From: Namjae Jeon <linkinjeon(a)kernel.org>
mainline inclusion
from mainline-v6.9-rc4
commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI
CVE: CVE-2024-26936
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The response buffer should be allocated in smb2_allocate_rsp_buf
before validating the request. But the fields in the payload as well as the smb2 header
are used in smb2_allocate_rsp_buf(). This patch adds simple buffer size
validation to avoid potential out-of-bounds in the request buffer.
Cc: stable(a)vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Conflicts:
fs/smb/server/smb2pdu.c
fs/ksmbd/smb2pdu.c
[lc:file path is not same]
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 4df7108a886f..7937f860ea8f 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
if (cmd == SMB2_QUERY_INFO_HE) {
struct smb2_query_info_req *req;
+ if (get_rfc1002_len(work->request_buf) <
+ offsetof(struct smb2_query_info_req, OutputBufferLength))
+ return -EINVAL;
+
req = smb2_get_msg(work->request_buf);
if ((req->InfoType == SMB2_O_INFO_FILE &&
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
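Review bot: the bound is offsetof(struct smb2_query_info_req, OutputBufferLength), not sizeof(*req), so it only guarantees that the bytes before OutputBufferLength are inside the request. That is enough for the two fields read on the following lines (req->InfoType and req->FileInfoClass both precede OutputBufferLength in the struct), but any later access to OutputBufferLength or to the fields after it in this function would need the bound raised. A one-line comment above the check stating that it covers exactly InfoType and FileInfoClass would keep a future edit from assuming the whole request has been validated. The comparison is consistent with smb2_get_msg(): get_rfc1002_len() returns the length of the SMB2 message that follows the 4-byte NetBIOS header, and offsetof() counts from the start of the SMB2 header embedded at the front of smb2_query_info_req.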
--
2.39.2
From: Gerd Rausch <gerd.rausch(a)oracle.com>
stable inclusion
from stable-v4.19.198
commit 4893c938f2a140a74be91779e45e4a7fa111198f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4ER
CVE: CVE-2021-47345
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ]
Fix a memory leak when "rdma_resolve_route()" is called more than once on
the same "rdma_cm_id".
This is possible if cma_query_handler() triggers the
RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and
allows rdma_resolve_route() to be called again.
Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com
Signed-off-by: Gerd Rausch <gerd.rausch(a)oracle.com>
Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zhao Wenhui <zhaowenhui8(a)huawei.com>
---
drivers/infiniband/core/cma.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index 20a5501b740a..127ebd481689 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2547,7 +2547,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv, int timeout_ms)
cma_init_resolve_route_work(work, id_priv);
- route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
+ if (!route->path_rec)
+ route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
if (!route->path_rec) {
ret = -ENOMEM;
goto err1;
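Review bot: the guard avoids leaking the path_rec allocated by a previous rdma_resolve_route() call on the same id, but a reader has to work out why path_rec can already be non-NULL here; a comment above `if (!route->path_rec)` saying that the RDMA_CM_EVENT_ROUTE_ERROR flow returns the id to a state in which rdma_resolve_route() may be called again (as the commit message explains) would make the re-entry case explicit. Reusing the old record also means its previous contents survive until the new query overwrites them, so the code that fills path_rec after this point must not rely on any field being zero. Style point on the re-added line: kernel style prefers `sizeof(*route->path_rec)` over `sizeof *route->path_rec`, and since the line is being rewritten anyway this is the moment to fix it.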
--
2.34.1
From: Yang Xiongwei <yangxiongwei6(a)huawei.com>
mainline inclusion
from mainline-v6.9-rc4
commit 17cf0c2794bdb6f39671265aa18aea5c22ee8c4a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L4XI
CVE: CVE-2024-26936
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
The response buffer should be allocated in smb2_allocate_rsp_buf
before validating the request. But the fields in the payload as well as the smb2 header
are used in smb2_allocate_rsp_buf(). This patch adds simple buffer size
validation to avoid potential out-of-bounds in the request buffer.
Cc: stable(a)vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>
Conflicts:
fs/smb/server/smb2pdu.c
fs/ksmbd/smb2pdu.c
[lc:file path is not same]
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/ksmbd/smb2pdu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 4df7108a886f..7937f860ea8f 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -539,6 +539,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_work *work)
if (cmd == SMB2_QUERY_INFO_HE) {
struct smb2_query_info_req *req;
+ if (get_rfc1002_len(work->request_buf) <
+ offsetof(struct smb2_query_info_req, OutputBufferLength))
+ return -EINVAL;
+
req = smb2_get_msg(work->request_buf);
if ((req->InfoType == SMB2_O_INFO_FILE &&
(req->FileInfoClass == FILE_FULL_EA_INFORMATION ||
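Review bot: the new -EINVAL return is only effective if the caller of smb2_allocate_rsp_buf() stops processing the request on a negative return instead of continuing as though a response buffer had been allocated; that caller is not in the hunk, so it should be confirmed as part of this backport. The check also trusts get_rfc1002_len(work->request_buf) as the number of bytes actually present in request_buf, which holds only because the receive path reads exactly that many bytes into the buffer; a short comment naming that dependency would help anyone touching the receive side later.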
--
2.39.2
From: Eric Van Hensbergen <ericvh(a)kernel.org>
mainline inclusion
from mainline-v6.9-rc1
commit 6630036b7c228f57c7893ee0403e92c2db2cd21d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U997
CVE: CVE-2024-36923
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
If an iget fails due to not being able to retrieve information
from the server then the inode structure is only partially
initialized. When the inode gets evicted, references to
uninitialized structures (like fscache cookies) were being
made.
This patch checks for a bad_inode before doing anything other
than clearing the inode from the cache. Since the inode is
bad, it shouldn't have any state associated with it that needs
to be written back (and there really isn't a way to complete
those anyways).
Reported-by: syzbot+eb83fe1cce5833cd66a0(a)syzkaller.appspotmail.com
Signed-off-by: Eric Van Hensbergen <ericvh(a)kernel.org>
Conflicts:
fs/9p/vfs_inode.c
[v9fs_evict_inode() function has been changed]
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/9p/vfs_inode.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 88ca5015f987..483d777a8617 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -376,15 +376,19 @@ void v9fs_evict_inode(struct inode *inode)
{
struct v9fs_inode *v9inode = V9FS_I(inode);
- truncate_inode_pages_final(&inode->i_data);
- clear_inode(inode);
- filemap_fdatawrite(&inode->i_data);
-
- v9fs_cache_inode_put_cookie(inode);
- /* clunk the fid stashed in writeback_fid */
- if (v9inode->writeback_fid) {
- p9_client_clunk(v9inode->writeback_fid);
- v9inode->writeback_fid = NULL;
+ if (!is_bad_inode(inode)) {
+ truncate_inode_pages_final(&inode->i_data);
+ clear_inode(inode);
+ filemap_fdatawrite(&inode->i_data);
+
+ v9fs_cache_inode_put_cookie(inode);
+ /* clunk the fid stashed in writeback_fid */
+ if (v9inode->writeback_fid) {
+ p9_client_clunk(v9inode->writeback_fid);
+ v9inode->writeback_fid = NULL;
+ }
+ } else {
+ clear_inode(inode);
}
}
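Review bot: the else branch calls clear_inode() without a preceding truncate_inode_pages_final(), while clear_inode() asserts that the page cache is already empty (BUG_ON(inode->i_data.nrpages)). For an inode whose iget failed this should hold because nothing was ever written through its mapping, but calling truncate_inode_pages_final(&inode->i_data) in the else branch as well is cheap and removes the assumption; at minimum a comment stating why a bad inode has no pages, no fscache cookie and no writeback_fid (the iget failure left them uninitialized, per the commit message) would document the invariant the branch depends on. Visible in the moved lines but pre-existing: filemap_fdatawrite() runs after clear_inode() has already torn the inode down, which this patch preserves rather than introduces.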
--
2.39.2
hulk inclusion
category: bugfix
bugzilla: 46904, https://gitee.com/openeuler/kernel/issues/IA5JXN
--------------------------------
In the freeing process, set memcg->hpool or dpool_global_hpool to NULL and
then free it. To avoid a UAF problem on hpool, we have to make sure that
users who already hold a pointer to hpool don't use the pointer after
hpool is freed. The freeing of hpool should block until it is certain that
no such users still use hpool. Anyone who wants to use hpool has to
increase its refcount first, so use rcu_read_lock() and synchronize_rcu()
to guarantee that all such users fail to get hpool before it is freed.
Fixes: 0bc0d0d57eda ("dhugetlb: backport dynamic hugetlb feature")
Signed-off-by: Liu Shixin <liushixin2(a)huawei.com>
---
mm/hugetlb.c | 6 ++++++
mm/memcontrol.c | 11 ++++++++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 4be708677ce6..18dd5bcd13a3 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3360,6 +3360,7 @@ void dhugetlb_pool_put(struct dhugetlb_pool *hpool)
if (atomic_dec_and_test(&hpool->refcnt)) {
css_put(&hpool->attach_memcg->css);
+ synchronize_rcu();
kfree(hpool);
}
}
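Review bot: synchronize_rcu() blocks until a grace period has elapsed, so dhugetlb_pool_put() can now sleep and must not be called from atomic context, under a spinlock, or inside an rcu_read_lock() section; the callers are not in the hunk, so each should be checked, and the function deserves a "may sleep" comment. If any caller cannot sleep, kfree_rcu() (or call_rcu() with a callback that performs the css_put() and kfree()) gives the same grace-period guarantee without blocking the last dropper. The scheme also depends on ordering that this hunk does not show: the store that clears memcg->hpool or dpool_global_hpool must be visible before the refcount reaches zero here, otherwise a reader can still load the pointer after the grace period has ended.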
@@ -3500,9 +3501,14 @@ struct dhugetlb_pool *get_dhugetlb_pool_from_task(struct task_struct *tsk)
rcu_read_lock();
memcg = mem_cgroup_from_task(tsk);
+ if (!memcg || !css_tryget(&memcg->css)) {
+ rcu_read_unlock();
+ return NULL;
+ }
rcu_read_unlock();
hpool = get_dhugetlb_pool_from_memcg(memcg);
+ css_put(&memcg->css);
return hpool;
}
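Review bot: taking a css reference with css_tryget() before dropping rcu_read_lock() is the right fix for the memcg itself going away between mem_cgroup_from_task() and get_dhugetlb_pool_from_memcg(), but a short comment should say so, because at first glance a get/put pair around a single call looks redundant. Note that css_tryget() succeeds on a css that is offline but not yet freed, which is fine here since only memcg_ext->hpool is read; if the intent were to refuse pools of cgroups that are being removed, css_tryget_online() would be the variant to use.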
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 7dc68b1792ef..4ecb6f09b68b 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4701,14 +4701,19 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of,
struct dhugetlb_pool *get_dhugetlb_pool_from_memcg(struct mem_cgroup *memcg)
{
struct mem_cgroup_extension *memcg_ext;
+ struct dhugetlb_pool *hpool;
if (!memcg)
return NULL;
+ rcu_read_lock();
memcg_ext = container_of(memcg, struct mem_cgroup_extension, memcg);
- if (dhugetlb_pool_get(memcg_ext->hpool))
- return memcg_ext->hpool;
- return NULL;
+ hpool = memcg_ext->hpool;
+ if (!dhugetlb_pool_get(hpool))
+ hpool = NULL;
+ rcu_read_unlock();
+
+ return hpool;
}
static void set_dhugetlb_pool_to_memcg(struct mem_cgroup *memcg,
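Review bot: the read of memcg_ext->hpool is a plain load; to pair with a writer that stores NULL and then calls synchronize_rcu(), it should be rcu_dereference() (or at least READ_ONCE()), with rcu_assign_pointer() or WRITE_ONCE() on the writer side, otherwise the compiler is free to reload or tear the pointer. The scheme is also only sound if dhugetlb_pool_get() tolerates a NULL hpool and refuses a pool whose refcount has already dropped to zero (an atomic_inc_not_zero() style get), because a reader that loaded the old pointer before the NULL store can still call it inside the same grace period; neither function body is in the hunk, so both properties should be confirmed, and a comment here explaining that rcu_read_lock() only guarantees the pointer stays allocated, while the refcount guarantees it stays valid, would spell out the split.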
--
2.25.1