Unverified Commit b2015a0b authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!10536 CVE-2024-42082 

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/WH5UZFZFS3NB54R33YAZA2IBQM5TQIVH/ 
CVE-2024-42082

Daniil Dulov (1):

Jakub Kicinski (1):

Sebastian Andrzej Siewior (1):
  xdp: xdp_mem_allocator can be NULL in trace_mem_connect().

Toke Høiland-Jørgensen (1):


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/IAGENG 
 
Link:https://gitee.com/openeuler/kernel/pulls/10536

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parents 01b0e490 b978fa70

include/net/xdp.h

+3 −0
Original line number Diff line number Diff line
@@ -224,6 +224,9 @@ bool xdp_rxq_info_is_reg(struct xdp_rxq_info *xdp_rxq); 
int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq,

			       enum xdp_mem_type type, void *allocator);

void xdp_rxq_info_unreg_mem_model(struct xdp_rxq_info *xdp_rxq);

int xdp_reg_mem_model(struct xdp_mem_info *mem,

		      enum xdp_mem_type type, void *allocator);

void xdp_unreg_mem_model(struct xdp_mem_info *mem);



/* Drivers not supporting XDP metadata can use this helper, which

 * rejects any room expansion for metadata as a result.

net/core/xdp.c

+66 −34
Original line number Diff line number Diff line
@@ -110,26 +110,37 @@ static void mem_allocator_disconnect(void *allocator) 
	mutex_unlock(&mem_id_lock);

}



void xdp_rxq_info_unreg_mem_model(struct xdp_rxq_info *xdp_rxq)

void xdp_unreg_mem_model(struct xdp_mem_info *mem)

{

	struct xdp_mem_allocator *xa;

	int id = xdp_rxq->mem.id;

	int type = mem->type;

	int id = mem->id;



	if (xdp_rxq->reg_state != REG_STATE_REGISTERED) {

		WARN(1, "Missing register, driver bug");

		return;

	}

	/* Reset mem info to defaults */

	mem->id = 0;

	mem->type = 0;



	if (id == 0)

		return;



	if (xdp_rxq->mem.type == MEM_TYPE_PAGE_POOL) {

	if (type == MEM_TYPE_PAGE_POOL) {

		rcu_read_lock();

		xa = rhashtable_lookup(mem_id_ht, &id, mem_id_rht_params);

		page_pool_destroy(xa->page_pool);

		rcu_read_unlock();

	}

}

EXPORT_SYMBOL_GPL(xdp_unreg_mem_model);



void xdp_rxq_info_unreg_mem_model(struct xdp_rxq_info *xdp_rxq)

{

	if (xdp_rxq->reg_state != REG_STATE_REGISTERED) {

		WARN(1, "Missing register, driver bug");

		return;

	}



	xdp_unreg_mem_model(&xdp_rxq->mem);

}

EXPORT_SYMBOL_GPL(xdp_rxq_info_unreg_mem_model);



void xdp_rxq_info_unreg(struct xdp_rxq_info *xdp_rxq)
@@ -144,10 +155,6 @@ void xdp_rxq_info_unreg(struct xdp_rxq_info *xdp_rxq) 


	xdp_rxq->reg_state = REG_STATE_UNREGISTERED;

	xdp_rxq->dev = NULL;



	/* Reset mem info to defaults */

	xdp_rxq->mem.id = 0;

	xdp_rxq->mem.type = 0;

}

EXPORT_SYMBOL_GPL(xdp_rxq_info_unreg);
@@ -259,28 +266,24 @@ static bool __is_supported_mem_type(enum xdp_mem_type type) 
	return true;

}



int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq,

			       enum xdp_mem_type type, void *allocator)

static struct xdp_mem_allocator *__xdp_reg_mem_model(struct xdp_mem_info *mem,

						     enum xdp_mem_type type,

						     void *allocator)

{

	struct xdp_mem_allocator *xdp_alloc;

	gfp_t gfp = GFP_KERNEL;

	int id, errno, ret;

	void *ptr;



	if (xdp_rxq->reg_state != REG_STATE_REGISTERED) {

		WARN(1, "Missing register, driver bug");

		return -EFAULT;

	}



	if (!__is_supported_mem_type(type))

		return -EOPNOTSUPP;

		return ERR_PTR(-EOPNOTSUPP);



	xdp_rxq->mem.type = type;

	mem->type = type;



	if (!allocator) {

		if (type == MEM_TYPE_PAGE_POOL)

			return -EINVAL; /* Setup time check page_pool req */

		return 0;

			return ERR_PTR(-EINVAL); /* Setup time check page_pool req */

		return NULL;

	}



	/* Delay init of rhashtable to save memory if feature isn't used */
@@ -288,15 +291,13 @@ int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq, 
		mutex_lock(&mem_id_lock);

		ret = __mem_id_init_hash_table();

		mutex_unlock(&mem_id_lock);

		if (ret < 0) {

			WARN_ON(1);

			return ret;

		}

		if (ret < 0)

			return ERR_PTR(ret);

	}



	xdp_alloc = kzalloc(sizeof(*xdp_alloc), gfp);

	if (!xdp_alloc)

		return -ENOMEM;

		return ERR_PTR(-ENOMEM);



	mutex_lock(&mem_id_lock);

	id = __mem_id_cyclic_get(gfp);
@@ -304,15 +305,15 @@ int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq, 
		errno = id;

		goto err;

	}

	xdp_rxq->mem.id = id;

	xdp_alloc->mem  = xdp_rxq->mem;

	mem->id = id;

	xdp_alloc->mem = *mem;

	xdp_alloc->allocator = allocator;



	/* Insert allocator into ID lookup table */

	ptr = rhashtable_insert_slow(mem_id_ht, &id, &xdp_alloc->node);

	if (IS_ERR(ptr)) {

		ida_simple_remove(&mem_id_pool, xdp_rxq->mem.id);

		xdp_rxq->mem.id = 0;

		ida_simple_remove(&mem_id_pool, mem->id);

		mem->id = 0;

		errno = PTR_ERR(ptr);

		goto err;

	}
@@ -322,13 +323,44 @@ int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq, 


	mutex_unlock(&mem_id_lock);



	trace_mem_connect(xdp_alloc, xdp_rxq);

	return 0;

	return xdp_alloc;

err:

	mutex_unlock(&mem_id_lock);

	kfree(xdp_alloc);

	return errno;

	return ERR_PTR(errno);

}



int xdp_reg_mem_model(struct xdp_mem_info *mem,

		      enum xdp_mem_type type, void *allocator)

{

	struct xdp_mem_allocator *xdp_alloc;



	xdp_alloc = __xdp_reg_mem_model(mem, type, allocator);

	if (IS_ERR(xdp_alloc))

		return PTR_ERR(xdp_alloc);

	return 0;

}

EXPORT_SYMBOL_GPL(xdp_reg_mem_model);



int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq,

			       enum xdp_mem_type type, void *allocator)

{

	struct xdp_mem_allocator *xdp_alloc;



	if (xdp_rxq->reg_state != REG_STATE_REGISTERED) {

		WARN(1, "Missing register, driver bug");

		return -EFAULT;

	}



	xdp_alloc = __xdp_reg_mem_model(&xdp_rxq->mem, type, allocator);

	if (IS_ERR(xdp_alloc))

		return PTR_ERR(xdp_alloc);



	if (trace_mem_connect_enabled() && xdp_alloc)

		trace_mem_connect(xdp_alloc, xdp_rxq);

	return 0;

}



EXPORT_SYMBOL_GPL(xdp_rxq_info_reg_mem_model);



/* XDP RX runs under NAPI protection, and in different delivery error