From: Greg Kroah-Hartman Date: Thu, 15 Jul 2021 18:18:03 +0000 (+0200) Subject: 5.13-stable patches X-Git-Tag: v5.4.133~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6d399b408dbffeaabff9bd817ad94142f45c619d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.13-stable patches added patches: dm-writecache-write-at-least-4k-when-committing.patch drm-ast-remove-reference-to-struct-drm_device.pdev.patch ext4-fix-possible-uaf-when-remounting-r-o-a-mmp-protected-file-system.patch f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch jfs-fix-gpf-in-difree.patch media-v4l2-core-explicitly-clear-ioctl-input-data.patch pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch smackfs-restrict-bytes-count-in-smk_set_cipso.patch --- diff --git a/queue-5.13/dm-writecache-write-at-least-4k-when-committing.patch b/queue-5.13/dm-writecache-write-at-least-4k-when-committing.patch new file mode 100644 index 00000000000..0822dbea8af --- /dev/null +++ b/queue-5.13/dm-writecache-write-at-least-4k-when-committing.patch @@ -0,0 +1,36 @@ +From 867de40c4c23e6d7f89f9ce4272a5d1b1484c122 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 21 Jun 2021 14:48:29 -0400 +Subject: dm writecache: write at least 4k when committing + +From: Mikulas Patocka + +commit 867de40c4c23e6d7f89f9ce4272a5d1b1484c122 upstream. + +SSDs perform badly with sub-4k writes (because they perfrorm +read-modify-write internally), so make sure writecache writes at least +4k when committing. + +Fixes: 991bd8d7bc78 ("dm writecache: commit just one block, not a full page") +Signed-off-by: Mikulas Patocka +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-writecache.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-writecache.c ++++ b/drivers/md/dm-writecache.c +@@ -532,7 +532,11 @@ static void ssd_commit_superblock(struct + + region.bdev = wc->ssd_dev->bdev; + region.sector = 0; +- region.count = wc->block_size >> SECTOR_SHIFT; ++ region.count = max(4096U, wc->block_size) >> SECTOR_SHIFT; ++ ++ if (unlikely(region.sector + region.count > wc->metadata_sectors)) ++ region.count = wc->metadata_sectors - region.sector; ++ + region.sector += wc->start_sector; + + req.bi_op = REQ_OP_WRITE; diff --git a/queue-5.13/drm-ast-remove-reference-to-struct-drm_device.pdev.patch b/queue-5.13/drm-ast-remove-reference-to-struct-drm_device.pdev.patch new file mode 100644 index 00000000000..a19bd40d156 --- /dev/null +++ b/queue-5.13/drm-ast-remove-reference-to-struct-drm_device.pdev.patch @@ -0,0 +1,50 @@ +From 0ecb51824e838372e01330752503ddf9c0430ef7 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Thu, 29 Apr 2021 12:50:57 +0200 +Subject: drm/ast: Remove reference to struct drm_device.pdev + +From: Thomas Zimmermann + +commit 0ecb51824e838372e01330752503ddf9c0430ef7 upstream. + +Using struct drm_device.pdev is deprecated. Upcast with to_pci_dev() +from struct drm_device.dev to get the PCI device structure. + +v9: + * fix remaining pdev references + +Signed-off-by: Thomas Zimmermann +Reviewed-by: Michael J. Ruhl +Fixes: ba4e0339a6a3 ("drm/ast: Fixed CVE for DP501") +Cc: KuoHsiang Chou +Cc: kernel test robot +Cc: Thomas Zimmermann +Cc: Dave Airlie +Cc: dri-devel@lists.freedesktop.org +Link: https://patchwork.freedesktop.org/patch/msgid/20210429105101.25667-2-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -411,7 +411,6 @@ struct ast_private *ast_device_create(co + return ast; + dev = &ast->base; + +- dev->pdev = pdev; + pci_set_drvdata(pdev, dev); + + ast->regs = pcim_iomap(pdev, 1, 0); +@@ -453,8 +452,8 @@ struct ast_private *ast_device_create(co + + /* map reserved buffer */ + ast->dp501_fw_buf = NULL; +- if (dev->vram_mm->vram_size < pci_resource_len(dev->pdev, 0)) { +- ast->dp501_fw_buf = pci_iomap_range(dev->pdev, 0, dev->vram_mm->vram_size, 0); ++ if (dev->vram_mm->vram_size < pci_resource_len(pdev, 0)) { ++ ast->dp501_fw_buf = pci_iomap_range(pdev, 0, dev->vram_mm->vram_size, 0); + if (!ast->dp501_fw_buf) + drm_info(dev, "failed to map reserved buffer!