From 861233c96f3bec6fa7505360bb302fa4bee97640 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 4 Mar 2021 15:33:40 +0100 Subject: [PATCH] 4.4-stable patches added patches: jfs-more-checks-for-invalid-superblock.patch net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch xfs-fix-assert-failure-in-xfs_setattr_size.patch --- ...s-more-checks-for-invalid-superblock.patch | 82 +++++++++++++++++++ ...-cloned-skb-in-skb_prepare_for_shift.patch | 54 ++++++++++++ queue-4.4/series | 3 + ...x-assert-failure-in-xfs_setattr_size.patch | 35 ++++++++ 4 files changed, 174 insertions(+) create mode 100644 queue-4.4/jfs-more-checks-for-invalid-superblock.patch create mode 100644 queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch create mode 100644 queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch diff --git a/queue-4.4/jfs-more-checks-for-invalid-superblock.patch b/queue-4.4/jfs-more-checks-for-invalid-superblock.patch new file mode 100644 index 00000000000..09a4a2be88a --- /dev/null +++ b/queue-4.4/jfs-more-checks-for-invalid-superblock.patch 
@@ -0,0 +1,82 @@ +From 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Fri, 18 Dec 2020 12:17:16 -0800 +Subject: JFS: more checks for invalid superblock + +From: Randy Dunlap + +commit 3bef198f1b17d1bb89260bad947ef084c0a2d1a6 upstream. + +syzbot is feeding invalid superblock data to JFS for mount testing. +JFS does not check several of the fields -- just assumes that they +are good since the JFS_MAGIC and version fields are good. + +In this case (syzbot reproducer), we have s_l2bsize == 0xda0c, +pad == 0xf045, and s_state == 0x50, all of which are invalid IMO. +Having s_l2bsize == 0xda0c causes this UBSAN warning: + UBSAN: shift-out-of-bounds in fs/jfs/jfs_mount.c:373:25 + shift exponent -9716 is negative + +s_l2bsize can be tested for correctness. pad can be tested for non-0 +and punted. s_state can be tested for its valid values and punted. + +Do those 3 tests and if any of them fails, report the superblock as +invalid/corrupt and let fsck handle it. + +With this patch, chkSuper() says this when JFS_DEBUG is enabled: + jfs_mount: Mount Failure: superblock is corrupt! + Mount JFS Failure: -22 + jfs_mount failed w/return code = -22 + +The obvious problem with this method is that next week there could +be another syzbot test that uses different fields for invalid values, +this making this like a game of whack-a-mole. 
+ +syzkaller link: https://syzkaller.appspot.com/bug?extid=36315852ece4132ec193 + +Reported-by: syzbot+36315852ece4132ec193@syzkaller.appspotmail.com +Reported-by: kernel test robot # v2 +Signed-off-by: Randy Dunlap +Signed-off-by: Dave Kleikamp +Cc: jfs-discussion@lists.sourceforge.net +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_filsys.h | 1 + + fs/jfs/jfs_mount.c | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h +@@ -281,5 +281,6 @@ + * fsck() must be run to repair + */ + #define FM_EXTENDFS 0x00000008 /* file system extendfs() in progress */ ++#define FM_STATE_MAX 0x0000000f /* max value of s_state */ + + #endif /* _H_JFS_FILSYS */ +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -49,6 +49,7 @@ + + #include + #include ++#include + + #include "jfs_incore.h" + #include "jfs_filsys.h" +@@ -378,6 +379,15 @@ static int chkSuper(struct super_block * + sbi->bsize = bsize; + sbi->l2bsize = le16_to_cpu(j_sb->s_l2bsize); + ++ /* check some fields for possible corruption */ ++ if (sbi->l2bsize != ilog2((u32)bsize) || ++ j_sb->pad != 0 || ++ le32_to_cpu(j_sb->s_state) > FM_STATE_MAX) { ++ rc = -EINVAL; ++ jfs_err("jfs_mount: Mount Failure: superblock is corrupt!"); ++ goto out; ++ } ++ + /* + * For now, ignore s_pbsize, l2bfactor. All I/O going through buffer + * cache. diff --git a/queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch b/queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch new file mode 100644 index 00000000000..44c3762cad6 --- /dev/null +++ b/queue-4.4/net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch 
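Review bot: The new `sbi->l2bsize != ilog2((u32)bsize)` test only confirms that s_l2bsize matches the position of the top set bit of s_bsize; a non-power-of-two s_bsize (say 4097 with s_l2bsize == 12) still passes, and ilog2() of a zero s_bsize is documented as undefined, so the check does not by itself pin the block size to something the rest of the mount path can trust. Unless the earlier `_JFS_4K` comparison of s_bsize against PSIZE is compiled in (it sits before this hunk, so I cannot confirm it here), I would tighten the condition to `if (!is_power_of_2(bsize) || sbi->l2bsize != ilog2((u32)bsize) ||` — `is_power_of_2()` returns false for 0 and lives in the same header the hunk adds (presumably `linux/log2.h`, given the `ilog2()` use). Since every one of these fields comes straight from an attacker-supplied image, it would also help triage to say which check failed rather than the generic "superblock is corrupt!", e.g. by including `bsize`, `sbi->l2bsize`, `j_sb->pad` and the decoded `s_state` in the `jfs_err()` message. chkSuper() begins and ends outside the hunk.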
@@ -0,0 +1,54 @@ +From 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 Mon Sep 17 00:00:00 2001 +From: Marco Elver +Date: Mon, 1 Feb 2021 17:04:20 +0100 +Subject: net: fix up truesize of cloned skb in skb_prepare_for_shift() + +From: Marco Elver + +commit 097b9146c0e26aabaa6ff3e5ea536a53f5254a79 upstream. + +Avoid the assumption that ksize(kmalloc(S)) == ksize(kmalloc(S)): when +cloning an skb, save and restore truesize after pskb_expand_head(). This +can occur if the allocator decides to service an allocation of the same +size differently (e.g. use a different size class, or pass the +allocation on to KFENCE). + +Because truesize is used for bookkeeping (such as sk_wmem_queued), a +modified truesize of a cloned skb may result in corrupt bookkeeping and +relevant warnings (such as in sk_stream_kill_queues()). + +Link: https://lkml.kernel.org/r/X9JR/J6dMMOy1obu@elver.google.com +Reported-by: syzbot+7b99aafdcc2eedea6178@syzkaller.appspotmail.com +Suggested-by: Eric Dumazet +Signed-off-by: Marco Elver +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20210201160420.2826895-1-elver@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2628,7 +2628,19 @@ EXPORT_SYMBOL(skb_split); + */ + static int skb_prepare_for_shift(struct sk_buff *skb) + { +- return skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ int ret = 0; ++ ++ if (skb_cloned(skb)) { ++ /* Save and restore truesize: pskb_expand_head() may reallocate ++ * memory where ksize(kmalloc(S)) != ksize(kmalloc(S)), but we ++ * cannot change truesize at this point. ++ */ ++ unsigned int save_truesize = skb->truesize; ++ ++ ret = pskb_expand_head(skb, 0, 0, GFP_ATOMIC); ++ skb->truesize = save_truesize; ++ } ++ return ret; + } + + /** diff --git a/queue-4.4/series b/queue-4.4/series index a1af25cb248..3c66509271a 100644 
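Review bot: The new comment in skb_prepare_for_shift() says truesize "cannot change at this point" but not why, and that reason is exactly what a future reader needs before deciding whether the forced restore is still correct after some later refactor. I would extend it with the rationale from the commit message, in the file's `/* */` style: `/* the caller has already charged skb->truesize to the socket (sk_wmem_queued etc.); letting a clone's truesize drift would corrupt that bookkeeping */`. It is also worth stating that after a successful pskb_expand_head() the restored truesize deliberately no longer matches the real head allocation, so nobody later "fixes" it back. The unconditional restore on the failure path is harmless if pskb_expand_head() leaves the skb untouched on error, as I believe it does, but a short remark would save the next reader that check.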
--- a/queue-4.4/series +++ b/queue-4.4/series @@ -5,3 +5,6 @@ mmc-sdhci-esdhc-imx-fix-kernel-panic-when-remove-module.patch scripts-use-pkg-config-to-locate-libcrypto.patch scripts-set-proper-openssl-include-dir-also-for-sign-file.patch hugetlb-fix-update_and_free_page-contig-page-struct-assumption.patch +jfs-more-checks-for-invalid-superblock.patch +xfs-fix-assert-failure-in-xfs_setattr_size.patch +net-fix-up-truesize-of-cloned-skb-in-skb_prepare_for_shift.patch diff --git a/queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch b/queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch new file mode 100644 index 00000000000..a7927063188 --- /dev/null +++ b/queue-4.4/xfs-fix-assert-failure-in-xfs_setattr_size.patch @@ -0,0 +1,35 @@ +From 88a9e03beef22cc5fabea344f54b9a0dfe63de08 Mon Sep 17 00:00:00 2001 +From: Yumei Huang +Date: Fri, 22 Jan 2021 16:48:19 -0800 +Subject: xfs: Fix assert failure in xfs_setattr_size() + +From: Yumei Huang + +commit 88a9e03beef22cc5fabea344f54b9a0dfe63de08 upstream. + +An assert failure is triggered by syzkaller test due to +ATTR_KILL_PRIV is not cleared before xfs_setattr_size. +As ATTR_KILL_PRIV is not checked/used by xfs_setattr_size, +just remove it from the assert. + +Signed-off-by: Yumei Huang +Reviewed-by: Brian Foster +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_iops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/xfs_iops.c ++++ b/fs/xfs/xfs_iops.c +@@ -770,7 +770,7 @@ xfs_setattr_size( + ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL)); + ASSERT(S_ISREG(ip->i_d.di_mode)); + ASSERT((iattr->ia_valid & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET| +- ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0); ++ ATTR_MTIME_SET|ATTR_TIMES_SET)) == 0); + + oldsize = inode->i_size; + newsize = iattr->ia_size; -- 2.47.3
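Review bot: Removing ATTR_KILL_PRIV from the ASSERT in xfs_setattr_size() is only safe if the privilege stripping the flag requests (dropping security.capability on write) has already been done by the VFS before ->setattr is reached; the commit message says the flag is merely "not cleared", which suggests that is the case, but nothing in the hunk records it, so the next reader may either re-add the flag or assume XFS must act on it. I would add a comment above the ASSERT: `/* ATTR_KILL_PRIV is acted on by the VFS (notify_change) before ->setattr and may still be set in ia_valid; it needs no handling here. */`, hedged to "presumably" if the notify_change() behaviour for this kernel is not verified while backporting. xfs_setattr_size() starts and ends outside the hunk.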