June 2022 - Kernel - mailweb.openeuler.org

openEuler kernel SIG例会&技术分享
by openEuler conference 20 Jun '22

20 Jun '22

您好！ Kernel SIG 邀请您参加 2022-06-24 14:00 召开的Zoom会议(自动录制) 会议主题：openEuler kernel SIG例会&技术分享会议内容： openEuler kernel 技术分享：执行实体创建与切换会议链接：https://us06web.zoom.us/j/81671713618?pwd=eWIxeGowd1hvNTNZQUlRRmplNlZydz09 会议纪要：https://etherpad.openeuler.org/p/Kernel-meetings 温馨提醒：建议接入会议后修改参会人的姓名，也可以使用您在gitee.com的ID 更多资讯尽在：https://openeuler.org/zh/ Hello! openEuler Kernel SIG invites you to attend the Zoom conference(auto recording) will be held at 2022-06-24 14:00, The subject of the conference is openEuler kernel SIG例会&技术分享, Summary: openEuler kernel 技术分享：执行实体创建与切换 You can join the meeting at https://us06web.zoom.us/j/81671713618?pwd=eWIxeGowd1hvNTNZQUlRRmplNlZydz09. Add topics at https://etherpad.openeuler.org/p/Kernel-meetings. Note: You are advised to change the participant name after joining the conference or use your ID at gitee.com. More information: https://openeuler.org/en/

1 0

[PATCH openEuler-1.0-LTS 1/8] xfs: abort xattr scrub if fatal signals are pending
by Laibin Qiu 18 Jun '22

18 Jun '22

From: "Darrick J. Wong" <darrick.wong(a)oracle.com> mainline inclusion from mainline-v5.1-rc1 commit 3258cb208caba74258ffdd8bd59972bbda9bfee1 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5BDCU CVE: NA -------------------------------- The extended attribute scrubber should abort the "read all attrs" loop if there's a fatal signal pending on the process. Signed-off-by: Darrick J. Wong <darrick.wong(a)oracle.com> Reviewed-by: Brian Foster <bfoster(a)redhat.com> Signed-off-by: tangbin <tangbin(a)cmss.chinamobile.com> Reviewed-by: Lihong Kou <koulihong(a)huawei.com> Reviewed-by: Xuenan Guo <guoxuenan(a)huawei.com> Signed-off-by: Laibin Qiu <qiulaibin(a)huawei.com> --- fs/xfs/scrub/attr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/xfs/scrub/attr.c b/fs/xfs/scrub/attr.c index 81d5e90547a1..9960bc5b5d76 100644 --- a/fs/xfs/scrub/attr.c +++ b/fs/xfs/scrub/attr.c @@ -82,6 +82,11 @@ xchk_xattr_listent( sx = container_of(context, struct xchk_xattr, context); + if (xchk_should_terminate(sx->sc, &error)) { + context->seen_enough = 1; + return; + } + if (flags & XFS_ATTR_INCOMPLETE) { /* Incomplete attr key, just mark the inode for preening. */ xchk_ino_set_preen(sx->sc, context->dp->i_ino); -- 2.25.1

1 7

[PATCH openEuler-1.0-LTS 0/8] xfs: fix the xfstests problem
by tangbin 18 Jun '22

18 Jun '22

Hi all: These patches are used to resolve the xfs problem when perform xfstests. For details about how to fix the problem, we can see the link below: https://lore.kernel.org/linux-xfs/154697976479.2839.3584921201780682011.stg… https://lore.kernel.org/linux-xfs/157232182246.593721.4902116478429075171.s… Thanks --- Darrick J. Wong (8): xfs: abort xattr scrub if fatal signals are pending xfs: scrub should flag dir/attr offsets that aren't mappable with xfs_dablk_t xfs: check directory name validity xfs: check attribute name validity xfs: check attribute leaf block structure xfs: namecheck attribute names before listing them xfs: namecheck directory entry names before listing them xfs: replace -EIO with -EFSCORRUPTED for corrupt metadata fs/xfs/libxfs/xfs_attr.c | 17 +++++++++ fs/xfs/libxfs/xfs_attr.h | 2 +- fs/xfs/libxfs/xfs_attr_leaf.c | 68 +++++++++++++++++++++++++++++++++-- fs/xfs/libxfs/xfs_attr_leaf.h | 4 +-- fs/xfs/libxfs/xfs_bmap.c | 6 ++-- fs/xfs/libxfs/xfs_dir2.c | 17 +++++++++ fs/xfs/libxfs/xfs_dir2.h | 1 + fs/xfs/libxfs/xfs_types.c | 11 ++++++ fs/xfs/libxfs/xfs_types.h | 1 + fs/xfs/scrub/attr.c | 11 ++++++ fs/xfs/scrub/bmap.c | 27 ++++++++++++++ fs/xfs/scrub/dir.c | 6 ++++ fs/xfs/xfs_attr_inactive.c | 6 ++-- fs/xfs/xfs_attr_list.c | 60 ++++++++++++++++++++----------- fs/xfs/xfs_dir2_readdir.c | 27 +++++++++++--- fs/xfs/xfs_dquot.c | 2 +- 16 files changed, 228 insertions(+), 38 deletions(-) -- 2.18.4

