From: Greg Kroah-Hartman Date: Thu, 11 Oct 2018 13:34:12 +0000 (+0200) Subject: 4.18-stable patches X-Git-Tag: v3.18.124~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54545ec31954e022da27d2dd64e615049f3e8505;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: f2fs-fix-invalid-memory-access.patch tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch ubifs-check-for-name-being-null-while-mounting.patch ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch --- diff --git a/queue-4.18/f2fs-fix-invalid-memory-access.patch b/queue-4.18/f2fs-fix-invalid-memory-access.patch new file mode 100644 index 00000000000..82871dc9e42 --- /dev/null +++ b/queue-4.18/f2fs-fix-invalid-memory-access.patch @@ -0,0 +1,155 @@ +From d3f07c049dab1a3f1740f476afd3d5e5b738c21c Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Thu, 2 Aug 2018 22:59:12 +0800 +Subject: f2fs: fix invalid memory access + +From: Chao Yu + +commit d3f07c049dab1a3f1740f476afd3d5e5b738c21c upstream. + +syzbot found the following crash on: + +HEAD commit: d9bd94c0bcaa Add linux-next specific files for 20180801 +git tree: linux-next +console output: https://syzkaller.appspot.com/x/log.txt?x=1001189c400000 +kernel config: https://syzkaller.appspot.com/x/.config?x=cc8964ea4d04518c +dashboard link: https://syzkaller.appspot.com/bug?extid=c966a82db0b14aa37e81 +compiler: gcc (GCC) 8.0.1 20180413 (experimental) + +Unfortunately, I don't have any reproducer for this crash yet. + +IMPORTANT: if you fix the bug, please add the following tag to the commit: +Reported-by: syzbot+c966a82db0b14aa37e81@syzkaller.appspotmail.com + +loop7: rw=12288, want=8200, limit=20 +netlink: 65342 bytes leftover after parsing attributes in process `syz-executor4'. +openvswitch: netlink: Message has 8 unknown bytes. +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN +CPU: 1 PID: 7615 Comm: syz-executor7 Not tainted 4.18.0-rc7-next-20180801+ #29 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] +RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] +RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] +RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] +RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 +Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 +RSP: 0018:ffff8801937cebe8 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff8801937cef30 RCX: ffffc90006035000 +RDX: 0000000000000000 RSI: ffffffff82fd9658 RDI: 0000000000000005 +RBP: ffff8801937cef58 R08: ffff8801ab254700 R09: fffff94000d9e026 +R10: fffff94000d9e026 R11: ffffea0006cf0137 R12: fffffffffffffffb +R13: ffff8801937ceeb0 R14: 0000000000000003 R15: ffff880193419b40 +FS: 00007f36a61d5700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc04ff93000 CR3: 00000001d0562000 CR4: 00000000001426e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + f2fs_get_valid_checkpoint+0x436/0x1ec0 fs/f2fs/checkpoint.c:860 + f2fs_fill_super+0x2d42/0x8110 fs/f2fs/super.c:2883 + mount_bdev+0x314/0x3e0 fs/super.c:1344 + f2fs_mount+0x3c/0x50 fs/f2fs/super.c:3133 + legacy_get_tree+0x131/0x460 fs/fs_context.c:729 + vfs_get_tree+0x1cb/0x5c0 fs/super.c:1743 + do_new_mount fs/namespace.c:2603 [inline] + do_mount+0x6f2/0x1e20 fs/namespace.c:2927 + ksys_mount+0x12d/0x140 fs/namespace.c:3143 + __do_sys_mount fs/namespace.c:3157 [inline] + __se_sys_mount fs/namespace.c:3154 [inline] + __x64_sys_mount+0xbe/0x150 fs/namespace.c:3154 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x45943a +Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 bd 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 9a 8a fb ff c3 66 