October 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] security/keys: fix slab-out-of-bounds in key_task_permission
by Yi Yang 30 Oct '24

30 Oct '24

From: Chen Ridong <chenridong(a)huawei.com> maillist inclusion category: Bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAU173 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/comm… ---------------------------------------------------------------------- KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:123 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 __kuid_val include/linux/uidgid.h:36 [inline] uid_eq include/linux/uidgid.h:63 [inline] key_task_permission+0x394/0x410 security/keys/permission.c:54 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 This issue was also reported by syzbot. It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'. 2. Reboot and add the keys obtained in step 1. The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the slots in a node(below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL(it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to a read out-of-bounds read. To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not. [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@h… [jarkko: tweaked the commit message a bit to have an appropriate closes tag.] Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Reported-by: syzbot+5b415c07907a2990d1a3(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/ Signed-off-by: Chen Ridong <chenridong(a)huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- security/keys/keyring.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 14abfe765b7e..9f0fc81a3a7b 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -772,8 +772,11 @@ static bool search_nested_keyrings(struct key *keyring, for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { ptr = READ_ONCE(node->slots[slot]); - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) - goto descend_to_node; + if (assoc_array_ptr_is_meta(ptr)) { + if (node->back_pointer || + assoc_array_ptr_is_shortcut(ptr)) + goto descend_to_node; + } if (!keyring_ptr_is_keyring(ptr)) continue; -- 2.25.1

2 1

[PATCH OLK-6.6] scsi: sd: Fix off-by-one error in sd_read_block_characteristics()
by Zheng Qixing 30 Oct '24

30 Oct '24

From: Martin Wilck <mwilck(a)suse.com> stable inclusion from stable-v6.6.54 commit 568c7c4c77eee6df7677bb861b7cee7398a3255d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPK3 CVE: CVE-2024-47682 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------- commit f81eaf08385ddd474a2f41595a7757502870c0eb upstream. Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8. Fixes: 7fb019c46eee ("scsi: sd: Switch to using scsi_device VPD pages") Cc: stable(a)vger.kernel.org Signed-off-by: Martin Wilck <mwilck(a)suse.com> Link: https://lore.kernel.org/r/20240912134308.282824-1-mwilck@suse.com Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 9ebf64a91586..11245bf46f85 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3118,7 +3118,7 @@ static void sd_read_block_characteristics(struct scsi_disk *sdkp) rcu_read_lock(); vpd = rcu_dereference(sdkp->device->vpd_pgb1); - if (!vpd || vpd->len < 8) { + if (!vpd || vpd->len <= 8) { rcu_read_unlock(); return; } -- 2.39.2

2 1

[openEuler-22.03-LTS-SP1] ocfs2: reserve space for inline xattr before attaching reflink tree
by Yi Yang 30 Oct '24

30 Oct '24

From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> stable inclusion from stable-v5.10.227 commit aac31d654a0a31cb0d2fa36ae694f4e164a52707 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA7 CVE: CVE-2024-49958 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream. One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@o… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index 3b397fa9c9e8..85d25c211c87 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -27,6 +27,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4184,8 +4185,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4211,6 +4213,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4218,7 +4240,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 495fb5b7a087..42368577786e 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6526,16 +6526,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.25.1

1 0

[PATCH OLK-5.10] block: fix potential invalid pointer dereference in blk_add_partition
by Zheng Qixing 30 Oct '24

