4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Mar 2021 14:33:40 +0000 (15:33 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 4 Mar 2021 14:33:40 +0000 (15:33 +0100)
added patches:
jfs-more-checks-for-invalid-superblock.patch
net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch
xfs-fix-assert-failure-in-xfs_setattr_size.patch

queue-4.4/jfs-more-checks-for-invalid-superblock.patch [new file with mode: 0644]
queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch [new file with mode: 0644]

diff --git a/queue-4.4/jfs-more-checks-for-invalid-superblock.patch b/queue-4.4/jfs-more-checks-for-invalid-superblock.patch
new file mode 100644 (file)
index 0000000..09a4a2b
--- /dev/null
@@ -0,0 +1,82 @@
+From 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 18 Dec 2020 12:17:16 -0800
+Subject: JFS: more checks for invalid superblock
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 upstream.
+
+syzbot is feeding invalid superblock data to JFS for mount testing.
+JFS does not check several of the fields -- just assumes that they
+are good since the JFS_MAGIC and version fields are good.
+
+In this case (syzbot reproducer), we have s_l2bsize == 0xda0c,
+pad == 0xf045, and s_state == 0x50, all of which are invalid IMO.
+Having s_l2bsize == 0xda0c causes this UBSAN warning:
+  UBSAN: shift-out-of-bounds in fs/jfs/jfs_mount.c:373:25
+  shift exponent -9716 is negative
+
+s_l2bsize can be tested for correctness. pad can be tested for non-0
+and punted. s_state can be tested for its valid values and punted.
+
+Do those 3 tests and if any of them fails, report the superblock as
+invalid/corrupt and let fsck handle it.
+
+With this patch, chkSuper() says this when JFS_DEBUG is enabled:
+  jfs_mount: Mount Failure: superblock is corrupt!
+  Mount JFS Failure: -22
+  jfs_mount failed w/return code = -22
+
+The obvious problem with this method is that next week there could
+be another syzbot test that uses different fields for invalid values,
+this making this like a game of whack-a-mole.
+
+syzkaller link: https://syzkaller.appspot.com/bug?extid=36315852ece4132ec193
+
+Reported-by: syzbot+36315852ece4132ec193@syzkaller.appspotmail.com
+Reported-by: kernel test robot <lkp@intel.com> # v2
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Cc: jfs-discussion@lists.sourceforge.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_filsys.h |    1 +
+ fs/jfs/jfs_mount.c  |   10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/fs/jfs/jfs_filsys.h
++++ b/fs/jfs/jfs_filsys.h
+@@ -281,5 +281,6 @@
+                                * fsck() must be run to repair
+                                */
+ #define       FM_EXTENDFS 0x00000008  /* file system extendfs() in progress */
++#define       FM_STATE_MAX 0x0000000f /* max value of s_state */
+ #endif                                /* _H_JFS_FILSYS */
+--- a/fs/jfs/jfs_mount.c
++++ b/fs/jfs/jfs_mount.c
+@@ -49,6 +49,7 @@
+ #include <linux/fs.h>
+ #include <linux/buffer_head.h>
++#include <linux/log2.h>
+ #include "jfs_incore.h"
+ #include "jfs_filsys.h"
+@@ -378,6 +379,15 @@ static int chkSuper(struct super_block *
+       sbi->bsize = bsize;
+       sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize);
++      /* check some fields for possible corruption */
++      if (sbi->l2bsize != ilog2((u32)bsize) ||
++          j_sb->pad != 0 ||
++          le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) {
++              rc = -EINVAL;
++              jfs_err("jfs_mount: Mount Failure: superblock is corrupt!");
++              goto out;
++      }
++
+       /*
+        * For now, ignore s_pbsize, l2bfactor.  All I/O going through buffer
+        * cache.
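Review bot: The new l2bsize test on the line `if (sbi->l2bsize != ilog2((u32)bsize) ||` only pins s_l2bsize to floor(log2(bsize)), because ilog2() rounds down; a superblock whose s_bsize is not a power of two but whose l2bsize matches the truncated logarithm (constructed example: bsize 4097 with l2bsize 12) still passes, and bsize == 0 relies on whatever ilog2() yields for zero. Unless bsize is already constrained earlier in chkSuper() — that part is outside the hunk — I would add `!is_power_of_2(bsize) ||` as the first operand; linux/log2.h, which this same patch includes, provides it. The jfs_err line also discards the values that failed, which is exactly what someone triaging a refused mount of an untrusted image needs, so I would print them: `jfs_err("jfs_mount: Mount Failure: superblock is corrupt! (l2bsize=%d pad=%#x state=%#x)", sbi->l2bsize, le16_to_cpu(j_sb->pad), le32_to_cpu(j_sb->s_state));` (assuming pad is a __le16 like the neighbouring s_l2bsize). chkSuper() starts and ends outside the hunk.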
diff --git a/queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch b/queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch
new file mode 100644 (file)
index 0000000..44c3762
--- /dev/null
@@ -0,0 +1,54 @@
+From 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 Mon Sep 17 00:00:00 2001
+From: Marco Elver <elver@google.com>
+Date: Mon, 1 Feb 2021 17:04:20 +0100
+Subject: net: fix up truesize of cloned skb in skb_prepare_for_shift()
+
+From: Marco Elver <elver@google.com>
+
+commit 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 upstream.
+
+Avoid the assumption that ksize(kmalloc(S)) == ksize(kmalloc(S)): when
+cloning an skb, save and restore truesize after pskb_expand_head(). This
+can occur if the allocator decides to service an allocation of the same
+size differently (e.g. use a different size class, or pass the
+allocation on to KFENCE).
+
+Because truesize is used for bookkeeping (such as sk_wmem_queued), a
+modified truesize of a cloned skb may result in corrupt bookkeeping and
+relevant warnings (such as in sk_stream_kill_queues()).
+
+Link: https://lkml.kernel.org/r/X9JR/J6dMMOy1obu@elver.google.com
+Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210201160420.2826895-1-elver@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2628,7 +2628,19 @@ EXPORT_SYMBOL(skb_split);
+  */
+ static int skb_prepare_for_shift(struct sk_buff *skb)
+ {
+-      return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
++      int ret = 0;
++
++      if (skb_cloned(skb)) {
++              /* Save and restore truesize: pskb_expand_head() may reallocate
++               * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we
++               * cannot change truesize at this point.
++               */
++              unsigned int save_truesize = skb->truesize;
++
++              ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
++              skb->truesize = save_truesize;
++      }
++      return ret;
+ }
+ /**
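Review bot: The comment added above `unsigned int save_truesize = skb->truesize;` says truesize "cannot change truesize at this point" but not why, so a later reader may take the unconditional `skb->truesize = save_truesize;` for an accounting bug and remove it. I would extend the comment with the reason the commit message gives: `* The old truesize has already been charged to the owning socket (e.g. sk_wmem_queued); changing it here would corrupt that bookkeeping.` The restore also runs when pskb_expand_head() fails; nothing in the hunk shows that to be harmful, but it presumably relies on a failed call leaving skb->truesize untouched, which the same comment could state. The kernel-doc block for skb_prepare_for_shift() closes on the hunk's first context line, so the function's header documentation is outside the hunk.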
index a1af25cb248abd7d481fb280e27b933e098e94c7..3c66509271a3b23fa6dfca1513dfe8729530b548 100644 (file)
@@ -5,3 +5,6 @@ mmc-sdhci-esdhc-imx-fix-kernel-panic-when-remove-module.patch
 scripts-use-pkg-config-to-locate-libcrypto.patch
 scripts-set-proper-openssl-include-dir-also-for-sign-file.patch
 hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch
+jfs-more-checks-for-invalid-superblock.patch
+xfs-fix-assert-failure-in-xfs_setattr_size.patch
+net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch
diff --git a/queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch b/queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch
new file mode 100644 (file)
index 0000000..a792706
--- /dev/null
@@ -0,0 +1,35 @@
+From 88a9e03beef22cc5fabea344f54b9a0dfe63de08 Mon Sep 17 00:00:00 2001
+From: Yumei Huang <yuhuang@redhat.com>
+Date: Fri, 22 Jan 2021 16:48:19 -0800
+Subject: xfs: Fix assert failure in xfs_setattr_size()
+
+From: Yumei Huang <yuhuang@redhat.com>
+
+commit 88a9e03beef22cc5fabea344f54b9a0dfe63de08 upstream.
+
+An assert failure is triggered by syzkaller test due to
+ATTR_KILL_PRIV is not cleared before xfs_setattr_size.
+As ATTR_KILL_PRIV is not checked/used by xfs_setattr_size,
+just remove it from the assert.
+
+Signed-off-by: Yumei Huang <yuhuang@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_iops.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -770,7 +770,7 @@ xfs_setattr_size(
+       ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL));
+       ASSERT(S_ISREG(ip->i_d.di_mode));
+       ASSERT((iattr->ia_valid & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
+-              ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
++              ATTR_MTIME_SET|ATTR_TIMES_SET)) == 0);
+       oldsize = inode->i_size;
+       newsize = iattr->ia_size;