- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 v2] io_uring: hold uring mutex around poll removal
by Zhong Jinghua 05 Jul '23

05 Jul '23

From: Jens Axboe <axboe(a)kernel.dk> stable inclusion from stable-v5.10.185 commit 4716c73b188566865bdd79c3a6709696a224ac04 category: bugfix bugzilla: 188954, https://gitee.com/src-openeuler/kernel/issues/I7GVI5?from=project-issue CVE: CVE-2023-3389 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------- Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream. While reworking the poll hashing in the v6.0 kernel, we ended up grabbing the ctx->uring_lock in poll update/removal. This also fixed a bug with linked timeouts racing with timeout expiry and poll removal. Bring back just the locking fix for that. Reported-and-tested-by: Querijn Voet <querijnqyn(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> --- v2: cve number modify. io_uring/io_uring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 67cb9d6ec4ac..f6af5ceb517e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -5811,6 +5811,8 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) struct io_kiocb *preq; int ret2, ret = 0; + io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + spin_lock(&ctx->completion_lock); preq = io_poll_find(ctx, req->poll_update.old_user_data, true); if (!preq || !io_poll_disarm(preq)) { @@ -5842,6 +5844,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) req_set_fail(req); /* complete update request, we're done with it */ io_req_complete(req, ret); + io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); return 0; } -- 2.31.1

2 1

[PATCH openEuler-1.0-LTS 0/5] jbd2: fix several checkpoint
by Zhihao Cheng 05 Jul '23

05 Jul '23

Zhang Yi (4): jbd2: remove journal_clean_one_cp_list() jbd2: fix a race when checking checkpoint buffer busy jbd2: remove __journal_try_to_free_buffer() jbd2: fix checkpoint cleanup performance regression Zhihao Cheng (1): jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint fs/jbd2/checkpoint.c | 147 ++++++++++++++++++------------------ fs/jbd2/transaction.c | 40 ++-------- include/linux/jbd2.h | 1 + include/trace/events/jbd2.h | 12 +-- 4 files changed, 87 insertions(+), 113 deletions(-) -- 2.31.1

2 6

[PATCH OLK-5.10] io_uring: hold uring mutex around poll removal
by Zhong Jinghua 05 Jul '23

05 Jul '23

From: Jens Axboe <axboe(a)kernel.dk> stable inclusion from stable-v5.10.185 commit 4716c73b188566865bdd79c3a6709696a224ac04 category: bugfix bugzilla: 188954, https://gitee.com/src-openeuler/kernel/issues/I5X879?from=project-issue CVE: CVE-2022-3238 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------- Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream. While reworking the poll hashing in the v6.0 kernel, we ended up grabbing the ctx->uring_lock in poll update/removal. This also fixed a bug with linked timeouts racing with timeout expiry and poll removal. Bring back just the locking fix for that. Reported-and-tested-by: Querijn Voet <querijnqyn(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> --- io_uring/io_uring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 67cb9d6ec4ac..f6af5ceb517e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -5811,6 +5811,8 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) struct io_kiocb *preq; int ret2, ret = 0; + io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + spin_lock(&ctx->completion_lock); preq = io_poll_find(ctx, req->poll_update.old_user_data, true); if (!preq || !io_poll_disarm(preq)) { @@ -5842,6 +5844,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) req_set_fail(req); /* complete update request, we're done with it */ io_req_complete(req, ret); + io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); return 0; } -- 2.31.1

2 1

[PATCH OLK-5.10] io_uring: hold uring mutex around poll removal
by Zhong Jinghua 05 Jul '23

05 Jul '23

From: Jens Axboe <axboe(a)kernel.dk> stable inclusion from stable-v5.10.185 commit 4716c73b188566865bdd79c3a6709696a224ac04 category: bugfix bugzilla: 188954, https://gitee.com/src-openeuler/kernel/issues/I5X879?from=project-issue CVE: CVE-2022-3238 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------- Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream. While reworking the poll hashing in the v6.0 kernel, we ended up grabbing the ctx->uring_lock in poll update/removal. This also fixed a bug with linked timeouts racing with timeout expiry and poll removal. Bring back just the locking fix for that. Reported-and-tested-by: Querijn Voet <querijnqyn(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> --- io_uring/io_uring.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 67cb9d6ec4ac..f6af5ceb517e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -5811,6 +5811,8 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) struct io_kiocb *preq; int ret2, ret = 0; + io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + spin_lock(&ctx->completion_lock); preq = io_poll_find(ctx, req->poll_update.old_user_data, true); if (!preq || !io_poll_disarm(preq)) { @@ -5842,6 +5844,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) req_set_fail(req); /* complete update request, we're done with it */ io_req_complete(req, ret); + io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); return 0; } -- 2.31.1

2 1

[PATCH openEuler-1.0-LTS 1/3] nbd: fold nbd config initialization into nbd_alloc_config()
by Yongqiang Liu 05 Jul '23

05 Jul '23

From: Yu Kuai <yukuai3(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7EENU CVE: NA ---------------------------------------- There are no functional changes, make the code cleaner and prepare to fix null-ptr-dereference while accessing 'nbd->config'. Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> conflict: drivers/block/nbd.c Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/block/nbd.c | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index c306e9ffdd08..602679ce390f 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1469,17 +1469,20 @@ static int nbd_ioctl(struct block_device *bdev, fmode_t mode, return error; } -static struct nbd_config *nbd_alloc_config(void) +static int nbd_alloc_and_init_config(struct nbd_device *nbd) { struct nbd_config *config; + if (WARN_ON(nbd->config)) + return -EINVAL; + if (!try_module_get(THIS_MODULE)) - return ERR_PTR(-ENODEV); + return -ENODEV; config = kzalloc(sizeof(struct nbd_config), GFP_NOFS); if (!config) { module_put(THIS_MODULE); - return ERR_PTR(-ENOMEM); + return -ENOMEM; } atomic_set(&config->recv_threads, 0); @@ -1487,7 +1490,10 @@ static struct nbd_config *nbd_alloc_config(void) init_waitqueue_head(&config->conn_wait); config->blksize = NBD_DEF_BLKSIZE; atomic_set(&config->live_connections, 0); - return config; + nbd->config = config; + refcount_set(&nbd->config_refs, 1); + + return 0; } static int nbd_open(struct block_device *bdev, fmode_t mode) @@ -1506,21 +1512,17 @@ static int nbd_open(struct block_device *bdev, fmode_t mode) goto out; } if (!refcount_inc_not_zero(&nbd->config_refs)) { - struct nbd_config *config; - mutex_lock(&nbd->config_lock); if (refcount_inc_not_zero(&nbd->config_refs)) { mutex_unlock(&nbd->config_lock); goto out; } - config = nbd_alloc_config(); - if (IS_ERR(config)) { - ret = PTR_ERR(config); + ret = nbd_alloc_and_init_config(nbd); + if (ret) { mutex_unlock(&nbd->config_lock); goto out; } - nbd->config = config; - refcount_set(&nbd->config_refs, 1); + refcount_inc(&nbd->refs); mutex_unlock(&nbd->config_lock); bdev->bd_invalidated = 1; @@ -1924,22 +1926,17 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) printk(KERN_ERR "nbd: nbd%d already in use\n", index); return -EBUSY; } - if (WARN_ON(nbd->config)) { - mutex_unlock(&nbd->config_lock); - nbd_put(nbd); - return -EINVAL; - } - config = nbd_alloc_config(); - if (IS_ERR(config)) { + + ret = nbd_alloc_and_init_config(nbd); + if (ret) { mutex_unlock(&nbd->config_lock); nbd_put(nbd); printk(KERN_ERR "nbd: couldn't allocate config\n"); - return PTR_ERR(config); + return ret; } - nbd->config = config; - refcount_set(&nbd->config_refs, 1); - set_bit(NBD_RT_BOUND, &config->runtime_flags); + config = nbd->config; + set_bit(NBD_RT_BOUND, &config->runtime_flags); if (info->attrs[NBD_ATTR_SIZE_BYTES]) { u64 bytes = nla_get_u64(info->attrs[NBD_ATTR_SIZE_BYTES]); ret = nbd_set_size(nbd, bytes, config->blksize); -- 2.25.1

1 2

[PATCH OLK-5.10 0/7] jbd2: fix several checkpoint inconsistent
by Zhihao Cheng 05 Jul '23

05 Jul '23

Zhang Yi (6): jbd2: recheck chechpointing non-dirty buffer jbd2: remove t_checkpoint_io_list jbd2: remove journal_clean_one_cp_list() jbd2: fix a race when checking checkpoint buffer busy jbd2: remove __journal_try_to_free_buffer() jbd2: fix checkpoint cleanup performance regression Zhihao Cheng (1): jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint fs/jbd2/checkpoint.c | 281 +++++++++++++----------------------- fs/jbd2/commit.c | 3 +- fs/jbd2/transaction.c | 40 +---- include/linux/jbd2.h | 1 + include/trace/events/jbd2.h | 12 +- 5 files changed, 114 insertions(+), 223 deletions(-) -- 2.31.1

1 7

[PATCH openEuler-1.0-LTS] ext4: Stop trying writing pages if no free blocks generated
by Zhihao Cheng 05 Jul '23

