From aacd346f67c6f2aeb3bb5ddfca979691078b8bad Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 13 Aug 2022 16:36:17 +0200 Subject: [PATCH] 5.19-stable patches added patches: fuse-fix-deadlock-between-atomic-o_trunc-and-page-invalidation.patch fuse-ioctl-translate-enosys.patch fuse-limit-nsec.patch fuse-write-inode-in-fuse_release.patch ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch ksmbd-prevent-out-of-bound-read-for-smb2_write.patch mbcache-add-functions-to-delete-entry-if-unused.patch mbcache-don-t-reclaim-used-entries.patch md-raid-destroy-the-bitmap-after-destroying-the-thread.patch md-raid10-fix-kasan-warning.patch media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch serial-mvebu-uart-uart2-error-bits-clearing.patch --- ...atomic-o_trunc-and-page-invalidation.patch | 169 +++++++ queue-5.19/fuse-ioctl-translate-enosys.patch | 84 ++++ queue-5.19/fuse-limit-nsec.patch | 34 ++ .../fuse-write-inode-in-fuse_release.patch | 43 ++ ...atible-pointer-types-in-ia64_get_irr.patch | 44 ++ ...eap-based-overflow-in-set_ntacl_dacl.patch | 430 ++++++++++++++++++ ...memory-leak-in-smb2_handle_negotiate.patch | 42 ++ ...fter-free-bug-in-smb2_tree_disconect.patch | 59 +++ ...of-bound-read-for-smb2_tree_connnect.patch | 69 +++ ...ent-out-of-bound-read-for-smb2_write.patch | 121 +++++ ...-functions-to-delete-entry-if-unused.patch | 148 ++++++ .../mbcache-don-t-reclaim-used-entries.patch | 50 ++ ...e-bitmap-after-destroying-the-thread.patch | 129 ++++++ queue-5.19/md-raid10-fix-kasan-warning.patch | 148 ++++++ ...elect-v4l2_fwnode-to-fix-build-error.patch | 39 ++ ...hree-missing-checks-on-list-iterator.patch | 142 ++++++ ...mvebu-uart-uart2-error-bits-clearing.patch | 58 +++ queue-5.19/series | 17 + 18 files changed, 1826 insertions(+) create mode 100644 queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-invalidation.patch create mode 100644 queue-5.19/fuse-ioctl-translate-enosys.patch create mode 100644 queue-5.19/fuse-limit-nsec.patch create mode 100644 queue-5.19/fuse-write-inode-in-fuse_release.patch create mode 100644 queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch create mode 100644 queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch create mode 100644 queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch create mode 100644 queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch create mode 100644 queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch create mode 100644 queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch create mode 100644 queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch create mode 100644 queue-5.19/mbcache-don-t-reclaim-used-entries.patch create mode 100644 queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch create mode 100644 queue-5.19/md-raid10-fix-kasan-warning.patch create mode 100644 queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch create mode 100644 queue-5.19/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch create mode 100644 queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch diff --git a/queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-invalidation.patch b/queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-invalidation.patch new file mode 100644 index 00000000000..0725302e7dc --- /dev/null +++ b/queue-5.19/fuse-fix-deadlock-between-atomic-o_trunc-and-page-invalidation.patch @@ -0,0 +1,169 @@ +From 2fdbb8dd01556e1501132b5ad3826e8f71e24a8b Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Fri, 22 Apr 2022 15:48:53 +0200 +Subject: fuse: fix deadlock between atomic O_TRUNC and page invalidation + +From: Miklos Szeredi + +commit 2fdbb8dd01556e1501132b5ad3826e8f71e24a8b upstream. + +fuse_finish_open() will be called with FUSE_NOWRITE set in case of atomic +O_TRUNC open(), so commit 76224355db75 ("fuse: truncate pagecache on +atomic_o_trunc") replaced invalidate_inode_pages2() by truncate_pagecache() +in such a case to avoid the A-A deadlock. However, we found another A-B-B-A +deadlock related to the case above, which will cause the xfstests +generic/464 testcase hung in our virtio-fs test environment. + +For example, consider two processes concurrently open one same file, one +with O_TRUNC and another without O_TRUNC. The deadlock case is described +below, if open(O_TRUNC) is already set_nowrite(acquired A), and is trying +to lock a page (acquiring B), open() could have held the page lock +(acquired B), and waiting on the page writeback (acquiring A). This would +lead to deadlocks. + +open(O_TRUNC) +---------------------------------------------------------------- +fuse_open_common + inode_lock [C acquire] + fuse_set_nowrite [A acquire] + + fuse_finish_open + truncate_pagecache + lock_page [B acquire] + truncate_inode_page + unlock_page [B release] + + fuse_release_nowrite [A release] + inode_unlock [C release] +---------------------------------------------------------------- + +open() +---------------------------------------------------------------- +fuse_open_common + fuse_finish_open + invalidate_inode_pages2 + lock_page [B acquire] + fuse_launder_page + fuse_wait_on_page_writeback [A acquire & release] + unlock_page [B release] +---------------------------------------------------------------- + +Besides this case, all calls of invalidate_inode_pages2() and +invalidate_inode_pages2_range() in fuse code also can deadlock with +open(O_TRUNC). + +Fix by moving the truncate_pagecache() call outside the nowrite protected +region. The nowrite protection is only for delayed writeback +(writeback_cache) case, where inode lock does not protect against +truncation racing with writes on the server. Write syscalls racing with +page cache truncation still get the inode lock protection. + +This patch also changes the order of filemap_invalidate_lock() +vs. fuse_set_nowrite() in fuse_open_common(). This new order matches the +order found in fuse_file_fallocate() and fuse_do_setattr(). + +Reported-by: Jiachen Zhang +Tested-by: Jiachen Zhang +Fixes: e4648309b85a ("fuse: truncate pending writes on O_TRUNC") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dir.c | 7 ++++++- + fs/fuse/file.c | 30 +++++++++++++++++------------- + 2 files changed, 23 insertions(+), 14 deletions(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -537,6 +537,7 @@ static int fuse_create_open(struct inode + struct fuse_file *ff; + void *security_ctx = NULL; + u32 security_ctxlen; ++ bool trunc = flags & O_TRUNC; + + /* Userspace expects S_IFREG in create mode */ + BUG_ON((mode & S_IFMT) != S_IFREG); +@@ -561,7 +562,7 @@ static int fuse_create_open(struct inode + inarg.mode = mode; + inarg.umask = current_umask(); + +- if (fm->fc->handle_killpriv_v2 && (flags & O_TRUNC) && ++ if (fm->fc->handle_killpriv_v2 && trunc && + !(flags & O_EXCL) && !capable(CAP_FSETID)) { + inarg.open_flags |= FUSE_OPEN_KILL_SUIDGID; + } +@@ -623,6 +624,10 @@ static int fuse_create_open(struct inode + } else { + file->private_data = ff; + fuse_finish_open(inode, file); ++ if (fm->fc->atomic_o_trunc && trunc) ++ truncate_pagecache(inode, 0); ++ else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) ++ invalidate_inode_pages2(inode->i_mapping); + } + return err; + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -210,13 +210,9 @@ void fuse_finish_open(struct inode *inod + fi->attr_version = atomic64_inc_return(&fc->attr_version); + i_size_write(inode, 0); + spin_unlock(&fi->lock); +- truncate_pagecache(inode, 0); + file_update_time(file); + fuse_invalidate_attr_mask(inode, FUSE_STATX_MODSIZE); +- } else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) { +- invalidate_inode_pages2(inode->i_mapping); + } +- + if ((file->f_mode & FMODE_WRITE) && fc->writeback_cache) + fuse_link_write_file(file); + } +@@ -239,30 +235,38 @@ int fuse_open_common(struct inode *inode + if (err) + return err; + +- if (is_wb_truncate || dax_truncate) { ++ if (is_wb_truncate || dax_truncate) + inode_lock(inode); +- fuse_set_nowrite(inode); +- } + + if (dax_truncate) { + filemap_invalidate_lock(inode->i_mapping); + err = fuse_dax_break_layouts(inode, 0, 0); + if (err) +- goto out; ++ goto out_inode_unlock; + } + ++ if (is_wb_truncate || dax_truncate) ++ fuse_set_nowrite(inode); ++ + err = fuse_do_open(fm, get_node_id(inode), file, isdir); + if (!err) + fuse_finish_open(inode, file); + +-out: ++ if (is_wb_truncate || dax_truncate) ++ fuse_release_nowrite(inode); ++ if (!err) { ++ struct fuse_file *ff = file->private_data; ++ ++ if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) ++ truncate_pagecache(inode, 0); ++ else if (!