From cf467bd6b97f86e80f75ad29ccec3d74d8311ba0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 29 Dec 2019 17:09:41 +0100
Subject: [PATCH] 4.9-stable patches

added patches:
ext4-check-for-directory-entries-too-close-to-block-end.patch
ext4-fix-ext4_empty_dir-for-directories-with-holes.patch
mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch
powerpc-irq-fix-stack-overflow-verification.patch
---
 ...ctory-entries-too-close-to-block-end.patch | 39 ++++++++
 ...empty_dir-for-directories-with-holes.patch | 97 +++++++++++++++++++
 ...i-of-esdhc-fix-p2020-errata-handling.patch | 47 +++++++++
 ...-irq-fix-stack-overflow-verification.patch | 50 ++++++++++
 queue-4.9/series | 4 +
 5 files changed, 237 insertions(+)
 create mode 100644 queue-4.9/ext4-check-for-directory-entries-too-close-to-block-end.patch
 create mode 100644 queue-4.9/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch
 create mode 100644 queue-4.9/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch
 create mode 100644 queue-4.9/powerpc-irq-fix-stack-overflow-verification.patch

diff --git a/queue-4.9/ext4-check-for-directory-entries-too-close-to-block-end.patch b/queue-4.9/ext4-check-for-directory-entries-too-close-to-block-end.patch
new file mode 100644
index 00000000000..9f6a5f933f2
--- /dev/null
+++ b/queue-4.9/ext4-check-for-directory-entries-too-close-to-block-end.patch
@@ -0,0 +1,39 @@
+From 109ba779d6cca2d519c5dd624a3276d03e21948e Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 2 Dec 2019 18:02:13 +0100
+Subject: ext4: check for directory entries too close to block end
+
+From: Jan Kara
+
+commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream.
+
+ext4_check_dir_entry() currently does not catch a case when a directory
+entry ends so close to the block end that the header of the next
+directory entry would not fit in the remaining space. This can lead to
+directory iteration code trying to access address beyond end of current
+buffer head leading to oops.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -75,6 +75,11 @@ int __ext4_check_dir_entry(const char *f
+ error_msg = "rec_len is too small for name_len";
+ else if (unlikely(((char *) de - buf) + rlen > size))
+ error_msg = "directory entry overrun";
++ else if (unlikely(((char *) de - buf) + rlen >
++ size - EXT4_DIR_REC_LEN(1) &&
++ ((char *) de - buf) + rlen != size)) {
++ error_msg = "directory entry too close to block end";
++ }
+ else if (unlikely(le32_to_cpu(de->inode) >
+ le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
+ error_msg = "inode out of bounds";
diff --git a/queue-4.9/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch b/queue-4.9/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch
new file mode 100644
index 00000000000..62009de704c
--- /dev/null
+++ b/queue-4.9/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch
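Review bot: The new branch starting at `++ else if (unlikely(((char *) de - buf) + rlen >` is the only one in this `else if` chain that wraps its single statement in braces, and the intent of the two-part condition is not stated anywhere; a comment such as `/* Either this entry ends exactly at the block end, or the next entry's header must still fit before it */` would carry it, and dropping the braces would match the surrounding style. The threshold `size - EXT4_DIR_REC_LEN(1)` treats `size` as a whole directory block; if any caller passes a smaller buffer, such as an inline-data area (the callers are not visible here), an entry ending short of `size` by less than one minimal record is now rejected, so that path deserves a test. __ext4_check_dir_entry() starts and ends outside this hunk.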
@@ -0,0 +1,97 @@
+From 64d4ce892383b2ad6d782e080d25502f91bf2a38 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 2 Dec 2019 18:02:12 +0100
+Subject: ext4: fix ext4_empty_dir() for directories with holes
+
+From: Jan Kara
+
+commit 64d4ce892383b2ad6d782e080d25502f91bf2a38 upstream.
+
+Function ext4_empty_dir() doesn't correctly handle directories with
+holes and crashes on bh->b_data dereference when bh is NULL. Reorganize
+the loop to use 'offset' variable all the times instead of comparing
+pointers to current direntry with bh->b_data pointer. Also add more
+strict checking of '.' and '..' directory entries to avoid entering loop
+in possibly invalid state on corrupted filesystems.
+
+References: CVE-2019-19037
+CC: stable@vger.kernel.org
+Fixes: 4e19d6b65fb4 ("ext4: allow directory holes")
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/r/20191202170213.4761-2-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/namei.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2721,7 +2721,7 @@ bool ext4_empty_dir(struct inode *inode)
+ {
+ unsigned int offset;
+ struct buffer_head *bh;
+- struct ext4_dir_entry_2 *de, *de1;
++ struct ext4_dir_entry_2 *de;
+ struct super_block *sb;
+ 
+ if (ext4_has_inline_data(inode)) {
+@@ -2746,19 +2746,25 @@ bool ext4_empty_dir(struct inode *inode)
+ return true;
+ 
+ de = (struct ext4_dir_entry_2 *) bh->b_data;
+- de1 = ext4_next_entry(de, sb->s_blocksize);
+- if (le32_to_cpu(de->inode) != inode->i_ino ||
+- le32_to_cpu(de1->inode) == 0 ||
+- strcmp(".", de->name) || strcmp("..", de1->name)) {
+- ext4_warning_inode(inode, "directory missing '.' and/or '..'");
++ if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
++ 0) ||
++ le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {
++ ext4_warning_inode(inode, "directory missing '.'");
+ brelse(bh);
+ return true;
+ }
+- offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize) +
+- ext4_rec_len_from_disk(de1->rec_len, sb->s_blocksize);
+- de = ext4_next_entry(de1, sb->s_blocksize);
++ offset = ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
++ de = ext4_next_entry(de, sb->s_blocksize);
++ if (ext4_check_dir_entry(inode, NULL, de, bh, bh->b_data, bh->b_size,
++ offset) ||
++ le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {
++ ext4_warning_inode(inode, "directory missing '..'");
++ brelse(bh);
++ return true;
++ }
++ offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
+ while (offset < inode->i_size) {
+- if ((void *) de >= (void *) (bh->b_data+sb->s_blocksize)) {
++ if (!(offset & (sb->s_blocksize - 1))) {
+ unsigned int lblock;
+ brelse(bh);
+ lblock = offset >> EXT4_BLOCK_SIZE_BITS(sb);
+@@ -2769,12 +2775,11 @@ bool ext4_empty_dir(struct inode *inode)
+ }
+ if (IS_ERR(bh))
+ return true;
+- de = (struct ext4_dir_entry_2 *) bh->b_data;
+ }
++ de = (struct ext4_dir_entry_2 *) (bh->b_data +
++ (offset & (sb->s_blocksize - 1)));
+ if (ext4_check_dir_entry(inode, NULL, de, bh,
+ bh->b_data, bh->b_size, offset)) {
+- de = (struct ext4_dir_entry_2 *)(bh->b_data +
+- sb->s_blocksize);
+ offset = (offset | (sb->s_blocksize - 1)) + 1;
+ continue;
+ }
+@@ -2783,7 +2788,6 @@ bool ext4_empty_dir(struct inode *inode)
+ return false;
+ }
+ offset += ext4_rec_len_from_disk(de->rec_len, sb->s_blocksize);
+- de = ext4_next_entry(de, sb->s_blocksize);
+ }
+ brelse(bh);
+ return true;
diff --git a/queue-4.9/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch b/queue-4.9/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch
new file mode 100644
index 00000000000..31a65fc0c3d
--- /dev/null
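Review bot: The new '.' and '..' checks at `++ le32_to_cpu(de->inode) != inode->i_ino || strcmp(".", de->name)) {` and `++ le32_to_cpu(de->inode) == 0 || strcmp("..", de->name)) {` still identify the entries with `strcmp()` on `de->name`, which on disk is a byte array qualified by `de->name_len` rather than a NUL-terminated string, so an entry whose `name_len` disagrees with the bytes that happen to follow still passes even though ext4_check_dir_entry() only validated `rec_len` against `name_len`. Comparing the length explicitly is tighter and avoids depending on padding: `de->name_len != 1 || de->name[0] != '.'` and `de->name_len != 2 || memcmp(de->name, "..", 2)`. Every corruption path here warns and then returns true, i.e. reports the directory as empty; that is the pre-existing policy, but it is worth one line at the function head, `/* On a corrupted directory we warn and report it empty rather than failing the operation */`, since it decides what rmdir does with damaged directories. The new block-boundary test `++ if (!(offset & (sb->s_blocksize - 1))) {` would also read better with `/* offset is block-aligned: the previous entry ended the block, fetch the next one (it may be a hole) */`. ext4_empty_dir() continues outside these hunks, including the block read whose result the `IS_ERR(bh)` test inspects.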
+++ b/queue-4.9/mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch
@@ -0,0 +1,47 @@
+From fe0acab448f68c3146235afe03fb932e242ec94c Mon Sep 17 00:00:00 2001
+From: Yangbo Lu
+Date: Mon, 16 Dec 2019 11:18:42 +0800
+Subject: mmc: sdhci-of-esdhc: fix P2020 errata handling
+
+From: Yangbo Lu
+
+commit fe0acab448f68c3146235afe03fb932e242ec94c upstream.
+
+Two previous patches introduced below quirks for P2020 platforms.
+- SDHCI_QUIRK_RESET_AFTER_REQUEST
+- SDHCI_QUIRK_BROKEN_TIMEOUT_VAL
+
+The patches made a mistake to add them in quirks2 of sdhci_host
+structure, while they were defined for quirks.
+ host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
+ host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
+
+This patch is to fix them.
+ host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
+ host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
+
+Fixes: 05cb6b2a66fa ("mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support")
+Fixes: a46e42712596 ("mmc: sdhci-of-esdhc: add erratum eSDHC5 support")
+Signed-off-by: Yangbo Lu
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191216031842.40068-1-yangbo.lu@nxp.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-of-esdhc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-of-esdhc.c
++++ b/drivers/mmc/host/sdhci-of-esdhc.c
+@@ -637,8 +637,8 @@ static int sdhci_esdhc_probe(struct plat
+ host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
+ 
+ if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) {
+- host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
+- host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
++ host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
++ host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
+ }
+ 
+ if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
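Review bot: The corrected lines `++ host->quirks |= SDHCI_QUIRK_RESET_AFTER_REQUEST;` and `++ host->quirks |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;` carry no comment tying them to the errata they implement, and the two Fixes: tags in the commit message are the only place that link is recorded; a line above the `fsl,p2020-esdhc` block such as `/* P2020 errata: eSDHC-A001, A-008358 and eSDHC5 (see the commits that added these quirks) */` would keep it in the source. The original misplacement went unnoticed because `quirks` and `quirks2` are both plain bitmasks (both are updated with `|=` here), so the compiler cannot tell a SDHCI_QUIRK_* value from a SDHCI_QUIRK2_* one; a grep of the driver for other `quirks2 |= SDHCI_QUIRK_` combinations would be a cheap follow-up. sdhci_esdhc_probe() continues outside this hunk.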
diff --git a/queue-4.9/powerpc-irq-fix-stack-overflow-verification.patch b/queue-4.9/powerpc-irq-fix-stack-overflow-verification.patch
new file mode 100644
index 00000000000..d991a363390
--- /dev/null
+++ b/queue-4.9/powerpc-irq-fix-stack-overflow-verification.patch
@@ -0,0 +1,50 @@
+From 099bc4812f09155da77eeb960a983470249c9ce1 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Mon, 9 Dec 2019 06:19:08 +0000
+Subject: powerpc/irq: fix stack overflow verification
+
+From: Christophe Leroy
+
+commit 099bc4812f09155da77eeb960a983470249c9ce1 upstream.
+
+Before commit 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of
+the irq stack"), check_stack_overflow() was called by do_IRQ(), before
+switching to the irq stack.
+In that commit, do_IRQ() was renamed __do_irq(), and is now executing
+on the irq stack, so check_stack_overflow() has just become almost
+useless.
+
+Move check_stack_overflow() call in do_IRQ() to do the check while
+still on the current stack.
+
+Fixes: 0366a1c70b89 ("powerpc/irq: Run softirqs off the top of the irq stack")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/e033aa8116ab12b7ca9a9c75189ad0741e3b9b5f.1575872340.git.christophe.leroy@c-s.fr
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/irq.c
++++ b/arch/powerpc/kernel/irq.c
+@@ -527,8 +527,6 @@ void __do_irq(struct pt_regs *regs)
+ 
+ trace_irq_entry(regs);
+ 
+- check_stack_overflow();
+-
+ /*
+ * Query the platform PIC for the interrupt & ack it.
+ *
+@@ -560,6 +558,8 @@ void do_IRQ(struct pt_regs *regs)
+ irqtp = hardirq_ctx[raw_smp_processor_id()];
+ sirqtp = softirq_ctx[raw_smp_processor_id()];
+ 
++ check_stack_overflow();
++
+ /* Already there ? */
+ if (unlikely(curtp == irqtp || curtp == sirqtp)) {
+ __do_irq(regs);
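Review bot: The moved call `++ check_stack_overflow();` is placed before the `/* Already there ? */` test, so it is also reached when do_IRQ() is entered while already on the irq or softirq stack, and nothing in the hunk says whether checking that stack is intended; a comment would settle it: `/* Check the stack we are still on, before switching to the irq stack */`. The commit message explains that the check was nearly useless once it ran on the irq stack, which suggests the ordering is deliberate, but a reader of irq.c alone has to re-derive that. The removal in __do_irq() and the addition in do_IRQ() are the same relocation, so one comment at the new site is enough. Both do_IRQ() and __do_irq() extend beyond these hunks.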
diff --git a/queue-4.9/series b/queue-4.9/series
index cad6410d7ac..9734b61e246 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -103,3 +103,7 @@ usbip-fix-error-path-of-vhci_recv_ret_submit.patch
 usb-ehci-do-not-return-epipe-when-hub-is-disconnected.patch
 platform-x86-hp-wmi-make-buffer-for-hpwmi_feature2_query-128-bytes.patch
 staging-comedi-gsc_hpdi-check-dma_alloc_coherent-return-value.patch
+ext4-fix-ext4_empty_dir-for-directories-with-holes.patch
+ext4-check-for-directory-entries-too-close-to-block-end.patch
+powerpc-irq-fix-stack-overflow-verification.patch
+mmc-sdhci-of-esdhc-fix-p2020-errata-handling.patch
-- 
2.47.3