5.15-stable patches

added patches:
	btrfs-tree-checker-check-item_size-for-dev_item.patch
	btrfs-tree-checker-check-item_size-for-inode_item.patch
	cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch
	cgroup-v1-correct-privileges-check-in-release_agent-writes.patch
	x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch

diff --git a/queue-5.15/btrfs-tree-checker-check-item_size-for-dev_item.patch b/queue-5.15/btrfs-tree-checker-check-item_size-for-dev_item.patch
new file mode 100644 (file)
index 0000000..b0cc4b5
--- /dev/null
+++ b/queue-5.15/btrfs-tree-checker-check-item_size-for-dev_item.patch
@@ -0,0 +1,44 @@
+From ea1d1ca4025ac6c075709f549f9aa036b5b6597d Mon Sep 17 00:00:00 2001
+From: Su Yue <l@damenly.su>
+Date: Fri, 21 Jan 2022 17:33:35 +0800
+Subject: btrfs: tree-checker: check item_size for dev_item
+
+From: Su Yue <l@damenly.su>
+
+commit ea1d1ca4025ac6c075709f549f9aa036b5b6597d upstream.
+
+Check item size before accessing the device item to avoid out of bound
+access, similar to inode_item check.
+
+Signed-off-by: Su Yue <l@damenly.su>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-checker.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -965,6 +965,7 @@ static int check_dev_item(struct extent_
+                         struct btrfs_key *key, int slot)
+ {
+       struct btrfs_dev_item *ditem;
++      const u32 item_size = btrfs_item_size_nr(leaf, slot);
+ 
+       if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
+               dev_item_err(leaf, slot,
+@@ -972,6 +973,13 @@ static int check_dev_item(struct extent_
+                            key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
+               return -EUCLEAN;
+       }
++
++      if (unlikely(item_size != sizeof(*ditem))) {
++              dev_item_err(leaf, slot, "invalid item size: has %u expect %zu",
++                           item_size, sizeof(*ditem));
++              return -EUCLEAN;
++      }
++
+       ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
+       if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
+               dev_item_err(leaf, slot,

