Kernel

kernel@openeuler.org

[PATCH openEuler-1.0-LTS] sched/all: Change all BUG_ON() instances in the scheduler to WARN_ON_ONCE()
by Zhao Wenhui 21 May '24

From: Ingo Molnar <mingo(a)kernel.org> mainline inclusion from mainline-v6.1-rc1 commit 09348d75a6ce60eec85c86dd0ab7babc4db3caf6 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9QW75 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- There's no good reason to crash a user's system with a BUG_ON(), chances are high that they'll never even see the crash message on Xorg, and it won't make it into the syslog either. By using a WARN_ON_ONCE() we at least give the user a chance to report any bugs triggered here - instead of getting silent hangs. None of these WARN_ON_ONCE()s are supposed to trigger, ever - so we ignore cases where a NULL check is done via a BUG_ON() and we let a NULL pointer through after a WARN_ON_ONCE(). There's one exception: WARN_ON_ONCE() arguments with side-effects, such as locking - in this case we use the return value of the WARN_ON_ONCE(), such as in: - BUG_ON(!lock_task_sighand(p, &flags)); + if (WARN_ON_ONCE(!lock_task_sighand(p, &flags))) + return; Suggested-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Link: https://lore.kernel.org/r/YvSsKcAXISmshtHo@gmail.com Conflicts: kernel/sched/deadline.c kernel/sched/fair.c kernel/sched/core.c kernel/sched/sched.h [Some contexts around BUG_ON are different. No functional impact.] Signed-off-by: Zhao Wenhui <zhaowenhui8(a)huawei.com> --- kernel/sched/autogroup.c | 3 ++- kernel/sched/core.c | 2 +- kernel/sched/cpupri.c | 2 +- kernel/sched/deadline.c | 26 +++++++++++++------------- kernel/sched/fair.c | 10 +++++----- kernel/sched/rt.c | 2 +- kernel/sched/sched.h | 6 +++--- 7 files changed, 26 insertions(+), 25 deletions(-) diff --git a/kernel/sched/autogroup.c b/kernel/sched/autogroup.c index 640d4019deac..067f2e6d8546 100644 --- a/kernel/sched/autogroup.c +++ b/kernel/sched/autogroup.c 
@@ -139,7 +139,8 @@ autogroup_move_group(struct task_struct *p, struct autogroup *ag) struct task_struct *t; unsigned long flags; - BUG_ON(!lock_task_sighand(p, &flags)); + if (WARN_ON_ONCE(!lock_task_sighand(p, &flags))) + return; prev = p->signal->autogroup; if (prev == ag) { diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 7825ceaae0c4..fe9f91f39e2f 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -948,7 +948,7 @@ static struct rq *move_queued_task(struct rq *rq, struct rq_flags *rf, rq = cpu_rq(new_cpu); rq_lock(rq, rf); - BUG_ON(task_cpu(p) != new_cpu); + WARN_ON_ONCE(task_cpu(p) != new_cpu); enqueue_task(rq, p, 0); p->on_rq = TASK_ON_RQ_QUEUED; check_preempt_curr(rq, p, 0); diff --git a/kernel/sched/cpupri.c b/kernel/sched/cpupri.c index daaadf939ccb..324af8dcadc0 100644 --- a/kernel/sched/cpupri.c +++ b/kernel/sched/cpupri.c @@ -66,7 +66,7 @@ int cpupri_find(struct cpupri *cp, struct task_struct *p, int idx = 0; int task_pri = convert_prio(p->prio); - BUG_ON(task_pri >= CPUPRI_NR_PRIORITIES); + WARN_ON_ONCE(task_pri >= CPUPRI_NR_PRIORITIES); for (idx = 0; idx < task_pri; idx++) { struct cpupri_vec *vec = &cp->pri_to_cpu[idx]; diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c index 6c4f93af15db..43ecd27b37c8 100644 --- a/kernel/sched/deadline.c +++ b/kernel/sched/deadline.c @@ -157,7 +157,7 @@ void dl_change_utilization(struct task_struct *p, u64 new_bw) { struct rq *rq; - BUG_ON(p->dl.flags & SCHED_FLAG_SUGOV); + WARN_ON_ONCE(p->dl.flags & SCHED_FLAG_SUGOV); if (task_on_rq_queued(p)) return; @@ -450,7 +450,7 @@ static void enqueue_pushable_dl_task(struct rq *rq, struct task_struct *p) struct task_struct *entry; bool leftmost = true; - BUG_ON(!RB_EMPTY_NODE(&p->pushable_dl_tasks)); + WARN_ON_ONCE(!RB_EMPTY_NODE(&p->pushable_dl_tasks)); while (*link) { parent = *link; 
@@ -545,7 +545,7 @@ static struct rq *dl_task_offline_migration(struct rq *rq, struct task_struct *p * Failed to find any suitable CPU. * The task will never come back! */ - BUG_ON(dl_bandwidth_enabled()); + WARN_ON_ONCE(dl_bandwidth_enabled()); /* * If admission control is disabled we @@ -701,7 +701,7 @@ static void replenish_dl_entity(struct sched_dl_entity *dl_se, struct dl_rq *dl_rq = dl_rq_of_se(dl_se); struct rq *rq = rq_of_dl_rq(dl_rq); - BUG_ON(pi_se->dl_runtime <= 0); + WARN_ON_ONCE(pi_se->dl_runtime <= 0); /* * This could be the case for a !-dl task that is boosted. @@ -1407,7 +1407,7 @@ static void __enqueue_dl_entity(struct sched_dl_entity *dl_se) struct sched_dl_entity *entry; int leftmost = 1; - BUG_ON(!RB_EMPTY_NODE(&dl_se->rb_node)); + WARN_ON_ONCE(!RB_EMPTY_NODE(&dl_se->rb_node)); while (*link) { parent = *link; @@ -1443,7 +1443,7 @@ static void enqueue_dl_entity(struct sched_dl_entity *dl_se, struct sched_dl_entity *pi_se, int flags) { - BUG_ON(on_dl_rq(dl_se)); + WARN_ON_ONCE(on_dl_rq(dl_se)); /* * If this is a wakeup or a new instance, the scheduling @@ -1780,7 +1780,7 @@ pick_next_task_dl(struct rq *rq, struct task_struct *prev, struct rq_flags *rf) put_prev_task(rq, prev); dl_se = pick_next_dl_entity(rq, dl_rq); - BUG_ON(!dl_se); + WARN_ON_ONCE(!dl_se); p = dl_task_of(dl_se); p->se.exec_start = rq_clock_task(rq); @@ -1987,12 +1987,12 @@ static struct task_struct *pick_next_pushable_dl_task(struct rq *rq) p = rb_entry(rq->dl.pushable_dl_tasks_root.rb_leftmost, struct task_struct, pushable_dl_tasks); - BUG_ON(rq->cpu != task_cpu(p)); - BUG_ON(task_current(rq, p)); - BUG_ON(p->nr_cpus_allowed <= 1); + WARN_ON_ONCE(rq->cpu != task_cpu(p)); + WARN_ON_ONCE(task_current(rq, p)); + WARN_ON_ONCE(p->nr_cpus_allowed <= 1); - BUG_ON(!task_on_rq_queued(p)); - BUG_ON(!dl_task(p)); + WARN_ON_ONCE(!task_on_rq_queued(p)); + WARN_ON_ONCE(!dl_task(p)); return p; } 
@@ -2266,7 +2266,7 @@ static void set_cpus_allowed_dl(struct task_struct *p, struct root_domain *src_rd; struct rq *rq; - BUG_ON(!dl_task(p)); + WARN_ON_ONCE(!dl_task(p)); rq = task_rq(p); src_rd = rq->rd; diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 6d0ec315f7be..3bd5aa6dedb3 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -2411,7 +2411,7 @@ static void task_numa_group(struct task_struct *p, int cpupid, int flags, if (!join) return; - BUG_ON(irqs_disabled()); + WARN_ON_ONCE(irqs_disabled()); double_lock_irq(&my_grp->lock, &grp->lock); for (i = 0; i < NR_NUMA_HINT_FAULT_STATS * nr_node_ids; i++) { @@ -7595,7 +7595,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_ find_matching_se(&se, &pse); update_curr(cfs_rq_of(se)); - BUG_ON(!pse); + WARN_ON_ONCE(!pse); if (wakeup_preempt_entity(se, pse) == 1) { /* * Bias pick_next to pick the sched entity that is @@ -8608,7 +8608,7 @@ static void attach_task(struct rq *rq, struct task_struct *p) { lockdep_assert_held(&rq->lock); - BUG_ON(task_rq(p) != rq); + WARN_ON_ONCE(task_rq(p) != rq); activate_task(rq, p, ENQUEUE_NOCLOCK); p->on_rq = TASK_ON_RQ_QUEUED; check_preempt_curr(rq, p, 0); @@ -9916,7 +9916,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, goto out_balanced; } - BUG_ON(busiest == env.dst_rq); + WARN_ON_ONCE(busiest == env.dst_rq); schedstat_add(sd->lb_imbalance[idle], env.imbalance); @@ -10212,7 +10212,7 @@ static int active_load_balance_cpu_stop(void *data) * we need to fix it. Originally reported by * Bjorn Helgaas on a 128-CPU setup. */ - BUG_ON(busiest_rq == target_rq); + WARN_ON_ONCE(busiest_rq == target_rq); /* Search for an sd spanning us and the target CPU. */ rcu_read_lock(); diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c index ad893ec818cd..58364f489529 100644 --- a/kernel/sched/rt.c +++ b/kernel/sched/rt.c 
@@ -758,7 +758,7 @@ static void __disable_runtime(struct rq *rq) * We cannot be left wanting - that would mean some runtime * leaked out of the system. */ - BUG_ON(want); + WARN_ON_ONCE(want); balanced: /* * Disable all the borrow logic by pretending we have inf diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h index 1d882a2b8d5f..4dd0e4de0aab 100644 --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -2146,8 +2146,8 @@ static inline void double_rq_lock(struct rq *rq1, struct rq *rq2) __acquires(rq1->lock) __acquires(rq2->lock) { - BUG_ON(!irqs_disabled()); - BUG_ON(rq1 != rq2); + WARN_ON_ONCE(!irqs_disabled()); + WARN_ON_ONCE(rq1 != rq2); raw_spin_lock(&rq1->lock); __acquire(rq2->lock); /* Fake it out ;) */ } @@ -2162,7 +2162,7 @@ static inline void double_rq_unlock(struct rq *rq1, struct rq *rq2) __releases(rq1->lock) __releases(rq2->lock) { - BUG_ON(rq1 != rq2); + WARN_ON_ONCE(rq1 != rq2); raw_spin_unlock(&rq1->lock); __release(rq2->lock); } -- 2.34.1
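Review bot: In the kernel/sched/cpupri.c hunk, cpupri_find() now continues after WARN_ON_ONCE(task_pri >= CPUPRI_NR_PRIORITIES), and the loop that follows indexes cp->pri_to_cpu[idx] for every idx below task_pri, so the bound the assertion was guarding is no longer enforced before the array access. The changelog accepts letting a NULL pointer through after a warning, but this is an index bound rather than a NULL check; consider using the return value as was done for lock_task_sighand(), i.e. `if (WARN_ON_ONCE(task_pri >= CPUPRI_NR_PRIORITIES))` followed by an early return. The same pattern is worth a second look in pick_next_task_dl() in deadline.c, where a NULL dl_se is passed to dl_task_of() and p->se.exec_start is written on the next line.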
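Review bot: In the kernel/sched/sched.h hunks, double_rq_lock() and double_rq_unlock() take or release only rq1->lock and merely annotate rq2->lock ("Fake it out"), so once `WARN_ON_ONCE(rq1 != rq2)` is non-fatal a mismatched pair carries on with rq2 never actually locked. A one-line comment next to the warning saying that the caller then runs without the second lock would help whoever has to triage the report.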
[PATCH OLK-5.10] bpf: Guard stack limits against 32bit overflow
by Pu Lehui 21 May '24

From: Andrei Matei <andreimatei1(a)gmail.com> mainline inclusion from mainline-v6.8-rc1 commit 1d38a9ee81570c4bd61f557832dead4d6f816760 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9EW CVE: CVE-2023-52676 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235f… [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235f… Reported-by: Andrii Nakryiko <andrii.nakryiko(a)gmail.com> Signed-off-by: Andrei Matei <andreimatei1(a)gmail.com> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Acked-by: Andrii Nakryiko <andrii(a)kernel.org> Link: https://lore.kernel.org/bpf/20231207041150.229139-4-andreimatei1@gmail.com Conflicts: kernel/bpf/verifier.c [The conflict is because some modifications were merged by the commit 8463d83a25f00 ("bpf: Fix accesses to uninit stack slots")] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/verifier.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index b45dbd8b6348..34292a48e59c 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -3917,7 +3917,7 @@ static int check_stack_access_within_bounds( struct bpf_reg_state *regs = cur_regs(env); struct bpf_reg_state *reg = regs + regno; struct bpf_func_state *state = func(env, reg); - int min_off, max_off; + s64 min_off, max_off; int err; char *err_extra; @@ -3930,7 +3930,7 @@ static int check_stack_access_within_bounds( err_extra = " write to"; if (tnum_is_const(reg->var_off)) { - min_off = reg->var_off.value + off; + min_off = (s64)reg->var_off.value + off; max_off = min_off + access_size; } else { if (reg->smax_value >= BPF_MAX_VAR_OFF || -- 2.34.1
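Review bot: In check_stack_access_within_bounds(), only the declaration and the constant-offset assignment change, so the widening helps only as long as min_off and max_off stay 64-bit for the rest of the function. Since this backport differs from mainline because of 8463d83a25f00, please confirm that no later use outside the visible context passes min_off or max_off to a parameter declared int, or prints them with %d, because either would truncate the value again or mismatch the format. It would also be worth stating in the conflict note whether the non-constant branch needed any change on this branch.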
[PATCH OLK-5.10] net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()
by Zhengchao Shao 21 May '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.215 commit bc4d1ebca11b4f194e262326bd45938e857c59d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGJZ CVE: CVE-2024-35934 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 00af2aa93b76b1bade471ad0d0525d4d29ca5cc0 ] Many syzbot reports show extreme rtnl pressure, and many of them hint that smc acquires rtnl in netns creation for no good reason [1] This patch returns early from smc_pnet_net_init() if there is no netdevice yet. I am not even sure why smc_pnet_create_pnetids_list() even exists, because smc_pnet_netdev_event() is also calling smc_pnet_add_base_pnetid() when handling NETDEV_UP event. [1] extract of typical syzbot reports 2 locks held by syz-executor.3/12252: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12253: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12257: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12261: #0: ffffffff8f369610 
(pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.0/12265: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.3/12268: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.4/12271: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.1/12274: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 2 locks held by syz-executor.2/12280: #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491 #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list 
net/smc/smc_pnet.c:809 [inline] #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878 Signed-off-by: Eric Dumazet <edumazet(a)google.com> Cc: Wenjia Zhang <wenjia(a)linux.ibm.com> Cc: Jan Karcher <jaka(a)linux.ibm.com> Cc: "D. Wythe" <alibuda(a)linux.alibaba.com> Cc: Tony Lu <tonylu(a)linux.alibaba.com> Cc: Wen Gu <guwen(a)linux.alibaba.com> Reviewed-by: Wenjia Zhang <wenjia(a)linux.ibm.com> Link: https://lore.kernel.org/r/20240302100744.3868021-1-edumazet@google.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/smc/smc_pnet.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c index eb0971a1797a..bf8c662a6116 100644 --- a/net/smc/smc_pnet.c +++ b/net/smc/smc_pnet.c @@ -797,6 +797,16 @@ static void smc_pnet_create_pnetids_list(struct net *net) u8 ndev_pnetid[SMC_MAX_PNETID_LEN]; struct net_device *dev; + /* Newly created netns do not have devices. + * Do not even acquire rtnl. + */ + if (list_empty(&net->dev_base_head)) + return; + + /* Note: This might not be needed, because smc_pnet_netdev_event() + * is also calling smc_pnet_add_base_pnetid() when handling + * NETDEV_UP event. + */ rtnl_lock(); for_each_netdev(net, dev) smc_pnet_add_base_pnetid(net, dev, ndev_pnetid); -- 2.34.1
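Review bot: In smc_pnet_create_pnetids_list(), list_empty(&net->dev_base_head) is evaluated before rtnl_lock(), so the early return rests on an unlocked read of the device list, and the first comment does not say why that is acceptable. The reason appears to be the one given in the second comment (smc_pnet_netdev_event() calls smc_pnet_add_base_pnetid() on NETDEV_UP, so a device registered later is still picked up), but that comment sits directly above rtnl_lock() and reads as if it described the lock. Consider merging the two comments above the list_empty() check so the justification is next to the lockless test.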
[PATCH openEuler-22.03-LTS] btrfs: send: handle path ref underflow in header iterate_inode_ref()
by Wang Zhaolong 21 May '24

From: David Sterba <dsterba(a)suse.com> mainline inclusion from mainline-v6.9-rc1 commit 3c6ee34c6f9cd12802326da26631232a61743501 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK CVE: CVE-2024-35935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses. Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/btrfs/send.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 6b80dee17f49..23981c31c35f 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -966,7 +966,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, ret = PTR_ERR(start); goto out; } - BUG_ON(start < p->buf); + if (unlikely(start < p->buf)) { + btrfs_err(root->fs_info, + "send: path ref buffer underflow for key (%llu %u %llu)", + found_key->objectid, + found_key->type, + found_key->offset); + ret = -EINVAL; + goto out; + } } p->start = start; } else { -- 2.34.3
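Review bot: In iterate_inode_ref(), the new btrfs_err() reports the key (objectid, type, offset) but nothing that identifies which root is being sent, although root is in scope and already used for root->fs_info. Including the root's id in the message would make the resulting -EINVAL traceable on a filesystem with many subvolumes. The error path itself (`ret = -EINVAL; goto out;`) matches the PTR_ERR(start) handling just above it, and leaving the start and p->buf pointers out of the message is consistent with the changelog's point about not leaking kernel addresses.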
[PATCH openEuler-22.03-LTS-SP1] btrfs: send: handle path ref underflow in header iterate_inode_ref()
by Wang Zhaolong 21 May '24

From: David Sterba <dsterba(a)suse.com> mainline inclusion from mainline-v6.9-rc1 commit 3c6ee34c6f9cd12802326da26631232a61743501 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK CVE: CVE-2024-35935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses. Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/btrfs/send.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 6b80dee17f49..23981c31c35f 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -966,7 +966,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, ret = PTR_ERR(start); goto out; } - BUG_ON(start < p->buf); + if (unlikely(start < p->buf)) { + btrfs_err(root->fs_info, + "send: path ref buffer underflow for key (%llu %u %llu)", + found_key->objectid, + found_key->type, + found_key->offset); + ret = -EINVAL; + goto out; + } } p->start = start; } else { -- 2.34.3
[PATCH openEuler-22.03-LTS-SP2] btrfs: send: handle path ref underflow in header iterate_inode_ref()
by Wang Zhaolong 21 May '24

From: David Sterba <dsterba(a)suse.com> mainline inclusion from mainline-v6.9-rc1 commit 3c6ee34c6f9cd12802326da26631232a61743501 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK CVE: CVE-2024-35935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses. Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/btrfs/send.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index b081b61e97c8..9f28d235f611 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -966,7 +966,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, ret = PTR_ERR(start); goto out; } - BUG_ON(start < p->buf); + if (unlikely(start < p->buf)) { + btrfs_err(root->fs_info, + "send: path ref buffer underflow for key (%llu %u %llu)", + found_key->objectid, + found_key->type, + found_key->offset); + ret = -EINVAL; + goto out; + } } p->start = start; } else { -- 2.34.3
[PATCH OLK-5.10] btrfs: send: handle path ref underflow in header iterate_inode_ref()
by Wang Zhaolong 21 May '24

From: David Sterba <dsterba(a)suse.com> mainline inclusion from mainline-v6.9-rc1 commit 3c6ee34c6f9cd12802326da26631232a61743501 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK CVE: CVE-2024-35935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses. Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/btrfs/send.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 4e7bf22a8c36..6e5a1ca3c1c2 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -966,7 +966,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, ret = PTR_ERR(start); goto out; } - BUG_ON(start < p->buf); + if (unlikely(start < p->buf)) { + btrfs_err(root->fs_info, + "send: path ref buffer underflow for key (%llu %u %llu)", + found_key->objectid, + found_key->type, + found_key->offset); + ret = -EINVAL; + goto out; + } } p->start = start; } else { -- 2.34.3
[PATCH openEuler-1.0-LTS] btrfs: send: handle path ref underflow in header iterate_inode_ref()
by Wang Zhaolong 21 May '24

From: David Sterba <dsterba(a)suse.com> mainline inclusion from mainline-v6.9-rc1 commit 3c6ee34c6f9cd12802326da26631232a61743501 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGIK CVE: CVE-2024-35935 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Change BUG_ON to proper error handling if building the path buffer fails. The pointers are not printed so we don't accidentally leak kernel addresses. Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/btrfs/send.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 606c90457ca3..c62e59a4065f 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -956,7 +956,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path, ret = PTR_ERR(start); goto out; } - BUG_ON(start < p->buf); + if (unlikely(start < p->buf)) { + btrfs_err(root->fs_info, + "send: path ref buffer underflow for key (%llu %u %llu)", + found_key->objectid, + found_key->type, + found_key->offset); + ret = -EINVAL; + goto out; + } } p->start = start; } else { -- 2.34.3
[PATCH openEuler-22.03-LTS-SP1] powerpc/imc-pmu: Add a null pointer check in update_events_in_group()
by Luo Gengkun 21 May '24

From: Kunwu Chan <chentao(a)kylinos.cn> mainline inclusion from mainline-v6.8-rc1 commit 0a233867a39078ebb0f575e2948593bbff5826b3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9J4 CVE: CVE-2023-52675 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: 885dcd709ba9 ("powerpc/perf: Add nest IMC PMU support") Signed-off-by: Kunwu Chan <chentao(a)kylinos.cn> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20231126093719.1440305-1-chentao@kylinos.cn Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- arch/powerpc/perf/imc-pmu.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/powerpc/perf/imc-pmu.c b/arch/powerpc/perf/imc-pmu.c index e8074d7f2401..ac28952cdf87 100644 --- a/arch/powerpc/perf/imc-pmu.c +++ b/arch/powerpc/perf/imc-pmu.c @@ -291,6 +291,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) attr_group->attrs = attrs; do { ev_val_str = kasprintf(GFP_KERNEL, "event=0x%x", pmu->events[i].value); + if (!ev_val_str) + continue; dev_str = device_str_attr_create(pmu->events[i].name, ev_val_str); if (!dev_str) continue; @@ -298,6 +300,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) attrs[j++] = dev_str; if (pmu->events[i].scale) { ev_scale_str = kasprintf(GFP_KERNEL, "%s.scale", pmu->events[i].name); + if (!ev_scale_str) + continue; dev_str = device_str_attr_create(ev_scale_str, pmu->events[i].scale); if (!dev_str) continue; @@ -307,6 +311,8 @@ static int update_events_in_group(struct device_node *node, struct imc_pmu *pmu) if (pmu->events[i].unit) { ev_unit_str = kasprintf(GFP_KERNEL, "%s.unit", pmu->events[i].name); + if (!ev_unit_str) + continue; dev_str = device_str_attr_create(ev_unit_str, pmu->events[i].unit); if (!dev_str) continue; -- 2.34.1
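Review bot: In update_events_in_group(), the `continue` after a failed kasprintf() for ev_scale_str abandons the rest of the iteration, so the event's value attribute is already stored in attrs[] while its .unit attribute is never attempted, and nothing is logged. Please decide whether a partial attribute set is the intended outcome of an allocation failure or whether the function, which returns int, should fail with an error instead. Separately, in the visible lines the existing `if (!dev_str) continue;` paths do not free the string that kasprintf() just allocated, which is worth checking while this loop is being touched.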
[openeuler:openEuler-1.0-LTS 13138/22448] kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed'
by kernel test robot 21 May '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 37e0a494c2c8c6f0570068ab47a3e8319dbac30b commit: 7e2ab91ea07673f855f16b54b7c6e6853b2efc1c [13138/22448] livepatch/x86: support livepatch without ftrace config: x86_64-randconfig-073-20240521 (https://download.01.org/0day-ci/archive/20240521/202405211203.buT47nPT-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240521/202405211203.buT47nPT-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202405211203.buT47nPT-lkp@intel.com/ All warnings (new ones prefixed by >>): >> kernel/livepatch/core.c:75:16: warning: no previous prototype for function 'klp_check_patch_kprobed' [-Wmissing-prototypes] 75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) | ^ kernel/livepatch/core.c:75:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 75 | struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) | ^ | static kernel/livepatch/core.c:402:5: warning: no previous prototype for function 'klp_try_disable_patch' [-Wmissing-prototypes] 402 | int klp_try_disable_patch(void *data) | ^ kernel/livepatch/core.c:402:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 402 | int klp_try_disable_patch(void *data) | ^ | static kernel/livepatch/core.c:441:13: warning: no previous prototype for function 'arch_klp_code_modify_prepare' [-Wmissing-prototypes] 441 | void __weak arch_klp_code_modify_prepare(void) | ^ kernel/livepatch/core.c:441:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 441 | void __weak 
arch_klp_code_modify_prepare(void) | ^ | static kernel/livepatch/core.c:445:13: warning: no previous prototype for function 'arch_klp_code_modify_post_process' [-Wmissing-prototypes] 445 | void __weak arch_klp_code_modify_post_process(void) | ^ kernel/livepatch/core.c:445:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 445 | void __weak arch_klp_code_modify_post_process(void) | ^ | static kernel/livepatch/core.c:617:5: warning: no previous prototype for function 'klp_try_enable_patch' [-Wmissing-prototypes] 617 | int klp_try_enable_patch(void *data) | ^ kernel/livepatch/core.c:617:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 617 | int klp_try_enable_patch(void *data) | ^ | static kernel/livepatch/core.c:1013:12: warning: no previous prototype for function 'arch_klp_func_can_patch' [-Wmissing-prototypes] 1013 | int __weak arch_klp_func_can_patch(struct klp_func *func) | ^ kernel/livepatch/core.c:1013:1: note: declare 'static' if the function is not intended to be used outside of this translation unit 1013 | int __weak arch_klp_func_can_patch(struct klp_func *func) | ^ | static 6 warnings generated. vim +/klp_check_patch_kprobed +75 kernel/livepatch/core.c 7e8d223e3ef865 Cheng Jian 2019-01-28 69 c8f9d7a3aae362 Cheng Jian 2019-01-28 70 #ifdef CONFIG_LIVEPATCH_RESTRICT_KPROBE c8f9d7a3aae362 Cheng Jian 2019-01-28 71 /* c8f9d7a3aae362 Cheng Jian 2019-01-28 72 * Check whether a function has been registered with kprobes before patched. c8f9d7a3aae362 Cheng Jian 2019-01-28 73 * We can't patched this function util we unregisted the kprobes. 
c8f9d7a3aae362 Cheng Jian 2019-01-28 74 */ c8f9d7a3aae362 Cheng Jian 2019-01-28 @75 struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) c8f9d7a3aae362 Cheng Jian 2019-01-28 76 { c8f9d7a3aae362 Cheng Jian 2019-01-28 77 struct klp_object *obj; c8f9d7a3aae362 Cheng Jian 2019-01-28 78 struct klp_func *func; c8f9d7a3aae362 Cheng Jian 2019-01-28 79 struct kprobe *kp; c8f9d7a3aae362 Cheng Jian 2019-01-28 80 int i; c8f9d7a3aae362 Cheng Jian 2019-01-28 81 c8f9d7a3aae362 Cheng Jian 2019-01-28 82 klp_for_each_object(patch, obj) { c8f9d7a3aae362 Cheng Jian 2019-01-28 83 klp_for_each_func(obj, func) { c8f9d7a3aae362 Cheng Jian 2019-01-28 84 for (i = 0; i < func->old_size; i++) { c8f9d7a3aae362 Cheng Jian 2019-01-28 85 kp = get_kprobe((void *)func->old_addr + i); c8f9d7a3aae362 Cheng Jian 2019-01-28 86 if (kp) { c8f9d7a3aae362 Cheng Jian 2019-01-28 87 pr_err("func %s has been probed, (un)patch failed\n", c8f9d7a3aae362 Cheng Jian 2019-01-28 88 func->old_name); c8f9d7a3aae362 Cheng Jian 2019-01-28 89 return kp; c8f9d7a3aae362 Cheng Jian 2019-01-28 90 } c8f9d7a3aae362 Cheng Jian 2019-01-28 91 } c8f9d7a3aae362 Cheng Jian 2019-01-28 92 } c8f9d7a3aae362 Cheng Jian 2019-01-28 93 } c8f9d7a3aae362 Cheng Jian 2019-01-28 94 c8f9d7a3aae362 Cheng Jian 2019-01-28 95 return NULL; c8f9d7a3aae362 Cheng Jian 2019-01-28 96 } c8f9d7a3aae362 Cheng Jian 2019-01-28 97 #else c8f9d7a3aae362 Cheng Jian 2019-01-28 98 static inline struct kprobe *klp_check_patch_kprobed(struct klp_patch *patch) c8f9d7a3aae362 Cheng Jian 2019-01-28 99 { c8f9d7a3aae362 Cheng Jian 2019-01-28 100 return NULL; c8f9d7a3aae362 Cheng Jian 2019-01-28 101 } c8f9d7a3aae362 Cheng Jian 2019-01-28 102 #endif /* CONFIG_LIVEPATCH_RESTRICT_KPROBE */ c8f9d7a3aae362 Cheng Jian 2019-01-28 103 :::::: The code at line 75 was first introduced by commit :::::: c8f9d7a3aae362482f81ba7c6819d410d66619ab livepatch/core: Restrict livepatch patched/unpatched when plant kprobe :::::: TO: Cheng Jian <cj.chengjian(a)huawei.com> :::::: CC: Xie 
XiuQi <xiexiuqi(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki