mailweb.openeuler.org
Kernel

kernel@openeuler.org

March 2024

  • 82 participants
  • 890 discussions
[PATCH OLK-6.6] dm: limit the number of targets and parameter size area
by Li Lingfeng 08 Mar '24

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-v6.8-rc3 commit bd504bcfec41a503b32054da5472904b404341a4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YCAG CVE: CVE-2024-23851 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot. In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 095b9b49aa82..e6757a30dcca 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -22,6 +22,8 @@ #include "dm-ima.h" #define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 struct dm_io; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 5efe0193b2e8..3bda85ad73ec 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1952,7 +1952,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern minimum_data_size - sizeof(param_kernel->version))) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) { + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) { DMERR("Invalid data size in the ioctl structure: %u", param_kernel->data_size); return -EINVAL; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 37b48f63ae6a..fd84e06670e8 100644 --- a/drivers/md/dm-table.c 
+++ b/drivers/md/dm-table.c @@ -129,7 +129,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, blk_mode_t mode, unsigned int num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL); if (!t) return -ENOMEM; @@ -144,7 +149,7 @@ int dm_table_create(struct dm_table **result, blk_mode_t mode, if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; } if (alloc_targets(t, num_targets)) { -- 2.31.1
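Review bot: In the drivers/md/dm-ioctl.c hunk, copy_params() now reports both the too-small and the too-large case through the same DMERR("Invalid data size in the ioctl structure: %u", ...) line, so the log does not say which bound was violated. Printing the permitted range alongside the value, or splitting the two conditions into separate messages, would make a rejected ioctl diagnosable from the log alone.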
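Review bot: In the second drivers/md/dm-table.c hunk, the zero-target path (if (!num_targets)) changes its return value from -ENOMEM to -EOVERFLOW, which the commit message does not mention; it only describes the new upper limits. Any caller that propagates this error will now report a different code for an empty table, so the message should say the errno change is intentional. -EINVAL would describe a zero-target table more accurately than an overflow, though diverging from the mainline commit in a backport has its own cost.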
[PATCH OLK-5.10] net: fix possible store tearing in neigh_periodic_work()
by Zhengchao Shao 08 Mar '24

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v5.10.198 commit 2ea52a2fb8e87067e26bbab4efb8872639240eb0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK CVE: CVE-2023-52522 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd ] While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev(). Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/core/neighbour.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 3b642c412cf3..15267428c4f8 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -935,7 +935,9 @@ static void neigh_periodic_work(struct work_struct *work) (state == NUD_FAILED || !time_in_range_open(jiffies, n->used, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { - *np = n->next; + rcu_assign_pointer(*np, + rcu_dereference_protected(n->next, + lockdep_is_held(&tbl->lock))); neigh_mark_dead(n); write_unlock(&n->lock); neigh_cleanup_and_release(n); -- 2.34.1
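Review bot: The replacement in neigh_periodic_work() asserts lockdep_is_held(&tbl->lock), but the only lock visible in this hunk is n->lock (write_unlock(&n->lock) two lines later). Please confirm that on the OLK-5.10 base this loop runs with tbl->lock held; the condition is only evaluated when CONFIG_PROVE_RCU is enabled, so a mismatch would go unnoticed in a normal build.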
[PATCH openEuler-1.0-LTS] net: fix possible store tearing in neigh_periodic_work()
by Zhengchao Shao 08 Mar '24

From: Eric Dumazet <edumazet(a)google.com> mainline inclusion from mainline-v6.6-rc5 commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK CVE: CVE-2023-52522 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev(). Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour") Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: David Ahern <dsahern(a)kernel.org> Reviewed-by: Simon Horman <horms(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/core/neighbour.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 778be5866d0a..3f1520755282 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -855,7 +855,9 @@ static void neigh_periodic_work(struct work_struct *work) if (refcount_read(&n->refcnt) == 1 && (state == NUD_FAILED || time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { - *np = n->next; + rcu_assign_pointer(*np, + rcu_dereference_protected(n->next, + lockdep_is_held(&tbl->lock))); n->dead = 1; write_unlock(&n->lock); neigh_cleanup_and_release(n); -- 2.34.1
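Review bot: The context of this hunk (time_after(jiffies, n->used + ...) and n->dead = 1) differs from the OLK-5.10 posting of the same fix, which has time_in_range_open() and neigh_mark_dead(n), yet the message carries no note about the adaptation. The changed lines are identical in both postings, so a short remark that only the context was adjusted for this branch would make the backport easier to audit.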
[PATCH OLK-6.6] erofs: fix handling kern_mount() failure
by Zizhi Wo 08 Mar '24

From: Al Viro <viro(a)zeniv.linux.org.uk> mainline inclusion from mainline-v6.8-rc6 commit 2c88c16dc20e88dd54d2f6f4d01ae1dce6cc9654 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I971F0 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- if you have a variable that holds NULL or a pointer to live struct mount, do not shove ERR_PTR() into it - not if you later treat "not NULL" as "holds a pointer to object". Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/erofs/fscache.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/erofs/fscache.c b/fs/erofs/fscache.c index 87ff35bff8d5..1052f75d1dfa 100644 --- a/fs/erofs/fscache.c +++ b/fs/erofs/fscache.c @@ -381,11 +381,12 @@ static int erofs_fscache_init_domain(struct super_block *sb) goto out; if (!erofs_pseudo_mnt) { - erofs_pseudo_mnt = kern_mount(&erofs_fs_type); - if (IS_ERR(erofs_pseudo_mnt)) { - err = PTR_ERR(erofs_pseudo_mnt); + struct vfsmount *mnt = kern_mount(&erofs_fs_type); + if (IS_ERR(mnt)) { + err = PTR_ERR(mnt); goto out; } + erofs_pseudo_mnt = mnt; } domain->volume = sbi->volume; -- 2.39.2
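Review bot: In the fs/erofs/fscache.c hunk, the new declaration struct vfsmount *mnt = kern_mount(&erofs_fs_type); is followed directly by if (IS_ERR(mnt)), and kernel style wants a blank line after declarations. Separately, if (!erofs_pseudo_mnt) followed by erofs_pseudo_mnt = mnt; is a check-then-set on a shared variable, and the hunk does not show what serialises it; naming that lock in the commit message would help anyone reviewing this backport.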
[PATCH OLK-5.10] arm64/mpam: Remove warning about no msc corresponding to the online cpu
by Zeng Heng 08 Mar '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I96YK9 CVE: NA ----------------------------- It's fine that the associated msc is not found when the CPU comes online. For example, the device platform does not support L3 cache and there is no any L3 cache msc indeed. Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/kernel/mpam/mpam_setup.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/mpam/mpam_setup.c b/arch/arm64/kernel/mpam/mpam_setup.c index 4d0ec0052133..a9e97d8d2bad 100644 --- a/arch/arm64/kernel/mpam/mpam_setup.c +++ b/arch/arm64/kernel/mpam/mpam_setup.c @@ -78,9 +78,11 @@ static int mpam_resctrl_setup_domain(unsigned int cpu, } } - /* cpu with unknown exported component? */ - if (WARN_ON_ONCE(!comp)) + if (!comp) { + pr_info("There is no msc corresponding to CPU%d.\n", cpu); return 0; + } + dom = kzalloc_node(sizeof(*dom), GFP_KERNEL, cpu_to_node(cpu)); if (!dom) @@ -168,8 +170,8 @@ int mpam_resctrl_cpu_offline(unsigned int cpu) for_each_supported_resctrl_exports(res) { d = resctrl_get_domain_from_cpu(cpu, &res->resctrl_res); - /* cpu with unknown exported component? */ - if (WARN_ON_ONCE(!d)) + /* There is no msc corresponding to the CPU */ + if (!d) continue; cpumask_clear_cpu(cpu, &d->cpu_mask); -- 2.25.1
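Review bot: In the mpam_resctrl_setup_domain() hunk, pr_info("There is no msc corresponding to CPU%d.\n", cpu) prints cpu with %d although the parameter is declared unsigned int cpu; use %u. Since the commit message says this case is expected, the line will also repeat on every online of such a CPU, so pr_info_once() or pr_debug() may fit better than replacing WARN_ON_ONCE with an unconditional print.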
[PATCH OLK-5.10] arm64/mpam: Remove warning about no msc corresponding to the online cpu
by Zeng Heng 08 Mar '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I96YK9 CVE: NA ----------------------------- It's fine that the associated msc is not found when the CPU comes online. For example, the device platform does not support L3 cache and there is no any L3 cache msc indeed. Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/kernel/mpam/mpam_setup.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/mpam/mpam_setup.c b/arch/arm64/kernel/mpam/mpam_setup.c index 4d0ec0052133..eb7110c4ec0c 100644 --- a/arch/arm64/kernel/mpam/mpam_setup.c +++ b/arch/arm64/kernel/mpam/mpam_setup.c @@ -71,6 +71,7 @@ static int mpam_resctrl_setup_domain(unsigned int cpu, num_partid = mpam_sysprops_num_partid(); comp = NULL; + list_for_each_entry(comp_iter, &class->components, class_list) { if (cpumask_test_cpu(cpu, &comp_iter->fw_affinity)) { comp = comp_iter; @@ -78,9 +79,11 @@ static int mpam_resctrl_setup_domain(unsigned int cpu, } } - /* cpu with unknown exported component? */ - if (WARN_ON_ONCE(!comp)) + if (!comp) { + pr_info("There is no msc corresponding to CPU%d.\n", cpu); return 0; + } + dom = kzalloc_node(sizeof(*dom), GFP_KERNEL, cpu_to_node(cpu)); if (!dom) @@ -168,8 +171,8 @@ int mpam_resctrl_cpu_offline(unsigned int cpu) for_each_supported_resctrl_exports(res) { d = resctrl_get_domain_from_cpu(cpu, &res->resctrl_res); - /* cpu with unknown exported component? */ - if (WARN_ON_ONCE(!d)) + /* There is no msc corresponding to the CPU */ + if (!d) continue; cpumask_clear_cpu(cpu, &d->cpu_mask); -- 2.25.1
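Review bot: The first hunk (@@ -71,6 +71,7 @@) only inserts a blank line after comp = NULL; and is unrelated to removing the warning, so it should be dropped from a bugfix. This posting also differs from the earlier one with the same subject (7 insertions instead of 6) without a version tag or changelog saying what changed.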
[PATCH OLK-6.6] arm64/mpam: Remove warning about no msc corresponding to the online cpu
by Zeng Heng 08 Mar '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I96YK9 CVE: NA ----------------------------- It's fine that the associated msc is not found when the CPU comes online. For example, the device platform does not support L3 cache and there is no any L3 cache msc indeed. Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- arch/arm64/kernel/mpam/mpam_setup.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/arch/arm64/kernel/mpam/mpam_setup.c b/arch/arm64/kernel/mpam/mpam_setup.c index 4d0ec0052133..eb7110c4ec0c 100644 --- a/arch/arm64/kernel/mpam/mpam_setup.c +++ b/arch/arm64/kernel/mpam/mpam_setup.c @@ -71,6 +71,7 @@ static int mpam_resctrl_setup_domain(unsigned int cpu, num_partid = mpam_sysprops_num_partid(); comp = NULL; + list_for_each_entry(comp_iter, &class->components, class_list) { if (cpumask_test_cpu(cpu, &comp_iter->fw_affinity)) { comp = comp_iter; @@ -78,9 +79,11 @@ static int mpam_resctrl_setup_domain(unsigned int cpu, } } - /* cpu with unknown exported component? */ - if (WARN_ON_ONCE(!comp)) + if (!comp) { + pr_info("There is no msc corresponding to CPU%d.\n", cpu); return 0; + } + dom = kzalloc_node(sizeof(*dom), GFP_KERNEL, cpu_to_node(cpu)); if (!dom) @@ -168,8 +171,8 @@ int mpam_resctrl_cpu_offline(unsigned int cpu) for_each_supported_resctrl_exports(res) { d = resctrl_get_domain_from_cpu(cpu, &res->resctrl_res); - /* cpu with unknown exported component? */ - if (WARN_ON_ONCE(!d)) + /* There is no msc corresponding to the CPU */ + if (!d) continue; cpumask_clear_cpu(cpu, &d->cpu_mask); -- 2.25.1
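Review bot: The index line of this OLK-6.6 posting, 4d0ec0052133..eb7110c4ec0c, is identical to the one in the OLK-5.10 posting, so either mpam_setup.c is byte-identical on both branches or the diff was not regenerated for this one; please confirm it was built against OLK-6.6. In the mpam_resctrl_cpu_offline() hunk, the missing-domain case now continues silently while the online path logs, which leaves no trace if a domain is missing for a reason other than an absent msc.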
[PATCH openEuler-1.0-LTS V3 0/2] Remove WQ_FLAG_BOOKMARK flag
by Zizhi Wo 08 Mar '24

Fix softlockup by removing the wait_queue flag: WQ_FLAG_BOOKMARK.

The commit b0b598ee08f9 (filemap: remove use of wait bookmarks) said the overly long list of waiters on a locked page was solved by commit: 9a1ea439b16b ("mm: put_and_wait_on_page_locked() while page is migrated"). But actually the problem was solved by another commit: 3510ca20ece0 ("Minor page waitqueue cleanups"), so we can remove the bookmark flag now to solve the softlockup problem.

Changes in V3:
- fixed incorrect mainline patch adaptation: wake_fags -> wake_flags.
- Readapt __wake_up_common_lock()

Changes in V2:
- modified the commit message.

Matthew Wilcox (Oracle) (2):
  filemap: remove use of wait bookmarks
  sched: remove wait bookmarks

 include/linux/wait.h |  3 ---
 kernel/sched/wait.c  | 57 ++++++--------------------------------------
 mm/filemap.c         | 21 +--------------
 3 files changed, 8 insertions(+), 73 deletions(-)

--
2.39.2
[PATCH OLK-5.10] dm: limit the number of targets and parameter size area
by Li Lingfeng 08 Mar '24

From: Mikulas Patocka <mpatocka(a)redhat.com> mainline inclusion from mainline-v6.8-rc3 commit bd504bcfec41a503b32054da5472904b404341a4 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8YCAG CVE: CVE-2024-23851 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The kvmalloc function fails with a warning if the size is larger than INT_MAX. The warning was triggered by a syscall testing robot. In order to avoid the warning, this commit limits the number of targets to 1048576 and the size of the parameter area to 1073741824. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Signed-off-by: Mike Snitzer <snitzer(a)kernel.org> Conflicts: drivers/md/dm-core.h drivers/md/dm-ioctl.c drivers/md/dm-table.c commit 91ccbbac1747 ("dm ima: measure data on table load") add "dm ima.h"; commit 8b211aaccb91 ("dm: add two stage requeue mechanism") add "struct dm_io;"; commit 249bed821b4d ("dm ioctl: Avoid double-fetch of version") delete second copy of version; commit dbdcc906d978 ("dm ioctl: log an error if the ioctl structure is corrupted") add log of error when check data_size fail; commit 05bdb9965305 ("block: replace fmode_t with a block-specific type for block open flags") change the type of mode and num_targets. Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- drivers/md/dm-core.h | 2 ++ drivers/md/dm-ioctl.c | 3 ++- drivers/md/dm-table.c | 9 +++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h index 595e87e03d43..ed7285836692 100644 --- a/drivers/md/dm-core.h +++ b/drivers/md/dm-core.h @@ -19,6 +19,8 @@ #include "dm.h" #define DM_RESERVED_MAX_IOS 1024 +#define DM_MAX_TARGETS 1048576 +#define DM_MAX_TARGET_PARAMS 1024 struct dm_kobject_holder { struct kobject kobj; diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index b95f8c4ed6e9..ea519c4fa7b3 100644 --- a/drivers/md/dm-ioctl.c 
+++ b/drivers/md/dm-ioctl.c @@ -1771,7 +1771,8 @@ static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kern if (copy_from_user(param_kernel, user, minimum_data_size)) return -EFAULT; - if (param_kernel->data_size < minimum_data_size) + if (unlikely(param_kernel->data_size < minimum_data_size) || + unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)) return -EINVAL; secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 78627402b5fb..eb95b5ce7b8f 100644 --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -144,7 +144,12 @@ static int alloc_targets(struct dm_table *t, unsigned int num) int dm_table_create(struct dm_table **result, fmode_t mode, unsigned num_targets, struct mapped_device *md) { - struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL); + struct dm_table *t; + + if (num_targets > DM_MAX_TARGETS) + return -EOVERFLOW; + + t = kzalloc(sizeof(*t), GFP_KERNEL); if (!t) return -ENOMEM; @@ -158,7 +163,7 @@ int dm_table_create(struct dm_table **result, fmode_t mode, if (!num_targets) { kfree(t); - return -ENOMEM; + return -EOVERFLOW; } if (alloc_targets(t, num_targets)) { -- 2.31.1
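Review bot: In the drivers/md/dm-ioctl.c hunk, the upper bound DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS is a product of two plain int constants; 1048576 * 1024 is 1073741824 and fits, but doubling either macro would overflow int before the comparison with data_size. Defining the cap as a single named constant, with a comment that ties it to the kvmalloc INT_MAX limit described in the commit message, would make that dependency explicit. Within this patch DM_MAX_TARGET_PARAMS is only used as this multiplier, which its name does not convey.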
[PATCH openEuler-1.0-LTS v2 0/2] CVE-2021-47074
by Li Nan 08 Mar '24

v2: add CVE tag to first patch.

Chaitanya Kulkarni (1):
  nvme-loop: don't put ctrl on nvme_init_ctrl error

Wu Bo (1):
  nvme-loop: fix memory leak in nvme_loop_create_ctrl()

 drivers/nvme/target/loop.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--
2.39.2