\n"); + } diff --git a/queue-5.13/ext4-fix-possible-uaf-when-remounting-r-o-a-mmp-protected-file-system.patch b/queue-5.13/ext4-fix-possible-uaf-when-remounting-r-o-a-mmp-protected-file-system.patch new file mode 100644 index 00000000000..16cb842279d --- /dev/null +++ b/queue-5.13/ext4-fix-possible-uaf-when-remounting-r-o-a-mmp-protected-file-system.patch @@ -0,0 +1,130 @@ +From 61bb4a1c417e5b95d9edb4f887f131de32e419cb Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 2 Jul 2021 12:45:02 -0400 +Subject: ext4: fix possible UAF when remounting r/o a mmp-protected file system + +From: Theodore Ts'o + +commit 61bb4a1c417e5b95d9edb4f887f131de32e419cb upstream. + +After commit 618f003199c6 ("ext4: fix memory leak in +ext4_fill_super"), after the file system is remounted read-only, there +is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to +point at freed memory, which the call to ext4_stop_mmpd() can trip +over. + +Fix this by only allowing kmmpd() to exit when it is stopped via +ext4_stop_mmpd(). + +Link: https://lore.kernel.org/r/20210707002433.3719773-1-tytso@mit.edu +Reported-by: Ye Bin +Bug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com> +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mmp.c | 31 +++++++++++++++---------------- + fs/ext4/super.c | 6 +++++- + 2 files changed, 20 insertions(+), 17 deletions(-) + +--- a/fs/ext4/mmp.c ++++ b/fs/ext4/mmp.c +@@ -156,7 +156,12 @@ static int kmmpd(void *data) + memcpy(mmp->mmp_nodename, init_utsname()->nodename, + sizeof(mmp->mmp_nodename)); + +- while (!kthread_should_stop()) { ++ while (!kthread_should_stop() && !sb_rdonly(sb)) { ++ if (!ext4_has_feature_mmp(sb)) { ++ ext4_warning(sb, "kmmpd being stopped since MMP feature" ++ " has been disabled."); ++ goto wait_to_exit; ++ } + if (++seq > EXT4_MMP_SEQ_MAX) + seq = 1; + +@@ -177,16 +182,6 @@ static int kmmpd(void *data) + failed_writes++; + } + +- if (!(le32_to_cpu(es->s_feature_incompat) & +- EXT4_FEATURE_INCOMPAT_MMP)) { +- ext4_warning(sb, "kmmpd being stopped since MMP feature" +- " has been disabled."); +- goto exit_thread; +- } +- +- if (sb_rdonly(sb)) +- break; +- + diff = jiffies - last_update_time; + if (diff < mmp_update_interval * HZ) + schedule_timeout_interruptible(mmp_update_interval * +@@ -207,7 +202,7 @@ static int kmmpd(void *data) + ext4_error_err(sb, -retval, + "error reading MMP data: %d", + retval); +- goto exit_thread; ++ goto wait_to_exit; + } + + mmp_check = (struct mmp_struct *)(bh_check->b_data); +@@ -221,7 +216,7 @@ static int kmmpd(void *data) + ext4_error_err(sb, EBUSY, "abort"); + put_bh(bh_check); + retval = -EBUSY; +- goto exit_thread; ++ goto wait_to_exit; + } + put_bh(bh_check); + } +@@ -244,7 +239,13 @@ static int kmmpd(void *data) + + retval = write_mmp_block(sb, bh); + +-exit_thread: ++wait_to_exit: ++ while (!kthread_should_stop()) { ++ set_current_state(TASK_INTERRUPTIBLE); ++ if (!kthread_should_stop()) ++ schedule(); ++ } ++ set_current_state(TASK_RUNNING); + return retval; + } + +@@ -391,5 +392,3 @@ failed: + brelse(bh); + return 1; + } +- +- +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -5996,7 +5996,6 @@ static int ext4_remount(struct super_blo + */ + ext4_mark_recovery_complete(sb, es); + } +- ext4_stop_mmpd(sbi); + } else { + /* Make sure we can mount this feature set readwrite */ + if (ext4_has_feature_readonly(sb) || +@@ -6110,6 +6109,9 @@ static int ext4_remount(struct super_blo + if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks) + ext4_release_system_zone(sb); + ++ if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb)) ++ ext4_stop_mmpd(sbi); ++ + /* + * Some options can be enabled by ext4 and/or by VFS mount flag + * either way we need to make sure it matches in both *flags and +@@ -6143,6 +6145,8 @@ restore_opts: + for (i = 0; i < EXT4_MAXQUOTAS; i++) + kfree(to_free[i]); + #endif ++ if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb)) ++ ext4_stop_mmpd(sbi); + kfree(orig_data); + return err; + } diff --git a/queue-5.13/f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch b/queue-5.13/f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch new file mode 100644 index 00000000000..dfc5be75506 --- /dev/null +++ b/queue-5.13/f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch @@ -0,0 +1,128 @@ +From cad83c968c2ebe97905f900326988ed37146c347 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 7 May 2021 18:10:38 +0800 +Subject: f2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances + +From: Chao Yu + +commit cad83c968c2ebe97905f900326988ed37146c347 upstream. + +As syzbot reported, there is an use-after-free issue during f2fs recovery: + +Use-after-free write at 0xffff88823bc16040 (in kfence-#10): + kmem_cache_destroy+0x1f/0x120 mm/slab_common.c:486 + f2fs_recover_fsync_data+0x75b0/0x8380 fs/f2fs/recovery.c:869 + f2fs_fill_super+0x9393/0xa420 fs/f2fs/super.c:3945 + mount_bdev+0x26c/0x3a0 fs/super.c:1367 + legacy_get_tree+0xea/0x180 fs/fs_context.c:592 + vfs_get_tree+0x86/0x270 fs/super.c:1497 + do_new_mount fs/namespace.c:2905 [inline] + path_mount+0x196f/0x2be0 fs/namespace.c:3235 + do_mount fs/namespace.c:3248 [inline] + __do_sys_mount fs/namespace.c:3456 [inline] + __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433 + do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The root cause is multi f2fs filesystem instances can race on accessing +global fsync_entry_slab pointer, result in use-after-free issue of slab +cache, fixes to init/destroy this slab cache only once during module +init/destroy procedure to avoid this issue. + +Reported-by: syzbot+9d90dad32dd9727ed084@syzkaller.appspotmail.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 2 ++ + fs/f2fs/recovery.c | 23 ++++++++++++++--------- + fs/f2fs/super.c | 8 +++++++- + 3 files changed, 23 insertions(+), 10 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3566,6 +3566,8 @@ void f2fs_destroy_garbage_collection_cac + */ + int f2fs_recover_fsync_data(struct f2fs_sb_info *sbi, bool check_only); + bool f2fs_space_for_roll_forward(struct f2fs_sb_info *sbi); ++int __init f2fs_create_recovery_cache(void); ++void f2fs_destroy_recovery_cache(void); + + /* + * debug.c +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -788,13 +788,6 @@ int f2fs_recover_fsync_data(struct f2fs_ + quota_enabled = f2fs_enable_quota_files(sbi, s_flags & SB_RDONLY); + #endif + +- fsync_entry_slab = f2fs_kmem_cache_create("f2fs_fsync_inode_entry", +- sizeof(struct fsync_inode_entry)); +- if (!fsync_entry_slab) { +- err = -ENOMEM; +- goto out; +- } +- + INIT_LIST_HEAD(&inode_list); + INIT_LIST_HEAD(&tmp_inode_list); + INIT_LIST_HEAD(&dir_list); +@@ -867,8 +860,6 @@ skip: + } + } + +- kmem_cache_destroy(fsync_entry_slab); +-out: + #ifdef CONFIG_QUOTA + /* Turn quotas off */ + if (quota_enabled) +@@ -878,3 +869,17 @@ out: + + return ret ? ret : err; + } ++ ++int __init f2fs_create_recovery_cache(void) ++{ ++ fsync_entry_slab = f2fs_kmem_cache_create("f2fs_fsync_inode_entry", ++ sizeof(struct fsync_inode_entry)); ++ if (!fsync_entry_slab) ++ return -ENOMEM; ++ return 0; ++} ++ ++void f2fs_destroy_recovery_cache(void) ++{ ++ kmem_cache_destroy(fsync_entry_slab); ++} +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4227,9 +4227,12 @@ static int __init init_f2fs_fs(void) + err = f2fs_create_checkpoint_caches(); + if (err) + goto free_segment_manager_caches; +- err = f2fs_create_extent_cache(); ++ err = f2fs_create_recovery_cache(); + if (err) + goto free_checkpoint_caches; ++ err = f2fs_create_extent_cache(); ++ if (err) ++ goto free_recovery_cache; + err = f2fs_create_garbage_collection_cache(); + if (err) + goto free_extent_cache; +@@ -4278,6 +4281,8 @@ free_garbage_collection_cache: + f2fs_destroy_garbage_collection_cache(); + free_extent_cache: + f2fs_destroy_extent_cache(); ++free_recovery_cache: ++ f2fs_destroy_recovery_cache(); + free_checkpoint_caches: + f2fs_destroy_checkpoint_caches(); + free_segment_manager_caches: +@@ -4303,6 +4308,7 @@ static void __exit exit_f2fs_fs(void) + f2fs_exit_sysfs(); + f2fs_destroy_garbage_collection_cache(); + f2fs_destroy_extent_cache(); ++ f2fs_destroy_recovery_cache(); + f2fs_destroy_checkpoint_caches(); + f2fs_destroy_segment_manager_caches(); + f2fs_destroy_node_manager_caches(); diff --git a/queue-5.13/jfs-fix-gpf-in-difree.patch b/queue-5.13/jfs-fix-gpf-in-difree.patch new file mode 100644 index 00000000000..d6fb17e5939 --- /dev/null +++ b/queue-5.13/jfs-fix-gpf-in-difree.patch @@ -0,0 +1,46 @@ +From 9d574f985fe33efd6911f4d752de6f485a1ea732 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Sun, 6 Jun 2021 17:24:05 +0300 +Subject: jfs: fix GPF in diFree + +From: Pavel Skripkin + +commit 9d574f985fe33efd6911f4d752de6f485a1ea732 upstream. + +Avoid passing inode with +JFS_SBI(inode->i_sb)->ipimap == NULL to +diFree()[1]. GFP will appear: + + struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap; + struct inomap *imap = JFS_IP(ipimap)->i_imap; + +JFS_IP() will return invalid pointer when ipimap == NULL + +Call Trace: + diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1] + jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154 + evict+0x2ed/0x750 fs/inode.c:578 + iput_final fs/inode.c:1654 [inline] + iput.part.0+0x3fe/0x820 fs/inode.c:1680 + iput+0x58/0x70 fs/inode.c:1670 + +Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/jfs/inode.c ++++ b/fs/jfs/inode.c +@@ -151,7 +151,8 @@ void jfs_evict_inode(struct inode *inode + if (test_cflag(COMMIT_Freewmap, inode)) + jfs_free_zero_link(inode); + +- diFree(inode); ++ if (JFS_SBI(inode->i_sb)->ipimap) ++ diFree(inode); + + /* + * Free the inode from the quota allocation. diff --git a/queue-5.13/media-v4l2-core-explicitly-clear-ioctl-input-data.patch b/queue-5.13/media-v4l2-core-explicitly-clear-ioctl-input-data.patch new file mode 100644 index 00000000000..431487347fa --- /dev/null +++ b/queue-5.13/media-v4l2-core-explicitly-clear-ioctl-input-data.patch @@ -0,0 +1,44 @@ +From 7b53cca764f9b291b7907fcd39d9e66ad728ee0b Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 14 Jun 2021 12:34:03 +0200 +Subject: media: v4l2-core: explicitly clear ioctl input data + +From: Arnd Bergmann + +commit 7b53cca764f9b291b7907fcd39d9e66ad728ee0b upstream. + +As seen from a recent syzbot bug report, mistakes in the compat ioctl +implementation can lead to uninitialized kernel stack data getting used +as input for driver ioctl handlers. + +The reported bug is now fixed, but it's possible that other related +bugs are still present or get added in the future. As the drivers need +to check user input already, the possible impact is fairly low, but it +might still cause an information leak. + +To be on the safe side, always clear the entire ioctl buffer before +calling the conversion handler functions that are meant to initialize +them. + +Signed-off-by: Arnd Bergmann +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -3124,8 +3124,10 @@ static int