diff --git a/queue-5.15/btrfs-tree-checker-check-item_size-for-inode_item.patch b/queue-5.15/btrfs-tree-checker-check-item_size-for-inode_item.patch
new file mode 100644 (file)
index 0000000..ca374fa
--- /dev/null
+++ b/queue-5.15/btrfs-tree-checker-check-item_size-for-inode_item.patch
@@ -0,0 +1,113 @@
+From 0c982944af27d131d3b74242f3528169f66950ad Mon Sep 17 00:00:00 2001
+From: Su Yue <l@damenly.su>
+Date: Fri, 21 Jan 2022 17:33:34 +0800
+Subject: btrfs: tree-checker: check item_size for inode_item
+
+From: Su Yue <l@damenly.su>
+
+commit 0c982944af27d131d3b74242f3528169f66950ad upstream.
+
+while mounting the crafted image, out-of-bounds access happens:
+
+  [350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1
+  [350.429636] index 1048096 is out of range for type 'page *[16]'
+  [350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
+  [350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+  [350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
+  [350.429772] Call Trace:
+  [350.429774]  <TASK>
+  [350.429776]  dump_stack_lvl+0x47/0x5c
+  [350.429780]  ubsan_epilogue+0x5/0x50
+  [350.429786]  __ubsan_handle_out_of_bounds+0x66/0x70
+  [350.429791]  btrfs_get_16+0xfd/0x120 [btrfs]
+  [350.429832]  check_leaf+0x754/0x1a40 [btrfs]
+  [350.429874]  ? filemap_read+0x34a/0x390
+  [350.429878]  ? load_balance+0x175/0xfc0
+  [350.429881]  validate_extent_buffer+0x244/0x310 [btrfs]
+  [350.429911]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
+  [350.429935]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
+  [350.429969]  ? newidle_balance+0x259/0x480
+  [350.429972]  end_workqueue_fn+0x29/0x40 [btrfs]
+  [350.429995]  btrfs_work_helper+0x71/0x330 [btrfs]
+  [350.430030]  ? __schedule+0x2fb/0xa40
+  [350.430033]  process_one_work+0x1f6/0x400
+  [350.430035]  ? process_one_work+0x400/0x400
+  [350.430036]  worker_thread+0x2d/0x3d0
+  [350.430037]  ? process_one_work+0x400/0x400
+  [350.430038]  kthread+0x165/0x190
+  [350.430041]  ? set_kthread_struct+0x40/0x40
+  [350.430043]  ret_from_fork+0x1f/0x30
+  [350.430047]  </TASK>
+  [350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2
+
+check_leaf() is checking the leaf:
+
+  corrupt leaf: root=4 block=29396992 slot=1, bad key order, prev (16140901064495857664 1 0) current (1 204 12582912)
+  leaf 29396992 items 6 free space 3565 generation 6 owner DEV_TREE
+  leaf 29396992 flags 0x1(WRITTEN) backref revision 1
+  fs uuid a62e00e8-e94e-4200-8217-12444de93c2e
+  chunk uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8
+         item 0 key (16140901064495857664 INODE_ITEM 0) itemoff 3955 itemsize 40
+                 generation 0 transid 0 size 0 nbytes 17592186044416
+                 block group 0 mode 52667 links 33 uid 0 gid 2104132511 rdev 94223634821136
+                 sequence 100305 flags 0x2409000(none)
+                 atime 0.0 (1970-01-01 08:00:00)
+                 ctime 2973280098083405823.4294967295 (-269783007-01-01 21:37:03)
+                 mtime 18446744071572723616.4026825121 (1902-04-16 12:40:00)
+                 otime 9249929404488876031.4294967295 (622322949-04-16 04:25:58)
+         item 1 key (1 DEV_EXTENT 12582912) itemoff 3907 itemsize 48
+                 dev extent chunk_tree 3
+                 chunk_objectid 256 chunk_offset 12582912 length 8388608
+                 chunk_tree_uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8
+
+The corrupted leaf of device tree has an inode item. The leaf passed
+checksum and others checks in validate_extent_buffer until check_leaf_item().
+Because of the key type BTRFS_INODE_ITEM, check_inode_item() is called even we
+are in the device tree. Since the
+item offset + sizeof(struct btrfs_inode_item) > eb->len, out-of-bounds access
+is triggered.
+
+The item end vs leaf boundary check has been done before
+check_leaf_item(), so fix it by checking item size in check_inode_item()
+before access of the inode item in extent buffer.
+
+Other check functions except check_dev_item() in check_leaf_item()
+have their item size checks.
+The commit for check_dev_item() is followed.
+
+No regression observed during running fstests.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215299
+CC: stable@vger.kernel.org # 5.10+
+CC: Wenqing Liu <wenqingliu0120@gmail.com>
+Signed-off-by: Su Yue <l@damenly.su>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-checker.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1007,6 +1007,7 @@ static int check_inode_item(struct exten
+       struct btrfs_inode_item *iitem;
+       u64 super_gen = btrfs_super_generation(fs_info->super_copy);
+       u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777);
++      const u32 item_size = btrfs_item_size_nr(leaf, slot);
+       u32 mode;
+       int ret;
+       u32 flags;
+@@ -1016,6 +1017,12 @@ static int check_inode_item(struct exten
+       if (unlikely(ret < 0))
+               return ret;
+ 
++      if (unlikely(item_size != sizeof(*iitem))) {
++              generic_err(leaf, slot, "invalid item size: has %u expect %zu",
++                          item_size, sizeof(*iitem));
++              return -EUCLEAN;
++      }
++
+       iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item);
+ 
+       /* Here we use super block generation + 1 to handle log tree */

