From: Greg Kroah-Hartman Date: Sat, 3 Apr 2021 08:52:49 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.265~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e8da96721650358511b4195f59e19a4b125a478;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: mm-fix-race-by-making-init_zero_pfn-early_initcall.patch reiserfs-update-reiserfs_xattrs_initialized-condition.patch --- diff --git a/queue-4.4/mm-fix-race-by-making-init_zero_pfn-early_initcall.patch b/queue-4.4/mm-fix-race-by-making-init_zero_pfn-early_initcall.patch new file mode 100644 index 00000000000..6b90733c75d --- /dev/null +++ b/queue-4.4/mm-fix-race-by-making-init_zero_pfn-early_initcall.patch @@ -0,0 +1,87 @@ +From e720e7d0e983bf05de80b231bccc39f1487f0f16 Mon Sep 17 00:00:00 2001 +From: Ilya Lipnitskiy +Date: Mon, 29 Mar 2021 21:42:08 -0700 +Subject: mm: fix race by making init_zero_pfn() early_initcall +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilya Lipnitskiy + +commit e720e7d0e983bf05de80b231bccc39f1487f0f16 upstream. + +There are code paths that rely on zero_pfn to be fully initialized +before core_initcall. For example, wq_sysfs_init() is a core_initcall +function that eventually results in a call to kernel_execve, which +causes a page fault with a subsequent mmput. If zero_pfn is not +initialized by then it may not get cleaned up properly and result in an +error: + + BUG: Bad rss-counter state mm:(ptrval) type:MM_ANONPAGES val:1 + +Here is an analysis of the race as seen on a MIPS device. On this +particular MT7621 device (Ubiquiti ER-X), zero_pfn is PFN 0 until +initialized, at which point it becomes PFN 5120: + + 1. wq_sysfs_init calls into kobject_uevent_env at core_initcall: + kobject_uevent_env+0x7e4/0x7ec + kset_register+0x68/0x88 + bus_register+0xdc/0x34c + subsys_virtual_register+0x34/0x78 + wq_sysfs_init+0x1c/0x4c + do_one_initcall+0x50/0x1a8 + kernel_init_freeable+0x230/0x2c8 + kernel_init+0x10/0x100 + ret_from_kernel_thread+0x14/0x1c + + 2. kobject_uevent_env() calls call_usermodehelper_exec() which executes + kernel_execve asynchronously. + + 3. Memory allocations in kernel_execve cause a page fault, bumping the + MM reference counter: + add_mm_counter_fast+0xb4/0xc0 + handle_mm_fault+0x6e4/0xea0 + __get_user_pages.part.78+0x190/0x37c + __get_user_pages_remote+0x128/0x360 + get_arg_page+0x34/0xa0 + copy_string_kernel+0x194/0x2a4 + kernel_execve+0x11c/0x298 + call_usermodehelper_exec_async+0x114/0x194 + + 4. In case zero_pfn has not been initialized yet, zap_pte_range does + not decrement the MM_ANONPAGES RSS counter and the BUG message is + triggered shortly afterwards when __mmdrop checks the ref counters: + __mmdrop+0x98/0x1d0 + free_bprm+0x44/0x118 + kernel_execve+0x160/0x1d8 + call_usermodehelper_exec_async+0x114/0x194 + ret_from_kernel_thread+0x14/0x1c + +To avoid races such as described above, initialize init_zero_pfn at +early_initcall level. Depending on the architecture, ZERO_PAGE is +either constant or gets initialized even earlier, at paging_init, so +there is no issue with initializing zero_pfn earlier. + +Link: https://lkml.kernel.org/r/CALCv0x2YqOXEAy2Q=hafjhHCtTHVodChv1qpM=niAXOpqEbt7w@mail.gmail.com +Signed-off-by: Ilya Lipnitskiy +Cc: Hugh Dickins +Cc: "Eric W. Biederman" +Cc: stable@vger.kernel.org +Tested-by: 周琰杰 (Zhou Yanjie) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -129,7 +129,7 @@ static int __init init_zero_pfn(void) + zero_pfn = page_to_pfn(ZERO_PAGE(0)); + return 0; + } +-core_initcall(init_zero_pfn); ++early_initcall(init_zero_pfn); + + + #if defined(SPLIT_RSS_COUNTING) diff --git a/queue-4.4/reiserfs-update-reiserfs_xattrs_initialized-condition.patch b/queue-4.4/reiserfs-update-reiserfs_xattrs_initialized-condition.patch new file mode 100644 index 00000000000..f8684ef357e --- /dev/null +++ b/queue-4.4/reiserfs-update-reiserfs_xattrs_initialized-condition.patch @@ -0,0 +1,52 @@ +From 5e46d1b78a03d52306f21f77a4e4a144b6d31486 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sun, 21 Mar 2021 23:37:49 +0900 +Subject: reiserfs: update reiserfs_xattrs_initialized() condition + +From: Tetsuo Handa + +commit 5e46d1b78a03d52306f21f77a4e4a144b6d31486 upstream. + +syzbot is reporting NULL pointer dereference at reiserfs_security_init() +[1], for commit ab17c4f02156c4f7 ("reiserfs: fixup xattr_root caching") +is assuming that REISERFS_SB(s)->xattr_root != NULL in +reiserfs_xattr_jcreate_nblocks() despite that commit made +REISERFS_SB(sb)->priv_root != NULL && REISERFS_SB(s)->xattr_root == NULL +case possible. + +I guess that commit 6cb4aff0a77cc0e6 ("reiserfs: fix oops while creating +privroot with selinux enabled") wanted to check xattr_root != NULL +before reiserfs_xattr_jcreate_nblocks(), for the changelog is talking +about the xattr root. + + The issue is that while creating the privroot during mount + reiserfs_security_init calls reiserfs_xattr_jcreate_nblocks which + dereferences the xattr root. The xattr root doesn't exist, so we get + an oops. + +Therefore, update reiserfs_xattrs_initialized() to check both the +privroot and the xattr root. + +Link: https://syzkaller.appspot.com/bug?id=8abaedbdeb32c861dc5340544284167dd0e46cde # [1] +Reported-and-tested-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 6cb4aff0a77c ("reiserfs: fix oops while creating privroot with selinux enabled") +Acked-by: Jeff Mahoney +Acked-by: Jan Kara +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/xattr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/reiserfs/xattr.h ++++ b/fs/reiserfs/xattr.h +@@ -42,7 +42,7 @@ void reiserfs_security_free(struct reise + + static inline int reiserfs_xattrs_initialized(struct super_block *sb) + { +- return REISERFS_SB(sb)->priv_root != NULL; ++ return REISERFS_SB(sb)->priv_root && REISERFS_SB(sb)->xattr_root; + } + + #define xattr_size(size) ((size) + sizeof(struct reiserfs_xattr_header)) diff --git a/queue-4.4/series b/queue-4.4/series index da32bef98dc..b79688e8910 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -15,3 +15,5 @@ net-wan-lmc-unregister-device-when-no-matching-devic.patch alsa-usb-audio-apply-sample-rate-quirk-to-logitech-connect.patch alsa-hda-realtek-call-alc_update_headset_mode-in-hp_automute_hook.patch tracing-fix-stack-trace-event-size.patch +mm-fix-race-by-making-init_zero_pfn-early_initcall.patch +reiserfs-update-reiserfs_xattrs_initialized-condition.patch