- Kernel - mailweb.openeuler.org

[PATCH kernel-4.19 1/3] bpf: Inherit expanded/patched seen count from old aux data
by Yang Yingliang 05 Jul '21

05 Jul '21

From: Daniel Borkmann <daniel(a)iogearbox.net> mainline inclusion from mainline-v5.13-rc7 commit d203b0fd863a2261e5d00b97f3d060c4c2a6db71 category: bugfix bugzilla: NA CVE: CVE-2021-33624 -------------------------------- Instead of relying on current env->pass_cnt, use the seen count from the old aux data in adjust_insn_aux_data(), and expand it to the new range of patched instructions. This change is valid given we always expand 1:n with n>=1, so what applies to the old/original instruction needs to apply for the replacement as well. Not relying on env->pass_cnt is a prerequisite for a later change where we want to avoid marking an instruction seen when verified under speculative execution path. Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Reviewed-by: John Fastabend <john.fastabend(a)gmail.com> Reviewed-by: Benedict Schlueter <benedict.schlueter(a)rub.de> Reviewed-by: Piotr Krysiuk <piotras(a)gmail.com> Acked-by: Alexei Starovoitov <ast(a)kernel.org> Conflicts: kernel/bpf/verifier.c seen of bpf_insn_aux_data is bool in kernel-4.19. Signed-off-by: He Fengqing <hefengqing(a)huawei.com> Reviewed-by: Kuohai Xu <xukuohai(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- kernel/bpf/verifier.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ac02469d0f154..6b919fba40c00 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5853,6 +5853,7 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, u32 off, u32 cnt) { struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; + bool old_seen = old_data[off].seen; int i; if (cnt == 1) @@ -5864,8 +5865,10 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); memcpy(new_data + off + cnt - 1, old_data + off, sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); - for (i = off; i < off + cnt - 1; i++) - new_data[i].seen = true; + for (i = off; i < off + cnt - 1; i++) { + /* Expand insni[off]'s seen count to the patched range. */ + new_data[i].seen = old_seen; + } env->insn_aux_data = new_data; vfree(old_data); return 0; -- 2.25.1

1 2

[PATCH kernel-4.19] nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout
by Yang Yingliang 02 Jul '21

02 Jul '21

From: Chao Leng <lengchao(a)huawei.com> mainline inclusion from mainline-v5.11-rc5 commit 7674073b2ed35ac951a49c425dec6b39d5a57140 category: bugfix bugzilla: NA CVE: NA Link: https://gitee.com/openeuler/kernel/issues/I1WGZE ------------------------------------------------- A crash happens when inject completing request long time(nearly 30s). Each name space has a request queue, when inject completing request long time, multi request queues may have time out requests at the same time, nvme_rdma_timeout will execute concurrently. Multi requests in different request queues may be queued in the same rdma queue, multi nvme_rdma_timeout may call nvme_rdma_stop_queue at the same time. The first nvme_rdma_timeout will clear NVME_RDMA_Q_LIVE and continue stopping the rdma queue(drain qp), but the others check NVME_RDMA_Q_LIVE is already cleared, and then directly complete the requests, complete request before the qp is fully drained may lead to a use-after-free condition. Add a multex lock to serialize nvme_rdma_stop_queue. Signed-off-by: Chao Leng <lengchao(a)huawei.com> Tested-by: Israel Rukshin <israelr(a)nvidia.com> Reviewed-by: Israel Rukshin <israelr(a)nvidia.com> Signed-off-by: Christoph Hellwig <hch(a)lst.de> conflicts: drivers/nvme/host/rdma.c [lrz: adjust context] Signed-off-by: Ruozhu Li <liruozhu(a)huawei.com> Reviewed-by: Hou Tao <houtao1(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/nvme/host/rdma.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c index 158d7417bcea6..91ff9262f6729 100644 --- a/drivers/nvme/host/rdma.c +++ b/drivers/nvme/host/rdma.c @@ -93,6 +93,7 @@ struct nvme_rdma_queue { struct rdma_cm_id *cm_id; int cm_error; struct completion cm_done; + struct mutex queue_lock; }; struct nvme_rdma_ctrl { @@ -503,6 +504,7 @@ static int nvme_rdma_alloc_queue(struct nvme_rdma_ctrl *ctrl, int ret; queue = &ctrl->queues[idx]; + mutex_init(&queue->queue_lock); queue->ctrl = ctrl; init_completion(&queue->cm_done); @@ -518,7 +520,8 @@ static int nvme_rdma_alloc_queue(struct nvme_rdma_ctrl *ctrl, if (IS_ERR(queue->cm_id)) { dev_info(ctrl->ctrl.device, "failed to create CM ID: %ld\n", PTR_ERR(queue->cm_id)); - return PTR_ERR(queue->cm_id); + ret = PTR_ERR(queue->cm_id); + goto out_destroy_mutex; } if (ctrl->ctrl.opts->mask & NVMF_OPT_HOST_TRADDR) @@ -548,6 +551,8 @@ static int nvme_rdma_alloc_queue(struct nvme_rdma_ctrl *ctrl, out_destroy_cm_id: rdma_destroy_id(queue->cm_id); nvme_rdma_destroy_queue_ib(queue); +out_destroy_mutex: + mutex_destroy(&queue->queue_lock); return ret; } @@ -559,10 +564,10 @@ static void __nvme_rdma_stop_queue(struct nvme_rdma_queue *queue) static void nvme_rdma_stop_queue(struct nvme_rdma_queue *queue) { - if (!test_and_clear_bit(NVME_RDMA_Q_LIVE, &queue->flags)) - return; - - __nvme_rdma_stop_queue(queue); + mutex_lock(&queue->queue_lock); + if (test_and_clear_bit(NVME_RDMA_Q_LIVE, &queue->flags)) + __nvme_rdma_stop_queue(queue); + mutex_unlock(&queue->queue_lock); } static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue) @@ -572,6 +577,7 @@ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue) nvme_rdma_destroy_queue_ib(queue); rdma_destroy_id(queue->cm_id); + mutex_destroy(&queue->queue_lock); } static void nvme_rdma_free_io_queues(struct nvme_rdma_ctrl *ctrl) -- 2.25.1

