From: Greg Kroah-Hartman Date: Tue, 31 Oct 2023 11:57:11 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.1.61~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ca5a34734aa58ec0a0995f58b07f75354e8e644;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch kobject-fix-slab-out-of-bounds-in-fill_kobj_path.patch smbdirect-missing-rc-checks-while-waiting-for-rdma-events.patch --- diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch new file mode 100644 index 00000000000..c862ad512b5 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch @@ -0,0 +1,66 @@ +From 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 6 Dec 2021 22:44:19 +0800 +Subject: f2fs: fix to do sanity check on inode type during garbage collection + +From: Chao Yu + +commit 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f upstream. + +As report by Wenqing Liu in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=215231 + +- Overview +kernel NULL pointer dereference triggered in folio_mark_dirty() when mount and operate on a crafted f2fs image + +- Reproduce +tested on kernel 5.16-rc3, 5.15.X under root + +1. mkdir mnt +2. mount -t f2fs tmp1.img mnt +3. touch tmp +4. cp tmp mnt + +F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix +F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix. +BUG: kernel NULL pointer dereference, address: 0000000000000000 + folio_mark_dirty+0x33/0x50 + move_data_page+0x2dd/0x460 [f2fs] + do_garbage_collect+0xc18/0x16a0 [f2fs] + f2fs_gc+0x1d3/0xd90 [f2fs] + f2fs_balance_fs+0x13a/0x570 [f2fs] + f2fs_create+0x285/0x840 [f2fs] + path_openat+0xe6d/0x1040 + do_filp_open+0xc5/0x140 + do_sys_openat2+0x23a/0x310 + do_sys_open+0x57/0x80 + +The root cause is for special file: e.g. character, block, fifo or socket file, +f2fs doesn't assign address space operations pointer array for mapping->a_ops field, +so, in a fuzzed image, SSA table indicates a data block belong to special file, when +f2fs tries to migrate that block, it causes NULL pointer access once move_data_page() +calls a_ops->set_dirty_page(). + +Cc: stable@vger.kernel.org +Reported-by: Wenqing Liu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Kazunori Kobayashi +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1451,7 +1451,8 @@ next_step: + + if (phase == 3) { + inode = f2fs_iget(sb, dni.ino); +- if (IS_ERR(inode) || is_bad_inode(inode)) { ++ if (IS_ERR(inode) || is_bad_inode(inode) || ++ special_file(inode->i_mode)) { + set_sbi_flag(sbi, SBI_NEED_FSCK); + continue; + } diff --git a/queue-5.10/kobject-fix-slab-out-of-bounds-in-fill_kobj_path.patch b/queue-5.10/kobject-fix-slab-out-of-bounds-in-fill_kobj_path.patch new file mode 100644 index 00000000000..09562f9f715 --- /dev/null +++ b/queue-5.10/kobject-fix-slab-out-of-bounds-in-fill_kobj_path.patch @@ -0,0 +1,143 @@ +From 3bb2a01caa813d3a1845d378bbe4169ef280d394 Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Tue, 20 Dec 2022 09:21:43 +0800 +Subject: kobject: Fix slab-out-of-bounds in fill_kobj_path() + +From: Wang Hai + +commit 3bb2a01caa813d3a1845d378bbe4169ef280d394 upstream. + +In kobject_get_path(), if kobj->name is changed between calls +get_kobj_path_length() and fill_kobj_path() and the length becomes +longer, then fill_kobj_path() will have an out-of-bounds bug. + +The actual current problem occurs when the ixgbe probe. + +In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name +length becomes longer, out-of-bounds will occur. + +cpu0 cpu1 +ixgbe_probe + register_netdev(netdev) + netdev_register_kobject + device_add + kobject_uevent // Sending ADD events + systemd-udevd // rename netdev + dev_change_name + device_rename + kobject_rename + ixgbe_mii_bus_init | + mdiobus_register | + __mdiobus_register | + device_register | + device_add | + kobject_uevent | + kobject_get_path | + len = get_kobj_path_length // old name | + path = kzalloc(len, gfp_mask); | + kobj->name = name; + /* name length becomes + * longer + */ + fill_kobj_path /* kobj path length is + * longer than path, + * resulting in out of + * bounds when filling path + */ + +This is the kasan report: + +================================================================== +BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0 +Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673 + + Workqueue: events work_for_cpu_fn + Call Trace: + + dump_stack_lvl+0x34/0x48 + print_address_description.constprop.0+0x86/0x1e7 + print_report+0x36/0x4f + kasan_report+0xad/0x130 + kasan_check_range+0x35/0x1c0 + memcpy+0x39/0x60 + fill_kobj_path+0x50/0xc0 + kobject_get_path+0x5a/0xc0 + kobject_uevent_env+0x140/0x460 + device_add+0x5c7/0x910 + __mdiobus_register+0x14e/0x490 + ixgbe_probe.cold+0x441/0x574 [ixgbe] + local_pci_probe+0x78/0xc0 + work_for_cpu_fn+0x26/0x40 + process_one_work+0x3b6/0x6a0 + worker_thread+0x368/0x520 + kthread+0x165/0x1a0 + ret_from_fork+0x1f/0x30 + +This reproducer triggers that bug: + +while: +do + rmmod ixgbe + sleep 0.5 + modprobe ixgbe + sleep 0.5 + +When calling fill_kobj_path() to fill path, if the name length of +kobj becomes longer, return failure and retry. This fixes the problem. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com +Signed-off-by: Oleksandr Tymoshenko +Signed-off-by: Greg Kroah-Hartman +--- + lib/kobject.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/lib/kobject.c ++++ b/lib/kobject.c +@@ -144,7 +144,7 @@ static int get_kobj_path_length(struct k + return length; + } + +-static void fill_kobj_path(struct kobject *kobj, char *path, int length) ++static int fill_kobj_path(struct kobject *kobj, char *path, int length) + { + struct kobject *parent; + +@@ -153,12 +153,16 @@ static void fill_kobj_path(struct kobjec + int cur = strlen(kobject_name(parent)); + /* back up enough to print this name with '/' */ + length -= cur; ++ if (length <= 0) ++ return -EINVAL; + memcpy(path + length, kobject_name(parent), cur); + *(path + --length) = '/'; + } + + pr_debug("kobject: '%s' (%p): %s: path = '%s'\n", kobject_name(kobj), + kobj, __func__, path); ++ ++ return 0; + } + + /** +@@ -173,13 +177,17 @@ char *kobject_get_path(struct kobject *k + char *path; + int len; + ++retry: + len = get_kobj_path_length(kobj); + if (len == 0) + return NULL; + path = kzalloc(len, gfp_mask); + if (!path) + return NULL; +- fill_kobj_path(kobj, path, len); ++ if (fill_kobj_path(kobj, path, len)) { ++ kfree(path); ++ goto retry; ++ } + + return path; + } diff --git a/queue-5.10/series b/queue-5.10/series index c2b6022cffe..ec1ff40b421 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -47,3 +47,6 @@ acpica-add-support-for-madt-online-enabled-bit.patch x86-acpi-don-t-add-cpus-that-are-not-online-capable.patch x86-acpi-boot-use-fadt-version-to-check-support-for-.patch x86-i8259-skip-probing-when-acpi-madt-advertises-pca.patch +kobject-fix-slab-out-of-bounds-in-fill_kobj_path.patch +smbdirect-missing-rc-checks-while-waiting-for-rdma-events.patch +f2fs-fix-to-do-sanity-check-on-inode-type-during-garbage-collection.patch diff --git a/queue-5.10/smbdirect-missing-rc-checks-while-waiting-for-rdma-events.patch b/queue-5.10/smbdirect-missing-rc-checks-while-waiting-for-rdma-events.patch new file mode 100644 index 00000000000..d1f22f23e4e --- /dev/null +++ b/queue-5.10/smbdirect-missing-rc-checks-while-waiting-for-rdma-events.patch @@ -0,0 +1,54 @@ +From 0555b221528e9cb11f5766dcdee19c809187e42e Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Mon, 21 Jun 2021 16:25:20 -0500 +Subject: smbdirect: missing rc checks while waiting for rdma events + +From: Steve French + +commit 0555b221528e9cb11f5766dcdee19c809187e42e upstream. + +There were two places where we weren't checking for error +(e.g. ERESTARTSYS) while waiting for rdma resolution. + +Addresses-Coverity: 1462165 ("Unchecked return value") +Reviewed-by: Tom Talpey +Reviewed-by: Long Li +Signed-off-by: Steve French +Signed-off-by: Anastasia Belova +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smbdirect.