mailweb.openeuler.org
Kernel

kernel@openeuler.org

March 2024

  • 82 participants
  • 890 discussions
[PATCH openEuler-1.0-LTS] tomoyo: fix UAF write bug in tomoyo_write_control()
by felix 15 Mar '24

15 Mar '24
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v5.10.212 commit a23ac1788e2c828c097119e9a3178f0b7e503fee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream. Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji… Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: <stable(a)vger.kernel.org> # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 4bee32bfe16d..6235c3be832a 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2657,13 +2657,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ -- 2.34.1
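Review bot: the relocated load `cp0 = head->write_buf;` directly after `mutex_lock_interruptible(&head->io_sem)` has no comment saying that it must stay under the lock. The commit message gives the reason (tomoyo_write_control() replaces head->write_buf when a long line is written, so a pointer read before io_sem is held can refer to a freed buffer); a one-line comment at the assignment would keep a later cleanup from folding it back into the declaration.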
[openeuler:openEuler-1.0-LTS 20704/21867] kernel/sched/grid/qos.c:84:26: error: no member named 'v' in 'struct mempolicy'
by kernel test robot 15 Mar '24

15 Mar '24
tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 200e028b39abd7f9d901a50673f9a5f54d3eeb1e commit: ce35ded5d5774f055f6850b15032066ff4936414 [20704/21867] sched: smart grid: init sched_grid_qos structure on QOS purpose config: x86_64-randconfig-r111-20240313 (https://download.01.org/0day-ci/archive/20240315/202403151634.PfWUhfUu-lkp@…) compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240315/202403151634.PfWUhfUu-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202403151634.PfWUhfUu-lkp@intel.com/ All errors (new ones prefixed by >>): kernel/sched/grid/qos.c:84:13: sparse: sparse: using member 'v' in incomplete struct mempolicy kernel/sched/grid/qos.c:91:9: sparse: sparse: using member 'v' in incomplete struct mempolicy kernel/sched/grid/qos.c:95:16: sparse: sparse: no member 'il_prev' in struct task_struct kernel/sched/grid/qos.c:97:19: sparse: sparse: no member 'il_prev' in struct task_struct In file included from kernel/sched/grid/qos.c:20: In file included from include/linux/mempolicy.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> kernel/sched/grid/qos.c:84:26: error: no member named 'v' in 'struct mempolicy' 84 | if (nodes_equal(policy->v.nodes, *preferred_nmask)) | ~~~~~~ ^ include/linux/nodemask.h:202:20: note: expanded from macro 'nodes_equal' 202 | __nodes_equal(&(src1), &(src2), MAX_NUMNODES) | ^~~~ kernel/sched/grid/qos.c:91:27: error: no member 
named 'v' in 'struct mempolicy' 91 | nodes_and(nmask, policy->v.nodes, *preferred_nmask); | ~~~~~~ ^ include/linux/nodemask.h:162:26: note: expanded from macro 'nodes_and' 162 | __nodes_and(&(dst), &(src1), &(src2), MAX_NUMNODES) | ^~~~ >> kernel/sched/grid/qos.c:95:26: error: no member named 'il_prev' in 'struct task_struct' 95 | next = next_node_in(me->il_prev, nmask); | ~~ ^ include/linux/nodemask.h:278:46: note: expanded from macro 'next_node_in' 278 | #define next_node_in(n, src) __next_node_in((n), &(src)) | ^ kernel/sched/grid/qos.c:97:7: error: no member named 'il_prev' in 'struct task_struct' 97 | me->il_prev = next; | ~~ ^ 1 warning and 4 errors generated. -- In file included from kernel/sched/grid/qos.c:20: In file included from include/linux/mempolicy.h:16: include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict] 425 | filler_t *filler = (filler_t *)mapping->a_ops->readpage; | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> kernel/sched/grid/qos.c:84:26: error: no member named 'v' in 'struct mempolicy' 84 | if (nodes_equal(policy->v.nodes, *preferred_nmask)) | ~~~~~~ ^ include/linux/nodemask.h:202:20: note: expanded from macro 'nodes_equal' 202 | __nodes_equal(&(src1), &(src2), MAX_NUMNODES) | ^~~~ kernel/sched/grid/qos.c:91:27: error: no member named 'v' in 'struct mempolicy' 91 | nodes_and(nmask, policy->v.nodes, *preferred_nmask); | ~~~~~~ ^ include/linux/nodemask.h:162:26: note: expanded from macro 'nodes_and' 162 | __nodes_and(&(dst), &(src1), &(src2), MAX_NUMNODES) | ^~~~ >> kernel/sched/grid/qos.c:95:26: error: no member named 'il_prev' in 'struct task_struct' 95 | next = next_node_in(me->il_prev, nmask); | ~~ ^ include/linux/nodemask.h:278:46: note: expanded from macro 'next_node_in' 278 | #define next_node_in(n, src) __next_node_in((n), &(src)) | ^ kernel/sched/grid/qos.c:97:7: error: no member 
named 'il_prev' in 'struct task_struct' 97 | me->il_prev = next; | ~~ ^ 1 warning and 4 errors generated. vim +84 kernel/sched/grid/qos.c 68 69 /* dynamic select a more appropriate preferred interleave nid for process */ 70 int sched_grid_preferred_interleave_nid(struct mempolicy *policy) 71 { 72 nodemask_t nmask; 73 unsigned int next; 74 struct task_struct *me = current; 75 nodemask_t *preferred_nmask = NULL; 76 77 if (likely(me->grid_qos)) 78 preferred_nmask = 79 &me->grid_qos->affinity.mem_preferred_node_mask; 80 81 if (!preferred_nmask || !policy) 82 return NUMA_NO_NODE; 83 > 84 if (nodes_equal(policy->v.nodes, *preferred_nmask)) 85 return NUMA_NO_NODE; 86 /* 87 * We perceive the actual consumption of memory bandwidth 88 * in each node and post a preferred interleave nid in 89 * more appropriate range. 90 */ > 91 nodes_and(nmask, policy->v.nodes, *preferred_nmask); 92 if (nodes_empty(nmask)) 93 return NUMA_NO_NODE; 94 > 95 next = next_node_in(me->il_prev, nmask); 96 if (next < MAX_NUMNODES) 97 me->il_prev = next; 98 return next; 99 } 100 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-1.0-LTS] tomoyo: fix UAF write bug in tomoyo_write_control()
by felix 15 Mar '24

15 Mar '24
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v5.10.212 commit a23ac1788e2c828c097119e9a3178f0b7e503fee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream. Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji… Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: <stable(a)vger.kernel.org> # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 4bee32bfe16d..6235c3be832a 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2657,13 +2657,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ -- 2.34.1
[PATCH OLK-5.10] tomoyo: fix UAF write bug in tomoyo_write_control()
by felix 15 Mar '24

15 Mar '24
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v5.10.212 commit a23ac1788e2c828c097119e9a3178f0b7e503fee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream. Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji… Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: <stable(a)vger.kernel.org> # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 4bee32bfe16d..6235c3be832a 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2657,13 +2657,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ -- 2.34.1
[PATCH OLK-6.6] tomoyo: fix UAF write bug in tomoyo_write_control()
by felix 15 Mar '24

15 Mar '24
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> mainline inclusion from mainline-v6.8-rc7 commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji… Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: <stable(a)vger.kernel.org> # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57ee70ae50f2..ea3140d510ec 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ -- 2.34.1
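Review bot: `if (!head->write) return -EINVAL;` still reads a field of `head` before `head->io_sem` is taken, which is the same pattern this fix removes for `head->write_buf`. If `head->write` is assigned once when the buffer is set up and never changes afterwards, a short comment saying so would settle it; otherwise the check belongs after `mutex_lock_interruptible()` as well.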
[PATCH] tomoyo: fix UAF write bug in tomoyo_write_control()
by felix 15 Mar '24

15 Mar '24
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> mainline inclusion from mainline-v6.8-rc7 commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji… Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: <stable(a)vger.kernel.org> # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57ee70ae50f2..ea3140d510ec 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2649,13 +2649,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ -- 2.34.1
[PATCH OLK-5.10] serial: imx: fix tx statemachine deadlock
by felix 15 Mar '24

15 Mar '24
From: Paul Geurts <paul_geurts(a)live.nl> stable inclusion from stable-v5.10.209 commit 6e04a9d30509fb53ba6df5d655ed61d607a7cfda category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I93EEE CVE: CVE-2023-52456 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 78d60dae9a0c9f09aa3d6477c94047df2fe6f7b0 ] When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TX_EN pin. When the TTY port is closed in the middle of a transmission (for instance during userland application crash), imx_uart_shutdown disables the interface and disables the Transmission Complete interrupt. After that, imx_uart_stop_tx bails on an incomplete transmission, to be retriggered by the TC interrupt. This interrupt is disabled and therefore the tx statemachine never transitions out of SEND. The statemachine is in deadlock now, and the TX_EN remains low, making the interface useless. imx_uart_stop_tx now checks for incomplete transmission AND whether TC interrupts are enabled before bailing to be retriggered. This makes sure the state machine handling is reached, and is properly set to WAIT_AFTER_SEND. Fixes: cb1a60923609 ("serial: imx: implement rts delaying for rs485") Signed-off-by: Paul Geurts <paul_geurts(a)live.nl> Tested-by: Rasmus Villemoes <rasmus.villemoes(a)prevas.dk> Tested-by: Eberhard Stoll <eberhard.stoll(a)gmx.de> Link: https://lore.kernel.org/r/AM0PR09MB26758F651BC1B742EB45775995B8A@AM0PR09MB2… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- drivers/tty/serial/imx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index da63ef345e81..6a7add3ac4d5 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c 
@@ -461,13 +461,13 @@ static void imx_uart_stop_tx(struct uart_port *port) ucr1 = imx_uart_readl(sport, UCR1); imx_uart_writel(sport, ucr1 & ~UCR1_TRDYEN, UCR1); + ucr4 = imx_uart_readl(sport, UCR4); usr2 = imx_uart_readl(sport, USR2); - if (!(usr2 & USR2_TXDC)) { + if ((!(usr2 & USR2_TXDC)) && (ucr4 & UCR4_TCEN)) { /* The shifter is still busy, so retry once TC triggers */ return; } - ucr4 = imx_uart_readl(sport, UCR4); ucr4 &= ~UCR4_TCEN; imx_uart_writel(sport, ucr4, UCR4); -- 2.34.1
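Review bot: the comment inside the early-return branch, "The shifter is still busy, so retry once TC triggers", now describes only half of the condition `(!(usr2 & USR2_TXDC)) && (ucr4 & UCR4_TCEN)`. It should say that the retry is only taken while UCR4_TCEN is set, and that with TC interrupts disabled the function carries on even though the shifter may still be busy, since that fall-through is the whole point of the fix. The extra parentheses around `!(usr2 & USR2_TXDC)` are redundant and can be dropped.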
[PATCH] tomoyo: fix UAF write bug in tomoyo_write_control()
by felix 15 Mar '24

15 Mar '24
From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> stable inclusion from stable-v5.10.212 commit a23ac1788e2c828c097119e9a3178f0b7e503fee category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95LPF CVE: CVE-2024-26622 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 upstream. Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concurrent write() requests can cause use-after-free-write and double-free problems. Reported-by: Sam Sun <samsun1006219(a)gmail.com> Closes: https://lkml.kernel.org/r/CAEkJfYNDspuGxYx5kym8Lvp--D36CMDUErg4rxfWFJuPbbji… Fixes: bd03a3e4c9a9 ("TOMOYO: Add policy namespace support.") Cc: <stable(a)vger.kernel.org> # Linux 3.1+ Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Felix Fu <fuzhen5(a)huawei.com> --- security/tomoyo/common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 4bee32bfe16d..6235c3be832a 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -2657,13 +2657,14 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head, { int error = buffer_len; size_t avail_len = buffer_len; - char *cp0 = head->write_buf; + char *cp0; int idx; if (!head->write) return -EINVAL; if (mutex_lock_interruptible(&head->io_sem)) return -EINTR; + cp0 = head->write_buf; head->read_user_buf_avail = 0; idx = tomoyo_read_lock(); /* Read a line and dispatch it to the policy handler. */ -- 2.34.1
[PATCH openEuler-1.0-LTS 0/3] jfs: fix two cve issue
by Long Li 15 Mar '24

15 Mar '24
This patch set fixes two CVE issues.

Dongliang Mu (1):
  JFS: fix memleak in jfs_mount

Edward Adam Davis (2):
  jfs: fix uaf in jfs_evict_inode
  jfs: fix array-index-out-of-bounds in diNewExt

 fs/jfs/jfs_imap.c  |  3 +++
 fs/jfs/jfs_mount.c | 57 ++++++++++++++++++++--------------------------
 2 files changed, 28 insertions(+), 32 deletions(-)

--
2.31.1
[PATCH OLK-6.6] f2fs: fix to tag gcing flag on page during block migration
by Yifan Qiao 15 Mar '24

15 Mar '24
From: Chao Yu <chao(a)kernel.org> mainline inclusion from mainline-v6.8-rc1 commit 4961acdd65c956e97c1a000c82d91a8c1cdbe44b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I96GPF CVE: CVE-2023-52588 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- It needs to add missing gcing flag on page during block migration, in order to guarantee migrated data be persisted during checkpoint, otherwise out-of-order persistency between data and node may cause data corruption after SPOR. Similar issue was fixed by commit 2d1fe8a86bf5 ("f2fs: fix to tag gcing flag on page during file defragment"). Signed-off-by: Chao Yu <chao(a)kernel.org> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com> --- fs/f2fs/compress.c | 4 +++- fs/f2fs/file.c | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/f2fs/compress.c b/fs/f2fs/compress.c index 7514661bbfbb..372616ca8fb5 100644 --- a/fs/f2fs/compress.c +++ b/fs/f2fs/compress.c @@ -1029,8 +1029,10 @@ static void set_cluster_dirty(struct compress_ctx *cc) int i; for (i = 0; i < cc->cluster_size; i++) - if (cc->rpages[i]) + if (cc->rpages[i]) { set_page_dirty(cc->rpages[i]); + set_page_private_gcing(cc->rpages[i]); + } } static int prepare_compress_overwrite(struct compress_ctx *cc, diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index a06f03d23762..d6962f4ccad3 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -1317,6 +1317,7 @@ static int __clone_blkaddrs(struct inode *src_inode, struct inode *dst_inode, } memcpy_page(pdst, 0, psrc, 0, PAGE_SIZE); set_page_dirty(pdst); + set_page_private_gcing(pdst); f2fs_put_page(pdst, 1); f2fs_put_page(psrc, 1); 
@@ -4054,6 +4055,7 @@ static int redirty_blocks(struct inode *inode, pgoff_t page_idx, int len) f2fs_bug_on(F2FS_I_SB(inode), !page); set_page_dirty(page); + set_page_private_gcing(page); f2fs_put_page(page, 1); f2fs_put_page(page, 0); } -- 2.39.2
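Review bot: in the fs/f2fs/compress.c hunk, set_cluster_dirty() now calls set_page_private_gcing() on every page it dirties, while the commit message speaks only of block migration. The callers of set_cluster_dirty() are not visible in this patch, so it is worth confirming that each of them is a migration path; if any is not, tag the pages at the migration call site or pass a flag instead of tagging unconditionally.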
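Review bot: in fs/f2fs/file.c, __clone_blkaddrs() and redirty_blocks() now both repeat the pair `set_page_dirty(...)` followed by `set_page_private_gcing(...)`, and the compress.c hunk adds a third copy, none of them with a comment. A small helper for the pair, or a one-line comment at each site naming the checkpoint-persistence requirement from the commit message, would make it harder for the next migration path to set the page dirty and miss the second call.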