- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] nilfs2: fix leak of nilfs_root in case of writer thread creation failure
by Yongqiang Liu 29 Oct '22

29 Oct '22

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> mainline inclusion from mainline-v6.1-rc1 commit d0d51a97063db4704a5ef6bc978dddab1636a306 category: bugfix bugzilla: 187884, https://gitee.com/src-openeuler/kernel/issues/I5X2OB CVE: CVE-2022-3646 -------------------------------- If nilfs_attach_log_writer() failed to create a log writer thread, it frees a data structure of the log writer without any cleanup. After commit e912a5b66837 ("nilfs2: use root object to get ifile"), this causes a leak of struct nilfs_root, which started to leak an ifile metadata inode and a kobject on that struct. In addition, if the kernel is booted with panic_on_warn, the above ifile metadata inode leak will cause the following panic when the nilfs2 kernel module is removed: kmem_cache_destroy nilfs2_inode_cache: Slab cache still has objects when called from nilfs_destroy_cachep+0x16/0x3a [nilfs2] WARNING: CPU: 8 PID: 1464 at mm/slab_common.c:494 kmem_cache_destroy+0x138/0x140 ... RIP: 0010:kmem_cache_destroy+0x138/0x140 Code: 00 20 00 00 e8 a9 55 d8 ff e9 76 ff ff ff 48 8b 53 60 48 c7 c6 20 70 65 86 48 c7 c7 d8 69 9c 86 48 8b 4c 24 28 e8 ef 71 c7 00 <0f> 0b e9 53 ff ff ff c3 48 81 ff ff 0f 00 00 77 03 31 c0 c3 53 48 ... Call Trace: <TASK> ? nilfs_palloc_freev.cold.24+0x58/0x58 [nilfs2] nilfs_destroy_cachep+0x16/0x3a [nilfs2] exit_nilfs_fs+0xa/0x1b [nilfs2] __x64_sys_delete_module+0x1d9/0x3a0 ? __sanitizer_cov_trace_pc+0x1a/0x50 ? syscall_trace_enter.isra.19+0x119/0x190 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd ... </TASK> Kernel panic - not syncing: panic_on_warn set ... This patch fixes these issues by calling nilfs_detach_log_writer() cleanup function if spawning the log writer thread fails. Link: https://lkml.kernel.org/r/20221007085226.57667-1-konishi.ryusuke@gmail.com Fixes: e912a5b66837 ("nilfs2: use root object to get ifile") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+7381dc4ad60658ca4c05(a)syzkaller.appspotmail.com Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Conflict: fs/nilfs2/segment.c Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- fs/nilfs2/segment.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 445eef41bfaf..2104be29417b 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -2781,10 +2781,9 @@ int nilfs_attach_log_writer(struct super_block *sb, struct nilfs_root *root) return -ENOMEM; err = nilfs_segctor_start_thread(nilfs->ns_writer); - if (err) { - kfree(nilfs->ns_writer); - nilfs->ns_writer = NULL; - } + if (unlikely(err)) + nilfs_detach_log_writer(sb); + return err; } -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS] vsock: Fix memory leak in vsock_connect()
by Yongqiang Liu 29 Oct '22

29 Oct '22

From: Peilin Ye <peilin.ye(a)bytedance.com> stable inclusion from stable-v4.19.256 commit 2fc2a7767f661e6083f69588718cdf6f07cb9330 category: bugfix bugzilla: 187891, https://gitee.com/src-openeuler/kernel/issues/I5WYLL CVE: CVE-2022-3629 -------------------------------- commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream. An O_NONBLOCK vsock_connect() request may try to reschedule @connect_work. Imagine the following sequence of vsock_connect() requests: 1. The 1st, non-blocking request schedules @connect_work, which will expire after 200 jiffies. Socket state is now SS_CONNECTING; 2. Later, the 2nd, blocking request gets interrupted by a signal after a few jiffies while waiting for the connection to be established. Socket state is back to SS_UNCONNECTED, but @connect_work is still pending, and will expire after 100 jiffies. 3. Now, the 3rd, non-blocking request tries to schedule @connect_work again. Since @connect_work is already scheduled, schedule_delayed_work() silently returns. sock_hold() is called twice, but sock_put() will only be called once in vsock_connect_timeout(), causing a memory leak reported by syzbot: BUG: memory leak unreferenced object 0xffff88810ea56a40 (size 1232): comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............ backtrace: [<ffffffff837c830e>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930 [<ffffffff837cbe22>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989 [<ffffffff842ccf68>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734 [<ffffffff842ce8f1>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203 [<ffffffff837c0cbb>] __sock_create+0x1ab/0x2b0 net/socket.c:1468 [<ffffffff837c3acf>] sock_create net/socket.c:1519 [inline] [<ffffffff837c3acf>] __sys_socket+0x6f/0x140 net/socket.c:1561 [<ffffffff837c3bba>] __do_sys_socket net/socket.c:1570 [inline] [<ffffffff837c3bba>] __se_sys_socket net/socket.c:1568 [inline] [<ffffffff837c3bba>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568 [<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae <...> Use mod_delayed_work() instead: if @connect_work is already scheduled, reschedule it, and undo sock_hold() to keep the reference count balanced. Reported-and-tested-by: syzbot+b03f55bf128f9a38f064(a)syzkaller.appspotmail.com Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Co-developed-by: Stefano Garzarella <sgarzare(a)redhat.com> Signed-off-by: Stefano Garzarella <sgarzare(a)redhat.com> Reviewed-by: Stefano Garzarella <sgarzare(a)redhat.com> Signed-off-by: Peilin Ye <peilin.ye(a)bytedance.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Dong Chenchen <dongchenchen2(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/vmw_vsock/af_vsock.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c index 4f9a0635d723..ed715ccca9a9 100644 --- a/net/vmw_vsock/af_vsock.c +++ b/net/vmw_vsock/af_vsock.c @@ -1213,7 +1213,14 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, * timeout fires. */ sock_hold(sk); - schedule_delayed_work(&vsk->connect_work, timeout); + + /* If the timeout function is already scheduled, + * reschedule it, then ungrab the socket refcount to + * keep it balanced. + */ + if (mod_delayed_work(system_wq, &vsk->connect_work, + timeout)) + sock_put(sk); /* Skip ahead to preserve error code set above. */ goto out_wait; -- 2.25.1

