February 2023 - Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 1/2] scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
by Yongqiang Liu 28 Feb '23

28 Feb '23

From: Mike Christie <michael.christie(a)oracle.com> mainline inclusion from mainline-v6.2-rc6~31 commit 6f1d64b13097e85abda0f91b5638000afc5f9a06 category: bugfix bugzilla: 188443, https://gitee.com/openeuler/kernel/issues/I6I8YD CVE: NA ---------------------------------------- Bug report and analysis from Ding Hui. During iSCSI session logout, if another task accesses the shost ipaddress attr, we can get a KASAN UAF report like this: [ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0 [ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088 [ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3 [ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 276.944470] Call Trace: [ 276.944943] <TASK> [ 276.945397] dump_stack_lvl+0x34/0x48 [ 276.945887] print_address_description.constprop.0+0x86/0x1e7 [ 276.946421] print_report+0x36/0x4f [ 276.947358] kasan_report+0xad/0x130 [ 276.948234] kasan_check_range+0x35/0x1c0 [ 276.948674] _raw_spin_lock_bh+0x78/0xe0 [ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp] [ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi] [ 276.952185] dev_attr_show+0x3f/0x80 [ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0 [ 276.953401] seq_read_iter+0x402/0x1020 [ 276.954260] vfs_read+0x532/0x7b0 [ 276.955113] ksys_read+0xed/0x1c0 [ 276.955952] do_syscall_64+0x38/0x90 [ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 276.956769] RIP: 0033:0x7f5d3a679222 [ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24 [ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222 [ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003 [ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000 [ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000 [ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58 [ 276.960536] </TASK> [ 276.961357] Allocated by task 2209: [ 276.961756] kasan_save_stack+0x1e/0x40 [ 276.962170] kasan_set_track+0x21/0x30 [ 276.962557] __kasan_kmalloc+0x7e/0x90 [ 276.962923] __kmalloc+0x5b/0x140 [ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi] [ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi] [ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp] [ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi] [ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi] [ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] [ 276.965546] netlink_unicast+0x4d5/0x7b0 [ 276.965905] netlink_sendmsg+0x78d/0xc30 [ 276.966236] sock_sendmsg+0xe5/0x120 [ 276.966576] ____sys_sendmsg+0x5fe/0x860 [ 276.966923] ___sys_sendmsg+0xe0/0x170 [ 276.967300] __sys_sendmsg+0xc8/0x170 [ 276.967666] do_syscall_64+0x38/0x90 [ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 276.968773] Freed by task 2209: [ 276.969111] kasan_save_stack+0x1e/0x40 [ 276.969449] kasan_set_track+0x21/0x30 [ 276.969789] kasan_save_free_info+0x2a/0x50 [ 276.970146] __kasan_slab_free+0x106/0x190 [ 276.970470] __kmem_cache_free+0x133/0x270 [ 276.970816] device_release+0x98/0x210 [ 276.971145] kobject_cleanup+0x101/0x360 [ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi] [ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp] [ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi] [ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi] [ 276.972808] netlink_unicast+0x4d5/0x7b0 [ 276.973201] netlink_sendmsg+0x78d/0xc30 [ 276.973544] sock_sendmsg+0xe5/0x120 [ 276.973864] ____sys_sendmsg+0x5fe/0x860 [ 276.974248] ___sys_sendmsg+0xe0/0x170 [ 276.974583] __sys_sendmsg+0xc8/0x170 [ 276.974891] do_syscall_64+0x38/0x90 [ 276.975216] entry_SYSCALL_64_after_hwframe+0x63/0xcd We can easily reproduce by two tasks: 1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done 2. while :; do cat \ /sys/devices/platform/host*/iscsi_host/host*/ipaddress; done iscsid | cat --------------------------------+--------------------------------------- |- iscsi_sw_tcp_session_destroy | |- iscsi_session_teardown | |- device_release | |- iscsi_session_release ||- dev_attr_show |- kfree | |- show_host_param_ | ISCSI_HOST_PARAM_IPADDRESS | |- iscsi_sw_tcp_host_get_param | |- r/w tcp_sw_host->session (UAF) |- iscsi_host_remove | |- iscsi_host_free | Fix the above bug by splitting the session removal into 2 parts: 1. removal from iSCSI class which includes sysfs and removal from host tracking. 