March 2023 - Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 1/2] scsi: fix use-after-free problem in scsi_remove_target
by Yongqiang Liu 13 Mar '23

13 Mar '23

From: Zhong Jinghua <zhongjinghua(a)huawei.com> hulk inclusion category: bugfix bugzilla: 188355, https://gitee.com/openeuler/kernel/issues/I6E4JF CVE: NA ---------------------------------------- A use-after-free problem like below: BUG: KASAN: use-after-free in scsi_target_reap+0x6c/0x70 Workqueue: scsi_wq_1 __iscsi_unbind_session [scsi_transport_iscsi] Call trace: dump_backtrace+0x0/0x320 show_stack+0x24/0x30 dump_stack+0xdc/0x128 print_address_description+0x68/0x278 kasan_report+0x1e4/0x308 __asan_report_load4_noabort+0x30/0x40 scsi_target_reap+0x6c/0x70 scsi_remove_target+0x430/0x640 __iscsi_unbind_session+0x164/0x268 [scsi_transport_iscsi] process_one_work+0x67c/0x1350 worker_thread+0x370/0xf90 kthread+0x2a4/0x320 ret_from_fork+0x10/0x18 The problem is caused by a concurrency scenario: T0: delete target // echo 1 > /sys/devices/platform/host1/session1/target1:0:0/1:0:0:1/delete T1: logout // iscsiadm -m node --logout T0 T1 sdev_store_delete scsi_remove_device device_remove_file __scsi_remove_device __iscsi_unbind_session scsi_remove_target spin_lock_irqsave list_for_each_entry scsi_target_reap // starget->reap_ref 1 -> 0 kref_get(&starget->reap_ref); // warn use-after-free. spin_unlock_irqrestore scsi_target_reap_ref_release scsi_target_destroy ... // delete starget scsi_target_reap // UAF When T0 reduces the reference count to 0, but has not been released, T1 can still enter list_for_each_entry, and then kref_get reports UAF. Fix it by using kref_get_unless_zero() to check for a reference count of 0. Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/scsi/scsi_sysfs.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index 4030e1fa57e5..453f5a6fb96b 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -1500,7 +1500,16 @@ void scsi_remove_target(struct device *dev) starget->state == STARGET_CREATED_REMOVE) continue; if (starget->dev.parent == dev || &starget->dev == dev) { - kref_get(&starget->reap_ref); + /* + * If the reference count is already zero, skip + * this target. Calling kref_get_unless_zero() if + * the reference count is zero is safe because + * scsi_target_destroy() will wait until the host + * lock has been released before freeing starget. + */ + if (!kref_get_unless_zero(&starget->reap_ref)) + continue; + if (starget->state == STARGET_CREATED) starget->state = STARGET_CREATED_REMOVE; else -- 2.25.1

1 1

[OLK-5.10 v1] RDMA/hns: Support congestion control algorithm parameter configuration
by Chengchang Tang 13 Mar '23

