From f33c5762f75e2d35abf0cf69aacbc1578e790068 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 14 Mar 2021 23:01:11 -0400
Subject: [PATCH] Fixes for 4.14
Signed-off-by: Sasha Levin
---
 ...-error-return-code-of-rsxx_pci_probe.patch | 39 ++++++
 ...se-after-free-in-__configfs_open_fil.patch | 132 ++++++++++++++++++
 ...hed-mm.h-use-rcu_dereference-in-in_v.patch | 43 ++++++
 ...rn-value-of-_nfs4_get_security_label.patch | 43 ++++++
 ...fix-pr_set_mm_auxv-kernel-stack-leak.patch | 45 ++++++
 queue-4.14/series | 7 +
 .../sh_eth-fix-trscer-mask-for-r7s72100.patch | 38 +++++
 ...machine-mark-helpers-__always_inline.patch | 83 +++++++++++
 8 files changed, 430 insertions(+)
 create mode 100644 queue-4.14/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch
 create mode 100644 queue-4.14/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch
 create mode 100644 queue-4.14/include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch
 create mode 100644 queue-4.14/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch
 create mode 100644 queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
 create mode 100644 queue-4.14/sh_eth-fix-trscer-mask-for-r7s72100.patch
 create mode 100644 queue-4.14/stop_machine-mark-helpers-__always_inline.patch
diff --git a/queue-4.14/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch b/queue-4.14/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch
new file mode 100644
index 00000000000..21ec08f2ee8
--- /dev/null
+++ b/queue-4.14/block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch
@@ -0,0 +1,39 @@
+From c94c7dfeffd7dd1acd7dd740b8d474392550e95c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Mar 2021 19:30:17 -0800
+Subject: block: rsxx: fix error return code of rsxx_pci_probe()
+
+From: Jia-Ju Bai
+
+[ Upstream commit df66617bfe87487190a60783d26175b65d2502ce ]
+
+When create_singlethread_workqueue returns NULL to card->event_wq, no
+error return code of rsxx_pci_probe() is assigned.
+
+To fix this bug, st is assigned with -ENOMEM in this case.
+
+Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
+Reported-by: TOTE Robot
+Signed-off-by: Jia-Ju Bai
+Link: https://lore.kernel.org/r/20210310033017.4023-1-baijiaju1990@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/rsxx/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
+index 97b678c0ea13..4ab96c7f8fd7 100644
+--- a/drivers/block/rsxx/core.c
++++ b/drivers/block/rsxx/core.c
+@@ -892,6 +892,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
+ card->event_wq = create_singlethread_workqueue(DRIVER_NAME"_event");
+ if (!card->event_wq) {
+ dev_err(CARD_TO_DEV(card), "Failed card event setup.\n");
++ st = -ENOMEM;
+ goto failed_event_handler;
+ }
+
+--
+2.30.1
+
diff --git a/queue-4.14/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch b/queue-4.14/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch
new file mode 100644
index 00000000000..5e9e421c281
--- /dev/null
+++ b/queue-4.14/configfs-fix-a-use-after-free-in-__configfs_open_fil.patch
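Review bot: The added `st = -ENOMEM;` turns the workqueue failure into an error return, but `failed_event_handler:` and the rest of rsxx_pci_probe() are outside the hunk, so it is worth confirming that the cleanup reached through that label does not pass the NULL `card->event_wq` that caused the jump to `destroy_workqueue()` or similar. The fix covers only this one allocation; the sibling `goto failed_*` sites in the same probe should be checked for the same "st still holds the previous success value" pattern, since this report came from a static checker looking at this path alone. A short comment at the assignment, e.g. `/* st is still 0 from the previous step; report the failure explicitly */`, would make the intent obvious to the next reader.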
@@ -0,0 +1,132 @@
+From 30978273cfe9e5063f233dc6af50cceff053f724 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Mar 2021 14:10:53 +0800
+Subject: configfs: fix a use-after-free in __configfs_open_file
+
+From: Daiyue Zhang
+
+[ Upstream commit 14fbbc8297728e880070f7b077b3301a8c698ef9 ]
+
+Commit b0841eefd969 ("configfs: provide exclusion between IO and removals")
+uses ->frag_dead to mark the fragment state, thus no bothering with extra
+refcount on config_item when opening a file. The configfs_get_config_item
+was removed in __configfs_open_file, but not with config_item_put. So the
+refcount on config_item will lost its balance, causing use-after-free
+issues in some occasions like this:
+
+Test:
+1. Mount configfs on /config with read-only items:
+drwxrwx--- 289 root root 0 2021-04-01 11:55 /config
+drwxr-xr-x 2 root root 0 2021-04-01 11:54 /config/a
+--w--w--w- 1 root root 4096 2021-04-01 11:53 /config/a/1.txt
+......
+
+2. Then run:
+for file in /config
+do
+echo $file
+grep -R 'key' $file
+done
+
+3. __configfs_open_file will be called in parallel, the first one
+got called will do:
+if (file->f_mode & FMODE_READ) {
+ if (!(inode->i_mode & S_IRUGO))
+ goto out_put_module;
+ config_item_put(buffer->item);
+ kref_put()
+ package_details_release()
+ kfree()
+
+the other one will run into use-after-free issues like this:
+BUG: KASAN: use-after-free in __configfs_open_file+0x1bc/0x3b0
+Read of size 8 at addr fffffff155f02480 by task grep/13096
+CPU: 0 PID: 13096 Comm: grep VIP: 00 Tainted: G W 4.14.116-kasan #1
+TGID: 13096 Comm: grep
+Call trace:
+dump_stack+0x118/0x160
+kasan_report+0x22c/0x294
+__asan_load8+0x80/0x88
+__configfs_open_file+0x1bc/0x3b0
+configfs_open_file+0x28/0x34
+do_dentry_open+0x2cc/0x5c0
+vfs_open+0x80/0xe0
+path_openat+0xd8c/0x2988
+do_filp_open+0x1c4/0x2fc
+do_sys_open+0x23c/0x404
+SyS_openat+0x38/0x48
+
+Allocated by task 2138:
+kasan_kmalloc+0xe0/0x1ac
+kmem_cache_alloc_trace+0x334/0x394
+packages_make_item+0x4c/0x180
+configfs_mkdir+0x358/0x740
+vfs_mkdir2+0x1bc/0x2e8
+SyS_mkdirat+0x154/0x23c
+el0_svc_naked+0x34/0x38
+
+Freed by task 13096:
+kasan_slab_free+0xb8/0x194
+kfree+0x13c/0x910
+package_details_release+0x524/0x56c
+kref_put+0xc4/0x104
+config_item_put+0x24/0x34
+__configfs_open_file+0x35c/0x3b0
+configfs_open_file+0x28/0x34
+do_dentry_open+0x2cc/0x5c0
+vfs_open+0x80/0xe0
+path_openat+0xd8c/0x2988
+do_filp_open+0x1c4/0x2fc
+do_sys_open+0x23c/0x404
+SyS_openat+0x38/0x48
+el0_svc_naked+0x34/0x38
+
+To fix this issue, remove the config_item_put in
+__configfs_open_file to balance the refcount of config_item.
+
+Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals")
+Signed-off-by: Daiyue Zhang
+Signed-off-by: Yi Chen
+Signed-off-by: Ge Qiu
+Reviewed-by: Chao Yu
+Acked-by: Al Viro
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Sasha Levin
+---
+ fs/configfs/file.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/fs/configfs/file.c b/fs/configfs/file.c
+index bb0a427517e9..50b7c4c4310e 100644
+--- a/fs/configfs/file.c
++++ b/fs/configfs/file.c
+@@ -392,7 +392,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
+
+ attr = to_attr(dentry);
+ if (!attr)
+- goto out_put_item;
++ goto out_free_buffer;
+
+ if (type & CONFIGFS_ITEM_BIN_ATTR) {
+ buffer->bin_attr = to_bin_attr(dentry);
+@@ -405,7 +405,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
+ /* Grab the module reference for this attribute if we have one */
+ error = -ENODEV;
+ if (!try_module_get(buffer->owner))
+- goto out_put_item;
++ goto out_free_buffer;
+
+ error = -EACCES;
+ if (!buffer->item->ci_type)
+@@ -449,8 +449,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
+
+ out_put_module:
+ module_put(buffer->owner);
+-out_put_item:
+- config_item_put(buffer->item);
+ out_free_buffer:
+ up_read(&frag->frag_sem);
+ kfree(buffer);
+--
+2.30.1
+
diff --git a/queue-4.14/include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch b/queue-4.14/include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch
new file mode 100644
index 00000000000..62275ffe01c
--- /dev/null
+++ b/queue-4.14/include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch
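Review bot: With the put removed, `buffer->item` is used for the rest of __configfs_open_file() without a reference of its own, and nothing in the hunk says what keeps it alive; the only lifetime guard visible here is the `up_read(&frag->frag_sem)` in the `out_free_buffer:` path, with the `->frag_dead` check the commit message refers to sitting outside the hunk. I would add a comment at the retargeted `goto out_free_buffer;` or where `buffer->item` is assigned, e.g. `/* No item reference is held: the frag->frag_sem read lock keeps the item alive until release */`, so a future change does not reintroduce a lone put (or get) and recreate the imbalance. The function starts and ends outside the hunk, so I could not check for any remaining `goto out_put_item`; since that label no longer exists, a leftover would fail to compile rather than slip through.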
@@ -0,0 +1,43 @@
+From fe5f760fa0f6d76acaaa1a5bb2570b3fec5087c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Mar 2021 21:08:03 -0800
+Subject: include/linux/sched/mm.h: use rcu_dereference in in_vfork()
+
+From: Matthew Wilcox (Oracle)
+
+[ Upstream commit 149fc787353f65b7e72e05e7b75d34863266c3e2 ]
+
+Fix a sparse warning by using rcu_dereference(). Technically this is a
+bug and a sufficiently aggressive compiler could reload the `real_parent'
+pointer outside the protection of the rcu lock (and access freed memory),
+but I think it's pretty unlikely to happen.
+
+Link: https://lkml.kernel.org/r/20210221194207.1351703-1-willy@infradead.org
+Fixes: b18dc5f291c0 ("mm, oom: skip vforked tasks from being selected")
+Signed-off-by: Matthew Wilcox (Oracle)
+Reviewed-by: Miaohe Lin
+Acked-by: Michal Hocko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/sched/mm.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
+index efb9e12e7f91..c16f927570b0 100644
+--- a/include/linux/sched/mm.h
++++ b/include/linux/sched/mm.h
+@@ -171,7 +171,8 @@ static inline bool in_vfork(struct task_struct *tsk)
+ * another oom-unkillable task does this it should blame itself.
+ */
+ rcu_read_lock();
+- ret = tsk->vfork_done && tsk->real_parent->mm == tsk->mm;
++ ret = tsk->vfork_done &&
++ rcu_dereference(tsk->real_parent)->mm == tsk->mm;
+ rcu_read_unlock();
+
+ return ret;
+--
+2.30.1
+
diff --git a/queue-4.14/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch b/queue-4.14/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch
new file mode 100644
index 00000000000..2ccf1097fe8
--- /dev/null
+++ b/queue-4.14/nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch
@@ -0,0 +1,43 @@
+From 42cdbabf074fc247629400eceb74158ed2c23f80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Jan 2021 18:43:56 +0100
+Subject: NFSv4.2: fix return value of _nfs4_get_security_label()
+
+From: Ondrej Mosnacek
+
+[ Upstream commit 53cb245454df5b13d7063162afd7a785aed6ebf2 ]
+
+An xattr 'get' handler is expected to return the length of the value on
+success, yet _nfs4_get_security_label() (and consequently also
+nfs4_xattr_get_nfs4_label(), which is used as an xattr handler) returns
+just 0 on success.
+
+Fix this by returning label.len instead, which contains the length of
+the result.
+
+Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
+Signed-off-by: Ondrej Mosnacek
+Reviewed-by: James Morris
+Reviewed-by: Paul Moore
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index cbfea2c7d516..7f50767af46b 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5329,7 +5329,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf,
+ return ret;
+ if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
+ return -ENOENT;
+- return 0;
++ return label.len;
+ }
+
+ static int nfs4_get_security_label(struct inode *inode, void *buf,
+--
+2.30.1
+
diff --git a/queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch b/queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
new file mode 100644
index 00000000000..d203041ddbf
--- /dev/null
+++ b/queue-4.14/prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
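Review bot: `return label.len;` hands back whatever length the earlier, out-of-hunk part of _nfs4_get_security_label() left in `label`, so it is worth confirming that this is the number of bytes actually placed in `buf` (and the required size on a size-query call with a NULL or too-small `buf`), since an xattr 'get' handler's return is exactly what the caller will then read or allocate for. `label.len` is presumably an unsigned field, so the implicit conversion to the `int` return type is harmless for realistic label sizes, but a comment on that line such as `/* xattr get contract: return the value length, not 0 */` would record the rule this commit is restoring. The function begins outside the hunk, so the `label`/`buf` setup could not be checked here.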
@@ -0,0 +1,45 @@
+From 47b47fc59d25cad965dabdcc10a9261e63d168cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Mar 2021 23:51:14 +0300
+Subject: prctl: fix PR_SET_MM_AUXV kernel stack leak
+
+From: Alexey Dobriyan
+
+[ Upstream commit c995f12ad8842dbf5cfed113fb52cdd083f5afd1 ]
+
+Doing a
+
+ prctl(PR_SET_MM, PR_SET_MM_AUXV, addr, 1);
+
+will copy 1 byte from userspace to (quite big) on-stack array
+and then stash everything to mm->saved_auxv.
+AT_NULL terminator will be inserted at the very end.
+
+/proc/*/auxv handler will find that AT_NULL terminator
+and copy original stack contents to userspace.
+
+This devious scheme requires CAP_SYS_RESOURCE.
+
+Signed-off-by: Alexey Dobriyan
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 2e4f017f7c5a..03fc0152cc54 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -2005,7 +2005,7 @@ static int prctl_set_auxv(struct mm_struct *mm, unsigned long addr,
+ * up to the caller to provide sane values here, otherwise userspace
+ * tools which use this vector might be unhappy.
+ */
+- unsigned long user_auxv[AT_VECTOR_SIZE];
++ unsigned long user_auxv[AT_VECTOR_SIZE] = {};
+
+ if (len > sizeof(user_auxv))
+ return -EINVAL;
+--
+2.30.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index ea02175b0e8..35c9b3980fa 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
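Review bot: Zero-initialising `user_auxv` closes the stack disclosure, but the bound check right below it, `if (len > sizeof(user_auxv))`, still accepts a `len` that is not a multiple of `sizeof(unsigned long)`, so the 1-byte copy from the commit message is still permitted and leaves a partially written last element (now zeros plus one user byte) to be stashed into `mm->saved_auxv`. If the ABI can bear it, `if (len > sizeof(user_auxv) || len % sizeof(unsigned long)) return -EINVAL;` would reject such lengths outright; if existing users rely on odd lengths, a comment on the declaration, `/* must stay zeroed: a short copy_from_user would otherwise leak stack via /proc/PID/auxv */`, should at least mark the initialiser as load-bearing so it is not dropped as "unnecessary". The copy_from_user and the AT_NULL insertion the message describes are outside the hunk, and `= {}` is a GNU extension the kernel already relies on, so the form is fine.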
@@ -78,3 +78,10 @@ staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
 staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
 staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
 staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
+sh_eth-fix-trscer-mask-for-r7s72100.patch
+nfsv4.2-fix-return-value-of-_nfs4_get_security_label.patch
+block-rsxx-fix-error-return-code-of-rsxx_pci_probe.patch
+configfs-fix-a-use-after-free-in-__configfs_open_fil.patch
+stop_machine-mark-helpers-__always_inline.patch
+include-linux-sched-mm.h-use-rcu_dereference-in-in_v.patch
+prctl-fix-pr_set_mm_auxv-kernel-stack-leak.patch
diff --git a/queue-4.14/sh_eth-fix-trscer-mask-for-r7s72100.patch b/queue-4.14/sh_eth-fix-trscer-mask-for-r7s72100.patch
new file mode 100644
index 00000000000..4d3b1189230
--- /dev/null
+++ b/queue-4.14/sh_eth-fix-trscer-mask-for-r7s72100.patch
@@ -0,0 +1,38 @@
+From 275b74b9dad75f4042ed33d69badb19207d34fba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Feb 2021 23:26:34 +0300
+Subject: sh_eth: fix TRSCER mask for R7S72100
+
+From: Sergey Shtylyov
+
+[ Upstream commit 75be7fb7f978202c4c3a1a713af4485afb2ff5f6 ]
+
+According to the RZ/A1H Group, RZ/A1M Group User's Manual: Hardware,
+Rev. 4.00, the TRSCER register has bit 9 reserved, hence we can't use
+the driver's default TRSCER mask. Add the explicit initializer for
+sh_eth_cpu_data::trscer_err_mask for R7S72100.
+
+Fixes: db893473d313 ("sh_eth: Add support for r7s72100")
+Signed-off-by: Sergey Shtylyov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 23edf1909e58..dab1597287b9 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -533,6 +533,8 @@ static struct sh_eth_cpu_data r7s72100_data = {
+ EESR_TDE,
+ .fdr_value = 0x0000070f,
+
++ .trscer_err_mask = DESC_I_RINT8 | DESC_I_RINT5,
++
+ .no_psr = 1,
+ .apr = 1,
+ .mpr = 1,
+--
+2.30.1
+
diff --git a/queue-4.14/stop_machine-mark-helpers-__always_inline.patch b/queue-4.14/stop_machine-mark-helpers-__always_inline.patch
new file mode 100644
index 00000000000..646e63c4f12
--- /dev/null
+++ b/queue-4.14/stop_machine-mark-helpers-__always_inline.patch
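Review bot: The new `.trscer_err_mask = DESC_I_RINT8 | DESC_I_RINT5,` gives no hint of why this SoC departs from the driver default, and the manual citation lives only in the commit message; a one-line comment above the initializer, `/* TRSCER bit 9 is reserved on RZ/A1 (HW manual rev. 4.00); do not use the default mask */`, would keep a later cleanup from "simplifying" it back to the default. The hunk does not show the driver-wide default or how `trscer_err_mask` is consumed, so whether these two bits are the complete set of valid error bits for R7S72100 is something only the manual can confirm. The `r7s72100_data` initializer starts and ends outside the hunk.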
@@ -0,0 +1,83 @@
+From a4c0a1a21bab20e434e4afb1d1ff260d9a9805c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Mar 2021 21:07:04 -0800
+Subject: stop_machine: mark helpers __always_inline
+
+From: Arnd Bergmann
+
+[ Upstream commit cbf78d85079cee662c45749ef4f744d41be85d48 ]
+
+With clang-13, some functions only get partially inlined, with a
+specialized version referring to a global variable. This triggers a
+harmless build-time check for the intel-rng driver:
+
+WARNING: modpost: drivers/char/hw_random/intel-rng.o(.text+0xe): Section mismatch in reference from the function stop_machine() to the function .init.text:intel_rng_hw_init()
+The function stop_machine() references
+the function __init intel_rng_hw_init().
+This is often because stop_machine lacks a __init
+annotation or the annotation of intel_rng_hw_init is wrong.
+
+In this instance, an easy workaround is to force the stop_machine()
+function to be inline, along with related interfaces that did not show the
+same behavior at the moment, but theoretically could.
+
+The combination of the two patches listed below triggers the behavior in
+clang-13, but individually these commits are correct.
+
+Link: https://lkml.kernel.org/r/20210225130153.1956990-1-arnd@kernel.org
+Fixes: fe5595c07400 ("stop_machine: Provide stop_machine_cpuslocked()")
+Fixes: ee527cd3a20c ("Use stop_machine_run in the Intel RNG driver")
+Signed-off-by: Arnd Bergmann
+Cc: Nathan Chancellor
+Cc: Nick Desaulniers
+Cc: Thomas Gleixner
+Cc: Sebastian Andrzej Siewior
+Cc: "Paul E. McKenney"
+Cc: Ingo Molnar
+Cc: Prarit Bhargava
+Cc: Daniel Bristot de Oliveira
+Cc: Peter Zijlstra
+Cc: Valentin Schneider
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/linux/stop_machine.h | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/stop_machine.h b/include/linux/stop_machine.h
+index 6d3635c86dbe..ccdaa8fd5657 100644
+--- a/include/linux/stop_machine.h
++++ b/include/linux/stop_machine.h
+@@ -138,7 +138,7 @@ int stop_machine_from_inactive_cpu(cpu_stop_fn_t fn, void *data,
+ const struct cpumask *cpus);
+ #else /* CONFIG_SMP || CONFIG_HOTPLUG_CPU */
+
+-static inline int stop_machine_cpuslocked(cpu_stop_fn_t fn, void *data,
++static __always_inline int stop_machine_cpuslocked(cpu_stop_fn_t fn, void *data,
+ const struct cpumask *cpus)
+ {
+ unsigned long flags;
+@@ -149,14 +149,15 @@ static inline int stop_machine_cpuslocked(cpu_stop_fn_t fn, void *data,
+ return ret;
+ }
+
+-static inline int stop_machine(cpu_stop_fn_t fn, void *data,
+- const struct cpumask *cpus)
++static __always_inline int
++stop_machine(cpu_stop_fn_t fn, void *data, const struct cpumask *cpus)
+ {
+ return stop_machine_cpuslocked(fn, data, cpus);
+ }
+
+-static inline int stop_machine_from_inactive_cpu(cpu_stop_fn_t fn, void *data,
+- const struct cpumask *cpus)
++static __always_inline int
++stop_machine_from_inactive_cpu(cpu_stop_fn_t fn, void *data,
++ const struct cpumask *cpus)
+ {
+ return stop_machine(fn, data, cpus);
+ }
+--
+2.30.1
+
--
2.47.3
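Review bot: The three `#else` stubs now carry `__always_inline` with nothing in the header saying why, and the reason (a compiler partially inlining a stub into a caller that passes an `__init` function, which leaves an out-of-line copy referencing `.init.text` and trips modpost's section-mismatch check) is not something a later "inline is enough" cleanup will guess; I would add a comment above the first stub, e.g. `/* __always_inline: a partially inlined copy referencing an __init fn passed by the caller trips modpost section-mismatch checks (seen with clang-13) */`. Only the `!CONFIG_SMP && !CONFIG_HOTPLUG_CPU` branch is touched, and the body of `stop_machine_cpuslocked()` lies between the two hunks and was not reviewed. Forcing inlining changes no behaviour here; callers simply no longer get an out-of-line instance to reference.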