05 Jul '23

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CBCS CVE: NA -------------------------------- Folllowing steps could make ext4_wripages trap into a dead loop: 1. Consume free_clusters until free_clusters > 2 * sbi->s_resv_clusters, and free_clusters > EXT4_FREECLUSTERS_WATERMARK. // eg. free_clusters = 1422, sbi->s_resv_clusters = 512 // nr_cpus = 4, EXT4_FREECLUSTERS_WATERMARK = 512 2. umount && mount. // dirty_clusters = 0 3. Run free_clusters tasks concurrently to write different files, many tasks write(appendant) 4K data by da_write method. And each inode will consume one data block and one extent block in map_block. // There are (free_clusters - EXT4_FREECLUSTERS_WATERMARK = 910) // tasks choosing da_write method, left 512 tasks choose write_begin // method. If tasks which chooses da_write path run first. // dirty_clusters = 910, free_clusters = 1422 // Tasks which choose write_begin path will get ENOSPC: // free_clusters < (nclusters + dirty_clusters + resv_clusters) // 1422 < (1 + 910 + 512) 4. After certain number of map_block iterations in ext4_writepages. // free_clusters = 0, // dirty_clusters = 910 - (1422 / 2) = 199 5. Delete one 4K file. // free_clusters = 1 6. ext4_writepages traps into dead loop: mpage_map_and_submit_extent mpage_map_one_extent // ret = ENOSPC ext4_map_blocks -> ext4_ext_map_blocks -> ext4_mb_new_blocks -> ext4_claim_free_clusters: if (free_clusters >= (nclusters + dirty_clusters)) // false if (err == -ENOSPC && ext4_count_free_clusters(sb)) // true return err *give_up_on_write = true // won't be executed Fix it by terminating ext4_writepages if no free blocks generated. Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 4 +++- fs/ext4/inode.c | 2 +- fs/ext4/mballoc.c | 5 +++-- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 6df919b154b4..3165fc239036 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -656,6 +656,7 @@ enum { #define EXT4_FREE_BLOCKS_NO_QUOT_UPDATE 0x0008 #define EXT4_FREE_BLOCKS_NOFREE_FIRST_CLUSTER 0x0010 #define EXT4_FREE_BLOCKS_NOFREE_LAST_CLUSTER 0x0020 +#define EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL 0x0080 /* * ioctl commands diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 6edab0ef28fd..379d91d54d5e 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1328,7 +1328,8 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, if (!ablocks[i]) continue; ext4_free_blocks(handle, inode, NULL, ablocks[i], 1, - EXT4_FREE_BLOCKS_METADATA); + EXT4_FREE_BLOCKS_METADATA | + EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL); } } kfree(ablocks); @@ -4606,6 +4607,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, /* not a good idea to call discard here directly, * but otherwise we'd need to call it every free() */ ext4_discard_preallocations(inode); + fb_flags |= EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL; ext4_free_blocks(handle, inode, NULL, newblock, EXT4_C2B(sbi, allocated_clusters), fb_flags); goto out2; diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index c40f4442c5c3..e547abd0cdc4 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -2525,7 +2525,7 @@ static int mpage_map_and_submit_extent(handle_t *handle, * is non-zero, a commit should free up blocks. */ if ((err == -ENOMEM) || - (err == -ENOSPC && ext4_count_free_clusters(sb))) { + (err == -ENOSPC && EXT4_SB(sb)->s_mb_free_pending)) { if (progress) goto update_disksize; return err; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index a40990da0b62..84a3e09433ac 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -4921,8 +4921,9 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, * consistency guarantees. */ if (ext4_handle_valid(handle) && - ((flags & EXT4_FREE_BLOCKS_METADATA) || - !ext4_should_writeback_data(inode))) { + (((flags & EXT4_FREE_BLOCKS_METADATA) || + !ext4_should_writeback_data(inode)) && + !(flags & EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL))) { struct ext4_free_data *new_entry; /* * We use __GFP_NOFAIL because ext4_free_blocks() is not allowed -- 2.31.1

2 1

[PATCH OLK-5.10] ext4: Stop trying writing pages if no free blocks generated
by Zhihao Cheng 05 Jul '23

