From 471d4b71e8c278717ae1cd61e7cb132cd50472ba Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Mar 2021 08:40:53 +0200 Subject: [PATCH] 4.19-stable patches added patches: ext4-add-reclaim-checks-to-xattr-code.patch mac80211-fix-double-free-in-ibss_leave.patch net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch net-sched-validate-stab-values.patch --- ...xt4-add-reclaim-checks-to-xattr-code.patch | 60 ++++++ ...c80211-fix-double-free-in-ibss_leave.patch | 71 +++++++ ...ix-a-kernel-infoleak-in-qrtr_recvmsg.patch | 77 ++++++++ .../net-sched-validate-stab-values.patch | 178 ++++++++++++++++++ queue-4.19/series | 4 + 5 files changed, 390 insertions(+) create mode 100644 queue-4.19/ext4-add-reclaim-checks-to-xattr-code.patch create mode 100644 queue-4.19/mac80211-fix-double-free-in-ibss_leave.patch create mode 100644 queue-4.19/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch create mode 100644 queue-4.19/net-sched-validate-stab-values.patch diff --git a/queue-4.19/ext4-add-reclaim-checks-to-xattr-code.patch b/queue-4.19/ext4-add-reclaim-checks-to-xattr-code.patch new file mode 100644 index 00000000000..0e77b0d9df9 --- /dev/null +++ b/queue-4.19/ext4-add-reclaim-checks-to-xattr-code.patch @@ -0,0 +1,60 @@ +From 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 22 Feb 2021 18:16:26 +0100 +Subject: ext4: add reclaim checks to xattr code + +From: Jan Kara + +commit 163f0ec1df33cf468509ff38cbcbb5eb0d7fac60 upstream. + +Syzbot is reporting that ext4 can enter fs reclaim from kvmalloc() while +the transaction is started like: + + fs_reclaim_acquire+0x117/0x150 mm/page_alloc.c:4340 + might_alloc include/linux/sched/mm.h:193 [inline] + slab_pre_alloc_hook mm/slab.h:493 [inline] + slab_alloc_node mm/slub.c:2817 [inline] + __kmalloc_node+0x5f/0x430 mm/slub.c:4015 + kmalloc_node include/linux/slab.h:575 [inline] + kvmalloc_node+0x61/0xf0 mm/util.c:587 + kvmalloc include/linux/mm.h:781 [inline] + ext4_xattr_inode_cache_find fs/ext4/xattr.c:1465 [inline] + ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1508 [inline] + ext4_xattr_set_entry+0x1ce6/0x3780 fs/ext4/xattr.c:1649 + ext4_xattr_ibody_set+0x78/0x2b0 fs/ext4/xattr.c:2224 + ext4_xattr_set_handle+0x8f4/0x13e0 fs/ext4/xattr.c:2380 + ext4_xattr_set+0x13a/0x340 fs/ext4/xattr.c:2493 + +This should be impossible since transaction start sets PF_MEMALLOC_NOFS. +Add some assertions to the code to catch if something isn't working as +expected early. + +Link: https://lore.kernel.org/linux-ext4/000000000000563a0205bafb7970@google.com/ +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20210222171626.21884-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1480,6 +1480,9 @@ ext4_xattr_inode_cache_find(struct inode + if (!ce) + return NULL; + ++ WARN_ON_ONCE(ext4_handle_valid(journal_current_handle()) && ++ !(current->flags & PF_MEMALLOC_NOFS)); ++ + ea_data = ext4_kvmalloc(value_len, GFP_NOFS); + if (!ea_data) { + mb_cache_entry_put(ea_inode_cache, ce); +@@ -2346,6 +2349,7 @@ ext4_xattr_set_handle(handle_t *handle, + error = -ENOSPC; + goto cleanup; + } ++ WARN_ON_ONCE(!(current->flags & PF_MEMALLOC_NOFS)); + } + + error = ext4_reserve_inode_write(handle, inode, &is.iloc); diff --git a/queue-4.19/mac80211-fix-double-free-in-ibss_leave.patch b/queue-4.19/mac80211-fix-double-free-in-ibss_leave.patch new file mode 100644 index 00000000000..16688a24b5b --- /dev/null +++ b/queue-4.19/mac80211-fix-double-free-in-ibss_leave.patch @@ -0,0 +1,71 @@ +From 3bd801b14e0c5d29eeddc7336558beb3344efaa3 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Sat, 13 Feb 2021 14:36:53 +0100 +Subject: mac80211: fix double free in ibss_leave + +From: Markus Theil + +commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream. + +Clear beacon ie pointer and ie length after free +in order to prevent double