From: Hagar Hemdan <hagarhem(a)amazon.com>
mainline inclusion
from mainline-v6.10-rc3
commit 73254a297c2dd094abec7c9efee32455ae875bdf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEK8
CVE: CVE-2024-41080
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The io_register_iowq_max_workers() function calls io_put_sq_data(),
which acquires the sqd->lock without releasing the uring_lock.
Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
before acquiring sqd->lock"), this can lead to a potential deadlock
situation.
To resolve this issue, the uring_lock is released before calling
io_put_sq_data(), and then it is re-acquired after the function call.
This change ensures that the locks are acquired in the correct
order, preventing the possibility of a deadlock.
Suggested-by: Maximilian Heyne <mheyne(a)amazon.de>
Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com>
Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Conflicts:
io_uring/io_uring.c
io_uring/register.c
[Commit c43203154d8ac moves related functions from io_uring/io_uring.c
to io_uring/register.c.]
Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com>
---
io_uring/io_uring.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 5979f0fc28b2..40bd1406976c 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4340,8 +4340,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
}
if (sqd) {
+ mutex_unlock(&ctx->uring_lock);
mutex_unlock(&sqd->lock);
io_put_sq_data(sqd);
+ mutex_lock(&ctx->uring_lock);
}
if (copy_to_user(arg, new_count, sizeof(new_count)))
@@ -4366,8 +4368,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
return 0;
err:
if (sqd) {
+ mutex_unlock(&ctx->uring_lock);
mutex_unlock(&sqd->lock);
io_put_sq_data(sqd);
+ mutex_lock(&ctx->uring_lock);
}
return ret;
}
--
2.34.3
From: Hagar Hemdan <hagarhem(a)amazon.com>
mainline inclusion
from mainline-v6.10-rc3
commit 73254a297c2dd094abec7c9efee32455ae875bdf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEK8
CVE: CVE-2024-41080
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The io_register_iowq_max_workers() function calls io_put_sq_data(),
which acquires the sqd->lock without releasing the uring_lock.
Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
before acquiring sqd->lock"), this can lead to a potential deadlock
situation.
To resolve this issue, the uring_lock is released before calling
io_put_sq_data(), and then it is re-acquired after the function call.
This change ensures that the locks are acquired in the correct
order, preventing the possibility of a deadlock.
Suggested-by: Maximilian Heyne <mheyne(a)amazon.de>
Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com>
Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Conflicts:
io_uring/io_uring.c
io_uring/register.c
[Commit c43203154d8ac moves related functions from io_uring/io_uring.c
to io_uring/register.c.]
Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com>
---
io_uring/io_uring.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 5979f0fc28b2..40bd1406976c 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4340,8 +4340,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
}
if (sqd) {
+ mutex_unlock(&ctx->uring_lock);
mutex_unlock(&sqd->lock);
io_put_sq_data(sqd);
+ mutex_lock(&ctx->uring_lock);
}
if (copy_to_user(arg, new_count, sizeof(new_count)))
@@ -4366,8 +4368,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
return 0;
err:
if (sqd) {
+ mutex_unlock(&ctx->uring_lock);
mutex_unlock(&sqd->lock);
io_put_sq_data(sqd);
+ mutex_lock(&ctx->uring_lock);
}
return ret;
}
--
2.34.3
From: Andreas Hindborg <a.hindborg(a)samsung.com>
stable inclusion
from stable-v6.6.42
commit 08f03186b96e25e3154916a2e70732557c770ea7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMW
CVE: CVE-2024-41077
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
---------------------------
[ Upstream commit c462ecd659b5fce731f1d592285832fd6ad54053 ]
Block size should be between 512 and PAGE_SIZE and be a power of 2. The current
check does not validate this, so update the check.
Without this patch, null_blk would Oops due to a null pointer deref when
loaded with bs=1536 [1].
Link: https://lore.kernel.org/all/87wmn8mocd.fsf@metaspace.dk/
Signed-off-by: Andreas Hindborg <a.hindborg(a)samsung.com>
Reviewed-by: Ming Lei <ming.lei(a)redhat.com>
Link: https://lore.kernel.org/r/20240603192645.977968-1-nmi@metaspace.dk
[axboe: remove unnecessary braces and != 0 check]
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
drivers/block/null_blk/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
index c70c1b9caf2f..644f86eef744 100644
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -2029,8 +2029,8 @@ static int null_validate_conf(struct nullb_device *dev)
return -EINVAL;
}
- dev->blocksize = round_down(dev->blocksize, 512);
- dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096);
+ if (blk_validate_block_size(dev->blocksize))
+ return -EINVAL;
if (dev->queue_mode == NULL_Q_MQ && dev->use_per_node_hctx) {
if (dev->submit_queues != nr_online_nodes)
--
2.25.1
From: Andreas Hindborg <a.hindborg(a)samsung.com>
stable inclusion
from stable-v5.10.223
commit 9625afe1dd4a158a14bb50f81af9e2dac634c0b1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMW
CVE: CVE-2024-41077
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
---------------------------
[ Upstream commit c462ecd659b5fce731f1d592285832fd6ad54053 ]
Block size should be between 512 and PAGE_SIZE and be a power of 2. The current
check does not validate this, so update the check.