13 Mar '23

driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I6J5O7 --------------------------------------------------------------- hns roce support 4 congestion control algorithms. Each algorihm involves multiple parameters. This patch add port sysfs directory for each algorithm, which allows users to modify the parameters of these algorithms. Signed-off-by: Chengchang Tang <tangchengchang(a)huawei.com> Reviewed-by: Yangyang Li <liyangyang20(a)huawei.com> --- drivers/infiniband/hw/hns/Makefile | 2 +- drivers/infiniband/hw/hns/hns_roce_device.h | 42 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 77 ++++ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 132 ++++++ drivers/infiniband/hw/hns/hns_roce_main.c | 2 + drivers/infiniband/hw/hns/hns_roce_sysfs.c | 445 ++++++++++++++++++++ 6 files changed, 695 insertions(+), 5 deletions(-) create mode 100644 drivers/infiniband/hw/hns/hns_roce_sysfs.c diff --git a/drivers/infiniband/hw/hns/Makefile b/drivers/infiniband/hw/hns/Makefile index 77d8e41ffe7b..09f95fedd15d 100644 --- a/drivers/infiniband/hw/hns/Makefile +++ b/drivers/infiniband/hw/hns/Makefile @@ -10,7 +10,7 @@ ccflags-y += -I $(srctree)/drivers/net/ethernet/hisilicon/hns3/hns3_common hns-roce-objs := hns_roce_main.o hns_roce_cmd.o hns_roce_pd.o \ hns_roce_ah.o hns_roce_hem.o hns_roce_mr.o hns_roce_qp.o \ hns_roce_cq.o hns_roce_alloc.o hns_roce_db.o hns_roce_srq.o hns_roce_restrack.o \ - hns_roce_bond.o hns_roce_dca.o hns_roce_debugfs.o + hns_roce_bond.o hns_roce_dca.o hns_roce_debugfs.o hns_roce_sysfs.o ifdef CONFIG_INFINIBAND_HNS_HIP08 hns-roce-hw-v2-objs := hns_roce_hw_v2.o $(hns-roce-objs) diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h index 869d952b32b2..9d5580040e6b 100644 --- a/drivers/infiniband/hw/hns/hns_roce_device.h +++ b/drivers/infiniband/hw/hns/hns_roce_device.h @@ -767,11 +767,19 @@ struct hns_roce_eq_table { struct hns_roce_eq *eq; }; +enum hns_roce_scc_algo { + HNS_ROCE_SCC_ALGO_DCQCN = 0, + HNS_ROCE_SCC_ALGO_LDCP, + HNS_ROCE_SCC_ALGO_HC3, + HNS_ROCE_SCC_ALGO_DIP, + HNS_ROCE_SCC_ALGO_TOTAL, +}; + enum cong_type { - CONG_TYPE_DCQCN, - CONG_TYPE_LDCP, - CONG_TYPE_HC3, - CONG_TYPE_DIP, + CONG_TYPE_DCQCN = 1 << HNS_ROCE_SCC_ALGO_DCQCN, + CONG_TYPE_LDCP = 1 << HNS_ROCE_SCC_ALGO_LDCP, + CONG_TYPE_HC3 = 1 << HNS_ROCE_SCC_ALGO_HC3, + CONG_TYPE_DIP = 1 << HNS_ROCE_SCC_ALGO_DIP, }; struct hns_roce_caps { @@ -1016,6 +1024,28 @@ struct hns_roce_hw { int (*bond_init)(struct hns_roce_dev *hr_dev); bool (*bond_is_active)(struct hns_roce_dev *hr_dev); struct net_device *(*get_bond_netdev)(struct hns_roce_dev *hr_dev); + int (*config_scc_param)(struct hns_roce_dev *hr_dev, u8 port_num, + enum hns_roce_scc_algo algo); + int (*query_scc_param)(struct hns_roce_dev *hr_dev, u8 port_num, + enum hns_roce_scc_algo alog); +}; + +#define HNS_ROCE_SCC_PARAM_SIZE 4 +struct hns_roce_scc_param { + __le32 param[HNS_ROCE_SCC_PARAM_SIZE]; + u32 lifespan; + unsigned long timestamp; + enum hns_roce_scc_algo algo_type; + struct delayed_work scc_cfg_dwork; + struct hns_roce_dev *hr_dev; + u8 port_num; +}; + +struct hns_roce_port { + struct hns_roce_dev *hr_dev; + u8 port_num; + struct kobject kobj; + struct hns_roce_scc_param *scc_param; }; struct hns_roce_dev { @@ -1094,6 +1124,7 @@ struct hns_roce_dev { struct delayed_work bond_work; struct hns_roce_bond_group *bond_grp; struct netdev_lag_lower_state_info slave_state; + struct hns_roce_port port_data[HNS_ROCE_MAX_PORTS]; atomic64_t *dfx_cnt; }; @@ -1379,4 +1410,7 @@ struct hns_user_mmap_entry * hns_roce_user_mmap_entry_insert(struct ib_ucontext *ucontext, u64 address, size_t length, enum hns_roce_mmap_type mmap_type); +int hns_roce_create_port_files(struct ib_device *ibdev, u8 port_num, + struct kobject *kobj); +void hns_roce_unregister_sysfs(struct hns_roce_dev *hr_dev); #endif /* _HNS_ROCE_DEVICE_H */ diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index a76a57c7e36a..c9826a010f38 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -7146,6 +7146,81 @@ static void hns_roce_v2_cleanup_eq_table(struct hns_roce_dev *hr_dev) kfree(eq_table->eq); } +static enum hns_roce_opcode_type scc_opcode[] = { + HNS_ROCE_OPC_CFG_DCQCN_PARAM, + HNS_ROCE_OPC_CFG_LDCP_PARAM, + HNS_ROCE_OPC_CFG_HC3_PARAM, + HNS_ROCE_OPC_CFG_DIP_PARAM, +}; + +static int hns_roce_v2_config_scc_param(struct hns_roce_dev *hr_dev, + u8 port_num, + enum hns_roce_scc_algo algo) +{ + struct hns_roce_scc_param *scc_param; + struct hns_roce_cmq_desc desc; + struct hns_roce_port *pdata; + int ret; + + if (port_num > hr_dev->caps.num_ports) { + ibdev_err_ratelimited(&hr_dev->ib_dev, + "invalid port num %u.\n", port_num); + return -ENODEV; + } + + if (algo >= HNS_ROCE_SCC_ALGO_TOTAL) { + ibdev_err_ratelimited(&hr_dev->ib_dev, "invalid SCC algo.\n"); + return -EINVAL; + } + + hns_roce_cmq_setup_basic_desc(&desc, scc_opcode[algo], false); + pdata = &hr_dev->port_data[port_num - 1]; + scc_param = &pdata->scc_param[algo]; + memcpy(&desc.data, scc_param, sizeof(scc_param->param)); + + ret = hns_roce_cmq_send(hr_dev, &desc, 1); + if (ret) + ibdev_err_ratelimited(&hr_dev->ib_dev, + "failed to configure scc param, opcode: 0x%x, ret = %d.\n", + le16_to_cpu(desc.opcode), ret); + return ret; +} + +static int hns_roce_v2_query_scc_param(struct hns_roce_dev *hr_dev, + u8 port_num, enum hns_roce_scc_algo algo) +{ + struct hns_roce_scc_param *scc_param; + struct hns_roce_cmq_desc desc; + struct hns_roce_port *pdata; + int ret; + + if (port_num > hr_dev->caps.num_ports) { + ibdev_err_ratelimited(&hr_dev->ib_dev, + "invalid port num %u.\n", port_num); + return -ENODEV; + } + + if (algo >= HNS_ROCE_SCC_ALGO_TOTAL) { + ibdev_err_ratelimited(&hr_dev->ib_dev, "invalid SCC algo.\n"); + return -EINVAL; + } + + hns_roce_cmq_setup_basic_desc(&desc, scc_opcode[algo], true); + ret = hns_roce_cmq_send(hr_dev, &desc, 1); + if (ret) { + ibdev_err_ratelimited(&hr_dev->ib_dev, + "failed to query scc param, opcode: 0x%x, ret = %d.\n", + le16_to_cpu(desc.opcode), ret); + return ret; + } + + pdata = &hr_dev->port_data[port_num - 1]; + scc_param = &pdata->scc_param[algo]; + memcpy(scc_param, &desc.data, sizeof(scc_param->param)); + + return 0; +} + static const struct ib_device_ops hns_roce_v2_dev_ops = { .destroy_qp = hns_roce_v2_destroy_qp, .modify_cq = hns_roce_v2_modify_cq, @@ -7198,6 +7273,8 @@ static const struct hns_roce_hw hns_roce_hw_v2 = { .bond_is_active = hns_roce_bond_is_active, .get_bond_netdev = hns_roce_get_bond_netdev, .query_hw_counter = hns_roce_hw_v2_query_counter, + .config_scc_param = hns_roce_v2_config_scc_param, + .query_scc_param = hns_roce_v2_query_scc_param, }; static const struct pci_device_id hns_roce_hw_v2_pci_tbl[] = { diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h index 7d5c304a8342..90401577865e 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h @@ -227,6 +227,10 @@ enum { enum hns_roce_opcode_type { HNS_QUERY_FW_VER = 0x0001, HNS_QUERY_MAC_TYPE = 0x0389, + HNS_ROCE_OPC_CFG_DCQCN_PARAM = 0x1A80, + HNS_ROCE_OPC_CFG_LDCP_PARAM = 0x1A81, + HNS_ROCE_OPC_CFG_HC3_PARAM = 0x1A82, + HNS_ROCE_OPC_CFG_DIP_PARAM = 0x1A83, HNS_ROCE_OPC_QUERY_HW_VER = 0x8000, HNS_ROCE_OPC_CFG_GLOBAL_PARAM = 0x8001, HNS_ROCE_OPC_ALLOC_PF_RES = 0x8004, @@ -1468,6 +1472,134 @@ struct hns_roce_wqe_atomic_seg { __le64 cmp_data; }; +#define HNS_ROCE_DCQCN_AI_OFS 0 +#define HNS_ROCE_DCQCN_AI_SZ sizeof(u16) +#define HNS_ROCE_DCQCN_AI_MAX ((u16)(~0U)) +#define HNS_ROCE_DCQCN_F_OFS (HNS_ROCE_DCQCN_AI_OFS + HNS_ROCE_DCQCN_AI_SZ) +#define HNS_ROCE_DCQCN_F_SZ sizeof(u8) +#define HNS_ROCE_DCQCN_F_MAX ((u8)(~0U)) +#define HNS_ROCE_DCQCN_TKP_OFS (HNS_ROCE_DCQCN_F_OFS + HNS_ROCE_DCQCN_F_SZ) +#define HNS_ROCE_DCQCN_TKP_SZ sizeof(u8) +#define HNS_ROCE_DCQCN_TKP_MAX 15 +#define HNS_ROCE_DCQCN_TMP_OFS (HNS_ROCE_DCQCN_TKP_OFS + HNS_ROCE_DCQCN_TKP_SZ) +#define HNS_ROCE_DCQCN_TMP_SZ sizeof(u16) +#define HNS_ROCE_DCQCN_TMP_MAX 15 +#define HNS_ROCE_DCQCN_ALP_OFS (HNS_ROCE_DCQCN_TMP_OFS + HNS_ROCE_DCQCN_TMP_SZ) +#define HNS_ROCE_DCQCN_ALP_SZ sizeof(u16) +#define HNS_ROCE_DCQCN_ALP_MAX ((u16)(~0U)) +#define HNS_ROCE_DCQCN_MAX_SPEED_OFS (HNS_ROCE_DCQCN_ALP_OFS + \ + HNS_ROCE_DCQCN_ALP_SZ) +#define HNS_ROCE_DCQCN_MAX_SPEED_SZ sizeof(u32) +#define HNS_ROCE_DCQCN_MAX_SPEED_MAX ((u32)(~0U)) +#define HNS_ROCE_DCQCN_G_OFS (HNS_ROCE_DCQCN_MAX_SPEED_OFS + \ + HNS_ROCE_DCQCN_MAX_SPEED_SZ) +#define HNS_ROCE_DCQCN_G_SZ sizeof(u8) +#define HNS_ROCE_DCQCN_G_MAX 15 +#define HNS_ROCE_DCQCN_AL_OFS (HNS_ROCE_DCQCN_G_OFS + HNS_ROCE_DCQCN_G_SZ) +#define HNS_ROCE_DCQCN_AL_SZ sizeof(u8) +#define HNS_ROCE_DCQCN_AL_MAX ((u8)(~0U)) +#define HNS_ROCE_DCQCN_CNP_TIME_OFS (HNS_ROCE_DCQCN_AL_OFS + \ + HNS_ROCE_DCQCN_AL_SZ) +#define HNS_ROCE_DCQCN_CNP_TIME_SZ sizeof(u8) +#define HNS_ROCE_DCQCN_CNP_TIME_MAX ((u8)(~0U)) +#define HNS_ROCE_DCQCN_ASHIFT_OFS (HNS_ROCE_DCQCN_CNP_TIME_OFS + \ + HNS_ROCE_DCQCN_CNP_TIME_SZ) +#define HNS_ROCE_DCQCN_ASHIFT_SZ sizeof(u8) +#define HNS_ROCE_DCQCN_ASHIFT_MAX 15 +#define HNS_ROCE_DCQCN_LIFESPAN_OFS (HNS_ROCE_DCQCN_ASHIFT_OFS + \ + HNS_ROCE_DCQCN_ASHIFT_SZ) +#define HNS_ROCE_DCQCN_LIFESPAN_SZ sizeof(u32) +#define HNS_ROCE_DCQCN_LIFESPAN_MAX 