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -571,8 +571,13 @@ static struct rdma_cm_id *smbd_create_id + log_rdma_event(ERR, "rdma_resolve_addr() failed %i\n", rc); + goto out; + } +- wait_for_completion_interruptible_timeout( ++ rc = wait_for_completion_interruptible_timeout( + &info->ri_done, msecs_to_jiffies(RDMA_RESOLVE_TIMEOUT)); ++ /* e.g. if interrupted returns -ERESTARTSYS */ ++ if (rc < 0) { ++ log_rdma_event(ERR, "rdma_resolve_addr timeout rc: %i\n", rc); ++ goto out; ++ } + rc = info->ri_rc; + if (rc) { + log_rdma_event(ERR, "rdma_resolve_addr() completed %i\n", rc); +@@ -585,8 +590,13 @@ static struct rdma_cm_id *smbd_create_id + log_rdma_event(ERR, "rdma_resolve_route() failed %i\n", rc); + goto out; + } +- wait_for_completion_interruptible_timeout( ++ rc = wait_for_completion_interruptible_timeout( + &info->ri_done, msecs_to_jiffies(RDMA_RESOLVE_TIMEOUT)); ++ /* e.g. if interrupted returns -ERESTARTSYS */ ++ if (rc < 0) { ++ log_rdma_event(ERR, "rdma_resolve_addr timeout rc: %i\n", rc); ++ goto out; ++ } + rc = info->ri_rc; + if (rc) { + log_rdma_event(ERR, "rdma_resolve_route() completed %i\n", rc); diff --git a/queue-5.10/x86-i8259-skip-probing-when-acpi-madt-advertises-pca.patch b/queue-5.10/x86-i8259-skip-probing-when-acpi-madt-advertises-pca.patch index a999e76690f..2798d348901 100644 --- a/queue-5.10/x86-i8259-skip-probing-when-acpi-madt-advertises-pca.patch +++ b/queue-5.10/x86-i8259-skip-probing-when-acpi-madt-advertises-pca.patch @@ -51,13 +51,11 @@ Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218003 Link: https://lore.kernel.org/r/875y2u5s8g.ffs@tglx Signed-off-by: Sasha Levin --- - arch/x86/include/asm/i8259.h | 2 ++ - arch/x86/kernel/acpi/boot.c | 3 +++ - arch/x86/kernel/i8259.c | 38 ++++++++++++++++++++++++++++-------- + arch/x86/include/asm/i8259.h | 2 ++ + arch/x86/kernel/acpi/boot.c | 3 +++ + arch/x86/kernel/i8259.c | 38 ++++++++++++++++++++++++++++++-------- 3 files changed, 35 insertions(+), 8 deletions(-) -diff --git a/arch/x86/include/asm/i8259.h b/arch/x86/include/asm/i8259.h -index 89789e8c80f66..e16574c16e933 100644 --- a/arch/x86/include/asm/i8259.h +++ b/arch/x86/include/asm/i8259.h @@ -67,6 +67,8 @@ struct legacy_pic { @@ -69,11 +67,9 @@ index 89789e8c80f66..e16574c16e933 100644 extern struct legacy_pic *legacy_pic; extern struct legacy_pic null_legacy_pic; -diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c -index 2f7f72b6f1235..5f325d9204455 100644 --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c -@@ -142,6 +142,9 @@ static int __init acpi_parse_madt(struct acpi_table_header *table) +@@ -142,6 +142,9 @@ static int __init acpi_parse_madt(struct madt->address); } @@ -83,8 +79,6 @@ index 2f7f72b6f1235..5f325d9204455 100644 /* ACPI 6.3 and newer support the online capable bit. */ if (acpi_gbl_FADT.header.revision > 6 || (acpi_gbl_FADT.header.revision == 6 && -diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c -index f325389d03516..4c9f559e1388b 100644 --- a/arch/x86/kernel/i8259.c +++ b/arch/x86/kernel/i8259.c @@ -32,6 +32,7 @@ @@ -146,6 +140,3 @@ index f325389d03516..4c9f559e1388b 100644 +{ + pcat_compat = true; +} --- -2.42.0 -