From: Greg Kroah-Hartman Date: Fri, 30 Aug 2024 13:03:59 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.321~59 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3a83ad765b0a09e193919eaf065a04ef89a9b43b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: ata-libata-core-fix-null-pointer-dereference-on-error.patch cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch net-rds-fix-possible-deadlock-in-rds_message_put.patch --- diff --git a/queue-5.15/ata-libata-core-fix-null-pointer-dereference-on-error.patch b/queue-5.15/ata-libata-core-fix-null-pointer-dereference-on-error.patch new file mode 100644 index 00000000000..16d92b5fe34 --- /dev/null +++ b/queue-5.15/ata-libata-core-fix-null-pointer-dereference-on-error.patch @@ -0,0 +1,73 @@ +From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 29 Jun 2024 14:42:11 +0200 +Subject: ata: libata-core: Fix null pointer dereference on error + +From: Niklas Cassel + +commit 5d92c7c566dc76d96e0e19e481d926bbe6631c1e upstream. + +If the ata_port_alloc() call in ata_host_alloc() fails, +ata_host_release() will get called. + +However, the code in ata_host_release() tries to free ata_port struct +members unconditionally, which can lead to the following: + +BUG: unable to handle page fault for address: 0000000000003990 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI +CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata] +Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41 +RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246 +RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0 +RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68 +R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004 +R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006 +FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0 +PKRU: 55555554 +Call Trace: + + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2f0 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? ata_host_release.cold+0x2f/0x6e [libata] + ? ata_host_release.cold+0x2f/0x6e [libata] + release_nodes+0x35/0xb0 + devres_release_group+0x113/0x140 + ata_host_alloc+0xed/0x120 [libata] + ata_host_alloc_pinfo+0x14/0xa0 [libata] + ahci_init_one+0x6c9/0xd20 [ahci] + +Do not access ata_port struct members unconditionally. + +Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it") +Cc: stable@vger.kernel.org +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Oleksandr Tymoshenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -5391,6 +5391,9 @@ static void ata_host_release(struct kref + for (i = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; + ++ if (!ap) ++ continue; ++ + kfree(ap->pmp_link); + kfree(ap->slave_link); + kfree(ap); diff --git a/queue-5.15/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch b/queue-5.15/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch new file mode 100644 index 00000000000..69bb16a25df --- /dev/null +++ b/queue-5.15/cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch @@ -0,0 +1,92 @@ +From 1be59c97c83ccd67a519d8a49486b3a8a73ca28a Mon Sep 17 00:00:00 2001 +From: Chen Ridong +Date: Fri, 28 Jun 2024 01:36:04 +0000 +Subject: cgroup/cpuset: Prevent UAF in proc_cpuset_show() + +From: Chen Ridong + +commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a upstream. + +An UAF can happen when /proc/cpuset is read as reported in [1]. + +This can be reproduced by the following methods: +1.add an mdelay(1000) before acquiring the cgroup_lock In the + cgroup_path_ns function. +2.$cat /proc//cpuset repeatly. +3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/ +$umount /sys/fs/cgroup/cpuset/ repeatly. + +The race that cause this bug can be shown as below: + +(umount) | (cat /proc//cpuset) +css_release | proc_cpuset_show +css_release_work_fn | css = task_get_css(tsk, cpuset_cgrp_id); +css_free_rwork_fn | cgroup_path_ns(css->cgroup, ...); +cgroup_destroy_root | mutex_lock(&cgroup_mutex); +rebind_subsystems | +cgroup_free_root | + | // cgrp was freed, UAF + | cgroup_path_ns_locked(cgrp,..); + +When the cpuset is initialized, the root node top_cpuset.css.cgrp +will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will +allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated +&cgroup_root.cgrp. When the umount operation is executed, +top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp. + +The problem is that when rebinding to cgrp_dfl_root, there are cases +where the cgroup_root allocated by setting up the root for cgroup v1 +is cached. This could lead to a Use-After-Free (UAF) if it is +subsequently freed. The descendant cgroups of cgroup v1 can only be +freed after the css is released. However, the css of the root will never +be released, yet the cgroup_root should be freed when it is unmounted. +This means that obtaining