--- /dev/null
+From 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 22 Feb 2021 18:16:26 +0100
+Subject: ext4: add reclaim checks to xattr code
+
+From: Jan Kara <jack@suse.cz>
+
+commit 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 upstream.
+
+Syzbot is reporting that ext4 can enter fs reclaim from kvmalloc() while
+the transaction is started like:
+
+ fs_reclaim_acquire+0x117/0x150 mm/page_alloc.c:4340
+ might_alloc include/linux/sched/mm.h:193 [inline]
+ slab_pre_alloc_hook mm/slab.h:493 [inline]
+ slab_alloc_node mm/slub.c:2817 [inline]
+ __kmalloc_node+0x5f/0x430 mm/slub.c:4015
+ kmalloc_node include/linux/slab.h:575 [inline]
+ kvmalloc_node+0x61/0xf0 mm/util.c:587
+ kvmalloc include/linux/mm.h:781 [inline]
+ ext4_xattr_inode_cache_find fs/ext4/xattr.c:1465 [inline]
+ ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1508 [inline]
+ ext4_xattr_set_entry+0x1ce6/0x3780 fs/ext4/xattr.c:1649
+ ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224
+ ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380
+ ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493
+
+This should be impossible since transaction start sets PF_MEMALLOC_NOFS.
+Add some assertions to the code to catch if something isn't working as
+expected early.
+
+Link: https://lore.kernel.org/linux-ext4/000000000000563a0205bafb7970@google.com/
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20210222171626.21884-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1479,6 +1479,9 @@ ext4_xattr_inode_cache_find(struct inode
+ if (!ce)
+ return NULL;
+
++ WARN_ON_ONCE(ext4_handle_valid(journal_current_handle()) &&
++ !(current->flags & PF_MEMALLOC_NOFS));
++
+ ea_data = ext4_kvmalloc(value_len, GFP_NOFS);
+ if (!ea_data) {
+ mb_cache_entry_put(ea_inode_cache, ce);
+@@ -2345,6 +2348,7 @@ ext4_xattr_set_handle(handle_t *handle,
+ error = -ENOSPC;
+ goto cleanup;
+ }
++ WARN_ON_ONCE(!(current->flags & PF_MEMALLOC_NOFS));
+ }
+
+ error = ext4_reserve_inode_write(handle, inode, &is.iloc);
--- /dev/null
+From 3bd801b14e0c5d29eeddc7336558beb3344efaa3 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Sat, 13 Feb 2021 14:36:53 +0100
+Subject: mac80211: fix double free in ibss_leave
+
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+
+commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.
+
+Clear beacon ie pointer and ie length after free
+in order to prevent double free.
+
+==================================================================
+BUG: KASAN: double-free or invalid-free \
+in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+
+CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
+ kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
+ ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
+ kasan_slab_free include/linux/kasan.h:192 [inline]
+ __cache_free mm/slab.c:3424 [inline]
+ kfree+0xed/0x270 mm/slab.c:3760
+ ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+ rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
+ __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
+ __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
+ cfg80211_leave net/wireless/core.c:1221 [inline]
+ cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
+ call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
+ call_netdevice_notifiers net/core/dev.c:2066 [inline]
+ __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
+ __dev_close net/core/dev.c:1624 [inline]
+ __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
+ dev_change_flags+0x8a/0x160 net/core/dev.c:8549
+ dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
+ dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
+ sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
+ sock_ioctl+0x477/0x6a0 net/socket.c:1177
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1861,6 +1861,8 @@ int ieee80211_ibss_leave(struct ieee8021
+
+ /* remove beacon */
+ kfree(sdata->u.ibss.ie);
++ sdata->u.ibss.ie = NULL;
++ sdata->u.ibss.ie_len = 0;
+
+ /* on the next join, re-program HT parameters */
+ memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
--- /dev/null
+From 50535249f624d0072cd885bcdce4e4b6fb770160 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 12 Mar 2021 08:59:48 -0800
+Subject: net: qrtr: fix a kernel-infoleak in qrtr_recvmsg()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 50535249f624d0072cd885bcdce4e4b6fb770160 upstream.
+
+struct sockaddr_qrtr has a 2-byte hole, and qrtr_recvmsg() currently
+does not clear it before copying kernel data to user space.