1 0

[PATCH kernel-4.19] binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf
by Yang Yingliang 02 Jul '21

02 Jul '21

From: "Eric W. Biederman" <ebiederm(a)xmission.com> mainline inclusion from mainline-v5.8-rc1 commit e7f7785449a1f459a4a3ca92f82f56fb054dd2b9 category: bugfix bugzilla: 36868 CVE: NA ----------------------------------------------- In 2016 Linus moved install_exec_creds immediately after setup_new_exec, in binfmt_elf as a cleanup and as part of closing a potential information leak. Perform the same cleanup for the other binary formats. Different binary formats doing the same things the same way makes exec easier to reason about and easier to maintain. Greg Ungerer reports: > I tested the the whole series on non-MMU m68k and non-MMU arm > (exercising binfmt_flat) and it all tested out with no problems, > so for the binfmt_flat changes: Tested-by: Greg Ungerer <gerg(a)linux-m68k.org> Ref: 9f834ec18def ("binfmt_elf: switch to new creds when switching to new mm") Reviewed-by: Kees Cook <keescook(a)chromium.org> Reviewed-by: Greg Ungerer <gerg(a)linux-m68k.org> Signed-off-by: "Eric W. Biederman" <ebiederm(a)xmission.com> Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- arch/x86/ia32/ia32_aout.c | 3 +-- fs/binfmt_aout.c | 2 +- fs/binfmt_elf_fdpic.c | 2 +- fs/binfmt_flat.c | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c index 7dbbe9ffda173..8d78ea00d75fe 100644 --- a/arch/x86/ia32/ia32_aout.c +++ b/arch/x86/ia32/ia32_aout.c @@ -298,6 +298,7 @@ static int load_aout_binary(struct linux_binprm *bprm) set_personality_ia32(false); setup_new_exec(bprm); + install_exec_creds(bprm); regs->cs = __USER32_CS; regs->r8 = regs->r9 = regs->r10 = regs->r11 = regs->r12 = @@ -314,8 +315,6 @@ static int load_aout_binary(struct linux_binprm *bprm) if (retval < 0) return retval; - install_exec_creds(bprm); - if (N_MAGIC(ex) == OMAGIC) { unsigned long text_addr, map_size; diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c index ca9725f18e005..af09b55d5ac52 100644 --- a/fs/binfmt_aout.c +++ b/fs/binfmt_aout.c @@ -244,6 +244,7 @@ static int load_aout_binary(struct linux_binprm * bprm) set_personality(PER_LINUX); #endif setup_new_exec(bprm); + install_exec_creds(bprm); current->mm->end_code = ex.a_text + (current->mm->start_code = N_TXTADDR(ex)); @@ -256,7 +257,6 @@ static int load_aout_binary(struct linux_binprm * bprm) if (retval < 0) return retval; - install_exec_creds(bprm); if (N_MAGIC(ex) == OMAGIC) { unsigned long text_addr, map_size; diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index b53bb3729ac1e..60896c16f103c 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -357,6 +357,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm) current->personality |= READ_IMPLIES_EXEC; setup_new_exec(bprm); + install_exec_creds(bprm); set_binfmt(&elf_fdpic_format); @@ -438,7 +439,6 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm) current->mm->start_stack = current->mm->start_brk + stack_size; #endif - install_exec_creds(bprm); if (create_elf_fdpic_tables(bprm, current->mm, &exec_params, &interp_params) < 0) goto error; diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c index e4b59e76afb0d..bbeff9385d609 100644 --- a/fs/binfmt_flat.c +++ b/fs/binfmt_flat.c @@ -517,6 +517,7 @@ static int load_flat_file(struct linux_binprm *bprm, /* OK, This is the point of no return */ set_personality(PER_LINUX_32BIT); setup_new_exec(bprm); + install_exec_creds(bprm); } /* @@ -940,8 +941,6 @@ static int load_flat_binary(struct linux_binprm *bprm) } } - install_exec_creds(bprm); - set_binfmt(&flat_format); #ifdef CONFIG_MMU -- 2.25.1

