November 2024 - Kernel - mailweb.openeuler.org

[PATCH OLK-5.10] f2fs: get rid of online repaire on corrupted directory
by Long Li 04 Nov '24

04 Nov '24

From: Chao Yu <chao(a)kernel.org> stable inclusion from stable-v5.15.167 commit e8d64f598eeb079c42a52deaa3a91312c736a49d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPKA CVE: CVE-2024-47690 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- [ Upstream commit 884ee6dc85b959bc152f15bca80c30f06069e6c4 ] syzbot reports a f2fs bug as below: kernel BUG at fs/f2fs/inode.c:896! RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Call Trace: evict+0x532/0x950 fs/inode.c:704 dispose_list fs/inode.c:747 [inline] evict_inodes+0x5f9/0x690 fs/inode.c:797 generic_shutdown_super+0x9d/0x2d0 fs/super.c:627 kill_block_super+0x44/0x90 fs/super.c:1696 kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898 deactivate_locked_super+0xc4/0x130 fs/super.c:473 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 task_work_run+0x24f/0x310 kernel/task_work.c:228 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402 ptrace_report_syscall include/linux/ptrace.h:415 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Online repaire on corrupted directory in f2fs_lookup() can generate dirty data/meta while racing w/ readonly remount, it may leave dirty inode after filesystem becomes readonly, however, checkpoint() will skips flushing dirty inode in a state of readonly mode, result in above panic. Let's get rid of online repaire in f2fs_lookup(), and leave the work to fsck.f2fs. Fixes: 510022a85839 ("f2fs: add F2FS_INLINE_DOTS to recover missing dot dentries") Reported-by: syzbot+ebea2790904673d7c618(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000a7b20f061ff2d56a@google.com Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/f2fs/f2fs.h fs/f2fs/namei.c include/linux/f2fs_fs.h [0cab715836db ("f2fs: introduce F2FS_IPU_HONOR_OPU_WRITE ipu policy")] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/f2fs/f2fs.h | 11 -------- fs/f2fs/namei.c | 62 ----------------------------------------- include/linux/f2fs_fs.h | 2 +- 3 files changed, 1 insertion(+), 74 deletions(-) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 6bcd3f875207..49e74f45a5cd 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -672,7 +672,6 @@ enum { FI_FIRST_BLOCK_WRITTEN, /* indicate #0 data block was written */ FI_DROP_CACHE, /* drop dirty page cache */ FI_DATA_EXIST, /* indicate data exists */ - FI_INLINE_DOTS, /* indicate inline dot dentries */ FI_DO_DEFRAG, /* indicate defragment is running */ FI_DIRTY_FILE, /* indicate regular/symlink has dirty pages */ FI_NO_PREALLOC, /* indicate skipped preallocated blocks */ @@ -2632,7 +2631,6 @@ static inline void __mark_inode_dirty_flag(struct inode *inode, return; fallthrough; case FI_DATA_EXIST: - case FI_INLINE_DOTS: case FI_PIN_FILE: f2fs_mark_inode_dirty_sync(inode, true); } @@ -2749,8 +2747,6 @@ static inline void get_inline_info(struct inode *inode, struct f2fs_inode *ri) set_bit(FI_INLINE_DENTRY, fi->flags); if (ri->i_inline & F2FS_DATA_EXIST) set_bit(FI_DATA_EXIST, fi->flags); - if (ri->i_inline & F2FS_INLINE_DOTS) - set_bit(FI_INLINE_DOTS, fi->flags); if (ri->i_inline & F2FS_EXTRA_ATTR) set_bit(FI_EXTRA_ATTR, fi->flags); if (ri->i_inline & F2FS_PIN_FILE) @@ -2769,8 +2765,6 @@ static inline void set_raw_inline(struct inode *inode, struct f2fs_inode *ri) ri->i_inline |= F2FS_INLINE_DENTRY; if (is_inode_flag_set(inode, FI_DATA_EXIST)) ri->i_inline |= F2FS_DATA_EXIST; - if (is_inode_flag_set(inode, FI_INLINE_DOTS)) - ri->i_inline |= F2FS_INLINE_DOTS; if (is_inode_flag_set(inode, FI_EXTRA_ATTR)) ri->i_inline |= F2FS_EXTRA_ATTR; if (is_inode_flag_set(inode, FI_PIN_FILE)) @@ -2835,11 +2829,6 @@ static inline int f2fs_exist_data(struct inode *inode) return is_inode_flag_set(inode, FI_DATA_EXIST); } -static inline int f2fs_has_inline_dots(struct inode *inode) -{ - return is_inode_flag_set(inode, FI_INLINE_DOTS); -} - static inline int f2fs_is_mmap_file(struct inode *inode) { return is_inode_flag_set(inode, FI_MMAP_FILE); diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index 99e4ec48d2a4..4c5a39a5d6be 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -440,56 +440,6 @@ struct dentry *f2fs_get_parent(struct dentry *child) return d_obtain_alias(f2fs_iget(child->d_sb, ino)); } -static int __recover_dot_dentries(struct inode *dir, nid_t pino) -{ - struct f2fs_sb_info *sbi = F2FS_I_SB(dir); - struct qstr dot = QSTR_INIT(".", 1); - struct qstr dotdot = QSTR_INIT("..", 2); - struct f2fs_dir_entry *de; - struct page *page; - int err = 0; - - if (f2fs_readonly(sbi->sb)) { - f2fs_info(sbi, "skip recovering inline_dots inode (ino:%lu, pino:%u) in readonly mountpoint", - dir->i_ino, pino); - return 0; - } - - err = dquot_initialize(dir); - if (err) - return err; - - f2fs_balance_fs(sbi, true); - - f2fs_lock_op(sbi); - - de = f2fs_find_entry(dir, &dot, &page); - if (de) { - f2fs_put_page(page, 0); - } else if (IS_ERR(page)) { - err = PTR_ERR(page); - goto out; - } else { - err = f2fs_do_add_link(dir, &dot, NULL, dir->i_ino, S_IFDIR); - if (err) - goto out; - } - - de = f2fs_find_entry(dir, &dotdot, &page); - if (de) - f2fs_put_page(page, 0); - else if (IS_ERR(page)) - err = PTR_ERR(page); - else - err = f2fs_do_add_link(dir, &dotdot, NULL, pino, S_IFDIR); -out: - if (!err) - clear_inode_flag(dir, FI_INLINE_DOTS); - - f2fs_unlock_op(sbi); - return err; -} - static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) { @@ -499,7 +449,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry, struct dentry *new; nid_t ino = -1; int err = 0; - unsigned int root_ino = F2FS_ROOT_INO(F2FS_I_SB(dir)); struct f2fs_filename fname; trace_f2fs_lookup_start(dir, dentry, flags); @@ -535,17 +484,6 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry, goto out; } - if ((dir->i_ino == root_ino) && f2fs_has_inline_dots(dir)) { - err = __recover_dot_dentries(dir, root_ino); - if (err) - goto out_iput; - } - - if (f2fs_has_inline_dots(inode)) { - err = __recover_dot_dentries(inode, dir->i_ino); - if (err) - goto out_iput; - } if (IS_ENCRYPTED(dir) && (S_ISDIR(inode->i_mode) || S_ISLNK(inode->i_mode)) && !fscrypt_has_permitted_context(dir, inode)) { diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h index 7fd4bea6be64..9e377f158e6c 100644 --- a/include/linux/f2fs_fs.h +++ b/include/linux/f2fs_fs.h @@ -227,7 +227,7 @@ struct f2fs_extent { #define F2FS_INLINE_DATA 0x02 /* file inline data flag */ #define F2FS_INLINE_DENTRY 0x04 /* file inline dentry flag */ #define F2FS_DATA_EXIST 0x08 /* file inline data exist flag */ -#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries */ +#define F2FS_INLINE_DOTS 0x10 /* file having implicit dot dentries (obsolete) */ #define F2FS_EXTRA_ATTR 0x20 /* file having extra attribute */ #define F2FS_PIN_FILE 0x40 /* file should not be gced */ -- 2.39.2

2 1

[openeuler:openEuler-1.0-LTS 1231/1231] arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 's' not described in 'show_doms'
by kernel test robot 04 Nov '24

04 Nov '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: d9cf86e2fe8e5c014fd3e46c31f3415549ab813f commit: 7243df9bf3ab4130b2c8f5dfa9a620afc964cc72 [1231/1231] arm64/mpam: resctrl: Write and read schemata by schema_list config: arm64-randconfig-001-20241029 (https://download.01.org/0day-ci/archive/20241104/202411041549.sgcRhuo9-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241104/202411041549.sgcRhuo9-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202411041549.sgcRhuo9-lkp@intel.com/ All warnings (new ones prefixed by >>): >> arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 's' not described in 'show_doms' >> arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 'r' not described in 'show_doms' >> arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 'schema_name' not described in 'show_doms' arch/arm64/kernel/mpam/mpam_ctrlmon.c:300: warning: Function parameter or member 'partid' not described in 'show_doms' vim +300 arch/arm64/kernel/mpam/mpam_ctrlmon.c 1abcabe9dab59ec arch/arm64/kernel/mpam_ctrlmon.c Yang Yingliang 2019-01-30 287 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 288 /** 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 289 * MPAM resources such as L2 may have too many domains for arm64, 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 290 * at this time we should rearrange this display for brevity and 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 291 * harmonious interaction. 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 292 * 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 293 * Before rearrangement: L2:0=ff;1=ff;2=fc;3=ff;4=f;....;255=ff 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 294 * After rearrangement: L2:S;2=fc;S;4=f;S 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 295 * Those continuous fully sharable domains will be combined into 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 296 * a single "S" simply. 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 297 */ 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 298 static void show_doms(struct seq_file *s, struct resctrl_resource *r, 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 299 char *schema_name, int partid) be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 @300 { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 301 struct raw_resctrl_resource *rr = r->res; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 302 struct rdt_domain *dom; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 303 bool sep = false; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 304 bool rg = false; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 305 bool prev_auto_fill = false; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 306 u32 reg_val; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 307 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 308 if (r->dom_num > RESCTRL_SHOW_DOM_MAX_NUM) 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 309 rg = true; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 310 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 311 seq_printf(s, "%*s:", max_name_width, schema_name); be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 312 list_for_each_entry(dom, &r->domains, list) { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 313 reg_val = rr->msr_read(dom, partid); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 314 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 315 if (rg && reg_val == r->default_ctrl && 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 316 prev_auto_fill == true) 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 317 continue; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 318 be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 319 if (sep) be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 320 seq_puts(s, ";"); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 321 if (rg && reg_val == r->default_ctrl) { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 322 prev_auto_fill = true; 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 323 seq_puts(s, "S"); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 324 } else { 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 325 seq_printf(s, rr->format_str, dom->id, 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 326 max_data_width, reg_val); 7243df9bf3ab413 arch/arm64/kernel/mpam/mpam_ctrlmon.c Wang ShaoBo 2021-02-24 327 } be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 328 sep = true; be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 329 } be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 330 seq_puts(s, "\n"); be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 331 } be2167d2a188dc2 arch/arm64/kernel/mpam_ctrlmon.c Xie XiuQi 2019-01-29 332 :::::: The code at line 300 was first introduced by commit :::::: be2167d2a188dc20648fa10c2c5ccd56ba579533 arm64/mpam: support resctrl_group_schemata_show :::::: TO: Xie XiuQi <xiexiuqi(a)huawei.com> :::::: CC: Xie XiuQi <xiexiuqi(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] net: fix crash when config small gso_max_size/gso_ipv4_max_size
by Wang Liang 04 Nov '24

04 Nov '24

mainline inclusion from mainline-v6.12-rc6 commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAY2B4 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") Conflicts: net/core/rtnetlink.c [conflicts due to not mergered 3e48be05f3c7 ("netlink: add attribute range validation to policy"), conflicts due to not mergered 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")] Signed-off-by: Wang Liang <wangliang74(a)huawei.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> --- net/core/rtnetlink.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 9209623ab644..c66f60941e5b 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -2072,6 +2072,11 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[]) if (tb[IFLA_BROADCAST] && nla_len(tb[IFLA_BROADCAST]) < dev->addr_len) return -EINVAL; + + if (tb[IFLA_GSO_MAX_SIZE] && + (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) { + return -EINVAL; + } } if (tb[IFLA_AF_SPEC]) { -- 2.34.1

