From: Greg Kroah-Hartman Date: Wed, 23 Feb 2022 18:21:29 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v4.9.304~76 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be62a5625f16736c2a53455ddef942de82d4fdbd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: btrfs-tree-checker-check-item_size-for-dev_item.patch btrfs-tree-checker-check-item_size-for-inode_item.patch cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch cgroup-v1-correct-privileges-check-in-release_agent-writes.patch mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch --- diff --git a/queue-5.16/btrfs-tree-checker-check-item_size-for-dev_item.patch b/queue-5.16/btrfs-tree-checker-check-item_size-for-dev_item.patch new file mode 100644 index 00000000000..b0cc4b58d17 --- /dev/null +++ b/queue-5.16/btrfs-tree-checker-check-item_size-for-dev_item.patch @@ -0,0 +1,44 @@ +From ea1d1ca4025ac6c075709f549f9aa036b5b6597d Mon Sep 17 00:00:00 2001 +From: Su Yue +Date: Fri, 21 Jan 2022 17:33:35 +0800 +Subject: btrfs: tree-checker: check item_size for dev_item + +From: Su Yue + +commit ea1d1ca4025ac6c075709f549f9aa036b5b6597d upstream. + +Check item size before accessing the device item to avoid out of bound +access, similar to inode_item check. + +Signed-off-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -965,6 +965,7 @@ static int check_dev_item(struct extent_ + struct btrfs_key *key, int slot) + { + struct btrfs_dev_item *ditem; ++ const u32 item_size = btrfs_item_size_nr(leaf, slot); + + if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) { + dev_item_err(leaf, slot, +@@ -972,6 +973,13 @@ static int check_dev_item(struct extent_ + key->objectid, BTRFS_DEV_ITEMS_OBJECTID); + return -EUCLEAN; + } ++ ++ if (unlikely(item_size != sizeof(*ditem))) { ++ dev_item_err(leaf, slot, "invalid item size: has %u expect %zu", ++ item_size, sizeof(*ditem)); ++ return -EUCLEAN; ++ } ++ + ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item); + if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) { + dev_item_err(leaf, slot, diff --git a/queue-5.16/btrfs-tree-checker-check-item_size-for-inode_item.patch b/queue-5.16/btrfs-tree-checker-check-item_size-for-inode_item.patch new file mode 100644 index 00000000000..ca374fac47f --- /dev/null +++ b/queue-5.16/btrfs-tree-checker-check-item_size-for-inode_item.patch @@ -0,0 +1,113 @@ +From 0c982944af27d131d3b74242f3528169f66950ad Mon Sep 17 00:00:00 2001 +From: Su Yue +Date: Fri, 21 Jan 2022 17:33:34 +0800 +Subject: btrfs: tree-checker: check item_size for inode_item + +From: Su Yue + +commit 0c982944af27d131d3b74242f3528169f66950ad upstream. + +while mounting the crafted image, out-of-bounds access happens: + + [350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1 + [350.429636] index 1048096 is out of range for type 'page *[16]' + [350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1 + [350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 + [350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs] + [350.429772] Call Trace: + [350.429774] + [350.429776] dump_stack_lvl+0x47/0x5c + [350.429780] ubsan_epilogue+0x5/0x50 + [350.429786] __ubsan_handle_out_of_bounds+0x66/0x70 + [350.429791] btrfs_get_16+0xfd/0x120 [btrfs] + [350.429832] check_leaf+0x754/0x1a40 [btrfs] + [350.429874] ? filemap_read+0x34a/0x390 + [350.429878] ? load_balance+0x175/0xfc0 + [350.429881] validate_extent_buffer+0x244/0x310 [btrfs] + [350.429911] btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs] + [350.429935] end_bio_extent_readpage+0x3af/0x850 [btrfs] + [350.429969] ? newidle_balance+0x259/0x480 + [350.429972] end_workqueue_fn+0x29/0x40 [btrfs] + [350.429995] btrfs_work_helper+0x71/0x330 [btrfs] + [350.430030] ? __schedule+0x2fb/0xa40 + [350.430033] process_one_work+0x1f6/0x400 + [350.430035] ? process_one_work+0x400/0x400 + [350.430036] worker_thread+0x2d/0x3d0 + [350.430037] ? process_one_work+0x400/0x400 + [350.430038] kthread+0x165/0x190 + [350.430041] ? set_kthread_struct+0x40/0x40 + [350.430043] ret_from_fork+0x1f/0x30 + [350.430047] + [350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2 + +check_leaf() is checking the leaf: + + corrupt leaf: root=4 block=29396992 slot=1, bad key order, prev (16140901064495857664 1 0) current (1 204 12582912) + leaf 29396992 items 6 free space 3565 generation 6 owner DEV_TREE + leaf 29396992 flags 0x1(WRITTEN) backref revision 1 + fs uuid a62e00e8-e94e-4200-8217-12444de93c2e + chunk uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8 + item 0 key (16140901064495857664 INODE_ITEM 0) itemoff 3955 