- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 0/3] jfs: fix two cve issue
by Long Li 15 Mar '24

15 Mar '24

This patch set fix two cve issue. Dongliang Mu (1): JFS: fix memleak in jfs_mount Edward Adam Davis (2): jfs: fix uaf in jfs_evict_inode jfs: fix array-index-out-of-bounds in diNewExt fs/jfs/jfs_imap.c | 3 +++ fs/jfs/jfs_mount.c | 57 ++++++++++++++++++++-------------------------- 2 files changed, 28 insertions(+), 32 deletions(-) -- 2.31.1

2 4

[PATCH openEuler-1.0-LTS] ceph: fix deadlock or deadcode of misusing dget()
by Yifan Qiao 15 Mar '24

15 Mar '24

From: Xiubo Li <xiubli(a)redhat.com> mainline inclusion from mainline-v6.8-rc1 commit b493ad718b1f0357394d2cdecbf00a44a36fa085 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G92 CVE: CVE-2023-52583 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ceph/caps.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 4c0b220e20ba..1cc433de4200 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -4174,12 +4174,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, struct inode *dir, int mds, int drop, int unless) { - struct dentry *parent = NULL; struct ceph_mds_request_release *rel = *p; struct ceph_dentry_info *di = ceph_dentry(dentry); int force = 0; int ret; + /* This shouldn't happen */ + BUG_ON(!dir); + /* * force an record for the directory caps if we have a dentry lease. * this is racy (can't take i_ceph_lock and d_lock together), but it @@ -4189,14 +4191,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, spin_lock(&dentry->d_lock); if (di->lease_session && di->lease_session->s_mds == mds) force = 1; - if (!dir) { - parent = dget(dentry->d_parent); - dir = d_inode(parent); - } spin_unlock(&dentry->d_lock); ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); - dput(parent); spin_lock(&dentry->d_lock); if (ret && di->lease_session && di->lease_session->s_mds == mds) { -- 2.39.2

2 1

[PATCH OLK-5.10] ceph: fix deadlock or deadcode of misusing dget()
by Yifan Qiao 15 Mar '24

15 Mar '24

From: Xiubo Li <xiubli(a)redhat.com> mainline inclusion from mainline-v6.8-rc1 commit b493ad718b1f0357394d2cdecbf00a44a36fa085 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G92 CVE: CVE-2023-52583 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ceph/caps.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 4c0b220e20ba..1cc433de4200 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -4174,12 +4174,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, struct inode *dir, int mds, int drop, int unless) { - struct dentry *parent = NULL; struct ceph_mds_request_release *rel = *p; struct ceph_dentry_info *di = ceph_dentry(dentry); int force = 0; int ret; + /* This shouldn't happen */ + BUG_ON(!dir); + /* * force an record for the directory caps if we have a dentry lease. * this is racy (can't take i_ceph_lock and d_lock together), but it @@ -4189,14 +4191,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, spin_lock(&dentry->d_lock); if (di->lease_session && di->lease_session->s_mds == mds) force = 1; - if (!dir) { - parent = dget(dentry->d_parent); - dir = d_inode(parent); - } spin_unlock(&dentry->d_lock); ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); - dput(parent); spin_lock(&dentry->d_lock); if (ret && di->lease_session && di->lease_session->s_mds == mds) { -- 2.39.2

2 1

[PATCH OLK-6.6] ceph: fix deadlock or deadcode of misusing dget()
by Yifan Qiao 15 Mar '24

15 Mar '24

From: Xiubo Li <xiubli(a)redhat.com> mainline inclusion from mainline-v6.8-rc1 commit b493ad718b1f0357394d2cdecbf00a44a36fa085 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G92 CVE: CVE-2023-52583 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ceph/caps.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 4c0b220e20ba..1cc433de4200 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -4174,12 +4174,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, struct inode *dir, int mds, int drop, int unless) { - struct dentry *parent = NULL; struct ceph_mds_request_release *rel = *p; struct ceph_dentry_info *di = ceph_dentry(dentry); int force = 0; int ret; + /* This shouldn't happen */ + BUG_ON(!dir); + /* * force an record for the directory caps if we have a dentry lease. * this is racy (can't take i_ceph_lock and d_lock together), but it @@ -4189,14 +4191,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, spin_lock(&dentry->d_lock); if (di->lease_session && di->lease_session->s_mds == mds) force = 1; - if (!dir) { - parent = dget(dentry->d_parent); - dir = d_inode(parent); - } spin_unlock(&dentry->d_lock); ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); - dput(parent); spin_lock(&dentry->d_lock); if (ret && di->lease_session && di->lease_session->s_mds == mds) { -- 2.39.2