2. freeing of session. During iscsi_tcp host and session removal we can remove the session from sysfs then remove the host from sysfs. At this point we know userspace is not accessing the kernel via sysfs so we can free the session and host. Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com Signed-off-by: Mike Christie <michael.christie(a)oracle.com> Reviewed-by: Lee Duncan <lduncan(a)suse.com> Acked-by: Ding Hui <dinghui(a)sangfor.com.cn> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Wenchao Hao <haowenchao2(a)huawei.com> Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/scsi/iscsi_tcp.c | 11 +++++++++-- drivers/scsi/libiscsi.c | 39 +++++++++++++++++++++++++++++++-------- include/scsi/libiscsi.h | 2 ++ 3 files changed, 42 insertions(+), 10 deletions(-) diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 241b1a310519..a5259fd39d6d 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -910,10 +910,17 @@ static void iscsi_sw_tcp_session_destroy(struct iscsi_cls_session *cls_session) if (WARN_ON_ONCE(session->leadconn)) return; + iscsi_session_remove(cls_session); + /* + * Our get_host_param needs to access the session, so remove the + * host from sysfs before freeing the session to make sure userspace + * is no longer accessing the callout. + */ + iscsi_host_remove(shost); + iscsi_tcp_r2tpool_free(cls_session->dd_data); - iscsi_session_teardown(cls_session); - iscsi_host_remove(shost); + iscsi_session_free(cls_session); iscsi_host_free(shost); } diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c index 9f625a4d53c0..72463874d7b4 100644 --- a/drivers/scsi/libiscsi.c +++ b/drivers/scsi/libiscsi.c @@ -3018,20 +3018,34 @@ iscsi_session_setup(struct iscsi_transport *iscsit, struct Scsi_Host *shost, } EXPORT_SYMBOL_GPL(iscsi_session_setup); +/* + * issi_session_remove - Remove session from iSCSI class. + */ +void iscsi_session_remove(struct iscsi_cls_session *cls_session) +{ + struct iscsi_session *session = cls_session->dd_data; + struct Scsi_Host *shost = session->host; + + iscsi_remove_session(cls_session); + /* + * host removal only has to wait for its children to be removed from + * sysfs, and iscsi_tcp needs to do iscsi_host_remove before freeing + * the session, so drop the session count here. + */ + iscsi_host_dec_session_cnt(shost); +} +EXPORT_SYMBOL_GPL(iscsi_session_remove); + /** - * iscsi_session_teardown - destroy session, host, and cls_session + * iscsi_session_free - Free iscsi session and it's resources * @cls_session: iscsi session */ -void iscsi_session_teardown(struct iscsi_cls_session *cls_session) +void iscsi_session_free(struct iscsi_cls_session *cls_session) { struct iscsi_session *session = cls_session->dd_data; struct module *owner = cls_session->transport->owner; - struct Scsi_Host *shost = session->host; iscsi_pool_free(&session->cmdpool); - - iscsi_remove_session(cls_session); - kfree(session->password); kfree(session->password_in); kfree(session->username); @@ -3047,10 +3061,19 @@ void iscsi_session_teardown(struct iscsi_cls_session *cls_session) kfree(session->discovery_parent_type); iscsi_free_session(cls_session); - - iscsi_host_dec_session_cnt(shost); module_put(owner); } +EXPORT_SYMBOL_GPL(iscsi_session_free); + +/** + * iscsi_session_teardown - destroy session and cls_session + * @cls_session: iscsi session + */ +void iscsi_session_teardown(struct iscsi_cls_session *cls_session) +{ + iscsi_session_remove(cls_session); + iscsi_session_free(cls_session); +} EXPORT_SYMBOL_GPL(iscsi_session_teardown); /** diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h index 254e72b46d10..2a8d1de70290 100644 --- a/include/scsi/libiscsi.h +++ b/include/scsi/libiscsi.h @@ -425,6 +425,8 @@ extern int iscsi_host_get_max_scsi_cmds(struct Scsi_Host *shost, extern struct iscsi_cls_session * iscsi_session_setup(struct iscsi_transport *, struct Scsi_Host *shost, uint16_t, int, int, uint32_t, unsigned int); +void iscsi_session_remove(struct iscsi_cls_session *cls_session); +void iscsi_session_free(struct iscsi_cls_session *cls_session); extern void iscsi_session_teardown(struct iscsi_cls_session *); extern void iscsi_session_recovery_timedout(struct iscsi_cls_session *); extern int iscsi_set_param(struct iscsi_cls_conn *cls_conn, -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS] pciehp: fix the problem that the slot is powered on again after being powered off
by jiazhenyuan＠uniontech.com 28 Feb '23

28 Feb '23

From: jiazhenyuan <jiazhenyuan(a)uniontech.com> mainline inclusion from mainline-4.19-lts commit 32a8cef274feacd00b748a4f13b84d60aa6d82ff category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6ICDL CVE: NA ---------------------------------------- The DISABLE_SLOT event is lost when the slot is powered off. Signed-off-by: jiazhenyuan <jiazhenyuan(a)uniontech.com> --- drivers/pci/hotplug/pciehp_ctrl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c index 2d549c97ac42..dd67dc540279 100644 --- a/drivers/pci/hotplug/pciehp_ctrl.c +++ b/drivers/pci/hotplug/pciehp_ctrl.c @@ -463,6 +463,7 @@ int pciehp_sysfs_disable_slot(struct slot *p_slot) mutex_unlock(&p_slot->lock); pci_config_pm_runtime_get(pdev); down_read(&ctrl->reset_lock); + atomic_or(DISABLE_SLOT, &ctrl->pending_events); pciehp_handle_disable_request(p_slot); up_read(&ctrl->reset_lock); pci_config_pm_runtime_put(pdev); -- 2.27.0

1 0

[PATCH openEuler-1.0-LTS] net: mpls: fix stale pointer if allocation fails during device rename
by Yongqiang Liu 28 Feb '23

28 Feb '23

From: Jakub Kicinski <kuba(a)kernel.org> stable inclusion from stable-v4.19.273 commit aa07c86e43ed8780d610ecfb2ce13da326729201 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6HZHU CVE: CVE-2023-26545 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream. lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free). Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable. Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time. sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL. Reported-by: lianhui tang <bluetlh(a)gmail.com> Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> Reviewed-by: Liu Jian <liujian56(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index 7623d9aec636..c7fd387baa61 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -1375,6 +1375,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev, free: kfree(table); out: + mdev->sysctl = NULL; return -ENOBUFS; } @@ -1384,6 +1385,9 @@ static void mpls_dev_sysctl_unregister(struct net_device *dev, struct net *net = dev_net(dev); struct ctl_table *table; + if (!mdev->sysctl) + return; + table = mdev->sysctl->ctl_table_arg; unregister_net_sysctl_table(mdev->sysctl); kfree(table); -- 2.25.1

1 0

[PATCH openEuler-5.10-LTS-SP1] net: mpls: fix stale pointer if allocation fails during device rename
by Jialin Zhang 28 Feb '23

28 Feb '23

From: Jakub Kicinski <kuba(a)kernel.org> stable inclusion from stable-v5.10.169 commit 7ff0fdba82298d1f456c685e24930da89703c0fb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6HZHU CVE: CVE-2023-26545 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit fda6c89fe3d9aca073495a664e1d5aea28cd4377 upstream. lianhui reports that when MPLS fails to register the sysctl table under new location (during device rename) the old pointers won't get overwritten and may be freed again (double free). Handle this gracefully. The best option would be unregistering the MPLS from the device completely on failure, but unfortunately mpls_ifdown() can fail. So failing fully is also unreliable. Another option is to register the new table first then only remove old one if the new one succeeds. That requires more code, changes order of notifications and two tables may be visible at the same time. sysctl point is not used in the rest of the code - set to NULL on failures and skip unregister if already NULL. Reported-by: lianhui tang <bluetlh(a)gmail.com> Fixes: 0fae3bf018d9 ("mpls: handle device renames for per-device sysctls") Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> Reviewed-by: Liu Jian <liujian56(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com> --- net/mpls/af_mpls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index 72398149e4d4..1dcbdab9319b 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -1427,6 +1427,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev, free: kfree(table); out: + mdev->sysctl = NULL; return -ENOBUFS; } @@ -1436,6 +1437,9 @@ static void mpls_dev_sysctl_unregister(struct net_device *dev, struct net *net = dev_net(dev); struct ctl_table *table; + if (!mdev->sysctl) + return; + table = mdev->sysctl->ctl_table_arg; unregister_net_sysctl_table(mdev->sysctl); kfree(table); -- 2.25.1

