- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS 1/3] nbd: get config_lock before sock_shutdown
by Yongqiang Liu 07 Jun '23

07 Jun '23

From: Zhong Jinghua <zhongjinghua(a)huaweicloud.com> hulk inclusion category: bugfix bugzilla: 188799, https://gitee.com/openeuler/kernel/issues/I79QWO CVE: NA ---------------------------------------- Config->socks in sock_shutdown may trigger a UAF problem. The reason is that sock_shutdown does not hold the config_lock, so that nbd_ioctl can release config->socks at this time. T0: NBD_SET_SOCK T1: NBD_DO_IT T0 T1 nbd_ioctl mutex_lock(&nbd->config_lock) // get lock __nbd_ioctl nbd_start_device_ioctl nbd_start_device mutex_unlock(&nbd->config_lock) // relase lock wait_event_interruptible (kill, enter sock_shutdown) sock_shutdown nbd_ioctl mutex_lock(&nbd->config_lock) // get lock __nbd_ioctl nbd_add_socket krealloc kfree(p) //config->socks is NULL nbd_sock *nsock = config->socks // error Fix it by moving config_lock up before sock_shutdown. Signed-off-by: Zhong Jinghua <zhongjinghua(a)huawei.com> Reviewed-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- drivers/block/nbd.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 551b2f7da8ef..a08f35946718 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1347,11 +1347,16 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b mutex_unlock(&nbd->config_lock); ret = wait_event_interruptible(config->recv_wq, atomic_read(&config->recv_threads) == 0); + + /* + * recv_work in flush_workqueue will not get this lock, because nbd_open + * will hold nbd->config_refs + */ + mutex_lock(&nbd->config_lock); if (ret) sock_shutdown(nbd); flush_workqueue(nbd->recv_workq); - mutex_lock(&nbd->config_lock); nbd_bdev_reset(bdev); /* user requested, ignore socket errors */ if (test_bit(NBD_RT_DISCONNECT_REQUESTED, &config->runtime_flags)) -- 2.25.1

1 2

[PATCH OLK-5.10 0/2] ubi: Fix deadlock caused by recursively holding work_sem
by ZhaoLong Wang 07 Jun '23

07 Jun '23

Fix deadlock caused by recursively holding work_sem Lee Jones (1): mtd: ubi: wl: Fix a couple of kernel-doc issues ZhaoLong Wang (1): ubi: Fix deadlock caused by recursively holding work_sem drivers/mtd/ubi/wl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) -- 2.39.2

2 3

[PATCH OLK-5.10 0/4] io_uring: fix the problem of running
by Li Lingfeng 07 Jun '23

07 Jun '23

patch1: arch: setup PF_IO_WORKER threads like PF_KTHREAD pre patch of patch4 patch2: arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread() fix patch of patch1 patch3: kernel: don't call do_exit() for PF_IO_WORKER threads fix the segfault patch4: x86/process: setup io_threads more like normal user space threads allow io worker to exit Jens Axboe (3): arch: setup PF_IO_WORKER threads like PF_KTHREAD arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread() kernel: don't call do_exit() for PF_IO_WORKER threads Stefan Metzmacher (1): x86/process: setup io_threads more like normal user space threads arch/alpha/kernel/process.c | 2 +- arch/arc/kernel/process.c | 2 +- arch/arm/kernel/process.c | 2 +- arch/arm64/kernel/process.c | 2 +- arch/csky/kernel/process.c | 2 +- arch/h8300/kernel/process.c | 2 +- arch/hexagon/kernel/process.c | 2 +- arch/ia64/kernel/process.c | 2 +- arch/m68k/kernel/process.c | 2 +- arch/microblaze/kernel/process.c | 2 +- arch/mips/kernel/process.c | 2 +- arch/nds32/kernel/process.c | 2 +- arch/nios2/kernel/process.c | 2 +- arch/openrisc/kernel/process.c | 2 +- arch/parisc/kernel/process.c | 2 +- arch/powerpc/kernel/process.c | 2 +- arch/riscv/kernel/process.c | 2 +- arch/s390/kernel/process.c | 2 +- arch/sh/kernel/process_32.c | 2 +- arch/sparc/kernel/process_32.c | 2 +- arch/sparc/kernel/process_64.c | 2 +- arch/um/kernel/process.c | 2 +- arch/x86/kernel/process.c | 17 +++++++++++++++++ arch/xtensa/kernel/process.c | 2 +- kernel/signal.c | 10 +++++++++- 25 files changed, 49 insertions(+), 24 deletions(-) -- 2.31.1

