1. 08 2月, 2023 11 次提交
    • O
      !386 Backport CVEs and bugfixes · b982dab6
      openeuler-ci-bot 提交于
      Merge Pull Request from: @zhangjialin11 
       
      Pull new CVEs:
      CVE-2022-3707
      CVE-2023-0394
      
      net bugfixes from Zhengchao Shao
      fs bugfixes from Baokun Li and Li Nan
      mm bugfixes form Liu Shixin
       
       
      Link:https://gitee.com/openeuler/kernel/pulls/386 
      
      Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
      Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 
      b982dab6
    • E
      net: sched: fix race condition in qdisc_graft() · 47b72618
      Eric Dumazet 提交于
      stable inclusion
      from stable-v5.10.152
      commit 7aa3d623c11b9ab60f86b7833666e5d55bac4be9
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I64L17
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7aa3d623c11b9ab60f86b7833666e5d55bac4be9
      
      --------------------------------
      
      [ Upstream commit ebda44da ]
      
      We had one syzbot report [1] in syzbot queue for a while.
      I was waiting for more occurrences and/or a repro but
      Dmitry Vyukov spotted the issue right away.
      
      <quoting Dmitry>
      qdisc_graft() drops reference to qdisc in notify_and_destroy
      while it's still assigned to dev->qdisc
      </quoting>
      
      Indeed, RCU rules are clear when replacing a data structure.
      The visible pointer (dev->qdisc in this case) must be updated
      to the new object _before_ RCU grace period is started
      (qdisc_put(old) in this case).
      
      [1]
      BUG: KASAN: use-after-free in __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066
      Read of size 4 at addr ffff88802065e038 by task syz-executor.4/21027
      
      CPU: 0 PID: 21027 Comm: syz-executor.4 Not tainted 6.0.0-rc3-syzkaller-00363-g7726d4c3 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:317 [inline]
      print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
      kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
      __tcf_qdisc_find.part.0+0xa3a/0xac0 net/sched/cls_api.c:1066
      __tcf_qdisc_find net/sched/cls_api.c:1051 [inline]
      tc_new_tfilter+0x34f/0x2200 net/sched/cls_api.c:2018
      rtnetlink_rcv_msg+0x955/0xca0 net/core/rtnetlink.c:6081
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7f5efaa89279
      Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f5efbc31168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f5efab9bf80 RCX: 00007f5efaa89279
      RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
      RBP: 00007f5efaae32e9 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 00007f5efb0cfb1f R14: 00007f5efbc31300 R15: 0000000000022000
      </TASK>
      
      Allocated by task 21027:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      kasan_set_track mm/kasan/common.c:45 [inline]
      set_alloc_info mm/kasan/common.c:437 [inline]
      ____kasan_kmalloc mm/kasan/common.c:516 [inline]
      ____kasan_kmalloc mm/kasan/common.c:475 [inline]
      __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
      kmalloc_node include/linux/slab.h:623 [inline]
      kzalloc_node include/linux/slab.h:744 [inline]
      qdisc_alloc+0xb0/0xc50 net/sched/sch_generic.c:938
      qdisc_create_dflt+0x71/0x4a0 net/sched/sch_generic.c:997
      attach_one_default_qdisc net/sched/sch_generic.c:1152 [inline]
      netdev_for_each_tx_queue include/linux/netdevice.h:2437 [inline]
      attach_default_qdiscs net/sched/sch_generic.c:1170 [inline]
      dev_activate+0x760/0xcd0 net/sched/sch_generic.c:1229
      __dev_open+0x393/0x4d0 net/core/dev.c:1441
      __dev_change_flags+0x583/0x750 net/core/dev.c:8556
      rtnl_configure_link+0xee/0x240 net/core/rtnetlink.c:3189
      rtnl_newlink_create net/core/rtnetlink.c:3371 [inline]
      __rtnl_newlink+0x10b8/0x17e0 net/core/rtnetlink.c:3580
      rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
      rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Freed by task 21020:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      kasan_set_track+0x21/0x30 mm/kasan/common.c:45
      kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
      ____kasan_slab_free mm/kasan/common.c:367 [inline]
      ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
      kasan_slab_free include/linux/kasan.h:200 [inline]
      slab_free_hook mm/slub.c:1754 [inline]
      slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
      slab_free mm/slub.c:3534 [inline]
      kfree+0xe2/0x580 mm/slub.c:4562
      rcu_do_batch kernel/rcu/tree.c:2245 [inline]
      rcu_core+0x7b5/0x1890 kernel/rcu/tree.c:2505
      __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
      
      Last potentially related work creation:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
      call_rcu+0x99/0x790 kernel/rcu/tree.c:2793
      qdisc_put+0xcd/0xe0 net/sched/sch_generic.c:1083
      notify_and_destroy net/sched/sch_api.c:1012 [inline]
      qdisc_graft+0xeb1/0x1270 net/sched/sch_api.c:1084
      tc_modify_qdisc+0xbb7/0x1a00 net/sched/sch_api.c:1671
      rtnetlink_rcv_msg+0x43a/0xca0 net/core/rtnetlink.c:6090
      netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
      netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
      netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
      netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
      ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
      __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      Second to last potentially related work creation:
      kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
      __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
      kvfree_call_rcu+0x74/0x940 kernel/rcu/tree.c:3322
      neigh_destroy+0x431/0x630 net/core/neighbour.c:912
      neigh_release include/net/neighbour.h:454 [inline]
      neigh_cleanup_and_release+0x1f8/0x330 net/core/neighbour.c:103
      neigh_del net/core/neighbour.c:225 [inline]
      neigh_remove_one+0x37d/0x460 net/core/neighbour.c:246
      neigh_forced_gc net/core/neighbour.c:276 [inline]
      neigh_alloc net/core/neighbour.c:447 [inline]
      ___neigh_create+0x18b5/0x29a0 net/core/neighbour.c:642
      ip6_finish_output2+0xfb8/0x1520 net/ipv6/ip6_output.c:125
      __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
      ip6_finish_output+0x690/0x1160 net/ipv6/ip6_output.c:206
      NF_HOOK_COND include/linux/netfilter.h:296 [inline]
      ip6_output+0x1ed/0x540 net/ipv6/ip6_output.c:227
      dst_output include/net/dst.h:451 [inline]
      NF_HOOK include/linux/netfilter.h:307 [inline]
      NF_HOOK include/linux/netfilter.h:301 [inline]
      mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
      mld_send_cr net/ipv6/mcast.c:2121 [inline]
      mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2653
      process_one_work+0x991/0x1610 kernel/workqueue.c:2289
      worker_thread+0x665/0x1080 kernel/workqueue.c:2436
      kthread+0x2e4/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
      
      The buggy address belongs to the object at ffff88802065e000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 56 bytes inside of
      1024-byte region [ffff88802065e000, ffff88802065e400)
      
      The buggy address belongs to the physical page:
      page:ffffea0000819600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20658
      head:ffffea0000819600 order:3 compound_mapcount:0 compound_pincount:0
      flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
      raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0
      raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      page_owner tracks the page as allocated
      page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3523, tgid 3523 (sshd), ts 41495190986, free_ts 41417713212
      prep_new_page mm/page_alloc.c:2532 [inline]
      get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
      __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
      alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
      alloc_slab_page mm/slub.c:1824 [inline]
      allocate_slab+0x27e/0x3d0 mm/slub.c:1969
      new_slab mm/slub.c:2029 [inline]
      ___slab_alloc+0x7f1/0xe10 mm/slub.c:3031
      __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3118
      slab_alloc_node mm/slub.c:3209 [inline]
      __kmalloc_node_track_caller+0x2f2/0x380 mm/slub.c:4955
      kmalloc_reserve net/core/skbuff.c:358 [inline]
      __alloc_skb+0xd9/0x2f0 net/core/skbuff.c:430
      alloc_skb_fclone include/linux/skbuff.h:1307 [inline]
      tcp_stream_alloc_skb+0x38/0x580 net/ipv4/tcp.c:861
      tcp_sendmsg_locked+0xc36/0x2f80 net/ipv4/tcp.c:1325
      tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1483
      inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
      sock_sendmsg_nosec net/socket.c:714 [inline]
      sock_sendmsg+0xcf/0x120 net/socket.c:734
      sock_write_iter+0x291/0x3d0 net/socket.c:1108
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:578
      ksys_write+0x1e8/0x250 fs/read_write.c:631
      page last free stack trace:
      reset_page_owner include/linux/page_owner.h:24 [inline]
      free_pages_prepare mm/page_alloc.c:1449 [inline]
      free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
      free_unref_page_prepare mm/page_alloc.c:3380 [inline]
      free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
      __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2548
      qlink_free mm/kasan/quarantine.c:168 [inline]
      qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
      kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
      __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
      kasan_slab_alloc include/linux/kasan.h:224 [inline]
      slab_post_alloc_hook mm/slab.h:727 [inline]
      slab_alloc_node mm/slub.c:3243 [inline]
      slab_alloc mm/slub.c:3251 [inline]
      __kmem_cache_alloc_lru mm/slub.c:3258 [inline]
      kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3268
      kmem_cache_zalloc include/linux/slab.h:723 [inline]
      alloc_buffer_head+0x20/0x140 fs/buffer.c:2974
      alloc_page_buffers+0x280/0x790 fs/buffer.c:829
      create_empty_buffers+0x2c/0xee0 fs/buffer.c:1558
      ext4_block_write_begin+0x1004/0x1530 fs/ext4/inode.c:1074
      ext4_da_write_begin+0x422/0xae0 fs/ext4/inode.c:2996
      generic_perform_write+0x246/0x560 mm/filemap.c:3738
      ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:270
      ext4_file_write_iter+0x44a/0x1660 fs/ext4/file.c:679
      call_write_iter include/linux/fs.h:2187 [inline]
      new_sync_write fs/read_write.c:491 [inline]
      vfs_write+0x9e9/0xdd0 fs/read_write.c:578
      
      Fixes: af356afa ("net_sched: reintroduce dev->qdisc for use by sch_api")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Diagnosed-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221018203258.2793282-1-edumazet@google.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: NLiu Jian <liujian56@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      47b72618
    • E
      macvlan: enforce a consistent minimal mtu · 07c986e8
      Eric Dumazet 提交于
      stable inclusion
      from stable-v5.10.156
      commit e929ec98c0c3b10d9c07f3776df0c1a02d7a763e
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I67UR2
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e929ec98c0c3b10d9c07f3776df0c1a02d7a763e
      
      --------------------------------
      
      commit b64085b0 upstream.
      
      macvlan should enforce a minimal mtu of 68, even at link creation.
      
      This patch avoids the current behavior (which could lead to crashes
      in ipv6 stack if the link is brought up)
      
      $ ip link add macvlan1 link eno1 mtu 8 type macvlan  # This should fail !
      $ ip link sh dev macvlan1
      5: macvlan1@eno1: <BROADCAST,MULTICAST> mtu 8 qdisc noop
          state DOWN mode DEFAULT group default qlen 1000
          link/ether 02:47:6c:24:74:82 brd ff:ff:ff:ff:ff:ff
      $ ip link set macvlan1 mtu 67
      Error: mtu less than device minimum.
      $ ip link set macvlan1 mtu 68
      $ ip link set macvlan1 mtu 8
      Error: mtu less than device minimum.
      
      Fixes: 91572088 ("net: use core MTU range checking in core net infra")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: NLiu Jian <liujian56@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      07c986e8
    • M
      net: switch to storing KCOV handle directly in sk_buff · d671df2d
      Marco Elver 提交于
      stable inclusion
      from stable-v5.10.163
      commit 67349025f00d0749e36386cfcfc32c2887f47fdb
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6D0MR
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=67349025f00d0749e36386cfcfc32c2887f47fdb
      
      --------------------------------
      
      [ Upstream commit fa69ee5a ]
      
      It turns out that usage of skb extensions can cause memory leaks. Ido
      Schimmel reported: "[...] there are instances that blindly overwrite
      'skb->extensions' by invoking skb_copy_header() after __alloc_skb()."
      
      Therefore, give up on using skb extensions for KCOV handle, and instead
      directly store kcov_handle in sk_buff.
      
      Fixes: 6370cc3b ("net: add kcov handle to skb extensions")
      Fixes: 85ce50d3 ("net: kcov: don't select SKB_EXTENSIONS when there is no NET")
      Fixes: 97f53a08 ("net: linux/skbuff.h: combine SKB_EXTENSIONS + KCOV handling")
      Link: https://lore.kernel.org/linux-wireless/20201121160941.GA485907@shredder.lan/Reported-by: NIdo Schimmel <idosch@idosch.org>
      Signed-off-by: NMarco Elver <elver@google.com>
      Link: https://lore.kernel.org/r/20201125224840.2014773-1-elver@google.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      Stable-dep-of: db0b124f ("igc: Enhance Qbv scheduling by using first flag bit")
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      
      Conflicts:
      	include/linux/skbuff.h
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: NLiu Jian <liujian56@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      d671df2d
    • Z
      drm/i915/gvt: fix double free bug in split_2MB_gtt_entry · 17a26a1d
      Zheng Wang 提交于
      mainline inclusion
      from mainline-v6.2-rc3
      commit 4a61648a
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5XXFF
      CVE: CVE-2022-3707
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a61648af68f5ba4884f0e3b494ee1cabc4b6620
      
      --------------------------------
      
      If intel_gvt_dma_map_guest_page failed, it will call
      ppgtt_invalidate_spt, which will finally free the spt.
      But the caller function ppgtt_populate_spt_by_guest_entry
      does not notice that, it will free spt again in its error
      path.
      
      Fix this by canceling the mapping of DMA address and freeing sub_spt.
      Besides, leave the handle of spt destroy to caller function instead
      of callee function when error occurs.
      
      conflicts:
        drivers/gpu/drm/i915/gvt/gtt.c
      
      Fixes: b901b252 ("drm/i915/gvt: Add 2M huge gtt support")
      Signed-off-by: NZheng Wang <zyytlz.wz@163.com>
      Reviewed-by: NZhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: NZhenyu Wang <zhenyuw@linux.intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20221229165641.1192455-1-zyytlz.wz@163.comSigned-off-by: NWang ShaoBo <bobo.shaobowang@huawei.com>
      Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
      Reviewed-by: NWei Li <liwei391@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      17a26a1d
    • L
      mm/memcg_memfs_info: fix potential oom_lock recursion deadlock · 13328365
      Liu Shixin 提交于
      hulk inclusion
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6ADCF
      CVE: NA
      
      --------------------------------
      
      syzbot is reporting GFP_KERNEL allocation with oom_lock held when
      reporting memcg OOM [1]. If this allocation triggers the global OOM
      situation then the system can livelock because the GFP_KERNEL
      allocation with oom_lock held cannot trigger the global OOM killer
      because __alloc_pages_may_oom() fails to hold oom_lock.
      
      The problem mentioned above has been fixed by patch[2]. The is the same
      problem in memcg_memfs_info feature too. Refer to the patch[2], fix it by
      removing the allocation from mem_cgroup_print_memfs_info() completely,
      and pass static buffer when calling from memcg OOM path.
      
      Link: https://syzkaller.appspot.com/bug?extid=2d2aeadc6ce1e1f11d45 [1]
      Link: https://lkml.kernel.org/r/86afb39f-8c65-bec2-6cfc-c5e3cd600c0b@I-love.SAKURA.ne.jp [2]
      Fixes: 6b1d4d3a ("mm/memcg_memfs_info: show files that having pages charged in mem_cgroup")
      Signed-off-by: NLiu Shixin <liushixin2@huawei.com>
      Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      13328365
    • T
      mm: memcontrol: fix potential oom_lock recursion deadlock · 264a3de6
      Tetsuo Handa 提交于
      mainline inclusion
      from mainline-v6.0-rc1
      commit 68aaee14
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6ADCF
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=68aaee147e597b495622b7c9038e5922c7c61f57
      
      --------------------------------
      
      syzbot is reporting GFP_KERNEL allocation with oom_lock held when
      reporting memcg OOM [1].  If this allocation triggers the global OOM
      situation then the system can livelock because the GFP_KERNEL
      allocation with oom_lock held cannot trigger the global OOM killer
      because __alloc_pages_may_oom() fails to hold oom_lock.
      
      Fix this problem by removing the allocation from memory_stat_format()
      completely, and pass static buffer when calling from memcg OOM path.
      
      Note that the caller holding filesystem lock was the trigger for syzbot
      to report this locking dependency.  Doing GFP_KERNEL allocation with
      filesystem lock held can deadlock the system even without involving OOM
      situation.
      
      Link: https://syzkaller.appspot.com/bug?extid=2d2aeadc6ce1e1f11d45 [1]
      Link: https://lkml.kernel.org/r/86afb39f-8c65-bec2-6cfc-c5e3cd600c0b@I-love.SAKURA.ne.jp
      Fixes: c8713d0b ("mm: memcontrol: dump memory.stat during cgroup OOM")
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: Nsyzbot <syzbot+2d2aeadc6ce1e1f11d45@syzkaller.appspotmail.com>
      Suggested-by: NMichal Hocko <mhocko@suse.com>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Roman Gushchin <roman.gushchin@linux.dev>
      Cc: Shakeel Butt <shakeelb@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      
      conflicts:
      	mm/memcontrol.c
      Signed-off-by: NCai Xinchen <caixinchen1@huawei.com>
      Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      264a3de6
    • H
      ipv6: raw: Deduct extension header length in rawv6_push_pending_frames · 7bcbd57a
      Herbert Xu 提交于
      stable inclusion
      from stable-v5.10.164
      commit 6c9e2c11c33c35563d34d12b343d43b5c12200b5
      category: bugfix
      bugzilla: 188291, https://gitee.com/src-openeuler/kernel/issues/I6B1V2
      CVE: CVE-2023-0394
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c9e2c11c33c35563d34d12b343d43b5c12200b5
      
      --------------------------------
      
      commit cb3e9864 upstream.
      
      The total cork length created by ip6_append_data includes extension
      headers, so we must exclude them when comparing them against the
      IPV6_CHECKSUM offset which does not include extension headers.
      Reported-by: NKyle Zeng <zengyhkyle@gmail.com>
      Fixes: 357b40a1 ("[IPV6]: IPV6_CHECKSUM socket option can corrupt kernel memory")
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NLu Wei <luwei32@huawei.com>
      Reviewed-by: NLiu Jian <liujian56@huawei.com>
      Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      7bcbd57a
    • B
      ext4: fix use-after-free in ext4_orphan_cleanup · a7bf058d
      Baokun Li 提交于
      stable inclusion
      from stable-v5.10.163
      commit 7223d5e75f26352354ea2c0ccf8b579821b52adf
      category: bugfix
      bugzilla: 187904,https://gitee.com/openeuler/kernel/issues/I6BJAR
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7223d5e75f26352354ea2c0ccf8b579821b52adf
      
      --------------------------------
      
      commit a71248b1 upstream.
      
      I caught a issue as follows:
      
      ==================================================================
       BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
       Read of size 8 at addr ffff88814b13f378 by task mount/710
      
       CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
       Call Trace:
        <TASK>
        dump_stack_lvl+0x73/0x9f
        print_report+0x25d/0x759
        kasan_report+0xc0/0x120
        __asan_load8+0x99/0x140
        __list_add_valid+0x28/0x1a0
        ext4_orphan_cleanup+0x564/0x9d0 [ext4]
        __ext4_fill_super+0x48e2/0x5300 [ext4]
        ext4_fill_super+0x19f/0x3a0 [ext4]
        get_tree_bdev+0x27b/0x450
        ext4_get_tree+0x19/0x30 [ext4]
        vfs_get_tree+0x49/0x150
        path_mount+0xaae/0x1350
        do_mount+0xe2/0x110
        __x64_sys_mount+0xf0/0x190
        do_syscall_64+0x35/0x80
        entry_SYSCALL_64_after_hwframe+0x63/0xcd
        </TASK>
       [...]
      ==================================================================
      
      Above issue may happen as follows:
      -------------------------------------
      ext4_fill_super
        ext4_orphan_cleanup
         --- loop1: assume last_orphan is 12 ---
          list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
          ext4_truncate --> return 0
            ext4_inode_attach_jinode --> return -ENOMEM
          iput(inode) --> free inode<12>
         --- loop2: last_orphan is still 12 ---
          list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
          // use inode<12> and trigger UAF
      
      To solve this issue, we need to propagate the return value of
      ext4_inode_attach_jinode() appropriately.
      Signed-off-by: NBaokun Li <libaokun1@huawei.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20221102080633.1630225-1-libaokun1@huawei.comSigned-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NBaokun Li <libaokun1@huawei.com>
      Reviewed-by: NZhang Yi <yi.zhang@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      a7bf058d
    • B
      ext4: fix null-ptr-deref in ext4_write_info · 1575b7b3
      Baokun Li 提交于
      stable inclusion
      from stable-v5.10.150
      commit f34ab95162763cd7352f46df169296eec28b688d
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6BJ5F
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f34ab95162763cd7352f46df169296eec28b688d
      
      --------------------------------
      
      commit f9c1f248 upstream.
      
      I caught a null-ptr-deref bug as follows:
      
      ==================================================================
      KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
      CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339
      RIP: 0010:ext4_write_info+0x53/0x1b0
      [...]
      Call Trace:
       dquot_writeback_dquots+0x341/0x9a0
       ext4_sync_fs+0x19e/0x800
       __sync_filesystem+0x83/0x100
       sync_filesystem+0x89/0xf0
       generic_shutdown_super+0x79/0x3e0
       kill_block_super+0xa1/0x110
       deactivate_locked_super+0xac/0x130
       deactivate_super+0xb6/0xd0
       cleanup_mnt+0x289/0x400
       __cleanup_mnt+0x16/0x20
       task_work_run+0x11c/0x1c0
       exit_to_user_mode_prepare+0x203/0x210
       syscall_exit_to_user_mode+0x5b/0x3a0
       do_syscall_64+0x59/0x70
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
       ==================================================================
      
      Above issue may happen as follows:
      -------------------------------------
      exit_to_user_mode_prepare
       task_work_run
        __cleanup_mnt
         cleanup_mnt
          deactivate_super
           deactivate_locked_super
            kill_block_super
             generic_shutdown_super
              shrink_dcache_for_umount
               dentry = sb->s_root
               sb->s_root = NULL              <--- Here set NULL
              sync_filesystem
               __sync_filesystem
                sb->s_op->sync_fs > ext4_sync_fs
                 dquot_writeback_dquots
                  sb->dq_op->write_info > ext4_write_info
                   ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)
                    d_inode(sb->s_root)
                     s_root->d_inode          <--- Null pointer dereference
      
      To solve this problem, we use ext4_journal_start_sb directly
      to avoid s_root being used.
      
      Cc: stable@kernel.org
      Signed-off-by: NBaokun Li <libaokun1@huawei.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20220805123947.565152-1-libaokun1@huawei.comSigned-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NBaokun Li <libaokun1@huawei.com>
      Reviewed-by: NZhang Yi <yi.zhang@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      1575b7b3
    • D
      xfs: fix potential log item leak · 732e7ddd
      Dave Chinner 提交于
      mainline inclusion
      from mainline-v5.19-rc1
      commit c230a4a8
      category: bugfix
      bugzilla: 187372, https://gitee.com/openeuler/kernel/issues/I5K0OM
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c230a4a85bcdbfc1a7415deec6caf04e8fca1301
      
      --------------------------------
      
      Ever since we added shadown format buffers to the log items, log
      items need to handle the item being released with shadow buffers
      attached. Due to the fact this requirement was added at the same
      time we added new rmap/reflink intents, we missed the cleanup of
      those items.
      
      In theory, this means shadow buffers can be leaked in a very small
      window when a shutdown is initiated. Testing with KASAN shows this
      leak does not happen in practice - we haven't identified a single
      leak in several years of shutdown testing since ~v4.8 kernels.
      
      However, the intent whiteout cleanup mechanism results in every
      cancelled intent in exactly the same state as this tiny race window
      creates and so if intents down clean up shadow buffers on final
      release we will leak the shadow buffer for just about every intent
      we create.
      
      Hence we start with this patch to close this condition off and
      ensure that when whiteouts start to be used we don't leak lots of
      memory.
      Signed-off-by: NDave Chinner <dchinner@redhat.com>
      Reviewed-by: NDarrick J. Wong <djwong@kernel.org>
      Reviewed-by: NAllison Henderson <allison.henderson@oracle.com>
      Signed-off-by: NDave Chinner <david@fromorbit.com>
      
      conflicts:
      	fs/xfs/xfs_bmap_item.c
      	fs/xfs/xfs_icreate_item.c
      	fs/xfs/xfs_refcount_item.c
      	fs/xfs/xfs_rmap_item.c
      Signed-off-by: NLi Nan <linan122@huawei.com>
      Reviewed-by: NYang Erkun <yangerkun@huawei.com>
      Reviewed-by: NZhang Yi <yi.zhang@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      732e7ddd
  2. 31 1月, 2023 12 次提交
    • O
      !369 Backport CVEs and bugfixes · 6ff43716
      openeuler-ci-bot 提交于
      Merge Pull Request from: @zhangjialin11 
       
      Pull new CVEs:
      CVE-2022-47929
      CVE-2023-0179
      CVE-2023-23454
      CVE-2023-23455
      CVE-2023-23559
      
      mm bugfixes from Cai Xinchen and Ma Wupeng
      fdt and cmdline bugfixes from Zhang Zekun
      xfs bugfix from Guo Xuenan
      scsi bugfix from Li Nan 
       
      Link:https://gitee.com/openeuler/kernel/pulls/369 
      
      Reviewed-by: Zheng Zengkai <zhengzengkai@huawei.com> 
      Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> 
      6ff43716
    • Y
      mm/vmpressure: fix data-race with memcg->socket_pressure · b49d51d0
      Yuanzheng Song 提交于
      mainline inclusion
      from mainline-v5.16-rc1
      commit 7e6ec49c
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6AW65
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6ec49c18988f1b8dab0677271dafde5f8d9a43
      
      --------------------------------
      
      When reading memcg->socket_pressure in mem_cgroup_under_socket_pressure()
      and writing memcg->socket_pressure in vmpressure() at the same time, the
      following data-race occurs:
      
        BUG: KCSAN: data-race in __sk_mem_reduce_allocated / vmpressure
      
        write to 0xffff8881286f4938 of 8 bytes by task 24550 on cpu 3:
         vmpressure+0x218/0x230 mm/vmpressure.c:307
         shrink_node_memcgs+0x2b9/0x410 mm/vmscan.c:2658
         shrink_node+0x9d2/0x11d0 mm/vmscan.c:2769
         shrink_zones+0x29f/0x470 mm/vmscan.c:2972
         do_try_to_free_pages+0x193/0x6e0 mm/vmscan.c:3027
         try_to_free_mem_cgroup_pages+0x1c0/0x3f0 mm/vmscan.c:3345
         reclaim_high mm/memcontrol.c:2440 [inline]
         mem_cgroup_handle_over_high+0x18b/0x4d0 mm/memcontrol.c:2624
         tracehook_notify_resume include/linux/tracehook.h:197 [inline]
         exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
         exit_to_user_mode_prepare+0x110/0x170 kernel/entry/common.c:191
         syscall_exit_to_user_mode+0x16/0x30 kernel/entry/common.c:266
         ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:289
      
        read to 0xffff8881286f4938 of 8 bytes by interrupt on cpu 1:
         mem_cgroup_under_socket_pressure include/linux/memcontrol.h:1483 [inline]
         sk_under_memory_pressure include/net/sock.h:1314 [inline]
         __sk_mem_reduce_allocated+0x1d2/0x270 net/core/sock.c:2696
         __sk_mem_reclaim+0x44/0x50 net/core/sock.c:2711
         sk_mem_reclaim include/net/sock.h:1490 [inline]
         ......
         net_rx_action+0x17a/0x480 net/core/dev.c:6864
         __do_softirq+0x12c/0x2af kernel/softirq.c:298
         run_ksoftirqd+0x13/0x20 kernel/softirq.c:653
         smpboot_thread_fn+0x33f/0x510 kernel/smpboot.c:165
         kthread+0x1fc/0x220 kernel/kthread.c:292
         ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
      
      Fix it by using READ_ONCE() and WRITE_ONCE() to read and write
      memcg->socket_pressure.
      
      Link: https://lkml.kernel.org/r/20211025082843.671690-1-songyuanzheng@huawei.comSigned-off-by: NYuanzheng Song <songyuanzheng@huawei.com>
      Reviewed-by: NMuchun Song <songmuchun@bytedance.com>
      Cc: Shakeel Butt <shakeelb@google.com>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
      Cc: Alex Shi <alexs@kernel.org>
      Cc: Wei Yang <richard.weiyang@gmail.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NCai Xinchen <caixinchen1@huawei.com>
      Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      b49d51d0
    • M
      of/fdt: Don't calculate initrd size from DT if start > end · 0c7e527a
      Marek Bykowski 提交于
      mainline inclusion
      from mainline-v6.1-rc1
      commit d5e3050c
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6AXHU
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=d5e3050c0feb8bf7b9a75482fafcc31b90257926
      
      --------------------------------------------
      
      If the properties 'linux,initrd-start' and 'linux,initrd-end' of
      the chosen node populated from the bootloader, eg. U-Boot, are so that
      start > end, then the phys_initrd_size calculated from end - start is
      negative that subsequently gets converted to a high positive value for
      being unsigned long long. Then, the memory region with the (invalid)
      size is added to the bootmem and attempted being paged in paging_init()
      that results in the kernel fault.
      
      For example, on the FVP ARM64 system I'm running, the U-Boot populates
      the 'linux,initrd-start' with 8800_0000 and 'linux,initrd-end' with 0.
      The phys_initrd_size calculated is then ffff_ffff_7800_0000
      (= 0 - 8800_0000 = -8800_0000 + ULLONG_MAX + 1). paging_init() then
      attempts to map the address 8800_0000 + ffff_ffff_7800_0000 and oops'es
      as below.
      
      It should be stressed, it is generally a fault of the bootloader's with
      the kernel relying on it, however we should not allow the bootloader's
      misconfiguration to lead to the kernel oops. Not only the kernel should be
      bullet proof against it but also finding the root cause of the paging
      fault spanning over the bootloader, DT, and kernel may happen is not so
      easy.
      
        Unable to handle kernel paging request at virtual address fffffffefe43c000
        Mem abort info:
          ESR = 0x96000007
          EC = 0x25: DABT (current EL), IL = 32 bits
          SET = 0, FnV = 0
          EA = 0, S1PTW = 0
        Data abort info:
          ISV = 0, ISS = 0x00000007
          CM = 0, WnR = 0
        swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000080e3d000
        [fffffffefe43c000] pgd=0000000080de9003, pud=0000000080de9003
        Unable to handle kernel paging request at virtual address ffffff8000de9f90
        Mem abort info:
          ESR = 0x96000005
          EC = 0x25: DABT (current EL), IL = 32 bits
          SET = 0, FnV = 0
          EA = 0, S1PTW = 0
        Data abort info:
          ISV = 0, ISS = 0x00000005
          CM = 0, WnR = 0
        swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000080e3d000
        [ffffff8000de9f90] pgd=0000000000000000, pud=0000000000000000
        Internal error: Oops: 96000005 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper Not tainted 5.4.51-yocto-standard #1
        Hardware name: FVP Base (DT)
        pstate: 60000085 (nZCv daIf -PAN -UAO)
        pc : show_pte+0x12c/0x1b4
        lr : show_pte+0x100/0x1b4
        sp : ffffffc010ce3b30
        x29: ffffffc010ce3b30 x28: ffffffc010ceed80
        x27: fffffffefe43c000 x26: fffffffefe43a028
        x25: 0000000080bf0000 x24: 0000000000000025
        x23: ffffffc010b8d000 x22: ffffffc010e3d000
        x23: ffffffc010b8d000 x22: ffffffc010e3d000
        x21: 0000000080de9000 x20: ffffff7f80000f90
        x19: fffffffefe43c000 x18: 0000000000000030
        x17: 0000000000001400 x16: 0000000000001c00
        x15: ffffffc010cef1b8 x14: ffffffffffffffff
        x13: ffffffc010df1f40 x12: ffffffc010df1b70
        x11: ffffffc010ce3b30 x10: ffffffc010ce3b30
        x9 : 00000000ffffffc8 x8 : 0000000000000000
        x7 : 000000000000000f x6 : ffffffc010df16e8
        x5 : 0000000000000000 x4 : 0000000000000000
        x3 : 00000000ffffffff x2 : 0000000000000000
        x1 : 0000008080000000 x0 : ffffffc010af1d68
        Call trace:
         show_pte+0x12c/0x1b4
         die_kernel_fault+0x54/0x78
         __do_kernel_fault+0x11c/0x128
         do_translation_fault+0x58/0xac
         do_mem_abort+0x50/0xb0
         el1_da+0x1c/0x90
         __create_pgd_mapping+0x348/0x598
         paging_init+0x3f0/0x70d0
         setup_arch+0x2c0/0x5d4
         start_kernel+0x94/0x49c
        Code: 92748eb5 900052a0 9135a000 cb010294 (f8756a96) 
      Signed-off-by: NMarek Bykowski <marek.bykowski@gmail.com>
      Link: https://lore.kernel.org/r/20220909023358.76881-1-marek.bykowski@gmail.comSigned-off-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NZhang Zekun <zhangzekun11@huawei.com>
      Reviewed-by: NWeilong Chen <chenweilong@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      0c7e527a
    • N
      lib/cmdline: avoid page fault in next_arg · 8eabde4c
      Neel Natu 提交于
      mainline inclusion
      from mainline-v6.1-rc1
      commit 9847f212
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6AXHU
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=9847f21225c4eb0b843cb2b72ed83b32edb1e6f2
      
      -----------------------------------------
      
      An argument list like "arg=val arg2 \"" can trigger a page fault if the
      page pointed by 'args[0xffffffff]' is not mapped and potential memory
      corruption otherwise (unlikely but possible if the bogus address is mapped
      and contents happen to match the ascii value of the quote character).
      
      The fix is to ensure that we load 'args[i-1]' only when (i > 0).
      
      Prior to this commit the following command would trigger an
      unhandled page fault in the kernel:
      
      root@(none):/linus/fs/fat# insmod ./fat.ko  "foo=bar \""
      [   33.870507] BUG: unable to handle page fault for address: ffff888204252608
      [   33.872180] #PF: supervisor read access in kernel mode
      [   33.873414] #PF: error_code(0x0000) - not-present page
      [   33.874650] PGD 4401067 P4D 4401067 PUD 0
      [   33.875321] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
      [   33.876113] CPU: 16 PID: 399 Comm: insmod Not tainted 5.19.0-dbg-DEV #4
      [   33.877193] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
      [   33.878739] RIP: 0010:next_arg+0xd1/0x110
      [   33.879399] Code: 22 75 1d 41 c6 04 01 00 41 80 f8 22 74 18 eb 35 4c 89 0e 45 31 d2 4c 89 cf 48 c7 02 00 00 00 00 41 80 f8 22 75 1f 41 8d 42 ff <41> 80 3c 01 22 75 14 41 c6 04 01 00 eb 0d 48 c7 02 00 00 00 00 41
      [   33.882338] RSP: 0018:ffffc90001253d08 EFLAGS: 00010246
      [   33.883174] RAX: 00000000ffffffff RBX: ffff888104252608 RCX: 0fc317bba1c1dd00
      [   33.884311] RDX: ffffc90001253d40 RSI: ffffc90001253d48 RDI: ffff888104252609
      [   33.885450] RBP: ffffc90001253d10 R08: 0000000000000022 R09: ffff888104252609
      [   33.886595] R10: 0000000000000000 R11: ffffffff82c7ff20 R12: 0000000000000282
      [   33.887748] R13: 00000000ffff8000 R14: 0000000000000000 R15: 0000000000007fff
      [   33.888887] FS:  00007f04ec7432c0(0000) GS:ffff88813d300000(0000) knlGS:0000000000000000
      [   33.890183] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   33.891111] CR2: ffff888204252608 CR3: 0000000100f36005 CR4: 0000000000170ee0
      [   33.892241] Call Trace:
      [   33.892641]  <TASK>
      [   33.892989]  parse_args+0x8f/0x220
      [   33.893538]  load_module+0x138b/0x15a0
      [   33.894149]  ? prepare_coming_module+0x50/0x50
      [   33.894879]  ? kernel_read_file_from_fd+0x5f/0x90
      [   33.895639]  __se_sys_finit_module+0xce/0x130
      [   33.896342]  __x64_sys_finit_module+0x1d/0x20
      [   33.897042]  do_syscall_64+0x44/0xa0
      [   33.897622]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      [   33.898434] RIP: 0033:0x7f04ec85ef79
      [   33.899009] Code: 48 8d 3d da db 0d 00 0f 05 eb a5 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c7 9e 0d 00 f7 d8 64 89 01 48
      [   33.901912] RSP: 002b:00007fffae81bfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      [   33.903081] RAX: ffffffffffffffda RBX: 0000559c5f1d2640 RCX: 00007f04ec85ef79
      [   33.904191] RDX: 0000000000000000 RSI: 0000559c5f1d12a0 RDI: 0000000000000003
      [   33.905304] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      [   33.906421] R10: 0000000000000003 R11: 0000000000000246 R12: 0000559c5f1d12a0
      [   33.907526] R13: 0000000000000000 R14: 0000559c5f1d25f0 R15: 0000559c5f1d12a0
      [   33.908631]  </TASK>
      [   33.908986] Modules linked in: fat(+) [last unloaded: fat]
      [   33.909843] CR2: ffff888204252608
      [   33.910375] ---[ end trace 0000000000000000 ]---
      [   33.911172] RIP: 0010:next_arg+0xd1/0x110
      [   33.911796] Code: 22 75 1d 41 c6 04 01 00 41 80 f8 22 74 18 eb 35 4c 89 0e 45 31 d2 4c 89 cf 48 c7 02 00 00 00 00 41 80 f8 22 75 1f 41 8d 42 ff <41> 80 3c 01 22 75 14 41 c6 04 01 00 eb 0d 48 c7 02 00 00 00 00 41
      [   33.914643] RSP: 0018:ffffc90001253d08 EFLAGS: 00010246
      [   33.915446] RAX: 00000000ffffffff RBX: ffff888104252608 RCX: 0fc317bba1c1dd00
      [   33.916544] RDX: ffffc90001253d40 RSI: ffffc90001253d48 RDI: ffff888104252609
      [   33.917636] RBP: ffffc90001253d10 R08: 0000000000000022 R09: ffff888104252609
      [   33.918727] R10: 0000000000000000 R11: ffffffff82c7ff20 R12: 0000000000000282
      [   33.919821] R13: 00000000ffff8000 R14: 0000000000000000 R15: 0000000000007fff
      [   33.920908] FS:  00007f04ec7432c0(0000) GS:ffff88813d300000(0000) knlGS:0000000000000000
      [   33.922125] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   33.923017] CR2: ffff888204252608 CR3: 0000000100f36005 CR4: 0000000000170ee0
      [   33.924098] Kernel panic - not syncing: Fatal exception
      [   33.925776] Kernel Offset: disabled
      [   33.926347] Rebooting in 10 seconds..
      
      Link: https://lkml.kernel.org/r/20220728232434.1666488-1-neelnatu@google.comSigned-off-by: NNeel Natu <neelnatu@google.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NZhang Zekun <zhangzekun11@huawei.com>
      Reviewed-by: NWeilong Chen <chenweilong@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      8eabde4c
    • A
      mm/memory: return vm_fault_t result from migrate_to_ram() callback · ecee517d
      Alistair Popple 提交于
      mainline inclusion
      from mainline-v6.1-rc7
      commit 4a955bed
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I6BG56
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4a955bed882e734807024afd8f53213d4c61ff97
      
      --------------------------------
      
      The migrate_to_ram() callback should always succeed, but in rare cases can
      fail usually returning VM_FAULT_SIGBUS.  Commit 16ce101d
      ("mm/memory.c: fix race when faulting a device private page") incorrectly
      stopped passing the return code up the stack.  Fix this by setting the ret
      variable, restoring the previous behaviour on migrate_to_ram() failure.
      
      Link: https://lkml.kernel.org/r/20221114115537.727371-1-apopple@nvidia.com
      Fixes: 16ce101d ("mm/memory.c: fix race when faulting a device private page")
      Signed-off-by: NAlistair Popple <apopple@nvidia.com>
      Acked-by: NDavid Hildenbrand <david@redhat.com>
      Reviewed-by: NFelix Kuehling <Felix.Kuehling@amd.com>
      Cc: Ralph Campbell <rcampbell@nvidia.com>
      Cc: John Hubbard <jhubbard@nvidia.com>
      Cc: Alex Sierra <alex.sierra@amd.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Lyude Paul <lyude@redhat.com>
      Cc: Jason Gunthorpe <jgg@nvidia.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NMa Wupeng <mawupeng1@huawei.com>
      Reviewed-by: NKefeng Wang <wangkefeng.wang@huawei.com>
      Reviewed-by: Ntong tiangen <tongtiangen@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      ecee517d
    • F
      net: sched: disallow noqueue for qdisc classes · f8aa3571
      Frederick Lawler 提交于
      stable inclusion
      from stable-v5.10.163
      commit 9f7bc28a6b8afc2274e25650511555e93f45470f
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6B0FA
      CVE: CVE-2022-47929
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9f7bc28a6b8afc2274e25650511555e93f45470f
      
      --------------------------------
      
      commit 96398560 upstream.
      
      While experimenting with applying noqueue to a classful queue discipline,
      we discovered a NULL pointer dereference in the __dev_queue_xmit()
      path that generates a kernel OOPS:
      
          # dev=enp0s5
          # tc qdisc replace dev $dev root handle 1: htb default 1
          # tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit
          # tc qdisc add dev $dev parent 1:1 handle 10: noqueue
          # ping -I $dev -w 1 -c 1 1.1.1.1
      
      [    2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [    2.173217] #PF: supervisor instruction fetch in kernel mode
      ...
      [    2.178451] Call Trace:
      [    2.178577]  <TASK>
      [    2.178686]  htb_enqueue+0x1c8/0x370
      [    2.178880]  dev_qdisc_enqueue+0x15/0x90
      [    2.179093]  __dev_queue_xmit+0x798/0xd00
      [    2.179305]  ? _raw_write_lock_bh+0xe/0x30
      [    2.179522]  ? __local_bh_enable_ip+0x32/0x70
      [    2.179759]  ? ___neigh_create+0x610/0x840
      [    2.179968]  ? eth_header+0x21/0xc0
      [    2.180144]  ip_finish_output2+0x15e/0x4f0
      [    2.180348]  ? dst_output+0x30/0x30
      [    2.180525]  ip_push_pending_frames+0x9d/0xb0
      [    2.180739]  raw_sendmsg+0x601/0xcb0
      [    2.180916]  ? _raw_spin_trylock+0xe/0x50
      [    2.181112]  ? _raw_spin_unlock_irqrestore+0x16/0x30
      [    2.181354]  ? get_page_from_freelist+0xcd6/0xdf0
      [    2.181594]  ? sock_sendmsg+0x56/0x60
      [    2.181781]  sock_sendmsg+0x56/0x60
      [    2.181958]  __sys_sendto+0xf7/0x160
      [    2.182139]  ? handle_mm_fault+0x6e/0x1d0
      [    2.182366]  ? do_user_addr_fault+0x1e1/0x660
      [    2.182627]  __x64_sys_sendto+0x1b/0x30
      [    2.182881]  do_syscall_64+0x38/0x90
      [    2.183085]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
      ...
      [    2.187402]  </TASK>
      
      Previously in commit d66d6c31 ("net: sched: register noqueue
      qdisc"), NULL was set for the noqueue discipline on noqueue init
      so that __dev_queue_xmit() falls through for the noqueue case. This
      also sets a bypass of the enqueue NULL check in the
      register_qdisc() function for the struct noqueue_disc_ops.
      
      Classful queue disciplines make it past the NULL check in
      __dev_queue_xmit() because the discipline is set to htb (in this case),
      and then in the call to __dev_xmit_skb(), it calls into htb_enqueue()
      which grabs a leaf node for a class and then calls qdisc_enqueue() by
      passing in a queue discipline which assumes ->enqueue() is not set to NULL.
      
      Fix this by not allowing classes to be assigned to the noqueue
      discipline. Linux TC Notes states that classes cannot be set to
      the noqueue discipline. [1] Let's enforce that here.
      
      Links:
      1. https://linux-tc-notes.sourceforge.net/tc/doc/sch_noqueue.txt
      
      Fixes: d66d6c31 ("net: sched: register noqueue qdisc")
      Cc: stable@vger.kernel.org
      Signed-off-by: NFrederick Lawler <fred@cloudflare.com>
      Reviewed-by: NJakub Sitnicki <jakub@cloudflare.com>
      Link: https://lore.kernel.org/r/20230109163906.706000-1-fred@cloudflare.comSigned-off-by: NJakub Kicinski <kuba@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NBaisong Zhong <zhongbaisong@huawei.com>
      Reviewed-by: NLiu Jian <liujian56@huawei.com>
      Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      f8aa3571
    • P
      netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits · 90fd4a44
      Pablo Neira Ayuso 提交于
      stable inclusion
      from stable-v5.10.164
      commit 550efeff989b041f3746118c0ddd863c39ddc1aa
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AOP8
      CVE: CVE-2023-0179
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=550efeff989b041f3746118c0ddd863c39ddc1aa
      
      --------------------------------
      
      commit 696e1a48 upstream.
      
      If the offset + length goes over the ethernet + vlan header, then the
      length is adjusted to copy the bytes that are within the boundaries of
      the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
      vlan header are copied directly from the skbuff data area.
      
      Fix incorrect arithmetic operator: subtract, not add, the size of the
      vlan header in case of double-tagged packets to adjust the length
      accordingly to address CVE-2023-0179.
      Reported-by: NDavide Ornaghi <d.ornaghi97@gmail.com>
      Fixes: f6ae9f12 ("netfilter: nft_payload: add C-VLAN support")
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NZiyang Xuan <william.xuanziyang@huawei.com>
      Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
      Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      90fd4a44
    • W
      xfs: Fix deadlock on xfs_inodegc_worker · b6396746
      Wu Guanghao 提交于
      mainline inclusion
      from mainline-v6.2-rc1
      commit 4da11251
      category: bugfix
      bugzilla: 187874,https://gitee.com/openeuler/kernel/issues/I4KIAO
      CVE: NA
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4da112513c01d7d0acf1025b8764349d46e177d6
      
      --------------------------------
      
      We are doing a test about deleting a large number of files
      when memory is low. A deadlock problem was found.
      
      [ 1240.279183] -> #1 (fs_reclaim){+.+.}-{0:0}:
      [ 1240.280450]        lock_acquire+0x197/0x460
      [ 1240.281548]        fs_reclaim_acquire.part.0+0x20/0x30
      [ 1240.282625]        kmem_cache_alloc+0x2b/0x940
      [ 1240.283816]        xfs_trans_alloc+0x8a/0x8b0
      [ 1240.284757]        xfs_inactive_ifree+0xe4/0x4e0
      [ 1240.285935]        xfs_inactive+0x4e9/0x8a0
      [ 1240.286836]        xfs_inodegc_worker+0x160/0x5e0
      [ 1240.287969]        process_one_work+0xa19/0x16b0
      [ 1240.289030]        worker_thread+0x9e/0x1050
      [ 1240.290131]        kthread+0x34f/0x460
      [ 1240.290999]        ret_from_fork+0x22/0x30
      [ 1240.291905]
      [ 1240.291905] -> #0 ((work_completion)(&gc->work)){+.+.}-{0:0}:
      [ 1240.293569]        check_prev_add+0x160/0x2490
      [ 1240.294473]        __lock_acquire+0x2c4d/0x5160
      [ 1240.295544]        lock_acquire+0x197/0x460
      [ 1240.296403]        __flush_work+0x6bc/0xa20
      [ 1240.297522]        xfs_inode_mark_reclaimable+0x6f0/0xdc0
      [ 1240.298649]        destroy_inode+0xc6/0x1b0
      [ 1240.299677]        dispose_list+0xe1/0x1d0
      [ 1240.300567]        prune_icache_sb+0xec/0x150
      [ 1240.301794]        super_cache_scan+0x2c9/0x480
      [ 1240.302776]        do_shrink_slab+0x3f0/0xaa0
      [ 1240.303671]        shrink_slab+0x170/0x660
      [ 1240.304601]        shrink_node+0x7f7/0x1df0
      [ 1240.305515]        balance_pgdat+0x766/0xf50
      [ 1240.306657]        kswapd+0x5bd/0xd20
      [ 1240.307551]        kthread+0x34f/0x460
      [ 1240.308346]        ret_from_fork+0x22/0x30
      [ 1240.309247]
      [ 1240.309247] other info that might help us debug this:
      [ 1240.309247]
      [ 1240.310944]  Possible unsafe locking scenario:
      [ 1240.310944]
      [ 1240.312379]        CPU0                    CPU1
      [ 1240.313363]        ----                    ----
      [ 1240.314433]   lock(fs_reclaim);
      [ 1240.315107]                                lock((work_completion)(&gc->work));
      [ 1240.316828]                                lock(fs_reclaim);
      [ 1240.318088]   lock((work_completion)(&gc->work));
      [ 1240.319203]
      [ 1240.319203]  *** DEADLOCK ***
      ...
      [ 2438.431081] Workqueue: xfs-inodegc/sda xfs_inodegc_worker
      [ 2438.432089] Call Trace:
      [ 2438.432562]  __schedule+0xa94/0x1d20
      [ 2438.435787]  schedule+0xbf/0x270
      [ 2438.436397]  schedule_timeout+0x6f8/0x8b0
      [ 2438.445126]  wait_for_completion+0x163/0x260
      [ 2438.448610]  __flush_work+0x4c4/0xa40
      [ 2438.455011]  xfs_inode_mark_reclaimable+0x6ef/0xda0
      [ 2438.456695]  destroy_inode+0xc6/0x1b0
      [ 2438.457375]  dispose_list+0xe1/0x1d0
      [ 2438.458834]  prune_icache_sb+0xe8/0x150
      [ 2438.461181]  super_cache_scan+0x2b3/0x470
      [ 2438.461950]  do_shrink_slab+0x3cf/0xa50
      [ 2438.462687]  shrink_slab+0x17d/0x660
      [ 2438.466392]  shrink_node+0x87e/0x1d40
      [ 2438.467894]  do_try_to_free_pages+0x364/0x1300
      [ 2438.471188]  try_to_free_pages+0x26c/0x5b0
      [ 2438.473567]  __alloc_pages_slowpath.constprop.136+0x7aa/0x2100
      [ 2438.482577]  __alloc_pages+0x5db/0x710
      [ 2438.485231]  alloc_pages+0x100/0x200
      [ 2438.485923]  allocate_slab+0x2c0/0x380
      [ 2438.486623]  ___slab_alloc+0x41f/0x690
      [ 2438.490254]  __slab_alloc+0x54/0x70
      [ 2438.491692]  kmem_cache_alloc+0x23e/0x270
      [ 2438.492437]  xfs_trans_alloc+0x88/0x880
      [ 2438.493168]  xfs_inactive_ifree+0xe2/0x4e0
      [ 2438.496419]  xfs_inactive+0x4eb/0x8b0
      [ 2438.497123]  xfs_inodegc_worker+0x16b/0x5e0
      [ 2438.497918]  process_one_work+0xbf7/0x1a20
      [ 2438.500316]  worker_thread+0x8c/0x1060
      [ 2438.504938]  ret_from_fork+0x22/0x30
      
      When the memory is insufficient, xfs_inonodegc_worker will trigger memory
      reclamation when memory is allocated, then flush_work() may be called to
      wait for the work to complete. This causes a deadlock.
      