video_get_user(void __user *a + if (copy_from_user(parg, (void __user *)arg, n)) + err = -EFAULT; + } else if (in_compat_syscall()) { ++ memset(parg, 0, n); + err = v4l2_compat_get_user(arg, parg, cmd); + } else { ++ memset(parg, 0, n); + #if !defined(CONFIG_64BIT) && defined(CONFIG_COMPAT_32BIT_TIME) + switch (cmd) { + case VIDIOC_QUERYBUF_TIME32: diff --git a/queue-5.13/pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch b/queue-5.13/pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch new file mode 100644 index 00000000000..23048ffca4b --- /dev/null +++ b/queue-5.13/pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch @@ -0,0 +1,36 @@ +From 884af72c90016cfccd5717439c86b48702cbf184 Mon Sep 17 00:00:00 2001 +From: Zou Wei +Date: Tue, 8 Jun 2021 14:34:08 +0800 +Subject: pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() + +From: Zou Wei + +commit 884af72c90016cfccd5717439c86b48702cbf184 upstream. + +Add the missing unlock before return from function mcp23s08_irq() +in the error handling case. + +v1-->v2: + remove the "return IRQ_HANDLED" line + +Fixes: 897120d41e7a ("pinctrl: mcp23s08: fix race condition in irq handler") +Reported-by: Hulk Robot +Signed-off-by: Zou Wei +Link: https://lore.kernel.org/r/1623134048-56051-1-git-send-email-zou_wei@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -353,7 +353,7 @@ static irqreturn_t mcp23s08_irq(int irq, + + if (intf == 0) { + /* There is no interrupt pending */ +- return IRQ_HANDLED; ++ goto unlock; + } + + if (mcp_read(mcp, MCP_INTCAP, &intcap)) diff --git a/queue-5.13/series b/queue-5.13/series index 6c62cd51cfb..e55cd4f03f5 100644 --- a/queue-5.13/series +++ b/queue-5.13/series @@ -256,3 +256,11 @@ s390-vdso64-add-sigreturn-rt_sigreturn-and-restart_syscall.patch s390-vdso-rename-vdso64_lbase-to-vdso_lbase.patch s390-vdso-add-minimal-compat-vdso.patch s390-signal-switch-to-using-vdso-for-sigreturn-and-syscall-restart.patch +dm-writecache-write-at-least-4k-when-committing.patch +pinctrl-mcp23s08-fix-missing-unlock-on-error-in-mcp23s08_irq.patch +drm-ast-remove-reference-to-struct-drm_device.pdev.patch +ext4-fix-possible-uaf-when-remounting-r-o-a-mmp-protected-file-system.patch +jfs-fix-gpf-in-difree.patch +media-v4l2-core-explicitly-clear-ioctl-input-data.patch +smackfs-restrict-bytes-count-in-smk_set_cipso.patch +f2fs-fix-to-avoid-racing-on-fsync_entry_slab-by-multi-filesystem-instances.patch diff --git a/queue-5.13/smackfs-restrict-bytes-count-in-smk_set_cipso.patch b/queue-5.13/smackfs-restrict-bytes-count-in-smk_set_cipso.patch new file mode 100644 index 00000000000..272af87de84 --- /dev/null +++ b/queue-5.13/smackfs-restrict-bytes-count-in-smk_set_cipso.patch @@ -0,0 +1,39 @@ +From 49ec114a6e62d8d320037ce71c1aaf9650b3cafd Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 12 Apr 2021 22:45:50 +0900 +Subject: smackfs: restrict bytes count in smk_set_cipso() + +From: Tetsuo Handa + +commit 49ec114a6e62d8d320037ce71c1aaf9650b3cafd upstream. + +Oops, I failed to update subject line. + +From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 12 Apr 2021 22:25:06 +0900 +Subject: smackfs: restrict bytes count in smk_set_cipso() + +Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write +functions") missed that count > SMK_CIPSOMAX check applies to only +format == SMK_FIXED24_FMT case. + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Casey Schaufler +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smackfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file + if (format == SMK_FIXED24_FMT && + (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) + return -EINVAL; ++ if (count > PAGE_SIZE) ++ return -EINVAL; + + data = memdup_user_nul(buf, count); + if (IS_ERR(data))