free. + +================================================================== +BUG: KASAN: double-free or invalid-free \ +in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876 + +CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x107/0x163 lib/dump_stack.c:120 + print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230 + kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355 + ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341 + kasan_slab_free include/linux/kasan.h:192 [inline] + __cache_free mm/slab.c:3424 [inline] + kfree+0xed/0x270 mm/slab.c:3760 + ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876 + rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline] + __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212 + __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172 + cfg80211_leave net/wireless/core.c:1221 [inline] + cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335 + notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 + call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040 + call_netdevice_notifiers_extack net/core/dev.c:2052 [inline] + call_netdevice_notifiers net/core/dev.c:2066 [inline] + __dev_close_many+0xee/0x2e0 net/core/dev.c:1586 + __dev_close net/core/dev.c:1624 [inline] + __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476 + dev_change_flags+0x8a/0x160 net/core/dev.c:8549 + dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265 + dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511 + sock_do_ioctl+0x148/0x2d0 net/socket.c:1060 + sock_ioctl+0x477/0x6a0 net/socket.c:1177 + vfs_ioctl fs/ioctl.c:48 [inline] + __do_sys_ioctl fs/ioctl.c:753 [inline] + __se_sys_ioctl fs/ioctl.c:739 [inline] + __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 + do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -1861,6 +1861,8 @@ int ieee80211_ibss_leave(struct ieee8021 + + /* remove beacon */ + kfree(sdata->u.ibss.ie); ++ sdata->u.ibss.ie = NULL; ++ sdata->u.ibss.ie_len = 0; + + /* on the next join, re-program HT parameters */ + memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa)); diff --git a/queue-4.19/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch b/queue-4.19/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch new file mode 100644 index 00000000000..33492fdc007 --- /dev/null +++ b/queue-4.19/net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch @@ -0,0 +1,77 @@ +From 50535249f624d0072cd885bcdce4e4b6fb770160 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 12 Mar 2021 08:59:48 -0800 +Subject: net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() + +From: Eric Dumazet + +commit 50535249f624d0072cd885bcdce4e4b6fb770160 upstream. + +struct sockaddr_qrtr has a 2-byte hole, and qrtr_recvmsg() currently +does not clear it before copying kernel data to user space. + +It might be too late to name the hole since sockaddr_qrtr structure is uapi. + +BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 +CPU: 0 PID: 29705 Comm: syz-executor.3 Not tainted 5.11.0-rc7-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:120 + kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118 + kmsan_internal_check_memory+0x202/0x520 mm/kmsan/kmsan.c:402 + kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + _copy_to_user+0x1ac/0x270 lib/usercopy.c:33 + copy_to_user include/linux/uaccess.h:209 [inline] + move_addr_to_user+0x3a2/0x640 net/socket.c:237 + ____sys_recvmsg+0x696/0xd50 net/socket.c:2575 + ___sys_recvmsg net/socket.c:2610 [inline] + do_recvmmsg+0xa97/0x22d0 net/socket.c:2710 + __sys_recvmmsg net/socket.c:2789 [inline] + __do_sys_recvmmsg net/socket.c:2812 [inline] + __se_sys_recvmmsg+0x24a/0x410 net/socket.c:2805 + __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2805 + do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x465f69 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f43659d6188 