From: Greg Kroah-Hartman Date: Fri, 7 May 2021 15:33:02 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v5.4.118~91 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87d10c6c5f843604a9d537ea69e04dd55cacb3b8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch btrfs-fix-race-between-transaction-aborts-and-fsyncs-leading-to-use-after-free.patch btrfs-handle-remount-to-no-compress-during-compression.patch btrfs-zoned-fail-mount-if-the-device-does-not-support-zone-append.patch btrfs-zoned-fix-unpaired-block-group-unfreeze-during-device-replace.patch cifs-detect-dead-connections-only-when-echoes-are-enabled.patch cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch cifs-fix-out-of-bound-memory-access-when-calling-smb3_notify-at-mount-point.patch cifs-fix-regression-when-mounting-shares-with-prefix-paths.patch cifs-return-correct-error-code-from-smb2_get_enc_key.patch intel_th-pci-add-rocket-lake-cpu-support.patch irqchip-gic-v3-do-not-enable-irqs-when-handling-spurious-interrups.patch smb2-fix-use-after-free-in-smb2_ioctl_query_info.patch x86-build-disable-highmem64g-selection-for-m486sx.patch --- diff --git a/queue-5.12/btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch b/queue-5.12/btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch new file mode 100644 index 00000000000..13e558aef73 --- /dev/null +++ b/queue-5.12/btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch @@ -0,0 +1,95 @@ +From 67addf29004c5be9fa0383c82a364bb59afc7f84 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Tue, 20 Apr 2021 10:55:12 +0100 +Subject: btrfs: fix metadata extent leak after failure to create subvolume + +From: Filipe Manana + +commit 67addf29004c5be9fa0383c82a364bb59afc7f84 upstream. + +When creating a subvolume we allocate an extent buffer for its root node +after starting a transaction. We setup a root item for the subvolume that +points to that extent buffer and then attempt to insert the root item into +the root tree - however if that fails, due to ENOMEM for example, we do +not free the extent buffer previously allocated and we do not abort the +transaction (as at that point we did nothing that can not be undone). + +This means that we effectively do not return the metadata extent back to +the free space cache/tree and we leave a delayed reference for it which +causes a metadata extent item to be added to the extent tree, in the next +transaction commit, without having backreferences. When this happens +'btrfs check' reports the following: + + $ btrfs check /dev/sdi + Opening filesystem to check... + Checking filesystem on /dev/sdi + UUID: dce2cb9d-025f-4b05-a4bf-cee0ad3785eb + [1/7] checking root items + [2/7] checking extents + ref mismatch on [30425088 16384] extent item 1, found 0 + backref 30425088 root 256 not referenced back 0x564a91c23d70 + incorrect global backref count on 30425088 found 1 wanted 0 + backpointer mismatch on [30425088 16384] + owner ref check failed [30425088 16384] + ERROR: errors found in extent allocation tree or chunk allocation + [3/7] checking free space cache + [4/7] checking fs roots + [5/7] checking only csums items (without verifying data) + [6/7] checking root refs + [7/7] checking quota groups skipped (not enabled on this FS) + found 212992 bytes used, error(s) found + total csum bytes: 0 + total tree bytes: 131072 + total fs tree bytes: 32768 + total extent tree bytes: 16384 + btree space waste bytes: 124669 + file data blocks allocated: 65536 + referenced 65536 + +So fix this by freeing the metadata extent if btrfs_insert_root() returns +an error. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ioctl.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -697,8 +697,6 @@ static noinline int create_subvol(struct + btrfs_set_root_otransid(root_item, trans->transid); + + btrfs_tree_unlock(leaf); +- free_extent_buffer(leaf); +- leaf = NULL; + + btrfs_set_root_dirid(root_item, BTRFS_FIRST_FREE_OBJECTID); + +@@ -707,8 +705,22 @@ static noinline int create_subvol(struct + key.type = BTRFS_ROOT_ITEM_KEY; + ret = btrfs_insert_root(trans, fs_info->tree_root, &key, + root_item); +- if (ret) ++ if (ret) { ++ /* ++ * Since we don't abort the transaction in this case, free the ++ * tree block so that we don't leak space and leave the ++ * filesystem in an inconsistent state (an extent item in the ++ * extent tree without backreferences). Also no need to have ++ * the tree block locked since it is not in any tree at this ++ * point, so no other task can find it and use it. ++ */ ++ btrfs_free_tree_block(trans, root, leaf, 0, 1); ++ free_extent_buffer(leaf); + goto fail; ++ } ++ ++ free_extent_buffer(leaf); ++ leaf = NULL; + + key.offset = (u64)-1; + new_root = btrfs_get_new_fs_root(fs_info, objectid, anon_dev); diff --git a/queue-5.12/btrfs-fix-race-between-transaction-aborts-and-fsyncs-leading-to-use-after-free.patch b/queue-5.12/btrfs-fix-race-between-transaction-aborts-and-fsyncs-leading-to-use-after-free.patch new file mode 100644 index 00000000000..8002cebbc95 --- /dev/null +++ b/queue-5.12/btrfs-fix-race-between-transaction-aborts-and-fsyncs-leading-to-use-after-free.patch @@ -0,0 +1,151 @@ +From 061dde8245356d8864d29e25207aa4daa0be4d3c Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 5 Apr 2021 12:32:16 +0100 +Subject: btrfs: fix race between transaction aborts and fsyncs leading to use-after-free + +From: Filipe Manana + +commit 061dde8245356d8864d29e25207aa4daa0be4d3c upstream. + +There is a