      So use memalloc_nofs_save() to avoid triggering memory reclamation in
      xfs_inodegc_worker.
      Signed-off-by: NWu Guanghao <wuguanghao3@huawei.com>
      Reviewed-by: NDarrick J. Wong <djwong@kernel.org>
      Signed-off-by: NDarrick J. Wong <djwong@kernel.org>
      Signed-off-by: NGuo Xuenan <guoxuenan@huawei.com>
      Reviewed-by: NZhang Yi <yi.zhang@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      b6396746
    • J
      net: sched: cbq: dont intepret cls results when asked to drop · 7cfa84c0
      Jamal Hadi Salim 提交于
      stable inclusion
      from stable-v5.10.163
      commit b2c917e510e5ddbc7896329c87d20036c8b82952
      category: bugfix
      bugzilla: 188272, https://gitee.com/src-openeuler/kernel/issues/I6AQIL
      CVE: CVE-2023-23454
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b2c917e510e5ddbc7896329c87d20036c8b82952
      
      -------------------------------------------------
      
      [ Upstream commit caa4b35b ]
      
      If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume that
      res.class contains a valid pointer
      
      Sample splat reported by Kyle Zeng
      
      [    5.405624] 0: reclassify loop, rule prio 0, protocol 800
      [    5.406326] ==================================================================
      [    5.407240] BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x54b/0xea0
      [    5.407987] Read of size 1 at addr ffff88800e3122aa by task poc/299
      [    5.408731]
      [    5.408897] CPU: 0 PID: 299 Comm: poc Not tainted 5.10.155+ #15
      [    5.409516] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.15.0-1 04/01/2014
      [    5.410439] Call Trace:
      [    5.410764]  dump_stack+0x87/0xcd
      [    5.411153]  print_address_description+0x7a/0x6b0
      [    5.411687]  ? vprintk_func+0xb9/0xc0
      [    5.411905]  ? printk+0x76/0x96
      [    5.412110]  ? cbq_enqueue+0x54b/0xea0
      [    5.412323]  kasan_report+0x17d/0x220
      [    5.412591]  ? cbq_enqueue+0x54b/0xea0
      [    5.412803]  __asan_report_load1_noabort+0x10/0x20
      [    5.413119]  cbq_enqueue+0x54b/0xea0
      [    5.413400]  ? __kasan_check_write+0x10/0x20
      [    5.413679]  __dev_queue_xmit+0x9c0/0x1db0
      [    5.413922]  dev_queue_xmit+0xc/0x10
      [    5.414136]  ip_finish_output2+0x8bc/0xcd0
      [    5.414436]  __ip_finish_output+0x472/0x7a0
      [    5.414692]  ip_finish_output+0x5c/0x190
      [    5.414940]  ip_output+0x2d8/0x3c0
      [    5.415150]  ? ip_mc_finish_output+0x320/0x320
      [    5.415429]  __ip_queue_xmit+0x753/0x1760
      [    5.415664]  ip_queue_xmit+0x47/0x60
      [    5.415874]  __tcp_transmit_skb+0x1ef9/0x34c0
      [    5.416129]  tcp_connect+0x1f5e/0x4cb0
      [    5.416347]  tcp_v4_connect+0xc8d/0x18c0
      [    5.416577]  __inet_stream_connect+0x1ae/0xb40
      [    5.416836]  ? local_bh_enable+0x11/0x20
      [    5.417066]  ? lock_sock_nested+0x175/0x1d0
      [    5.417309]  inet_stream_connect+0x5d/0x90
      [    5.417548]  ? __inet_stream_connect+0xb40/0xb40
      [    5.417817]  __sys_connect+0x260/0x2b0
      [    5.418037]  __x64_sys_connect+0x76/0x80
      [    5.418267]  do_syscall_64+0x31/0x50
      [    5.418477]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
      [    5.418770] RIP: 0033:0x473bb7
      [    5.418952] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00
      00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00
      00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34
      24 89
      [    5.420046] RSP: 002b:00007fffd20eb0f8 EFLAGS: 00000246 ORIG_RAX:
      000000000000002a
      [    5.420472] RAX: ffffffffffffffda RBX: 00007fffd20eb578 RCX: 0000000000473bb7
      [    5.420872] RDX: 0000000000000010 RSI: 00007fffd20eb110 RDI: 0000000000000007
      [    5.421271] RBP: 00007fffd20eb150 R08: 0000000000000001 R09: 0000000000000004
      [    5.421671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
      [    5.422071] R13: 00007fffd20eb568 R14: 00000000004fc740 R15: 0000000000000002
      [    5.422471]
      [    5.422562] Allocated by task 299:
      [    5.422782]  __kasan_kmalloc+0x12d/0x160
      [    5.423007]  kasan_kmalloc+0x5/0x10
      [    5.423208]  kmem_cache_alloc_trace+0x201/0x2e0
      [    5.423492]  tcf_proto_create+0x65/0x290
      [    5.423721]  tc_new_tfilter+0x137e/0x1830
      [    5.423957]  rtnetlink_rcv_msg+0x730/0x9f0
      [    5.424197]  netlink_rcv_skb+0x166/0x300
      [    5.424428]  rtnetlink_rcv+0x11/0x20
      [    5.424639]  netlink_unicast+0x673/0x860
      [    5.424870]  netlink_sendmsg+0x6af/0x9f0
      [    5.425100]  __sys_sendto+0x58d/0x5a0
      [    5.425315]  __x64_sys_sendto+0xda/0xf0
      [    5.425539]  do_syscall_64+0x31/0x50
      [    5.425764]  entry_SYSCALL_64_after_hwframe+0x61/0xc6
      [    5.426065]
      [    5.426157] The buggy address belongs to the object at ffff88800e312200
      [    5.426157]  which belongs to the cache kmalloc-128 of size 128
      [    5.426955] The buggy address is located 42 bytes to the right of
      [    5.426955]  128-byte region [ffff88800e312200, ffff88800e312280)
      [    5.427688] The buggy address belongs to the page:
      [    5.427992] page:000000009875fabc refcount:1 mapcount:0
      mapping:0000000000000000 index:0x0 pfn:0xe312
      [    5.428562] flags: 0x100000000000200(slab)
      [    5.428812] raw: 0100000000000200 dead000000000100 dead000000000122
      ffff888007843680
      [    5.429325] raw: 0000000000000000 0000000000100010 00000001ffffffff
      ffff88800e312401
      [    5.429875] page dumped because: kasan: bad access detected
      [    5.430214] page->mem_cgroup:ffff88800e312401
      [    5.430471]
      [    5.430564] Memory state around the buggy address:
      [    5.430846]  ffff88800e312180: fc fc fc fc fc fc fc fc fc fc fc fc
      fc fc fc fc
      [    5.431267]  ffff88800e312200: 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 fc
      [    5.431705] >ffff88800e312280: fc fc fc fc fc fc fc fc fc fc fc fc
      fc fc fc fc
      [    5.432123]                                   ^
      [    5.432391]  ffff88800e312300: 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 fc
      [    5.432810]  ffff88800e312380: fc fc fc fc fc fc fc fc fc fc fc fc
      fc fc fc fc
      [    5.433229] ==================================================================
      [    5.433648] Disabling lock debugging due to kernel taint
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-by: NKyle Zeng <zengyhkyle@gmail.com>
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NZhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
      Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      7cfa84c0
    • J
      net: sched: atm: dont intepret cls results when asked to drop · 112da66f
      Jamal Hadi Salim 提交于
      stable inclusion
      from stable-v5.10.162
      commit 5f65f48516bfeebaab1ccc52c8fad698ddf21282
      category: bugfix
      bugzilla: 188250, https://gitee.com/src-openeuler/kernel/issues/I6AQG9
      CVE: CVE-2023-23455
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5f65f48516bfeebaab1ccc52c8fad698ddf21282
      