1 0

[PATCH kernel-4.19 000/106] backport linux-4.19.196
by Yang Yingliang 02 Jul '21

02 Jul '21

Andreas Gruenbacher (1): gfs2: Prevent direct-I/O write fallback errors from getting lost Andrew Lunn (1): usb: core: hub: Disable autosuspend for Cypress CY7C65632 Andrew Morton (1): mm/slub.c: include swab.h Anirudh Rayabharam (1): HID: usbhid: fix info leak in hid_submit_ctrl Antti Järvinen (1): PCI: Mark TI C667X to avoid bus reset Arnaldo Carvalho de Melo (1): tools headers UAPI: Sync linux/in.h copy with the kernel sources Arnd Bergmann (1): ARM: 9081/1: fix gcc-10 thumb2-kernel regression Austin Kim (1): net: ethtool: clear heap allocations for ethtool function Aya Levin (1): net/mlx5e: Block offload of outer header csum for UDP tunnels Bixuan Cui (1): HID: gt683r: add missing MODULE_DEVICE_TABLE Bumyong Lee (1): dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc Changbin Du (1): net: make get_net_ns return error if NET_NS is disabled Chen Li (1): radeon: use memcpy_to/fromio for UVD fw upload Chengyang Fan (1): net: ipv4: fix memory leak in ip_mc_add1_src Christian König (2): drm/nouveau: wait for moving fence after pinning v2 drm/radeon: wait for moving fence after pinning Christophe JAILLET (4): alx: Fix an error handling path in 'alx_probe()' qlcnic: Fix an error handling path in 'qlcnic_probe()' netxen_nic: Fix an error handling path in 'netxen_nic_probe()' be2net: Fix an error handling path in 'be_probe()' Dan Carpenter (1): afs: Fix an IS_ERR() vs NULL check Dan Robertson (1): net: ieee802154: fix null deref in parse dev addr Dongliang Mu (1): net: usb: fix possible use-after-free in smsc75xx_bind Du Cheng (1): cfg80211: call cfg80211_leave_ocb when switching away from OCB Eric Auger (1): KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read Eric Dumazet (5): net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock inet: use bigger hash table for IP ID generation inet: annotate date races around sk->sk_txhash net/packet: annotate accesses to po->bind net/packet: annotate accesses to po->ifindex Esben Haabendal (1): net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Ewan D. Milne (1): scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V Fabien Dessenne (1): pinctrl: stm32: fix the reported number of GPIO lines per bank Fuad Tabba (1): KVM: selftests: Fix kvm_check_cap() assertion Fugang Duan (1): net: fec_ptp: add clock rate zero check Hannes Reinecke (3): nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Hillf Danton (1): gfs2: Fix use-after-free in gfs2_glock_shrink_scan Huy Nguyen (1): net/mlx5e: Remove dependency in IPsec initialization flows Ido Schimmel (1): rtnetlink: Fix regression in bridge VLAN configuration Jack Pham (1): usb: dwc3: debugfs: Add and remove endpoint dirs dynamically Jack Yu (1): ASoC: rt5659: Fix the lost powers for the HDA header Jakub Kicinski (1): ptp: improve max_adj check against unreasonable values Jiapeng Chong (2): ethernet: myri10ge: Fix missing error code in myri10ge_probe() rtnetlink: Fix missing error code in rtnl_bridge_notify() Jisheng Zhang (1): net: stmmac: dwmac1000: Fix extended MAC address registers definition Joakim Zhang (1): net: fec_ptp: fix issue caused by refactor the fec_devtype Johan Hovold (1): i2c: robotfuzz-osif: fix control-request directions Johannes Berg (3): cfg80211: make certificate generation more robust mac80211: remove warning in ieee80211_get_sband() mac80211: drop multicast fragments Josh Triplett (1): net: ipconfig: Don't override command-line hostnames or domains Kees Cook (5): mm/slub: clarify verification reporting r8152: Avoid memcpy() over-reading of ETH_SS_STATS sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS r8169: Avoid memcpy() over-reading of ETH_SS_STATS net: qed: Fix memcpy() overflow of qed_dcbx_params() Linyu Yuan (1): net: cdc_eem: fix tx fixup skb leak Maciej Żenczykowski (1): net: cdc_ncm: switch to eth%d interface naming Mark Bolhuis (1): HID: Add BUS_VIRTUAL to hid_connect logging Maurizio Lombardi (1): scsi: target: core: Fix warning on realtime kernels Maxim Mikityanskiy (2): netfilter: synproxy: Fix out of bounds when parsing TCP options sch_cake: Fix out of bounds when parsing TCP options and header Mikel Rychliski (1): PCI: Add AMD RS690 quirk to enable 64-bit DMA Mimi Zohar (1): module: limit enabling module.sig_enforce Nanyong Sun (1): net: ipv4: fix memory leak in netlbl_cipsov4_add_std Nathan Chancellor (2): Makefile: Move -Wno-unused-but-set-variable out of GCC only block MIPS: generic: Update node names to avoid unit addresses Nikolay Aleksandrov (2): net: bridge: fix vlan tunnel dst null pointer dereference net: bridge: fix vlan tunnel dst refcnt when egressing Nirenjan Krishnan (1): HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 Paolo Abeni (1): udp: fix race between close() and udp_abort() Pavel Skripkin (7): net: rds: fix memory leak in rds_recvmsg net: qrtr: fix OOB Read in qrtr_endpoint_post net: hamradio: fix memory leak in mkiss_close net: ethernet: fix potential use-after-free in ec_bhf_remove can: mcba_usb: fix memory leak in mcba_usb net: caif: fix memory leak in ldisc_open nilfs2: fix memory leak in nilfs_sysfs_delete_device_group Pedro Tammela (1): net: add documentation to socket.c Peter Chen (1): usb: dwc3: core: fix kernel panic when do reboot Rafael J. Wysocki (1): Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" Randy Dunlap (2): dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM Riwen Lu (1): hwmon: (scpi-hwmon) shows the negative temperature properly Sasha Levin (1): Linux 4.19.196 Sergio Paracuellos (1): pinctrl: ralink: rt2880: avoid to error in calls is pin is already enabled Shalom Toledo (1): ptp: ptp_clock: Publish scaled_ppm_to_ppb Shanker Donthineni (1): PCI: Mark some NVIDIA GPUs to avoid bus reset Sriharsha Basavapatna (1): PCI: Add ACS quirk for Broadcom BCM57414 NIC Srinivas Pandruvada (1): HID: hid-sensor-hub: Return error for hid_set_field() failure Steven Rostedt (VMware) (3): tracing: Do not stop recording cmdlines when tracing is off tracing: Do not stop recording comms if the trace file is being read tracing: Do no increment trace_clock_global() by one Sven Eckelmann (1): batman-adv: Avoid WARN_ON timing related checks Tetsuo Handa (1): can: bcm/raw/isotp: use per module netdevice notifier Thomas Gleixner (1): x86/fpu: Reset state for all signal restore failures Toke Høiland-Jørgensen (1): icmp: don't send out ICMP messages with a source address of 0.0.0.0 Vineet Gupta (1): ARCv2: save ABI registers across signal handling Yang Yingliang (1): dmaengine: stedma40: add missing iounmap() on error in d40_probe() Yongqiang Liu (1): ARM: OMAP2+: Fix build warning when mmc_omap is not built Zheng Yongjun (4): net/x25: Return the correct errno code net: Return the correct errno code fib: Return the correct errno code ping: Check return value of function 'ping_queue_rcv_skb' Documentation/vm/slub.rst | 10 +- Makefile | 5 +- arch/arc/include/uapi/asm/sigcontext.h | 1 + arch/arc/kernel/signal.c | 43 +++ arch/arm/kernel/setup.c | 16 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/mips/generic/board-boston.its.S | 10 +- arch/mips/generic/board-ni169445.its.S | 10 +- arch/mips/generic/board-xilfpga.its.S | 10 +- arch/mips/generic/vmlinux.its.S | 10 +- arch/x86/kernel/fpu/signal.c | 31 +- arch/x86/pci/fixup.c | 44 +++ drivers/dma/Kconfig | 1 + drivers/dma/pl330.c | 6 +- drivers/dma/qcom/Kconfig | 1 + drivers/dma/ste_dma40.c | 3 + drivers/gpu/drm/nouveau/nouveau_prime.c | 17 +- drivers/gpu/drm/radeon/radeon_prime.c | 16 +- drivers/gpu/drm/radeon/radeon_uvd.c | 4 +- drivers/hid/hid-core.c | 3 + drivers/hid/hid-gt683r.c | 1 + drivers/hid/hid-ids.h | 1 + drivers/hid/hid-quirks.c | 1 + drivers/hid/hid-sensor-hub.c | 13 +- drivers/hid/usbhid/hid-core.c | 2 +- drivers/hwmon/scpi-hwmon.c | 9 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 4 +- drivers/net/caif/caif_serial.c | 1 + drivers/net/can/usb/mcba_usb.c | 17 +- drivers/net/ethernet/atheros/alx/main.c | 1 + drivers/net/ethernet/ec_bhf.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 1 + drivers/net/ethernet/freescale/fec_ptp.c | 8 +- .../mellanox/mlx5/core/en_accel/ipsec.c | 3 - .../net/ethernet/mellanox/mlx5/core/en_main.c | 7 +- .../net/ethernet/myricom/myri10ge/myri10ge.c | 1 + .../ethernet/qlogic/netxen/netxen_nic_main.c | 2 + drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + drivers/net/ethernet/realtek/r8169.c | 2 +- drivers/net/ethernet/renesas/sh_eth.c | 2 +- .../net/ethernet/stmicro/stmmac/dwmac1000.h | 8 +- drivers/net/ethernet/xilinx/ll_temac_main.c | 5 + drivers/net/hamradio/mkiss.c | 1 + drivers/net/usb/cdc_eem.c | 2 +- drivers/net/usb/cdc_ncm.c | 2 +- drivers/net/usb/r8152.c | 2 +- drivers/net/usb/smsc75xx.c | 10 +- drivers/nvme/target/loop.c | 5 +- drivers/pci/pci.c | 16 +- drivers/pci/quirks.c | 24 ++ drivers/pinctrl/stm32/pinctrl-stm32.c | 9 +- drivers/ptp/ptp_clock.c | 7 +- drivers/scsi/scsi_devinfo.c | 1 + .../staging/mt7621-pinctrl/pinctrl-rt2880.c | 2 +- drivers/target/target_core_transport.c | 4 +- drivers/usb/core/hub.c | 7 + drivers/usb/dwc3/core.c | 2 +- drivers/usb/dwc3/debug.h | 3 + drivers/usb/dwc3/debugfs.c | 21 +- drivers/usb/dwc3/gadget.c | 3 + fs/afs/main.c | 4 +- fs/gfs2/file.c | 5 +- fs/gfs2/glock.c | 2 +- fs/nilfs2/sysfs.c | 1 + include/linux/hid.h | 3 +- include/linux/net.h | 6 + include/linux/ptp_clock_kernel.h | 8 + include/linux/socket.h | 14 +- include/net/net_namespace.h | 7 + include/net/sock.h | 10 +- include/uapi/linux/in.h | 3 + kernel/module.c | 9 + kernel/trace/trace.c | 11 - kernel/trace/trace_clock.c | 6 +- mm/slub.c | 15 +- net/batman-adv/bat_iv_ogm.c | 4 +- net/bridge/br_private.h | 4 +- net/bridge/br_vlan_tunnel.c | 38 ++- net/can/bcm.c | 59 +++- net/can/raw.c | 62 +++- net/compat.c | 2 +- net/core/ethtool.c | 10 +- net/core/fib_rules.c | 2 +- net/core/net_namespace.c | 12 + net/core/rtnetlink.c | 4 + net/ieee802154/nl802154.c | 9 +- net/ipv4/cipso_ipv4.c | 1 + net/ipv4/icmp.c | 7 + net/ipv4/igmp.c | 1 + net/ipv4/ipconfig.c | 13 +- net/ipv4/ping.c | 12 +- net/ipv4/route.c | 42 ++- net/ipv4/udp.c | 10 + net/ipv6/udp.c | 3 + net/mac80211/ieee80211_i.h | 2 +- net/mac80211/rx.c | 9 +- net/netfilter/nf_synproxy_core.c | 5 + net/packet/af_packet.c | 32 +- net/qrtr/qrtr.c | 2 +- net/rds/recv.c | 2 +- net/sched/sch_cake.c | 6 +- net/socket.c | 276 ++++++++++++++++-- net/unix/af_unix.c | 7 +- net/wireless/Makefile | 2 +- net/wireless/util.c | 3 + net/x25/af_x25.c | 2 +- sound/soc/codecs/rt5659.c | 26 +- tools/include/uapi/linux/in.h | 3 + tools/testing/selftests/kvm/lib/kvm_util.c | 2 +- virt/kvm/arm/vgic/vgic-kvm-device.c | 4 +- 111 files changed, 942 insertions(+), 302 deletions(-) -- 2.25.1

