--- /dev/null
+From 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 22 Feb 2021 18:16:26 +0100
+Subject: ext4: add reclaim checks to xattr code
+
+From: Jan Kara <jack@suse.cz>
+
+commit 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 upstream.
+
+Syzbot is reporting that ext4 can enter fs reclaim from kvmalloc() while
+the transaction is started like:
+
+ fs_reclaim_acquire+0x117/0x150 mm/page_alloc.c:4340
+ might_alloc include/linux/sched/mm.h:193 [inline]
+ slab_pre_alloc_hook mm/slab.h:493 [inline]
+ slab_alloc_node mm/slub.c:2817 [inline]
+ __kmalloc_node+0x5f/0x430 mm/slub.c:4015
+ kmalloc_node include/linux/slab.h:575 [inline]
+ kvmalloc_node+0x61/0xf0 mm/util.c:587
+ kvmalloc include/linux/mm.h:781 [inline]
+ ext4_xattr_inode_cache_find fs/ext4/xattr.c:1465 [inline]
+ ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1508 [inline]
+ ext4_xattr_set_entry+0x1ce6/0x3780 fs/ext4/xattr.c:1649
+ ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224
+ ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380
+ ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493
+
+This should be impossible since transaction start sets PF_MEMALLOC_NOFS.
+Add some assertions to the code to catch if something isn't working as
+expected early.
+
+Link: https://lore.kernel.org/linux-ext4/000000000000563a0205bafb7970@google.com/
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20210222171626.21884-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1459,6 +1459,9 @@ ext4_xattr_inode_cache_find(struct inode
+ if (!ce)
+ return NULL;
+
++ WARN_ON_ONCE(ext4_handle_valid(journal_current_handle()) &&
++ !(current->flags & PF_MEMALLOC_NOFS));
++
+ ea_data = kvmalloc(value_len, GFP_KERNEL);
+ if (!ea_data) {
+ mb_cache_entry_put(ea_inode_cache, ce);
+@@ -2325,6 +2328,7 @@ ext4_xattr_set_handle(handle_t *handle,
+ error = -ENOSPC;
+ goto cleanup;
+ }
++ WARN_ON_ONCE(!(current->flags & PF_MEMALLOC_NOFS));
+ }
+
+ error = ext4_reserve_inode_write(handle, inode, &is.iloc);
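Review bot: The two added `WARN_ON_ONCE` checks in fs/ext4/xattr.c have no comment naming the invariant they assert, and they are written differently. The one before `kvmalloc(value_len, GFP_KERNEL)` in ext4_xattr_inode_cache_find first tests `ext4_handle_valid(journal_current_handle())`, while the one in ext4_xattr_set_handle tests only `PF_MEMALLOC_NOFS`. The block enclosing the second check starts outside the hunk, so it presumably already sits in a valid-handle branch; that should be confirmed and stated in a comment. Above the first check I would add `/* A started transaction must have set PF_MEMALLOC_NOFS, otherwise the GFP_KERNEL allocation below can enter fs reclaim. */`. The checks only report: the allocation still runs with `GFP_KERNEL` when the flag is missing, and on systems with panic_on_warn set a hit becomes a panic.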
--- /dev/null
+From f91436d55a279f045987e8b8c1385585dca54be9 Mon Sep 17 00:00:00 2001
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Date: Wed, 24 Feb 2021 15:58:00 +0600
+Subject: fs/ext4: fix integer overflow in s_log_groups_per_flex
+
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+
+commit f91436d55a279f045987e8b8c1385585dca54be9 upstream.
+
+syzbot found UBSAN: shift-out-of-bounds in ext4_mb_init [1], when
+1 << sbi->s_es->s_log_groups_per_flex is bigger than UINT_MAX,
+where sbi->s_mb_prefetch is unsigned integer type.
+
+32 is the maximum allowed power of s_log_groups_per_flex. Following if
+check will also trigger UBSAN shift-out-of-bound:
+
+if (1 << sbi->s_es->s_log_groups_per_flex >= UINT_MAX) {
+
+So I'm checking it against the raw number, perhaps there is another way
+to calculate UINT_MAX max power. Also use min_t as to make sure it's
+uint type.
+
+[1] UBSAN: shift-out-of-bounds in fs/ext4/mballoc.c:2713:24
+shift exponent 60 is too large for 32-bit type 'int'
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x137/0x1be lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:148 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
+ ext4_mb_init_backend fs/ext4/mballoc.c:2713 [inline]
+ ext4_mb_init+0x19bc/0x19f0 fs/ext4/mballoc.c:2898
+ ext4_fill_super+0xc2ec/0xfbe0 fs/ext4/super.c:4983
+
+Reported-by: syzbot+a8b4b0c60155e87e9484@syzkaller.appspotmail.com
+Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20210224095800.3350002-1-snovitoll@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2732,8 +2732,15 @@ static int ext4_mb_init_backend(struct s
+ }
+
+ if (ext4_has_feature_flex_bg(sb)) {
+- /* a single flex group is supposed to be read by a single IO */
+- sbi->s_mb_prefetch = min(1 << sbi->s_es->s_log_groups_per_flex,
++ /* a single flex group is supposed to be read by a single IO.
++ * 2 ^ s_log_groups_per_flex != UINT_MAX as s_mb_prefetch is
++ * unsigned integer, so the maximum shift is 32.
++ */
++ if (sbi->s_es->s_log_groups_per_flex >= 32) {
++ ext4_msg(sb, KERN_ERR, "too many log groups per flexible block group");
++ goto err_freesgi;
++ }
++ sbi->s_mb_prefetch = min_t(uint, 1 << sbi->s_es->s_log_groups_per_flex,
+ BLK_MAX_SEGMENT_SIZE >> (sb->s_blocksize_bits - 9));
+ sbi->s_mb_prefetch *= 8; /* 8 prefetch IOs in flight at most */
+ } else {
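Review bot: The new guard `s_log_groups_per_flex >= 32` in ext4_mb_init_backend still admits 31, and `1 << 31` on the `min_t` line that follows shifts into the sign bit of a 32-bit `int`. Making the operand unsigned, `min_t(uint, 1U << sbi->s_es->s_log_groups_per_flex,`, keeps the whole accepted range well defined. The value is read from the on-disk superblock (`sbi->s_es`), so it is untrusted input from whatever image is mounted, which is why the exact bound matters. The added comment ("2 ^ s_log_groups_per_flex != UINT_MAX ... so the maximum shift is 32") is hard to follow; `/* s_mb_prefetch is unsigned int, so the shift count must stay below 32 */` states the actual limit. The rest of the function and the `err_freesgi` label are outside the hunk.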
--- /dev/null
+From 3bd801b14e0c5d29eeddc7336558beb3344efaa3 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Sat, 13 Feb 2021 14:36:53 +0100
+Subject: mac80211: fix double free in ibss_leave
+
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+
+commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.
+
+Clear beacon ie pointer and ie length after free
+in order to prevent double free.
+
+==================================================================
+BUG: KASAN: double-free or invalid-free \
+in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+
+CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
+ kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
+ ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
+ kasan_slab_free include/linux/kasan.h:192 [inline]
+ __cache_free mm/slab.c:3424 [inline]
+ kfree+0xed/0x270 mm/slab.c:3760
+ ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+ rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
+ __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
+ __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
+ cfg80211_leave net/wireless/core.c:1221 [inline]
+ cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
+ call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
+ call_netdevice_notifiers net/core/dev.c:2066 [inline]
+ __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
+ __dev_close net/core/dev.c:1624 [inline]
+ __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
+ dev_change_flags+0x8a/0x160 net/core/dev.c:8549
+ dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
+ dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
+ sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
+ sock_ioctl+0x477/0x6a0 net/socket.c:1177
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1874,6 +1874,8 @@ int ieee80211_ibss_leave(struct ieee8021
+
+ /* remove beacon */
+ kfree(sdata->u.ibss.ie);
++ sdata->u.ibss.ie = NULL;
++ sdata->u.ibss.ie_len = 0;
+
+ /* on the next join, re-program HT parameters */
+ memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
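Review bot: The two lines added after `kfree(sdata->u.ibss.ie);` in ieee80211_ibss_leave have no comment saying why the pointer and length are reset, and the existing `/* remove beacon */` comment does not cover it. The KASAN trace in the description reaches this `kfree` through the netdev close path, so the function can apparently run again without an intervening join. I would add `/* leave can run again before the next join; clear ie so the stale pointer is not freed twice */` above the assignments. Resetting `ie_len` with the pointer is right, since it keeps any later reader from pairing a non-zero length with a NULL buffer. The surrounding lines use the `ifibss` alias (`ifibss->ht_capa`), so `ifibss->ie = NULL; ifibss->ie_len = 0;` would read more consistently if `ifibss` points at `sdata->u.ibss`, which is set up outside the hunk.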
can-dev-move-device-back-to-init-netns-on-owning-netns-delete.patch
r8169-fix-dma-being-used-after-buffer-free-if-wol-is-enabled.patch
net-dsa-b53-vlan-filtering-is-global-to-all-users.patch
+mac80211-fix-double-free-in-ibss_leave.patch
+ext4-add-reclaim-checks-to-xattr-code.patch
+fs-ext4-fix-integer-overflow-in-s_log_groups_per_flex.patch