[PATCH openEuler-1.0-LTS V2 0/2] Fix CVE-2023-52656

List overview All Threads
Download

newer

older

[PATCH OLK5.10 0/1] net-memcg: Fix...

[PATCH OLK-5.10 0/1] net-memcg:...

Zizhi Wo

23 May 2024 23 May '24

1:21 a.m.

V2: fix an undeclared error with io_uring_fops

V1: fix main error

Jens Axboe (2): io_uring/unix: drop usage of io_uring socket io_uring: drop any code related to SCM_RIGHTS

fs/io_uring.c | 212 +-------------------------------------------- include/linux/fs.h | 6 +- net/core/scm.c | 2 +- net/unix/scm.c | 4 +- 4 files changed, 8 insertions(+), 216 deletions(-)

-- 2.39.2

Show replies by date

patchwork bot

22 May 22 May

5:32 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/7794 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/E...

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/7794 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/E...

Zizhi Wo

23 May 23 May

1:21 a.m.

New subject: [PATCH openEuler-1.0-LTS V2 1/2] io_uring/unix: drop usage of io_uring socket

From: Jens Axboe axboe@kernel.dk

stable inclusion from stable-v5.10.214 commit 875f5fed30a182675f729f35bbd6ad62b52bd1ac category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9P06W CVE: CVE-2023-52656

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

Commit a4104821ad651d8a0b374f0b2474c345bbb42f82 upstream.

Since we no longer allow sending io_uring fds over SCM_RIGHTS, move to using io_is_uring_fops() to detect whether this is a io_uring fd or not. With that done, kill off io_uring_get_socket() as nobody calls it anymore.

This is in preparation to yanking out the rest of the core related to unix gc with io_uring.

Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Sasha Levin sashal@kernel.org

Conflicts: include/linux/io_uring.h include/linux/fs.h fs/io_uring.c io_uring/io_uring.c Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/io_uring.c | 12 ++---------- include/linux/fs.h | 6 +++--- net/core/scm.c | 2 +- net/unix/scm.c | 4 +--- 4 files changed, 7 insertions(+), 17 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c index afac3197fd6c..4148912d8380 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -928,18 +928,10 @@ static struct kmem_cache *req_cachep;

static const struct file_operations io_uring_fops;

-struct sock *io_uring_get_socket(struct file *file) +bool io_is_uring_fops(struct file *file) { -#if defined(CONFIG_UNIX) - if (file->f_op == &io_uring_fops) { - struct io_ring_ctx *ctx = file->private_data; - - return ctx->ring_sock->sk; - } -#endif - return NULL; + return file->f_op == &io_uring_fops; } -EXPORT_SYMBOL(io_uring_get_socket);

static void io_get_req_task(struct io_kiocb *req) { diff --git a/include/linux/fs.h b/include/linux/fs.h index 1fad2c5c2fc2..1c9aac073db1 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -3593,11 +3593,11 @@ static inline int inode_drain_writes(struct inode *inode) }

#if defined(CONFIG_IO_URING) -extern struct sock *io_uring_get_socket(struct file *file); +extern bool io_is_uring_fops(struct file *file); #else -static inline struct sock *io_uring_get_socket(struct file *file) +static inline bool io_is_uring_fops(struct file *file) { - return NULL; + return false; } #endif

diff --git a/net/core/scm.c b/net/core/scm.c index 4cf9ef6e0250..c71779287649 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -108,7 +108,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) if (fd < 0 || !(file = fget_raw(fd))) return -EBADF; /* don't allow io_uring files */ - if (io_uring_get_socket(file)) { + if (io_is_uring_fops(file)) { fput(file); return -EINVAL; } diff --git a/net/unix/scm.c b/net/unix/scm.c index e881a6e78af5..51b623de3be5 100644 --- a/net/unix/scm.c +++ b/net/unix/scm.c @@ -33,10 +33,8 @@ struct sock *unix_get_socket(struct file *filp) /* PF_UNIX ? */ if (s && sock->ops && sock->ops->family == PF_UNIX) u_sock = s; - } else { - /* Could be an io_uring instance */ - u_sock = io_uring_get_socket(filp); } + return u_sock; } EXPORT_SYMBOL(unix_get_socket);

-- 2.39.2

Zizhi Wo

1:21 a.m.

New subject: [PATCH openEuler-1.0-LTS V2 2/2] io_uring: drop any code related to SCM_RIGHTS

From: Jens Axboe axboe@kernel.dk

stable inclusion from stable-v5.10.214 commit a6771f343af90a25f3a14911634562bb5621df02 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9P06W CVE: CVE-2023-52656

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

Commit 6e5e6d274956305f1fc0340522b38f5f5be74bdb upstream.

This is dead code after we dropped support for passing io_uring fds over SCM_RIGHTS, get rid of it.

Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Sasha Levin sashal@kernel.org

Conflicts: io_uring/io_uring.c fs/io_uring.c Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/io_uring.c | 200 +------------------------------------------------- 1 file changed, 1 insertion(+), 199 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c index 4148912d8380..dde9205fc287 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -64,7 +64,6 @@ #include <linux/net.h> #include <net/sock.h> #include <net/af_unix.h> -#include <net/scm.h> #include <linux/anon_inodes.h> #include <linux/sched/mm.h> #include <linux/uaccess.h> @@ -302,10 +301,6 @@ struct io_ring_ctx { /* if all else fails... */ struct io_kiocb *fallback_req;

-#if defined(CONFIG_UNIX) - struct socket *ring_sock; -#endif - struct idr io_buffer_idr;

struct idr personality_idr; @@ -6734,15 +6729,6 @@ static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,

static void __io_sqe_files_unregister(struct io_ring_ctx *ctx) { -#if defined(CONFIG_UNIX) - if (ctx->ring_sock) { - struct sock *sock = ctx->ring_sock->sk; - struct sk_buff *skb; - - while ((skb = skb_dequeue(&sock->sk_receive_queue)) != NULL) - kfree_skb(skb); - } -#else int i;

for (i = 0; i < ctx->nr_user_files; i++) { @@ -6752,7 +6738,6 @@ static void __io_sqe_files_unregister(struct io_ring_ctx *ctx) if (file) fput(file); } -#endif }

static void io_file_ref_kill(struct percpu_ref *ref) @@ -6821,104 +6806,6 @@ static void io_finish_async(struct io_ring_ctx *ctx) } }

-#if defined(CONFIG_UNIX) -/* - * Ensure the UNIX gc is aware of our file set, so we are certain that - * the io_uring can be safely unregistered on process exit, even if we have - * loops in the file referencing. - */ -static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset) -{ - struct sock *sk = ctx->ring_sock->sk; - struct scm_fp_list *fpl; - struct sk_buff *skb; - int i, nr_files; - - fpl = kzalloc(sizeof(*fpl), GFP_KERNEL); - if (!fpl) - return -ENOMEM; - - skb = alloc_skb(0, GFP_KERNEL); - if (!skb) { - kfree(fpl); - return -ENOMEM; - } - - skb->sk = sk; - skb->scm_io_uring = 1; - - nr_files = 0; - fpl->user = get_uid(ctx->user); - for (i = 0; i < nr; i++) { - struct file *file = io_file_from_index(ctx, i + offset); - - if (!file) - continue; - fpl->fp[nr_files] = get_file(file); - unix_inflight(fpl->user, fpl->fp[nr_files]); - nr_files++; - } - - if (nr_files) { - fpl->max = SCM_MAX_FD; - fpl->count = nr_files; - UNIXCB(skb).fp = fpl; - skb->destructor = unix_destruct_scm; - refcount_add(skb->truesize, &sk->sk_wmem_alloc); - skb_queue_head(&sk->sk_receive_queue, skb); - - for (i = 0; i < nr_files; i++) - fput(fpl->fp[i]); - } else { - kfree_skb(skb); - kfree(fpl); - } - - return 0; -} - -/* - * If UNIX sockets are enabled, fd passing can cause a reference cycle which - * causes regular reference counting to break down. We rely on the UNIX - * garbage collection to take care of this problem for us. - */ -static int io_sqe_files_scm(struct io_ring_ctx *ctx) -{ - unsigned left, total; - int ret = 0; - - total = 0; - left = ctx->nr_user_files; - while (left) { - unsigned this_files = min_t(unsigned, left, SCM_MAX_FD); - - ret = __io_sqe_files_scm(ctx, this_files, total); - if (ret) - break; - left -= this_files; - total += this_files; - } - - if (!ret) - return 0; - - while (total < ctx->nr_user_files) { - struct file *file = io_file_from_index(ctx, total); - - if (file) - fput(file); - total++; - } - - return ret; -} -#else -static int io_sqe_files_scm(struct io_ring_ctx *ctx) -{ - return 0; -} -#endif - static int io_sqe_alloc_file_tables(struct fixed_file_data *file_data, unsigned nr_tables, unsigned nr_files) { @@ -6948,64 +6835,7 @@ static int io_sqe_alloc_file_tables(struct fixed_file_data *file_data,

