Kernel

kernel@openeuler.org

  • 18 participants
  • 18502 discussions
[PATCH openEuler-1.0-LTS V1] ipc: fix to protect IPCS lookups using RCU
by Wang Tao 04 Jun '25
From: Jeongjun Park <aha310510(a)gmail.com>

mainline inclusion
from mainline-v6.16-rc1
commit d66adabe91803ef34a8b90613c81267b5ded1472
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/ICCDPO
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

syzbot reported that it discovered a use-after-free vulnerability, [0]

[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/

idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by an RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read.

Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().

Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com
Fixes: b34a6b1da371 ("ipc: introduce shm_rmid_forced sysctl")
Signed-off-by: Jeongjun Park <aha310510(a)gmail.com>
Reported-by: syzbot+a2b84e569d06ca3a949c(a)syzkaller.appspotmail.com
Cc: Jeongjun Park <aha310510(a)gmail.com>
Cc: Liam Howlett <liam.howlett(a)oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org>
Cc: Vasiliy Kulikov <segoon(a)openwall.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Wang Tao <wangtao554(a)huawei.com>
---
 ipc/shm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index 0a5053f5726f..14282b7f9800 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -417,8 +417,11 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data) void shm_destroy_orphaned(struct ipc_namespace *ns) { down_write(&shm_ids(ns).rwsem); - if (shm_ids(ns).in_use) + if (shm_ids(ns).in_use) { + rcu_read_lock(); idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); + rcu_read_unlock(); + } up_write(&shm_ids(ns).rwsem); } -- 2.34.1
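Review bot: the callback shm_try_destroy_orphaned() now runs inside an RCU read-side critical section in addition to the write-held rwsem, so neither it nor anything it calls may sleep; the hunk is applied unchanged from the v6.16-rc1 commit, and the openEuler-1.0-LTS version of that callback can differ from mainline, so the backport header should state that this was checked on this branch. A one-line comment above rcu_read_lock() saying that idr_for_each() walks radix-tree nodes freed via call_rcu() (the reason given in the description) would also stop a later reader from dropping the lock as redundant with the rwsem.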
[PATCH OLK-5.10 V1] ipc: fix to protect IPCS lookups using RCU
by Wang Tao 04 Jun '25
From: Jeongjun Park <aha310510(a)gmail.com>

mainline inclusion
from mainline-v6.16-rc1
commit d66adabe91803ef34a8b90613c81267b5ded1472
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/ICCDPO
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

syzbot reported that it discovered a use-after-free vulnerability, [0]

[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/

idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by an RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read.

Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().

Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com
Fixes: b34a6b1da371 ("ipc: introduce shm_rmid_forced sysctl")
Signed-off-by: Jeongjun Park <aha310510(a)gmail.com>
Reported-by: syzbot+a2b84e569d06ca3a949c(a)syzkaller.appspotmail.com
Cc: Jeongjun Park <aha310510(a)gmail.com>
Cc: Liam Howlett <liam.howlett(a)oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org>
Cc: Vasiliy Kulikov <segoon(a)openwall.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Wang Tao <wangtao554(a)huawei.com>
---
 ipc/shm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index b418731d66e8..323a5810a947 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -417,8 +417,11 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data) void shm_destroy_orphaned(struct ipc_namespace *ns) { down_write(&shm_ids(ns).rwsem); - if (shm_ids(ns).in_use) + if (shm_ids(ns).in_use) { + rcu_read_lock(); idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); + rcu_read_unlock(); + } up_write(&shm_ids(ns).rwsem); } -- 2.34.1
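Review bot: taking rcu_read_lock() while the rwsem is already held for write is fine, but the new braces make the RCU section cover every call made from shm_try_destroy_orphaned(), so the OLK-5.10 version of that callback must not block; please add a line to the backport header confirming this was verified on 5.10 rather than only on mainline. The hunk is otherwise identical to the openEuler-1.0-LTS and OLK-6.6 submissions, so a single shared note in the header about how the fix was tested (the syzbot report at [0] is the only reference given) would help whoever reviews all three.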
[PATCH OLK-6.6 V1] ipc: fix to protect IPCS lookups using RCU
by Wang Tao 04 Jun '25
From: Jeongjun Park <aha310510(a)gmail.com>

mainline inclusion
from mainline-v6.16-rc1
commit d66adabe91803ef34a8b90613c81267b5ded1472
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/ICCDPO
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

syzbot reported that it discovered a use-after-free vulnerability, [0]

[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/

idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by an RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read.

Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned().

Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com
Fixes: b34a6b1da371 ("ipc: introduce shm_rmid_forced sysctl")
Signed-off-by: Jeongjun Park <aha310510(a)gmail.com>
Reported-by: syzbot+a2b84e569d06ca3a949c(a)syzkaller.appspotmail.com
Cc: Jeongjun Park <aha310510(a)gmail.com>
Cc: Liam Howlett <liam.howlett(a)oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com>
Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org>
Cc: Vasiliy Kulikov <segoon(a)openwall.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Wang Tao <wangtao554(a)huawei.com>
---
 ipc/shm.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index 0a02bc6d7cdf..fdc248663b2b 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -430,8 +430,11 @@ static int shm_try_destroy_orphaned(int id, void *p, void *data) void shm_destroy_orphaned(struct ipc_namespace *ns) { down_write(&shm_ids(ns).rwsem); - if (shm_ids(ns).in_use) + if (shm_ids(ns).in_use) { + rcu_read_lock(); idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); + rcu_read_unlock(); + } up_write(&shm_ids(ns).rwsem); } -- 2.34.1
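Review bot: the justification for this hunk lives entirely in the description (idr_for_each() can free radix-tree nodes through call_rcu() while the walk continues), and nothing in the code says so; add a short comment at the rcu_read_lock() so the pairing with the rwsem is not mistaken for double locking. Since this is the OLK-6.6 variant at a shifted offset (@@ -430), the header should also confirm that shm_try_destroy_orphaned() on 6.6 does not sleep, because the RCU section now encloses its calls.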
[PATCH OLK-6.6] dlm: prevent NPD when writing a positive value to event_done
by Xia Fukun 04 Jun '25
From: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com>

mainline inclusion
from mainline-v6.15-rc1
commit 8e2bad543eca5c25cd02cbc63d72557934d45f13
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC1QSS
CVE: CVE-2025-23131
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

--------------------------------

do_uevent returns the value written to event_done. In case it is a positive value, new_lockspace would undo all the work, and lockspace would not be set. __dlm_new_lockspace, however, would treat that positive value as a success due to commit 8511a2728ab8 ("dlm: fix use count with multiple joins"). Down the line, device_create_lockspace would pass that NULL lockspace to dlm_find_lockspace_local, leading to a NULL pointer dereference.

Treating such positive values as successes prevents the problem. Given this has been broken for so long, this is unlikely to break userspace expectations.

Fixes: 8511a2728ab8 ("dlm: fix use count with multiple joins")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com>
Signed-off-by: David Teigland <teigland(a)redhat.com>
Signed-off-by: Xia Fukun <xiafukun(a)huawei.com>
---
 fs/dlm/lockspace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
index 0455dddb0797..81fa59be7808 100644
--- a/fs/dlm/lockspace.c
+++ b/fs/dlm/lockspace.c
@@ -631,7 +631,7 @@ static int new_lockspace(const char *name, const char *cluster, lockspace to start running (via sysfs) in dlm_ls_start(). */ error = do_uevent(ls, 1); - if (error) + if (error < 0) goto out_recoverd; /* wait until recovery is successful or failed */ -- 2.34.1
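Review bot: changing `if (error)` to `if (error < 0)` makes a positive value written to event_done count as success at this call site, which matches what the description says __dlm_new_lockspace already does, but the hunk leaves no trace of that intent in the code; a one-line comment such as `/* positive values written to event_done are not errors */` would keep a later reader from "fixing" it back to a bare truthiness test. It is also worth checking whether the other do_uevent() caller on the lockspace release path interprets a positive return the same way, since only the create path is touched here.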
[PATCH OLK-6.6 0/2] tracing: Fix oob write in trace_seq_to_buffer()
by Pan Taixi 04 Jun '25
Fix the issue where trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf.

Jeongjun Park (1):
  tracing: Fix oob write in trace_seq_to_buffer()

Pan Taixi (1):
  tracing: Fix compilation warning on arm32

 kernel/trace/trace.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.34.1
[PATCH OLK-5.10 0/2] tracing: Fix oob write in trace_seq_to_buffer()
by Pan Taixi 04 Jun '25
Fix the issue where trace_seq_to_buffer() tries to copy more data than PAGE_SIZE to buf.

Jeongjun Park (1):
  tracing: Fix oob write in trace_seq_to_buffer()

Pan Taixi (1):
  tracing: Fix compilation warning on arm32

 kernel/trace/trace.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

-- 
2.34.1
[PATCH openEuler-1.0-LTS] module: ensure that kobject_put() is safe for module type kobjects
by Pan Taixi 04 Jun '25
From: Dmitry Antipov <dmantipov(a)yandex.ru>

stable inclusion
from stable-v5.15.183
commit f1c71b4bd721a4ea21da408806964b10468623f2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICBIZQ
CVE: CVE-2025-37995
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit a6aeb739974ec73e5217c75a7c008a688d3d5cf1 upstream.

In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So a call to 'kobject_put()' on the error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release the kobject without the extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

Reported-by: syzbot+7fb8a372e1f6add936dd(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7fb8a372e1f6add936dd
Fixes: 942e443127e9 ("module: Fix mod->mkobj.kobj potentially freed too early")
Cc: stable(a)vger.kernel.org
Suggested-by: Petr Pavlu <petr.pavlu(a)suse.com>
Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru>
Link: https://lore.kernel.org/r/20250507065044.86529-1-dmantipov@yandex.ru
Signed-off-by: Petr Pavlu <petr.pavlu(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Pan Taixi <pantaixi1(a)huawei.com>
---
 kernel/params.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/params.c b/kernel/params.c
index 8299bd764e42e7..1b856942d82d40 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -945,7 +945,9 @@ int module_sysfs_initialized; static void module_kobj_release(struct kobject *kobj) { struct module_kobject *mk = to_module_kobject(kobj); - complete(mk->kobj_completion); + + if (mk->kobj_completion) + complete(mk->kobj_completion); } struct kobj_type module_ktype = { -- cgit 1.2.3-korg
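Review bot: the `if (mk->kobj_completion)` guard only helps if the struct module_kobject allocated by lookup_or_create_module_kobject() is zero-initialised on openEuler-1.0-LTS, so that the pointer is NULL rather than uninitialised as the description words it; the hunk does not show the allocation, so the backport header should say this was verified on this branch. The index line 8299bd764e42e7..1b856942d82d40 is also copied from the stable-v5.15.183 commit rather than taken from this tree's kernel/params.c, which git am tolerates but which means the context lines (`int module_sysfs_initialized;`, non-const `struct kobj_type module_ktype`) need to be confirmed against the 1.0-LTS file.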
[PATCH OLK-6.6] module: ensure that kobject_put() is safe for module type kobjects
by Pan Taixi 04 Jun '25
From: Dmitry Antipov <dmantipov(a)yandex.ru>

stable inclusion
from stable-v6.6.91
commit faa9059631d3491d699c69ecf512de9e1a3d6649
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICBIZQ
CVE: CVE-2025-37995
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit a6aeb739974ec73e5217c75a7c008a688d3d5cf1 upstream.

In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So a call to 'kobject_put()' on the error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release the kobject without the extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

Reported-by: syzbot+7fb8a372e1f6add936dd(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7fb8a372e1f6add936dd
Fixes: 942e443127e9 ("module: Fix mod->mkobj.kobj potentially freed too early")
Cc: stable(a)vger.kernel.org
Suggested-by: Petr Pavlu <petr.pavlu(a)suse.com>
Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru>
Link: https://lore.kernel.org/r/20250507065044.86529-1-dmantipov@yandex.ru
Signed-off-by: Petr Pavlu <petr.pavlu(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Pan Taixi <pantaixi1(a)huawei.com>
---
 kernel/params.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/params.c b/kernel/params.c
index c7aed3c51cd538..e39ac5420cd6dc 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -945,7 +945,9 @@ struct kset *module_kset; static void module_kobj_release(struct kobject *kobj) { struct module_kobject *mk = to_module_kobject(kobj); - complete(mk->kobj_completion); + + if (mk->kobj_completion) + complete(mk->kobj_completion); } const struct kobj_type module_ktype = { -- cgit 1.2.3-korg
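Review bot: guarding complete() inside module_kobj_release() is the right place for the fix, since that release callback is shared by real modules and by the internal kobjects from lookup_or_create_module_kobject(); what the hunk lacks is a short comment stating why kobj_completion can legitimately be NULL (the description explains it, the code does not), which would prevent someone from later treating a NULL completion as a bug and adding a WARN there. The added blank line after the declaration is fine stylistically.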
[PATCH OLK-5.10] module: ensure that kobject_put() is safe for module type kobjects
by Pan Taixi 04 Jun '25
From: Dmitry Antipov <dmantipov(a)yandex.ru>

stable inclusion
from stable-v5.15.183
commit f1c71b4bd721a4ea21da408806964b10468623f2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICBIZQ
CVE: CVE-2025-37995
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit a6aeb739974ec73e5217c75a7c008a688d3d5cf1 upstream.

In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So a call to 'kobject_put()' on the error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release the kobject without the extra synchronization required for a regular module unloading process, so adding an extra check whether 'complete()' is actually required makes 'kobject_put()' safe.

Reported-by: syzbot+7fb8a372e1f6add936dd(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7fb8a372e1f6add936dd
Fixes: 942e443127e9 ("module: Fix mod->mkobj.kobj potentially freed too early")
Cc: stable(a)vger.kernel.org
Suggested-by: Petr Pavlu <petr.pavlu(a)suse.com>
Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru>
Link: https://lore.kernel.org/r/20250507065044.86529-1-dmantipov@yandex.ru
Signed-off-by: Petr Pavlu <petr.pavlu(a)suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Pan Taixi <pantaixi1(a)huawei.com>
---
 kernel/params.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/params.c b/kernel/params.c
index 8299bd764e42e7..1b856942d82d40 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -945,7 +945,9 @@ int module_sysfs_initialized; static void module_kobj_release(struct kobject *kobj) { struct module_kobject *mk = to_module_kobject(kobj); - complete(mk->kobj_completion); + + if (mk->kobj_completion) + complete(mk->kobj_completion); } struct kobj_type module_ktype = { -- cgit 1.2.3-korg
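Review bot: this OLK-5.10 submission is byte-identical to the openEuler-1.0-LTS one, including the index line 8299bd764e42e7..1b856942d82d40 from stable-v5.15.183, so the index matches neither branch's kernel/params.c; either regenerate the patch against the OLK-5.10 tree or state in the header that the hunk was confirmed to apply with matching context (`int module_sysfs_initialized;`, non-const `struct kobj_type module_ktype`). The same caveat as for the other branches applies: the NULL check only protects the error path if kobj_completion starts out NULL for the internal kobject, which depends on how lookup_or_create_module_kobject() allocates it on 5.10, not on anything visible in this hunk.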
[PATCH OLK-6.6] dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature
by Xia Fukun 04 Jun '25
From: Kent Overstreet <kent.overstreet(a)linux.dev>

stable inclusion
from stable-v6.6.84
commit 818330f756f3800c37d738bd36bce60eac949938
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBY429
CVE: CVE-2025-21966
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit 57e9417f69839cb10f7ffca684c38acd28ceb57b upstream.

Fix memory corruption due to incorrect parameter being passed to bio_init

Signed-off-by: Kent Overstreet <kent.overstreet(a)linux.dev>
Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com>
Cc: stable(a)vger.kernel.org # v6.5+
Fixes: 1d9a94389853 ("dm flakey: clone pages on write bio before corrupting them")
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Xia Fukun <xiafukun(a)huawei.com>
---
 drivers/md/dm-flakey.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index 120153e44ae0..dc491dc771d7 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -426,7 +426,7 @@ static struct bio *clone_bio(struct dm_target *ti, struct flakey_c *fc, struct b if (!clone) return NULL; - bio_init(clone, fc->dev->bdev, bio->bi_inline_vecs, nr_iovecs, bio->bi_opf); + bio_init(clone, fc->dev->bdev, clone->bi_inline_vecs, nr_iovecs, bio->bi_opf); clone->bi_iter.bi_sector = flakey_map_sector(ti, bio->bi_iter.bi_sector); clone->bi_private = bio; -- 2.34.1
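Review bot: the one-token change is correct as far as the hunk shows, since with `bio->bi_inline_vecs` the clone's bvec table was being pointed at the original bio's inline vector storage, so populating the clone would scribble over the source bio's vectors; the commit message ("incorrect parameter being passed to bio_init") does not say that, and the openEuler header should add a sentence describing the mechanism and noting, as the subject does, that only the optional corrupt_bio_byte feature reaches clone_bio(), so reviewers of CVE-2025-21966 can judge exposure on OLK-6.6 without reading the whole file.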