30 Oct '24

From: Riyan Dhiman <riyandhiman14(a)gmail.com> stable inclusion from stable-v5.10.227 commit 4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f category: bugifx bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJH CVE: CVE-2024-47705 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ] The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls. Fixes: b72053072c0b (block: allow partitions on host aware zone devices) Signed-off-by: Riyan Dhiman <riyandhiman14(a)gmail.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: block/partitions/core.c [Context inconsistency.] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- block/partitions/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/block/partitions/core.c b/block/partitions/core.c index 8e0bddf0fa51..7e1fd93a5634 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -705,9 +705,11 @@ static bool blk_add_partition(struct gendisk *disk, struct block_device *bdev, part = add_partition(disk, p, from, size, state->parts[p].flags, &state->parts[p].info); - if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { - printk(KERN_ERR " %s: p%d could not be added: %ld\n", - disk->disk_name, p, -PTR_ERR(part)); + if (IS_ERR(part)) { + if (PTR_ERR(part) != -ENXIO) { + printk(KERN_ERR " %s: p%d could not be added: %ld\n", + disk->disk_name, p, -PTR_ERR(part)); + } return true; } -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP1] block: fix potential invalid pointer dereference in blk_add_partition
by Zheng Qixing 30 Oct '24

30 Oct '24

From: Riyan Dhiman <riyandhiman14(a)gmail.com> stable inclusion from stable-v5.10.227 commit 4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f category: bugifx bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJH CVE: CVE-2024-47705 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ] The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls. Fixes: b72053072c0b (block: allow partitions on host aware zone devices) Signed-off-by: Riyan Dhiman <riyandhiman14(a)gmail.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: block/partitions/core.c [Context inconsistency.] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- block/partitions/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/block/partitions/core.c b/block/partitions/core.c index 8e0bddf0fa51..7e1fd93a5634 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -705,9 +705,11 @@ static bool blk_add_partition(struct gendisk *disk, struct block_device *bdev, part = add_partition(disk, p, from, size, state->parts[p].flags, &state->parts[p].info); - if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { - printk(KERN_ERR " %s: p%d could not be added: %ld\n", - disk->disk_name, p, -PTR_ERR(part)); + if (IS_ERR(part)) { + if (PTR_ERR(part) != -ENXIO) { + printk(KERN_ERR " %s: p%d could not be added: %ld\n", + disk->disk_name, p, -PTR_ERR(part)); + } return true; } -- 2.39.2

2 1

[PATCH openEuler-1.0-LTS] nilfs2: fix state management in error path of log writing function
by Chen Ridong 30 Oct '24

30 Oct '24

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> mainline inclusion from mainline-v6.11-rc7 commit 6576dd6695f2afca3f4954029ac4a64f82ba60ab category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAVUFV CVE: CVE-2024-47669 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- After commit a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared. Link: https://lkml.kernel.org/r/20240814101119.4070-1-konishi.ryusuke@gmail.com Fixes: a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Chen Ridong <chenridong(a)huawei.com> --- fs/nilfs2/segment.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 633809581852..6c48d2b27707 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -1799,6 +1799,9 @@ static void nilfs_segctor_abort_construction(struct nilfs_sc_info *sci, nilfs_abort_logs(&logs, ret ? : err); list_splice_tail_init(&sci->sc_segbufs, &logs); + if (list_empty(&logs)) + return; /* if the first segment buffer preparation failed */ + nilfs_cancel_segusage(&logs, nilfs->ns_sufile); nilfs_free_incomplete_logs(&logs, nilfs); @@ -2040,7 +2043,7 @@ static int nilfs_segctor_do_construct(struct nilfs_sc_info *sci, int mode) err = nilfs_segctor_begin_construction(sci, nilfs); if (unlikely(err)) - goto out; + goto failed; /* Update time stamp */ sci->sc_seg_ctime = ktime_get_real_seconds(); @@ -2103,10 +2106,9 @@ static int nilfs_segctor_do_construct(struct nilfs_sc_info *sci, int mode) return err; failed_to_write: - if (sci->sc_stage.flags & NILFS_CF_IFILE_STARTED) - nilfs_redirty_inodes(&sci->sc_dirty_files); - failed: + if (mode == SC_LSEG_SR && nilfs_sc_cstage_get(sci) >= NILFS_ST_IFILE) + nilfs_redirty_inodes(&sci->sc_dirty_files); if (nilfs_doing_gc()) nilfs_redirty_inodes(&sci->sc_gc_inodes); nilfs_segctor_abort_construction(sci, nilfs, err); -- 2.34.1