static void io_ring_file_put(struct io_ring_ctx *ctx, struct file *file) { -#if defined(CONFIG_UNIX) - struct sock *sock = ctx->ring_sock->sk; - struct sk_buff_head list, *head = &sock->sk_receive_queue; - struct sk_buff *skb; - int i; - - __skb_queue_head_init(&list); - - /* - * Find the skb that holds this file in its SCM_RIGHTS. When found, - * remove this entry and rearrange the file array. - */ - skb = skb_dequeue(head); - while (skb) { - struct scm_fp_list *fp; - - fp = UNIXCB(skb).fp; - for (i = 0; i < fp->count; i++) { - int left; - - if (fp->fp[i] != file) - continue; - - unix_notinflight(fp->user, fp->fp[i]); - left = fp->count - 1 - i; - if (left) { - memmove(&fp->fp[i], &fp->fp[i + 1], - left * sizeof(struct file *)); - } - fp->count--; - if (!fp->count) { - kfree_skb(skb); - skb = NULL; - } else { - __skb_queue_tail(&list, skb); - } - fput(file); - file = NULL; - break; - } - - if (!file) - break; - - __skb_queue_tail(&list, skb); - - skb = skb_dequeue(head); - } - - if (skb_peek(&list)) { - spin_lock_irq(&head->lock); - while ((skb = __skb_dequeue(&list)) != NULL) - __skb_queue_tail(head, skb); - spin_unlock_irq(&head->lock); - } -#else fput(file); -#endif }

struct io_file_put { @@ -7182,12 +7012,6 @@ static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg, table->files[index] = file; }

- ret = io_sqe_files_scm(ctx); - if (ret) { - io_sqe_files_unregister(ctx); - return ret; - } - ref_node = alloc_fixed_file_ref_node(ctx); if (IS_ERR(ref_node)) { io_sqe_files_unregister(ctx); @@ -7812,13 +7636,6 @@ static void io_ring_ctx_free(struct io_ring_ctx *ctx) io_destroy_buffers(ctx); idr_destroy(&ctx->personality_idr);

-#if defined(CONFIG_UNIX) - if (ctx->ring_sock) { - ctx->ring_sock->file = NULL; /* so that iput() is called */ - sock_release(ctx->ring_sock); - } -#endif - io_mem_free(ctx->rings); io_mem_free(ctx->sq_sqes);

@@ -8439,21 +8256,13 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx, /* * Allocate an anonymous fd, this is what constitutes the application * visible backing of an io_uring instance. The application mmaps this - * fd to gain access to the SQ/CQ ring details. If UNIX sockets are enabled, - * we have to tie this fd to a socket for file garbage collection purposes. + * fd to gain access to the SQ/CQ ring details. */ static int io_uring_get_fd(struct io_ring_ctx *ctx) { struct file *file; int ret;

-#if defined(CONFIG_UNIX) - ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP, - &ctx->ring_sock); - if (ret) - return ret; -#endif - ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC); if (ret < 0) goto err; @@ -8466,16 +8275,9 @@ static int io_uring_get_fd(struct io_ring_ctx *ctx) goto err; }

-#if defined(CONFIG_UNIX) - ctx->ring_sock->file = file; -#endif fd_install(ret, file); return ret; err: -#if defined(CONFIG_UNIX) - sock_release(ctx->ring_sock); - ctx->ring_sock = NULL; -#endif return ret; }

-- 2.39.2

188

Age (days ago)

188

Last active (days ago)

kernel@openeuler.org

3 comments

2 participants

tags (0)

participants (2)

patchwork bot
Zizhi Wo