[Devel] [PATCH RHEL7 COMMIT] ploop: Add @id argument to ->autodetect()
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.18.2.vz7.163.9 --> commit 5c4a961d7209b18bb1001f2315d8650021b1805b Author: Kirill Tkhai Date: Tue Aug 25 09:04:49 2020 +0300 ploop: Add @id argument to ->autodetect() https://jira.sw.ru/browse/PSBM-105347 Signed-off-by: Kirill Tkhai --- drivers/block/ploop/io.c| 2 +- drivers/block/ploop/io_direct.c | 2 +- drivers/block/ploop/io_kaio.c | 2 +- include/linux/ploop/ploop.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/block/ploop/io.c b/drivers/block/ploop/io.c index 5499f97..ad1d365 100644 --- a/drivers/block/ploop/io.c +++ b/drivers/block/ploop/io.c @@ -43,7 +43,7 @@ static struct ploop_io_ops * ploop_io_get(struct ploop_io *io, unsigned int id) mutex_lock(&ploop_ios_mutex); list_for_each_entry(ops, &ploop_ios, list) { if ((id == ops->id || id == PLOOP_IO_AUTO) && - !ops->autodetect(io) && try_module_get(ops->owner)) { + !ops->autodetect(io, id) && try_module_get(ops->owner)) { mutex_unlock(&ploop_ios_mutex); return ops; } diff --git a/drivers/block/ploop/io_direct.c b/drivers/block/ploop/io_direct.c index 54c9954..db3eacd 100644 --- a/drivers/block/ploop/io_direct.c +++ b/drivers/block/ploop/io_direct.c @@ -1711,7 +1711,7 @@ static int dio_dump(struct ploop_io * io) return -1; } -static int dio_autodetect(struct ploop_io * io) +static int dio_autodetect(struct ploop_io *io, unsigned int id) { struct file * file = io->files.file; struct inode * inode = file->f_mapping->host; diff --git a/drivers/block/ploop/io_kaio.c b/drivers/block/ploop/io_kaio.c index 365e2e3..38599e2 100644 --- a/drivers/block/ploop/io_kaio.c +++ b/drivers/block/ploop/io_kaio.c @@ -1208,7 +1208,7 @@ static void kaio_issue_flush(struct ploop_io * io, struct ploop_request *preq) spin_unlock_irq(&io->plo->lock); } -static int kaio_autodetect(struct ploop_io * io) +static int kaio_autodetect(struct ploop_io *io, unsigned int id) { struct file * file = io->files.file; struct inode * inode = file->f_mapping->host; diff --git a/include/linux/ploop/ploop.h b/include/linux/ploop/ploop.h index fe6f94e..2dc0c26 100644 --- a/include/linux/ploop/ploop.h +++ b/include/linux/ploop/ploop.h @@ -208,7 +208,7 @@ struct ploop_io_ops loff_t (*i_size_read)(struct ploop_io*); fmode_t (*f_mode)(struct ploop_io*); - int (*autodetect)(struct ploop_io * io); + int (*autodetect)(struct ploop_io *io, unsigned int id); }; static inline loff_t generic_i_size_read(struct ploop_io *io) ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
[Devel] [PATCH RHEL7 COMMIT] ploop: Formulate "kaio_backed_ext4" module parameter purpose
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.18.2.vz7.163.9 --> commit c1253660b825e125fdef5a270a8a6e0e75d3dad5 Author: Kirill Tkhai Date: Tue Aug 25 09:04:55 2020 +0300 ploop: Formulate "kaio_backed_ext4" module parameter purpose This matters in case of PLOOP_IO_AUTO is requested in struct ploop_ctl_chunk::pctl_type: 1)not-zero is to choose io_kaio engine for ext4; 2)zero is to choose io_direct. In case of certail PLOOP_IO_XXX is passed, the parameter is ignored. https://jira.sw.ru/browse/PSBM-105347 Signed-off-by: Kirill Tkhai --- drivers/block/ploop/dev.c| 6 ++ drivers/block/ploop/fmt_ploop1.c | 4 +++- drivers/block/ploop/io_direct.c | 5 +++-- drivers/block/ploop/io_kaio.c| 4 ++-- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/block/ploop/dev.c b/drivers/block/ploop/dev.c index 686d1b9..197faa5 100644 --- a/drivers/block/ploop/dev.c +++ b/drivers/block/ploop/dev.c @@ -61,6 +61,12 @@ static long user_threshold __read_mostly = 4L * 1024 * 1024; /* 4GB in KB */ static