race between a task aborting a transaction during a commit, +a task doing an fsync and the transaction kthread, which leads to an +use-after-free of the log root tree. When this happens, it results in a +stack trace like the following: + + BTRFS info (device dm-0): forced readonly + BTRFS warning (device dm-0): Skipping commit of aborted transaction. + BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure + BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5) + BTRFS warning (device dm-0): Skipping commit of aborted transaction. + BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10 + BTRFS error (device dm-0): error writing primary super block to device 1 + BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10 + BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10 + BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10 + BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers) + BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure + general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI + CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + RIP: 0010:__mutex_lock+0x139/0xa40 + Code: c0 74 19 (...) + RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202 + RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002 + RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000 + R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040 + R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358 + FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + ? __btrfs_handle_fs_error+0xde/0x146 [btrfs] + ? btrfs_sync_log+0x7c1/0xf20 [btrfs] + ? btrfs_sync_log+0x7c1/0xf20 [btrfs] + btrfs_sync_log+0x7c1/0xf20 [btrfs] + btrfs_sync_file+0x40c/0x580 [btrfs] + do_fsync+0x38/0x70 + __x64_sys_fsync+0x10/0x20 + do_syscall_64+0x33/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7fa9142a55c3 + Code: 8b 15 09 (...) + RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a + RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3 + RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005 + RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340 + R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0 + Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...) + ---[ end trace ee2f1b19327d791d ]--- + +The steps that lead to this crash are the following: + +1) We are at transaction N; + +2) We have two tasks with a transaction handle attached to transaction N. + Task A and Task B. Task B is doing an fsync; + +3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree + into a local variable named 'log_root_tree' at the top of + btrfs_sync_log(). Task B is about to call write_all_supers(), but + before that... + +4) Task A calls btrfs_commit_transaction(), and after it sets the + transaction state to TRANS_STATE_COMMIT_START, an error happens before + it waits for the transaction's 'num_writers' counter to reach a value + of 1 (no one else attached to the transaction), so it jumps to the + label "cleanup_transaction"; + +5) Task A then calls cleanup_transaction(), where it aborts the + transaction, setting BTRFS_FS_STATE_TRANS_ABORTED on fs_info->fs_state, + setting the ->aborted field of the transaction and the handle to an + errno value and also setting BTRFS_FS_STATE_ERROR on fs_info->fs_state. + + After that, at cleanup_transaction(), it deletes the transaction from + the list of transactions (fs_info->trans_list), sets the transaction + to the state TRANS_STATE_COMMIT_DOING and then waits for the number + of writers to go down to 1, as it's currently 2 (1 for task A and 1 + for task B); + +6) The transaction kthread is running and sees that BTRFS_FS_STATE_ERROR + is set in fs_info->fs_state, so it calls btrfs_cleanup_transaction(). + + There it sees the list fs_info->trans_list is empty, and then proceeds + into calling btrfs_drop_all_logs(), which frees the log root tree with + a call to btrfs_free_log_root_tree(); + +7) Task B calls write_all_supers() and, shortly after, under the label + 'out_wake_log_root', it deferences the pointer stored in + 'log_root_tree', which was already freed in the previous step by the + transaction kthread. This results in a use-after-free leading to a + crash. + +Fix this by deleting the transaction from the list of transactions at +cleanup_transaction() only after setting the transaction state to +TRANS_STATE_COMMIT_DOING and waiting for all existing tasks that are +attached to the transaction to release their transaction handles. +This makes the transaction kthread wait for all the tasks attached to +the transaction to be done with the transaction before dropping the +log roots and doing other cleanups. + +Fixes: ef67963dac255b ("btrfs: drop logs when we've aborted a transaction") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1961,7 +1961,6 @@ static void cleanup_transaction(struct b + */ + BUG_ON(list_empty(&cur_trans->list)); + +- list_del_init(&cur_trans->list); + if (cur_trans == fs_info->running_transaction) { + cur_trans->state = TRANS_STATE_COMMIT_DOING; + spin_unlock(&fs_info->trans_lock); +@@ -1970,6 +1969,17 @@ static void cleanup_transaction(struct b + + spin_lock(&fs_info->trans_lock); + } ++ ++ /* ++ * Now that we know no one else is still using the transaction we can ++ * remove the transaction from the list of transactions. This avoids ++ * the transaction kthread from cleaning up the transaction while some ++ * other task is still using it, which could result in a