2 1

[PATCH OLK-5.10] drm/amd/display: Check BIOS images before it is used
by Kaixiong Yu 04 Nov '24

04 Nov '24

From: Alex Hung <alex.hung(a)amd.com> stable inclusion from stable-v6.6.50 commit e50bec62acaeec03afc6fa5dfb2426e52d049cf5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAU9OU CVE: CVE-2024-46809 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 8b0ddf19cca2a352b2a7e01d99d3ba949a99c84c ] BIOS images may fail to load and null checks are added before they are used. This fixes 6 NULL_RETURNS issues reported by Coverity. Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Acked-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpu/drm/amd/display/dc/bios/bios_parser.c [Because OLK-5.10 did not merge the mainline commit bd3fe587f898 ("drm/amdgpu: Replace one-elements array with flex-array members")] Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c index ad394aefa5d9..cd485b1350eb 100644 --- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c +++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c @@ -664,6 +664,9 @@ static enum bp_result get_ss_info_v3_1( ss_table_header_include = GET_IMAGE(ATOM_ASIC_INTERNAL_SS_INFO_V3, DATA_TABLES(ASIC_InternalSS_Info)); + if (!ss_table_header_include) + return BP_RESULT_UNSUPPORTED; + table_size = (le16_to_cpu(ss_table_header_include->sHeader.usStructureSize) - sizeof(ATOM_COMMON_TABLE_HEADER)) @@ -1030,6 +1033,8 @@ static enum bp_result get_ss_info_from_internal_ss_info_tbl_V2_1( header = GET_IMAGE(ATOM_ASIC_INTERNAL_SS_INFO_V2, DATA_TABLES(ASIC_InternalSS_Info)); + if (!header) + return result; memset(info, 0, sizeof(struct spread_spectrum_info)); @@ -1102,6 +1107,8 @@ static enum bp_result get_ss_info_from_ss_info_table( get_atom_data_table_revision(header, &revision); tbl = GET_IMAGE(ATOM_SPREAD_SPECTRUM_INFO, DATA_TABLES(SS_Info)); + if (!tbl) + return result; if (1 != revision.major || 2 > revision.minor) return result; @@ -1634,6 +1641,8 @@ static uint32_t get_ss_entry_number_from_ss_info_tbl( tbl = GET_IMAGE(ATOM_SPREAD_SPECTRUM_INFO, DATA_TABLES(SS_Info)); + if (!tbl) + return number; if (1 != revision.major || 2 > revision.minor) return number; @@ -1712,6 +1721,8 @@ static uint32_t get_ss_entry_number_from_internal_ss_info_tbl_v2_1( header_include = GET_IMAGE(ATOM_ASIC_INTERNAL_SS_INFO_V2, DATA_TABLES(ASIC_InternalSS_Info)); + if (!header_include) + return 0; size = (le16_to_cpu(header_include->sHeader.usStructureSize) - sizeof(ATOM_COMMON_TABLE_HEADER)) @@ -1748,6 +1759,9 @@ static uint32_t get_ss_entry_number_from_internal_ss_info_tbl_V3_1( header_include = GET_IMAGE(ATOM_ASIC_INTERNAL_SS_INFO_V3, DATA_TABLES(ASIC_InternalSS_Info)); + if (!header_include) + return number; + size = (le16_to_cpu(header_include->sHeader.usStructureSize) - sizeof(ATOM_COMMON_TABLE_HEADER)) / sizeof(ATOM_ASIC_SS_ASSIGNMENT_V3); -- 2.34.1

2 3

[PATCH OLK-6.6] igb: Do not bring the device up after non-fatal error
by Kaixiong Yu 04 Nov '24