1000 + +#define HNS_ROCE_LDCP_CWD0_OFS 0 +#define HNS_ROCE_LDCP_CWD0_SZ sizeof(u32) +#define HNS_ROCE_LDCP_CWD0_MAX ((u32)(~0U)) +#define HNS_ROCE_LDCP_ALPHA_OFS (HNS_ROCE_LDCP_CWD0_OFS + HNS_ROCE_LDCP_CWD0_SZ) +#define HNS_ROCE_LDCP_ALPHA_SZ sizeof(u8) +#define HNS_ROCE_LDCP_ALPHA_MAX ((u8)(~0U)) +#define HNS_ROCE_LDCP_GAMMA_OFS (HNS_ROCE_LDCP_ALPHA_OFS + \ + HNS_ROCE_LDCP_ALPHA_SZ) +#define HNS_ROCE_LDCP_GAMMA_SZ sizeof(u8) +#define HNS_ROCE_LDCP_GAMMA_MAX ((u8)(~0U)) +#define HNS_ROCE_LDCP_BETA_OFS (HNS_ROCE_LDCP_GAMMA_OFS + \ + HNS_ROCE_LDCP_GAMMA_SZ) +#define HNS_ROCE_LDCP_BETA_SZ sizeof(u8) +#define HNS_ROCE_LDCP_BETA_MAX ((u8)(~0U)) +#define HNS_ROCE_LDCP_ETA_OFS (HNS_ROCE_LDCP_BETA_OFS + HNS_ROCE_LDCP_BETA_SZ) +#define HNS_ROCE_LDCP_ETA_SZ sizeof(u8) +#define HNS_ROCE_LDCP_ETA_MAX ((u8)(~0U)) +#define HNS_ROCE_LDCP_LIFESPAN_OFS (4 * sizeof(u32)) +#define HNS_ROCE_LDCP_LIFESPAN_SZ sizeof(u32) +#define HNS_ROCE_LDCP_LIFESPAN_MAX 1000 + +#define HNS_ROCE_HC3_INITIAL_WINDOW_OFS 0 +#define HNS_ROCE_HC3_INITIAL_WINDOW_SZ sizeof(u32) +#define HNS_ROCE_HC3_INITIAL_WINDOW_MAX ((u32)(~0U)) +#define HNS_ROCE_HC3_BANDWIDTH_OFS (HNS_ROCE_HC3_INITIAL_WINDOW_OFS + \ + HNS_ROCE_HC3_INITIAL_WINDOW_SZ) +#define HNS_ROCE_HC3_BANDWIDTH_SZ sizeof(u32) +#define HNS_ROCE_HC3_BANDWIDTH_MAX ((u32)(~0U)) +#define HNS_ROCE_HC3_QLEN_SHIFT_OFS (HNS_ROCE_HC3_BANDWIDTH_OFS + \ + HNS_ROCE_HC3_BANDWIDTH_SZ) +#define HNS_ROCE_HC3_QLEN_SHIFT_SZ sizeof(u8) +#define HNS_ROCE_HC3_QLEN_SHIFT_MAX ((u8)(~0U)) +#define HNS_ROCE_HC3_PORT_USAGE_SHIFT_OFS (HNS_ROCE_HC3_QLEN_SHIFT_OFS + \ + HNS_ROCE_HC3_QLEN_SHIFT_SZ) +#define HNS_ROCE_HC3_PORT_USAGE_SHIFT_SZ sizeof(u8) +#define HNS_ROCE_HC3_PORT_USAGE_SHIFT_MAX ((u8)(~0U)) +#define HNS_ROCE_HC3_OVER_PERIOD_OFS (HNS_ROCE_HC3_PORT_USAGE_SHIFT_OFS + \ + HNS_ROCE_HC3_PORT_USAGE_SHIFT_SZ) +#define HNS_ROCE_HC3_OVER_PERIOD_SZ sizeof(u8) +#define HNS_ROCE_HC3_OVER_PERIOD_MAX ((u8)(~0U)) +#define HNS_ROCE_HC3_MAX_STAGE_OFS (HNS_ROCE_HC3_OVER_PERIOD_OFS + \ + HNS_ROCE_HC3_OVER_PERIOD_SZ) +#define HNS_ROCE_HC3_MAX_STAGE_SZ sizeof(u8) +#define HNS_ROCE_HC3_MAX_STAGE_MAX ((u8)(~0U)) +#define HNS_ROCE_HC3_GAMMA_SHIFT_OFS (HNS_ROCE_HC3_MAX_STAGE_OFS + \ + HNS_ROCE_HC3_MAX_STAGE_SZ) +#define HNS_ROCE_HC3_GAMMA_SHIFT_SZ sizeof(u8) +#define HNS_ROCE_HC3_GAMMA_SHIFT_MAX 15 +#define HNS_ROCE_HC3_LIFESPAN_OFS (4 * sizeof(u32)) +#define HNS_ROCE_HC3_LIFESPAN_SZ sizeof(u32) +#define HNS_ROCE_HC3_LIFESPAN_MAX 1000 + +#define HNS_ROCE_DIP_AI_OFS 0 +#define HNS_ROCE_DIP_AI_SZ sizeof(u16) +#define HNS_ROCE_DIP_AI_MAX ((u16)(~0U)) +#define HNS_ROCE_DIP_F_OFS (HNS_ROCE_DIP_AI_OFS + HNS_ROCE_DIP_AI_SZ) +#define HNS_ROCE_DIP_F_SZ sizeof(u8) +#define HNS_ROCE_DIP_F_MAX ((u8)(~0U)) +#define HNS_ROCE_DIP_TKP_OFS (HNS_ROCE_DIP_F_OFS + HNS_ROCE_DIP_F_SZ) +#define HNS_ROCE_DIP_TKP_SZ sizeof(u8) +#define HNS_ROCE_DIP_TKP_MAX 15 +#define HNS_ROCE_DIP_TMP_OFS (HNS_ROCE_DIP_TKP_OFS + HNS_ROCE_DIP_TKP_SZ) +#define HNS_ROCE_DIP_TMP_SZ sizeof(u16) +#define HNS_ROCE_DIP_TMP_MAX 15 +#define HNS_ROCE_DIP_ALP_OFS (HNS_ROCE_DIP_TMP_OFS + HNS_ROCE_DIP_TMP_SZ) +#define HNS_ROCE_DIP_ALP_SZ sizeof(u16) +#define HNS_ROCE_DIP_ALP_MAX ((u16)(~0U)) +#define HNS_ROCE_DIP_MAX_SPEED_OFS (HNS_ROCE_DIP_ALP_OFS + HNS_ROCE_DIP_ALP_SZ) +#define HNS_ROCE_DIP_MAX_SPEED_SZ sizeof(u32) +#define HNS_ROCE_DIP_MAX_SPEED_MAX ((u32)(~0U)) +#define HNS_ROCE_DIP_G_OFS (HNS_ROCE_DIP_MAX_SPEED_OFS + \ + HNS_ROCE_DIP_MAX_SPEED_SZ) +#define HNS_ROCE_DIP_G_SZ sizeof(u8) +#define HNS_ROCE_DIP_G_MAX 15 +#define HNS_ROCE_DIP_AL_OFS (HNS_ROCE_DIP_G_OFS + HNS_ROCE_DIP_G_SZ) +#define HNS_ROCE_DIP_AL_SZ sizeof(u8) +#define HNS_ROCE_DIP_AL_MAX ((u8)(~0U)) +#define HNS_ROCE_DIP_CNP_TIME_OFS (HNS_ROCE_DIP_AL_OFS + HNS_ROCE_DIP_AL_SZ) +#define HNS_ROCE_DIP_CNP_TIME_SZ sizeof(u8) +#define HNS_ROCE_DIP_CNP_TIME_MAX ((u8)(~0U)) +#define HNS_ROCE_DIP_ASHIFT_OFS (HNS_ROCE_DIP_CNP_TIME_OFS + \ + HNS_ROCE_DIP_CNP_TIME_SZ) +#define HNS_ROCE_DIP_ASHIFT_SZ sizeof(u8) +#define HNS_ROCE_DIP_ASHIFT_MAX 15 +#define HNS_ROCE_DIP_LIFESPAN_OFS (HNS_ROCE_DIP_ASHIFT_OFS + \ + HNS_ROCE_DIP_ASHIFT_SZ) +#define HNS_ROCE_DIP_LIFESPAN_SZ sizeof(u32) +#define HNS_ROCE_DIP_LIFESPAN_MAX 1000 + struct hns_roce_sccc_clr { __le32 qpn; __le32 rsv[5]; diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c index d98825154a82..4d1d2629d8f0 100644 --- a/drivers/infiniband/hw/hns/hns_roce_main.c +++ b/drivers/infiniband/hw/hns/hns_roce_main.c @@ -870,6 +870,7 @@ static const struct ib_device_ops hns_roce_dev_ops = { .reg_user_mr = hns_roce_reg_user_mr, .alloc_hw_stats = hns_roce_alloc_hw_port_stats, .get_hw_stats = hns_roce_get_hw_stats, + .init_port = hns_roce_create_port_files, INIT_RDMA_OBJ_SIZE(ib_ah, hns_roce_ah, ibah), INIT_RDMA_OBJ_SIZE(ib_cq, hns_roce_cq, ib_cq), @@ -1441,6 +1442,7 @@ int hns_roce_init(struct hns_roce_dev *hr_dev) void hns_roce_exit(struct hns_roce_dev *hr_dev) { + hns_roce_unregister_sysfs(hr_dev); hns_roce_unregister_device(hr_dev); hns_roce_unregister_debugfs(hr_dev); diff --git a/drivers/infiniband/hw/hns/hns_roce_sysfs.c b/drivers/infiniband/hw/hns/hns_roce_sysfs.c new file mode 100644 index 000000000000..507cc7147a2e --- /dev/null +++ b/drivers/infiniband/hw/hns/hns_roce_sysfs.c @@ -0,0 +1,445 @@ +// SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB +/* + * Copyright (c) 2023 Hisilicon Limited. + */ + +#include "hnae3.h" +#include "hns_roce_device.h" +#include "hns_roce_hw_v2.h" + +struct hns_port_attribute { + struct attribute attr; + ssize_t (*show)(struct hns_roce_port *pdata, + struct hns_port_attribute *attr, char *buf); + ssize_t (*store)(struct hns_roce_port *pdata, + struct hns_port_attribute *attr, const char *buf, + size_t count); +}; + +static void scc_param_config_work(struct work_struct *work) +{ + struct hns_roce_scc_param *scc_param = container_of(work, + struct hns_roce_scc_param, scc_cfg_dwork.work); + struct hns_roce_dev *hr_dev = scc_param->hr_dev; + + hr_dev->hw->config_scc_param(hr_dev, scc_param->port_num, + scc_param->algo_type); +} + +static int alloc_scc_param(struct hns_roce_dev *hr_dev, + struct hns_roce_port *pdata) +{ + struct hns_roce_scc_param *scc_param; + int i; + + scc_param = kcalloc(HNS_ROCE_SCC_ALGO_TOTAL, sizeof(*scc_param), + GFP_KERNEL); + if (!scc_param) + return -ENOMEM; + + for (i = 0; i < HNS_ROCE_SCC_ALGO_TOTAL; i++) { + scc_param[i].algo_type = i; + scc_param[i].timestamp = jiffies; + scc_param[i].hr_dev = hr_dev; + scc_param[i].port_num = pdata->port_num; + INIT_DELAYED_WORK(&scc_param[i].scc_cfg_dwork, + scc_param_config_work); + } + + pdata->scc_param = scc_param; + return 0; +} + +struct hns_port_cc_attr { + struct hns_port_attribute port_attr; + enum hns_roce_scc_algo algo_type; + u32 offset; + u32 size; + u32 max; + u32 min; +}; + +static int scc_attr_check(struct hns_port_cc_attr *scc_attr) +{ + if (WARN_ON(scc_attr->size > sizeof(u32))) + return -EINVAL; + + if (WARN_ON(scc_attr->algo_type >= HNS_ROCE_SCC_ALGO_TOTAL)) + return -EINVAL; + return 0; +} + +static ssize_t scc_attr_show(struct hns_roce_port *pdata, + struct hns_port_attribute *attr, char *buf) +{ + struct hns_port_cc_attr *scc_attr = + container_of(attr, struct hns_port_cc_attr, port_attr); + struct hns_roce_scc_param *scc_param; + unsigned long exp_time; + __le32 val = 0; + int ret; + + ret = scc_attr_check(scc_attr); + if (ret) + return ret; + + scc_param = &pdata->scc_param[scc_attr->algo_type]; + + /* Only HW param need be queried */ + if (scc_attr->offset < offsetof(typeof(*scc_param), lifespan)) { + exp_time = scc_param->timestamp + + msecs_to_jiffies(scc_param->lifespan); + + if (time_is_before_eq_jiffies(exp_time)) { + scc_param->timestamp = jiffies; + pdata->hr_dev->hw->query_scc_param(pdata->hr_dev, + pdata->port_num, scc_attr->algo_type); + } + } + + memcpy(&val, (void *)scc_param + scc_attr->offset, scc_attr->size); + + return sysfs_emit(buf, "%u\n", le32_to_cpu(val)); +} + +static ssize_t scc_attr_store(struct hns_roce_port *pdata, + struct hns_port_attribute *attr, + const char *buf, size_t count) +{ + struct hns_port_cc_attr *scc_attr = + container_of(attr, struct hns_port_cc_attr, port_attr); + struct hns_roce_scc_param *scc_param; + unsigned long lifespan_jiffies; + unsigned long exp_time; + __le32 attr_val; + u32 val; + int ret; + + ret = scc_attr_check(scc_attr); + if (ret) + return ret; + + if (kstrtou32(buf, 0, &val)) + return -EINVAL; + + if (val > scc_attr->max || val < scc_attr->min) + return -EINVAL; + + attr_val = cpu_to_le32(val); + scc_param = &pdata->scc_param[scc_attr->algo_type]; + memcpy((void *)scc_param + scc_attr->offset, &attr_val, + scc_attr->size); + + /* lifespan is only used for driver */ + if (scc_attr->offset >= offsetof(typeof(*scc_param), lifespan)) + return count; + + lifespan_jiffies = msecs_to_jiffies(scc_param->lifespan); + exp_time = scc_param->timestamp + lifespan_jiffies; + + if (time_is_before_eq_jiffies(exp_time)) { + scc_param->timestamp = jiffies; + queue_delayed_work(pdata->hr_dev->irq_workq, + &scc_param->scc_cfg_dwork, lifespan_jiffies); + } + + return count; +} + +static umode_t scc_attr_is_visible(struct kobject *kobj, + struct attribute *attr, int i) +{ + struct hns_port_attribute *port_attr = + container_of(attr, struct hns_port_attribute, attr); + struct hns_port_cc_attr *scc_attr = + container_of(port_attr, struct hns_port_cc_attr, port_attr); + struct hns_roce_port *pdata = + container_of(kobj, struct hns_roce_port, kobj); + struct hns_roce_dev *hr_dev = pdata->hr_dev; + + if (hr_dev->is_vf || + !(hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_QP_FLOW_CTRL)) + return 0; + + if (!(hr_dev->caps.cong_type & (1 << scc_attr->algo_type))) + return 0; + + return 0644; +} + +#define __HNS_SCC_ATTR(_name, _type, _offset, _size, _min, _max) { \ + .port_attr = __ATTR(_name, 0644, scc_attr_show, scc_attr_store), \ + .algo_type = _type, \ + .offset = _offset, \ + .size = _size, \ + .min = _min, \ + .max = _max, \ +} + +#define HNS_PORT_DCQCN_CC_ATTR_RW(_name, NAME) \ + struct hns_port_cc_attr hns_roce_port_attr_dcqcn_##_name = \ + __HNS_SCC_ATTR(_name, HNS_ROCE_SCC_ALGO_DCQCN, \ + HNS_ROCE_DCQCN_##NAME##_OFS, \ + HNS_ROCE_DCQCN_##NAME##_SZ, \ + 0, HNS_ROCE_DCQCN_##NAME##_MAX) + +HNS_PORT_DCQCN_CC_ATTR_RW(ai, AI); +HNS_PORT_DCQCN_CC_ATTR_RW(f, F); +HNS_PORT_DCQCN_CC_ATTR_RW(tkp, TKP); +HNS_PORT_DCQCN_CC_ATTR_RW(tmp, TMP); +HNS_PORT_DCQCN_CC_ATTR_RW(alp, ALP); +HNS_PORT_DCQCN_CC_ATTR_RW(max_speed, MAX_SPEED); +HNS_PORT_DCQCN_CC_ATTR_RW(g, G); +HNS_PORT_DCQCN_CC_ATTR_RW(al, AL); +HNS_PORT_DCQCN_CC_ATTR_RW(cnp_time, CNP_TIME); +HNS_PORT_DCQCN_CC_ATTR_RW(ashift, ASHIFT); +HNS_PORT_DCQCN_CC_ATTR_RW(lifespan, LIFESPAN); + +static struct attribute *dcqcn_param_attrs[] = { + &hns_roce_port_attr_dcqcn_ai.port_attr.attr, + &hns_roce_port_attr_dcqcn_f.port_attr.attr, + &hns_roce_port_attr_dcqcn_tkp.port_attr.attr, + &hns_roce_port_attr_dcqcn_tmp.port_attr.attr, + &hns_roce_port_attr_dcqcn_alp.port_attr.attr, + &hns_roce_port_attr_dcqcn_max_speed.port_attr.attr, + &hns_roce_port_attr_dcqcn_g.port_attr.attr, + &hns_roce_port_attr_dcqcn_al.port_attr.attr, + &hns_roce_port_attr_dcqcn_cnp_time.port_attr.attr, + &hns_roce_port_attr_dcqcn_ashift.port_attr.attr, + &hns_roce_port_attr_dcqcn_lifespan.port_attr.attr, + NULL, +}; + +static const struct attribute_group dcqcn_cc_param_group = { + .name = "dcqcn_cc_param", + .attrs = dcqcn_param_attrs, + .is_visible = scc_attr_is_visible, +}; + +#define HNS_PORT_LDCP_CC_ATTR_RW(_name, NAME) \ + struct hns_port_cc_attr hns_roce_port_attr_ldcp_##_name = \ + __HNS_SCC_ATTR(_name, HNS_ROCE_SCC_ALGO_LDCP, \ + HNS_ROCE_LDCP_##NAME##_OFS, \ + HNS_ROCE_LDCP_##NAME##_SZ, \ + 0, HNS_ROCE_LDCP_##NAME##_MAX) + +HNS_PORT_LDCP_CC_ATTR_RW(cwd0, CWD0); +HNS_PORT_LDCP_CC_ATTR_RW(alpha, ALPHA); +HNS_PORT_LDCP_CC_ATTR_RW(gamma, GAMMA); +HNS_PORT_LDCP_CC_ATTR_RW(beta, BETA); +HNS_PORT_LDCP_CC_ATTR_RW(eta, ETA); +HNS_PORT_LDCP_CC_ATTR_RW(lifespan, LIFESPAN); + +static struct attribute *ldcp_param_attrs[] = { + &hns_roce_port_attr_ldcp_cwd0.port_attr.attr, + &hns_roce_port_attr_ldcp_alpha.port_attr.attr, + &hns_roce_port_attr_ldcp_gamma.port_attr.attr, + &hns_roce_port_attr_ldcp_beta.port_attr.attr, + &hns_roce_port_attr_ldcp_eta.port_attr.attr, + &hns_roce_port_attr_ldcp_lifespan.port_attr.attr, + NULL, +}; + +static const struct attribute_group ldcp_cc_param_group = { + .name = "ldcp_cc_param", + .attrs = ldcp_param_attrs, + .is_visible = scc_attr_is_visible, +}; + +#define HNS_PORT_HC3_CC_ATTR_RW(_name, NAME) \ + struct hns_port_cc_attr hns_roce_port_attr_hc3_##_name = \ + __HNS_SCC_ATTR(_name, HNS_ROCE_SCC_ALGO_HC3, \ + HNS_ROCE_HC3_##NAME##_OFS, \ + HNS_ROCE_HC3_##NAME##_SZ, \ + 0, HNS_ROCE_HC3_##NAME##_MAX) + +HNS_PORT_HC3_CC_ATTR_RW(initial_window, INITIAL_WINDOW); +HNS_PORT_HC3_CC_ATTR_RW(bandwidth, BANDWIDTH); +HNS_PORT_HC3_CC_ATTR_RW(qlen_shift, QLEN_SHIFT); +HNS_PORT_HC3_CC_ATTR_RW(port_usage_shift, PORT_USAGE_SHIFT); +HNS_PORT_HC3_CC_ATTR_RW(over_period, OVER_PERIOD); +HNS_PORT_HC3_CC_ATTR_RW(max_stage, MAX_STAGE); +HNS_PORT_HC3_CC_ATTR_RW(gamma_shift, GAMMA_SHIFT); +HNS_PORT_HC3_CC_ATTR_RW(lifespan, LIFESPAN); + +static struct attribute *hc3_param_attrs[] = { + &hns_roce_port_attr_hc3_initial_window.port_attr.attr, + &hns_roce_port_attr_hc3_bandwidth.port_attr.attr, + &hns_roce_port_attr_hc3_qlen_shift.port_attr.attr, + &hns_roce_port_attr_hc3_port_usage_shift.port_attr.attr, + &hns_roce_port_attr_hc3_over_period.port_attr.attr, + &hns_roce_port_attr_hc3_max_stage.port_attr.attr, + &hns_roce_port_attr_hc3_gamma_shift.port_attr.attr, + &hns_roce_port_attr_hc3_lifespan.port_attr.attr, + NULL, +}; + +static const struct attribute_group hc3_cc_param_group = { + .name = "hc3_cc_param", + .attrs = hc3_param_attrs, + .is_visible = scc_attr_is_visible, +}; + +#define HNS_PORT_DIP_CC_ATTR_RW(_name, NAME) \ + struct hns_port_cc_attr hns_roce_port_attr_dip_##_name = \ + __HNS_SCC_ATTR(_name, HNS_ROCE_SCC_ALGO_DIP, \ + HNS_ROCE_DIP_##NAME##_OFS, \ + HNS_ROCE_DIP_##NAME##_SZ, \ + 0, HNS_ROCE_DIP_##NAME##_MAX) + +HNS_PORT_DIP_CC_ATTR_RW(ai, AI); +HNS_PORT_DIP_CC_ATTR_RW(f, F); +HNS_PORT_DIP_CC_ATTR_RW(tkp, TKP); +HNS_PORT_DIP_CC_ATTR_RW(tmp, TMP); +HNS_PORT_DIP_CC_ATTR_RW(alp, ALP); +HNS_PORT_DIP_CC_ATTR_RW(max_speed, MAX_SPEED); +HNS_PORT_DIP_CC_ATTR_RW(g, G); +HNS_PORT_DIP_CC_ATTR_RW(al, AL); +HNS_PORT_DIP_CC_ATTR_RW(cnp_time, CNP_TIME); +HNS_PORT_DIP_CC_ATTR_RW(ashift, ASHIFT); +HNS_PORT_DIP_CC_ATTR_RW(lifespan, LIFESPAN); + +static struct attribute *dip_param_attrs[] = { + &hns_roce_port_attr_dip_ai.port_attr.attr, + &hns_roce_port_attr_dip_f.port_attr.attr, + &hns_roce_port_attr_dip_tkp.port_attr.attr, + &hns_roce_port_attr_dip_tmp.port_attr.attr, + &hns_roce_port_attr_dip_alp.port_attr.attr, + &hns_roce_port_attr_dip_max_speed.port_attr.attr, + &hns_roce_port_attr_dip_g.port_attr.attr, + &hns_roce_port_attr_dip_al.port_attr.attr, + &hns_roce_port_attr_dip_cnp_time.port_attr.attr, + &hns_roce_port_attr_dip_ashift.port_attr.attr, + &hns_roce_port_attr_dip_lifespan.port_attr.attr, + NULL, +}; + +static const struct attribute_group dip_cc_param_group = { + .name = "dip_cc_param", + .attrs = dip_param_attrs, + .is_visible = scc_attr_is_visible, +}; + +const struct attribute_group *hns_attr_port_groups[] = { + &dcqcn_cc_param_group, + &ldcp_cc_param_group, + &hc3_cc_param_group, + &dip_cc_param_group, + NULL, +}; + +static ssize_t hns_roce_port_attr_show(struct kobject *kobj, + struct attribute *attr, char *buf) +{ + struct hns_port_attribute *port_attr = + container_of(attr, struct hns_port_attribute, attr); + struct hns_roce_port *p = + container_of(kobj, struct hns_roce_port, kobj); + + if (!port_attr->show) + return -EIO; + + return port_attr->show(p, port_attr, buf); +} + +static ssize_t hns_roce_port_attr_store(struct kobject *kobj, + struct attribute *attr, + const char *buf, size_t count) +{ + struct hns_port_attribute *port_attr = + container_of(attr, struct hns_port_attribute, attr); + struct hns_roce_port *p = + container_of(kobj, struct hns_roce_port, kobj); + + if (!port_attr->store) + return -EIO; + + return port_attr->store(p, port_attr, buf, count); +} + +static void hns_roce_port_release(struct kobject *kobj) +{ + struct hns_roce_port *pdata = + container_of(kobj, struct hns_roce_port, kobj); + + kfree(pdata->scc_param); +} + +static const struct sysfs_ops hns_roce_port_ops = { + .show = hns_roce_port_attr_show, + .store = hns_roce_port_attr_store, +}; + +static struct kobj_type hns_roce_port_ktype = { + .release = hns_roce_port_release, + .sysfs_ops = &hns_roce_port_ops, +}; + +int hns_roce_create_port_files(struct ib_device *ibdev, u8 port_num, + struct kobject *kobj) +{ + struct hns_roce_dev *hr_dev = to_hr_dev(ibdev); + struct hns_roce_port *pdata; + int ret; + + if (!port_num || port_num > hr_dev->caps.num_ports) { + ibdev_err(ibdev, "fail to create port sysfs for invalid port %u.\n", + port_num); + return -ENODEV; + } + + pdata = &hr_dev->port_data[port_num - 1]; + pdata->hr_dev = hr_dev; + pdata->port_num = port_num; + ret = kobject_init_and_add(&pdata->kobj, &hns_roce_port_ktype, + kobj, "cc_param"); + if (ret) { + ibdev_err(ibdev, "fail to create port(%u) sysfs, ret = %d.\n", + port_num, ret); + goto fail_kobj; + } + kobject_uevent(&pdata->kobj, KOBJ_ADD); + + ret = sysfs_create_groups(&pdata->kobj, hns_attr_port_groups); + if (ret) { + ibdev_err(ibdev, + "fail to create port(%u) cc param sysfs, ret = %d.\n", + port_num, ret); + goto fail_kobj; + } + + ret = alloc_scc_param(hr_dev, pdata); + if (ret) { + dev_err(hr_dev->dev, "alloc scc param failed, ret = %d!\n", + ret); + goto fail_group; + } + + return ret; + +fail_group: + sysfs_remove_groups(&pdata->kobj, hns_attr_port_groups); + +fail_kobj: + kobject_put(&pdata->kobj); + + return ret; +} + +static void hns_roce_unregister_port_sysfs(struct hns_roce_dev *hr_dev, + u8 port_num) +{ + struct hns_roce_port *pdata; + + pdata = &hr_dev->port_data[port_num]; + sysfs_remove_groups(&pdata->kobj, hns_attr_port_groups); + kobject_put(&pdata->kobj); +} + +void hns_roce_unregister_sysfs(struct hns_roce_dev *hr_dev) +{ + int i; + + for (i = 0; i < hr_dev->caps.num_ports; i++) + hns_roce_unregister_port_sysfs(hr_dev, i); +} -- 2.30.0