a reference to the css of the root does +not guarantee that css.cgrp->root will not be freed. + +Fix this problem by using rcu_read_lock in proc_cpuset_show(). +As cgroup_root is kfree_rcu after commit d23b5c577715 +("cgroup: Make operations on the cgroup root_list RCU safe"), +css->cgroup won't be freed during the critical section. +To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to +replace task_get_css with task_css. + +[1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd + +Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") +Signed-off-by: Chen Ridong +Signed-off-by: Tejun Heo +Signed-off-by: Shivani Agarwal +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -22,6 +22,7 @@ + * distribution for more details. + */ + ++#include "cgroup-internal.h" + #include + #include + #include +@@ -3780,10 +3781,14 @@ int proc_cpuset_show(struct seq_file *m, + if (!buf) + goto out; + +- css = task_get_css(tsk, cpuset_cgrp_id); +- retval = cgroup_path_ns(css->cgroup, buf, PATH_MAX, +- current->nsproxy->cgroup_ns); +- css_put(css); ++ rcu_read_lock(); ++ spin_lock_irq(&css_set_lock); ++ css = task_css(tsk, cpuset_cgrp_id); ++ retval = cgroup_path_ns_locked(css->cgroup, buf, PATH_MAX, ++ current->nsproxy->cgroup_ns); ++ spin_unlock_irq(&css_set_lock); ++ rcu_read_unlock(); ++ + if (retval >= PATH_MAX) + retval = -ENAMETOOLONG; + if (retval < 0) diff --git a/queue-5.15/net-rds-fix-possible-deadlock-in-rds_message_put.patch b/queue-5.15/net-rds-fix-possible-deadlock-in-rds_message_put.patch new file mode 100644 index 00000000000..530388ace9c --- /dev/null +++ b/queue-5.15/net-rds-fix-possible-deadlock-in-rds_message_put.patch @@ -0,0 +1,79 @@ +From f1acf1ac84d2ae97b7889b87223c1064df850069 Mon Sep 17 00:00:00 2001 +From: Allison Henderson +Date: Thu, 8 Feb 2024 19:28:54 -0700 +Subject: net:rds: Fix possible deadlock in rds_message_put + +From: Allison Henderson + +commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream. + +Functions rds_still_queued and rds_clear_recv_queue lock a given socket +in order to safely iterate over the incoming rds messages. However +calling rds_inc_put while under this lock creates a potential deadlock. +rds_inc_put may eventually call rds_message_purge, which will lock +m_rs_lock. This is the incorrect locking order since m_rs_lock is +meant to be locked before the socket. To fix this, we move the message +item to a local list or variable that wont need rs_recv_lock protection. +Then we can safely call rds_inc_put on any item stored locally after +rs_recv_lock is released. + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-by: syzbot+f9db6ff27b9bfdcfeca0@syzkaller.appspotmail.com +Reported-by: syzbot+dcd73ff9291e6d34b3ab@syzkaller.appspotmail.com +Signed-off-by: Allison Henderson +Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/recv.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -424,6 +424,7 @@ static int rds_still_queued(struct rds_s + struct sock *sk = rds_rs_to_sk(rs); + int ret = 0; + unsigned long flags; ++ struct rds_incoming *to_drop = NULL; + + write_lock_irqsave(&rs->rs_recv_lock, flags); + if (!list_empty(&inc->i_item)) { +@@ -434,11 +435,14 @@ static int rds_still_queued(struct rds_s + -be32_to_cpu(inc->i_hdr.h_len), + inc->i_hdr.h_dport); + list_del_init(&inc->i_item); +- rds_inc_put(inc); ++ to_drop = inc; + } + } + write_unlock_irqrestore(&rs->rs_recv_lock, flags); + ++ if (to_drop) ++ rds_inc_put(to_drop); ++ + rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop); + return ret; + } +@@ -757,16 +761,21 @@ void rds_clear_recv_queue(struct rds_soc + struct sock *sk = rds_rs_to_sk(rs); + struct rds_incoming *inc, *tmp; + unsigned long flags; ++ LIST_HEAD(to_drop); + + write_lock_irqsave(&rs->rs_recv_lock, flags); + list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) { + rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong, + -be32_to_cpu(inc->i_hdr.h_len), + inc->i_hdr.h_dport); ++ list_move(&inc->i_item, &to_drop); ++ } ++ write_unlock_irqrestore(&rs->rs_recv_lock, flags); ++ ++ list_for_each_entry_safe(inc, tmp, &to_drop, i_item) { + list_del_init(&inc->i_item); + rds_inc_put(inc); + } +- write_unlock_irqrestore(&rs->rs_recv_lock, flags); + } + + /* diff --git a/queue-5.15/series b/queue-5.15/series index e65f63d1d68..6fdcfdaf02d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -181,3 +181,6 @@ net-mana-fix-race-of-mana_hwc_post_rx_wqe-and-new-hwc-response.patch mptcp-sched-check-both-backup-in-retrans.patch revert-mips-loongson64-reset-prioritise-firmware-service.patch drm-amdkfd-don-t-allow-mapping-the-mmio-hdp-page-with-large-pages.patch +ata-libata-core-fix-null-pointer-dereference-on-error.patch +cgroup-cpuset-prevent-uaf-in-proc_cpuset_show.patch +net-rds-fix-possible-deadlock-in-rds_message_put.patch