- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] fs/netfs/fscache_cookie: add missing "n_accesses" check
by Long Li 09 Sep '24

09 Sep '24

From: Max Kellermann <max.kellermann(a)ionos.com> stable inclusion from stable-v6.6.47 commit dfaa39b05a6cf34a16c525a2759ee6ab26b5fef6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZM CVE: CVE-2024-45000 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… -------------------------------- commit f71aa06398aabc2e3eaac25acdf3d62e0094ba70 upstream. This fixes a NULL pointer dereference bug due to a data race which looks like this: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43 Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018 Workqueue: events_unbound netfs_rreq_write_to_cache_work RIP: 0010:cachefiles_prepare_write+0x30/0xa0 Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10 RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286 RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000 RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438 RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001 R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68 R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00 FS: 0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0 Call Trace: <TASK> ? __die+0x1f/0x70 ? page_fault_oops+0x15d/0x440 ? search_module_extables+0xe/0x40 ? fixup_exception+0x22/0x2f0 ? exc_page_fault+0x5f/0x100 ? asm_exc_page_fault+0x22/0x30 ? cachefiles_prepare_write+0x30/0xa0 netfs_rreq_write_to_cache_work+0x135/0x2e0 process_one_work+0x137/0x2c0 worker_thread+0x2e9/0x400 ? __pfx_worker_thread+0x10/0x10 kthread+0xcc/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Modules linked in: CR2: 0000000000000008 ---[ end trace 0000000000000000 ]--- This happened because fscache_cookie_state_machine() was slow and was still running while another process invoked fscache_unuse_cookie(); this led to a fscache_cookie_lru_do_one() call, setting the FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by fscache_cookie_state_machine(), withdrawing the cookie via cachefiles_withdraw_cookie(), clearing cookie->cache_priv. At the same time, yet another process invoked cachefiles_prepare_write(), which found a NULL pointer in this code line: struct cachefiles_object *object = cachefiles_cres_object(cres); The next line crashes, obviously: struct cachefiles_cache *cache = object->volume->cache; During cachefiles_prepare_write(), the "n_accesses" counter is non-zero (via fscache_begin_operation()). The cookie must not be withdrawn until it drops to zero. The counter is checked by fscache_cookie_state_machine() before switching to FSCACHE_COOKIE_STATE_RELINQUISHING and FSCACHE_COOKIE_STATE_WITHDRAWING (in "case FSCACHE_COOKIE_STATE_FAILED"), but not for FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case FSCACHE_COOKIE_STATE_ACTIVE"). This patch adds the missing check. With a non-zero access counter, the function returns and the next fscache_end_cookie_access() call will queue another fscache_cookie_state_machine() call to handle the still-pending FSCACHE_COOKIE_DO_LRU_DISCARD. Fixes: 12bb21a29c19 ("fscache: Implement cookie user counting and resource pinning") Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Signed-off-by: David Howells <dhowells(a)redhat.com> Link: https://lore.kernel.org/r/20240729162002.3436763-2-dhowells@redhat.com cc: Jeff Layton <jlayton(a)kernel.org> cc: netfs(a)lists.linux.dev cc: linux-fsdevel(a)vger.kernel.org cc: stable(a)vger.kernel.org Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/fscache/cookie.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c index bce2492186d0..d4d4b3a8b106 100644 --- a/fs/fscache/cookie.c +++ b/fs/fscache/cookie.c @@ -741,6 +741,10 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie) spin_lock(&cookie->lock); } if (test_bit(FSCACHE_COOKIE_DO_LRU_DISCARD, &cookie->flags)) { + if (atomic_read(&cookie->n_accesses) != 0) + /* still being accessed: postpone it */ + break; + __fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_LRU_DISCARDING); wake = true; -- 2.39.2

2 1

[PATCH OLK-6.6] tracefs: Use generic inode RCU for synchronizing freeing
by Long Li 09 Sep '24