2 1

[PATCH OLK-6.6] smb: client: fix UAF in async decryption
by Long Li 30 Oct '24

30 Oct '24

From: Enzo Matsumiya <ematsumiya(a)suse.de> mainline inclusion from mainline-v6.10-rc2 commit b0abcd65ec545701b8793e12bc27dc98042b151a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRE5 CVE: CVE-2024-50047 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/smb/client/smb2ops.c | 47 ++++++++++++++++++++++++----------------- fs/smb/client/smb2pdu.c | 6 ++++++ 2 files changed, 34 insertions(+), 19 deletions(-) diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index acd5d7d79352..a484bbe9e9de 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -4245,7 +4245,7 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) */ static int crypt_message(struct TCP_Server_Info *server, int num_rqst, - struct smb_rqst *rqst, int enc) + struct smb_rqst *rqst, int enc, struct crypto_aead *tfm) { struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base; @@ -4256,8 +4256,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; - DECLARE_CRYPTO_WAIT(wait); - struct crypto_aead *tfm; unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; size_t sensitive_size; @@ -4269,14 +4267,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, return rc; } - rc = smb3_crypto_aead_allocate(server); - if (rc) { - cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__); - return rc; - } - - tfm = enc ? server->secmech.enc : server->secmech.dec; - if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE); @@ -4316,11 +4306,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &wait); - - rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) - : crypto_aead_decrypt(req), &wait); + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); @@ -4427,7 +4413,7 @@ smb3_init_transform_rq(struct TCP_Server_Info *server, int num_rqst, /* fill the 1st iov with a transform header */ fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type); - rc = crypt_message(server, num_rqst, new_rq, 1); + rc = crypt_message(server, num_rqst, new_rq, 1, server->secmech.enc); cifs_dbg(FYI, "Encrypt message returned %d\n", rc); if (rc) goto err_free; @@ -4452,8 +4438,9 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, unsigned int buf_data_size, struct iov_iter *iter, bool is_offloaded) { - struct kvec iov[2]; + struct crypto_aead *tfm; struct smb_rqst rqst = {NULL}; + struct kvec iov[2]; size_t iter_size = 0; int rc; @@ -4470,9 +4457,31 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, iter_size = iov_iter_count(iter); } - rc = crypt_message(server, 1, &rqst, 0); + if (is_offloaded) { + if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) || + (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) + tfm = crypto_alloc_aead("gcm(aes)", 0, 0); + else + tfm = crypto_alloc_aead("ccm(aes)", 0, 0); + if (IS_ERR(tfm)) { + rc = PTR_ERR(tfm); + cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc); + + return rc; + } + } else { + if (unlikely(!server->secmech.dec)) + return -EIO; + + tfm = server->secmech.dec; + } + + rc = crypt_message(server, 1, &rqst, 0, tfm); cifs_dbg(FYI, "Decrypt message returned %d\n", rc); + if (is_offloaded) + crypto_free_aead(tfm); + if (rc) return rc; diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index bf45b8652e58..83a03201bb86 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -1263,6 +1263,12 @@ SMB2_negotiate(const unsigned int xid, else cifs_server_dbg(VFS, "Missing expected negotiate contexts\n"); } + + if (server->cipher_type && !rc) { + rc = smb3_crypto_aead_allocate(server); + if (rc) + cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc); + } neg_exit: free_rsp_buf(resp_buftype, rsp); return rc; -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP1] smb: client: fix UAF in async decryption
by Long Li 30 Oct '24