2 9

[PATCH OLK_5.10] update via-cputemp driver
by LeoLiuoc 17 Jun '22

17 Jun '22

zhaoxin inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I52DS7 CVE: NA -------------------------------- Optimize driver code and add support for Zhaoxin CPU. Signed-off-by: LeoLiuoc <LeoLiu-oc(a)zhaoxin.com> --- drivers/hwmon/Makefile | 3 +- drivers/hwmon/via-cputemp.c | 69 ++++++++++++++++++++----------------- 2 files changed, 39 insertions(+), 33 deletions(-) diff --git a/drivers/hwmon/Makefile b/drivers/hwmon/Makefile index c22a5316bd91..115c0e002718 100644 --- a/drivers/hwmon/Makefile +++ b/drivers/hwmon/Makefile @@ -183,7 +183,8 @@ obj-$(CONFIG_SENSORS_TMP401) += tmp401.o obj-$(CONFIG_SENSORS_TMP421) += tmp421.o obj-$(CONFIG_SENSORS_TMP513) += tmp513.o obj-$(CONFIG_SENSORS_VEXPRESS) += vexpress-hwmon.o -obj-$(CONFIG_SENSORS_VIA_CPUTEMP)+= via-cputemp.o +obj-$(CONFIG_SENSORS_VIA_CPUTEMP) += cputemp-hwmon.o +cputemp-hwmon-objs := via-cputemp.o obj-$(CONFIG_SENSORS_VIA686A) += via686a.o obj-$(CONFIG_SENSORS_VT1211) += vt1211.o obj-$(CONFIG_SENSORS_VT8231) += vt8231.o diff --git a/drivers/hwmon/via-cputemp.c b/drivers/hwmon/via-cputemp.c index e5d18dac8ee7..1599440cc451 100644 --- a/drivers/hwmon/via-cputemp.c +++ b/drivers/hwmon/via-cputemp.c @@ -26,7 +26,8 @@ #include <asm/processor.h> #include <asm/cpu_device_id.h> -#define DRVNAME "via_cputemp" +#define VIA_DRVNAME "via_cputemp" +#define ZHAOXIN_DRVNAME "zhaoxin_cputemp" enum { SHOW_TEMP, SHOW_LABEL, SHOW_NAME }; @@ -114,17 +115,17 @@ static int via_cputemp_probe(struct platform_device *pdev) int err; u32 eax, edx; - data = devm_kzalloc(&pdev->dev, sizeof(struct via_cputemp_data), - GFP_KERNEL); + data = devm_kzalloc(&pdev->dev, sizeof(struct via_cputemp_data), GFP_KERNEL); if (!data) return -ENOMEM; data->id = pdev->id; - data->name = "via_cputemp"; if (c->x86 == 7) { + data->name = ZHAOXIN_DRVNAME; data->msr_temp = 0x1423; } else { + data->name = VIA_DRVNAME; switch (c->x86_model) { case 0xA: /* C7 A */ @@ -145,8 +146,7 @@ static int via_cputemp_probe(struct platform_device *pdev) /* test if we can access the TEMPERATURE MSR */ err = rdmsr_safe_on_cpu(data->id, data->msr_temp, &eax, &edx); if (err) { - dev_err(&pdev->dev, - "Unable to access TEMPERATURE MSR, giving up\n"); + dev_err(&pdev->dev, "Unable to access TEMPERATURE MSR, giving up\n"); return err; } @@ -165,11 +165,10 @@ static int via_cputemp_probe(struct platform_device *pdev) goto exit_remove; } - data->hwmon_dev = hwmon_device_register(&pdev->dev); + data->hwmon_dev = hwmon_device_register_with_info(&pdev->dev, data->name, NULL, NULL, NULL); if (IS_ERR(data->hwmon_dev)) { err = PTR_ERR(data->hwmon_dev); - dev_err(&pdev->dev, "Class registration failed (%d)\n", - err); + dev_err(&pdev->dev, "Class registration failed (%d)\n", err); goto exit_remove; } @@ -194,13 +193,12 @@ static int via_cputemp_remove(struct platform_device *pdev) } static struct platform_driver via_cputemp_driver = { - .driver = { - .name = DRVNAME, - }, .probe = via_cputemp_probe, .remove = via_cputemp_remove, }; +static struct platform_device_info cputemp_device_info; + struct pdev_entry { struct list_head list; struct platform_device *pdev; @@ -216,23 +214,20 @@ static int via_cputemp_online(unsigned int cpu) struct platform_device *pdev; struct pdev_entry *pdev_entry; - pdev = platform_device_alloc(DRVNAME, cpu); - if (!pdev) { - err = -ENOMEM; - pr_err("Device allocation failed\n"); + cputemp_device_info.id = cpu; + + pdev = platform_device_register_full(&cputemp_device_info); + if (IS_ERR(pdev)) { + err = PTR_ERR(pdev); + pr_err("Device registration failed (%d)\n", err); goto exit; } pdev_entry = kzalloc(sizeof(struct pdev_entry), GFP_KERNEL); if (!pdev_entry) { err = -ENOMEM; - goto exit_device_put; - } - - err = platform_device_add(pdev); - if (err) { - pr_err("Device addition failed (%d)\n", err); - goto exit_device_free; + pr_err("Pdev_entry alloc failed (%d)\n", err); + goto exit_device_unregister; } pdev_entry->pdev = pdev; @@ -243,10 +238,8 @@ static int via_cputemp_online(unsigned int cpu) return 0; -exit_device_free: - kfree(pdev_entry); -exit_device_put: - platform_device_put(pdev); +exit_device_unregister: + platform_device_unregister(pdev); exit: return err; } @@ -270,10 +263,11 @@ static int via_cputemp_down_prep(unsigned int cpu) } static const struct x86_cpu_id __initconst cputemp_ids[] = { - X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 6, X86_CENTAUR_FAM6_C7_A, NULL), - X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 6, X86_CENTAUR_FAM6_C7_D, NULL), - X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 6, X86_CENTAUR_FAM6_NANO, NULL), - X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 7, X86_MODEL_ANY, NULL), + X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 6, X86_CENTAUR_FAM6_C7_A, NULL), + X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 6, X86_CENTAUR_FAM6_C7_D, NULL), + X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 6, X86_CENTAUR_FAM6_NANO, NULL), + X86_MATCH_VENDOR_FAM_MODEL(CENTAUR, 7, X86_MODEL_ANY, NULL), + X86_MATCH_VENDOR_FAM_MODEL(ZHAOXIN, 7, X86_MODEL_ANY, NULL), {} }; MODULE_DEVICE_TABLE(x86cpu, cputemp_ids); @@ -283,15 +277,26 @@ static enum cpuhp_state via_temp_online; static int __init via_cputemp_init(void) { int err; + char *cpuhp_name; if (!x86_match_cpu(cputemp_ids)) return -ENODEV; + if (boot_cpu_data.x86 == 0x7) { + via_cputemp_driver.driver.name = ZHAOXIN_DRVNAME; + cputemp_device_info.name = ZHAOXIN_DRVNAME; + cpuhp_name = "hwmon/zhaoxin:online"; + } else { + via_cputemp_driver.driver.name = VIA_DRVNAME; + cputemp_device_info.name = VIA_DRVNAME; + cpuhp_name = "hwmon/via:online"; + } + err = platform_driver_register(&via_cputemp_driver); if (err) goto exit; - err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "hwmon/via:online", + err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, cpuhp_name, via_cputemp_online, via_cputemp_down_prep); if (err < 0) goto exit_driver_unreg; -- 2.20.1