diff --git a/queue-5.15/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch b/queue-5.15/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch
new file mode 100644 (file)
index 0000000..25d7133
--- /dev/null
+++ b/queue-5.15/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch
@@ -0,0 +1,62 @@
+From 05c7b7a92cc87ff8d7fde189d0fade250697573c Mon Sep 17 00:00:00 2001
+From: Zhang Qiao <zhangqiao22@huawei.com>
+Date: Fri, 21 Jan 2022 18:12:10 +0800
+Subject: cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhang Qiao <zhangqiao22@huawei.com>
+
+commit 05c7b7a92cc87ff8d7fde189d0fade250697573c upstream.
+
+As previously discussed(https://lkml.org/lkml/2022/1/20/51),
+cpuset_attach() is affected with similar cpu hotplug race,
+as follow scenario:
+
+     cpuset_attach()                           cpu hotplug
+    ---------------------------            ----------------------
+    down_write(cpuset_rwsem)
+    guarantee_online_cpus() // (load cpus_attach)
+                                       sched_cpu_deactivate
+                                         set_cpu_active()
+                                         // will change cpu_active_mask
+    set_cpus_allowed_ptr(cpus_attach)
+      __set_cpus_allowed_ptr_locked()
+       // (if the intersection of cpus_attach and
+         cpu_active_mask is empty, will return -EINVAL)
+    up_write(cpuset_rwsem)
+
+To avoid races such as described above, protect cpuset_attach() call
+with cpu_hotplug_lock.
+
+Fixes: be367d099270 ("cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time")
+Cc: stable@vger.kernel.org # v2.6.32+
+Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Zhang Qiao <zhangqiao22@huawei.com>
+Acked-by: Waiman Long <longman@redhat.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2249,6 +2249,7 @@ static void cpuset_attach(struct cgroup_
+       cgroup_taskset_first(tset, &css);
+       cs = css_cs(css);
+ 
++      cpus_read_lock();
+       percpu_down_write(&cpuset_rwsem);
+ 
+       guarantee_online_mems(cs, &cpuset_attach_nodemask_to);
+@@ -2302,6 +2303,7 @@ static void cpuset_attach(struct cgroup_
+               wake_up(&cpuset_attach_wq);
+ 
+       percpu_up_write(&cpuset_rwsem);
++      cpus_read_unlock();
+ }
+ 
+ /* The various types of files and directories in a cpuset file system */

diff --git a/queue-5.15/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch b/queue-5.15/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch
new file mode 100644 (file)
index 0000000..a1ecb4d
--- /dev/null
+++ b/queue-5.15/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch
@@ -0,0 +1,55 @@
+From 467a726b754f474936980da793b4ff2ec3e382a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Thu, 17 Feb 2022 17:11:28 +0100
+Subject: cgroup-v1: Correct privileges check in release_agent writes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+commit 467a726b754f474936980da793b4ff2ec3e382a7 upstream.
+
+The idea is to check: a) the owning user_ns of cgroup_ns, b)
+capabilities in init_user_ns.
+
+The commit 24f600856418 ("cgroup-v1: Require capabilities to set
+release_agent") got this wrong in the write handler of release_agent
+since it checked user_ns of the opener (may be different from the owning
+user_ns of cgroup_ns).
+Secondly, to avoid possibly confused deputy, the capability of the
+opener must be checked.
+
+Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Reviewed-by: Masami Ichikawa(CIP) <masami.ichikawa@cybertrust.co.jp>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cgroup-v1.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -549,6 +549,7 @@ static ssize_t cgroup_release_agent_writ
+                                         char *buf, size_t nbytes, loff_t off)
+ {
+       struct cgroup *cgrp;
++      struct cgroup_file_ctx *ctx;
+ 
+       BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ 
+@@ -556,8 +557,9 @@ static ssize_t cgroup_release_agent_writ
+        * Release agent gets called with all capabilities,
+        * require capabilities to set release agent.
+        */
+-      if ((of->file->f_cred->user_ns != &init_user_ns) ||
+-          !capable(CAP_SYS_ADMIN))
++      ctx = of->priv;
++      if ((ctx->ns->user_ns != &init_user_ns) ||
++          !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN))
+               return -EPERM;
+ 
+       cgrp = cgroup_kn_lock_live(of->kn, false);

diff --git a/queue-5.15/series b/queue-5.15/series
index 5f27f760ffa03f27d932326adac56c2a76ffbb04..31df633a32acb36ef9da04cc898f87b02ce4f5cb 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -1 +1,6 @@
 mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch
+cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch
+cgroup-v1-correct-privileges-check-in-release_agent-writes.patch
+x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch
+btrfs-tree-checker-check-item_size-for-inode_item.patch
+btrfs-tree-checker-check-item_size-for-dev_item.patch

