June 2023 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] livepatch/powerpc: Fix issue that miss one layer on stack checking
by Zheng Yejian 19 Jun '23

19 Jun '23

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7BMC9 CVE: NA -------------------------------- Suppose task 'T' is running in function 'B', and user is doing livepatch for function 'A', and function 'A' is calling 'B'. Then task 'T' will be interrupted by stop_machine, and suppose that 'B' has not saved the link register (which point to address in 'A') into stack memory, and data in link register position may be invalid, then 'A' would be missed on stack checking. To find a solution, we list following cases (suppose calling chain: P -> A -> B, A runs `bl B`, 'nip' means instruction pointer found in interrupt frame, 'lr' means link register found in interrupt frame, 'frame->pc' means link register saved in first stack frame): 1. 'nip' is in 'A', `bl B` is not executed, then: 'lr' is in 'P', 'frame->pc' should be ignored; 2. 'nip' is in some ppc64_stub or ppc32_plt which also not save link register, then: 'lr' is in 'A', 'frame->pc' should be ignored; 3. 'nip' is in 'B', but 'B' has not saved link register, then: 'lr' is in 'A', 'frame->pc' should be ignored; 4. 'nip' is in 'B', 'B' has saved link register, then: 'lr' is in 'A', 'frame->pc' is also in 'A'; 5. 'nip' is in 'A', 'B' has returned but its stack pointer is not moved, then 'lr' is in 'A', 'frame->pc' is also in 'A'; 6. 'nip' is in 'A', 'B' has returned and its stack pointer is moved, then 'lr' is in 'A', 'frame->pc' is in 'P'. As a conclusion, we need to: 1. check 'nip' or 'lr' or both if they are not in same function; 2. ignore 'frame->pc' if 'nip' and 'lr' are not in same function. Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- arch/powerpc/include/asm/livepatch.h | 11 ++++++++++ arch/powerpc/kernel/livepatch.c | 28 +++++++++++++++++++++++-- arch/powerpc/kernel/livepatch_32.c | 31 +++++++++++++++++++--------- arch/powerpc/kernel/livepatch_64.c | 31 +++++++++++++++++++--------- 4 files changed, 79 insertions(+), 22 deletions(-) diff --git a/arch/powerpc/include/asm/livepatch.h b/arch/powerpc/include/asm/livepatch.h index ae674ea59ab3..285602e637f1 100644 --- a/arch/powerpc/include/asm/livepatch.h +++ b/arch/powerpc/include/asm/livepatch.h @@ -121,9 +121,20 @@ struct arch_klp_data { #define KLP_MAX_REPLACE_SIZE sizeof_field(struct arch_klp_data, old_insns) struct stackframe { + /* stack frame to be unwinded */ unsigned long sp; + /* link register saved in last stack frame */ unsigned long pc; + /* instruction register saved in pt_regs */ unsigned long nip; + /* link register saved in pt_regs */ + unsigned long link; + /* stack frame pointer (r1 register) saved in pt_regs */ + unsigned long sfp; + /* check if nip and link are in same function */ + unsigned int nip_link_in_same_func; + /* check if it is top frame before interrupt */ + unsigned int is_top_frame; }; #ifdef PPC64_ELF_ABI_v1 diff --git a/arch/powerpc/kernel/livepatch.c b/arch/powerpc/kernel/livepatch.c index d568e8c8b16b..5ba38c2c7c5c 100644 --- a/arch/powerpc/kernel/livepatch.c +++ b/arch/powerpc/kernel/livepatch.c @@ -23,6 +23,7 @@ #include <linux/module.h> #include <linux/ftrace.h> #include <linux/livepatch.h> +#include <linux/kallsyms.h> #include <asm/probes.h> #include <asm/livepatch.h> #include <asm/code-patching.h> @@ -67,6 +68,22 @@ int klp_brk_handler(struct pt_regs *regs) return 1; } +static int check_addr_in_same_func(unsigned long addr1, unsigned long addr2) +{ + unsigned long size = 0; + unsigned long offset = 0; + unsigned long start; + + if (addr1 == 0 || addr2 == 0) + return 0; + if (addr1 == addr2) + return 1; + if (!kallsyms_lookup_size_offset(addr1, &size, &offset)) + return 0; + start = addr1 - offset; + return (addr2 >= start) && (addr2 - start < size); +} + int klp_unwind_frame(struct task_struct *tsk, struct stackframe *frame) { unsigned long *stack; @@ -79,7 +96,10 @@ int klp_unwind_frame(struct task_struct *tsk, struct stackframe *frame) if (frame->nip != 0) frame->nip = 0; + if (frame->link != 0) + frame->link = 0; + frame->is_top_frame = (frame->sfp == frame->sp); stack = (unsigned long *)frame->sp; /* @@ -94,10 +114,14 @@ int klp_unwind_frame(struct task_struct *tsk, struct stackframe *frame) struct pt_regs *regs = (struct pt_regs *) (frame->sp + STACK_FRAME_OVERHEAD); frame->nip = regs->nip; - pr_debug("--- interrupt: task = %d/%s, trap %lx at NIP=x%lx/%pS, LR=0x%lx/%pS\n", + frame->link = regs->link; + frame->sfp = regs->gpr[PT_R1]; + frame->nip_link_in_same_func = check_addr_in_same_func(frame->nip, frame->link); + pr_debug("--- interrupt: task = %d/%s, trap %lx at NIP=0x%lx/%pS, LR=0x%lx/%pS, SFP=0x%lx, nip_link_in_same_func=%u\n", tsk->pid, tsk->comm, regs->trap, regs->nip, (void *)regs->nip, - regs->link, (void *)regs->link); + regs->link, (void *)regs->link, + frame->sfp, frame->nip_link_in_same_func); } frame->sp = stack[0]; diff --git a/arch/powerpc/kernel/livepatch_32.c b/arch/powerpc/kernel/livepatch_32.c index 7b4ed23bf2ca..4ca060db93b2 100644 --- a/arch/powerpc/kernel/livepatch_32.c +++ b/arch/powerpc/kernel/livepatch_32.c @@ -254,13 +254,21 @@ static int klp_check_jump_func(struct stackframe *frame, void *data) struct walk_stackframe_args *args = data; struct klp_func_list *check_funcs = args->check_funcs; - /* check the PC first */ - if (!check_func_list(check_funcs, &args->ret, frame->pc)) - return args->ret; - /* check NIP when the exception stack switching */ if (frame->nip && !check_func_list(check_funcs, &args->ret, frame->nip)) return args->ret; + if (frame->link && !frame->nip_link_in_same_func && + !check_func_list(check_funcs, &args->ret, frame->link)) + return args->ret; + /* + * There are two cases that frame->pc is reliable: + * 1. frame->pc is not in top frame before interrupt; + * 2. nip and link are in same function; + */ + if (!frame->is_top_frame || frame->nip_link_in_same_func) { + if (!check_func_list(check_funcs, &args->ret, frame->pc)) + return args->ret; + } return 0; } @@ -280,10 +288,11 @@ static int do_check_calltrace(struct walk_stackframe_args *args, int (*fn)(struct stackframe *, void *)) { struct task_struct *g, *t; - struct stackframe frame; unsigned long *stack; for_each_process_thread(g, t) { + struct stackframe frame = { 0 }; + if (t == current) { /* * Handle the current carefully on each CPUs, we shouldn't @@ -311,7 +320,6 @@ static int do_check_calltrace(struct walk_stackframe_args *args, frame.sp = (unsigned long)stack; frame.pc = stack[STACK_FRAME_LR_SAVE]; - frame.nip = 0; klp_walk_stackframe(&frame, fn, t, args); if (args->ret) { pr_info("PID: %d Comm: %.20s\n", t->pid, t->comm); @@ -350,13 +358,16 @@ static int check_module_calltrace(struct stackframe *frame, void *data) { struct walk_stackframe_args *args = data; - /* check the PC first */ - if (within_module_core(frame->pc, args->mod)) - goto err_out; - /* check NIP when the exception stack switching */ if (frame->nip && within_module_core(frame->nip, args->mod)) goto err_out; + if (frame->link && !frame->nip_link_in_same_func && + within_module_core(frame->link, args->mod)) + goto err_out; + if (!frame->is_top_frame || frame->nip_link_in_same_func) { + if (within_module_core(frame->pc, args->mod)) + goto err_out; + } return 0; diff --git a/arch/powerpc/kernel/livepatch_64.c b/arch/powerpc/kernel/livepatch_64.c index a2ec7c8c1bad..b33839b5916a 100644 --- a/arch/powerpc/kernel/livepatch_64.c +++ b/arch/powerpc/kernel/livepatch_64.c @@ -273,13 +273,21 @@ static int klp_check_jump_func(struct stackframe *frame, void *data) struct walk_stackframe_args *args = data; struct klp_func_list *check_funcs = args->check_funcs; - /* check the PC first */ - if (!check_func_list(check_funcs, &args->ret, frame->pc)) - return args->ret; - /* check NIP when the exception stack switching */ if (frame->nip && !check_func_list(check_funcs, &args->ret, frame->nip)) return args->ret; + if (frame->link && !frame->nip_link_in_same_func && + !check_func_list(check_funcs, &args->ret, frame->link)) + return args->ret; + /* + * There are two cases that frame->pc is reliable: + * 1. frame->pc is not in top frame before interrupt; + * 2. nip and link are in same function; + */ + if (!frame->is_top_frame || frame->nip_link_in_same_func) { + if (!check_func_list(check_funcs, &args->ret, frame->pc)) + return args->ret; + } return 0; } @@ -299,10 +307,11 @@ static int do_check_calltrace(struct walk_stackframe_args *args, int (*fn)(struct stackframe *, void *)) { struct task_struct *g, *t; - struct stackframe frame; unsigned long *stack; for_each_process_thread(g, t) { + struct stackframe frame = { 0 }; + if (t == current) { /* * Handle the current carefully on each CPUs, @@ -332,7 +341,6 @@ static int do_check_calltrace(struct walk_stackframe_args *args, frame.sp = (unsigned long)stack; frame.pc = stack[STACK_FRAME_LR_SAVE]; - frame.nip = 0; klp_walk_stackframe(&frame, fn, t, args); if (args->ret) { pr_debug("%s FAILED when %s\n", __func__, @@ -373,13 +381,16 @@ static int check_module_calltrace(struct stackframe *frame, void *data) { struct walk_stackframe_args *args = data; - /* check the PC first */ - if (within_module_core(frame->pc, args->mod)) - goto err_out; - /* check NIP when the exception stack switching */ if (frame->nip && within_module_core(frame->nip, args->mod)) goto err_out; + if (frame->link && !frame->nip_link_in_same_func && + within_module_core(frame->link, args->mod)) + goto err_out; + if (!frame->is_top_frame || frame->nip_link_in_same_func) { + if (within_module_core(frame->pc, args->mod)) + goto err_out; + } return 0; -- 2.25.1