int large_disk_support __read_mostly = 1; /* true */ static int native_discard_support __read_mostly = 1; +/* + * This matters in case of PLOOP_IO_AUTO is requested + * in struct ploop_ctl_chunk::pctl_type: + * 1)not-zero is to choose io_kaio engine for ext4; + * 2)zero is to choose io_direct. + */ int kaio_backed_ext4 __read_mostly = 0; EXPORT_SYMBOL(kaio_backed_ext4); diff --git a/drivers/block/ploop/fmt_ploop1.c b/drivers/block/ploop/fmt_ploop1.c index b5f9594..0036e09 100644 --- a/drivers/block/ploop/fmt_ploop1.c +++ b/drivers/block/ploop/fmt_ploop1.c @@ -333,7 +333,9 @@ ploop1_open(struct ploop_delta * delta) ((u64)ph->bd_size + ph->l1_off) << 9) delta->flags |= PLOOP_FMT_PREALLOCATED; - if (delta->io.ops->id != PLOOP_IO_DIRECT && !kaio_backed_ext4) + /* FIXME: is there a better place for this? */ + if (delta->io.ops->id != PLOOP_IO_DIRECT && + delta->io.files.inode->i_sb->s_magic != EXT4_SUPER_MAGIC) set_bit(PLOOP_S_NO_FALLOC_DISCARD, &delta->plo->state); return 0; diff --git a/drivers/block/ploop/io_direct.c b/drivers/block/ploop/io_direct.c index db3eacd..4f82b8b 100644 --- a/drivers/block/ploop/io_direct.c +++ b/drivers/block/ploop/io_direct.c @@ -1721,11 +1721,12 @@ static int dio_autodetect(struct ploop_io *io, unsigned int id) mm_segment_t fs; unsigned int flags; - if (kaio_backed_ext4) - return -1; if (inode->i_sb->s_magic != EXT4_SUPER_MAGIC) return -1; /* not mine */ + if (id == PLOOP_IO_AUTO && kaio_backed_ext4) + return -1; + if (inode->i_sb->s_bdev == NULL) { printk("File on FS EXT(%s) without backing device\n", s_id); return -1; diff --git a/drivers/block/ploop/io_kaio.c b/drivers/block/ploop/io_kaio.c index 38599e2..2f6164c 100644 --- a/drivers/block/ploop/io_kaio.c +++ b/drivers/block/ploop/io_kaio.c @@ -1138,7 +1138,6 @@ static void kaio_queue_settings(struct ploop_io * io, struct request_queue * q) struct inode *inode = file->f_mapping->host; if (inode->i_sb->s_magic == EXT4_SUPER_MAGIC) { - WARN_ON(!kaio_backed_ext4); blk_queue_stack_limits(q, bdev_get_queue(io->files.bdev)); /* * There is no a way to force block engine to split a request @@ -1214,7 +1213,8 @@ static int kaio_autodetect(struct ploop_io *io, unsigned int id) struct inode * inode = file->f_mapping->host; if (inode->i_sb->s_magic != FUSE_SUPER_MAGIC && - (inode->i_sb->s_magic != EXT4_SUPER_MAGIC || !kaio_backed_ext4)) + (inode->i_sb->s_magic != EXT4_SUPER_MAGIC || +(id == PLOOP_IO_AUTO && !kaio_backed_ext4))) return -1; /* not mine */ if (!(file->f_flags & O_DIRECT)) { ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
[Devel] [PATCH RH7 1/2] ploop: Add @id argument to ->autodetect()
Signed-off-by: Kirill Tkhai --- drivers/block/ploop/io.c|2 +- drivers/block/ploop/io_direct.c |2 +- drivers/block/ploop/io_kaio.c |2 +- include/linux/ploop/ploop.h |2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/block/ploop/io.c b/drivers/block/ploop/io.c index 5499f9781151..ad1d365d7c6c 100644 --- a/drivers/block/ploop/io.c +++ b/drivers/block/ploop/io.c @@ -43,7 +43,7 @@ static struct ploop_io_ops * ploop_io_get(struct ploop_io *io, unsigned int id) mutex_lock(&ploop_ios_mutex); list_for_each_entry(ops, &ploop_ios, list) { if ((id == ops->id || id == PLOOP_IO_AUTO) && - !ops->autodetect(io) && try_module_get(ops->owner)) { + !ops->autodetect(io, id) && try_module_get(ops->owner)) { mutex_unlock(&ploop_ios_mutex); return ops; } diff --git a/drivers/block/ploop/io_direct.c b/drivers/block/ploop/io_direct.c index 54c995411c45..db3eacd2d845 100644 --- a/drivers/block/ploop/io_direct.c +++ b/drivers/block/ploop/io_direct.c @@ -1711,7 +1711,7 @@ static int dio_dump(struct ploop_io * io) return -1; } -static int dio_autodetect(struct ploop_io * io) +static int dio_autodetect(struct ploop_io *io, unsigned int id) { struct file * file = io->files.file; struct inode * inode = file->f_mapping->host; diff --git a/drivers/block/ploop/io_kaio.c b/drivers/block/ploop/io_kaio.c index 365e2e3850d4..38599e201163 100644 --- a/drivers/block/ploop/io_kaio.c +++ b/drivers/block/ploop/io_kaio.c @@ -1208,7 +1208,7 @@ static void kaio_issue_flush(struct ploop_io * io, struct ploop_request *preq) spin_unlock_irq(&io->plo->lock); } -static int kaio_autodetect(struct ploop_io * io) +static int kaio_autodetect(struct ploop_io *io, unsigned int id) { struct file * file = io->files.file; struct inode * inode = file->f_mapping->host; diff --git a/include/linux/ploop/ploop.h b/include/linux/ploop/ploop.h index fe6f94ef550c..2dc0c2690490 100644 --- a/include/linux/ploop/ploop.h +++ b/include/linux/ploop/ploop.h @@ -208,7 +208,7 @@ struct ploop_io_ops loff_t (*i_size_read)(struct ploop_io*); fmode_t (*f_mode)(struct ploop_io*); - int (*autodetect)(struct ploop_io * io); + int (*autodetect)(struct ploop_io *io, unsigned int id); }; static inline loff_t generic_i_size_read(struct ploop_io *io) ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
[Devel] [PATCH RH7 2/2] ploop: Formulate "kaio_backed_ext4" module parameter purpose
This matters in case of PLOOP_IO_AUTO is requested in struct ploop_ctl_chunk::pctl_type: 1)not-zero is to choose io_kaio engine for ext4; 2)zero is to choose io_direct. In case of certail PLOOP_IO_XXX is passed, the parameter is ignored. Signed-off-by: Kirill Tkhai --- drivers/block/ploop/dev.c|6 ++ drivers/block/ploop/fmt_ploop1.c |4 +++- drivers/block/ploop/io_direct.c |5 +++-- drivers/block/ploop/io_kaio.c|4 ++-- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/block/ploop/dev.c b/drivers/block/ploop/dev.c index 686d1b96bdae..197faa5db05d 100644 --- a/drivers/block/ploop/dev.c +++ b/drivers/block/ploop/dev.c @@ -61,6 +61,12 @@ static long user_threshold __read_mostly = 4L * 1024 * 1024; /* 4GB in KB */ static int large_disk_support __read_mostly = 1; /* true */ static int native_discard_support __read_mostly = 1; +/* + * This matters in case of PLOOP_IO_AUTO is requested + * in struct ploop_ctl_chunk::pctl_type: + * 1)not-zero is to choose io_kaio engine for ext4; + * 2)zero is to choose io_direct. + */ int kaio_backed_ext4 __read_mostly = 0; EXPORT_SYMBOL(kaio_backed_ext4); diff --git a/drivers/block/ploop/fmt_ploop1.c b/drivers/block/ploop/fmt_ploop1.c index b5f95946c801..0036e09b4bf4 100644 --- a/drivers/block/ploop/fmt_ploop1.c +++ b/drivers/block/ploop/fmt_ploop1.c @@ -333,7 +333,9 @@ ploop1_open(struct ploop_delta * delta) ((u64)ph->bd_size + ph->l1_off) << 9) delta->flags |= PLOOP_FMT_PREALLOCATED; - if (delta->io.ops->id != PLOOP_IO_DIRECT && !kaio_backed_ext4) + /* FIXME: is there a better place for this? */ + if (delta->io.ops->id != PLOOP_IO_DIRECT && + delta->io.files.inode->i_sb->s_magic != EXT4_SUPER_MAGIC) set_bit(PLOOP_S_NO_FALLOC_DISCARD, &delta->plo->state); return 0; diff --git a/drivers/block/ploop/io_direct.c b/drivers/block/ploop/io_direct.c index db3eacd2d845..4f82b8b5ce36 100644 --- a/drivers/block/ploop/io_direct.c +++ b/drivers/block/ploop/io_direct.c @@ -1721,11 +1721,12 @@ static int dio_autodetect(struct ploop_io *io, unsigned int id) mm_segment_t fs; unsigned int flags; - if (kaio_backed_ext4) - return -1; if (inode->i_sb->s_magic != EXT4_SUPER_MAGIC) return -1; /* not mine */ + if (id == PLOOP_IO_AUTO && kaio_backed_ext4) + return -1; + if (inode->i_sb->s_bdev == NULL) { printk("File on FS EXT(%s) without backing device\n", s_id); return -1; diff --git a/drivers/block/ploop/io_kaio.c b/drivers/block/ploop/io_kaio.c index 38599e201163..2f6164cc16fd 100644 --- a/drivers/block/ploop/io_kaio.c +++ b/drivers/block/ploop/io_kaio.c @@ -1138,7 +1138,6 @@ static void kaio_queue_settings(struct ploop_io * io, struct request_queue * q) struct inode *inode = file->f_mapping->host; if (inode->i_sb->s_magic == EXT4_SUPER_MAGIC) { - WARN_ON(!kaio_backed_ext4); blk_queue_stack_limits(q, bdev_get_queue(io->files.bdev)); /* * There is no a way to force block engine to split a request @@ -1214,7 +1213,8 @@ static int kaio_autodetect(struct ploop_io *io, unsigned int id) struct inode * inode = file->f_mapping->host; if (inode->i_sb->s_magic != FUSE_SUPER_MAGIC && - (inode->i_sb->s_magic != EXT4_SUPER_MAGIC || !kaio_backed_ext4)) + (inode->i_sb->s_magic != EXT4_SUPER_MAGIC || +(id == PLOOP_IO_AUTO && !kaio_backed_ext4))) return -1; /* not mine */ if (!(file->f_flags & O_DIRECT)) { ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
[Devel] [PATCH RHEL7 COMMIT] ms/kernel/kmod: fix use-after-free of the sub_info structure
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.18.2.vz7.163.8 --> commit b970da536cb20510058d6013b29b0ef34e3228c6 Author: Martin Schwidefsky Date: Mon Aug 24 16:47:51 2020 +0300 ms/kernel/kmod: fix use-after-free of the sub_info structure Found this in the message log on a s390 system: BUG kmalloc-192 (Not tainted): Poison overwritten Disabling lock debugging due to kernel taint INFO: 0x684761f4-0x684761f7. First byte 0xff instead of 0x6b INFO: Allocated in call_usermodehelper_setup+0x70/0x128 age=71 cpu=2 pid=648 __slab_alloc.isra.47.constprop.56+0x5f6/0x658 kmem_cache_alloc_trace+0x106/0x408 call_usermodehelper_setup+0x70/0x128 call_usermodehelper+0x62/0x90 cgroup_release_agent+0x178/0x1c0 process_one_work+0x36e/0x680 worker_thread+0x2f0/0x4f8 kthread+0x10a/0x120 kernel_thread_starter+0x6/0xc kernel_thread_starter+0x0/0xc INFO: Freed in call_usermodehelper_exec+0x110/0x1b8 age=71 cpu=2 pid=648 __slab_free+0x94/0x560 kfree+0x364/0x3e0 call_usermodehelper_exec+0x110/0x1b8 cgroup_release_agent+0x178/0x1c0 process_one_work+0x36e/0x680 worker_thread+0x2f0/0x4f8 kthread+0x10a/0x120 kernel_thread_starter+0x6/0xc kernel_thread_starter+0x0/0xc There is a use-after-free bug on the subprocess_info structure allocated by the user mode helper. In case do_execve() returns with an error call_usermodehelper() stores the error code to sub_info->retval, but sub_info can already have been freed. Regarding UMH_NO_WAIT, the sub_info structure can be freed by __call_usermodehelper() before the worker thread returns from do_execve(), allowing memory corruption when do_execve() failed after exec_mmap() is called. Regarding UMH_WAIT_EXEC, the call to umh_complete() allows call_usermodehelper_exec() to continue which then frees sub_info. To fix this race the code needs to make sure that the call to call_usermodehelper_freeinfo() is always done after the last store to sub_info->retval. Signed-off-by: Martin Schwidefsky Reviewed-by: Oleg Nesterov Cc: Tetsuo Handa Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds https://jira.sw.ru/browse/PSBM-107061 (cherry-picked from commit 0baf2a4dbf75abb7c186fd6c8d55d27aaa354a29) Signed-off-by: Andrey Ryabinin --- kernel/kmod.c | 76 +-- 1 file changed, 37 insertions(+), 39 deletions(-) diff --git a/kernel/kmod.c b/kernel/kmod.c index 7fc0ba9..de2bcfd 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -585,12 +585,34 @@ int __request_module(bool wait, const char *fmt, ...) EXPORT_SYMBOL(__request_module); #endif /* CONFIG_MODULES */ +static void call_usermodehelper_freeinfo(struct