      --------------------------------
      
      [ Upstream commit a2965c7b ]
      
      If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
      res.class contains a valid pointer
      Fixes: b0188d4d ("[NET_SCHED]: sch_atm: Lindent")
      Signed-off-by: NJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NDong Chenchen <dongchenchen2@huawei.com>
      Reviewed-by: NYue Haibing <yuehaibing@huawei.com>
      Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      112da66f
    • Z
      scsi: ses: fix slab-out-of-bounds in ses_enclosure_data_process · 79fccbfc
      Zhang Wensheng 提交于
      hulk inclusion
      category: bugfix
      bugzilla: 187025, https://gitee.com/openeuler/kernel/issues/I6B1LN
      CVE: NA
      
      --------------------------------
      
      Kasan report a bug like below:
      [  494.865170] ==================================================================
      [  494.901335] BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x234/0x6f0 [ses]
      [  494.901347] Write of size 1 at addr ffff8882f3181a70 by task systemd-udevd/1704
      [  494.931929] i801_smbus 0000:00:1f.4: SPD Write Disable is set
      
      [  494.944092] CPU: 12 PID: 1704 Comm: systemd-udevd Tainted: G
      [  494.944101] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 7.01 11/13/2019
      [  494.964003] i801_smbus 0000:00:1f.4: SMBus using PCI interrupt
      [  494.978532] Call Trace:
      [  494.978544]  dump_stack+0xbe/0xf9
      [  494.978558]  print_address_description.constprop.0+0x19/0x130
      [  495.092838]  ? ses_enclosure_data_process+0x234/0x6f0 [ses]
      [  495.092846]  __kasan_report.cold+0x68/0x80
      [  495.092855]  ? __kasan_kmalloc.constprop.0+0x71/0xd0
      [  495.092862]  ? ses_enclosure_data_process+0x234/0x6f0 [ses]
      [  495.092868]  kasan_report+0x3a/0x50
      [  495.092875]  ses_enclosure_data_process+0x234/0x6f0 [ses]
      [  495.092882]  ? mutex_unlock+0x1d/0x40
      [  495.092889]  ses_intf_add+0x57f/0x910 [ses]
      [  495.092900]  class_interface_register+0x26d/0x290
      [  495.092906]  ? class_destroy+0xd0/0xd0
      [  495.092912]  ? 0xffffffffc0bf8000
      [  495.092919]  ses_init+0x18/0x1000 [ses]
      [  495.092927]  do_one_initcall+0xcb/0x370
      [  495.092934]  ? initcall_blacklisted+0x1b0/0x1b0
      [  495.092942]  ? create_object.isra.0+0x330/0x3a0
      [  495.092950]  ? kasan_unpoison_shadow+0x33/0x40
      [  495.092957]  ? kasan_unpoison_shadow+0x33/0x40
      [  495.092966]  do_init_module+0xe4/0x3a0
      [  495.092972]  load_module+0xd0a/0xdd0
      [  495.092980]  ? layout_and_allocate+0x300/0x300
      [  495.092989]  ? seccomp_run_filters+0x1d6/0x2c0
      [  495.092999]  ? kernel_read_file_from_fd+0xb3/0xe0
      [  495.093006]  __se_sys_finit_module+0x11b/0x1b0
      [  495.093012]  ? __ia32_sys_init_module+0x40/0x40
      [  495.093023]  ? __audit_syscall_entry+0x226/0x290
      [  495.093032]  do_syscall_64+0x33/0x40
      [  495.093041]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  495.093046] RIP: 0033:0x7f39c3376089
      [  495.093054] Code: 00 48 81 c4 80 00 00 00 89 f0 c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e7 dd 0b 00 f7 d8 64 89 01 48
      [  495.093058] RSP: 002b:00007ffdc6009e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      [  495.093068] RAX: ffffffffffffffda RBX: 000055d4192801c0 RCX: 00007f39c3376089
      [  495.093072] RDX: 0000000000000000 RSI: 00007f39c2fae99d RDI: 000000000000000f
      [  495.093076] RBP: 00007f39c2fae99d R08: 0000000000000000 R09: 0000000000000001
      [  495.093080] R10: 000000000000000f R11: 0000000000000246 R12: 0000000000000000
      [  495.093084] R13: 000055d419282e00 R14: 0000000000020000 R15: 000055d41927f1f0
      
      [  495.093091] Allocated by task 1704:
      [  495.093098]  kasan_save_stack+0x1b/0x40
      [  495.093105]  __kasan_kmalloc.constprop.0+0xc2/0xd0
      [  495.093111]  ses_enclosure_data_process+0x65d/0x6f0 [ses]
      [  495.093117]  ses_intf_add+0x57f/0x910 [ses]
      [  495.093123]  class_interface_register+0x26d/0x290
      [  495.093129]  ses_init+0x18/0x1000 [ses]
      [  495.093134]  do_one_initcall+0xcb/0x370
      [  495.093139]  do_init_module+0xe4/0x3a0
      [  495.093144]  load_module+0xd0a/0xdd0
      [  495.093150]  __se_sys_finit_module+0x11b/0x1b0
      [  495.093155]  do_syscall_64+0x33/0x40
      [  495.093162]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  495.093168] The buggy address belongs to the object at ffff8882f3181a40
                      which belongs to the cache kmalloc-64 of size 64
      [  495.093173] The buggy address is located 48 bytes inside of
                      64-byte region [ffff8882f3181a40, ffff8882f3181a80)
      [  495.093175] The buggy address belongs to the page:
      [  495.093181] page:ffffea000bcc6000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f3180
      [  495.093186] head:ffffea000bcc6000 order:2 compound_mapcount:0 compound_pincount:0
      [  495.093194] flags: 0x17ffe0000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
      [  495.093204] raw: 017ffe0000010200 ffffea0016e5fb08 ffffea0016921508 ffff888100050e00
      [  495.093211] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
      [  495.093213] page dumped because: kasan: bad access detected
      
      [  495.093216] Memory state around the buggy address:
      [  495.093222]  ffff8882f3181900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  495.093227]  ffff8882f3181980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  495.093231] >ffff8882f3181a00: fc fc fc fc fc fc fc fc 00 00 00 00 01 fc fc fc
      [  495.093234]                                                              ^
      [  495.093239]  ffff8882f3181a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  495.093244]  ffff8882f3181b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  495.093246] ==================================================================
      
      After analysis on vmcore, it was found that the line "desc_ptr[len] =
      '\0';" has slab-out-of-bounds problem in ses_enclosure_data_process.
      In ses_enclosure_data_process, "desc_ptr" point to "buf", so it have
      to be limited in the memory of "buf", however. although there is
      "desc_ptr >= buf + page7_len" judgment, it does not work because
      "desc_ptr + 4 + len" may bigger than "buf + page7_len", which will
      lead to slab-out-of-bounds problem.
      Signed-off-by: NZhang Wensheng <zhangwensheng5@huawei.com>
      Signed-off-by: NLi Nan <linan122@huawei.com>
      Reviewed-by: NHou Tao <houtao1@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      79fccbfc
    • S
      rndis_wlan: Prevent buffer overflow in rndis_query_oid · fb5261e8
      Szymon Heidrich 提交于
      maillist inclusion
      category: bugfix
      bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6AQJP
      CVE: CVE-2023-23559
      
      Reference: https://patchwork.kernel.org/project/linux-wireless/patch/20230111175031.7049-1-szymon.heidrich@gmail.com/
      
      -------------------------------
      
      Since resplen and respoffs are signed integers sufficiently
      large values of unsigned int len and offset members of RNDIS
      response will result in negative values of prior variables.
      This may be utilized to bypass implemented security checks
      to either extract memory contents by manipulating offset or
      overflow the data buffer via memcpy by manipulating both
      offset and len.
      
      Additionally assure that sum of resplen and respoffs does not
      overflow so buffer boundaries are kept.
      
      Fixes: 80f8c5b4 ("rndis_wlan: copy only useful data from rndis_command respond")
      Signed-off-by: NSzymon Heidrich <szymon.heidrich@gmail.com>
      Signed-off-by: NWang Yufen <wangyufen@huawei.com>
      Reviewed-by: NWei Yongjun <weiyongjun1@huawei.com>
      Reviewed-by: NWang Weiyang <wangweiyang2@huawei.com>
      Signed-off-by: NJialin Zhang <zhangjialin11@huawei.com>
      fb5261e8
  3. 18 1月, 2023 17 次提交