2 1

[PATCH OLK-5.10 0/1] xhci:fix USB xhci controller issue
by liulongfang 16 Jun '23

16 Jun '23

When the current HiSilicon USB xhci controller formats the faulty U disk, it will trigger a controller exception error. This will cause errors in the control logic of the xhci controller and driver software. In the end, all USB devices on the xhci controller cannot be used. By introducing a noop command operation, restore the logic of the xhci controller and driver software, and restore all USB devices on the xhci controller to normal. Longfang Liu (1): xhci:fix USB xhci controller issue drivers/usb/host/xhci-pci.c | 4 ++++ drivers/usb/host/xhci-ring.c | 6 +++++- drivers/usb/host/xhci.h | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) -- 2.24.0

2 2

[PATCH openEuler-1.0-LTS] net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
by Yongqiang Liu 15 Jun '23

15 Jun '23

From: Dong Chenchen <dongchenchen2(a)huawei.com> stable inclusion from stable-v4.19.283 commit d2309e0cb27b6871b273fbc1725e93be62570d86 category: bugfix bugzilla: 188702, https://gitee.com/openeuler/kernel/issues/I7DUPI CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ] As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() use skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use correct mac_offset to restore mac_header and get rid of nhoff. Fixes: c411ed854584 ("nsh: add GSO support") Reported-by: syzbot+632b5d9964208bfef8c0(a)syzkaller.appspotmail.com Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/nsh/nsh.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c index 1a30e165eeb4..a5fa25555d7e 100644 --- a/net/nsh/nsh.c +++ b/net/nsh/nsh.c @@ -80,13 +80,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, netdev_features_t features) { struct sk_buff *segs = ERR_PTR(-EINVAL); + u16 mac_offset = skb->mac_header; unsigned int nsh_len, mac_len; __be16 proto; - int nhoff; skb_reset_network_header(skb); - nhoff = skb->network_header - skb->mac_header; mac_len = skb->mac_len; if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN))) @@ -111,15 +110,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb, segs = skb_mac_gso_segment(skb, features); if (IS_ERR_OR_NULL(segs)) { skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len, - skb->network_header - nhoff, - mac_len); + mac_offset, mac_len); goto out; } for (skb = segs; skb; skb = skb->next) { skb->protocol = htons(ETH_P_NSH); __skb_push(skb, nsh_len); - skb_set_mac_header(skb, -nhoff); + skb->mac_header = mac_offset; skb->network_header = skb->mac_header + mac_len; skb->mac_len = mac_len; } -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS 0/5] Some fixes for smart grid
by Zhang Changzhong 15 Jun '23

15 Jun '23

Some fixes for smart grid, as follows: Hui Tang (5): sched: Add static key to reduce noise sched: fix smart grid usage count sched: fix WARN found by deadlock detect sched: Fix possible deadlock in tg_set_dynamic_affinity_mode sched: Fix negative count for jump label include/linux/sched.h | 1 + include/linux/sched/grid_qos.h | 12 ++++ kernel/cgroup/cpuset.c | 3 + kernel/sched/core.c | 9 +-- kernel/sched/fair.c | 148 +++++++++++++++++++++++++++++------------ kernel/sched/grid/qos.c | 14 ++-- 6 files changed, 132 insertions(+), 55 deletions(-) -- 2.9.5

1 5

[openEuler-22.03-LTS] ipv6: rpl: Fix Route of Death.
by Wang Yufen 15 Jun '23

15 Jun '23

From: Kuniyuki Iwashima <kuniyu(a)amazon.com> mainline inclusion from mainline-v6.4-rc6 commit a2f4c143d76b1a47c91ef9bc46907116b111da0b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I70CLW CVE: CVE-2023-2156 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A remote DoS vulnerability of RPL Source Routing is assigned CVE-2023-2156. The Source Routing Header (SRH) has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CmprI | CmprE | Pad | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Addresses[1..n] . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The originator of an SRH places the first hop's IPv6 address in the IPv6 header's IPv6 Destination Address and the second hop's IPv6 address as the first address in Addresses[1..n]. The CmprI and CmprE fields indicate the number of prefix octets that are shared with the IPv6 Destination Address. When CmprI or CmprE is not 0, Addresses[1..n] are compressed as follows: 1..n-1 : (16 - CmprI) bytes n : (16 - CmprE) bytes Segments Left indicates the number of route segments remaining. When the value is not zero, the SRH is forwarded to the next hop. Its address is extracted from Addresses[n - Segment Left + 1] and swapped with IPv6 Destination Address. When Segment Left is greater than or equal to 2, the size of SRH is not changed because Addresses[1..n-1] are decompressed and recompressed with CmprI. OTOH, when Segment Left changes from 1 to 0, the new SRH could have a different size because Addresses[1..n-1] are decompressed with CmprI and recompressed with CmprE. Let's say CmprI is 15 and CmprE is 0. When we receive SRH with Segment Left >= 2, Addresses[1..n-1] have 1 byte for each, and Addresses[n] has 16 bytes. When Segment Left is 1, Addresses[1..n-1] is decompressed to 16 bytes and not recompressed. Finally, the new SRH will need more room in the header, and the size is (16 - 1) * (n - 1) bytes. Here the max value of n is 255 as Segment Left is u8, so in the worst case, we have to allocate 3825 bytes in the skb headroom. However, now we only allocate a small fixed buffer that is IPV6_RPL_SRH_WORST_SWAP_SIZE (16 + 7 bytes). If the decompressed size overflows the room, skb_push() hits BUG() below [0]. Instead of allocating the fixed buffer for every packet, let's allocate enough headroom only when we receive SRH with Segment Left 1. [0]: skbuff: skb_under_panic: text:ffffffff81c9f6e2 len:576 put:576 head:ffff8880070b5180 data:ffff8880070b4fb0 tail:0x70 end:0x140 dev:lo kernel BUG at net/core/skbuff.c:200! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 154 Comm: python3 Not tainted 6.4.0-rc4-00190-gc308e9ec0047 #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:skb_panic (net/core/skbuff.c:200) Code: 4f 70 50 8b 87 bc 00 00 00 50 8b 87 b8 00 00 00 50 ff b7 c8 00 00 00 4c 8b 8f c0 00 00 00 48 c7 c7 80 6e 77 82 e8 ad 8b 60 ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90000003da0 EFLAGS: 00000246 RAX: 0000000000000085 RBX: ffff8880058a6600 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88807dc1c540 RDI: ffff88807dc1c540 RBP: ffffc90000003e48 R08: ffffffff82b392c8 R09: 00000000ffffdfff R10: ffffffff82a592e0 R11: ffffffff82b092e0 R12: ffff888005b1c800 R13: ffff8880070b51b8 R14: ffff888005b1ca18 R15: ffff8880070b5190 FS: 00007f4539f0b740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055670baf3000 CR3: 0000000005b0e000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> skb_push (net/core/skbuff.c:210) ipv6_rthdr_rcv (./include/linux/skbuff.h:2880 net/ipv6/exthdrs.c:634 net/ipv6/exthdrs.c:718) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) ip6_input_finish (./include/linux/rcupdate.h:805 net/ipv6/ip6_input.c:483) __netif_receive_skb_one_core (net/core/dev.c:5494) process_backlog (./include/linux/rcupdate.h:805 net/core/dev.c:5934) __napi_poll (net/core/dev.c:6496) net_rx_action (net/core/dev.c:6565 net/core/dev.c:6696) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) do_softirq (kernel/softirq.c:472 kernel/softirq.c:459) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:396) __dev_queue_xmit (net/core/dev.c:4272) ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:134) rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) sock_sendmsg (net/socket.c:724 net/socket.c:747) __sys_sendto (net/socket.c:2144) __x64_sys_sendto (net/socket.c:2156 net/socket.c:2152 net/socket.c:2152) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x7f453a138aea Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 RSP: 002b:00007ffcc212a1c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007ffcc212a288 RCX: 00007f453a138aea RDX: 0000000000000060 RSI: 00007f4539084c20 RDI: 0000000000000003 RBP: 00007f4538308e80 R08: 00007ffcc212a300 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f4539712d1b </TASK> Modules linked in: Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr") Reported-by: Max VA Closes: https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20230605180617.67284-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Wang Yufen <wangyufen(a)huawei.com> --- include/net/rpl.h | 3 --- net/ipv6/exthdrs.c | 29 +++++++++++------------------ 2 files changed, 11 insertions(+), 21 deletions(-) diff --git a/include/net/rpl.h b/include/net/rpl.h index 308ef0a..30fe780 100644 --- a/include/net/rpl.h +++ b/include/net/rpl.h @@ -23,9 +23,6 @@ static inline int rpl_init(void) static inline void rpl_exit(void) {} #endif -/* Worst decompression memory usage ipv6 address (16) + pad 7 */ -#define IPV6_RPL_SRH_WORST_SWAP_SIZE (sizeof(struct in6_addr) + 7) - size_t ipv6_rpl_srh_size(unsigned char n, unsigned char cmpri, unsigned char cmpre); diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index 4932dea..cdad901 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -552,24 +552,6 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb) return -1; } - if (skb_cloned(skb)) { - if (pskb_expand_head(skb, IPV6_RPL_SRH_WORST_SWAP_SIZE, 0, - GFP_ATOMIC)) { - __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), - IPSTATS_MIB_OUTDISCARDS); - kfree_skb(skb); - return -1; - } - } else { - err = skb_cow_head(skb, IPV6_RPL_SRH_WORST_SWAP_SIZE); - if (unlikely(err)) { - kfree_skb(skb); - return -1; - } - } - - hdr = (struct ipv6_rpl_sr_hdr *)skb_transport_header(skb); - if (!pskb_may_pull(skb, ipv6_rpl_srh_size(n, hdr->cmpri, hdr->cmpre))) { kfree_skb(skb); @@ -615,6 +597,17 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb) skb_pull(skb, ((hdr->hdrlen + 1) << 3)); skb_postpull_rcsum(skb, oldhdr, sizeof(struct ipv6hdr) + ((hdr->hdrlen + 1) << 3)); + if (unlikely(!hdr->segments_left)) { + if (pskb_expand_head(skb, sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3), 0, + GFP_ATOMIC)) { + __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_OUTDISCARDS); + kfree_skb(skb); + kfree(buf); + return -1; + } + + oldhdr = ipv6_hdr(skb); + } skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr)); skb_reset_network_header(skb); skb_mac_header_rebuild(skb); -- 1.8.3.1

