Kernel

kernel@openeuler.org

May 2024

  • 87 participants
  • 1364 discussions
[PATCH openEuler-22.03-LTS-SP1] padata: Fix refcnt handling in padata_free_shell()
by Zheng Zucheng 27 May '24
From: WangJinchao <wangjinchao(a)xfusion.com> stable inclusion from stable-v5.10.201 commit 41aad9d6953984d134fc50f631f24ef476875d4d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RQM3 CVE: CVE-2023-52854 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 7ddc21e317b360c3444de3023bcc83b85fabae2f ] In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead to system UAF (Use-After-Free) issues. Due to the lengthy analysis of the pcrypt_aead01 function call, I'll describe the problem scenario using a simplified model: Suppose there's a user of padata named `user_function` that adheres to the padata requirement of calling `padata_free_shell` after `serial()` has been invoked, as demonstrated in the following code: ```c struct request { struct padata_priv padata; struct completion *done; }; void parallel(struct padata_priv *padata) { do_something(); } void serial(struct padata_priv *padata) { struct request *request = container_of(padata, struct request, padata); complete(request->done); } void user_function() { DECLARE_COMPLETION(done) padata->parallel = parallel; padata->serial = serial; padata_do_parallel(); wait_for_completion(&done); padata_free_shell(); } ``` In the corresponding padata.c file, there's the following code: ```c static void padata_serial_worker(struct work_struct *serial_work) { ... cnt = 0; while (!list_empty(&local_list)) { ... padata->serial(padata); cnt++; } local_bh_enable(); if (refcount_sub_and_test(cnt, &pd->refcnt)) padata_free_pd(pd); } ``` Because of the high system load and the accumulation of unexecuted softirq at this moment, `local_bh_enable()` in padata takes longer to execute than usual. Subsequently, when accessing `pd->refcnt`, `pd` has already been released by `padata_free_shell()`, resulting in a UAF issue with `pd->refcnt`. 
The fix is straightforward: add `refcount_dec_and_test` before calling `padata_free_pd` in `padata_free_shell`. Fixes: 07928d9bfc81 ("padata: Remove broken queue flushing") Signed-off-by: WangJinchao <wangjinchao(a)xfusion.com> Acked-by: Daniel Jordan <daniel.m.jordan(a)oracle.com> Acked-by: Daniel Jordan <daniel.m.jordan(a)oracle.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: sanglipeng <sanglipeng1(a)jd.com> Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- kernel/padata.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/padata.c b/kernel/padata.c index 4fd197de6f40..aa5882f2c062 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -1102,12 +1102,16 @@ EXPORT_SYMBOL(padata_alloc_shell); */ void padata_free_shell(struct padata_shell *ps) { + struct parallel_data *pd; + if (!ps) return; mutex_lock(&ps->pinst->lock); list_del(&ps->list); - padata_free_pd(rcu_dereference_protected(ps->pd, 1)); + pd = rcu_dereference_protected(ps->pd, 1); + if (refcount_dec_and_test(&pd->refcnt)) + padata_free_pd(pd); mutex_unlock(&ps->pinst->lock); kfree(ps); -- 2.34.1
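Review bot: the trailer block carries the line `Acked-by: Daniel Jordan <daniel.m.jordan(a)oracle.com>` twice; drop one before merging. On the hunk itself, `pd = rcu_dereference_protected(ps->pd, 1);` followed by `if (refcount_dec_and_test(&pd->refcnt))` makes the shell drop its own reference instead of freeing unconditionally, so the free now happens in whichever of padata_free_shell() or padata_serial_worker() (which drops `cnt` references with refcount_sub_and_test()) reaches zero last. That is only correct if the shell's reference is counted into pd->refcnt when pd is allocated; the initial refcount_set() is not in the hunk, so confirm it in the backported kernel/padata.c rather than assuming it from upstream.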
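The race described in the commit message, replayed as an added user-space model in C. This is not code from the patch, from padata or from openEuler: the `model_` names, the `freed` flag that stands in for kfree(), and the assumption that pd starts with one reference for the shell plus one per queued request are all this example's own. It shows why the unconditional free in the old padata_free_shell() collides with the serial worker's late refcount_sub_and_test(), and why the reference drop in the fixed version makes the order of the two irrelevant.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Model of struct parallel_data (model_ names are hypothetical):
 * refcnt stands in for pd->refcnt, freed for kfree(). */
struct model_pd {
	atomic_int refcnt;
	bool freed;
	int uaf_touches;	/* refcnt accesses made after freed == true */
};

/* Stand-in for padata_free_pd(): marks the object dead instead of freeing it,
 * so a later access can be counted rather than corrupting memory. */
static void model_free_pd(struct model_pd *pd)
{
	pd->freed = true;
}

/* Stand-in for refcount_sub_and_test(n, &pd->refcnt): true when it hits 0.
 * Any call after model_free_pd() is exactly the UAF the patch describes. */
static bool model_sub_and_test(struct model_pd *pd, int n)
{
	if (pd->freed)
		pd->uaf_touches++;
	return atomic_fetch_sub(&pd->refcnt, n) - n == 0;
}

/* Tail of padata_serial_worker(): cnt serial() callbacks ran, drop cnt refs. */
static void model_serial_worker(struct model_pd *pd, int cnt)
{
	if (model_sub_and_test(pd, cnt))
		model_free_pd(pd);
}

/* padata_free_shell() before the patch: frees pd unconditionally. */
static void model_free_shell_before(struct model_pd *pd)
{
	model_free_pd(pd);
}

/* padata_free_shell() after the patch: only drops the shell's reference. */
static void model_free_shell_after(struct model_pd *pd)
{
	if (model_sub_and_test(pd, 1))
		model_free_pd(pd);
}

/* Initial count = shell's reference + one per queued request. This is an
 * assumption of the model; the refcount_set() is not in the patch.
 * queued must be >= 1, as the worker only runs when something was queued. */
static void model_init(struct model_pd *pd, int queued)
{
	atomic_init(&pd->refcnt, 1 + queued);
	pd->freed = false;
	pd->uaf_touches = 0;
}

/* Replays the race from the commit message: serial() completed, the user has
 * called padata_free_shell(), and the worker reaches its refcount drop late
 * because local_bh_enable() ran long. Returns the post-free accesses seen. */
static int model_replay_shell_first(bool fixed, int queued)
{
	struct model_pd pd;

	model_init(&pd, queued);
	if (fixed)
		model_free_shell_after(&pd);
	else
		model_free_shell_before(&pd);
	model_serial_worker(&pd, queued);
	return pd.uaf_touches;
}

/* The benign order (worker first): both versions free exactly once.
 * Returns true when pd ended up freed with no post-free access. */
static bool model_replay_worker_first(bool fixed, int queued)
{
	struct model_pd pd;

	model_init(&pd, queued);
	model_serial_worker(&pd, queued);
	if (fixed)
		model_free_shell_after(&pd);
	else
		model_free_shell_before(&pd);
	return pd.freed && pd.uaf_touches == 0;
}
```

`model_replay_shell_first(false, n)` reports one post-free access for the pre-patch code, while `model_replay_shell_first(true, n)` reports none, and both orderings still free the object exactly once with the fix in place. The model is single-threaded on purpose: the two orderings are the two interleavings the scheduler can produce, and the refcount invariant is what makes both of them safe.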
[PATCH OLK-5.10] netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
by Ziyang Xuan 27 May '24
stable inclusion from stable-v5.10.215 commit 940d41caa71f0d3a52df2fde5fada524a993e331 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG2A CVE: CVE-2024-35898 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream. nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller nft_flowtable_type_get() to protect the entire type query process. Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/netfilter/nf_tables_api.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 7c102a4ce930..e11a1cad0763 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6901,11 +6901,12 @@ static int nft_flowtable_parse_hook(const struct nft_ctx *ctx, return err; } +/* call under rcu_read_lock */ static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) { const struct nf_flowtable_type *type; - list_for_each_entry(type, &nf_tables_flowtables, list) { + list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { if (family == type->family) return type; } 
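Review bot: switching to list_for_each_entry_rcu() only covers the reader half of the race; the hunk does not show the writer side, that is, how nft_register_flowtable_type()/nft_unregister_flowtable_type() link and unlink entries and how the type memory is released afterwards. For the new `/* call under rcu_read_lock */` contract to be meaningful, the unregister path must unlink with an RCU-aware list primitive and wait a grace period before the type can be freed, so check that in the OLK-5.10 tree as part of this backport. With CONFIG_PROVE_RCU enabled, calling this helper outside a read-side section will now also warn, which makes the comment enforceable rather than just documentation.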
@@ -6917,9 +6918,13 @@ nft_flowtable_type_get(struct net *net, u8 family) { const struct nf_flowtable_type *type; + rcu_read_lock(); type = __nft_flowtable_type_get(family); - if (type != NULL && try_module_get(type->owner)) + if (type != NULL && try_module_get(type->owner)) { + rcu_read_unlock(); return type; + } + rcu_read_unlock(); lockdep_nfnl_nft_mutex_not_held(); #ifdef CONFIG_MODULES -- 2.25.1
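Review bot: the two unlock sites are correct as written and should not be merged into a single rcu_read_unlock() ahead of the `if`, because try_module_get(type->owner) has to run inside the read-side section; once the section ends, the type may be unlinked and freed. Two things to verify just outside the hunk: the request_module() path under `#ifdef CONFIG_MODULES` must stay outside the RCU section since it can sleep, and if that path performs a second __nft_flowtable_type_get() lookup it needs the same rcu_read_lock()/rcu_read_unlock() pairing, otherwise the backport protects only the first lookup.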
[PATCH OLK-5.10 0/2] mm: introduce vm_swap_extension sysctl
by Liu Shixin 27 May '24
Backport two patches which introduce vm_swap_extension sysctl. Liu Shixin (2): mm/vmscan: introduce vm_swap_extension sysctl openeuler_defconfig: enable swap_extension for x86 and arm64 Documentation/admin-guide/sysctl/vm.rst | 11 +++++++++ arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + include/linux/swap.h | 3 +++ kernel/sysctl.c | 11 +++++++++ mm/Kconfig | 6 +++++ mm/vmscan.c | 30 +++++++++++++++++++++++++ 7 files changed, 63 insertions(+) -- 2.25.1
[PATCH OLK-5.10 0/7] dynamic_hugetlb: backport some bugfix
by Liu Shixin 27 May '24
Backport some bugfix to enhance the feature. Liu Shixin (6): mm/dynamic_hugetlb: reduce the number of migration attempts mm/dynamic_hugetlb: add cond_resched() in hpool_merge_page() mm/dynamic_hugetlb: add lru_add_drain_all() before migration mm/dynamic_hugetlb: check NULL pointer for early parameter mm/dynamic_hugetlb: make free_huge_page_to_dhugetlb_pool irq safe mm/dynamic_hugetlb: refine error info in the destruction Ma Wupeng (1): mm/dpool: Use helper function to lock/unlock mm/dynamic_hugetlb.c | 176 ++++++++++++++++++++++++++++++------------- mm/hugetlb.c | 4 +- 2 files changed, 124 insertions(+), 56 deletions(-) -- 2.25.1
[PATCH openEuler-1.0-LTS] drm/client: Fully protect modes[] with dev->mode_config.mutex
by Yi Yang 27 May '24
From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> stable inclusion from stable-v5.10.216 commit 41586487769eede64ab1aa6c65c74cbf76c12ef0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRRC CVE: CVE-2024-35950 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 3eadd887dbac1df8f25f701e5d404d1b90fd0fea upstream. The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. Cc: stable(a)vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240404203336.10454-2-ville.… Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Jani Nikula <jani.nikula(a)intel.com> Reviewed-by: Thomas Zimmermann <tzimmermann(a)suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/gpu/drm/drm_fb_helper.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 8b546fde139d..4f5e3b3513d8 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -2507,6 +2507,7 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper, { struct drm_device *dev = fb_helper->dev; struct drm_fb_helper_crtc **crtcs; + /* points to modes protected by mode_config.mutex */ struct drm_display_mode **modes; struct drm_fb_offset *offsets; bool *enabled; 
@@ -2553,7 +2554,6 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper, drm_pick_crtcs(fb_helper, crtcs, modes, 0, width, height); } - mutex_unlock(&fb_helper->dev->mode_config.mutex); /* need to set the modesets up here for use later */ /* fill out the connector<->crtc mappings into the modesets */ @@ -2587,6 +2587,8 @@ static void drm_setup_crtcs(struct drm_fb_helper *fb_helper, modeset->y = offset->y; } } + mutex_unlock(&fb_helper->dev->mode_config.mutex); + out: kfree(crtcs); kfree(modes); -- 2.25.1
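Review bot: moving mutex_unlock(&fb_helper->dev->mode_config.mutex) below the modeset fill-in loop puts the code that reads modes[] inside the critical section as intended, but the new unlock sits above the `out:` label, so every `goto out` in drm_setup_crtcs() must be taken before the mutex is acquired or it now leaks the mutex. The allocation-failure jumps normally precede the lock; please confirm there is no `goto out` between the mutex_lock() and the new unlock in the openEuler-1.0-LTS drm_fb_helper.c, and that nothing in the newly enclosed loop takes a lock that nests outside mode_config.mutex elsewhere, since the critical section is now longer than upstream's original.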
[PATCH OLK-5.10] fs/ntfs3: Fixed overflow check in mi_enum_attr()
by Zheng Yejian 27 May '24
From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> mainline inclusion from mainline-v6.8-rc4 commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8M4 CVE: CVE-2024-27407 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… --------------------------- Reported-by: Robert Morris <rtm(a)csail.mit.edu> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Conflicts: fs/ntfs3/record.c [Resolve conflicts due to several refactor patches not merged] Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com> --- fs/ntfs3/record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index b06af26c00a0..31ff5d3e23c1 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -257,7 +257,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) return NULL; t32 = le32_to_cpu(attr->res.data_size); - if (t16 + t32 > asize) + if (t32 > asize - t16) return NULL; if (attr->name_len && -- 2.25.1
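Review bot: `if (t32 > asize - t16)` removes the wraparound in `t16 + t32` (a 16-bit offset plus a 32-bit data_size can overflow and slip past the old check with a huge data_size), but it is only sound if t16 <= asize has already been established; otherwise `asize - t16` wraps and the new check lets a bogus offset through. The context line `return NULL;` directly above the changed lines suggests such a guard exists, but its condition is not in the hunk and the "Conflicts" note says this record.c diverges from upstream, so verify the preceding check on t16 in the OLK-5.10 copy before merging.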
[PATCH openEuler-22.03-LTS-SP2] media: bttv: fix use after free error due to btv->timeout timer
by Ye Bin 27 May '24
From: Zheng Wang <zyytlz.wz(a)163.com> stable inclusion from stable-v5.10.201 commit 2f3d9198cdae1cb079ec8652f4defacd481eab2b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9DFT4 CVE: CVE-2023-52847 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit bd5b50b329e850d467e7bcc07b2b6bde3752fbda ] There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: sanglipeng <sanglipeng1(a)jd.com> Signed-off-by: Ye Bin <yebin10(a)huawei.com> --- drivers/media/pci/bt8xx/bttv-driver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c index 1f0e4b913a05..5f1bd9b38e75 100644 --- a/drivers/media/pci/bt8xx/bttv-driver.c +++ b/drivers/media/pci/bt8xx/bttv-driver.c @@ -4258,6 +4258,7 @@ static void bttv_remove(struct pci_dev *pci_dev) /* free resources */ free_irq(btv->c.pci->irq,btv); + del_timer_sync(&btv->timeout); iounmap(btv->bt848_mmio); release_mem_region(pci_resource_start(btv->c.pci,0), pci_resource_len(btv->c.pci,0)); -- 2.31.1
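Review bot: placing `del_timer_sync(&btv->timeout);` after free_irq() is the right order: the commit message shows the timer being armed from the interrupt path (bttv_set_dma -> mod_timer), so disabling the IRQ first ensures nothing re-arms the timer after the synchronous delete, and the call still precedes the release of btv. One thing to check outside the hunk: if bttv_irq_timeout() can itself call bttv_set_dma() and re-arm the timer, del_timer_sync() does not prevent a callback from re-arming, and a 5.10 kernel has no timer_shutdown_sync(), so the callback would need a guard flag set before the delete for the fix to be complete.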
[PATCH openEuler-22.03-LTS] media: bttv: fix use after free error due to btv->timeout timer
by Ye Bin 27 May '24
From: Zheng Wang <zyytlz.wz(a)163.com> stable inclusion from stable-v5.10.201 commit 2f3d9198cdae1cb079ec8652f4defacd481eab2b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9DFT4 CVE: CVE-2023-52847 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit bd5b50b329e850d467e7bcc07b2b6bde3752fbda ] There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: sanglipeng <sanglipeng1(a)jd.com> Signed-off-by: Ye Bin <yebin10(a)huawei.com> --- drivers/media/pci/bt8xx/bttv-driver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c index 1f0e4b913a05..5f1bd9b38e75 100644 --- a/drivers/media/pci/bt8xx/bttv-driver.c +++ b/drivers/media/pci/bt8xx/bttv-driver.c @@ -4258,6 +4258,7 @@ static void bttv_remove(struct pci_dev *pci_dev) /* free resources */ free_irq(btv->c.pci->irq,btv); + del_timer_sync(&btv->timeout); iounmap(btv->bt848_mmio); release_mem_region(pci_resource_start(btv->c.pci,0), pci_resource_len(btv->c.pci,0)); -- 2.31.1
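Review bot: this is the same one-line hunk as the openEuler-22.03-LTS-SP2 backport of this commit, and the same check applies: del_timer_sync() after free_irq() stops the IRQ path (bttv_set_dma -> mod_timer) from re-arming the timer once it is deleted, but it does not stop bttv_irq_timeout() from re-arming itself, so confirm that callback in this branch's bttv-driver.c before treating the UAF as closed.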
[PATCH openEuler-22.03-LTS-SP1] media: bttv: fix use after free error due to btv->timeout timer
by Ye Bin 27 May '24
From: Zheng Wang <zyytlz.wz(a)163.com> stable inclusion from stable-v5.10.201 commit 2f3d9198cdae1cb079ec8652f4defacd481eab2b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9DFT4 CVE: CVE-2023-52847 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit bd5b50b329e850d467e7bcc07b2b6bde3752fbda ] There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: sanglipeng <sanglipeng1(a)jd.com> Signed-off-by: Ye Bin <yebin10(a)huawei.com> --- drivers/media/pci/bt8xx/bttv-driver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c index 1f0e4b913a05..5f1bd9b38e75 100644 --- a/drivers/media/pci/bt8xx/bttv-driver.c +++ b/drivers/media/pci/bt8xx/bttv-driver.c @@ -4258,6 +4258,7 @@ static void bttv_remove(struct pci_dev *pci_dev) /* free resources */ free_irq(btv->c.pci->irq,btv); + del_timer_sync(&btv->timeout); iounmap(btv->bt848_mmio); release_mem_region(pci_resource_start(btv->c.pci,0), pci_resource_len(btv->c.pci,0)); -- 2.31.1
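Review bot: identical hunk to the other two openEuler-22.03 backports of this commit in this thread list; the ordering relative to free_irq() is correct, and the open question for this branch is the same one, namely whether bttv_irq_timeout() re-arms the timer from inside the callback, which del_timer_sync() alone does not cover.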
[PATCH OLK-5.10] pstore/zone: Add a null pointer check to the psz_kmsg_read
by Zeng Heng 27 May '24
From: Kunwu Chan <chentao(a)kylinos.cn> mainline inclusion from mainline-v6.9-rc1 commit 98bc7e26e14fbb26a6abf97603d59532475e97f8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QGKD CVE: CVE-2024-35940 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. Signed-off-by: Kunwu Chan <chentao(a)kylinos.cn> Link: https://lore.kernel.org/r/20240118100206.213928-1-chentao@kylinos.cn Signed-off-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- fs/pstore/zone.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/pstore/zone.c b/fs/pstore/zone.c index b50fc33f2ab2..2426fb6794fd 100644 --- a/fs/pstore/zone.c +++ b/fs/pstore/zone.c @@ -973,6 +973,8 @@ static ssize_t psz_kmsg_read(struct pstore_zone *zone, char *buf = kasprintf(GFP_KERNEL, "%s: Total %d times\n", kmsg_dump_reason_str(record->reason), record->count); + if (!buf) + return -ENOMEM; hlen = strlen(buf); record->buf = krealloc(buf, hlen + size, GFP_KERNEL); if (!record->buf) { -- 2.25.1
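Review bot: `if (!buf) return -ENOMEM;` is placed correctly before strlen(buf), and -ENOMEM fits the ssize_t return type, but the existing `if (!record->buf) {` failure branch a few lines down (its body is not in the hunk) presumably releases `buf` and undoes anything set up earlier in psz_kmsg_read(); the new early return performs no cleanup at all, so confirm nothing allocated or locked earlier in the function is left behind when kasprintf() fails, and that the caller treats a negative return as "no record" rather than as a byte count.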