From: Greg Kroah-Hartman Date: Fri, 25 Feb 2022 09:03:14 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.9.304~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f909805d5e0e32c002499b1d3837567d72fe8d58;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: btrfs-tree-checker-check-item_size-for-dev_item.patch btrfs-tree-checker-check-item_size-for-inode_item.patch cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch cgroup-v1-correct-privileges-check-in-release_agent-writes.patch x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch --- diff --git a/queue-5.15/btrfs-tree-checker-check-item_size-for-dev_item.patch b/queue-5.15/btrfs-tree-checker-check-item_size-for-dev_item.patch new file mode 100644 index 00000000000..b0cc4b58d17 --- /dev/null +++ b/queue-5.15/btrfs-tree-checker-check-item_size-for-dev_item.patch @@ -0,0 +1,44 @@ +From ea1d1ca4025ac6c075709f549f9aa036b5b6597d Mon Sep 17 00:00:00 2001 +From: Su Yue +Date: Fri, 21 Jan 2022 17:33:35 +0800 +Subject: btrfs: tree-checker: check item_size for dev_item + +From: Su Yue + +commit ea1d1ca4025ac6c075709f549f9aa036b5b6597d upstream. + +Check item size before accessing the device item to avoid out of bound +access, similar to inode_item check. + +Signed-off-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -965,6 +965,7 @@ static int check_dev_item(struct extent_ + struct btrfs_key *key, int slot) + { + struct btrfs_dev_item *ditem; ++ const u32 item_size = btrfs_item_size_nr(leaf, slot); + + if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) { + dev_item_err(leaf, slot, +@@ -972,6 +973,13 @@ static int check_dev_item(struct extent_ + key->objectid, BTRFS_DEV_ITEMS_OBJECTID); + return -EUCLEAN; + } ++ ++ if (unlikely(item_size != sizeof(*ditem))) { ++ dev_item_err(leaf, slot, "invalid item size: has %u expect %zu", ++ item_size, sizeof(*ditem)); ++ return -EUCLEAN; ++ } ++ + ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item); + if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) { + dev_item_err(leaf, slot, diff --git a/queue-5.15/btrfs-tree-checker-check-item_size-for-inode_item.patch b/queue-5.15/btrfs-tree-checker-check-item_size-for-inode_item.patch new file mode 100644 index 00000000000..ca374fac47f --- /dev/null +++ b/queue-5.15/btrfs-tree-checker-check-item_size-for-inode_item.patch @@ -0,0 +1,113 @@ +From 0c982944af27d131d3b74242f3528169f66950ad Mon Sep 17 00:00:00 2001 +From: Su Yue +Date: Fri, 21 Jan 2022 17:33:34 +0800 +Subject: btrfs: tree-checker: check item_size for inode_item + +From: Su Yue + +commit 0c982944af27d131d3b74242f3528169f66950ad upstream. + +while mounting the crafted image, out-of-bounds access happens: + + [350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1 + [350.429636] index 1048096 is out of range for type 'page *[16]' + [350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1 + [350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 + [350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs] + [350.429772] Call Trace: + [350.429774] + [350.429776] dump_stack_lvl+0x47/0x5c + [350.429780] ubsan_epilogue+0x5/0x50 + [350.429786] __ubsan_handle_out_of_bounds+0x66/0x70 + [350.429791] btrfs_get_16+0xfd/0x120 [btrfs] + [350.429832] check_leaf+0x754/0x1a40 [btrfs] + [350.429874] ? filemap_read+0x34a/0x390 + [350.429878] ? load_balance+0x175/0xfc0 + [350.429881] validate_extent_buffer+0x244/0x310 [btrfs] + [350.429911] btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs] + [350.429935] end_bio_extent_readpage+0x3af/0x850 [btrfs] + [350.429969] ? newidle_balance+0x259/0x480 + [350.429972] end_workqueue_fn+0x29/0x40 [btrfs] + [350.429995] btrfs_work_helper+0x71/0x330 [btrfs] + [350.430030] ? __schedule+0x2fb/0xa40 + [350.430033] process_one_work+0x1f6/0x400 + [350.430035] ? process_one_work+0x400/0x400 + [350.430036] worker_thread+0x2d/0x3d0 + [350.430037] ? process_one_work+0x400/0x400 + [350.430038] kthread+0x165/0x190 + [350.430041] ? set_kthread_struct+0x40/0x40 + [350.430043] ret_from_fork+0x1f/0x30 + [350.430047] + [350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2 + +check_leaf() is checking the leaf: + + corrupt leaf: root=4 block=29396992 slot=1, bad key order, prev (16140901064495857664 1 0) current (1 204 12582912) + leaf 29396992 items 6 free space 3565 generation 6 owner DEV_TREE + leaf 29396992 flags 0x1(WRITTEN) backref revision 1 + fs uuid a62e00e8-e94e-4200-8217-12444de93c2e + chunk uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8 + item 0 key (16140901064495857664 INODE_ITEM 0) itemoff 3955 itemsize 40 + generation 0 transid 0 size 0 nbytes 17592186044416 + block group 0 mode 52667 links 33 uid 0 gid 2104132511 rdev 94223634821136 + sequence 100305 flags 0x2409000(none) + atime 0.0 (1970-01-01 08:00:00) + ctime 2973280098083405823.4294967295 (-269783007-01-01 21:37:03) + mtime 18446744071572723616.4026825121 (1902-04-16 12:40:00) + otime 9249929404488876031.4294967295 (622322949-04-16 04:25:58) + item 1 key (1 DEV_EXTENT 12582912) itemoff 3907 itemsize 48 + dev extent chunk_tree 3 + chunk_objectid 256 chunk_offset 12582912 length 8388608 + chunk_tree_uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8 + +The corrupted leaf of device tree has an inode item. The leaf passed +checksum and others checks in validate_extent_buffer until check_leaf_item(). +Because of the key type BTRFS_INODE_ITEM, check_inode_item() is called even we +are in the device tree. Since the +item offset + sizeof(struct btrfs_inode_item) > eb->len, out-of-bounds access +is triggered. + +The item end vs leaf boundary check has been done before +check_leaf_item(), so fix it by checking item size in check_inode_item() +before access of the inode item in extent buffer. + +Other check functions except check_dev_item() in check_leaf_item() +have their item size checks. +The commit for check_dev_item() is followed. + +No regression observed during running fstests. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215299 +CC: stable@vger.kernel.org # 5.10+ +CC: Wenqing Liu +Signed-off-by: Su Yue +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-checker.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/btrfs/tree-checker.c ++++ b/fs/btrfs/tree-checker.c +@@ -1007,6 +1007,7 @@ static int check_inode_item(struct exten + struct btrfs_inode_item *iitem; + u64 super_gen = btrfs_super_generation(fs_info->super_copy); + u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777); ++ const u32 item_size = btrfs_item_size_nr(leaf, slot); + u32 mode; + int ret; + u32 flags; +@@ -1016,6 +1017,12 @@ static int check_inode_item(struct exten + if (unlikely(ret < 0)) + return ret; + ++ if (unlikely(item_size != sizeof(*iitem))) { ++ generic_err(leaf, slot, "invalid item size: has %u expect %zu", ++ item_size, sizeof(*iitem)); ++ return -EUCLEAN; ++ } ++ + iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item); + + /* Here we use super block generation + 1 to handle log tree */ diff --git a/queue-5.15/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch b/queue-5.15/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch new file mode 100644 index 00000000000..25d7133eb7c --- /dev/null +++ b/queue-5.15/cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch @@ -0,0 +1,62 @@ +From 05c7b7a92cc87ff8d7fde189d0fade250697573c Mon Sep 17 00:00:00 2001 +From: Zhang Qiao +Date: Fri, 21 Jan 2022 18:12:10 +0800 +Subject: cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhang Qiao + +commit 05c7b7a92cc87ff8d7fde189d0fade250697573c upstream. + +As previously