1 0

[OLK-5.10] ipv6: rpl: Fix Route of Death.
by Wang Yufen 15 Jun '23

15 Jun '23

From: Kuniyuki Iwashima <kuniyu(a)amazon.com> mainline inclusion from mainline-v6.4-rc6 commit a2f4c143d76b1a47c91ef9bc46907116b111da0b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I70CLW CVE: CVE-2023-2156 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- A remote DoS vulnerability of RPL Source Routing is assigned CVE-2023-2156. The Source Routing Header (SRH) has the following format: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CmprI | CmprE | Pad | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Addresses[1..n] . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The originator of an SRH places the first hop's IPv6 address in the IPv6 header's IPv6 Destination Address and the second hop's IPv6 address as the first address in Addresses[1..n]. The CmprI and CmprE fields indicate the number of prefix octets that are shared with the IPv6 Destination Address. When CmprI or CmprE is not 0, Addresses[1..n] are compressed as follows: 1..n-1 : (16 - CmprI) bytes n : (16 - CmprE) bytes Segments Left indicates the number of route segments remaining. When the value is not zero, the SRH is forwarded to the next hop. Its address is extracted from Addresses[n - Segment Left + 1] and swapped with IPv6 Destination Address. When Segment Left is greater than or equal to 2, the size of SRH is not changed because Addresses[1..n-1] are decompressed and recompressed with CmprI. OTOH, when Segment Left changes from 1 to 0, the new SRH could have a different size because Addresses[1..n-1] are decompressed with CmprI and recompressed with CmprE. Let's say CmprI is 15 and CmprE is 0. When we receive SRH with Segment Left >= 2, Addresses[1..n-1] have 1 byte for each, and Addresses[n] has 16 bytes. When Segment Left is 1, Addresses[1..n-1] is decompressed to 16 bytes and not recompressed. Finally, the new SRH will need more room in the header, and the size is (16 - 1) * (n - 1) bytes. Here the max value of n is 255 as Segment Left is u8, so in the worst case, we have to allocate 3825 bytes in the skb headroom. However, now we only allocate a small fixed buffer that is IPV6_RPL_SRH_WORST_SWAP_SIZE (16 + 7 bytes). If the decompressed size overflows the room, skb_push() hits BUG() below [0]. Instead of allocating the fixed buffer for every packet, let's allocate enough headroom only when we receive SRH with Segment Left 1. [0]: skbuff: skb_under_panic: text:ffffffff81c9f6e2 len:576 put:576 head:ffff8880070b5180 data:ffff8880070b4fb0 tail:0x70 end:0x140 dev:lo kernel BUG at net/core/skbuff.c:200! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 154 Comm: python3 Not tainted 6.4.0-rc4-00190-gc308e9ec0047 #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:skb_panic (net/core/skbuff.c:200) Code: 4f 70 50 8b 87 bc 00 00 00 50 8b 87 b8 00 00 00 50 ff b7 c8 00 00 00 4c 8b 8f c0 00 00 00 48 c7 c7 80 6e 77 82 e8 ad 8b 60 ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90000003da0 EFLAGS: 00000246 RAX: 0000000000000085 RBX: ffff8880058a6600 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88807dc1c540 RDI: ffff88807dc1c540 RBP: ffffc90000003e48 R08: ffffffff82b392c8 R09: 00000000ffffdfff R10: ffffffff82a592e0 R11: ffffffff82b092e0 R12: ffff888005b1c800 R13: ffff8880070b51b8 R14: ffff888005b1ca18 R15: ffff8880070b5190 FS: 00007f4539f0b740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055670baf3000 CR3: 0000000005b0e000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <IRQ> skb_push (net/core/skbuff.c:210) ipv6_rthdr_rcv (./include/linux/skbuff.h:2880 net/ipv6/exthdrs.c:634 net/ipv6/exthdrs.c:718) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) ip6_input_finish (./include/linux/rcupdate.h:805 net/ipv6/ip6_input.c:483) __netif_receive_skb_one_core (net/core/dev.c:5494) process_backlog (./include/linux/rcupdate.h:805 net/core/dev.c:5934) __napi_poll (net/core/dev.c:6496) net_rx_action (net/core/dev.c:6565 net/core/dev.c:6696) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) do_softirq (kernel/softirq.c:472 kernel/softirq.c:459) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:396) __dev_queue_xmit (net/core/dev.c:4272) ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:134) rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) sock_sendmsg (net/socket.c:724 net/socket.c:747) __sys_sendto (net/socket.c:2144) __x64_sys_sendto (net/socket.c:2156 net/socket.c:2152 net/socket.c:2152) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x7f453a138aea Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 RSP: 002b:00007ffcc212a1c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007ffcc212a288 RCX: 00007f453a138aea RDX: 0000000000000060 RSI: 00007f4539084c20 RDI: 0000000000000003 RBP: 00007f4538308e80 R08: 00007ffcc212a300 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f4539712d1b </TASK> Modules linked in: Fixes: 8610c7c6e3bd ("net: ipv6: add support for rpl sr exthdr") Reported-by: Max VA Closes: https://www.interruptlabs.co.uk/articles/linux-ipv6-route-of-death Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20230605180617.67284-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Wang Yufen <wangyufen(a)huawei.com> --- include/net/rpl.h | 3 --- net/ipv6/exthdrs.c | 29 +++++++++++------------------ 2 files changed, 11 insertions(+), 21 deletions(-) diff --git a/include/net/rpl.h b/include/net/rpl.h index 308ef0a..30fe780 100644 --- a/include/net/rpl.h +++ b/include/net/rpl.h @@ -23,9 +23,6 @@ static inline int rpl_init(void) static inline void rpl_exit(void) {} #endif -/* Worst decompression memory usage ipv6 address (16) + pad 7 */ -#define IPV6_RPL_SRH_WORST_SWAP_SIZE (sizeof(struct in6_addr) + 7) - size_t ipv6_rpl_srh_size(unsigned char n, unsigned char cmpri, unsigned char cmpre); diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index 4932dea..cdad901 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -552,24 +552,6 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb) return -1; } - if (skb_cloned(skb)) { - if (pskb_expand_head(skb, IPV6_RPL_SRH_WORST_SWAP_SIZE, 0, - GFP_ATOMIC)) { - __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), - IPSTATS_MIB_OUTDISCARDS); - kfree_skb(skb); - return -1; - } - } else { - err = skb_cow_head(skb, IPV6_RPL_SRH_WORST_SWAP_SIZE); - if (unlikely(err)) { - kfree_skb(skb); - return -1; - } - } - - hdr = (struct ipv6_rpl_sr_hdr *)skb_transport_header(skb); - if (!pskb_may_pull(skb, ipv6_rpl_srh_size(n, hdr->cmpri, hdr->cmpre))) { kfree_skb(skb); @@ -615,6 +597,17 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb) skb_pull(skb, ((hdr->hdrlen + 1) << 3)); skb_postpull_rcsum(skb, oldhdr, sizeof(struct ipv6hdr) + ((hdr->hdrlen + 1) << 3)); + if (unlikely(!hdr->segments_left)) { + if (pskb_expand_head(skb, sizeof(struct ipv6hdr) + ((chdr->hdrlen + 1) << 3), 0, + GFP_ATOMIC)) { + __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_OUTDISCARDS); + kfree_skb(skb); + kfree(buf); + return -1; + } + + oldhdr = ipv6_hdr(skb); + } skb_push(skb, ((chdr->hdrlen + 1) << 3) + sizeof(struct ipv6hdr)); skb_reset_network_header(skb); skb_mac_header_rebuild(skb); -- 1.8.3.1

1 0

[PATCH openEuler-1.0-LTS] firewire: fix potential uaf in outbound_phy_packet_callback()
by Yongqiang Liu 15 Jun '23

15 Jun '23

From: Chengfeng Ye <cyeaa(a)connect.ust.hk> stable inclusion from stable-v4.19.242 commit 34380b5647f13fecb458fea9a3eb3d8b3a454709 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7BYU9 CVE: CVE-2023-3159 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b7c81f80246fac44077166f3e07103affe6db8ff upstream. &e->event and e point to the same address, and &e->event could be freed in queue_event. So there is a potential uaf issue if we dereference e after calling queue_event(). Fix this by adding a temporary variable to maintain e->client in advance, this can avoid the potential uaf issue. Cc: <stable(a)vger.kernel.org> Signed-off-by: Chengfeng Ye <cyeaa(a)connect.ust.hk> Signed-off-by: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> Link: https://lore.kernel.org/r/20220409041243.603210-2-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wei Li <liwei391(a)huawei.com> Reviewed-by: Wang Weiyang <wangweiyang2(a)huawei.com> Reviewed-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/firewire/core-cdev.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index 16a7045736a9..3b4a396d76cd 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c @@ -1495,6 +1495,7 @@ static void outbound_phy_packet_callback(struct fw_packet *packet, { struct outbound_phy_packet_event *e = container_of(packet, struct outbound_phy_packet_event, p); + struct client *e_client; switch (status) { /* expected: */ @@ -1511,9 +1512,10 @@ static void outbound_phy_packet_callback(struct fw_packet *packet, } e->phy_packet.data[0] = packet->timestamp; + e_client = e->client; queue_event(e->client, &e->event, &e->phy_packet, sizeof(e->phy_packet) + e->phy_packet.length, NULL, 0); - client_put(e->client); + client_put(e_client); } static int ioctl_send_phy_packet(struct client *client, union ioctl_arg *arg) -- 2.25.1