1 0

[PATCH OLK-5.10 00/39] sharepool: Update patches from hulk
by Wang Wensheng 28 Oct '22

28 Oct '22

This patch set contains code optimizations and bugfixes for the sharepool. Chen Jun (5): sharepool: Make the definitions of MMAP_SHARE_POOL_{START|16G_START} more readable sharepool: Rename sp_mapping.flag to sp_mapping.type sharepool: replace spg->{dvpp|normal} with spg->mapping[SP_MAPPING_{DVPP|NORMAL}] sharepool: Extract sp_mapping_find sharepool: Support alloc ro mapping Guo Mengqi (14): mm: sharepool: remove deprecated interfaces mm: sharepool: proc_sp_group_state bugfix mm: sharepool: fix dvpp spm redundant print error mm: sharepool: fix statistics error mm: sharepool: fix static code-check errors mm: sharepool: delete redundant codes mm: sharepool: fix softlockup in high pressure use case. mm: sharepool: fix deadlock in spa_stat_of_mapping_show mm: sharepool: fix deadlock in sp_check_mmap_addr mm: sharepool: delete unused codes mm: sharepool: fix potential AA deadlock mm: sharepool: check size=0 in mg_sp_make_share_k2u() mm: sharepool: fix hugepage_rsvd count increase error Fix sharepool hugepage cgroup uncount error. Wang Wensheng (3): mm/sharepool: Delete unused sysctl interface mm/sharepool: Fix UAF reported by KASAN mm/sharepool: Rebind the numa node when fallback to normal pages Zhang Zekun (11): mm: sharepool: Remove unused sp_dev_va_start and sp_dev_va_size mm: sharepool: Remove sp_device_number_detect function mm: sharepool: Remove enable_mdc_default_group and change the definition of is_process_in_group() mm: sharepool: Remove the comment and fix a bug in mg_sp_group_id_by_pid() mm: sharepool: Add a read lock in proc_usage_show() mm: share_pool: Fix CodeCheck2.0 static warning Fix CodeCheck2.0 static check warning Fix the broken logic in mg_sp_group_add_task() Renaming __insert_sp_area to insert_sp_area Renaming __find_sp_area_locked to find_sp_area_locked Use space instead of tap before '*normal' and '*dvpp' Zhou Guanghui (6): mm/share pool: delete unnecessary judgment mm/share pool: Avoid UAF on spa mm/share pool: Check the maximum value of spg_id mm/share pool: Avoid UAF on mm mm/sharepool: bugfix for 2M U2K mm/share pool: fix the incorrect judgement of the addr range fs/hugetlbfs/inode.c | 19 +- include/linux/hugetlb.h | 6 +- include/linux/share_pool.h | 168 ++----- kernel/sysctl.c | 67 --- mm/hugetlb.c | 3 + mm/share_pool.c | 882 +++++++++++++------------------------ 6 files changed, 363 insertions(+), 782 deletions(-) -- 2.17.1

1 39

[PATCH openEuler-1.0-LTS 1/2] sch_sfb: Don't assume the skb is still around after enqueueing to child
by Yongqiang Liu 27 Oct '22

27 Oct '22

From: Toke Høiland-Jørgensen <toke(a)toke.dk> stable inclusion from stable-v4.19.258 commit 9245ed20950afe225bc6d1c4b9d28d55aa152e25 category: bugfix bugzilla: 187862, https://gitee.com/src-openeuler/kernel/issues/I5WF14 CVE: CVE-2022-3586 -------------------------------- [ Upstream commit 9efd23297cca530bb35e1848665805d3fcdd7889 ] The sch_sfb enqueue() routine assumes the skb is still alive after it has been enqueued into a child qdisc, using the data in the skb cb field in the increment_qlen() routine after enqueue. However, the skb may in fact have been freed, causing a use-after-free in this case. In particular, this happens if sch_cake is used as a child of sfb, and the GSO splitting mode of CAKE is enabled (in which case the skb will be split into segments and the original skb freed). Fix this by copying the sfb cb data to the stack before enqueueing the skb, and using this stack copy in increment_qlen() instead of the skb pointer itself. Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-18231 Fixes: e13e02a3c68d ("net_sched: SFB flow scheduler") Signed-off-by: Toke Høiland-Jørgensen <toke(a)toke.dk> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> Reviewed-by: chenweilong <chenweilong(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- net/sched/sch_sfb.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c index 1aa95e761671..5e237f978075 100644 --- a/net/sched/sch_sfb.c +++ b/net/sched/sch_sfb.c @@ -139,15 +139,15 @@ static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q) } } -static void increment_qlen(const struct sk_buff *skb, struct sfb_sched_data *q) +static void increment_qlen(const struct sfb_skb_cb *cb, struct sfb_sched_data *q) { u32 sfbhash; - sfbhash = sfb_hash(skb, 0); + sfbhash = cb->hashes[0]; if (sfbhash) increment_one_qlen(sfbhash, 0, q); - sfbhash = sfb_hash(skb, 1); + sfbhash = cb->hashes[1]; if (sfbhash) increment_one_qlen(sfbhash, 1, q); } @@ -287,6 +287,7 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sfb_sched_data *q = qdisc_priv(sch); struct Qdisc *child = q->qdisc; struct tcf_proto *fl; + struct sfb_skb_cb cb; int i; u32 p_min = ~0; u32 minqlen = ~0; @@ -403,11 +404,12 @@ static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch, } enqueue: + memcpy(&cb, sfb_skb_cb(skb), sizeof(cb)); ret = qdisc_enqueue(skb, child, to_free); if (likely(ret == NET_XMIT_SUCCESS)) { qdisc_qstats_backlog_inc(sch, skb); sch->q.qlen++; - increment_qlen(skb, q); + increment_qlen(&cb, q); } else if (net_xmit_drop_count(ret)) { q->stats.childdrop++; qdisc_qstats_drop(sch); -- 2.25.1