1 0

Kernel sig 3.10 14:00-15:30 例会议题情况//答复: openEuler Kernel SIG双周例会
by liaotao (C) 10 Mar '23

10 Mar '23

当前例会议题：议题一：进展update（10min） --- 张伽琳 & 郑增凯议题二：内核热升级使用及技术探讨和规划 --- 桑琰欢迎大家继续申报~ 上期遗留问题： 1、openEuler缺陷issue处理流程介绍 2、内核热升级下一步规划，需求讨论 -----原始约会----- 发件人: openEuler conference <public(a)openeuler.org> 发送时间: 2023年3月7日 15:49 收件人: dev@openeuler.org,kernel-discuss@openeuler.org,kernel@openeuler.org 主题: openEuler Kernel SIG双周例会时间: 2023年3月10日星期五 14:00-15:30(UTC+08:00) 北京，重庆，香港特别行政区，乌鲁木齐。地点: 您好！ Kernel SIG 邀请您参加 2023-03-10 14:00 召开的Zoom会议(自动录制) 会议主题：openEuler Kernel SIG双周例会会议内容：欢迎您参加 Kernel SIG 双周例会，当前议题： 1. 进展update 2. 议题征集中欢迎大家积极申报议题（新增议题可以直接回复邮件，或录入会议看板）会议链接：https://us06web.zoom.us/j/87191608489?pwd=eG96T0p2Y0NDRUdHOW9SYys5SElTQT09 会议纪要：https://etherpad.openeuler.org/p/Kernel-meetings 温馨提醒：建议接入会议后修改参会人的姓名，也可以使用您在gitee.com的ID 更多资讯尽在：https://openeuler.org/zh/ Hello! openEuler Kernel SIG invites you to attend the Zoom conference(auto recording) will be held at 2023-03-10 14:00, The subject of the conference is openEuler Kernel SIG双周例会, Summary: 欢迎您参加 Kernel SIG 双周例会，当前议题： 1. 进展update 2. 议题征集中欢迎大家积极申报议题（新增议题可以直接回复邮件，或录入会议看板） You can join the meeting at https://us06web.zoom.us/j/87191608489?pwd=eG96T0p2Y0NDRUdHOW9SYys5SElTQT09. Add topics at https://etherpad.openeuler.org/p/Kernel-meetings. Note: You are advised to change the participant name after joining the conference or use your ID at gitee.com. More information: https://openeuler.org/en/

1 0

[PATCH openEuler-5.10-LTS-SP1] Revert "scsi: fix iscsi rescan fails to create block"
by Jialin Zhang 09 Mar '23

09 Mar '23

From: Zhong Jinghua <zhongjinghua(a)huawei.com> hulk inclusion category: bugfix bugzilla: 188150, https://gitee.com/openeuler/kernel/issues/I643OL ---------------------------------------- This reverts commit 7f10ea522db56188ae46c5bbee7052a2b2797515. This commit has a soft lock problem: watchdog: BUG: soft lockup - CPU#22 stuck for 67s! [iscsid:16369] Call Trace: scsi_remove_target+0x548/0x7b0 ? sdev_store_delete+0x90/0x90 ? __mutex_lock_slowpath+0x10/0x10 ? device_remove_class_symlinks+0x1b0/0x1b0 __iscsi_unbind_session+0x16b/0x250 [scsi_transport_iscsi] iscsi_remove_session+0x1d3/0x2f0 [scsi_transport_iscsi] iscsi_session_remove+0x5c/0x80 [libiscsi] iscsi_sw_tcp_session_destroy+0xd3/0x160 [iscsi_tcp] iscsi_if_rx+0x2369/0x5060 [scsi_transport_iscsi] The reason is that if other threads hold the reference count of the kobject while waiting for the device to be released, it will keep waiting in a loop. Fixes: 7f10ea522db5 ("scsi: fix iscsi rescan fails to create block") Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com> --- drivers/scsi/scsi_sysfs.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c index e7893835b99a..42db9c52208e 100644 --- a/drivers/scsi/scsi_sysfs.c +++ b/drivers/scsi/scsi_sysfs.c @@ -1503,13 +1503,6 @@ void scsi_remove_device(struct scsi_device *sdev) } EXPORT_SYMBOL(scsi_remove_device); -static int scsi_device_try_get(struct scsi_device *sdev) -{ - if (!kobject_get_unless_zero(&sdev->sdev_gendev.kobj)) - return -ENXIO; - return 0; -} - static void __scsi_remove_target(struct scsi_target *starget) { struct Scsi_Host *shost = dev_to_shost(starget->dev.parent); @@ -1528,7 +1521,9 @@ static void __scsi_remove_target(struct scsi_target *starget) if (sdev->channel != starget->channel || sdev->id != starget->id) continue; - if (scsi_device_try_get(sdev)) + if (sdev->sdev_state == SDEV_DEL || + sdev->sdev_state == SDEV_CANCEL || + !get_device(&sdev->sdev_gendev)) continue; spin_unlock_irqrestore(shost->host_lock, flags); scsi_remove_device(sdev); -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS 1/3] HID: asus: Remove check for same LED brightness on set
by Yongqiang Liu 09 Mar '23

09 Mar '23

From: "Luke D. Jones" <luke(a)ljones.dev> mainline inclusion from mainline-v5.14-rc4 commit 3fdcf7cdfc229346d028242e73562704ad644dd0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6I7U9 CVE: CVE-2023-1079 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Remove the early return on LED brightness set so that any controller application, daemon, or desktop may set the same brightness at any stage. This is required because many ASUS ROG keyboards will default to max brightness on laptop resume if the LEDs were set to off before sleep. Signed-off-by: Luke D Jones <luke(a)ljones.dev> Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> Signed-off-by: Yuyao Lin <linyuyao1(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/hid/hid-asus.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index 800b2364e29e..9ae8e3d5edf1 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c @@ -318,9 +318,6 @@ static void asus_kbd_backlight_set(struct led_classdev *led_cdev, { struct asus_kbd_leds *led = container_of(led_cdev, struct asus_kbd_leds, cdev); - if (led->brightness == brightness) - return; - led->brightness = brightness; schedule_work(&led->work); } -- 2.25.1

1 2

[PATCH openEuler-1.0-LTS 01/16] netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
by Yongqiang Liu 08 Mar '23