09 Sep '24

From: Steven Rostedt <rostedt(a)goodmis.org> commit 0b6743bd60a56a701070b89fb80c327a44b7b3e2 upstream. With structure layout randomization enabled for 'struct inode' we need to avoid overlapping any of the RCU-used / initialized-only-once members, e.g. i_lru or i_sb_list to not corrupt related list traversals when making use of the rcu_head. For an unlucky structure layout of 'struct inode' we may end up with the following splat when running the ftrace selftests: [<...>] list_del corruption, ffff888103ee2cb0->next (tracefs_inode_cache+0x0/0x4e0 [slab object]) is NULL (prev is tracefs_inode_cache+0x78/0x4e0 [slab object]) [<...>] ------------[ cut here ]------------ [<...>] kernel BUG at lib/list_debug.c:54! [<...>] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [<...>] CPU: 3 PID: 2550 Comm: mount Tainted: G N 6.8.12-grsec+ #122 ed2f536ca62f28b087b90e3cc906a8d25b3ddc65 [<...>] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [<...>] RIP: 0010:[<ffffffff84656018>] __list_del_entry_valid_or_report+0x138/0x3e0 [<...>] Code: 48 b8 99 fb 65 f2 ff ff ff ff e9 03 5c d9 fc cc 48 b8 99 fb 65 f2 ff ff ff ff e9 33 5a d9 fc cc 48 b8 99 fb 65 f2 ff ff ff ff <0f> 0b 4c 89 e9 48 89 ea 48 89 ee 48 c7 c7 60 8f dd 89 31 c0 e8 2f [<...>] RSP: 0018:fffffe80416afaf0 EFLAGS: 00010283 [<...>] RAX: 0000000000000098 RBX: ffff888103ee2cb0 RCX: 0000000000000000 [<...>] RDX: ffffffff84655fe8 RSI: ffffffff89dd8b60 RDI: 0000000000000001 [<...>] RBP: ffff888103ee2cb0 R08: 0000000000000001 R09: fffffbd0082d5f25 [<...>] R10: fffffe80416af92f R11: 0000000000000001 R12: fdf99c16731d9b6d [<...>] R13: 0000000000000000 R14: ffff88819ad4b8b8 R15: 0000000000000000 [<...>] RBX: tracefs_inode_cache+0x0/0x4e0 [slab object] [<...>] RDX: __list_del_entry_valid_or_report+0x108/0x3e0 [<...>] RSI: __func__.47+0x4340/0x4400 [<...>] RBP: tracefs_inode_cache+0x0/0x4e0 [slab object] [<...>] RSP: process kstack fffffe80416afaf0+0x7af0/0x8000 [mount 2550 2550] [<...>] R09: kasan shadow of process kstack fffffe80416af928+0x7928/0x8000 [mount 2550 2550] [<...>] R10: process kstack fffffe80416af92f+0x792f/0x8000 [mount 2550 2550] [<...>] R14: tracefs_inode_cache+0x78/0x4e0 [slab object] [<...>] FS: 00006dcb380c1840(0000) GS:ffff8881e0600000(0000) knlGS:0000000000000000 [<...>] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [<...>] CR2: 000076ab72b30e84 CR3: 000000000b088004 CR4: 0000000000360ef0 shadow CR4: 0000000000360ef0 [<...>] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [<...>] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [<...>] ASID: 0003 [<...>] Stack: [<...>] ffffffff818a2315 00000000f5c856ee ffffffff896f1840 ffff888103ee2cb0 [<...>] ffff88812b6b9750 0000000079d714b6 fffffbfff1e9280b ffffffff8f49405f [<...>] 0000000000000001 0000000000000000 ffff888104457280 ffffffff8248b392 [<...>] Call Trace: [<...>] <TASK> [<...>] [<ffffffff818a2315>] ? lock_release+0x175/0x380 fffffe80416afaf0 [<...>] [<ffffffff8248b392>] list_lru_del+0x152/0x740 fffffe80416afb48 [<...>] [<ffffffff8248ba93>] list_lru_del_obj+0x113/0x280 fffffe80416afb88 [<...>] [<ffffffff8940fd19>] ? _atomic_dec_and_lock+0x119/0x200 fffffe80416afb90 [<...>] [<ffffffff8295b244>] iput_final+0x1c4/0x9a0 fffffe80416afbb8 [<...>] [<ffffffff8293a52b>] dentry_unlink_inode+0x44b/0xaa0 fffffe80416afbf8 [<...>] [<ffffffff8293fefc>] __dentry_kill+0x23c/0xf00 fffffe80416afc40 [<...>] [<ffffffff8953a85f>] ? __this_cpu_preempt_check+0x1f/0xa0 fffffe80416afc48 [<...>] [<ffffffff82949ce5>] ? shrink_dentry_list+0x1c5/0x760 fffffe80416afc70 [<...>] [<ffffffff82949b71>] ? shrink_dentry_list+0x51/0x760 fffffe80416afc78 [<...>] [<ffffffff82949da8>] shrink_dentry_list+0x288/0x760 fffffe80416afc80 [<...>] [<ffffffff8294ae75>] shrink_dcache_sb+0x155/0x420 fffffe80416afcc8 [<...>] [<ffffffff8953a7c3>] ? debug_smp_processor_id+0x23/0xa0 fffffe80416afce0 [<...>] [<ffffffff8294ad20>] ? do_one_tree+0x140/0x140 fffffe80416afcf8 [<...>] [<ffffffff82997349>] ? do_remount+0x329/0xa00 fffffe80416afd18 [<...>] [<ffffffff83ebf7a1>] ? security_sb_remount+0x81/0x1c0 fffffe80416afd38 [<...>] [<ffffffff82892096>] reconfigure_super+0x856/0x14e0 fffffe80416afd70 [<...>] [<ffffffff815d1327>] ? ns_capable_common+0xe7/0x2a0 fffffe80416afd90 [<...>] [<ffffffff82997436>] do_remount+0x416/0xa00 fffffe80416afdd0 [<...>] [<ffffffff829b2ba4>] path_mount+0x5c4/0x900 fffffe80416afe28 [<...>] [<ffffffff829b25e0>] ? finish_automount+0x13a0/0x13a0 fffffe80416afe60 [<...>] [<ffffffff82903812>] ? user_path_at_empty+0xb2/0x140 fffffe80416afe88 [<...>] [<ffffffff829b2ff5>] do_mount+0x115/0x1c0 fffffe80416afeb8 [<...>] [<ffffffff829b2ee0>] ? path_mount+0x900/0x900 fffffe80416afed8 [<...>] [<ffffffff8272461c>] ? __kasan_check_write+0x1c/0xa0 fffffe80416afee0 [<...>] [<ffffffff829b31cf>] __do_sys_mount+0x12f/0x280 fffffe80416aff30 [<...>] [<ffffffff829b36cd>] __x64_sys_mount+0xcd/0x2e0 fffffe80416aff70 [<...>] [<ffffffff819f8818>] ? syscall_trace_enter+0x218/0x380 fffffe80416aff88 [<...>] [<ffffffff8111655e>] x64_sys_call+0x5d5e/0x6720 fffffe80416affa8 [<...>] [<ffffffff8952756d>] do_syscall_64+0xcd/0x3c0 fffffe80416affb8 [<...>] [<ffffffff8100119b>] entry_SYSCALL_64_safe_stack+0x4c/0x87 fffffe80416affe8 [<...>] </TASK> [<...>] <PTREGS> [<...>] RIP: 0033:[<00006dcb382ff66a>] vm_area_struct[mount 2550 2550 file 6dcb38225000-6dcb3837e000 22 55(read|exec|mayread|mayexec)]+0x0/0xb8 [userland map] [<...>] Code: 48 8b 0d 29 18 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f6 17 0d 00 f7 d8 64 89 01 48 [<...>] RSP: 002b:0000763d68192558 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [<...>] RAX: ffffffffffffffda RBX: 00006dcb38433264 RCX: 00006dcb382ff66a [<...>] RDX: 000017c3e0d11210 RSI: 000017c3e0d1a5a0 RDI: 000017c3e0d1ae70 [<...>] RBP: 000017c3e0d10fb0 R08: 000017c3e0d11260 R09: 00006dcb383d1be0 [<...>] R10: 000000000020002e R11: 0000000000000246 R12: 0000000000000000 [<...