--- /dev/null
+From d82dcd9e21b77d338dc4875f3d4111f0db314a7c Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Fri, 31 Mar 2023 14:32:18 +0200
+Subject: reiserfs: Add security prefix to xattr name in reiserfs_security_write()
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit d82dcd9e21b77d338dc4875f3d4111f0db314a7c upstream.
+
+Reiserfs sets a security xattr at inode creation time in two stages: first,
+it calls reiserfs_security_init() to obtain the xattr from active LSMs;
+then, it calls reiserfs_security_write() to actually write that xattr.
+
+Unfortunately, it seems there is a wrong expectation that LSMs provide the
+full xattr name in the form 'security.<suffix>'. However, LSMs always
+provided just the suffix, causing reiserfs to not write the xattr at all
+(if the suffix is shorter than the prefix), or to write an xattr with the
+wrong name.
+
+Add a temporary buffer in reiserfs_security_write(), and write to it the
+full xattr name, before passing it to reiserfs_xattr_set_handle().
+
+Also replace the name length check with a check that the full xattr name is
+not larger than XATTR_NAME_MAX.
+
+Cc: stable@vger.kernel.org # v2.6.x
+Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/reiserfs/xattr_security.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/reiserfs/xattr_security.c
++++ b/fs/reiserfs/xattr_security.c
+@@ -81,11 +81,15 @@ int reiserfs_security_write(struct reise
+ struct inode *inode,
+ struct reiserfs_security_handle *sec)
+ {
++ char xattr_name[XATTR_NAME_MAX + 1] = XATTR_SECURITY_PREFIX;
+ int error;
+- if (strlen(sec->name) < sizeof(XATTR_SECURITY_PREFIX))
++
++ if (XATTR_SECURITY_PREFIX_LEN + strlen(sec->name) > XATTR_NAME_MAX)
+ return -EINVAL;
+
+- error = reiserfs_xattr_set_handle(th, inode, sec->name, sec->value,
++ strlcat(xattr_name, sec->name, sizeof(xattr_name));
++
++ error = reiserfs_xattr_set_handle(th, inode, xattr_name, sec->value,
+ sec->length, XATTR_CREATE);
+ if (error == -ENODATA || error == -EOPNOTSUPP)
+ error = 0;
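Review bot: The return value of `strlcat()` on the added line is discarded, which is safe only because the preceding check already rejects any `sec->name` whose prefixed length exceeds XATTR_NAME_MAX; nothing in the hunk states that dependency. I would add a comment above the call, `/* Cannot truncate: prefix + name length was checked against XATTR_NAME_MAX above. */`, so a later edit to the check does not silently produce a truncated, and therefore wrong, security xattr name. `strlen(sec->name)` is also evaluated with no NULL test visible here; presumably the caller only invokes this when a name was obtained, but that should be confirmed. Both the signature and the end of reiserfs_security_write() lie outside the hunk.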
--- /dev/null
+From 675751bb20634f981498c7d66161584080cc061e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 27 Apr 2023 17:59:20 +0200
+Subject: ring-buffer: Sync IRQ works before buffer destruction
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 675751bb20634f981498c7d66161584080cc061e upstream.
+
+If something was written to the buffer just before destruction,
+it may be possible (maybe not in a real system, but it did
+happen in ARCH=um with time-travel) to destroy the ringbuffer
+before the IRQ work ran, leading this KASAN report (or a crash
+without KASAN):
+
+ BUG: KASAN: slab-use-after-free in irq_work_run_list+0x11a/0x13a
+ Read of size 8 at addr 000000006d640a48 by task swapper/0
+
+ CPU: 0 PID: 0 Comm: swapper Tainted: G W O 6.3.0-rc1 #7
+ Stack:
+ 60c4f20f 0c203d48 41b58ab3 60f224fc
+ 600477fa 60f35687 60c4f20f 601273dd
+ 00000008 6101eb00 6101eab0 615be548
+ Call Trace:
+ [<60047a58>] show_stack+0x25e/0x282
+ [<60c609e0>] dump_stack_lvl+0x96/0xfd
+ [<60c50d4c>] print_report+0x1a7/0x5a8
+ [<603078d3>] kasan_report+0xc1/0xe9
+ [<60308950>] __asan_report_load8_noabort+0x1b/0x1d
+ [<60232844>] irq_work_run_list+0x11a/0x13a
+ [<602328b4>] irq_work_tick+0x24/0x34
+ [<6017f9dc>] update_process_times+0x162/0x196
+ [<6019f335>] tick_sched_handle+0x1a4/0x1c3
+ [<6019fd9e>] tick_sched_timer+0x79/0x10c
+ [<601812b9>] __hrtimer_run_queues.constprop.0+0x425/0x695
+ [<60182913>] hrtimer_interrupt+0x16c/0x2c4
+ [<600486a3>] um_timer+0x164/0x183
+ [...]
+
+ Allocated by task 411:
+ save_stack_trace+0x99/0xb5
+ stack_trace_save+0x81/0x9b
+ kasan_save_stack+0x2d/0x54
+ kasan_set_track+0x34/0x3e
+ kasan_save_alloc_info+0x25/0x28
+ ____kasan_kmalloc+0x8b/0x97
+ __kasan_kmalloc+0x10/0x12
+ __kmalloc+0xb2/0xe8
+ load_elf_phdrs+0xee/0x182
+ [...]
+
+ The buggy address belongs to the object at 000000006d640800
+ which belongs to the cache kmalloc-1k of size 1024
+ The buggy address is located 584 bytes inside of
+ freed 1024-byte region [000000006d640800, 000000006d640c00)
+
+Add the appropriate irq_work_sync() so the work finishes before
+the buffers are destroyed.
+
+Prior to the commit in the Fixes tag below, there was only a
+single global IRQ work, so this issue didn't exist.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230427175920.a76159263122.I8295e405c44362a86c995e9c2c37e3e03810aa56@changeid
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Fixes: 15693458c4bc ("tracing/ring-buffer: Move poll wake ups into ring buffer code")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -1269,6 +1269,8 @@ static void rb_free_cpu_buffer(struct ri
+ struct list_head *head = cpu_buffer->pages;
+ struct buffer_page *bpage, *tmp;
+
++ irq_work_sync(&cpu_buffer->irq_work.work);
++
+ free_buffer_page(cpu_buffer->reader_page);
+
+ if (head) {
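Review bot: `irq_work_sync()` only waits for work that is already queued, so the added call in rb_free_cpu_buffer() protects the free only if nothing can queue `cpu_buffer->irq_work` again afterwards; the hunk does not show that writers are quiesced at this point. A comment should record that precondition, for example `/* Writers must be stopped by now; wait for a pending wakeup work before the pages are freed. */`. The same applies to the `irq_work_sync(&buffer->irq_work.work)` call added in the ring_buffer_free() hunk. Both functions start and end outside the visible hunks, so the callers' guarantees could not be checked from here.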
+@@ -1374,6 +1376,8 @@ ring_buffer_free(struct ring_buffer *buf
+
+ cpuhp_state_remove_instance(CPUHP_TRACE_RB_PREPARE, &buffer->node);
+
++ irq_work_sync(&buffer->irq_work.work);
++
+ for_each_buffer_cpu(buffer, cpu)
+ rb_free_cpu_buffer(buffer->buffers[cpu]);
+