- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] nvmet: nul-terminate the NQNs passed in the connect command
by Cheng Yu 08 Jan '24

08 Jan '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.7-rc3 commit 1c22e0295a5eb571c27b53c7371f95699ef705ff category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8H4UJ CVE: CVE-2023-6121 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The host and subsystem NQNs are passed in the connect command payload and interpreted as nul-terminated strings. Ensure they actually are nul-terminated before using them. Fixes: a07b4970f464 "nvmet: add a generic NVMe target") Reported-by: Alon Zahavi <zahavi.alon(a)gmail.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- drivers/nvme/target/fabrics-cmd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c index d84ae004cb85..637160deb3ac 100644 --- a/drivers/nvme/target/fabrics-cmd.c +++ b/drivers/nvme/target/fabrics-cmd.c @@ -153,6 +153,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req, le32_to_cpu(c->kato), &ctrl); if (status) @@ -203,6 +205,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn, le16_to_cpu(d->cntlid), req, &ctrl); -- 2.25.1

2 1

[PATCH OLK-6.6 0/2] ext4: fix slab-out-of-bounds in ext4_find_extent()
by Baokun Li 08 Jan '24

08 Jan '24

yangerkun (2): ext4: avoid recheck extent for EXT4_EX_FORCE_CACHE ext4: check magic even the extent block bh is verified fs/ext4/extents.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) -- 2.31.1

2 3

[PATCH openEuler-1.0-LTS] netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
by Dong Chenchen 08 Jan '24

08 Jan '24

From: Hangyu Hua <hbh25y(a)gmail.com> stable inclusion from stable-v4.19.275 commit 43b9a9c78e37a5532c2a9260dff9d9989f2bbb23 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8SL4W CVE: CVE-2023-7192 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ac4893980bbe79ce383daf9a0885666a30fe4c83 ] nf_ct_put() needs to be called to put the refcount got by nf_conntrack_find_get() to avoid refcount leak when nf_conntrack_hash_check_insert() fails. Fixes: 7d367e06688d ("netfilter: ctnetlink: fix soft lockup when netlink adds new entries (v2)") Signed-off-by: Hangyu Hua <hbh25y(a)gmail.com> Acked-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> --- net/netfilter/nf_conntrack_netlink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 2850a638401d..58bba2e2691f 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -2056,12 +2056,15 @@ ctnetlink_create_conntrack(struct net *net, err = nf_conntrack_hash_check_insert(ct); if (err < 0) - goto err2; + goto err3; rcu_read_unlock(); return ct; +err3: + if (ct->master) + nf_ct_put(ct->master); err2: rcu_read_unlock(); err1: -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS V1] nvmet: nul-terminate the NQNs passed in the connect command
by Cheng Yu 08 Jan '24

08 Jan '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.7-rc3 commit 1c22e0295a5eb571c27b53c7371f95699ef705ff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8U4HU CVE: CVE-2023-6121 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The host and subsystem NQNs are passed in the connect command payload and interpreted as nul-terminated strings. Ensure they actually are nul-terminated before using them. Fixes: a07b4970f464 "nvmet: add a generic NVMe target") Reported-by: Alon Zahavi <zahavi.alon(a)gmail.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- drivers/nvme/target/fabrics-cmd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c index d84ae004cb85..637160deb3ac 100644 --- a/drivers/nvme/target/fabrics-cmd.c +++ b/drivers/nvme/target/fabrics-cmd.c @@ -153,6 +153,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req, le32_to_cpu(c->kato), &ctrl); if (status) @@ -203,6 +205,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn, le16_to_cpu(d->cntlid), req, &ctrl); -- 2.25.1

2 1

[PATCH OLK-6.6] cgroup: Export cgroup.stat from cgroupv2 to cgroupv1
by Lu Jialin 07 Jan '24