0f 1f 84 00 00 00 00 00 +RSP: 002b:00007f36a61d4a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 00007f36a61d4b30 RCX: 000000000045943a +RDX: 00007f36a61d4ad0 RSI: 0000000020000100 RDI: 00007f36a61d4af0 +RBP: 0000000020000100 R08: 00007f36a61d4b30 R09: 00007f36a61d4ad0 +R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000013 +R13: 0000000000000000 R14: 00000000004c8ea0 R15: 0000000000000000 +Modules linked in: +Dumping ftrace buffer: + (ftrace buffer empty) +---[ end trace bd8550c129352286 ]--- +RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] +RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] +RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] +RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] +RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 +Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 +RSP: 0018:ffff8801937cebe8 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff8801937cef30 RCX: ffffc90006035000 +RDX: 0000000000000000 RSI: ffffffff82fd9658 RDI: 0000000000000005 +netlink: 65342 bytes leftover after parsing attributes in process `syz-executor4'. +RBP: ffff8801937cef58 R08: ffff8801ab254700 R09: fffff94000d9e026 +openvswitch: netlink: Message has 8 unknown bytes. +R10: fffff94000d9e026 R11: ffffea0006cf0137 R12: fffffffffffffffb +R13: ffff8801937ceeb0 R14: 0000000000000003 R15: ffff880193419b40 +FS: 00007f36a61d5700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc04ff93000 CR3: 00000001d0562000 CR4: 00000000001426e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +In validate_checkpoint(), if we failed to call get_checkpoint_version(), we +will pass returned invalid page pointer into f2fs_put_page, cause accessing +invalid memory, this patch tries to handle error path correctly to fix this +issue. + +Signed-off-by: Chao Yu +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Jaegeuk Kim + +--- + fs/f2fs/checkpoint.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -746,6 +746,7 @@ static int get_checkpoint_version(struct + + crc_offset = le32_to_cpu((*cp_block)->checksum_offset); + if (crc_offset > (blk_size - sizeof(__le32))) { ++ f2fs_put_page(*cp_page, 1); + f2fs_msg(sbi->sb, KERN_WARNING, + "invalid crc_offset: %zu", crc_offset); + return -EINVAL; +@@ -753,6 +754,7 @@ static int get_checkpoint_version(struct + + crc = cur_cp_crc(*cp_block); + if (!f2fs_crc_valid(sbi, crc, *cp_block, crc_offset)) { ++ f2fs_put_page(*cp_page, 1); + f2fs_msg(sbi->sb, KERN_WARNING, "invalid crc value"); + return -EINVAL; + } +@@ -772,14 +774,14 @@ static struct page *validate_checkpoint( + err = get_checkpoint_version(sbi, cp_addr, &cp_block, + &cp_page_1, version); + if (err) +- goto invalid_cp1; ++ return NULL; + pre_version = *version; + + cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; + err = get_checkpoint_version(sbi, cp_addr, &cp_block, + &cp_page_2, version); + if (err) +- goto invalid_cp2; ++ goto invalid_cp; + cur_version = *version; + + if (cur_version == pre_version) { +@@ -787,9 +789,8 @@ static struct page *validate_checkpoint( + f2fs_put_page(cp_page_2, 1); + return cp_page_1; + } +-invalid_cp2: + f2fs_put_page(cp_page_2, 1); +-invalid_cp1: ++invalid_cp: + f2fs_put_page(cp_page_1, 1); + return NULL; + } diff --git a/queue-4.18/series b/queue-4.18/series index 110b2f390b8..3a30fe6de8d 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -36,3 +36,7 @@ of-unittest-disable-interrupt-node-tests-for-old-world-mac-systems.patch powerpc-avoid-code-patching-freed-init-sections.patch powerpc-lib-fix-book3s-32-boot-failure-due-to-code-patching.patch