From: Greg Kroah-Hartman Date: Tue, 10 Mar 2020 07:11:29 +0000 (+0100) Subject: drop locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch X-Git-Tag: v4.4.216~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6fa58bbc8b028c555573ac5cf8510a02748678e9;p=thirdparty%2Fkernel%2Fstable-queue.git drop locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch --- diff --git a/queue-5.4/locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch b/queue-5.4/locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch deleted file mode 100644 index dc5fd5dac4e..00000000000 --- a/queue-5.4/locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da Mon Sep 17 00:00:00 2001 -From: yangerkun -Date: Wed, 4 Mar 2020 15:25:56 +0800 -Subject: locks: fix a potential use-after-free problem when wakeup a waiter -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: yangerkun - -commit 6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da upstream. - -'16306a61d3b7 ("fs/locks: always delete_block after waiting.")' add the -logic to check waiter->fl_blocker without blocked_lock_lock. And it will -trigger a UAF when we try to wakeup some waiter: - -Thread 1 has create a write flock a on file, and now thread 2 try to -unlock and delete flock a, thread 3 try to add flock b on the same file. - -Thread2 Thread3 - flock syscall(create flock b) - ...flock_lock_inode_wait - flock_lock_inode(will insert - our fl_blocked_member list - to flock a's fl_blocked_requests) - sleep -flock syscall(unlock) -...flock_lock_inode_wait - locks_delete_lock_ctx - ...__locks_wake_up_blocks - __locks_delete_blocks( - b->fl_blocker = NULL) - ... - break by a signal - locks_delete_block - b->fl_blocker == NULL && - list_empty(&b->fl_blocked_requests) - success, return directly - locks_free_lock b - wake_up(&b->fl_waiter) - trigger UAF - -Fix it by remove this logic, and this patch may also fix CVE-2019-19769. - -Cc: stable@vger.kernel.org -Fixes: 16306a61d3b7 ("fs/locks: always delete_block after waiting.") -Signed-off-by: yangerkun -Signed-off-by: Jeff Layton -Signed-off-by: Greg Kroah-Hartman - ---- - fs/locks.c | 14 -------------- - 1 file changed, 14 deletions(-) - ---- a/fs/locks.c -+++ b/fs/locks.c -@@ -753,20 +753,6 @@ int locks_delete_block(struct file_lock - { - int status = -ENOENT; - -- /* -- * If fl_blocker is NULL, it won't be set again as this thread -- * "owns" the lock and is the only one that might try to claim -- * the lock. So it is safe to test fl_blocker locklessly. 
-- * Also if fl_blocker is NULL, this waiter is not listed on -- * fl_blocked_requests for some lock, so no other request can -- * be added to the list of fl_blocked_requests for this -- * request. So if fl_blocker is NULL, it is safe to -- * locklessly check if fl_blocked_requests is empty. If both -- * of these checks succeed, there is no need to take the lock. -- */ -- if (waiter->fl_blocker == NULL && -- list_empty(&waiter->fl_blocked_requests)) -- return status; - spin_lock(&blocked_lock_lock); - if (waiter->fl_blocker) - status = 0; diff --git a/queue-5.4/series b/queue-5.4/series index f3ca991eca1..1e5cf485bbc 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -72,7 +72,6 @@ usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch vgacon-fix-a-uaf-in-vgacon_invert_region.patch -locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch mm-hotplug-fix-page-online-with-debug_pagealloc-compiled-but-not-enabled.patch diff --git a/queue-5.5/locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch b/queue-5.5/locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch deleted file mode 100644 index dc5fd5dac4e..00000000000 --- a/queue-5.5/locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da Mon Sep 17 00:00:00 2001 -From: yangerkun -Date: Wed, 4 Mar 2020 15:25:56 +0800 -Subject: locks: fix a potential use-after-free problem when wakeup a waiter -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: yangerkun - -commit 6d390e4b5d48ec03bb87e63cf0a2bff5f4e116da upstream. - -'16306a61d3b7 ("fs/locks: always delete_block after waiting.")' add the -logic to check waiter->fl_blocker without blocked_lock_lock. And it will -trigger a UAF when we try to wakeup some waiter: - -Thread 1 has create a write flock a on file, and now thread 2 try to -unlock and delete flock a, thread 3 try to add flock b on the same file. - -Thread2 Thread3 - flock syscall(create flock b) - ...flock_lock_inode_wait - flock_lock_inode(will insert - our fl_blocked_member list - to flock a's fl_blocked_requests) - sleep -flock syscall(unlock) -...flock_lock_inode_wait - locks_delete_lock_ctx - ...__locks_wake_up_blocks - __locks_delete_blocks( - b->fl_blocker = NULL) - ... - break by a signal - locks_delete_block - b->fl_blocker == NULL && - list_empty(&b->fl_blocked_requests) - success, return directly - locks_free_lock b - wake_up(&b->fl_waiter) - trigger UAF - -Fix it by remove this logic, and this patch may also fix CVE-2019-19769. - -Cc: stable@vger.kernel.org -Fixes: 16306a61d3b7 ("fs/locks: always delete_block after waiting.") -Signed-off-by: yangerkun -Signed-off-by: Jeff Layton -Signed-off-by: Greg Kroah-Hartman - ---- - fs/locks.c | 14 -------------- - 1 file changed, 14 deletions(-) - ---- a/fs/locks.c -+++ b/fs/locks.c -@@ -753,20 +753,6 @@ int locks_delete_block(struct file_lock - { - int status = -ENOENT; - -- /* -- * If fl_blocker is NULL, it won't be set again as this thread -- * "owns" the lock and is the only one that might try to claim -- * the lock. So it is safe to test fl_blocker locklessly. 
-- * Also if fl_blocker is NULL, this waiter is not listed on -- * fl_blocked_requests for some lock, so no other request can -- * be added to the list of fl_blocked_requests for this -- * request. So if fl_blocker is NULL, it is safe to -- * locklessly check if fl_blocked_requests is empty. If both -- * of these checks succeed, there is no need to take the lock. -- */ -- if (waiter->fl_blocker == NULL && -- list_empty(&waiter->fl_blocked_requests)) -- return status; - spin_lock(&blocked_lock_lock); - if (waiter->fl_blocker) - status = 0; diff --git a/queue-5.5/series b/queue-5.5/series index 40feaf4811a..15a5fed5389 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -76,7 +76,6 @@ usb-core-hub-fix-unhandled-return-by-employing-a-void-function.patch usb-core-hub-do-error-out-if-usb_autopm_get_interface-fails.patch usb-core-port-do-error-out-if-usb_autopm_get_interface-fails.patch vgacon-fix-a-uaf-in-vgacon_invert_region.patch -locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch mm-numa-fix-bad-pmd-by-atomically-check-for-pmd_trans_huge-when-marking-page-tables-prot_numa.patch mm-fix-possible-pmd-dirty-bit-lost-in-set_pmd_migration_entry.patch mm-avoid-data-corruption-on-cow-fault-into-pfn-mapped-vma.patch
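Review bot: the drop commit says only "drop locks-fix-a-potential-use-after-free-problem-when-wakeup-a-waiter.patch" and gives no reason for removing it from both queue-5.4/series and queue-5.5/series, while the dropped patch itself carries Cc: stable@vger.kernel.org, Fixes: 16306a61d3b7 and the note "this patch may also fix CVE-2019-19769", so after this commit both queues ship without any fix for the race the dropped message describes; state in the commit message why it was dropped (regression report, upstream revert, or a reworked fix still to be queued) so the status of that CVE in 5.4 and 5.5 stays traceable, and confirm that no remaining entry in either series file was written on top of the deleted change.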
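Review bot: the dropped fs/locks.c hunk addresses the race only by deleting the lockless early return in locks_delete_block() together with its justifying comment, so with that patch applied every caller, including a waiter whose fl_blocker was already cleared, falls through to spin_lock(&blocked_lock_lock); the interleaving in the dropped commit message shows the real hazard is that the waker still dereferences b in wake_up(&b->fl_waiter) after it has published b->fl_blocker = NULL from __locks_delete_blocks(), which is what lets the waiter free b in between. Whatever replaces this patch in the two queues should either keep the fast path and stop the waker from touching the waiter once fl_blocker has been cleared, or, if the unconditional spin_lock() is retained, say so in the changelog, since the removed comment was the only explanation of why the lock could be skipped.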