Fix CVE-2023-52672.
Lukas Schauer (1): pipe: wakeup wr_wait after setting max_usage
Max Kellermann (1): fs/pipe: move check to pipe_has_watch_queue()
fs/pipe.c | 19 ++++++++----------- include/linux/pipe_fs_i.h | 16 ++++++++++++++++ 2 files changed, 24 insertions(+), 11 deletions(-)
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/8222 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/O...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/8222 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/O...
From: Max Kellermann max.kellermann@ionos.com
stable inclusion from stable-v5.10.210 commit b6f27626f56e44c2437cf66e183e9e1a844cac19 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9EU CVE: CVE-2023-52672
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
[ Upstream commit b4bd6b4bac8edd61eb8f7b836969d12c0c6af165 ]
This declutters the code by reducing the number of #ifdefs and makes the watch_queue checks simpler. This has no runtime effect; the machine code is identical.
Signed-off-by: Max Kellermann max.kellermann@ionos.com Message-Id: 20230921075755.1378787-2-max.kellermann@ionos.com Reviewed-by: David Howells dhowells@redhat.com Signed-off-by: Christian Brauner brauner@kernel.org Stable-dep-of: e95aada4cb93 ("pipe: wakeup wr_wait after setting max_usage") Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/pipe.c | 12 +++--------- include/linux/pipe_fs_i.h | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c index 981d30af7d7d..e7eaa5625d4c 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -435,12 +435,10 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from) goto out; }
-#ifdef CONFIG_WATCH_QUEUE - if (pipe->watch_queue) { + if (pipe_has_watch_queue(pipe)) { ret = -EXDEV; goto out; } -#endif
/* * If it wasn't empty we try to merge new data into @@ -1321,10 +1319,8 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg) unsigned int nr_slots, size; long ret = 0;
-#ifdef CONFIG_WATCH_QUEUE - if (pipe->watch_queue) + if (pipe_has_watch_queue(pipe)) return -EBUSY; -#endif
size = round_pipe_size(arg); nr_slots = size >> PAGE_SHIFT; @@ -1377,10 +1373,8 @@ struct pipe_inode_info *get_pipe_info(struct file *file, bool for_splice)
if (file->f_op != &pipefifo_fops || !pipe) return NULL; -#ifdef CONFIG_WATCH_QUEUE - if (for_splice && pipe->watch_queue) + if (for_splice && pipe_has_watch_queue(pipe)) return NULL; -#endif return pipe; }
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h index 34f793b55a3a..e701188837e0 100644 --- a/include/linux/pipe_fs_i.h +++ b/include/linux/pipe_fs_i.h @@ -124,6 +124,22 @@ struct pipe_buf_operations { bool (*get)(struct pipe_inode_info *, struct pipe_buffer *); };
+/** + * pipe_has_watch_queue - Check whether the pipe is a watch_queue, + * i.e. it was created with O_NOTIFICATION_PIPE + * @pipe: The pipe to check + * + * Return: true if pipe is a watch queue, false otherwise. + */ +static inline bool pipe_has_watch_queue(const struct pipe_inode_info *pipe) +{ +#ifdef CONFIG_WATCH_QUEUE + return pipe->watch_queue != NULL; +#else + return false; +#endif +} + /** * pipe_empty - Return true if the pipe is empty * @head: The pipe ring head pointer
From: Lukas Schauer lukas@schauer.dev
stable inclusion from stable-v5.10.210 commit 162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9EU CVE: CVE-2023-52672
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
[ Upstream commit e95aada4cb93d42e25c30a0ef9eb2923d9711d4a ]
Commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1].
The commit resizing the pipe ring size was moved to a different function, doing that moved the wakeup for pipe->wr_wait before actually raising pipe->max_usage. If a pipe was full before the resize occured it would result in the wakeup never actually triggering pipe_write.
Set @max_usage and @nr_accounted before waking writers if this isn't a watch queue.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=212295 [1] Link: https://lore.kernel.org/r/20231201-orchideen-modewelt-e009de4562c6@brauner Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reviewed-by: David Howells dhowells@redhat.com Cc: stable@vger.kernel.org Signed-off-by: Lukas Schauer lukas@schauer.dev [Christian Brauner brauner@kernel.org: rewrite to account for watch queues] Signed-off-by: Christian Brauner brauner@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/pipe.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c index e7eaa5625d4c..b1bf4d6f6923 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -1302,6 +1302,11 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) pipe->tail = tail; pipe->head = head;
+ if (!pipe_has_watch_queue(pipe)) { + pipe->max_usage = nr_slots; + pipe->nr_accounted = nr_slots; + } + spin_unlock_irq(&pipe->rd_wait.lock);
/* This might have made more room for writers */ @@ -1353,8 +1358,6 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg) if (ret < 0) goto out_revert_acct;
- pipe->max_usage = nr_slots; - pipe->nr_accounted = nr_slots; return pipe->max_usage * PAGE_SIZE;
out_revert_acct:
-
patchwork bot -
Zizhi Wo