07 Jan '24

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8U6EM -------------------------------- Export cgroup.stat feature from cgroupv2 to cgroupv1. Therefore, user can get dying descendants cgroup number and descendants number in cgroupv1. --- arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + init/Kconfig | 5 +++++ kernel/cgroup/cgroup-internal.h | 1 + kernel/cgroup/cgroup-v1.c | 6 ++++++ kernel/cgroup/cgroup.c | 2 +- 6 files changed, 15 insertions(+), 1 deletion(-) diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index 9a053bc885dd..1fc527e975be 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -188,6 +188,7 @@ CONFIG_CGROUP_BPF=y # CONFIG_CGROUP_DEBUG is not set CONFIG_SOCK_CGROUP_DATA=y CONFIG_CGROUP_V1_KILL=y +CONFIG_CGROUP_V1_STAT=y CONFIG_CGROUP_FILES=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 4bf011ed6307..0980126766cc 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -209,6 +209,7 @@ CONFIG_CGROUP_BPF=y # CONFIG_CGROUP_DEBUG is not set CONFIG_SOCK_CGROUP_DATA=y CONFIG_CGROUP_V1_KILL=y +CONFIG_CGROUP_V1_STAT=y CONFIG_CGROUP_FILES=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y diff --git a/init/Kconfig b/init/Kconfig index 869eea4108d0..fad38e359428 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1254,6 +1254,11 @@ config CGROUP_V1_KILL default n depends on CGROUPS +config CGROUP_V1_STAT + bool "Getting Cgroup Stat in Cgroup V1" + default n + depends on CGROUPS + config CGROUP_FILES bool "Files Resource Controller for Control Groups" select PAGE_COUNTER diff --git a/kernel/cgroup/cgroup-internal.h b/kernel/cgroup/cgroup-internal.h index d5a197d4b0ec..96a9bd2c26f0 100644 --- a/kernel/cgroup/cgroup-internal.h +++ b/kernel/cgroup/cgroup-internal.h @@ -266,6 +266,7 @@ int cgroup_task_count(const struct cgroup *cgrp); ssize_t cgroup_kill_write(struct kernfs_open_file *of, char *buf, size_t nbytes, loff_t off); +int cgroup_stat_show(struct seq_file *seq, void *v); /* * rstat.c diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c index 622398d492b6..ece2f4e17197 100644 --- a/kernel/cgroup/cgroup-v1.c +++ b/kernel/cgroup/cgroup-v1.c @@ -666,6 +666,12 @@ struct cftype cgroup1_base_files[] = { .flags = CFTYPE_NOT_ON_ROOT, .write = cgroup_kill_write, }, +#endif +#ifdef CONFIG_CGROUP_V1_STAT + { + .name = "cgroup.stat", + .seq_show = cgroup_stat_show, + }, #endif { } /* terminate */ }; diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index cfae217e6e7f..36707df23cfd 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -3657,7 +3657,7 @@ static int cgroup_events_show(struct seq_file *seq, void *v) return 0; } -static int cgroup_stat_show(struct seq_file *seq, void *v) +int cgroup_stat_show(struct seq_file *seq, void *v) { struct cgroup *cgroup = seq_css(seq)->cgroup; -- 2.34.1

2 1

[PATCH hulk-4.19 V1] nvmet: nul-terminate the NQNs passed in the connect command
by Cheng Yu 06 Jan '24

06 Jan '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.7-rc3 commit 1c22e0295a5eb571c27b53c7371f95699ef705ff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8U4HU CVE: CVE-2023-6121 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The host and subsystem NQNs are passed in the connect command payload and interpreted as nul-terminated strings. Ensure they actually are nul-terminated before using them. Fixes: a07b4970f464 "nvmet: add a generic NVMe target") Reported-by: Alon Zahavi <zahavi.alon(a)gmail.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- drivers/nvme/target/fabrics-cmd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c index d84ae004cb85..637160deb3ac 100644 --- a/drivers/nvme/target/fabrics-cmd.c +++ b/drivers/nvme/target/fabrics-cmd.c @@ -153,6 +153,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req, le32_to_cpu(c->kato), &ctrl); if (status) @@ -203,6 +205,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn, le16_to_cpu(d->cntlid), req, &ctrl); -- 2.25.1

1 0

[PATCH OLK-6.6 0/4] xfs: fix block space problems
by Long Li 06 Jan '24

06 Jan '24

*** BLURB HERE *** This patch set fix block space problems Gao Xiang (1): xfs: account extra freespace btree splits for multiple allocations Guo Xuenan (1): xfs: set minleft correctly for randomly sparse inode allocations yangerkun (2): xfs: fix xfs shutdown since we reserve more blocks in agfl fixup xfs: longest free extent no need consider postalloc fs/xfs/libxfs/xfs_alloc.c | 49 ++++++++++++++++++++++++++++++++------ fs/xfs/libxfs/xfs_alloc.h | 1 + fs/xfs/libxfs/xfs_bmap.c | 1 + fs/xfs/libxfs/xfs_ialloc.c | 3 +++ fs/xfs/xfs_mount.c | 9 +++++++ 5 files changed, 56 insertions(+), 7 deletions(-) -- 2.31.1

2 5

[PATCH hulk-4.19 V1] nvmet: nul-terminate the NQNs passed in the connect command
by Cheng Yu 06 Jan '24