diff --git a/queue-5.15/x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch b/queue-5.15/x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch
new file mode 100644 (file)
index 0000000..879c385
--- /dev/null
+++ b/queue-5.15/x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch
@@ -0,0 +1,87 @@
+From 44cad52cc14ae10062f142ec16ede489bccf4469 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Mon, 14 Feb 2022 13:05:49 +0100
+Subject: x86/ptrace: Fix xfpregs_set()'s incorrect xmm clearing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 44cad52cc14ae10062f142ec16ede489bccf4469 upstream.
+
+xfpregs_set() handles 32-bit REGSET_XFP and 64-bit REGSET_FP. The actual
+code treats these regsets as modern FX state (i.e. the beginning part of
+XSTATE). The declarations of the regsets thought they were the legacy
+i387 format. The code thought they were the 32-bit (no xmm8..15) variant
+of XSTATE and, for good measure, made the high bits disappear by zeroing
+the wrong part of the buffer. The latter broke ptrace, and everything
+else confused anyone trying to understand the code. In particular, the
+nonsense definitions of the regsets confused me when I wrote this code.
+
+Clean this all up. Change the declarations to match reality (which
+shouldn't change the generated code, let alone the ABI) and fix
+xfpregs_set() to clear the correct bits and to only do so for 32-bit
+callers.
+
+Fixes: 6164331d15f7 ("x86/fpu: Rewrite xfpregs_set()")
+Reported-by: Luís Ferreira <contact@lsferreira.net>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215524
+Link: https://lore.kernel.org/r/YgpFnZpF01WwR8wU@zn.tnic
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/fpu/regset.c |    9 ++++-----
+ arch/x86/kernel/ptrace.c     |    4 ++--
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/fpu/regset.c
++++ b/arch/x86/kernel/fpu/regset.c
+@@ -87,11 +87,9 @@ int xfpregs_set(struct task_struct *targ
+               const void *kbuf, const void __user *ubuf)
+ {
+       struct fpu *fpu = &target->thread.fpu;
+-      struct user32_fxsr_struct newstate;
++      struct fxregs_state newstate;
+       int ret;
+ 
+-      BUILD_BUG_ON(sizeof(newstate) != sizeof(struct fxregs_state));
+-
+       if (!cpu_feature_enabled(X86_FEATURE_FXSR))
+               return -ENODEV;
+ 
+@@ -112,9 +110,10 @@ int xfpregs_set(struct task_struct *targ
+       /* Copy the state  */
+       memcpy(&fpu->state.fxsave, &newstate, sizeof(newstate));
+ 
+-      /* Clear xmm8..15 */
++      /* Clear xmm8..15 for 32-bit callers */
+       BUILD_BUG_ON(sizeof(fpu->state.fxsave.xmm_space) != 16 * 16);
+-      memset(&fpu->state.fxsave.xmm_space[8], 0, 8 * 16);
++      if (in_ia32_syscall())
++              memset(&fpu->state.fxsave.xmm_space[8*4], 0, 8 * 16);
+ 
+       /* Mark FP and SSE as in use when XSAVE is enabled */
+       if (use_xsave())
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -1224,7 +1224,7 @@ static struct user_regset x86_64_regsets
+       },
+       [REGSET_FP] = {
+               .core_note_type = NT_PRFPREG,
+-              .n = sizeof(struct user_i387_struct) / sizeof(long),
++              .n = sizeof(struct fxregs_state) / sizeof(long),
+               .size = sizeof(long), .align = sizeof(long),
+               .active = regset_xregset_fpregs_active, .regset_get = xfpregs_get, .set = xfpregs_set
+       },
+@@ -1271,7 +1271,7 @@ static struct user_regset x86_32_regsets
+       },
+       [REGSET_XFP] = {
+               .core_note_type = NT_PRXFPREG,
+-              .n = sizeof(struct user32_fxsr_struct) / sizeof(u32),
++              .n = sizeof(struct fxregs_state) / sizeof(u32),
+               .size = sizeof(u32), .align = sizeof(u32),
+               .active = regset_xregset_fpregs_active, .regset_get = xfpregs_get, .set = xfpregs_set
+       },