08 Mar '23

From: Florian Westphal <fw(a)strlen.de> stable inclusion from stable-v4.19.272 commit 01687e35df44dd09cc6943306db35d9efc507907 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6KOHU CVE: NA -------------------------------- [ Upstream commit e15d4cdf27cb0c1e977270270b2cea12e0955edd ] Consider: client -----> conntrack ---> Host client sends a SYN, but $Host is unreachable/silent. Client eventually gives up and the conntrack entry will time out. However, if the client is restarted with same addr/port pair, it may prevent the conntrack entry from timing out. This is noticeable when the existing conntrack entry has no NAT transformation or an outdated one and port reuse happens either on client or due to a NAT middlebox. This change prevents refresh of the timeout for SYN retransmits, so entry is going away after nf_conntrack_tcp_timeout_syn_sent seconds (default: 60). Entry will be re-created on next connection attempt, but then nat rules will be evaluated again. Signed-off-by: Florian Westphal <fw(a)strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index aab532b8c8c6..1600f35bfd49 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -1089,6 +1089,16 @@ static int tcp_packet(struct nf_conn *ct, nf_ct_kill_acct(ct, ctinfo, skb); return NF_ACCEPT; } + + if (index == TCP_SYN_SET && old_state == TCP_CONNTRACK_SYN_SENT) { + /* do not renew timeout on SYN retransmit. + * + * Else port reuse by client or NAT middlebox can keep + * entry alive indefinitely (including nat info). + */ + return NF_ACCEPT; + } + /* ESTABLISHED without SEEN_REPLY, i.e. mid-connection * pickup with loose=1. Avoid large ESTABLISHED timeout. */ -- 2.25.1

1 15

[PATCH openEuler-1.0-LTS 01/31] binder: use standard functions to allocate fds
by Yongqiang Liu 08 Mar '23