30 Oct '24

From: Enzo Matsumiya <ematsumiya(a)suse.de> mainline inclusion from mainline-v6.10-rc2 commit b0abcd65ec545701b8793e12bc27dc98042b151a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRE5 CVE: CVE-2024-50047 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/client/smb2ops.c fs/smb/client/smb2pdu.c fs/cifs/smb2ops.c fs/cifs/smb2pdu.c [Conflicts due to cifs rename to smb/clinet] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/cifs/smb2ops.c | 49 ++++++++++++++++++++++++++++------------------- fs/cifs/smb2pdu.c | 6 ++++++ 2 files changed, 35 insertions(+), 20 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 91c653c720a6..21622261fbf9 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -4258,7 +4258,7 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) */ static int crypt_message(struct TCP_Server_Info *server, int num_rqst, - struct smb_rqst *rqst, int enc) + struct smb_rqst *rqst, int enc, struct crypto_aead *tfm) { struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base; @@ -4270,8 +4270,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, struct aead_request *req; char *iv; unsigned int iv_len; - DECLARE_CRYPTO_WAIT(wait); - struct crypto_aead *tfm; unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); rc = smb2_get_enc_key(server, tr_hdr->SessionId, enc, key); @@ -4281,15 +4279,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, return rc; } - rc = smb3_crypto_aead_allocate(server); - if (rc) { - cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__); - return rc; - } - - tfm = enc ? server->secmech.ccmaesencrypt : - server->secmech.ccmaesdecrypt; - if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE); @@ -4344,11 +4333,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &wait); - - rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) - : crypto_aead_decrypt(req), &wait); + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); @@ -4441,7 +4426,8 @@ smb3_init_transform_rq(struct TCP_Server_Info *server, int num_rqst, /* fill the 1st iov with a transform header */ fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type); - rc = crypt_message(server, num_rqst, new_rq, 1); + rc = crypt_message(server, num_rqst, new_rq, 1, + server->secmech.ccmaesencrypt); cifs_dbg(FYI, "Encrypt message returned %d\n", rc); if (rc) goto err_free; @@ -4467,8 +4453,9 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, unsigned int npages, unsigned int page_data_size, bool is_offloaded) { - struct kvec iov[2]; + struct crypto_aead *tfm; struct smb_rqst rqst = {NULL}; + struct kvec iov[2]; int rc; iov[0].iov_base = buf; @@ -4483,9 +4470,31 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, rqst.rq_pagesz = PAGE_SIZE; rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE; - rc = crypt_message(server, 1, &rqst, 0); + if (is_offloaded) { + if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) || + (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) + tfm = crypto_alloc_aead("gcm(aes)", 0, 0); + else + tfm = crypto_alloc_aead("ccm(aes)", 0, 0); + if (IS_ERR(tfm)) { + rc = PTR_ERR(tfm); + cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc); + + return rc; + } + } else { + if (unlikely(!server->secmech.ccmaesdecrypt)) + return -EIO; + + tfm = server->secmech.ccmaesdecrypt; + } + + rc = crypt_message(server, 1, &rqst, 0, tfm); cifs_dbg(FYI, "Decrypt message returned %d\n", rc); + if (is_offloaded) + crypto_free_aead(tfm); + if (rc) return rc; diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 0c4a2474e75b..b1b0d26c8486 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -993,6 +993,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) else cifs_server_dbg(VFS, "Missing expected negotiate contexts\n"); } + + if (server->cipher_type && !rc) { + rc = smb3_crypto_aead_allocate(server); + if (rc) + cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc); + } neg_exit: free_rsp_buf(resp_buftype, rsp); return rc; -- 2.39.2