(ff->open_flags & FOPEN_KEEP_CACHE)) ++ invalidate_inode_pages2(inode->i_mapping); ++ } + if (dax_truncate) + filemap_invalidate_unlock(inode->i_mapping); +- +- if (is_wb_truncate | dax_truncate) { +- fuse_release_nowrite(inode); ++out_inode_unlock: ++ if (is_wb_truncate || dax_truncate) + inode_unlock(inode); +- } + + return err; + } diff --git a/queue-5.19/fuse-ioctl-translate-enosys.patch b/queue-5.19/fuse-ioctl-translate-enosys.patch new file mode 100644 index 00000000000..2783df115f4 --- /dev/null +++ b/queue-5.19/fuse-ioctl-translate-enosys.patch @@ -0,0 +1,84 @@ +From 02c0cab8e7345b06f1c0838df444e2902e4138d3 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 21 Jul 2022 16:06:18 +0200 +Subject: fuse: ioctl: translate ENOSYS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miklos Szeredi + +commit 02c0cab8e7345b06f1c0838df444e2902e4138d3 upstream. + +Overlayfs may fail to complete updates when a filesystem lacks +fileattr/xattr syscall support and responds with an ENOSYS error code, +resulting in an unexpected "Function not implemented" error. + +This bug may occur with FUSE filesystems, such as davfs2. + +Steps to reproduce: + + # install davfs2, e.g., apk add davfs2 + mkdir /test mkdir /test/lower /test/upper /test/work /test/mnt + yes '' | mount -t davfs -o ro http://some-web-dav-server/path \ + /test/lower + mount -t overlay -o upperdir=/test/upper,lowerdir=/test/lower \ + -o workdir=/test/work overlay /test/mnt + + # when "some-file" exists in the lowerdir, this fails with "Function + # not implemented", with dmesg showing "overlayfs: failed to retrieve + # lower fileattr (/some-file, err=-38)" + touch /test/mnt/some-file + +The underlying cause of this regresion is actually in FUSE, which fails to +translate the ENOSYS error code returned by userspace filesystem (which +means that the ioctl operation is not supported) to ENOTTY. + +Reported-by: Christian Kohlschütter +Fixes: 72db82115d2b ("ovl: copy up sync/noatime fileattr flags") +Fixes: 59efec7b9039 ("fuse: implement ioctl support") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -9,6 +9,17 @@ + #include + #include + ++static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) ++{ ++ ssize_t ret = fuse_simple_request(fm, args); ++ ++ /* Translate ENOSYS, which shouldn't be returned from fs */ ++ if (ret == -ENOSYS) ++ ret = -ENOTTY; ++ ++ return ret; ++} ++ + /* + * CUSE servers compiled on 32bit broke on 64bit kernels because the + * ABI was defined to be 'struct iovec' which is different on 32bit +@@ -259,7 +270,7 @@ long fuse_do_ioctl(struct file *file, un + ap.args.out_pages = true; + ap.args.out_argvar = true; + +- transferred = fuse_simple_request(fm, &ap.args); ++ transferred = fuse_send_ioctl(fm, &ap.args); + err = transferred; + if (transferred < 0) + goto out; +@@ -393,7 +404,7 @@ static int fuse_priv_ioctl(struct inode + args.out_args[1].size = inarg.out_size; + args.out_args[1].value = ptr; + +- err = fuse_simple_request(fm, &args); ++ err = fuse_send_ioctl(fm, &args); + if (!err) { + if (outarg.result < 0) + err = outarg.result; diff --git a/queue-5.19/fuse-limit-nsec.patch b/queue-5.19/fuse-limit-nsec.patch new file mode 100644 index 00000000000..5a37d104a40 --- /dev/null +++ b/queue-5.19/fuse-limit-nsec.patch @@ -0,0 +1,34 @@ +From 47912eaa061a6a81e4aa790591a1874c650733c0 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 21 Jul 2022 16:06:18 +0200 +Subject: fuse: limit nsec + +From: Miklos Szeredi + +commit 47912eaa061a6a81e4aa790591a1874c650733c0 upstream. + +Limit nanoseconds to 0..999999999. + +Fixes: d8a5ba45457e ("[PATCH] FUSE - core") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -180,6 +180,12 @@ void fuse_change_attributes_common(struc + inode->i_uid = make_kuid(fc->user_ns, attr->uid); + inode->i_gid = make_kgid(fc->user_ns, attr->gid); + inode->i_blocks = attr->blocks; ++ ++ /* Sanitize nsecs */ ++ attr->atimensec = min_t(u32, attr->atimensec, NSEC_PER_SEC - 1); ++ attr->mtimensec = min_t(u32, attr->mtimensec, NSEC_PER_SEC - 1); ++ attr->ctimensec = min_t(u32, attr->ctimensec, NSEC_PER_SEC - 1); ++ + inode->i_atime.tv_sec = attr->atime; + inode->i_atime.tv_nsec = attr->atimensec; + /* mtime from server may be stale due to local buffered write */ diff --git a/queue-5.19/fuse-write-inode-in-fuse_release.patch b/queue-5.19/fuse-write-inode-in-fuse_release.patch new file mode 100644 index 00000000000..bcad718444e --- /dev/null +++ b/queue-5.19/fuse-write-inode-in-fuse_release.patch @@ -0,0 +1,43 @@ +From 035ff33cf4db101250fb980a3941bf078f37a544 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 20 Apr 2022 16:05:41 +0200 +Subject: fuse: write inode in fuse_release() + +From: Miklos Szeredi + +commit 035ff33cf4db101250fb980a3941bf078f37a544 upstream. + +A race between write(2) and close(2) allows pages to be dirtied after +fuse_flush -> write_inode_now(). If these pages are not flushed from +fuse_release(), then there might not be a writable open file later. So any +remaining dirty pages must be written back before the file is released. + +This is a partial revert of the blamed commit. + +Reported-by: syzbot+6e1efbd8efaaa6860e91@syzkaller.appspotmail.com +Fixes: 36ea23374d1f ("fuse: write inode in fuse_vma_close() instead of fuse_release()") +Cc: # v5.16 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -338,6 +338,15 @@ static int fuse_open(struct inode *inode + + static int fuse_release(struct inode *inode, struct file *file) + { ++ struct fuse_conn *fc = get_fuse_conn(inode); ++ ++ /* ++ * Dirty pages might remain despite write_inode_now() call from ++ * fuse_flush() due to writes racing with the close. ++ */ ++ if (fc->writeback_cache) ++ write_inode_now(inode, 1); ++ + fuse_release_common(file, false); + + /* return value is ignored by VFS */ diff --git a/queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch b/queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch new file mode 100644 index 00000000000..30e026b287e --- /dev/null +++ b/queue-5.19/ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch @@ -0,0 +1,44 @@ +From e5a16a5c4602c119262f350274021f90465f479d Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Fri, 24 Jun 2022 14:13:05 +0200 +Subject: ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() + +From: Alexander Lobakin + +commit e5a16a5c4602c119262f350274021f90465f479d upstream. + +test_bit(), as any other bitmap op, takes `unsigned long *` as a +second argument (pointer to the actual bitmap), as any bitmap +itself is an array of unsigned longs. However, the ia64_get_irr() +code passes a ref to `u64` as a second argument. +This works with the ia64 bitops implementation due to that they +have `void *` as the second argument and then cast it later on. +This works with the bitmap API itself due to that `unsigned long` +has the same size on ia64 as `u64` (`unsigned long long`), but +from the compiler PoV those two are different. +Define @irr as `unsigned long` to fix that. That implies no +functional changes. Has been hidden for 16 years! + +Fixes: a58786917ce2 ("[IA64] avoid broken SAL_CACHE_FLUSH implementations") +Cc: stable@vger.kernel.org # 2.6.16+ +Reported-by: kernel test robot +Signed-off-by: Alexander Lobakin +Reviewed-by: Andy Shevchenko +Reviewed-by: Yury Norov +Signed-off-by: Yury Norov +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/include/asm/processor.