1 106

[PATCH kernel-4.19] ext4: fix memory leak in ext4_fill_super
by Yang Yingliang 01 Jul '21

01 Jul '21

From: Pavel Skripkin <paskripkin(a)gmail.com> mainline inclusion from mainline-5.14 commit 618f003199c6188e01472b03cdbba227f1dc5f24 category: bugfix bugzilla: 167360 CVE: NA ------------------------------------------------- static int kthread(void *_create) will return -ENOMEM or -EINTR in case of internal failure or kthread_stop() call happens before threadfn call. To prevent fancy error checking and make code more straightforward we moved all cleanup code out of kmmpd threadfn. Also, dropped struct mmpd_data at all. Now struct super_block is a threadfn data and struct buffer_head embedded into struct ext4_sb_info. Reported-by: syzbot+d9e482e303930fa4f6ff(a)syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Link: https://lore.kernel.org/r/20210430185046.15742-1-paskripkin@gmail.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Conflicts: fs/ext4/ext4.h fs/ext4/super.c Signed-off-by: Baokun Li <libaokun1(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/ext4/ext4.h | 4 ++++ fs/ext4/mmp.c | 28 +++++++++++++--------------- fs/ext4/super.c | 11 +++++------ 3 files changed, 22 insertions(+), 21 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index d4e98941c5ad4..b3e3f93385684 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -1407,6 +1407,7 @@ struct ext4_sb_info { struct kobject s_kobj; struct completion s_kobj_unregister; struct super_block *s_sb; + struct buffer_head *s_mmp_bh; /* Journaling */ struct journal_s *s_journal; @@ -3391,6 +3392,9 @@ extern int ext4_bio_write_page(struct ext4_io_submit *io, /* mmp.c */ extern int ext4_multi_mount_protect(struct super_block *, ext4_fsblk_t); +/* mmp.c */ +extern void ext4_stop_mmpd(struct ext4_sb_info *sbi); + /* * Add new method to test whether block and inode bitmaps are properly * initialized. With uninit_bg reading the block from disk is not enough diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c index 795c3ff2907c2..623bad399612f 100644 --- a/fs/ext4/mmp.c +++ b/fs/ext4/mmp.c @@ -127,9 +127,9 @@ void __dump_mmp_msg(struct super_block *sb, struct mmp_struct *mmp, */ static int kmmpd(void *data) { - struct super_block *sb = ((struct mmpd_data *) data)->sb; - struct buffer_head *bh = ((struct mmpd_data *) data)->bh; + struct super_block *sb = (struct super_block *) data; struct ext4_super_block *es = EXT4_SB(sb)->s_es; + struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh; struct mmp_struct *mmp; ext4_fsblk_t mmp_block; u32 seq = 0; @@ -245,12 +245,18 @@ static int kmmpd(void *data) retval = write_mmp_block(sb, bh); exit_thread: - EXT4_SB(sb)->s_mmp_tsk = NULL; - kfree(data); - brelse(bh); return retval; } +void ext4_stop_mmpd(struct ext4_sb_info *sbi) +{ + if (sbi->s_mmp_tsk) { + kthread_stop(sbi->s_mmp_tsk); + brelse(sbi->s_mmp_bh); + sbi->s_mmp_tsk = NULL; + } +} + /* * Get a random new sequence number but make sure it is not greater than * EXT4_MMP_SEQ_MAX. @@ -275,7 +281,6 @@ int ext4_multi_mount_protect(struct super_block *sb, struct ext4_super_block *es = EXT4_SB(sb)->s_es; struct buffer_head *bh = NULL; struct mmp_struct *mmp = NULL; - struct mmpd_data *mmpd_data; u32 seq; unsigned int mmp_check_interval = le16_to_cpu(es->s_mmp_update_interval); unsigned int wait_time = 0; @@ -364,24 +369,17 @@ int ext4_multi_mount_protect(struct super_block *sb, goto failed; } - mmpd_data = kmalloc(sizeof(*mmpd_data), GFP_KERNEL); - if (!mmpd_data) { - ext4_warning(sb, "not enough memory for mmpd_data"); - goto failed; - } - mmpd_data->sb = sb; - mmpd_data->bh = bh; + EXT4_SB(sb)->s_mmp_bh = bh; /* * Start a kernel thread to update the MMP block periodically. */ - EXT4_SB(sb)->s_mmp_tsk = kthread_run(kmmpd, mmpd_data, "kmmpd-%.*s", + EXT4_SB(sb)->s_mmp_tsk = kthread_run(kmmpd, sb, "kmmpd-%.*s", (int)sizeof(mmp->mmp_bdevname), bdevname(bh->b_bdev, mmp->mmp_bdevname)); if (IS_ERR(EXT4_SB(sb)->s_mmp_tsk)) { EXT4_SB(sb)->s_mmp_tsk = NULL; - kfree(mmpd_data); ext4_warning(sb, "Unable to create kmmpd thread for %s.", sb->s_id); goto failed; diff --git a/fs/ext4/super.c b/fs/ext4/super.c index f66bbe73d1a94..ef7b7267b2ae8 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1225,8 +1225,9 @@ static void ext4_put_super(struct super_block *sb) ext4_xattr_destroy_cache(sbi->s_ea_block_cache); sbi->s_ea_block_cache = NULL; } - if (sbi->s_mmp_tsk) - kthread_stop(sbi->s_mmp_tsk); + + ext4_stop_mmpd(sbi); + brelse(sbi->s_sbh); sb->s_fs_info = NULL; /* @@ -4851,8 +4852,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) failed_mount3: flush_work(&sbi->s_error_work); del_timer_sync(&sbi->s_err_report); - if (sbi->s_mmp_tsk) - kthread_stop(sbi->s_mmp_tsk); + ext4_stop_mmpd(sbi); failed_mount2: rcu_read_lock(); group_desc = rcu_dereference(sbi->s_group_desc); @@ -5647,8 +5647,7 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data) */ ext4_mark_recovery_complete(sb, es); } - if (sbi->s_mmp_tsk) - kthread_stop(sbi->s_mmp_tsk); + ext4_stop_mmpd(sbi); } else { /* Make sure we can mount this feature set readwrite */ if (ext4_has_feature_readonly(sb) || -- 2.25.1

1 0

[PATCH kernel-4.19 01/13] RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks
by Yang Yingliang 01 Jul '21

