From: Greg Kroah-Hartman
Date: Mon, 14 Nov 2022 10:47:36 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v5.10.155~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b59bcf4b9ab79affb955ff900da802c3d4673d64;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch
cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch
drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch
nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch
nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch
platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch
udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch
vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch
---

diff --git a/queue-4.19/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch b/queue-4.19/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch
new file mode 100644
index 00000000000..beb9ee40a4f
--- /dev/null
+++ b/queue-4.19/btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch
@@ -0,0 +1,56 @@ +From 9b2f20344d450137d015b380ff0c2e2a6a170135 Mon Sep 17 00:00:00 2001 +From: Zhang Xiaoxu +Date: Tue, 1 Nov 2022 10:53:54 +0800 +Subject: btrfs: selftests: fix wrong error check in btrfs_free_dummy_root() + +From: Zhang Xiaoxu + +commit 9b2f20344d450137d015b380ff0c2e2a6a170135 upstream. + +The btrfs_alloc_dummy_root() uses ERR_PTR as the error return value +rather than NULL, if error happened, there will be a NULL pointer +dereference: + + BUG: KASAN: null-ptr-deref in btrfs_free_dummy_root+0x21/0x50 [btrfs] + Read of size 8 at addr 000000000000002c by task insmod/258926 + + CPU: 2 PID: 258926 Comm: insmod Tainted: G W 6.1.0-rc2+ #5 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + Call Trace: + + dump_stack_lvl+0x34/0x44 + kasan_report+0xb7/0x140 + kasan_check_range+0x145/0x1a0 + btrfs_free_dummy_root+0x21/0x50 [btrfs] + btrfs_test_free_space_cache+0x1a8c/0x1add [btrfs] + btrfs_run_sanity_tests+0x65/0x80 [btrfs] + init_btrfs_fs+0xec/0x154 [btrfs] + do_one_initcall+0x87/0x2a0 + do_init_module+0xdf/0x320 + load_module+0x3006/0x3390 + __do_sys_finit_module+0x113/0x1b0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fixes: aaedb55bc08f ("Btrfs: add tests for btrfs_get_extent") +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Anand Jain +Signed-off-by: Zhang Xiaoxu +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tests/btrfs-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tests/btrfs-tests.c ++++ b/fs/btrfs/tests/btrfs-tests.c +@@ -174,7 +174,7 @@ void btrfs_free_dummy_fs_info(struct btr + + void btrfs_free_dummy_root(struct btrfs_root *root) + { +- if (!root) ++ if (IS_ERR_OR_NULL(root)) + return; + /* Will be freed by btrfs_free_fs_roots */ + if (WARN_ON(test_bit(BTRFS_ROOT_IN_RADIX, &root->state))) 
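Review bot: the IS_ERR_OR_NULL() change in the btrfs-tests.c hunk is the right fix, but the new check deserves a one-line comment saying why an error pointer can reach a free routine at all: the selftests hand whatever btrfs_alloc_dummy_root() returned straight to btrfs_free_dummy_root() on cleanup, and with the old `if (!root)` the ERR_PTR fell through to `test_bit(BTRFS_ROOT_IN_RADIX, &root->state)` two lines below (the read of size 8 at a near-zero address in the trace is consistent with that dereference). Without the comment a later cleanup is likely to "simplify" this back to a plain NULL test.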
diff --git a/queue-4.19/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch b/queue-4.19/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch new file mode 100644 index 00000000000..e3395337aaa --- /dev/null +++ b/queue-4.19/cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch @@ -0,0 +1,35 @@ +From 6bfb56e93bcef41859c2d5ab234ffd80b691be35 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 8 Jun 2022 13:18:39 -0700 +Subject: cert host tools: Stop complaining about deprecated OpenSSL functions + +From: Linus Torvalds + +commit 6bfb56e93bcef41859c2d5ab234ffd80b691be35 upstream. + +OpenSSL 3.0 deprecated the OpenSSL's ENGINE API. That is as may be, but +the kernel build host tools still use it. Disable the warning about +deprecated declarations until somebody who cares fixes it. + +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + scripts/sign-file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/scripts/sign-file.c ++++ b/scripts/sign-file.c +@@ -30,6 +30,13 @@ + #include + + /* ++ * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. ++ * ++ * Remove this if/when that API is no longer used ++ */ ++#pragma GCC diagnostic ignored "-Wdeprecated-declarations" ++ ++/* + * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to + * assume that it's not available and its header file is missing and that we + * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts diff --git a/queue-4.19/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch b/queue-4.19/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch new file mode 100644 index 00000000000..e87782f9972 --- /dev/null +++ b/queue-4.19/drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch 
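Review bot: on the scripts/sign-file.c hunk above, the file-wide `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` silences every deprecation warning in the file, not only the ENGINE API the new comment names, so a later OpenSSL deprecation of the CMS or PKCS#7 signing calls this tool also uses (see the context comment right below the hunk) would go unnoticed. Consider narrowing it with `#pragma GCC diagnostic push` / `pop` around the ENGINE-using code. Since this is the host tool that produces the module signatures the kernel later verifies, the comment should also point at what replaces the ENGINE API, so the warning is parked with a plan rather than hidden indefinitely.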
@@ -0,0 +1,55 @@ +From f90daa975911961b65070ec72bd7dd8d448f9ef7 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Fri, 28 Oct 2022 16:50:26 +0100 +Subject: drm/i915/dmabuf: fix sg_table handling in map_dma_buf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit f90daa975911961b65070ec72bd7dd8d448f9ef7 upstream. + +We need to iterate over the original entries here for the sg_table, +pulling out the struct page for each one, to be remapped. However +currently this incorrectly iterates over the final dma mapped entries, +which is likely just one gigantic sg entry if the iommu is enabled, +leading to us only mapping the first struct page (and any physically +contiguous pages following it), even if there is potentially lots more +data to follow. + +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7306 +Fixes: 1286ff739773 ("i915: add dmabuf/prime buffer sharing support.") +Signed-off-by: Matthew Auld +Cc: Lionel Landwerlin +Cc: Tvrtko Ursulin +Cc: Ville Syrjälä +Cc: Michael J. Ruhl +Cc: # v3.5+ +Reviewed-by: Michael J. 
Ruhl +Link: https://patchwork.freedesktop.org/patch/msgid/20221028155029.494736-1-matthew.auld@intel.com +(cherry picked from commit 28d52f99bbca7227008cf580c9194c9b3516968e) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/i915_gem_dmabuf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_gem_dmabuf.c ++++ b/drivers/gpu/drm/i915/i915_gem_dmabuf.c +@@ -55,13 +55,13 @@ static struct sg_table *i915_gem_map_dma + goto err_unpin_pages; + } + +- ret = sg_alloc_table(st, obj->mm.pages->nents, GFP_KERNEL); ++ ret = sg_alloc_table(st, obj->mm.pages->orig_nents, GFP_KERNEL); + if (ret) + goto err_free; + + src = obj->mm.pages->sgl; + dst = st->sgl; +- for (i = 0; i < obj->mm.pages->nents; i++) { ++ for (i = 0; i < obj->mm.pages->orig_nents; i++) { + sg_set_page(dst, sg_page(src), src->length, 0); + dst = sg_next(dst); + src = sg_next(src); diff --git a/queue-4.19/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch b/queue-4.19/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch new file mode 100644 index 00000000000..42d1f1bfa26 --- /dev/null +++ b/queue-4.19/nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch 
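Review bot: on the i915_gem_dmabuf.c hunk above, moving both the sg_alloc_table() size and the loop bound to orig_nents is correct because the loop body reads sg_page(src) and src->length, which are the pre-mapping entries; with the old nents bound the table was sized to the IOMMU-coalesced count and the copy stopped after the first merged entry, which is the under-mapping the message describes. Two things to verify for the 4.19 backport: the hunk relies on `src`, `dst` and `i` being declared in the surrounding function, and the file here is drivers/gpu/drm/i915/i915_gem_dmabuf.c while the upstream commit is a cherry-pick from a newer tree, so confirm the function body matches. Pre-existing but worth a glance while here: `sg_set_page(dst, sg_page(src), src->length, 0)` hardcodes the page offset to 0, which is only right if the object's backing pages always have a zero offset; a for_each_sg() over the source list would also drop the manual sg_next(src) bookkeeping.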
@@ -0,0 +1,81 @@ +From 8ac932a4921a96ca52f61935dbba64ea87bbd5dc Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sat, 29 Oct 2022 13:49:12 +0900 +Subject: nilfs2: fix deadlock in nilfs_count_free_blocks() + +From: Ryusuke Konishi + +commit 8ac932a4921a96ca52f61935dbba64ea87bbd5dc upstream. + +A semaphore deadlock can occur if nilfs_get_block() detects metadata +corruption while locating data blocks and a superblock writeback occurs at +the same time: + +task 1 task 2 +------ ------ +* A file operation * +nilfs_truncate() + nilfs_get_block() + down_read(rwsem A) <-- + nilfs_bmap_lookup_contig() + ... generic_shutdown_super() + nilfs_put_super() + * Prepare to write superblock * + down_write(rwsem B) <-- + nilfs_cleanup_super() + * Detect b-tree corruption * nilfs_set_log_cursor() + nilfs_bmap_convert_error() nilfs_count_free_blocks() + __nilfs_error() down_read(rwsem A) <-- + nilfs_set_error() + down_write(rwsem B) <-- + + *** DEADLOCK *** + +Here, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem) +and then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata +corruption, __nilfs_error() is called from nilfs_bmap_convert_error() +inside the lock section. + +Since __nilfs_error() calls nilfs_set_error() unless the filesystem is +read-only and nilfs_set_error() attempts to writelock rwsem B (= +nilfs->ns_sem) to write back superblock exclusively, hierarchical lock +acquisition occurs in the order rwsem A -> rwsem B. + +Now, if another task starts updating the superblock, it may writelock +rwsem B during the lock sequence above, and can deadlock trying to +readlock rwsem A in nilfs_count_free_blocks(). + +However, there is actually no need to take rwsem A in +nilfs_count_free_blocks() because it, within the lock section, only reads +a single integer data on a shared struct with +nilfs_sufile_get_ncleansegs(). 
This has been the case after commit +aa474a220180 ("nilfs2: add local variable to cache the number of clean +segments"), that is, even before this bug was introduced. + +So, this resolves the deadlock problem by just not taking the semaphore in +nilfs_count_free_blocks(). + +Link: https://lkml.kernel.org/r/20221029044912.9139-1-konishi.ryusuke@gmail.com +Fixes: e828949e5b42 ("nilfs2: call nilfs_error inside bmap routines") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+45d6ce7b7ad7ef455d03@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Cc: [2.6.38+ +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/the_nilfs.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -695,9 +695,7 @@ int nilfs_count_free_blocks(struct the_n + { + unsigned long ncleansegs; + +- down_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem); + ncleansegs = nilfs_sufile_get_ncleansegs(nilfs->ns_sufile); +- up_read(&NILFS_MDT(nilfs->ns_dat)->mi_sem); + *nblocks = (sector_t)ncleansegs * nilfs->ns_blocks_per_segment; + return 0; + } diff --git a/queue-4.19/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch b/queue-4.19/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch new file mode 100644 index 00000000000..e16f7a77670 --- /dev/null +++ b/queue-4.19/nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch 
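Review bot: on the the_nilfs.c hunk above, dropping both mi_sem calls leaves the nilfs_sufile_get_ncleansegs() read lock-free with nothing in the code saying that this is deliberate; add a comment at the call stating that it only reads the cached clean-segment count (cached since aa474a220180 per the commit message) and that mi_sem must not be retaken here because of the rwsem A -> rwsem B ordering with nilfs_set_error() that produced the deadlock. Otherwise someone is likely to reintroduce the lock when they see an apparently unprotected read. The fix itself is sound: the function reads a single integer and derives nblocks from it, so there is no consistency the semaphore was buying.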
@@ -0,0 +1,118 @@ +From 8cccf05fe857a18ee26e20d11a8455a73ffd4efd Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 4 Nov 2022 23:29:59 +0900 +Subject: nilfs2: fix use-after-free bug of ns_writer on remount + +From: Ryusuke Konishi + +commit 8cccf05fe857a18ee26e20d11a8455a73ffd4efd upstream. + +If a nilfs2 filesystem is downgraded to read-only due to metadata +corruption on disk and is remounted read/write, or if emergency read-only +remount is performed, detaching a log writer and synchronizing the +filesystem can be done at the same time. + +In these cases, use-after-free of the log writer (hereinafter +nilfs->ns_writer) can happen as shown in the scenario below: + + Task1 Task2 + -------------------------------- ------------------------------ + nilfs_construct_segment + nilfs_segctor_sync + init_wait + init_waitqueue_entry + add_wait_queue + schedule + nilfs_remount (R/W remount case) + nilfs_attach_log_writer + nilfs_detach_log_writer + nilfs_segctor_destroy + kfree + finish_wait + _raw_spin_lock_irqsave + __raw_spin_lock_irqsave + do_raw_spin_lock + debug_spin_lock_before <-- use-after-free + +While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 +waked up, Task1 accesses nilfs->ns_writer which is already freed. This +scenario diagram is based on the Shigeru Yoshida's post [1]. + +This patch fixes the issue by not detaching nilfs->ns_writer on remount so +that this UAF race doesn't happen. Along with this change, this patch +also inserts a few necessary read-only checks with superblock instance +where only the ns_writer pointer was used to check if the filesystem is +read-only. 
+ +Link: https://syzkaller.appspot.com/bug?id=79a4c002e960419ca173d55e863bd09e8112df8b +Link: https://lkml.kernel.org/r/20221103141759.1836312-1-syoshida@redhat.com [1] +Link: https://lkml.kernel.org/r/20221104142959.28296-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+f816fa82f8783f7a02bb@syzkaller.appspotmail.com +Reported-by: Shigeru Yoshida +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 15 ++++++++------- + fs/nilfs2/super.c | 2 -- + 2 files changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -322,7 +322,7 @@ void nilfs_relax_pressure_in_lock(struct + struct the_nilfs *nilfs = sb->s_fs_info; + struct nilfs_sc_info *sci = nilfs->ns_writer; + +- if (!sci || !sci->sc_flush_request) ++ if (sb_rdonly(sb) || unlikely(!sci) || !sci->sc_flush_request) + return; + + set_bit(NILFS_SC_PRIOR_FLUSH, &sci->sc_flags); +@@ -2243,7 +2243,7 @@ int nilfs_construct_segment(struct super + struct nilfs_transaction_info *ti; + int err; + +- if (!sci) ++ if (sb_rdonly(sb) || unlikely(!sci)) + return -EROFS; + + /* A call inside transactions causes a deadlock. */ +@@ -2282,7 +2282,7 @@ int nilfs_construct_dsync_segment(struct + struct nilfs_transaction_info ti; + int err = 0; + +- if (!sci) ++ if (sb_rdonly(sb) || unlikely(!sci)) + return -EROFS; + + nilfs_transaction_lock(sb, &ti, 0); +@@ -2778,11 +2778,12 @@ int nilfs_attach_log_writer(struct super + + if (nilfs->ns_writer) { + /* +- * This happens if the filesystem was remounted +- * read/write after nilfs_error degenerated it into a +- * read-only mount. ++ * This happens if the filesystem is made read-only by ++ * __nilfs_error or nilfs_remount and then remounted ++ * read/write. In these cases, reuse the existing ++ * writer. 
+ */ +- nilfs_detach_log_writer(sb); ++ return 0; + } + + nilfs->ns_writer = nilfs_segctor_new(sb, root); +--- a/fs/nilfs2/super.c ++++ b/fs/nilfs2/super.c +@@ -1138,8 +1138,6 @@ static int nilfs_remount(struct super_bl + if ((bool)(*flags & SB_RDONLY) == sb_rdonly(sb)) + goto out; + if (*flags & SB_RDONLY) { +- /* Shutting down log writer */ +- nilfs_detach_log_writer(sb); + sb->s_flags |= SB_RDONLY; + + /* diff --git a/queue-4.19/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch b/queue-4.19/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch new file mode 100644 index 00000000000..ef8feb1d8cd --- /dev/null +++ b/queue-4.19/platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch 
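Review bot: in the nilfs_attach_log_writer() hunk, `return 0` now reuses the surviving writer but silently discards the `root` argument the caller passed in, while the fresh-writer path right below still uses it in `nilfs_segctor_new(sb, root)`. If the remount path can ever hand in a root different from the one the existing writer was built against, the reuse is wrong; either state in the new comment that root is guaranteed to be the same on remount, or compare it and WARN_ON a mismatch.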
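Review bot: in the three segment.c hunks adding `sb_rdonly(sb) ||`, the superblock flag becomes the real read-only guard now that the super.c hunk stops detaching the writer on a read-only remount, so every other site that used `!nilfs->ns_writer` as shorthand for "filesystem is read-only" needs the same treatment; the message only says "a few necessary read-only checks" were added, so listing the audited call sites would help reviewers of the backport. The guard is also racy by nature (SB_RDONLY can flip right after the check), which is acceptable here only because the writer now lives as long as the mount and a late segment construction just fails rather than touching freed memory; a comment at nilfs_construct_segment() spelling out that invariant would make the fix easier to keep intact.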
@@ -0,0 +1,61 @@ +From 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a Mon Sep 17 00:00:00 2001 +From: Jorge Lopez +Date: Fri, 28 Oct 2022 10:55:27 -0500 +Subject: platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi + +From: Jorge Lopez + +commit 1598bfa8e1faa932de42e1ee7628a1c4c4263f0a upstream. + +After upgrading BIOS to U82 01.02.01 Rev.A, the console is flooded +strange char "^@" which printed out every second and makes login +nearly impossible. Also the below messages were shown both in console +and journal/dmesg every second: + +usb 1-3: Device not responding to setup address. +usb 1-3: device not accepting address 4, error -71 +usb 1-3: device descriptor read/all, error -71 +usb usb1-port3: unable to enumerate USB device + +Wifi is soft blocked by checking rfkill. When unblocked manually, +after few seconds it would be soft blocked again. So I was suspecting +something triggered rfkill to soft block wifi. At the end it was +fixed by removing hp_wmi module. + +The root cause is the way hp-wmi driver handles command 1B on +post-2009 BIOS. In pre-2009 BIOS, command 1Bh return 0x4 to indicate +that BIOS no longer controls the power for the wireless devices. + +Signed-off-by: Jorge Lopez +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216468 +Reviewed-by: Mario Limonciello +Link: https://lore.kernel.org/r/20221028155527.7724-1-jorge.lopez2@hp.com +Cc: stable@vger.kernel.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/hp-wmi.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -894,8 +894,16 @@ static int __init hp_wmi_bios_setup(stru + wwan_rfkill = NULL; + rfkill2_count = 0; + +- if (hp_wmi_rfkill_setup(device)) +- hp_wmi_rfkill2_setup(device); ++ /* ++ * In pre-2009 BIOS, command 1Bh return 0x4 to indicate that ++ * BIOS no longer controls the power for the wireless ++ * devices. 
All features supported by this command will no ++ * longer be supported. ++ */ ++ if (!hp_wmi_bios_2009_later()) { ++ if (hp_wmi_rfkill_setup(device)) ++ hp_wmi_rfkill2_setup(device); ++ } + + err = device_create_file(&device->dev, &dev_attr_display); + if (err) diff --git a/queue-4.19/series b/queue-4.19/series index 142c8934416..77d632699f8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -24,3 +24,11 @@ alsa-hda-ca0132-add-quirk-for-evga-z390-dark.patch alsa-hda-fix-potential-memleak-in-add_widget_node.patch alsa-usb-audio-add-quirk-entry-for-m-audio-micro.patch alsa-usb-audio-add-dsd-support-for-accuphase-dac-60.patch +vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch +nilfs2-fix-deadlock-in-nilfs_count_free_blocks.patch +nilfs2-fix-use-after-free-bug-of-ns_writer-on-remount.patch +drm-i915-dmabuf-fix-sg_table-handling-in-map_dma_buf.patch +platform-x86-hp_wmi-fix-rfkill-causing-soft-blocked-wifi.patch +btrfs-selftests-fix-wrong-error-check-in-btrfs_free_dummy_root.patch +udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch +cert-host-tools-stop-complaining-about-deprecated-openssl-functions.patch diff --git a/queue-4.19/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch b/queue-4.19/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch new file mode 100644 index 00000000000..125f5e4fe6a --- /dev/null +++ b/queue-4.19/udf-fix-a-slab-out-of-bounds-write-bug-in-udf_find_entry.patch 
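Review bot: on the hp-wmi.c hunk above, the new comment and the condition disagree: the comment says "In pre-2009 BIOS, command 1Bh return 0x4 to indicate that BIOS no longer controls the power for the wireless devices", yet the code skips rfkill setup when hp_wmi_bios_2009_later() is true, i.e. on 2009-and-later BIOS, which is also what the commit message ("the way hp-wmi driver handles command 1B on post-2009 BIOS") describes. Reword the comment to match the condition. Separately, hp_wmi_bios_2009_later() is called but not added by this patch, so confirm the helper exists in the 4.19 tree before queueing. The user-visible trade-off is that no rfkill devices are registered by this driver on newer HP BIOSes (wifi_rfkill/wwan_rfkill stay NULL) instead of flapping to soft-blocked every second, which the message presents as intended.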
@@ -0,0 +1,135 @@ +From c8af247de385ce49afabc3bf1cf4fd455c94bfe8 Mon Sep 17 00:00:00 2001 +From: ZhangPeng +Date: Wed, 9 Nov 2022 01:35:42 +0000 +Subject: udf: Fix a slab-out-of-bounds write bug in udf_find_entry() + +From: ZhangPeng + +commit c8af247de385ce49afabc3bf1cf4fd455c94bfe8 upstream. + +Syzbot reported a slab-out-of-bounds Write bug: + +loop0: detected capacity change from 0 to 2048 +================================================================== +BUG: KASAN: slab-out-of-bounds in udf_find_entry+0x8a5/0x14f0 +fs/udf/namei.c:253 +Write of size 105 at addr ffff8880123ff896 by task syz-executor323/3610 + +CPU: 0 PID: 3610 Comm: syz-executor323 Not tainted +6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS +Google 10/11/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 + memcpy+0x3c/0x60 mm/kasan/shadow.c:66 + udf_find_entry+0x8a5/0x14f0 fs/udf/namei.c:253 + udf_lookup+0xef/0x340 fs/udf/namei.c:309 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7ffab0d164d9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 +f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 +f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 
d8 64 89 01 48 +RSP: 002b:00007ffe1a7e6bb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffab0d164d9 +RDX: 00007ffab0d164d9 RSI: 0000000000000000 RDI: 0000000020000180 +RBP: 00007ffab0cd5a10 R08: 0000000000000000 R09: 0000000000000000 +R10: 00005555573552c0 R11: 0000000000000246 R12: 00007ffab0cd5aa0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Allocated by task 3610: + kasan_save_stack mm/kasan/common.c:45 [inline] + kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:371 [inline] + __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 + kmalloc include/linux/slab.h:576 [inline] + udf_find_entry+0x7b6/0x14f0 fs/udf/namei.c:243 + udf_lookup+0xef/0x340 fs/udf/namei.c:309 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The buggy address belongs to the object at ffff8880123ff800 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 150 bytes inside of + 256-byte region [ffff8880123ff800, ffff8880123ff900) + +The buggy address belongs to the physical page: +page:ffffea000048ff80 refcount:1 mapcount:0 mapping:0000000000000000 +index:0x0 pfn:0x123fe +head:ffffea000048ff80 order:1 compound_mapcount:0 compound_pincount:0 +flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) +raw: 00fff00000010200 ffffea00004b8500 dead000000000003 ffff888012041b40 +raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad 
access detected +page_owner tracks the page as allocated +page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), +pid 1, tgid 1 (swapper/0), ts 1841222404, free_ts 0 + create_dummy_stack mm/page_owner.c:67 [inline] + register_early_stack+0x77/0xd0 mm/page_owner.c:83 + init_page_owner+0x3a/0x731 mm/page_owner.c:93 + kernel_init_freeable+0x41c/0x5d5 init/main.c:1629 + kernel_init+0x19/0x2b0 init/main.c:1519 +page_owner free stack trace missing + +Memory state around the buggy address: + ffff8880123ff780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8880123ff800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff8880123ff880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 + ^ + ffff8880123ff900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8880123ff980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fix this by changing the memory size allocated for copy_name from +UDF_NAME_LEN(254) to UDF_NAME_LEN_CS0(255), because the total length +(lfi) of subsequent memcpy can be up to 255. + +CC: stable@vger.kernel.org +Reported-by: syzbot+69c9fdccc6dd08961d34@syzkaller.appspotmail.com +Fixes: 066b9cded00b ("udf: Use separate buffer for copying split names") +Signed-off-by: ZhangPeng +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221109013542.442790-1-zhangpeng362@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -241,7 +241,7 @@ static struct fileIdentDesc *udf_find_en + poffset - lfi); + else { + if (!copy_name) { +- copy_name = kmalloc(UDF_NAME_LEN, ++ copy_name = kmalloc(UDF_NAME_LEN_CS0, + GFP_NOFS); + if (!copy_name) { + fi = ERR_PTR(-ENOMEM); 
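Review bot: on the fs/udf/namei.c hunk above, growing copy_name from UDF_NAME_LEN (254) to UDF_NAME_LEN_CS0 (255) closes the one-byte overrun in the report (a 105-byte write starting 150 bytes into a 254-byte object, per the KASAN shadow), but the memcpy at namei.c:253 still trusts the on-disk lfi, and the "loop0: detected capacity change" line shows the trigger is a mounted crafted image. The copy site should clamp lfi against the buffer size rather than rely on UDF_NAME_LEN_CS0 happening to equal the maximum lfi; at minimum add a comment at the allocation saying "lfi can be up to UDF_NAME_LEN_CS0" so the constant stays tied to the reason it was chosen.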
diff --git a/queue-4.19/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch b/queue-4.19/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch new file mode 100644 index 00000000000..1384024dad1 --- /dev/null +++ b/queue-4.19/vmlinux.lds.h-fix-placement-of-.data..decrypted-section.patch 
@@ -0,0 +1,52 @@ +From 000f8870a47bdc36730357883b6aef42bced91ee Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 8 Nov 2022 10:49:34 -0700 +Subject: vmlinux.lds.h: Fix placement of '.data..decrypted' section + +From: Nathan Chancellor + +commit 000f8870a47bdc36730357883b6aef42bced91ee upstream. + +Commit d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP") +fixed an orphan section warning by adding the '.data..decrypted' section +to the linker script under the PERCPU_DECRYPTED_SECTION define but that +placement introduced a panic with !SMP, as the percpu sections are not +instantiated with that configuration so attempting to access variables +defined with DEFINE_PER_CPU_DECRYPTED() will result in a page fault. + +Move the '.data..decrypted' section to the DATA_MAIN define so that the +variables in it are properly instantiated at boot time with +CONFIG_SMP=n. + +Cc: stable@vger.kernel.org +Fixes: d4c639990036 ("vmlinux.lds.h: Avoid orphan section with !SMP") +Link: https://lore.kernel.org/cbbd3548-880c-d2ca-1b67-5bb93b291d5f@huawei.com/ +Debugged-by: Ard Biesheuvel +Reported-by: Zhao Wenhui +Tested-by: xiafukun +Signed-off-by: Nathan Chancellor +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221108174934.3384275-1-nathan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/vmlinux.lds.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -242,6 +242,7 @@ + #define DATA_DATA \ + *(.xiptext) \ + *(DATA_MAIN) \ ++ *(.data..decrypted) \ + *(.ref.data) \ + *(.data..shared_aligned) /* percpu related */ \ + MEM_KEEP(init.data*) \ +@@ -843,7 +844,6 @@ + #ifdef CONFIG_AMD_MEM_ENCRYPT + #define PERCPU_DECRYPTED_SECTION \ + . = ALIGN(PAGE_SIZE); \ +- *(.data..decrypted) \ + *(.data..percpu..decrypted) \ + . = ALIGN(PAGE_SIZE); + #else
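Review bot: on the vmlinux.lds.h hunks above, the commit message says the section moves "to the DATA_MAIN define" but the first hunk places `*(.data..decrypted)` inside DATA_DATA, directly after `*(DATA_MAIN)`; fix the message so the two agree. More importantly, the old location in PERCPU_DECRYPTED_SECTION was bracketed by `. = ALIGN(PAGE_SIZE)` on both sides and the new line has no alignment at all. SME marks memory encrypted or not per page via the page tables, so either the objects placed in .data..decrypted already carry their own page alignment and padding (then say so in a comment beside the new line) or an ALIGN is needed here too, otherwise unrelated .data can share a page with decrypted memory. The second hunk is cut off after `#else` on this page, so the !CONFIG_AMD_MEM_ENCRYPT side could not be checked.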