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/ia64/include/asm/processor.h ++++ b/arch/ia64/include/asm/processor.h +@@ -538,7 +538,7 @@ ia64_get_irr(unsigned int vector) + { + unsigned int reg = vector / 64; + unsigned int bit = vector % 64; +- u64 irr; ++ unsigned long irr; + + switch (reg) { + case 0: irr = ia64_getreg(_IA64_REG_CR_IRR0); break; diff --git a/queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch b/queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch new file mode 100644 index 00000000000..4ad818cd2a1 --- /dev/null +++ b/queue-5.19/ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch @@ -0,0 +1,430 @@ +From 8f0541186e9ad1b62accc9519cc2b7a7240272a7 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Tue, 2 Aug 2022 07:28:51 +0900 +Subject: ksmbd: fix heap-based overflow in set_ntacl_dacl() + +From: Namjae Jeon + +commit 8f0541186e9ad1b62accc9519cc2b7a7240272a7 upstream. + +The testcase use SMB2_SET_INFO_HE command to set a malformed file attribute +under the label `security.NTACL`. SMB2_QUERY_INFO_HE command in testcase +trigger the following overflow. + +[ 4712.003781] ================================================================== +[ 4712.003790] BUG: KASAN: slab-out-of-bounds in build_sec_desc+0x842/0x1dd0 [ksmbd] +[ 4712.003807] Write of size 1060 at addr ffff88801e34c068 by task kworker/0:0/4190 + +[ 4712.003813] CPU: 0 PID: 4190 Comm: kworker/0:0 Not tainted 5.19.0-rc5 #1 +[ 4712.003850] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] +[ 4712.003867] Call Trace: +[ 4712.003870] +[ 4712.003873] dump_stack_lvl+0x49/0x5f +[ 4712.003935] print_report.cold+0x5e/0x5cf +[ 4712.003972] ? ksmbd_vfs_get_sd_xattr+0x16d/0x500 [ksmbd] +[ 4712.003984] ? cmp_map_id+0x200/0x200 +[ 4712.003988] ? build_sec_desc+0x842/0x1dd0 [ksmbd] +[ 4712.004000] kasan_report+0xaa/0x120 +[ 4712.004045] ? build_sec_desc+0x842/0x1dd0 [ksmbd] +[ 4712.004056] kasan_check_range+0x100/0x1e0 +[ 4712.004060] memcpy+0x3c/0x60 +[ 4712.004064] build_sec_desc+0x842/0x1dd0 [ksmbd] +[ 4712.004076] ? parse_sec_desc+0x580/0x580 [ksmbd] +[ 4712.004088] ? ksmbd_acls_fattr+0x281/0x410 [ksmbd] +[ 4712.004099] smb2_query_info+0xa8f/0x6110 [ksmbd] +[ 4712.004111] ? psi_group_change+0x856/0xd70 +[ 4712.004148] ? update_load_avg+0x1c3/0x1af0 +[ 4712.004152] ? asym_cpu_capacity_scan+0x5d0/0x5d0 +[ 4712.004157] ? xas_load+0x23/0x300 +[ 4712.004162] ? smb2_query_dir+0x1530/0x1530 [ksmbd] +[ 4712.004173] ? _raw_spin_lock_bh+0xe0/0xe0 +[ 4712.004179] handle_ksmbd_work+0x30e/0x1020 [ksmbd] +[ 4712.004192] process_one_work+0x778/0x11c0 +[ 4712.004227] ? _raw_spin_lock_irq+0x8e/0xe0 +[ 4712.004231] worker_thread+0x544/0x1180 +[ 4712.004234] ? __cpuidle_text_end+0x4/0x4 +[ 4712.004239] kthread+0x282/0x320 +[ 4712.004243] ? process_one_work+0x11c0/0x11c0 +[ 4712.004246] ? kthread_complete_and_exit+0x30/0x30 +[ 4712.004282] ret_from_fork+0x1f/0x30 + +This patch add the buffer validation for security descriptor that is +stored by malformed SMB2_SET_INFO_HE command. and allocate large +response buffer about SMB2_O_INFO_SECURITY file info class. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17771 +Reviewed-by: Hyunchul Lee +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 39 ++++++++++----- + fs/ksmbd/smbacl.c | 130 +++++++++++++++++++++++++++++++++++------------------ + fs/ksmbd/smbacl.h | 2 + fs/ksmbd/vfs.c | 5 ++ + 4 files changed, 119 insertions(+), 57 deletions(-) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -535,9 +535,10 @@ int smb2_allocate_rsp_buf(struct ksmbd_w + struct smb2_query_info_req *req; + + req = smb2_get_msg(work->request_buf); +- if (req->InfoType == SMB2_O_INFO_FILE && +- (req->FileInfoClass == FILE_FULL_EA_INFORMATION || +- req->FileInfoClass == FILE_ALL_INFORMATION)) ++ if ((req->InfoType == SMB2_O_INFO_FILE && ++ (req->FileInfoClass == FILE_FULL_EA_INFORMATION || ++ req->FileInfoClass == FILE_ALL_INFORMATION)) || ++ req->InfoType == SMB2_O_INFO_SECURITY) + sz = large_sz; + } + +@@ -2974,7 +2975,7 @@ int smb2_open(struct ksmbd_work *work) + goto err_out; + + rc = build_sec_desc(user_ns, +- pntsd, NULL, ++ pntsd, NULL, 0, + OWNER_SECINFO | + GROUP_SECINFO | + DACL_SECINFO, +@@ -3819,6 +3820,15 @@ static int verify_info_level(int info_le + return 0; + } + ++static int smb2_resp_buf_len(struct ksmbd_work *work, unsigned short hdr2_len) ++{ ++ int free_len; ++ ++ free_len = (int)(work->response_sz - ++ (get_rfc1002_len(work->response_buf) + 4)) - hdr2_len; ++ return free_len; ++} ++ + static int smb2_calc_max_out_buf_len(struct ksmbd_work *work, + unsigned short hdr2_len, + unsigned int out_buf_len) +@@ -3828,9 +3838,7 @@ static int smb2_calc_max_out_buf_len(str + if (out_buf_len > work->conn->vals->max_trans_size) + return -EINVAL; + +- free_len = (int)(work->response_sz - +- (get_rfc1002_len(work->response_buf) + 4)) - +- hdr2_len; ++ free_len = smb2_resp_buf_len(work, hdr2_len); + if (free_len < 0) + return -EINVAL; + +@@ -5093,10 +5101,10 @@ static int smb2_get_info_sec(struct ksmb + struct smb_ntsd *pntsd = (struct smb_ntsd *)rsp->Buffer, *ppntsd = NULL; + struct smb_fattr fattr = {{0}}; + struct inode *inode; +- __u32 secdesclen; ++ __u32 secdesclen = 0; + unsigned int id = KSMBD_NO_FID, pid = KSMBD_NO_FID; + int addition_info = le32_to_cpu(req->AdditionalInformation); +- int rc; ++ int rc = 0, ppntsd_size = 0; + + if (addition_info & ~(OWNER_SECINFO | GROUP_SECINFO | DACL_SECINFO | + PROTECTED_DACL_SECINFO | +@@ -5142,11 +5150,14 @@ static int smb2_get_info_sec(struct ksmb + + if (test_share_config_flag(work->tcon->share_conf, + KSMBD_SHARE_FLAG_ACL_XATTR)) +- ksmbd_vfs_get_sd_xattr(work->conn, user_ns, +- fp->filp->f_path.dentry, &ppntsd); +- +- rc = build_sec_desc(user_ns, pntsd, ppntsd, addition_info, +- &secdesclen, &fattr); ++ ppntsd_size = ksmbd_vfs_get_sd_xattr(work->conn, user_ns, ++ fp->filp->f_path.dentry, ++ &ppntsd); ++ ++ /* Check if sd buffer size exceeds response buffer size */ ++ if (smb2_resp_buf_len(work, 8) > ppntsd_size) ++ rc = build_sec_desc(user_ns, pntsd, ppntsd, ppntsd_size, ++ addition_info, &secdesclen, &fattr); + posix_acl_release(fattr.cf_acls); + posix_acl_release(fattr.cf_dacls); + kfree(ppntsd); +--- a/fs/ksmbd/smbacl.c ++++ b/fs/ksmbd/smbacl.c +@@ -690,6 +690,7 @@ posix_default_acl: + static void set_ntacl_dacl(struct user_namespace *user_ns, + struct smb_acl *pndacl, + struct smb_acl *nt_dacl, ++ unsigned int aces_size, + const struct smb_sid *pownersid, + const struct smb_sid *pgrpsid, + struct smb_fattr *fattr) +@@ -703,9 +704,19 @@ static void set_ntacl_dacl(struct user_n + if (nt_num_aces) { + ntace = (struct smb_ace *)((char *)nt_dacl + sizeof(struct smb_acl)); + for (i = 0; i < nt_num_aces; i++) { +- memcpy((char *)pndace + size, ntace, le16_to_cpu(ntace->size)); +- size += le16_to_cpu(ntace->size); +- ntace = (struct smb_ace *)((char *)ntace + le16_to_cpu(ntace->size)); ++ unsigned short nt_ace_size; ++ ++ if (offsetof(struct smb_ace, access_req) > aces_size) ++ break; ++ ++ nt_ace_size = le16_to_cpu(ntace->size); ++ if (nt_ace_size > aces_size) ++ break; ++ ++ memcpy((char *)pndace + size, ntace, nt_ace_size); ++ size += nt_ace_size; ++ aces_size -= nt_ace_size; ++ ntace = (struct smb_ace *)((char *)ntace + nt_ace_size); + num_aces++; + } + } +@@ -878,7 +889,7 @@ int parse_sec_desc(struct user_namespace + /* Convert permission bits from mode to equivalent CIFS ACL */ + int build_sec_desc(struct user_namespace *user_ns, + struct smb_ntsd *pntsd, struct smb_ntsd *ppntsd, +- int addition_info, __u32 *secdesclen, ++ int ppntsd_size, int addition_info, __u32 *secdesclen, + struct smb_fattr *fattr) + { + int rc = 0; +@@ -938,15 +949,25 @@ int build_sec_desc(struct user_namespace + + if (!ppntsd) { + set_mode_dacl(user_ns, dacl_ptr, fattr); +- } else if (!ppntsd->dacloffset) { +- goto out; + } else { + struct smb_acl *ppdacl_ptr; ++ unsigned int dacl_offset = le32_to_cpu(ppntsd->dacloffset); ++ int ppdacl_size, ntacl_size = ppntsd_size - dacl_offset; ++ ++ if (!dacl_offset || ++ (dacl_offset + sizeof(struct smb_acl) > ppntsd_size)) ++ goto out; ++ ++ ppdacl_ptr = (struct smb_acl *)((char *)ppntsd + dacl_offset); ++ ppdacl_size = le16_to_cpu(ppdacl_ptr->size); ++ if (ppdacl_size > ntacl_size || ++ ppdacl_size < sizeof(struct smb_acl)) ++ goto out; + +- ppdacl_ptr = (struct smb_acl *)((char *)ppntsd + +- le32_to_cpu(ppntsd->dacloffset)); + set_ntacl_dacl(user_ns, dacl_ptr, ppdacl_ptr, +- nowner_sid_ptr, ngroup_sid_ptr, fattr); ++ ntacl_size - sizeof(struct smb_acl), ++ nowner_sid_ptr, ngroup_sid_ptr, ++ fattr); + } + pntsd->dacloffset = cpu_to_le32(offset); + offset += le16_to_cpu(dacl_ptr->size); +@@ -980,24 +1001,31 @@ int smb_inherit_dacl(struct ksmbd_conn * + struct smb_sid owner_sid, group_sid; + struct dentry *parent = path->dentry->d_parent; + struct user_namespace *user_ns = mnt_user_ns(path->mnt); +- int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0; +- int rc = 0, num_aces, dacloffset, pntsd_type, acl_len; ++ int inherited_flags = 0, flags = 0, i, ace_cnt = 0, nt_size = 0, pdacl_size; ++ int rc = 0, num_aces, dacloffset, pntsd_type, pntsd_size, acl_len, aces_size; + char *aces_base; + bool is_dir = S_ISDIR(d_inode(path->dentry)->i_mode); + +- acl_len = ksmbd_vfs_get_sd_xattr(conn, user_ns, +- parent, &parent_pntsd); +- if (acl_len <= 0) ++ pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, ++ parent, &parent_pntsd); ++ if (pntsd_size <= 0) + return -ENOENT; + dacloffset = le32_to_cpu(parent_pntsd->dacloffset); +- if (!dacloffset) { ++ if (!dacloffset || (dacloffset + sizeof(struct smb_acl) > pntsd_size)) { + rc = -EINVAL; + goto free_parent_pntsd; + } + + parent_pdacl = (struct smb_acl *)((char *)parent_pntsd + dacloffset); ++ acl_len = pntsd_size - dacloffset; + num_aces = le32_to_cpu(parent_pdacl->num_aces); + pntsd_type = le16_to_cpu(parent_pntsd->type); ++ pdacl_size = le16_to_cpu(parent_pdacl->size); ++ ++ if (pdacl_size > acl_len || pdacl_size < sizeof(struct smb_acl)) { ++ rc = -EINVAL; ++ goto free_parent_pntsd; ++ } + + aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, GFP_KERNEL); + if (!aces_base) { +@@ -1008,11 +1036,23 @@ int smb_inherit_dacl(struct ksmbd_conn * + aces = (struct smb_ace *)aces_base; + parent_aces = (struct smb_ace *)((char *)parent_pdacl + + sizeof(struct smb_acl)); ++ aces_size = acl_len - sizeof(struct smb_acl); + + if (pntsd_type & DACL_AUTO_INHERITED) + inherited_flags = INHERITED_ACE; + + for (i = 0; i < num_aces; i++) { ++ int pace_size; ++ ++ if (offsetof(struct smb_ace, access_req) > aces_size) ++ break; ++ ++ pace_size = le16_to_cpu(parent_aces->size); ++ if (pace_size > aces_size) ++ break; ++ ++ aces_size -= pace_size; ++ + flags = parent_aces->flags; + if (!smb_inherit_flags(flags, is_dir)) + goto pass; +@@ -1057,8 +1097,7 @@ int smb_inherit_dacl(struct ksmbd_conn * + aces = (struct smb_ace *)((char *)aces + le16_to_cpu(aces->size)); + ace_cnt++; + pass: +- parent_aces = +- (struct smb_ace *)((char *)parent_aces + le16_to_cpu(parent_aces->size)); ++ parent_aces = (struct smb_ace *)((char *)parent_aces + pace_size); + } + + if (nt_size > 0) { +@@ -1153,7 +1192,7 @@ int smb_check_perm_dacl(struct ksmbd_con + struct smb_ntsd *pntsd = NULL; + struct smb_acl *pdacl; + struct posix_acl *posix_acls; +- int rc = 0, acl_size; ++ int rc = 0, pntsd_size, acl_size, aces_size, pdacl_size, dacl_offset; + struct smb_sid sid; + int granted = le32_to_cpu(*pdaccess & ~FILE_MAXIMAL_ACCESS_LE); + struct smb_ace *ace; +@@ -1162,37 +1201,33 @@ int smb_check_perm_dacl(struct ksmbd_con + struct smb_ace *others_ace = NULL; + struct posix_acl_entry *pa_entry; + unsigned int sid_type = SIDOWNER; +- char *end_of_acl; ++ unsigned short ace_size; + + ksmbd_debug(SMB, "check permission using windows acl\n"); +- acl_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, +- path->dentry, &pntsd); +- if (acl_size <= 0 || !pntsd || !pntsd->dacloffset) { +- kfree(pntsd); +- return 0; +- } ++ pntsd_size = ksmbd_vfs_get_sd_xattr(conn, user_ns, ++ path->dentry, &pntsd); ++ if (pntsd_size <= 0 || !pntsd) ++ goto err_out; ++ ++ dacl_offset = le32_to_cpu(pntsd->dacloffset); ++ if (!dacl_offset || ++ (dacl_offset + sizeof(struct smb_acl) > pntsd_size)) ++ goto err_out; + + pdacl = (struct smb_acl *)((char *)pntsd + le32_to_cpu(pntsd->dacloffset)); +- end_of_acl = ((char *)pntsd) + acl_size; +- if (end_of_acl <= (char *)pdacl) { +- kfree(pntsd); +- return 0; +- } ++ acl_size = pntsd_size - dacl_offset; ++ pdacl_size = le16_to_cpu(pdacl->size); + +- if (end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size) || +- le16_to_cpu(pdacl->size) < sizeof(struct smb_acl)) { +- kfree(pntsd); +- return 0; +- } ++ if (pdacl_size > acl_size || pdacl_size < sizeof(struct smb_acl)) ++ goto err_out; + + if (!pdacl->num_aces) { +- if (!(le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) && ++ if (!(pdacl_size - sizeof(struct smb_acl)) && + *pdaccess & ~(FILE_READ_CONTROL_LE | FILE_WRITE_DAC_LE)) { + rc = -EACCES; + goto err_out; + } +- kfree(pntsd); +- return 0; ++ goto err_out; + } + + if (*pdaccess & FILE_MAXIMAL_ACCESS_LE) { +@@ -1200,11 +1235,16 @@ int smb_check_perm_dacl(struct ksmbd_con + DELETE; + + ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); ++ aces_size = acl_size - sizeof(struct smb_acl); + for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { ++ if (offsetof(struct smb_ace, access_req) > aces_size) ++ break; ++ ace_size = le16_to_cpu(ace->size); ++ if (ace_size > aces_size) ++ break; ++ aces_size -= ace_size; + granted |= le32_to_cpu(ace->access_req); + ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size)); +- if (end_of_acl < (char *)ace) +- goto err_out; + } + + if (!pdacl->num_aces) +@@ -1216,7 +1256,15 @@ int smb_check_perm_dacl(struct ksmbd_con + id_to_sid(uid, sid_type, &sid); + + ace = (struct smb_ace *)((char *)pdacl + sizeof(struct smb_acl)); ++ aces_size = acl_size - sizeof(struct smb_acl); + for (i = 0; i < le32_to_cpu(pdacl->num_aces); i++) { ++ if (offsetof(struct smb_ace, access_req) > aces_size) ++ break; ++ ace_size = le16_to_cpu(ace->size); ++ if (ace_size > aces_size) ++ break; ++ aces_size -= ace_size; ++ + if (!compare_sids(&sid, &ace->sid) || + !compare_sids(&sid_unix_NFS_mode, &ace->sid)) { + found = 1; +@@ -1226,8 +1274,6 @@ int smb_check_perm_dacl(struct ksmbd_con + others_ace = ace; + + ace = (struct smb_ace *)((char *)ace + le16_to_cpu(ace->size)); +- if (end_of_acl < (char *)ace) +- goto err_out; + } + + if (*pdaccess & FILE_MAXIMAL_ACCESS_LE && found) { +--- a/fs/ksmbd/smbacl.h ++++ b/fs/ksmbd/smbacl.h +@@ -193,7 +193,7 @@ struct posix_acl_state { + int parse_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, + int acl_len, struct smb_fattr *fattr); + int build_sec_desc(struct user_namespace *user_ns, struct smb_ntsd *pntsd, +- struct smb_ntsd *ppntsd, int addition_info, ++ struct smb_ntsd *ppntsd, int ppntsd_size, int addition_info, + __u32 *secdesclen, struct smb_fattr *fattr); + int init_acl_state(struct posix_acl_state *state, int cnt); + void free_acl_state(struct posix_acl_state *state); +--- a/fs/ksmbd/vfs.c ++++ b/fs/ksmbd/vfs.c +@@ -1540,6 +1540,11 @@ int ksmbd_vfs_get_sd_xattr(struct ksmbd_ + } + + *pntsd = acl.sd_buf; ++ if (acl.sd_size < sizeof(struct smb_ntsd)) { ++ pr_err("sd size is invalid\n"); ++ goto out_free; ++ } ++ + (*pntsd)->osidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->osidoffset) - + NDR_NTSD_OFFSETOF); + (*pntsd)->gsidoffset = cpu_to_le32(le32_to_cpu((*pntsd)->gsidoffset) - diff --git a/queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch b/queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch new file mode 100644 index 00000000000..51e48a123a6 --- /dev/null +++ b/queue-5.19/ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch @@ -0,0 +1,42 @@ +From aa7253c2393f6dcd6a1468b0792f6da76edad917 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 28 Jul 2022 21:56:19 +0900 +Subject: ksmbd: fix memory leak in smb2_handle_negotiate + +From: Namjae Jeon + +commit aa7253c2393f6dcd6a1468b0792f6da76edad917 upstream. + +The allocated memory didn't free under an error +path in smb2_handle_negotiate(). + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17815 +Signed-off-by: Namjae Jeon +Reviewed-by: Hyunchul Lee +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -1139,12 +1139,16 @@ int smb2_handle_negotiate(struct ksmbd_w + status); + rsp->hdr.Status = status; + rc = -EINVAL; ++ kfree(conn->preauth_info); ++ conn->preauth_info = NULL; + goto err_out; + } + + rc = init_smb3_11_server(conn); + if (rc < 0) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; ++ kfree(conn->preauth_info); ++ conn->preauth_info = NULL; + goto err_out; + } + diff --git a/queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch b/queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch new file mode 100644 index 00000000000..42360eaab50 --- /dev/null +++ b/queue-5.19/ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch @@ -0,0 +1,59 @@ +From cf6531d98190fa2cf92a6d8bbc8af0a4740a223c Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 28 Jul 2022 21:57:08 +0900 +Subject: ksmbd: fix use-after-free bug in smb2_tree_disconect + +From: Namjae Jeon + +commit cf6531d98190fa2cf92a6d8bbc8af0a4740a223c upstream. + +smb2_tree_disconnect() freed the struct ksmbd_tree_connect, +but it left the dangling pointer. It can be accessed +again under compound requests. + +This bug can lead an oops looking something link: + +[ 1685.468014 ] BUG: KASAN: use-after-free in ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468068 ] Read of size 4 at addr ffff888102172180 by task kworker/1:2/4807 +... +[ 1685.468130 ] Call Trace: +[ 1685.468132 ] +[ 1685.468135 ] dump_stack_lvl+0x49/0x5f +[ 1685.468141 ] print_report.cold+0x5e/0x5cf +[ 1685.468145 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468157 ] kasan_report+0xaa/0x120 +[ 1685.468194 ] ? ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468206 ] __asan_report_load4_noabort+0x14/0x20 +[ 1685.468210 ] ksmbd_tree_conn_disconnect+0x131/0x160 [ksmbd] +[ 1685.468222 ] smb2_tree_disconnect+0x175/0x250 [ksmbd] +[ 1685.468235 ] handle_ksmbd_work+0x30e/0x1020 [ksmbd] +[ 1685.468247 ] process_one_work+0x778/0x11c0 +[ 1685.468251 ] ? _raw_spin_lock_irq+0x8e/0xe0 +[ 1685.468289 ] worker_thread+0x544/0x1180 +[ 1685.468293 ] ? __cpuidle_text_end+0x4/0x4 +[ 1685.468297 ] kthread+0x282/0x320 +[ 1685.468301 ] ? process_one_work+0x11c0/0x11c0 +[ 1685.468305 ] ? kthread_complete_and_exit+0x30/0x30 +[ 1685.468309 ] ret_from_fork+0x1f/0x30 + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17816 +Signed-off-by: Namjae Jeon +Reviewed-by: Hyunchul Lee +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -2043,6 +2043,7 @@ int smb2_tree_disconnect(struct ksmbd_wo + + ksmbd_close_tree_conn_fds(work); + ksmbd_tree_conn_disconnect(sess, tcon); ++ work->tcon = NULL; + return 0; + } + diff --git a/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch b/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch new file mode 100644 index 00000000000..5dac44a1f93 --- /dev/null +++ b/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch @@ -0,0 +1,69 @@ +From 824d4f64c20093275f72fc8101394d75ff6a249e Mon Sep 17 00:00:00 2001 +From: Hyunchul Lee +Date: Thu, 28 Jul 2022 21:58:53 +0900 +Subject: ksmbd: prevent out of bound read for SMB2_TREE_CONNNECT + +From: Hyunchul Lee + +commit 824d4f64c20093275f72fc8101394d75ff6a249e upstream. + +if Status is not 0 and PathLength is long, +smb_strndup_from_utf16 could make out of bound +read in smb2_tree_connnect. + +This bug can lead an oops looking something like: + +[ 1553.882047] BUG: KASAN: slab-out-of-bounds in smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882064] Read of size 2 at addr ffff88802c4eda04 by task kworker/0:2/42805 +... +[ 1553.882095] Call Trace: +[ 1553.882098] +[ 1553.882101] dump_stack_lvl+0x49/0x5f +[ 1553.882107] print_report.cold+0x5e/0x5cf +[ 1553.882112] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882122] kasan_report+0xaa/0x120 +[ 1553.882128] ? smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882139] __asan_report_load_n_noabort+0xf/0x20 +[ 1553.882143] smb_strndup_from_utf16+0x469/0x4c0 [ksmbd] +[ 1553.882155] ? smb_strtoUTF16+0x3b0/0x3b0 [ksmbd] +[ 1553.882166] ? __kmalloc_node+0x185/0x430 +[ 1553.882171] smb2_tree_connect+0x140/0xab0 [ksmbd] +[ 1553.882185] handle_ksmbd_work+0x30e/0x1020 [ksmbd] +[ 1553.882197] process_one_work+0x778/0x11c0 +[ 1553.882201] ? _raw_spin_lock_irq+0x8e/0xe0 +[ 1553.882206] worker_thread+0x544/0x1180 +[ 1553.882209] ? __cpuidle_text_end+0x4/0x4 +[ 1553.882214] kthread+0x282/0x320 +[ 1553.882218] ? process_one_work+0x11c0/0x11c0 +[ 1553.882221] ? kthread_complete_and_exit+0x30/0x30 +[ 1553.882225] ret_from_fork+0x1f/0x30 +[ 1553.882231] + +There is no need to check error request validation in server. +This check allow invalid requests not to validate message. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17818 +Signed-off-by: Hyunchul Lee +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -90,11 +90,6 @@ static int smb2_get_data_area_len(unsign + *off = 0; + *len = 0; + +- /* error reqeusts do not have data area */ +- if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED && +- (((struct smb2_err_rsp *)hdr)->StructureSize) == SMB2_ERROR_STRUCTURE_SIZE2_LE) +- return ret; +- + /* + * Following commands have data areas so we have to get the location + * of the data buffer offset and data buffer length for the particular diff --git a/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch b/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch new file mode 100644 index 00000000000..a5d39ffc4cf --- /dev/null +++ b/queue-5.19/ksmbd-prevent-out-of-bound-read-for-smb2_write.patch @@ -0,0 +1,121 @@ +From ac60778b87e45576d7bfdbd6f53df902654e6f09 Mon Sep 17 00:00:00 2001 +From: Hyunchul Lee +Date: Thu, 28 Jul 2022 23:41:51 +0900 +Subject: ksmbd: prevent out of bound read for SMB2_WRITE + +From: Hyunchul Lee + +commit ac60778b87e45576d7bfdbd6f53df902654e6f09 upstream. + +OOB read memory can be written to a file, +if DataOffset is 0 and Length is too large +in SMB2_WRITE request of compound request. + +To prevent this, when checking the length of +the data area of SMB2_WRITE in smb2_get_data_area_len(), +let the minimum of DataOffset be the size of +SMB2 header + the size of SMB2_WRITE header. + +This bug can lead an oops looking something like: + +[ 798.008715] BUG: KASAN: slab-out-of-bounds in copy_page_from_iter_atomic+0xd3d/0x14b0 +[ 798.008724] Read of size 252 at addr ffff88800f863e90 by task kworker/0:2/2859 +... +[ 798.008754] Call Trace: +[ 798.008756] +[ 798.008759] dump_stack_lvl+0x49/0x5f +[ 798.008764] print_report.cold+0x5e/0x5cf +[ 798.008768] ? __filemap_get_folio+0x285/0x6d0 +[ 798.008774] ? copy_page_from_iter_atomic+0xd3d/0x14b0 +[ 798.008777] kasan_report+0xaa/0x120 +[ 798.008781] ? copy_page_from_iter_atomic+0xd3d/0x14b0 +[ 798.008784] kasan_check_range+0x100/0x1e0 +[ 798.008788] memcpy+0x24/0x60 +[ 798.008792] copy_page_from_iter_atomic+0xd3d/0x14b0 +[ 798.008795] ? pagecache_get_page+0x53/0x160 +[ 798.008799] ? iov_iter_get_pages_alloc+0x1590/0x1590 +[ 798.008803] ? ext4_write_begin+0xfc0/0xfc0 +[ 798.008807] ? current_time+0x72/0x210 +[ 798.008811] generic_perform_write+0x2c8/0x530 +[ 798.008816] ? filemap_fdatawrite_wbc+0x180/0x180 +[ 798.008820] ? down_write+0xb4/0x120 +[ 798.008824] ? down_write_killable+0x130/0x130 +[ 798.008829] ext4_buffered_write_iter+0x137/0x2c0 +[ 798.008833] ext4_file_write_iter+0x40b/0x1490 +[ 798.008837] ? __fsnotify_parent+0x275/0xb20 +[ 798.008842] ? __fsnotify_update_child_dentry_flags+0x2c0/0x2c0 +[ 798.008846] ? ext4_buffered_write_iter+0x2c0/0x2c0 +[ 798.008851] __kernel_write+0x3a1/0xa70 +[ 798.008855] ? __x64_sys_preadv2+0x160/0x160 +[ 798.008860] ? security_file_permission+0x4a/0xa0 +[ 798.008865] kernel_write+0xbb/0x360 +[ 798.008869] ksmbd_vfs_write+0x27e/0xb90 [ksmbd] +[ 798.008881] ? ksmbd_vfs_read+0x830/0x830 [ksmbd] +[ 798.008892] ? _raw_read_unlock+0x2a/0x50 +[ 798.008896] smb2_write+0xb45/0x14e0 [ksmbd] +[ 798.008909] ? __kasan_check_write+0x14/0x20 +[ 798.008912] ? _raw_spin_lock_bh+0xd0/0xe0 +[ 798.008916] ? smb2_read+0x15e0/0x15e0 [ksmbd] +[ 798.008927] ? memcpy+0x4e/0x60 +[ 798.008931] ? _raw_spin_unlock+0x19/0x30 +[ 798.008934] ? ksmbd_smb2_check_message+0x16af/0x2350 [ksmbd] +[ 798.008946] ? _raw_spin_lock_bh+0xe0/0xe0 +[ 798.008950] handle_ksmbd_work+0x30e/0x1020 [ksmbd] +[ 798.008962] process_one_work+0x778/0x11c0 +[ 798.008966] ? _raw_spin_lock_irq+0x8e/0xe0 +[ 798.008970] worker_thread+0x544/0x1180 +[ 798.008973] ? __cpuidle_text_end+0x4/0x4 +[ 798.008977] kthread+0x282/0x320 +[ 798.008982] ? process_one_work+0x11c0/0x11c0 +[ 798.008985] ? kthread_complete_and_exit+0x30/0x30 +[ 798.008989] ret_from_fork+0x1f/0x30 +[ 798.008995] + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17817 +Signed-off-by: Hyunchul Lee +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/smb2misc.c | 7 +++++-- + fs/ksmbd/smb2pdu.c | 8 +++----- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/fs/ksmbd/smb2misc.c ++++ b/fs/ksmbd/smb2misc.c +@@ -131,8 +131,11 @@ static int smb2_get_data_area_len(unsign + *len = le16_to_cpu(((struct smb2_read_req *)hdr)->ReadChannelInfoLength); + break; + case SMB2_WRITE: +- if (((struct smb2_write_req *)hdr)->DataOffset) { +- *off = le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset); ++ if (((struct smb2_write_req *)hdr)->DataOffset || ++ ((struct smb2_write_req *)hdr)->Length) { ++ *off = max_t(unsigned int, ++ le16_to_cpu(((struct smb2_write_req *)hdr)->DataOffset), ++ offsetof(struct smb2_write_req, Buffer)); + *len = le32_to_cpu(((struct smb2_write_req *)hdr)->Length); + break; + } +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -6499,14 +6499,12 @@ int smb2_write(struct ksmbd_work *work) + writethrough = true; + + if (is_rdma_channel == false) { +- if ((u64)le16_to_cpu(req->DataOffset) + length > +- get_rfc1002_len(work->request_buf)) { +- pr_err("invalid write data offset %u, smb_len %u\n", +- le16_to_cpu(req->DataOffset), +- get_rfc1002_len(work->request_buf)); ++ if (le16_to_cpu(req->DataOffset) < ++ offsetof(struct smb2_write_req, Buffer)) { + err = -EINVAL; + goto out; + } ++ + data_buf = (char *)(((char *)&req->hdr.ProtocolId) + + le16_to_cpu(req->DataOffset)); + diff --git a/queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch b/queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch new file mode 100644 index 00000000000..6ba6d9afbb8 --- /dev/null +++ b/queue-5.19/mbcache-add-functions-to-delete-entry-if-unused.patch @@ -0,0 +1,148 @@ +From 3dc96bba65f53daa217f0a8f43edad145286a8f5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 12 Jul 2022 12:54:21 +0200 +Subject: mbcache: add functions to delete entry if unused + +From: Jan Kara + +commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 upstream. + +Add function mb_cache_entry_delete_or_get() to delete mbcache entry if +it is unused and also add a function to wait for entry to become unused +- mb_cache_entry_wait_unused(). We do not share code between the two +deleting function as one of them will go away soon. + +CC: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/mbcache.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++-- + include/linux/mbcache.h | 10 ++++++- + 2 files changed, 73 insertions(+), 3 deletions(-) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -11,7 +11,7 @@ + /* + * Mbcache is a simple key-value store. Keys need not be unique, however + * key-value pairs are expected to be unique (we use this fact in +- * mb_cache_entry_delete()). ++ * mb_cache_entry_delete_or_get()). + * + * Ext2 and ext4 use this cache for deduplication of extended attribute blocks. + * Ext4 also uses it for deduplication of xattr values stored in inodes. +@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cac + } + EXPORT_SYMBOL(__mb_cache_entry_free); + ++/* ++ * mb_cache_entry_wait_unused - wait to be the last user of the entry ++ * ++ * @entry - entry to work on ++ * ++ * Wait to be the last user of the entry. ++ */ ++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry) ++{ ++ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3); ++} ++EXPORT_SYMBOL(mb_cache_entry_wait_unused); ++ + static struct mb_cache_entry *__entry_find(struct mb_cache *cache, + struct mb_cache_entry *entry, + u32 key) +@@ -217,7 +230,7 @@ out: + } + EXPORT_SYMBOL(mb_cache_entry_get); + +-/* mb_cache_entry_delete - remove a cache entry ++/* mb_cache_entry_delete - try to remove a cache entry + * @cache - cache we work with + * @key - key + * @value - value +@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cac + } + EXPORT_SYMBOL(mb_cache_entry_delete); + ++/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users ++ * @cache - cache we work with ++ * @key - key ++ * @value - value ++ * ++ * Remove entry from cache @cache with key @key and value @value. The removal ++ * happens only if the entry is unused. The function returns NULL in case the ++ * entry was successfully removed or there's no entry in cache. Otherwise the ++ * function grabs reference of the entry that we failed to delete because it ++ * still has users and return it. ++ */ ++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, ++ u32 key, u64 value) ++{ ++ struct hlist_bl_node *node; ++ struct hlist_bl_head *head; ++ struct mb_cache_entry *entry; ++ ++ head = mb_cache_entry_head(cache, key); ++ hlist_bl_lock(head); ++ hlist_bl_for_each_entry(entry, node, head, e_hash_list) { ++ if (entry->e_key == key && entry->e_value == value) { ++ if (atomic_read(&entry->e_refcnt) > 2) { ++ atomic_inc(&entry->e_refcnt); ++ hlist_bl_unlock(head); ++ return entry; ++ } ++ /* We keep hash list reference to keep entry alive */ ++ hlist_bl_del_init(&entry->e_hash_list); ++ hlist_bl_unlock(head); ++ spin_lock(&cache->c_list_lock); ++ if (!list_empty(&entry->e_list)) { ++ list_del_init(&entry->e_list); ++ if (!WARN_ONCE(cache->c_entry_count == 0, ++ "mbcache: attempt to decrement c_entry_count past zero")) ++ cache->c_entry_count--; ++ atomic_dec(&entry->e_refcnt); ++ } ++ spin_unlock(&cache->c_list_lock); ++ mb_cache_entry_put(cache, entry); ++ return NULL; ++ } ++ } ++ hlist_bl_unlock(head); ++ ++ return NULL; ++} ++EXPORT_SYMBOL(mb_cache_entry_delete_or_get); ++ + /* mb_cache_entry_touch - cache entry got used + * @cache - cache the entry belongs to + * @entry - entry that got used +--- a/include/linux/mbcache.h ++++ b/include/linux/mbcache.h +@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *c + int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key, + u64 value, bool reusable); + void __mb_cache_entry_free(struct mb_cache_entry *entry); ++void mb_cache_entry_wait_unused(struct mb_cache_entry *entry); + static inline int mb_cache_entry_put(struct mb_cache *cache, + struct mb_cache_entry *entry) + { +- if (!atomic_dec_and_test(&entry->e_refcnt)) ++ unsigned int cnt = atomic_dec_return(&entry->e_refcnt); ++ ++ if (cnt > 0) { ++ if (cnt <= 3) ++ wake_up_var(&entry->e_refcnt); + return 0; ++ } + __mb_cache_entry_free(entry); + return 1; + } + ++struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache, ++ u32 key, u64 value); + void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value); + struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key, + u64 value); diff --git a/queue-5.19/mbcache-don-t-reclaim-used-entries.patch b/queue-5.19/mbcache-don-t-reclaim-used-entries.patch new file mode 100644 index 00000000000..38b35d75c32 --- /dev/null +++ b/queue-5.19/mbcache-don-t-reclaim-used-entries.patch @@ -0,0 +1,50 @@ +From 58318914186c157477b978b1739dfe2f1b9dc0fe Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 12 Jul 2022 12:54:20 +0200 +Subject: mbcache: don't reclaim used entries + +From: Jan Kara + +commit 58318914186c157477b978b1739dfe2f1b9dc0fe upstream. + +Do not reclaim entries that are currently used by somebody from a +shrinker. Firstly, these entries are likely useful. Secondly, we will +need to keep such entries to protect pending increment of xattr block +refcount. + +CC: stable@vger.kernel.org +Fixes: 82939d7999df ("ext4: convert to mbcache2") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/mbcache.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(str + while (nr_to_scan-- && !list_empty(&cache->c_list)) { + entry = list_first_entry(&cache->c_list, + struct mb_cache_entry, e_list); +- if (entry->e_referenced) { ++ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) { + entry->e_referenced = 0; + list_move_tail(&entry->e_list, &cache->c_list); + continue; +@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(str + spin_unlock(&cache->c_list_lock); + head = mb_cache_entry_head(cache, entry->e_key); + hlist_bl_lock(head); ++ /* Now a reliable check if the entry didn't get used... */ ++ if (atomic_read(&entry->e_refcnt) > 2) { ++ hlist_bl_unlock(head); ++ spin_lock(&cache->c_list_lock); ++ list_add_tail(&entry->e_list, &cache->c_list); ++ cache->c_entry_count++; ++ continue; ++ } + if (!hlist_bl_unhashed(&entry->e_hash_list)) { + hlist_bl_del_init(&entry->e_hash_list); + atomic_dec(&entry->e_refcnt); diff --git a/queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch b/queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch new file mode 100644 index 00000000000..06a92e59f0f --- /dev/null +++ b/queue-5.19/md-raid-destroy-the-bitmap-after-destroying-the-thread.patch @@ -0,0 +1,129 @@ +From e151db8ecfb019b7da31d076130a794574c89f6f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Sun, 24 Jul 2022 14:26:12 -0400 +Subject: md-raid: destroy the bitmap after destroying the thread + +From: Mikulas Patocka + +commit e151db8ecfb019b7da31d076130a794574c89f6f upstream. + +When we ran the lvm test "shell/integrity-blocksize-3.sh" on a kernel with +kasan, we got failure in write_page. + +The reason for the failure is that md_bitmap_destroy is called before +destroying the thread and the thread may be waiting in the function +write_page for the bio to complete. When the thread finishes waiting, it +executes "if (test_bit(BITMAP_WRITE_ERROR, &bitmap->flags))", which +triggers the kasan warning. + +Note that the commit 48df498daf62 that caused this bug claims that it is +neede for md-cluster, you should check