From 9945d9820f810becc9d3b604233de3900709543e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 23 Feb 2023 10:47:56 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
nbd-fix-max-value-for-first_minor.patch
nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
uaccess-add-speculation-barrier-to-copy_from_user.patch
---
.../nbd-fix-max-value-for-first_minor.patch | 62 ++++++++++
...rflow-for-first_minor-in-nbd_dev_add.patch | 41 +++++++
...erflow-on-first_minor-in-nbd_dev_add.patch | 69 ++++++++++++
...nbd-add-sanity-check-for-first_minor.patch | 49 ++++++++
queue-5.10/series | 5 +
...peculation-barrier-to-copy_from_user.patch | 106 ++++++++++++++++++
6 files changed, 332 insertions(+)
create mode 100644 queue-5.10/nbd-fix-max-value-for-first_minor.patch
create mode 100644 queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
create mode 100644 queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
create mode 100644 queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
create mode 100644 queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch
diff --git a/queue-5.10/nbd-fix-max-value-for-first_minor.patch b/queue-5.10/nbd-fix-max-value-for-first_minor.patch
new file mode 100644
index 00000000000..36810d7d2a0
--- /dev/null
+++ b/queue-5.10/nbd-fix-max-value-for-first_minor.patch
@@ -0,0 +1,62 @@
+From e4c4871a73944353ea23e319de27ef73ce546623 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Tue, 2 Nov 2021 09:52:34 +0800
+Subject: nbd: fix max value for 'first_minor'
+
+From: Yu Kuai
+
+commit e4c4871a73944353ea23e319de27ef73ce546623 upstream.
+
+commit b1a811633f73 ("block: nbd: add sanity check for first_minor")
+checks that 'first_minor' should not be greater than 0xff, which is
+wrong. Whitout the commit, the details that when user pass 0x100000,
+it ends up create sysfs dir "/sys/block/43:0" are as follows:
+
+nbd_dev_add
+ disk->first_minor = index << part_shift
+ -> default part_shift is 5, first_minor is 0x2000000
+ device_add_disk
+ ddev->devt = MKDEV(disk->major, disk->first_minor)
+ -> (0x2b << 20) | (0x2000000) = 0x2b00000
+ device_add
+ device_create_sys_dev_entry
+ format_dev_t
+ sprintf(buffer, "%u:%u", MAJOR(dev), MINOR(dev));
+ -> got 43:0
+ sysfs_create_link -> /sys/block/43:0
+
+By the way, with the wrong fix, when part_shift is the default value,
+only 8 ndb devices can be created since 8 << 5 is greater than 0xff.
+
+Since the max bits for 'first_minor' should be the same as what
+MKDEV() does, which is 20. Change the upper bound of 'first_minor'
+from 0xff to 0xfffff.
+
+Fixes: b1a811633f73 ("block: nbd: add sanity check for first_minor")
+Signed-off-by: Yu Kuai
+Reviewed-by: Josef Bacik
+Link: https://lore.kernel.org/r/20211102015237.2309763-2-yebin10@huawei.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Wen Yang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1773,11 +1773,11 @@ static int nbd_dev_add(int index)
+ disk->major = NBD_MAJOR;
+ 
+ /* Too big first_minor can cause duplicate creation of
+- * sysfs files/links, since first_minor will be truncated to
+- * byte in __device_add_disk().
++ * sysfs files/links, since MKDEV() expect that the max bits of
++ * first_minor is 20.
+ */
+ disk->first_minor = index << part_shift;
+- if (disk->first_minor > 0xff) {
++ if (disk->first_minor > MINORMASK) {
+ err = -EINVAL;
+ goto out_free_idr;
+ }
diff --git a/queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch b/queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
new file mode 100644
index 00000000000..8958b08675c
--- /dev/null
+++ b/queue-5.10/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
@@ -0,0 +1,41 @@
+From 940c264984fd1457918393c49674f6b39ee16506 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Tue, 2 Nov 2021 09:52:35 +0800
+Subject: nbd: fix possible overflow for 'first_minor' in nbd_dev_add()
+
+From: Yu Kuai
+
+commit 940c264984fd1457918393c49674f6b39ee16506 upstream.
+
+If 'part_shift' is not zero, then 'index << part_shift' might
+overflow to a value that is not greater than '0xfffff', then sysfs
+might complains about duplicate creation.
+
+Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
+Signed-off-by: Yu Kuai
+Reviewed-by: Josef Bacik
+Link: https://lore.kernel.org/r/20211102015237.2309763-3-yebin10@huawei.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Wen Yang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1773,11 +1773,11 @@ static int nbd_dev_add(int index)
+ disk->major = NBD_MAJOR;
+ 
+ /* Too big first_minor can cause duplicate creation of
+- * sysfs files/links, since MKDEV() expect that the max bits of
+- * first_minor is 20.
++ * sysfs files/links, since index << part_shift might overflow, or
++ * MKDEV() expect that the max bits of first_minor is 20.
+ */
+ disk->first_minor = index << part_shift;
+- if (disk->first_minor > MINORMASK) {
++ if (disk->first_minor < index || disk->first_minor > MINORMASK) {
+ err = -EINVAL;
+ goto out_free_idr;
+ }
diff --git a/queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch b/queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
new file mode 100644
index 00000000000..043eab16f13
--- /dev/null
+++ b/queue-5.10/nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
@@ -0,0 +1,69 @@
+From 858f1bf65d3d9c00b5e2d8ca87dc79ed88267c98 Mon Sep 17 00:00:00 2001
+From: Zhang Wensheng
+Date: Sat, 21 May 2022 15:37:48 +0800
+Subject: nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
+
+From: Zhang Wensheng
+
+commit 858f1bf65d3d9c00b5e2d8ca87dc79ed88267c98 upstream.
+
+When 'index' is a big numbers, it may become negative which forced
+to 'int'. then 'index << part_shift' might overflow to a positive
+value that is not greater than '0xfffff', then sysfs might complains
+about duplicate creation. Because of this, move the 'index' judgment
+to the front will fix it and be better.
+
+Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
+Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
+Signed-off-by: Zhang Wensheng
+Signed-off-by: Yu Kuai
+Reviewed-by: Josef Bacik
+Link: https://lore.kernel.org/r/20220521073749.3146892-6-yukuai3@huawei.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Wen Yang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1771,17 +1771,7 @@ static int nbd_dev_add(int index)
+ refcount_set(&nbd->refs, 1);
+ INIT_LIST_HEAD(&nbd->list);
+ disk->major = NBD_MAJOR;
+-
+- /* Too big first_minor can cause duplicate creation of
+- * sysfs files/links, since index << part_shift might overflow, or
+- * MKDEV() expect that the max bits of first_minor is 20.
+- */
+ disk->first_minor = index << part_shift;
+- if (disk->first_minor < index || disk->first_minor > MINORMASK) {
+- err = -EINVAL;
+- goto out_free_idr;
+- }
+-
+ disk->fops = &nbd_fops;
+ disk->private_data = nbd;
+ sprintf(disk->disk_name, "nbd%d", index);
+@@ -1875,8 +1865,19 @@ static int nbd_genl_connect(struct sk_bu
+ if (!netlink_capable(skb, CAP_SYS_ADMIN))
+ return -EPERM;
+ 
+- if (info->attrs[NBD_ATTR_INDEX])
++ if (info->attrs[NBD_ATTR_INDEX]) {
+ index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
++
++ /*
++ * Too big first_minor can cause duplicate creation of
++ * sysfs files/links, since index << part_shift might overflow, or
++ * MKDEV() expect that the max bits of first_minor is 20.
++ */
++ if (index < 0 || index > MINORMASK >> part_shift) {
++ printk(KERN_ERR "nbd: illegal input index %d\n", index);
++ return -EINVAL;
++ }
++ }
+ if (!info->attrs[NBD_ATTR_SOCKETS]) {
+ printk(KERN_ERR "nbd: must specify at least one socket\n");
+ return -EINVAL;
diff --git a/queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch b/queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
new file mode 100644
index 00000000000..8118f583525
--- /dev/null
+++ b/queue-5.10/revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
@@ -0,0 +1,49 @@
+From wenyang.linux@foxmail.com Thu Feb 23 10:40:14 2023
+From: wenyang.linux@foxmail.com
+Date: Tue, 21 Feb 2023 02:04:46 +0800
+Subject: Revert "Revert "block: nbd: add sanity check for first_minor""
+To: Sasha Levin , Greg Kroah-Hartman
+Cc: Wen Yang , Joel Stanley , Christoph Hellwig , Pavel Skripkin , Jens Axboe , stable@vger.kernel.org
+Message-ID:
+
+From: Wen Yang
+
+This reverts commit 0daa75bf750c400af0a0127fae37cd959d36dee7.
+
+These problems such as:
+https://lore.kernel.org/all/CACPK8XfUWoOHr-0RwRoYoskia4fbAbZ7DYf5wWBnv6qUnGq18w@mail.gmail.com/
+It was introduced by introduced by commit b1a811633f73 ("block: nbd: add sanity check for first_minor")
+and has been have been fixed by commit e4c4871a7394 ("nbd: fix max value for 'first_minor'").
+
+Cc: Joel Stanley
+Cc: Christoph Hellwig
+Cc: Pavel Skripkin
+Cc: Jens Axboe
+Cc: Sasha Levin
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Wen Yang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/block/nbd.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1771,7 +1771,17 @@ static int nbd_dev_add(int index)
+ refcount_set(&nbd->refs, 1);
+ INIT_LIST_HEAD(&nbd->list);
+ disk->major = NBD_MAJOR;
++
++ /* Too big first_minor can cause duplicate creation of
++ * sysfs files/links, since first_minor will be truncated to
++ * byte in __device_add_disk().
++ */
+ disk->first_minor = index << part_shift;
++ if (disk->first_minor > 0xff) {
++ err = -EINVAL;
++ goto out_free_idr;
++ }
++
+ disk->fops = &nbd_fops;
+ disk->private_data = nbd;
+ sprintf(disk->disk_name, "nbd%d", index);
diff --git a/queue-5.10/series b/queue-5.10/series
index cb0c99363a7..b577fdfa8ed 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -14,3 +14,8 @@ can-kvaser_usb-hydra-help-gcc-13-to-figure-out-cmd_l.patch
 powerpc-dts-t208x-disable-10g-on-mac1-and-mac2.patch
 drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch
 mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch
+uaccess-add-speculation-barrier-to-copy_from_user.patch
+revert-revert-block-nbd-add-sanity-check-for-first_minor.patch
+nbd-fix-max-value-for-first_minor.patch
+nbd-fix-possible-overflow-for-first_minor-in-nbd_dev_add.patch
+nbd-fix-possible-overflow-on-first_minor-in-nbd_dev_add.patch
diff --git a/queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch b/queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch
new file mode 100644
index 00000000000..193b27d911b
--- /dev/null
+++ b/queue-5.10/uaccess-add-speculation-barrier-to-copy_from_user.patch
@@ -0,0 +1,106 @@
+From 74e19ef0ff8061ef55957c3abd71614ef0f42f47 Mon Sep 17 00:00:00 2001
+From: Dave Hansen
+Date: Tue, 21 Feb 2023 12:30:15 -0800
+Subject: uaccess: Add speculation barrier to copy_from_user()
+
+From: Dave Hansen
+
+commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47 upstream.
+
+The results of "access_ok()" can be mis-speculated. The result is that
+you can end speculatively:
+
+ if (access_ok(from, size))
+ // Right here
+
+even for bad from/size combinations. On first glance, it would be ideal
+to just add a speculation barrier to "access_ok()" so that its results
+can never be mis-speculated.
+
+But there are lots of system calls just doing access_ok() via
+"copy_to_user()" and friends (example: fstat() and friends). Those are
+generally not problematic because they do not _consume_ data from
+userspace other than the pointer. They are also very quick and common
+system calls that should not be needlessly slowed down.
+
+"copy_from_user()" on the other hand uses a user-controller pointer and
+is frequently followed up with code that might affect caches. Take
+something like this:
+
+ if (!copy_from_user(&kernelvar, uptr, size))
+ do_something_with(kernelvar);
+
+If userspace passes in an evil 'uptr' that *actually* points to a kernel
+addresses, and then do_something_with() has cache (or other)
+side-effects, it could allow userspace to infer kernel data values.
+
+Add a barrier to the common copy_from_user() code to prevent
+mis-speculated values which happen after the copy.
+
+Also add a stub for architectures that do not define barrier_nospec().
+This makes the macro usable in generic code.
+
+Since the barrier is now usable in generic code, the x86 #ifdef in the
+BPF code can also go away.
+
+Reported-by: Jordy Zomer
+Suggested-by: Linus Torvalds
+Signed-off-by: Dave Hansen
+Reviewed-by: Thomas Gleixner
+Acked-by: Daniel Borkmann # BPF bits
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/nospec.h | 4 ++++
+ kernel/bpf/core.c | 2 --
+ lib/usercopy.c | 7 +++++++
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/include/linux/nospec.h
++++ b/include/linux/nospec.h
+@@ -11,6 +11,10 @@
+ 
+ struct task_struct;
+ 
++#ifndef barrier_nospec
++# define barrier_nospec() do { } while (0)
++#endif
++
+ /**
+ * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
+ * @index: array element index
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1642,9 +1642,7 @@ out:
+ * reuse preexisting logic from Spectre v1 mitigation that
+ * happens to produce the required code on x86 for v4 as well.
+ */
+-#ifdef CONFIG_X86
+ barrier_nospec();
+-#endif
+ CONT;
+ #define LDST(SIZEOP, SIZE) \
+ STX_MEM_##SIZEOP: \
+--- a/lib/usercopy.c
++++ b/lib/usercopy.c
+@@ -3,6 +3,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ /* out-of-line parts */
+ 
+@@ -12,6 +13,12 @@ unsigned long _copy_from_user(void *to,
+ unsigned long res = n;
+ might_fault();
+ if (!should_fail_usercopy() && likely(access_ok(from, n))) {
++ /*
++ * Ensure that bad access_ok() speculation will not
++ * lead to nasty side effects *after* the copy is
++ * finished:
++ */
++ barrier_nospec();
+ instrument_copy_from_user(to, from, n);
+ res = raw_copy_from_user(to, from, n);
+ }
-- 
2.47.3
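Review bot: The `barrier_nospec()` added in the lib/usercopy.c hunk covers only the out-of-line `_copy_from_user()`; if the 5.10 tree still carries the inline `_copy_from_user()` under `INLINE_COPY_FROM_USER` in include/linux/uaccess.h, architectures that select it keep an unbarriered path after a mis-speculated `access_ok()`, so that variant should be checked and given the same `barrier_nospec();` directly after the `access_ok()` test. The `#ifndef barrier_nospec` fallback in include/linux/nospec.h is a silent no-op, which is right for the build but means an architecture whose barrier is defined in a header not included above that point gets no mitigation and no diagnostic; the include preceding the hunk is outside this view, so confirm the order. The added `#include` line in lib/usercopy.c has its target stripped on this page; verify it names `<linux/nospec.h>`. `_copy_from_user()`'s body continues outside the hunk.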