From: Ziyang Xuan william.xuanziyang@huawei.com

hulk inclusion category: bugfix bugzilla: 187826, https://gitee.com/openeuler/kernel/issues/I9K8D1

--------------------------------

Format '%u' specifies type 'unsigned int' which is nominally inconsistent with ntohs() result of promoted type 'unsigned short int'.

Use '%u' for ntohs() result will trigger warnings. Fix them by using '%hu' for ntohs() result.

Fixes: 877e893ac68e ("[Huawei] bpf: Add new bpf helper to get SO_ORIGINAL_DST/REPLY_SRC") Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com Signed-off-by: Dong Chenchen dongchenchen2@huawei.com --- net/netfilter/nf_conntrack_proto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index dd1fff72c736..1922620c8405 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -340,14 +340,14 @@ bpf_getorigdst_impl(struct sock *sk, int optval, void *user, int *len, int dir) } memset(sin.sin_zero, 0, sizeof(sin.sin_zero));

- pr_debug("SO_ORIGINAL_DST: %pI4 %u\n", + pr_debug("SO_ORIGINAL_DST: %pI4 %hu\n", &sin.sin_addr.s_addr, ntohs(sin.sin_port)); nf_ct_put(ct);

memcpy(user, &sin, sizeof(sin)); return 0; } - pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%u-%pI4/%u.\n", + pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%hu-%pI4/%hu.\n", &tuple.src.u3.ip, ntohs(tuple.src.u.tcp.port), &tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port)); return -ENOENT;

From: Lu Wei luwei32@huawei.com

hulk inclusion category: bugfix bugzilla: 187830, https://gitee.com/openeuler/kernel/issues/I9K8D1

--------------------------------

The return-type-of-the-function should be on the same line as the function-name.

Fixes: 877e893ac68e ("bpf: Add new bpf helper to get SO_ORIGINAL_DST/REPLY_SRC") Signed-off-by: Lu Wei luwei32@huawei.com Signed-off-by: Dong Chenchen dongchenchen2@huawei.com --- net/netfilter/nf_conntrack_proto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index ca4bfbc8afd8..b0fc4d881d76 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -292,8 +292,8 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len) return -ENOENT; }

-static int -bpf_getorigdst_impl(struct sock *sk, int optval, void *user, int *len, int dir) +static int bpf_getorigdst_impl(struct sock *sk, int optval, void *user, + int *len, int dir) { const struct inet_sock *inet = inet_sk(sk); const struct nf_conntrack_tuple_hash *h;

From: Lu Wei luwei32@huawei.com

hulk inclusion category: feature bugzilla: 187986, https://gitee.com/openeuler/kernel/issues/I9K8D1

-------------------------------

Add Kconfig for customized socketmap for EulerOS.

Signed-off-by: Lu Wei luwei32@huawei.com Signed-off-by: Dong Chenchen dongchenchen2@huawei.com --- arch/arm64/configs/openeuler_defconfig | 1 + arch/x86/configs/openeuler_defconfig | 1 + include/net/netfilter/nf_conntrack.h | 2 ++ include/net/sock.h | 6 +++++- net/Kconfig | 10 ++++++++++ net/core/filter.c | 8 ++++++++ net/core/sock.c | 4 ++++ net/netfilter/nf_conntrack_proto.c | 6 ++++++ net/socket.c | 2 ++ 9 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig index a83bf85e289b..7547c26698b6 100644 --- a/arch/arm64/configs/openeuler_defconfig +++ b/arch/arm64/configs/openeuler_defconfig @@ -1835,6 +1835,7 @@ CONFIG_NET_RX_BUSY_POLL=y CONFIG_BQL=y CONFIG_BPF_JIT=y CONFIG_BPF_STREAM_PARSER=y +CONFIG_EULER_SOCKETMAP=y CONFIG_NET_FLOW_LIMIT=y

# diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 9a570231e72a..d5087a9bd0da 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -1769,6 +1769,7 @@ CONFIG_NET_RX_BUSY_POLL=y CONFIG_BQL=y CONFIG_BPF_JIT=y CONFIG_BPF_STREAM_PARSER=y +CONFIG_EULER_SOCKETMAP=y CONFIG_NET_FLOW_LIMIT=y

# diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 2b2d9deed907..d4b628317781 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -342,8 +342,10 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info) #define MODULE_ALIAS_NFCT_HELPER(helper) \ MODULE_ALIAS("nfct-helper-" helper)

+#ifdef CONFIG_EULER_SOCKETMAP typedef int (*bpf_getorigdst_opt_func)(struct sock *sk, int optname, void *optval, int *optlen, int dir); extern bpf_getorigdst_opt_func bpf_getorigdst_opt; +#endif

#endif /* _NF_CONNTRACK_H */ diff --git a/include/net/sock.h b/include/net/sock.h index 7078c98f9726..eb05a34499cf 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -525,7 +525,7 @@ struct sock { #endif struct rcu_head sk_rcu;