md-cluster and possibly find +another bugfix for it. + +BUG: KASAN: use-after-free in write_page+0x18d/0x680 [md_mod] +Read of size 8 at addr ffff889162030c78 by task mdX_raid1/5539 + +CPU: 10 PID: 5539 Comm: mdX_raid1 Not tainted 5.19.0-rc2 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? write_page+0x18d/0x680 [md_mod] + kasan_report+0xa8/0xe0 + ? write_page+0x18d/0x680 [md_mod] + kasan_check_range+0x13f/0x180 + write_page+0x18d/0x680 [md_mod] + ? super_sync+0x4d5/0x560 [dm_raid] + ? md_bitmap_file_kick+0xa0/0xa0 [md_mod] + ? rs_set_dev_and_array_sectors+0x2e0/0x2e0 [dm_raid] + ? mutex_trylock+0x120/0x120 + ? preempt_count_add+0x6b/0xc0 + ? preempt_count_sub+0xf/0xc0 + md_update_sb+0x707/0xe40 [md_mod] + md_reap_sync_thread+0x1b2/0x4a0 [md_mod] + md_check_recovery+0x533/0x960 [md_mod] + raid1d+0xc8/0x2a20 [raid1] + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid1_end_read_request+0x2a0/0x2a0 [raid1] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 5522: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + md_bitmap_create+0xa8/0xe80 [md_mod] + md_run+0x777/0x1300 [md_mod] + raid_ctr+0x249c/0x4a30 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Freed by task 5680: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x40 + kasan_set_free_info+0x20/0x40 + __kasan_slab_free+0xf7/0x140 + kfree+0x80/0x240 + md_bitmap_free+0x1c3/0x280 [md_mod] + __md_stop+0x21/0x120 [md_mod] + md_stop+0x9/0x40 [md_mod] + raid_dtr+0x1b/0x40 [dm_raid] + dm_table_destroy+0x98/0x1e0 [dm_mod] + __dm_destroy+0x199/0x360 [dm_mod] + dev_remove+0x10c/0x160 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Fixes: 48df498daf62 ("md: move bitmap_destroy to the beginning of __md_stop") +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6244,11 +6244,11 @@ static void mddev_detach(struct mddev *m + static void __md_stop(struct mddev *mddev) + { + struct md_personality *pers = mddev->pers; +- md_bitmap_destroy(mddev); + mddev_detach(mddev); + /* Ensure ->event_work is done */ + if (mddev->event_work.func) + flush_workqueue(md_misc_wq); ++ md_bitmap_destroy(mddev); + spin_lock(&mddev->lock); + mddev->pers = NULL; + spin_unlock(&mddev->lock); diff --git a/queue-5.19/md-raid10-fix-kasan-warning.patch b/queue-5.19/md-raid10-fix-kasan-warning.patch new file mode 100644 index 00000000000..20215fe1a24 --- /dev/null +++ b/queue-5.19/md-raid10-fix-kasan-warning.patch @@ -0,0 +1,148 @@ +From d17f744e883b2f8d13cca252d71cfe8ace346f7d Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 26 Jul 2022 04:33:12 -0400 +Subject: md-raid10: fix KASAN warning + +From: Mikulas Patocka + +commit d17f744e883b2f8d13cca252d71cfe8ace346f7d upstream. + +There's a KASAN warning in raid10_remove_disk when running the lvm +test lvconvert-raid-reshape.sh. We fix this warning by verifying that the +value "number" is valid. + +BUG: KASAN: slab-out-of-bounds in raid10_remove_disk+0x61/0x2a0 [raid10] +Read of size 8 at addr ffff889108f3d300 by task mdX_raid10/124682 + +CPU: 3 PID: 124682 Comm: mdX_raid10 Not tainted 5.19.0-rc6 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0x34/0x44 + print_report.cold+0x45/0x57a + ? __lock_text_start+0x18/0x18 + ? raid10_remove_disk+0x61/0x2a0 [raid10] + kasan_report+0xa8/0xe0 + ? raid10_remove_disk+0x61/0x2a0 [raid10] + raid10_remove_disk+0x61/0x2a0 [raid10] +Buffer I/O error on dev dm-76, logical block 15344, async page read + ? __mutex_unlock_slowpath.constprop.0+0x1e0/0x1e0 + remove_and_add_spares+0x367/0x8a0 [md_mod] + ? super_written+0x1c0/0x1c0 [md_mod] + ? mutex_trylock+0xac/0x120 + ? _raw_spin_lock+0x72/0xc0 + ? _raw_spin_lock_bh+0xc0/0xc0 + md_check_recovery+0x848/0x960 [md_mod] + raid10d+0xcf/0x3360 [raid10] + ? sched_clock_cpu+0x185/0x1a0 + ? rb_erase+0x4d4/0x620 + ? var_wake_function+0xe0/0xe0 + ? psi_group_change+0x411/0x500 + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? raid10_sync_request+0x36c0/0x36c0 [raid10] + ? preempt_count_sub+0xf/0xc0 + ? _raw_spin_unlock_irqrestore+0x19/0x40 + ? del_timer_sync+0xa9/0x100 + ? try_to_del_timer_sync+0xc0/0xc0 + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? __lock_text_start+0x18/0x18 + ? _raw_spin_unlock_irq+0x11/0x24 + ? __list_del_entry_valid+0x68/0xa0 + ? finish_wait+0xa3/0x100 + md_thread+0x161/0x260 [md_mod] + ? unregister_md_personality+0xa0/0xa0 [md_mod] + ? _raw_spin_lock_irqsave+0x78/0xc0 + ? prepare_to_wait_event+0x2c0/0x2c0 + ? unregister_md_personality+0xa0/0xa0 [md_mod] + kthread+0x148/0x180 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + + +Allocated by task 124495: + kasan_save_stack+0x1e/0x40 + __kasan_kmalloc+0x80/0xa0 + setup_conf+0x140/0x5c0 [raid10] + raid10_run+0x4cd/0x740 [raid10] + md_run+0x6f9/0x1300 [md_mod] + raid_ctr+0x2531/0x4ac0 [dm_raid] + dm_table_add_target+0x2b0/0x620 [dm_mod] + table_load+0x1c8/0x400 [dm_mod] + ctl_ioctl+0x29e/0x560 [dm_mod] + dm_compat_ctl_ioctl+0x7/0x20 [dm_mod] + __do_compat_sys_ioctl+0xfa/0x160 + do_syscall_64+0x90/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0x9e/0xc0 + kvfree_call_rcu+0x84/0x480 + timerfd_release+0x82/0x140 +L __fput+0xfa/0x400 + task_work_run+0x80/0xc0 + exit_to_user_mode_prepare+0x155/0x160 + syscall_exit_to_user_mode+0x12/0x40 + do_syscall_64+0x42/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Second to last potentially related work creation: + kasan_save_stack+0x1e/0x40 + __kasan_record_aux_stack+0x9e/0xc0 + kvfree_call_rcu+0x84/0x480 + timerfd_release+0x82/0x140 + __fput+0xfa/0x400 + task_work_run+0x80/0xc0 + exit_to_user_mode_prepare+0x155/0x160 + syscall_exit_to_user_mode+0x12/0x40 + do_syscall_64+0x42/0xc0 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +The buggy address belongs to the object at ffff889108f3d200 + which belongs to the cache kmalloc-256 of size 256 +The buggy address is located 0 bytes to the right of + 256-byte region [ffff889108f3d200, ffff889108f3d300) + +The buggy address belongs to the physical page: +page:000000007ef2a34c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1108f3c +head:000000007ef2a34c order:2 compound_mapcount:0 compound_pincount:0 +flags: 0x4000000000010200(slab|head|zone=2) +raw: 4000000000010200 0000000000000000 dead000000000001 ffff889100042b40 +raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff889108f3d200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff889108f3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>ffff889108f3d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff889108f3d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff889108f3d400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2167,9 +2167,12 @@ static int raid10_remove_disk(struct mdd + int err = 0; + int number = rdev->raid_disk; + struct md_rdev **rdevp; +- struct raid10_info *p = conf->mirrors + number; ++ struct raid10_info *p; + + print_conf(conf); ++ if (unlikely(number >= mddev->raid_disks)) ++ return 0; ++ p = conf->mirrors + number; + if (rdev == p->rdev) + rdevp = &p->rdev; + else if (rdev == p->replacement) diff --git a/queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch b/queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch new file mode 100644 index 00000000000..48a5fc31c6c --- /dev/null +++ b/queue-5.19/media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch @@ -0,0 +1,39 @@ +From 81e005842d0b8167c059553a1c29c36d8a7a9329 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 30 Mar 2022 02:56:52 +0100 +Subject: media: isl7998x: select V4L2_FWNODE to fix build error + +From: Randy Dunlap + +commit 81e005842d0b8167c059553a1c29c36d8a7a9329 upstream. + +Fix build error when VIDEO_ISL7998X=y and V4L2_FWNODE=m +by selecting V4L2_FWNODE. + +microblaze-linux-ld: drivers/media/i2c/isl7998x.o: in function `isl7998x_probe': +(.text+0x8f4): undefined reference to `v4l2_fwnode_endpoint_parse' + +Cc: stable@vger.kernel.org # 5.18 and above +Fixes: 51ef2be546e2 ("media: i2c: isl7998x: Add driver for Intersil ISL7998x") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Marek Vasut +Cc: Pengutronix Kernel Team +Reviewed-by: Michael Tretter +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/Kconfig ++++ b/drivers/media/i2c/Kconfig +@@ -1178,6 +1178,7 @@ config VIDEO_ISL7998X + depends on OF_GPIO + select MEDIA_CONTROLLER + select VIDEO_V4L2_SUBDEV_API ++ select V4L2_FWNODE + help + Support for Intersil ISL7998x analog to MIPI-CSI2 or + BT.656 decoder. diff --git