Unverified Commit d25e57f4 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!11543 Fix CVE-2024-45025

Merge Pull Request from: @ci-robot 
 
PR sync from: Long Li <leo.lilong@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/JFFMLJYDYLZIXHA6QRC7OHHENM25HCJQ/ 
This patch set fixes CVE-2024-45025.

Al Viro (1):
  fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE

Alexander Lobakin (3):
  s390/cio: rename bitmap_size() -> idset_bitmap_size()
  fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
  bitmap: introduce generic optimized bitmap_size()


-- 
2.39.2
 
https://gitee.com/src-openeuler/kernel/issues/IAQOJ9 
 
Link:https://gitee.com/openeuler/kernel/pulls/11543

 

Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents cc3dc797 0f4b688e
+0 −5
@@ -465,11 +465,6 @@ static void __destroy_persistent_data_structures(struct dm_clone_metadata *cmd)

/*---------------------------------------------------------------------------*/

static size_t bitmap_size(unsigned long nr_bits)
{
	return BITS_TO_LONGS(nr_bits) * sizeof(long);
}

static int __dirty_map_init(struct dirty_map *dmap, unsigned long nr_words,
			    unsigned long nr_regions)
{
+7 −5
@@ -16,20 +16,21 @@ struct idset {
	unsigned long bitmap[];
};

static inline unsigned long bitmap_size(int num_ssid, int num_id)
static inline unsigned long idset_bitmap_size(int num_ssid, int num_id)
{
	return BITS_TO_LONGS(num_ssid * num_id) * sizeof(unsigned long);
	return bitmap_size(size_mul(num_ssid, num_id));
}

static struct idset *idset_new(int num_ssid, int num_id)
{
	struct idset *set;

	set = vmalloc(sizeof(struct idset) + bitmap_size(num_ssid, num_id));
	set = vmalloc(sizeof(struct idset) +
		      idset_bitmap_size(num_ssid, num_id));
	if (set) {
		set->num_ssid = num_ssid;
		set->num_id = num_id;
		memset(set->bitmap, 0, bitmap_size(num_ssid, num_id));
		memset(set->bitmap, 0, idset_bitmap_size(num_ssid, num_id));
	}
	return set;
}
@@ -41,7 +42,8 @@ void idset_free(struct idset *set)

void idset_fill(struct idset *set)
{
	memset(set->bitmap, 0xff, bitmap_size(set->num_ssid, set->num_id));
	memset(set->bitmap, 0xff,
	       idset_bitmap_size(set->num_ssid, set->num_id));
}

static inline void idset_add(struct idset *set, int ssid, int id)
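Review bot: In idset_new() the allocation size is still an open-coded `sizeof(struct idset) + idset_bitmap_size(...)`, and the same size is recomputed for the memset, so the overflow checking that `size_mul()` adds to the product does not extend to the value handed to vmalloc(). I would compute it once, `size_t bytes = idset_bitmap_size(num_ssid, num_id);`, allocate with `vmalloc(size_add(sizeof(struct idset), bytes))`, and reuse `bytes` in the memset. Whether the generic bitmap_size() keeps a saturated SIZE_MAX from size_mul() saturated is not visible on this page and is worth confirming, since both arguments are plain `int`.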
+13 −17
@@ -47,27 +47,23 @@ static void free_fdtable_rcu(struct rcu_head *rcu)
#define BITBIT_NR(nr)	BITS_TO_LONGS(BITS_TO_LONGS(nr))
#define BITBIT_SIZE(nr)	(BITBIT_NR(nr) * sizeof(long))

#define fdt_words(fdt) ((fdt)->max_fds / BITS_PER_LONG) // words in ->open_fds
/*
 * Copy 'count' fd bits from the old table to the new table and clear the extra
 * space if any.  This does not copy the file pointers.  Called with the files
 * spinlock held for write.
 */
static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
			    unsigned int count)
static inline void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt,
			    unsigned int copy_words)
{
	unsigned int cpy, set;
	unsigned int nwords = fdt_words(nfdt);

	cpy = count / BITS_PER_BYTE;
	set = (nfdt->max_fds - count) / BITS_PER_BYTE;
	memcpy(nfdt->open_fds, ofdt->open_fds, cpy);
	memset((char *)nfdt->open_fds + cpy, 0, set);
	memcpy(nfdt->close_on_exec, ofdt->close_on_exec, cpy);
	memset((char *)nfdt->close_on_exec + cpy, 0, set);

	cpy = BITBIT_SIZE(count);
	set = BITBIT_SIZE(nfdt->max_fds) - cpy;
	memcpy(nfdt->full_fds_bits, ofdt->full_fds_bits, cpy);
	memset((char *)nfdt->full_fds_bits + cpy, 0, set);
	bitmap_copy_and_extend(nfdt->open_fds, ofdt->open_fds,
			copy_words * BITS_PER_LONG, nwords * BITS_PER_LONG);
	bitmap_copy_and_extend(nfdt->close_on_exec, ofdt->close_on_exec,
			copy_words * BITS_PER_LONG, nwords * BITS_PER_LONG);
	bitmap_copy_and_extend(nfdt->full_fds_bits, ofdt->full_fds_bits,
			copy_words, nwords);
}

/*
@@ -85,7 +81,7 @@ static void copy_fdtable(struct fdtable *nfdt, struct fdtable *ofdt)
	memcpy(nfdt->fd, ofdt->fd, cpy);
	memset((char *)nfdt->fd + cpy, 0, set);

	copy_fd_bitmaps(nfdt, ofdt, ofdt->max_fds);
	copy_fd_bitmaps(nfdt, ofdt, fdt_words(ofdt));
}

/*
@@ -376,7 +372,7 @@ struct files_struct *dup_fd(struct files_struct *oldf, unsigned int max_fds, int
		open_files = sane_fdtable_size(old_fdt, max_fds);
	}

	copy_fd_bitmaps(new_fdt, old_fdt, open_files);
	copy_fd_bitmaps(new_fdt, old_fdt, open_files / BITS_PER_LONG);

	old_fds = old_fdt->fd;
	new_fds = new_fdt->fd;
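Review bot: The block comment above copy_fd_bitmaps() still says it copies 'count' fd bits, but the parameter is now `copy_words`, a number of longs, so the comment misstates the very unit this fix is about. I would reword it to `Copy 'copy_words' words of fd bits from the old table to the new table and clear the rest of the new table.` In dup_fd() the call passes `open_files / BITS_PER_LONG`, which silently drops any remainder; that is only safe if sane_fdtable_size() always returns a multiple of BITS_PER_LONG, which is not visible in this hunk, so a one-line comment stating that invariant at the call site would help the next reader. dup_fd's body starts and ends outside the hunk.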
+2 −2
@@ -654,7 +654,7 @@ int wnd_init(struct wnd_bitmap *wnd, struct super_block *sb, size_t nbits)
	wnd->total_zeroes = nbits;
	wnd->extent_max = MINUS_ONE_T;
	wnd->zone_bit = wnd->zone_end = 0;
	wnd->nwnd = bytes_to_block(sb, bitmap_size(nbits));
	wnd->nwnd = bytes_to_block(sb, ntfs3_bitmap_size(nbits));
	wnd->bits_last = nbits & (wbits - 1);
	if (!wnd->bits_last)
		wnd->bits_last = wbits;
@@ -1347,7 +1347,7 @@ int wnd_extend(struct wnd_bitmap *wnd, size_t new_bits)
		return -EINVAL;

	/* Align to 8 byte boundary. */
	new_wnd = bytes_to_block(sb, bitmap_size(new_bits));
	new_wnd = bytes_to_block(sb, ntfs3_bitmap_size(new_bits));
	new_last = new_bits & (wbits - 1);
	if (!new_last)
		new_last = wbits;
+1 −1
@@ -522,7 +522,7 @@ static int ntfs_extend_mft(struct ntfs_sb_info *sbi)
	ni->mi.dirty = true;

	/* Step 2: Resize $MFT::BITMAP. */
	new_bitmap_bytes = bitmap_size(new_mft_total);
	new_bitmap_bytes = ntfs3_bitmap_size(new_mft_total);

	err = attr_set_size(ni, ATTR_BITMAP, NULL, 0, &sbi->mft.bitmap.run,
			    new_bitmap_bytes, &new_bitmap_bytes, true, NULL);