1 0

[PATCH openEuler-22.03-LTS-SP2 v2] tools: add sample sockmap code for redis
by Liu Jian 15 Jun '23

15 Jun '23

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7DNAP CVE: N/A ---------------------------------------------------- add sample sockmap code for redis Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- tools/netacc/Makefile | 24 +++ tools/netacc/bpf_sockmap.h | 148 +++++++++++++++++++ tools/netacc/net-acc | 34 +++++ tools/netacc/redis_acc.c | 280 +++++++++++++++++++++++++++++++++++ tools/netacc/redissockmap.c | 287 ++++++++++++++++++++++++++++++++++++ 5 files changed, 773 insertions(+) create mode 100644 tools/netacc/Makefile create mode 100644 tools/netacc/bpf_sockmap.h create mode 100755 tools/netacc/net-acc create mode 100644 tools/netacc/redis_acc.c create mode 100644 tools/netacc/redissockmap.c diff --git a/tools/netacc/Makefile b/tools/netacc/Makefile new file mode 100644 index 000000000000..bf1db37414d8 --- /dev/null +++ b/tools/netacc/Makefile @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: GPL-2.0 + +INSTALL ?= install +CLANG ?= clang +CC ?= gcc +BPFTOOL ?= bpftool +TOPDIR = ../.. +MKFLAGS = -I$(TOPDIR)/tools/lib +LDLIBBPF = -L$(TOPDIR)/tools/lib/bpf/ -l:libbpf.a + +all: + $(CLANG) -O2 -g -Wall -target bpf $(MKFLAGS) -c redissockmap.c -o redissockmap.o + $(BPFTOOL) gen skeleton redissockmap.o > redis_acc.skel.h + $(CC) -O2 -g -Wall $(MKFLAGS) redis_acc.c -o redis_acc $(LDLIBBPF) -lelf -lz + +clean: + rm -f redis_acc + rm -f redis_acc.skel.h + rm -f *.o + +install: + mkdir -p $(INSTALL_ROOT)/usr/sbin/tuned_acc/ + $(INSTALL) -m 755 net-acc $(INSTALL_ROOT)/usr/sbin/ + $(INSTALL) -m 755 redis_acc $(INSTALL_ROOT)/usr/sbin/tuned_acc/ diff --git a/tools/netacc/bpf_sockmap.h b/tools/netacc/bpf_sockmap.h new file mode 100644 index 000000000000..8edcc6624593 --- /dev/null +++ b/tools/netacc/bpf_sockmap.h @@ -0,0 +1,148 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* Copyright(c) 2023 Huawei Technologies Co., Ltd + */ + +#ifndef __BPF_SOCKMAP_H__ +#define __BPF_SOCKMAP_H__ + +#include <stddef.h> +#include <stdbool.h> +#include <linux/types.h> +#include <linux/bpf.h> + +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_endian.h> + +#define LOG_DEBUG 0 +#define SOCKMAP_SIZE 100000 + +#if LOG_DEBUG +#define net_dbg bpf_printk +#define net_err bpf_printk +#else +#define net_dbg(fmt, ...) do {} while (0) +#define net_err bpf_printk +#endif + +struct sock_key { + __u32 sip4; + __u32 dip4; + __u32 sport; + __u32 dport; +} __attribute__((packed)); + +struct { + __uint(type, BPF_MAP_TYPE_SOCKHASH); + __type(key, struct sock_key); + __type(value, int); + __uint(max_entries, SOCKMAP_SIZE); + __uint(map_flags, 0); +} redissock_map SEC(".maps"); + +struct sock_info { + __u64 redir_rx_cnt; + __u64 redir_tx_cnt; + int sk_flags; +}; + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, struct sock_key); + __type(value, struct sock_info); + __uint(max_entries, SOCKMAP_SIZE); + __uint(map_flags, 0); +} sockflag_map SEC(".maps"); + +static inline void sock_key2peerkey(struct sock_key *key, struct sock_key *peer_key) +{ + peer_key->sip4 = key->dip4; + peer_key->sport = key->dport; + peer_key->dip4 = key->sip4; + peer_key->dport = key->sport; +} + +static inline void extract_key4_from_ops(struct bpf_sock_ops *ops, struct sock_key *key) +{ + key->dip4 = ops->remote_ip4; + key->sip4 = ops->local_ip4; + + // local_port is in host byte order + // and remote_port is in network byte order + key->sport = ops->local_port; + key->dport = bpf_ntohl(ops->remote_port); +} + +static inline void bpf_sock_ops_ipv4(struct bpf_sock_ops *skops) +{ + struct sock_key key = {}; + + extract_key4_from_ops(skops, &key); + bpf_sock_hash_update(skops, &redissock_map, &key, BPF_NOEXIST); +} + +static inline void bpf_sockmap_ipv4_insert(struct bpf_sock_ops *skops) +{ + if (bpf_ntohl(skops->remote_port) == 22 || skops->local_port == 22) + return; + + bpf_sock_ops_ipv4(skops); +} + +static inline void bpf_sockmap_ipv4_cleanup(struct bpf_sock_ops *skops, __u64 *cnt) +{ + struct sock_info *p_skinfo = NULL; + struct sock_key key = {}; + + extract_key4_from_ops(skops, &key); + p_skinfo = bpf_map_lookup_elem(&sockflag_map, &key); + if (p_skinfo) { + if (cnt) + *cnt = p_skinfo->redir_tx_cnt; + bpf_map_delete_elem(&sockflag_map, &key); + } +} + +static inline void extract_key4_from_msg(struct sk_msg_md *msg, struct sock_key *key) +{ + key->sip4 = msg->local_ip4; + key->dip4 = msg->remote_ip4; + + // local_port is in host byte order + // and remote_port is in network byte order + key->sport = msg->local_port; + key->dport = bpf_ntohl(msg->remote_port); +} + +SEC("sk_msg") int redis_redir(struct sk_msg_md *msg) +{ + struct sock_info *p_skinfo = NULL; + struct sock_info skinfo = {0}; + struct sock_key peer_key = {}; + struct sock_key key = {}; + int ret, addinfo = 0; + + extract_key4_from_msg(msg, &key); + sock_key2peerkey(&key, &peer_key); + + p_skinfo = bpf_map_lookup_elem(&sockflag_map, &key); + if (p_skinfo != NULL && p_skinfo->sk_flags == 1) + return SK_PASS; + + if (p_skinfo == NULL) { + addinfo = 1; + p_skinfo = &skinfo; + } + + ret = bpf_msg_redirect_hash(msg, &redissock_map, &peer_key, BPF_F_INGRESS); + if (ret == SK_DROP) { + if (p_skinfo->sk_flags != 1) + p_skinfo->sk_flags = 1; + } + + p_skinfo->redir_tx_cnt++; + if (addinfo) + bpf_map_update_elem(&sockflag_map, &key, p_skinfo, BPF_ANY); + + return SK_PASS; +} +#endif diff --git a/tools/netacc/net-acc b/tools/netacc/net-acc new file mode 100755 index 000000000000..f3db4803ced3 --- /dev/null +++ b/tools/netacc/net-acc @@ -0,0 +1,34 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 + +function usage() { + echo "" + echo "Usage:" + echo " $0 [enable | disable]" + echo "" +} + +function mount_cgp2() { + CGP2=`mount | grep cgroup2` + if [[ "$CGP2"X == "X" ]]; then + CGP2_PATCH=/sys/fs/cgroup/tunned-acc + mount -o rw,remount /sys/fs/cgroup + mkdir -p ${CGP2_PATCH} + mount -t cgroup2 -o nosuid,nodev,noexec none ${CGP2_PATCH} + mount -o ro,remount /sys/fs/cgroup + fi +} + +CMD=$1 + +if [[ "$CMD"X == "enableX" ]]; then + mount_cgp2 + modprobe localip + /usr/sbin/tuned_acc/redis_acc enable +elif [[ "$CMD"X == "disableX" ]]; then + /usr/sbin/tuned_acc/redis_acc disable + rmmod localip + exit 0 +else + usage; +fi diff --git a/tools/netacc/redis_acc.c b/tools/netacc/redis_acc.c new file mode 100644 index 000000000000..2c41d8b06fac --- /dev/null +++ b/tools/netacc/redis_acc.c @@ -0,0 +1,280 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright(c) 2023 Huawei Technologies Co., Ltd + */ + +#include <argp.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/resource.h> +#include <time.h> +#include <unistd.h> +#include <sys/stat.h> +#include <fcntl.h> + +#include <bpf/libbpf.h> +#include <bpf/bpf.h> +#include "redis_acc.skel.h" + +#ifndef ARRAY_SIZE +#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) +#endif + +#define CG_PATH "/sys/fs/cgroup/tunned-acc" +#define PIN_PATH "/sys/fs/bpf/redis/" + +static int bump_memlock_rlimit(void) +{ + struct rlimit rlim_new = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + + return setrlimit(RLIMIT_MEMLOCK, &rlim_new); +} + +struct net_acc_prog_info { + const char *prog_name; + const char *pin_path; + void **prog; + int *fd; +}; + +struct net_acc_map_info { + const char *map_name; + char *pin_path; + void **map; + int *fd; +}; + +struct { + int redis_sockops_fd; + int redis_redir_fd; + int redissock_map_fd; +} net_acc_fds; + +struct { + void *redis_sockops_obj; + void *redis_redir_obj; + void *redissock_map_obj; +} net_acc_obj; + +static struct net_acc_prog_info prog_infos[] = { + { + .prog_name = "redis_sockops", + .pin_path = PIN_PATH"sockops", + .prog = &net_acc_obj.redis_sockops_obj, + .fd = &net_acc_fds.redis_sockops_fd, + }, + { + .prog_name = "redis_redir", + .pin_path = PIN_PATH"sk_msg", + .prog = &net_acc_obj.redis_redir_obj, + .fd = &net_acc_fds.redis_redir_fd, + } +}; + +static struct net_acc_map_info map_infos[] = { + { + .map_name = "redissock_map", + .pin_path = PIN_PATH"redissock_map", + .map = &net_acc_obj.redissock_map_obj, + .fd = &net_acc_fds.redissock_map_fd, + } +}; + +int cg_fd = -1; +struct redissockmap *skel; + +int net_acc_enabled(void) +{ + int map_fd; + + map_fd = bpf_obj_get(map_infos[0].pin_path); + if (map_fd < 0) + return 0; + + close(map_fd); + return 1; +} + +int pin_prog_map(void) +{ + int i, mapj, progj; + int err = 0; + + mapj = ARRAY_SIZE(map_infos); + for (i = 0; i < mapj; i++) { + if (*map_infos[i].map) + err = bpf_map__pin(*map_infos[i].map, map_infos[i].pin_path); + if (err) { + mapj = i; + goto err1; + } + } + + progj = ARRAY_SIZE(prog_infos); + for (i = 0; i < progj; i++) { + if (*prog_infos[i].prog) + err = bpf_program__pin(*prog_infos[i].prog, prog_infos[i].pin_path); + if (err) { + progj = i; + goto err2; + } + } + return 0; +err2: + for (i = 0; i < progj; i++) { + if (*prog_infos[i].prog) + bpf_program__unpin(*prog_infos[i].prog, prog_infos[i].pin_path); + } +err1: + for (i = 0; i < mapj; i++) { + if (*map_infos[i].map) + bpf_map__unpin(*map_infos[i].map, map_infos[i].pin_path); + } + return 1; +} + +int attach_manually(void) +{ + int err; + + err = bpf_prog_attach(bpf_program__fd(skel->progs.redis_sockops), cg_fd, BPF_CGROUP_SOCK_OPS, 0); + if (err) { + fprintf(stderr, "failed to attach sockops programs\n"); + return -1; + } + + err = bpf_prog_attach(bpf_program__fd(skel->progs.redis_redir), + bpf_map__fd(skel->maps.redissock_map), BPF_SK_MSG_VERDICT, 0); + if (err) { + fprintf(stderr, "failed to attach msg_verdict programs\n"); + goto cleanup1; + } + + net_acc_obj.redis_sockops_obj = skel->progs.redis_sockops; + net_acc_obj.redis_redir_obj = skel->progs.redis_redir; + net_acc_obj.redissock_map_obj = skel->maps.redissock_map; + return 0; +cleanup1: + bpf_prog_detach2(bpf_program__fd(skel->progs.redis_sockops), cg_fd, BPF_CGROUP_SOCK_OPS); + return -1; +} + +void detach_manually(void) +{ + bpf_prog_detach2(bpf_program__fd(skel->progs.redis_redir), + bpf_map__fd(skel->maps.redissock_map), BPF_SK_MSG_VERDICT); + bpf_prog_detach2(bpf_program__fd(skel->progs.redis_sockops), cg_fd, BPF_CGROUP_SOCK_OPS); +} + +int net_acc_enable(void) +{ + int err; + + if (net_acc_enabled()) + return 0; + + err = bump_memlock_rlimit(); + if (err) { + fprintf(stderr, "failed to increase rlimit: %d", err); + close(cg_fd); + return 1; + } + + skel = redissockmap__open(); + if (!skel) { + fprintf(stderr, "failed to open and/or load BPF object\n"); + return 1; + } + + err = redissockmap__load(skel); + if (err) { + fprintf(stderr, "failed to load BPF object: %d\n", err); + goto cleanup; + } + + err = redissockmap__attach(skel); + if (err) { + fprintf(stderr, "failed to attach BPF programs\n"); + goto cleanup; + } + + err = attach_manually(); + if (err) { + fprintf(stderr, "failed to attach BPF programs\n"); + goto cleanup; + } + + err = pin_prog_map(); + if (err) { + fprintf(stderr, "failed to pin BPF programs and maps\n"); + goto cleanup1; + } + + return 0; + +cleanup1: + detach_manually(); +cleanup: + redissockmap__destroy(skel); + close(cg_fd); + + return err != 0; +} + + +int net_acc_disable(void) +{ + int i; + + if (!net_acc_enabled()) + return 0; + + for (i = 0; i < ARRAY_SIZE(map_infos); i++) { + if (map_infos[i].fd) { + *map_infos[i].fd = bpf_obj_get(map_infos[i].pin_path); + unlink(map_infos[i].pin_path); + } + } + + for (i = 0; i < ARRAY_SIZE(prog_infos); i++) { + if (prog_infos[i].fd) { + *prog_infos[i].fd = bpf_obj_get(prog_infos[i].pin_path); + unlink(prog_infos[i].pin_path); + } + } + + bpf_prog_detach2(net_acc_fds.redis_redir_fd, + net_acc_fds.redissock_map_fd, BPF_SK_MSG_VERDICT); + bpf_prog_detach2(net_acc_fds.redis_sockops_fd, cg_fd, BPF_CGROUP_SOCK_OPS); + + close(net_acc_fds.redis_redir_fd); + close(net_acc_fds.redis_redir_fd); + close(net_acc_fds.redis_redir_fd); + rmdir(PIN_PATH); + return 0; +} + +int main(int argc, char **argv) +{ + int ret = 1; + + if (argc != 2) + return 1; + + cg_fd = open(CG_PATH, O_DIRECTORY, O_RDONLY); + if (cg_fd < 0) { + fprintf(stderr, "ERROR: (%i) open cgroup2 path failed: %s\n", cg_fd, CG_PATH); + return 1; + } + + if (strncmp(argv[1], "enable", 6) == 0) + ret = net_acc_enable(); + else if (strncmp(argv[1], "disable", 7) == 0) + ret = net_acc_disable(); + + close(cg_fd); + return ret; +} diff --git a/tools/netacc/redissockmap.c b/tools/netacc/redissockmap.c new file mode 100644 index 000000000000..b23df1aa3e6c --- /dev/null +++ b/tools/netacc/redissockmap.c @@ -0,0 +1,287 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright(c) 2023 Huawei Technologies Co., Ltd + */ + +#include "bpf_sockmap.h" + +#define REDIS_BIND_MAP_SIZE 100 +#define BLOCKLIST_SIZE 1000 + +#define ENABLE_BLOCKLIST 0 +#define SHORT_THR 10 +#define BLOCK_THR 10000 + +struct local_ip { + __u32 ip4; +}; + +struct ipaddr_port { + __u32 ip4; + __u32 port; +} __attribute__((packed)); + +#if ENABLE_BLOCKLIST +struct { + __uint(type, BPF_MAP_TYPE_LRU_HASH); + __type(key, struct ipaddr_port); + __type(value, int); + __uint(max_entries, BLOCKLIST_SIZE); + __uint(map_flags, 0); +} blocklist_map SEC(".maps"); +#endif + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, struct ipaddr_port); + __type(value, int); + __uint(max_entries, REDIS_BIND_MAP_SIZE); + __uint(map_flags, 0); +} redis_bind_map SEC(".maps"); + + +static inline void extract_ipaddrport_from_ops(struct bpf_sock_ops *skops, + struct ipaddr_port *key1, struct ipaddr_port *key2) +{ + key1->ip4 = skops->remote_ip4; + // remote_port is in network byte order + key1->port = bpf_ntohl(skops->remote_port); + + key2->ip4 = skops->local_ip4; + // local_port is in host byte order + key2->port = skops->local_port; +} + +static inline int __is_redis_sock(struct ipaddr_port *key) +{ + int *pv = NULL; + + pv = bpf_map_lookup_elem(&redis_bind_map, key); + if (pv) + return 1; + + return 0; +} + +static inline int is_redis_sock(struct ipaddr_port *key1, struct ipaddr_port *key2, + struct ipaddr_port *key10, struct ipaddr_port *key20) +{ + net_dbg("is_redis, ip1:0x%x, port1:0x%x\n", key1->ip4, key1->port); + net_dbg("is_redis, ip2:0x%x, port2:0x%x\n", key2->ip4, key2->port); + + if (__is_redis_sock(key1)) + return 1; + + if (__is_redis_sock(key2)) + return 1; + + if (__is_redis_sock(key10)) + return 1; + + if (__is_redis_sock(key20)) + return 1; + + return 0; +} + +static inline int is_localip_sock(struct bpf_sock_ops *skops) +{ + struct local_ip remoteip; + + net_dbg("is_localip, ip1:0x%x, ip2:0x%x\n", + skops->local_ip4, skops->remote_ip4); + + // skops->local_ip4 must be the local IP address + remoteip.ip4 = skops->remote_ip4; + + if ((remoteip.ip4 & 0xff) == 0x7f) + return 1; + + if (!bpf_is_local_ipaddr(remoteip.ip4)) + return 0; + + return 1; +} + +#if ENABLE_BLOCKLIST +static inline int __is_in_block_list(struct ipaddr_port *key) +{ + int *pv = NULL; + + pv = bpf_map_lookup_elem(&blocklist_map, key); + if (pv && *pv > BLOCK_THR) + return 1; + + return 0; +} + +static inline int is_in_block_list(struct ipaddr_port *key1, struct ipaddr_port *key2, + struct ipaddr_port *key10, struct ipaddr_port *key20) +{ + + if (__is_in_block_list(key1)) + return 1; + if (__is_in_block_list(key2)) + return 1; + if (__is_in_block_list(key10)) + return 1; + if (__is_in_block_list(key20)) + return 1; + + return 0; +} + +static inline int __add_task2block_list(struct ipaddr_port *block) +{ + int *pv = NULL; + int value = 1; + + pv = bpf_map_lookup_elem(&blocklist_map, block); + if (pv == NULL) { + bpf_map_update_elem(&blocklist_map, block, &value, BPF_NOEXIST); + return 0; + } + + if (*pv > BLOCK_THR) + return 0; + + *pv += 1; + return 0; +} + +static inline int add_task2block_list(struct bpf_sock_ops *skops) +{ + struct ipaddr_port block1; + struct ipaddr_port block2; + + extract_ipaddrport_from_ops(skops, &block1, &block2); + + if (__is_redis_sock(&block1)) + return __add_task2block_list(&block1); + + if (__is_redis_sock(&block2)) + return __add_task2block_list(&block2); + + block1.ip4 = 0; + if (__is_redis_sock(&block1)) + return __add_task2block_list(&block1); + + block2.ip4 = 0; + if (__is_redis_sock(&block2)) + return __add_task2block_list(&block2); + + return 0; +} +#else +static inline int add_task2block_list(struct bpf_sock_ops *skops) +{ + return 0; +} +static inline int is_in_block_list(struct ipaddr_port *key1, struct ipaddr_port *key2, + struct ipaddr_port *key10, struct ipaddr_port *key20) +{ + return 0; +} +#endif + +static inline int is_redis_loopback_tcp(struct bpf_sock_ops *skops) +{ + struct ipaddr_port key10; + struct ipaddr_port key20; + struct ipaddr_port key1; + struct ipaddr_port key2; + + if (!is_localip_sock(skops)) + return 0; + net_dbg("this is localip\n"); + + extract_ipaddrport_from_ops(skops, &key1, &key2); + key10.ip4 = 0; + key10.port = key1.port; + key20.ip4 = 0; + key20.port = key2.port; + + if (!is_redis_sock(&key1, &key2, &key10, &key20)) + return 0; + net_dbg("this is redis sock\n"); + + if (is_in_block_list(&key1, &key2, &key10, &key20)) + return 0; + + net_dbg("the sock is redis loopback sock\n"); + return 1; +} + +static inline int update_redis_info(struct bpf_sock_ops *skops) +{ + struct ipaddr_port key; + int value = 1; + char comm[16] = {0}; + + bpf_get_current_comm(comm, sizeof(comm)); + if (comm[0] != 'r' || comm[1] != 'e' || comm[2] != 'd' || comm[3] != 'i' || + comm[4] != 's' || comm[5] != '-' || comm[6] != 's' || comm[7] != 'e' || + comm[8] != 'r' || comm[9] != 'v' || comm[10] != 'e' || comm[11] != 'r') + return 0; + + key.ip4 = skops->local_ip4; + key.port = skops->local_port; // host order + + bpf_map_update_elem(&redis_bind_map, &key, &value, BPF_NOEXIST); + net_dbg("%s, update redisinfo: sip:0x%x, sport:%d\n", comm, key.ip4, key.port); + return 1; +} + +static inline void clean_redis_info(struct bpf_sock_ops *skops) +{ + struct ipaddr_port key; + + key.ip4 = skops->local_ip4; + key.port = skops->local_port; // host order + net_dbg("clean redisinfo, 0x%x:%d\n", key.ip4, key.port); + bpf_map_delete_elem(&redis_bind_map, &key); +} + +SEC("sockops") int redis_sockops(struct bpf_sock_ops *skops) +{ + switch (skops->op) { + case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB: + case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB: + if (skops->family == 2) {// AF_INET + if (is_redis_loopback_tcp(skops)) { + net_dbg("bpf_sockops, sockmap, op:%d, sk:%p\n", + skops->op, skops->sk); + bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG); + bpf_sockmap_ipv4_insert(skops); + } else { + bpf_sock_ops_cb_flags_set(skops, 0); + } + } + break; + case BPF_SOCK_OPS_STATE_CB: + if (skops->family == 2 && skops->args[0] == BPF_TCP_LISTEN && + skops->args[1] == BPF_TCP_CLOSE) { + clean_redis_info(skops); + } else if (skops->family == 2 && (skops->args[1] == BPF_TCP_CLOSE || + skops->args[1] == BPF_TCP_CLOSE_WAIT || + skops->args[1] == BPF_TCP_FIN_WAIT1)) { + __u64 tx_cnt = SHORT_THR; + + bpf_sockmap_ipv4_cleanup(skops, &tx_cnt); + net_dbg("sockops sk:%p, state:%d, tx_cnt:%llu\n", + skops->sk, skops->args[1], tx_cnt); + if (tx_cnt < SHORT_THR) + add_task2block_list(skops); + } + break; + case BPF_SOCK_OPS_TCP_LISTEN_CB: + if (skops->family == 2 && update_redis_info(skops)) + bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG); + break; + default: + break; + } + return 1; +} + +char _license[] SEC("license") = "GPL"; +int _version SEC("version") = 1; -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP2] tools: add sample sockmap code for redis
by Liu Jian 15 Jun '23