01 Jul '21

From: Xi Wang <wangxi11(a)huawei.com> driver inclusion category: bugfix bugzilla: NA CVE: NA This helper iterates over a DMA-mapped SGL and returns contiguous memory blocks aligned to a HW supported page size. Suggested-by: Jason Gunthorpe <jgg(a)ziepe.ca> Signed-off-by: Shiraz Saleem <shiraz.saleem(a)intel.com> Signed-off-by: Jason Gunthorpe <jgg(a)mellanox.com> Signed-off-by: Xi Wang <wangxi11(a)huawei.com> Signed-off-by: Shunfeng Yang <yangshunfeng2(a)huawei.com> Reviewed-by: chunzhi hu <huchunzhi(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/infiniband/core/verbs.c | 34 ++++++++++++++++++++++++ include/rdma/ib_verbs.h | 47 +++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c index e1ecd4682c096..6467645c84d09 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -2628,3 +2628,37 @@ void ib_drain_qp(struct ib_qp *qp) ib_drain_rq(qp); } EXPORT_SYMBOL(ib_drain_qp); + +void __rdma_block_iter_start(struct ib_block_iter *biter, + struct scatterlist *sglist, unsigned int nents, + unsigned long pgsz) +{ + memset(biter, 0, sizeof(struct ib_block_iter)); + biter->__sg = sglist; + biter->__sg_nents = nents; + + /* Driver provides best block size to use */ + biter->__pg_bit = __fls(pgsz); +} +EXPORT_SYMBOL(__rdma_block_iter_start); + +bool __rdma_block_iter_next(struct ib_block_iter *biter) +{ + unsigned int block_offset; + + if (!biter->__sg_nents || !biter->__sg) + return false; + + biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance; + block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1); + biter->__sg_advance += BIT_ULL(biter->__pg_bit) - block_offset; + + if (biter->__sg_advance >= sg_dma_len(biter->__sg)) { + biter->__sg_advance = 0; + biter->__sg = sg_next(biter->__sg); + biter->__sg_nents--; + } + + return true; +} +EXPORT_SYMBOL(__rdma_block_iter_next); diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h index c1c1a61d81f6e..43a7426b43a15 100644 --- a/include/rdma/ib_verbs.h +++ b/include/rdma/ib_verbs.h @@ -2629,6 +2629,21 @@ struct ib_client { struct list_head list; }; +/* + * IB block DMA iterator + * + * Iterates the DMA-mapped SGL in contiguous memory blocks aligned + * to a HW supported page size. + */ +struct ib_block_iter { + /* internal states */ + struct scatterlist *__sg; /* sg holding the current aligned block */ + dma_addr_t __dma_addr; /* unaligned DMA address of this block */ + unsigned int __sg_nents; /* number of SG entries */ + unsigned int __sg_advance; /* number of bytes to advance in sg in next step */ + unsigned int __pg_bit; /* alignment of current block */ +}; + struct ib_device *ib_alloc_device(size_t size); void ib_dealloc_device(struct ib_device *device); @@ -2642,6 +2657,38 @@ void ib_unregister_device(struct ib_device *device); int ib_register_client (struct ib_client *client); void ib_unregister_client(struct ib_client *client); +void __rdma_block_iter_start(struct ib_block_iter *biter, + struct scatterlist *sglist, + unsigned int nents, + unsigned long pgsz); +bool __rdma_block_iter_next(struct ib_block_iter *biter); + +/** + * rdma_block_iter_dma_address - get the aligned dma address of the current + * block held by the block iterator. + * @biter: block iterator holding the memory block + */ +static inline dma_addr_t +rdma_block_iter_dma_address(struct ib_block_iter *biter) +{ + return biter->__dma_addr & ~(BIT_ULL(biter->__pg_bit) - 1); +} + +/** + * rdma_for_each_block - iterate over contiguous memory blocks of the sg list + * @sglist: sglist to iterate over + * @biter: block iterator holding the memory block + * @nents: maximum number of sg entries to iterate over + * @pgsz: best HW supported page size to use + * + * Callers may use rdma_block_iter_dma_address() to get each + * blocks aligned DMA address. + */ +#define rdma_for_each_block(sglist, biter, nents, pgsz) \ + for (__rdma_block_iter_start(biter, sglist, nents, \ + pgsz); \ + __rdma_block_iter_next(biter);) + void *ib_get_client_data(struct ib_device *device, struct ib_client *client); void ib_set_client_data(struct ib_device *device, struct ib_client *client, void *data); -- 2.25.1

1 12

[PATCH kernel-4.19] can: bcm: delay release of struct bcm_op after synchronize_rcu()
by Yang Yingliang 01 Jul '21

01 Jul '21

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> mainline inclusion from mainline-v5.14-rc1 commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 category: bugfix bugzilla: NA CVE: CVE-2021-3609 -------------------------------- can_rx_register() callbacks may be called concurrently to the call to can_rx_unregister(). The callbacks and callback data, though, are protected by RCU and the struct sock reference count. So the callback data is really attached to the life of sk, meaning that it should be released on sk_destruct. However, bcm_remove_op() calls tasklet_kill(), and RCU callbacks may be called under RCU softirq, so that cannot be used on kernels before the introduction of HRTIMER_MODE_SOFT. However, bcm_rx_handler() is called under RCU protection, so after calling can_rx_unregister(), we may call synchronize_rcu() in order to wait for any RCU read-side critical sections to finish. That is, bcm_rx_handler() won't be called anymore for those ops. So, we only free them, after we do that synchronize_rcu(). Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com Cc: linux-stable <stable(a)vger.kernel.org> Reported-by: syzbot+0f7e7e5e2f4f40fa89c0(a)syzkaller.appspotmail.com Reported-by: Norbert Slusarek <nslusarek(a)gmx.net> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Acked-by: Oliver Hartkopp <socketcan(a)hartkopp.net> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- net/can/bcm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/can/bcm.c b/net/can/bcm.c index 0f09838ebef6e..e66377e764ba9 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -824,6 +824,7 @@ static int bcm_delete_rx_op(struct list_head *ops, struct bcm_msg_head *mh, bcm_rx_handler, op); list_del(&op->list); + synchronize_rcu(); bcm_remove_op(op); return 1; /* done */ } @@ -1557,9 +1558,13 @@ static int bcm_release(struct socket *sock) REGMASK(op->can_id), bcm_rx_handler, op); - bcm_remove_op(op); } + synchronize_rcu(); + + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + #if IS_ENABLED(CONFIG_PROC_FS) /* remove procfs entry */ if (net->can.bcmproc_dir && bo->bcm_proc_read) -- 2.25.1