discussed(https://lkml.org/lkml/2022/1/20/51), +cpuset_attach() is affected with similar cpu hotplug race, +as follow scenario: + + cpuset_attach() cpu hotplug + --------------------------- ---------------------- + down_write(cpuset_rwsem) + guarantee_online_cpus() // (load cpus_attach) + sched_cpu_deactivate + set_cpu_active() + // will change cpu_active_mask + set_cpus_allowed_ptr(cpus_attach) + __set_cpus_allowed_ptr_locked() + // (if the intersection of cpus_attach and + cpu_active_mask is empty, will return -EINVAL) + up_write(cpuset_rwsem) + +To avoid races such as described above, protect cpuset_attach() call +with cpu_hotplug_lock. + +Fixes: be367d099270 ("cgroups: let ss->can_attach and ss->attach do whole threadgroups at a time") +Cc: stable@vger.kernel.org # v2.6.32+ +Reported-by: Zhao Gongyi +Signed-off-by: Zhang Qiao +Acked-by: Waiman Long +Reviewed-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -2249,6 +2249,7 @@ static void cpuset_attach(struct cgroup_ + cgroup_taskset_first(tset, &css); + cs = css_cs(css); + ++ cpus_read_lock(); + percpu_down_write(&cpuset_rwsem); + + guarantee_online_mems(cs, &cpuset_attach_nodemask_to); +@@ -2302,6 +2303,7 @@ static void cpuset_attach(struct cgroup_ + wake_up(&cpuset_attach_wq); + + percpu_up_write(&cpuset_rwsem); ++ cpus_read_unlock(); + } + + /* The various types of files and directories in a cpuset file system */ diff --git a/queue-5.15/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch b/queue-5.15/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch new file mode 100644 index 00000000000..a1ecb4d3d79 --- /dev/null +++ b/queue-5.15/cgroup-v1-correct-privileges-check-in-release_agent-writes.patch @@ -0,0 +1,55 @@ +From 467a726b754f474936980da793b4ff2ec3e382a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Thu, 17 Feb 2022 17:11:28 +0100 +Subject: cgroup-v1: Correct privileges check in release_agent writes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +commit 467a726b754f474936980da793b4ff2ec3e382a7 upstream. + +The idea is to check: a) the owning user_ns of cgroup_ns, b) +capabilities in init_user_ns. + +The commit 24f600856418 ("cgroup-v1: Require capabilities to set +release_agent") got this wrong in the write handler of release_agent +since it checked user_ns of the opener (may be different from the owning +user_ns of cgroup_ns). +Secondly, to avoid possibly confused deputy, the capability of the +opener must be checked. + +Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/stable/20220216121142.GB30035@blackbody.suse.cz/ +Signed-off-by: Michal Koutný +Reviewed-by: Masami Ichikawa(CIP) +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cgroup-v1.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/kernel/cgroup/cgroup-v1.c ++++ b/kernel/cgroup/cgroup-v1.c +@@ -549,6 +549,7 @@ static ssize_t cgroup_release_agent_writ + char *buf, size_t nbytes, loff_t off) + { + struct cgroup *cgrp; ++ struct cgroup_file_ctx *ctx; + + BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); + +@@ -556,8 +557,9 @@ static ssize_t cgroup_release_agent_writ + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ +- if ((of->file->f_cred->user_ns != &init_user_ns) || +- !capable(CAP_SYS_ADMIN)) ++ ctx = of->priv; ++ if ((ctx->ns->user_ns != &init_user_ns) || ++ !file_ns_capable(of->file, &init_user_ns, CAP_SYS_ADMIN)) + return -EPERM; + + cgrp = cgroup_kn_lock_live(of->kn, false); diff --git a/queue-5.15/series b/queue-5.15/series index 5f27f760ffa..31df633a32a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -1 +1,6 @@ mm-filemap-fix-handling-of-thps-in-generic_file_buffered_read.patch +cgroup-cpuset-fix-a-race-between-cpuset_attach-and-cpu-hotplug.patch +cgroup-v1-correct-privileges-check-in-release_agent-writes.patch +x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch +btrfs-tree-checker-check-item_size-for-inode_item.patch +btrfs-tree-checker-check-item_size-for-dev_item.patch diff --git a/queue-5.15/x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch b/queue-5.15/x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch new file mode 100644 index 00000000000..879c385a1a5 --- /dev/null +++ b/queue-5.15/x86-ptrace-fix-xfpregs_set-s-incorrect-xmm-clearing.patch @@ -0,0 +1,87 @@ +From 44cad52cc14ae10062f142ec16ede489bccf4469 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Mon, 14 Feb 2022 13:05:49 +0100 +Subject: x86/ptrace: Fix xfpregs_set()'s incorrect xmm clearing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Lutomirski + +commit 44cad52cc14ae10062f142ec16ede489bccf4469 upstream. + +xfpregs_set() handles 32-bit REGSET_XFP and 64-bit REGSET_FP. The actual +code treats these regsets as modern FX state (i.e. the beginning part of +XSTATE). The declarations of the regsets thought they were the legacy +i387 format. The code thought they were the 32-bit (no xmm8..15) variant +of XSTATE and, for good measure, made the high bits disappear by zeroing +the wrong part of the buffer. The latter broke ptrace, and everything +else confused anyone trying to understand the code. In particular, the +nonsense definitions of the regsets confused me when I wrote this code. + +Clean this all up. Change the declarations to match reality (which +shouldn't change the generated code, let alone the ABI) and fix +xfpregs_set() to clear the correct bits and to only do so for 32-bit +callers. + +Fixes: 6164331d15f7 ("x86/fpu: Rewrite xfpregs_set()") +Reported-by: Luís Ferreira +Signed-off-by: Andy Lutomirski +Signed-off-by: Borislav Petkov +Cc: +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215524 +Link: https://lore.kernel.org/r/YgpFnZpF01WwR8wU@zn.tnic +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/fpu/regset.c | 9 ++++----- + arch/x86/kernel/ptrace.c | 4 ++-- + 2 files changed, 6 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/fpu/regset.c ++++ b/arch/x86/kernel/fpu/regset.c +@@ -87,11 +87,9 @@ int xfpregs_set(struct task_struct *targ + const void *kbuf, const void __user *ubuf) + { + struct fpu *fpu = &target->thread.fpu; +- struct user32_fxsr_struct newstate; ++ struct fxregs_state newstate; + int ret; + +- BUILD_BUG_ON(sizeof(newstate) != sizeof(struct fxregs_state)); +- + if (!cpu_feature_enabled(X86_FEATURE_FXSR)) + return -ENODEV; + +@@ -112,9 +110,10 @@ int xfpregs_set(struct task_struct *targ + /* Copy the state */ + memcpy(&fpu->state.fxsave, &newstate, sizeof(newstate)); + +- /* Clear xmm8..15 */ ++ /* Clear xmm8..15 for 32-bit callers */ + BUILD_BUG_ON(sizeof(fpu->state.fxsave.xmm_space) != 16 * 16); +- memset(&fpu->state.fxsave.xmm_space[8], 0, 8 * 16); ++ if (in_ia32_syscall()) ++ memset(&fpu->state.fxsave.xmm_space[8*4], 0, 8 * 16); + + /* Mark FP and SSE as in use when XSAVE is enabled */ + if (use_xsave()) +--- a/arch/x86/kernel/ptrace.c ++++ b/arch/x86/kernel/ptrace.c +@@ -1224,7 +1224,7 @@ static struct user_regset x86_64_regsets + }, + [REGSET_FP] = { + .core_note_type = NT_PRFPREG, +- .n = sizeof(struct user_i387_struct) / sizeof(long), ++ .n = sizeof(struct fxregs_state) / sizeof(long), + .size = sizeof(long), .align = sizeof(long), + .active = regset_xregset_fpregs_active, .regset_get = xfpregs_get, .set = xfpregs_set + }, +@@ -1271,7 +1271,7 @@ static struct user_regset x86_32_regsets + }, + [REGSET_XFP] = { + .core_note_type = NT_PRXFPREG, +- .n = sizeof(struct user32_fxsr_struct) / sizeof(u32), ++ .n = sizeof(struct fxregs_state) / sizeof(u32), + .size = sizeof(u32), .align = sizeof(u32), + .active = regset_xregset_fpregs_active, .regset_get = xfpregs_get, .set = xfpregs_set + },