From: Greg Kroah-Hartman Date: Tue, 7 Feb 2023 09:19:20 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.15.93~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6e3294a0eabf3df578f6beabb1a7e3f174e825ab;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: mm-swapfile-add-cond_resched-in-get_swap_pages.patch squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch --- diff --git a/queue-4.14/mm-swapfile-add-cond_resched-in-get_swap_pages.patch b/queue-4.14/mm-swapfile-add-cond_resched-in-get_swap_pages.patch new file mode 100644 index 00000000000..1128c98534e --- /dev/null +++ b/queue-4.14/mm-swapfile-add-cond_resched-in-get_swap_pages.patch @@ -0,0 +1,45 @@ +From 7717fc1a12f88701573f9ed897cc4f6699c661e3 Mon Sep 17 00:00:00 2001 +From: Longlong Xia +Date: Sat, 28 Jan 2023 09:47:57 +0000 +Subject: mm/swapfile: add cond_resched() in get_swap_pages() + +From: Longlong Xia + +commit 7717fc1a12f88701573f9ed897cc4f6699c661e3 upstream. + +The softlockup still occurs in get_swap_pages() under memory pressure. 64 +CPU cores, 64GB memory, and 28 zram devices, the disksize of each zram +device is 50MB with same priority as si. Use the stress-ng tool to +increase memory pressure, causing the system to oom frequently. + +The plist_for_each_entry_safe() loops in get_swap_pages() could reach tens +of thousands of times to find available space (extreme case: +cond_resched() is not called in scan_swap_map_slots()). Let's add +cond_resched() into get_swap_pages() when failed to find available space +to avoid softlockup. + +Link: https://lkml.kernel.org/r/20230128094757.1060525-1-xialonglong1@huawei.com +Signed-off-by: Longlong Xia +Reviewed-by: "Huang, Ying" +Cc: Chen Wandun +Cc: Huang Ying +Cc: Kefeng Wang +Cc: Nanyong Sun +Cc: Hugh Dickins +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -983,6 +983,7 @@ start_over: + goto check_out; + pr_debug("scan_swap_map of si %d failed to find offset\n", + si->type); ++ cond_resched(); + + spin_lock(&swap_avail_lock); + nextsi: diff --git a/queue-4.14/series b/queue-4.14/series index 674b48db9cc..165870c57a9 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -19,3 +19,5 @@ iio-adc-twl6030-enable-measurements-of-vusb-vbat-and-others.patch parisc-fix-return-code-of-pdc_iodc_print.patch parisc-wire-up-ptrace_getregs-ptrace_setregs-for-compat-case.patch mm-hugetlb-proc-check-for-hugetlb-shared-pmd-in-proc-pid-smaps.patch +mm-swapfile-add-cond_resched-in-get_swap_pages.patch +squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch diff --git a/queue-4.14/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch b/queue-4.14/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch new file mode 100644 index 00000000000..782e8b0084d --- /dev/null +++ b/queue-4.14/squashfs-fix-handling-and-sanity-checking-of-xattr_ids-count.patch @@ -0,0 +1,143 @@ +From f65c4bbbd682b0877b669828b4e033b8d5d0a2dc Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Fri, 27 Jan 2023 06:18:42 +0000 +Subject: Squashfs: fix handling and sanity checking of xattr_ids count + +From: Phillip Lougher + +commit f65c4bbbd682b0877b669828b4e033b8d5d0a2dc upstream. + +A Sysbot [1] corrupted filesystem exposes two flaws in the handling and +sanity checking of the xattr_ids count in the filesystem. Both of these +flaws cause computation overflow due to incorrect typing. + +In the corrupted filesystem the xattr_ids value is 4294967071, which +stored in a signed variable becomes the negative number -225. + +Flaw 1 (64-bit systems only): + +The signed integer xattr_ids variable causes sign extension. + +This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The +variable is first multiplied by sizeof(struct squashfs_xattr_id) where the +type of the sizeof operator is "unsigned long". + +On a 64-bit system this is 64-bits in size, and causes the negative number +to be sign extended and widened to 64-bits and then become unsigned. This +produces the very large number 18446744073709548016 or 2^64 - 3600. This +number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and +divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0 +(stored in len). + +Flaw 2 (32-bit systems only): + +On a 32-bit system the integer variable is not widened by the unsigned +long type of the sizeof operator (32-bits), and the signedness of the +variable has no effect due it always being treated as unsigned. + +The above corrupted xattr_ids value of 4294967071, when multiplied +overflows and produces the number 4294963696 or 2^32 - 3400. This number +when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by +SQUASHFS_METADATA_SIZE overflows again and produces a length of 0. + +The effect of the 0 length computation: + +In conjunction with the corrupted xattr_ids field, the filesystem also has +a corrupted xattr_table_start value, where it matches the end of +filesystem value of 850. + +This causes the following sanity check code to fail because the +incorrectly computed len of 0 matches the incorrect size of the table +reported by the superblock (0 bytes). + + len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids); + indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids); + + /* + * The computed size of the index table (len bytes) should exactly + * match the table start and end points + */ + start = table_start + sizeof(*id_table); + end = msblk->bytes_used; + + if (len != (end - start)) + return ERR_PTR(-EINVAL); + +Changing the xattr_ids variable to be "usigned int" fixes the flaw on a +64-bit system. This relies on the fact the computation is widened by the +unsigned long type of the sizeof operator. + +Casting the variable to u64 in the above macro fixes this flaw on a 32-bit +system. + +It also means 64-bit systems do not implicitly rely on the type of the +sizeof operator to widen the computation. + +[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/ + +Link: https://lkml.kernel.org/r/20230127061842.10965-1-phillip@squashfs.org.uk +Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup") +Signed-off-by: Phillip Lougher +Reported-by: +Cc: Alexey Khoroshilov +Cc: Fedor Pchelkin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/squashfs_fs.h | 2 +- + fs/squashfs/squashfs_fs_sb.h | 2 +- + fs/squashfs/xattr.h | 4 ++-- + fs/squashfs/xattr_id.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +--- a/fs/squashfs/squashfs_fs.h ++++ b/fs/squashfs/squashfs_fs.h +@@ -196,7 +196,7 @@ static inline int squashfs_block_size(__ + #define SQUASHFS_ID_BLOCK_BYTES(A) (SQUASHFS_ID_BLOCKS(A) *\ + sizeof(u64)) + /* xattr id lookup table defines */ +-#define SQUASHFS_XATTR_BYTES(A) ((A) * sizeof(struct squashfs_xattr_id)) ++#define SQUASHFS_XATTR_BYTES(A) (((u64) (A)) * sizeof(struct squashfs_xattr_id)) + + #define SQUASHFS_XATTR_BLOCK(A) (SQUASHFS_XATTR_BYTES(A) / \ + SQUASHFS_METADATA_SIZE) +--- a/fs/squashfs/squashfs_fs_sb.h ++++ b/fs/squashfs/squashfs_fs_sb.h +@@ -76,7 +76,7 @@ struct squashfs_sb_info { + long long bytes_used; + unsigned int inodes; + unsigned int fragments; +- int xattr_ids; ++ unsigned int xattr_ids; + unsigned int ids; + }; + #endif +--- a/fs/squashfs/xattr.h ++++ b/fs/squashfs/xattr.h +@@ -23,12 +23,12 @@ + + #ifdef CONFIG_SQUASHFS_XATTR + extern __le64 *squashfs_read_xattr_id_table(struct super_block *, u64, +- u64 *, int *); ++ u64 *, unsigned int *); + extern int squashfs_xattr_lookup(struct super_block *, unsigned int, int *, + unsigned int *, unsigned long long *); + #else + static inline __le64 *squashfs_read_xattr_id_table(struct super_block *sb, +- u64 start, u64 *xattr_table_start, int *xattr_ids) ++ u64 start, u64 *xattr_table_start, unsigned int *xattr_ids) + { + struct squashfs_xattr_id_table *id_table; + +--- a/fs/squashfs/xattr_id.c ++++ b/fs/squashfs/xattr_id.c +@@ -69,7 +69,7 @@ int squashfs_xattr_lookup(struct super_b + * Read uncompressed xattr id lookup table indexes from disk into memory + */ + __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start, +- u64 *xattr_table_start, int *xattr_ids) ++ u64 *xattr_table_start, unsigned int *xattr_ids) + { + struct squashfs_sb_info *msblk = sb->s_fs_info; + unsigned int len, indexes;