From: Greg Kroah-Hartman Date: Mon, 29 Mar 2021 06:41:10 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.11.11~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e5f6973a3d25f2d55e0b4c1f249d934c6f0ecfa;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ext4-add-reclaim-checks-to-xattr-code.patch mac80211-fix-double-free-in-ibss_leave.patch net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch --- diff --git a/queue-5.4/ext4-add-reclaim-checks-to-xattr-code.patch b/queue-5.4/ext4-add-reclaim-checks-to-xattr-code.patch new file mode 100644 index 00000000000..5b9ff0f7800 --- /dev/null +++ b/queue-5.4/ext4-add-reclaim-checks-to-xattr-code.patch @@ -0,0 +1,60 @@ +From 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 22 Feb 2021 18:16:26 +0100 +Subject: ext4: add reclaim checks to xattr code + +From: Jan Kara + +commit 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 upstream. + +Syzbot is reporting that ext4 can enter fs reclaim from kvmalloc() while +the transaction is started like: + + fs_reclaim_acquire+0x117/0x150 mm/page_alloc.c:4340 + might_alloc include/linux/sched/mm.h:193 [inline] + slab_pre_alloc_hook mm/slab.h:493 [inline] + slab_alloc_node mm/slub.c:2817 [inline] + __kmalloc_node+0x5f/0x430 mm/slub.c:4015 + kmalloc_node include/linux/slab.h:575 [inline] + kvmalloc_node+0x61/0xf0 mm/util.c:587 + kvmalloc include/linux/mm.h:781 [inline] + ext4_xattr_inode_cache_find fs/ext4/xattr.c:1465 [inline] + ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1508 [inline] + ext4_xattr_set_entry+0x1ce6/0x3780 fs/ext4/xattr.c:1649 + ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224 + ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380 + ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493 + +This should be impossible since transaction start sets PF_MEMALLOC_NOFS. +Add some assertions to the code to catch if something isn't working as +expected early. + +Link: https://lore.kernel.org/linux-ext4/000000000000563a0205bafb7970@google.com/ +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20210222171626.21884-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1476,6 +1476,9 @@ ext4_xattr_inode_cache_find(struct inode + if (!ce) + return NULL; + ++ WARN_ON_ONCE(ext4_handle_valid(journal_current_handle()) && ++ !(current->flags & PF_MEMALLOC_NOFS)); ++ + ea_data = ext4_kvmalloc(value_len, GFP_NOFS); + if (!ea_data) { + mb_cache_entry_put(ea_inode_cache, ce); +@@ -2342,6 +2345,7 @@ ext4_xattr_set_handle(handle_t *handle, + error = -ENOSPC; + goto cleanup; + } ++ WARN_ON_ONCE(!(current->flags & PF_MEMALLOC_NOFS)); + } + + error = ext4_reserve_inode_write(handle, inode, &is.iloc); diff --git a/queue-5.4/mac80211-fix-double-free-in-ibss_leave.patch b/queue-5.4/mac80211-fix-double-free-in-ibss_leave.patch new file mode 100644 index 00000000000..57819e79817 --- /dev/null +++ b/queue-5.4/mac80211-fix-double-free-in-ibss_leave.patch @@ -0,0 +1,71 @@ +From 3bd801b14e0c5d29eeddc7336558beb3344efaa3 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Sat, 13 Feb 2021 14:36:53 +0100 +Subject: mac80211: fix double free in ibss_leave + +From: Markus Theil + +commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream. + +Clear beacon ie pointer and ie length after free +in order to prevent double free. + +================================================================== +BUG: KASAN: double-free or invalid-free \ +in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876 + +CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230 + kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355 + ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341 + kasan_slab_free include/linux/kasan.h:192 [inline] + __cache_free mm/slab.c:3424 [inline] + kfree+0xed/0x270 mm/slab.c:3760 + ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876 + rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline] + __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212 + __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172 + cfg80211_leave net/wireless/core.c:1221 [inline] + cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040 + call_netdevice_notifiers_extack net/core/dev.c:2052 [inline] + call_netdevice_notifiers net/core/dev.c:2066 [inline] + __dev_close_many+0xee/0x2e0 net/core/dev.c:1586 + __dev_close net/core/dev.c:1624 [inline] + __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476 + dev_change_flags+0x8a/0x160 net/core/dev.c:8549 + dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265 + dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511 + sock_do_ioctl+0x148/0x2d0 net/socket.c:1060 + sock_ioctl+0x477/0x6a0 net/socket.c:1177 + vfs_ioctl fs/ioctl.c:48 [inline] + __do_sys_ioctl fs/ioctl.c:753 [inline] + __se_sys_ioctl fs/ioctl.c:739 [inline] + __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -1868,6 +1868,8 @@ int ieee80211_ibss_leave(struct ieee8021 + + /* remove beacon */ + kfree(sdata->u.ibss.ie); ++ sdata->u.ibss.ie = NULL; ++ sdata->u.ibss.ie_len = 0; + + /* on the next join, re-program HT parameters */ + memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa)); diff --git a/queue-5.4/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch b/queue-5.4/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch new file mode 100644 index 00000000000..17e52221d56 --- /dev/null +++ b/queue-5.4/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch @@ -0,0 +1,77 @@ +From 50535249f624d0072cd885bcdce4e4b6fb770160 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 12 Mar 2021 08:59:48 -0800 +Subject: net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() + +From: Eric Dumazet + +commit 50535249f624d0072cd885bcdce4e4b6fb770160 upstream. + +struct sockaddr_qrtr has a 2-byte hole, and qrtr_recvmsg() currently +does not clear it before copying kernel data to user space. + +It might be too late to name the hole since sockaddr_qrtr structure is uapi. + +BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 +CPU: 0 PID: 29705 Comm: syz-executor.3 Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:120 + kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118 + kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402 + kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + _copy_to_user+0x1ac/0x270 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:209 [inline] + move_addr_to_user+0x3a2/0x640 net/socket.c:237 + ____sys_recvmsg+0x696/0xd50 net/socket.c:2575 + ___sys_recvmsg net/socket.c:2610 [inline] + do_recvmmsg+0xa97/0x22d0 net/socket.c:2710 + __sys_recvmmsg net/socket.c:2789 [inline] + __do_sys_recvmmsg net/socket.c:2812 [inline] + __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2805 + __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2805 + do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x465f69 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f43659d6188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69 +RDX: 0000000000000008 RSI: 0000000020003e40 RDI: 0000000000000003 +RBP: 00000000004bfa8f R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000010060 R11: 0000000000000246 R12: 000000000056bf60 +R13: 0000000000a9fb1f R14: 00007f43659d6300 R15: 0000000000022000 + +Local variable ----addr@____sys_recvmsg created at: + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + +Bytes 2-3 of 12 are uninitialized +Memory access of size 12 starts at ffff88817c627b40 +Data copied to user address 0000000020000140 + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Signed-off-by: Eric Dumazet +Cc: Courtney Cavin +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -862,6 +862,11 @@ static int qrtr_recvmsg(struct socket *s + rc = copied; + + if (addr) { ++ /* There is an anonymous 2-byte hole after sq_family, ++ * make sure to clear it. ++ */ ++ memset(addr, 0, sizeof(*addr)); ++ + cb = (struct qrtr_cb *)skb->cb; + addr->sq_family = AF_QIPCRTR; + addr->sq_node = cb->src_node; diff --git a/queue-5.4/series b/queue-5.4/series index b1e4c86d1a8..46c7e758082 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -105,3 +105,6 @@ locking-mutex-fix-non-debug-version-of-mutex_lock_io_nested.patch x86-mem_encrypt-correct-physical-address-calculation-in-__set_clr_pte_enc.patch can-dev-move-device-back-to-init-netns-on-owning-netns-delete.patch net-dsa-b53-vlan-filtering-is-global-to-all-users.patch +net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch +mac80211-fix-double-free-in-ibss_leave.patch +ext4-add-reclaim-checks-to-xattr-code.patch