[PATCH OLK-5.10 0/2] CVE merge OLK-5.10

List overview All Threads
Download

newer

older

[PATCH openEuler-1.0-LTS]...

[PATCH OLK-6.6] pmdomain:...

Kaixiong Yu

25 Dec 2024 25 Dec '24

3:50 p.m.

the patches' CVE-Number as listed: CVE-2024-50280 CVE-2024-50228

Jeongjun Park (1): mm: shmem: fix data-race in shmem_getattr()

Ming-Hung Tsai (1): dm cache: fix flushing uninitialized delayed_work on cache_ctr error

drivers/md/dm-cache-target.c | 24 +++++++++++++++--------- mm/shmem.c | 2 ++ 2 files changed, 17 insertions(+), 9 deletions(-)

-- 2.34.1

Show replies by date

Kaixiong Yu

25 Dec 25 Dec

3:50 p.m.

New subject: [PATCH OLK-5.10 1/2] dm cache: fix flushing uninitialized delayed_work on cache_ctr error

From: Ming-Hung Tsai mtsai@redhat.com

stable inclusion from stable-v6.6.61 commit 8cc12dab635333c4ea28e72d7b947be7d0543c2c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVP CVE: CVE-2024-50280

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream.

An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error.

Reproduce steps:

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

Kernel logs:

(snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890

Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed.

Signed-off-by: Ming-Hung Tsai mtsai@redhat.com Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable@vger.kernel.org Signed-off-by: Mikulas Patocka mpatocka@redhat.com Acked-by: Joe Thornber thornber@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Conflicts: drivers/md/dm-cache-target.c [Because HULK-5.10 don't merge mainline patch 86a3238c7b9b759cb864f4f768ab2e24687dc0e6("dm: change "unsigned" to "unsigned int" ")] Signed-off-by: Kaixiong Yu yukaixiong@huawei.com --- drivers/md/dm-cache-target.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index e94409aa2f40..d3821837641b 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1960,16 +1960,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned i; - mempool_exit(&cache->migration_pool);

if (cache->prison) dm_bio_prison_destroy_v2(cache->prison);

- cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq);

@@ -1997,13 +1994,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy);

+ bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args);

- bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); }

static void cache_dtr(struct dm_target *ti) @@ -2616,7 +2622,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; }

@@ -2667,7 +2673,7 @@ static int cache_ctr(struct dm_target *ti, unsigned argc, char **argv)

r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; }

-- 2.34.1

Kaixiong Yu

3:50 p.m.

New subject: [PATCH OLK-5.10 2/2] mm: shmem: fix data-race in shmem_getattr()

From: Jeongjun Park aha310510@gmail.com

stable inclusion from stable-v5.10.230 commit bda1a99a0dd644f31a87d636ac624eeb975cb65a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB379Q CVE: CVE-2024-50228

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

I got the following KCSAN report during syzbot testing:

================================================================== BUG: KCSAN: data-race in generic_fillattr / inode_set_ctime_current

write to 0xffff888102eb3260 of 4 bytes by task 6565 on cpu 1: inode_set_ctime_to_ts include/linux/fs.h:1638 [inline] inode_set_ctime_current+0x169/0x1d0 fs/inode.c:2626 shmem_mknod+0x117/0x180 mm/shmem.c:3443 shmem_create+0x34/0x40 mm/shmem.c:3497 lookup_open fs/namei.c:3578 [inline] open_last_lookups fs/namei.c:3647 [inline] path_openat+0xdbc/0x1f00 fs/namei.c:3883 do_filp_open+0xf7/0x200 fs/namei.c:3913 do_sys_openat2+0xab/0x120 fs/open.c:1416 do_sys_open fs/open.c:1431 [inline] __do_sys_openat fs/open.c:1447 [inline] __se_sys_openat fs/open.c:1442 [inline] __x64_sys_openat+0xf3/0x120 fs/open.c:1442 x64_sys_call+0x1025/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:258 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e

read to 0xffff888102eb3260 of 4 bytes by task 3498 on cpu 0: inode_get_ctime_nsec include/linux/fs.h:1623 [inline] inode_get_ctime include/linux/fs.h:1629 [inline] generic_fillattr+0x1dd/0x2f0 fs/stat.c:62 shmem_getattr+0x17b/0x200 mm/shmem.c:1157 vfs_getattr_nosec fs/stat.c:166 [inline] vfs_getattr+0x19b/0x1e0 fs/stat.c:207 vfs_statx_path fs/stat.c:251 [inline] vfs_statx+0x134/0x2f0 fs/stat.c:315 vfs_fstatat+0xec/0x110 fs/stat.c:341 __do_sys_newfstatat fs/stat.c:505 [inline] __se_sys_newfstatat+0x58/0x260 fs/stat.c:499 __x64_sys_newfstatat+0x55/0x70 fs/stat.c:499 x64_sys_call+0x141f/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:263 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x54/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e

value changed: 0x2755ae53 -> 0x27ee44d3

Reported by Kernel Concurrency Sanitizer on: CPU: 0 UID: 0 PID: 3498 Comm: udevd Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 ==================================================================

When calling generic_fillattr(), if you don't hold read lock, data-race will occur in inode member variables, which can cause unexpected behavior.

Since there is no special protection when shmem_getattr() calls generic_fillattr(), data-race occurs by functions such as shmem_unlink() or shmem_mknod(). This can cause unexpected results, so commenting it out is not enough.

Therefore, when calling generic_fillattr() from shmem_getattr(), it is appropriate to protect the inode using inode_lock_shared() and inode_unlock_shared() to prevent data-race.

Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park aha310510@gmail.com Reported-by: syzbot syzkaller@googlegroup.com Cc: Hugh Dickins hughd@google.com Cc: Yu Zhao yuzhao@google.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org

Conflicts: mm/shmem.c [Context differences.]

Signed-off-by: Lulu Yao yaolulu5@huawei.com --- mm/shmem.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/mm/shmem.c b/mm/shmem.c index 9cb612d1153b..9f2adf60351e 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1083,7 +1083,9 @@ static int shmem_getattr(const struct path *path, struct kstat *stat, shmem_recalc_inode(inode); spin_unlock_irq(&info->lock); } + inode_lock_shared(inode); generic_fillattr(inode, stat); + inode_unlock_shared(inode);

if (is_huge_enabled(sb_info)) stat->blksize = HPAGE_PMD_SIZE;

-- 2.34.1

patchwork bot

3:56 p.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://gitee.com/openeuler/kernel/pulls/14296 邮件列表地址：https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/14296 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...

Age (days ago)

Last active (days ago)

kernel@openeuler.org

3 comments

2 participants

tags (0)

participants (2)

Kaixiong Yu
patchwork bot