15 Jun '23

hulk inclusion category: feature bugzilla: NA CVE: N/A ---------------------------------------------------- add sample sockmap code for redis Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- tools/netacc/Makefile | 24 +++ tools/netacc/bpf_sockmap.h | 148 +++++++++++++++++++ tools/netacc/net-acc | 34 +++++ tools/netacc/redis_acc.c | 276 ++++++++++++++++++++++++++++++++++ tools/netacc/redissockmap.c | 287 ++++++++++++++++++++++++++++++++++++ 5 files changed, 769 insertions(+) create mode 100644 tools/netacc/Makefile create mode 100644 tools/netacc/bpf_sockmap.h create mode 100755 tools/netacc/net-acc create mode 100644 tools/netacc/redis_acc.c create mode 100644 tools/netacc/redissockmap.c diff --git a/tools/netacc/Makefile b/tools/netacc/Makefile new file mode 100644 index 000000000000..bf1db37414d8 --- /dev/null +++ b/tools/netacc/Makefile @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: GPL-2.0 + +INSTALL ?= install +CLANG ?= clang +CC ?= gcc +BPFTOOL ?= bpftool +TOPDIR = ../.. +MKFLAGS = -I$(TOPDIR)/tools/lib +LDLIBBPF = -L$(TOPDIR)/tools/lib/bpf/ -l:libbpf.a + +all: + $(CLANG) -O2 -g -Wall -target bpf $(MKFLAGS) -c redissockmap.c -o redissockmap.o + $(BPFTOOL) gen skeleton redissockmap.o > redis_acc.skel.h + $(CC) -O2 -g -Wall $(MKFLAGS) redis_acc.c -o redis_acc $(LDLIBBPF) -lelf -lz + +clean: + rm -f redis_acc + rm -f redis_acc.skel.h + rm -f *.o + +install: + mkdir -p $(INSTALL_ROOT)/usr/sbin/tuned_acc/ + $(INSTALL) -m 755 net-acc $(INSTALL_ROOT)/usr/sbin/ + $(INSTALL) -m 755 redis_acc $(INSTALL_ROOT)/usr/sbin/tuned_acc/ diff --git a/tools/netacc/bpf_sockmap.h b/tools/netacc/bpf_sockmap.h new file mode 100644 index 000000000000..8edcc6624593 --- /dev/null +++ b/tools/netacc/bpf_sockmap.h @@ -0,0 +1,148 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* Copyright(c) 2023 Huawei Technologies Co., Ltd + */ + +#ifndef __BPF_SOCKMAP_H__ +#define __BPF_SOCKMAP_H__ + +#include <stddef.h> +#include <stdbool.h> +#include <linux/types.h> +#include <linux/bpf.h> + +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_endian.h> + +#define LOG_DEBUG 0 +#define SOCKMAP_SIZE 100000 + +#if LOG_DEBUG +#define net_dbg bpf_printk +#define net_err bpf_printk +#else +#define net_dbg(fmt, ...) do {} while (0) +#define net_err bpf_printk +#endif + +struct sock_key { + __u32 sip4; + __u32 dip4; + __u32 sport; + __u32 dport; +} __attribute__((packed)); + +struct { + __uint(type, BPF_MAP_TYPE_SOCKHASH); + __type(key, struct sock_key); + __type(value, int); + __uint(max_entries, SOCKMAP_SIZE); + __uint(map_flags, 0); +} redissock_map SEC(".maps"); + +struct sock_info { + __u64 redir_rx_cnt; + __u64 redir_tx_cnt; + int sk_flags; +}; + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, struct sock_key); + __type(value, struct sock_info); + __uint(max_entries, SOCKMAP_SIZE); + __uint(map_flags, 0); +} sockflag_map SEC(".maps"); + +static inline void sock_key2peerkey(struct sock_key *key, struct sock_key *peer_key) +{ + peer_key->sip4 = key->dip4; + peer_key->sport = key->dport; + peer_key->dip4 = key->sip4; + peer_key->dport = key->sport; +} + +static inline void extract_key4_from_ops(struct bpf_sock_ops *ops, struct sock_key *key) +{ + key->dip4 = ops->remote_ip4; + key->sip4 = ops->local_ip4; + + // local_port is in host byte order + // and remote_port is in network byte order + key->sport = ops->local_port; + key->dport = bpf_ntohl(ops->remote_port); +} + +static inline void bpf_sock_ops_ipv4(struct bpf_sock_ops *skops) +{ + struct sock_key key = {}; + + extract_key4_from_ops(skops, &key); + bpf_sock_hash_update(skops, &redissock_map, &key, BPF_NOEXIST); +} + +static inline void bpf_sockmap_ipv4_insert(struct bpf_sock_ops *skops) +{ + if (bpf_ntohl(skops->remote_port) == 22 || skops->local_port == 22) + return; + + bpf_sock_ops_ipv4(skops); +} + +static inline void bpf_sockmap_ipv4_cleanup(struct bpf_sock_ops *skops, __u64 *cnt) +{ + struct sock_info *p_skinfo = NULL; + struct sock_key key = {}; + + extract_key4_from_ops(skops, &key); + p_skinfo = bpf_map_lookup_elem(&sockflag_map, &key); + if (p_skinfo) { + if (cnt) + *cnt = p_skinfo->redir_tx_cnt; + bpf_map_delete_elem(&sockflag_map, &key); + } +} + +static inline void extract_key4_from_msg(struct sk_msg_md *msg, struct sock_key *key) +{ + key->sip4 = msg->local_ip4; + key->dip4 = msg->remote_ip4; + + // local_port is in host byte order + // and remote_port is in network byte order + key->sport = msg->local_port; + key->dport = bpf_ntohl(msg->remote_port); +} + +SEC("sk_msg") int redis_redir(struct sk_msg_md *msg) +{ + struct sock_info *p_skinfo = NULL; + struct sock_info skinfo = {0}; + struct sock_key peer_key = {}; + struct sock_key key = {}; + int ret, addinfo = 0; + + extract_key4_from_msg(msg, &key); + sock_key2peerkey(&key, &peer_key); + + p_skinfo = bpf_map_lookup_elem(&sockflag_map, &key); + if (p_skinfo != NULL && p_skinfo->sk_flags == 1) + return SK_PASS; + + if (p_skinfo == NULL) { + addinfo = 1; + p_skinfo = &skinfo; + } + + ret = bpf_msg_redirect_hash(msg, &redissock_map, &peer_key, BPF_F_INGRESS); + if (ret == SK_DROP) { + if (p_skinfo->sk_flags != 1) + p_skinfo->sk_flags = 1; + } + + p_skinfo->redir_tx_cnt++; + if (addinfo) + bpf_map_update_elem(&sockflag_map, &key, p_skinfo, BPF_ANY); + + return SK_PASS; +} +#endif diff --git a/tools/netacc/net-acc b/tools/netacc/net-acc new file mode 100755 index 000000000000..f3db4803ced3 --- /dev/null +++ b/tools/netacc/net-acc @@ -0,0 +1,34 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 + +function usage() { + echo "" + echo "Usage:" + echo " $0 [enable | disable]" + echo "" +} + +function mount_cgp2() { + CGP2=`mount | grep cgroup2` + if [[ "$CGP2"X == "X" ]]; then + CGP2_PATCH=/sys/fs/cgroup/tunned-acc + mount -o rw,remount /sys/fs/cgroup + mkdir -p ${CGP2_PATCH} + mount -t cgroup2 -o nosuid,nodev,noexec none ${CGP2_PATCH} + mount -o ro,remount /sys/fs/cgroup + fi +} + +CMD=$1 + +if [[ "$CMD"X == "enableX" ]]; then + mount_cgp2 + modprobe localip + /usr/sbin/tuned_acc/redis_acc enable +elif [[ "$CMD"X == "disableX" ]]; then + /usr/sbin/tuned_acc/redis_acc disable + rmmod localip + exit 0 +else + usage; +fi diff --git a/tools/netacc/redis_acc.c b/tools/netacc/redis_acc.c new file mode 100644 index 000000000000..ae81ec56ea7e --- /dev/null +++ b/tools/netacc/redis_acc.c @@ -0,0 +1,276 @@ +#include <argp.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/resource.h> +#include <time.h> +#include <unistd.h> +#include <sys/stat.h> +#include <fcntl.h> + +#include <bpf/libbpf.h> +#include <bpf/bpf.h> +#include "redis_acc.skel.h" + +#ifndef ARRAY_SIZE +#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) +#endif + +#define CG_PATH "/sys/fs/cgroup/tunned-acc" +#define PIN_PATH "/sys/fs/bpf/redis/" + +static int bump_memlock_rlimit(void) +{ + struct rlimit rlim_new = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + + return setrlimit(RLIMIT_MEMLOCK, &rlim_new); +} + +struct net_acc_prog_info { + const char *prog_name; + const char *pin_path; + void **prog; + int *fd; +}; + +struct net_acc_map_info { + const char *map_name; + char *pin_path; + void **map; + int *fd; +}; + +struct { + int redis_sockops_fd; + int redis_redir_fd; + int redissock_map_fd; +} net_acc_fds; + +struct { + void *redis_sockops_obj; + void *redis_redir_obj; + void *redissock_map_obj; +} net_acc_obj; + +static struct net_acc_prog_info prog_infos[] = { + { + .prog_name = "redis_sockops", + .pin_path = PIN_PATH"sockops", + .prog = &net_acc_obj.redis_sockops_obj, + .fd = &net_acc_fds.redis_sockops_fd, + }, + { + .prog_name = "redis_redir", + .pin_path = PIN_PATH"sk_msg", + .prog = &net_acc_obj.redis_redir_obj, + .fd = &net_acc_fds.redis_redir_fd, + } +}; + +static struct net_acc_map_info map_infos[] = { + { + .map_name = "redissock_map", + .pin_path = PIN_PATH"redissock_map", + .map = &net_acc_obj.redissock_map_obj, + .fd = &net_acc_fds.redissock_map_fd, + } +}; + +int cg_fd = -1; +struct redissockmap *skel; + +int net_acc_enabled(void) +{ + int map_fd; + + map_fd = bpf_obj_get(map_infos[0].pin_path); + if (map_fd < 0) + return 0; + + close(map_fd); + return 1; +} + +int pin_prog_map(void) +{ + int i, mapj, progj; + int err = 0; + + mapj = ARRAY_SIZE(map_infos); + for (i = 0; i < mapj; i++) { + if (*map_infos[i].map) + err = bpf_map__pin(*map_infos[i].map, map_infos[i].pin_path); + if (err) { + mapj = i; + goto err1; + } + } + + progj = ARRAY_SIZE(prog_infos); + for (i = 0; i < progj; i++) { + if (*prog_infos[i].prog) + err = bpf_program__pin(*prog_infos[i].prog, prog_infos[i].pin_path); + if (err) { + progj = i; + goto err2; + } + } + return 0; +err2: + for (i = 0; i < progj; i++) { + if (*prog_infos[i].prog) + bpf_program__unpin(*prog_infos[i].prog, prog_infos[i].pin_path); + } +err1: + for (i = 0; i < mapj; i++) { + if (*map_infos[i].map) + bpf_map__unpin(*map_infos[i].map, map_infos[i].pin_path); + } + return 1; +} + +int attach_manually(void) +{ + int err; + + err = bpf_prog_attach(bpf_program__fd(skel->progs.redis_sockops), cg_fd, BPF_CGROUP_SOCK_OPS, 0); + if (err) { + fprintf(stderr, "failed to attach sockops programs\n"); + return -1; + } + + err = bpf_prog_attach(bpf_program__fd(skel->progs.redis_redir), + bpf_map__fd(skel->maps.redissock_map), BPF_SK_MSG_VERDICT, 0); + if (err) { + fprintf(stderr, "failed to attach msg_verdict programs\n"); + goto cleanup1; + } + + net_acc_obj.redis_sockops_obj = skel->progs.redis_sockops; + net_acc_obj.redis_redir_obj = skel->progs.redis_redir; + net_acc_obj.redissock_map_obj = skel->maps.redissock_map; + return 0; +cleanup1: + bpf_prog_detach2(bpf_program__fd(skel->progs.redis_sockops), cg_fd, BPF_CGROUP_SOCK_OPS); + return -1; +} + +void detach_manually(void) +{ + bpf_prog_detach2(bpf_program__fd(skel->progs.redis_redir), + bpf_map__fd(skel->maps.redissock_map), BPF_SK_MSG_VERDICT); + bpf_prog_detach2(bpf_program__fd(skel->progs.redis_sockops), cg_fd, BPF_CGROUP_SOCK_OPS); +} + +int net_acc_enable(void) +{ + int err; + + if (net_acc_enabled()) + return 0; + + err = bump_memlock_rlimit(); + if (err) { + fprintf(stderr, "failed to increase rlimit: %d", err); + close(cg_fd); + return 1; + } + + skel = redissockmap__open(); + if (!skel) { + fprintf(stderr, "failed to open and/or load BPF object\n"); + return 1; + } + + err = redissockmap__load(skel); + if (err) { + fprintf(stderr, "failed to load BPF object: %d\n", err); + goto cleanup; + } + + err = redissockmap__attach(skel); + if (err) { + fprintf(stderr, "failed to attach BPF programs\n"); + goto cleanup; + } + + err = attach_manually(); + if (err) { + fprintf(stderr, "failed to attach BPF programs\n"); + goto cleanup; + } + + err = pin_prog_map(); + if (err) { + fprintf(stderr, "failed to pin BPF programs and maps\n"); + goto cleanup1; + } + + return 0; + +cleanup1: + detach_manually(); +cleanup: + redissockmap__destroy(skel); + close(cg_fd); + + return err != 0; +} + + +int net_acc_disable(void) +{ + int i; + + if (!net_acc_enabled()) + return 0; + + for (i = 0; i < ARRAY_SIZE(map_infos); i++) { + if (map_infos[i].fd) { + *map_infos[i].fd = bpf_obj_get(map_infos[i].pin_path); + unlink(map_infos[i].pin_path); + } + } + + for (i = 0; i < ARRAY_SIZE(prog_infos); i++) { + if (prog_infos[i].fd) { + *prog_infos[i].fd = bpf_obj_get(prog_infos[i].pin_path); + unlink(prog_infos[i].pin_path); + } + } + + bpf_prog_detach2(net_acc_fds.redis_redir_fd, + net_acc_fds.redissock_map_fd, BPF_SK_MSG_VERDICT); + bpf_prog_detach2(net_acc_fds.redis_sockops_fd, cg_fd, BPF_CGROUP_SOCK_OPS); + + close(net_acc_fds.redis_redir_fd); + close(net_acc_fds.redis_redir_fd); + close(net_acc_fds.redis_redir_fd); + rmdir(PIN_PATH); + return 0; +} + +int main(int argc, char **argv) +{ + int ret = 1; + + if (argc != 2) + return 1; + + cg_fd = open(CG_PATH, O_DIRECTORY, O_RDONLY); + if (cg_fd < 0) { + fprintf(stderr, "ERROR: (%i) open cgroup2 path failed: %s\n", cg_fd, CG_PATH); + return 1; + } + + if (strncmp(argv[1], "enable", 6) == 0) + ret = net_acc_enable(); + else if (strncmp(argv[1], "disable", 7) == 0) + ret = net_acc_disable(); + + close(cg_fd); + return ret; +} diff --git a/tools/netacc/redissockmap.c b/tools/netacc/redissockmap.c new file mode 100644 index 000000000000..b23df1aa3e6c --- /dev/null +++ b/tools/netacc/redissockmap.c @@ -0,0 +1,287 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright(c) 2023 Huawei Technologies Co., Ltd + */ + +#include "bpf_sockmap.h" + +#define REDIS_BIND_MAP_SIZE 100 +#define BLOCKLIST_SIZE 1000 + +#define ENABLE_BLOCKLIST 0 +#define SHORT_THR 10 +#define BLOCK_THR 10000 + +struct local_ip { + __u32 ip4; +}; + +struct ipaddr_port { + __u32 ip4; + __u32 port; +} __attribute__((packed)); + +#if ENABLE_BLOCKLIST +struct { + __uint(type, BPF_MAP_TYPE_LRU_HASH); + __type(key, struct ipaddr_port); + __type(value, int); + __uint(max_entries, BLOCKLIST_SIZE); + __uint(map_flags, 0); +} blocklist_map SEC(".maps"); +#endif + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, struct ipaddr_port); + __type(value, int); + __uint(max_entries, REDIS_BIND_MAP_SIZE); + __uint(map_flags, 0); +} redis_bind_map SEC(".maps"); + + +static inline void extract_ipaddrport_from_ops(struct bpf_sock_ops *skops, + struct ipaddr_port *key1, struct ipaddr_port *key2) +{ + key1->ip4 = skops->remote_ip4; + // remote_port is in network byte order + key1->port = bpf_ntohl(skops->remote_port); + + key2->ip4 = skops->local_ip4; + // local_port is in host byte order + key2->port = skops->local_port; +} + +static inline int __is_redis_sock(struct ipaddr_port *key) +{ + int *pv = NULL; + + pv = bpf_map_lookup_elem(&redis_bind_map, key); + if (pv) + return 1; + + return 0; +} + +static inline int is_redis_sock(struct ipaddr_port *key1, struct ipaddr_port *key2, + struct ipaddr_port *key10, struct ipaddr_port *key20) +{ + net_dbg("is_redis, ip1:0x%x, port1:0x%x\n", key1->ip4, key1->port); + net_dbg("is_redis, ip2:0x%x, port2:0x%x\n", key2->ip4, key2->port); + + if (__is_redis_sock(key1)) + return 1; + + if (__is_redis_sock(key2)) + return 1; + + if (__is_redis_sock(key10)) + return 1; + + if (__is_redis_sock(key20)) + return 1; + + return 0; +} + +static inline int is_localip_sock(struct bpf_sock_ops *skops) +{ + struct local_ip remoteip; + + net_dbg("is_localip, ip1:0x%x, ip2:0x%x\n", + skops->local_ip4, skops->remote_ip4); + + // skops->local_ip4 must be the local IP address + remoteip.ip4 = skops->remote_ip4; + + if ((remoteip.ip4 & 0xff) == 0x7f) + return 1; + + if (!bpf_is_local_ipaddr(remoteip.ip4)) + return 0; + + return 1; +} + +#if ENABLE_BLOCKLIST +static inline int __is_in_block_list(struct ipaddr_port *key) +{ + int *pv = NULL; + + pv = bpf_map_lookup_elem(&blocklist_map, key); + if (pv && *pv > BLOCK_THR) + return 1; + + return 0; +} + +static inline int is_in_block_list(struct ipaddr_port *key1, struct ipaddr_port *key2, + struct ipaddr_port *key10, struct ipaddr_port *key20) +{ + + if (__is_in_block_list(key1)) + return 1; + if (__is_in_block_list(key2)) + return 1; + if (__is_in_block_list(key10)) + return 1; + if (__is_in_block_list(key20)) + return 1; + + return 0; +} + +static inline int __add_task2block_list(struct ipaddr_port *block) +{ + int *pv = NULL; + int value = 1; + + pv = bpf_map_lookup_elem(&blocklist_map, block); + if (pv == NULL) { + bpf_map_update_elem(&blocklist_map, block, &value, BPF_NOEXIST); + return 0; + } + + if (*pv > BLOCK_THR) + return 0; + + *pv += 1; + return 0; +} + +static inline int add_task2block_list(struct bpf_sock_ops *skops) +{ + struct ipaddr_port block1; + struct ipaddr_port block2; + + extract_ipaddrport_from_ops(skops, &block1, &block2); + + if (__is_redis_sock(&block1)) + return __add_task2block_list(&block1); + + if (__is_redis_sock(&block2)) + return __add_task2block_list(&block2); + + block1.ip4 = 0; + if (__is_redis_sock(&block1)) + return __add_task2block_list(&block1); + + block2.ip4 = 0; + if (__is_redis_sock(&block2)) + return __add_task2block_list(&block2); + + return 0; +} +#else +static inline int add_task2block_list(struct bpf_sock_ops *skops) +{ + return 0; +} +static inline int is_in_block_list(struct ipaddr_port *key1, struct ipaddr_port *key2, + struct ipaddr_port *key10, struct ipaddr_port *key20) +{ + return 0; +} +#endif + +static inline int is_redis_loopback_tcp(struct bpf_sock_ops *skops) +{ + struct ipaddr_port key10; + struct ipaddr_port key20; + struct ipaddr_port key1; + struct ipaddr_port key2; + + if (!is_localip_sock(skops)) + return 0; + net_dbg("this is localip\n"); + + extract_ipaddrport_from_ops(skops, &key1, &key2); + key10.ip4 = 0; + key10.port = key1.port; + key20.ip4 = 0; + key20.port = key2.port; + + if (!is_redis_sock(&key1, &key2, &key10, &key20)) + return 0; + net_dbg("this is redis sock\n"); + + if (is_in_block_list(&key1, &key2, &key10, &key20)) + return 0; + + net_dbg("the sock is redis loopback sock\n"); + return 1; +} + +static inline int update_redis_info(struct bpf_sock_ops *skops) +{ + struct ipaddr_port key; + int value = 1; + char comm[16] = {0}; + + bpf_get_current_comm(comm, sizeof(comm)); + if (comm[0] != 'r' || comm[1] != 'e' || comm[2] != 'd' || comm[3] != 'i' || + comm[4] != 's' || comm[5] != '-' || comm[6] != 's' || comm[7] != 'e' || + comm[8] != 'r' || comm[9] != 'v' || comm[10] != 'e' || comm[11] != 'r') + return 0; + + key.ip4 = skops->local_ip4; + key.port = skops->local_port; // host order + + bpf_map_update_elem(&redis_bind_map, &key, &value, BPF_NOEXIST); + net_dbg("%s, update redisinfo: sip:0x%x, sport:%d\n", comm, key.ip4, key.port); + return 1; +} + +static inline void clean_redis_info(struct bpf_sock_ops *skops) +{ + struct ipaddr_port key; + + key.ip4 = skops->local_ip4; + key.port = skops->local_port; // host order + net_dbg("clean redisinfo, 0x%x:%d\n", key.ip4, key.port); + bpf_map_delete_elem(&redis_bind_map, &key); +} + +SEC("sockops") int redis_sockops(struct bpf_sock_ops *skops) +{ + switch (skops->op) { + case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB: + case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB: + if (skops->family == 2) {// AF_INET + if (is_redis_loopback_tcp(skops)) { + net_dbg("bpf_sockops, sockmap, op:%d, sk:%p\n", + skops->op, skops->sk); + bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG); + bpf_sockmap_ipv4_insert(skops); + } else { + bpf_sock_ops_cb_flags_set(skops, 0); + } + } + break; + case BPF_SOCK_OPS_STATE_CB: + if (skops->family == 2 && skops->args[0] == BPF_TCP_LISTEN && + skops->args[1] == BPF_TCP_CLOSE) { + clean_redis_info(skops); + } else if (skops->family == 2 && (skops->args[1] == BPF_TCP_CLOSE || + skops->args[1] == BPF_TCP_CLOSE_WAIT || + skops->args[1] == BPF_TCP_FIN_WAIT1)) { + __u64 tx_cnt = SHORT_THR; + + bpf_sockmap_ipv4_cleanup(skops, &tx_cnt); + net_dbg("sockops sk:%p, state:%d, tx_cnt:%llu\n", + skops->sk, skops->args[1], tx_cnt); + if (tx_cnt < SHORT_THR) + add_task2block_list(skops); + } + break; + case BPF_SOCK_OPS_TCP_LISTEN_CB: + if (skops->family == 2 && update_redis_info(skops)) + bpf_sock_ops_cb_flags_set(skops, BPF_SOCK_OPS_STATE_CB_FLAG); + break; + default: + break; + } + return 1; +} + +char _license[] SEC("license") = "GPL"; +int _version SEC("version") = 1; -- 2.34.1

2 1

[PATCH OLK-5.10] gfs2: Don't deref jdesc in evict
by ZhaoLong Wang 14 Jun '23

14 Jun '23

From: Bob Peterson <rpeterso(a)redhat.com> mainline inclusion from mainline-v6.4-rc2 commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7CXJL CVE: CVE-2023-3212 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- On corrupt gfs2 file systems the evict code can try to reference the journal descriptor structure, jdesc, after it has been freed and set to NULL. The sequence of events is: init_journal() ... fail_jindex: gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL if (gfs2_holder_initialized(&ji_gh)) gfs2_glock_dq_uninit(&ji_gh); fail: iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode evict() gfs2_evict_inode() evict_linked_inode() ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks); <------references the now freed/zeroed sd_jdesc pointer. The call to gfs2_trans_begin is done because the truncate_inode_pages call can cause gfs2 events that require a transaction, such as removing journaled data (jdata) blocks from the journal. This patch fixes the problem by adding a check for sdp->sd_jdesc to function gfs2_evict_inode. In theory, this should only happen to corrupt gfs2 file systems, when gfs2 detects the problem, reports it, then tries to evict all the system inodes it has read in up to that point. Reported-by: Yang Lan <lanyang0908(a)gmail.com> Signed-off-by: Bob Peterson <rpeterso(a)redhat.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: ZhaoLong Wang <wangzhaolong1(a)huawei.com> Conflicts: fs/gfs2/super.c --- fs/gfs2/super.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c index d14b98aa1c3e..9820aad4b19a 100644 --- a/fs/gfs2/super.c +++ b/fs/gfs2/super.c @@ -1412,6 +1412,14 @@ static void gfs2_evict_inode(struct inode *inode) if (inode->i_nlink || sb_rdonly(sb)) goto out; + /* + * In case of an incomplete mount, gfs2_evict_inode() may be called for + * system files without having an active journal to write to. In that + * case, skip the filesystem evict. + */ + if (!sdp->sd_jdesc) + goto out; + gfs2_holder_mark_uninitialized(&gh); ret = evict_should_delete(inode, &gh); if (ret == SHOULD_DEFER_EVICTION) -- 2.31.1

2 1

2024

2023

2022

2021

2020

2019

Kernel June 2023