]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Feb 2023 09:19:20 +0000 (10:19 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Feb 2023 09:19:20 +0000 (10:19 +0100)
added patches:
mm-swapfile-add-cond_resched-in-get_swap_pages.patch
squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch

queue-4.14/mm-swapfile-add-cond_resched-in-get_swap_pages.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch [new file with mode: 0644]

diff --git a/queue-4.14/mm-swapfile-add-cond_resched-in-get_swap_pages.patch b/queue-4.14/mm-swapfile-add-cond_resched-in-get_swap_pages.patch
new file mode 100644 (file)
index 0000000..1128c98
--- /dev/null
@@ -0,0 +1,45 @@
+From 7717fc1a12f88701573f9ed897cc4f6699c661e3 Mon Sep 17 00:00:00 2001
+From: Longlong Xia <xialonglong1@huawei.com>
+Date: Sat, 28 Jan 2023 09:47:57 +0000
+Subject: mm/swapfile: add cond_resched() in get_swap_pages()
+
+From: Longlong Xia <xialonglong1@huawei.com>
+
+commit 7717fc1a12f88701573f9ed897cc4f6699c661e3 upstream.
+
+The softlockup still occurs in get_swap_pages() under memory pressure.  64
+CPU cores, 64GB memory, and 28 zram devices, the disksize of each zram
+device is 50MB with same priority as si.  Use the stress-ng tool to
+increase memory pressure, causing the system to oom frequently.
+
+The plist_for_each_entry_safe() loops in get_swap_pages() could reach tens
+of thousands of times to find available space (extreme case:
+cond_resched() is not called in scan_swap_map_slots()).  Let's add
+cond_resched() into get_swap_pages() when failed to find available space
+to avoid softlockup.
+
+Link: https://lkml.kernel.org/r/20230128094757.1060525-1-xialonglong1@huawei.com
+Signed-off-by: Longlong Xia <xialonglong1@huawei.com>
+Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
+Cc: Chen Wandun <chenwandun@huawei.com>
+Cc: Huang Ying <ying.huang@intel.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Nanyong Sun <sunnanyong@huawei.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -983,6 +983,7 @@ start_over:
+                       goto check_out;
+               pr_debug("scan_swap_map of si %d failed to find offset\n",
+                       si->type);
++              cond_resched();
+               spin_lock(&swap_avail_lock);
+ nextsi:
index 674b48db9ccc748e887cd463a4c36b723896f8d7..165870c57a9145b55272d17a5208e0f115569991 100644 (file)
@@ -19,3 +19,5 @@ iio-adc-twl6030-enable-measurements-of-vusb-vbat-and-others.patch
 parisc-fix-return-code-of-pdc_iodc_print.patch
 parisc-wire-up-ptrace_getregs-ptrace_setregs-for-compat-case.patch
 mm-hugetlb-proc-check-for-hugetlb-shared-pmd-in-proc-pid-smaps.patch
+mm-swapfile-add-cond_resched-in-get_swap_pages.patch
+squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch
diff --git a/queue-4.14/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch b/queue-4.14/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch
new file mode 100644 (file)
index 0000000..782e8b0
--- /dev/null
@@ -0,0 +1,143 @@
+From f65c4bbbd682b0877b669828b4e033b8d5d0a2dc Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Fri, 27 Jan 2023 06:18:42 +0000
+Subject: Squashfs: fix handling and sanity checking of xattr_ids count
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc upstream.
+
+A Sysbot [1] corrupted filesystem exposes two flaws in the handling and
+sanity checking of the xattr_ids count in the filesystem.  Both of these
+flaws cause computation overflow due to incorrect typing.
+
+In the corrupted filesystem the xattr_ids value is 4294967071, which
+stored in a signed variable becomes the negative number -225.
+
+Flaw 1 (64-bit systems only):
+
+The signed integer xattr_ids variable causes sign extension.
+
+This causes variable overflow in the SQUASHFS_XATTR_*(A) macros.  The
+variable is first multiplied by sizeof(struct squashfs_xattr_id) where the
+type of the sizeof operator is "unsigned long".
+
+On a 64-bit system this is 64-bits in size, and causes the negative number
+to be sign extended and widened to 64-bits and then become unsigned.  This
+produces the very large number 18446744073709548016 or 2^64 - 3600.  This
+number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and
+divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0
+(stored in len).
+
+Flaw 2 (32-bit systems only):
+
+On a 32-bit system the integer variable is not widened by the unsigned
+long type of the sizeof operator (32-bits), and the signedness of the
+variable has no effect due it always being treated as unsigned.
+
+The above corrupted xattr_ids value of 4294967071, when multiplied
+overflows and produces the number 4294963696 or 2^32 - 3400.  This number
+when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by
+SQUASHFS_METADATA_SIZE overflows again and produces a length of 0.
+
+The effect of the 0 length computation:
+
+In conjunction with the corrupted xattr_ids field, the filesystem also has
+a corrupted xattr_table_start value, where it matches the end of
+filesystem value of 850.
+
+This causes the following sanity check code to fail because the
+incorrectly computed len of 0 matches the incorrect size of the table
+reported by the superblock (0 bytes).
+
+    len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
+    indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);
+
+    /*
+     * The computed size of the index table (len bytes) should exactly
+     * match the table start and end points
+    */
+    start = table_start + sizeof(*id_table);
+    end = msblk->bytes_used;
+
+    if (len != (end - start))
+            return ERR_PTR(-EINVAL);
+
+Changing the xattr_ids variable to be "usigned int" fixes the flaw on a
+64-bit system.  This relies on the fact the computation is widened by the
+unsigned long type of the sizeof operator.
+
+Casting the variable to u64 in the above macro fixes this flaw on a 32-bit
+system.
+
+It also means 64-bit systems do not implicitly rely on the type of the
+sizeof operator to widen the computation.
+
+[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/
+
+Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk
+Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup")
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Reported-by: <syzbot+082fa4af80a5bb1a9843@syzkaller.appspotmail.com>
+Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Fedor Pchelkin <pchelkin@ispras.ru>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/squashfs/squashfs_fs.h    |    2 +-
+ fs/squashfs/squashfs_fs_sb.h |    2 +-
+ fs/squashfs/xattr.h          |    4 ++--
+ fs/squashfs/xattr_id.c       |    2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/squashfs/squashfs_fs.h
++++ b/fs/squashfs/squashfs_fs.h
+@@ -196,7 +196,7 @@ static inline int squashfs_block_size(__
+ #define SQUASHFS_ID_BLOCK_BYTES(A)    (SQUASHFS_ID_BLOCKS(A) *\
+                                       sizeof(u64))
+ /* xattr id lookup table defines */
+-#define SQUASHFS_XATTR_BYTES(A)               ((A) * sizeof(struct squashfs_xattr_id))
++#define SQUASHFS_XATTR_BYTES(A)               (((u64) (A)) * sizeof(struct squashfs_xattr_id))
+ #define SQUASHFS_XATTR_BLOCK(A)               (SQUASHFS_XATTR_BYTES(A) / \
+                                       SQUASHFS_METADATA_SIZE)
+--- a/fs/squashfs/squashfs_fs_sb.h
++++ b/fs/squashfs/squashfs_fs_sb.h
+@@ -76,7 +76,7 @@ struct squashfs_sb_info {
+       long long                               bytes_used;
+       unsigned int                            inodes;
+       unsigned int                            fragments;
+-      int                                     xattr_ids;
++      unsigned int                            xattr_ids;
+       unsigned int                            ids;
+ };
+ #endif
+--- a/fs/squashfs/xattr.h
++++ b/fs/squashfs/xattr.h
+@@ -23,12 +23,12 @@
+ #ifdef CONFIG_SQUASHFS_XATTR
+ extern __le64 *squashfs_read_xattr_id_table(struct super_block *, u64,
+-              u64 *, int *);
++              u64 *, unsigned int *);
+ extern int squashfs_xattr_lookup(struct super_block *, unsigned int, int *,
+               unsigned int *, unsigned long long *);
+ #else
+ static inline __le64 *squashfs_read_xattr_id_table(struct super_block *sb,
+-              u64 start, u64 *xattr_table_start, int *xattr_ids)
++              u64 start, u64 *xattr_table_start, unsigned int *xattr_ids)
+ {
+       struct squashfs_xattr_id_table *id_table;
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -69,7 +69,7 @@ int squashfs_xattr_lookup(struct super_b
+  * Read uncompressed xattr id lookup table indexes from disk into memory
+  */
+ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start,
+-              u64 *xattr_table_start, int *xattr_ids)
++              u64 *xattr_table_start, unsigned int *xattr_ids)
+ {
+       struct squashfs_sb_info *msblk = sb->s_fs_info;
+       unsigned int len, indexes;