1 0

[PATCH openEuler-5.10-LTS 01/50] Revert "[Huawei] io_uring:drop identity before creating a private one"
by Jialin Zhang 28 Feb '23

28 Feb '23

From: Li Lingfeng <lilingfeng3(a)huawei.com> Offering: HULK hulk inclusion category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6BTWC ------------------------------- This reverts commit ab45921343c63dc9d461740e23003098697e0333. We need to apply patch 788d0824269bef (io_uring: import 5.15-stable io_uring) to move io_uring to separate directory and solve the problem of CVE-2023-0240. This patch fix a uaf problem of io_identity, and it can be reverted since io_identity is removed in patch 788d0824269bef. Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com> --- fs/io_uring.c | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 4ace89ae4832..2397c2a1d919 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1364,47 +1364,6 @@ static bool io_identity_cow(struct io_kiocb *req) return true; } -static void io_drop_identity(struct io_kiocb *req) -{ - struct io_identity *id = req->work.identity; - - if (req->work.flags & IO_WQ_WORK_MM) { - mmdrop(id->mm); - req->work.flags &= ~IO_WQ_WORK_MM; - } -#ifdef CONFIG_BLK_CGROUP - if (req->work.flags & IO_WQ_WORK_BLKCG) { - css_put(id->blkcg_css); - req->work.flags &= ~IO_WQ_WORK_BLKCG; - } -#endif - if (req->work.flags & IO_WQ_WORK_CREDS) { - put_cred(id->creds); - req->work.flags &= ~IO_WQ_WORK_CREDS; - } - if (req->work.flags & IO_WQ_WORK_FILES) { - put_files_struct(req->work.identity->files); - put_nsproxy(req->work.identity->nsproxy); - req->work.flags &= ~IO_WQ_WORK_FILES; - } - if (req->work.flags & IO_WQ_WORK_CANCEL) - req->work.flags &= ~IO_WQ_WORK_CANCEL; - if (req->work.flags & IO_WQ_WORK_FS) { - struct fs_struct *fs = id->fs; - - spin_lock(&id->fs->lock); - if (--fs->users) - fs = NULL; - spin_unlock(&id->fs->lock); - - if (fs) - free_fs_struct(fs); - req->work.flags &= ~IO_WQ_WORK_FS; - } - if (req->work.flags & IO_WQ_WORK_FSIZE) - req->work.flags &= ~IO_WQ_WORK_FSIZE; -} - static bool io_grab_identity(struct io_kiocb *req) { const struct io_op_def *def = &io_op_defs[req->opcode]; @@ -1510,7 +1469,6 @@ static void io_prep_async_work(struct io_kiocb *req) if (io_grab_identity(req)) return; - io_drop_identity(req); if (!io_identity_cow(req)) return; -- 2.25.1

1 49

[PATCH openEuler-5.10-LTS-SP1 01/52] Revert "[Huawei] io_uring:drop identity before creating a private one"
by Jialin Zhang 28 Feb '23