1 0

[PATCH openEuler-1.0-LTS 1/2] tcp: change source port randomizarion at connect() time
by Yongqiang Liu 17 Jun '22

17 Jun '22

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v4.19.246 commit ddec440133913a6b8880e53b896d521a4b7ff24f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C3A9 CVE: CVE-2022-32296 -------------------------------- commit 190cc82489f46f9d88e73c81a47e14f80a791e1a upstream. RFC 6056 (Recommendations for Transport-Protocol Port Randomization) provides good summary of why source selection needs extra care. David Dworken reminded us that linux implements Algorithm 3 as described in RFC 6056 3.3.3 Quoting David : In the context of the web, this creates an interesting info leak where websites can count how many TCP connections a user's computer is establishing over time. For example, this allows a website to count exactly how many subresources a third party website loaded. This also allows: - Distinguishing between different users behind a VPN based on distinct source port ranges. - Tracking users over time across multiple networks. - Covert communication channels between different browsers/browser profiles running on the same computer - Tracking what applications are running on a computer based on the pattern of how fast source ports are getting incremented. Section 3.3.4 describes an enhancement, that reduces attackers ability to use the basic information currently stored into the shared 'u32 hint'. This change also decreases collision rate when multiple applications need to connect() to different destinations. Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reported-by: David Dworken <ddworken(a)google.com> Cc: Willem de Bruijn <willemb(a)google.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> [SG: Adjusted context] Signed-off-by: Stefan Ghinea <stefan.ghinea(a)windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: net/ipv4/inet_hashtables.c Signed-off-by: Baisong Zhong <zhongbaisong(a)huawei.com> Reviewed-by: Wei Yongjun <weiyongjun1(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/ipv4/inet_hashtables.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index bd0108aaa45b..72b8b6f44add 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -666,6 +666,17 @@ void inet_unhash(struct sock *sk) } EXPORT_SYMBOL_GPL(inet_unhash); +/* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm + * Note that we use 32bit integers (vs RFC 'short integers') + * because 2^16 is not a multiple of num_ephemeral and this + * property might be used by clever attacker. + * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, + * we use 256 instead to really give more isolation and + * privacy, this only consumes 1 KB of kernel memory. + */ +#define INET_TABLE_PERTURB_SHIFT 8 +static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT]; + int __inet_hash_connect(struct inet_timewait_death_row *death_row, struct sock *sk, u64 port_offset, int (*check_established)(struct inet_timewait_death_row *, @@ -679,8 +690,8 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, struct inet_bind_bucket *tb; u32 remaining, offset; int ret, i, low, high; - static u32 hint; int l3mdev; + u32 index; if (port) { head = &hinfo->bhash[inet_bhashfn(net, port, @@ -707,7 +718,10 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, if (likely(remaining > 1)) remaining &= ~1U; - offset = hint + port_offset; + net_get_random_once(table_perturb, sizeof(table_perturb)); + index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT); + + offset = READ_ONCE(table_perturb[index]) + port_offset; offset %= remaining; /* In first pass we try ports of @low parity. * inet_csk_get_port() does the opposite choice. @@ -762,7 +776,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, return -EADDRNOTAVAIL; ok: - hint += i + 2; + WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2); /* Head lock still held and bh's disabled */ inet_bind_hash(sk, tb, port); -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS] arm64: fix extra cpucaps setup problem
by Yongqiang Liu 16 Jun '22

16 Jun '22

From: Chen Jiahao <chenjiahao16(a)huawei.com> hulk inclusion category: bugfix bugzilla: 186460, https://gitee.com/src-openeuler/kernel/issues/I53MHA CVE: CVE-2022-23960 -------------------------------- When introducing a new cpucaps macro ARM64_SPECTRE_BHB, ARM64_NCAPS was not able to modified easily due to KABI consistency. Here introduce a workaround to properly setup ARM64_SPECTRE_BHB beyond ARM64_NCAPS range. Fixes: def2df575d30 ("KVM: arm64: Add templates for BHB mitigation sequences") Signed-off-by: Chen Jiahao <chenjiahao16(a)huawei.com> Reviewed-by: Zhang Jianhua <chris.zjh(a)huawei.com> Reviewed-by: Liao Chang <liaochang1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- arch/arm64/include/asm/cpufeature.h | 15 +++++++++++++++ arch/arm64/kernel/alternative.c | 5 +++++ arch/arm64/kernel/cpufeature.c | 3 +++ 3 files changed, 23 insertions(+) diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h index bfb699957880..ffb0a1ec0088 100644 --- a/arch/arm64/include/asm/cpufeature.h +++ b/arch/arm64/include/asm/cpufeature.h @@ -368,6 +368,8 @@ extern struct static_key_false arm64_const_caps_ready; #define ARM64_NPATCHABLE (ARM64_NCAPS + 1) extern DECLARE_BITMAP(boot_capabilities, ARM64_NPATCHABLE); +extern bool set_cap_spectre_bhb; + bool this_cpu_has_cap(unsigned int cap); static inline bool cpu_have_feature(unsigned int num) @@ -378,15 +380,23 @@ static inline bool cpu_have_feature(unsigned int num) /* System capability check for constant caps */ static __always_inline bool __cpus_have_const_cap(int num) { + if (num == ARM64_SPECTRE_BHB) + return set_cap_spectre_bhb; + if (num >= ARM64_NCAPS) return false; + return static_branch_unlikely(&cpu_hwcap_keys[num]); } static inline bool cpus_have_cap(unsigned int num) { + if (num == ARM64_SPECTRE_BHB) + return set_cap_spectre_bhb; + if (num >= ARM64_NCAPS) return false; + return test_bit(num, cpu_hwcaps); } @@ -400,6 +410,11 @@ static __always_inline bool cpus_have_const_cap(int num) static inline void cpus_set_cap(unsigned int num) { + if (num == ARM64_SPECTRE_BHB) { + set_cap_spectre_bhb = true; + return; + } + if (num >= ARM64_NCAPS) { pr_warn("Attempt to set an illegal CPU capability (%d >= %d)\n", num, ARM64_NCAPS); diff --git a/arch/arm64/kernel/alternative.c b/arch/arm64/kernel/alternative.c index 8511fc3b94bb..ce5a26080b46 100644 --- a/arch/arm64/kernel/alternative.c +++ b/arch/arm64/kernel/alternative.c @@ -41,8 +41,13 @@ struct alt_region { struct alt_instr *end; }; +bool set_cap_spectre_bhb; + bool alternative_is_applied(u16 cpufeature) { + if (cpufeature == ARM64_SPECTRE_BHB) + return set_cap_spectre_bhb; + if (WARN_ON(cpufeature >= ARM64_NCAPS)) return false; diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index aa9178e9acc6..996d3476f3c8 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -1732,6 +1732,9 @@ __enable_cpu_capabilities(const struct arm64_cpu_capabilities *caps, for (; caps->matches; caps++) { unsigned int num = caps->capability; + if (num == ARM64_SPECTRE_BHB) + set_cap_spectre_bhb = true; + if (!(caps->type & scope_mask) || !cpus_have_cap(num)) continue; -- 2.25.1

