From d0e7dae5851505169f00eb7c92c57937d7d11235 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 14 Mar 2021 23:01:12 -0400 Subject: [PATCH] Fixes for 4.9 Signed-off-by: Sasha Levin --- ...-error-return-code-of-rsxx_pci_probe.patch | 39 ++++++ ...se-after-free-in-__configfs_open_fil.patch | 132 ++++++++++++++++++ ...rn-value-of-_nfs4_get_security_label.patch | 43 ++++++ ...fix-pr_set_mm_auxv-kernel-stack-leak.patch | 45 ++++++ queue-4.9/series | 5 + .../sh_eth-fix-trscer-mask-for-r7s72100.patch | 38 +++++ 6 files changed, 302 insertions(+) create mode 100644 queue-4.9/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch create mode 100644 queue-4.9/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch create mode 100644 queue-4.9/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch create mode 100644 queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch create mode 100644 queue-4.9/sh_eth-fix-trscer-mask-for-r7s72100.patch diff --git a/queue-4.9/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch b/queue-4.9/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch new file mode 100644 index 00000000000..e817c0e569d --- /dev/null +++ b/queue-4.9/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch @@ -0,0 +1,39 @@ +From 16f9238c3d33e6477ead867ebaccc6c52e7d9c01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 19:30:17 -0800 +Subject: block: rsxx: fix error return code of rsxx_pci_probe() + +From: Jia-Ju Bai + +[ Upstream commit df66617bfe87487190a60783d26175b65d2502ce ] + +When create_singlethread_workqueue returns NULL to card->event_wq, no +error return code of rsxx_pci_probe() is assigned. + +To fix this bug, st is assigned with -ENOMEM in this case. + +Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20210310033017.4023-1-baijiaju1990@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/rsxx/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c +index 97b678c0ea13..4ab96c7f8fd7 100644 +--- a/drivers/block/rsxx/core.c ++++ b/drivers/block/rsxx/core.c +@@ -892,6 +892,7 @@ static int rsxx_pci_probe(struct pci_dev *dev, + card->event_wq = create_singlethread_workqueue(DRIVER_NAME"_event"); + if (!card->event_wq) { + dev_err(CARD_TO_DEV(card), "Failed card event setup.\n"); ++ st = -ENOMEM; + goto failed_event_handler; + } + +-- +2.30.1 + diff --git a/queue-4.9/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch b/queue-4.9/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch new file mode 100644 index 00000000000..44c5cca0541 --- /dev/null +++ b/queue-4.9/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch @@ -0,0 +1,132 @@ +From 295b3b08efc1e10ecac20a6801293797edadf974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Mar 2021 14:10:53 +0800 +Subject: configfs: fix a use-after-free in __configfs_open_file + +From: Daiyue Zhang + +[ Upstream commit 14fbbc8297728e880070f7b077b3301a8c698ef9 ] + +Commit b0841eefd969 ("configfs: provide exclusion between IO and removals") +uses ->frag_dead to mark the fragment state, thus no bothering with extra +refcount on config_item when opening a file. The configfs_get_config_item +was removed in __configfs_open_file, but not with config_item_put. So the +refcount on config_item will lost its balance, causing use-after-free +issues in some occasions like this: + +Test: +1. Mount configfs on /config with read-only items: +drwxrwx--- 289 root root 0 2021-04-01 11:55 /config +drwxr-xr-x 2 root root 0 2021-04-01 11:54 /config/a +--w--w--w- 1 root root 4096 2021-04-01 11:53 /config/a/1.txt +...... + +2. Then run: +for file in /config +do +echo $file +grep -R 'key' $file +done + +3. __configfs_open_file will be called in parallel, the first one +got called will do: +if (file->f_mode & FMODE_READ) { + if (!(inode->i_mode & S_IRUGO)) + goto out_put_module; + config_item_put(buffer->item); + kref_put() + package_details_release() + kfree() + +the other one will run into use-after-free issues like this: +BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0 +Read of size 8 at addr fffffff155f02480 by task grep/13096 +CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G W 4.14.116-kasan #1 +TGID: 13096 Comm: grep +Call trace: +dump_stack+0x118/0x160 +kasan_report+0x22c/0x294 +__asan_load8+0x80/0x88 +__configfs_open_file+0x1bc/0x3b0 +configfs_open_file+0x28/0x34 +do_dentry_open+0x2cc/0x5c0 +vfs_open+0x80/0xe0 +path_openat+0xd8c/0x2988 +do_filp_open+0x1c4/0x2fc +do_sys_open+0x23c/0x404 +SyS_openat+0x38/0x48 + +Allocated by task 2138: +kasan_kmalloc+0xe0/0x1ac +kmem_cache_alloc_trace+0x334/0x394 +packages_make_item+0x4c/0x180 +configfs_mkdir+0x358/0x740 +vfs_mkdir2+0x1bc/0x2e8 +SyS_mkdirat+0x154/0x23c +el0_svc_naked+0x34/0x38 + +Freed by task 13096: +kasan_slab_free+0xb8/0x194 +kfree+0x13c/0x910 +package_details_release+0x524/0x56c +kref_put+0xc4/0x104 +config_item_put+0x24/0x34 +__configfs_open_file+0x35c/0x3b0 +configfs_open_file+0x28/0x34 +do_dentry_open+0x2cc/0x5c0 +vfs_open+0x80/0xe0 +path_openat+0xd8c/0x2988 +do_filp_open+0x1c4/0x2fc +do_sys_open+0x23c/0x404 +SyS_openat+0x38/0x48 +el0_svc_naked+0x34/0x38 + +To fix this issue, remove the config_item_put in +__configfs_open_file to balance the refcount of config_item. + +Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals") +Signed-off-by: Daiyue Zhang +Signed-off-by: Yi Chen +Signed-off-by: Ge Qiu +Reviewed-by: Chao Yu +Acked-by: Al Viro +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/file.