28 Feb '23

From: Li Lingfeng <lilingfeng3(a)huawei.com> Offering: HULK hulk inclusion category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6BTWC ------------------------------- This reverts commit 6d9aaec1edb197ca7e05873c1930c418b7ecaa1e. We need to apply patch 788d0824269bef (io_uring: import 5.15-stable io_uring) to move io_uring to separate directory and solve the problem of CVE-2023-0240. This patch fix a uaf problem of io_identity, and it can be reverted since io_identity is removed in patch 788d0824269bef. Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com> --- fs/io_uring.c | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 21adb7ff7b2e..adb8fcef738a 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1364,47 +1364,6 @@ static bool io_identity_cow(struct io_kiocb *req) return true; } -static void io_drop_identity(struct io_kiocb *req) -{ - struct io_identity *id = req->work.identity; - - if (req->work.flags & IO_WQ_WORK_MM) { - mmdrop(id->mm); - req->work.flags &= ~IO_WQ_WORK_MM; - } -#ifdef CONFIG_BLK_CGROUP - if (req->work.flags & IO_WQ_WORK_BLKCG) { - css_put(id->blkcg_css); - req->work.flags &= ~IO_WQ_WORK_BLKCG; - } -#endif - if (req->work.flags & IO_WQ_WORK_CREDS) { - put_cred(id->creds); - req->work.flags &= ~IO_WQ_WORK_CREDS; - } - if (req->work.flags & IO_WQ_WORK_FILES) { - put_files_struct(req->work.identity->files); - put_nsproxy(req->work.identity->nsproxy); - req->work.flags &= ~IO_WQ_WORK_FILES; - } - if (req->work.flags & IO_WQ_WORK_CANCEL) - req->work.flags &= ~IO_WQ_WORK_CANCEL; - if (req->work.flags & IO_WQ_WORK_FS) { - struct fs_struct *fs = id->fs; - - spin_lock(&id->fs->lock); - if (--fs->users) - fs = NULL; - spin_unlock(&id->fs->lock); - - if (fs) - free_fs_struct(fs); - req->work.flags &= ~IO_WQ_WORK_FS; - } - if (req->work.flags & IO_WQ_WORK_FSIZE) - req->work.flags &= ~IO_WQ_WORK_FSIZE; -} - static bool io_grab_identity(struct io_kiocb *req) { const struct io_op_def *def = &io_op_defs[req->opcode]; @@ -1510,7 +1469,6 @@ static void io_prep_async_work(struct io_kiocb *req) if (io_grab_identity(req)) return; - io_drop_identity(req); if (!io_identity_cow(req)) return; -- 2.25.1

1 51

[PATCH openEuler-1.0-LTS 1/3] selinux: further adjust init order for file_alloc_security hook
by Yongqiang Liu 27 Feb '23

27 Feb '23

From: "GONG, Ruiqi" <gongruiqi1(a)huawei.com> hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6DRJ1 CVE: NA ---------------------------------------- After backporting commit cfff75d8973a ("selinux: reorder hooks to make runtime disable less broken") to the 4.19 kernel of openEuler-1.0-LTS, another kernel panic was triggered by running the POC of the aforementioned commit: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 PGD 800000001840b067 P4D 800000001840b067 PUD 1840c067 PMD 0 Oops: 0002 [#1] SMP PTI CPU: 7 PID: 273 Comm: exe Tainted: G OE 4.19.90+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:selinux_file_open+0x49/0xf0 Code: 00 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 4c 89 e7 e8 a6 ec ff ff 49 8b 44 24 38 48 c7 c7 e0 a5 13 97 8b 40 1c <89> 45 08 e8 6f 80 ff ff ba 02 00 00 00 89 45 0c 8b 43 44 8b 73 40 RSP: 0018:ffffbb7300867ba0 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffff9dc301961400 RCX: 00000000000081ed RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff9713a5e0 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9dc301fedcb0 R10: 0000000000000007 R11: 7fffffffffffffff R12: ffff9dc30204fd70 R13: 0000000000000000 R14: ffff9dc301961410 R15: ffffbb7300867c70 FS: 0000000000d258c0(0000) GS:ffff9dc33e9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 00000000022bc000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? generic_permission+0x10a/0x190 security_file_open+0x26/0x90 do_dentry_open+0xd9/0x380 do_last+0x197/0x8d0 path_openat+0x89/0x280 do_filp_open+0x91/0x100 do_open_execat+0x79/0x180 __do_execve_file.isra.0+0x6dd/0x8b0 __x64_sys_execve+0x35/0x40 do_syscall_64+0x63/0x250 ? async_page_fault+0x8/0x30 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x49a5db Code: 41 89 01 eb da 66 2e 0f 1f 84 00 00 00 00 00 f7 d8 64 41 89 01 eb d6 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 3b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe7b1cebd8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b RAX: ffffffffffffffda RBX: 0000000000d27ee0 RCX: 000000000049a5db RDX: 0000000000d27f08 RSI: 0000000000d27ee0 RDI: 0000000000d27f48 RBP: 0000000000d27f48 R08: fefefefefefefeff R09: fefefeff666d686f R10: 0000000000d25b90 R11: 0000000000000246 R12: 0000000000d27f08 R13: 0000000000655894 R14: 0000000000d27f08 R15: 0000000000d26ed0 Modules linked in: e1000(OE) CR2: 0000000000000008 ---[ end trace e4eb884974c22e2d ]--- RIP: 0010:selinux_file_open+0x49/0xf0 Code: 00 00 00 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 4c 89 e7 e8 a6 ec ff ff 49 8b 44 24 38 48 c7 c7 e0 a5 13 97 8b 40 1c <89> 45 08 e8 6f 80 ff ff ba 02 00 00 00 89 45 0c 8b 43 44 8b 73 40 RSP: 0018:ffffbb7300867ba0 EFLAGS: 00010246 RAX: 0000000000000003 RBX: ffff9dc301961400 RCX: 00000000000081ed RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffff9713a5e0 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff9dc301fedcb0 R10: 0000000000000007 R11: 7fffffffffffffff R12: ffff9dc30204fd70 R13: 0000000000000000 R14: ffff9dc301961410 R15: ffffbb7300867c70 FS: 0000000000d258c0(0000) GS:ffff9dc33e9c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 00000000022bc000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x14400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- The problem was caused by selinux_file_open() accessing a file's fsec being NULL, which indicated that the file_alloc_security hook should be deleted later (at least after the file_open hook) when disabling SELinux at runtime. Here I put it into the "allocating" part. Signed-off-by: GONG, Ruiqi <gongruiqi1(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- security/selinux/hooks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index cd26c1199353..85ac12d6b2f4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7040,7 +7040,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), LSM_HOOK_INIT(file_free_security, selinux_file_free_security), LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl), LSM_HOOK_INIT(mmap_file, selinux_mmap_file), @@ -7207,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(shm_alloc_security, selinux_shm_alloc_security), LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), LSM_HOOK_INIT(cred_alloc_blank, selinux_cred_alloc_blank), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), -- 2.25.1