a/queue-5.19/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch b/queue-5.19/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch new file mode 100644 index 00000000000..0c3d635468d --- /dev/null +++ b/queue-5.19/media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch @@ -0,0 +1,142 @@ +From 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 Mon Sep 17 00:00:00 2001 +From: Xiaomeng Tong +Date: Thu, 14 Apr 2022 05:14:15 +0100 +Subject: media: [PATCH] pci: atomisp_cmd: fix three missing checks on list iterator + +From: Xiaomeng Tong + +commit 09b204eb9de9fdf07d028c41c4331b5cfeb70dd7 upstream. + +The three bugs are here: + __func__, s3a_buf->s3a_data->exp_id); + __func__, md_buf->metadata->exp_id); + __func__, dis_buf->dis_data->exp_id); + +The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus +position containing HEAD if the list is empty or no element is found. +This case must be checked before any use of the iterator, otherwise +it will lead to a invalid memory access. + +To fix this bug, add an check. Use a new variable '*_iter' as the +list iterator, while use the old variable '*_buf' as a dedicated +pointer to point to the found element. + +Link: https://lore.kernel.org/linux-media/20220414041415.3342-1-xiam0nd.tong@gmail.com +Cc: stable@vger.kernel.org +Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"") +Signed-off-by: Xiaomeng Tong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/atomisp/pci/atomisp_cmd.c | 57 +++++++++++++++--------- + 1 file changed, 36 insertions(+), 21 deletions(-) + +--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +@@ -901,9 +901,9 @@ void atomisp_buf_done(struct atomisp_sub + int err; + unsigned long irqflags; + struct ia_css_frame *frame = NULL; +- struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp; +- struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp; +- struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp; ++ struct atomisp_s3a_buf *s3a_buf = NULL, *_s3a_buf_tmp, *s3a_iter; ++ struct atomisp_dis_buf *dis_buf = NULL, *_dis_buf_tmp, *dis_iter; ++ struct atomisp_metadata_buf *md_buf = NULL, *_md_buf_tmp, *md_iter; + enum atomisp_metadata_type md_type; + struct atomisp_device *isp = asd->isp; + struct v4l2_control ctrl; +@@ -942,60 +942,75 @@ void atomisp_buf_done(struct atomisp_sub + + switch (buf_type) { + case IA_CSS_BUFFER_TYPE_3A_STATISTICS: +- list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp, ++ list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp, + &asd->s3a_stats_in_css, list) { +- if (s3a_buf->s3a_data == ++ if (s3a_iter->s3a_data == + buffer.css_buffer.data.stats_3a) { +- list_del_init(&s3a_buf->list); +- list_add_tail(&s3a_buf->list, ++ list_del_init(&s3a_iter->list); ++ list_add_tail(&s3a_iter->list, + &asd->s3a_stats_ready); ++ s3a_buf = s3a_iter; + break; + } + } + + asd->s3a_bufs_in_css[css_pipe_id]--; + atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id); +- dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", +- __func__, s3a_buf->s3a_data->exp_id); ++ if (s3a_buf) ++ dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", ++ __func__, s3a_buf->s3a_data->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_METADATA: + if (error) + break; + + md_type = atomisp_get_metadata_type(asd, css_pipe_id); +- list_for_each_entry_safe(md_buf, _md_buf_tmp, ++ list_for_each_entry_safe(md_iter, _md_buf_tmp, + &asd->metadata_in_css[md_type], list) { +- if (md_buf->metadata == ++ if (md_iter->metadata == + buffer.css_buffer.data.metadata) { +- list_del_init(&md_buf->list); +- list_add_tail(&md_buf->list, ++ list_del_init(&md_iter->list); ++ list_add_tail(&md_iter->list, + &asd->metadata_ready[md_type]); ++ md_buf = md_iter; + break; + } + } + asd->metadata_bufs_in_css[stream_id][css_pipe_id]--; + atomisp_metadata_ready_event(asd, md_type); +- dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", +- __func__, md_buf->metadata->exp_id); ++ if (md_buf) ++ dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", ++ __func__, md_buf->metadata->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_DIS_STATISTICS: +- list_for_each_entry_safe(dis_buf, _dis_buf_tmp, ++ list_for_each_entry_safe(dis_iter, _dis_buf_tmp, + &asd->dis_stats_in_css, list) { +- if (dis_buf->dis_data == ++ if (dis_iter->dis_data == + buffer.css_buffer.data.stats_dvs) { + spin_lock_irqsave(&asd->dis_stats_lock, + irqflags); +- list_del_init(&dis_buf->list); +- list_add(&dis_buf->list, &asd->dis_stats); ++ list_del_init(&dis_iter->list); ++ list_add(&dis_iter->list, &asd->dis_stats); + asd->params.dis_proj_data_valid = true; + spin_unlock_irqrestore(&asd->dis_stats_lock, + irqflags); ++ dis_buf = dis_iter; + break; + } + } + asd->dis_bufs_in_css--; +- dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", +- __func__, dis_buf->dis_data->exp_id); ++ if (dis_buf) ++ dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", ++ __func__, dis_buf->dis_data->exp_id); ++ else ++ dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n", ++ __func__); + break; + case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME: + case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME: diff --git a/queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch b/queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch new file mode 100644 index 00000000000..f9e81428a3e --- /dev/null +++ b/queue-5.19/serial-mvebu-uart-uart2-error-bits-clearing.patch @@ -0,0 +1,58 @@ +From a7209541239e5dd44d981289e5f9059222d40fd1 Mon Sep 17 00:00:00 2001 +From: Narendra Hadke +Date: Tue, 26 Jul 2022 11:12:21 +0200 +Subject: serial: mvebu-uart: uart2 error bits clearing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Narendra Hadke + +commit a7209541239e5dd44d981289e5f9059222d40fd1 upstream. + +For mvebu uart2, error bits are not cleared on buffer read. +This causes interrupt loop and system hang. + +Cc: stable@vger.kernel.org +Reviewed-by: Yi Guo +Reviewed-by: Nadav Haklai +Signed-off-by: Narendra Hadke +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20220726091221.12358-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mvebu-uart.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/tty/serial/mvebu-uart.c b/drivers/tty/serial/mvebu-uart.c +index 0429c2a54290..ff61a8d00014 100644 +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -265,6 +265,7 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status) + struct tty_port *tport = &port->state->port; + unsigned char ch = 0; + char flag = 0; ++ int ret; + + do { + if (status & STAT_RX_RDY(port)) { +@@ -277,6 +278,16 @@ static void mvebu_uart_rx_chars(struct uart_port *port, unsigned int status) + port->icount.parity++; + } + ++ /* ++ * For UART2, error bits are not cleared on buffer read. ++ * This causes interrupt loop and system hang. ++ */ ++ if (IS_EXTENDED(port) && (status & STAT_BRK_ERR)) { ++ ret = readl(port->membase + UART_STAT); ++ ret |= STAT_BRK_ERR; ++ writel(ret, port->membase + UART_STAT); ++ } ++ + if (status & STAT_BRK_DET) { + port->icount.brk++; + status &= ~(STAT_FRM_ERR | STAT_PAR_ERR); +-- +2.37.1 + diff --git a/queue-5.19/series b/queue-5.19/series index d137aafb85e..753c445a126 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -105,3 +105,20 @@ scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch scsi-qla2xxx-fix-incorrect-display-of-max-frame-size.patch scsi-qla2xxx-zero-undefined-mailbox-in-registers.patch soundwire-qcom-check-device-status-before-reading-devid.patch +ksmbd-fix-memory-leak-in-smb2_handle_negotiate.patch +ksmbd-prevent-out-of-bound-read-for-smb2_tree_connnect.patch +ksmbd-prevent-out-of-bound-read-for-smb2_write.patch +ksmbd-fix-use-after-free-bug-in-smb2_tree_disconect.patch +ksmbd-fix-heap-based-overflow-in-set_ntacl_dacl.patch +fuse-limit-nsec.patch +fuse-ioctl-translate-enosys.patch +fuse-write-inode-in-fuse_release.patch +fuse-fix-deadlock-between-atomic-o_trunc-and-page-invalidation.patch +serial-mvebu-uart-uart2-error-bits-clearing.patch +md-raid-destroy-the-bitmap-after-destroying-the-thread.patch +md-raid10-fix-kasan-warning.patch +mbcache-don-t-reclaim-used-entries.patch +mbcache-add-functions-to-delete-entry-if-unused.patch +media-isl7998x-select-v4l2_fwnode-to-fix-build-error.patch +media-pci-atomisp_cmd-fix-three-missing-checks-on-list-iterator.patch +ia64-processor-fix-wincompatible-pointer-types-in-ia64_get_irr.patch -- 2.47.3