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/fs/configfs/file.c b/fs/configfs/file.c +index 7285440bc62e..896e90dc9193 100644 +--- a/fs/configfs/file.c ++++ b/fs/configfs/file.c +@@ -392,7 +392,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type + + attr = to_attr(dentry); + if (!attr) +- goto out_put_item; ++ goto out_free_buffer; + + if (type & CONFIGFS_ITEM_BIN_ATTR) { + buffer->bin_attr = to_bin_attr(dentry); +@@ -405,7 +405,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type + /* Grab the module reference for this attribute if we have one */ + error = -ENODEV; + if (!try_module_get(buffer->owner)) +- goto out_put_item; ++ goto out_free_buffer; + + error = -EACCES; + if (!buffer->item->ci_type) +@@ -449,8 +449,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type + + out_put_module: + module_put(buffer->owner); +-out_put_item: +- config_item_put(buffer->item); + out_free_buffer: + up_read(&frag->frag_sem); + kfree(buffer); +-- +2.30.1 + diff --git a/queue-4.9/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch b/queue-4.9/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch new file mode 100644 index 00000000000..c4c2413bf42 --- /dev/null +++ b/queue-4.9/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch @@ -0,0 +1,43 @@ +From 4b517c17701e8f77b040ea2b18108449cb87fac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 18:43:56 +0100 +Subject: NFSv4.2: fix return value of _nfs4_get_security_label() + +From: Ondrej Mosnacek + +[ Upstream commit 53cb245454df5b13d7063162afd7a785aed6ebf2 ] + +An xattr 'get' handler is expected to return the length of the value on +success, yet _nfs4_get_security_label() (and consequently also +nfs4_xattr_get_nfs4_label(), which is used as an xattr handler) returns +just 0 on success. + +Fix this by returning label.len instead, which contains the length of +the result. + +Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") +Signed-off-by: Ondrej Mosnacek +Reviewed-by: James Morris +Reviewed-by: Paul Moore +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 2abdb2070c87..0cebe0ca03b2 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -5218,7 +5218,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, + return ret; + if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) + return -ENOENT; +- return 0; ++ return label.len; + } + + static int nfs4_get_security_label(struct inode *inode, void *buf, +-- +2.30.1 + diff --git a/queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch new file mode 100644 index 00000000000..7521a176dc3 --- /dev/null +++ b/queue-4.9/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch @@ -0,0 +1,45 @@ +From 941b8d3cf860169527e80a665fb4320460bec106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Mar 2021 23:51:14 +0300 +Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak + +From: Alexey Dobriyan + +[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ] + +Doing a + + prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1); + +will copy 1 byte from userspace to (quite big) on-stack array +and then stash everything to mm->saved_auxv. +AT_NULL terminator will be inserted at the very end. + +/proc/*/auxv handler will find that AT_NULL terminator +and copy original stack contents to userspace. + +This devious scheme requires CAP_SYS_RESOURCE. + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sys.c b/kernel/sys.c +index 546cdc911dad..76b3d9262644 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1910,7 +1910,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr, + * up to the caller to provide sane values here, otherwise userspace + * tools which use this vector might be unhappy. + */ +- unsigned long user_auxv[AT_VECTOR_SIZE]; ++ unsigned long user_auxv[AT_VECTOR_SIZE] = {}; + + if (len > sizeof(user_auxv)) + return -EINVAL; +-- +2.30.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 4360a7e0e6a..12aceb2c8c1 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -57,3 +57,8 @@ staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch +sh_eth-fix-trscer-mask-for-r7s72100.patch +nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch +block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch +configfs-fix-a-use-after-free-in-__configfs_open_fil.patch +prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch diff --git a/queue-4.9/sh_eth-fix-trscer-mask-for-r7s72100.patch b/queue-4.9/sh_eth-fix-trscer-mask-for-r7s72100.patch new file mode 100644 index 00000000000..9fc23aeb6c0 --- /dev/null +++ b/queue-4.9/sh_eth-fix-trscer-mask-for-r7s72100.patch @@ -0,0 +1,38 @@ +From 42ce1c35b3130d8328b28dfc85467c07a0a92a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Feb 2021 23:26:34 +0300 +Subject: sh_eth: fix TRSCER mask for R7S72100 + +From: Sergey Shtylyov + +[ Upstream commit 75be7fb7f978202c4c3a1a713af4485afb2ff5f6 ] + +According to the RZ/A1H Group, RZ/A1M Group User's Manual: Hardware, +Rev. 4.00, the TRSCER register has bit 9 reserved, hence we can't use +the driver's default TRSCER mask. Add the explicit initializer for +sh_eth_cpu_data::trscer_err_mask for R7S72100. + +Fixes: db893473d313 ("sh_eth: Add support for r7s72100") +Signed-off-by: Sergey Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/sh_eth.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 7458b1a70e5d..0e5b1935af50 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -526,6 +526,8 @@ static struct sh_eth_cpu_data r7s72100_data = { + EESR_TDE | EESR_ECI, + .fdr_value = 0x0000070f, + ++ .trscer_err_mask = DESC_I_RINT8 | DESC_I_RINT5, ++ + .no_psr = 1, + .apr = 1, + .mpr = 1, +-- +2.30.1 + -- 2.47.3