use-after-free ++ * on things like log trees, as it forces the transaction kthread to ++ * wait for this transaction to be cleaned up by us. ++ */ ++ list_del_init(&cur_trans->list); ++ + spin_unlock(&fs_info->trans_lock); + + btrfs_cleanup_one_transaction(trans->transaction, fs_info); diff --git a/queue-5.12/btrfs-handle-remount-to-no-compress-during-compression.patch b/queue-5.12/btrfs-handle-remount-to-no-compress-during-compression.patch new file mode 100644 index 00000000000..8b6fa8a3198 --- /dev/null +++ b/queue-5.12/btrfs-handle-remount-to-no-compress-during-compression.patch @@ -0,0 +1,115 @@ +From 1d8ba9e7e785b6625f4d8e978e8a284b144a7077 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 4 Aug 2020 15:25:47 +0800 +Subject: btrfs: handle remount to no compress during compression + +From: Qu Wenruo + +commit 1d8ba9e7e785b6625f4d8e978e8a284b144a7077 upstream. + +[BUG] +When running btrfs/071 with inode_need_compress() removed from +compress_file_range(), we got the following crash: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + Workqueue: btrfs-delalloc btrfs_work_helper [btrfs] + RIP: 0010:compress_file_range+0x476/0x7b0 [btrfs] + Call Trace: + ? submit_compressed_extents+0x450/0x450 [btrfs] + async_cow_start+0x16/0x40 [btrfs] + btrfs_work_helper+0xf2/0x3e0 [btrfs] + process_one_work+0x278/0x5e0 + worker_thread+0x55/0x400 + ? process_one_work+0x5e0/0x5e0 + kthread+0x168/0x190 + ? kthread_create_worker_on_cpu+0x70/0x70 + ret_from_fork+0x22/0x30 + ---[ end trace 65faf4eae941fa7d ]--- + +This is already after the patch "btrfs: inode: fix NULL pointer +dereference if inode doesn't need compression." + +[CAUSE] +@pages is firstly created by kcalloc() in compress_file_extent(): + pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS); + +Then passed to btrfs_compress_pages() to be utilized there: + + ret = btrfs_compress_pages(... + pages, + &nr_pages, + ...); + +btrfs_compress_pages() will initialize each page as output, in +zlib_compress_pages() we have: + + pages[nr_pages] = out_page; + nr_pages++; + +Normally this is completely fine, but there is a special case which +is in btrfs_compress_pages() itself: + + switch (type) { + default: + return -E2BIG; + } + +In this case, we didn't modify @pages nor @out_pages, leaving them +untouched, then when we cleanup pages, the we can hit NULL pointer +dereference again: + + if (pages) { + for (i = 0; i < nr_pages; i++) { + WARN_ON(pages[i]->mapping); + put_page(pages[i]); + } + ... + } + +Since pages[i] are all initialized to zero, and btrfs_compress_pages() +doesn't change them at all, accessing pages[i]->mapping would lead to +NULL pointer dereference. + +This is not possible for current kernel, as we check +inode_need_compress() before doing pages allocation. +But if we're going to remove that inode_need_compress() in +compress_file_extent(), then it's going to be a problem. + +[FIX] +When btrfs_compress_pages() hits its default case, modify @out_pages to +0 to prevent such problem from happening. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212331 +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/compression.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/compression.c ++++ b/fs/btrfs/compression.c +@@ -80,10 +80,15 @@ static int compression_compress_pages(in + case BTRFS_COMPRESS_NONE: + default: + /* +- * This can't happen, the type is validated several times +- * before we get here. As a sane fallback, return what the +- * callers will understand as 'no compression happened'. ++ * This can happen when compression races with remount setting ++ * it to 'no compress', while caller doesn't call ++ * inode_need_compress() to check if we really need to ++ * compress. ++ * ++ * Not a big deal, just need to inform caller that we ++ * haven't allocated any pages yet. + */ ++ *out_pages = 0; + return -E2BIG; + } + } diff --git a/queue-5.12/btrfs-zoned-fail-mount-if-the-device-does-not-support-zone-append.patch b/queue-5.12/btrfs-zoned-fail-mount-if-the-device-does-not-support-zone-append.patch new file mode 100644 index 00000000000..4f41f1b327c --- /dev/null +++ b/queue-5.12/btrfs-zoned-fail-mount-if-the-device-does-not-support-zone-append.patch @@ -0,0 +1,42 @@ +From 1d68128c107a0b8c0c9125cb05d4771ddc438369 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Fri, 16 Apr 2021 12:05:27 +0900 +Subject: btrfs: zoned: fail mount if the device does not support zone append + +From: Johannes Thumshirn + +commit 1d68128c107a0b8c0c9125cb05d4771ddc438369 upstream. + +For zoned btrfs, zone append is mandatory to write to a sequential write +only zone, otherwise parallel writes to the same zone could result in +unaligned write errors. + +If a zoned block device does not support zone append (e.g. a dm-crypt +zoned device using a non-NULL IV cypher), fail to mount. + +CC: stable@vger.kernel.org # 5.12 +Signed-off-by: Johannes Thumshirn +Signed-off-by: Damien Le Moal +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/zoned.