-#ifndef __GENKSYMS__ +#if defined(CONFIG_EULER_SOCKETMAP) && !defined(__GENKSYMS__) union { kgid_t sk_gid; u64 sk_gid_padding; @@ -1985,7 +1985,9 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) parent->sk = sk; sk_set_socket(sk, parent); sk->sk_uid = SOCK_INODE(parent)->i_uid; +#ifdef CONFIG_EULER_SOCKETMAP sk->sk_gid = SOCK_INODE(parent)->i_gid; +#endif security_sock_graft(sk, parent); write_unlock_bh(&sk->sk_callback_lock); } @@ -1999,10 +2001,12 @@ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) return sk ? sk->sk_uid : make_kuid(net->user_ns, 0); }

+#ifdef CONFIG_EULER_SOCKETMAP static inline kgid_t sock_net_gid(const struct net *net, const struct sock *sk) { return sk ? sk->sk_gid : make_kgid(net->user_ns, 0); } +#endif

static inline u32 net_tx_rndhash(void) { diff --git a/net/Kconfig b/net/Kconfig index 6186e9ad88a3..51a934426f9f 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -318,6 +318,16 @@ config BPF_STREAM_PARSER It can be used to enforce socket policy, implement socket redirects, etc.

+config EULER_SOCKETMAP + bool "enable EulerOS SOCKETMAP" + depends on INET + depends on BPF_SYSCALL + depends on CGROUP_BPF + select NET_SOCK_MSG + default n + help + Enabling this support socket map in EulerOS. + config NET_FLOW_LIMIT bool depends on RPS diff --git a/net/core/filter.c b/net/core/filter.c index 96a3e7f5c9e3..838813229564 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -5095,6 +5095,7 @@ static const struct bpf_func_proto bpf_sock_addr_setsockopt_proto = { .arg5_type = ARG_CONST_SIZE, };

+#ifdef CONFIG_EULER_SOCKETMAP BPF_CALL_1(bpf_get_sockops_uid_gid, struct bpf_sock_ops_kern *, bpf_sock) { struct sock *sk = bpf_sock->sk; @@ -5165,6 +5166,7 @@ static const struct bpf_func_proto bpf_sk_original_addr_proto = { .arg3_type = ARG_PTR_TO_UNINIT_MEM, .arg4_type = ARG_CONST_SIZE, }; +#endif

BPF_CALL_5(bpf_sock_addr_getsockopt, struct bpf_sock_addr_kern *, ctx, int, level, int, optname, char *, optval, int, optlen) @@ -7470,10 +7472,12 @@ sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_sk_storage_delete_proto; case BPF_FUNC_get_netns_cookie: return &bpf_get_netns_cookie_sock_ops_proto; +#ifdef CONFIG_EULER_SOCKETMAP case BPF_FUNC_get_sockops_uid_gid: return &bpf_get_sockops_uid_gid_proto; case BPF_FUNC_sk_original_addr: return &bpf_sk_original_addr_proto; +#endif #ifdef CONFIG_INET case BPF_FUNC_load_hdr_opt: return &bpf_sock_ops_load_hdr_opt_proto; @@ -7870,7 +7874,9 @@ static bool __sock_filter_check_attach_type(int off, case bpf_ctx_range(struct bpf_sock, src_ip4): switch (attach_type) { case BPF_CGROUP_INET4_POST_BIND: +#ifdef CONFIG_EULER_SOCKETMAP case BPF_CGROUP_INET_SOCK_RELEASE: +#endif goto read_only; default: return false; @@ -7886,7 +7892,9 @@ static bool __sock_filter_check_attach_type(int off, switch (attach_type) { case BPF_CGROUP_INET4_POST_BIND: case BPF_CGROUP_INET6_POST_BIND: +#ifdef CONFIG_EULER_SOCKETMAP case BPF_CGROUP_INET_SOCK_RELEASE: +#endif goto read_only; default: return false; diff --git a/net/core/sock.c b/net/core/sock.c index da0c980ad238..a64ad3aeea8e 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3029,10 +3029,14 @@ void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid) sk->sk_type = sock->type; RCU_INIT_POINTER(sk->sk_wq, &sock->wq); sock->sk = sk; +#ifdef CONFIG_EULER_SOCKETMAP sk->sk_gid = SOCK_INODE(sock)->i_gid; +#endif } else { RCU_INIT_POINTER(sk->sk_wq, NULL); +#ifdef CONFIG_EULER_SOCKETMAP sk->sk_gid = make_kgid(sock_net(sk)->user_ns, 0); +#endif } sk->sk_uid = uid;

diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index b0fc4d881d76..f4d62fced6dd 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -292,6 +292,7 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len) return -ENOENT; }