subprocess_info *info) +{ + if (info->cleanup) + (*info->cleanup)(info); + kfree(info); +} + +static void umh_complete(struct subprocess_info *sub_info) +{ + struct completion *comp = xchg(&sub_info->complete, NULL); + /* +* See call_usermodehelper_exec(). If xchg() returns NULL +* we own sub_info, the UMH_KILLABLE caller has gone away +* or the caller used UMH_NO_WAIT. +*/ + if (comp) + complete(comp); + else + call_usermodehelper_freeinfo(sub_info); +} + /* * This is the task which runs the usermode application */ static int call_usermodehelper(void *data) { struct subprocess_info *sub_info = data; + int wait = sub_info->wait & ~UMH_KILLABLE; struct cred *new; int retval; @@ -607,7 +629,7 @@ static int call_usermodehelper(void *data) retval = -ENOMEM; new = prepare_kernel_cred(current); if (!new) - goto fail; + goto out; spin_lock(&umh_sysctl_lock); new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset); @@ -619,7 +641,7 @@ static int call_usermodehelper(void *data) retval = sub_info->init(sub_info, new); if (retval) { abort_creds(new); - goto fail; + goto out; } } @@ -628,12 +650,13 @@ static int call_usermodehelper(void *data) retval = do_execve(getname_kernel(sub_info->path), (const char __user *const __user *)sub_info->argv, (const char __user *const __user *)sub_info->envp); +out: + sub_info->retval = retval; + /* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */ + if (wait != UMH_WAIT_PROC) + um
[Devel] [PATCH rh7] ms/kernel/kmod: fix use-after-free of the sub_info structure
From: Martin Schwidefsky Found this in the message log on a s390 system: BUG kmalloc-192 (Not tainted): Poison overwritten Disabling lock debugging due to kernel taint INFO: 0x684761f4-0x684761f7. First byte 0xff instead of 0x6b INFO: Allocated in call_usermodehelper_setup+0x70/0x128 age=71 cpu=2 pid=648 __slab_alloc.isra.47.constprop.56+0x5f6/0x658 kmem_cache_alloc_trace+0x106/0x408 call_usermodehelper_setup+0x70/0x128 call_usermodehelper+0x62/0x90 cgroup_release_agent+0x178/0x1c0 process_one_work+0x36e/0x680 worker_thread+0x2f0/0x4f8 kthread+0x10a/0x120 kernel_thread_starter+0x6/0xc kernel_thread_starter+0x0/0xc INFO: Freed in call_usermodehelper_exec+0x110/0x1b8 age=71 cpu=2 pid=648 __slab_free+0x94/0x560 kfree+0x364/0x3e0 call_usermodehelper_exec+0x110/0x1b8 cgroup_release_agent+0x178/0x1c0 process_one_work+0x36e/0x680 worker_thread+0x2f0/0x4f8 kthread+0x10a/0x120 kernel_thread_starter+0x6/0xc kernel_thread_starter+0x0/0xc There is a use-after-free bug on the subprocess_info structure allocated by the user mode helper. In case do_execve() returns with an error call_usermodehelper() stores the error code to sub_info->retval, but sub_info can already have been freed. Regarding UMH_NO_WAIT, the sub_info structure can be freed by __call_usermodehelper() before the worker thread returns from do_execve(), allowing memory corruption when do_execve() failed after exec_mmap() is called. Regarding UMH_WAIT_EXEC, the call to umh_complete() allows call_usermodehelper_exec() to continue which then frees sub_info. To fix this race the code needs to make sure that the call to call_usermodehelper_freeinfo() is always done after the last store to sub_info->retval. Signed-off-by: Martin Schwidefsky Reviewed-by: Oleg Nesterov Cc: Tetsuo Handa Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds https://jira.sw.ru/browse/PSBM-107061 (cherry-picked from commit 0baf2a4dbf75abb7c186fd6c8d55d27aaa354a29) Signed-off-by: Andrey Ryabinin --- kernel/kmod.c | 76 +-- 1 file changed, 37 insertions(+), 39 deletions(-) diff --git a/kernel/kmod.c b/kernel/kmod.c index 7fc0ba9e3216..de2bcfdc94d0 