>] R13: 000017c3e0d1ae70 R14: 000017c3e0d11210 R15: 000017c3e0d10fb0 [<...>] RBX: vm_area_struct[mount 2550 2550 file 6dcb38433000-6dcb38434000 5b 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] RCX: vm_area_struct[mount 2550 2550 file 6dcb38225000-6dcb3837e000 22 55(read|exec|mayread|mayexec)]+0x0/0xb8 [userland map] [<...>] RDX: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] RSI: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] RDI: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] RBP: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] RSP: vm_area_struct[mount 2550 2550 anon 763d68173000-763d68195000 7ffffffdd 100133(read|write|mayread|maywrite|growsdown|account)]+0x0/0xb8 [userland map] [<...>] R08: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] R09: vm_area_struct[mount 2550 2550 file 6dcb383d1000-6dcb383d3000 1cd 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] R13: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] R14: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] R15: vm_area_struct[mount 2550 2550 anon 17c3e0d0f000-17c3e0d31000 17c3e0d0f 100033(read|write|mayread|maywrite|account)]+0x0/0xb8 [userland map] [<...>] </PTREGS> [<...>] Modules linked in: [<...>] ---[ end trace 0000000000000000 ]--- The list debug message as well as RBX's symbolic value point out that the object in question was allocated from 'tracefs_inode_cache' and that the list's '->next' member is at offset 0. Dumping the layout of the relevant parts of 'struct tracefs_inode' gives the following: struct tracefs_inode { union { struct inode { struct list_head { struct list_head * next; /* 0 8 */ struct list_head * prev; /* 8 8 */ } i_lru; [...] } vfs_inode; struct callback_head { void (*func)(struct callback_head *); /* 0 8 */ struct callback_head * next; /* 8 8 */ } rcu; }; [...] }; Above shows that 'vfs_inode.i_lru' overlaps with 'rcu' which will destroy the 'i_lru' list as soon as the 'rcu' member gets used, e.g. in call_rcu() or later when calling the RCU callback. This will disturb concurrent list traversals as well as object reuse which assumes these list heads will keep their integrity. For reproduction, the following diff manually overlays 'i_lru' with 'rcu' as, otherwise, one would require some good portion of luck for gambling an unlucky RANDSTRUCT seed: --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -629,6 +629,7 @@ struct inode { umode_t i_mode; unsigned short i_opflags; kuid_t i_uid; + struct list_head i_lru; /* inode LRU list */ kgid_t i_gid; unsigned int i_flags; @@ -690,7 +691,6 @@ struct inode { u16 i_wb_frn_avg_time; u16 i_wb_frn_history; #endif - struct list_head i_lru; /* inode LRU list */ struct list_head i_sb_list; struct list_head i_wb_list; /* backing dev writeback list */ union { The tracefs inode does not need to supply its own RCU delayed destruction of its inode. The inode code itself offers both a "destroy_inode()" callback that gets called when the last reference of the inode is released, and the "free_inode()" which is called after a RCU synchronization period from the "destroy_inode()". The tracefs code can unlink the inode from its list in the destroy_inode() callback, and the simply free it from the free_inode() callback. This should provide the same protection. Link: https://lore.kernel.org/all/20240807115143.45927-3-minipli@grsecurity.net/ Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Ajay Kaher <ajay.kaher(a)broadcom.com> Cc: Ilkka =?utf-8?b?TmF1bGFww6TDpA==?= <digirigawa(a)gmail.com> Link: https://lore.kernel.org/20240807185402.61410544@gandalf.local.home Fixes: baa23a8d4360 ("tracefs: Reset permissions on remount if permissions are options") Reported-by: Mathias Krause <minipli(a)grsecurity.net> Reported-by: Brad Spengler <spender(a)grsecurity.net> Suggested-by: Al Viro <viro(a)zeniv.linux.org.uk> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: include/linux/fs.h [The patch which merged into stable-v6.6 has error, it shouldn't modify include/linux/fs.h] Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/tracefs/inode.c | 10 ++++------ fs/tracefs/internal.h | 5 +---- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index 859442b5371e..7d389dd5ed51 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c @@ -53,15 +53,14 @@ static struct inode *tracefs_alloc_inode(struct super_block *sb) return &ti->vfs_inode; } -static void tracefs_free_inode_rcu(struct rcu_head *rcu) +static void tracefs_free_inode(struct inode *inode) { - struct tracefs_inode *ti; + struct tracefs_inode *ti = get_tracefs(inode); - ti = container_of(rcu, struct tracefs_inode, rcu); kmem_cache_free(tracefs_inode_cachep, ti); } -static void tracefs_free_inode(struct inode *inode) +static void tracefs_destroy_inode(struct inode *inode) { struct tracefs_inode *ti = get_tracefs(inode); unsigned long flags; @@ -69,8 +68,6 @@ static void tracefs_free_inode(struct inode *inode) spin_lock_irqsave(&tracefs_inode_lock, flags); list_del_rcu(&ti->list); spin_unlock_irqrestore(&tracefs_inode_lock, flags); - - call_rcu(&ti->rcu, tracefs_free_inode_rcu); } static ssize_t default_read_file(struct file *file, char __user *buf, @@ -458,6 +455,7 @@ static int tracefs_drop_inode(struct inode *inode) static const struct super_operations tracefs_super_operations = { .alloc_inode = tracefs_alloc_inode, .free_inode = tracefs_free_inode, + .destroy_inode = tracefs_destroy_inode, .drop_inode = tracefs_drop_inode, .statfs = simple_statfs, .remount_fs = tracefs_remount, diff --git a/fs/tracefs/internal.h b/fs/tracefs/internal.h index f704d8348357..d83c2a25f288 100644 --- a/fs/tracefs/internal.h +++ b/fs/tracefs/internal.h @@ -10,10 +10,7 @@ enum { }; struct tracefs_inode { - union { - struct inode vfs_inode; - struct rcu_head rcu; - }; + struct inode vfs_inode; /* The below gets initialized with memset_after(ti, 0, vfs_inode) */ struct list_head list; unsigned long flags; -- 2.39.2