2 5

[PATCH OLK-5.10 0/4] crypto: hisilicon - fix mailbox operation process
by Weili Qian 07 Jun '23

07 Jun '23

From: JiangShui Yang <yangjiangshui(a)h-partners.com> The mailbox of the Kunpeng accelerator is a special operation. Data(128 bits) needs to be read from hardware or written to hardware at one time. And the operation cannot be canceled by software. Therefore, the software process needs to be modified to avoid mailbox operation errors. Weili Qian (4): crypto: hisilicon/qm - obtain the mailbox configuration at one time vfio/migration: obtain the mailbox configuration at one time crypto: hisilicon/qm - fix the pf2vf timeout when device reset crypto: hisilicon/qm - alloc buffer to set and get xqc drivers/crypto/hisilicon/debugfs.c | 75 +-- .../hisilicon/migration/acc_vf_migration.c | 176 +++--- .../hisilicon/migration/acc_vf_migration.h | 8 +- drivers/crypto/hisilicon/qm.c | 532 +++++++++--------- drivers/crypto/hisilicon/qm_common.h | 5 +- include/linux/hisi_acc_qm.h | 18 +- 6 files changed, 429 insertions(+), 385 deletions(-) -- 2.30.0

1 4

[PATCH OLK-5.10] kobject: Fix slab-out-of-bounds in fill_kobj_path()
by Xia Fukun 07 Jun '23

07 Jun '23

mainline inclusion from mainline-v6.4-rc3 commit 3bb2a01caa813d3a1845d378bbe4169ef280d394 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I697JG CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------- In kobject_get_path(), if kobj->name is changed between calls get_kobj_path_length() and fill_kobj_path() and the length becomes longer, then fill_kobj_path() will have an out-of-bounds bug. The actual current problem occurs when the ixgbe probe. In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name length becomes longer, out-of-bounds will occur. cpu0 cpu1 ixgbe_probe register_netdev(netdev) netdev_register_kobject device_add kobject_uevent // Sending ADD events systemd-udevd // rename netdev dev_change_name device_rename kobject_rename ixgbe_mii_bus_init | mdiobus_register | __mdiobus_register | device_register | device_add | kobject_uevent | kobject_get_path | len = get_kobj_path_length // old name | path = kzalloc(len, gfp_mask); | kobj->name = name; /* name length becomes * longer */ fill_kobj_path /* kobj path length is * longer than path, * resulting in out of * bounds when filling path */ This is the kasan report: ================================================================== BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0 Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673 Workqueue: events work_for_cpu_fn Call Trace: <TASK> dump_stack_lvl+0x34/0x48 print_address_description.constprop.0+0x86/0x1e7 print_report+0x36/0x4f kasan_report+0xad/0x130 kasan_check_range+0x35/0x1c0 memcpy+0x39/0x60 fill_kobj_path+0x50/0xc0 kobject_get_path+0x5a/0xc0 kobject_uevent_env+0x140/0x460 device_add+0x5c7/0x910 __mdiobus_register+0x14e/0x490 ixgbe_probe.cold+0x441/0x574 [ixgbe] local_pci_probe+0x78/0xc0 work_for_cpu_fn+0x26/0x40 process_one_work+0x3b6/0x6a0 worker_thread+0x368/0x520 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 This reproducer triggers that bug: while: do rmmod ixgbe sleep 0.5 modprobe ixgbe sleep 0.5 When calling fill_kobj_path() to fill path, if the name length of kobj becomes longer, return failure and retry. This fixes the problem. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- lib/kobject.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/kobject.c b/lib/kobject.c index ea53b30cf483..617a25ec355d 100644 --- a/lib/kobject.c +++ b/lib/kobject.c @@ -144,7 +144,7 @@ static int get_kobj_path_length(struct kobject *kobj) return length; } -static void fill_kobj_path(struct kobject *kobj, char *path, int length) +static int fill_kobj_path(struct kobject *kobj, char *path, int length) { struct kobject *parent; @@ -153,12 +153,16 @@ static void fill_kobj_path(struct kobject *kobj, char *path, int length) int cur = strlen(kobject_name(parent)); /* back up enough to print this name with '/' */ length -= cur; + if (length <= 0) + return -EINVAL; memcpy(path + length, kobject_name(parent), cur); *(path + --length) = '/'; } pr_debug("kobject: '%s' (%p): %s: path = '%s'\n", kobject_name(kobj), kobj, __func__, path); + + return 0; } /** @@ -173,13 +177,17 @@ char *kobject_get_path(struct kobject *kobj, gfp_t gfp_mask) char *path; int len; +retry: len = get_kobj_path_length(kobj); if (len == 0) return NULL; path = kzalloc(len, gfp_mask); if (!path) return NULL; - fill_kobj_path(kobj, path, len); + if (fill_kobj_path(kobj, path, len)) { + kfree(path); + goto retry; + } return path; } -- 2.17.1