2 1

[PATCH OLK-5.10 0/2] Revert two stable patches to keep binary compatible
by Jialin Zhang 15 Mar '24

15 Mar '24

Jialin Zhang (2): Revert "media: dvb: symbol fixup for dvb_attach()" Revert "modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules" drivers/media/dvb-frontends/ascot2e.c | 2 +- drivers/media/dvb-frontends/atbm8830.c | 2 +- drivers/media/dvb-frontends/au8522_dig.c | 2 +- drivers/media/dvb-frontends/bcm3510.c | 2 +- drivers/media/dvb-frontends/cx22700.c | 2 +- drivers/media/dvb-frontends/cx22702.c | 2 +- drivers/media/dvb-frontends/cx24110.c | 2 +- drivers/media/dvb-frontends/cx24113.c | 2 +- drivers/media/dvb-frontends/cx24116.c | 2 +- drivers/media/dvb-frontends/cx24120.c | 2 +- drivers/media/dvb-frontends/cx24123.c | 2 +- drivers/media/dvb-frontends/cxd2820r_core.c | 2 +- drivers/media/dvb-frontends/cxd2841er.c | 4 ++-- drivers/media/dvb-frontends/cxd2880/cxd2880_top.c | 2 +- drivers/media/dvb-frontends/dib0070.c | 2 +- drivers/media/dvb-frontends/dib0090.c | 4 ++-- drivers/media/dvb-frontends/dib3000mb.c | 2 +- drivers/media/dvb-frontends/dib3000mc.c | 2 +- drivers/media/dvb-frontends/dib7000m.c | 2 +- drivers/media/dvb-frontends/dib7000p.c | 2 +- drivers/media/dvb-frontends/dib8000.c | 2 +- drivers/media/dvb-frontends/dib9000.c | 2 +- drivers/media/dvb-frontends/drx39xyj/drxj.c | 2 +- drivers/media/dvb-frontends/drxd_hard.c | 2 +- drivers/media/dvb-frontends/drxk_hard.c | 2 +- drivers/media/dvb-frontends/ds3000.c | 2 +- drivers/media/dvb-frontends/dvb-pll.c | 2 +- drivers/media/dvb-frontends/ec100.c | 2 +- drivers/media/dvb-frontends/helene.c | 4 ++-- drivers/media/dvb-frontends/horus3a.c | 2 +- drivers/media/dvb-frontends/isl6405.c | 2 +- drivers/media/dvb-frontends/isl6421.c | 2 +- drivers/media/dvb-frontends/isl6423.c | 2 +- drivers/media/dvb-frontends/itd1000.c | 2 +- drivers/media/dvb-frontends/ix2505v.c | 2 +- drivers/media/dvb-frontends/l64781.c | 2 +- drivers/media/dvb-frontends/lg2160.c | 2 +- drivers/media/dvb-frontends/lgdt3305.c | 2 +- drivers/media/dvb-frontends/lgdt3306a.c | 2 +- drivers/media/dvb-frontends/lgdt330x.c | 2 +- drivers/media/dvb-frontends/lgs8gxx.c | 2 +- drivers/media/dvb-frontends/lnbh25.c | 2 +- drivers/media/dvb-frontends/lnbp21.c | 4 ++-- drivers/media/dvb-frontends/lnbp22.c | 2 +- drivers/media/dvb-frontends/m88ds3103.c | 2 +- drivers/media/dvb-frontends/m88rs2000.c | 2 +- drivers/media/dvb-frontends/mb86a16.c | 2 +- drivers/media/dvb-frontends/mb86a20s.c | 2 +- drivers/media/dvb-frontends/mt312.c | 2 +- drivers/media/dvb-frontends/mt352.c | 2 +- drivers/media/dvb-frontends/nxt200x.c | 2 +- drivers/media/dvb-frontends/nxt6000.c | 2 +- drivers/media/dvb-frontends/or51132.c | 2 +- drivers/media/dvb-frontends/or51211.c | 2 +- drivers/media/dvb-frontends/s5h1409.c | 2 +- drivers/media/dvb-frontends/s5h1411.c | 2 +- drivers/media/dvb-frontends/s5h1420.c | 2 +- drivers/media/dvb-frontends/s5h1432.c | 2 +- drivers/media/dvb-frontends/s921.c | 2 +- drivers/media/dvb-frontends/si21xx.c | 2 +- drivers/media/dvb-frontends/sp887x.c | 2 +- drivers/media/dvb-frontends/stb0899_drv.c | 2 +- drivers/media/dvb-frontends/stb6000.c | 2 +- drivers/media/dvb-frontends/stb6100.c | 2 +- drivers/media/dvb-frontends/stv0288.c | 2 +- drivers/media/dvb-frontends/stv0297.c | 2 +- drivers/media/dvb-frontends/stv0299.c | 2 +- drivers/media/dvb-frontends/stv0367.c | 6 +++--- drivers/media/dvb-frontends/stv0900_core.c | 2 +- drivers/media/dvb-frontends/stv090x.c | 2 +- drivers/media/dvb-frontends/stv6110.c | 2 +- drivers/media/dvb-frontends/stv6110x.c | 2 +- drivers/media/dvb-frontends/tda10021.c | 2 +- drivers/media/dvb-frontends/tda10023.c | 2 +- drivers/media/dvb-frontends/tda10048.c | 2 +- drivers/media/dvb-frontends/tda1004x.c | 4 ++-- drivers/media/dvb-frontends/tda10086.c | 2 +- drivers/media/dvb-frontends/tda665x.c | 2 +- drivers/media/dvb-frontends/tda8083.c | 2 +- drivers/media/dvb-frontends/tda8261.c | 2 +- drivers/media/dvb-frontends/tda826x.c | 2 +- drivers/media/dvb-frontends/ts2020.c | 2 +- drivers/media/dvb-frontends/tua6100.c | 2 +- drivers/media/dvb-frontends/ves1820.c | 2 +- drivers/media/dvb-frontends/ves1x93.c | 2 +- drivers/media/dvb-frontends/zl10036.c | 2 +- drivers/media/dvb-frontends/zl10039.c | 2 +- drivers/media/dvb-frontends/zl10353.c | 2 +- drivers/media/pci/bt8xx/dst.c | 2 +- drivers/media/pci/bt8xx/dst_ca.c | 2 +- drivers/media/pci/ddbridge/ddbridge-dummy-fe.c | 2 +- drivers/media/tuners/fc0011.c | 2 +- drivers/media/tuners/fc0012.c | 2 +- drivers/media/tuners/fc0013.c | 2 +- drivers/media/tuners/max2165.c | 2 +- drivers/media/tuners/mc44s803.c | 2 +- drivers/media/tuners/mt2060.c | 2 +- drivers/media/tuners/mt2131.c | 2 +- drivers/media/tuners/mt2266.c | 2 +- drivers/media/tuners/mxl5005s.c | 2 +- drivers/media/tuners/qt1010.c | 2 +- drivers/media/tuners/tda18218.c | 2 +- drivers/media/tuners/xc4000.c | 2 +- drivers/media/tuners/xc5000.c | 2 +- kernel/module.c | 15 ++------------- 105 files changed, 113 insertions(+), 124 deletions(-) -- 2.25.1

2 3

[PATCH openEuler-1.0-LTS] powerpc/lib: Validate size for vector operations
by Zhu Wang 15 Mar '24