1 0

[Cancel] openEuler kernel SIG例会&技术分享
by openEuler conference 16 Jun '22

16 Jun '22

Sorry! The Zoom meeting will be held at 2022-06-17 14:00 scheduled by openEuler Kernel SIG has been cancelled.

1 0

[PATCH openEuler-1.0-LTS 1/3] powerpc/32: Fix overread/overwrite of thread_struct via ptrace
by Yongqiang Liu 15 Jun '22

15 Jun '22

From: Michael Ellerman <mpe(a)ellerman.id.au> mainline inclusion from mainline-v5.19-rc2 commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5C43D CVE: CVE-2022-32981 -------------------------------- The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process to read/write registers of another process. To get/set a register, the API takes an index into an imaginary address space called the "USER area", where the registers of the process are laid out in some fashion. The kernel then maps that index to a particular register in its own data structures and gets/sets the value. The API only allows a single machine-word to be read/written at a time. So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels. The way floating point registers (FPRs) are addressed is somewhat complicated, because double precision float values are 64-bit even on 32-bit CPUs. That means on 32-bit kernels each FPR occupies two word-sized locations in the USER area. On 64-bit kernels each FPR occupies one word-sized location in the USER area. Internally the kernel stores the FPRs in an array of u64s, or if VSX is enabled, an array of pairs of u64s where one half of each pair stores the FPR. Which half of the pair stores the FPR depends on the kernel's endianness. To handle the different layouts of the FPRs depending on VSX/no-VSX and big/little endian, the TS_FPR() macro was introduced. Unfortunately the TS_FPR() macro does not take into account the fact that the addressing of each FPR differs between 32-bit and 64-bit kernels. It just takes the index into the "USER area" passed from userspace and indexes into the fp_state.fpr array. On 32-bit there are 64 indexes that address FPRs, but only 32 entries in the fp_state.fpr array, meaning the user can read/write 256 bytes past the end of the array. Because the fp_state sits in the middle of the thread_struct there are various fields than can be overwritten, including some pointers. As such it may be exploitable. It has also been observed to cause systems to hang or otherwise misbehave when using gdbserver, and is probably the root cause of this report which could not be easily reproduced: https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@k… Rather than trying to make the TS_FPR() macro even more complicated to fix the bug, or add more macros, instead add a special-case for 32-bit kernels. This is more obvious and hopefully avoids a similar bug happening again in future. Note that because 32-bit kernels never have VSX enabled the code doesn't need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to ensure that 32-bit && VSX is never enabled. Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds") Cc: stable(a)vger.kernel.org # v3.13+ Reported-by: Ariel Miculas <ariel.miculas(a)belden.com> Tested-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au Conflicts: arch/powerpc/kernel/ptrace/ptrace-fpu.c arch/powerpc/kernel/ptrace/ptrace.c Signed-off-by: Yipeng Zou <zouyipeng(a)huawei.com> Reviewed-by: Zhang Jianhua <chris.zjh(a)huawei.com> Reviewed-by: Liao Chang <liaochang1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- arch/powerpc/kernel/ptrace.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index e08b32ccf1d9..d245f0af412a 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c @@ -2980,6 +2980,9 @@ long arch_ptrace(struct task_struct *child, long request, void __user *datavp = (void __user *) data; unsigned long __user *datalp = datavp; + // ptrace_get/put_fpr() rely on PPC32 and VSX being incompatible + BUILD_BUG_ON(IS_ENABLED(CONFIG_PPC32) && IS_ENABLED(CONFIG_VSX)); + switch (request) { /* read the word at location addr in the USER area. */ case PTRACE_PEEKUSR: { @@ -3006,10 +3009,13 @@ long arch_ptrace(struct task_struct *child, long request, unsigned int fpidx = index - PT_FPR0; flush_fp_to_thread(child); - if (fpidx < (PT_FPSCR - PT_FPR0)) - memcpy(&tmp, &child->thread.TS_FPR(fpidx), - sizeof(long)); - else + if (fpidx < (PT_FPSCR - PT_FPR0)) { + if (IS_ENABLED(CONFIG_PPC32)) + // On 32-bit the index we are passed refers to 32-bit words + tmp = ((u32 *)child->thread.fp_state.fpr)[fpidx]; + else + memcpy(&tmp, &child->thread.TS_FPR(fpidx), sizeof(long)); + } else tmp = child->thread.fp_state.fpscr; } ret = put_user(tmp, datalp); @@ -3039,10 +3045,13 @@ long arch_ptrace(struct task_struct *child, long request, unsigned int fpidx = index - PT_FPR0; flush_fp_to_thread(child); - if (fpidx < (PT_FPSCR - PT_FPR0)) - memcpy(&child->thread.TS_FPR(fpidx), &data, - sizeof(long)); - else + if (fpidx < (PT_FPSCR - PT_FPR0)) { + if (IS_ENABLED(CONFIG_PPC32)) + // On 32-bit the index we are passed refers to 32-bit words + ((u32 *)child->thread.fp_state.fpr)[fpidx] = data; + else + memcpy(&child->thread.TS_FPR(fpidx), &data, sizeof(long)); + } else child->thread.fp_state.fpscr = data; ret = 0; } -- 2.25.1