1 0

[PATCH kernel-4.19] etmem_scan: fix memleak in vm_idle_read
by Yang Yingliang 01 Jul '21

01 Jul '21

From: Kemeng Shi <shikemeng(a)huawei.com> euleros inclusion category: bugfix bugzilla: NA ------------------------------ Struct page_idle_ctrl is alloced at beginning of vm_idle_read, but it's not freed when vm_idle_read ends. Fixes: 2ca27c4642db5 ("etmem: add etmem-scan feature") Signed-off-by: Kemeng Shi <shikemeng(a)huawei.com> Reviewed-by: Jing Xiangfeng<jingxiangfeng(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/proc/etmem_scan.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/proc/etmem_scan.c b/fs/proc/etmem_scan.c index 94bf125de6072..2bac5ecd53164 100644 --- a/fs/proc/etmem_scan.c +++ b/fs/proc/etmem_scan.c @@ -753,6 +753,7 @@ static ssize_t vm_idle_read(struct file *file, char *buf, ret = pic->bytes_copied; *ppos = pic->next_hva; out_kvm: + kfree(pic); return ret; } -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS] x86/uprobes: Do not use prefixes.nbytes when looping over prefixes.bytes
by Yang Yingliang 01 Jul '21

01 Jul '21

From: Masami Hiramatsu <mhiramat(a)kernel.org> stable inclusion from linux-4.19.163 commit 6bb78b3fff90fcf76991f689822ae58a4feee36d -------------------------------- commit 4e9a5ae8df5b3365183150f6df49e49dece80d8c upstream. Since insn.prefixes.nbytes can be bigger than the size of insn.prefixes.bytes[] when a prefix is repeated, the proper check must be insn.prefixes.bytes[i] != 0 and i < 4 instead of using insn.prefixes.nbytes. Introduce a for_each_insn_prefix() macro for this purpose. Debugged by Kees Cook <keescook(a)chromium.org>. [ bp: Massage commit message, sync with the respective header in tools/ and drop "we". ] Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints") Reported-by: syzbot+9b64b619f10f19d19a7c(a)syzkaller.appspotmail.com Signed-off-by: Masami Hiramatsu <mhiramat(a)kernel.org> Signed-off-by: Borislav Petkov <bp(a)suse.de> Reviewed-by: Srikar Dronamraju <srikar(a)linux.vnet.ibm.com> Cc: stable(a)vger.kernel.org Link: https://lkml.kernel.org/r/160697103739.3146288.7437620795200799020.stgit@de… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- arch/x86/include/asm/insn.h | 15 +++++++++++++++ arch/x86/kernel/uprobes.c | 10 ++++++---- tools/objtool/arch/x86/include/asm/insn.h | 15 +++++++++++++++ tools/perf/util/intel-pt-decoder/insn.h | 15 +++++++++++++++ 4 files changed, 51 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/insn.h b/arch/x86/include/asm/insn.h index c2c01f84df75f..3e0e18d376d2c 100644 --- a/arch/x86/include/asm/insn.h +++ b/arch/x86/include/asm/insn.h @@ -208,6 +208,21 @@ static inline int insn_offset_immediate(struct insn *insn) return insn_offset_displacement(insn) + insn->displacement.nbytes; } +/** + * for_each_insn_prefix() -- Iterate prefixes in the instruction + * @insn: Pointer to struct insn. + * @idx: Index storage. + * @prefix: Prefix byte. + * + * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix + * and the index is stored in @idx (note that this @idx is just for a cursor, + * do not change it.) + * Since prefixes.nbytes can be bigger than 4 if some prefixes + * are repeated, it cannot be used for looping over the prefixes. + */ +#define for_each_insn_prefix(insn, idx, prefix) \ + for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++) + #define POP_SS_OPCODE 0x1f #define MOV_SREG_OPCODE 0x8e diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c index 420aa7d3a2e6b..ae9e806a11def 100644 --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c @@ -268,12 +268,13 @@ static volatile u32 good_2byte_insns[256 / 32] = { static bool is_prefix_bad(struct insn *insn) { + insn_byte_t p; int i; - for (i = 0; i < insn->prefixes.nbytes; i++) { + for_each_insn_prefix(insn, i, p) { insn_attr_t attr; - attr = inat_get_opcode_attribute(insn->prefixes.bytes[i]); + attr = inat_get_opcode_attribute(p); switch (attr) { case INAT_MAKE_PREFIX(INAT_PFX_ES): case INAT_MAKE_PREFIX(INAT_PFX_CS): @@ -728,6 +729,7 @@ static const struct uprobe_xol_ops push_xol_ops = { static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) { u8 opc1 = OPCODE1(insn); + insn_byte_t p; int i; switch (opc1) { @@ -758,8 +760,8 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) * Intel and AMD behavior differ in 64-bit mode: Intel ignores 66 prefix. * No one uses these insns, reject any branch insns with such prefix. */ - for (i = 0; i < insn->prefixes.nbytes; i++) { - if (insn->prefixes.bytes[i] == 0x66) + for_each_insn_prefix(insn, i, p) { + if (p == 0x66) return -ENOTSUPP; } diff --git a/tools/objtool/arch/x86/include/asm/insn.h b/tools/objtool/arch/x86/include/asm/insn.h index c2c01f84df75f..3e0e18d376d2c 100644 --- a/tools/objtool/arch/x86/include/asm/insn.h +++ b/tools/objtool/arch/x86/include/asm/insn.h @@ -208,6 +208,21 @@ static inline int insn_offset_immediate(struct insn *insn) return insn_offset_displacement(insn) + insn->displacement.nbytes; } +/** + * for_each_insn_prefix() -- Iterate prefixes in the instruction + * @insn: Pointer to struct insn. + * @idx: Index storage. + * @prefix: Prefix byte. + * + * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix + * and the index is stored in @idx (note that this @idx is just for a cursor, + * do not change it.) + * Since prefixes.nbytes can be bigger than 4 if some prefixes + * are repeated, it cannot be used for looping over the prefixes. + */ +#define for_each_insn_prefix(insn, idx, prefix) \ + for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++) + #define POP_SS_OPCODE 0x1f #define MOV_SREG_OPCODE 0x8e diff --git a/tools/perf/util/intel-pt-decoder/insn.h b/tools/perf/util/intel-pt-decoder/insn.h index 2669c9f748e4d..1a01d0a41ab8e 100644 --- a/tools/perf/util/intel-pt-decoder/insn.h +++ b/tools/perf/util/intel-pt-decoder/insn.h @@ -208,6 +208,21 @@ static inline int insn_offset_immediate(struct insn *insn) return insn_offset_displacement(insn) + insn->displacement.nbytes; } +/** + * for_each_insn_prefix() -- Iterate prefixes in the instruction + * @insn: Pointer to struct insn. + * @idx: Index storage. + * @prefix: Prefix byte. + * + * Iterate prefix bytes of given @insn. Each prefix byte is stored in @prefix + * and the index is stored in @idx (note that this @idx is just for a cursor, + * do not change it.) + * Since prefixes.nbytes can be bigger than 4 if some prefixes + * are repeated, it cannot be used for looping over the prefixes. + */ +#define for_each_insn_prefix(insn, idx, prefix) \ + for (idx = 0; idx < ARRAY_SIZE(insn->prefixes.bytes) && (prefix = insn->prefixes.bytes[idx]) != 0; idx++) + #define POP_SS_OPCODE 0x1f #define MOV_SREG_OPCODE 0x8e -- 2.25.1