15 Mar '24

From: Naveen N Rao <naveen(a)kernel.org> mainline inclusion from mainline-v6.8-rc1 commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G83 CVE: CVE-2023-52606 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Some of the fp/vmx code in sstep.c assume a certain maximum size for the instructions being emulated. The size of those operations however is determined separately in analyse_instr(). Add a check to validate the assumption on the maximum size of the operations, so as to prevent any unintended kernel stack corruption. Signed-off-by: Naveen N Rao <naveen(a)kernel.org> Reviewed-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Build-tested-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org Signed-off-by: Zhu Wang <wangzhu9(a)huawei.com> --- arch/powerpc/lib/sstep.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c index d81568f783e5..6c8531928274 100644 --- a/arch/powerpc/lib/sstep.c +++ b/arch/powerpc/lib/sstep.c @@ -473,6 +473,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea, } u; nb = GETSIZE(op->type); + if (nb > sizeof(u)) + return -EINVAL; if (!address_ok(regs, ea, nb)) return -EFAULT; rn = op->reg; @@ -523,6 +525,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea, } u; nb = GETSIZE(op->type); + if (nb > sizeof(u)) + return -EINVAL; if (!address_ok(regs, ea, nb)) return -EFAULT; rn = op->reg; @@ -567,6 +571,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea, u8 b[sizeof(__vector128)]; } u = {}; + if (size > sizeof(u)) + return -EINVAL; + if (!address_ok(regs, ea & ~0xfUL, 16)) return -EFAULT; /* align to multiple of size */ @@ -594,6 +601,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea, u8 b[sizeof(__vector128)]; } u; + if (size > sizeof(u)) + return -EINVAL; + if (!address_ok(regs, ea & ~0xfUL, 16)) return -EFAULT; /* align to multiple of size */ -- 2.34.1

2 1

[PATCH OLK-5.10] powerpc/lib: Validate size for vector operations
by Zhu Wang 15 Mar '24

15 Mar '24

From: Naveen N Rao <naveen(a)kernel.org> mainline inclusion from mainline-v6.8-rc1 commit 8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G83 CVE: CVE-2023-52606 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Some of the fp/vmx code in sstep.c assume a certain maximum size for the instructions being emulated. The size of those operations however is determined separately in analyse_instr(). Add a check to validate the assumption on the maximum size of the operations, so as to prevent any unintended kernel stack corruption. Signed-off-by: Naveen N Rao <naveen(a)kernel.org> Reviewed-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Build-tested-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20231123071705.397625-1-naveen@kernel.org Signed-off-by: Zhu Wang <wangzhu9(a)huawei.com> --- arch/powerpc/lib/sstep.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/powerpc/lib/sstep.c b/arch/powerpc/lib/sstep.c index d81568f783e5..6c8531928274 100644 --- a/arch/powerpc/lib/sstep.c +++ b/arch/powerpc/lib/sstep.c @@ -473,6 +473,8 @@ static int do_fp_load(struct instruction_op *op, unsigned long ea, } u; nb = GETSIZE(op->type); + if (nb > sizeof(u)) + return -EINVAL; if (!address_ok(regs, ea, nb)) return -EFAULT; rn = op->reg; @@ -523,6 +525,8 @@ static int do_fp_store(struct instruction_op *op, unsigned long ea, } u; nb = GETSIZE(op->type); + if (nb > sizeof(u)) + return -EINVAL; if (!address_ok(regs, ea, nb)) return -EFAULT; rn = op->reg; @@ -567,6 +571,9 @@ static nokprobe_inline int do_vec_load(int rn, unsigned long ea, u8 b[sizeof(__vector128)]; } u = {}; + if (size > sizeof(u)) + return -EINVAL; + if (!address_ok(regs, ea & ~0xfUL, 16)) return -EFAULT; /* align to multiple of size */ @@ -594,6 +601,9 @@ static nokprobe_inline int do_vec_store(int rn, unsigned long ea, u8 b[sizeof(__vector128)]; } u; + if (size > sizeof(u)) + return -EINVAL; + if (!address_ok(regs, ea & ~0xfUL, 16)) return -EFAULT; /* align to multiple of size */ -- 2.34.1

2 1

[PATCH OLK-6.6] ceph: fix deadlock or deadcode of misusing dget()
by q00831684 15 Mar '24