1 2

[PATCH openEuler-1.0-LTS] sctp: use call_rcu to free endpoint
by Yongqiang Liu 14 Jun '22

14 Jun '22

From: Xin Long <lucien.xin(a)gmail.com> stable inclusion from stable-v4.19.224 commit af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec category: bugfix bugzilla: 186701, https://gitee.com/src-openeuler/kernel/issues/I5CAM2 CVE: CVE-2022-20154 -------------------------------- [ Upstream commit 5ec7d18d1813a5bead0b495045606c93873aecbb ] This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump(): BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 Call Trace: __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:334 [inline] __lock_sock+0x203/0x350 net/core/sock.c:2253 lock_sock_nested+0xfe/0x120 net/core/sock.c:2774 lock_sock include/net/sock.h:1492 [inline] sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324 sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091 sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527 __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049 inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065 netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244 __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352 netlink_dump_start include/linux/netlink.h:216 [inline] inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170 __sock_diag_cmd net/core/sock_diag.c:232 [inline] sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477 sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274 This issue occurs when asoc is peeled off and the old sk is freed after getting it by asoc->base.sk and before calling lock_sock(sk). To prevent the sk free, as a holder of the sk, ep should be alive when calling lock_sock(). This patch uses call_rcu() and moves sock_put and ep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to hold the ep under rcu_read_lock in sctp_transport_traverse_process(). If sctp_endpoint_hold() returns true, it means this ep is still alive and we have held it and can continue to dump it; If it returns false, it means this ep is dead and can be freed after rcu_read_unlock, and we should skip it. In sctp_sock_dump(), after locking the sk, if this ep is different from tsp->asoc->ep, it means during this dumping, this asoc was peeled off before calling lock_sock(), and the sk should be skipped; If this ep is the same with tsp->asoc->ep, it means no peeloff happens on this asoc, and due to lock_sock, no peeloff will happen either until release_sock. Note that delaying endpoint free won't delay the port release, as the port release happens in sctp_endpoint_destroy() before calling call_rcu(). Also, freeing endpoint by call_rcu() makes it safe to access the sk by asoc->base.sk in sctp_assocs_seq_show() and sctp_rcv(). Thanks Jones to bring this issue up. v1->v2: - improve the changelog. - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed. Reported-by: syzbot+9276d76e83e3bcde6c99(a)syzkaller.appspotmail.com Reported-by: Lee Jones <lee.jones(a)linaro.org> Fixes: d25adbeb0cdb ("sctp: fix an use-after-free issue in sctp_sock_dump") Signed-off-by: Xin Long <lucien.xin(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Huang Guobin <huangguobin4(a)huawei.com> Reviewed-by: Wei Yongjun <weiyongjun1(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- include/net/sctp/sctp.h | 6 +++--- include/net/sctp/structs.h | 3 ++- net/sctp/diag.c | 12 ++++++------ net/sctp/endpointola.c | 23 +++++++++++++++-------- net/sctp/socket.c | 23 +++++++++++++++-------- 5 files changed, 41 insertions(+), 26 deletions(-) diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index fef8c3372aee..6d201c6700be 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -118,6 +118,7 @@ extern struct percpu_counter sctp_sockets_allocated; int sctp_asconf_mgmt(struct sctp_sock *, struct sctp_sockaddr_entry *); struct sk_buff *sctp_skb_recv_datagram(struct sock *, int, int, int *); +typedef int (*sctp_callback_t)(struct sctp_endpoint *, struct sctp_transport *, void *); void sctp_transport_walk_start(struct rhashtable_iter *iter); void sctp_transport_walk_stop(struct rhashtable_iter *iter); struct sctp_transport *sctp_transport_get_next(struct net *net, @@ -128,9 +129,8 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *), struct net *net, const union sctp_addr *laddr, const union sctp_addr *paddr, void *p); -int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *), - int (*cb_done)(struct sctp_transport *, void *), - struct net *net, int *pos, void *p); +int sctp_transport_traverse_process(sctp_callback_t cb, sctp_callback_t cb_done, + struct net *net, int *pos, void *p); int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *), void *p); int sctp_get_sctp_info(struct sock *sk, struct sctp_association *asoc, struct sctp_info *info); diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 2882bc7a5b4b..18f9924aa250 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -1348,6 +1348,7 @@ struct sctp_endpoint { u32 secid; u32 