--- /dev/null
+From 1da52815d5f1b654c89044db0cdc6adce43da1f1 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Mon, 29 Aug 2022 20:12:48 +0000
+Subject: binder: fix alloc->vma_vm_mm null-ptr dereference
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 1da52815d5f1b654c89044db0cdc6adce43da1f1 upstream.
+
+Syzbot reported a couple issues introduced by commit 44e602b4e52f
+("binder_alloc: add missing mmap_lock calls when using the VMA"), in
+which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not
+been initialized yet.
+
+This can happen if a binder_proc receives a transaction without having
+previously called mmap() to setup the binder_proc->alloc space in [1].
+Also, a similar issue occurs via binder_alloc_print_pages() when we try
+to dump the debugfs binder stats file in [2].
+
+Sample of syzbot's crash report:
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
+ CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0
+ syz-executor229[3755] cmdline: ./syz-executor2294415195
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
+ RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923
+ [...]
+ Call Trace:
+ <TASK>
+ lock_acquire kernel/locking/lockdep.c:5666 [inline]
+ lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
+ down_read+0x98/0x450 kernel/locking/rwsem.c:1499
+ mmap_read_lock include/linux/mmap_lock.h:117 [inline]
+ binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline]
+ binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593
+ binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199
+ binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986
+ binder_ioctl_write_read drivers/android/binder.c:5036 [inline]
+ binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:870 [inline]
+ __se_sys_ioctl fs/ioctl.c:856 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+ ==================================================================
+
+Fix these issues by setting up alloc->vma_vm_mm pointer during open()
+and caching directly from current->mm. This guarantees we have a valid
+reference to take the mmap_lock during scenarios described above.
+
+[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459
+[2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9
+
+Fixes: 44e602b4e52f ("binder_alloc: add missing mmap_lock calls when using the VMA")
+Cc: <stable@vger.kernel.org> # v5.15+
+Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
+Reported-by: syzbot+f7dc54e5be28950ac459@syzkaller.appspotmail.com
+Reported-by: syzbot+a75ebe0452711c9e56d9@syzkaller.appspotmail.com
+Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Acked-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20220829201254.1814484-2-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder_alloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -322,7 +322,6 @@ static inline void binder_alloc_set_vma(
+ */
+ if (vma) {
+ vm_start = vma->vm_start;
+- alloc->vma_vm_mm = vma->vm_mm;
+ mmap_assert_write_locked(alloc->vma_vm_mm);
+ } else {
+ mmap_assert_locked(alloc->vma_vm_mm);
+@@ -795,7 +794,6 @@ int binder_alloc_mmap_handler(struct bin
+ binder_insert_free_buffer(alloc, buffer);
+ alloc->free_async_space = alloc->buffer_size / 2;
+ binder_alloc_set_vma(alloc, vma);
+- mmgrab(alloc->vma_vm_mm);
+
+ return 0;
+
+@@ -1091,6 +1089,8 @@ static struct shrinker binder_shrinker =
+ void binder_alloc_init(struct binder_alloc *alloc)
+ {
+ alloc->pid = current->group_leader->pid;
++ alloc->vma_vm_mm = current->mm;
++ mmgrab(alloc->vma_vm_mm);
+ mutex_init(&alloc->mutex);
+ INIT_LIST_HEAD(&alloc->buffers);
+ }
--- /dev/null
+From a0e44c64b6061dda7e00b7c458e4523e2331b739 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Mon, 1 Aug 2022 18:25:11 +0000
+Subject: binder: fix UAF of ref->proc caused by race condition
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit a0e44c64b6061dda7e00b7c458e4523e2331b739 upstream.
+
+A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the
+reference for a node. In this case, the target proc normally releases
+the failed reference upon close as expected. However, if the target is
+dying in parallel the call will race with binder_deferred_release(), so
+the target could have released all of its references by now leaving the
+cleanup of the new failed reference unhandled.
