From: Greg Kroah-Hartman Date: Fri, 3 Jun 2022 13:37:36 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.317~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd75434fc9305f9b46346fba305885151b948613;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: assoc_array-fix-bug_on-during-garbage-collect.patch i2c-ismt-prevent-memory-corruption-in-ismt_access.patch netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch pipe-fix-missing-lock-in-pipe_resize_ring.patch pipe-make-poll_usage-boolean-and-annotate-its-access.patch --- diff --git a/queue-5.17/assoc_array-fix-bug_on-during-garbage-collect.patch b/queue-5.17/assoc_array-fix-bug_on-during-garbage-collect.patch new file mode 100644 index 00000000000..5933b395572 --- /dev/null +++ b/queue-5.17/assoc_array-fix-bug_on-during-garbage-collect.patch @@ -0,0 +1,163 @@ +From d1dc87763f406d4e67caf16dbe438a5647692395 Mon Sep 17 00:00:00 2001 +From: Stephen Brennan +Date: Thu, 19 May 2022 09:50:30 +0100 +Subject: assoc_array: Fix BUG_ON during garbage collect + +From: Stephen Brennan + +commit d1dc87763f406d4e67caf16dbe438a5647692395 upstream. + +A rare BUG_ON triggered in assoc_array_gc: + + [3430308.818153] kernel BUG at lib/assoc_array.c:1609! + +Which corresponded to the statement currently at line 1593 upstream: + + BUG_ON(assoc_array_ptr_is_meta(p)); + +Using the data from the core dump, I was able to generate a userspace +reproducer[1] and determine the cause of the bug. + +[1]: https://github.com/brenns10/kernel_stuff/tree/master/assoc_array_gc + +After running the iterator on the entire branch, an internal tree node +looked like the following: + + NODE (nr_leaves_on_branch: 3) + SLOT [0] NODE (2 leaves) + SLOT [1] NODE (1 leaf) + SLOT [2..f] NODE (empty) + +In the userspace reproducer, the pr_devel output when compressing this +node was: + + -- compress node 0x5607cc089380 -- + free=0, leaves=0 + [0] retain node 2/1 [nx 0] + [1] fold node 1/1 [nx 0] + [2] fold node 0/1 [nx 2] + [3] fold node 0/2 [nx 2] + [4] fold node 0/3 [nx 2] + [5] fold node 0/4 [nx 2] + [6] fold node 0/5 [nx 2] + [7] fold node 0/6 [nx 2] + [8] fold node 0/7 [nx 2] + [9] fold node 0/8 [nx 2] + [10] fold node 0/9 [nx 2] + [11] fold node 0/10 [nx 2] + [12] fold node 0/11 [nx 2] + [13] fold node 0/12 [nx 2] + [14] fold node 0/13 [nx 2] + [15] fold node 0/14 [nx 2] + after: 3 + +At slot 0, an internal node with 2 leaves could not be folded into the +node, because there was only one available slot (slot 0). Thus, the +internal node was retained. At slot 1, the node had one leaf, and was +able to be folded in successfully. The remaining nodes had no leaves, +and so were removed. By the end of the compression stage, there were 14 +free slots, and only 3 leaf nodes. The tree was ascended and then its +parent node was compressed. When this node was seen, it could not be +folded, due to the internal node it contained. + +The invariant for compression in this function is: whenever +nr_leaves_on_branch < ASSOC_ARRAY_FAN_OUT, the node should contain all +leaf nodes. The compression step currently cannot guarantee this, given +the corner case shown above. + +To fix this issue, retry compression whenever we have retained a node, +and yet nr_leaves_on_branch < ASSOC_ARRAY_FAN_OUT. This second +compression will then allow the node in slot 1 to be folded in, +satisfying the invariant. Below is the output of the reproducer once the +fix is applied: + + -- compress node 0x560e9c562380 -- + free=0, leaves=0 + [0] retain node 2/1 [nx 0] + [1] fold node 1/1 [nx 0] + [2] fold node 0/1 [nx 2] + [3] fold node 0/2 [nx 2] + [4] fold node 0/3 [nx 2] + [5] fold node 0/4 [nx 2] + [6] fold node 0/5 [nx 2] + [7] fold node 0/6 [nx 2] + [8] fold node 0/7 [nx 2] + [9] fold node 0/8 [nx 2] + [10] fold node 0/9 [nx 2] + [11] fold node 0/10 [nx 2] + [12] fold node 0/11 [nx 2] + [13] fold node 0/12 [nx 2] + [14] fold node 0/13 [nx 2] + [15] fold node 0/14 [nx 2] + internal nodes remain despite enough space, retrying + -- compress node 0x560e9c562380 -- + free=14, leaves=1 + [0] fold node 2/15 [nx 0] + after: 3 + +Changes +======= +DH: + - Use false instead of 0. + - Reorder the inserted lines in a couple of places to put retained before + next_slot. + +ver #2) + - Fix typo in pr_devel, correct comparison to "<=" + +Fixes: 3cb989501c26 ("Add a generic associative array implementation.") +Cc: +Signed-off-by: Stephen Brennan +Signed-off-by: David Howells +cc: Andrew Morton +cc: keyrings@vger.kernel.org +Link: https://lore.kernel.org/r/20220511225517.407935-1-stephen.s.brennan@oracle.com/ # v1 +Link: https://lore.kernel.org/r/20220512215045.489140-1-stephen.s.brennan@oracle.com/ # v2 +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + lib/assoc_array.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/lib/assoc_array.c ++++ b/lib/assoc_array.c +@@ -1461,6 +1461,7 @@ int assoc_array_gc(struct assoc_array *a + struct assoc_array_ptr *cursor, *ptr; + struct assoc_array_ptr *new_root, *new_parent, **new_ptr_pp; + unsigned long nr_leaves_on_tree; ++ bool retained; + int keylen, slot, nr_free, next_slot, i; + + pr_devel("-->%s()\n", __func__); +@@ -1536,6 +1537,7 @@ continue_node: + goto descend; + } + ++retry_compress: + pr_devel("-- compress node %p --\n", new_n); + + /* Count up the number of empty slots in this node and work out the +@@ -1553,6 +1555,7 @@ continue_node: + pr_devel("free=%d, leaves=%lu\n", nr_free, new_n->nr_leaves_on_branch); + + /* See what we can fold in */ ++ retained = false; + next_slot = 0; + for (slot = 0; slot < ASSOC_ARRAY_FAN_OUT; slot++) { + struct assoc_array_shortcut *s; +@@ -1602,9 +1605,14 @@ continue_node: + pr_devel("[%d] retain node %lu/%d [nx %d]\n", + slot, child->nr_leaves_on_branch, nr_free + 1, + next_slot); ++ retained = true; + } + } + ++ if (retained && new_n->nr_leaves_on_branch <= ASSOC_ARRAY_FAN_OUT) { ++ pr_devel("internal nodes remain despite enough space, retrying\n"); ++ goto retry_compress; ++ } + pr_devel("after: %lu\n", new_n->nr_leaves_on_branch); + + nr_leaves_on_tree = new_n->nr_leaves_on_branch; diff --git a/queue-5.17/i2c-ismt-prevent-memory-corruption-in-ismt_access.patch b/queue-5.17/i2c-ismt-prevent-memory-corruption-in-ismt_access.patch new file mode 100644 index 00000000000..ad3ca38949b --- /dev/null +++ b/queue-5.17/i2c-ismt-prevent-memory-corruption-in-ismt_access.patch @@ -0,0 +1,35 @@ +From 690b2549b19563ec5ad53e5c82f6a944d910086e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 2 Jun 2022 14:02:18 +0300 +Subject: i2c: ismt: prevent memory corruption in ismt_access() + +From: Dan Carpenter + +commit 690b2549b19563ec5ad53e5c82f6a944d910086e upstream. + +The "data->block[0]" variable comes from the user and is a number +between 0-255. It needs to be capped to prevent writing beyond the end +of dma_buffer[]. + +Fixes: 5e9a97b1f449 ("i2c: ismt: Adding support for I2C_SMBUS_BLOCK_PROC_CALL") +Reported-and-tested-by: Zheyu Ma +Signed-off-by: Dan Carpenter +Reviewed-by: Mika Westerberg +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-ismt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -528,6 +528,9 @@ static int ismt_access(struct i2c_adapte + + case I2C_SMBUS_BLOCK_PROC_CALL: + dev_dbg(dev, "I2C_SMBUS_BLOCK_PROC_CALL\n"); ++ if (data->block[0] > I2C_SMBUS_BLOCK_MAX) ++ return -EINVAL; ++ + dma_size = I2C_SMBUS_BLOCK_MAX; + desc->tgtaddr_rw = ISMT_DESC_ADDR_RW(addr, 1); + desc->wr_len_cmd = data->block[0] + 1; diff --git a/queue-5.17/netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch b/queue-5.17/netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch new file mode 100644 index 00000000000..85fbf91fb2d --- /dev/null +++ b/queue-5.17/netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch @@ -0,0 +1,98 @@ +From 520778042ccca019f3ffa136dd0ca565c486cedd Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 25 May 2022 10:36:38 +0200 +Subject: netfilter: nf_tables: disallow non-stateful expression in sets earlier + +From: Pablo Neira Ayuso + +commit 520778042ccca019f3ffa136dd0ca565c486cedd upstream. + +Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression +instantiation"), it is possible to attach stateful expressions to set +elements. + +cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate +and destroy phase") introduces conditional destruction on the object to +accomodate transaction semantics. + +nft_expr_init() calls expr->ops->init() first, then check for +NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful +lookup expressions which points to a set, which might lead to UAF since +the set is not properly detached from the set->binding for this case. +Anyway, this combination is non-sense from nf_tables perspective. + +This patch fixes this problem by checking for NFT_STATEFUL_EXPR before +expr->ops->init() is called. + +The reporter provides a KASAN splat and a poc reproducer (similar to +those autogenerated by syzbot to report use-after-free errors). It is +unknown to me if they are using syzbot or if they use similar automated +tool to locate the bug that they are reporting. + +For the record, this is the KASAN splat. + +[ 85.431824] ================================================================== +[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20 +[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776 +[ 85.434756] +[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2 +[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + +Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling") +Reported-and-tested-by: Aaron Adams +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2794,27 +2794,31 @@ static struct nft_expr *nft_expr_init(co + + err = nf_tables_expr_parse(ctx, nla, &expr_info); + if (err < 0) +- goto err1; ++ goto err_expr_parse; ++ ++ err = -EOPNOTSUPP; ++ if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) ++ goto err_expr_stateful; + + err = -ENOMEM; + expr = kzalloc(expr_info.ops->size, GFP_KERNEL); + if (expr == NULL) +- goto err2; ++ goto err_expr_stateful; + + err = nf_tables_newexpr(ctx, &expr_info, expr); + if (err < 0) +- goto err3; ++ goto err_expr_new; + + return expr; +-err3: ++err_expr_new: + kfree(expr); +-err2: ++err_expr_stateful: + owner = expr_info.ops->type->owner; + if (expr_info.ops->type->release_ops) + expr_info.ops->type->release_ops(expr_info.ops); + + module_put(owner); +-err1: ++err_expr_parse: + return ERR_PTR(err); + } + +@@ -5334,9 +5338,6 @@ struct nft_expr *nft_set_elem_expr_alloc + return expr; + + err = -EOPNOTSUPP; +- if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) +- goto err_set_elem_expr; +- + if (expr->ops->type->flags & NFT_EXPR_GC) { + if (set->flags & NFT_SET_TIMEOUT) + goto err_set_elem_expr; diff --git a/queue-5.17/pipe-fix-missing-lock-in-pipe_resize_ring.patch b/queue-5.17/pipe-fix-missing-lock-in-pipe_resize_ring.patch new file mode 100644 index 00000000000..d6c88f9d62d --- /dev/null +++ b/queue-5.17/pipe-fix-missing-lock-in-pipe_resize_ring.patch @@ -0,0 +1,100 @@ +From 189b0ddc245139af81198d1a3637cac74f96e13a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 26 May 2022 07:34:52 +0100 +Subject: pipe: Fix missing lock in pipe_resize_ring() + +From: David Howells + +commit 189b0ddc245139af81198d1a3637cac74f96e13a upstream. + +pipe_resize_ring() needs to take the pipe->rd_wait.lock spinlock to +prevent post_one_notification() from trying to insert into the ring +whilst the ring is being replaced. + +The occupancy check must be done after the lock is taken, and the lock +must be taken after the new ring is allocated. + +The bug can lead to an oops looking something like: + + BUG: KASAN: use-after-free in post_one_notification.isra.0+0x62e/0x840 + Read of size 4 at addr ffff88801cc72a70 by task poc/27196 + ... + Call Trace: + post_one_notification.isra.0+0x62e/0x840 + __post_watch_notification+0x3b7/0x650 + key_create_or_update+0xb8b/0xd20 + __do_sys_add_key+0x175/0x340 + __x64_sys_add_key+0xbe/0x140 + do_syscall_64+0x5c/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported by Selim Enes Karaduman @Enesdex working with Trend Micro Zero +Day Initiative. + +Fixes: c73be61cede5 ("pipe: Add general notification queue support") +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17291 +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/pipe.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -1245,30 +1245,33 @@ unsigned int round_pipe_size(unsigned lo + + /* + * Resize the pipe ring to a number of slots. ++ * ++ * Note the pipe can be reduced in capacity, but only if the current ++ * occupancy doesn't exceed nr_slots; if it does, EBUSY will be ++ * returned instead. + */ + int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) + { + struct pipe_buffer *bufs; + unsigned int head, tail, mask, n; + +- /* +- * We can shrink the pipe, if arg is greater than the ring occupancy. +- * Since we don't expect a lot of shrink+grow operations, just free and +- * allocate again like we would do for growing. If the pipe currently +- * contains more buffers than arg, then return busy. +- */ +- mask = pipe->ring_size - 1; +- head = pipe->head; +- tail = pipe->tail; +- n = pipe_occupancy(pipe->head, pipe->tail); +- if (nr_slots < n) +- return -EBUSY; +- + bufs = kcalloc(nr_slots, sizeof(*bufs), + GFP_KERNEL_ACCOUNT | __GFP_NOWARN); + if (unlikely(!bufs)) + return -ENOMEM; + ++ spin_lock_irq(&pipe->rd_wait.lock); ++ mask = pipe->ring_size - 1; ++ head = pipe->head; ++ tail = pipe->tail; ++ ++ n = pipe_occupancy(head, tail); ++ if (nr_slots < n) { ++ spin_unlock_irq(&pipe->rd_wait.lock); ++ kfree(bufs); ++ return -EBUSY; ++ } ++ + /* + * The pipe array wraps around, so just start the new one at zero + * and adjust the indices. +@@ -1300,6 +1303,8 @@ int pipe_resize_ring(struct pipe_inode_i + pipe->tail = tail; + pipe->head = head; + ++ spin_unlock_irq(&pipe->rd_wait.lock); ++ + /* This might have made more room for writers */ + wake_up_interruptible(&pipe->wr_wait); + return 0; diff --git a/queue-5.17/pipe-make-poll_usage-boolean-and-annotate-its-access.patch b/queue-5.17/pipe-make-poll_usage-boolean-and-annotate-its-access.patch new file mode 