peer_secid; + struct rcu_head rcu; }; /* Recover the outter endpoint structure. */ @@ -1363,7 +1364,7 @@ static inline struct sctp_endpoint *sctp_ep(struct sctp_ep_common *base) struct sctp_endpoint *sctp_endpoint_new(struct sock *, gfp_t); void sctp_endpoint_free(struct sctp_endpoint *); void sctp_endpoint_put(struct sctp_endpoint *); -void sctp_endpoint_hold(struct sctp_endpoint *); +int sctp_endpoint_hold(struct sctp_endpoint *ep); void sctp_endpoint_add_asoc(struct sctp_endpoint *, struct sctp_association *); struct sctp_association *sctp_endpoint_lookup_assoc( const struct sctp_endpoint *ep, diff --git a/net/sctp/diag.c b/net/sctp/diag.c index 8767405de9fa..0a9db0a7f423 100644 --- a/net/sctp/diag.c +++ b/net/sctp/diag.c @@ -307,9 +307,8 @@ static int sctp_tsp_dump_one(struct sctp_transport *tsp, void *p) return err; } -static int sctp_sock_dump(struct sctp_transport *tsp, void *p) +static int sctp_sock_dump(struct sctp_endpoint *ep, struct sctp_transport *tsp, void *p) { - struct sctp_endpoint *ep = tsp->asoc->ep; struct sctp_comm_param *commp = p; struct sock *sk = ep->base.sk; struct sk_buff *skb = commp->skb; @@ -319,6 +318,8 @@ static int sctp_sock_dump(struct sctp_transport *tsp, void *p) int err = 0; lock_sock(sk); + if (ep != tsp->asoc->ep) + goto release; list_for_each_entry(assoc, &ep->asocs, asocs) { if (cb->args[4] < cb->args[1]) goto next; @@ -361,9 +362,8 @@ static int sctp_sock_dump(struct sctp_transport *tsp, void *p) return err; } -static int sctp_sock_filter(struct sctp_transport *tsp, void *p) +static int sctp_sock_filter(struct sctp_endpoint *ep, struct sctp_transport *tsp, void *p) { - struct sctp_endpoint *ep = tsp->asoc->ep; struct sctp_comm_param *commp = p; struct sock *sk = ep->base.sk; const struct inet_diag_req_v2 *r = commp->r; @@ -521,8 +521,8 @@ static void sctp_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, if (!(idiag_states & ~(TCPF_LISTEN | TCPF_CLOSE))) goto done; - sctp_for_each_transport(sctp_sock_filter, sctp_sock_dump, - net, &pos, &commp); + sctp_transport_traverse_process(sctp_sock_filter, sctp_sock_dump, + net, &pos, &commp); cb->args[2] = pos; done: diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c index 8640dedcf64f..c4068451b9c7 100644 --- a/net/sctp/endpointola.c +++ b/net/sctp/endpointola.c @@ -242,6 +242,18 @@ void sctp_endpoint_free(struct sctp_endpoint *ep) } /* Final destructor for endpoint. */ +static void sctp_endpoint_destroy_rcu(struct rcu_head *head) +{ + struct sctp_endpoint *ep = container_of(head, struct sctp_endpoint, rcu); + struct sock *sk = ep->base.sk; + + sctp_sk(sk)->ep = NULL; + sock_put(sk); + + kfree(ep); + SCTP_DBG_OBJCNT_DEC(ep); +} + static void sctp_endpoint_destroy(struct sctp_endpoint *ep) { struct sock *sk; @@ -275,18 +287,13 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep) if (sctp_sk(sk)->bind_hash) sctp_put_port(sk); - sctp_sk(sk)->ep = NULL; - /* Give up our hold on the sock */ - sock_put(sk); - - kfree(ep); - SCTP_DBG_OBJCNT_DEC(ep); + call_rcu(&ep->rcu, sctp_endpoint_destroy_rcu); } /* Hold a reference to an endpoint. */ -void sctp_endpoint_hold(struct sctp_endpoint *ep) +int sctp_endpoint_hold(struct sctp_endpoint *ep) { - refcount_inc(&ep->base.refcnt); + return refcount_inc_not_zero(&ep->base.refcnt); } /* Release a reference to an endpoint and clean up if there are diff --git a/net/sctp/socket.c b/net/sctp/socket.c index cfa54e56add9..0e979a273dcd 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5059,11 +5059,12 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *), } EXPORT_SYMBOL_GPL(sctp_transport_lookup_process); -int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *), - int (*cb_done)(struct sctp_transport *, void *), - struct net *net, int *pos, void *p) { +int sctp_transport_traverse_process(sctp_callback_t cb, sctp_callback_t cb_done, + struct net *net, int *pos, void *p) +{ struct rhashtable_iter hti; struct sctp_transport *tsp; + struct sctp_endpoint *ep; int ret; again: @@ -5072,26 +5073,32 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *), tsp = sctp_transport_get_idx(net, &hti, *pos + 1); for (; !IS_ERR_OR_NULL(tsp); tsp = sctp_transport_get_next(net, &hti)) { - ret = cb(tsp, p); - if (ret) - break; + ep = tsp->asoc->ep; + if (sctp_endpoint_hold(ep)) { /* asoc can be peeled off */ + ret = cb(ep, tsp, p); + if (ret) + break; + sctp_endpoint_put(ep); + } (*pos)++; sctp_transport_put(tsp); } sctp_transport_walk_stop(&hti); if (ret) { - if (cb_done && !cb_done(tsp, p)) { + if (cb_done && !cb_done(ep, tsp, p)) { (*pos)++; + sctp_endpoint_put(ep); sctp_transport_put(tsp); goto again; } + sctp_endpoint_put(ep); sctp_transport_put(tsp); } return ret; } -EXPORT_SYMBOL_GPL(sctp_for_each_transport); +EXPORT_SYMBOL_GPL(sctp_transport_traverse_process); /* 7.2.1 Association Status (SCTP_STATUS) -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS] ext4: convert from atomic_t to refcount_t on ext4_io_end->count
by Yongqiang Liu 14 Jun '22