+
+It might be too late to name the hole since sockaddr_qrtr structure is uapi.
+
+BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
+CPU: 0 PID: 29705 Comm: syz-executor.3 Not tainted 5.11.0-rc7-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:120
+ kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
+ kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402
+ kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
+ instrument_copy_to_user include/linux/instrumented.h:121 [inline]
+ _copy_to_user+0x1ac/0x270 lib/usercopy.c:33
+ copy_to_user include/linux/uaccess.h:209 [inline]
+ move_addr_to_user+0x3a2/0x640 net/socket.c:237
+ ____sys_recvmsg+0x696/0xd50 net/socket.c:2575
+ ___sys_recvmsg net/socket.c:2610 [inline]
+ do_recvmmsg+0xa97/0x22d0 net/socket.c:2710
+ __sys_recvmmsg net/socket.c:2789 [inline]
+ __do_sys_recvmmsg net/socket.c:2812 [inline]
+ __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2805
+ __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2805
+ do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x465f69
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f43659d6188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69
+RDX: 0000000000000008 RSI: 0000000020003e40 RDI: 0000000000000003
+RBP: 00000000004bfa8f R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000010060 R11: 0000000000000246 R12: 000000000056bf60
+R13: 0000000000a9fb1f R14: 00007f43659d6300 R15: 0000000000022000
+
+Local variable ----addr@____sys_recvmsg created at:
+ ____sys_recvmsg+0x168/0xd50 net/socket.c:2550
+ ____sys_recvmsg+0x168/0xd50 net/socket.c:2550
+
+Bytes 2-3 of 12 are uninitialized
+Memory access of size 12 starts at ffff88817c627b40
+Data copied to user address 0000000020000140
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Courtney Cavin <courtney.cavin@sonymobile.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -819,6 +819,11 @@ static int qrtr_recvmsg(struct socket *s
+ rc = copied;
+
+ if (addr) {
++ /* There is an anonymous 2-byte hole after sq_family,
++ * make sure to clear it.
++ */
++ memset(addr, 0, sizeof(*addr));
++
+ addr->sq_family = AF_QIPCRTR;
+ addr->sq_node = le32_to_cpu(phdr->src_node_id);
+ addr->sq_port = le32_to_cpu(phdr->src_port_id);
--- /dev/null
+From e323d865b36134e8c5c82c834df89109a5c60dab Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 10 Mar 2021 08:26:41 -0800
+Subject: net: sched: validate stab values
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e323d865b36134e8c5c82c834df89109a5c60dab upstream.
+
+iproute2 package is well behaved, but malicious user space can
+provide illegal shift values and trigger UBSAN reports.
+
+Add stab parameter to red_check_params() to validate user input.
+
+syzbot reported:
+
+UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18
+shift exponent 111 is too large for 64-bit type 'long unsigned int'
+CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ red_calc_qavg_from_idle_time include/net/red.h:312 [inline]
+ red_calc_qavg include/net/red.h:353 [inline]
+ choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221
+ __dev_xmit_skb net/core/dev.c:3837 [inline]
+ __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150
+ neigh_hh_output include/net/neighbour.h:499 [inline]
+ neigh_output include/net/neighbour.h:508 [inline]
+ ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117
+ __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
+ __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
+ ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
+ NF_HOOK_COND include/linux/netfilter.h:290 [inline]
+ ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215
+ dst_output include/net/dst.h:448 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ NF_HOOK include/linux/netfilter.h:295 [inline]
+ ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320
+ inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135
+ dccp_transmit_skb+0x973/0x12c0 net/dccp/output.c:138
+ dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535
+ dccp_finish_passive_close net/dccp/proto.c:123 [inline]
+ dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118