EFLAGS: 00000246 ORIG_RAX: 000000000000012b +RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69 +RDX: 0000000000000008 RSI: 0000000020003e40 RDI: 0000000000000003 +RBP: 00000000004bfa8f R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000010060 R11: 0000000000000246 R12: 000000000056bf60 +R13: 0000000000a9fb1f R14: 00007f43659d6300 R15: 0000000000022000 + +Local variable ----addr@____sys_recvmsg created at: + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + ____sys_recvmsg+0x168/0xd50 net/socket.c:2550 + +Bytes 2-3 of 12 are uninitialized +Memory access of size 12 starts at ffff88817c627b40 +Data copied to user address 0000000020000140 + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Signed-off-by: Eric Dumazet +Cc: Courtney Cavin +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -868,6 +868,11 @@ static int qrtr_recvmsg(struct socket *s + rc = copied; + + if (addr) { ++ /* There is an anonymous 2-byte hole after sq_family, ++ * make sure to clear it. ++ */ ++ memset(addr, 0, sizeof(*addr)); ++ + cb = (struct qrtr_cb *)skb->cb; + addr->sq_family = AF_QIPCRTR; + addr->sq_node = cb->src_node; diff --git a/queue-4.19/net-sched-validate-stab-values.patch b/queue-4.19/net-sched-validate-stab-values.patch new file mode 100644 index 00000000000..bad87d24ec6 --- /dev/null +++ b/queue-4.19/net-sched-validate-stab-values.patch @@ -0,0 +1,178 @@ +From e323d865b36134e8c5c82c834df89109a5c60dab Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 10 Mar 2021 08:26:41 -0800 +Subject: net: sched: validate stab values + +From: Eric Dumazet + +commit e323d865b36134e8c5c82c834df89109a5c60dab upstream. + +iproute2 package is well behaved, but malicious user space can +provide illegal shift values and trigger UBSAN reports. + +Add stab parameter to red_check_params() to validate user input. + +syzbot reported: + +UBSAN: shift-out-of-bounds in ./include/net/red.h:312:18 +shift exponent 111 is too large for 64-bit type 'long unsigned int' +CPU: 1 PID: 14662 Comm: syz-executor.3 Not tainted 5.12.0-rc2-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 + __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 + red_calc_qavg_from_idle_time include/net/red.h:312 [inline] + red_calc_qavg include/net/red.h:353 [inline] + choke_enqueue.cold+0x18/0x3dd net/sched/sch_choke.c:221 + __dev_xmit_skb net/core/dev.c:3837 [inline] + __dev_queue_xmit+0x1943/0x2e00 net/core/dev.c:4150 + neigh_hh_output include/net/neighbour.h:499 [inline] + neigh_output include/net/neighbour.h:508 [inline] + ip6_finish_output2+0x911/0x1700 net/ipv6/ip6_output.c:117 + __ip6_finish_output net/ipv6/ip6_output.c:182 [inline] + __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161 + ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192 + NF_HOOK_COND include/linux/netfilter.h:290 [inline] + ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215 + dst_output include/net/dst.h:448 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + NF_HOOK include/linux/netfilter.h:295 [inline] + ip6_xmit+0x127e/0x1eb0 net/ipv6/ip6_output.c:320 + inet6_csk_xmit+0x358/0x630 net/ipv6/inet6_connection_sock.c:135 + dccp_transmit_skb+0x973/0x12c0 net/dccp/output.c:138 + dccp_send_reset+0x21b/0x2b0 net/dccp/output.c:535 + dccp_finish_passive_close net/dccp/proto.c:123 [inline] + dccp_finish_passive_close+0xed/0x140 net/dccp/proto.c:118 + dccp_terminate_connection net/dccp/proto.c:958 [inline] + dccp_close+0xb3c/0xe60 net/dccp/proto.c:1028 + inet_release+0x12e/0x280 net/ipv4/af_inet.c:431 + inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478 + __sock_release+0xcd/0x280 net/socket.c:599 + sock_close+0x18/0x20 net/socket.c:1258 + __fput+0x288/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 kernel/task_work.c:140 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + +Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/red.h | 10 +++++++++- + net/sched/sch_choke.c | 7 ++++--- + net/sched/sch_gred.c | 2 +- + net/sched/sch_red.c | 7 +++++-- + net/sched/sch_sfq.c | 2 +- + 5 files changed, 20 insertions(+), 8 deletions(-) + +--- a/include/net/red.h ++++ b/include/net/red.h +@@ -168,7 +168,8 @@ static inline void red_set_vars(struct r + v->qcount = -1; + } + +-static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, u8 Scell_log) ++static inline bool red_check_params(u32 qth_min, u32 qth_max, u8 Wlog, ++ u8 Scell_log, u8 *stab) + { + if (fls(qth_min) + Wlog > 32) + return false; +@@ -178,6 +179,13 @@ static inline bool red_check_params(u32 + return false; + if (qth_max < qth_min) + return false; ++ if (stab) { ++ int i; ++ ++ for (i = 0; i < RED_STAB_SIZE; i++) ++ if (stab[i] >= 32) ++ return false; ++ } + return true; + } + +--- a/net/sched/sch_choke.c ++++ b/net/sched/sch_choke.c +@@ -355,6 +355,7 @@ static int choke_change(struct Qdisc *sc + struct sk_buff **old = NULL; + unsigned int mask; + u32 max_P; ++ u8 *stab; + + if (opt == NULL) + return -EINVAL; +@@ -370,8 +371,8 @@ static int choke_change(struct Qdisc *sc + max_P = tb[TCA_CHOKE_MAX_P] ? nla_get_u32(tb[TCA_CHOKE_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_CHOKE_PARMS]); +- +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ stab = nla_data(tb[TCA_CHOKE_STAB]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab)) + return -EINVAL; + + if (ctl->limit > CHOKE_MAX_QUEUE) +@@ -421,7 +422,7 @@ static int choke_change(struct Qdisc *sc + + red_set_parms(&q->parms, ctl->qth_min, ctl->qth_max, ctl->Wlog, + ctl->Plog, ctl->Scell_log, +- nla_data(tb[TCA_CHOKE_STAB]), ++ stab, + max_P); + red_set_vars(&q->vars); + +--- a/net/sched/sch_gred.c ++++ b/net/sched/sch_gred.c +@@ -357,7 +357,7 @@ static inline int gred_change_vq(struct + struct gred_sched *table = qdisc_priv(sch); + struct gred_sched_data *q = table->tab[dp]; + +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log, stab)) + return -EINVAL; + + if (!q) { +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -199,6 +199,7 @@ static int red_change(struct Qdisc *sch, + struct Qdisc *child = NULL; + int err; + u32 max_P; ++ u8 *stab; + + if (opt == NULL) + return -EINVAL; +@@ -214,7 +215,9 @@ static int red_change(struct Qdisc *sch, + max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0; + + ctl = nla_data(tb[TCA_RED_PARMS]); +- if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ctl->Scell_log)) ++ stab = nla_data(tb[TCA_RED_STAB]); ++ if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog, ++ ctl->Scell_log, stab)) + return -EINVAL; + + if (ctl->limit > 0) { +@@ -240,7 +243,7 @@ static int red_change(struct Qdisc *sch, + red_set_parms(&q->parms, + ctl->qth_min, ctl->qth_max, ctl->Wlog, + ctl->Plog, ctl->Scell_log, +- nla_data(tb[TCA_RED_STAB]), ++ stab, + max_P); + red_set_vars(&q->vars); + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -651,7 +651,7 @@ static int sfq_change(struct Qdisc *sch, + } + + if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max, +- ctl_v1->Wlog, ctl_v1->Scell_log)) ++ ctl_v1->Wlog, ctl_v1->Scell_log, NULL)) + return -EINVAL; + if (ctl_v1 && ctl_v1->qth_min) { + p = kmalloc(sizeof(*p), GFP_KERNEL); diff --git a/queue-4.19/series b/queue-4.19/series index 12ffc5eee31..fbd3022e03d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -65,3 +65,7 @@ scsi-mpt3sas-fix-error-return-code-of-mpt3sas_base_a.patch locking-mutex-fix-non-debug-version-of-mutex_lock_io_nested.patch x86-mem_encrypt-correct-physical-address-calculation-in-__set_clr_pte_enc.patch can-dev-move-device-back-to-init-netns-on-owning-netns-delete.patch +net-sched-validate-stab-values.patch +net-qrtr-fix-a-kernel-infoleak-in-qrtr_recvmsg.patch +mac80211-fix-double-free-in-ibss_leave.patch +ext4-add-reclaim-checks-to-xattr-code.patch -- 2.47.3