itemsize 40 + generation 0 transid 0 size 0 nbytes 17592186044416 + block group 0 mode 52667 links 33 uid 0 gid 2104132511 rdev 94223634821136 + sequence 100305 flags 0x2409000(none) + atime 0.0 (1970-01-01 08:00:00) + ctime 2973280098083405823.4294967295 (-269783007-01-01 21:37:03) + mtime 18446744071572723616.4026825121 (1902-04-16 12:40:00) + otime 9249929404488876031.4294967295 (622322949-04-16 04:25:58) + item 1 key (1 DEV_EXTENT 12582912) itemoff 3907 itemsize 48 + dev extent chunk_tree 3 + chunk_objectid 256 chunk_offset 12582912 length 8388608 + chunk_tree_uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8 + +The corrupted leaf of device tree has an inode item. The leaf passed +checksum and others checks in validate_extent_buffer until check_leaf_item(). +Because of the key type BTRFS_INODE_ITEM, check_inode_item() is called even we +are in the device tree. Since the +item offset + sizeof(struct btrfs_inode_item) > eb->len, out-of-bounds access +is triggered. + +The item end vs leaf boundary check has been done before +check_leaf_item(), so fix it by checking item size in check_inode_item() +before access of the inode item in extent buffer. + +Other check functions except check_dev_item() in check_leaf_item() +have their item size checks. +The commit for check_dev_item() is followed. + +No regression observed during running fstests. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215299 +CC: stable@vger.kernel.org # 5.10+ +CC: Wenqing Liu +Signed-off-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1007,6 +1007,7 @@ static int check_inode_item(struct exten + struct btrfs_inode_item *iitem; + u64 super_gen = btrfs_super_generation(fs_info->super_copy); + u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777); ++ const u32 item_size = btrfs_item_size_nr(leaf, slot); + u32 mode; + int ret; + u32 flags; +@@ -1016,6 +1017,12 @@ static int check_inode_item(struct exten + if (unlikely(ret < 0)) + return ret; + ++ if (unlikely(item_size != sizeof(*iitem))) { ++ generic_err(leaf, slot, "invalid item size: has %u expect %zu", ++ item_size, sizeof(*iitem)); ++ return -EUCLEAN; ++ } ++ + iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item); + + /* Here we use super block generation + 1 to handle log tree */ diff --git a/queue-5.16/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch b/queue-5.16/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch new file mode 100644 index 00000000000..d5ceadf3202 --- /dev/null +++ b/queue-5.16/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch @@ -0,0 +1,62 @@ +From 05c7b7a92cc87ff8d7fde189d0fade250697573c Mon Sep 17 00:00:00 2001 +From: Zhang Qiao +Date: Fri, 21 Jan 2022 18:12:10 +0800 +Subject: cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhang Qiao + +commit 05c7b7a92cc87ff8d7fde189d0fade250697573c upstream. + +As previously discussed(https://lkml.org/lkml/2022/1/20/51), +cpuset_attach() is affected with similar cpu hotplug race, +as follow scenario: + + cpuset_attach() cpu hotplug + --------------------------- ---------------------- + down_write(cpuset_rwsem) + guarantee_online_cpus() // (load cpus_attach) + sched_cpu_deactivate + set_cpu_active() + // will change cpu_active_mask + set_cpus_allowed_ptr(cpus_attach) + __set_cpus_allowed_ptr_locked() + // (if the intersection of cpus_attach and + cpu_active_mask is empty, will return -EINVAL) + up_write(cpuset_rwsem) + +To avoid races such as described above, protect cpuset_attach() call +with cpu_hotplug_lock. + +Fixes: be367d099270 ("cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time") +Cc: stable@vger.kernel.org # v2.6.32+ +Reported-by: Zhao Gongyi +Signed-off-by: Zhang Qiao +Acked-by: Waiman Long +Reviewed-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -2269,6 +2269,7 @@ static void cpuset_attach(struct cgroup_ + cgroup_taskset_first(tset, &css); + cs = css_cs(css); + ++ cpus_read_lock(); + percpu_down_write(&cpuset_rwsem); + + guarantee_online_mems(cs, &cpuset_attach_nodemask_to); +@@ -2322,6 +2323,7 @@ static void cpuset_attach(struct cgroup_ + wake_up(&cpuset_attach_wq); + + percpu_up_write(&cpuset_rwsem); ++ cpus_read_unlock(); + } + + /* The various types of files and directories in a cpuset file system */ diff --git a/queue-5.16/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch b/queue-5.16/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch new file mode 100644 index 00000000000..a9f1b2172b0 --- /dev/null +++ b/queue-5.16/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch @@ -0,0 +1,55 @@ +From 