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -342,6 +342,13 @@ int btrfs_get_dev_zone_info(struct btrfs + if (!IS_ALIGNED(nr_sectors, zone_sectors)) + zone_info->nr_zones++; + ++ if (bdev_is_zoned(bdev) && zone_info->max_zone_append_size == 0) { ++ btrfs_err(fs_info, "zoned: device %pg does not support zone append", ++ bdev); ++ ret = -EINVAL; ++ goto out; ++ } ++ + zone_info->seq_zones = bitmap_zalloc(zone_info->nr_zones, GFP_KERNEL); + if (!zone_info->seq_zones) { + ret = -ENOMEM; diff --git a/queue-5.12/btrfs-zoned-fix-unpaired-block-group-unfreeze-during-device-replace.patch b/queue-5.12/btrfs-zoned-fix-unpaired-block-group-unfreeze-during-device-replace.patch new file mode 100644 index 00000000000..e54d6b7a361 --- /dev/null +++ b/queue-5.12/btrfs-zoned-fix-unpaired-block-group-unfreeze-during-device-replace.patch @@ -0,0 +1,51 @@ +From 0dc16ef4f6c2708407fab6d141908d46a3b737bc Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Wed, 14 Apr 2021 14:05:26 +0100 +Subject: btrfs: zoned: fix unpaired block group unfreeze during device replace + +From: Filipe Manana + +commit 0dc16ef4f6c2708407fab6d141908d46a3b737bc upstream. + +When doing a device replace on a zoned filesystem, if we find a block +group with ->to_copy == 0, we jump to the label 'done', which will result +in later calling btrfs_unfreeze_block_group(), even though at this point +we never called btrfs_freeze_block_group(). + +Since at this point we have neither turned the block group to RO mode nor +made any progress, we don't need to jump to the label 'done'. So fix this +by jumping instead to the label 'skip' and dropping our reference on the +block group before the jump. + +Fixes: 78ce9fc269af6e ("btrfs: zoned: mark block groups to copy for device-replace") +CC: stable@vger.kernel.org # 5.12 +Reviewed-by: Johannes Thumshirn +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/scrub.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -3682,8 +3682,8 @@ int scrub_enumerate_chunks(struct scrub_ + spin_lock(&cache->lock); + if (!cache->to_copy) { + spin_unlock(&cache->lock); +- ro_set = 0; +- goto done; ++ btrfs_put_block_group(cache); ++ goto skip; + } + spin_unlock(&cache->lock); + } +@@ -3841,7 +3841,6 @@ int scrub_enumerate_chunks(struct scrub_ + cache, found_key.offset)) + ro_set = 0; + +-done: + down_write(&dev_replace->rwsem); + dev_replace->cursor_left = dev_replace->cursor_right; + dev_replace->item_needs_writeback = 1; diff --git a/queue-5.12/cifs-detect-dead-connections-only-when-echoes-are-enabled.patch b/queue-5.12/cifs-detect-dead-connections-only-when-echoes-are-enabled.patch new file mode 100644 index 00000000000..198547e6d5f --- /dev/null +++ b/queue-5.12/cifs-detect-dead-connections-only-when-echoes-are-enabled.patch @@ -0,0 +1,36 @@ +From f4916649f98e2c7bdba38c6597a98c456c17317d Mon Sep 17 00:00:00 2001 +From: Shyam Prasad N +Date: Thu, 29 Apr 2021 07:53:18 +0000 +Subject: cifs: detect dead connections only when echoes are enabled. + +From: Shyam Prasad N + +commit f4916649f98e2c7bdba38c6597a98c456c17317d upstream. + +We can detect server unresponsiveness only if echoes are enabled. +Echoes can be disabled under two scenarios: +1. The connection is low on credits, so we've disabled echoes/oplocks. +2. The connection has not seen any request till now (other than +negotiate/sess-setup), which is when we enable these two, based on +the credits available. + +So this fix will check for dead connection, only when echo is enabled. + +Signed-off-by: Shyam Prasad N +CC: # v5.8+ +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/connect.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -488,6 +488,7 @@ server_unresponsive(struct TCP_Server_In + */ + if ((server->tcpStatus == CifsGood || + server->tcpStatus == CifsNeedNegotiate) && ++ (!server->ops->can_echo || server->ops->can_echo(server)) && + time_after(jiffies, server->lstrp + 3 * server->echo_interval)) { + cifs_server_dbg(VFS, "has not responded in %lu seconds. Reconnecting...\n", + (3 * server->echo_interval) / HZ); diff --git a/queue-5.12/cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch b/queue-5.12/cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch new file mode 100644 index 00000000000..696de91ec90 --- /dev/null +++ b/queue-5.12/cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch @@ -0,0 +1,59 @@ +From 315db9a05b7a56810728589baa930864107e4634 Mon Sep 17 00:00:00 2001 +From: David Disseldorp +Date: Fri, 23 Apr 2021 00:14:03 +0200 +Subject: cifs: fix leak in cifs_smb3_do_mount() ctx + +From: David Disseldorp + +commit 315db9a05b7a56810728589baa930864107e4634 upstream. + +cifs_smb3_do_mount() calls smb3_fs_context_dup() and then +cifs_setup_volume_info(). The latter's subsequent smb3_parse_devname() +call overwrites the cifs_sb->ctx->UNC string already dup'ed by +smb3_fs_context_dup(), resulting in a leak. E.g. + +unreferenced object 0xffff888002980420 (size 32): + comm "mount", pid 160, jiffies 4294892541 (age 30.416s) + hex dump (first 32 bytes): + 5c 5c 31 39 32 2e 31 36 38 2e 31 37 34 2e 31 30 \\192.168.174.10 + 34 5c 72 61 70 69 64 6f 2d 73 68 61 72 65 00 00 4\rapido-share.. + backtrace: + [<00000000069e12f6>] kstrdup+0x28/0x50 + [<00000000b61f4032>] smb3_fs_context_dup+0x127/0x1d0 [cifs] + [<00000000c6e3e3bf>] cifs_smb3_do_mount+0x77/0x660 [cifs] + [<0000000063467a6b>] smb3_get_tree+0xdf/0x220 [cifs] + [<00000000716f731e>] vfs_get_tree+0x1b/0x90 + [<00000000491d3892>] path_mount+0x62a/0x910 + [<0000000046b2e774>] do_mount+0x50/0x70 + [<00000000ca7b64dd>] __x64_sys_mount+0x81/0xd0 + [<00000000b5122496>] do_syscall_64+0x33/0x40 + [<000000002dd397af>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +This change is a bandaid until the cifs_setup_volume_info() TODO and +error handling issues are resolved. + +Signed-off-by: David Disseldorp +Acked-by: Ronnie Sahlberg +Reviewed-by: Paulo Alcantara (SUSE) +CC: # v5.11+ +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -834,6 +834,12 @@ cifs_smb3_do_mount(struct file_system_ty + goto out; + } + ++ /* cifs_setup_volume_info->smb3_parse_devname() redups UNC & prepath */ ++ kfree(cifs_sb->ctx->UNC); ++ cifs_sb->ctx->UNC = NULL; ++ kfree(cifs_sb->ctx->prepath); ++ cifs_sb->ctx->prepath = NULL; ++ + rc = cifs_setup_volume_info(cifs_sb->ctx, NULL, old_ctx->UNC); + if (rc) { + root = ERR_PTR(rc); diff --git a/queue-5.12/cifs-fix-out-of-bound-memory-access-when-calling-smb3_notify-at-mount-point.patch b/queue-5.12/cifs-fix-out-of-bound-memory-access-when-calling-smb3_notify-at-mount-point.patch new file mode 100644 index 00000000000..025258be8a4 --- /dev/null +++ b/queue-5.12/cifs-fix-out-of-bound-memory-access-when-calling-smb3_notify-at-mount-point.patch @@ -0,0 +1,40 @@ +From a637f4ae037e1e0604ac008564934d63261a8fd1 Mon Sep 17 00:00:00 2001 +From: Eugene Korenevsky +Date: Fri, 16 Apr 2021 10:35:30 +0300 +Subject: cifs: fix out-of-bound memory access when calling smb3_notify() at mount point + +From: Eugene Korenevsky + +commit a637f4ae037e1e0604ac008564934d63261a8fd1 upstream. + +If smb3_notify() is called at mount point of CIFS, build_path_from_dentry() +returns the pointer to kmalloc-ed memory with terminating zero (this is +empty FileName to be passed to SMB2 CREATE request). This pointer is assigned +to the `path` variable. +Then `path + 1` (to skip first backslash symbol) is passed to +cifs_convert_path_to_utf16(). This is incorrect for empty path and causes +out-of-bound memory access. + +Get rid of this "increase by one". cifs_convert_path_to_utf16() already +contains the check for leading backslash in the path. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212693 +CC: # v5.6+ +Signed-off-by: Eugene Korenevsky +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -2232,7 +2232,7 @@ smb3_notify(const unsigned int xid, stru + + cifs_sb = CIFS_SB(inode->i_sb); + +- utf16_path = cifs_convert_path_to_utf16(path + 1, cifs_sb); ++ utf16_path = cifs_convert_path_to_utf16(path, cifs_sb); + if (utf16_path == NULL) { + rc = -ENOMEM; + goto notify_exit; diff --git a/queue-5.12/cifs-fix-regression-when-mounting-shares-with-prefix-paths.patch b/queue-5.12/cifs-fix-regression-when-mounting-shares-with-prefix-paths.patch new file mode 100644 index 00000000000..29cd0199634 --- /dev/null +++ b/queue-5.12/cifs-fix-regression-when-mounting-shares-with-prefix-paths.patch @@ -0,0 +1,119 @@ +From 5c1acf3fe05ce443edba5e2110c9e581765f66a8 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Mon, 3 May 2021 11:55:26 -0300 +Subject: cifs: fix regression when mounting shares with prefix paths + +From: Paulo Alcantara + +commit 5c1acf3fe05ce443edba5e2110c9e581765f66a8 upstream. + +The commit 315db9a05b7a ("cifs: fix leak in cifs_smb3_do_mount() ctx") +revealed an existing bug when mounting shares that contain a prefix +path or DFS links. + +cifs_setup_volume_info() requires the @devname to contain the full +path (UNC + prefix) to update the fs context with the new UNC and +prepath values, however we were passing only the UNC +path (old_ctx->UNC) in @device thus discarding any prefix paths. + +Instead of concatenating both old_ctx->{UNC,prepath} and pass it in +@devname, just keep the dup'ed values of UNC and prepath in +cifs_sb->ctx after calling smb3_fs_context_dup(), and fix +smb3_parse_devname() to correctly parse and not leak the new UNC and +prefix paths. + +Cc: # v5.11+ +Fixes: 315db9a05b7a ("cifs: fix leak in cifs_smb3_do_mount() ctx") +Signed-off-by: Paulo Alcantara (SUSE) +Acked-by: David Disseldorp +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.c | 8 +------- + fs/cifs/connect.c | 24 ++++++++++++++++++------ + fs/cifs/fs_context.c | 4 ++++ + 3 files changed, 23 insertions(+), 13 deletions(-) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -834,13 +834,7 @@ cifs_smb3_do_mount(struct file_system_ty + goto out; + } + +- /* cifs_setup_volume_info->smb3_parse_devname() redups UNC & prepath */ +- kfree(cifs_sb->ctx->UNC); +- cifs_sb->ctx->UNC = NULL; +- kfree(cifs_sb->ctx->prepath); +- cifs_sb->ctx->prepath = NULL; +- +- rc = cifs_setup_volume_info(cifs_sb->ctx, NULL, old_ctx->UNC); ++ rc = cifs_setup_volume_info(cifs_sb->ctx, NULL, NULL); + if (rc) { + root = ERR_PTR(rc); + goto out; +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -3176,17 +3176,29 @@ out: + int + cifs_setup_volume_info(struct smb3_fs_context *ctx, const char *mntopts, const char *devname) + { +- int rc = 0; ++ int rc; + +- smb3_parse_devname(devname, ctx); ++ if (devname) { ++ cifs_dbg(FYI, "%s: devname=%s\n", __func__, devname); ++ rc = smb3_parse_devname(devname, ctx); ++ if (rc) { ++ cifs_dbg(VFS, "%s: failed to parse %s: %d\n", __func__, devname, rc); ++ return rc; ++ } ++ } + + if (mntopts) { + char *ip; + +- cifs_dbg(FYI, "%s: mntopts=%s\n", __func__, mntopts); + rc = smb3_parse_opt(mntopts, "ip", &ip); +- if (!rc && !cifs_convert_address((struct sockaddr *)&ctx->dstaddr, ip, +- strlen(ip))) { ++ if (rc) { ++ cifs_dbg(VFS, "%s: failed to parse ip options: %d\n", __func__, rc); ++ return rc; ++ } ++ ++ rc = cifs_convert_address((struct sockaddr *)&ctx->dstaddr, ip, strlen(ip)); ++ kfree(ip); ++ if (!rc) { + cifs_dbg(VFS, "%s: failed to convert ip address\n", __func__); + return -EINVAL; + } +@@ -3206,7 +3218,7 @@ cifs_setup_volume_info(struct smb3_fs_co + return -EINVAL; + } + +- return rc; ++ return 0; + } + + static int +--- a/fs/cifs/fs_context.c ++++ b/fs/cifs/fs_context.c +@@ -475,6 +475,7 @@ smb3_parse_devname(const char *devname, + + /* move "pos" up to delimiter or NULL */ + pos += len; ++ kfree(ctx->UNC); + ctx->UNC = kstrndup(devname, pos - devname, GFP_KERNEL); + if (!ctx->UNC) + return -ENOMEM; +@@ -485,6 +486,9 @@ smb3_parse_devname(const char *devname, + if (*pos == '/' || *pos == '\\') + pos++; + ++ kfree(ctx->prepath); ++ ctx->prepath = NULL; ++ + /* If pos is NULL then no prepath */ + if (!