From: Greg Kroah-Hartman Date: Mon, 7 Aug 2023 09:08:21 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.321~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=818ed13adfba8cca1311afbae060946a839c0790;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ext2-drop-fragment-support.patch fs-protect-reconfiguration-of-sb-read-write-from-racing-writes.patch net-usbnet-fix-warning-in-usbnet_start_xmit-usb_submit_urb.patch
---
diff --git a/queue-5.10/ext2-drop-fragment-support.patch b/queue-5.10/ext2-drop-fragment-support.patch
new file mode 100644
index 00000000000..dcfa402d51f
--- /dev/null
+++ b/queue-5.10/ext2-drop-fragment-support.patch
@@ -0,0 +1,106 @@
+From 404615d7f1dcd4cca200e9a7a9df3a1dcae1dd62 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Tue, 13 Jun 2023 12:25:52 +0200
+Subject: ext2: Drop fragment support
+
+From: Jan Kara
+
+commit 404615d7f1dcd4cca200e9a7a9df3a1dcae1dd62 upstream.
+
+Ext2 has fields in superblock reserved for subblock allocation support.
+However that never landed. Drop the many years dead code.
+
+Reported-by: syzbot+af5e10f73dbff48f70af@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext2/ext2.h | 12 ------------
+ fs/ext2/super.c | 23 ++++-------------------
+ 2 files changed, 4 insertions(+), 31 deletions(-)
+
+--- a/fs/ext2/ext2.h
++++ b/fs/ext2/ext2.h
+@@ -68,10 +68,7 @@ struct mb_cache;
+ * second extended-fs super-block data in memory
+ */
+ struct ext2_sb_info {
+- unsigned long s_frag_size; /* Size of a fragment in bytes */
+- unsigned long s_frags_per_block;/* Number of fragments per block */
+ unsigned long s_inodes_per_block;/* Number of inodes per block */
+- unsigned long s_frags_per_group;/* Number of fragments in a group */
+ unsigned long s_blocks_per_group;/* Number of blocks in a group */
+ unsigned long s_inodes_per_group;/* Number of inodes in a group */
+ unsigned long s_itb_per_group; /* Number of inode table blocks per group */
+@@ -186,15 +183,6 @@ static inline struct ext2_sb_info *EXT2_
+ #define EXT2_FIRST_INO(s) (EXT2_SB(s)->s_first_ino)
+
+ /*
+- * Macro-instructions used to manage fragments
+- */
+-#define EXT2_MIN_FRAG_SIZE 1024
+-#define EXT2_MAX_FRAG_SIZE 4096
+-#define EXT2_MIN_FRAG_LOG_SIZE 10
+-#define EXT2_FRAG_SIZE(s) (EXT2_SB(s)->s_frag_size)
+-#define EXT2_FRAGS_PER_BLOCK(s) (EXT2_SB(s)->s_frags_per_block)
+-
+-/*
+ * Structure of a blocks group descriptor
+ */
+ struct ext2_group_desc
+--- a/fs/ext2/super.c
++++ b/fs/ext2/super.c
+@@ -673,10 +673,9 @@ static int ext2_setup_super (struct supe
+ es->s_max_mnt_count = cpu_to_le16(EXT2_DFL_MAX_MNT_COUNT);
+
le16_add_cpu(&es->s_mnt_count, 1);
+ if (test_opt (sb, DEBUG))
+- ext2_msg(sb, KERN_INFO, "%s, %s, bs=%lu, fs=%lu, gc=%lu, "
++ ext2_msg(sb, KERN_INFO, "%s, %s, bs=%lu, gc=%lu, "
+ "bpg=%lu, ipg=%lu, mo=%04lx]",
+ EXT2FS_VERSION, EXT2FS_DATE, sb->s_blocksize,
+- sbi->s_frag_size,
+ sbi->s_groups_count,
+ EXT2_BLOCKS_PER_GROUP(sb),
+ EXT2_INODES_PER_GROUP(sb),
+@@ -1014,14 +1013,7 @@ static int ext2_fill_super(struct super_
+ }
+ }
+
+- sbi->s_frag_size = EXT2_MIN_FRAG_SIZE <<
+- le32_to_cpu(es->s_log_frag_size);
+- if (sbi->s_frag_size == 0)
+- goto cantfind_ext2;
+- sbi->s_frags_per_block = sb->s_blocksize / sbi->s_frag_size;
+-
+ sbi->s_blocks_per_group = le32_to_cpu(es->s_blocks_per_group);
+- sbi->s_frags_per_group = le32_to_cpu(es->s_frags_per_group);
+ sbi->s_inodes_per_group = le32_to_cpu(es->s_inodes_per_group);
+
+ sbi->s_inodes_per_block = sb->s_blocksize / EXT2_INODE_SIZE(sb);
+@@ -1047,11 +1039,10 @@ static int ext2_fill_super(struct super_
+ goto failed_mount;
+ }
+
+- if (sb->s_blocksize != sbi->s_frag_size) {
++ if (es->s_log_frag_size != es->s_log_block_size) {
+ ext2_msg(sb, KERN_ERR,
+- "error: fragsize %lu != blocksize %lu"
+- "(not supported yet)",
+- sbi->s_frag_size, sb->s_blocksize);
++ "error: fragsize log %u != blocksize log %u",
++ le32_to_cpu(es->s_log_frag_size), sb->s_blocksize_bits);
+ goto failed_mount;
+ }
+
+@@ -1061,12 +1052,6 @@ static int ext2_fill_super(struct super_
+ sbi->s_blocks_per_group);
+ goto failed_mount;
+ }
+- if (sbi->s_frags_per_group > sb->s_blocksize * 8) {
+- ext2_msg(sb, KERN_ERR,
+- "error: #fragments per group too big: %lu",
+- sbi->s_frags_per_group);
+- goto failed_mount;
+- }
+ if (sbi->s_inodes_per_group < sbi->s_inodes_per_block ||
+ sbi->s_inodes_per_group > sb->s_blocksize * 8) {
+ ext2_msg(sb, KERN_ERR,
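Review bot: In the rewritten check in ext2_fill_super (fs/ext2/super.c, the hunk at -1047), the error message prints two values on different scales: `le32_to_cpu(es->s_log_frag_size)` is the raw on-disk log field, which the removed code shifted against a 1024-byte base, while `sb->s_blocksize_bits` is presumably the full log2 of the block size, so the two numbers differ even when only the reported mismatch is small. Printing the field that is actually compared would make the message usable for triaging a corrupted or crafted image: `le32_to_cpu(es->s_log_frag_size), le32_to_cpu(es->s_log_block_size));`. Both operands come straight from the on-disk superblock, and the validation of `s_log_block_size` is not visible in these hunks, so it is worth confirming that it runs before this point in the 5.10 tree. ext2_fill_super starts and ends outside the hunk.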
diff --git a/queue-5.10/fs-protect-reconfiguration-of-sb-read-write-from-racing-writes.patch b/queue-5.10/fs-protect-reconfiguration-of-sb-read-write-from-racing-writes.patch
new file mode 100644
index 00000000000..e1e1741db4d
--- /dev/null
+++ b/queue-5.10/fs-protect-reconfiguration-of-sb-read-write-from-racing-writes.patch
@@ -0,0 +1,68 @@
+From c541dce86c537714b6761a79a969c1623dfa222b Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 15 Jun 2023 13:38:48 +0200
+Subject: fs: Protect reconfiguration of sb read-write from racing writes
+
+From: Jan Kara
+
+commit c541dce86c537714b6761a79a969c1623dfa222b upstream.
+
+The reconfigure / remount code takes a lot of effort to protect
+filesystem's reconfiguration code from racing writes on remounting
+read-only. However during remounting read-only filesystem to read-write
+mode userspace writes can start immediately once we clear SB_RDONLY
+flag. This is inconvenient for example for ext4 because we need to do
+some writes to the filesystem (such as preparation of quota files)
+before we can take userspace writes so we are clearing SB_RDONLY flag
+before we are fully ready to accept userpace writes and syzbot has found
+a way to exploit this [1]. Also as far as I'm reading the code
+the filesystem remount code was protected from racing writes in the
+legacy mount path by the mount's MNT_READONLY flag so this is relatively
+new problem. It is actually fairly easy to protect remount read-write
+from racing writes using sb->s_readonly_remount flag so let's just do
+that instead of having to workaround these races in the filesystem code.
+
+[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/
+
+Signed-off-by: Jan Kara
+Message-Id: <20230615113848.8439-1-jack@suse.cz>
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/super.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -906,6 +906,7 @@ int reconfigure_super(struct fs_context
+ struct super_block *sb = fc->root->d_sb;
+ int retval;
+ bool remount_ro = false;
++ bool remount_rw = false;
+ bool force = fc->sb_flags & SB_FORCE;
+
+ if (fc->sb_flags_mask & ~MS_RMT_MASK)
+@@ -922,7 +923,7 @@ int reconfigure_super(struct fs_context
+ if (!(fc->sb_flags & SB_RDONLY) && bdev_read_only(sb->s_bdev))
+ return -EACCES;
+ #endif
+-
++ remount_rw = !(fc->sb_flags & SB_RDONLY) && sb_rdonly(sb);
+ remount_ro = (fc->sb_flags & SB_RDONLY) && !sb_rdonly(sb);
+ }
+
+@@ -952,6 +953,14 @@ int reconfigure_super(struct fs_context
+ if (retval)
+ return retval;
+ }
++ } else if (remount_rw) {
++ /*
++ * We set s_readonly_remount here to protect filesystem's
++ * reconfigure code from writes from userspace until
++ * reconfigure finishes.
++ */
++ sb->s_readonly_remount = 1;
++ smp_wmb();
+ }
+
+ if (fc->ops->reconfigure) {
diff --git a/queue-5.10/net-usbnet-fix-warning-in-usbnet_start_xmit-usb_submit_urb.patch b/queue-5.10/net-usbnet-fix-warning-in-usbnet_start_xmit-usb_submit_urb.patch
new file mode 100644
index 00000000000..065b666a35d
--- /dev/null
+++ b/queue-5.10/net-usbnet-fix-warning-in-usbnet_start_xmit-usb_submit_urb.patch
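Review bot: The `smp_wmb()` added in the `remount_rw` branch of reconfigure_super (fs/super.c) carries no comment naming the read side it pairs with; the block comment above it explains why the flag is set but not what the barrier orders. A line such as `/* Order the s_readonly_remount store before fc->ops->reconfigure(); pairs with the read barrier on the write-access path */` would help, with the pairing site named explicitly (upstream that is the `smp_rmb()` before the read-only check in `__mnt_want_write()`; confirm for 5.10). Separately, `sb->s_readonly_remount = 1` depends on exit paths outside this hunk to clear the flag on both success and failure of `fc->ops->reconfigure`, so the backport should be checked against the 5.10 body of the function, since a flag left set would presumably keep writers blocked after a successful read-write remount.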
@@ -0,0 +1,77 @@
+From 5e1627cb43ddf1b24b92eb26f8d958a3f5676ccb Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Wed, 12 Jul 2023 10:15:10 -0400
+Subject: net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
+
+From: Alan Stern
+
+commit 5e1627cb43ddf1b24b92eb26f8d958a3f5676ccb upstream.
+
+The syzbot fuzzer identified a problem in the usbnet driver:
+
+usb 1-1: BOGUS urb xfer, pipe 3 != type 1
+WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+Modules linked in:
+CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+Workqueue: mld mld_ifc_work
+RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
+Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7
+RSP: 0018:ffffc9000463f568 EFLAGS: 00010086
+RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
+RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001
+RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003
+R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500
+FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0
+Call Trace:
+
+ usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453
+ __netdev_start_xmit include/linux/netdevice.h:4918 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4932 [inline]
+ xmit_one net/core/dev.c:3578 [inline]
+ dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594
+...
+
+This bug is caused by the fact that usbnet trusts the bulk endpoint
+addresses its probe routine receives in the driver_info structure, and
+it does not check to see that these endpoints actually exist and have
+the expected type and directions.
+
+The fix is simply to add such a check.
+
+Reported-and-tested-by: syzbot+63ee658b9a100ffadbe2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/000000000000a56e9105d0cec021@google.com/
+Signed-off-by: Alan Stern
+CC: Oliver Neukum
+Link: https://lore.kernel.org/r/ea152b6d-44df-4f8a-95c6-4db51143dcc1@rowland.harvard.edu
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1738,6 +1738,10 @@ usbnet_probe (struct usb_interface *udev
+ } else if (!info->in || !info->out)
+ status = usbnet_get_endpoints (dev, udev);
+ else {
++ u8 ep_addrs[3] = {
++ info->in + USB_DIR_IN, info->out + USB_DIR_OUT, 0
++ };
++
+ dev->in = usb_rcvbulkpipe (xdev, info->in);
+ dev->out = usb_sndbulkpipe (xdev, info->out);
+ if (!(info->flags & FLAG_NO_SETINT))
+@@ -1747,6 +1751,8 @@ usbnet_probe (struct usb_interface *udev
+ else
+ status = 0;
+
++ if (status == 0 && !usb_check_bulk_endpoints(udev, ep_addrs))
++ status = -EINVAL;
+ }
+ if (status >= 0 && dev->status)
+ status = init_status (dev, udev);
diff --git a/queue-5.10/series b/queue-5.10/series
index de235cbb4ca..3a62ed7d391 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -177,3 +177,6 @@ file-reinstate-f_pos-locking-optimization-for-regular-files.patch
 tracing-fix-sleeping-while-atomic-in-kdb-ftdump.patch
 fs-sysv-null-check-to-prevent-null-ptr-deref-bug.patch
 bluetooth-l2cap-fix-use-after-free-in-l2cap_sock_ready_cb.patch
+net-usbnet-fix-warning-in-usbnet_start_xmit-usb_submit_urb.patch
+fs-protect-reconfiguration-of-sb-read-write-from-racing-writes.patch
+ext2-drop-fragment-support.patch
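Review bot: The new `usb_check_bulk_endpoints()` call in usbnet_probe (drivers/net/usb/usbnet.c) depends on a USB core helper that this patch does not add, so the 5.10 queue must already carry the change that introduces it or the build breaks; nothing in the visible series hunk shows that prerequisite. In the `ep_addrs` initialiser the addresses are built with arithmetic; `info->in | USB_DIR_IN, info->out | USB_DIR_OUT, 0` states the intent and cannot carry into other bits if a minidriver ever supplies a value with the direction bit already set. A short comment such as `/* zero-terminated list of endpoint addresses to verify */` above the array would also explain the trailing `0`. The check guards only the branch where driver_info supplies fixed endpoint numbers; the earlier branches of the if/else chain begin outside the hunk, so whether they validate descriptors from an untrusted device cannot be judged from here.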