2 1

[PATCH OLK-5.10 0/2] Fix ORC unwinder on paravirt {save,restore}_fl
by Chen Zhongjin 07 Jun '23

07 Jun '23

ISSUE: gitee.com/openeuler/kernel/issues/I6DK3O Chen Zhongjin (2): x86/unwind: Fix orc entry for paravirt {save,restore}_fl x86/unwind: Fix check_paravirt() calls orc_find() before declaration arch/x86/kernel/unwind_orc.c | 45 +++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) -- 2.17.1

2 3

[PATCH OLK-5.10 0/6] Support dynamic_hugetlb on arm64 and fix some bug
by Liu Shixin 07 Jun '23

07 Jun '23

Support dynamic_hugetlb on arm64 and fix some bug. Liu Shixin (6): mm/dynamic_hugetlb: fix kabi broken when enable CONFIG_DYNAMIC_HUGETLB on arm64 mm/dynamic_hugetlb: support dynamic hugetlb on arm64 mm/dynamic_hugetlb: isolate hugepage without dissolve mm/dynamic_hugetlb: replace spin_lock with mutex_lock and fix kabi broken mm/dynamic_hugetlb: set PagePool to bad page mm/dynamic_hugetlb: fix type error of pfn in __hpool_split_gigantic_page() fs/Kconfig | 2 +- fs/hugetlbfs/inode.c | 2 +- include/linux/dynamic_hugetlb.h | 24 +++++++++++++-- include/linux/memcontrol.h | 6 +++- mm/dynamic_hugetlb.c | 54 +++++++++++++++++++++++++++------ mm/hugetlb.c | 7 +++++ 6 files changed, 80 insertions(+), 15 deletions(-) -- 2.25.1

2 7

[PATCH 0/4] crypto: hisilicon - fix mailbox operation process
by Weili Qian 07 Jun '23

07 Jun '23

The mailbox of the Kunpeng accelerator is a special operation. Data(128 bits) needs to be read from hardware or written to hardware at one time. And the operation cannot be canceled by software. Therefore, the software process needs to be modified to avoid mailbox operation errors. Weili Qian (4): crypto: hisilicon/qm - obtain the mailbox configuration at one time vfio/migration: obtain the mailbox configuration at one time crypto: hisilicon/qm - fix the pf2vf timeout when device reset crypto: hisilicon/qm - alloc buffer to set and get xqc drivers/crypto/hisilicon/debugfs.c | 75 +-- .../hisilicon/migration/acc_vf_migration.c | 176 +++--- .../hisilicon/migration/acc_vf_migration.h | 8 +- drivers/crypto/hisilicon/qm.c | 532 +++++++++--------- drivers/crypto/hisilicon/qm_common.h | 5 +- include/linux/hisi_acc_qm.h | 18 +- 6 files changed, 429 insertions(+), 385 deletions(-) -- 2.30.0

1 4

[PATCH OLK-5.10] kobject: Fix slab-out-of-bounds in fill_kobj_path()
by Xia Fukun 07 Jun '23