Without this patch, null_blk would Oops due to a null pointer deref when
loaded with bs=1536 [1].
Link: https://lore.kernel.org/all/87wmn8mocd.fsf@metaspace.dk/
Signed-off-by: Andreas Hindborg <a.hindborg(a)samsung.com>
Reviewed-by: Ming Lei <ming.lei(a)redhat.com>
Link: https://lore.kernel.org/r/20240603192645.977968-1-nmi@metaspace.dk
[axboe: remove unnecessary braces and != 0 check]
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
drivers/block/null_blk/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
index 91c8412442d0..8ecabf025512 100644
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -1756,8 +1756,8 @@ static int null_validate_conf(struct nullb_device *dev)
return -EINVAL;
}
- dev->blocksize = round_down(dev->blocksize, 512);
- dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096);
+ if (blk_validate_block_size(dev->blocksize))
+ return -EINVAL;
if (dev->queue_mode == NULL_Q_MQ && dev->use_per_node_hctx) {
if (dev->submit_queues != nr_online_nodes)
--
2.25.1
From: Andreas Hindborg <a.hindborg(a)samsung.com>
stable inclusion
from stable-v5.10.223
commit 9625afe1dd4a158a14bb50f81af9e2dac634c0b1
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMW
CVE: CVE-2024-41077
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
---------------------------
[ Upstream commit c462ecd659b5fce731f1d592285832fd6ad54053 ]
Block size should be between 512 and PAGE_SIZE and be a power of 2. The current
check does not validate this, so update the check.
Without this patch, null_blk would Oops due to a null pointer deref when
loaded with bs=1536 [1].
Link: https://lore.kernel.org/all/87wmn8mocd.fsf@metaspace.dk/
Signed-off-by: Andreas Hindborg <a.hindborg(a)samsung.com>
Reviewed-by: Ming Lei <ming.lei(a)redhat.com>
Link: https://lore.kernel.org/r/20240603192645.977968-1-nmi@metaspace.dk
[axboe: remove unnecessary braces and != 0 check]
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Conflicts:
drivers/block/null_blk/main.c
[The conflicts were due to not backport some unnecessary patch.]
Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
drivers/block/null_blk/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
index 209b95f88839..c36e8a4f805b 100644
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -1751,8 +1751,8 @@ static int null_init_tag_set(struct nullb *nullb, struct blk_mq_tag_set *set)
static int null_validate_conf(struct nullb_device *dev)
{
- dev->blocksize = round_down(dev->blocksize, 512);
- dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096);
+ if (blk_validate_block_size(dev->blocksize))
+ return -EINVAL;
if (dev->queue_mode == NULL_Q_MQ && dev->use_per_node_hctx) {
if (dev->submit_queues != nr_online_nodes)
--
2.25.1
From: Hagar Hemdan <hagarhem(a)amazon.com>
mainline inclusion
from mainline-v6.10-rc3
commit 73254a297c2dd094abec7c9efee32455ae875bdf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEK8
CVE: CVE-2024-41080
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The io_register_iowq_max_workers() function calls io_put_sq_data(),
which acquires the sqd->lock without releasing the uring_lock.
Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
before acquiring sqd->lock"), this can lead to a potential deadlock
situation.
To resolve this issue, the uring_lock is released before calling
io_put_sq_data(), and then it is re-acquired after the function call.
This change ensures that the locks are acquired in the correct
order, preventing the possibility of a deadlock.
Suggested-by: Maximilian Heyne <mheyne(a)amazon.de>
Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com>
Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@amazon.com
Signed-off-by: Jens Axboe <axboe(a)kernel.dk>
Conflicts:
io_uring/io_uring.c
io_uring/register.c
[Commit c43203154d8ac moves related functions from io_uring/io_uring.c
to io_uring/register.c.]
Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com>
---
io_uring/io_uring.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 5979f0fc28b2..40bd1406976c 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4340,8 +4340,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
}
if (sqd) {
+ mutex_unlock(&ctx->uring_lock);
mutex_unlock(&sqd->lock);
io_put_sq_data(sqd);
+ mutex_lock(&ctx->uring_lock);
}
if (copy_to_user(arg, new_count, sizeof(new_count)))
@@ -4366,8 +4368,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
return 0;
err:
if (sqd) {
+ mutex_unlock(&ctx->uring_lock);
mutex_unlock(&sqd->lock);
io_put_sq_data(sqd);
+ mutex_lock(&ctx->uring_lock);
}
return ret;
}
--
2.34.3