100644 index 00000000000..1c9c26700e4 --- /dev/null +++ b/queue-5.17/pipe-make-poll_usage-boolean-and-annotate-its-access.patch @@ -0,0 +1,82 @@ +From f485922d8fe4e44f6d52a5bb95a603b7c65554bb Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Fri, 29 Apr 2022 14:38:01 -0700 +Subject: pipe: make poll_usage boolean and annotate its access + +From: Kuniyuki Iwashima + +commit f485922d8fe4e44f6d52a5bb95a603b7c65554bb upstream. + +Patch series "Fix data-races around epoll reported by KCSAN." + +This series suppresses a false positive KCSAN's message and fixes a real +data-race. + + +This patch (of 2): + +pipe_poll() runs locklessly and assigns 1 to poll_usage. Once poll_usage +is set to 1, it never changes in other places. However, concurrent writes +of a value trigger KCSAN, so let's make KCSAN happy. + +BUG: KCSAN: data-race in pipe_poll / pipe_poll + +write to 0xffff8880042f6678 of 4 bytes by task 174 on cpu 3: + pipe_poll (fs/pipe.c:656) + ep_item_poll.isra.0 (./include/linux/poll.h:88 fs/eventpoll.c:853) + do_epoll_wait (fs/eventpoll.c:1692 fs/eventpoll.c:1806 fs/eventpoll.c:2234) + __x64_sys_epoll_wait (fs/eventpoll.c:2246 fs/eventpoll.c:2241 fs/eventpoll.c:2241) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) + +write to 0xffff8880042f6678 of 4 bytes by task 177 on cpu 1: + pipe_poll (fs/pipe.c:656) + ep_item_poll.isra.0 (./include/linux/poll.h:88 fs/eventpoll.c:853) + do_epoll_wait (fs/eventpoll.c:1692 fs/eventpoll.c:1806 fs/eventpoll.c:2234) + __x64_sys_epoll_wait (fs/eventpoll.c:2246 fs/eventpoll.c:2241 fs/eventpoll.c:2241) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 177 Comm: epoll_race Not tainted 5.17.0-58927-gf443e374ae13 #6 +Hardware name: Red Hat KVM, BIOS 1.11.0-2.amzn2 04/01/2014 + +Link: https://lkml.kernel.org/r/20220322002653.33865-1-kuniyu@amazon.co.jp +Link: https://lkml.kernel.org/r/20220322002653.33865-2-kuniyu@amazon.co.jp +Fixes: 3b844826b6c6 ("pipe: avoid unnecessary EPOLLET wakeups under normal loads") +Signed-off-by: Kuniyuki Iwashima +Cc: Alexander Duyck +Cc: Al Viro +Cc: Davidlohr Bueso +Cc: Kuniyuki Iwashima +Cc: "Soheil Hassas Yeganeh" +Cc: "Sridhar Samudrala" +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/pipe.c | 2 +- + include/linux/pipe_fs_i.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -653,7 +653,7 @@ pipe_poll(struct file *filp, poll_table + unsigned int head, tail; + + /* Epoll has some historical nasty semantics, this enables them */ +- pipe->poll_usage = 1; ++ WRITE_ONCE(pipe->poll_usage, true); + + /* + * Reading pipe state only -- no need for acquiring the semaphore. +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -71,7 +71,7 @@ struct pipe_inode_info { + unsigned int files; + unsigned int r_counter; + unsigned int w_counter; +- unsigned int poll_usage; ++ bool poll_usage; + struct page *tmp_page; + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; diff --git a/queue-5.17/series b/queue-5.17/series index 76eacc7aa9f..075c0e0cbd5 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -9,3 +9,8 @@ nfc-pn533-fix-buggy-cleanup-order.patch net-ftgmac100-disable-hardware-checksum-on-ast2600.patch i2c-ismt-provide-a-dma-buffer-for-interrupt-cause-lo.patch drivers-i2c-thunderx-allow-driver-to-work-with-acpi-.patch +netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch +i2c-ismt-prevent-memory-corruption-in-ismt_access.patch +assoc_array-fix-bug_on-during-garbage-collect.patch +pipe-make-poll_usage-boolean-and-annotate-its-access.patch +pipe-fix-missing-lock-in-pipe_resize_ring.patch