1 1

[PATCH openEuler-1.0-LTS 1/4] inet: factor out inet_send_prepare()
by Yongqiang Liu 27 Oct '22

27 Oct '22

From: Paolo Abeni <pabeni(a)redhat.com> mainline inclusion from mainline-v5.3-rc1 commit e473093639945cb0a07ad4d51d5fd3fc3c3708cf category: bugfix bugzilla: 187846, https://gitee.com/src-openeuler/kernel/issues/I5W7YP CVE: CVE-2022-3567 --------------------------- The same code is replicated verbatim in multiple places, and the next patches will introduce an additional user for it. Factor out a helper and use it where appropriate. No functional change intended. Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Xu Jia <xujia39(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- include/net/inet_common.h | 1 + net/ipv4/af_inet.c | 21 +++++++++++++-------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/include/net/inet_common.h b/include/net/inet_common.h index 3ca969cbd161..4c2a6b175b34 100644 --- a/include/net/inet_common.h +++ b/include/net/inet_common.h @@ -23,6 +23,7 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr, int addr_len, int flags); int inet_accept(struct socket *sock, struct socket *newsock, int flags, bool kern); +int inet_send_prepare(struct sock *sk); int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size); ssize_t inet_sendpage(struct socket *sock, struct page *page, int offset, size_t size, int flags); diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index ba716480f2f1..d526dd68589d 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -784,10 +784,8 @@ int inet_getname(struct socket *sock, struct sockaddr *uaddr, } EXPORT_SYMBOL(inet_getname); -int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) +int inet_send_prepare(struct sock *sk) { - struct sock *sk = sock->sk; - sock_rps_record_flow(sk); /* We may need to bind the socket. */ @@ -795,6 +793,17 @@ int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) inet_autobind(sk)) return -EAGAIN; + return 0; +} +EXPORT_SYMBOL_GPL(inet_send_prepare); + +int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) +{ + struct sock *sk = sock->sk; + + if (unlikely(inet_send_prepare(sk))) + return -EAGAIN; + return sk->sk_prot->sendmsg(sk, msg, size); } EXPORT_SYMBOL(inet_sendmsg); @@ -804,11 +813,7 @@ ssize_t inet_sendpage(struct socket *sock, struct page *page, int offset, { struct sock *sk = sock->sk; - sock_rps_record_flow(sk); - - /* We may need to bind the socket. */ - if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind && - inet_autobind(sk)) + if (unlikely(inet_send_prepare(sk))) return -EAGAIN; if (sk->sk_prot->sendpage) -- 2.25.1

1 3

[PATCH openEuler-5.10 01/53] ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
by Zheng Zengkai 27 Oct '22

27 Oct '22

From: Zhihao Cheng <chengzhihao1(a)huawei.com> hulk inclusion category: bugfix bugzilla: 187685, https://gitee.com/openeuler/kernel/issues/I5VVZX CVE: NA -------------------------------- Fix bad space budget when symlink file is encrypted. Bad space budget may let make_reservation() return with -ENOSPC, which could turn ubifs to read-only mode in do_writepage() process. Fetch a reproducer in [Link]. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216490 Fixes: ca7f85be8d6cf9 ("ubifs: Add support for encrypted symlinks") Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> --- fs/ubifs/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c index acd7e83a35e4..647a47ade5bd 100644 --- a/fs/ubifs/dir.c +++ b/fs/ubifs/dir.c @@ -1148,7 +1148,6 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry, int err, sz_change, len = strlen(symname); struct fscrypt_str disk_link; struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1, - .new_ino_d = ALIGN(len, 8), .dirtied_ino = 1 }; struct fscrypt_name nm; @@ -1164,6 +1163,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry, * Budget request settings: new inode, new direntry and changing parent * directory inode. */ + req.new_ino_d = ALIGN(disk_link.len - 1, 8); err = ubifs_budget_space(c, &req); if (err) return err; -- 2.20.1