+ dccp_terminate_connection net/dccp/proto.c:958 [inline]
+ dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028
+ inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
+ inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
+ __sock_release+0xcd/0x280 net/socket.c:599
+ sock_close+0x18/0x20 net/socket.c:1258
+ __fput+0x288/0x920 fs/file_table.c:280
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:140
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+
+Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/red.h | 10 +++++++++-
+ net/sched/sch_choke.c | 7 ++++---
+ net/sched/sch_gred.c | 2 +-
+ net/sched/sch_red.c | 7 +++++--
+ net/sched/sch_sfq.c | 2 +-
+ 5 files changed, 20 insertions(+), 8 deletions(-)
+
+--- a/include/net/red.h
++++ b/include/net/red.h
+@@ -168,7 +168,8 @@ static inline void red_set_vars(struct r
+ v->qcount = -1;
+ }
+
+-static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, u8 Scell_log)
++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog,
++ u8 Scell_log, u8 *stab)
+ {
+ if (fls(qth_min) + Wlog > 32)
+ return false;
+@@ -178,6 +179,13 @@ static inline bool red_check_params(u32
+ return false;
+ if (qth_max < qth_min)
+ return false;
++ if (stab) {
++ int i;
++
++ for (i = 0; i < RED_STAB_SIZE; i++)
++ if (stab[i] >= 32)
++ return false;
++ }
+ return true;
+ }
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -354,6 +354,7 @@ static int choke_change(struct Qdisc *sc
+ struct sk_buff **old = NULL;
+ unsigned int mask;
+ u32 max_P;
++ u8 *stab;
+
+ if (opt == NULL)
+ return -EINVAL;
+@@ -369,8 +370,8 @@ static int choke_change(struct Qdisc *sc
+ max_P = tb[TCA_CHOKE_MAX_P] ? nla_get_u32(tb[TCA_CHOKE_MAX_P]) : 0;
+
+ ctl = nla_data(tb[TCA_CHOKE_PARMS]);
+-
+- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log))
++ stab = nla_data(tb[TCA_CHOKE_STAB]);
++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab))
+ return -EINVAL;
+
+ if (ctl->limit > CHOKE_MAX_QUEUE)
+@@ -420,7 +421,7 @@ static int choke_change(struct Qdisc *sc
+
+ red_set_parms(&q->parms, ctl->qth_min, ctl->qth_max, ctl->Wlog,
+ ctl->Plog, ctl->Scell_log,
+- nla_data(tb[TCA_CHOKE_STAB]),
++ stab,
+ max_P);
+ red_set_vars(&q->vars);
+
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -356,7 +356,7 @@ static inline int gred_change_vq(struct
+ struct gred_sched *table = qdisc_priv(sch);
+ struct gred_sched_data *q = table->tab[dp];
+
+- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log))
++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab))
+ return -EINVAL;
+
+ if (!q) {
+--- a/net/sched/sch_red.c
++++ b/net/sched/sch_red.c
+@@ -169,6 +169,7 @@ static int red_change(struct Qdisc *sch,
+ struct Qdisc *child = NULL;
+ int err;
+ u32 max_P;
++ u8 *stab;
+
+ if (opt == NULL)
+ return -EINVAL;
+@@ -184,7 +185,9 @@ static int red_change(struct Qdisc *sch,
+ max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0;
+
+ ctl = nla_data(tb[TCA_RED_PARMS]);
+- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log))
++ stab = nla_data(tb[TCA_RED_STAB]);
++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog,
++ ctl->Scell_log, stab))
+ return -EINVAL;
+
+ if (ctl->limit > 0) {
+@@ -209,7 +212,7 @@ static int red_change(struct Qdisc *sch,
+ red_set_parms(&q->parms,
+ ctl->qth_min, ctl->qth_max, ctl->Wlog,
+ ctl->Plog, ctl->Scell_log,
+- nla_data(tb[TCA_RED_STAB]),
++ stab,
+ max_P);
+ red_set_vars(&q->vars);
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -649,7 +649,7 @@ static int sfq_change(struct Qdisc *sch,
+ }
+
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+- ctl_v1->Wlog, ctl_v1->Scell_log))
++ ctl_v1->Wlog, ctl_v1->Scell_log, NULL))
+ return -EINVAL;
+ if (ctl_v1 && ctl_v1->qth_min) {
+ p = kmalloc(sizeof(*p), GFP_KERNEL);
scsi-mpt3sas-fix-error-return-code-of-mpt3sas_base_a.patch
locking-mutex-fix-non-debug-version-of-mutex_lock_io_nested.patch
can-dev-move-device-back-to-init-netns-on-owning-netns-delete.patch
+net-sched-validate-stab-values.patch
+net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch
+mac80211-fix-double-free-in-ibss_leave.patch
+ext4-add-reclaim-checks-to-xattr-code.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