14 Jun '22

From: Xiyu Yang <xiyuyang19(a)fudan.edu.cn> hulk inclusion category: bugfix bugzilla: 186971, https://gitee.com/openeuler/kernel/issues/I5C8IW CVE: NA -------------------------------- refcount_t type and corresponding API can protect refcounters from accidental underflow and overflow and further use-after-free situations. Signed-off-by: Xiyu Yang <xiyuyang19(a)fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf(a)gmail.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Link: https://lore.kernel.org/r/1626674355-55795-1-git-send-email-xiyuyang19@fuda… Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Li Nan <linan122(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- fs/ext4/ext4.h | 3 ++- fs/ext4/page-io.c | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 16e2b719d47c..6efc710b07bf 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -17,6 +17,7 @@ #ifndef _EXT4_H #define _EXT4_H +#include <linux/refcount.h> #include <linux/types.h> #include <linux/blkdev.h> #include <linux/magic.h> @@ -231,7 +232,7 @@ typedef struct ext4_io_end { struct bio *bio; /* Linked list of completed * bios covering the extent */ unsigned int flag; /* unwritten or not */ - atomic_t count; /* reference counter */ + refcount_t count; /* reference counter */ loff_t offset; /* offset in the file */ ssize_t size; /* size of the extent */ } ext4_io_end_t; diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c index 3de933354a08..decae80aeb98 100644 --- a/fs/ext4/page-io.c +++ b/fs/ext4/page-io.c @@ -256,14 +256,14 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags) if (io) { io->inode = inode; INIT_LIST_HEAD(&io->list); - atomic_set(&io->count, 1); + refcount_set(&io->count, 1); } return io; } void ext4_put_io_end_defer(ext4_io_end_t *io_end) { - if (atomic_dec_and_test(&io_end->count)) { + if (refcount_dec_and_test(&io_end->count)) { if (!(io_end->flag & EXT4_IO_END_UNWRITTEN) || !io_end->size) { ext4_release_io_end(io_end); return; @@ -276,7 +276,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end) { int err = 0; - if (atomic_dec_and_test(&io_end->count)) { + if (refcount_dec_and_test(&io_end->count)) { if (io_end->flag & EXT4_IO_END_UNWRITTEN) { err = ext4_convert_unwritten_extents(io_end->handle, io_end->inode, io_end->offset, @@ -291,7 +291,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end) ext4_io_end_t *ext4_get_io_end(ext4_io_end_t *io_end) { - atomic_inc(&io_end->count); + refcount_inc(&io_end->count); return io_end; } -- 2.25.1

1 0