From 92a501d11000de7697a01ae13754c313d792b1d3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 11 Oct 2018 11:23:05 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
cgroup-fix-deadlock-in-cpu-hotplug-path.patch
ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
ext4-always-verify-the-magic-number-in-xattr-blocks.patch
---
...oup-fix-deadlock-in-cpu-hotplug-path.patch | 81 ++++++++++++++
...uption-check-in-ext4_xattr_set_entry.patch | 102 ++++++++++++++++++
...ify-the-magic-number-in-xattr-blocks.patch | 49 +++++++++
queue-4.4/series | 3 +
4 files changed, 235 insertions(+)
create mode 100644 queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch
create mode 100644 queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
create mode 100644 queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
diff --git a/queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch b/queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch
new file mode 100644
index 00000000000..5b68f9d4411
--- /dev/null
+++ b/queue-4.4/cgroup-fix-deadlock-in-cpu-hotplug-path.patch
@@ -0,0 +1,81 @@
+From 116d2f7496c51b2e02e8e4ecdd2bdf5fb9d5a641 Mon Sep 17 00:00:00 2001
+From: Prateek Sood
+Date: Tue, 19 Dec 2017 12:56:57 +0530
+Subject: cgroup: Fix deadlock in cpu hotplug path
+
+From: Prateek Sood
+
+commit 116d2f7496c51b2e02e8e4ecdd2bdf5fb9d5a641 upstream.
+
+Deadlock during cgroup migration from cpu hotplug path when a task T is
+being moved from source to destination cgroup.
+
+kworker/0:0
+cpuset_hotplug_workfn()
+ cpuset_hotplug_update_tasks()
+ hotplug_update_tasks_legacy()
+ remove_tasks_in_empty_cpuset()
+ cgroup_transfer_tasks() // stuck in iterator loop
+ cgroup_migrate()
+ cgroup_migrate_add_task()
+
+In cgroup_migrate_add_task() it checks for PF_EXITING flag of task T.
+Task T will not migrate to destination cgroup. css_task_iter_start()
+will keep pointing to task T in loop waiting for task T cg_list node
+to be removed.
+
+Task T
+do_exit()
+ exit_signals() // sets PF_EXITING
+ exit_task_namespaces()
+ switch_task_namespaces()
+ free_nsproxy()
+ put_mnt_ns()
+ drop_collected_mounts()
+ namespace_unlock()
+ synchronize_rcu()
+ _synchronize_rcu_expedited()
+ schedule_work() // on cpu0 low priority worker pool
+ wait_event() // waiting for work item to execute
+
+Task T inserted a work item in the worklist of cpu0 low priority
+worker pool. It is waiting for expedited grace period work item
+to execute. This work item will only be executed once kworker/0:0
+complete execution of cpuset_hotplug_workfn().
+
+kworker/0:0 ==> Task T ==>kworker/0:0
+
+In case of PF_EXITING task being migrated from source to destination
+cgroup, migrate next available task in source cgroup.
+
+Signed-off-by: Prateek Sood
+Signed-off-by: Tejun Heo
+[AmitP: Upstream commit cherry-pick failed, so I picked the
+ backported changes from CAF/msm-4.9 tree instead:
+ https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?id=49b74f1696417b270c89cd893ca9f37088928078]
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+---
+This patch can be cleanly applied and build tested on 4.4.y and 3.18.y
+as well but I couldn't find it in msm-4.4 and msm-3.18 trees. So this
+patch is really untested on those stable trees.
+Build tested on 4.9.131, 4.4.159 and 3.18.123 for ARCH=arm/arm64 allmodconfig.
+
+ kernel/cgroup.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4083,7 +4083,11 @@ int cgroup_transfer_tasks(struct cgroup
+ */
+ do {
+ css_task_iter_start(&from->self, &it);
+- task = css_task_iter_next(&it);
++
++ do {
++ task = css_task_iter_next(&it);
++ } while (task && (task->flags & PF_EXITING));
++
+ if (task)
+ get_task_struct(task);
+ css_task_iter_end(&it);
diff --git a/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
new file mode 100644
index 00000000000..04d2eb58d42
--- /dev/null
+++ b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
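Review bot: The new inner `do { task = css_task_iter_next(&it); } while (task && (task->flags & PF_EXITING));` loop in cgroup_transfer_tasks() has no comment, so the reason exiting tasks are skipped is only recoverable from the commit message, and a later cleanup could plausibly collapse it back into a single css_task_iter_next() call. A short comment above the loop would pin it, e.g. `/* cgroup_migrate_add_task() ignores PF_EXITING tasks; skip them here, or the iterator keeps returning the same exiting task and this loop never makes progress. */`. The AmitP tag says the backport is untested on 4.4.y, so it is worth confirming that 4.4's css_task_iter_next() behaves as the message assumes (returning an exiting task until its cg_list node is removed). The enclosing do/while of cgroup_transfer_tasks() starts and ends outside the hunk.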
@@ -0,0 +1,102 @@
+From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 13 Jun 2018 00:23:11 -0400
+Subject: ext4: add corruption check in ext4_xattr_set_entry()
+
+From: Theodore Ts'o
+
+commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
+
+In theory this should have been caught earlier when the xattr list was
+verified, but in case it got missed, it's simple enough to add check
+to make sure we don't overrun the xattr buffer.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+[bwh: Backported to 3.16:
+ - Add inode parameter to ext4_xattr_set_entry() and update callers
+ - Return -EIO instead of -EFSCORRUPTED on error
+ - Adjust context]
+Signed-off-by: Ben Hutchings
+[adjusted for 4.4 context]
+Signed-off-by: Daniel Rosenberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/xattr.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -638,14 +638,20 @@ static size_t ext4_xattr_free_space(stru
+ }
+
+ static int
+-ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)
++ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s,
++ struct inode *inode)
+ {
+- struct ext4_xattr_entry *last;
++ struct ext4_xattr_entry *last, *next;
+ size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);
+
+ /* Compute min_offs and last. */
+ last = s->first;
+- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++ for (; !IS_LAST_ENTRY(last); last = next) {
++ next = EXT4_XATTR_NEXT(last);
++ if ((void *)next >= s->end) {
++ EXT4_ERROR_INODE(inode, "corrupted xattr entries");
++ return -EIO;
++ }
+ if (!last->e_value_block && last->e_value_size) {
+ size_t offs = le16_to_cpu(last->e_value_offs);
+ if (offs < min_offs)
+@@ -825,7 +831,7 @@ ext4_xattr_block_set(handle_t *handle, s
+ ce = NULL;
+ }
+ ea_bdebug(bs->bh, "modifying in-place");
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (!error) {
+ if (!IS_LAST_ENTRY(s->first))
+ ext4_xattr_rehash(header(s->base),
+@@ -875,7 +881,7 @@ ext4_xattr_block_set(handle_t *handle, s
+ s->end = s->base + sb->s_blocksize;
+ }
+
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (error == -EFSCORRUPTED)
+ goto bad_block;
+ if (error)
+@@ -1037,7 +1043,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (error) {
+ if (error == -ENOSPC &&
+ ext4_has_inline_data(inode)) {
+@@ -1049,7 +1055,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+ error = ext4_xattr_ibody_find(inode, i, is);
+ if (error)
+ return error;
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ }
+ if (error)
+ return error;
+@@ -1075,7 +1081,7 @@ static int ext4_xattr_ibody_set(handle_t
+
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (error)
+ return error;
+ header = IHDR(inode, ext4_raw_inode(&is->iloc));
diff --git a/queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch b/queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
new file mode 100644
index 00000000000..c7705237df5
--- /dev/null
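Review bot: The new bound check in ext4_xattr_set_entry() returns `-EIO`, but the caller in the `@@ -875,7 +881,7 @@` hunk only routes `-EFSCORRUPTED` to `bad_block`, and this tree plainly has that code (it is tested on that very line and returned by the sibling xattr patch), so the 3.16-era substitution recorded in the bwh tag no longer appears necessary for 4.4; `return -EFSCORRUPTED;` would keep the corrupted-list path consistent with the rest of ext4_xattr_block_set() and with the upstream commit. Separately, `(void *)next >= s->end` only checks where the next entry starts, so an entry whose header straddles `s->end` still has IS_LAST_ENTRY()/EXT4_XATTR_NEXT() read its first bytes on the following iteration; a guard that covers at least the terminator word, `if ((void *)next + sizeof(__u32) > s->end)`, would close that, on the understanding (per the commit message) that ext4_xattr_check_names() is expected to have rejected such a list earlier. The body of ext4_xattr_set_entry() continues past the end of the hunk.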
+++ b/queue-4.4/ext4-always-verify-the-magic-number-in-xattr-blocks.patch
@@ -0,0 +1,49 @@
+From 513f86d73855ce556ea9522b6bfd79f87356dc3a Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 13 Jun 2018 00:51:28 -0400
+Subject: ext4: always verify the magic number in xattr blocks
+
+From: Theodore Ts'o
+
+commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
+
+If there an inode points to a block which is also some other type of
+metadata block (such as a block allocation bitmap), the
+buffer_verified flag can be set when it was validated as that other
+metadata block type; however, it would make a really terrible external
+attribute block. The reason why we use the verified flag is to avoid
+constantly reverifying the block. However, it doesn't take much
+overhead to make sure the magic number of the xattr block is correct,
+and this will avoid potential crashes.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+[Backported to 4.4: adjust context]
+Signed-off-by: Daniel Rosenberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/xattr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -220,12 +220,12 @@ ext4_xattr_check_block(struct inode *ino
+ {
+ int error;
+
+- if (buffer_verified(bh))
+- return 0;
+-
+ if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
+ BHDR(bh)->h_blocks != cpu_to_le32(1))
+ return -EFSCORRUPTED;
++ if (buffer_verified(bh))
++ return 0;
++
+ if (!ext4_xattr_block_csum_verify(inode, bh->b_blocknr, BHDR(bh)))
+ return -EFSBADCRC;
+ error = ext4_xattr_check_names(BFIRST(bh), bh->b_data + bh->b_size,
diff --git a/queue-4.4/series b/queue-4.4/series
index 445eba8fcfd..f1b2c6d45ea 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
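Review bot: The reordering in ext4_xattr_check_block() is correct but unexplained in the code itself: the reason the `h_magic`/`h_blocks` test now runs ahead of `buffer_verified(bh)` lives only in the commit message, and a future tidy-up could plausibly hoist the early return back to the top and reintroduce the problem. A comment above the magic check would pin the ordering, e.g. `/* buffer_verified may have been set when this block was validated as some other metadata type (e.g. a bitmap), so always check the xattr magic and block count first. */`. The remainder of ext4_xattr_check_block() is outside the hunk.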
@@ -9,3 +9,6 @@ dm-cache-fix-resize-crash-if-user-doesn-t-reload-cache-table.patch
 xhci-add-missing-cas-workaround-for-intel-sunrise-point-xhci.patch
 usb-serial-simple-add-motorola-tetra-mtp6550-id.patch
 of-unittest-disable-interrupt-node-tests-for-old-world-mac-systems.patch
+ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
+ext4-always-verify-the-magic-number-in-xattr-blocks.patch
+cgroup-fix-deadlock-in-cpu-hotplug-path.patch
-- 
2.47.2