From 35213adb00e6fe920c7213e29c4eedf088b1578b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 21 Jan 2023 11:32:49 +0100
Subject: [PATCH] 4.19-stable patches

added patches:
add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
---
...r-vd-in-axi_chan_handle_err-function.patch | 99 +++++++++++++++++
...otection-fault-in-nilfs_btree_insert.patch | 102 ++++++++++++++++++
queue-4.19/series | 2 +
3 files changed, 203 insertions(+)
create mode 100644 queue-4.19/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
create mode 100644 queue-4.19/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch

diff --git a/queue-4.19/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch b/queue-4.19/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
new file mode 100644
index 00000000000..6015c56862a
--- /dev/null
+++ b/queue-4.19/add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
@@ -0,0 +1,99 @@
+From 57054fe516d59d03a7bcf1888e82479ccc244f87 Mon Sep 17 00:00:00 2001
+From: "Shawn.Shao"
+Date: Thu, 12 Jan 2023 13:58:02 +0800
+Subject: Add exception protection processing for vd in axi_chan_handle_err function
+
+From: Shawn.Shao
+
+commit 57054fe516d59d03a7bcf1888e82479ccc244f87 upstream.
+
+Since there is no protection for vd, a kernel panic will be
+triggered here in exceptional cases.
+
+You can refer to the processing of axi_chan_block_xfer_complete function
+
+The triggered kernel panic is as follows:
+
+[ 67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+[ 67.848447] Mem abort info:
+[ 67.848449] ESR = 0x96000004
+[ 67.848451] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 67.848454] SET = 0, FnV = 0
+[ 67.848456] EA = 0, S1PTW = 0
+[ 67.848458] Data abort info:
+[ 67.848460] ISV = 0, ISS = 0x00000004
+[ 67.848462] CM = 0, WnR = 0
+[ 67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
+[ 67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
+[ 67.848472] Internal error: Oops: 96000004 [#1] SMP
+[ 67.848475] Modules linked in: dmatest
+[ 67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
+[ 67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
+[ 67.848487] pc : axi_chan_handle_err+0xc4/0x230
+[ 67.848491] lr : axi_chan_handle_err+0x30/0x230
+[ 67.848493] sp : ffff0803fe55ae50
+[ 67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
+[ 67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
+[ 67.848504] x25: ffff800010d33880 x24: ffff80001139d850
+[ 67.848508] x23: ffff0800c097c168 x22: 0000000000000000
+[ 67.848512] x21: 0000000000000080 x20: 0000000000002000
+[ 67.848517] x19: ffff0800c097c080 x18: 0000000000000000
+[ 67.848521] x17: 0000000000000000 x16: 0000000000000000
+[ 67.848525] x15: 0000000000000000 x14: 0000000000000000
+[ 67.848529] x13: 0000000000000000 x12: 0000000000000040
+[ 67.848533] x11: 
ffff0800c0400248 x10: ffff0800c040024a
+[ 67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
+[ 67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
+[ 67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
+[ 67.848550] x3 : dead000000000100 x2 : dead000000000122
+[ 67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
+[ 67.848559] Call trace:
+[ 67.848562] axi_chan_handle_err+0xc4/0x230
+[ 67.848566] dw_axi_dma_interrupt+0xf4/0x590
+[ 67.848569] __handle_irq_event_percpu+0x60/0x220
+[ 67.848573] handle_irq_event+0x64/0x120
+[ 67.848576] handle_fasteoi_irq+0xc4/0x220
+[ 67.848580] __handle_domain_irq+0x80/0xe0
+[ 67.848583] gic_handle_irq+0xc0/0x138
+[ 67.848585] el1_irq+0xc8/0x180
+[ 67.848588] arch_cpu_idle+0x14/0x2c
+[ 67.848591] default_idle_call+0x40/0x16c
+[ 67.848594] do_idle+0x1f0/0x250
+[ 67.848597] cpu_startup_entry+0x2c/0x60
+[ 67.848600] rest_init+0xc0/0xcc
+[ 67.848603] arch_call_rest_init+0x14/0x1c
+[ 67.848606] start_kernel+0x4cc/0x500
+[ 67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
+[ 67.848613] ---[ end trace 585a97036f88203a ]---
+
+Signed-off-by: Shawn.Shao
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230112055802.1764-1-shawn.shao@jaguarmicro.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
++++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+@@ -551,6 +551,11 @@ static noinline void axi_chan_handle_err
+
+ /* The bad descriptor currently is in the head of vc list */
+ vd = vchan_next_desc(&chan->vc);
++ if (!vd) {
++ dev_err(chan2dev(chan), "BUG: %s, IRQ with no descriptors\n",
++ axi_chan_name(chan));
++ goto out;
++ }
+ /* Remove the completed descriptor from issued list */
+ list_del(&vd->node);
+
+@@ -565,6 +570,7 @@ static noinline void axi_chan_handle_err
+ /* Try to restart the controller */
+ 
axi_chan_start_first_queued(chan);
+
++out:
+ spin_unlock_irqrestore(&chan->vc.lock, flags);
+ }
+
diff --git a/queue-4.19/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch b/queue-4.19/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
new file mode 100644
index 00000000000..b0645fc0d4d
--- /dev/null
+++ b/queue-4.19/nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
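Review bot: The `dev_err()` in the added `if (!vd)` branch runs from the interrupt path (the trace in the commit message shows dw_axi_dma_interrupt() calling axi_chan_handle_err()), so a channel that keeps raising error interrupts while its issued list is empty will log on every one of them; `dev_err_ratelimited()` would be the safer choice for that message. If the channel's error status is available to this function (its parameter list is cut off in the hunk header), printing it alongside the channel name would give the one datum that explains why an error fired with nothing queued. The commit message says only that the empty list happens "in exceptional cases", so a one-line comment above the check, e.g. `/* Error IRQ with nothing issued: nothing to complete or restart */`, would record the expectation for the next reader. The function's opening, including whatever is done to the channel before vchan_next_desc(), lies outside the hunk.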
@@ -0,0 +1,102 @@
+From 7633355e5c7f29c049a9048e461427d1d8ed3051 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Thu, 5 Jan 2023 14:53:56 +0900
+Subject: nilfs2: fix general protection fault in nilfs_btree_insert()
+
+From: Ryusuke Konishi
+
+commit 7633355e5c7f29c049a9048e461427d1d8ed3051 upstream.
+
+If nilfs2 reads a corrupted disk image and tries to reads a b-tree node
+block by calling __nilfs_btree_get_block() against an invalid virtual
+block address, it returns -ENOENT because conversion of the virtual block
+address to a disk block address fails. However, this return value is the
+same as the internal code that b-tree lookup routines return to indicate
+that the block being searched does not exist, so functions that operate on
+that b-tree may misbehave.
+
+When nilfs_btree_insert() receives this spurious 'not found' code from
+nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
+successful and continues the insert operation using incomplete lookup path
+data, causing the following crash:
+
+ general protection fault, probably for non-canonical address
+ 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
+ ...
+ RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
+ RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
+ RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
+ Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
+ ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
+ 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
+ ...
+ Call Trace:
+
+ nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
+ nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
+ nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
+ __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
+ __block_write_begin fs/buffer.c:2041 [inline]
+ block_write_begin+0x93/0x1e0 fs/buffer.c:2102
+ nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
+ generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
+ __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
+ generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
+ call_write_iter include/linux/fs.h:2186 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x7dc/0xc50 fs/read_write.c:584
+ ksys_write+0x177/0x2a0 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ ...
+
+
+This patch fixes the root cause of this problem by replacing the error
+code that __nilfs_btree_get_block() returns on block address conversion
+failure from -ENOENT to another internal code -EINVAL which means that the
+b-tree metadata is corrupted.
+
+By returning -EINVAL, it propagates without glitches, and for all relevant
+b-tree operations, functions in the upper bmap layer output an error
+message indicating corrupted b-tree metadata via
+nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
+it should be.
+
+Link: https://lkml.kernel.org/r/000000000000bd89e205f0e38355@google.com
+Link: https://lkml.kernel.org/r/20230105055356.8811-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+ede796cecd5296353515@syzkaller.appspotmail.com
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/btree.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -480,9 +480,18 @@ static int __nilfs_btree_get_block(const
+ ret = nilfs_btnode_submit_block(btnc, ptr, 0, REQ_OP_READ, 0, &bh,
+ &submit_ptr);
+ if (ret) {
+- if (ret != -EEXIST)
+- return ret;
+- goto out_check;
++ if (likely(ret == -EEXIST))
++ goto out_check;
++ if (ret == -ENOENT) {
++ /*
++ * Block address translation failed due to invalid
++ * value of 'ptr'. In this case, return internal code
++ * -EINVAL (broken bmap) to notify bmap layer of fatal
++ * metadata corruption.
++ */
++ ret = -EINVAL;
++ }
++ return ret;
+ }
+
+ if (ra) {
diff --git a/queue-4.19/series b/queue-4.19/series
index ef85acc01e3..01fb6cfcc9b 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -2,3 +2,5 @@ pnfs-filelayout-fix-coalescing-test-for-single-ds.patch
 net-ethtool-ioctl-return-eopnotsupp-if-we-have-no-ph.patch
 rdma-srp-move-large-values-to-a-new-enum-for-gcc13.patch
 f2fs-let-s-avoid-panic-if-extent_tree-is-not-created.patch
+add-exception-protection-processing-for-vd-in-axi_chan_handle_err-function.patch
+nilfs2-fix-general-protection-fault-in-nilfs_btree_insert.patch
-- 
2.47.3
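Review bot: The new `if (ret == -ENOENT)` branch in __nilfs_btree_get_block() treats every -ENOENT from nilfs_btnode_submit_block() as a failed virtual-to-disk address translation, which is what the added comment asserts but nothing in the hunk enforces; if that function (outside the hunk) can return -ENOENT for any other reason, that case would now be reported as metadata corruption and, per the commit message, surface to the caller as -EIO. Since this path is driven by attacker-controlled on-disk data (the report comes from syzbot fuzzing a crafted image), escalating to a fatal code is the right direction, but the dependency should be stated, e.g. by appending `* Relies on nilfs_btnode_submit_block() using -ENOENT only for that failure.` to the block comment. The remaining error codes still propagate unchanged through the shared `return ret;`, and `likely(ret == -EEXIST)` keeps the already-cached path first, which reads well. __nilfs_btree_get_block() begins and ends outside the hunk.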