04 Nov '24

From: Mohamed Khalfella <mkhalfella(a)purestorage.com> stable inclusion from stable-v6.6.57 commit 57c5053eaa5f9a8a99e34732e37a86615318e464 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF1 CVE: CVE-2024-50040 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb ] Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal") changed igb_io_error_detected() to ignore non-fatal pcie errors in order to avoid hung task that can happen when igb_down() is called multiple times. This caused an issue when processing transient non-fatal errors. igb_io_resume(), which is called after igb_io_error_detected(), assumes that device is brought down by igb_io_error_detected() if the interface is up. This resulted in panic with stacktrace below. [ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down [ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0 [ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID) [ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000 [ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000 [ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message [ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported. [ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message [ T292] pcieport 0000:00:1c.5: AER: broadcast resume message [ T292] ------------[ cut here ]------------ [ T292] kernel BUG at net/core/dev.c:6539! [ T292] invalid opcode: 0000 [#1] PREEMPT SMP [ T292] RIP: 0010:napi_enable+0x37/0x40 [ T292] Call Trace: [ T292] <TASK> [ T292] ? die+0x33/0x90 [ T292] ? do_trap+0xdc/0x110 [ T292] ? napi_enable+0x37/0x40 [ T292] ? do_error_trap+0x70/0xb0 [ T292] ? napi_enable+0x37/0x40 [ T292] ? napi_enable+0x37/0x40 [ T292] ? exc_invalid_op+0x4e/0x70 [ T292] ? napi_enable+0x37/0x40 [ T292] ? asm_exc_invalid_op+0x16/0x20 [ T292] ? napi_enable+0x37/0x40 [ T292] igb_up+0x41/0x150 [ T292] igb_io_resume+0x25/0x70 [ T292] report_resume+0x54/0x70 [ T292] ? report_frozen_detected+0x20/0x20 [ T292] pci_walk_bus+0x6c/0x90 [ T292] ? aer_print_port_info+0xa0/0xa0 [ T292] pcie_do_recovery+0x22f/0x380 [ T292] aer_process_err_devices+0x110/0x160 [ T292] aer_isr+0x1c1/0x1e0 [ T292] ? disable_irq_nosync+0x10/0x10 [ T292] irq_thread_fn+0x1a/0x60 [ T292] irq_thread+0xe3/0x1a0 [ T292] ? irq_set_affinity_notifier+0x120/0x120 [ T292] ? irq_affinity_notify+0x100/0x100 [ T292] kthread+0xe2/0x110 [ T292] ? kthread_complete_and_exit+0x20/0x20 [ T292] ret_from_fork+0x2d/0x50 [ T292] ? kthread_complete_and_exit+0x20/0x20 [ T292] ret_from_fork_asm+0x11/0x20 [ T292] </TASK> To fix this issue igb_io_resume() checks if the interface is running and the device is not down this means igb_io_error_detected() did not bring the device down and there is no need to bring it up. Signed-off-by: Mohamed Khalfella <mkhalfella(a)purestorage.com> Reviewed-by: Yuanyuan Zhong <yzhong(a)purestorage.com> Fixes: 004d25060c78 ("igb: Fix igb_down hung on surprise removal") Reviewed-by: Simon Horman <horms(a)kernel.org> Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha(a)intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/net/ethernet/intel/igb/igb_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 986bcbf0a6ab..49b349fa2254 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -9672,6 +9672,10 @@ static void igb_io_resume(struct pci_dev *pdev) struct igb_adapter *adapter = netdev_priv(netdev); if (netif_running(netdev)) { + if (!test_bit(__IGB_DOWN, &adapter->state)) { + dev_dbg(&pdev->dev, "Resuming from non-fatal error, do nothing.\n"); + return; + } if (igb_up(adapter)) { dev_err(&pdev->dev, "igb_up failed after reset\n"); return; -- 2.34.1

2 1

[PATCH OLK-5.10] igb: Do not bring the device up after non-fatal error
by Kaixiong Yu 04 Nov '24