1 52

[openEuler-5.10] roh/core: Add ROH device driver
by Zheng Zengkai 27 Oct '22

27 Oct '22

From: Ke Chen <chenke54(a)huawei.com> driver inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I5WKYW ----------------------------------------------------------------------- Add ROH device driver support, include: 1. roh core initialization 2. provide a registration framework for roh device. 3. etc. Signed-off-by: Ke Chen <chenke54(a)huawei.com> Reviewed-by: Gang Zhang <gang.zhang(a)huawei.com> Reviewed-by: Yefeng Yan <yanyefeng(a)huawei.com> Reviewed-by: Jingchao Dai <daijingchao1(a)huawei.com> --- drivers/Kconfig | 3 + drivers/Makefile | 1 + drivers/roh/Kconfig | 16 ++ drivers/roh/Makefile | 6 + drivers/roh/core/Makefile | 7 + drivers/roh/core/core.c | 481 +++++++++++++++++++++++++++++++++++ drivers/roh/core/core.h | 103 ++++++++ drivers/roh/core/core_priv.h | 21 ++ drivers/roh/core/main.c | 28 ++ 9 files changed, 666 insertions(+) create mode 100644 drivers/roh/Kconfig create mode 100644 drivers/roh/Makefile create mode 100644 drivers/roh/core/Makefile create mode 100644 drivers/roh/core/core.c create mode 100644 drivers/roh/core/core.h create mode 100644 drivers/roh/core/core_priv.h create mode 100644 drivers/roh/core/main.c diff --git a/drivers/Kconfig b/drivers/Kconfig index 9310808ee385..b1b3d958f065 100644 --- a/drivers/Kconfig +++ b/drivers/Kconfig @@ -237,4 +237,7 @@ source "drivers/interconnect/Kconfig" source "drivers/counter/Kconfig" source "drivers/most/Kconfig" + +source "drivers/roh/Kconfig" + endmenu diff --git a/drivers/Makefile b/drivers/Makefile index fd9c0b3da5f1..57e3773affcd 100644 --- a/drivers/Makefile +++ b/drivers/Makefile @@ -191,3 +191,4 @@ obj-$(CONFIG_GNSS) += gnss/ obj-$(CONFIG_INTERCONNECT) += interconnect/ obj-$(CONFIG_COUNTER) += counter/ obj-$(CONFIG_MOST) += most/ +obj-$(CONFIG_ROH) += roh/ diff --git a/drivers/roh/Kconfig b/drivers/roh/Kconfig new file mode 100644 index 000000000000..0ff2de261827 --- /dev/null +++ b/drivers/roh/Kconfig @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: GPL-2.0+ + +menuconfig ROH + tristate "ROH support" + depends on HAS_IOMEM && HAS_DMA + depends on NET + depends on INET + depends on m + select IRQ_POLL + select DIMLIB + help + Core support for ROH. Make sure to also select + any protocols you wish to use as well as drivers + for your ROH hardware. + + To compile ROH core as module, choose M here. diff --git a/drivers/roh/Makefile b/drivers/roh/Makefile new file mode 100644 index 000000000000..e5ea16bd6b21 --- /dev/null +++ b/drivers/roh/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0+ +# +# Makefile for the Linux kernel ROH device drivers. +# + +obj-$(CONFIG_ROH) += core/ diff --git a/drivers/roh/core/Makefile b/drivers/roh/core/Makefile new file mode 100644 index 000000000000..1c5ab1fc08ea --- /dev/null +++ b/drivers/roh/core/Makefile @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: GPL-2.0+ +# +# Makefile for the Linux kernel ROH Core drivers. +# + +roh_core-objs := main.o core.o +obj-$(CONFIG_ROH) += roh_core.o diff --git a/drivers/roh/core/core.c b/drivers/roh/core/core.c new file mode 100644 index 000000000000..39c1404e0d97 --- /dev/null +++ b/drivers/roh/core/core.c @@ -0,0 +1,481 @@ +// SPDX-License-Identifier: GPL-2.0+ +// Copyright (c) 2022 Hisilicon Limited. + +#include <linux/pci.h> +#include <net/rtnetlink.h> + +#include "core.h" +#include "core_priv.h" + +static DEFINE_XARRAY_FLAGS(devices, XA_FLAGS_ALLOC); +static DECLARE_RWSEM(devices_rwsem); +#define DEVICE_REGISTERED XA_MARK_1 + +static u32 highest_client_id; +#define CLIENT_REGISTERED XA_MARK_1 +static DEFINE_XARRAY_FLAGS(clients, XA_FLAGS_ALLOC); +static DECLARE_RWSEM(clients_rwsem); + +static void roh_client_put(struct roh_client *client) +{ + if (refcount_dec_and_test(&client->uses)) + complete(&client->uses_zero); +} + +#define CLIENT_DATA_REGISTERED XA_MARK_1 + +static int add_client_context(struct roh_device *device, + struct roh_client *client); +static void remove_client_context(struct roh_device *device, + unsigned int client_id); +static void __roh_unregister_device(struct roh_device *device); + +static void roh_device_release(struct device *device) +{ + struct roh_device *dev = container_of(device, struct roh_device, dev); + + WARN_ON(refcount_read(&dev->refcount)); + + mutex_destroy(&dev->unregistration_lock); + xa_destroy(&dev->client_data); + kfree(dev); +} + +static int roh_device_uevent(struct device *device, struct kobj_uevent_env *env) +{ + struct roh_device *dev = container_of(device, struct roh_device, dev); + + if (add_uevent_var(env, "NAME=%s", dev->name)) { + pr_err("failed to do add_uevent_var.