2 1

[PATCH openEuler-22.03-LTS-SP1] mptcp: pm: avoid possible UaF when selecting endp
by Liu Jian 09 Sep '24

09 Sep '24

From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> mainline inclusion from mainline-v6.11-rc5 commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOY17 CVE: CVE-2024-44974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------- select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. Reported-by: Paolo Abeni <pabeni(a)redhat.com> Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/mptcp/pm_netlink.c [Did not backport 90d930882139 ("mptcp: constify a bunch of of helpers"), 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set"), 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk").] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/mptcp/pm_netlink.c | 44 ++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 0d6f3d912891..824420c4e8f9 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -128,11 +128,13 @@ static bool lookup_subflow_by_saddr(const struct list_head *list, return false; } -static struct mptcp_pm_addr_entry * +static bool select_local_address(const struct pm_nl_pernet *pernet, - struct mptcp_sock *msk) + struct mptcp_sock *msk, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; rcu_read_lock(); spin_lock_bh(&msk->join_list_lock); @@ -146,19 +148,23 @@ select_local_address(const struct pm_nl_pernet *pernet, if (entry->addr.family == ((struct sock *)msk)->sk_family && !lookup_subflow_by_saddr(&msk->conn_list, &entry->addr) && !lookup_subflow_by_saddr(&msk->join_list, &entry->addr)) { - ret = entry; + *new_entry = *entry; + found = true; break; } } spin_unlock_bh(&msk->join_list_lock); rcu_read_unlock(); - return ret; + + return found; } -static struct mptcp_pm_addr_entry * -select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos) +static bool +select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; int i = 0; rcu_read_lock(); @@ -171,12 +177,14 @@ select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos) if (!(entry->addr.flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) continue; if (i++ == pos) { - ret = entry; + *new_entry = *entry; + found = true; break; } } rcu_read_unlock(); - return ret; + + return found; } static void check_work_pending(struct mptcp_sock *msk) @@ -306,7 +314,7 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) { struct mptcp_addr_info remote = { 0 }; struct sock *sk = (struct sock *)msk; - struct mptcp_pm_addr_entry *local; + struct mptcp_pm_addr_entry local; struct pm_nl_pernet *pernet; pernet = net_generic(sock_net((struct sock *)msk), pm_nl_pernet_id); @@ -318,13 +326,12 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) /* check first for announce */ if (msk->pm.add_addr_signaled < msk->pm.add_addr_signal_max) { - local = select_signal_address(pernet, - msk->pm.add_addr_signaled); - if (local) { - if (mptcp_pm_alloc_anno_list(msk, local)) { + if (select_signal_address(pernet, + msk->pm.add_addr_signaled, &local)) { + if (mptcp_pm_alloc_anno_list(msk, &local)) { msk->pm.add_addr_signaled++; - mptcp_pm_announce_addr(msk, &local->addr, false); + mptcp_pm_announce_addr(msk, &local.addr, false); } } else { /* pick failed, avoid fourther attempts later */ @@ -339,13 +346,12 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) msk->pm.subflows < msk->pm.subflows_max) { remote_address((struct sock_common *)sk, &remote); - local = select_local_address(pernet, msk); - if (local) { + if (select_local_address(pernet, msk, &local)) { msk->pm.local_addr_used++; msk->pm.subflows++; check_work_pending(msk); spin_unlock_bh(&msk->pm.lock); - __mptcp_subflow_connect(sk, &local->addr, &remote); + __mptcp_subflow_connect(sk, &local.addr, &remote); spin_lock_bh(&msk->pm.lock); return; } -- 2.34.1

2 1

[PATCH openEuler-22.03-LTS-SP1] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
by Liu Jian 09 Sep '24