+
+The transaction then ends and the target proc gets released making the
+ref->proc now a dangling pointer. Later on, ref->node is closed and we
+attempt to take spin_lock(&ref->proc->inner_lock), which leads to the
+use-after-free bug reported below. Let's fix this by cleaning up the
+failed reference on the spot instead of relying on the target to do so.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
+ Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590
+
+ CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
+ Hardware name: linux,dummy-virt (DT)
+ Workqueue: events binder_deferred_func
+ Call trace:
+ dump_backtrace.part.0+0x1d0/0x1e0
+ show_stack+0x18/0x70
+ dump_stack_lvl+0x68/0x84
+ print_report+0x2e4/0x61c
+ kasan_report+0xa4/0x110
+ kasan_check_range+0xfc/0x1a4
+ __kasan_check_write+0x3c/0x50
+ _raw_spin_lock+0xa8/0x150
+ binder_deferred_func+0x5e0/0x9b0
+ process_one_work+0x38c/0x5f0
+ worker_thread+0x9c/0x694
+ kthread+0x188/0x190
+ ret_from_fork+0x10/0x20
+
+Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Cc: stable <stable@kernel.org> # 4.14+
+Link: https://lore.kernel.org/r/20220801182511.3371447-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index c964d7c8c384..6428f6be69e3 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1385,6 +1385,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
+ }
+ ret = binder_inc_ref_olocked(ref, strong, target_list);
+ *rdata = ref->data;
++ if (ret && ref == new_ref) {
++ /*
++ * Cleanup the failed reference here as the target
++ * could now be dead and have already released its
++ * references by now. Calling on the new reference
++ * with strong=0 and a tmp_refs will not decrement
++ * the node. The new_ref gets kfree'd below.
++ */
++ binder_cleanup_ref_olocked(new_ref);
++ ref = NULL;
++ }
++
+ binder_proc_unlock(proc);
+ if (new_ref && ref != new_ref)
+ /*
+--
+2.37.3
+
--- /dev/null
+From 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Date: Tue, 30 Aug 2022 19:51:51 -0300
+Subject: cifs: fix small mempool leak in SMB2_negotiate()
+
+From: Enzo Matsumiya <ematsumiya@suse.de>
+
+commit 27893dfc1285f80f80f46b3b8c95f5d15d2e66d0 upstream.
+
+In some cases of failure (dialect mismatches) in SMB2_negotiate(), after
+the request is sent, the checks would return -EIO when they should be
+rather setting rc = -EIO and jumping to neg_exit to free the response
+buffer from mempool.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2pdu.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -964,16 +964,17 @@ SMB2_negotiate(const unsigned int xid,
+ } else if (rc != 0)
+ goto neg_exit;
+
++ rc = -EIO;
+ if (strcmp(server->vals->version_string,
+ SMB3ANY_VERSION_STRING) == 0) {
+ if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
+ cifs_server_dbg(VFS,
+ "SMB2 dialect returned but not requested\n");
+- return -EIO;
++ goto neg_exit;
+ } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
+ cifs_server_dbg(VFS,
+ "SMB2.1 dialect returned but not requested\n");
+- return -EIO;
++ goto neg_exit;
+ } else if (rsp->DialectRevision == cpu_to_le16(SMB311_PROT_ID)) {
+ /* ops set to 3.0 by default for default so update */
+ server->ops = &smb311_operations;
+@@ -984,7 +985,7 @@ SMB2_negotiate(const unsigned int xid,
+ if (rsp->DialectRevision == cpu_to_le16(SMB20_PROT_ID)) {
+ cifs_server_dbg(VFS,
+ "SMB2 dialect returned but not requested\n");
+- return -EIO;
++ goto neg_exit;
+ } else if (rsp->DialectRevision == cpu_to_le16(SMB21_PROT_ID)) {
+ /* ops set to 3.0 by default for default so update */
+ server->ops = &smb21_operations;
+@@ -998,7 +999,7 @@ SMB2_negotiate(const unsigned int xid,
+ /* if requested single dialect ensure returned dialect matched */
+ cifs_server_dbg(VFS, "Invalid 0x%x dialect returned: not requested\n",
+ le16_to_cpu(rsp->DialectRevision));
+- return -EIO;
++ goto neg_exit;
+ }
+
+ cifs_dbg(FYI, "mode 0x%x\n", rsp->SecurityMode);
+@@ -1016,9 +1017,10 @@ SMB2_negotiate(const unsigned int xid,
+ else {
+ cifs_server_dbg(VFS, "Invalid dialect returned by server 0x%x\n",
+ le16_to_cpu(rsp->DialectRevision));
+- rc = -EIO;
+ goto neg_exit;
+ }
++
++ rc = 0;
+ server->dialect = le16_to_cpu(rsp->DialectRevision);
+
+ /*
landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch
mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch
mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch
+binder-fix-uaf-of-ref-proc-caused-by-race-condition.patch
+binder-fix-alloc-vma_vm_mm-null-ptr-dereference.patch
+cifs-fix-small-mempool-leak-in-smb2_negotiate.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