\n"); + return -ENOMEM; + } + + return 0; +} + +static struct class roh_class = { + .name = "roh", + .dev_release = roh_device_release, + .dev_uevent = roh_device_uevent, +}; + +struct roh_device *roh_alloc_device(size_t size) +{ + struct roh_device *device; + + if (WARN_ON(size < sizeof(struct roh_device))) + return NULL; + + device = kzalloc(size, GFP_KERNEL); + if (!device) + return NULL; + + device->dev.class = &roh_class; + + device_initialize(&device->dev); + dev_set_drvdata(&device->dev, device); + + mutex_init(&device->unregistration_lock); + + xa_init_flags(&device->client_data, XA_FLAGS_ALLOC); + init_rwsem(&device->client_data_rwsem); + init_completion(&device->unreg_completion); + + return device; +} +EXPORT_SYMBOL(roh_alloc_device); + +void roh_dealloc_device(struct roh_device *device) +{ + down_write(&devices_rwsem); + if (xa_load(&devices, device->index) == device) + xa_erase(&devices, device->index); + up_write(&devices_rwsem); + + WARN_ON(!xa_empty(&device->client_data)); + WARN_ON(refcount_read(&device->refcount)); + + put_device(&device->dev); +} +EXPORT_SYMBOL(roh_dealloc_device); + +static int alloc_name(struct roh_device *device) +{ + struct roh_device *dev; + unsigned long index; + struct ida inuse; + int rc; + int i; + + lockdep_assert_held_write(&devices_rwsem); + + ida_init(&inuse); + xa_for_each(&devices, index, dev) { + char buf[ROH_DEVICE_NAME_MAX]; + + if (sscanf(dev_name(&dev->dev), device->name, &i) != 1) + continue; + if (i < 0 || i >= INT_MAX) + continue; + rc = snprintf(buf, sizeof(buf), device->name, i); + if (rc >= sizeof(buf) || rc < 0) { + ida_destroy(&inuse); + pr_err("device name is too long.\n"); + return -EINVAL; + } + + if (strcmp(buf, dev_name(&dev->dev)) != 0) + continue; + + rc = ida_alloc_range(&inuse, i, i, GFP_KERNEL); + if (rc < 0) + goto out; + } + + rc = ida_alloc(&inuse, GFP_KERNEL); + if (rc < 0) + goto out; + + rc = dev_set_name(&device->dev, device->name, rc); + +out: + ida_destroy(&inuse); + return rc; +} + +static void roh_device_put(struct roh_device *device) +{ + if (refcount_dec_and_test(&device->refcount)) + complete(&device->unreg_completion); +} + +struct roh_device *__roh_device_get_by_name(const char *name) +{ + struct roh_device *device; + unsigned long index; + + xa_for_each(&devices, index, device) + if (!strcmp(name, dev_name(&device->dev))) + return device; + + return NULL; +} + +static int assign_name(struct roh_device *device) +{ + static u32 last_id; + int ret; + + down_write(&devices_rwsem); + if (strchr(device->name, '%')) + ret = alloc_name(device); + else + ret = dev_set_name(&device->dev, device->name); + + if (ret) + goto out; + + if (__roh_device_get_by_name(dev_name(&device->dev))) { + ret = -ENFILE; + goto out; + } + + strlcpy(device->name, dev_name(&device->dev), ROH_DEVICE_NAME_MAX); + ret = xa_alloc_cyclic(&devices, &device->index, device, xa_limit_31b, + &last_id, GFP_KERNEL); + if (ret > 0) + ret = 0; + +out: + up_write(&devices_rwsem); + return ret; +} + +static void disable_device(struct roh_device *device) +{ + u32 cid; + + WARN_ON(!refcount_read(&device->refcount)); + + down_write(&devices_rwsem); + xa_clear_mark(&devices, device->index, DEVICE_REGISTERED); + up_write(&devices_rwsem); + + down_read(&clients_rwsem); + cid = highest_client_id; + up_read(&clients_rwsem); + while (cid) { + cid--; + remove_client_context(device, cid); + } + + roh_device_put(device); + wait_for_completion(&device->unreg_completion); +} + +static int enable_device_and_get(struct roh_device *device) +{ + struct roh_client *client; + unsigned long index; + int ret = 0; + + refcount_set(&device->refcount, MAX_DEVICE_REFCOUNT); + down_write(&devices_rwsem); + xa_set_mark(&devices, device->index, DEVICE_REGISTERED); + + downgrade_write(&devices_rwsem); + down_read(&clients_rwsem); + xa_for_each_marked(&clients, index, client, CLIENT_REGISTERED) { + ret = add_client_context(device, client); + if (ret) + break; + } + up_read(&clients_rwsem); + + up_read(&devices_rwsem); + + return ret; +} + +int roh_register_device(struct roh_device *device) +{ + int ret; + + ret = assign_name(device); + if (ret) { + pr_err("roh_core: failed to assigne name, ret = %d\n", ret); + return ret; + } + + dev_set_uevent_suppress(&device->dev, true); + ret = device_add(&device->dev); + if (ret) { + pr_err("roh_core: failed to add device, ret = %d\n", ret); + goto out; + } + + ret = enable_device_and_get(device); + dev_set_uevent_suppress(&device->dev, false); + kobject_uevent(&device->dev.kobj, KOBJ_ADD); + if (ret) { + roh_device_put(device); + __roh_unregister_device(device); + return ret; + } + + roh_device_put(device); + + return 0; +out: + dev_set_uevent_suppress(&device->dev, false); + return ret; +} +EXPORT_SYMBOL(roh_register_device); + +static void __roh_unregister_device(struct roh_device *device) +{ + mutex_lock(&device->unregistration_lock); + if (!refcount_read(&device->refcount)) + goto out; + + disable_device(device); + device_del(&device->dev); + +out: + mutex_unlock(&device->unregistration_lock); +} + +void roh_unregister_device(struct roh_device *device) +{ + get_device(&device->dev); + + __roh_unregister_device(device); + put_device(&device->dev); +} +EXPORT_SYMBOL(roh_unregister_device); + +void roh_set_client_data(struct roh_device *device, struct roh_client *client, + void *data) +{ + void *rc; + + if (WARN_ON(IS_ERR(data))) + data = NULL; + + rc = xa_store(&device->client_data, client->client_id, data, + GFP_KERNEL); + WARN_ON(xa_is_err(rc)); +} + +static void remove_client_context(struct roh_device *device, + unsigned int client_id) +{ + struct roh_client *client; + void *client_data; + + down_write(&device->client_data_rwsem); + if (!xa_get_mark(&device->client_data, client_id, + CLIENT_DATA_REGISTERED)) { + up_write(&device->client_data_rwsem); + return; + } + client_data = xa_load(&device->client_data, client_id); + xa_clear_mark(&device->client_data, client_id, CLIENT_DATA_REGISTERED); + client = xa_load(&clients, client_id); + up_write(&device->client_data_rwsem); + + if (client->remove) + client->remove(device, client_data); + + xa_erase(&device->client_data, client_id); + roh_device_put(device); + roh_client_put(client); +} + +static int add_client_context(struct roh_device *device, + struct roh_client *client) +{ + int ret = 0; + + down_write(&device->client_data_rwsem); + if (!refcount_inc_not_zero(&client->uses)) + goto out_unlock; + refcount_inc(&device->refcount); + + if (xa_get_mark(&device->client_data, client->client_id, + CLIENT_DATA_REGISTERED)) + goto out; + + ret = xa_err(xa_store(&device->client_data, client->client_id, NULL, + GFP_KERNEL)); + if (ret) + goto out; + + downgrade_write(&device->client_data_rwsem); + if (client->add) { + if (client->add(device)) { + xa_erase(&device->client_data, client->client_id); + up_read(&device->client_data_rwsem); + roh_device_put(device); + roh_client_put(client); + return 0; + } + } + + xa_set_mark(&device->client_data, client->client_id, + CLIENT_DATA_REGISTERED); + up_read(&device->client_data_rwsem); + + return 0; + +out: + roh_device_put(device); + roh_client_put(client); +out_unlock: + up_write(&device->client_data_rwsem); + return ret; +} + +static int assign_client_id(struct roh_client *client) +{ + int ret; + + down_write(&clients_rwsem); + + client->client_id = highest_client_id; + ret = xa_insert(&clients, client->client_id, client, GFP_KERNEL); + if (ret) + goto out; + + highest_client_id++; + xa_set_mark(&clients, client->client_id, CLIENT_REGISTERED); + +out: + up_write(&clients_rwsem); + return ret; +} + +static void remove_client_id(struct roh_client *client) +{ + down_write(&clients_rwsem); + xa_erase(&clients, client->client_id); + for (; highest_client_id; highest_client_id--) + if (xa_load(&clients, highest_client_id - 1)) + break; + up_write(&clients_rwsem); +} + +int roh_register_client(struct roh_client *client) +{ + struct roh_device *device; + unsigned long index; + int ret; + + refcount_set(&client->uses, 1); + init_completion(&client->uses_zero); + ret = assign_client_id(client); + if (ret) + return ret; + + down_read(&devices_rwsem); + xa_for_each_marked(&devices, index, device, DEVICE_REGISTERED) { + ret = add_client_context(device, client); + if (ret) { + up_read(&devices_rwsem); + roh_unregister_client(client); + return ret; + } + } + up_read(&devices_rwsem); + + return 0; +} + +void roh_unregister_client(struct roh_client *client) +{ + struct roh_device *device; + unsigned long index; + + down_write(&clients_rwsem); + roh_client_put(client); + xa_clear_mark(&clients, client->client_id, CLIENT_REGISTERED); + up_write(&clients_rwsem); + + rcu_read_lock(); + xa_for_each(&devices, index, device) { + if (!roh_device_try_get(device)) + continue; + rcu_read_unlock(); + + remove_client_context(device, client->client_id); + + roh_device_put(device); + rcu_read_lock(); + } + rcu_read_unlock(); + + wait_for_completion(&client->uses_zero); + remove_client_id(client); +} + +int roh_core_init(void) +{ + int ret; + + ret = class_register(&roh_class); + if (ret) { + pr_err("roh_core: couldn't create roh device class.