From: Jann Horn <jannh(a)google.com>
stable inclusion
from stable-v6.6.48
commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOAMF
CVE: CVE-2024-44947
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream.
fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).
So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.
The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().
This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable(a)kernel.org
Fixes: a1d75f258230 ("fuse: add store request")
Signed-off-by: Jann Horn <jannh(a)google.com>
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
fs/fuse/dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 8ac91ba05d6d..e6cbed7aedcb 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1627,9 +1627,11 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
this_num = min_t(unsigned, num, PAGE_SIZE - offset);
err = fuse_copy_page(cs, &page, offset, this_num, 0);
- if (!err && offset == 0 &&
- (this_num == PAGE_SIZE || file_size == end))
+ if (!PageUptodate(page) && !err && offset == 0 &&
+ (this_num == PAGE_SIZE || file_size == end)) {
+ zero_user_segment(page, this_num, PAGE_SIZE);
SetPageUptodate(page);
+ }
unlock_page(page);
put_page(page);
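Review bot: the `!PageUptodate(page)` test added to the condition is not explained in the commit message, which only covers the missing tail zeroing; a one-line comment above the `if` saying why both the zeroing and SetPageUptodate() are skipped for a page that is already uptodate would spare the next reader from working out whether `[this_num, PAGE_SIZE)` could hold data worth keeping on such a page. Note also that with `this_num == PAGE_SIZE` the `zero_user_segment(page, this_num, PAGE_SIZE)` call covers an empty range, so the new zeroing only does work on the `file_size == end` side of the condition, which is the beyond-EOF case the message describes.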
--
2.39.2
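The leak the commit message describes, as an added example in C that is not kernel code and not part of the patch or this mail: a userspace model of the page-tail handling in fuse_notify_store(). A page is a PAGE_SZ byte buffer; page_recycle() hands out a page that still holds a previous tenant's bytes unless init_on_alloc is set, standing in for a kernel with and without CONFIG_INIT_ON_ALLOC_DEFAULT_ON. store_page_leaky() mirrors the pre-patch condition (copy, then mark uptodate), store_page_fixed() mirrors the patched one, and bytes_leaked() counts what an mmap() reader would observe past EOF. The function and constant names are this example's own, the store data and stale fill are constructed, and only the offset == 0 case that the hunk guards is modelled.

```c
/*
 * Added example (not kernel code, not from the patch): a userspace model of
 * the fuse_notify_store() page-tail problem described in the commit message.
 * A page is a PAGE_SZ byte buffer; page_recycle() hands out a page that still
 * holds a previous tenant's bytes unless init_on_alloc is set, which is the
 * difference between a kernel with and without CONFIG_INIT_ON_ALLOC_DEFAULT_ON.
 * store_page_leaky() mirrors the pre-patch logic (copy, then mark uptodate);
 * store_page_fixed() mirrors the patched logic and zeroes [this_num, PAGE_SZ)
 * first.  bytes_leaked() counts what an mmap() reader would see past EOF.
 * Only the offset == 0 case that the hunk guards is modelled.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SZ 4096   /* model page size; the kernel uses PAGE_SIZE */

struct page {
    uint8_t data[PAGE_SZ];
    bool uptodate;
};

/* Allocate a page for the page cache.  Without init-on-alloc the old
 * contents (here: a constant fill standing in for someone else's data)
 * survive; with it the page comes back zeroed. */
static void page_recycle(struct page *pg, bool init_on_alloc)
{
    memset(pg->data, init_on_alloc ? 0x00 : 0x5A, PAGE_SZ);
    pg->uptodate = false;
}

static void zero_user_segment(struct page *pg, size_t start, size_t end)
{
    memset(pg->data + start, 0, end - start);
}

/* Pre-patch: copy this_num bytes at offset 0 and declare the page valid
 * without touching whatever lies beyond the copied range. */
static void store_page_leaky(struct page *pg, const uint8_t *src,
                             size_t this_num, uint64_t file_size, uint64_t end)
{
    memcpy(pg->data, src, this_num);
    if (this_num == PAGE_SZ || file_size == end)
        pg->uptodate = true;
}

/* Patched: same condition, but the tail past this_num is zeroed before
 * SetPageUptodate(), and an already-uptodate page is left alone. */
static void store_page_fixed(struct page *pg, const uint8_t *src,
                             size_t this_num, uint64_t file_size, uint64_t end)
{
    memcpy(pg->data, src, this_num);
    if (!pg->uptodate && (this_num == PAGE_SZ || file_size == end)) {
        zero_user_segment(pg, this_num, PAGE_SZ);
        pg->uptodate = true;
    }
}

/* Number of non-zero bytes a reader mapping the page sees beyond EOF.
 * A page that is not uptodate is never handed to mmap(), so it leaks nothing. */
static size_t bytes_leaked(const struct page *pg, size_t eof_in_page)
{
    size_t n = 0;

    if (!pg->uptodate)
        return 0;
    for (size_t i = eof_in_page; i < PAGE_SZ; i++)
        n += pg->data[i] != 0;
    return n;
}

/* One FUSE_NOTIFY_STORE of this_num bytes into a fresh page that ends the
 * file, so file_size == end holds and the page gets marked uptodate. */
size_t leak_after_store(bool fixed, bool init_on_alloc, size_t this_num)
{
    struct page pg;
    uint8_t payload[PAGE_SZ];
    uint64_t file_size = this_num;   /* EOF falls inside this page */
    uint64_t end = file_size;        /* the store reaches EOF exactly */

    memset(payload, 0x41, sizeof payload);   /* constructed store data */
    page_recycle(&pg, init_on_alloc);
    if (fixed)
        store_page_fixed(&pg, payload, this_num, file_size, end);
    else
        store_page_leaky(&pg, payload, this_num, file_size, end);
    return bytes_leaked(&pg, this_num);
}
```

With the pre-patch logic and no init-on-alloc, every byte between this_num and the end of the page is stale and readable; with init-on-alloc the same logic leaks nothing, which is the mitigation the commit message names, and the patched logic leaks nothing either way because it zeroes the tail before the page is declared valid.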
From: Jann Horn <jannh(a)google.com>
stable inclusion
from stable-v6.6.48
commit ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAOAMF
CVE: CVE-2024-44947
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 3c0da3d163eb32f1f91891efaade027fa9b245b9 upstream.
fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
zeroing (because it can be used to change partial page contents).
So fuse_notify_store() must be more careful to fully initialize page
contents (including parts of the page that are beyond end-of-file)
before marking the page uptodate.
The current code can leave beyond-EOF page contents uninitialized, which
makes these uninitialized page contents visible to userspace via mmap().
This is an information leak, but only affects systems which do not
enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
corresponding kernel command line parameter).
Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
Cc: stable(a)kernel.org
Fixes: a1d75f258230 ("fuse: add store request")
Signed-off-by: Jann Horn <jannh(a)google.com>
Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Yifan Qiao <qiaoyifan4(a)huawei.com>
---
fs/fuse/dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 1a8f82f478cb..8573d79ef29c 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1618,9 +1618,11 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
this_num = min_t(unsigned, num, PAGE_SIZE - offset);
err = fuse_copy_page(cs, &page, offset, this_num, 0);
- if (!err && offset == 0 &&
- (this_num == PAGE_SIZE || file_size == end))
+ if (!PageUptodate(page) && !err && offset == 0 &&
+ (this_num == PAGE_SIZE || file_size == end)) {
+ zero_user_segment(page, this_num, PAGE_SIZE);
SetPageUptodate(page);
+ }
unlock_page(page);
put_page(page);
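Review bot: this is the same hunk as the backport earlier in the thread, rebased onto a different fs/fuse/dev.c (index 1a8f82f478cb, hunk at line 1618 rather than 1627), and the same point applies: the `!PageUptodate(page)` guard is not mentioned in the commit message and deserves a one-line comment above the `if`. Since both backports carry an identical commit message and the same upstream reference, each mail should say which branch it targets so reviewers can tell them apart.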
--
2.39.2
From: Reinette Chatre <reinette.chatre(a)intel.com>
stable inclusion
from stable-v6.1.8
commit b9e8e3fcfec625fc1c2f68f684448aeeb882625b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IALILE
CVE: CVE-2022-48867
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
--------------------------------
commit 1beeec45f9ac31eba52478379f70a5fa9c2ad005 upstream.
On driver unload any pending descriptors are flushed at the
time the interrupt is freed:
idxd_dmaengine_drv_remove() ->
drv_disable_wq() ->
idxd_wq_free_irq() ->
idxd_flush_pending_descs().
If there are any descriptors present that need to be flushed this
flow triggers a "not present" page fault as below:
BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:
drv_disable_wq()->idxd_wq_free_resources()
Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.
Fixes: 63c14ae6c161 ("dmaengine: idxd: refactor wq driver enable/disable operations")
Suggested-by: Dave Jiang <dave.jiang(a)intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre(a)intel.com>
Reviewed-by: Dave Jiang <dave.jiang(a)intel.com>
Reviewed-by: Fenghua Yu <fenghua.yu(a)intel.com>
Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/r/6c4657d9cff0a0a00501a7b928297ac966e9ec9d.16704524…
Signed-off-by: Vinod Koul <vkoul(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com>
---
drivers/dma/idxd/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c
index 06f5d3783d77..300ee3b5cf63 100644
--- a/drivers/dma/idxd/device.c
+++ b/drivers/dma/idxd/device.c
@@ -1408,11 +1408,11 @@ void drv_disable_wq(struct idxd_wq *wq)
dev_warn(dev, "Clients has claim on wq %d: %d\n",
wq->id, idxd_wq_refcount(wq));
- idxd_wq_free_resources(wq);
idxd_wq_unmap_portal(wq);
idxd_wq_drain(wq);
idxd_wq_free_irq(wq);
idxd_wq_reset(wq);
+ idxd_wq_free_resources(wq);
percpu_ref_exit(&wq->wq_active);
wq->type = IDXD_WQT_NONE;
wq->client_count = 0;
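Review bot: the correctness of this reorder rests on call order alone, and nothing at the call site stops a later cleanup from hoisting `idxd_wq_free_resources(wq)` back above `idxd_wq_free_irq(wq)`, which is how 63c14ae6c161 introduced the use-after-free in the first place; add a comment at the new position stating that the descriptors must stay allocated until `idxd_wq_free_irq()` has flushed pending descriptors and `idxd_wq_reset()` has stopped the device from writing completions. The `dev_warn()` in the context lines shows the teardown continues even when clients still hold a claim on the wq; the commit message could say whether freeing the descriptors is safe in that case or whether that is out of scope here.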
--
2.25.1
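The ordering problem the commit message describes, as an added example in C that is not the idxd driver's code and not part of this mail: a userspace model of drv_disable_wq() in which a work queue owns a fixed descriptor pool, freeing the IRQ flushes every pending descriptor (and so reads it), and freeing the resources poisons the pool the way slab debugging poisons freed memory instead of really freeing it, so a flush that runs too late sees garbage rather than faulting and the model stays free of undefined behaviour. The names wq_alloc_resources, wq_free_resources, wq_free_irq, wq_reset, disable_wq and run_teardown, the DESC_MAGIC value and the pool size are this example's own; the poison byte follows the slab debug convention but is an assumption here.

```c
/*
 * Added example (not the idxd driver's code): a userspace model of the
 * drv_disable_wq() teardown order from the patch.  A work queue owns a
 * fixed descriptor pool; freeing the IRQ flushes every pending descriptor,
 * which means reading it, so the pool has to stay alive until that flush
 * and the device reset are done.  wq_free_resources() poisons the pool
 * the way slab debugging poisons freed memory instead of really freeing
 * it, so that a flush which runs too late sees garbage rather than
 * faulting; this keeps the model free of undefined behaviour.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_DESCS   8
#define DESC_MAGIC  0x1dcd5000u   /* arbitrary marker for a live descriptor */
#define POISON_FREE 0x6b          /* byte slab debugging writes over freed objects (assumed) */

struct desc {
    uint32_t magic;    /* identifies a live descriptor */
    uint32_t id;
    uint8_t  pending;  /* submitted to the device, completion outstanding */
};

struct wq {
    struct desc pool[NUM_DESCS];
    bool resources_valid;
    int flushed;    /* pending descriptors completed by the flush */
    int corrupted;  /* "descriptors" the flush found that were not descriptors */
};

/* Model of resource allocation at wq enable; the first `pending` descriptors
 * are treated as submitted and still outstanding. */
static void wq_alloc_resources(struct wq *wq, unsigned int pending)
{
    memset(wq, 0, sizeof *wq);
    for (unsigned int i = 0; i < NUM_DESCS; i++) {
        wq->pool[i].magic = DESC_MAGIC;
        wq->pool[i].id = i;
        wq->pool[i].pending = i < pending;
    }
    wq->resources_valid = true;
}

/* Model of idxd_wq_free_resources(): the pool is gone after this. */
static void wq_free_resources(struct wq *wq)
{
    memset(wq->pool, POISON_FREE, sizeof wq->pool);
    wq->resources_valid = false;
}

/* Model of idxd_wq_free_irq() -> idxd_flush_pending_descs(): walks the
 * pool and completes whatever is still pending.  It does not (and in the
 * driver cannot) check whether the pool was already freed. */
static void wq_free_irq(struct wq *wq)
{
    for (unsigned int i = 0; i < NUM_DESCS; i++) {
        struct desc *d = &wq->pool[i];

        if (!d->pending)
            continue;
        if (d->magic != DESC_MAGIC) {
            wq->corrupted++;      /* reading freed memory */
            continue;
        }
        d->pending = 0;
        wq->flushed++;
    }
}

/* Model of idxd_wq_reset(): after this the device writes no completions. */
static void wq_reset(struct wq *wq)
{
    (void)wq;
}

/* drv_disable_wq() with the resource free either before the IRQ free
 * (the order 63c14ae6c161 left behind) or after the reset (patched order). */
static void disable_wq(struct wq *wq, bool free_resources_first)
{
    if (free_resources_first)
        wq_free_resources(wq);
    wq_free_irq(wq);
    wq_reset(wq);
    if (!free_resources_first)
        wq_free_resources(wq);
}

/* Enable a queue with `pending` outstanding descriptors and tear it down in
 * the requested order; the returned wq carries the flushed/corrupted counts. */
struct wq run_teardown(bool free_resources_first, unsigned int pending)
{
    struct wq wq;

    wq_alloc_resources(&wq, pending);
    disable_wq(&wq, free_resources_first);
    return wq;
}
```

In the pre-fix order the flush walks a poisoned pool: every slot reads as pending and none carries a valid magic, so nothing is completed and all of them count as freed memory being read; in the patched order the three pending descriptors are completed and the pool is only poisoned afterwards.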
tree: https://gitee.com/openeuler/kernel.git OLK-5.10
head: b7bed6628b750ffd687d1da0a170dece4b0c08bd
commit: 2e1b00fcf1e3152a1e73846f5f9ec37cef088a65 [29999/30000] ACPI/HMAT: Add missing locality information for hot-added device
config: x86_64-randconfig-013-20240903 (https://download.01.org/0day-ci/archive/20240904/202409040825.59qJfROR-lkp@…)
compiler: gcc-11 (Debian 11.3.0-12) 11.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240904/202409040825.59qJfROR-lkp@…)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202409040825.59qJfROR-lkp@intel.com/
All errors (new ones prefixed by >>):
ld: drivers/acpi/acpi_memhotplug.o: in function `acpi_memory_enable_device':
>> drivers/acpi/acpi_memhotplug.c:236: undefined reference to `hmat_restore_target'
vim +236 drivers/acpi/acpi_memhotplug.c
   171	
   172	static int acpi_memory_enable_device(struct acpi_memory_device *mem_device)
   173	{
   174		acpi_handle handle = mem_device->device->handle;
   175		int result, num_enabled = 0;
   176		struct acpi_memory_info *info;
   177		int node;
   178	
   179		node = acpi_get_node(handle);
   180		/*
   181		 * Tell the VM there is more memory here...
   182		 * Note: Assume that this function returns zero on success
   183		 * We don't have memory-hot-add rollback function,now.
   184		 * (i.e. memory-hot-remove function)
   185		 */
   186		list_for_each_entry(info, &mem_device->res_list, list) {
   187			if (info->enabled) { /* just sanity check...*/
   188				num_enabled++;
   189				continue;
   190			}
   191			/*
   192			 * If the memory block size is zero, please ignore it.
   193			 * Don't try to do the following memory hotplug flowchart.
   194			 */
   195			if (!info->length)
   196				continue;
   197			if (node < 0)
   198				node = memory_add_physaddr_to_nid(info->start_addr);
   199	
   200			result = __add_memory(node, info->start_addr, info->length,
   201					      MHP_NONE);
   202	
   203			/*
   204			 * If the memory block has been used by the kernel, add_memory()
   205			 * returns -EEXIST. If add_memory() returns the other error, it
   206			 * means that this memory block is not used by the kernel.
   207			 */
   208			if (result && result != -EEXIST)
   209				continue;
   210	
   211			result = acpi_bind_memory_blocks(info, mem_device->device);
   212			if (result) {
   213				acpi_unbind_memory_blocks(info);
   214				return -ENODEV;
   215			}
   216	
   217			info->enabled = 1;
   218	
   219			/*
   220			 * Add num_enable even if add_memory() returns -EEXIST, so the
   221			 * device is bound to this driver.
   222			 */
   223	
   224			hotplug_mdev[node] = mem_device->device;
   225			num_enabled++;
   226		}
   227		if (acpi_has_method(handle, "_HMA")) {
   228			acpi_status status;
   229			struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
   230	
   231			status = acpi_evaluate_object(handle, "_HMA", NULL, &buffer);
   232			if (ACPI_SUCCESS(status) && buffer.length) {
   233				union acpi_object *obj = buffer.pointer;
   234	
   235				if (!obj->buffer.length)
 > 236				hmat_restore_target(node);
   237			}
   238		}
   239	
   240		if (!num_enabled) {
   241			dev_err(&mem_device->device->dev, "add_memory failed\n");
   242			return -EINVAL;
   243		}
   244		/*
   245		 * Sometimes the memory device will contain several memory blocks.
   246		 * When one memory block is hot-added to the system memory, it will
   247		 * be regarded as a success.
   248		 * Otherwise if the last memory block can't be hot-added to the system
   249		 * memory, it will be failure and the memory device can't be bound with
   250		 * driver.
   251		 */
   252		return 0;
   253	}
   254	
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki