From: Eric Dumazet <edumazet(a)google.com>
mainline inclusion
from mainline-v6.6-rc5
commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK
CVE: CVE-2023-52522
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
While looking at a related syzbot report involving neigh_periodic_work(),
I found that I forgot to add an annotation when deleting an
RCU protected item from a list.
Readers use rcu_dereference(*np), we need to use either
rcu_assign_pointer() or WRITE_ONCE() on writer side
to prevent store tearing.
I use rcu_assign_pointer() to have lockdep support,
this was the choice made in neigh_flush_dev().
Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
Signed-off-by: Eric Dumazet <edumazet(a)google.com>
Reviewed-by: David Ahern <dsahern(a)kernel.org>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Conflicts:
net/core/neighbour.c
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/core/neighbour.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 778be5866d0a..3f1520755282 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -855,7 +855,9 @@ static void neigh_periodic_work(struct work_struct *work)
if (refcount_read(&n->refcnt) == 1 &&
(state == NUD_FAILED ||
time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
- *np = n->next;
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(n->next,
+ lockdep_is_held(&tbl->lock)));
n->dead = 1;
write_unlock(&n->lock);
neigh_cleanup_and_release(n);
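Review bot: the message lists net/core/neighbour.c under "Conflicts:" but does not say what was adapted, and the context around the changed `*np = n->next;` line is exactly where this tree differs from the stable-v5.10.198 posting of the same fix (`time_after(jiffies, ...)` and `n->dead = 1;` here, `!time_in_range_open(...)` and `neigh_mark_dead(n);` there). A one-line remark that the conflict was context-only and that the `rcu_assign_pointer(*np, ...)` change is applied unmodified would let a reader verify the backport without diffing against upstream.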
--
2.34.1
From: Eric Dumazet <edumazet(a)google.com>
stable inclusion
from stable-v5.10.198
commit 2ea52a2fb8e87067e26bbab4efb8872639240eb0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK
CVE: CVE-2023-52522
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
[ Upstream commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd ]
While looking at a related syzbot report involving neigh_periodic_work(),
I found that I forgot to add an annotation when deleting an
RCU protected item from a list.
Readers use rcu_dereference(*np), we need to use either
rcu_assign_pointer() or WRITE_ONCE() on writer side
to prevent store tearing.
I use rcu_assign_pointer() to have lockdep support,
this was the choice made in neigh_flush_dev().
Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
Signed-off-by: Eric Dumazet <edumazet(a)google.com>
Reviewed-by: David Ahern <dsahern(a)kernel.org>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/core/neighbour.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 3b642c412cf3..15267428c4f8 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -935,7 +935,9 @@ static void neigh_periodic_work(struct work_struct *work)
(state == NUD_FAILED ||
!time_in_range_open(jiffies, n->used,
n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
- *np = n->next;
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(n->next,
+ lockdep_is_held(&tbl->lock)));
neigh_mark_dead(n);
write_unlock(&n->lock);
neigh_cleanup_and_release(n);
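Review bot: `lockdep_is_held(&tbl->lock)` in the new `rcu_dereference_protected()` call asserts that tbl->lock is held at this point, but the only lock visible in the hunk is `n->lock`, released by `write_unlock(&n->lock)`. Please confirm that neigh_periodic_work() in this 5.10 tree holds tbl->lock across the whole loop body; if any path reaches this line without it, builds with RCU lockdep checking enabled will flag the dereference.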
--
2.34.1
From: Eric Dumazet <edumazet(a)google.com>
mainline inclusion
from mainline-v6.6-rc5
commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I95AWK
CVE: CVE-2023-52522
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
While looking at a related syzbot report involving neigh_periodic_work(),
I found that I forgot to add an annotation when deleting an
RCU protected item from a list.
Readers use rcu_dereference(*np), we need to use either
rcu_assign_pointer() or WRITE_ONCE() on writer side
to prevent store tearing.
I use rcu_assign_pointer() to have lockdep support,
this was the choice made in neigh_flush_dev().
Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
Signed-off-by: Eric Dumazet <edumazet(a)google.com>
Reviewed-by: David Ahern <dsahern(a)kernel.org>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com>
---
net/core/neighbour.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 778be5866d0a..3f1520755282 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -855,7 +855,9 @@ static void neigh_periodic_work(struct work_struct *work)
if (refcount_read(&n->refcnt) == 1 &&
(state == NUD_FAILED ||
time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
- *np = n->next;
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(n->next,
+ lockdep_is_held(&tbl->lock)));
n->dead = 1;
write_unlock(&n->lock);
neigh_cleanup_and_release(n);
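Review bot: `n->dead = 1;` directly after the new `rcu_assign_pointer(*np, ...)` is still a plain store. It is made before `write_unlock(&n->lock)`, so it is fine as long as every reader of n->dead takes that lock; if any RCU reader tests it locklessly, the store-tearing argument from the commit message applies to it as well and it would want WRITE_ONCE(). Worth a quick check, as a follow-up separate from this fix.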
--
2.34.1
From: Al Viro <viro(a)zeniv.linux.org.uk>
mainline inclusion
from mainline-v6.8-rc6
commit 2c88c16dc20e88dd54d2f6f4d01ae1dce6cc9654
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I971F0
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
if you have a variable that holds NULL or a pointer to live struct mount,
do not shove ERR_PTR() into it - not if you later treat "not NULL" as
"holds a pointer to object".
Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk>
Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com>
---
fs/erofs/fscache.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/erofs/fscache.c b/fs/erofs/fscache.c
index 87ff35bff8d5..1052f75d1dfa 100644
--- a/fs/erofs/fscache.c
+++ b/fs/erofs/fscache.c
@@ -381,11 +381,12 @@ static int erofs_fscache_init_domain(struct super_block *sb)
goto out;
if (!erofs_pseudo_mnt) {
- erofs_pseudo_mnt = kern_mount(&erofs_fs_type);
- if (IS_ERR(erofs_pseudo_mnt)) {
- err = PTR_ERR(erofs_pseudo_mnt);
+ struct vfsmount *mnt = kern_mount(&erofs_fs_type);
+ if (IS_ERR(mnt)) {
+ err = PTR_ERR(mnt);
goto out;
}
+ erofs_pseudo_mnt = mnt;
}
domain->volume = sbi->volume;
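Review bot: inside the `if (!erofs_pseudo_mnt)` block, the new declaration `struct vfsmount *mnt = kern_mount(&erofs_fs_type);` is followed directly by `if (IS_ERR(mnt))` with no blank line, which checkpatch reports as a missing blank line after declarations. Adding the blank line keeps the block in kernel style. The rest of the hunk, assigning `erofs_pseudo_mnt = mnt;` only after the IS_ERR() check has passed, matches the rule stated in the commit message.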
--
2.39.2
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I96YK9
CVE: NA
-----------------------------
It's fine that the associated msc is not found when the CPU comes online.
For example, the device platform does not support L3 cache and there is
indeed no L3 cache msc.
Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
arch/arm64/kernel/mpam/mpam_setup.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/kernel/mpam/mpam_setup.c b/arch/arm64/kernel/mpam/mpam_setup.c
index 4d0ec0052133..a9e97d8d2bad 100644
--- a/arch/arm64/kernel/mpam/mpam_setup.c
+++ b/arch/arm64/kernel/mpam/mpam_setup.c
@@ -78,9 +78,11 @@ static int mpam_resctrl_setup_domain(unsigned int cpu,
}
}
- /* cpu with unknown exported component? */
- if (WARN_ON_ONCE(!comp))
+ if (!comp) {
+ pr_info("There is no msc corresponding to CPU%d.\n", cpu);
return 0;
+ }
+
dom = kzalloc_node(sizeof(*dom), GFP_KERNEL, cpu_to_node(cpu));
if (!dom)
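Review bot: `pr_info("There is no msc corresponding to CPU%d.\n", cpu);` prints `cpu` with %d, but the function header shown in the hunk line declares it as `unsigned int cpu`. Use `CPU%u` so the format specifier matches the argument type.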
@@ -168,8 +170,8 @@ int mpam_resctrl_cpu_offline(unsigned int cpu)
for_each_supported_resctrl_exports(res) {
d = resctrl_get_domain_from_cpu(cpu, &res->resctrl_res);
- /* cpu with unknown exported component? */
- if (WARN_ON_ONCE(!d))
+ /* There is no msc corresponding to the CPU */
+ if (!d)
continue;
cpumask_clear_cpu(cpu, &d->cpu_mask);
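Review bot: replacing `WARN_ON_ONCE(!d)` with a bare `if (!d) continue;` in mpam_resctrl_cpu_offline() makes a domain that is missing because of a bookkeeping error indistinguishable from the expected no-msc case. If the online path can record which CPUs it skipped, the offline path could keep the warning for CPUs that were not skipped; at minimum the comment should say that both cases are now silently ignored.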
--
2.25.1
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I96YK9
CVE: NA
-----------------------------
It's fine that the associated msc is not found when the CPU comes online.
For example, the device platform does not support L3 cache and there is
indeed no L3 cache msc.
Signed-off-by: Zeng Heng <zengheng4(a)huawei.com>
---
arch/arm64/kernel/mpam/mpam_setup.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/kernel/mpam/mpam_setup.c b/arch/arm64/kernel/mpam/mpam_setup.c
index 4d0ec0052133..eb7110c4ec0c 100644
--- a/arch/arm64/kernel/mpam/mpam_setup.c
+++ b/arch/arm64/kernel/mpam/mpam_setup.c
@@ -71,6 +71,7 @@ static int mpam_resctrl_setup_domain(unsigned int cpu,
num_partid = mpam_sysprops_num_partid();
comp = NULL;
+
list_for_each_entry(comp_iter, &class->components, class_list) {
if (cpumask_test_cpu(cpu, &comp_iter->fw_affinity)) {
comp = comp_iter;
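Review bot: the only change in this hunk is a blank line added after `comp = NULL;`, which is unrelated to the fix described in the commit message. Please drop it from the bugfix or send it as a separate cleanup so the change stays minimal.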
@@ -78,9 +79,11 @@ static int mpam_resctrl_setup_domain(unsigned int cpu,
}
}
- /* cpu with unknown exported component? */
- if (WARN_ON_ONCE(!comp))
+ if (!comp) {
+ pr_info("There is no msc corresponding to CPU%d.\n", cpu);
return 0;
+ }
+
dom = kzalloc_node(sizeof(*dom), GFP_KERNEL, cpu_to_node(cpu));
if (!dom)
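Review bot: the `pr_info()` in the new `if (!comp)` branch fires on every call for a CPU without an msc, so on a platform like the one in the commit message (no L3 cache msc) it repeats for each CPU that comes online. Since the message describes this as an expected condition, `pr_debug()` or `pr_info_once()` would keep the log quiet. Note also that `return 0` reports success, so the caller cannot tell that no domain was set up for this CPU.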
@@ -168,8 +171,8 @@ int mpam_resctrl_cpu_offline(unsigned int cpu)
for_each_supported_resctrl_exports(res) {
d = resctrl_get_domain_from_cpu(cpu, &res->resctrl_res);
- /* cpu with unknown exported component? */
- if (WARN_ON_ONCE(!d))
+ /* There is no msc corresponding to the CPU */
+ if (!d)
continue;
cpumask_clear_cpu(cpu, &d->cpu_mask);
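Review bot: the new comment `/* There is no msc corresponding to the CPU */` above `if (!d)` states a cause, while the check only establishes that resctrl_get_domain_from_cpu() returned no domain. Wording such as "no domain for this CPU, e.g. no msc behind it" would be accurate, and it would help to mention that the online path logs this case while the offline path skips it silently.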
--
2.25.1