\n"); + return ret; + } + + return 0; +} + +void roh_core_cleanup(void) +{ + class_unregister(&roh_class); +} + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Huawei Tech. Co., Ltd."); +MODULE_DESCRIPTION("ROH Core Driver"); diff --git a/drivers/roh/core/core.h b/drivers/roh/core/core.h new file mode 100644 index 000000000000..85f676a7a075 --- /dev/null +++ b/drivers/roh/core/core.h @@ -0,0 +1,103 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +// Copyright (c) 2022 Hisilicon Limited. + +#ifndef __CORE_H__ +#define __CORE_H__ + +#include <linux/types.h> +#include <linux/workqueue.h> +#include <linux/netdevice.h> +#include <net/bonding.h> + +#define ROH_DEVICE_NAME_MAX 64 +#define MAX_DEVICE_REFCOUNT 2 + +enum roh_dev_tx { + ROHDEV_TX_MIN = INT_MIN, /* make sure enum is signed */ + ROHDEV_TX_OK = 0x00, /* driver took care of packet */ + ROHDEV_TX_BUSY = 0x10, /* driver tx path was busy */ + ROHDEV_TX_LOCKED = 0x20 /* driver tx lock was already taken */ +}; + +enum roh_mib_type { ROH_MIB_PUBLIC = 0, ROH_MIB_PRIVATE }; + +static inline void convert_eid_to_mac(u8 mac[6], u32 eid) +{ + mac[0] = 0; + mac[1] = 0; + mac[2] = 0; + mac[3] = (eid >> 16) & 0xff; + mac[4] = (eid >> 8) & 0xff; + mac[5] = eid & 0xff; +} + +struct roh_eid_attr { + u32 base; + u32 num; +}; + +struct roh_guid_attr { + u8 data[16]; +}; + +struct roh_mib_stats { + struct mutex lock; /* Protect values[] */ + const char * const *names; + u32 num_counters; + u64 value[]; +}; + +struct roh_device; +struct roh_device_ops { + int (*query_guid)(struct roh_device *device, struct roh_guid_attr *attr); + int (*set_eid)(struct roh_device *device, struct roh_eid_attr *attr); + struct sk_buff *(*pkt_create)(struct net_device *ndev, + u8 *dest_mac, u8 *src_mac, int ptype, + struct roh_guid_attr *guid, u16 eid_nums); + int (*pkt_parse)(struct sk_buff *skb, struct roh_eid_attr *eid_attr, int ptype); + enum roh_dev_tx (*xmit_pkt)(struct roh_device *device, struct sk_buff *skb); + struct roh_mib_stats *(*alloc_hw_stats)(struct roh_device *device, enum roh_mib_type); + int (*get_hw_stats)(struct roh_device *device, + struct roh_mib_stats *stats, enum roh_mib_type); +}; + +struct roh_device { + struct device dev; + char name[ROH_DEVICE_NAME_MAX]; + struct roh_device_ops ops; + u32 abi_ver; + + struct rcu_head rcu_head; + struct rw_semaphore client_data_rwsem; + struct xarray client_data; + + struct module *owner; + struct net_device *netdev; + + u32 index; + /* + * Positive refcount indicates that the device is currently + * registered and cannot be unregistered. + */ + refcount_t refcount; + struct completion unreg_completion; + struct mutex unregistration_lock; /* lock for unregiste */ +}; + +static inline bool roh_device_try_get(struct roh_device *device) +{ + return refcount_inc_not_zero(&device->refcount); +} + +struct roh_device *__roh_device_get_by_name(const char *name); + +struct roh_device *roh_alloc_device(size_t size); +void roh_dealloc_device(struct roh_device *device); + +int roh_register_device(struct roh_device *device); +void roh_unregister_device(struct roh_device *device); + +int roh_core_init(void); +void roh_core_cleanup(void); + +#endif /* __CORE_H__ */ diff --git a/drivers/roh/core/core_priv.h b/drivers/roh/core/core_priv.h new file mode 100644 index 000000000000..7e21cc807044 --- /dev/null +++ b/drivers/roh/core/core_priv.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +// Copyright (c) 2022 Hisilicon Limited. + +#ifndef __CORE_PRIV_H__ +#define __CORE_PRIV_H__ + +struct roh_client { + char *name; + int (*add)(struct roh_device *device); + void (*remove)(struct roh_device *device, void *client_data); + refcount_t uses; + u32 client_id; + struct completion uses_zero; +}; + +int roh_register_client(struct roh_client *client); +void roh_unregister_client(struct roh_client *client); +void roh_set_client_data(struct roh_device *device, + struct roh_client *client, void *data); + +#endif /* __CORE_PRIV_H__ */ diff --git a/drivers/roh/core/main.c b/drivers/roh/core/main.c new file mode 100644 index 000000000000..0f766f85eaf5 --- /dev/null +++ b/drivers/roh/core/main.c @@ -0,0 +1,28 @@ +// SPDX-License-Identifier: GPL-2.0+ +// Copyright (c) 2022 Hisilicon Limited. + +#include <linux/init.h> +#include <linux/module.h> + +#include "core.h" + +static int __init roh_init(void) +{ + int ret; + + ret = roh_core_init(); + if (ret) { + pr_err("roh_core: roh core init failed.\n"); + return ret; + } + + return 0; +} + +static void __exit roh_cleanup(void) +{ + roh_core_cleanup(); +} + +module_init(roh_init); +module_exit(roh_cleanup); -- 2.20.1

