git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.19.312/revert-loop-check-for-overflow-while-configuring-loop.patch
Linux 4.19.312
From stable+bounces-25711-greg=kroah.com@vger.kernel.org Fri Mar 1 02:33:08 2024
From: Genjian <zhanggenjian@126.com>
Date: Fri, 1 Mar 2024 09:30:20 +0800
Subject: Revert "loop: Check for overflow while configuring loop"
To: stable@vger.kernel.org
Cc: axboe@kernel.dk, stable@kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhanggenjian123@gmail.com, Genjian Zhang <zhanggenjian@kylinos.cn>, k2ci <kernel-bot@kylinos.cn>
Message-ID: <20240301013028.2293831-2-zhanggenjian@126.com>

From: Genjian Zhang <zhanggenjian@kylinos.cn>

This reverts commit 2035c770bfdbcc82bd52e05871a7c82db9529e0f.

This patch lost an unlock of loop_ctl_mutex in loop_get_status(...),
which caused syzbot to report a UAF issue. The upstream patch does not
have this issue. Therefore, we revert this patch and directly apply
the upstream patch later on.

Risk of use-after-free as reported by syzbot:

[ 174.437352] BUG: KASAN: use-after-free in __mutex_lock.isra.10+0xbc4/0xc30
[ 174.437772] Read of size 4 at addr ffff8880bac49ab8 by task syz-executor.0/13897
[ 174.438205]
[ 174.438306] CPU: 1 PID: 13897 Comm: syz-executor.0 Not tainted 4.19.306 #1
[ 174.438712] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1kylin1 04/01/2014
[ 174.439236] Call Trace:
[ 174.439392] dump_stack+0x94/0xc7
[ 174.439596] ? __mutex_lock.isra.10+0xbc4/0xc30
[ 174.439881] print_address_description+0x60/0x229
[ 174.440165] ? __mutex_lock.isra.10+0xbc4/0xc30
[ 174.440436] kasan_report.cold.6+0x241/0x2fd
[ 174.440696] __mutex_lock.isra.10+0xbc4/0xc30
[ 174.440959] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.441272] ? mutex_trylock+0xa0/0xa0
[ 174.441500] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.441816] ? kobject_get_unless_zero+0x129/0x1c0
[ 174.442106] ? kset_unregister+0x30/0x30
[ 174.442351] ? find_symbol_in_section+0x310/0x310
[ 174.442634] ? __mutex_lock_slowpath+0x10/0x10
[ 174.442901] mutex_lock_killable+0xb0/0xf0
[ 174.443149] ? __mutex_lock_killable_slowpath+0x10/0x10
[ 174.443465] ? __mutex_lock_slowpath+0x10/0x10
[ 174.443732] ? _cond_resched+0x10/0x20
[ 174.443966] ? kobject_get+0x54/0xa0
[ 174.444190] lo_open+0x16/0xc0
[ 174.444382] __blkdev_get+0x273/0x10f0
[ 174.444612] ? lo_fallocate.isra.20+0x150/0x150
[ 174.444886] ? bdev_disk_changed+0x190/0x190
[ 174.445146] ? path_init+0x1030/0x1030
[ 174.445371] ? do_syscall_64+0x9a/0x2d0
[ 174.445608] ? deref_stack_reg+0xab/0xe0
[ 174.445852] blkdev_get+0x97/0x880
[ 174.446061] ? walk_component+0x297/0xdc0
[ 174.446303] ? __blkdev_get+0x10f0/0x10f0
[ 174.446547] ? __fsnotify_inode_delete+0x20/0x20
[ 174.446822] blkdev_open+0x1bd/0x240
[ 174.447040] do_dentry_open+0x448/0xf80
[ 174.447274] ? blkdev_get_by_dev+0x60/0x60
[ 174.447522] ? __x64_sys_fchdir+0x1a0/0x1a0
[ 174.447775] ? inode_permission+0x86/0x320
[ 174.448022] path_openat+0xa83/0x3ed0
[ 174.448248] ? path_mountpoint+0xb50/0xb50
[ 174.448495] ? kasan_kmalloc+0xbf/0xe0
[ 174.448723] ? kmem_cache_alloc+0xbc/0x1b0
[ 174.448971] ? getname_flags+0xc4/0x560
[ 174.449203] ? do_sys_open+0x1ce/0x3f0
[ 174.449432] ? do_syscall_64+0x9a/0x2d0
[ 174.449706] ? entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.450022] ? __d_alloc+0x2a/0xa50
[ 174.450232] ? kasan_unpoison_shadow+0x30/0x40
[ 174.450510] ? should_fail+0x117/0x6c0
[ 174.450737] ? timespec64_trunc+0xc1/0x150
[ 174.450986] ? inode_init_owner+0x2e0/0x2e0
[ 174.451237] ? timespec64_trunc+0xc1/0x150
[ 174.451484] ? inode_init_owner+0x2e0/0x2e0
[ 174.451736] do_filp_open+0x197/0x270
[ 174.451959] ? may_open_dev+0xd0/0xd0
[ 174.452182] ? kasan_unpoison_shadow+0x30/0x40
[ 174.452448] ? kasan_kmalloc+0xbf/0xe0
[ 174.452672] ? __alloc_fd+0x1a3/0x4b0
[ 174.452895] do_sys_open+0x2c7/0x3f0
[ 174.453114] ? filp_open+0x60/0x60
[ 174.453320] do_syscall_64+0x9a/0x2d0
[ 174.453541] ? prepare_exit_to_usermode+0xf3/0x170
[ 174.453832] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
[ 174.454136] RIP: 0033:0x41edee
[ 174.454321] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 c7 c0 a4 af 0b 01 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c5
[ 174.455404] RSP: 002b:00007ffd2501fbd0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 174.455854] RAX: ffffffffffffffda RBX: 00007ffd2501fc90 RCX: 000000000041edee
[ 174.456273] RDX: 0000000000000002 RSI: 00007ffd2501fcd0 RDI: 00000000ffffff9c
[ 174.456698] RBP: 0000000000000003 R08: 0000000000000001 R09: 00007ffd2501f9a7
[ 174.457116] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 174.457535] R13: 0000000000565e48 R14: 00007ffd2501fcd0 R15: 0000000000400510
[ 174.457955]
[ 174.458052] Allocated by task 945:
[ 174.458261] kasan_kmalloc+0xbf/0xe0
[ 174.458478] kmem_cache_alloc_node+0xb4/0x1d0
[ 174.458743] copy_process.part.57+0x14b0/0x7010
[ 174.459017] _do_fork+0x197/0x980
[ 174.459218] kernel_thread+0x2f/0x40
[ 174.459438] call_usermodehelper_exec_work+0xa8/0x240
[ 174.459742] process_one_work+0x933/0x13b0
[ 174.459986] worker_thread+0x8c/0x1000
[ 174.460212] kthread+0x343/0x410
[ 174.460408] ret_from_fork+0x35/0x40
[ 174.460621]
[ 174.460716] Freed by task 22902:
[ 174.460913] __kasan_slab_free+0x125/0x170
[ 174.461159] kmem_cache_free+0x6e/0x1b0
[ 174.461391] __put_task_struct+0x1c4/0x440
[ 174.461636] delayed_put_task_struct+0x135/0x170
[ 174.461915] rcu_process_callbacks+0x578/0x15c0
[ 174.462184] __do_softirq+0x175/0x60e
[ 174.462403]
[ 174.462501] The buggy address belongs to the object at ffff8880bac49a80
[ 174.462501] which belongs to the cache task_struct of size 3264
[ 174.463235] The buggy address is located 56 bytes inside of
[ 174.463235] 3264-byte region [ffff8880bac49a80, ffff8880bac4a740)
[ 174.463923] The buggy address belongs to the page:
[ 174.464210] page:ffffea0002eb1200 count:1 mapcount:0 mapping:ffff888188ca0a00 index:0x0 compound_mapcount: 0
[ 174.464784] flags: 0x100000000008100(slab|head)
[ 174.465079] raw: 0100000000008100 ffffea0002eaa400 0000000400000004 ffff888188ca0a00
[ 174.465533] raw: 0000000000000000 0000000000090009 00000001ffffffff 0000000000000000
[ 174.465988] page dumped because: kasan: bad access detected
[ 174.466321]
[ 174.466322] Memory state around the buggy address:
[ 174.466325] ffff8880bac49980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466327] ffff8880bac49a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 174.466329] >ffff8880bac49a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466329] ^
[ 174.466331] ffff8880bac49b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466333] ffff8880bac49b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.466333] ==================================================================
[ 174.466338] Disabling lock debugging due to kernel taint

Reported-by: k2ci <kernel-bot@kylinos.cn>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/loop.c | 5 -----
1 file changed, 5 deletions(-)

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
144 @@ -1351,11 +1351,6 @@ loop_get_status(struct loop_device *lo,
145 info->lo_number = lo->lo_number;
146 info->lo_offset = lo->lo_offset;
147 info->lo_sizelimit = lo->lo_sizelimit;
148 -
149 - /* loff_t vars have been assigned __u64 */
150 - if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
151 - return -EOVERFLOW;
152 -
153 info->lo_flags = lo->lo_flags;
154 memcpy(info->lo_file_name, lo->lo_file_name, LO_NAME_SIZE);
155 memcpy(info->lo_crypt_name, lo->lo_crypt_name, LO_NAME_SIZE);
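Review bot: the early `return -EOVERFLOW` removed in this hunk was placed between the `info->lo_sizelimit = lo->lo_sizelimit;` and `info->lo_flags = lo->lo_flags;` assignments, i.e. in the middle of loop_get_status() where, per the commit message, loop_ctl_mutex is still held, and that early exit is the path that skipped the unlock and produced the KASAN use-after-free in lo_open() shown above; deleting it restores the function's single exit path, so the revert itself is correct. Worth stating in the changelog, though, that with this revert applied a negative `lo->lo_offset` or `lo->lo_sizelimit` (loff_t) is once again copied into the `__u64` info fields without any check, exactly as the removed comment `/* loff_t vars have been assigned __u64 */` warned, and that this window is only closed by the upstream version of the check the message says is applied "later on"; whoever applies that follow-up should confirm its error return releases loop_ctl_mutex before returning, since the same one-line omission is what made this backport unsafe.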