467a726b754f474936980da793b4ff2ec3e382a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Thu, 17 Feb 2022 17:11:28 +0100 +Subject: cgroup-v1: Correct privileges check in release_agent writes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +commit 467a726b754f474936980da793b4ff2ec3e382a7 upstream. + +The idea is to check: a) the owning user_ns of cgroup_ns, b) +capabilities in init_user_ns. + +The commit 24f600856418 ("cgroup-v1: Require capabilities to set +release_agent") got this wrong in the write handler of release_agent +since it checked user_ns of the opener (may be different from the owning +user_ns of cgroup_ns). +Secondly, to avoid possibly confused deputy, the capability of the +opener must be checked. + +Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/ +Signed-off-by: Michal Koutný +Reviewed-by: Masami Ichikawa(CIP) +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cgroup-v1.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -546,6 +546,7 @@ static ssize_t cgroup_release_agent_writ + char *buf, size_t nbytes, loff_t off) + { + struct cgroup *cgrp; ++ struct cgroup_file_ctx *ctx; + + BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); + +@@ -553,8 +554,9 @@ static ssize_t cgroup_release_agent_writ + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ +- if ((of->file->f_cred->user_ns != &init_user_ns) || +- !capable(CAP_SYS_ADMIN)) ++ ctx = of->priv; ++ if ((ctx->ns->user_ns != &init_user_ns) || ++ !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN)) + return -EPERM; + + cgrp = cgroup_kn_lock_live(of->kn, false); diff --git a/queue-5.16/mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch b/queue-5.16/mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch new file mode 100644 index 00000000000..8e58e35cefc --- /dev/null +++ b/queue-5.16/mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch @@ -0,0 +1,55 @@ +From willy@infradead.org Wed Feb 23 18:42:46 2022 +From: "Matthew Wilcox (Oracle)" +Date: Wed, 23 Feb 2022 15:59:18 +0000 +Subject: mm/filemap: Fix handling of THPs in generic_file_buffered_read() +To: stable@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kirill.shutemov@linux.intel.com, Song Liu +Cc: "Matthew Wilcox (Oracle)" , Adam Majer , Dirk Mueller , Takashi Iwai , Vlastimil Babka +Message-ID: <20220223155918.927140-1-willy@infradead.org> + +From: "Matthew Wilcox (Oracle)" + +When a THP is present in the page cache, we can return it several times, +leading to userspace seeing the same data repeatedly if doing a read() +that crosses a 64-page boundary. This is probably not a security issue +(since the data all comes from the same file), but it can be interpreted +as a transient data corruption issue. Fortunately, it is very rare as +it can only occur when CONFIG_READ_ONLY_THP_FOR_FS is enabled, and it can +only happen to executables. We don't often call read() on executables. + +This bug is fixed differently in v5.17 by commit 6b24ca4a1a8d +("mm: Use multi-index entries in the page cache"). That commit is +unsuitable for backporting, so fix this in the clearest way. It +sacrifices a little performance for clarity, but this should never +be a performance path in these kernel versions. + +Fixes: cbd59c48ae2b ("mm/filemap: use head pages in generic_file_buffered_read") +Cc: stable@vger.kernel.org # v5.15, v5.16 +Link: https://lore.kernel.org/r/df3b5d1c-a36b-2c73-3e27-99e74983de3a@suse.cz/ +Analyzed-by: Adam Majer +Analyzed-by: Dirk Mueller +Bisected-by: Takashi Iwai +Reported-by: Vlastimil Babka +Tested-by: Vlastimil Babka +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + mm/filemap.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2365,8 +2365,12 @@ static void filemap_get_read_batch(struc + break; + if (PageReadahead(head)) + break; +- xas.xa_index = head->index + thp_nr_pages(head) - 1; +- xas.xa_offset = (xas.xa_index >> xas.xa_shift) & XA_CHUNK_MASK; ++ if (PageHead(head)) { ++ xas_set(&xas, head->index + thp_nr_pages(head)); ++ /* Handle wrap correctly */ ++ if (xas.xa_index - 1 >= max) ++ break; ++ } + continue; + put_page: + put_page(head); diff --git a/queue-5.16/series b/queue-5.16/series new file mode 100644 index 00000000000..6e9c8f0413c --- /dev/null +++ b/queue-5.16/series @@ -0,0 +1,5 @@ +mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch +cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch +cgroup-v1-correct-privileges-check-in-release_agent-writes.patch +btrfs-tree-checker-check-item_size-for-inode_item.patch +btrfs-tree-checker-check-item_size-for-dev_item.patch