From: Duoming Zhou <duoming(a)zju.edu.cn>
mainline inclusion
from mainline-v6.10-rc1
commit 36e56b1b002bb26440403053f19f9e1a8bc075b2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4
CVE: CVE-2024-38554
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
There is a reference count leak issue of the object "net_device" in
ax25_dev_device_down(). When the ax25 device is shutting down, the
ax25_dev_device_down() drops the reference count of net_device one
or zero times depending on whether we goto unlock_put or not, which will
cause a memory leak.
In order to solve the above issue, decrease the reference count of
net_device after dev->ax25_ptr is set to null.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Conflicts:
net/ax25/ax25_dev.c
[The conflict occurs because the commits a968c799eb1d ("ax25: merge repeat
codes in ax25_dev_device_down()") and a7d6e36b9ad0 ("ax25: Use kernel
universal linked list to implement ax25_dev_list") are not merged]
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/ax25/ax25_dev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 55a611f7239b..68a417cee39c 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -141,6 +141,7 @@ void ax25_dev_device_down(struct net_device *dev)
}
spin_unlock_bh(&ax25_dev_lock);
dev->ax25_ptr = NULL;
+ dev_put(dev);
ax25_dev_put(ax25_dev);
}
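Review bot: the added dev_put(dev) sits on the fall-through exit only; the unlock_put path that the commit message contrasts it with lies outside this hunk's context, so check that it performs exactly one dev_put() itself, so that after this change every exit from ax25_dev_device_down() drops the net_device reference once and none drops it twice. A one-line comment naming the dev_hold() this put balances (presumably taken when the device came up; not visible here) would also help the next reader, since nothing in the hunk says where the reference was acquired.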
--
2.34.1
From: Duoming Zhou <duoming(a)zju.edu.cn>
mainline inclusion
from mainline-v6.10-rc1
commit 36e56b1b002bb26440403053f19f9e1a8bc075b2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4
CVE: CVE-2024-38554
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
There is a reference count leak issue of the object "net_device" in
ax25_dev_device_down(). When the ax25 device is shutting down, the
ax25_dev_device_down() drops the reference count of net_device one
or zero times depending on whether we goto unlock_put or not, which will
cause a memory leak.
In order to solve the above issue, decrease the reference count of
net_device after dev->ax25_ptr is set to null.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Conflicts:
net/ax25/ax25_dev.c
[The conflict occurs because the commits a968c799eb1d ("ax25: merge repeat
codes in ax25_dev_device_down()") and a7d6e36b9ad0 ("ax25: Use kernel
universal linked list to implement ax25_dev_list") are not merged]
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/ax25/ax25_dev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index d1d8d8a21ddd..f68f42c083c8 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -138,6 +138,7 @@ void ax25_dev_device_down(struct net_device *dev)
}
spin_unlock_bh(&ax25_dev_lock);
dev->ax25_ptr = NULL;
+ dev_put(dev);
ax25_dev_put(ax25_dev);
}
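Review bot: this is the same one-line fix as the previous patch against a different base (index d1d8d8a21ddd..f68f42c083c8 and hunk offset 138 here, versus 55a611f7239b..68a417cee39c and offset 141 above) under an identical commit message and Conflicts note; if the two copies target different branches, say so in the Conflicts block, because as posted the second reads as a duplicate submission. The same check applies here: the unlock_put exit is not in the context, so confirm it drops the net_device reference exactly once so that the two exits now match.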
--
2.34.1
From: "Dae R. Jeong" <threeearcat(a)gmail.com>
stable inclusion
from stable-v6.6.33
commit ab67c2fd3d070a21914d0c31319d3858ab4e199c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D88
CVE: CVE-2024-36489
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
---------------------------
[ Upstream commit 91e61dd7a0af660408e87372d8330ceb218be302 ]
In tls_init(), a write memory barrier is missing, and store-store
reordering may cause a NULL dereference in tls_{setsockopt,getsockopt}.
CPU0                                      CPU1
-----                                     -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots)     -(2)

                                          // In sock_common_setsockopt()
                                          READ_ONCE(sk->sk_prot)->setsockopt()

                                          // In tls_{setsockopt,getsockopt}()
                                          ctx->sk_proto->setsockopt()    -(3)
In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing a NULL dereference.
To fix it, we rely on rcu_assign_pointer(), which implies release
barrier semantics. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto is visible when
changing sk->sk_prot.
Fixes: d5bee7374b68 ("net/tls: Annotate access to sk_prot with READ_ONCE/WRITE_ONCE")
Signed-off-by: Yewon Choi <woni9911(a)gmail.com>
Signed-off-by: Dae R. Jeong <threeearcat(a)gmail.com>
Link: https://lore.kernel.org/netdev/ZU4OJG56g2V9z_H7@dragonet/T/
Link: https://lore.kernel.org/r/Zkx4vjSFp0mfpjQ2@libra05
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Liu Jian <liujian56(a)huawei.com>
---
net/tls/tls_main.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index e97fcb502115..0a67b93a52ec 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -814,9 +814,17 @@ struct tls_context *tls_ctx_create(struct sock *sk)
return NULL;
mutex_init(&ctx->tx_lock);
- rcu_assign_pointer(icsk->icsk_ulp_data, ctx);
ctx->sk_proto = READ_ONCE(sk->sk_prot);
ctx->sk = sk;
+ /* Release semantic of rcu_assign_pointer() ensures that
+ * ctx->sk_proto is visible before changing sk->sk_prot in
+ * update_sk_prot(), and prevents reading uninitialized value in
+ * tls_{getsockopt, setsockopt}. Note that we do not need a
+ * read barrier in tls_{getsockopt,setsockopt} as there is an
+ * address dependency between sk->sk_proto->{getsockopt,setsockopt}
+ * and ctx->sk_proto.
+ */
+ rcu_assign_pointer(icsk->icsk_ulp_data, ctx);
return ctx;
}
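Review bot: the new comment refers to sk->sk_proto->{getsockopt,setsockopt}, but the socket field is sk->sk_prot, as the context line two above the comment shows (ctx->sk_proto = READ_ONCE(sk->sk_prot)); sk_proto is the ctx member. The address dependency being described runs from the value read through sk->sk_prot to ctx->sk_proto, so the comment should say sk->sk_prot->{getsockopt,setsockopt}. Minor: the comment writes tls_{getsockopt, setsockopt} with a space in one place and tls_{getsockopt,setsockopt} without in the next; pick one. Moving rcu_assign_pointer() below the ctx->sk_proto and ctx->sk initialisation is otherwise exactly what the message describes.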
--
2.34.1
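The publish-before-initialise window that the tls_ctx_create() hunk closes, as an added user-space model written for this page (not the patch's or the kernel's code; struct proto, struct ctx, ulp_data and run_model() are hypothetical stand-ins, and it assumes C11 atomics and POSIX threads). A publisher thread exposes a ctx through a shared pointer either before or after setting ctx->sk_proto, while a reader follows the pointer the way tls_{setsockopt,getsockopt} do; run_model(1) uses the patched order and can never see a NULL sk_proto, run_model(0) uses the original order and may.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
/* Hypothetical user-space stand-ins for the kernel objects named in the patch. */
struct proto { int (*setsockopt)(void); };
struct ctx   { _Atomic(struct proto *) sk_proto; };
static int fake_setsockopt(void) { return 0; }
static struct proto tls_prots = { fake_setsockopt };
#define ROUNDS 20000
static struct ctx pool[ROUNDS];          /* one ctx per round, never reused: no free(), so no UAF to model */
static _Atomic(struct ctx *) ulp_data;   /* models icsk->icsk_ulp_data */
static _Atomic int done;
static int fixed_order;                  /* 0: publish then init (original), 1: init then publish (patched) */

static void *publisher(void *unused) {
    (void)unused;
    for (int i = 0; i < ROUNDS; i++) {
        struct ctx *c = &pool[i];
        if (fixed_order) {  /* patched order: set sk_proto, then publish with release semantics */
            atomic_store_explicit(&c->sk_proto, &tls_prots, memory_order_relaxed);
            atomic_store_explicit(&ulp_data, c, memory_order_release);   /* rcu_assign_pointer() */
        } else {            /* original order: the pointer is visible before sk_proto is set */
            atomic_store_explicit(&ulp_data, c, memory_order_release);
            atomic_store_explicit(&c->sk_proto, &tls_prots, memory_order_relaxed);
        }
    }
    atomic_store_explicit(&done, 1, memory_order_release);
    return NULL;
}

/* Reader models tls_setsockopt(): follow the ctx pointer, then use ctx->sk_proto. The kernel
 * gets its ordering from rcu_dereference()'s address dependency; an acquire load is used here. */
static void *reader(void *out) {
    long nulls = 0;
    while (!atomic_load_explicit(&done, memory_order_acquire)) {
        struct ctx *c = atomic_load_explicit(&ulp_data, memory_order_acquire);
        if (c && !atomic_load_explicit(&c->sk_proto, memory_order_relaxed))
            nulls++;        /* in the kernel this would be the NULL dereference */
    }
    *(long *)out = nulls;
    return NULL;
}

/* Runs one publisher against one reader; returns how often a published ctx still had NULL sk_proto. */
long run_model(int fixed) {
    pthread_t p, r; long nulls = 0;
    fixed_order = fixed; atomic_store(&done, 0); atomic_store(&ulp_data, (struct ctx *)NULL);
    for (int i = 0; i < ROUNDS; i++) atomic_store(&pool[i].sk_proto, (struct proto *)NULL);
    pthread_create(&r, NULL, reader, &nulls); pthread_create(&p, NULL, publisher, NULL);
    pthread_join(p, NULL); pthread_join(r, NULL);
    return nulls;
}
```

The original order can report zero sightings on a lightly loaded machine; the point is that the patched order makes zero the guaranteed outcome rather than a lucky one.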
From: Duoming Zhou <duoming(a)zju.edu.cn>
stable inclusion
from stable-v6.6.33
commit 965d940fb7414b310a22666503d2af69459c981b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SG4
CVE: CVE-2024-38554
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
[ Upstream commit 36e56b1b002bb26440403053f19f9e1a8bc075b2 ]
There is a reference count leak issue of the object "net_device" in
ax25_dev_device_down(). When the ax25 device is shutting down, the
ax25_dev_device_down() drops the reference count of net_device one
or zero times depending on whether we goto unlock_put or not, which will
cause a memory leak.
In order to solve the above issue, decrease the reference count of
net_device after dev->ax25_ptr is set to null.
Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs")
Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Reviewed-by: Dan Carpenter <dan.carpenter(a)linaro.org>
Link: https://lore.kernel.org/r/7ce3b23a40d9084657ba1125432f0ecc380cbc80.17152470…
Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Conflicts:
net/ax25/ax25_dev.c
[The conflict occurs because the commit a7d6e36b9ad0 ("ax25: Use kernel
universal linked list to implement ax25_dev_list") is not merged]
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/ax25/ax25_dev.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/net/ax25/ax25_dev.c b/net/ax25/ax25_dev.c
index 282ec581c072..6f4ccb735653 100644
--- a/net/ax25/ax25_dev.c
+++ b/net/ax25/ax25_dev.c
@@ -128,10 +128,6 @@ void ax25_dev_device_down(struct net_device *dev)
s = s->next;
}
- spin_unlock_bh(&ax25_dev_lock);
- dev->ax25_ptr = NULL;
- ax25_dev_put(ax25_dev);
- return;
unlock_put:
spin_unlock_bh(&ax25_dev_lock);
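Review bot: this backport is a pure deletion (diffstat: 4 deletions, 0 insertions), whereas the upstream commit it carries, 36e56b1b, appears in the other copies on this page as a one-line dev_put(dev) insertion; removing the early-return block makes the loop fall through into unlock_put:, so the fix only holds if the unlock_put path, which this context cuts off right after its spin_unlock_bh(), also clears dev->ax25_ptr, drops the ax25_dev reference and calls dev_put(). The Conflicts block should say why the backport takes this shape, since a reader comparing it against the mainline patch will not see the same change.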
--
2.34.1
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAA3U5
CVE: NA
---------------------------
Lockdep reports that:
WARNING: suspicious RCU usage
./include/linux/rcupdate.h:625 rcu_read_lock() used illegally while idle!
other info that might help us debug this:
RCU used illegally from idle CPU!
rcu_scheduler_active = 2, debug_locks = 1
RCU used illegally from extended quiescent state!
1 lock held by swapper/0/0:
#0: 000000003f648ecc (rcu_read_lock){....}, at:
ftrace_location_range+0x0/0x400 kernel/trace/ftrace.c:1326
[...]
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x125/0x1ae lib/dump_stack.c:117
rcu_read_lock include/linux/rcupdate.h:624 [inline]
ftrace_location_range+0x2e4/0x400 kernel/trace/ftrace.c:1613
ftrace_int3_handler+0x47/0x220 arch/x86/kernel/ftrace.c:304
do_int3+0x1d2/0x260 arch/x86/kernel/traps.c:592
int3+0x33/0x40 arch/x86/entry/entry_64.S:1170
[...]
default_idle_call+0x3c/0x60 kernel/sched/idle.c:95
cpuidle_idle_call kernel/sched/idle.c:155 [inline]
do_idle+0x28a/0x380 kernel/sched/idle.c:257
cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:363
start_kernel+0x8bc/0x8fb init/main.c:744
secondary_startup_64+0xb7/0xc0 arch/x86/kernel/head_64.S:243
When the function tracer is being enabled, an 'int3' will be put at the fentry
location of the traced function, and before the fentry location has been fully
replaced with the ftrace caller, any call to the traced function will first be
redirected to the ftrace caller through ftrace_int3_handler(). When the
traced function is called by the idle task and rcu_read_lock() is indirectly
called in ftrace_int3_handler(), lockdep will warn that this is illegal.
The RCU lock is not needed when ftrace_location() is called by
ftrace_int3_handler(), because that is an atomic context, so
add an in_atomic() check before taking or releasing the RCU lock.
Fixes: 85b642bd0701 ("ftrace: Fix possible use-after-free issue in ftrace_location()")
Signed-off-by: Zheng Yejian <zhengyejian1(a)huawei.com>
---
kernel/trace/ftrace.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 6704150cb655..ad4440da5b78 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1581,7 +1581,12 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
key.ip = start;
key.flags = end; /* overload flags, as it is unsigned long */
- rcu_read_lock();
+ /*
+ * It is in atomic context when called from ftrace_int3_handler(),
+ * in this case rcu lock is not needed.
+ */
+ if (!in_atomic())
+ rcu_read_lock();
for (pg = ftrace_pages_start; pg; pg = pg->next) {
if (pg->index == 0 ||
end < pg->records[0].ip ||
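Review bot: in_atomic() is a much broader condition than "called from ftrace_int3_handler()": it is true for any caller running with preemption disabled or in interrupt context, and every such caller now walks ftrace_pages_start without the rcu_read_lock() that the Fixes: commit (85b642bd0701) added, while the header comment on in_atomic() itself warns that it cannot detect every atomic context on kernels without preemption counting. A narrower shape would keep rcu_read_lock() in ftrace_location_range() unconditional and give the int3 path its own lockless entry point (or a flag passed down from that caller), so that the exemption covers only the case in the lockdep report.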
@@ -1595,7 +1600,8 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
break;
}
}
- rcu_read_unlock();
+ if (!in_atomic())
+ rcu_read_unlock();
return ip;
}
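Review bot: the unlock re-evaluates in_atomic() instead of reusing the result of the test at the lock site; the two are only guaranteed to agree if nothing between them changes the preempt count, and the loop body is not fully visible in the hunks. Capturing the decision once in a local (for instance `bool locked = !in_atomic();` before the lock and `if (locked) rcu_read_unlock();` here) makes a lock/unlock mismatch impossible rather than merely unlikely.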
--
2.25.1