08 Mar '23

From: Todd Kjos <tkjos(a)android.com> mainline inclusion from mainline-v4.20-rc1 commit 44d8047f1d87adc2fd7eccc88533794f6d88c15e category: bugfix bugzilla: 188431, https://gitee.com/src-openeuler/kernel/issues/I6DKVG CVE: CVE-2023-20938 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Binder uses internal fs interfaces to allocate and install fds: __alloc_fd __fd_install __close_fd get_files_struct put_files_struct These were used to support the passing of fds between processes as part of a transaction. The actual allocation and installation of the fds in the target process was handled by the sending process so the standard functions, alloc_fd() and fd_install() which assume task==current couldn't be used. This patch refactors this mechanism so that the fds are allocated and installed by the target process allowing the standard functions to be used. The sender now creates a list of fd fixups that contains the struct *file and the address to fixup with the new fd once it is allocated. This list is processed by the target process when the transaction is dequeued. A new error case is introduced by this change. If an async transaction with file descriptors cannot allocate new fds in the target (probably due to out of file descriptors), the transaction is discarded with a log message. In the old implementation this would have been detected in the sender context and failed prior to sending. Signed-off-by: Todd Kjos <tkjos(a)google.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/android/binder.c Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: Zheng Yejian <zhengyejian1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/android/Kconfig | 2 +- drivers/android/binder.c | 391 ++++++++++++++++++++------------- drivers/android/binder_trace.h | 36 ++- 3 files changed, 262 insertions(+), 167 deletions(-) diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig index 432e9ad77070..51e8250d113f 100644 --- a/drivers/android/Kconfig +++ b/drivers/android/Kconfig @@ -10,7 +10,7 @@ if ANDROID config ANDROID_BINDER_IPC bool "Android Binder IPC Driver" - depends on MMU + depends on MMU && !CPU_CACHE_VIVT default n ---help--- Binder is used in Android for both communication between processes, diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c5a39b8ae886..8a72aacd7a39 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -71,6 +71,7 @@ #include <linux/security.h> #include <linux/spinlock.h> #include <linux/ratelimit.h> +#include <linux/syscalls.h> #include <uapi/linux/android/binder.h> @@ -457,9 +458,8 @@ struct binder_ref { }; enum binder_deferred_state { - BINDER_DEFERRED_PUT_FILES = 0x01, - BINDER_DEFERRED_FLUSH = 0x02, - BINDER_DEFERRED_RELEASE = 0x04, + BINDER_DEFERRED_FLUSH = 0x01, + BINDER_DEFERRED_RELEASE = 0x02, }; /** @@ -480,9 +480,6 @@ enum binder_deferred_state { * (invariant after initialized) * @tsk task_struct for group_leader of process * (invariant after initialized) - * @files files_struct for process - * (protected by @files_lock) - * @files_lock mutex to protect @files * @cred struct cred associated with the `struct file` * in binder_open() * (invariant after initialized) @@ -530,8 +527,6 @@ struct binder_proc { struct list_head waiting_threads; int pid; struct task_struct *tsk; - struct files_struct *files; - struct mutex files_lock; const struct cred *cred; struct hlist_node deferred_work_node; int deferred_work; @@ -615,6 +610,23 @@ struct binder_thread { bool is_dead; }; +/** + * struct binder_txn_fd_fixup - transaction fd fixup list element + * @fixup_entry: list entry + * @file: struct file to be associated with new fd + * @offset: offset in buffer data to this fixup + * + * List element for fd fixups in a transaction. Since file + * descriptors need to be allocated in the context of the + * target process, we pass each fd to be processed in this + * struct. + */ +struct binder_txn_fd_fixup { + struct list_head fixup_entry; + struct file *file; + size_t offset; +}; + struct binder_transaction { int debug_id; struct binder_work work; @@ -632,6 +644,7 @@ struct binder_transaction { long priority; long saved_priority; kuid_t sender_euid; + struct list_head fd_fixups; /** * @lock: protects @from, @to_proc, and @to_thread * @@ -905,66 +918,6 @@ static void binder_free_thread(struct binder_thread *thread); static void binder_free_proc(struct binder_proc *proc); static void binder_inc_node_tmpref_ilocked(struct binder_node *node); -static int task_get_unused_fd_flags(struct binder_proc *proc, int flags) -{ - unsigned long rlim_cur; - unsigned long irqs; - int ret; - - mutex_lock(&proc->files_lock); - if (proc->files == NULL) { - ret = -ESRCH; - goto err; - } - if (!lock_task_sighand(proc->tsk, &irqs)) { - ret = -EMFILE; - goto err; - } - rlim_cur = task_rlimit(proc->tsk, RLIMIT_NOFILE); - unlock_task_sighand(proc->tsk, &irqs); - - ret = __alloc_fd(proc->files, 0, rlim_cur, flags); -err: - mutex_unlock(&proc->files_lock); - return ret; -} - -/* - * copied from fd_install - */ -static void task_fd_install( - struct binder_proc *proc, unsigned int fd, struct file *file) -{ - mutex_lock(&proc->files_lock); - if (proc->files) - __fd_install(proc->files, fd, file); - mutex_unlock(&proc->files_lock); -} - -/* - * copied from sys_close - */ -static long task_close_fd(struct binder_proc *proc, unsigned int fd) -{ - int retval; - - mutex_lock(&proc->files_lock); - if (proc->files == NULL) { - retval = -ESRCH; - goto err; - } - retval = __close_fd(proc->files, fd); - /* can't restart close syscall because file table entry was cleared */ - if (unlikely(retval == -ERESTARTSYS || - retval == -ERESTARTNOINTR || - retval == -ERESTARTNOHAND || - retval == -ERESTART_RESTARTBLOCK)) - retval = -EINTR; -err: - mutex_unlock(&proc->files_lock); - return retval; -} - static bool binder_has_work_ilocked(struct binder_thread *thread, bool do_proc_work) { @@ -1948,6 +1901,27 @@ static struct binder_thread *binder_get_txn_from_and_acq_inner( return NULL; } +/** + * binder_free_txn_fixups() - free unprocessed fd fixups + * @t: binder transaction for t->from + * + * If the transaction is being torn down prior to being + * processed by the target process, free all of the + * fd fixups and fput the file structs. It is safe to + * call this function after the fixups have been + * processed -- in that case, the list will be empty. + */ +static void binder_free_txn_fixups(struct binder_transaction *t) +{ + struct binder_txn_fd_fixup *fixup, *tmp; + + list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) { + fput(fixup->file); + list_del(&fixup->fixup_entry); + kfree(fixup); + } +} + static void binder_free_transaction(struct binder_transaction *t) { struct binder_proc *target_proc = t->to_proc; @@ -1962,6 +1936,7 @@ static void binder_free_transaction(struct binder_transaction *t) * If the transaction has no target_proc, then * t->buffer->transaction has already been cleared. */ + binder_free_txn_fixups(t); kfree(t); binder_stats_deleted(BINDER_STAT_TRANSACTION); } @@ -2262,12 +2237,17 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, } break; case BINDER_TYPE_FD: { - struct binder_fd_object *fp = to_binder_fd_object(hdr); - - binder_debug(BINDER_DEBUG_TRANSACTION, - " fd %d\n", fp->fd); - if (failed_at) - task_close_fd(proc, fp->fd); + /* + * No need to close the file here since user-space + * closes it for for successfully delivered + * transactions. For transactions that weren't + * delivered, the new fd was never allocated so + * there is no need to close and the fput on the + * file is done when the transaction is torn + * down. + */ + WARN_ON(failed_at && + proc->tsk == current->group_leader); } break; case BINDER_TYPE_PTR: /* @@ -2283,6 +2263,15 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, size_t fd_index; binder_size_t fd_buf_size; + if (proc->tsk != current->group_leader) { + /* + * Nothing to do if running in sender context + * The fd fixups have not been applied so no + * fds need to be closed. + */ + continue; + } + fda = to_binder_fd_array_object(hdr); parent = binder_validate_ptr(buffer, fda->parent, off_start, @@ -2315,7 +2304,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc, } fd_array = (u32 *)(parent_buffer + (uintptr_t)fda->parent_offset); for (fd_index = 0; fd_index < fda->num_fds; fd_index++) - task_close_fd(proc, fd_array[fd_index]); + ksys_close(fd_array[fd_index]); } break; default: pr_err("transaction release %d bad object type %x\n", @@ -2447,17 +2436,18 @@ static int binder_translate_handle(struct flat_binder_object *fp, return ret; } -static int binder_translate_fd(int fd, +static int binder_translate_fd(u32 *fdp, struct binder_transaction *t, struct binder_thread *thread, struct binder_transaction *in_reply_to) { struct binder_proc *proc = thread->proc; struct binder_proc *target_proc = t->to_proc; - int target_fd; + struct binder_txn_fd_fixup *fixup; struct file *file; - int ret; + int ret = 0; bool target_allows_fd; + int fd = *fdp; if (in_reply_to) target_allows_fd = !!(in_reply_to->flags & TF_ACCEPT_FDS); @@ -2485,19 +2475,24 @@ static int binder_translate_fd(int fd, goto err_security; } - target_fd = task_get_unused_fd_flags(target_proc, O_CLOEXEC); - if (target_fd < 0) { + /* + * Add fixup record for this transaction. The allocation + * of the fd in the target needs to be done from a + * target thread. + */ + fixup = kzalloc(sizeof(*fixup), GFP_KERNEL); + if (!fixup) { ret = -ENOMEM; - goto err_get_unused_fd; + goto err_alloc; } - task_fd_install(target_proc, target_fd, file); - trace_binder_transaction_fd(t, fd, target_fd); - binder_debug(BINDER_DEBUG_TRANSACTION, " fd %d -> %d\n", - fd, target_fd); + fixup->file = file; + fixup->offset = (uintptr_t)fdp - (uintptr_t)t->buffer->data; + trace_binder_transaction_fd_send(t, fd, fixup->offset); + list_add_tail(&fixup->fixup_entry, &t->fd_fixups); - return target_fd; + return ret; -err_get_unused_fd: +err_alloc: err_security: fput(file); err_fget: @@ -2511,8 +2506,7 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, struct binder_thread *thread, struct binder_transaction *in_reply_to) { - binder_size_t fdi, fd_buf_size, num_installed_fds; - int target_fd; + binder_size_t fdi, fd_buf_size; uintptr_t parent_buffer; u32 *fd_array; struct binder_proc *proc = thread->proc; @@ -2544,23 +2538,12 @@ static int binder_translate_fd_array(struct binder_fd_array_object *fda, return -EINVAL; } for (fdi = 0; fdi < fda->num_fds; fdi++) { - target_fd = binder_translate_fd(fd_array[fdi], t, thread, + int ret = binder_translate_fd(&fd_array[fdi], t, thread, in_reply_to); - if (target_fd < 0) - goto err_translate_fd_failed; - fd_array[fdi] = target_fd; + if (ret < 0) + return ret; } return 0; - -err_translate_fd_failed: - /* - * Failed to allocate fd or security error, free fds - * installed so far. - */ - num_installed_fds = fdi; - for (fdi = 0; fdi < num_installed_fds; fdi++) - task_close_fd(target_proc, fd_array[fdi]); - return target_fd; } static int binder_fixup_parent(struct binder_transaction *t, @@ -2935,6 +2918,7 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_alloc_t_failed; } + INIT_LIST_HEAD(&t->fd_fixups); binder_stats_created(BINDER_STAT_TRANSACTION); spin_lock_init(&t->lock); @@ -3089,17 +3073,16 @@ static void binder_transaction(struct binder_proc *proc, case BINDER_TYPE_FD: { struct binder_fd_object *fp = to_binder_fd_object(hdr); - int target_fd = binder_translate_fd(fp->fd, t, thread, - in_reply_to); + int ret = binder_translate_fd(&fp->fd, t, thread, + in_reply_to); - if (target_fd < 0) { + if (ret < 0) { return_error = BR_FAILED_REPLY; - return_error_param = target_fd; + return_error_param = ret; return_error_line = __LINE__; goto err_translate_failed; } fp->pad_binder = 0; - fp->fd = target_fd; } break; case BINDER_TYPE_FDA: { struct binder_fd_array_object *fda = @@ -3256,6 +3239,7 @@ static void binder_transaction(struct binder_proc *proc, err_bad_offset: err_bad_parent: err_copy_data_failed: + binder_free_txn_fixups(t); trace_binder_transaction_failed_buffer_release(t->buffer); binder_transaction_buffer_release(target_proc, t->buffer, offp); if (target_node) @@ -3318,6 +3302,49 @@ static void binder_transaction(struct binder_proc *proc, } } +/** + * binder_free_buf() - free the specified buffer + * @proc: binder proc that owns buffer + * @buffer: buffer to be freed + * + * If buffer for an async transaction, enqueue the next async + * transaction from the node. + * + * Cleanup buffer and free it. + */ +void +binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer) +{ + binder_inner_proc_lock(proc); + if (buffer->transaction) { + buffer->transaction->buffer = NULL; + buffer->transaction = NULL; + } + binder_inner_proc_unlock(proc); + if (buffer->async_transaction && buffer->target_node) { + struct binder_node *buf_node; + struct binder_work *w; + + buf_node = buffer->target_node; + binder_node_inner_lock(buf_node); + BUG_ON(!buf_node->has_async_transaction); + BUG_ON(buf_node->proc != proc); + w = binder_dequeue_work_head_ilocked( + &buf_node->async_todo); + if (!w) { + buf_node->has_async_transaction = false; + } else { + binder_enqueue_work_ilocked( + w, &proc->todo); + binder_wakeup_proc_ilocked(proc); + } + binder_node_inner_unlock(buf_node); + } + trace_binder_transaction_buffer_release(buffer); + binder_transaction_buffer_release(proc, buffer, NULL); + binder_alloc_free_buf(&proc->alloc, buffer); +} + static int binder_thread_write(struct binder_proc *proc, struct binder_thread *thread, binder_uintptr_t binder_buffer, size_t size, @@ -3508,35 +3535,7 @@ static int binder_thread_write(struct binder_proc *proc, proc->pid, thread->pid, (u64)data_ptr, buffer->debug_id, buffer->transaction ? "active" : "finished"); - - binder_inner_proc_lock(proc); - if (buffer->transaction) { - buffer->transaction->buffer = NULL; - buffer->transaction = NULL; - } - binder_inner_proc_unlock(proc); - if (buffer->async_transaction && buffer->target_node) { - struct binder_node *buf_node; - struct binder_work *w; - - buf_node = buffer->target_node; - binder_node_inner_lock(buf_node); - BUG_ON(!buf_node->has_async_transaction); - BUG_ON(buf_node->proc != proc); - w = binder_dequeue_work_head_ilocked( - &buf_node->async_todo); - if (!w) { - buf_node->has_async_transaction = false; - } else { - binder_enqueue_work_ilocked( - w, &proc->todo); - binder_wakeup_proc_ilocked(proc); - } - binder_node_inner_unlock(buf_node); - } - trace_binder_transaction_buffer_release(buffer); - binder_transaction_buffer_release(proc, buffer, NULL); - binder_alloc_free_buf(&proc->alloc, buffer); + binder_free_buf(proc, buffer); break; } @@ -3859,6 +3858,76 @@ static int binder_wait_for_work(struct binder_thread *thread, return ret; } +/** + * binder_apply_fd_fixups() - finish fd translation + * @t: binder transaction with list of fd fixups + * + * Now that we are in the context of the transaction target + * process, we can allocate and install fds. Process the + * list of fds to translate and fixup the buffer with the + * new fds. + * + * If we fail to allocate an fd, then free the resources by + * fput'ing files that have not been processed and ksys_close'ing + * any fds that have already been allocated. + */ +static int binder_apply_fd_fixups(struct binder_transaction *t) +{ + struct binder_txn_fd_fixup *fixup, *tmp; + int ret = 0; + + list_for_each_entry(fixup, &t->fd_fixups, fixup_entry) { + int fd = get_unused_fd_flags(O_CLOEXEC); + u32 *fdp; + + if (fd < 0) { + binder_debug(BINDER_DEBUG_TRANSACTION, + "failed fd fixup txn %d fd %d\n", + t->debug_id, fd); + ret = -ENOMEM; + break; + } + binder_debug(BINDER_DEBUG_TRANSACTION, + "fd fixup txn %d fd %d\n", + t->debug_id, fd); + trace_binder_transaction_fd_recv(t, fd, fixup->offset); + fd_install(fd, fixup->file); + fixup->file = NULL; + fdp = (u32 *)(t->buffer->data + fixup->offset); + /* + * This store can cause problems for CPUs with a + * VIVT cache (eg ARMv5) since the cache cannot + * detect virtual aliases to the same physical cacheline. + * To support VIVT, this address and the user-space VA + * would both need to be flushed. Since this kernel + * VA is not constructed via page_to_virt(), we can't + * use flush_dcache_page() on it, so we'd have to use + * an internal function. If devices with VIVT ever + * need to run Android, we'll either need to go back + * to patching the translated fd from the sender side + * (using the non-standard kernel functions), or rework + * how the kernel uses the buffer to use page_to_virt() + * addresses instead of allocating in our own vm area. + * + * For now, we disable compilation if CONFIG_CPU_CACHE_VIVT. + */ + *fdp = fd; + } + list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) { + if (fixup->file) { + fput(fixup->file); + } else if (ret) { + u32 *fdp = (u32 *)(t->buffer->data + fixup->offset); + + ksys_close(*fdp); + } + list_del(&fixup->fixup_entry); + kfree(fixup); + } + + return ret; +} + static int binder_thread_read(struct binder_proc *proc, struct binder_thread *thread, binder_uintptr_t binder_buffer, size_t size, @@ -4140,6 +4209,34 @@ static int binder_thread_read(struct binder_proc *proc, tr.sender_pid = 0; } + ret = binder_apply_fd_fixups(t); + if (ret) { + struct binder_buffer *buffer = t->buffer; + bool oneway = !!(t->flags & TF_ONE_WAY); + int tid = t->debug_id; + + if (t_from) + binder_thread_dec_tmpref(t_from); + buffer->transaction = NULL; + binder_cleanup_transaction(t, "fd fixups failed", + BR_FAILED_REPLY); + binder_free_buf(proc, buffer); + binder_debug(BINDER_DEBUG_FAILED_TRANSACTION, + "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n", + proc->pid, thread->pid, + oneway ? "async " : + (cmd == BR_REPLY ? "reply " : ""), + tid, BR_FAILED_REPLY, ret, __LINE__); + if (cmd == BR_REPLY) { + cmd = BR_FAILED_REPLY; + if (put_user(cmd, (uint32_t __user *)ptr)) + return -EFAULT; + ptr += sizeof(uint32_t); + binder_stat_br(proc, thread, cmd); + break; + } + continue; + } tr.data_size = t->buffer->data_size; tr.offsets_size = t->buffer->offsets_size; tr.data.ptr.buffer = (binder_uintptr_t) @@ -4730,7 +4827,6 @@ static void binder_vma_close(struct vm_area_struct *vma) (vma->vm_end - vma->vm_start) / SZ_1K, vma->vm_flags, (unsigned long)pgprot_val(vma->vm_page_prot)); binder_alloc_vma_close(&proc->alloc); - binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES); } static vm_fault_t binder_vm_fault(struct vm_fault *vmf) @@ -4776,9 +4872,6 @@ static int binder_mmap(struct file *filp, struct vm_area_struct *vma) ret = binder_alloc_mmap_handler(&proc->alloc, vma); if (ret) return ret; - mutex_lock(&proc->files_lock); - proc->files = get_files_struct(current); - mutex_unlock(&proc->files_lock); return 0; err_bad_arg: @@ -4802,7 +4895,6 @@ static int binder_open(struct inode *nodp, struct file *filp) spin_lock_init(&proc->outer_lock); get_task_struct(current->group_leader); proc->tsk = current->group_leader; - mutex_init(&proc->files_lock); proc->cred = get_cred(filp->f_cred); INIT_LIST_HEAD(&proc->todo); proc->default_priority = task_nice(current); @@ -4953,8 +5045,6 @@ static void binder_deferred_release(struct binder_proc *proc) struct rb_node *n; int threads, nodes, incoming_refs, outgoing_refs, active_transactions; - BUG_ON(proc->files); - mutex_lock(&binder_procs_lock); hlist_del(&proc->proc_node); mutex_unlock(&binder_procs_lock); @@ -5036,7 +5126,6 @@ static void binder_deferred_release(struct binder_proc *proc) static void binder_deferred_func(struct work_struct *work) { struct binder_proc *proc; - struct files_struct *files; int defer; @@ -5054,23 +5143,11 @@ static void binder_deferred_func(struct work_struct *work) } mutex_unlock(&binder_deferred_lock); - files = NULL; - if (defer & BINDER_DEFERRED_PUT_FILES) { - mutex_lock(&proc->files_lock); - files = proc->files; - if (files) - proc->files = NULL; - mutex_unlock(&proc->files_lock); - } - if (defer & BINDER_DEFERRED_FLUSH) binder_deferred_flush(proc); if (defer & BINDER_DEFERRED_RELEASE) binder_deferred_release(proc); /* frees proc */ - - if (files) - put_files_struct(files); } while (proc); } static DECLARE_WORK(binder_deferred_work, binder_deferred_func); diff --git a/drivers/android/binder_trace.h b/drivers/android/binder_trace.h index 588eb3ec3507..14de7ac57a34 100644 --- a/drivers/android/binder_trace.h +++ b/drivers/android/binder_trace.h @@ -223,22 +223,40 @@ TRACE_EVENT(binder_transaction_ref_to_ref, __entry->dest_ref_debug_id, __entry->dest_ref_desc) ); -TRACE_EVENT(binder_transaction_fd, - TP_PROTO(struct binder_transaction *t, int src_fd, int dest_fd), - TP_ARGS(t, src_fd, dest_fd), +TRACE_EVENT(binder_transaction_fd_send, + TP_PROTO(struct binder_transaction *t, int fd, size_t offset), + TP_ARGS(t, fd, offset), TP_STRUCT__entry( __field(int, debug_id) - __field(int, src_fd) - __field(int, dest_fd) + __field(int, fd) + __field(size_t, offset) + ), + TP_fast_assign( + __entry->debug_id = t->debug_id; + __entry->fd = fd; + __entry->offset = offset; + ), + TP_printk("transaction=%d src_fd=%d offset=%zu", + __entry->debug_id, __entry->fd, __entry->offset) +); + +TRACE_EVENT(binder_transaction_fd_recv, + TP_PROTO(struct binder_transaction *t, int fd, size_t offset), + TP_ARGS(t, fd, offset), + + TP_STRUCT__entry( + __field(int, debug_id) + __field(int, fd) + __field(size_t, offset) ), TP_fast_assign( __entry->debug_id = t->debug_id; - __entry->src_fd = src_fd; - __entry->dest_fd = dest_fd; + __entry->fd = fd; + __entry->offset = offset; ), - TP_printk("transaction=%d src_fd=%d ==> dest_fd=%d", - __entry->debug_id, __entry->src_fd, __entry->dest_fd) + TP_printk("transaction=%d dest_fd=%d offset=%zu", + __entry->debug_id, __entry->fd, __entry->offset) ); DECLARE_EVENT_CLASS(binder_buffer_class, -- 2.25.1