09 Sep '24

From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> stable inclusion from stable-v5.10.224 commit b7b8d9f5e679af60c94251fd6728dde34be69a71 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXYL CVE: CVE-2024-44971 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit e3862093ee93fcfbdadcb7957f5f8974fffa806a ] bcm_sf2_mdio_register() calls of_phy_find_device() and then phy_device_remove() in a loop to remove existing PHY devices. of_phy_find_device() eventually calls bus_find_device(), which calls get_device() on the returned struct device * to increment the refcount. The current implementation does not decrement the refcount, which causes memory leak. This commit adds the missing phy_device_free() call to decrement the refcount via put_device() to balance the refcount. Fixes: 771089c2a485 ("net: dsa: bcm_sf2: Ensure that MDIO diversion is used") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Tested-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Reviewed-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://patch.msgid.link/20240806011327.3817861-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/dsa/bcm_sf2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c index c6563d212476..7b8bdc34caa5 100644 --- a/drivers/net/dsa/bcm_sf2.c +++ b/drivers/net/dsa/bcm_sf2.c @@ -559,8 +559,10 @@ static int bcm_sf2_mdio_register(struct dsa_switch *ds) of_remove_property(child, prop); phydev = of_phy_find_device(child); - if (phydev) + if (phydev) { phy_device_remove(phydev); + phy_device_free(phydev); + } } err = mdiobus_register(priv->slave_mii_bus); -- 2.34.1

2 1

[openeuler:OLK-5.10 29989/30000] versioncheck: ./drivers/misc/sdma-dae/sdma_cdev.c: 9 linux/version.h not needed.
by kernel test robot 09 Sep '24