06 Jan '24

From: Christoph Hellwig <hch(a)lst.de> mainline inclusion from mainline-v6.7-rc3 commit 1c22e0295a5eb571c27b53c7371f95699ef705ff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8U4HU CVE: CVE-2023-6121 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The host and subsystem NQNs are passed in the connect command payload and interpreted as nul-terminated strings. Ensure they actually are nul-terminated before using them. Fixes: a07b4970f464 "nvmet: add a generic NVMe target") Reported-by: Alon Zahavi <zahavi.alon(a)gmail.com> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Signed-off-by: Cheng Yu <serein.chengyu(a)huawei.com> --- drivers/nvme/target/fabrics-cmd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c index d84ae004cb85..637160deb3ac 100644 --- a/drivers/nvme/target/fabrics-cmd.c +++ b/drivers/nvme/target/fabrics-cmd.c @@ -153,6 +153,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req, le32_to_cpu(c->kato), &ctrl); if (status) @@ -203,6 +205,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) goto out; } + d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; + d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0'; status = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn, le16_to_cpu(d->cntlid), req, &ctrl); -- 2.25.1

1 0

[PATCH OLK-6.6] aio: add timeout validity check for io_[p]getevents
by Baokun Li 06 Jan '24

06 Jan '24

From: "zhangyi (F)" <yi.zhang(a)huawei.com> maillist inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8U48M CVE: NA Reference: https://lore.kernel.org/lkml/1564451504-27906-1-git-send-email-yi.zhang@hua… --------------------------- io_[p]getevents syscall should return -EINVAL if timeout is out of range, add this validity check. Signed-off-by: zhangyi (F) <yi.zhang(a)huawei.com> Reviewed-by: Jeff Moyer <jmoyer(a)redhat.com> Cc: Jeff Moyer <jmoyer(a)redhat.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Deepa Dinamani <deepa.kernel(a)gmail.com> Signed-off-by: yangerkun <yangerkun(a)huawei.com> Reviewed-by: zhangyi (F) <yi.zhang(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/aio.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/fs/aio.c b/fs/aio.c index f8589caef9c1..73555729bc36 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -2170,10 +2170,17 @@ static long do_io_getevents(aio_context_t ctx_id, struct io_event __user *events, struct timespec64 *ts) { - ktime_t until = ts ? timespec64_to_ktime(*ts) : KTIME_MAX; - struct kioctx *ioctx = lookup_ioctx(ctx_id); + ktime_t until = KTIME_MAX; + struct kioctx *ioctx = NULL; long ret = -EINVAL; + if (ts) { + if (!timespec64_valid(ts)) + return ret; + until = timespec64_to_ktime(*ts); + } + + ioctx = lookup_ioctx(ctx_id); if (likely(ioctx)) { if (likely(min_nr <= nr && min_nr >= 0)) ret = read_events(ioctx, min_nr, nr, events, until); -- 2.31.1

2 1

[PATCH OLK-6.6] pipe: Fix endless sleep problem due to the out-of-order
by Baokun Li 06 Jan '24

06 Jan '24

From: yangerkun <yangerkun(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8U3TT --------------------------- Thers is a out-of-order access problem which would cause endless sleep when we use pipe with epoll. The story is following, we assume the ring size is 2, the ring head is 1, the ring tail is 0, task0 is write task, task1 is read task, task2 is write task. Task0 Task1 Task2 epoll_ctl(fd, EPOLL_CTL_ADD, ...) pipe_poll() poll_wait() tail = READ_ONCE(pipe->tail); // Re-order and get tail=0 pipe_read tail++ //tail=1 pipe_write head++ //head=2 head = READ_ONCE(pipe->head); // head = 2 check ring is full by head - tail Task0 get head = 2 and tail = 0, so it mistake that the pipe ring is full, then task0 is not add into ready list. If the ring is not full anymore, task0 would not be woken up forever. The reason of this problem is that we got inconsistent head/tail value of the pipe ring, so we fix the problem by getting them protected. Signed-off-by: yangerkun <yangerkun(a)huawei.com> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Chen Jun <chenjun102(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/pipe.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/pipe.c b/fs/pipe.c index 139190165a1c..34752ba942ab 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -672,8 +672,10 @@ pipe_poll(struct file *filp, poll_table *wait) * if something changes and you got it wrong, the poll * table entry will wake you up and fix it. */ + spin_lock_irq(&pipe->rd_wait.lock); head = READ_ONCE(pipe->head); tail = READ_ONCE(pipe->tail); + spin_unlock_irq(&pipe->rd_wait.lock); mask = 0; if (filp->f_mode & FMODE_READ) { -- 2.31.1

2 1