1. 28 Jan, 2022 1 commit
      security, lsm: dentry_init_security() Handle multi LSM registration · 7f5056b9
      Vivek Goyal authored
      A ceph user has reported that ceph is crashing with kernel NULL pointer
      dereference. Following is the backtrace.
      
      /proc/version: Linux version 5.16.2-arch1-1 (linux@archlinux) (gcc (GCC)
      11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Thu, 20 Jan 2022
      16:18:29 +0000
      distro / arch: Arch Linux / x86_64
      SELinux is not enabled
      ceph cluster version: 16.2.7 (dd0603118f56ab514f133c8d2e3adfc983942503)
      
      relevant dmesg output:
      [   30.947129] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [   30.947206] #PF: supervisor read access in kernel mode
      [   30.947258] #PF: error_code(0x0000) - not-present page
      [   30.947310] PGD 0 P4D 0
      [   30.947342] Oops: 0000 [#1] PREEMPT SMP PTI
      [   30.947388] CPU: 5 PID: 778 Comm: touch Not tainted 5.16.2-arch1-1 #1 86fbf2c313cc37a553d65deb81d98e9dcc2a3659
      [   30.947486] Hardware name: Gigabyte Technology Co., Ltd. B365M DS3H/B365M DS3H, BIOS F5 08/13/2019
      [   30.947569] RIP: 0010:strlen+0x0/0x20
      [   30.947616] Code: b6 07 38 d0 74 16 48 83 c7 01 84 c0 74 05 48 39 f7 75 ec 31 c0 31 d2 89 d6 89 d7 c3 48 89 f8 31 d2 89 d6 89 d7 c3 0f 1f 40 00 <80> 3f 00 74 12 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 31 ff
      [   30.947782] RSP: 0018:ffffa4ed80ffbbb8 EFLAGS: 00010246
      [   30.947836] RAX: 0000000000000000 RBX: ffffa4ed80ffbc60 RCX: 0000000000000000
      [   30.947904] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      [   30.947971] RBP: ffff94b0d15c0ae0 R08: 0000000000000000 R09: 0000000000000000
      [   30.948040] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      [   30.948106] R13: 0000000000000001 R14: ffffa4ed80ffbc60 R15: 0000000000000000
      [   30.948174] FS:  00007fc7520f0740(0000) GS:ffff94b7ced40000(0000) knlGS:0000000000000000
      [   30.948252] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   30.948308] CR2: 0000000000000000 CR3: 0000000104a40001 CR4: 00000000003706e0
      [   30.948376] Call Trace:
      [   30.948404]  <TASK>
      [   30.948431]  ceph_security_init_secctx+0x7b/0x240 [ceph 49f9c4b9bf5be8760f19f1747e26da33920bce4b]
      [   30.948582]  ceph_atomic_open+0x51e/0x8a0 [ceph 49f9c4b9bf5be8760f19f1747e26da33920bce4b]
      [   30.948708]  ? get_cached_acl+0x4d/0xa0
      [   30.948759]  path_openat+0x60d/0x1030
      [   30.948809]  do_filp_open+0xa5/0x150
      [   30.948859]  do_sys_openat2+0xc4/0x190
      [   30.948904]  __x64_sys_openat+0x53/0xa0
      [   30.948948]  do_syscall_64+0x5c/0x90
      [   30.948989]  ? exc_page_fault+0x72/0x180
      [   30.949034]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [   30.949091] RIP: 0033:0x7fc7521e25bb
      [   30.950849] Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 2b 14 25
      
      Core of the problem is that ceph checks for return code from
      security_dentry_init_security() and if return code is 0, it assumes
      everything is fine and continues to call strlen(name), which crashes.
      
      Typically SELinux LSM returns 0 and sets name to "security.selinux" and
      it is not a problem. Or if selinux is not compiled in or disabled, it
      returns -EOPNOTSUP and ceph deals with it.
      
      But somehow in this configuration, 0 is being returned and "name" is
      not being initialized and that's creating the problem.
      
      Our suspicion is that BPF LSM is registering a hook for
      dentry_init_security() and returns hook default of 0.
      
      LSM_HOOK(int, 0, dentry_init_security, struct dentry *dentry,...)
      
      I have not been able to reproduce it just by doing CONFIG_BPF_LSM=y.
      Stephen has tested the patch though and confirms it solves the problem
      for him.
      
      dentry_init_security() is written in such a way that it expects only one
      LSM to register the hook. At least that's the expectation with current code.
      
      If another LSM returns a hook and returns default, it will simply return
      0 as of now and that will break ceph.
      
      Hence, the suggestion is to change the semantics of this hook a bit. If there
      are no LSMs or no LSM is taking ownership and initializing the security context,
      then return -EOPNOTSUP. Also allow at most one LSM to initialize the security
      context. This hook can't deal with multiple LSMs trying to init the security
      context. This patch implements this new behavior.
      Reported-by: Stephen Muth <smuth4@gmail.com>
      Tested-by: Stephen Muth <smuth4@gmail.com>
      Suggested-by: Casey Schaufler <casey@schaufler-ca.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Reviewed-by: Serge Hallyn <serge@hallyn.com>
      Cc: Jeff Layton <jlayton@kernel.org>
      Cc: Christian Brauner <brauner@kernel.org>
      Cc: Paul Moore <paul@paul-moore.com>
      Cc: <stable@vger.kernel.org> # 5.16.0
      Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
      Reviewed-by: Jeff Layton <jlayton@kernel.org>
      Acked-by: Paul Moore <paul@paul-moore.com>
      Acked-by: Christian Brauner <brauner@kernel.org>
      Signed-off-by: James Morris <jmorris@namei.org>
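The hook-chain semantics the commit message describes, as an added model in C (not the kernel's security/security.c and not the patch itself): the old chain stops at the first non-zero return, so a hook left at the old default of 0 reports success with the name untouched, while the new chain treats -EOPNOTSUPP as the default and lets the first hook that returns anything else own the context. The hook functions, hook tables and the caller-contract check are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Illustrative model of the dentry_init_security() hook chain, not the kernel's
 * security/security.c. A hook writes *name only when it owns the security context. */
typedef int (*dis_hook)(const char **name);
typedef int (*dis_impl)(const dis_hook *h, int n, const char **name);
static int selinux_like(const char **name) { *name = "security.selinux"; return 0; }
/* A BPF LSM program left at the hook default: the old default (0) claims success
 * without touching the name; the new default (-EOPNOTSUPP) declines ownership. */
static int bpf_old_default(const char **name) { (void)name; return 0; }
static int bpf_new_default(const char **name) { (void)name; return -EOPNOTSUPP; }

/* Before the patch (call_int_hook semantics): stop at the first non-zero rc, so a
 * hook that returns 0 without initialising the name is reported as success. */
int old_dentry_init_security(const dis_hook *h, int n, const char **name)
{
    int rc = -EOPNOTSUPP;
    *name = NULL;
    for (int i = 0; i < n; i++) {
        rc = h[i](name);
        if (rc != 0) break;
    }
    return rc;
}

/* After the patch: the first hook returning anything but the -EOPNOTSUPP default
 * owns the context; if no hook takes ownership the caller gets -EOPNOTSUPP. */
int new_dentry_init_security(const dis_hook *h, int n, const char **name)
{
    *name = NULL;
    for (int i = 0; i < n; i++) {
        int rc = h[i](name);
        if (rc != -EOPNOTSUPP) return rc;
    }
    return -EOPNOTSUPP;
}
/* Caller contract (ceph in the report): rc == 0 must mean strlen(name) is safe. */
const char *last_name;   /* the name the caller would see after dis_rc() */
int dis_rc(dis_impl impl, const dis_hook *h, int n) { return impl(h, n, &last_name); }
bool caller_would_crash(dis_impl impl, const dis_hook *h, int n)
{
    return dis_rc(impl, h, n) == 0 && last_name == NULL;
}
/* Constructed hook tables; the reported configuration has no SELinux, only BPF. */
const dis_hook BPF_ONLY_OLD[] = { bpf_old_default };
const dis_hook BPF_ONLY_NEW[] = { bpf_new_default };
const dis_hook BPF_THEN_SELINUX[] = { bpf_new_default, selinux_like };
```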
  2. 09 Jan, 2022 6 commits
  3. 08 Jan, 2022 5 commits
  4. 07 Jan, 2022 11 commits
  5. 06 Jan, 2022 11 commits
  6. 05 Jan, 2022 6 commits
      tracing: Tag trace_percpu_buffer as a percpu pointer · f28439db
      Naveen N. Rao authored
      Tag trace_percpu_buffer as a percpu pointer to resolve warnings
      reported by sparse:
        /linux/kernel/trace/trace.c:3218:46: warning: incorrect type in initializer (different address spaces)
        /linux/kernel/trace/trace.c:3218:46:    expected void const [noderef] __percpu *__vpp_verify
        /linux/kernel/trace/trace.c:3218:46:    got struct trace_buffer_struct *
        /linux/kernel/trace/trace.c:3234:9: warning: incorrect type in initializer (different address spaces)
        /linux/kernel/trace/trace.c:3234:9:    expected void const [noderef] __percpu *__vpp_verify
        /linux/kernel/trace/trace.c:3234:9:    got int *
      
      Link: https://lkml.kernel.org/r/ebabd3f23101d89cb75671b68b6f819f5edc830b.1640255304.git.naveen.n.rao@linux.vnet.ibm.com
      
      Cc: stable@vger.kernel.org
      Reported-by: kernel test robot <lkp@intel.com>
      Fixes: 07d777fe ("tracing: Add percpu buffers for trace_printk()")
      Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() · 823e670f
      Naveen N. Rao authored
      With the new osnoise tracer, we are seeing the below splat:
          Kernel attempted to read user page (c7d880000) - exploit attempt? (uid: 0)
          BUG: Unable to handle kernel data access on read at 0xc7d880000
          Faulting instruction address: 0xc0000000002ffa10
          Oops: Kernel access of bad area, sig: 11 [#1]
          LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
          ...
          NIP [c0000000002ffa10] __trace_array_vprintk.part.0+0x70/0x2f0
          LR [c0000000002ff9fc] __trace_array_vprintk.part.0+0x5c/0x2f0
          Call Trace:
          [c0000008bdd73b80] [c0000000001c49cc] put_prev_task_fair+0x3c/0x60 (unreliable)
          [c0000008bdd73be0] [c000000000301430] trace_array_printk_buf+0x70/0x90
          [c0000008bdd73c00] [c0000000003178b0] trace_sched_switch_callback+0x250/0x290
          [c0000008bdd73c90] [c000000000e70d60] __schedule+0x410/0x710
          [c0000008bdd73d40] [c000000000e710c0] schedule+0x60/0x130
          [c0000008bdd73d70] [c000000000030614] interrupt_exit_user_prepare_main+0x264/0x270
          [c0000008bdd73de0] [c000000000030a70] syscall_exit_prepare+0x150/0x180
          [c0000008bdd73e10] [c00000000000c174] system_call_vectored_common+0xf4/0x278
      
      osnoise tracer on ppc64le is triggering osnoise_taint() for negative
      duration in get_int_safe_duration() called from
      trace_sched_switch_callback()->thread_exit().
      
      The problem though is that the check for a valid trace_percpu_buffer is
      incorrect in get_trace_buf(). The check is being done after calculating
      the pointer for the current cpu, rather than on the main percpu pointer.
      Fix the check to be against trace_percpu_buffer.
      
      Link: https://lkml.kernel.org/r/a920e4272e0b0635cf20c444707cbce1b2c8973d.1640255304.git.naveen.n.rao@linux.vnet.ibm.com
      
      Cc: stable@vger.kernel.org
      Fixes: e2ace001 ("tracing: Choose static tp_printk buffer by explicit nesting count")
      Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
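Why a NULL check on the derived per-cpu pointer cannot catch an unset percpu buffer, as an added model in C (not the kernel's percpu code and not this patch): per_cpu_ptr() adds the CPU's offset to the base, so a NULL base becomes a small non-NULL address, which is what a read at an address like the 0xc7d880000 in the splat looks like. The struct layout, per-CPU offsets and nesting limit here are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative model of per-cpu addressing, not the kernel's percpu code. A
 * per-cpu pointer is a base to which each CPU's offset is added, so deriving the
 * current CPU's pointer from a NULL base gives a small non-NULL address, not NULL. */
#define NR_CPUS 4
#define TRACE_NESTING 4
struct trace_buffer_struct { int nesting; char buffer[TRACE_NESTING][256]; };
struct trace_buffer_struct trace_area[NR_CPUS];     /* constructed backing store */

static struct trace_buffer_struct *per_cpu_ptr(struct trace_buffer_struct *base, int cpu)
{
    /* constructed offsets: cpu * sizeof(struct), so only CPU 0 has offset 0 */
    return (struct trace_buffer_struct *)((uintptr_t)base + cpu * sizeof(*base));
}

/* Buggy shape of get_trace_buf(): the NULL check is applied to the derived
 * pointer. Returns true when the check would let the caller dereference it. */
bool buggy_check_passes(struct trace_buffer_struct *base, int cpu)
{
    struct trace_buffer_struct *buffer = per_cpu_ptr(base, cpu);
    return buffer != NULL;   /* with base == NULL this is false only for offset 0 */
}

/* Fixed shape: check the percpu pointer itself before deriving anything from it. */
bool fixed_check_passes(struct trace_buffer_struct *base, int cpu)
{
    (void)cpu;
    return base != NULL;
}

/* get_trace_buf() with the fixed check: hands out the CPU's buffer slot for the
 * current nesting level, or NULL when the percpu buffer is not set up yet or the
 * nesting limit is reached. */
char *get_trace_buf(struct trace_buffer_struct *base, int cpu)
{
    if (!base)
        return NULL;
    struct trace_buffer_struct *buffer = per_cpu_ptr(base, cpu);
    if (buffer->nesting >= TRACE_NESTING)
        return NULL;
    return buffer->buffer[buffer->nesting++];
}

void put_trace_buf(struct trace_buffer_struct *base, int cpu)
{
    per_cpu_ptr(base, cpu)->nesting--;
}
```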
      ftrace/samples: Add missing prototypes direct functions · 0daf5cb2
      Jiri Olsa authored
      There's another compilation fail (first here [1]) reported by kernel
      test robot for W=1 clang build:
      
        >> samples/ftrace/ftrace-direct-multi-modify.c:7:6: warning: no previous prototype for function 'my_direct_func1' [-Wmissing-prototypes]
           void my_direct_func1(unsigned long ip)
      
      Direct functions in ftrace direct sample modules need to have prototypes
      defined. They are already global in order to be visible for the inline
      assembly, so there's no problem.
      
      The kernel test robot reported just error for ftrace-direct-multi-modify,
      but I got same errors also for the rest of the modules touched by this patch.
      
      [1] 67d4f6e3 ftrace/samples: Add missing prototype for my_direct_func
      
      Link: https://lkml.kernel.org/r/20211219135317.212430-1-jolsa@kernel.org
      Reported-by: kernel test robot <lkp@intel.com>
      Fixes: e1067a07 ("ftrace/samples: Add module to test multi direct modify interface")
      Fixes: ae0cc3b7 ("ftrace/samples: Add a sample module that implements modify_ftrace_direct()")
      Fixes: 156473a0 ("ftrace: Add another example of register_ftrace_direct() use case")
      Fixes: b06457c8 ("ftrace: Add sample module that uses register_ftrace_direct()")
      Signed-off-by: Jiri Olsa <jolsa@kernel.org>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
      Merge tag 'net-5.16-final' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 75acfdb6
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes, including fixes from bpf, and WiFi. One last pull
        request, turns out some of the recent fixes did more harm than good.
      
        Current release - regressions:
      
         - Revert "xsk: Do not sleep in poll() when need_wakeup set", made the
           problem worse
      
         - Revert "net: phy: fixed_phy: Fix NULL vs IS_ERR() checking in
           __fixed_phy_register", broke EPROBE_DEFER handling
      
         - Revert "net: usb: r8152: Add MAC pass-through support for more
           Lenovo Docks", broke setups without a Lenovo dock
      
        Current release - new code bugs:
      
         - selftests: set amt.sh executable
      
        Previous releases - regressions:
      
         - batman-adv: mcast: don't send link-local multicast to mcast routers
      
        Previous releases - always broken:
      
         - ipv4/ipv6: check attribute length for RTA_FLOW / RTA_GATEWAY
      
         - sctp: hold endpoint before calling cb in
           sctp_transport_lookup_process
      
         - mac80211: mesh: embed mesh_paths and mpp_paths into
           ieee80211_if_mesh to avoid complicated handling of sub-object
           allocation failures
      
         - seg6: fix traceroute in the presence of SRv6
      
         - tipc: fix a kernel-infoleak in __tipc_sendmsg()"
      
      * tag 'net-5.16-final' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (36 commits)
        selftests: set amt.sh executable
        Revert "net: usb: r8152: Add MAC passthrough support for more Lenovo Docks"
        sfc: The RX page_ring is optional
        iavf: Fix limit of total number of queues to active queues of VF
        i40e: Fix incorrect netdev's real number of RX/TX queues
        i40e: Fix for displaying message regarding NVM version
        i40e: fix use-after-free in i40e_sync_filters_subtask()
        i40e: Fix to not show opcode msg on unsuccessful VF MAC change
        ieee802154: atusb: fix uninit value in atusb_set_extended_addr
        mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
        mac80211: initialize variable have_higher_than_11mbit
        sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
        netrom: fix copying in user data in nr_setsockopt
        udp6: Use Segment Routing Header for dest address if present
        icmp: ICMPV6: Examine invoking packet for Segment Route Headers.
        seg6: export get_srh() for ICMP handling
        Revert "net: phy: fixed_phy: Fix NULL vs IS_ERR() checking in __fixed_phy_register"
        ipv6: Do cleanup if attribute validation fails in multipath route
        ipv6: Continue processing multipath route even if gateway attribute is invalid
        net/fsl: Remove leftover definition in xgmac_mdio
        ...
      RDMA/core: Don't infoleak GRH fields · b35a0f4d
      Leon Romanovsky authored
      If dst->is_global field is not set, the GRH fields are not cleared
      and the following infoleak is reported.
      
      =====================================================
      BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
       instrument_copy_to_user include/linux/instrumented.h:121 [inline]
       _copy_to_user+0x1c9/0x270 lib/usercopy.c:33
       copy_to_user include/linux/uaccess.h:209 [inline]
       ucma_init_qp_attr+0x8c7/0xb10 drivers/infiniband/core/ucma.c:1242
       ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732
       vfs_write+0x8ce/0x2030 fs/read_write.c:588
       ksys_write+0x28b/0x510 fs/read_write.c:643
       __do_sys_write fs/read_write.c:655 [inline]
       __se_sys_write fs/read_write.c:652 [inline]
       __ia32_sys_write+0xdb/0x120 fs/read_write.c:652
       do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
       __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
       do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
       do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
       entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
      
      Local variable resp created at:
       ucma_init_qp_attr+0xa4/0xb10 drivers/infiniband/core/ucma.c:1214
       ucma_write+0x637/0x6c0 drivers/infiniband/core/ucma.c:1732
      
      Bytes 40-59 of 144 are uninitialized
      Memory access of size 144 starts at ffff888167523b00
      Data copied to user address 0000000020000100
      
      CPU: 1 PID: 25910 Comm: syz-executor.1 Not tainted 5.16.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      =====================================================
      
      Fixes: 4ba66093 ("IB/core: Check for global flag when using ah_attr")
      Link: https://lore.kernel.org/r/0e9dd51f93410b7b2f4f5562f52befc878b71afa.1641298868.git.leonro@nvidia.com
      Reported-by: syzbot+6d532fa8f9463da290bc@syzkaller.appspotmail.com
      Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
      Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
      selftests: set amt.sh executable · db54c12a
      Taehee Yoo authored
      amt.sh test script will not work because it doesn't have execution
      permission. So, it adds execution permission.
      Reported-by: Hangbin Liu <liuhangbin@gmail.com>
      Fixes: c08e8bae ("selftests: add amt interface selftest script")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Link: https://lore.kernel.org/r/20220105144436.13415-1-ap420073@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>