2 1

[PATCH OLK-5.10] smb: client: fix UAF in async decryption
by Long Li 30 Oct '24

30 Oct '24

From: Enzo Matsumiya <ematsumiya(a)suse.de> mainline inclusion from mainline-v6.10-rc2 commit b0abcd65ec545701b8793e12bc27dc98042b151a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRE5 CVE: CVE-2024-50047 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] <TASK> [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation. Signed-off-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/client/smb2ops.c fs/smb/client/smb2pdu.c fs/cifs/smb2ops.c fs/cifs/smb2pdu.c [Conflicts due to cifs rename to smb/clinet] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/cifs/smb2ops.c | 49 ++++++++++++++++++++++++++++------------------- fs/cifs/smb2pdu.c | 6 ++++++ 2 files changed, 35 insertions(+), 20 deletions(-) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 580c90a13ca8..1b60b32ed4f7 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -4287,7 +4287,7 @@ smb2_get_enc_key(struct TCP_Server_Info *server, __u64 ses_id, int enc, u8 *key) */ static int crypt_message(struct TCP_Server_Info *server, int num_rqst, - struct smb_rqst *rqst, int enc) + struct smb_rqst *rqst, int enc, struct crypto_aead *tfm) { struct smb2_transform_hdr *tr_hdr = (struct smb2_transform_hdr *)rqst[0].rq_iov[0].iov_base; @@ -4298,8 +4298,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, u8 key[SMB3_ENC_DEC_KEY_SIZE]; struct aead_request *req; u8 *iv; - DECLARE_CRYPTO_WAIT(wait); - struct crypto_aead *tfm; unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize); void *creq; @@ -4310,15 +4308,6 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, return rc; } - rc = smb3_crypto_aead_allocate(server); - if (rc) { - cifs_server_dbg(VFS, "%s: crypto alloc failed\n", __func__); - return rc; - } - - tfm = enc ? server->secmech.ccmaesencrypt : - server->secmech.ccmaesdecrypt; - if ((server->cipher_type == SMB2_ENCRYPTION_AES256_CCM) || (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) rc = crypto_aead_setkey(tfm, key, SMB3_GCM256_CRYPTKEY_SIZE); @@ -4357,11 +4346,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst, aead_request_set_crypt(req, sg, sg, crypt_len, iv); aead_request_set_ad(req, assoc_data_len); - aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, - crypto_req_done, &wait); - - rc = crypto_wait_req(enc ? crypto_aead_encrypt(req) - : crypto_aead_decrypt(req), &wait); + rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); if (!rc && enc) memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE); @@ -4450,7 +4435,8 @@ smb3_init_transform_rq(struct TCP_Server_Info *server, int num_rqst, /* fill the 1st iov with a transform header */ fill_transform_hdr(tr_hdr, orig_len, old_rq, server->cipher_type); - rc = crypt_message(server, num_rqst, new_rq, 1); + rc = crypt_message(server, num_rqst, new_rq, 1, + server->secmech.ccmaesencrypt); cifs_dbg(FYI, "Encrypt message returned %d\n", rc); if (rc) goto err_free; @@ -4476,8 +4462,9 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, unsigned int npages, unsigned int page_data_size, bool is_offloaded) { - struct kvec iov[2]; + struct crypto_aead *tfm; struct smb_rqst rqst = {NULL}; + struct kvec iov[2]; int rc; iov[0].iov_base = buf; @@ -4492,9 +4479,31 @@ decrypt_raw_data(struct TCP_Server_Info *server, char *buf, rqst.rq_pagesz = PAGE_SIZE; rqst.rq_tailsz = (page_data_size % PAGE_SIZE) ? : PAGE_SIZE; - rc = crypt_message(server, 1, &rqst, 0); + if (is_offloaded) { + if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) || + (server->cipher_type == SMB2_ENCRYPTION_AES256_GCM)) + tfm = crypto_alloc_aead("gcm(aes)", 0, 0); + else + tfm = crypto_alloc_aead("ccm(aes)", 0, 0); + if (IS_ERR(tfm)) { + rc = PTR_ERR(tfm); + cifs_server_dbg(VFS, "%s: Failed alloc decrypt TFM, rc=%d\n", __func__, rc); + + return rc; + } + } else { + if (unlikely(!server->secmech.ccmaesdecrypt)) + return -EIO; + + tfm = server->secmech.ccmaesdecrypt; + } + + rc = crypt_message(server, 1, &rqst, 0, tfm); cifs_dbg(FYI, "Decrypt message returned %d\n", rc); + if (is_offloaded) + crypto_free_aead(tfm); + if (rc) return rc; diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index aa3211d8cce3..d8e57bdabc88 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -998,6 +998,12 @@ SMB2_negotiate(const unsigned int xid, struct cifs_ses *ses) else cifs_server_dbg(VFS, "Missing expected negotiate contexts\n"); } + + if (server->cipher_type && !rc) { + rc = smb3_crypto_aead_allocate(server); + if (rc) + cifs_server_dbg(VFS, "%s: crypto alloc failed, rc=%d\n", __func__, rc); + } neg_exit: free_rsp_buf(resp_buftype, rsp); return rc; -- 2.39.2

2 1

[openeuler:OLK-6.6] BUILD REGRESSION 5b8789bdf0036a2c7127f6a0d942b4c2b6f8e42d
by kernel test robot 30 Oct '24

30 Oct '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6 branch HEAD: 5b8789bdf0036a2c7127f6a0d942b4c2b6f8e42d !12632 ALSA: asihpi: Fix potential OOB array access Error/Warning (recently discovered and may have been fixed): https://lore.kernel.org/oe-kbuild-all/202410300643.xefa3uuI-lkp@intel.com arch/loongarch/include/asm/irq.h:47:23: error: 'NR_VECTORS' undeclared (first use in this function) arch/loongarch/include/asm/irq.h:47:23: error: 'NR_VECTORS' undeclared here (not in a function) Error/Warning ids grouped by kconfigs: recent_errors |-- arm64-allmodconfig | |-- arch-arm64-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvf-description-in-find_arm_smmu_domain | |-- arch-arm64-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvm-description-in-cvm_vfio_add_kvm_to_smmu_domain | |-- arch-arm64-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-smmu_domain_group_list-description-in-find_arm_smmu_domain | |-- arch-arm64-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-data-not-described-in-find_arm_smmu_domain | |-- arch-arm64-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-dev-not-described-in-find_arm_smmu_domain | |-- arch-arm64-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-kv-not-described-in-cvm_vfio_add_kvm_to_smmu_domain | |-- arch-arm64-kvm-virtcca_cvm.c:warning:no-previous-prototype-for-function-kvm_cvm_create_dev_ttt_levels | |-- clang:warning:no-such-include-directory:drivers-net-ethernet-nebula-matrix-nbl-nbl_export | |-- clang:warning:no-such-include-directory:drivers-net-ethernet-nebula-matrix-nbl-nbl_include | |-- drivers-net-ethernet-huawei-hinic3-cqm-cqm_bitmap_table.c:error:a-randomized-struct-can-only-be-initialized-with-a-designated-initializer | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_core.h:fatal-error:nbl_product_base.h-file-not-found | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_queue_leonis.h:fatal-error:nbl_resource.h-file-not-found | `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_resource_leonis.h:fatal-error:nbl_resource.h-file-not-found |-- loongarch-allmodconfig | |-- arch-loongarch-include-asm-irq.h:error:NR_VECTORS-undeclared-(first-use-in-this-function) | `-- arch-loongarch-include-asm-irq.h:error:NR_VECTORS-undeclared-here-(not-in-a-function) |-- loongarch-allnoconfig | |-- arch-loongarch-kernel-efi.c:error:incompatible-types-when-assigning-to-type-pmd_t-from-type-int | `-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function) |-- x86_64-allnoconfig | |-- Warning:drivers-net-ethernet-nebula-matrix-Kconfig-references-a-file-that-doesn-t-exist:file:Documentation-networking-device_drivers-ethernet-nebula-matrix-m18110.rst | `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_include-nbl_include.h:linux-pci.h-is-included-more-than-once. |-- x86_64-allyesconfig | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvf-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvm-description-in-cvm_vfio_add_kvm_to_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-smmu_domain_group_list-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-data-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-dev-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-kv-not-described-in-cvm_vfio_add_kvm_to_smmu_domain | |-- clang:warning:no-such-include-directory:drivers-net-ethernet-nebula-matrix-nbl-nbl_export | |-- clang:warning:no-such-include-directory:drivers-net-ethernet-nebula-matrix-nbl-nbl_include | |-- drivers-gpu-drm-amd-amdgpu-..-display-dc-dml-calcs-dcn_calc_auto.c:warning:stack-frame-size-()-exceeds-limit-()-in-mode_support_and_system_configuration | |-- drivers-net-ethernet-huawei-hinic3-cqm-cqm_bitmap_table.c:error:a-randomized-struct-can-only-be-initialized-with-a-designated-initializer | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_core.h:fatal-error:nbl_product_base.h-file-not-found | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_queue_leonis.h:fatal-error:nbl_resource.h-file-not-found | `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_resource_leonis.h:fatal-error:nbl_resource.h-file-not-found |-- x86_64-buildonly-randconfig-002-20241030 | |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_export:No-such-file-or-directory | |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_include:No-such-file-or-directory | |-- drivers-crypto-ccp-hygon-hct.c:error:struct-device-has-no-member-named-numa_node | |-- drivers-net-ethernet-huawei-hinic-hinic_main.c:warning:no-previous-prototype-for-hinic_netdev_event | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_core.h:fatal-error:nbl_product_base.h:No-such-file-or-directory | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_queue_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory | `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_resource_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory |-- x86_64-kexec | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvf-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvm-description-in-cvm_vfio_add_kvm_to_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-smmu_domain_group_list-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-data-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-dev-not-described-in-find_arm_smmu_domain | `-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-kv-not-described-in-cvm_vfio_add_kvm_to_smmu_domain |-- x86_64-rhel-8.3 | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvf-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvm-description-in-cvm_vfio_add_kvm_to_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-smmu_domain_group_list-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-data-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-dev-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-kv-not-described-in-cvm_vfio_add_kvm_to_smmu_domain | |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_export:No-such-file-or-directory | |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_include:No-such-file-or-directory | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_core.h:fatal-error:nbl_product_base.h:No-such-file-or-directory | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_queue_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory | `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_resource_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory |-- x86_64-rhel-8.3-func | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvf-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvm-description-in-cvm_vfio_add_kvm_to_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-smmu_domain_group_list-description-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-data-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-dev-not-described-in-find_arm_smmu_domain | |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-kv-not-described-in-cvm_vfio_add_kvm_to_smmu_domain | |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_export:No-such-file-or-directory | |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_include:No-such-file-or-directory | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_core.h:fatal-error:nbl_product_base.h:No-such-file-or-directory | |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_queue_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory | `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_resource_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory `-- x86_64-rhel-8.3-kselftests |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvf-description-in-find_arm_smmu_domain |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-kvm-description-in-cvm_vfio_add_kvm_to_smmu_domain |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Excess-function-parameter-smmu_domain_group_list-description-in-find_arm_smmu_domain |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-data-not-described-in-find_arm_smmu_domain |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-dev-not-described-in-find_arm_smmu_domain |-- arch-x86-kvm-..-..-..-virt-kvm-vfio.c:warning:Function-parameter-or-member-kv-not-described-in-cvm_vfio_add_kvm_to_smmu_domain |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_export:No-such-file-or-directory |-- cc1:warning:drivers-net-ethernet-nebula-matrix-nbl-nbl_include:No-such-file-or-directory |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_core.h:fatal-error:nbl_product_base.h:No-such-file-or-directory |-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_queue_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory `-- drivers-net-ethernet-nebula-matrix-nbl-nbl_hw-nbl_hw_leonis-nbl_resource_leonis.h:fatal-error:nbl_resource.h:No-such-file-or-directory elapsed time: 722m configs tested: 14 configs skipped: 65 tested configs: arm64 allmodconfig clang-20 arm64 allnoconfig gcc-14.1.0 loongarch allmodconfig gcc-14.1.0 loongarch allnoconfig gcc-14.1.0 x86_64 allnoconfig clang-19 x86_64 allyesconfig clang-19 x86_64 buildonly-randconfig-001-20241030 clang-19 x86_64 buildonly-randconfig-002-20241030 gcc-12 x86_64 buildonly-randconfig-003-20241030 gcc-12 x86_64 buildonly-randconfig-004-20241030 gcc-12 x86_64 buildonly-randconfig-005-20241030 gcc-12 x86_64 defconfig gcc-11 x86_64 kexec clang-19 x86_64 rhel-8.3 gcc-12 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0