05 Jul '23

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7CBCS -------------------------------- Folllowing steps could make ext4_wripages trap into a dead loop: 1. Consume free_clusters until free_clusters > 2 * sbi->s_resv_clusters, and free_clusters > EXT4_FREECLUSTERS_WATERMARK. // eg. free_clusters = 1422, sbi->s_resv_clusters = 512 // nr_cpus = 4, EXT4_FREECLUSTERS_WATERMARK = 512 2. umount && mount. // dirty_clusters = 0 3. Run free_clusters tasks concurrently to write different files, many tasks write(appendant) 4K data by da_write method. And each inode will consume one data block and one extent block in map_block. // There are (free_clusters - EXT4_FREECLUSTERS_WATERMARK = 910) // tasks choosing da_write method, left 512 tasks choose write_begin // method. If tasks which chooses da_write path run first. // dirty_clusters = 910, free_clusters = 1422 // Tasks which choose write_begin path will get ENOSPC: // free_clusters < (nclusters + dirty_clusters + resv_clusters) // 1422 < (1 + 910 + 512) 4. After certain number of map_block iterations in ext4_writepages. // free_clusters = 0, // dirty_clusters = 910 - (1422 / 2) = 199 5. Delete one 4K file. // free_clusters = 1 6. ext4_writepages traps into dead loop: mpage_map_and_submit_extent mpage_map_one_extent // ret = ENOSPC ext4_map_blocks -> ext4_ext_map_blocks -> ext4_mb_new_blocks -> ext4_claim_free_clusters: if (free_clusters >= (nclusters + dirty_clusters)) // false if (err == -ENOSPC && ext4_count_free_clusters(sb)) // true return err *give_up_on_write = true // won't be executed Fix it by terminating ext4_writepages if no free blocks generated. Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 4 +++- fs/ext4/inode.c | 2 +- fs/ext4/mballoc.c | 5 +++-- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 5d5ae6f44510..48d02bea4984 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -700,6 +700,7 @@ enum { #define EXT4_FREE_BLOCKS_NOFREE_FIRST_CLUSTER 0x0010 #define EXT4_FREE_BLOCKS_NOFREE_LAST_CLUSTER 0x0020 #define EXT4_FREE_BLOCKS_RERESERVE_CLUSTER 0x0040 +#define EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL 0x0080 /* * ioctl commands diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index e42a78170109..b1eb4ea2c68a 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1294,7 +1294,8 @@ static int ext4_ext_split(handle_t *handle, struct inode *inode, if (!ablocks[i]) continue; ext4_free_blocks(handle, inode, NULL, ablocks[i], 1, - EXT4_FREE_BLOCKS_METADATA); + EXT4_FREE_BLOCKS_METADATA | + EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL); } } kfree(ablocks); @@ -4329,6 +4330,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, ext4_discard_preallocations(inode, 0); if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) fb_flags = EXT4_FREE_BLOCKS_NO_QUOT_UPDATE; + fb_flags |= EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL; ext4_free_blocks(handle, inode, NULL, newblock, EXT4_C2B(sbi, allocated_clusters), fb_flags); diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 44018d1da27e..ebb794fed3a7 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -2479,7 +2479,7 @@ static int mpage_map_and_submit_extent(handle_t *handle, * is non-zero, a commit should free up blocks. */ if ((err == -ENOMEM) || - (err == -ENOSPC && ext4_count_free_clusters(sb))) { + (err == -ENOSPC && EXT4_SB(sb)->s_mb_free_pending)) { if (progress) goto update_disksize; return err; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index fd8464aadf00..3870dff5f2e7 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -5498,8 +5498,9 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode, * consistency guarantees. */ if (ext4_handle_valid(handle) && - ((flags & EXT4_FREE_BLOCKS_METADATA) || - !ext4_should_writeback_data(inode))) { + (((flags & EXT4_FREE_BLOCKS_METADATA) || + !ext4_should_writeback_data(inode)) && + !(flags & EXT4_FREE_BLOCKS_DONT_WAIT_JOURNAL))) { struct ext4_free_data *new_entry; /* * We use __GFP_NOFAIL because ext4_free_blocks() is not allowed -- 2.31.1

2 1

[PATCH openEuler-22.03-LTS] ipv6: sr: fix out-of-bounds read when setting HMAC data.
by Ziyang Xuan 05 Jul '23

05 Jul '23

From: David Lebrun <dlebrun(a)google.com> stable inclusion from stable-v5.10.143 commit 076f2479fc5a15c4a970ca3b5e57d42ba09a31fa category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7ASU6 CVE: CVE-2023-2860 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35 ] The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET. Reported-by: Lucas Leong <wmliang.tw(a)gmail.com> Tested: verified that EINVAL is correctly returned when secretlen > len(secret) Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure") Signed-off-by: David Lebrun <dlebrun(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/ipv6/seg6.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index bff6bc75cfb7..45e3f1b552e0 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info) goto out_unlock; } + if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) { + err = -EINVAL; + goto out_unlock; + } + if (hinfo) { err = seg6_hmac_info_del(net, hmackeyid); if (err) -- 2.25.1

2 1

[PATCH OLK-5.10 0/5] quota: fix race condition between dqput() and dquot_mark_dquot_dirty()
by Baokun Li 05 Jul '23

05 Jul '23

Baokun Li (5): quota: factor out dquot_write_dquot() quota: rename dquot_active() to inode_quota_active() quota: add new helper dquot_active() quota: fix dqput() to follow the guarantees dquot_srcu should provide quota: simplify drop_dquot_ref() fs/quota/dquot.c | 244 ++++++++++++++++++++++++----------------------- 1 file changed, 125 insertions(+), 119 deletions(-) -- 2.31.1

2 6