--- /dev/null
+From ea1d1ca4025ac6c075709f549f9aa036b5b6597d Mon Sep 17 00:00:00 2001
+From: Su Yue <l@damenly.su>
+Date: Fri, 21 Jan 2022 17:33:35 +0800
+Subject: btrfs: tree-checker: check item_size for dev_item
+
+From: Su Yue <l@damenly.su>
+
+commit ea1d1ca4025ac6c075709f549f9aa036b5b6597d upstream.
+
+Check item size before accessing the device item to avoid out of bound
+access, similar to inode_item check.
+
+Signed-off-by: Su Yue <l@damenly.su>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-checker.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -965,6 +965,7 @@ static int check_dev_item(struct extent_
+ struct btrfs_key *key, int slot)
+ {
+ struct btrfs_dev_item *ditem;
++ const u32 item_size = btrfs_item_size_nr(leaf, slot);
+
+ if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
+ dev_item_err(leaf, slot,
+@@ -972,6 +973,13 @@ static int check_dev_item(struct extent_
+ key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
+ return -EUCLEAN;
+ }
++
++ if (unlikely(item_size != sizeof(*ditem))) {
++ dev_item_err(leaf, slot, "invalid item size: has %u expect %zu",
++ item_size, sizeof(*ditem));
++ return -EUCLEAN;
++ }
++
+ ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
+ if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
+ dev_item_err(leaf, slot,
--- /dev/null
+From 0c982944af27d131d3b74242f3528169f66950ad Mon Sep 17 00:00:00 2001
+From: Su Yue <l@damenly.su>
+Date: Fri, 21 Jan 2022 17:33:34 +0800
+Subject: btrfs: tree-checker: check item_size for inode_item
+
+From: Su Yue <l@damenly.su>
+
+commit 0c982944af27d131d3b74242f3528169f66950ad upstream.
+
+while mounting the crafted image, out-of-bounds access happens:
+
+ [350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1
+ [350.429636] index 1048096 is out of range for type 'page *[16]'
+ [350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
+ [350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ [350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
+ [350.429772] Call Trace:
+ [350.429774] <TASK>
+ [350.429776] dump_stack_lvl+0x47/0x5c
+ [350.429780] ubsan_epilogue+0x5/0x50
+ [350.429786] __ubsan_handle_out_of_bounds+0x66/0x70
+ [350.429791] btrfs_get_16+0xfd/0x120 [btrfs]
+ [350.429832] check_leaf+0x754/0x1a40 [btrfs]
+ [350.429874] ? filemap_read+0x34a/0x390
+ [350.429878] ? load_balance+0x175/0xfc0
+ [350.429881] validate_extent_buffer+0x244/0x310 [btrfs]
+ [350.429911] btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
+ [350.429935] end_bio_extent_readpage+0x3af/0x850 [btrfs]
+ [350.429969] ? newidle_balance+0x259/0x480
+ [350.429972] end_workqueue_fn+0x29/0x40 [btrfs]
+ [350.429995] btrfs_work_helper+0x71/0x330 [btrfs]
+ [350.430030] ? __schedule+0x2fb/0xa40
+ [350.430033] process_one_work+0x1f6/0x400
+ [350.430035] ? process_one_work+0x400/0x400
+ [350.430036] worker_thread+0x2d/0x3d0
+ [350.430037] ? process_one_work+0x400/0x400
+ [350.430038] kthread+0x165/0x190
+ [350.430041] ? set_kthread_struct+0x40/0x40
+ [350.430043] ret_from_fork+0x1f/0x30
+ [350.430047] </TASK>
+ [350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2
+
+check_leaf() is checking the leaf:
+
+ corrupt leaf: root=4 block=29396992 slot=1, bad key order, prev (16140901064495857664 1 0) current (1 204 12582912)
+ leaf 29396992 items 6 free space 3565 generation 6 owner DEV_TREE
+ leaf 29396992 flags 0x1(WRITTEN) backref revision 1
+ fs uuid a62e00e8-e94e-4200-8217-12444de93c2e
+ chunk uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8
+ item 0 key (16140901064495857664 INODE_ITEM 0) itemoff 3955 itemsize 40
+ generation 0 transid 0 size 0 nbytes 17592186044416
+ block group 0 mode 52667 links 33 uid 0 gid 2104132511 rdev 94223634821136
+ sequence 100305 flags 0x2409000(none)
+ atime 0.0 (1970-01-01 08:00:00)
+ ctime 2973280098083405823.4294967295 (-269783007-01-01 21:37:03)
+ mtime 18446744071572723616.4026825121 (1902-04-16 12:40:00)
+ otime 9249929404488876031.4294967295 (622322949-04-16 04:25:58)
+ item 1 key (1 DEV_EXTENT 12582912) itemoff 3907 itemsize 48
+ dev extent chunk_tree 3
+ chunk_objectid 256 chunk_offset 12582912 length 8388608
+ chunk_tree_uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8
+
+The corrupted leaf of device tree has an inode item. The leaf passed
+checksum and others checks in validate_extent_buffer until check_leaf_item().
