From: Greg Kroah-Hartman Date: Mon, 20 Feb 2023 11:20:36 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.14.306~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=278c934d81aa4ec5c0cb3662438a57e220cbba1d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: kvm-initialize-all-of-the-kvm_debugregs-structure-before-sending-it-to-userspace.patch nilfs2-fix-underflow-in-second-superblock-position-calculations.patch --- diff --git a/queue-4.19/kvm-initialize-all-of-the-kvm_debugregs-structure-before-sending-it-to-userspace.patch b/queue-4.19/kvm-initialize-all-of-the-kvm_debugregs-structure-before-sending-it-to-userspace.patch new file mode 100644 index 00000000000..d6f9a538be3 --- /dev/null +++ b/queue-4.19/kvm-initialize-all-of-the-kvm_debugregs-structure-before-sending-it-to-userspace.patch @@ -0,0 +1,53 @@ +From 2c10b61421a28e95a46ab489fd56c0f442ff6952 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 14 Feb 2023 11:33:04 +0100 +Subject: kvm: initialize all of the kvm_debugregs structure before sending it to userspace + +From: Greg Kroah-Hartman + +commit 2c10b61421a28e95a46ab489fd56c0f442ff6952 upstream. + +When calling the KVM_GET_DEBUGREGS ioctl, on some configurations, there +might be some unitialized portions of the kvm_debugregs structure that +could be copied to userspace. Prevent this as is done in the other kvm +ioctls, by setting the whole structure to 0 before copying anything into +it. + +Bonus is that this reduces the lines of code as the explicit flag +setting and reserved space zeroing out can be removed. + +Cc: Sean Christopherson +Cc: Paolo Bonzini +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: +Cc: "H. Peter Anvin" +Cc: stable +Reported-by: Xingyuan Mo +Signed-off-by: Greg Kroah-Hartman +Message-Id: <20230214103304.3689213-1-gregkh@linuxfoundation.org> +Tested-by: Xingyuan Mo +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3637,12 +3637,11 @@ static void kvm_vcpu_ioctl_x86_get_debug + { + unsigned long val; + ++ memset(dbgregs, 0, sizeof(*dbgregs)); + memcpy(dbgregs->db, vcpu->arch.db, sizeof(vcpu->arch.db)); + kvm_get_dr(vcpu, 6, &val); + dbgregs->dr6 = val; + dbgregs->dr7 = vcpu->arch.dr7; +- dbgregs->flags = 0; +- memset(&dbgregs->reserved, 0, sizeof(dbgregs->reserved)); + } + + static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu, diff --git a/queue-4.19/nilfs2-fix-underflow-in-second-superblock-position-calculations.patch b/queue-4.19/nilfs2-fix-underflow-in-second-superblock-position-calculations.patch new file mode 100644 index 00000000000..39fab855bac --- /dev/null +++ b/queue-4.19/nilfs2-fix-underflow-in-second-superblock-position-calculations.patch @@ -0,0 +1,135 @@ +From 99b9402a36f0799f25feee4465bfa4b8dfa74b4d Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Wed, 15 Feb 2023 07:40:43 +0900 +Subject: nilfs2: fix underflow in second superblock position calculations + +From: Ryusuke Konishi + +commit 99b9402a36f0799f25feee4465bfa4b8dfa74b4d upstream. + +Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second +superblock, underflows when the argument device size is less than 4096 +bytes. Therefore, when using this macro, it is necessary to check in +advance that the device size is not less than a lower limit, or at least +that underflow does not occur. + +The current nilfs2 implementation lacks this check, causing out-of-bound +block access when mounting devices smaller than 4096 bytes: + + I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 + phys_seg 1 prio class 2 + NILFS (loop0): unable to read secondary superblock (blocksize = 1024) + +In addition, when trying to resize the filesystem to a size below 4096 +bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number +of segments to nilfs_sufile_resize(), corrupting parameters such as the +number of segments in superblocks. This causes excessive loop iterations +in nilfs_sufile_resize() during a subsequent resize ioctl, causing +semaphore ns_segctor_sem to block for a long time and hang the