1 0

[PATCH kernel-4.19] share_pool: Fix memleak of concurrent sp_free and sp_group_add_task
by Yang Yingliang 30 Jun '21

30 Jun '21

From: Tang Yizhou <tangyizhou(a)huawei.com> ascend inclusion category: bugfix bugzilla: NA CVE: NA ------------------------------------------------- We found a concurrency problem of sp_group_add_task and sp_free which lead to memory leak. After process A calls __sp_free and vfs_fallocate but before calling __sp_area_drop, process B is being added to the same group by a manager process, the *dead* spa freed by sp_free may be mapped into process B again, then do_mm_populate is called. When sp_group_add_task is finished, this spa is dropped and can't be seen in /proc/sharepool/spa_stat, but the memory of spa still reside in the group. It can only be freed when the group is dead. To fix the problem, we add a member is_dead in spa. We can access it when spg->rw_lock is held. This may sound a little strange if not realizing the life cycle of spa has a direct relation with sp group. Suggested-by: Ding Tianhong <dingtianhong(a)huawei.com> Signed-off-by: Tang Yizhou <tangyizhou(a)huawei.com> Reviewed-by: Ding Tianhong <dingtianhong(a)huwei.com> Reviewed-by: 为珑陈 <chenweilong(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- mm/share_pool.c | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/mm/share_pool.c b/mm/share_pool.c index 61bbbd772c847..3e4e05f20c5ce 100644 --- a/mm/share_pool.c +++ b/mm/share_pool.c @@ -233,6 +233,7 @@ struct sp_area { unsigned long region_vstart; /* belong to normal region or DVPP region */ unsigned long flags; bool is_hugepage; + bool is_dead; atomic_t use_count; /* How many vmas use this VA region */ struct rb_node rb_node; /* address sorted rbtree */ struct list_head link; /* link to the spg->head */ @@ -736,6 +737,10 @@ int sp_group_add_task(int pid, int spg_id) prev = spa; atomic_inc(&spa->use_count); + + if (spa->is_dead == true) + continue; + spin_unlock(&sp_area_lock); if (spa->type == SPA_TYPE_K2SPG && spa->kva) { @@ -970,6 +975,7 @@ static struct sp_area *sp_alloc_area(unsigned long size, unsigned long flags, spa->region_vstart = vstart; spa->flags = flags; spa->is_hugepage = (flags & SP_HUGEPAGE); + spa->is_dead = false; spa->spg = spg; atomic_set(&spa->use_count, 1); spa->type = type; @@ -1271,10 +1277,14 @@ int sp_free(unsigned long addr) goto drop_spa; } - if (!spg_valid(spa->spg)) + down_write(&spa->spg->rw_lock); + if (!spg_valid(spa->spg)) { + up_write(&spa->spg->rw_lock); goto drop_spa; - - sp_dump_stack(); + } + /* the life cycle of spa has a direct relation with sp group */ + spa->is_dead = true; + up_write(&spa->spg->rw_lock); down_read(&spa->spg->rw_lock); @@ -1303,6 +1313,7 @@ int sp_free(unsigned long addr) drop_spa: __sp_area_drop(spa); out: + sp_dump_stack(); sp_try_to_compact(); return ret; } @@ -2362,15 +2373,6 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size, int pid, int sp goto out_drop_area; } - down_read(&spa->spg->rw_lock); - if (!spg_valid(spa->spg)) { - up_read(&spa->spg->rw_lock); - pr_info_ratelimited("share pool: no need to unshare uva(to group), " - "sp group of spa is dead\n"); - goto out_clr_flag; - } - up_read(&spa->spg->rw_lock); - /* alway allow kthread and dvpp channel destroy procedure */ if (current->mm && current->mm->sp_group != spa->spg) { pr_err_ratelimited("share pool: unshare uva(to group) failed, " @@ -2379,6 +2381,17 @@ static int sp_unshare_uva(unsigned long uva, unsigned long size, int pid, int sp goto out_drop_area; } + down_write(&spa->spg->rw_lock); + if (!spg_valid(spa->spg)) { + up_write(&spa->spg->rw_lock); + pr_info_ratelimited("share pool: no need to unshare uva(to group), " + "sp group of spa is dead\n"); + goto out_clr_flag; + } + /* the life cycle of spa has a direct relation with sp group */ + spa->is_dead = true; + up_write(&spa->spg->rw_lock); + down_read(&spa->spg->rw_lock); __sp_free(spa->spg, uva_aligned, size_aligned, NULL); up_read(&spa->spg->rw_lock); -- 2.25.1

1 0

2024

2023

2022

2021

2020

2019

Kernel