4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Jan 2019 10:23:37 +0000 (11:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 21 Jan 2019 10:23:37 +0000 (11:23 +0100)
added patches:
btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
scsi-sd-fix-cache_type_store.patch
yama-check-for-pid-death-before-checking-ancestry.patch

queue-4.4/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch [new file with mode: 0644]
queue-4.4/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch [new file with mode: 0644]
queue-4.4/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch [new file with mode: 0644]
queue-4.4/scsi-sd-fix-cache_type_store.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/yama-check-for-pid-death-before-checking-ancestry.patch [new file with mode: 0644]

diff --git a/queue-4.4/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch b/queue-4.4/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
new file mode 100644 (file)
index 0000000..68c68dd
--- /dev/null
@@ -0,0 +1,86 @@
+From 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 21 Nov 2018 14:05:45 -0500
+Subject: btrfs: wait on ordered extents on abort cleanup
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 upstream.
+
+If we flip read-only before we initiate writeback on all dirty pages for
+ordered extents we've created then we'll have ordered extents left over
+on umount, which results in all sorts of bad things happening.  Fix this
+by making sure we wait on ordered extents if we have to do the aborted
+transaction cleanup stuff.
+
+generic/475 can produce this warning:
+
+ [ 8531.177332] WARNING: CPU: 2 PID: 11997 at fs/btrfs/disk-io.c:3856 btrfs_free_fs_root+0x95/0xa0 [btrfs]
+ [ 8531.183282] CPU: 2 PID: 11997 Comm: umount Tainted: G        W 5.0.0-rc1-default+ #394
+ [ 8531.185164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),BIOS rel-1.11.2-0-gf9626cc-prebuilt.qemu-project.org 04/01/2014
+ [ 8531.187851] RIP: 0010:btrfs_free_fs_root+0x95/0xa0 [btrfs]
+ [ 8531.193082] RSP: 0018:ffffb1ab86163d98 EFLAGS: 00010286
+ [ 8531.194198] RAX: ffff9f3449494d18 RBX: ffff9f34a2695000 RCX:0000000000000000
+ [ 8531.195629] RDX: 0000000000000002 RSI: 0000000000000001 RDI:0000000000000000
+ [ 8531.197315] RBP: ffff9f344e930000 R08: 0000000000000001 R09:0000000000000000
+ [ 8531.199095] R10: 0000000000000000 R11: ffff9f34494d4ff8 R12:ffffb1ab86163dc0
+ [ 8531.200870] R13: ffff9f344e9300b0 R14: ffffb1ab86163db8 R15:0000000000000000
+ [ 8531.202707] FS:  00007fc68e949fc0(0000) GS:ffff9f34bd800000(0000)knlGS:0000000000000000
+ [ 8531.204851] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 8531.205942] CR2: 00007ffde8114dd8 CR3: 000000002dfbd000 CR4:00000000000006e0
+ [ 8531.207516] Call Trace:
+ [ 8531.208175]  btrfs_free_fs_roots+0xdb/0x170 [btrfs]
+ [ 8531.210209]  ? wait_for_completion+0x5b/0x190
+ [ 8531.211303]  close_ctree+0x157/0x350 [btrfs]
+ [ 8531.212412]  generic_shutdown_super+0x64/0x100
+ [ 8531.213485]  kill_anon_super+0x14/0x30
+ [ 8531.214430]  btrfs_kill_super+0x12/0xa0 [btrfs]
+ [ 8531.215539]  deactivate_locked_super+0x29/0x60
+ [ 8531.216633]  cleanup_mnt+0x3b/0x70
+ [ 8531.217497]  task_work_run+0x98/0xc0
+ [ 8531.218397]  exit_to_usermode_loop+0x83/0x90
+ [ 8531.219324]  do_syscall_64+0x15b/0x180
+ [ 8531.220192]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [ 8531.221286] RIP: 0033:0x7fc68e5e4d07
+ [ 8531.225621] RSP: 002b:00007ffde8116608 EFLAGS: 00000246 ORIG_RAX:00000000000000a6
+ [ 8531.227512] RAX: 0000000000000000 RBX: 00005580c2175970 RCX:00007fc68e5e4d07
+ [ 8531.229098] RDX: 0000000000000001 RSI: 0000000000000000 RDI:00005580c2175b80
+ [ 8531.230730] RBP: 0000000000000000 R08: 00005580c2175ba0 R09:00007ffde8114e80
+ [ 8531.232269] R10: 0000000000000000 R11: 0000000000000246 R12:00005580c2175b80
+ [ 8531.233839] R13: 00007fc68eac61c4 R14: 00005580c2175a68 R15:0000000000000000
+
+Leaving a tree in the rb-tree:
+
+3853 void btrfs_free_fs_root(struct btrfs_root *root)
+3854 {
+3855         iput(root->ino_cache_inode);
+3856         WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree));
+
+CC: stable@vger.kernel.org
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+[ add stacktrace ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/disk-io.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4111,6 +4111,14 @@ static void btrfs_destroy_all_ordered_ex
+               spin_lock(&fs_info->ordered_root_lock);
+       }
+       spin_unlock(&fs_info->ordered_root_lock);
++
++      /*
++       * We need this here because if we've been flipped read-only we won't
++       * get sync() from the umount, so we need to make sure any ordered
++       * extents that haven't had their dirty pages IO start writeout yet
++       * actually get run and error out properly.
++       */
++      btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1);
+ }
+ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
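Review bot: The two sentinel arguments on the added call `btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1);` are undocumented, and a reader checking this backport against upstream (which passed an unsigned maximum for the count) has to look up the 4.4 signature to confirm that `-1` is a valid "no limit" value for the count parameter. A short comment would settle it: `/* nr = -1: no limit on ordered extents; range 0..(u64)-1: whole address space */`, with the signed-count assumption confirmed against the 4.4 tree. The visible lines show `ordered_root_lock` dropped immediately before the wait, which is the right order since the wait can block; btrfs_destroy_all_ordered_extents begins outside the hunk, so no other held lock can be ruled out from here.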
diff --git a/queue-4.4/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch b/queue-4.4/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
new file mode 100644 (file)
index 0000000..8864b10
--- /dev/null
@@ -0,0 +1,116 @@
+From 8f9c469348487844328e162db57112f7d347c49f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 16 Dec 2018 23:23:22 -0800
+Subject: crypto: authenc - fix parsing key with misaligned rta_len
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 8f9c469348487844328e162db57112f7d347c49f upstream.
+
+Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
+'enckeylen', followed by an authentication key and an encryption key.
+crypto_authenc_extractkeys() parses the key to find the inner keys.
+
+However, it fails to consider the case where the rtattr's payload is
+longer than 4 bytes but not 4-byte aligned, and where the key ends
+before the next 4-byte aligned boundary.  In this case, 'keylen -=
+RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX.  This
+causes a buffer overread and crash during crypto_ahash_setkey().
+
+Fix it by restricting the rtattr payload to the expected size.
+
+Reproducer using AF_ALG:
+
+       #include <linux/if_alg.h>
+       #include <linux/rtnetlink.h>
+       #include <sys/socket.h>
+
+       int main()
+       {
+               int fd;
+               struct sockaddr_alg addr = {
+                       .salg_type = "aead",
+                       .salg_name = "authenc(hmac(sha256),cbc(aes))",
+               };
+               struct {
+                       struct rtattr attr;
+                       __be32 enckeylen;
+                       char keys[1];
+               } __attribute__((packed)) key = {
+                       .attr.rta_len = sizeof(key),
+                       .attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
+               };
+
+               fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+               bind(fd, (void *)&addr, sizeof(addr));
+               setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
+       }
+
+It caused:
+
+       BUG: unable to handle kernel paging request at ffff88007ffdc000
+       PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
+       Oops: 0000 [#1] SMP
+       CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
+       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
+       RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
+       [...]
+       Call Trace:
+        sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
+        crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
+        shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
+        crypto_shash_digest+0x24/0x40 crypto/shash.c:202
+        hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
+        crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
+        shash_async_setkey+0x10/0x20 crypto/shash.c:223
+        crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
+        crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
+        crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
+        aead_setkey+0xc/0x10 crypto/algif_aead.c:526
+        alg_setkey crypto/af_alg.c:223 [inline]
+        alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
+        __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
+        __do_sys_setsockopt net/socket.c:1913 [inline]
+        __se_sys_setsockopt net/socket.c:1910 [inline]
+        __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
+        do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
+        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself")
+Cc: <stable@vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/authenc.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct cr
+               return -EINVAL;
+       if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
+               return -EINVAL;
+-      if (RTA_PAYLOAD(rta) < sizeof(*param))
++
++      /*
++       * RTA_OK() didn't align the rtattr's payload when validating that it
++       * fits in the buffer.  Yet, the keys should start on the next 4-byte
++       * aligned boundary.  To avoid confusion, require that the rtattr
++       * payload be exactly the param struct, which has a 4-byte aligned size.
++       */
++      if (RTA_PAYLOAD(rta) != sizeof(*param))
+               return -EINVAL;
++      BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
+       param = RTA_DATA(rta);
+       keys->enckeylen = be32_to_cpu(param->enckeylen);
+-      key += RTA_ALIGN(rta->rta_len);
+-      keylen -= RTA_ALIGN(rta->rta_len);
++      key += rta->rta_len;
++      keylen -= rta->rta_len;
+       if (keylen < keys->enckeylen)
+               return -EINVAL;
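Review bot: The unsigned subtraction `keylen -= rta->rta_len;` is now safe only through two checks, one of which lies outside the hunk: `RTA_OK()` (above the hunk, referenced in the new comment) bounds `rta_len` by `keylen`, and the new `RTA_PAYLOAD(rta) != sizeof(*param)` test pins `rta_len` to an aligned length, so dropping `RTA_ALIGN()` can no longer step past the end of the key. A one-line comment on the subtraction would make that dependency explicit for the next person who touches the length handling: `/* RTA_OK() above guarantees rta_len <= keylen, so this cannot underflow */`. The stricter equality test also rejects keys that were previously accepted with an oversized rtattr payload, which is intended but worth stating in the backport notes. crypto_authenc_extractkeys starts and ends outside the hunk.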
diff --git a/queue-4.4/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch b/queue-4.4/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
new file mode 100644 (file)
index 0000000..951a78e
--- /dev/null
@@ -0,0 +1,67 @@
+From a7773363624b034ab198c738661253d20a8055c2 Mon Sep 17 00:00:00 2001
+From: Harsh Jain <harsh@chelsio.com>
+Date: Thu, 3 Jan 2019 14:21:05 +0530
+Subject: crypto: authencesn - Avoid twice completion call in decrypt path
+
+From: Harsh Jain <harsh@chelsio.com>
+
+commit a7773363624b034ab198c738661253d20a8055c2 upstream.
+
+Authencesn template in decrypt path unconditionally calls aead_request_complete
+after ahash_verify which leads to following kernel panic in after decryption.
+
+[  338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+[  338.548372] PGD 0 P4D 0
+[  338.551157] Oops: 0000 [#1] SMP PTI
+[  338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G        W I       4.19.7+ #13
+[  338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0        07/29/10
+[  338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
+[  338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
+[  338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
+[  338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
+[  338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
+[  338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
+[  338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
+[  338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
+[  338.643234] FS:  0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
+[  338.652047] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
+[  338.666382] Call Trace:
+[  338.669051]  <IRQ>
+[  338.671254]  esp_input_done+0x12/0x20 [esp4]
+[  338.675922]  chcr_handle_resp+0x3b5/0x790 [chcr]
+[  338.680949]  cpl_fw6_pld_handler+0x37/0x60 [chcr]
+[  338.686080]  chcr_uld_rx_handler+0x22/0x50 [chcr]
+[  338.691233]  uldrx_handler+0x8c/0xc0 [cxgb4]
+[  338.695923]  process_responses+0x2f0/0x5d0 [cxgb4]
+[  338.701177]  ? bitmap_find_next_zero_area_off+0x3a/0x90
+[  338.706882]  ? matrix_alloc_area.constprop.7+0x60/0x90
+[  338.712517]  ? apic_update_irq_cfg+0x82/0xf0
+[  338.717177]  napi_rx_handler+0x14/0xe0 [cxgb4]
+[  338.722015]  net_rx_action+0x2aa/0x3e0
+[  338.726136]  __do_softirq+0xcb/0x280
+[  338.730054]  irq_exit+0xde/0xf0
+[  338.733504]  do_IRQ+0x54/0xd0
+[  338.736745]  common_interrupt+0xf/0xf
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...")
+Signed-off-by: Harsh Jain <harsh@chelsio.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/authencesn.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -276,7 +276,7 @@ static void authenc_esn_verify_ahash_don
+       struct aead_request *req = areq->data;
+       err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
+-      aead_request_complete(req, err);
++      authenc_esn_request_complete(req, err);
+ }
+ static int crypto_authenc_esn_decrypt(struct aead_request *req)
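Review bot: The replacement call `authenc_esn_request_complete(req, err);` refers to a helper whose definition is not in the hunk, so the backport should be checked to confirm the 4.4 crypto/authencesn.c already defines it with this signature; presumably it skips the completion when `crypto_authenc_esn_decrypt_tail()` returns -EINPROGRESS, which is what breaks the double completion described in the log. A brief comment on the call would record why the plain `aead_request_complete()` was wrong here, e.g. `/* the tail may complete asynchronously; never complete the request twice */`. authenc_esn_verify_ahash_done's signature is outside the hunk.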
diff --git a/queue-4.4/scsi-sd-fix-cache_type_store.patch b/queue-4.4/scsi-sd-fix-cache_type_store.patch
new file mode 100644 (file)
index 0000000..1cda750
--- /dev/null
@@ -0,0 +1,62 @@
+From 44759979a49bfd2d20d789add7fa81a21eb1a4ab Mon Sep 17 00:00:00 2001
+From: Ivan Mironov <mironov.ivan@gmail.com>
+Date: Sun, 23 Dec 2018 12:41:58 +0500
+Subject: scsi: sd: Fix cache_type_store()
+
+From: Ivan Mironov <mironov.ivan@gmail.com>
+
+commit 44759979a49bfd2d20d789add7fa81a21eb1a4ab upstream.
+
+Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may
+fail if device responds to MODE SENSE command with DPOFUA flag set, and
+then checks this flag to be not set on MODE SELECT command.
+
+In this scenario, when trying to change cache_type, write always fails:
+
+       # echo "none" >cache_type
+       bash: echo: write error: Invalid argument
+
+And following appears in dmesg:
+
+       [13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current]
+       [13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list
+
+From SBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC
+PARAMETER field in the mode parameter header:
+       ...
+       The write protect (WP) bit for mode data sent with a MODE SELECT
+       command shall be ignored by the device server.
+       ...
+       The DPOFUA bit is reserved for mode data sent with a MODE SELECT
+       command.
+       ...
+
+The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved
+and shall be set to zero.
+
+[mkp: shuffled commentary to commit description]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Mironov <mironov.ivan@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sd.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -207,6 +207,12 @@ cache_type_store(struct device *dev, str
+       sp = buffer_data[0] & 0x80 ? 1 : 0;
+       buffer_data[0] &= ~0x80;
++      /*
++       * Ensure WP, DPOFUA, and RESERVED fields are cleared in
++       * received mode parameter buffer before doing MODE SELECT.
++       */
++      data.device_specific = 0;
++
+       if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
+                            SD_MAX_RETRIES, &data, &sshdr)) {
+               if (scsi_sense_valid(&sshdr))
index eb6a3bef4031d6e20497ca99a8544f598790fffa..c1e9f08bce34976198c04593eb57f4f2241d9f34 100644 (file)
@@ -43,3 +43,8 @@ ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch
 net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch
 packet-do-not-leak-dev-refcounts-on-error-exit.patch
 ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch
+crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
+crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
+btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
+yama-check-for-pid-death-before-checking-ancestry.patch
+scsi-sd-fix-cache_type_store.patch
diff --git a/queue-4.4/yama-check-for-pid-death-before-checking-ancestry.patch b/queue-4.4/yama-check-for-pid-death-before-checking-ancestry.patch
new file mode 100644 (file)
index 0000000..28afcfe
--- /dev/null
@@ -0,0 +1,38 @@
+From 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 16 Jan 2019 10:31:09 -0800
+Subject: Yama: Check for pid death before checking ancestry
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.
+
+It's possible that a pid has died before we take the rcu lock, in which
+case we can't walk the ancestry list as it may be detached. Instead, check
+for death first before doing the walk.
+
+Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
+Fixes: 2d514487faf1 ("security: Yama LSM")
+Cc: stable@vger.kernel.org
+Suggested-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: James Morris <james.morris@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/yama/yama_lsm.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -288,7 +288,9 @@ static int yama_ptrace_access_check(stru
+                       break;
+               case YAMA_SCOPE_RELATIONAL:
+                       rcu_read_lock();
+-                      if (!task_is_descendant(current, child) &&
++                      if (!pid_alive(child))
++                              rc = -EPERM;
++                      if (!rc && !task_is_descendant(current, child) &&
+                           !ptracer_exception_found(current, child) &&
+                           !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
+                               rc = -EPERM;
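Review bot: The new guard `if (!pid_alive(child)) rc = -EPERM;` followed by `if (!rc && ...)` relies on `rc` being 0 when this case is entered; its initialization is outside the hunk and should be confirmed, although a stale non-zero `rc` would still deny access, so the construct fails closed either way. Denying a ptrace request on a task that has already exited is the correct default for an access check, and the comment could say why the walk is skipped: `/* an exited task may already be detached from its parent chain; deny rather than walk it */`. yama_ptrace_access_check begins and ends outside the hunk, so the matching `rcu_read_unlock()` is not visible here.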