04 Nov '24

From: Mohamed Khalfella <mkhalfella(a)purestorage.com> stable inclusion from stable-v5.10.227 commit d79af3af2f49c6aae9add3d492c04d60c1b85ce4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF1 CVE: CVE-2024-50040 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 330a699ecbfc9c26ec92c6310686da1230b4e7eb ] Commit 004d25060c78 ("igb: Fix igb_down hung on surprise removal") changed igb_io_error_detected() to ignore non-fatal pcie errors in order to avoid hung task that can happen when igb_down() is called multiple times. This caused an issue when processing transient non-fatal errors. igb_io_resume(), which is called after igb_io_error_detected(), assumes that device is brought down by igb_io_error_detected() if the interface is up. This resulted in panic with stacktrace below. [ T3256] igb 0000:09:00.0 haeth0: igb: haeth0 NIC Link is Down [ T292] pcieport 0000:00:1c.5: AER: Uncorrected (Non-Fatal) error received: 0000:09:00.0 [ T292] igb 0000:09:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fatal), type=Transaction Layer, (Requester ID) [ T292] igb 0000:09:00.0: device [8086:1537] error status/mask=00004000/00000000 [ T292] igb 0000:09:00.0: [14] CmpltTO [ 200.105524,009][ T292] igb 0000:09:00.0: AER: TLP Header: 00000000 00000000 00000000 00000000 [ T292] pcieport 0000:00:1c.5: AER: broadcast error_detected message [ T292] igb 0000:09:00.0: Non-correctable non-fatal error reported. [ T292] pcieport 0000:00:1c.5: AER: broadcast mmio_enabled message [ T292] pcieport 0000:00:1c.5: AER: broadcast resume message [ T292] ------------[ cut here ]------------ [ T292] kernel BUG at net/core/dev.c:6539! [ T292] invalid opcode: 0000 [#1] PREEMPT SMP [ T292] RIP: 0010:napi_enable+0x37/0x40 [ T292] Call Trace: [ T292] <TASK> [ T292] ? die+0x33/0x90 [ T292] ? do_trap+0xdc/0x110 [ T292] ? napi_enable+0x37/0x40 [ T292] ? do_error_trap+0x70/0xb0 [ T292] ? napi_enable+0x37/0x40 [ T292] ? napi_enable+0x37/0x40 [ T292] ? exc_invalid_op+0x4e/0x70 [ T292] ? napi_enable+0x37/0x40 [ T292] ? asm_exc_invalid_op+0x16/0x20 [ T292] ? napi_enable+0x37/0x40 [ T292] igb_up+0x41/0x150 [ T292] igb_io_resume+0x25/0x70 [ T292] report_resume+0x54/0x70 [ T292] ? report_frozen_detected+0x20/0x20 [ T292] pci_walk_bus+0x6c/0x90 [ T292] ? aer_print_port_info+0xa0/0xa0 [ T292] pcie_do_recovery+0x22f/0x380 [ T292] aer_process_err_devices+0x110/0x160 [ T292] aer_isr+0x1c1/0x1e0 [ T292] ? disable_irq_nosync+0x10/0x10 [ T292] irq_thread_fn+0x1a/0x60 [ T292] irq_thread+0xe3/0x1a0 [ T292] ? irq_set_affinity_notifier+0x120/0x120 [ T292] ? irq_affinity_notify+0x100/0x100 [ T292] kthread+0xe2/0x110 [ T292] ? kthread_complete_and_exit+0x20/0x20 [ T292] ret_from_fork+0x2d/0x50 [ T292] ? kthread_complete_and_exit+0x20/0x20 [ T292] ret_from_fork_asm+0x11/0x20 [ T292] </TASK> To fix this issue igb_io_resume() checks if the interface is running and the device is not down this means igb_io_error_detected() did not bring the device down and there is no need to bring it up. Signed-off-by: Mohamed Khalfella <mkhalfella(a)purestorage.com> Reviewed-by: Yuanyuan Zhong <yzhong(a)purestorage.com> Fixes: 004d25060c78 ("igb: Fix igb_down hung on surprise removal") Reviewed-by: Simon Horman <horms(a)kernel.org> Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha(a)intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/net/ethernet/intel/igb/igb_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 1a3e07cf9162..16eaf3220f8b 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -9511,6 +9511,10 @@ static void igb_io_resume(struct pci_dev *pdev) struct igb_adapter *adapter = netdev_priv(netdev); if (netif_running(netdev)) { + if (!test_bit(__IGB_DOWN, &adapter->state)) { + dev_dbg(&pdev->dev, "Resuming from non-fatal error, do nothing.\n"); + return; + } if (igb_up(adapter)) { dev_err(&pdev->dev, "igb_up failed after reset\n"); return; -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
by Kaixiong Yu 04 Nov '24

04 Nov '24

From: Mark Brown <broonie(a)kernel.org> stable inclusion from stable-v5.10.160 commit 50b5f6d4d9d2d69a7498c44fd8b26e13d73d3d98 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6AVM6 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… CVE: CVE-2022-48951 -------------------------------- [ Upstream commit 97eea946b93961fffd29448dcda7398d0d51c4b2 ] The bounds checks in snd_soc_put_volsw_sx() are only being applied to the first channel, meaning it is possible to write out of bounds values to the second channel in stereo controls. Add appropriate checks. Signed-off-by: Mark Brown <broonie(a)kernel.org> Link: https://lore.kernel.org/r/20220511134137.169575-2-broonie@kernel.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- sound/soc/soc-ops.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c index 0f26d6c31ce5..49d22233d391 100644 --- a/sound/soc/soc-ops.c +++ b/sound/soc/soc-ops.c @@ -447,6 +447,12 @@ int snd_soc_put_volsw_sx(struct snd_kcontrol *kcontrol, if (snd_soc_volsw_is_stereo(mc)) { val_mask = mask << rshift; val2 = (ucontrol->value.integer.value[1] + min) & mask; + + if (mc->platform_max && val2 > mc->platform_max) + return -EINVAL; + if (val2 > max) + return -EINVAL; + val2 = val2 << rshift; err = snd_soc_component_update_bits(component, reg2, val_mask, -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
by Kaixiong Yu 04 Nov '24

04 Nov '24

From: Haoran Zhang <wh1sper(a)zju.edu.cn> stable inclusion from stable-v5.10.227 commit 6592347f06e2b19a624270a85ad4b3ae48c3b241 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR8T CVE: CVE-2024-49863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 221af82f606d928ccef19a16d35633c63026f1be upstream. Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when guest sends an SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc->target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from guest. When this bug occurs, the vhost_worker process is killed while holding `vq->mutex` and the corresponding tpg will remain occupied indefinitely. Below is the KASAN report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1 Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vhost_scsi_get_req+0x165/0x3a0 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00 RSP: 0018:ffff888017affb50 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8 RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000 FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0 Call Trace: <TASK> ? show_regs+0x86/0xa0 ? die_addr+0x4b/0xd0 ? exc_general_protection+0x163/0x260 ? asm_exc_general_protection+0x27/0x30 ? vhost_scsi_get_req+0x165/0x3a0 vhost_scsi_ctl_handle_vq+0x2a4/0xca0 ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10 ? __switch_to+0x721/0xeb0 ? __schedule+0xda5/0x5710 ? __kasan_check_write+0x14/0x30 ? _raw_spin_lock+0x82/0xf0 vhost_scsi_ctl_handle_kick+0x52/0x90 vhost_run_work_list+0x134/0x1b0 vhost_task_fn+0x121/0x350 ... </TASK> ---[ end trace 0000000000000000 ]--- Let's add a check in vhost_scsi_get_req. Fixes: 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") Signed-off-by: Haoran Zhang <wh1sper(a)zju.edu.cn> [whitespace fixes] Signed-off-by: Mike Christie <michael.christie(a)oracle.com> Message-Id: <b26d7ddd-b098-4361-88f8-17ca7f90adf7(a)oracle.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- drivers/vhost/scsi.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c index 4ce9f00ae10e..a23a65e7d828 100644 --- a/drivers/vhost/scsi.c +++ b/drivers/vhost/scsi.c @@ -919,20 +919,23 @@ vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc, /* virtio-scsi spec requires byte 0 of the lun to be 1 */ vq_err(vq, "Illegal virtio-scsi lun: %u\n", *vc->lunp); } else { - struct vhost_scsi_tpg **vs_tpg, *tpg; - - vs_tpg = vhost_vq_get_backend(vq); /* validated at handler entry */ - - tpg = READ_ONCE(vs_tpg[*vc->target]); - if (unlikely(!tpg)) { - vq_err(vq, "Target 0x%x does not exist\n", *vc->target); - } else { - if (tpgp) - *tpgp = tpg; - ret = 0; + struct vhost_scsi_tpg **vs_tpg, *tpg = NULL; + + if (vc->target) { + /* validated at handler entry */ + vs_tpg = vhost_vq_get_backend(vq); + tpg = READ_ONCE(vs_tpg[*vc->target]); + if (unlikely(!tpg)) { + vq_err(vq, "Target 0x%x does not exist\n", *vc->target); + goto out; + } } - } + if (tpgp) + *tpgp = tpg; + ret = 0; + } +out: return ret; } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1 0/2] CVE-2022-48966
by Zeng Heng 04 Nov '24

04 Nov '24

Dan Carpenter (2): net: mvneta: Prevent out of bounds read in mvneta_config_rss() net: mvneta: Fix an out of bounds check drivers/net/ethernet/marvell/mvneta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.25.1

2 3

[PATCH OLK-6.6] mm/mremap: fix move_normal_pmd/retract_page_tables race
by Kaixiong Yu 04 Nov '24

04 Nov '24

From: Jann Horn <jannh(a)google.com> stable inclusion from stable-v6.6.58 commit 17396e32f975130b3e6251f024c8807d192e4c3e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAZ7TE CVE: CVE-2024-50066 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa upstream. In mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd(). move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise); note that process A accesses page tables through the MM while process B does it through the file rmap: process A process B ========= ========= mremap mremap_to move_vma move_page_tables get_old_pmd alloc_new_pmd *** PREEMPT *** madvise(MADV_COLLAPSE) do_madvise madvise_walk_vmas madvise_vma_behavior madvise_collapse hpage_collapse_scan_file collapse_file retract_page_tables i_mmap_lock_read(mapping) pmdp_collapse_flush i_mmap_unlock_read(mapping) move_pgt_entry(NORMAL_PMD, ...) take_rmap_locks move_normal_pmd drop_rmap_locks When this happens, move_normal_pmd() can end up creating bogus PMD entries in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`. The effect depends on arch-specific and machine-specific details; on x86, you can end up with physical page 0 mapped as a page table, which is likely exploitable for user->kernel privilege escalation. Fix the race by letting process B recheck that the PMD still points to a page table after the rmap locks have been taken. Otherwise, we bail and let the caller fall back to the PTE-level copying path, which will then bail immediately at the pmd_none() check. Bug reachability: Reaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, which would require creating your own user+mount namespace; though I don't know if some distros maybe enable shmem THP by default or something like that. Bug impact: This issue can likely be used for user->kernel privilege escalation when it is reachable. Link: https://lkml.kernel.org/r/20241007-move_normal_pmd-vs-collapse-fix-2-v1-1-5… Fixes: 1d65b771bc08 ("mm/khugepaged: retract_page_tables() without mmap or vma lock") Signed-off-by: Jann Horn <jannh(a)google.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> Co-developed-by: David Hildenbrand <david(a)redhat.com> Closes: https://project-zero.issues.chromium.org/371047675 Acked-by: Qi Zheng <zhengqi.arch(a)bytedance.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Joel Fernandes <joel(a)joelfernandes.org> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Kaixiong Yu <yukaixiong(a)huawei.com> --- mm/mremap.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/mm/mremap.c b/mm/mremap.c index 5d701d3c4f6b..e990bb8c8918 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -240,6 +240,7 @@ static bool move_normal_pmd(struct vm_area_struct *vma, unsigned long old_addr, { spinlock_t *old_ptl, *new_ptl; struct mm_struct *mm = vma->vm_mm; + bool res = false; pmd_t pmd; if (!arch_supports_page_table_move()) @@ -279,19 +280,25 @@ static bool move_normal_pmd(struct vm_area_struct *vma, unsigned long old_addr, if (new_ptl != old_ptl) spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); - /* Clear the pmd */ pmd = *old_pmd; + + /* Racing with collapse? */ + if (unlikely(!pmd_present(pmd) || pmd_leaf(pmd))) + goto out_unlock; + /* Clear the pmd */ pmd_clear(old_pmd); + res = true; VM_BUG_ON(!pmd_none(*new_pmd)); pmd_populate(mm, new_pmd, pmd_pgtable(pmd)); flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE); +out_unlock: if (new_ptl != old_ptl) spin_unlock(new_ptl); spin_unlock(old_ptl); - return true; + return res; } #else static inline bool move_normal_pmd(struct vm_area_struct *vma, -- 2.34.1

2 1

2024

2023

2022

2021

2020

2019

Kernel November 2024