Kernel

kernel@openeuler.org

  • 57 participants
  • 19203 discussions
[PATCH v2 OLK-5.10] fs/open: use unlikely modification of filp_close anomaly detection branch
by liwei 17 Jun '24
hulk inclusion category: performance bugzilla: https://gitee.com/openeuler/kernel/issues/IA5PIS --------------------------- The probability of obtaining file_count() equal to 0 in filp_close() is relatively small. Using unlikely modification can improve efficiency. Signed-off-by: liwei <liwei728(a)huawei.com> --- fs/open.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/open.c b/fs/open.c index 8092178ceab0..68de475df5ec 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1285,7 +1285,7 @@ int filp_close(struct file *filp, fl_owner_t id) { int retval = 0; - if (!file_count(filp)) { + if (unlikely(!file_count(filp))) { printk(KERN_ERR "VFS: Close: file count is 0\n"); return 0; } -- 2.25.1
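Review bot: The commit message justifies `unlikely(!file_count(filp))` in filp_close() with "can improve efficiency" but gives no measurement, even though the patch is filed as category: performance. The annotation itself is reasonable, since the branch is an error path that prints "VFS: Close: file count is 0" and returns, so either add the numbers that motivated it or describe the change as a branch-layout hint rather than a measured gain.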
[PATCH openEuler-22.03-LTS-SP1 v2] ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
by Long Li 17 Jun '24
From: Namjae Jeon <linkinjeon(a)kernel.org> mainline inclusion from mainline-v6.9-rc4 commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI CVE: CVE-2024-26936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header is used in smb2_allocate_rsp_buf(). This patch add simple buffer size validation to avoid potencial out-of-bounds in request buffer. Cc: stable(a)vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 4df7108a886f..7937f860ea8f 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) if (cmd == SMB2_QUERY_INFO_HE) { struct smb2_query_info_req *req; + if (get_rfc1002_len(work->request_buf) < + offsetof(struct smb2_query_info_req, OutputBufferLength)) + return -EINVAL; + req = smb2_get_msg(work->request_buf); if ((req->InfoType == SMB2_O_INFO_FILE && (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -- 2.39.2
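Review bot: The added bound in the SMB2_QUERY_INFO_HE branch, `get_rfc1002_len(work->request_buf) < offsetof(struct smb2_query_info_req, OutputBufferLength)`, only guarantees that fields laid out before OutputBufferLength are inside the request buffer. That is enough for the req->InfoType and req->FileInfoClass reads visible in the context if both precede OutputBufferLength in this branch's struct definition, which is worth confirming because the backport targets a different file path (fs/ksmbd/smb2pdu.c) than mainline. A one-line comment naming the fields the check protects would keep later edits from reading past the validated range.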
[PATCH OLK-5.10 v2] ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
by Long Li 17 Jun '24
From: Namjae Jeon <linkinjeon(a)kernel.org> mainline inclusion from mainline-v6.9-rc4 commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI CVE: CVE-2024-26936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header is used in smb2_allocate_rsp_buf(). This patch add simple buffer size validation to avoid potencial out-of-bounds in request buffer. Cc: stable(a)vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 4df7108a886f..7937f860ea8f 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) if (cmd == SMB2_QUERY_INFO_HE) { struct smb2_query_info_req *req; + if (get_rfc1002_len(work->request_buf) < + offsetof(struct smb2_query_info_req, OutputBufferLength)) + return -EINVAL; + req = smb2_get_msg(work->request_buf); if ((req->InfoType == SMB2_O_INFO_FILE && (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -- 2.39.2
[PATCH] fs/open: use unlikely modification of filp_close anomaly detection branch
by liwei 17 Jun '24
hulk inclusion category: performance bugzilla: https://gitee.com/openeuler/kernel/issues/IA5PIS --------------------------- The probability of obtaining file_count() equal to 0 in filp_close() is relatively small. Using unlikely modification can improve efficiency. Signed-off-by: liwei <liwei728(a)huawei.com> --- fs/open.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/open.c b/fs/open.c index 8092178ceab0..68de475df5ec 100644 --- a/fs/open.c +++ b/fs/open.c @@ -1285,7 +1285,7 @@ int filp_close(struct file *filp, fl_owner_t id) { int retval = 0; - if (!file_count(filp)) { + if (unlikely(!file_count(filp))) { printk(KERN_ERR "VFS: Close: file count is 0\n"); return 0; } -- 2.25.1
[PATCH openEuler-1.0-LTS] RDMA/cma: Fix rdma_resolve_route() memory leak
by Zhao Wenhui 17 Jun '24
From: Gerd Rausch <gerd.rausch(a)oracle.com> stable inclusion from stable-v4.19.198 commit 4893c938f2a140a74be91779e45e4a7fa111198f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4ER CVE: CVE-2021-47345 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ] Fix a memory leak when "mda_resolve_route() is called more than once on the same "rdma_cm_id". This is possible if cma_query_handler() triggers the RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and allows rdma_resolve_route() to be called again. Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com Signed-off-by: Gerd Rausch <gerd.rausch(a)oracle.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhao Wenhui <zhaowenhui8(a)huawei.com> --- drivers/infiniband/core/cma.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index 20a5501b740a..127ebd481689 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -2547,7 +2547,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv, int timeout_ms) cma_init_resolve_route_work(work, id_priv); - route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL); + if (!route->path_rec) + route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL); if (!route->path_rec) { ret = -ENOMEM; goto err1; -- 2.34.1
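Review bot: The new `if (!route->path_rec)` guard in cma_resolve_ib_route() assumes that path_rec is NULL whenever it does not point at a live allocation, and nothing in this hunk shows that. Please confirm that every path that frees route->path_rec also resets it to NULL, otherwise a second rdma_resolve_route() call would skip the kmalloc() and reuse a freed pointer. Also check that the reused buffer is fully overwritten by the new query, since the contents left from the first attempt are now kept as they are.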
[PATCH openEuler-22.03-LTS-SP1] ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
by Long Li 17 Jun '24
From: Yang Xiongwei <yangxiongwei6(a)huawei.com> mainline inclusion from mainline-v6.9-rc4 commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI CVE: CVE-2024-26936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header is used in smb2_allocate_rsp_buf(). This patch add simple buffer size validation to avoid potencial out-of-bounds in request buffer. Cc: stable(a)vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 4df7108a886f..7937f860ea8f 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) if (cmd == SMB2_QUERY_INFO_HE) { struct smb2_query_info_req *req; + if (get_rfc1002_len(work->request_buf) < + offsetof(struct smb2_query_info_req, OutputBufferLength)) + return -EINVAL; + req = smb2_get_msg(work->request_buf); if ((req->InfoType == SMB2_O_INFO_FILE && (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -- 2.39.2
[PATCH OLK-5.10] ksmbd: validate request buffer size in smb2_allocate_rsp_buf()
by Long Li 17 Jun '24
From: Yang Xiongwei <yangxiongwei6(a)huawei.com> mainline inclusion from mainline-v6.9-rc4 commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI CVE: CVE-2024-26936 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The response buffer should be allocated in smb2_allocate_rsp_buf before validating request. But the fields in payload as well as smb2 header is used in smb2_allocate_rsp_buf(). This patch add simple buffer size validation to avoid potencial out-of-bounds in request buffer. Cc: stable(a)vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/server/smb2pdu.c fs/ksmbd/smb2pdu.c [lc:file path is not same] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/ksmbd/smb2pdu.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c index 4df7108a886f..7937f860ea8f 100644 --- a/fs/ksmbd/smb2pdu.c +++ b/fs/ksmbd/smb2pdu.c @@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work) if (cmd == SMB2_QUERY_INFO_HE) { struct smb2_query_info_req *req; + if (get_rfc1002_len(work->request_buf) < + offsetof(struct smb2_query_info_req, OutputBufferLength)) + return -EINVAL; + req = smb2_get_msg(work->request_buf); if ((req->InfoType == SMB2_O_INFO_FILE && (req->FileInfoClass == FILE_FULL_EA_INFORMATION || -- 2.39.2
[PATCH openEuler-22.03-LTS-SP1] fs/9p: fix uninitialized values during inode evict
by Long Li 17 Jun '24
From: Eric Van Hensbergen <ericvh(a)kernel.org> mainline inclusion from mainline-v6.9-rc1 commit 6630036b7c228f57c7893ee0403e92c2db2cd21d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U997 CVE: CVE-2024-36923 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If an iget fails due to not being able to retrieve information from the server then the inode structure is only partially initialized. When the inode gets evicted, references to uninitialized structures (like fscache cookies) were being made. This patch checks for a bad_inode before doing anything other than clearing the inode from the cache. Since the inode is bad, it shouldn't have any state associated with it that needs to be written back (and there really isn't a way to complete those anyways). Reported-by: syzbot+eb83fe1cce5833cd66a0(a)syzkaller.appspotmail.com Signed-off-by: Eric Van Hensbergen <ericvh(a)kernel.org> Conflicts: fs/9p/vfs_inode.c [v9fs_evict_inode() function has been changed] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/9p/vfs_inode.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index 88ca5015f987..483d777a8617 100644 --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c 
@@ -376,15 +376,19 @@ void v9fs_evict_inode(struct inode *inode) { struct v9fs_inode *v9inode = V9FS_I(inode); - truncate_inode_pages_final(&inode->i_data); - clear_inode(inode); - filemap_fdatawrite(&inode->i_data); - - v9fs_cache_inode_put_cookie(inode); - /* clunk the fid stashed in writeback_fid */ - if (v9inode->writeback_fid) { - p9_client_clunk(v9inode->writeback_fid); - v9inode->writeback_fid = NULL; + if (!is_bad_inode(inode)) { + truncate_inode_pages_final(&inode->i_data); + clear_inode(inode); + filemap_fdatawrite(&inode->i_data); + + v9fs_cache_inode_put_cookie(inode); + /* clunk the fid stashed in writeback_fid */ + if (v9inode->writeback_fid) { + p9_client_clunk(v9inode->writeback_fid); + v9inode->writeback_fid = NULL; + } + } else { + clear_inode(inode); } } -- 2.39.2
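Review bot: The `else` branch of the new `is_bad_inode(inode)` check in v9fs_evict_inode() carries no comment, so the reason the bad-inode path skips v9fs_cache_inode_put_cookie() and the writeback_fid clunk is recorded only in the commit message. A short comment on that branch saying the inode was never fully initialized and has no cookie or writeback fid to release would document it in the code. Note too that clear_inode() is still called before filemap_fdatawrite() in the good-inode branch, which matches the removed lines and is best left unchanged in a backport.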
[PATCH OLK-5.10] fs/9p: fix uninitialized values during inode evict
by Long Li 17 Jun '24
From: Eric Van Hensbergen <ericvh(a)kernel.org> mainline inclusion from mainline-v6.9-rc1 commit 6630036b7c228f57c7893ee0403e92c2db2cd21d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U997 CVE: CVE-2024-36923 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If an iget fails due to not being able to retrieve information from the server then the inode structure is only partially initialized. When the inode gets evicted, references to uninitialized structures (like fscache cookies) were being made. This patch checks for a bad_inode before doing anything other than clearing the inode from the cache. Since the inode is bad, it shouldn't have any state associated with it that needs to be written back (and there really isn't a way to complete those anyways). Reported-by: syzbot+eb83fe1cce5833cd66a0(a)syzkaller.appspotmail.com Signed-off-by: Eric Van Hensbergen <ericvh(a)kernel.org> Conflicts: fs/9p/vfs_inode.c [v9fs_evict_inode() function has been changed] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/9p/vfs_inode.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index 88ca5015f987..483d777a8617 100644 --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c 
@@ -376,15 +376,19 @@ void v9fs_evict_inode(struct inode *inode) { struct v9fs_inode *v9inode = V9FS_I(inode); - truncate_inode_pages_final(&inode->i_data); - clear_inode(inode); - filemap_fdatawrite(&inode->i_data); - - v9fs_cache_inode_put_cookie(inode); - /* clunk the fid stashed in writeback_fid */ - if (v9inode->writeback_fid) { - p9_client_clunk(v9inode->writeback_fid); - v9inode->writeback_fid = NULL; + if (!is_bad_inode(inode)) { + truncate_inode_pages_final(&inode->i_data); + clear_inode(inode); + filemap_fdatawrite(&inode->i_data); + + v9fs_cache_inode_put_cookie(inode); + /* clunk the fid stashed in writeback_fid */ + if (v9inode->writeback_fid) { + p9_client_clunk(v9inode->writeback_fid); + v9inode->writeback_fid = NULL; + } + } else { + clear_inode(inode); } } -- 2.39.2
[PATCH openEuler-1.0-LTS v2] dhugetlb: use rcu lock to protect hpool
by Liu Shixin 17 Jun '24
hulk inclusion category: bugfix bugzilla: 46904, https://gitee.com/openeuler/kernel/issues/IA5JXN -------------------------------- In freeing process, set memcg->hpool or dpool_global_hpool to NULL and then freeing it. To avoid UAF problem of hpool, we have to make sure the users that already hold pointer to hpool don't use the pointer after freeing hpool. The freeing of hpool should block until make sure all such users don't use hpool. Since anyone who want to use hpool have to increase its refcount at first. Use rcu_read_lock() and synchronize_rcu() to guarantee all such users failed to get hpool before freeing hpool. Fixes: 0bc0d0d57eda ("dhugetlb: backport dynamic hugetlb feature") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- mm/hugetlb.c | 6 ++++++ mm/memcontrol.c | 11 ++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 4be708677ce6..18dd5bcd13a3 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3360,6 +3360,7 @@ void dhugetlb_pool_put(struct dhugetlb_pool *hpool) if (atomic_dec_and_test(&hpool->refcnt)) { css_put(&hpool->attach_memcg->css); + synchronize_rcu(); kfree(hpool); } } @@ -3500,9 +3501,14 @@ struct dhugetlb_pool *get_dhugetlb_pool_from_task(struct task_struct *tsk) rcu_read_lock(); memcg = mem_cgroup_from_task(tsk); + if (!memcg || !css_tryget(&memcg->css)) { + rcu_read_unlock(); + return NULL; + } rcu_read_unlock(); hpool = get_dhugetlb_pool_from_memcg(memcg); + css_put(&memcg->css); return hpool; } diff --git a/mm/memcontrol.c b/mm/memcontrol.c index 7dc68b1792ef..4ecb6f09b68b 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c 
@@ -4701,14 +4701,19 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, struct dhugetlb_pool *get_dhugetlb_pool_from_memcg(struct mem_cgroup *memcg) { struct mem_cgroup_extension *memcg_ext; + struct dhugetlb_pool *hpool; if (!memcg) return NULL; + rcu_read_lock(); memcg_ext = container_of(memcg, struct mem_cgroup_extension, memcg); - if (dhugetlb_pool_get(memcg_ext->hpool)) - return memcg_ext->hpool; - return NULL; + hpool = memcg_ext->hpool; + if (!dhugetlb_pool_get(hpool)) + hpool = NULL; + rcu_read_unlock(); + + return hpool; } static void set_dhugetlb_pool_to_memcg(struct mem_cgroup *memcg, -- 2.25.1
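Review bot: synchronize_rcu() is added to dhugetlb_pool_put() right before kfree(hpool), which turns the final put into a blocking call. synchronize_rcu() may sleep, so every caller of dhugetlb_pool_put() has to be in process context with no spinlock held and outside any rcu_read_lock() section. If that cannot be guaranteed, freeing through kfree_rcu() or call_rcu() avoids the constraint, at the cost of an rcu_head in struct dhugetlb_pool, whose definition this diff does not show.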
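Review bot: In get_dhugetlb_pool_from_memcg() the pointer is read with a plain `hpool = memcg_ext->hpool;` inside the rcu_read_lock() section. For the RCU scheme the commit message describes, the reader should use rcu_dereference() (or at least READ_ONCE()) and the code that sets the hpool pointer to NULL should use rcu_assign_pointer() or WRITE_ONCE(), so the compiler cannot reload or tear the pointer between the load and dhugetlb_pool_get(hpool). The scheme also relies on dhugetlb_pool_get() failing once refcnt has reached zero, which is worth stating in a comment because that function is not part of this diff.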