09 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 3e6d44ea60eb8609ba59273c12276e3236cd76b2 commit: 1eb55075d727b4f06ceeb95a71670e2a0d7d026c [29989/30000] drivers:misc:sdma-dae: fix icsl code check problems reproduce: (https://download.01.org/0day-ci/archive/20240909/202409091107.diXxqb2W-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409091107.diXxqb2W-lkp@intel.com/ versioncheck warnings: (new ones prefixed by >>) INFO PATH=/opt/cross/rustc-1.58.0-bindgen-0.56.0/cargo/bin:/opt/cross/clang-18/bin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin /usr/bin/timeout -k 100 3h /usr/bin/make KCFLAGS= -Wtautological-compare -Wno-error=return-type -Wreturn-type -Wcast-function-type -funsigned-char -Wundef -fstrict-flex-arrays=3 -Wformat-overflow -Wformat-truncation -Wenum-conversion W=1 --keep-going LLVM=1 -j32 ARCH=x86_64 versioncheck find ./* \( -name SCCS -o -name BitKeeper -o -name .svn -o -name CVS -o -name .pc -o -name .hg -o -name .git \) -prune -o \ -name '*.[hcS]' -type f -print | sort \ | xargs perl -w ./scripts/checkversion.pl ./arch/csky/include/asm/atomic.h: 6 linux/version.h not needed. ./arch/csky/include/asm/io.h: 9 linux/version.h not needed. ./arch/csky/include/asm/thread_info.h: 9 linux/version.h not needed. ./arch/csky/include/asm/uaccess.h: 15 linux/version.h not needed. ./arch/csky/kernel/process.c: 5 linux/version.h not needed. ./arch/csky/mm/dma-mapping.c: 12 linux/version.h not needed. ./arch/csky/mm/fault.c: 16 linux/version.h not needed. ./arch/s390/include/asm/setup.h: 183: need linux/version.h ./arch/um/drivers/vector_kern.c: 11 linux/version.h not needed. ./drivers/block/rsxx/rsxx_priv.h: 14 linux/version.h not needed. ./drivers/char/ipmi/ipmi_si_ls2k500.c: 19 linux/version.h not needed. ./drivers/crypto/cavium/cpt/cptpf_main.c: 13 linux/version.h not needed. ./drivers/crypto/cavium/zip/common.h: 59 linux/version.h not needed. ./drivers/crypto/ccree/cc_driver.h: 26 linux/version.h not needed. ./drivers/crypto/montage/tsse/tsse_vuart.c: 21 linux/version.h not needed. ./drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c: 62 linux/version.h not needed. ./drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c: 28 linux/version.h not needed. ./drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c: 26 linux/version.h not needed. ./drivers/gpu/drm/inspur/inspur_drm_de.c: 513: need linux/version.h ./drivers/gpu/drm/inspur/inspur_drm_drv.c: 456: need linux/version.h ./drivers/gpu/drm/pl111/pl111_display.c: 14 linux/version.h not needed. ./drivers/gpu/drm/pl111/pl111_drv.c: 47 linux/version.h not needed. ./drivers/gpu/drm/tve200/tve200_display.c: 14 linux/version.h not needed. ./drivers/gpu/drm/tve200/tve200_drv.c: 38 linux/version.h not needed. ./drivers/hv/hv.c: 16 linux/version.h not needed. ./drivers/i2c/busses/i2c-brcmstb.c: 25 linux/version.h not needed. ./drivers/i2c/busses/i2c-xgene-slimpro.c: 22 linux/version.h not needed. ./drivers/media/pci/cx25821/cx25821.h: 31 linux/version.h not needed. ./drivers/media/platform/s3c-camif/camif-core.c: 26 linux/version.h not needed. ./drivers/media/platform/sti/c8sectpfe/c8sectpfe-common.h: 16 linux/version.h not needed. ./drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c: 31 linux/version.h not needed. ./drivers/media/platform/sti/c8sectpfe/c8sectpfe-dvb.c: 14 linux/version.h not needed. ./drivers/media/usb/uvc/uvc_driver.c: 18 linux/version.h not needed. >> ./drivers/misc/sdma-dae/sdma_cdev.c: 9 linux/version.h not needed. ./drivers/net/ethernet/3snic/sssnic/include/kernel/sss_linux_kernel.h: 12 linux/version.h not needed. ./drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c: 21 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/edma_drv/bma_include.h: 32 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/edma_drv/bma_pci.c: 17 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_include.h: 20 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_main.c: 22 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_mce.c: 16 linux/version.h not needed. ./drivers/net/ethernet/huawei/bma/kbox_drv/kbox_ram_op.c: 16 linux/version.h not needed. ./drivers/net/ethernet/huawei/hinic/ossl_knl.h: 22 linux/version.h not needed. ./drivers/net/ethernet/huawei/hinic3/ossl_knl_linux.h: 12 linux/version.h not needed. ./drivers/net/ethernet/mucse/rnpm/rnpm_common.h: 7 linux/version.h not needed. ./drivers/net/ethernet/nebula-matrix/m1600/common.h: 12 linux/version.h not needed. ./drivers/net/ethernet/nebula-matrix/m1600/txrx.c: 9 linux/version.h not needed. ./drivers/net/ethernet/qlogic/qede/qede.h: 10 linux/version.h not needed. ./drivers/net/ethernet/qlogic/qede/qede_ethtool.c: 7 linux/version.h not needed. ./drivers/net/ethernet/qlogic/qede/qede_main.c: 10 linux/version.h not needed. ./drivers/net/ethernet/yunsilicon/xsc/common/xsc_core.h: 26 linux/version.h not needed. ./drivers/net/usb/lan78xx.c: 5 linux/version.h not needed. ./drivers/net/wireless/rsi/rsi_91x_ps.c: 19 linux/version.h not needed. ./drivers/scsi/cxgbi/libcxgbi.h: 27 linux/version.h not needed. ./drivers/scsi/hisi_raid/hiraid_main.c: 9 linux/version.h not needed. ./drivers/scsi/huawei/hifc/hifc_knl_adp.h: 23 linux/version.h not needed. ./drivers/scsi/qedf/qedf.h: 15 linux/version.h not needed. ./drivers/scsi/qedf/qedf_dbg.h: 13 linux/version.h not needed. ./drivers/scsi/qedi/qedi_dbg.h: 14 linux/version.h not needed. ./drivers/scsi/sssraid/sssraid_fw.c: 6 linux/version.h not needed. ./drivers/scsi/sssraid/sssraid_os.c: 6 linux/version.h not needed. ./drivers/soc/tegra/powergate-bpmp.c: 10 linux/version.h not needed. ./drivers/staging/media/atomisp/include/linux/atomisp.h: 23 linux/version.h not needed. ./drivers/staging/rtl8723bs/include/drv_types.h: 17 linux/version.h not needed. ./drivers/staging/rtl8723bs/include/ioctl_cfg80211.h: 10 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_cdev_file.c: 23 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_device.c: 33 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_genl.c: 26 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_genl_admin.c: 20 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_main.c: 28 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_tp.c: 26 linux/version.h not needed. ./drivers/ub/urma/ubcore/ubcore_umem.c: 26 linux/version.h not needed. ./drivers/ub/urma/uburma/uburma_main.c: 29 linux/version.h not needed. ./drivers/ub/urma/uburma/uburma_mmap.c: 21 linux/version.h not needed. ./drivers/watchdog/ziirave_wdt.c: 21 linux/version.h not needed. ./fs/eulerfs/euler.h: 20 linux/version.h not needed. ./fs/eulerfs/euler_common.h: 25 linux/version.h not needed. ./fs/proc/etmem_scan.c: 13 linux/version.h not needed. ./include/linux/qed/qed_ll2_if.h: 15 linux/version.h not needed. ./kernel/bpf/syscall.c: 20 linux/version.h not needed. ./samples/bpf/sampleip_kern.c: 7 linux/version.h not needed. ./samples/bpf/trace_event_kern.c: 8 linux/version.h not needed. ./sound/soc/codecs/cs35l35.c: 12 linux/version.h not needed. ./sound/soc/codecs/cs42l42.c: 14 linux/version.h not needed. ./tools/lib/bpf/libbpf_sched.h: 21 linux/version.h not needed. ./tools/perf/include/bpf/bpf.h: 70: need linux/version.h ./tools/perf/tests/bpf-script-example.c: 49: need linux/version.h ./tools/perf/tests/bpf-script-test-kbuild.c: 21: need linux/version.h ./tools/perf/tests/bpf-script-test-prologue.c: 47: need linux/version.h ./tools/perf/tests/bpf-script-test-relocation.c: 51: need linux/version.h ./tools/testing/selftests/bpf/progs/test_map_lock.c: 4 linux/version.h not needed. ./tools/testing/selftests/bpf/progs/test_send_signal_kern.c: 4 linux/version.h not needed. ./tools/testing/selftests/bpf/progs/test_spin_lock.c: 4 linux/version.h not needed. ./tools/testing/selftests/bpf/progs/test_tcp_estats.c: 37 linux/version.h not needed. ./tools/testing/selftests/wireguard/qemu/init.c: 25 linux/version.h not needed. -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6 0/2] mm/ksm: fix ksm_zero_pages accounting
by Kaixiong Yu 09 Sep '24

09 Sep '24

fix the bug from mainline inclusion commits e2942062e01d ("ksm: count all zero pages placed by KSM") and 6080d19f0704 ("ksm: add ksm zero pages for each process") Chengming Zhou (1): mm/ksm: fix ksm_zero_pages accounting Kaixiong Yu (1): mm_types: Fix kabi breakage in struct mm_struct fs/proc/base.c | 2 +- include/linux/ksm.h | 17 ++++++++++++++--- include/linux/mm_types.h | 3 ++- mm/ksm.c | 11 +++++------ 4 files changed, 22 insertions(+), 11 deletions(-) -- 2.25.1

2 3

[openeuler:OLK-5.10 4121/30000] fs/xfs/xfs_icache.c:52 xfs_icwalk_tag() warn: unsigned 'goal' is never less than zero.
by kernel test robot 09 Sep '24