*pos) + return 0; diff --git a/queue-5.12/cifs-return-correct-error-code-from-smb2_get_enc_key.patch b/queue-5.12/cifs-return-correct-error-code-from-smb2_get_enc_key.patch new file mode 100644 index 00000000000..c42d646f228 --- /dev/null +++ b/queue-5.12/cifs-return-correct-error-code-from-smb2_get_enc_key.patch @@ -0,0 +1,50 @@ +From 83728cbf366e334301091d5b808add468ab46b27 Mon Sep 17 00:00:00 2001 +From: Paul Aurich +Date: Tue, 13 Apr 2021 14:25:27 -0700 +Subject: cifs: Return correct error code from smb2_get_enc_key + +From: Paul Aurich + +commit 83728cbf366e334301091d5b808add468ab46b27 upstream. + +Avoid a warning if the error percolates back up: + +[440700.376476] CIFS VFS: \\otters.example.com crypt_message: Could not get encryption key +[440700.386947] ------------[ cut here ]------------ +[440700.386948] err = 1 +[440700.386977] WARNING: CPU: 11 PID: 2733 at /build/linux-hwe-5.4-p6lk6L/linux-hwe-5.4-5.4.0/lib/errseq.c:74 errseq_set+0x5c/0x70 +... +[440700.397304] CPU: 11 PID: 2733 Comm: tar Tainted: G OE 5.4.0-70-generic #78~18.04.1-Ubuntu +... +[440700.397334] Call Trace: +[440700.397346] __filemap_set_wb_err+0x1a/0x70 +[440700.397419] cifs_writepages+0x9c7/0xb30 [cifs] +[440700.397426] do_writepages+0x4b/0xe0 +[440700.397444] __filemap_fdatawrite_range+0xcb/0x100 +[440700.397455] filemap_write_and_wait+0x42/0xa0 +[440700.397486] cifs_setattr+0x68b/0xf30 [cifs] +[440700.397493] notify_change+0x358/0x4a0 +[440700.397500] utimes_common+0xe9/0x1c0 +[440700.397510] do_utimes+0xc5/0x150 +[440700.397520] __x64_sys_utimensat+0x88/0xd0 + +Fixes: 61cfac6f267d ("CIFS: Fix possible use after free in demultiplex thread") +Signed-off-by: Paul Aurich +CC: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -4178,7 +4178,7 @@ smb2_get_enc_key(struct TCP_Server_Info + } + spin_unlock(&cifs_tcp_ses_lock); + +- return 1; ++ return -EAGAIN; + } + /* + * Encrypt or decrypt @rqst message. @rqst[0] has the following format: diff --git a/queue-5.12/intel_th-pci-add-rocket-lake-cpu-support.patch b/queue-5.12/intel_th-pci-add-rocket-lake-cpu-support.patch new file mode 100644 index 00000000000..5c01374ce66 --- /dev/null +++ b/queue-5.12/intel_th-pci-add-rocket-lake-cpu-support.patch @@ -0,0 +1,35 @@ +From 9f7f2a5e01ab4ee56b6d9c0572536fe5fd56e376 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 14 Apr 2021 20:12:50 +0300 +Subject: intel_th: pci: Add Rocket Lake CPU support + +From: Alexander Shishkin + +commit 9f7f2a5e01ab4ee56b6d9c0572536fe5fd56e376 upstream. + +This adds support for the Trace Hub in Rocket Lake CPUs. + +Signed-off-by: Alexander Shishkin +Reviewed-by: Andy Shevchenko +Cc: stable # v4.14+ +Link: https://lore.kernel.org/r/20210414171251.14672-7-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -278,6 +278,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x466f), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, ++ { ++ /* Rocket Lake CPU */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x4c19), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-5.12/irqchip-gic-v3-do-not-enable-irqs-when-handling-spurious-interrups.patch b/queue-5.12/irqchip-gic-v3-do-not-enable-irqs-when-handling-spurious-interrups.patch new file mode 100644 index 00000000000..589f1555dab --- /dev/null +++ b/queue-5.12/irqchip-gic-v3-do-not-enable-irqs-when-handling-spurious-interrups.patch @@ -0,0 +1,116 @@ +From a97709f563a078e259bf0861cd259aa60332890a Mon Sep 17 00:00:00 2001 +From: He Ying +Date: Fri, 23 Apr 2021 04:35:16 -0400 +Subject: irqchip/gic-v3: Do not enable irqs when handling spurious interrups + +From: He Ying + +commit a97709f563a078e259bf0861cd259aa60332890a upstream. + +We triggered the following error while running our 4.19 kernel +with the pseudo-NMI patches backported to it: + +[ 14.816231] ------------[ cut here ]------------ +[ 14.816231] kernel BUG at irq.c:99! +[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP +[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____)) +[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14 +[ 14.816233] Hardware name: evb (DT) +[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO) +[ 14.816234] pc : asm_nmi_enter+0x94/0x98 +[ 14.816235] lr : asm_nmi_enter+0x18/0x98 +[ 14.816235] sp : ffff000008003c50 +[ 14.816235] pmr_save: 00000070 +[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0 +[ 14.816238] x27: 0000000000000000 x26: ffff000008004000 +[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000 +[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc +[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060 +[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff +[ 14.816243] x17: 0000000000000008 x16: 003d090000000000 +[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40 +[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000 +[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5 +[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f +[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e +[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000 +[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000 +[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0 +[ 14.816251] Call trace: +[ 14.816251] asm_nmi_enter+0x94/0x98 +[ 14.816251] el1_irq+0x8c/0x180 (IRQ C) +[ 14.816252] gic_handle_irq+0xbc/0x2e4 +[ 14.816252] el1_irq+0xcc/0x180 (IRQ B) +[ 14.816253] arch_timer_handler_virt+0x38/0x58 +[ 14.816253] handle_percpu_devid_irq+0x90/0x240 +[ 14.816253] generic_handle_irq+0x34/0x50 +[ 14.816254] __handle_domain_irq+0x68/0xc0 +[ 14.816254] gic_handle_irq+0xf8/0x2e4 +[ 14.816255] el1_irq+0xcc/0x180 (IRQ A) +[ 14.816255] arch_cpu_idle+0x34/0x1c8 +[ 14.816255] default_idle_call+0x24/0x44 +[ 14.816256] do_idle+0x1d0/0x2c8 +[ 14.816256] cpu_startup_entry+0x28/0x30 +[ 14.816256] rest_init+0xb8/0xc8 +[ 14.816257] start_kernel+0x4c8/0x4f4 +[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000) +[ 14.816258] Modules linked in: start_dp(O) smeth(O) +[ 15.103092] ---[ end trace 701753956cb14aa8 ]--- +[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt +[ 15.103099] SMP: stopping secondary CPUs +[ 15.103100] Kernel Offset: disabled +[ 15.103100] CPU features: 0x36,a2400218 +[ 15.103100] Memory Limit: none + +which is cause by a 'BUG_ON(in_nmi())' in nmi_enter(). + +From the call trace, we can find three interrupts (noted A, B, C above): +interrupt (A) is preempted by (B), which is further interrupted by (C). + +Subsequent investigations show that (B) results in nmi_enter() being +called, but that it actually is a spurious interrupt. Furthermore, +interrupts are reenabled in the context of (B), and (C) fires with +NMI priority. We end-up with a nested NMI situation, something +we definitely do not want to (and cannot) handle. + +The bug here is that spurious interrupts should never result in any +state change, and we should just return to the interrupted context. +Moving the handling of spurious interrupts as early as possible in +the GICv3 handler fixes this issue. + +Fixes: 3f1f3234bc2d ("irqchip/gic-v3: Switch to PMR masking before calling IRQ handler") +Acked-by: Mark Rutland +Signed-off-by: He Ying +[maz: rewrote commit message, corrected Fixes: tag] +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210423083516.170111-1-heying24@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -648,6 +648,10 @@ static asmlinkage void __exception_irq_e + + irqnr = gic_read_iar(); + ++ /* Check for special IDs first */ ++ if ((irqnr >= 1020 && irqnr <= 1023)) ++ return; ++ + if (gic_supports_nmi() && + unlikely(gic_read_rpr() == GICD_INT_NMI_PRI)) { + gic_handle_nmi(irqnr, regs); +@@ -659,10 +663,6 @@ static asmlinkage void __exception_irq_e + gic_arch_enable_irqs(); + } + +- /* Check for special IDs first */ +- if ((irqnr >= 1020 && irqnr <= 1023)) +- return; +- + if (static_branch_likely(&supports_deactivate_key)) + gic_write_eoir(irqnr); + else diff --git a/queue-5.12/series b/queue-5.12/series index 529f6ff44d7..f46e689d559 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -48,3 +48,17 @@ mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch +irqchip-gic-v3-do-not-enable-irqs-when-handling-spurious-interrups.patch +cifs-return-correct-error-code-from-smb2_get_enc_key.patch +cifs-fix-out-of-bound-memory-access-when-calling-smb3_notify-at-mount-point.patch +cifs-fix-leak-in-cifs_smb3_do_mount-ctx.patch +cifs-detect-dead-connections-only-when-echoes-are-enabled.patch +cifs-fix-regression-when-mounting-shares-with-prefix-paths.patch +smb2-fix-use-after-free-in-smb2_ioctl_query_info.patch +btrfs-handle-remount-to-no-compress-during-compression.patch +x86-build-disable-highmem64g-selection-for-m486sx.patch +btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch +intel_th-pci-add-rocket-lake-cpu-support.patch +btrfs-fix-race-between-transaction-aborts-and-fsyncs-leading-to-use-after-free.patch +btrfs-zoned-fix-unpaired-block-group-unfreeze-during-device-replace.patch +btrfs-zoned-fail-mount-if-the-device-does-not-support-zone-append.patch diff --git a/queue-5.12/smb2-fix-use-after-free-in-smb2_ioctl_query_info.patch b/queue-5.12/smb2-fix-use-after-free-in-smb2_ioctl_query_info.patch new file mode 100644 index 00000000000..c082ddf2146 --- /dev/null +++ b/queue-5.12/smb2-fix-use-after-free-in-smb2_ioctl_query_info.patch @@ -0,0 +1,144 @@ +From ccd48ec3d4a6cc595b2d9c5146e63b6c23546701 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Fri, 9 Apr 2021 15:47:01 +0200 +Subject: smb2: fix use-after-free in smb2_ioctl_query_info() + +From: Aurelien Aptel + +commit ccd48ec3d4a6cc595b2d9c5146e63b6c23546701 upstream. + +* rqst[1,2,3] is allocated in vars +* each rqst->rq_iov is also allocated in vars or using pooled memory + +SMB2_open_free, SMB2_ioctl_free, SMB2_query_info_free are iterating on +each rqst after vars has been freed (use-after-free), and they are +freeing the kvec a second time (double-free). + +How to trigger: + +* compile with KASAN +* mount a share + +$ smbinfo quota /mnt/foo +Segmentation fault +$ dmesg + + ================================================================== + BUG: KASAN: use-after-free in SMB2_open_free+0x1c/0xa0 + Read of size 8 at addr ffff888007b10c00 by task python3/1200 + + CPU: 2 PID: 1200 Comm: python3 Not tainted 5.12.0-rc6+ #107 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 + Call Trace: + dump_stack+0x93/0xc2 + print_address_description.constprop.0+0x18/0x130 + ? SMB2_open_free+0x1c/0xa0 + ? SMB2_open_free+0x1c/0xa0 + kasan_report.cold+0x7f/0x111 + ? smb2_ioctl_query_info+0x240/0x990 + ? SMB2_open_free+0x1c/0xa0 + SMB2_open_free+0x1c/0xa0 + smb2_ioctl_query_info+0x2bf/0x990 + ? smb2_query_reparse_tag+0x600/0x600 + ? cifs_mapchar+0x250/0x250 + ? rcu_read_lock_sched_held+0x3f/0x70 + ? cifs_strndup_to_utf16+0x12c/0x1c0 + ? rwlock_bug.part.0+0x60/0x60 + ? rcu_read_lock_sched_held+0x3f/0x70 + ? cifs_convert_path_to_utf16+0xf8/0x140 + ? smb2_check_message+0x6f0/0x6f0 + cifs_ioctl+0xf18/0x16b0 + ? smb2_query_reparse_tag+0x600/0x600 + ? cifs_readdir+0x1800/0x1800 + ? selinux_bprm_creds_for_exec+0x4d0/0x4d0 + ? do_user_addr_fault+0x30b/0x950 + ? __x64_sys_openat+0xce/0x140 + __x64_sys_ioctl+0xb9/0xf0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7fdcf1f4ba87 + Code: b3 66 90 48 8b 05 11 14 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 13 2c 00 f7 d8 64 89 01 48 + RSP: 002b:00007ffef1ce7748 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00000000c018cf07 RCX: 00007fdcf1f4ba87 + RDX: 0000564c467c5590 RSI: 00000000c018cf07 RDI: 0000000000000003 + RBP: 00007ffef1ce7770 R08: 00007ffef1ce7420 R09: 00007fdcf0e0562b + R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000004018 + R13: 0000000000000001 R14: 0000000000000003 R15: 0000564c467c5590 + + Allocated by task 1200: + kasan_save_stack+0x1b/0x40 + __kasan_kmalloc+0x7a/0x90 + smb2_ioctl_query_info+0x10e/0x990 + cifs_ioctl+0xf18/0x16b0 + __x64_sys_ioctl+0xb9/0xf0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + Freed by task 1200: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0xe5/0x110 + slab_free_freelist_hook+0x53/0x130 + kfree+0xcc/0x320 + smb2_ioctl_query_info+0x2ad/0x990 + cifs_ioctl+0xf18/0x16b0 + __x64_sys_ioctl+0xb9/0xf0 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + The buggy address belongs to the object at ffff888007b10c00 + which belongs to the cache kmalloc-512 of size 512 + The buggy address is located 0 bytes inside of + 512-byte region [ffff888007b10c00, ffff888007b10e00) + The buggy address belongs to the page: + page:0000000044e14b75 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b10 + head:0000000044e14b75 order:2 compound_mapcount:0 compound_pincount:0 + flags: 0x100000000010200(slab|head) + raw: 0100000000010200 ffffea000015f500 0000000400000004 ffff888001042c80 + raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888007b10b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888007b10b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + >ffff888007b10c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888007b10c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888007b10d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +Signed-off-by: Aurelien Aptel +CC: +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1763,18 +1763,14 @@ smb2_ioctl_query_info(const unsigned int + } + + iqinf_exit: +- kfree(vars); +- kfree(buffer); +- SMB2_open_free(&rqst[0]); +- if (qi.flags & PASSTHRU_FSCTL) +- SMB2_ioctl_free(&rqst[1]); +- else +- SMB2_query_info_free(&rqst[1]); +- +- SMB2_close_free(&rqst[2]); ++ cifs_small_buf_release(rqst[0].rq_iov[0].iov_base); ++ cifs_small_buf_release(rqst[1].rq_iov[0].iov_base); ++ cifs_small_buf_release(rqst[2].rq_iov[0].iov_base); + free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base); + free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); + free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base); ++ kfree(vars); ++ kfree(buffer); + return rc; + + e_fault: diff --git a/queue-5.12/x86-build-disable-highmem64g-selection-for-m486sx.patch b/queue-5.12/x86-build-disable-highmem64g-selection-for-m486sx.patch new file mode 100644 index 00000000000..986c201fa96 --- /dev/null +++ b/queue-5.12/x86-build-disable-highmem64g-selection-for-m486sx.patch @@ -0,0 +1,51 @@ +From 0ef3439cd80ba7770723edb0470d15815914bb62 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Wed, 14 Apr 2021 12:38:28 +0200 +Subject: x86/build: Disable HIGHMEM64G selection for M486SX + +From: Maciej W. Rozycki + +commit 0ef3439cd80ba7770723edb0470d15815914bb62 upstream. + +Fix a regression caused by making the 486SX separately selectable in +Kconfig, for which the HIGHMEM64G setting has not been updated and +therefore has become exposed as a user-selectable option for the M486SX +configuration setting unlike with original M486 and all the other +settings that choose non-PAE-enabled processors: + + High Memory Support + > 1. off (NOHIGHMEM) + 2. 4GB (HIGHMEM4G) + 3. 64GB (HIGHMEM64G) + choice[1-3?]: + +With the fix in place the setting is now correctly removed: + + High Memory Support + > 1. off (NOHIGHMEM) + 2. 4GB (HIGHMEM4G) + choice[1-2?]: + + [ bp: Massage commit message. ] + +Fixes: 87d6021b8143 ("x86/math-emu: Limit MATH_EMULATION to 486SX compatibles") +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Borislav Petkov +Cc: stable@vger.kernel.org # v5.5+ +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.2104141221340.44318@angie.orcam.me.uk +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1406,7 +1406,7 @@ config HIGHMEM4G + + config HIGHMEM64G + bool "64GB" +- depends on !M486 && !M586 && !M586TSC && !M586MMX && !MGEODE_LX && !MGEODEGX1 && !MCYRIXIII && !MELAN && !MWINCHIPC6 && !WINCHIP3D && !MK6 ++ depends on !M486SX && !M486 && !M586 && !M586TSC && !M586MMX && !MGEODE_LX && !MGEODEGX1 && !MCYRIXIII && !MELAN && !MWINCHIPC6 && !WINCHIP3D && !MK6 + select X86_PAE + help + Select this if you have a 32-bit processor and more than 4