* [pve-devel] [PATCH kernel 0/2] likely fix #6746: cherry-pick fix for md issue during shutdown
@ 2025-10-22 14:57 Fiona Ebner
  2025-10-22 14:57 ` [pve-devel] [PATCH kernel 1/2] re-export patches with export-patchqueue script Fiona Ebner
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Fiona Ebner @ 2025-10-22 14:57 UTC (permalink / raw)
  To: pve-devel

The same commit is already present in Ubuntu's 6.14 kernel as
c1cf81e4153b ("md: fix mddev uaf while iterating all_mddevs list") as
well as upstream stable branches, e.g. in 6.6.x it's d69a23d8e925
("md: fix mddev uaf while iterating all_mddevs list").

Fiona Ebner (2):
  re-export patches with export-patchqueue script
  fix #6746: cherry-pick fix for md issue during shutdown

 ...-accept-an-alternate-timestamp-strin.patch |   2 +-
 ...d-Debian-wireless-regdb-certificates.patch |   2 +-
 ...idge-keep-MAC-of-first-assigned-port.patch |   2 +-
 ...ides-for-missing-ACS-capabilities-4..patch |   4 +-
 ...-default-dynamic-halt-polling-growth.patch |   2 +-
 ...de-unregister_netdevice-refcount-lea.patch |   2 +-
 ...fortify-Do-not-cast-to-unsigned-char.patch |   2 +-
 ...sk-out-PKRU-bit-in-xfeatures-if-vCPU.patch |   6 +-
 ...allow-pass-through-on-broken-hardwar.patch |   2 +-
 ...-Advertise-support-for-flush-by-ASID.patch |   2 +-
 ...rove-userspace-warnings-for-missing-.patch |   2 +-
 ...pect-msg_namelen-0-for-recvmsg-calls.patch |   2 +-
 ...ix-pagecache-leak-when-do-writepages.patch |   2 +-
 ...UCE-iommu-intel-disable-DMAR-for-SKL.patch |   2 +-
 ...et-subreq-iov-iter-before-tail-clean.patch |   2 +-
 ...-uaf-while-iterating-all_mddevs-list.patch | 136 ++++++++++++++++++
 16 files changed, 154 insertions(+), 18 deletions(-)
 create mode 100644 patches/kernel/0016-md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch

-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH kernel 1/2] re-export patches with export-patchqueue script
  2025-10-22 14:57 [pve-devel] [PATCH kernel 0/2] likely fix #6746: cherry-pick fix for md issue during shutdown Fiona Ebner
@ 2025-10-22 14:57 ` Fiona Ebner
  2025-10-22 14:57 ` [pve-devel] [PATCH kernel 2/2] likely fix #6746: cherry-pick fix for md issue during shutdown Fiona Ebner
  2025-10-22 14:58 ` [pve-devel] [PATCH kernel 0/2] " Fiona Ebner
  2 siblings, 0 replies; 4+ messages in thread
From: Fiona Ebner @ 2025-10-22 14:57 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...ke-mkcompile_h-accept-an-alternate-timestamp-strin.patch | 2 +-
 ...02-wireless-Add-Debian-wireless-regdb-certificates.patch | 2 +-
 .../0003-bridge-keep-MAC-of-first-assigned-port.patch       | 2 +-
 ...i-Enable-overrides-for-missing-ACS-capabilities-4..patch | 4 ++--
 ...05-kvm-disable-default-dynamic-halt-polling-growth.patch | 2 +-
 ...t-core-downgrade-unregister_netdevice-refcount-lea.patch | 2 +-
 .../0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch  | 2 +-
 ...m-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch | 6 +++---
 ...low-opt-in-to-allow-pass-through-on-broken-hardwar.patch | 2 +-
 .../0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch | 2 +-
 ...vert-memfd-improve-userspace-warnings-for-missing-.patch | 2 +-
 ...12-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch | 2 +-
 .../0013-cifs-fix-pagecache-leak-when-do-writepages.patch   | 2 +-
 ...vert-UBUNTU-SAUCE-iommu-intel-disable-DMAR-for-SKL.patch | 2 +-
 ...0015-netfs-reset-subreq-iov-iter-before-tail-clean.patch | 2 +-
 15 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch b/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
index 93dba9f..e626b45 100644
--- a/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
+++ b/patches/kernel/0001-Make-mkcompile_h-accept-an-alternate-timestamp-strin.patch
@@ -21,7 +21,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/init/Makefile b/init/Makefile
-index cbac576c57d6..479b1253fcbe 100644
+index cbac576c57d63f20fda8720762f80225e0bcb542..479b1253fcbe2438afed4632882ff9a958472e2b 100644
 --- a/init/Makefile
 +++ b/init/Makefile
 @@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC)	:= PREEMPT_DYNAMIC
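Review bot: The commit message has no body, although the only change visible in this hunk is the embedded `index` line going from the abbreviated form (`cbac576c57d6..479b1253fcbe`) to full-length blob hashes, and the remaining hunks in this mail follow the same pattern. State that in the message, along with the fact that it results from re-exporting with the export-patchqueue script, so a reader can see at once that no patch content changed and that the 136-line addition in 2/2 is the only functional difference in the series.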
diff --git a/patches/kernel/0002-wireless-Add-Debian-wireless-regdb-certificates.patch b/patches/kernel/0002-wireless-Add-Debian-wireless-regdb-certificates.patch
index 4c0ac0f..274b7ff 100644
--- a/patches/kernel/0002-wireless-Add-Debian-wireless-regdb-certificates.patch
+++ b/patches/kernel/0002-wireless-Add-Debian-wireless-regdb-certificates.patch
@@ -19,7 +19,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
 
 diff --git a/net/wireless/certs/debian.hex b/net/wireless/certs/debian.hex
 new file mode 100644
-index 000000000000..c5ab03f8c500
+index 0000000000000000000000000000000000000000..c5ab03f8c500d2f0e5b7931d5790bd22983c3660
 --- /dev/null
 +++ b/net/wireless/certs/debian.hex
 @@ -0,0 +1,1426 @@
diff --git a/patches/kernel/0003-bridge-keep-MAC-of-first-assigned-port.patch b/patches/kernel/0003-bridge-keep-MAC-of-first-assigned-port.patch
index 135d17c..efa47df 100644
--- a/patches/kernel/0003-bridge-keep-MAC-of-first-assigned-port.patch
+++ b/patches/kernel/0003-bridge-keep-MAC-of-first-assigned-port.patch
@@ -19,7 +19,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 4 deletions(-)
 
 diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
-index 75204d36d7f9..1fb5ff73ec1e 100644
+index 75204d36d7f9062306dfc66c3c35448e16257215..1fb5ff73ec1ef3bd79960182c87a0ba312b3635d 100644
 --- a/net/bridge/br_stp_if.c
 +++ b/net/bridge/br_stp_if.c
 @@ -265,10 +265,7 @@ bool br_stp_recalculate_bridge_id(struct net_bridge *br)
diff --git a/patches/kernel/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch b/patches/kernel/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
index 3d30801..323a918 100644
--- a/patches/kernel/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
+++ b/patches/kernel/0004-pci-Enable-overrides-for-missing-ACS-capabilities-4..patch
@@ -55,7 +55,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  2 files changed, 111 insertions(+)
 
 diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
-index cefbb2aeacbc..95252280f9ff 100644
+index cefbb2aeacbc5f7bb6f86e78351ef3142674884b..95252280f9ff811d76815dd06212717dd38958f8 100644
 --- a/Documentation/admin-guide/kernel-parameters.txt
 +++ b/Documentation/admin-guide/kernel-parameters.txt
 @@ -4398,6 +4398,15 @@
@@ -75,7 +75,7 @@ index cefbb2aeacbc..95252280f9ff 100644
  				Safety option to keep boot IRQs enabled. This
  				should never be necessary.
 diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
-index 7f7d08b93107..a4fbf6ce2ab6 100644
+index 7f7d08b93107a5064d3e5422ec547d6625eee910..a4fbf6ce2ab653e72abb0afddcbb2d1634e07581 100644
 --- a/drivers/pci/quirks.c
 +++ b/drivers/pci/quirks.c
 @@ -300,6 +300,106 @@ static int __init pci_apply_final_quirks(void)
diff --git a/patches/kernel/0005-kvm-disable-default-dynamic-halt-polling-growth.patch b/patches/kernel/0005-kvm-disable-default-dynamic-halt-polling-growth.patch
index e241e8d..546ca1a 100644
--- a/patches/kernel/0005-kvm-disable-default-dynamic-halt-polling-growth.patch
+++ b/patches/kernel/0005-kvm-disable-default-dynamic-halt-polling-growth.patch
@@ -13,7 +13,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
-index f55eadb0baf3..2d3e39b7b1bb 100644
+index f55eadb0baf33fd0f2987db9e917c60d213b04ea..2d3e39b7b1bb82604711019e6d0d9b71b33a2b8b 100644
 --- a/virt/kvm/kvm_main.c
 +++ b/virt/kvm/kvm_main.c
 @@ -82,7 +82,7 @@ module_param(halt_poll_ns, uint, 0644);
diff --git a/patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch b/patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch
index c027a4b..a27e619 100644
--- a/patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch
+++ b/patches/kernel/0006-net-core-downgrade-unregister_netdevice-refcount-lea.patch
@@ -15,7 +15,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/net/core/dev.c b/net/core/dev.c
-index 1564fe7b4809..ef41224ef31b 100644
+index 1564fe7b480989f29df5a642b34284b678cd24d3..ef41224ef31b1592ab36106f88fe8b0f759c35f9 100644
 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -10533,7 +10533,7 @@ static struct net_device *netdev_wait_allrefs_any(struct list_head *list)
diff --git a/patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch b/patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch
index f6186d1..2d4fd6f 100644
--- a/patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch
+++ b/patches/kernel/0007-Revert-fortify-Do-not-cast-to-unsigned-char.patch
@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
-index e99dbc052575..9e9cdb198b82 100644
+index e99dbc0525751dacf0bcd49c208e45f59312f986..9e9cdb198b825ff315a336af36e4fc3b6c09fb7d 100644
 --- a/include/linux/fortify-string.h
 +++ b/include/linux/fortify-string.h
 @@ -18,7 +18,7 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
diff --git a/patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch b/patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch
index 7d250e4..0ec86d1 100644
--- a/patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch
+++ b/patches/kernel/0008-kvm-xsave-set-mask-out-PKRU-bit-in-xfeatures-if-vCPU.patch
@@ -78,7 +78,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  3 files changed, 22 insertions(+)
 
 diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
-index d845ae6b1cfd..2919977683bd 100644
+index d845ae6b1cfdf395799d672e902af4e2871b5784..2919977683bd473f3b9963cf5877b357ee119ab1 100644
 --- a/arch/x86/kvm/cpuid.c
 +++ b/arch/x86/kvm/cpuid.c
 @@ -283,6 +283,12 @@ static u64 cpuid_get_supported_xcr0(struct kvm_cpuid_entry2 *entries, int nent)
@@ -95,7 +95,7 @@ index d845ae6b1cfd..2919977683bd 100644
  				       int nent)
  {
 diff --git a/arch/x86/kvm/cpuid.h b/arch/x86/kvm/cpuid.h
-index da4e23e32cff..e33c2269c5a0 100644
+index da4e23e32cffa430f04d1589d6fa2d4a856ed714..e33c2269c5a075d57c53d817ebeaf1b6a1d6a227 100644
 --- a/arch/x86/kvm/cpuid.h
 +++ b/arch/x86/kvm/cpuid.h
 @@ -32,7 +32,10 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
@@ -110,7 +110,7 @@ index da4e23e32cff..e33c2269c5a0 100644
  
  int cpuid_query_maxphyaddr(struct kvm_vcpu *vcpu);
 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index a5fac89589f9..850b1e9ef98c 100644
+index a5fac89589f924f4e1ec3e529c740cb2e96c8067..850b1e9ef98c48bb489d591c40ee78cbc768d95a 100644
 --- a/arch/x86/kvm/x86.c
 +++ b/arch/x86/kvm/x86.c
 @@ -5569,6 +5569,19 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
diff --git a/patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch b/patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
index e651c0f..259d9a5 100644
--- a/patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
+++ b/patches/kernel/0009-allow-opt-in-to-allow-pass-through-on-broken-hardwar.patch
@@ -11,7 +11,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
-index cfaa45df8ece..2596661e7806 100644
+index cfaa45df8eced0d8b11c07e2121e033210c530d4..2596661e7806062953cc05cbc0613f0bec8c11f4 100644
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
 @@ -234,6 +234,7 @@ static int dmar_map_gfx = 1;
diff --git a/patches/kernel/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch b/patches/kernel/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
index a101740..478a985 100644
--- a/patches/kernel/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
+++ b/patches/kernel/0010-KVM-nSVM-Advertise-support-for-flush-by-ASID.patch
@@ -24,7 +24,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
-index edba31feb085..4b7c2c51eed2 100644
+index edba31feb085577fcf7c4e1906a9651a9a02ad61..4b7c2c51eed2905e187c21de2e4bdb8b16872ec5 100644
 --- a/arch/x86/kvm/svm/svm.c
 +++ b/arch/x86/kvm/svm/svm.c
 @@ -5164,6 +5164,7 @@ static __init void svm_set_cpu_caps(void)
diff --git a/patches/kernel/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch b/patches/kernel/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
index bd778f9..054b59c 100644
--- a/patches/kernel/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
+++ b/patches/kernel/0011-revert-memfd-improve-userspace-warnings-for-missing-.patch
@@ -30,7 +30,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/mm/memfd.c b/mm/memfd.c
-index 890e9b2a4fa1..a70508d0233b 100644
+index 890e9b2a4fa1dd0013cb71f869005cfe15ac1bc4..a70508d0233b45df7b4356800fdb3d9bfbcb670c 100644
 --- a/mm/memfd.c
 +++ b/mm/memfd.c
 @@ -282,7 +282,7 @@ static int check_sysctl_memfd_noexec(unsigned int *flags)
diff --git a/patches/kernel/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch b/patches/kernel/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
index ccb679d..5acb2c8 100644
--- a/patches/kernel/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
+++ b/patches/kernel/0012-apparmor-expect-msg_namelen-0-for-recvmsg-calls.patch
@@ -18,7 +18,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/security/apparmor/af_inet.c b/security/apparmor/af_inet.c
-index 57b710054a76..35f905d9b960 100644
+index 57b710054a76582346f37671843f3f8d6e99331c..35f905d9b960f62fa2ecb80b5c1a8e9edecd9b5d 100644
 --- a/security/apparmor/af_inet.c
 +++ b/security/apparmor/af_inet.c
 @@ -766,7 +766,7 @@ int aa_inet_msg_perm(const char *op, u32 request, struct socket *sock,
diff --git a/patches/kernel/0013-cifs-fix-pagecache-leak-when-do-writepages.patch b/patches/kernel/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
index 1fd9a13..91ca2d6 100644
--- a/patches/kernel/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
+++ b/patches/kernel/0013-cifs-fix-pagecache-leak-when-do-writepages.patch
@@ -48,7 +48,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 13 insertions(+), 3 deletions(-)
 
 diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
-index d495e3511014..e755ae643c09 100644
+index d495e3511014b9e628d0592d328f63b4a680de97..e755ae643c090e595bf2431e471eddff7b868e9f 100644
 --- a/fs/smb/client/file.c
 +++ b/fs/smb/client/file.c
 @@ -2845,17 +2845,21 @@ static ssize_t cifs_write_back_from_locked_folio(struct address_space *mapping,
diff --git a/patches/kernel/0014-Revert-UBUNTU-SAUCE-iommu-intel-disable-DMAR-for-SKL.patch b/patches/kernel/0014-Revert-UBUNTU-SAUCE-iommu-intel-disable-DMAR-for-SKL.patch
index c0fd5da..6a3bf67 100644
--- a/patches/kernel/0014-Revert-UBUNTU-SAUCE-iommu-intel-disable-DMAR-for-SKL.patch
+++ b/patches/kernel/0014-Revert-UBUNTU-SAUCE-iommu-intel-disable-DMAR-for-SKL.patch
@@ -19,7 +19,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 68 deletions(-)
 
 diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
-index 2596661e7806..c53b6257890c 100644
+index 2596661e7806062953cc05cbc0613f0bec8c11f4..c53b6257890cac07a420d5329abd7409b1035dcc 100644
 --- a/drivers/iommu/intel/iommu.c
 +++ b/drivers/iommu/intel/iommu.c
 @@ -5048,74 +5048,6 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x1632, quirk_iommu_igfx);
diff --git a/patches/kernel/0015-netfs-reset-subreq-iov-iter-before-tail-clean.patch b/patches/kernel/0015-netfs-reset-subreq-iov-iter-before-tail-clean.patch
index 7fc49f0..f670a4d 100644
--- a/patches/kernel/0015-netfs-reset-subreq-iov-iter-before-tail-clean.patch
+++ b/patches/kernel/0015-netfs-reset-subreq-iov-iter-before-tail-clean.patch
@@ -16,7 +16,7 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/fs/netfs/io.c b/fs/netfs/io.c
-index aaff3844e9b7..e8a884040e2b 100644
+index aaff3844e9b708e20b885cfdcc378f91d3335d4c..e8a884040e2b377b48d6da9f1b5096f8fcd99f92 100644
 --- a/fs/netfs/io.c
 +++ b/fs/netfs/io.c
 @@ -517,6 +517,7 @@ void netfs_subreq_terminated(struct netfs_io_subrequest *subreq,
-- 
2.47.3




* [pve-devel] [PATCH kernel 2/2] likely fix #6746: cherry-pick fix for md issue during shutdown
  2025-10-22 14:57 [pve-devel] [PATCH kernel 0/2] likely fix #6746: cherry-pick fix for md issue during shutdown Fiona Ebner
  2025-10-22 14:57 ` [pve-devel] [PATCH kernel 1/2] re-export patches with export-patchqueue script Fiona Ebner
@ 2025-10-22 14:57 ` Fiona Ebner
  2025-10-22 14:58 ` [pve-devel] [PATCH kernel 0/2] " Fiona Ebner
  2 siblings, 0 replies; 4+ messages in thread
From: Fiona Ebner @ 2025-10-22 14:57 UTC (permalink / raw)
  To: pve-devel

The same commit is already present in Ubuntu's 6.14 kernel as
c1cf81e4153b ("md: fix mddev uaf while iterating all_mddevs list") as
well as upstream stable branches, e.g. in 6.6.x it's d69a23d8e925
("md: fix mddev uaf while iterating all_mddevs list").

The commit was identified by Roland in a bugzilla comment.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 ...-uaf-while-iterating-all_mddevs-list.patch | 136 ++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 patches/kernel/0016-md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch

diff --git a/patches/kernel/0016-md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch b/patches/kernel/0016-md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch
new file mode 100644
index 0000000..9886cc1
--- /dev/null
+++ b/patches/kernel/0016-md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch
@@ -0,0 +1,136 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 20 Feb 2025 20:43:48 +0800
+Subject: [PATCH] md: fix mddev uaf while iterating all_mddevs list
+
+BugLink: https://bugs.launchpad.net/bugs/2107212
+
+[ Upstream commit 8542870237c3a48ff049b6c5df5f50c8728284fa ]
+
+While iterating all_mddevs list from md_notify_reboot() and md_exit(),
+list_for_each_entry_safe is used, and this can race with deletint the
+next mddev, causing UAF:
+
+t1:
+spin_lock
+//list_for_each_entry_safe(mddev, n, ...)
+ mddev_get(mddev1)
+ // assume mddev2 is the next entry
+ spin_unlock
+            t2:
+            //remove mddev2
+            ...
+            mddev_free
+            spin_lock
+            list_del
+            spin_unlock
+            kfree(mddev2)
+ mddev_put(mddev1)
+ spin_lock
+ //continue dereference mddev2->all_mddevs
+
+The old helper for_each_mddev() actually grab the reference of mddev2
+while holding the lock, to prevent from being freed. This problem can be
+fixed the same way, however, the code will be complex.
+
+Hence switch to use list_for_each_entry, in this case mddev_put() can free
+the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor
+out a helper mddev_put_locked() to fix this problem.
+
+Cc: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/linux-raid/20250220124348.845222-1-yukuai1@huaweicloud.com
+Fixes: f26514342255 ("md: stop using for_each_mddev in md_notify_reboot")
+Fixes: 16648bac862f ("md: stop using for_each_mddev in md_exit")
+Reported-and-tested-by: Guillaume Morin <guillaume@morinfr.org>
+Closes: https://lore.kernel.org/all/Z7Y0SURoA8xwg7vn@bender.morinfr.org/
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>
+Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
+(cherry picked from commit c1cf81e4153b46ab94188c72e615014e7f9ae547)
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+---
+ drivers/md/md.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
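Review bot: The commit message of the embedded patch does not name the branch it is applied to. It records the pick source as c1cf81e4153b, which the cover letter places in Ubuntu's 6.14 kernel, while the follow-up mail says the series is for bookworm-6.8. Add a line naming the target branch and stating whether the pick applied cleanly or needed adjustment, so the backport can be compared against the 6.6.x stable commit d69a23d8e925 that is also cited.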
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 260abee6dbcc587873e0127b94f237429319ee47..3a5d8fe64999a254e4acb108ef26a3afc0a33988 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -689,6 +689,12 @@ static void __mddev_put(struct mddev *mddev)
+ 	queue_work(md_misc_wq, &mddev->del_work);
+ }
+ 
++static void mddev_put_locked(struct mddev *mddev)
++{
++	if (atomic_dec_and_test(&mddev->active))
++		__mddev_put(mddev);
++}
++
+ void mddev_put(struct mddev *mddev)
+ {
+ 	if (!atomic_dec_and_lock(&mddev->active, &all_mddevs_lock))
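Review bot: mddev_put_locked() relies on the caller already holding all_mddevs_lock, but the helper neither documents nor checks that; the only hint is the contrast with mddev_put() just below, which takes the lock through atomic_dec_and_lock(). A lockdep_assert_held(&all_mddevs_lock) at the top of the helper, or at minimum a one-line comment, would flag a future caller that drops the reference without the lock and so reopens the use-after-free described in the commit message.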
+@@ -8455,9 +8461,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
+ 	if (mddev == list_last_entry(&all_mddevs, struct mddev, all_mddevs))
+ 		status_unused(seq);
+ 
+-	if (atomic_dec_and_test(&mddev->active))
+-		__mddev_put(mddev);
+-
++	mddev_put_locked(mddev);
+ 	return 0;
+ }
+ 
+@@ -9862,11 +9866,11 @@ EXPORT_SYMBOL_GPL(rdev_clear_badblocks);
+ static int md_notify_reboot(struct notifier_block *this,
+ 			    unsigned long code, void *x)
+ {
+-	struct mddev *mddev, *n;
++	struct mddev *mddev;
+ 	int need_delay = 0;
+ 
+ 	spin_lock(&all_mddevs_lock);
+-	list_for_each_entry_safe(mddev, n, &all_mddevs, all_mddevs) {
++	list_for_each_entry(mddev, &all_mddevs, all_mddevs) {
+ 		if (!mddev_get(mddev))
+ 			continue;
+ 		spin_unlock(&all_mddevs_lock);
+@@ -9878,8 +9882,8 @@ static int md_notify_reboot(struct notifier_block *this,
+ 			mddev_unlock(mddev);
+ 		}
+ 		need_delay = 1;
+-		mddev_put(mddev);
+ 		spin_lock(&all_mddevs_lock);
++		mddev_put_locked(mddev);
+ 	}
+ 	spin_unlock(&all_mddevs_lock);
+ 
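Review bot: The loop tail in md_notify_reboot() needs a comment explaining why mddev_put_locked(mddev) has to come after spin_lock(&all_mddevs_lock). With list_for_each_entry() the iterator reads the next pointer from the current entry, so the reference must be kept until the lock is re-taken and the lock must stay held across the advance. Swapping the two lines back would still compile and look harmless. The same comment belongs on the identical loop tail in md_exit().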
+@@ -10202,7 +10206,7 @@ void md_autostart_arrays(int part)
+ 
+ static __exit void md_exit(void)
+ {
+-	struct mddev *mddev, *n;
++	struct mddev *mddev;
+ 	int delay = 1;
+ 
+ 	unregister_blkdev(MD_MAJOR,"md");
+@@ -10223,7 +10227,7 @@ static __exit void md_exit(void)
+ 	remove_proc_entry("mdstat", NULL);
+ 
+ 	spin_lock(&all_mddevs_lock);
+-	list_for_each_entry_safe(mddev, n, &all_mddevs, all_mddevs) {
++	list_for_each_entry(mddev, &all_mddevs, all_mddevs) {
+ 		if (!mddev_get(mddev))
+ 			continue;
+ 		spin_unlock(&all_mddevs_lock);
+@@ -10235,8 +10239,8 @@ static __exit void md_exit(void)
+ 		 * the mddev for destruction by a workqueue, and the
+ 		 * destroy_workqueue() below will wait for that to complete.
+ 		 */
+-		mddev_put(mddev);
+ 		spin_lock(&all_mddevs_lock);
++		mddev_put_locked(mddev);
+ 	}
+ 	spin_unlock(&all_mddevs_lock);
+ 
-- 
2.47.3




* Re: [pve-devel] [PATCH kernel 0/2] likely fix #6746: cherry-pick fix for md issue during shutdown
  2025-10-22 14:57 [pve-devel] [PATCH kernel 0/2] likely fix #6746: cherry-pick fix for md issue during shutdown Fiona Ebner
  2025-10-22 14:57 ` [pve-devel] [PATCH kernel 1/2] re-export patches with export-patchqueue script Fiona Ebner
  2025-10-22 14:57 ` [pve-devel] [PATCH kernel 2/2] likely fix #6746: cherry-pick fix for md issue during shutdown Fiona Ebner
@ 2025-10-22 14:58 ` Fiona Ebner
  2 siblings, 0 replies; 4+ messages in thread
From: Fiona Ebner @ 2025-10-22 14:58 UTC (permalink / raw)
  To: pve-devel

Sorry, forgot to indicate that this is for the bookworm-6.8 branch

On 22.10.25 at 4:57 PM, Fiona Ebner wrote:
> The same commit is already present in Ubuntu's 6.14 kernel as
> c1cf81e4153b ("md: fix mddev uaf while iterating all_mddevs list") as
> well as upstream stable branches, e.g. in 6.6.x it's d69a23d8e925
> ("md: fix mddev uaf while iterating all_mddevs list").
> 
> Fiona Ebner (2):
>   re-export patches with export-patchqueue script
>   fix #6746: cherry-pick fix for md issue during shutdown
> 
>  ...-accept-an-alternate-timestamp-strin.patch |   2 +-
>  ...d-Debian-wireless-regdb-certificates.patch |   2 +-
>  ...idge-keep-MAC-of-first-assigned-port.patch |   2 +-
>  ...ides-for-missing-ACS-capabilities-4..patch |   4 +-
>  ...-default-dynamic-halt-polling-growth.patch |   2 +-
>  ...de-unregister_netdevice-refcount-lea.patch |   2 +-
>  ...fortify-Do-not-cast-to-unsigned-char.patch |   2 +-
>  ...sk-out-PKRU-bit-in-xfeatures-if-vCPU.patch |   6 +-
>  ...allow-pass-through-on-broken-hardwar.patch |   2 +-
>  ...-Advertise-support-for-flush-by-ASID.patch |   2 +-
>  ...rove-userspace-warnings-for-missing-.patch |   2 +-
>  ...pect-msg_namelen-0-for-recvmsg-calls.patch |   2 +-
>  ...ix-pagecache-leak-when-do-writepages.patch |   2 +-
>  ...UCE-iommu-intel-disable-DMAR-for-SKL.patch |   2 +-
>  ...et-subreq-iov-iter-before-tail-clean.patch |   2 +-
>  ...-uaf-while-iterating-all_mddevs-list.patch | 136 ++++++++++++++++++
>  16 files changed, 154 insertions(+), 18 deletions(-)
>  create mode 100644 patches/kernel/0016-md-fix-mddev-uaf-while-iterating-all_mddevs-list.patch
> 