+Because of the key type BTRFS_INODE_ITEM, check_inode_item() is called even we
+are in the device tree. Since the
+item offset + sizeof(struct btrfs_inode_item) > eb->len, out-of-bounds access
+is triggered.
+
+The item end vs leaf boundary check has been done before
+check_leaf_item(), so fix it by checking item size in check_inode_item()
+before access of the inode item in extent buffer.
+
+Other check functions except check_dev_item() in check_leaf_item()
+have their item size checks.
+The commit for check_dev_item() is followed.
+
+No regression observed during running fstests.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215299
+CC: stable@vger.kernel.org # 5.10+
+CC: Wenqing Liu <wenqingliu0120@gmail.com>
+Signed-off-by: Su Yue <l@damenly.su>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-checker.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1007,6 +1007,7 @@ static int check_inode_item(struct exten
+ struct btrfs_inode_item *iitem;
+ u64 super_gen = btrfs_super_generation(fs_info->super_copy);
+ u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777);
++ const u32 item_size = btrfs_item_size_nr(leaf, slot);
+ u32 mode;
+ int ret;
+ u32 flags;
+@@ -1016,6 +1017,12 @@ static int check_inode_item(struct exten
+ if (unlikely(ret < 0))
+ return ret;
+
++ if (unlikely(item_size != sizeof(*iitem))) {
++ generic_err(leaf, slot, "invalid item size: has %u expect %zu",
++ item_size, sizeof(*iitem));
++ return -EUCLEAN;
++ }
++
+ iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item);
+
+ /* Here we use super block generation + 1 to handle log tree */
--- /dev/null
+From 05c7b7a92cc87ff8d7fde189d0fade250697573c Mon Sep 17 00:00:00 2001
+From: Zhang Qiao <zhangqiao22@huawei.com>
+Date: Fri, 21 Jan 2022 18:12:10 +0800
+Subject: cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhang Qiao <zhangqiao22@huawei.com>
+
+commit 05c7b7a92cc87ff8d7fde189d0fade250697573c upstream.
+
+As previously discussed(https://lkml.org/lkml/2022/1/20/51),
+cpuset_attach() is affected with similar cpu hotplug race,
+as follow scenario:
+
+ cpuset_attach() cpu hotplug
+ --------------------------- ----------------------
+ down_write(cpuset_rwsem)
+ guarantee_online_cpus() // (load cpus_attach)
+ sched_cpu_deactivate
+ set_cpu_active()
+ // will change cpu_active_mask
+ set_cpus_allowed_ptr(cpus_attach)
+ __set_cpus_allowed_ptr_locked()
+ // (if the intersection of cpus_attach and
+ cpu_active_mask is empty, will return -EINVAL)
+ up_write(cpuset_rwsem)
+
+To avoid races such as described above, protect cpuset_attach() call
+with cpu_hotplug_lock.
+
+Fixes: be367d099270 ("cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time")
+Cc: stable@vger.kernel.org # v2.6.32+
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Zhang Qiao <zhangqiao22@huawei.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2269,6 +2269,7 @@ static void cpuset_attach(struct cgroup_
+ cgroup_taskset_first(tset, &css);
+ cs = css_cs(css);
+
++ cpus_read_lock();
+ percpu_down_write(&cpuset_rwsem);
+
+ guarantee_online_mems(cs, &cpuset_attach_nodemask_to);
+@@ -2322,6 +2323,7 @@ static void cpuset_attach(struct cgroup_
+ wake_up(&cpuset_attach_wq);
+
+ percpu_up_write(&cpuset_rwsem);
++ cpus_read_unlock();
+ }
+
+ /* The various types of files and directories in a cpuset file system */
--- /dev/null
+From 467a726b754f474936980da793b4ff2ec3e382a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Thu, 17 Feb 2022 17:11:28 +0100
+Subject: cgroup-v1: Correct privileges check in release_agent writes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+commit 467a726b754f474936980da793b4ff2ec3e382a7 upstream.