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c @@ -585,12 +585,34 @@ int __request_module(bool wait, const char *fmt, ...) EXPORT_SYMBOL(__request_module); #endif /* CONFIG_MODULES */ +static void call_usermodehelper_freeinfo(struct subprocess_info *info) +{ + if (info->cleanup) + (*info->cleanup)(info); + kfree(info); +} + +static void umh_complete(struct subprocess_info *sub_info) +{ + struct completion *comp = xchg(&sub_info->complete, NULL); + /* +* See call_usermodehelper_exec(). If xchg() returns NULL +* we own sub_info, the UMH_KILLABLE caller has gone away +* or the caller used UMH_NO_WAIT. +*/ + if (comp) + complete(comp); + else + call_usermodehelper_freeinfo(sub_info); +} + /* * This is the task which runs the usermode application */ static int call_usermodehelper(void *data) { struct subprocess_info *sub_info = data; + int wait = sub_info->wait & ~UMH_KILLABLE; struct cred *new; int retval; @@ -607,7 +629,7 @@ static int call_usermodehelper(void *data) retval = -ENOMEM; new = prepare_kernel_cred(current); if (!new) - goto fail; + goto out; spin_lock(&umh_sysctl_lock); new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset); @@ -619,7 +641,7 @@ static int call_usermodehelper(void *data) retval = sub_info->init(sub_info, new); if (retval) { abort_creds(new); - goto fail; + goto out; } } @@ -628,12 +650,13 @@ static int call_usermodehelper(void *data) retval = do_execve(getname_kernel(sub_info->path), (const char __user *const __user *)sub_info->argv, (const char __user *const __user *)sub_info->envp); +out: + sub_info->retval = retval; + /* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */ + if (wait != UMH_WAIT_PROC) + umh_complete(sub_info); if (!retval) return 0; - - /* Exec failed? */ -fail: - sub_info->retval = retval; do_exit(0); } @@ -644,26 +667,6 @@ static int call_helper(void *data) return call_usermodehelper(data); } -static void call_usermodehelper_freeinfo(struct subprocess_info *info) -{ - if (info->cleanup) - (*info->cleanup)(info); - kfree(info); -} - -static void umh_complete(struct subprocess_info *sub_info) -{ - struct completion *comp = xchg(&sub_i
[Devel] [PATCH RHEL7 COMMIT] ms/netfilter: nfnetlink: correctly validate length of batch messages (take 2)
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-1127.18.2.vz7.163.6 --> commit 57932314acbae8fac4f907029f29a15b1497ea10 Author: Andrey Ryabinin Date: Mon Aug 24 12:02:45 2020 +0300 ms/netfilter: nfnetlink: correctly validate length of batch messages (take 2) We did backport of the upstream commit c58d6c93680f ("netfilter: nfnetlink: correctly validate length of batch messages") a while ago in scope of https://jira.sw.ru/browse/PSBM-57511. Our backport is commit defecd27dbb0 ("ms/netfilter: nfnetlink: correctly validate length of batch messages") However the backport was incomplete, hence we can observe: skbuff: skb_over_panic: text:b0b5ea8a len:-48 put:-48 head:880055082c80 data:880055082c80 tail:0xffd0 end:0xc0 dev: [ cut here ] kernel BUG at net/core/skbuff.c:131! Backport the missing part to finally fix this. https://jira.sw.ru/browse/PSBM-106395 Signed-off-by: Andrey Ryabinin --- net/netfilter/nfnetlink.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index a48f185..e22f84b 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -331,8 +331,9 @@ replay: if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len || nlmsg_len(nlh) < sizeof(struct nfgenmsg)) { - err = -EINVAL; - goto ack; + nfnl_err_reset(&err_list); + status |= NFNL_BATCH_FAILURE; + goto done; } /* Only requests are handled by the kernel */ ___ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel