_call_function_queue+0x1dc/0x670
   smp_ipi_demux_relaxed+0xa4/0x100
   xive_muxed_ipi_action+0x20/0x40
   __handle_irq_event_percpu+0x80/0x240
   handle_irq_event_percpu+0x2c/0x80
   handle_percpu_irq+0x84/0xd0
   generic_handle_irq+0x54/0x80
   __do_irq+0xac/0x210
   __do_IRQ+0x74/0xd0
   0x0
   do_IRQ+0x8c/0x170
   hardware_interrupt_common_virt+0x29c/0x2a0
  --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490
  ......
  NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490
  LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
  --- interrupt: 500
   0xc0000029c1a41d00 (unreliable)
   _raw_spin_lock+0x6c/0x90
   futex_wake+0x100/0x260
   do_futex+0x21c/0x2a0
   sys_futex+0x98/0x270
   system_call_exception+0x14c/0x2f0
   system_call_vectored_common+0x15c/0x2ec

The following code flow illustrates how the deadlock occurs.
For the sake of brevity, assume that both locks (A and B) are
contended and we call the queued_spin_lock_slowpath() function.

        CPU0                                   CPU1
        ----                                   ----
  spin_lock_irqsave(A)                          |
  spin_unlock_irqrestore(A)                     |
    spin_lock(B)                                |
         |                                      |
         ▼                                      |
   id = qnodesp->count++;                       |
  (Note that nodes[0].lock == A)                |
         |                                      |
         ▼                                      |
      Interrupt                                 |
  (happens before "nodes[0].lock = B")          |
         |                                      |
         ▼                                      |
  spin_lock_irqsave(A)                          |
         |                                      |
         ▼                                      |
   id = qnodesp->count++                        |
   nodes[1].lock = A                            |
         |                                      |
         ▼                                      |
  Tail of MCS queue                             |
         |                             spin_lock_irqsave(A)
         ▼                                      |
  Head of MCS queue                             ▼
         |                             CPU0 is previous tail
         ▼                                      |
   Spin indefinitely                            ▼
  (until "nodes[1].next != NULL")      prev = get_tail_qnode(A, CPU0)
                                                |
                                                ▼
                                       prev == &qnodes[CPU0].nodes[0]
                                     (as qnodes[CPU0].nodes[0].lock == A)
                                                |
                                                ▼
                                       WRITE_ONCE(prev->next, node)
                                                |
                                                ▼
                                        Spin indefinitely
                                     (until nodes[0].locked == 1)

Thanks to Saket Kumar Bhaskar for help with recreating the issue

Fixes: 84990b169557 ("powerpc/qspinlock: add mcs queueing for contended waiters")
Cc: stable(a)vger.kernel.org # v6.2+
Reported-by: Geetika Moolchandani <geetika(a)linux.ibm.com>
Reported-by: Vaishnavi Bhat <vaish123(a)in.ibm.com>
Reported-by: Jijo Varghese <vargjijo(a)in.ibm.com>
Signed-off-by: Nysal Jan K.A. <nysal(a)linux.ibm.com>
Reviewed-by: Nicholas Piggin <npiggin(a)gmail.com>
Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au>
Link: https://msgid.link/20240829022830.1164355-1-nysal@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com>
---
 arch/powerpc/lib/qspinlock.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/lib/qspinlock.c b/arch/powerpc/lib/qspinlock.c index 6dd2f46bd3ef..8830267789c9 100644 --- a/arch/powerpc/lib/qspinlock.c +++ b/arch/powerpc/lib/qspinlock.c @@ -715,7 +715,15 @@ static __always_inline void queued_spin_lock_mcs_queue(struct qspinlock *lock, b } release: - qnodesp->count--; /* release the node */ + /* + * Clear the lock before releasing the node, as another CPU might see stale + * values if an interrupt occurs after we increment qnodesp->count + * but before node->lock is initialized. The barrier ensures that + * there are no further stores to the node after it has been released. + */ + node->lock = NULL; + barrier(); + qnodesp->count--; } void queued_spin_lock_slowpath(struct qspinlock *lock) -- 2.25.1
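Review bot: in the release: path of queued_spin_lock_mcs_queue(), the new comment motivates the change with another CPU seeing stale values, but barrier() only constrains the compiler, so the comment should name the ordering it is relied on for. Going by the comment's last sentence, what must hold is that the store node->lock = NULL is not moved past qnodesp->count--, after which an interrupt on this CPU may claim the same slot; saying that explicitly would keep a later reader from assuming barrier() provides cross-CPU ordering. The dropped /* release the node */ remark could also stay on the qnodesp->count-- line, since the label alone does not say what the decrement means.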
[PATCH OLK-6.6] uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
by Cai Xinchen 25 Sep '24

25 Sep '24
From: Saurabh Sengar <ssengar(a)linux.microsoft.com> stable inclusion from stable-v6.6.51 commit de6946be9c8bc7d2279123433495af7c21011b99 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWG0 CVE: CVE-2024-46739 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e upstream. For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel. Cc: stable(a)vger.kernel.org Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support") Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240829071312.1595-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/uio/uio_hv_generic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 6be3462b109f..94a1fe82e4d5 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -104,10 +104,11 @@ static void hv_uio_channel_cb(void *context) /* * Callback from vmbus_event when channel is rescinded. + * It is meant for rescind of primary channels only. */ static void hv_uio_rescind(struct vmbus_channel *channel) { - struct hv_device *hv_dev = channel->primary_channel->device_obj; + struct hv_device *hv_dev = channel->device_obj; struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev); /* -- 2.34.1
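Review bot: hv_uio_rescind() now depends on being called only for primary channels, but that is recorded only in the comment above the function and nothing in the body checks it. Since the changelog states that primary_channel is NULL for primary channels and valid only for secondary ones, a WARN_ON_ONCE(channel->primary_channel) style check ahead of the channel->device_obj read would make a misuse visible instead of silently using a sub-channel's device_obj.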
[PATCH openEuler-1.0-LTS] uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
by Cai Xinchen 25 Sep '24

25 Sep '24
From: Saurabh Sengar <ssengar(a)linux.microsoft.com> stable inclusion from stable-v4.19.322 commit 3d414b64ecf6fd717d7510ffb893c6f23acbf50e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWG0 CVE: CVE-2024-46739 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e upstream. For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel. Cc: stable(a)vger.kernel.org Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support") Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240829071312.1595-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/uio/uio_hv_generic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index b58e7c582d3f..0899e12adc1d 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -104,10 +104,11 @@ static void hv_uio_channel_cb(void *context) /* * Callback from vmbus_event when channel is rescinded. + * It is meant for rescind of primary channels only. */ static void hv_uio_rescind(struct vmbus_channel *channel) { - struct hv_device *hv_dev = channel->primary_channel->device_obj; + struct hv_device *hv_dev = channel->device_obj; struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev); /* -- 2.34.1
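Review bot: the comment line added above hv_uio_rescind() says the callback is for primary channels only, but not why channel->device_obj is the right source; that reason (primary_channel is always NULL on a primary channel) lives only in the changelog. Putting that one fact into the function comment would keep someone from restoring the channel->primary_channel->device_obj form later.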
[PATCH OLK-5.10] uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
by Cai Xinchen 25 Sep '24

25 Sep '24
From: Saurabh Sengar <ssengar(a)linux.microsoft.com> stable inclusion from stable-v5.10.226 commit 1d8e020e51ab07e40f9dd00b52f1da7d96fec04c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWG0 CVE: CVE-2024-46739 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e upstream. For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel. Cc: stable(a)vger.kernel.org Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support") Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Signed-off-by: Naman Jain <namjain(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240829071312.1595-2-namjain@linux.microsoft.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Cai Xinchen <caixinchen1(a)huawei.com> --- drivers/uio/uio_hv_generic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 4abd8e20fb5b..4c43cc9a25c0 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -104,10 +104,11 @@ static void hv_uio_channel_cb(void *context) /* * Callback from vmbus_event when channel is rescinded. + * It is meant for rescind of primary channels only. */ static void hv_uio_rescind(struct vmbus_channel *channel) { - struct hv_device *hv_dev = channel->primary_channel->device_obj; + struct hv_device *hv_dev = channel->device_obj; struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev); /* -- 2.34.1
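Review bot: the changelog describes the fix as retrieving device_obj "from the parent for the primary channel", while the changed line in hv_uio_rescind() reads channel->device_obj from the channel that was passed in; the wording and the code should agree on whether the argument is itself the primary channel. The unchanged next line hands hv_dev straight to hv_get_drvdata(), so it is worth confirming for this branch that device_obj cannot be NULL when the rescind callback runs.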
[PATCH openEuler-1.0-LTS v3] tools: fix implicit declaration of function __ALIGN_KERNEL
by Long Li 25 Sep '24

25 Sep '24
hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAQOJ9 CVE: NA ---------------------------------------- After mergerd commit "bitmap: introduce generic optimizedbitmap_size()", When compiling tools/perf, I encountered the following error. I reverted the changes that added bitmap_size() in tools/include/linux/bitmap.h. There are no functional changes. error: implicit declaration of function \ ‘__ALIGN_KERNEL’ [-Werror=implicit-function-declaration] #define ALIGN(x, a) __ALIGN_KERNEL((x), (a)) Fixes: 9e8111c56a25 ("bitmap: introduce generic optimized bitmap_size()") Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- tools/include/linux/bitmap.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/include/linux/bitmap.h b/tools/include/linux/bitmap.h index 3aeeb60f1988..3517972c259e 100644 --- a/tools/include/linux/bitmap.h +++ b/tools/include/linux/bitmap.h @@ -27,14 +27,14 @@ int __bitmap_and(unsigned long *dst, const unsigned long *bitmap1, #define small_const_nbits(nbits) \ (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG) -#define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE) - static inline void bitmap_zero(unsigned long *dst, int nbits) { if (small_const_nbits(nbits)) *dst = 0UL; else { - memset(dst, 0, bitmap_size(nbits)); + int len = BITS_TO_LONGS(nbits) * sizeof(unsigned long); + + memset(dst, 0, len); } } @@ -120,7 +120,7 @@ static inline int test_and_clear_bit(int nr, unsigned long *addr) */ static inline unsigned long *bitmap_alloc(int nbits) { - return calloc(1, bitmap_size(nbits)); + return calloc(1, BITS_TO_LONGS(nbits) * sizeof(unsigned long)); } /* -- 2.31.1
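Review bot: the size expression BITS_TO_LONGS(nbits) * sizeof(unsigned long) is now open-coded twice, once in bitmap_zero() and once in bitmap_alloc(). Keeping a bitmap_size(nbits) macro but defining it with BITS_TO_LONGS() instead of ALIGN() would remove the __ALIGN_KERNEL dependency that breaks the tools/perf build and still leave a single definition of the size for both callers.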
[PATCH] selinux,smack: don't bypass permissions check in inode_setsecctx hook
by GONG Ruiqi 25 Sep '24

25 Sep '24
From: Scott Mayhew <smayhew(a)redhat.com> commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7 upstream. Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled. The end of the kerneldoc comment for __vfs_setxattr_noperm() states: * This function requires the caller to lock the inode's i_mutex before it * is executed. It also assumes that the caller will make the appropriate * permission checks. nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks do. Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label. Cc: stable(a)kernel.org Reported-by: Marek Gresko <marek.gresko(a)protonmail.com> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809 Signed-off-by: Scott Mayhew <smayhew(a)redhat.com> Tested-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Reviewed-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Acked-by: Casey Schaufler <casey(a)schaufler-ca.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- security/selinux/hooks.c | 4 ++-- security/smack/smack_lsm.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d32d16d75795..d4a99d98ec77 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -6553,8 +6553,8 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen */ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, - ctx, ctxlen, 0); + return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, + ctx, ctxlen, 0, NULL); } static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 49d9da878ac6..6b92e09d3f78 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4772,8 +4772,8 @@ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, - ctx, ctxlen, 0); + return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, + ctx, ctxlen, 0, NULL); } static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -- 2.25.1
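Review bot: both call sites, selinux_inode_setsecctx() and smack_inode_setsecctx(), pass a bare NULL as the new last argument of __vfs_setxattr_locked() with no comment. The changelog lists delegation recall as a benefit of the switch, so a one-line comment on what NULL means for that argument would help the next reader. This posting also carries no branch tag in the subject and none of the inclusion, category, bugzilla and CVE header lines that the other postings of this change include.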
[PATCH OLK-5.10] selinux,smack: don't bypass permissions check in inode_setsecctx hook
by GONG Ruiqi 25 Sep '24

25 Sep '24
From: Scott Mayhew <smayhew(a)redhat.com>

mainline inclusion
from mainline-v6.11-rc6
commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4JE
CVE: CVE-2024-46695

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

 *  This function requires the caller to lock the inode's i_mutex before it
 *  is executed. It also assumes that the caller will make the appropriate
 *  permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don't do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks do.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.

Cc: stable(a)kernel.org
Reported-by: Marek Gresko <marek.gresko(a)protonmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809
Signed-off-by: Scott Mayhew <smayhew(a)redhat.com>
Tested-by: Stephen Smalley <stephen.smalley.work(a)gmail.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work(a)gmail.com>
Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com>
Reviewed-by: Jeff Layton <jlayton(a)kernel.org>
Acked-by: Casey Schaufler <casey(a)schaufler-ca.com>
Signed-off-by: Paul Moore <paul(a)paul-moore.com> Conflicts: security/selinux/hooks.c security/smack/smack_lsm.c [Due to the lack of mnt_idmap feature in 5.10, which brings a new input argument for both __vfs_setxattr_locked/noperm().] Signed-off-by: GONG Ruiqi <gongruiqi1(a)huawei.com> --- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fac2029437c7..3559303272e8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6556,7 +6556,7 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen */ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0); + return __vfs_setxattr_locked(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0, NULL); } static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index d35a61e7b7b9..41bf2ed19f7b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4626,7 +4626,7 @@ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); + return __vfs_setxattr_locked(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0, NULL); } static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -- 2.25.1
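Review bot: the Conflicts note accounts for the missing idmap argument but not for behaviour: the two replaced calls in selinux_inode_setsecctx() and smack_inode_setsecctx() only fix the issue if the 5.10 __vfs_setxattr_locked() performs the permission checks the upstream message relies on. The note should state that this was verified for this tree, not only that the signature differs.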
[PATCH OLK-6.6] selinux,smack: don't bypass permissions check in inode_setsecctx hook
by GONG Ruiqi 25 Sep '24

25 Sep '24
From: Scott Mayhew <smayhew(a)redhat.com>

stable inclusion
from stable-v6.6.49
commit 459584258d47ec3cc6245a82e8a49c9d08eb8b57
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4JE
CVE: CVE-2024-46695

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7 upstream.

Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

 *  This function requires the caller to lock the inode's i_mutex before it
 *  is executed. It also assumes that the caller will make the appropriate
 *  permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don't do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks do.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.

Cc: stable(a)kernel.org
Reported-by: Marek Gresko <marek.gresko(a)protonmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809
Signed-off-by: Scott Mayhew <smayhew(a)redhat.com>
Tested-by: Stephen Smalley <stephen.smalley.work(a)gmail.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work(a)gmail.com>
Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com>
Reviewed-by: Jeff Layton <jlayton(a)kernel.org>
Acked-by: Casey Schaufler <casey(a)schaufler-ca.com>
Signed-off-by: Paul Moore <paul(a)paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: GONG Ruiqi <gongruiqi1(a)huawei.com> --- security/selinux/hooks.c | 4 ++-- security/smack/smack_lsm.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 53cfeefb2f19..8b8e7bab93a7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6543,8 +6543,8 @@ static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen */ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, - ctx, ctxlen, 0); + return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX, + ctx, ctxlen, 0, NULL); } static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e1e297deb02e..87359b805377 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4770,8 +4770,8 @@ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) { - return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, - ctx, ctxlen, 0); + return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, + ctx, ctxlen, 0, NULL); } static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) -- 2.25.1
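Review bot: neither selinux_inode_setsecctx() nor smack_inode_setsecctx() documents that its caller must hold the inode lock, although the kerneldoc quoted in the changelog makes that a requirement of the function being replaced and the replacement is the _locked variant. A sentence in the comment above each hook stating the locking requirement, and that nfsd_setattr() is the only consumer, would make the contract checkable at the call site.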
[PATCH openEuler-1.0-LTS v2] tools: fix implicit declaration of function __ALIGN_KERNEL
by Long Li 25 Sep '24

25 Sep '24
hulk inclusion category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAQOJ9 CVE: NA ---------------------------------------- After mergerd commit "bitmap: introduce generic optimizedbitmap_size()", When compiling tools/perf, I encountered the following error. I reverted the changes that added bitmap_size() in tools/include/linux/bitmap.h. There are no functional changes. error: implicit declaration of function \ ‘__ALIGN_KERNEL’ [-Werror=implicit-function-declaration] #define ALIGN(x, a) __ALIGN_KERNEL((x), (a)) Fixes: 9e8111c56a25 ("bitmap: introduce generic optimized bitmap_size()") Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- tools/include/linux/bitmap.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/include/linux/bitmap.h b/tools/include/linux/bitmap.h index 3aeeb60f1988..3517972c259e 100644 --- a/tools/include/linux/bitmap.h +++ b/tools/include/linux/bitmap.h @@ -27,14 +27,14 @@ int __bitmap_and(unsigned long *dst, const unsigned long *bitmap1, #define small_const_nbits(nbits) \ (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG) -#define bitmap_size(nbits) (ALIGN(nbits, BITS_PER_LONG) / BITS_PER_BYTE) - static inline void bitmap_zero(unsigned long *dst, int nbits) { if (small_const_nbits(nbits)) *dst = 0UL; else { - memset(dst, 0, bitmap_size(nbits)); + int len = BITS_TO_LONGS(nbits) * sizeof(unsigned long); + + memset(dst, 0, len); } } @@ -120,7 +120,7 @@ static inline int test_and_clear_bit(int nr, unsigned long *addr) */ static inline unsigned long *bitmap_alloc(int nbits) { - return calloc(1, bitmap_size(nbits)); + return calloc(1, BITS_TO_LONGS(nbits) * sizeof(unsigned long)); } /* -- 2.31.1
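Review bot: in bitmap_zero(), int len receives BITS_TO_LONGS(nbits) * sizeof(unsigned long), which is a size_t expression, and is then passed to memset() as the length. Declaring it size_t len avoids the narrowing conversion and matches the unchanged calloc() call in bitmap_alloc(), which uses the same expression without an int temporary.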