+
+The idea is to check: a) the owning user_ns of cgroup_ns, b)
+capabilities in init_user_ns.
+
+The commit 24f600856418 ("cgroup-v1: Require capabilities to set
+release_agent") got this wrong in the write handler of release_agent
+since it checked user_ns of the opener (may be different from the owning
+user_ns of cgroup_ns).
+Secondly, to avoid possibly confused deputy, the capability of the
+opener must be checked.
+
+Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cgroup-v1.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -546,6 +546,7 @@ static ssize_t cgroup_release_agent_writ
+ char *buf, size_t nbytes, loff_t off)
+ {
+ struct cgroup *cgrp;
++ struct cgroup_file_ctx *ctx;
+
+ BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+
+@@ -553,8 +554,9 @@ static ssize_t cgroup_release_agent_writ
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+- if ((of->file->f_cred->user_ns != &init_user_ns) ||
+- !capable(CAP_SYS_ADMIN))
++ ctx = of->priv;
++ if ((ctx->ns->user_ns != &init_user_ns) ||
++ !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN))
+ return -EPERM;
+
+ cgrp = cgroup_kn_lock_live(of->kn, false);
--- /dev/null
+From willy@infradead.org Wed Feb 23 18:42:46 2022
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Wed, 23 Feb 2022 15:59:18 +0000
+Subject: mm/filemap: Fix handling of THPs in generic_file_buffered_read()
+To: stable@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kirill.shutemov@linux.intel.com, Song Liu <songliubraving@fb.com>
+Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>, Adam Majer <amajer@suse.com>, Dirk Mueller <dmueller@suse.com>, Takashi Iwai <tiwai@suse.de>, Vlastimil Babka <vbabka@suse.cz>
+Message-ID: <20220223155918.927140-1-willy@infradead.org>
+
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+
+When a THP is present in the page cache, we can return it several times,
+leading to userspace seeing the same data repeatedly if doing a read()
+that crosses a 64-page boundary. This is probably not a security issue
+(since the data all comes from the same file), but it can be interpreted
+as a transient data corruption issue. Fortunately, it is very rare as
+it can only occur when CONFIG_READ_ONLY_THP_FOR_FS is enabled, and it can
+only happen to executables. We don't often call read() on executables.
+
+This bug is fixed differently in v5.17 by commit 6b24ca4a1a8d
+("mm: Use multi-index entries in the page cache"). That commit is
+unsuitable for backporting, so fix this in the clearest way. It
+sacrifices a little performance for clarity, but this should never
+be a performance path in these kernel versions.
+
+Fixes: cbd59c48ae2b ("mm/filemap: use head pages in generic_file_buffered_read")
+Cc: stable@vger.kernel.org # v5.15, v5.16
+Link: https://lore.kernel.org/r/df3b5d1c-a36b-2c73-3e27-99e74983de3a@suse.cz/
+Analyzed-by: Adam Majer <amajer@suse.com>
+Analyzed-by: Dirk Mueller <dmueller@suse.com>
+Bisected-by: Takashi Iwai <tiwai@suse.de>
+Reported-by: Vlastimil Babka <vbabka@suse.cz>
+Tested-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2365,8 +2365,12 @@ static void filemap_get_read_batch(struc
+ break;
+ if (PageReadahead(head))
+ break;
+- xas.xa_index = head->index + thp_nr_pages(head) - 1;
+- xas.xa_offset = (xas.xa_index >> xas.xa_shift) & XA_CHUNK_MASK;
++ if (PageHead(head)) {
++ xas_set(&xas, head->index + thp_nr_pages(head));
++ /* Handle wrap correctly */
++ if (xas.xa_index - 1 >= max)
++ break;
++ }
+ continue;
+ put_page:
+ put_page(head);
--- /dev/null
+mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch
+cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch
+cgroup-v1-correct-privileges-check-in-release_agent-writes.patch
+btrfs-tree-checker-check-item_size-for-inode_item.patch
+btrfs-tree-checker-check-item_size-for-dev_item.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