09 Sep '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 3e6d44ea60eb8609ba59273c12276e3236cd76b2 commit: b12b4a14e6dc13b75697ebc80f513fedd068345e [4121/30000] xfs: remove xfs_dqrele_all_inodes config: x86_64-randconfig-161-20240906 (https://download.01.org/0day-ci/archive/20240909/202409091024.XP4R6muy-lkp@…) compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409091024.XP4R6muy-lkp@intel.com/ New smatch warnings: fs/xfs/xfs_icache.c:52 xfs_icwalk_tag() warn: unsigned 'goal' is never less than zero. Old smatch warnings: fs/xfs/xfs_icache.c:534 xfs_iget_cache_hit() warn: missing unwind goto? vim +/goal +52 fs/xfs/xfs_icache.c 656d89e710ffc0 Darrick J. Wong 2022-01-07 47 656d89e710ffc0 Darrick J. Wong 2022-01-07 48 /* Compute the inode radix tree tag for this goal. */ 656d89e710ffc0 Darrick J. Wong 2022-01-07 49 static inline unsigned int 656d89e710ffc0 Darrick J. Wong 2022-01-07 50 xfs_icwalk_tag(enum xfs_icwalk_goal goal) 656d89e710ffc0 Darrick J. Wong 2022-01-07 51 { 656d89e710ffc0 Darrick J. Wong 2022-01-07 @52 return goal < 0 ? XFS_ICWALK_NULL_TAG : goal; 656d89e710ffc0 Darrick J. Wong 2022-01-07 53 } 656d89e710ffc0 Darrick J. Wong 2022-01-07 54 :::::: The code at line 52 was first introduced by commit :::::: 656d89e710ffc01bc169a476208c84a0048cb554 xfs: pass the goal of the incore inode walk to xfs_inode_walk() :::::: TO: Darrick J. Wong <djwong(a)kernel.org> :::::: CC: Zheng Zengkai <zhengzengkai(a)huawei.com> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
by Liu Jian 09 Sep '24

09 Sep '24

From: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> stable inclusion from stable-v5.10.224 commit b7b8d9f5e679af60c94251fd6728dde34be69a71 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXYL CVE: CVE-2024-44971 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit e3862093ee93fcfbdadcb7957f5f8974fffa806a ] bcm_sf2_mdio_register() calls of_phy_find_device() and then phy_device_remove() in a loop to remove existing PHY devices. of_phy_find_device() eventually calls bus_find_device(), which calls get_device() on the returned struct device * to increment the refcount. The current implementation does not decrement the refcount, which causes memory leak. This commit adds the missing phy_device_free() call to decrement the refcount via put_device() to balance the refcount. Fixes: 771089c2a485 ("net: dsa: bcm_sf2: Ensure that MDIO diversion is used") Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> Tested-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Reviewed-by: Florian Fainelli <florian.fainelli(a)broadcom.com> Link: https://patch.msgid.link/20240806011327.3817861-1-joe@pf.is.s.u-tokyo.ac.jp Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/dsa/bcm_sf2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/dsa/bcm_sf2.c b/drivers/net/dsa/bcm_sf2.c index a5849663f65c..d0f94a5fae5a 100644 --- a/drivers/net/dsa/bcm_sf2.c +++ b/drivers/net/dsa/bcm_sf2.c @@ -558,8 +558,10 @@ static int bcm_sf2_mdio_register(struct dsa_switch *ds) of_remove_property(child, prop); phydev = of_phy_find_device(child); - if (phydev) + if (phydev) { phy_device_remove(phydev); + phy_device_free(phydev); + } } err = mdiobus_register(priv->slave_mii_bus); -- 2.34.1

2 1

[PATCH OLK-5.10] mptcp: pm: avoid possible UaF when selecting endp
by Liu Jian 09 Sep '24

09 Sep '24

From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> mainline inclusion from mainline-v6.11-rc5 commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOY17 CVE: CVE-2024-44974 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------------- select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. Reported-by: Paolo Abeni <pabeni(a)redhat.com> Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com Fixes: 01cacb00b35c ("mptcp: add netlink-based PM") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/mptcp/pm_netlink.c [Did not backport 90d930882139 ("mptcp: constify a bunch of of helpers"), 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set"), 86e39e04482b ("mptcp: keep track of local endpoint still available for each msk").] Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- net/mptcp/pm_netlink.c | 44 ++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 0d6f3d912891..824420c4e8f9 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -128,11 +128,13 @@ static bool lookup_subflow_by_saddr(const struct list_head *list, return false; } -static struct mptcp_pm_addr_entry * +static bool select_local_address(const struct pm_nl_pernet *pernet, - struct mptcp_sock *msk) + struct mptcp_sock *msk, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; rcu_read_lock(); spin_lock_bh(&msk->join_list_lock); @@ -146,19 +148,23 @@ select_local_address(const struct pm_nl_pernet *pernet, if (entry->addr.family == ((struct sock *)msk)->sk_family && !lookup_subflow_by_saddr(&msk->conn_list, &entry->addr) && !lookup_subflow_by_saddr(&msk->join_list, &entry->addr)) { - ret = entry; + *new_entry = *entry; + found = true; break; } } spin_unlock_bh(&msk->join_list_lock); rcu_read_unlock(); - return ret; + + return found; } -static struct mptcp_pm_addr_entry * -select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos) +static bool +select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos, + struct mptcp_pm_addr_entry *new_entry) { - struct mptcp_pm_addr_entry *entry, *ret = NULL; + struct mptcp_pm_addr_entry *entry; + bool found = false; int i = 0; rcu_read_lock(); @@ -171,12 +177,14 @@ select_signal_address(struct pm_nl_pernet *pernet, unsigned int pos) if (!(entry->addr.flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) continue; if (i++ == pos) { - ret = entry; + *new_entry = *entry; + found = true; break; } } rcu_read_unlock(); - return ret; + + return found; } static void check_work_pending(struct mptcp_sock *msk) @@ -306,7 +314,7 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) { struct mptcp_addr_info remote = { 0 }; struct sock *sk = (struct sock *)msk; - struct mptcp_pm_addr_entry *local; + struct mptcp_pm_addr_entry local; struct pm_nl_pernet *pernet; pernet = net_generic(sock_net((struct sock *)msk), pm_nl_pernet_id); @@ -318,13 +326,12 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) /* check first for announce */ if (msk->pm.add_addr_signaled < msk->pm.add_addr_signal_max) { - local = select_signal_address(pernet, - msk->pm.add_addr_signaled); - if (local) { - if (mptcp_pm_alloc_anno_list(msk, local)) { + if (select_signal_address(pernet, + msk->pm.add_addr_signaled, &local)) { + if (mptcp_pm_alloc_anno_list(msk, &local)) { msk->pm.add_addr_signaled++; - mptcp_pm_announce_addr(msk, &local->addr, false); + mptcp_pm_announce_addr(msk, &local.addr, false); } } else { /* pick failed, avoid fourther attempts later */ @@ -339,13 +346,12 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk) msk->pm.subflows < msk->pm.subflows_max) { remote_address((struct sock_common *)sk, &remote); - local = select_local_address(pernet, msk); - if (local) { + if (select_local_address(pernet, msk, &local)) { msk->pm.local_addr_used++; msk->pm.subflows++; check_work_pending(msk); spin_unlock_bh(&msk->pm.lock); - __mptcp_subflow_connect(sk, &local->addr, &remote); + __mptcp_subflow_connect(sk, &local.addr, &remote); spin_lock_bh(&msk->pm.lock); return; } -- 2.34.1

