From 2cd7942917f2504a1c5f9c1a21324734c186a09d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 11 Oct 2018 15:34:45 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
f2fs-fix-invalid-memory-access.patch
ubifs-check-for-name-being-null-while-mounting.patch
ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch
---
.../f2fs-fix-invalid-memory-access.patch | 155 ++++++++++++++++++
queue-4.9/series | 3 +
...k-for-name-being-null-while-mounting.patch | 34 ++++
...-a-use-after-free-in-ucma_resolve_ip.patch | 65 ++++++++
4 files changed, 257 insertions(+)
create mode 100644 queue-4.9/f2fs-fix-invalid-memory-access.patch
create mode 100644 queue-4.9/ubifs-check-for-name-being-null-while-mounting.patch
create mode 100644 queue-4.9/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch
diff --git a/queue-4.9/f2fs-fix-invalid-memory-access.patch b/queue-4.9/f2fs-fix-invalid-memory-access.patch
new file mode 100644
index 00000000000..9f606865ce1
--- /dev/null
+++ b/queue-4.9/f2fs-fix-invalid-memory-access.patch
@@ -0,0 +1,155 @@ +From d3f07c049dab1a3f1740f476afd3d5e5b738c21c Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Thu, 2 Aug 2018 22:59:12 +0800 +Subject: f2fs: fix invalid memory access + +From: Chao Yu + +commit d3f07c049dab1a3f1740f476afd3d5e5b738c21c upstream. + +syzbot found the following crash on: + +HEAD commit: d9bd94c0bcaa Add linux-next specific files for 20180801 +git tree: linux-next +console output: https://syzkaller.appspot.com/x/log.txt?x=1001189c400000 +kernel config: https://syzkaller.appspot.com/x/.config?x=cc8964ea4d04518c +dashboard link: https://syzkaller.appspot.com/bug?extid=c966a82db0b14aa37e81 +compiler: gcc (GCC) 8.0.1 20180413 (experimental) + +Unfortunately, I don't have any reproducer for this crash yet. + +IMPORTANT: if you fix the bug, please add the following tag to the commit: +Reported-by: syzbot+c966a82db0b14aa37e81@syzkaller.appspotmail.com + +loop7: rw=12288, want=8200, limit=20 +netlink: 65342 bytes leftover after parsing attributes in process `syz-executor4'. +openvswitch: netlink: Message has 8 unknown bytes. 
+kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] SMP KASAN +CPU: 1 PID: 7615 Comm: syz-executor7 Not tainted 4.18.0-rc7-next-20180801+ #29 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] +RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] +RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] +RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] +RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 +Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 +RSP: 0018:ffff8801937cebe8 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff8801937cef30 RCX: ffffc90006035000 +RDX: 0000000000000000 RSI: ffffffff82fd9658 RDI: 0000000000000005 +RBP: ffff8801937cef58 R08: ffff8801ab254700 R09: fffff94000d9e026 +R10: fffff94000d9e026 R11: ffffea0006cf0137 R12: fffffffffffffffb +R13: ffff8801937ceeb0 R14: 0000000000000003 R15: ffff880193419b40 +FS: 00007f36a61d5700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc04ff93000 CR3: 00000001d0562000 CR4: 00000000001426e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + f2fs_get_valid_checkpoint+0x436/0x1ec0 fs/f2fs/checkpoint.c:860 + f2fs_fill_super+0x2d42/0x8110 fs/f2fs/super.c:2883 + mount_bdev+0x314/0x3e0 fs/super.c:1344 + f2fs_mount+0x3c/0x50 fs/f2fs/super.c:3133 + legacy_get_tree+0x131/0x460 fs/fs_context.c:729 + vfs_get_tree+0x1cb/0x5c0 fs/super.c:1743 + do_new_mount fs/namespace.c:2603 [inline] + do_mount+0x6f2/0x1e20 fs/namespace.c:2927 + ksys_mount+0x12d/0x140 fs/namespace.c:3143 + 
__do_sys_mount fs/namespace.c:3157 [inline] + __se_sys_mount fs/namespace.c:3154 [inline] + __x64_sys_mount+0xbe/0x150 fs/namespace.c:3154 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x45943a +Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 bd 8a fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 9a 8a fb ff c3 66 0f 1f 84 00 00 00 00 00 +RSP: 002b:00007f36a61d4a88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +RAX: ffffffffffffffda RBX: 00007f36a61d4b30 RCX: 000000000045943a +RDX: 00007f36a61d4ad0 RSI: 0000000020000100 RDI: 00007f36a61d4af0 +RBP: 0000000020000100 R08: 00007f36a61d4b30 R09: 00007f36a61d4ad0 +R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000013 +R13: 0000000000000000 R14: 00000000004c8ea0 R15: 0000000000000000 +Modules linked in: +Dumping ftrace buffer: + (ftrace buffer empty) +---[ end trace bd8550c129352286 ]--- +RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline] +RIP: 0010:compound_head include/linux/page-flags.h:142 [inline] +RIP: 0010:PageLocked include/linux/page-flags.h:272 [inline] +RIP: 0010:f2fs_put_page fs/f2fs/f2fs.h:2011 [inline] +RIP: 0010:validate_checkpoint+0x66d/0xec0 fs/f2fs/checkpoint.c:835 +Code: e8 58 05 7f fe 4c 8d 6b 80 4d 8d 74 24 08 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 c6 04 02 00 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 06 00 00 4c 89 ea 4d 8b 7c 24 08 48 b8 00 00 +RSP: 0018:ffff8801937cebe8 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffff8801937cef30 RCX: ffffc90006035000 +RDX: 0000000000000000 RSI: ffffffff82fd9658 RDI: 0000000000000005 +netlink: 65342 bytes leftover after parsing attributes in process `syz-executor4'. +RBP: ffff8801937cef58 R08: ffff8801ab254700 R09: fffff94000d9e026 +openvswitch: netlink: Message has 8 unknown bytes. 
+R10: fffff94000d9e026 R11: ffffea0006cf0137 R12: fffffffffffffffb +R13: ffff8801937ceeb0 R14: 0000000000000003 R15: ffff880193419b40 +FS: 00007f36a61d5700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc04ff93000 CR3: 00000001d0562000 CR4: 00000000001426e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +In validate_checkpoint(), if we failed to call get_checkpoint_version(), we +will pass returned invalid page pointer into f2fs_put_page, cause accessing +invalid memory, this patch tries to handle error path correctly to fix this +issue. + +Signed-off-by: Chao Yu +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Jaegeuk Kim + +--- + fs/f2fs/checkpoint.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -676,6 +676,7 @@ static int get_checkpoint_version(struct + + crc_offset = le32_to_cpu((*cp_block)->checksum_offset); + if (crc_offset >= blk_size) { ++ f2fs_put_page(*cp_page, 1); + f2fs_msg(sbi->sb, KERN_WARNING, + "invalid crc_offset: %zu", crc_offset); + return -EINVAL; +@@ -684,6 +685,7 @@ static int get_checkpoint_version(struct + crc = le32_to_cpu(*((__le32 *)((unsigned char *)*cp_block + + crc_offset))); + if (!f2fs_crc_valid(sbi, crc, *cp_block, crc_offset)) { ++ f2fs_put_page(*cp_page, 1); + f2fs_msg(sbi->sb, KERN_WARNING, "invalid crc value"); + return -EINVAL; + } +@@ -703,14 +705,14 @@ static struct page *validate_checkpoint( + err = get_checkpoint_version(sbi, cp_addr, &cp_block, + &cp_page_1, version); + if (err) +- goto invalid_cp1; ++ return NULL; + pre_version = *version; + + cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; + err = get_checkpoint_version(sbi, cp_addr, &cp_block, + &cp_page_2, version); + if (err) +- goto invalid_cp2; ++ goto invalid_cp; + cur_version = *version; + + if (cur_version 
== pre_version) { +@@ -718,9 +720,8 @@ static struct page *validate_checkpoint( + f2fs_put_page(cp_page_2, 1); + return cp_page_1; + } +-invalid_cp2: + f2fs_put_page(cp_page_2, 1); +-invalid_cp1: ++invalid_cp: + f2fs_put_page(cp_page_1, 1); + return NULL; + } diff --git a/queue-4.9/series b/queue-4.9/series index a6083a987e9..288984f54d6 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -21,3 +21,6 @@ ath10k-fix-kernel-panic-issue-during-pci-probe.patch powerpc-fadump-return-error-when-fadump-registration-fails.patch arc-clone-syscall-to-setp-r25-as-thread-pointer.patch x86-mm-expand-static-page-table-for-fixmap-space.patch +f2fs-fix-invalid-memory-access.patch +ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch +ubifs-check-for-name-being-null-while-mounting.patch diff --git a/queue-4.9/ubifs-check-for-name-being-null-while-mounting.patch b/queue-4.9/ubifs-check-for-name-being-null-while-mounting.patch new file mode 100644 index 00000000000..14a9b9b82d7 --- /dev/null +++ b/queue-4.9/ubifs-check-for-name-being-null-while-mounting.patch 
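Review bot: The `crc_offset >= blk_size` guard in get_checkpoint_version() still accepts offsets in the last three bytes of the block, so the `__le32` load at `*cp_block + crc_offset` right after it can read past the end of the checkpoint block on a corrupted image; the page put added here does not change that. Tightening the bound to `if (crc_offset > blk_size - sizeof(__le32)) {` would keep the whole checksum word inside the block (this assumes blk_size is the block size, which is set outside the embedded hunk). Separately, after the new `f2fs_put_page(*cp_page, 1);` the caller's `cp_page_1`/`cp_page_2` still hold the released pointer, so a comment on the function such as `/* on error the meta page has already been released; *cp_page must not be used */` would document the contract validate_checkpoint() now depends on. Both function bodies start outside the embedded hunks.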
@@ -0,0 +1,34 @@ +From 37f31b6ca4311b94d985fb398a72e5399ad57925 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Mon, 3 Sep 2018 23:06:23 +0200 +Subject: ubifs: Check for name being NULL while mounting + +From: Richard Weinberger + +commit 37f31b6ca4311b94d985fb398a72e5399ad57925 upstream. + +The requested device name can be NULL or an empty string. +Check for that and refuse to continue. UBIFS has to do this manually +since we cannot use mount_bdev(), which checks for this condition. + +Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system") +Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ubifs/super.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ubifs/super.c ++++ b/fs/ubifs/super.c +@@ -1918,6 +1918,9 @@ static struct ubi_volume_desc *open_ubi( + int dev, vol; + char *endptr; + ++ if (!name || !*name) ++ return ERR_PTR(-EINVAL); ++ + /* First, try to open using the device node path method */ + ubi = ubi_open_volume_path(name, mode); + if (!IS_ERR(ubi)) diff --git a/queue-4.9/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch b/queue-4.9/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch new file mode 100644 index 00000000000..fc295b9865c --- /dev/null +++ b/queue-4.9/ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch 
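Review bot: The new `if (!name || !*name)` guard in open_ubi() has no comment, and the reason it is needed here is only stated in the commit message. A short comment above it, for example `/* mount_bdev() is not used for UBIFS, so a NULL or empty volume name has to be rejected here */`, would keep a later cleanup from removing the check as redundant. The rest of open_ubi() lies outside the hunk, so whether the later name-parsing paths have other preconditions cannot be judged from here.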
@@ -0,0 +1,65 @@ +From 5fe23f262e0548ca7f19fb79f89059a60d087d22 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Wed, 12 Sep 2018 16:27:44 -0700 +Subject: ucma: fix a use-after-free in ucma_resolve_ip() + +From: Cong Wang + +commit 5fe23f262e0548ca7f19fb79f89059a60d087d22 upstream. + +There is a race condition between ucma_close() and ucma_resolve_ip(): + +CPU0 CPU1 +ucma_resolve_ip(): ucma_close(): + +ctx = ucma_get_ctx(file, cmd.id); + + list_for_each_entry_safe(ctx, tmp, &file->ctx_list, list) { + mutex_lock(&mut); + idr_remove(&ctx_idr, ctx->id); + mutex_unlock(&mut); + ... + mutex_lock(&mut); + if (!ctx->closing) { + mutex_unlock(&mut); + rdma_destroy_id(ctx->cm_id); + ... + ucma_free_ctx(ctx); + +ret = rdma_resolve_addr(); +ucma_put_ctx(ctx); + +Before idr_remove(), ucma_get_ctx() could still find the ctx +and after rdma_destroy_id(), rdma_resolve_addr() may still +access id_priv pointer. Also, ucma_put_ctx() may use ctx after +ucma_free_ctx() too. + +ucma_close() should call ucma_put_ctx() too which tests the +refcnt and waits for the last one releasing it. The similar +pattern is already used by ucma_destroy_id(). + +Reported-and-tested-by: syzbot+da2591e115d57a9cbb8b@syzkaller.appspotmail.com +Reported-by: syzbot+cfe3c1e8ef634ba8964b@syzkaller.appspotmail.com +Cc: Jason Gunthorpe +Cc: Doug Ledford +Cc: Leon Romanovsky +Signed-off-by: Cong Wang +Reviewed-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/ucma.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1720,6 +1720,8 @@ static int ucma_close(struct inode *inod + mutex_lock(&mut); + if (!ctx->closing) { + mutex_unlock(&mut); ++ ucma_put_ctx(ctx); ++ wait_for_completion(&ctx->comp); + /* rdma_destroy_id ensures that no event handlers are + * inflight for that id before releasing it. + */ -- 2.47.2
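Review bot: The added `ucma_put_ctx(ctx); wait_for_completion(&ctx->comp);` sits only inside the `if (!ctx->closing)` branch of ucma_close(), and the other branch is not visible in the hunk. If `ucma_free_ctx(ctx)` is also reached when `ctx->closing` is set, that path would still free the context without waiting for a concurrent ucma_resolve_ip() to drop its reference, so it is worth confirming that case is covered elsewhere. The two new lines also deserve their own comment, since the existing one below them only explains rdma_destroy_id(); something like `/* drop our reference and wait until every concurrent user has released the ctx */` would do, assuming the refcount semantics described in the commit message. ucma_close() starts and ends outside the hunk.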