07 Jun '23

mainline inclusion from mainline-v6.4-rc3 commit 3bb2a01caa813d3a1845d378bbe4169ef280d394 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I697JG CVE: NA ---------------------------------------- In kobject_get_path(), if kobj->name is changed between calls get_kobj_path_length() and fill_kobj_path() and the length becomes longer, then fill_kobj_path() will have an out-of-bounds bug. The actual current problem occurs when the ixgbe probe. In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name length becomes longer, out-of-bounds will occur. cpu0 cpu1 ixgbe_probe register_netdev(netdev) netdev_register_kobject device_add kobject_uevent // Sending ADD events systemd-udevd // rename netdev dev_change_name device_rename kobject_rename ixgbe_mii_bus_init | mdiobus_register | __mdiobus_register | device_register | device_add | kobject_uevent | kobject_get_path | len = get_kobj_path_length // old name | path = kzalloc(len, gfp_mask); | kobj->name = name; /* name length becomes * longer */ fill_kobj_path /* kobj path length is * longer than path, * resulting in out of * bounds when filling path */ This is the kasan report: ================================================================== BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0 Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673 Workqueue: events work_for_cpu_fn Call Trace: <TASK> dump_stack_lvl+0x34/0x48 print_address_description.constprop.0+0x86/0x1e7 print_report+0x36/0x4f kasan_report+0xad/0x130 kasan_check_range+0x35/0x1c0 memcpy+0x39/0x60 fill_kobj_path+0x50/0xc0 kobject_get_path+0x5a/0xc0 kobject_uevent_env+0x140/0x460 device_add+0x5c7/0x910 __mdiobus_register+0x14e/0x490 ixgbe_probe.cold+0x441/0x574 [ixgbe] local_pci_probe+0x78/0xc0 work_for_cpu_fn+0x26/0x40 process_one_work+0x3b6/0x6a0 worker_thread+0x368/0x520 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 This reproducer triggers that bug: while: do rmmod ixgbe sleep 0.5 modprobe ixgbe sleep 0.5 When calling fill_kobj_path() to fill path, if the name length of kobj becomes longer, return failure and retry. This fixes the problem. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Wang Hai <wanghai38(a)huawei.com> Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xia Fukun <xiafukun(a)huawei.com> --- lib/kobject.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/kobject.c b/lib/kobject.c index ea53b30cf483..617a25ec355d 100644 --- a/lib/kobject.c +++ b/lib/kobject.c @@ -144,7 +144,7 @@ static int get_kobj_path_length(struct kobject *kobj) return length; } -static void fill_kobj_path(struct kobject *kobj, char *path, int length) +static int fill_kobj_path(struct kobject *kobj, char *path, int length) { struct kobject *parent; @@ -153,12 +153,16 @@ static void fill_kobj_path(struct kobject *kobj, char *path, int length) int cur = strlen(kobject_name(parent)); /* back up enough to print this name with '/' */ length -= cur; + if (length <= 0) + return -EINVAL; memcpy(path + length, kobject_name(parent), cur); *(path + --length) = '/'; } pr_debug("kobject: '%s' (%p): %s: path = '%s'\n", kobject_name(kobj), kobj, __func__, path); + + return 0; } /** @@ -173,13 +177,17 @@ char *kobject_get_path(struct kobject *kobj, gfp_t gfp_mask) char *path; int len; +retry: len = get_kobj_path_length(kobj); if (len == 0) return NULL; path = kzalloc(len, gfp_mask); if (!path) return NULL; - fill_kobj_path(kobj, path, len); + if (fill_kobj_path(kobj, path, len)) { + kfree(path); + goto retry; + } return path; } -- 2.17.1

2 1

[PATCH openEuler-1.0-LTS v5 0/2] introduce smart grid scheduler.
by Wang ShaoBo 07 Jun '23

07 Jun '23

introduce smart grid scheduler. v5: 调度部分已完成评审完成代码修改，逃逸部分仍然使用pelt. 内存策略调整模块已经按照review已将进行修改. v4: fix KABI add 'cpu.affinity_domain_mask' add some statistics v3: 修改了patchwork错误，但是KABI还有个问题待解决。 v2: formal version 1. Hui Tang (1): sched: Introduce smart grid scheduling strategy for cfs Wang ShaoBo (1): sched: smart grid: init sched_grid_qos structure on QOS purpose fs/proc/array.c | 13 + include/linux/sched.h | 18 ++ include/linux/sched/grid_qos.h | 84 +++++++ include/linux/sched/sysctl.h | 4 + init/Kconfig | 13 + kernel/fork.c | 9 + kernel/sched/Makefile | 1 + kernel/sched/core.c | 147 ++++++++++++ kernel/sched/fair.c | 425 ++++++++++++++++++++++++++++++++- kernel/sched/grid/Makefile | 2 + kernel/sched/grid/internal.h | 6 + kernel/sched/grid/power.c | 10 + kernel/sched/grid/qos.c | 125 ++++++++++ kernel/sched/grid/stat.c | 15 ++ kernel/sched/sched.h | 50 ++++ kernel/sysctl.c | 9 + mm/mempolicy.c | 12 +- 17 files changed, 940 insertions(+), 3 deletions(-) create mode 100644 include/linux/sched/grid_qos.h create mode 100644 kernel/sched/grid/Makefile create mode 100644 kernel/sched/grid/internal.h create mode 100644 kernel/sched/grid/power.c create mode 100644 kernel/sched/grid/qos.c create mode 100644 kernel/sched/grid/stat.c -- 2.25.1

1 2