2 1

[PATCH OLK-6.6] bnxt_en: Fix double DMA unmapping for XDP_REDIRECT
by Liu Jian 09 Sep '24

09 Sep '24

From: Somnath Kotur <somnath.kotur(a)broadcom.com> stable inclusion from stable-v6.6.48 commit fa4e6ae38574d0fc5596272bee64727d8ab7052b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOXZU CVE: CVE-2024-44984 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------------------------- [ Upstream commit 8baeef7616d5194045c5a6b97fd1246b87c55b13 ] Remove the dma_unmap_page_attrs() call in the driver's XDP_REDIRECT code path. This should have been removed when we let the page pool handle the DMA mapping. This bug causes the warning: WARNING: CPU: 7 PID: 59 at drivers/iommu/dma-iommu.c:1198 iommu_dma_unmap_page+0xd5/0x100 CPU: 7 PID: 59 Comm: ksoftirqd/7 Tainted: G W 6.8.0-1010-gcp #11-Ubuntu Hardware name: Dell Inc. PowerEdge R7525/0PYVT1, BIOS 2.15.2 04/02/2024 RIP: 0010:iommu_dma_unmap_page+0xd5/0x100 Code: 89 ee 48 89 df e8 cb f2 69 ff 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 31 f6 31 ff 45 31 c0 e9 ab 17 71 00 <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 c9 RSP: 0018:ffffab1fc0597a48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff99ff838280c8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffab1fc0597a78 R08: 0000000000000002 R09: ffffab1fc0597c1c R10: ffffab1fc0597cd3 R11: ffff99ffe375acd8 R12: 00000000e65b9000 R13: 0000000000000050 R14: 0000000000001000 R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffff9a06efb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000565c34c37210 CR3: 00000005c7e3e000 CR4: 0000000000350ef0 ? show_regs+0x6d/0x80 ? __warn+0x89/0x150 ? iommu_dma_unmap_page+0xd5/0x100 ? report_bug+0x16a/0x190 ? handle_bug+0x51/0xa0 ? exc_invalid_op+0x18/0x80 ? iommu_dma_unmap_page+0xd5/0x100 ? iommu_dma_unmap_page+0x35/0x100 dma_unmap_page_attrs+0x55/0x220 ? bpf_prog_4d7e87c0d30db711_xdp_dispatcher+0x64/0x9f bnxt_rx_xdp+0x237/0x520 [bnxt_en] bnxt_rx_pkt+0x640/0xdd0 [bnxt_en] __bnxt_poll_work+0x1a1/0x3d0 [bnxt_en] bnxt_poll+0xaa/0x1e0 [bnxt_en] __napi_poll+0x33/0x1e0 net_rx_action+0x18a/0x2f0 Fixes: 578fcfd26e2a ("bnxt_en: Let the page pool manage the DMA mapping") Reviewed-by: Andy Gospodarek <andrew.gospodarek(a)broadcom.com> Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> Signed-off-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com> Link: https://patch.msgid.link/20240820203415.168178-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Jian <liujian56(a)huawei.com> --- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c index 8cb9a99154aa..2845796f782c 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c @@ -297,11 +297,6 @@ bool bnxt_rx_xdp(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, u16 cons, * redirect is coming from a frame received by the * bnxt_en driver. */ - rx_buf = &rxr->rx_buf_ring[cons]; - mapping = rx_buf->mapping - bp->rx_dma_offset; - dma_unmap_page_attrs(&pdev->dev, mapping, - BNXT_RX_PAGE_SIZE, bp->rx_dir, - DMA_ATTR_WEAK_ORDERING); /* if we are unable to allocate a new buffer, abort and reuse */ if (bnxt_alloc_rx_data(bp, rxr, rxr->rx_prod, GFP_ATOMIC)) { -- 2.34.1

2 1