1. 09 Mar, 2022 38 commits
  2. 08 Mar, 2022 2 commits
    • blk-throttle: Set BIO_THROTTLED when bio has been throttled · 2c7b5509
      Committed by Laibin Qiu
      hulk inclusion
      category: bugfix
      bugzilla: 185779, https://gitee.com/openeuler/kernel/issues/I4WFIY
      CVE: NA
      
      -------------------------------------------------
      
      1. In current process, all bio will set the BIO_THROTTLED flag
      after __blk_throtl_bio().
      
      2. If bio needs to be throttled, it will start the timer and
      stop submitting the bio directly. Bio will be submitted in
      blk_throtl_dispatch_work_fn() when the timer expires. But in
      the current process, if bio is throttled, the BIO_THROTTLED
      flag will be set on the bio after the timer starts. If the bio has been
      completed, it may cause the use-after-free below.
      
      BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
      Read of size 2 at addr ffff88801b8902d4 by task fio/26380
      
       dump_stack+0x9b/0xce
       print_address_description.constprop.6+0x3e/0x60
       kasan_report.cold.9+0x22/0x3a
       blk_throtl_bio+0x12f0/0x2c70
       submit_bio_checks+0x701/0x1550
       submit_bio_noacct+0x83/0xc80
       submit_bio+0xa7/0x330
       mpage_readahead+0x380/0x500
       read_pages+0x1c1/0xbf0
       page_cache_ra_unbounded+0x471/0x6f0
       do_page_cache_ra+0xda/0x110
       ondemand_readahead+0x442/0xae0
       page_cache_async_ra+0x210/0x300
       generic_file_buffered_read+0x4d9/0x2130
       generic_file_read_iter+0x315/0x490
       blkdev_read_iter+0x113/0x1b0
       aio_read+0x2ad/0x450
       io_submit_one+0xc8e/0x1d60
       __se_sys_io_submit+0x125/0x350
       do_syscall_64+0x2d/0x40
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Allocated by task 26380:
       kasan_save_stack+0x19/0x40
       __kasan_kmalloc.constprop.2+0xc1/0xd0
       kmem_cache_alloc+0x146/0x440
       mempool_alloc+0x125/0x2f0
       bio_alloc_bioset+0x353/0x590
       mpage_alloc+0x3b/0x240
       do_mpage_readpage+0xddf/0x1ef0
       mpage_readahead+0x264/0x500
       read_pages+0x1c1/0xbf0
       page_cache_ra_unbounded+0x471/0x6f0
       do_page_cache_ra+0xda/0x110
       ondemand_readahead+0x442/0xae0
       page_cache_async_ra+0x210/0x300
       generic_file_buffered_read+0x4d9/0x2130
       generic_file_read_iter+0x315/0x490
       blkdev_read_iter+0x113/0x1b0
       aio_read+0x2ad/0x450
       io_submit_one+0xc8e/0x1d60
       __se_sys_io_submit+0x125/0x350
       do_syscall_64+0x2d/0x40
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 0:
       kasan_save_stack+0x19/0x40
       kasan_set_track+0x1c/0x30
       kasan_set_free_info+0x1b/0x30
       __kasan_slab_free+0x111/0x160
       kmem_cache_free+0x94/0x460
       mempool_free+0xd6/0x320
       bio_free+0xe0/0x130
       bio_put+0xab/0xe0
       bio_endio+0x3a6/0x5d0
       blk_update_request+0x590/0x1370
       scsi_end_request+0x7d/0x400
       scsi_io_completion+0x1aa/0xe50
       scsi_softirq_done+0x11b/0x240
       blk_mq_complete_request+0xd4/0x120
       scsi_mq_done+0xf0/0x200
       virtscsi_vq_done+0xbc/0x150
       vring_interrupt+0x179/0x390
       __handle_irq_event_percpu+0xf7/0x490
       handle_irq_event_percpu+0x7b/0x160
       handle_irq_event+0xcc/0x170
       handle_edge_irq+0x215/0xb20
       common_interrupt+0x60/0x120
       asm_common_interrupt+0x1e/0x40
      
      Fix this by moving the BIO_THROTTLED set into the queue_lock.
      Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>
      Reviewed-by: Hou Tao <houtao1@huawei.com>
      Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
    • bpf, selftests: Add ringbuf memory type confusion test · 6b1836a9
      Committed by Daniel Borkmann
      mainline inclusion
      from mainline-v5.17-rc1
      commit 37c8d480
      category: bugfix
      bugzilla: https://gitee.com/openeuler/kernel/issues/I4WT90
      CVE: CVE-2021-4204
      
      Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=37c8d4807d1b8b521b30310dce97f6695dc2c2c6
      
      --------------------------------
      
      Add two tests, one which asserts that ring buffer memory can be passed to
      other helpers for populating its entry area, and another one where verifier
      rejects different type of memory passed to bpf_ringbuf_submit().
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: John Fastabend <john.fastabend@gmail.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Pu Lehui <pulehui@huawei.com>
      Reviewed-by: Kuohai Xu <xukuohai@huawei.com>
      Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>