arc-clone-syscall-to-setp-r25-as-thread-pointer.patch +f2fs-fix-invalid-memory-access.patch +tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch +ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch +ubifs-check-for-name-being-null-while-mounting.patch diff --git a/queue-4.18/tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch b/queue-4.18/tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch new file mode 100644 index 00000000000..9a1833faa61 --- /dev/null +++ b/queue-4.18/tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch @@ -0,0 +1,114 @@ +From 8f5c5fcf353302374b36232d6885c1a3b579e5ca Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Tue, 4 Sep 2018 14:54:55 -0700 +Subject: tipc: call start and done ops directly in __tipc_nl_compat_dumpit() + +From: Cong Wang + +commit 8f5c5fcf353302374b36232d6885c1a3b579e5ca upstream. + +__tipc_nl_compat_dumpit() uses a netlink_callback on stack, +so the only way to align it with other ->dumpit() call path +is calling tipc_dump_start() and tipc_dump_done() directly +inside it. Otherwise ->dumpit() would always get NULL from +cb->args[]. + +But tipc_dump_start() uses sock_net(cb->skb->sk) to retrieve +net pointer, the cb->skb here doesn't set skb->sk, the net pointer +is saved in msg->net instead, so introduce a helper function +__tipc_dump_start() to pass in msg->net. + +Ying pointed out cb->args[0...3] are already used by other +callbacks on this call path, so we can't use cb->args[0] any +more, use cb->args[4] instead. + +Fixes: 9a07efa9aea2 ("tipc: switch to rhashtable iterator") +Reported-and-tested-by: syzbot+e93a2c41f91b8e2c7d9b@syzkaller.appspotmail.com +Cc: Jon Maloy +Cc: Ying Xue +Signed-off-by: Cong Wang +Acked-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 2 ++ + net/tipc/socket.c | 17 +++++++++++------ + net/tipc/socket.h | 1 + + 3 files changed, 14 insertions(+), 6 deletions(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -185,6 +185,7 @@ static int __tipc_nl_compat_dumpit(struc + return -ENOMEM; + + buf->sk = msg->dst_sk; ++ __tipc_dump_start(&cb, msg->net); + + do { + int rem; +@@ -216,6 +217,7 @@ static int __tipc_nl_compat_dumpit(struc + err = 0; + + err_out: ++ tipc_dump_done(&cb); + kfree_skb(buf); + + if (err == -EMSGSIZE) { +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -3233,7 +3233,7 @@ int tipc_nl_sk_walk(struct sk_buff *skb, + struct netlink_callback *cb, + struct tipc_sock *tsk)) + { +- struct rhashtable_iter *iter = (void *)cb->args[0]; ++ struct rhashtable_iter *iter = (void *)cb->args[4]; + struct tipc_sock *tsk; + int err; + +@@ -3269,8 +3269,14 @@ EXPORT_SYMBOL(tipc_nl_sk_walk); + + int tipc_dump_start(struct netlink_callback *cb) + { +- struct rhashtable_iter *iter = (void *)cb->args[0]; +- struct net *net = sock_net(cb->skb->sk); ++ return __tipc_dump_start(cb, sock_net(cb->skb->sk)); ++} ++EXPORT_SYMBOL(tipc_dump_start); ++ ++int __tipc_dump_start(struct netlink_callback *cb, struct net *net) ++{ ++ /* tipc_nl_name_table_dump() uses cb->args[0...3]. */ ++ struct rhashtable_iter *iter = (void *)cb->args[4]; + struct tipc_net *tn = tipc_net(net); + + if (!iter) { +@@ -3278,17 +3284,16 @@ int tipc_dump_start(struct netlink_callb + if (!iter) + return -ENOMEM; + +- cb->args[0] = (long)iter; ++ cb->args[4] = (long)iter; + } + + rhashtable_walk_enter(&tn->sk_rht, iter); + return 0; + } +-EXPORT_SYMBOL(tipc_dump_start); + + int tipc_dump_done(struct netlink_callback *cb) + { +- struct rhashtable_iter *hti = (void *)cb->args[0]; ++ struct rhashtable_iter *hti = (void *)cb->args[4]; + + rhashtable_walk_exit(hti); + kfree(hti); +--- a/net/tipc/socket.h ++++ b/net/tipc/socket.h +@@ -69,5 +69,6 @@ int tipc_nl_sk_walk(struct sk_buff *skb, + struct netlink_callback *cb, + struct tipc_sock *tsk)); + int tipc_dump_start(struct netlink_callback *cb); ++int __tipc_dump_start(struct netlink_callback *cb, struct net *net); + int tipc_dump_done(struct netlink_callback *cb); + #endif diff --git a/queue-4.18/ubifs-check-for-name-being-null-while-mounting.patch b/queue-4.18/ubifs-check-for-name-being-null-while-mounting.patch new file mode 100644 index 00000000000..9f0d7df6b8c --- /dev/null +++ b/queue-4.18/ubifs-check-for-name-being-null-while-mounting.patch @@ -0,0 +1,34 @@ +From 37f31b6ca4311b94d985fb398a72e5399ad57925 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 3 Sep 2018 23:06:23 +0200 +Subject: ubifs: Check for name being NULL while mounting + +From: Richard Weinberger + +commit 37f31b6ca4311b94d985fb398a72e5399ad57925 upstream. + +The requested device name can be NULL or an empty string. +Check for that and refuse to continue. UBIFS has to do this manually +since we cannot use mount_bdev(), which checks for this condition. + +Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") +Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/super.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1929,6 +1929,9 @@ static struct ubi_volume_desc *open_ubi( + int dev, vol; + char *endptr; + ++ if (!name || !*name) ++ return ERR_PTR(-EINVAL); ++ + /* First, try to open using the device node path method */ + ubi = ubi_open_volume_path(name, mode); + if (!IS_ERR(ubi)) diff --git a/queue-4.18/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch b/queue-4.18/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch new file mode 100644 index 00000000000..68e063c5c0f --- /dev/null +++ b/queue-4.18/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch @@ -0,0 +1,65 @@ +From 5fe23f262e0548ca7f19fb79f89059a60d087d22 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Wed, 12 Sep 2018 16:27:44 -0700 +Subject: ucma: fix a use-after-free in ucma_resolve_ip() + +From: Cong Wang + +commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 upstream. + +There is a race condition between ucma_close() and ucma_resolve_ip(): + +CPU0 CPU1 +ucma_resolve_ip(): ucma_close(): + +ctx = ucma_get_ctx(file, cmd.id); + + list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) { + mutex_lock(&mut); + idr_remove(&ctx_idr, ctx->id); + mutex_unlock(&mut); + ... + mutex_lock(&mut); + if (!ctx->closing) { + mutex_unlock(&mut); + rdma_destroy_id(ctx->cm_id); + ... + ucma_free_ctx(ctx); + +ret = rdma_resolve_addr(); +ucma_put_ctx(ctx); + +Before idr_remove(), ucma_get_ctx() could still find the ctx +and after rdma_destroy_id(), rdma_resolve_addr() may still +access id_priv pointer. Also, ucma_put_ctx() may use ctx after +ucma_free_ctx() too. + +ucma_close() should call ucma_put_ctx() too which tests the +refcnt and waits for the last one releasing it. The similar +pattern is already used by ucma_destroy_id(). + +Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com +Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com +Cc: Jason Gunthorpe +Cc: Doug Ledford +Cc: Leon Romanovsky +Signed-off-by: Cong Wang +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1759,6 +1759,8 @@ static int ucma_close(struct inode *inod + mutex_lock(&mut); + if (!ctx->closing) { + mutex_unlock(&mut); ++ ucma_put_ctx(ctx); ++ wait_for_completion(&ctx->comp); + /* rdma_destroy_id ensures that no event handlers are + * inflight for that id before releasing it. + */