+#ifdef CONFIG_EULER_SOCKETMAP static int bpf_getorigdst_impl(struct sock *sk, int optval, void *user, int *len, int dir) { @@ -352,6 +353,7 @@ static int bpf_getorigdst_impl(struct sock *sk, int optval, void *user, &tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port)); return -ENOENT; } +#endif

static struct nf_sockopt_ops so_getorigdst = { .pf = PF_INET, @@ -717,7 +719,9 @@ int nf_conntrack_proto_init(void) goto cleanup_sockopt; #endif

+#ifdef CONFIG_EULER_SOCKETMAP bpf_getorigdst_opt = bpf_getorigdst_impl; +#endif

return ret;

@@ -730,7 +734,9 @@ int nf_conntrack_proto_init(void)

void nf_conntrack_proto_fini(void) { +#ifdef CONFIG_EULER_SOCKETMAP bpf_getorigdst_opt = NULL; +#endif

nf_unregister_sockopt(&so_getorigdst); #if IS_ENABLED(CONFIG_IPV6) diff --git a/net/socket.c b/net/socket.c index 32136e9bebdb..a72baac5074e 100644 --- a/net/socket.c +++ b/net/socket.c @@ -545,7 +545,9 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)

if (sock->sk) { sock->sk->sk_uid = iattr->ia_uid; +#ifdef CONFIG_EULER_SOCKETMAP sock->sk->sk_gid = iattr->ia_gid; +#endif } else { err = -ENOENT; }

mainline inclusion from mainline-v6.6-rc7 commit 6d41d4fe28724db16ca1016df0713a07e0cc7448 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1 CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430 Read of size 1 at addr ffff8881051f3bf8 by task ip/668

CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x72/0xa0 print_report+0xd0/0x620 kasan_report+0xb6/0xf0 xfrm_policy_inexact_list_reinsert+0xb6/0x430 xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800 xfrm_policy_inexact_alloc_chain+0x23f/0x320 xfrm_policy_inexact_insert+0x6b/0x590 xfrm_policy_insert+0x3b1/0x480 xfrm_add_policy+0x23c/0x3c0 xfrm_user_rcv_msg+0x2d0/0x510 netlink_rcv_skb+0x10d/0x2d0 xfrm_netlink_rcv+0x49/0x60 netlink_unicast+0x3fe/0x540 netlink_sendmsg+0x528/0x970 sock_sendmsg+0x14a/0x160 ____sys_sendmsg+0x4fc/0x580 ___sys_sendmsg+0xef/0x160 __sys_sendmsg+0xf7/0x1b0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x73/0xdd

The root cause is:

cpu 0 cpu1 xfrm_dump_policy xfrm_policy_walk list_move_tail xfrm_add_policy ... ... xfrm_policy_inexact_list_reinsert list_for_each_entry_reverse if (!policy->bydst_reinsert) //read non-existent policy xfrm_dump_policy_done xfrm_policy_walk_done list_del(&walk->walk.all);

If dump_one_policy() returns err (triggered by netlink socket), xfrm_policy_walk() will move walk initialized by socket to list net->xfrm.policy_all. so this socket becomes visible in the global policy list. The head *walk can be traversed when users add policies with different prefixlen and trigger xfrm_policy node merge.

The issue can also be triggered by policy list traversal while rehashing and flushing policies.

It can be fixed by skip such "policies" with walk.dead set to 1.

Fixes: 9cf545ebd591 ("xfrm: policy: store inexact policies in a tree ordered by destination address") Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list") Signed-off-by: Dong Chenchen dongchenchen2@huawei.com Signed-off-by: Steffen Klassert steffen.klassert@secunet.com Conflicts: net/xfrm/xfrm_policy.c [commit 919e43fad516 was not merged. xfrm_policy.c doesnt have implemention of xfrm_dev_policy_flush()] --- net/xfrm/xfrm_policy.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 8ec9c893a7ea..92803d2a8828 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -850,7 +850,7 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net, struct hlist_node *newpos = NULL; bool matches_s, matches_d;

- if (!policy->bydst_reinsert) + if (policy->walk.dead || !policy->bydst_reinsert) continue;

WARN_ON_ONCE(policy->family != family); @@ -1255,8 +1255,11 @@ static void xfrm_hash_rebuild(struct work_struct *work) struct xfrm_pol_inexact_bin *bin; u8 dbits, sbits;

+ if (policy->walk.dead) + continue; + dir = xfrm_policy_id2dir(policy->index); - if (policy->walk.dead || dir >= XFRM_POLICY_MAX) + if (dir >= XFRM_POLICY_MAX) continue;

if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) { @@ -1790,9 +1793,11 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)

again: list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) { + if (pol->walk.dead) + continue; + dir = xfrm_policy_id2dir(pol->index); - if (pol->walk.dead || - dir >= XFRM_POLICY_MAX || + if (dir >= XFRM_POLICY_MAX || pol->type != type) continue;