From bd985a82db1f479cf8952e502dc35dd1a75a88f7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 26 Jun 2020 16:29:10 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch
fanotify-fix-ignore-mask-logic-for-events-on-child-and-on-dir.patch
net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
---
...buf-if-bio_integrity_add_page-failed.patch | 37 ++++++++++
...logic-for-events-on-child-and-on-dir.patch | 64 +++++++++++++++++
...-silly-gso-requests-coming-from-user.patch | 71 +++++++++++++++++++
3 files changed, 172 insertions(+)
create mode 100644 queue-4.19/block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch
create mode 100644 queue-4.19/fanotify-fix-ignore-mask-logic-for-events-on-child-and-on-dir.patch
create mode 100644 queue-4.19/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
diff --git a/queue-4.19/block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch b/queue-4.19/block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch
new file mode 100644
index 00000000000..095f1d1add8
--- /dev/null
+++ b/queue-4.19/block-bio-integrity-don-t-free-buf-if-bio_integrity_add_page-failed.patch
@@ -0,0 +1,37 @@
+From a75ca9303175d36af93c0937dd9b1a6422908b8d Mon Sep 17 00:00:00 2001
+From: yu kuai
+Date: Mon, 1 Jun 2020 20:38:56 +0800
+Subject: block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed
+
+From: yu kuai
+
+commit a75ca9303175d36af93c0937dd9b1a6422908b8d upstream.
+
+commit e7bf90e5afe3 ("block/bio-integrity: fix a memory leak bug") added
+a kfree() for 'buf' if bio_integrity_add_page() returns '0'. However,
+the object will be freed in bio_integrity_free() since 'bio->bi_opf' and
+'bio->bi_integrity' were set previousy in bio_integrity_alloc().
+
+Fixes: commit e7bf90e5afe3 ("block/bio-integrity: fix a memory leak bug")
+Signed-off-by: yu kuai
+Reviewed-by: Ming Lei
+Reviewed-by: Bob Liu
+Acked-by: Martin K. Petersen
+Signed-off-by: Jens Axboe
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bio-integrity.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/block/bio-integrity.c
++++ b/block/bio-integrity.c
+@@ -293,7 +293,6 @@ bool bio_integrity_prep(struct bio *bio)
+
+ if (ret == 0) {
+ printk(KERN_ERR "could not attach integrity payload\n");
+- kfree(buf);
+ status = BLK_STS_RESOURCE;
+ goto err_end_io;
+ }
diff --git a/queue-4.19/fanotify-fix-ignore-mask-logic-for-events-on-child-and-on-dir.patch b/queue-4.19/fanotify-fix-ignore-mask-logic-for-events-on-child-and-on-dir.patch
new file mode 100644
index 00000000000..254e2922842
--- /dev/null
+++ b/queue-4.19/fanotify-fix-ignore-mask-logic-for-events-on-child-and-on-dir.patch
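Review bot: After the kfree() is removed, the error branch in bio_integrity_prep() leaves `buf` allocated with nothing on the visible lines saying who releases it, which is the same gap that led commit e7bf90e5afe3 to add the double free as a "leak fix". I would add a comment above `status = BLK_STS_RESOURCE;`, for example `/* buf is released by bio_integrity_free() on the err_end_io path; do not kfree() it here */`. The description attributes the later free to 'bio->bi_opf' and 'bio->bi_integrity' having been set in bio_integrity_alloc(); whether that also covers a failure on the very first bio_integrity_add_page() call cannot be confirmed from this hunk, because the allocation and the add-page loop are outside it.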
@@ -0,0 +1,64 @@
+From 2f02fd3fa13e51713b630164f8a8e5b42de8283b Mon Sep 17 00:00:00 2001
+From: Amir Goldstein
+Date: Sun, 24 May 2020 10:24:41 +0300
+Subject: fanotify: fix ignore mask logic for events on child and on dir
+
+From: Amir Goldstein
+
+commit 2f02fd3fa13e51713b630164f8a8e5b42de8283b upstream.
+
+The comments in fanotify_group_event_mask() say:
+
+ "If the event is on dir/child and this mark doesn't care about
+ events on dir/child, don't send it!"
+
+Specifically, mount and filesystem marks do not care about events
+on child, but they can still specify an ignore mask for those events.
+For example, a group that has:
+- A mount mark with mask 0 and ignore_mask FAN_OPEN
+- An inode mark on a directory with mask FAN_OPEN | FAN_OPEN_EXEC
+ with flag FAN_EVENT_ON_CHILD
+
+A child file open for exec would be reported to group with the FAN_OPEN
+event despite the fact that FAN_OPEN is in ignore mask of mount mark,
+because the mark iteration loop skips over non-inode marks for events
+on child when calculating the ignore mask.
+
+Move ignore mask calculation to the top of the iteration loop block
+before excluding marks for events on dir/child.
+
+Link: https://lore.kernel.org/r/20200524072441.18258-1-amir73il@gmail.com
+Reported-by: Jan Kara
+Link: https://lore.kernel.org/linux-fsdevel/20200521162443.GA26052@quack2.suse.cz/
+Fixes: 55bf882c7f13 "fanotify: fix merging marks masks with FAN_ONDIR"
+Fixes: b469e7e47c8a "fanotify: fix handling of events on child..."
+Signed-off-by: Amir Goldstein
+Signed-off-by: Jan Kara
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/notify/fanotify/fanotify.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -114,6 +114,10 @@ static bool fanotify_should_send_event(s
+ if (!fsnotify_iter_should_report_type(iter_info, type))
+ continue;
+ mark = iter_info->marks[type];
++
++ /* Apply ignore mask regardless of ISDIR and ON_CHILD flags */
++ marks_ignored_mask |= mark->ignored_mask;
++
+ /*
+ * If the event is for a child and this mark doesn't care about
+ * events on a child, don't send it!
+@@ -124,7 +128,6 @@ static bool fanotify_should_send_event(s
+ continue;
+
+ marks_mask |= mark->mask;
+- marks_ignored_mask |= mark->ignored_mask;
+ }
+
+ if (d_is_dir(path->dentry) &&
diff --git a/queue-4.19/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch b/queue-4.19/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
new file mode 100644
index 00000000000..6f7abcbce72
--- /dev/null
+++ b/queue-4.19/net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
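Review bot: The added comment `/* Apply ignore mask regardless of ISDIR and ON_CHILD flags */` names an ISDIR condition, but in the visible context of fanotify_should_send_event() the only skip inside the loop is the events-on-child one, and the `d_is_dir()` test sits after the loop. The wording appears to be carried over from the upstream function and may mislead a reader of this tree. Something like `/* Apply the ignore mask even if this mark is skipped below for events on a child */` would match what the 4.19 code does. It would also help to state there that a mark whose mask is skipped can now still suppress an event, since tools that rely on fanotify for monitoring depend on exactly when ignore masks take effect. The loop begins and ends outside the two inner hunks, so the remaining conditions could not be checked here.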
@@ -0,0 +1,71 @@
+From 7c6d2ecbda83150b2036a2b36b21381ad4667762 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 28 May 2020 14:57:47 -0700
+Subject: net: be more gentle about silly gso requests coming from user
+
+From: Eric Dumazet
+
+commit 7c6d2ecbda83150b2036a2b36b21381ad4667762 upstream.
+
+Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests.
+
+When --mss=XXX option is set, packetdrill always provide gso_type & gso_size
+for its inbound packets, regardless of packet size.
+
+ if (packet->tcp && packet->mss) {
+ if (packet->ipv4)
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
+ gso.gso_size = packet->mss;
+ }
+
+Since many other programs could do the same, relax virtio_net_hdr_to_skb()
+to no longer return an error, but instead ignore gso settings.
+
+This keeps Willem intent to make sure no malicious packet could
+reach gso stack.
+
+Note that TCP stack has a special logic in tcp_set_skb_tso_segs()
+to clear gso_size for small packets.
+
+Fixes: 6dd912f82680 ("net: check untrusted gso_size at kernel entry")
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Acked-by: Willem de Bruijn
+Signed-off-by: David S. Miller
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/virtio_net.h | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -109,16 +109,17 @@ retry:
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
++ struct skb_shared_info *shinfo = skb_shinfo(skb);
+
+- if (skb->len - p_off <= gso_size)
+- return -EINVAL;
++ /* Too small packets are not really GSO ones. */
++ if (skb->len - p_off > gso_size) {
++ shinfo->gso_size = gso_size;
++ shinfo->gso_type = gso_type;
+
+- skb_shinfo(skb)->gso_size = gso_size;
+- skb_shinfo(skb)->gso_type = gso_type;
+-
+- /* Header must be checked, and gso_segs computed. */
+- skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+- skb_shinfo(skb)->gso_segs = 0;
++ /* Header must be checked, and gso_segs computed. */
++ shinfo->gso_type |= SKB_GSO_DODGY;
++ shinfo->gso_segs = 0;
++ }
+ }
+
+ return 0;
--
2.47.3
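Review bot: The new test `if (skb->len - p_off > gso_size)` only means "payload larger than gso_size" if p_off has already been bounded by the packet length. If the subtraction is unsigned (presumably, given skb->len), a p_off beyond skb->len would wrap and let the header-supplied gso_size through to `shinfo`. That bound is not visible here because the function starts above the hunk, so please confirm it is enforced before this block and record it in the comment, for example `/* p_off was validated above; hdr is untrusted, so honour gso_size only when the payload exceeds it */`. Too-small requests are now silently ignored instead of returning -EINVAL, so the comment is the only place a reader learns that dropping the GSO fields is deliberate.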