1 0

[PATCH openEuler-1.0-LTS] nilfs2: fix use-after-free bug of struct nilfs_root
by Yongqiang Liu 27 Oct '22

27 Oct '22

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> mainline inclusion from mainline-v6.1-rc1 commit d325dc6eb763c10f591c239550b8c7e5466a5d09 category: bugfix bugzilla: 187877,https://gitee.com/src-openeuler/kernel/issues/I5X3MX CVE: CVE-2022-3649 -------------------------------- If the beginning of the inode bitmap area is corrupted on disk, an inode with the same inode number as the root inode can be allocated and fail soon after. In this case, the subsequent call to nilfs_clear_inode() on that bogus root inode will wrongly decrement the reference counter of struct nilfs_root, and this will erroneously free struct nilfs_root, causing kernel oopses. This fixes the problem by changing nilfs_new_inode() to skip reserved inode numbers while repairing the inode bitmap. Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+b8c672b0e22615c80fe0(a)syzkaller.appspotmail.com Reported-by: Khalid Masum <khalid.masum.92(a)gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Conflict: fs/nilfs2/inode.c Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yongqiang Liu <liuyongqiang13(a)huawei.com> --- fs/nilfs2/inode.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index 671085512e0f..ca380c6d7825 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -335,6 +335,7 @@ struct inode *nilfs_new_inode(struct inode *dir, umode_t mode) struct inode *inode; struct nilfs_inode_info *ii; struct nilfs_root *root; + struct buffer_head *bh; int err = -ENOMEM; ino_t ino; @@ -350,11 +351,26 @@ struct inode *nilfs_new_inode(struct inode *dir, umode_t mode) ii->i_state = BIT(NILFS_I_NEW); ii->i_root = root; - err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); if (unlikely(err)) goto failed_ifile_create_inode; /* reference count of i_bh inherits from nilfs_mdt_read_block() */ + if (unlikely(ino < NILFS_USER_INO)) { + nilfs_msg(sb, KERN_WARNING, + "inode bitmap is inconsistent for reserved inodes"); + do { + brelse(bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + } while (ino < NILFS_USER_INO); + + nilfs_msg(sb, KERN_INFO, + "repaired inode bitmap for reserved inodes"); + } + ii->i_bh = bh; + atomic64_inc(&root->inodes_count); inode_init_owner(inode, dir, mode); inode->i_ino = ino; -- 2.25.1

1 0

[PATCH openEuler-5.10-LTS] nilfs2: fix use-after-free bug of struct nilfs_root
by Zheng Zengkai 27 Oct '22

27 Oct '22

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> stable inclusion from stable-v5.10.148 commit 21ee3cffed8fbabb669435facfd576ba18ac8652 category: bugfix bugzilla:187877,https://gitee.com/src-openeuler/kernel/issues/I5X3MX CVE: CVE-2022-3649 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream. If the beginning of the inode bitmap area is corrupted on disk, an inode with the same inode number as the root inode can be allocated and fail soon after. In this case, the subsequent call to nilfs_clear_inode() on that bogus root inode will wrongly decrement the reference counter of struct nilfs_root, and this will erroneously free struct nilfs_root, causing kernel oopses. This fixes the problem by changing nilfs_new_inode() to skip reserved inode numbers while repairing the inode bitmap. Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+b8c672b0e22615c80fe0(a)syzkaller.appspotmail.com Reported-by: Khalid Masum <khalid.masum.92(a)gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> --- fs/nilfs2/inode.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index 95684fa3c985..3e4874b0c55c 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -332,6 +332,7 @@ struct inode *nilfs_new_inode(struct inode *dir, umode_t mode) struct inode *inode; struct nilfs_inode_info *ii; struct nilfs_root *root; + struct buffer_head *bh; int err = -ENOMEM; ino_t ino; @@ -347,11 +348,25 @@ struct inode *nilfs_new_inode(struct inode *dir, umode_t mode) ii->i_state = BIT(NILFS_I_NEW); ii->i_root = root; - err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); if (unlikely(err)) goto failed_ifile_create_inode; /* reference count of i_bh inherits from nilfs_mdt_read_block() */ + if (unlikely(ino < NILFS_USER_INO)) { + nilfs_warn(sb, + "inode bitmap is inconsistent for reserved inodes"); + do { + brelse(bh); + err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + } while (ino < NILFS_USER_INO); + + nilfs_info(sb, "repaired inode bitmap for reserved inodes"); + } + ii->i_bh = bh; + atomic64_inc(&root->inodes_count); inode_init_owner(inode, dir, mode); inode->i_ino = ino; -- 2.20.1

1 0

[PATCH openEuler-5.10-LTS 01/31] ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted
by Zheng Zengkai 26 Oct '22

26 Oct '22

From: Zhihao Cheng <chengzhihao1(a)huawei.com> hulk inclusion category: bugfix bugzilla: 187685, https://gitee.com/openeuler/kernel/issues/I5VVZX CVE: NA -------------------------------- Fix bad space budget when symlink file is encrypted. Bad space budget may let make_reservation() return with -ENOSPC, which could turn ubifs to read-only mode in do_writepage() process. Fetch a reproducer in [Link]. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216490 Fixes: ca7f85be8d6cf9 ("ubifs: Add support for encrypted symlinks") Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai(a)huawei.com> --- fs/ubifs/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c index f5777f59a101..b73904c1fbf7 100644 --- a/fs/ubifs/dir.c +++ b/fs/ubifs/dir.c @@ -1145,7 +1145,6 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry, int err, sz_change, len = strlen(symname); struct fscrypt_str disk_link; struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1, - .new_ino_d = ALIGN(len, 8), .dirtied_ino = 1 }; struct fscrypt_name nm; @@ -1161,6 +1160,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry *dentry, * Budget request settings: new inode, new direntry and changing parent * directory inode. */ + req.new_ino_d = ALIGN(disk_link.len - 1, 8); err = ubifs_budget_space(c, &req); if (err) return err; -- 2.20.1

1 30

2024

2023

2022

2021

2020

2019

Kernel