From: Zhang Yi yi.zhang@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4VAQC?from=project-issue
CVE: NA
--------------------------------
Fix a compile error on arm32 architecture.
build failed: arm, allmodconfig
ERROR: modpost: "__aeabi_ldivmod" [fs/ext4/ext4.ko] undefined!
make[1]: *** [modules-only.symvers] Error 1
make[1]: *** Deleting file 'modules-only.symvers'
make: *** [modules] Error 2

Fixes: 356efe60eb78 ("ext4: fix underflow in ext4_max_bitmap_size()")
Signed-off-by: Zhang Yi yi.zhang@huawei.com
Reviewed-by: Yang Erkun yangerkun@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 fs/ext4/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 19539be45aec..f1a089ebe848 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3274,15 +3274,15 @@ static loff_t ext4_max_bitmap_size(int bits, int has_huge_files) upper_limit -= ppb; /* double indirect blocks */ if (upper_limit < ppb * ppb) { - meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb); + meta_blocks += 1 + DIV_ROUND_UP_ULL(upper_limit, ppb); res -= meta_blocks; goto check_lfs; } meta_blocks += 1 + ppb; upper_limit -= ppb * ppb; /* tripple indirect blocks for the rest */ - meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) + - DIV_ROUND_UP(upper_limit, ppb*ppb); + meta_blocks += 1 + DIV_ROUND_UP_ULL(upper_limit, ppb) + + DIV_ROUND_UP_ULL(upper_limit, ppb*ppb); res -= meta_blocks; check_lfs: res <<= bits;
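Review bot: in the triple indirect expression the second call passes `ppb*ppb` as the divisor to DIV_ROUND_UP_ULL, and that macro is built on do_div(), which takes a 32-bit divisor. The declarations of ppb and upper_limit are not visible in this hunk, so please confirm that ppb*ppb cannot exceed 32 bits for the largest supported block size. The commit message would also be clearer if it named the 64-bit operand that makes plain DIV_ROUND_UP emit a call to __aeabi_ldivmod on arm32.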
From: fuyufan fuyufan@huawei.com
euler inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4URME
CVE: NA
--------------------------------
Enable CONFIG_INTEL_IDXD in openeuler_defconfig for x86. Support Intel Data Accelerators on Xeon hardware.
Signed-off-by: fuyufan fuyufan@huawei.com
Reviewed-by: Kai Liu kai.liu@suse.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 arch/x86/configs/openeuler_defconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index cfb6ad605eef..6c0f50e766a7 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -6354,7 +6354,7 @@ CONFIG_DMA_VIRTUAL_CHANNELS=y CONFIG_DMA_ACPI=y # CONFIG_ALTERA_MSGDMA is not set CONFIG_INTEL_IDMA64=m -# CONFIG_INTEL_IDXD is not set +CONFIG_INTEL_IDXD=m CONFIG_INTEL_IOATDMA=m # CONFIG_PLX_DMA is not set # CONFIG_QCOM_HIDMA_MGMT is not set
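Review bot: the hunk flips only the `CONFIG_INTEL_IDXD` line, so it is worth confirming that the defconfig was regenerated after the change rather than edited by hand; if enabling the driver exposes further options, they should appear here with an explicit choice instead of being left to defaults. The commit message should also say why the driver is built as a module (=m, matching CONFIG_INTEL_IDMA64 and CONFIG_INTEL_IOATDMA next to it) and on which hardware it was tested.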
From: Kunkun Jiang jiangkunkun@huawei.com
virt inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4V39D
CVE: NA
------------------------------
We will add IO_PGTABLE_QUIRK_ARM_HD to pgtbl_cfg->quirks when smmuv3 supports HTTU. However, this flag is not processed in the arm_64_lpae_alloc_pgtable_s1. As a result, device can't be attached. There are two similar flags: IO_PGTABLE_QUIRK_ARM_BBML1 and IO_PGTABLE_QUIRK_ARM_BBML2. This patch solves this problem.
Fixes: 341497bb2613 (iommu/io-pgtable-arm: Add quirk ARM_HD and ARM_BBMLx)
Reported-by: Junxin Chen chenjunxin1@huawei.com
Signed-off-by: Kunkun Jiang jiangkunkun@huawei.com
Reviewed-by: Keqian Zhu zhukeqian1@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 drivers/iommu/io-pgtable-arm.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c index b878acad4104..6c1280215b31 100644 --- a/drivers/iommu/io-pgtable-arm.c +++ b/drivers/iommu/io-pgtable-arm.c @@ -1172,7 +1172,10 @@ arm_64_lpae_alloc_pgtable_s1(struct io_pgtable_cfg *cfg, void *cookie)
if (cfg->quirks & ~(IO_PGTABLE_QUIRK_ARM_NS | IO_PGTABLE_QUIRK_NON_STRICT | - IO_PGTABLE_QUIRK_ARM_TTBR1)) + IO_PGTABLE_QUIRK_ARM_TTBR1 | + IO_PGTABLE_QUIRK_ARM_HD | + IO_PGTABLE_QUIRK_ARM_BBML1 | + IO_PGTABLE_QUIRK_ARM_BBML2)) return NULL;
data = arm_lpae_alloc_pgtable(cfg); @@ -1269,7 +1272,10 @@ arm_64_lpae_alloc_pgtable_s2(struct io_pgtable_cfg *cfg, void *cookie) typeof(&cfg->arm_lpae_s2_cfg.vtcr) vtcr = &cfg->arm_lpae_s2_cfg.vtcr;
/* The NS quirk doesn't apply at stage 2 */ - if (cfg->quirks & ~(IO_PGTABLE_QUIRK_NON_STRICT)) + if (cfg->quirks & ~(IO_PGTABLE_QUIRK_NON_STRICT | + IO_PGTABLE_QUIRK_ARM_HD | + IO_PGTABLE_QUIRK_ARM_BBML1 | + IO_PGTABLE_QUIRK_ARM_BBML2)) return NULL;
data = arm_lpae_alloc_pgtable(cfg);
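Review bot: the second hunk extends the quirk allow-list in arm_64_lpae_alloc_pgtable_s2 as well, but the commit message only describes the stage 1 allocator; please state that stage 2 is changed too and why IO_PGTABLE_QUIRK_ARM_HD and the two BBML quirks are valid there. The same three flags are now spelled out in both masks, so a shared define for them would keep the stage 1 and stage 2 checks from drifting apart when the next quirk is added.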
From: Chao Yu chao@kernel.org
mainline inclusion
from mainline-v5.16-rc1
commit 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f
category: bugfix
bugzilla: 186264,https://gitee.com/openeuler/kernel/issues/I4VCWN
CVE: CVE-2021-44879
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
As reported by Wenqing Liu in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215231
- Overview
kernel NULL pointer dereference triggered in folio_mark_dirty() when mounting and operating on a crafted f2fs image

- Reproduce
tested on kernel 5.16-rc3, 5.15.X under root

1. mkdir mnt
2. mount -t f2fs tmp1.img mnt
3. touch tmp
4. cp tmp mnt

F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
BUG: kernel NULL pointer dereference, address: 0000000000000000
 folio_mark_dirty+0x33/0x50
 move_data_page+0x2dd/0x460 [f2fs]
 do_garbage_collect+0xc18/0x16a0 [f2fs]
 f2fs_gc+0x1d3/0xd90 [f2fs]
 f2fs_balance_fs+0x13a/0x570 [f2fs]
 f2fs_create+0x285/0x840 [f2fs]
 path_openat+0xe6d/0x1040
 do_filp_open+0xc5/0x140
 do_sys_openat2+0x23a/0x310
 do_sys_open+0x57/0x80

The root cause is that for special files (e.g. character, block, fifo or socket files), f2fs doesn't assign an address space operations pointer array to the mapping->a_ops field. So, in a fuzzed image, when the SSA table indicates that a data block belongs to a special file and f2fs tries to migrate that block, it causes a NULL pointer access once move_data_page() calls a_ops->set_dirty_page().
Cc: stable@vger.kernel.org
Reported-by: Wenqing Liu wenqingliu0120@gmail.com
Signed-off-by: Chao Yu chao@kernel.org
Signed-off-by: Jaegeuk Kim jaegeuk@kernel.org
Signed-off-by: Guo Xuenan guoxuenan@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Reviewed-by: fang wei fangwei1@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 fs/f2fs/gc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 72f227f6ebad..8719f2e2e64e 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1429,7 +1429,8 @@ static int gc_data_segment(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
if (phase == 3) { inode = f2fs_iget(sb, dni.ino); - if (IS_ERR(inode) || is_bad_inode(inode)) { + if (IS_ERR(inode) || is_bad_inode(inode) || + special_file(inode->i_mode)) { set_sbi_flag(sbi, SBI_NEED_FSCK); continue; }
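Review bot: in the `phase == 3` branch, the new `special_file(inode->i_mode)` case is reached with an inode that f2fs_iget() returned successfully, and the visible path then does `continue` with no iput(inode), so the reference looks leaked (the existing is_bad_inode() case has the same shape). Suggest handling IS_ERR(inode) on its own and calling iput(inode) before `continue` for the bad-inode and special-file cases. The ordering of the condition is right: IS_ERR() is tested before inode->i_mode is dereferenced.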
From: Chao Yu chao@kernel.org
mainline inclusion
from mainline-v5.16-rc1
commit f6db43076d190d9bf75559dec28e18b9d12e4ce5
category: bugfix
bugzilla: 186264,https://gitee.com/openeuler/kernel/issues/I4VCWN
CVE: CVE-2021-44879
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
As reported by Wenqing Liu in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=215231
If we enable CONFIG_F2FS_CHECK_FS config, and with fuzzed image attached in above link, we will encounter panic when executing below script:
1. mkdir mnt
2. mount -t f2fs tmp1.img mnt
3. touch tmp

F2FS-fs (loop11): mismatched blkaddr 5765 (source_blkaddr 1) in seg 3
kernel BUG at fs/f2fs/gc.c:1042!
 do_garbage_collect+0x90f/0xa80 [f2fs]
 f2fs_gc+0x294/0x12a0 [f2fs]
 f2fs_balance_fs+0x2c5/0x7d0 [f2fs]
 f2fs_create+0x239/0xd90 [f2fs]
 lookup_open+0x45e/0xa90
 open_last_lookups+0x203/0x670
 path_openat+0xae/0x490
 do_filp_open+0xbc/0x160
 do_sys_openat2+0x2f1/0x500
 do_sys_open+0x5e/0xa0
 __x64_sys_openat+0x28/0x40

Previously, f2fs tries to catch data inconsistency exceptions between the SSA and SIT tables during GC; however, once the exception is caught, it calls f2fs_bug_on to hang the kernel. That is not needed; instead, let's set the SBI_NEED_FSCK flag and skip migrating the current block.

Fixes: bbf9f7d90f21 ("f2fs: Fix indefinite loop in f2fs_gc()")
Signed-off-by: Chao Yu chao@kernel.org
Signed-off-by: Jaegeuk Kim jaegeuk@kernel.org
Signed-off-by: Guo Xuenan guoxuenan@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Reviewed-by: fang wei fangwei1@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 fs/f2fs/gc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 8719f2e2e64e..1e7e98dddb07 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -1011,7 +1011,7 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, if (!test_and_set_bit(segno, SIT_I(sbi)->invalid_segmap)) { f2fs_err(sbi, "mismatched blkaddr %u (source_blkaddr %u) in seg %u\n", blkaddr, source_blkaddr, segno); - f2fs_bug_on(sbi, 1); + set_sbi_flag(sbi, SBI_NEED_FSCK); } } #endif
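Review bot: the replacement `set_sbi_flag(sbi, SBI_NEED_FSCK)` sits above the `#endif`, and the commit message ties this path to CONFIG_F2FS_CHECK_FS, so a build without that option would never mark the filesystem for fsck on this SSA/SIT mismatch. Consider whether the flag should be set outside the conditional block. The message also says the current block is skipped, but the hunk shows only the flag being set; a short mention of where is_alive() returns false for this case would help the reader.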
From: Chao Yu chao@kernel.org
mainline inclusion
from mainline-v5.16-rc1
commit 77900c45ee5cd5da63bd4d818a41dbdf367e81cd
category: bugfix
bugzilla: 186264,https://gitee.com/openeuler/kernel/issues/I4VCWN
CVE: CVE-2021-44879
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
In a fuzzed image, the SSA table may indicate that a data block belongs to an invalid node whose node ID is out of range (0, 1, 2 or max_nid). To avoid migrating inconsistent data in such a corrupted image, let's do a sanity check anyway before data block migration.

Cc: stable@vger.kernel.org
Signed-off-by: Chao Yu chao@kernel.org
Signed-off-by: Jaegeuk Kim jaegeuk@kernel.org
Signed-off-by: Guo Xuenan guoxuenan@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Reviewed-by: fang wei fangwei1@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 fs/f2fs/gc.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index 1e7e98dddb07..6153b29de331 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -998,6 +998,9 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum, set_sbi_flag(sbi, SBI_NEED_FSCK); }
+ if (f2fs_check_nid_range(sbi, dni->ino)) + return false; + *nofs = ofs_of_node(node_page); source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node); f2fs_put_page(node_page, 1);
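Review bot: the new `return false` in is_alive() comes before the `f2fs_put_page(node_page, 1)` shown in the trailing context, so when f2fs_check_nid_range() fails the function appears to return while still holding node_page. Suggest calling f2fs_put_page(node_page, 1) before returning, or moving the check below the put if nothing it needs depends on the page still being held.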