1 2

[PATCH openEuler-1.0-LTS 1/1] nbd: fix assignment error for first_minor in nbd_dev_add
by Yongqiang Liu 25 Feb '23

25 Feb '23

From: Zhong Jinghua <zhongjinghua(a)huawei.com> hulk inclusion category: bugfix bugzilla: 188413, https://gitee.com/openeuler/kernel/issues/I6GWYG CVE: NA ---------------------------------------- A panic error is like below: nbd_genl_connect nbd_dev_add first_minor = index << part_shift; // index =-1 ... __device_add_disk blk_alloc_devt *devt = MKDEV(disk->major, disk->first_minor + part->partno); // part->partno = 0， first_minor = 11...110000 major is covered There, index < 0 will reassign an index, but here disk->first_minor is assigned -1 << part_shift. This causes to the creation of the device with the same major and minor device numbers each time the incoming index<0, and this will lead to creation of kobject failed: Warning: kobject_add_internal failed for 4095:1048544 with -EEXIST, don't try to register things with the same name in the same directory. Fix it by moving the first_minor assignment down to after getting the new index. Fixes: 01f7594e62e9 ("nbd: Fix use-after-free in blk_mq_free_rqs") Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/block/nbd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 8dbbd676d275..551b2f7da8ef 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1706,7 +1706,6 @@ static int nbd_dev_add(int index) struct gendisk *disk; struct request_queue *q; int err = -ENOMEM; - int first_minor = index << part_shift; nbd = kzalloc(sizeof(struct nbd_device), GFP_KERNEL); if (!nbd) @@ -1770,7 +1769,7 @@ static int nbd_dev_add(int index) refcount_set(&nbd->refs, 1); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; - disk->first_minor = first_minor; + disk->first_minor = index << part_shift; disk->fops = &nbd_fops; disk->private_data = nbd; sprintf(disk->disk_name, "nbd%d", index); -- 2.25.1

2 1

openEuler缺陷issue处理流程_修正
by zhangjialin (F) 23 Feb '23

23 Feb '23

1 0

openEuler缺陷issue处理流程图
by zhangjialin (F) 23 Feb '23

23 Feb '23

1 0

2024

2023

2022

2021

2020

2019

Kernel February 2023