1 30

[PATCH openEuler-1.0-LTS 1/7] sctp: fail if no bound addresses can be used for a given scope
by Yongqiang Liu 08 Mar '23

08 Mar '23

From: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> stable inclusion from stable-v4.19.271 commit 26436553aabfd9b40e1daa537a099bf5bb13fb55 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6I7U3 CVE: CVE-2023-1074 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ] Currently, if you bind the socket to something like: servaddr.sin6_family = AF_INET6; servaddr.sin6_port = htons(0); servaddr.sin6_scope_id = 0; inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); And then request a connect to: connaddr.sin6_family = AF_INET6; connaddr.sin6_port = htons(20000); connaddr.sin6_scope_id = if_nametoindex("lo"); inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); What the stack does is: - bind the socket - create a new asoc - to handle the connect - copy the addresses that can be used for the given scope - try to connect But the copy returns 0 addresses, and the effect is that it ends up trying to connect as if the socket wasn't bound, which is not the desired behavior. This unexpected behavior also allows KASLR leaks through SCTP diag interface. The fix here then is, if when trying to copy the addresses that can be used for the scope used in connect() it returns 0 addresses, bail out. This is what TCP does with a similar reproducer. Reported-by: Pietro Borrello <borrello(a)diag.uniroma1.it> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> Reviewed-by: Xin Long <lucien.xin(a)gmail.com> Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.16744967… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/sctp/bind_addr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c index f8a283245672..d723942e5e65 100644 --- a/net/sctp/bind_addr.c +++ b/net/sctp/bind_addr.c @@ -88,6 +88,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, } } + /* If somehow no addresses were found that can be used with this + * scope, it's an error. + */ + if (list_empty(&dest->address_list)) + error = -ENETUNREACH; + out: if (error) sctp_bind_addr_clean(dest); -- 2.25.1

1 6

[PATCH openEuler-1.0-LTS] sctp: fail if no bound addresses can be used for a given scope
by Yongqiang Liu 08 Mar '23

08 Mar '23

From: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> stable inclusion from stable-v4.19.271 commit 26436553aabfd9b40e1daa537a099bf5bb13fb55 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6I7U3 CVE: CVE-2023-1074 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ] Currently, if you bind the socket to something like: servaddr.sin6_family = AF_INET6; servaddr.sin6_port = htons(0); servaddr.sin6_scope_id = 0; inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); And then request a connect to: connaddr.sin6_family = AF_INET6; connaddr.sin6_port = htons(20000); connaddr.sin6_scope_id = if_nametoindex("lo"); inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); What the stack does is: - bind the socket - create a new asoc - to handle the connect - copy the addresses that can be used for the given scope - try to connect But the copy returns 0 addresses, and the effect is that it ends up trying to connect as if the socket wasn't bound, which is not the desired behavior. This unexpected behavior also allows KASLR leaks through SCTP diag interface. The fix here then is, if when trying to copy the addresses that can be used for the scope used in connect() it returns 0 addresses, bail out. This is what TCP does with a similar reproducer. Reported-by: Pietro Borrello <borrello(a)diag.uniroma1.it> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> Reviewed-by: Xin Long <lucien.xin(a)gmail.com> Link: https://lore.kernel.org/r/9fcd182f1099f86c6661f3717f63712ddd1c676c.16744967… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/sctp/bind_addr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c index f8a283245672..d723942e5e65 100644 --- a/net/sctp/bind_addr.c +++ b/net/sctp/bind_addr.c @@ -88,6 +88,12 @@ int sctp_bind_addr_copy(struct net *net, struct sctp_bind_addr *dest, } } + /* If somehow no addresses were found that can be used with this + * scope, it's an error. + */ + if (list_empty(&dest->address_list)) + error = -ENETUNREACH; + out: if (error) sctp_bind_addr_clean(dest); -- 2.25.1

1 0

[PATCH openEuler-5.10-LTS-SP1 01/30] ovl: fix use inode directly in rcu-walk mode
by Zheng Zengkai 08 Mar '23

08 Mar '23

From: Chen Zhongjin <chenzhongjin(a)huawei.com> stable inclusion from stable-v5.10.163 commit 740c537f52c1f54aff9094744483d1515c7c8b7b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6GCCV Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 672e4268b2863d7e4978dfed29552b31c2f9bd4e upstream. ovl_dentry_revalidate_common() can be called in rcu-walk mode. As document said, "in rcu-walk mode, d_parent and d_inode should not be used without care". Check inode here to protect access under rcu-walk mode. Fixes: bccece1ead36 ("ovl: allow remote upper") Reported-and-tested-by: syzbot+a4055c78774bbf3498bb(a)syzkaller.appspotmail.com Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> Cc: <stable(a)vger.kernel.org> # v5.7 Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Reviewed-by: Yang Erkun <yangerkun(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11(a)huawei.com> --- fs/overlayfs/super.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index 45c596dfe3a3..e3cd5a00f880 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -138,11 +138,16 @@ static int ovl_dentry_revalidate_common(struct dentry *dentry, unsigned int flags, bool weak) { struct ovl_entry *oe = dentry->d_fsdata; + struct inode *inode = d_inode_rcu(dentry); struct dentry *upper; unsigned int i; int ret = 1; - upper = ovl_dentry_upper(dentry); + /* Careful in RCU mode */ + if (!inode) + return -ECHILD; + + upper = ovl_i_dentry_upper(inode); if (upper) ret = ovl_revalidate_real(upper, flags, weak); -- 2.25.1

1 29

2024

2023

2022

2021

2020

2019

Kernel March 2023