15 Mar '24

From: Xiubo Li <xiubli(a)redhat.com> mainline inclusion from mainline-v6.8-rc1 commit b493ad718b1f0357394d2cdecbf00a44a36fa085 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G92 CVE: CVE-2023-52583 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ceph/caps.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 4c0b220e20ba..1cc433de4200 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -4174,12 +4174,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, struct inode *dir, int mds, int drop, int unless) { - struct dentry *parent = NULL; struct ceph_mds_request_release *rel = *p; struct ceph_dentry_info *di = ceph_dentry(dentry); int force = 0; int ret; + /* This shouldn't happen */ + BUG_ON(!dir); + /* * force an record for the directory caps if we have a dentry lease. * this is racy (can't take i_ceph_lock and d_lock together), but it @@ -4189,14 +4191,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, spin_lock(&dentry->d_lock); if (di->lease_session && di->lease_session->s_mds == mds) force = 1; - if (!dir) { - parent = dget(dentry->d_parent); - dir = d_inode(parent); - } spin_unlock(&dentry->d_lock); ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); - dput(parent); spin_lock(&dentry->d_lock); if (ret && di->lease_session && di->lease_session->s_mds == mds) { -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] ceph: fix deadlock or deadcode of misusing dget()
by q00831684 15 Mar '24

15 Mar '24

From: Xiubo Li <xiubli(a)redhat.com> mainline inclusion from mainline-v6.8-rc1 commit b493ad718b1f0357394d2cdecbf00a44a36fa085 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G92 CVE: CVE-2023-52583 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ceph/caps.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 4c0b220e20ba..1cc433de4200 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -4174,12 +4174,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, struct inode *dir, int mds, int drop, int unless) { - struct dentry *parent = NULL; struct ceph_mds_request_release *rel = *p; struct ceph_dentry_info *di = ceph_dentry(dentry); int force = 0; int ret; + /* This shouldn't happen */ + BUG_ON(!dir); + /* * force an record for the directory caps if we have a dentry lease. * this is racy (can't take i_ceph_lock and d_lock together), but it @@ -4189,14 +4191,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, spin_lock(&dentry->d_lock); if (di->lease_session && di->lease_session->s_mds == mds) force = 1; - if (!dir) { - parent = dget(dentry->d_parent); - dir = d_inode(parent); - } spin_unlock(&dentry->d_lock); ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); - dput(parent); spin_lock(&dentry->d_lock); if (ret && di->lease_session && di->lease_session->s_mds == mds) { -- 2.39.2

2 1

[PATCH OLK-5.10] ceph: fix deadlock or deadcode of misusing dget()
by q00831684 15 Mar '24

15 Mar '24

From: Xiubo Li <xiubli(a)redhat.com> mainline inclusion from mainline-v6.8-rc1 commit b493ad718b1f0357394d2cdecbf00a44a36fa085 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96G92 CVE: CVE-2023-52583 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it. Link: https://lore.kernel.org/r/20231116081919.GZ1957730@ZenIV Reported-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Xiubo Li <xiubli(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Ilya Dryomov <idryomov(a)gmail.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/ceph/caps.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 4c0b220e20ba..1cc433de4200 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -4174,12 +4174,14 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, struct inode *dir, int mds, int drop, int unless) { - struct dentry *parent = NULL; struct ceph_mds_request_release *rel = *p; struct ceph_dentry_info *di = ceph_dentry(dentry); int force = 0; int ret; + /* This shouldn't happen */ + BUG_ON(!dir); + /* * force an record for the directory caps if we have a dentry lease. * this is racy (can't take i_ceph_lock and d_lock together), but it @@ -4189,14 +4191,9 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry, spin_lock(&dentry->d_lock); if (di->lease_session && di->lease_session->s_mds == mds) force = 1; - if (!dir) { - parent = dget(dentry->d_parent); - dir = d_inode(parent); - } spin_unlock(&dentry->d_lock); ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force); - dput(parent); spin_lock(&dentry->d_lock); if (ret && di->lease_session && di->lease_session->s_mds == mds) { -- 2.39.2

2 1