writer +thread: + + INFO: task segctord:5067 blocked for more than 143 seconds. + Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:segctord state:D stack:23456 pid:5067 ppid:2 + flags:0x00004000 + Call Trace: + + context_switch kernel/sched/core.c:5293 [inline] + __schedule+0x1409/0x43f0 kernel/sched/core.c:6606 + schedule+0xc3/0x190 kernel/sched/core.c:6682 + rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190 + nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357 + nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline] + nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570 + kthread+0x270/0x300 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + + ... + Call Trace: + + folio_mark_accessed+0x51c/0xf00 mm/swap.c:515 + __nilfs_get_page_block fs/nilfs2/page.c:42 [inline] + nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61 + nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121 + nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176 + nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251 + nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline] + nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline] + nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777 + nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422 + nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline] + nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301 + ... + +This fixes these issues by inserting appropriate minimum device size +checks or anti-underflow checks, depending on where the macro is used. + +Link: https://lkml.kernel.org/r/0000000000004e1dfa05f4a48e6b@google.com +Link: https://lkml.kernel.org/r/20230214224043.24141-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/ioctl.c | 7 +++++++ + fs/nilfs2/super.c | 9 +++++++++ + fs/nilfs2/the_nilfs.c | 8 +++++++- + 3 files changed, 23 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/ioctl.c ++++ b/fs/nilfs2/ioctl.c +@@ -1135,7 +1135,14 @@ static int nilfs_ioctl_set_alloc_range(s + + minseg = range[0] + segbytes - 1; + do_div(minseg, segbytes); ++ ++ if (range[1] < 4096) ++ goto out; ++ + maxseg = NILFS_SB2_OFFSET_BYTES(range[1]); ++ if (maxseg < segbytes) ++ goto out; ++ + do_div(maxseg, segbytes); + maxseg--; + +--- a/fs/nilfs2/super.c ++++ b/fs/nilfs2/super.c +@@ -411,6 +411,15 @@ int nilfs_resize_fs(struct super_block * + goto out; + + /* ++ * Prevent underflow in second superblock position calculation. ++ * The exact minimum size check is done in nilfs_sufile_resize(). ++ */ ++ if (newsize < 4096) { ++ ret = -ENOSPC; ++ goto out; ++ } ++ ++ /* + * Write lock is required to protect some functions depending + * on the number of segments, the number of reserved segments, + * and so forth. +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -517,9 +517,15 @@ static int nilfs_load_super_block(struct + { + struct nilfs_super_block **sbp = nilfs->ns_sbp; + struct buffer_head **sbh = nilfs->ns_sbh; +- u64 sb2off = NILFS_SB2_OFFSET_BYTES(nilfs->ns_bdev->bd_inode->i_size); ++ u64 sb2off, devsize = nilfs->ns_bdev->bd_inode->i_size; + int valid[2], swp = 0; + ++ if (devsize < NILFS_SEG_MIN_BLOCKS * NILFS_MIN_BLOCK_SIZE + 4096) { ++ nilfs_msg(sb, KERN_ERR, "device size too small"); ++ return -EINVAL; ++ } ++ sb2off = NILFS_SB2_OFFSET_BYTES(devsize); ++ + sbp[0] = nilfs_read_super_block(sb, NILFS_SB_OFFSET_BYTES, blocksize, + &sbh[0]); + sbp[1] = nilfs_read_super_block(sb, sb2off, blocksize, &sbh[1]); diff --git a/queue-4.19/series b/queue-4.19/series index 5fbda07667b..81be78c4509 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -84,3 +84,5 @@ net-mpls-fix-stale-pointer-if-allocation-fails-during-device-rename.patch ipv6-fix-datagram-socket-connection-with-dscp.patch ipv6-fix-tcp-socket-connection-with-dscp.patch i40e-add-checking-for-null-for-nlmsg_find_attr.patch +kvm-initialize-all-of-the-kvm_debugregs-structure-before-sending-it-to-userspace.patch +nilfs2-fix-underflow-in-second-superblock-position-calculations.patch