1. 18 Dec, 2023 2 commits
    • Paulo Alcantara's avatar
      smb: client: fix OOB in SMB2_query_info_init() · 33eae65c
      Paulo Alcantara authored
      A small CIFS buffer (448 bytes) isn't big enough to hold
      SMB2_QUERY_INFO request along with user's input data from
      CIFS_QUERY_INFO ioctl.  That is, if the user passed an input buffer >
      344 bytes, the client will memcpy() off the end of @req->Buffer in
      SMB2_query_info_init() thus causing the following KASAN splat:
      
        BUG: KASAN: slab-out-of-bounds in SMB2_query_info_init+0x242/0x250 [cifs]
        Write of size 1023 at addr ffff88801308c5a8 by task a.out/1240
      
        CPU: 1 PID: 1240 Comm: a.out Not tainted 6.7.0-rc4 #5
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
        rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x4a/0x80
         print_report+0xcf/0x650
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __phys_addr+0x46/0x90
         kasan_report+0xd8/0x110
         ? SMB2_query_info_init+0x242/0x250 [cifs]
         ? SMB2_query_info_init+0x242/0x250 [cifs]
         kasan_check_range+0x105/0x1b0
         __asan_memcpy+0x3c/0x60
         SMB2_query_info_init+0x242/0x250 [cifs]
         ? __pfx_SMB2_query_info_init+0x10/0x10 [cifs]
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? smb_rqst_len+0xa6/0xc0 [cifs]
         smb2_ioctl_query_info+0x4f4/0x9a0 [cifs]
         ? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
         ? __pfx_cifsConvertToUTF16+0x10/0x10 [cifs]
         ? kasan_set_track+0x25/0x30
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __kasan_kmalloc+0x8f/0xa0
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? cifs_strndup_to_utf16+0x12d/0x1a0 [cifs]
         ? __build_path_from_dentry_optional_prefix+0x19d/0x2d0 [cifs]
         ? __pfx_smb2_ioctl_query_info+0x10/0x10 [cifs]
         cifs_ioctl+0x11c7/0x1de0 [cifs]
         ? __pfx_cifs_ioctl+0x10/0x10 [cifs]
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? rcu_is_watching+0x23/0x50
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __rseq_handle_notify_resume+0x6cd/0x850
         ? __pfx___schedule+0x10/0x10
         ? blkcg_iostat_update+0x250/0x290
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? ksys_write+0xe9/0x170
         __x64_sys_ioctl+0xc9/0x100
         do_syscall_64+0x47/0xf0
         entry_SYSCALL_64_after_hwframe+0x6f/0x77
        RIP: 0033:0x7f893dde49cf
        Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48
        89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89>
        c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
        RSP: 002b:00007ffc03ff4160 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
        RAX: ffffffffffffffda RBX: 00007ffc03ff4378 RCX: 00007f893dde49cf
        RDX: 00007ffc03ff41d0 RSI: 00000000c018cf07 RDI: 0000000000000003
        RBP: 00007ffc03ff4260 R08: 0000000000000410 R09: 0000000000000001
        R10: 00007f893dce7300 R11: 0000000000000246 R12: 0000000000000000
        R13: 00007ffc03ff4388 R14: 00007f893df15000 R15: 0000000000406de0
         </TASK>
      
      Fix this by increasing size of SMB2_QUERY_INFO request buffers and
      validating input length to prevent other callers from overflowing @req
      in SMB2_query_info_init() as well.
      
      Fixes: f5b05d62 ("cifs: add IOCTL for QUERY_INFO passthrough to userspace")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarRobert Morris <rtm@csail.mit.edu>
      Signed-off-by: default avatarPaulo Alcantara <pc@manguebit.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      33eae65c
    • Paulo Alcantara's avatar
      smb: client: fix OOB in cifsd when receiving compounded resps · a8f68b11
      Paulo Alcantara authored
      Validate next header's offset in ->next_header() so that it isn't
      smaller than MID_HEADER_SIZE(server) and then standard_receive3() or
      ->receive() ends up writing off the end of the buffer because
      'pdu_length - MID_HEADER_SIZE(server)' wraps up to a huge length:
      
        BUG: KASAN: slab-out-of-bounds in _copy_to_iter+0x4fc/0x840
        Write of size 701 at addr ffff88800caf407f by task cifsd/1090
      
        CPU: 0 PID: 1090 Comm: cifsd Not tainted 6.7.0-rc4 #5
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
        rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x4a/0x80
         print_report+0xcf/0x650
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __phys_addr+0x46/0x90
         kasan_report+0xd8/0x110
         ? _copy_to_iter+0x4fc/0x840
         ? _copy_to_iter+0x4fc/0x840
         kasan_check_range+0x105/0x1b0
         __asan_memcpy+0x3c/0x60
         _copy_to_iter+0x4fc/0x840
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? hlock_class+0x32/0xc0
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __pfx__copy_to_iter+0x10/0x10
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? lock_is_held_type+0x90/0x100
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __might_resched+0x278/0x360
         ? __pfx___might_resched+0x10/0x10
         ? srso_alias_return_thunk+0x5/0xfbef5
         __skb_datagram_iter+0x2c2/0x460
         ? __pfx_simple_copy_to_iter+0x10/0x10
         skb_copy_datagram_iter+0x6c/0x110
         tcp_recvmsg_locked+0x9be/0xf40
         ? __pfx_tcp_recvmsg_locked+0x10/0x10
         ? mark_held_locks+0x5d/0x90
         ? srso_alias_return_thunk+0x5/0xfbef5
         tcp_recvmsg+0xe2/0x310
         ? __pfx_tcp_recvmsg+0x10/0x10
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? lock_acquire+0x14a/0x3a0
         ? srso_alias_return_thunk+0x5/0xfbef5
         inet_recvmsg+0xd0/0x370
         ? __pfx_inet_recvmsg+0x10/0x10
         ? __pfx_lock_release+0x10/0x10
         ? do_raw_spin_trylock+0xd1/0x120
         sock_recvmsg+0x10d/0x150
         cifs_readv_from_socket+0x25a/0x490 [cifs]
         ? __pfx_cifs_readv_from_socket+0x10/0x10 [cifs]
         ? srso_alias_return_thunk+0x5/0xfbef5
         cifs_read_from_socket+0xb5/0x100 [cifs]
         ? __pfx_cifs_read_from_socket+0x10/0x10 [cifs]
         ? __pfx_lock_release+0x10/0x10
         ? do_raw_spin_trylock+0xd1/0x120
         ? _raw_spin_unlock+0x23/0x40
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __smb2_find_mid+0x126/0x230 [cifs]
         cifs_demultiplex_thread+0xd39/0x1270 [cifs]
         ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
         ? __pfx_lock_release+0x10/0x10
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? mark_held_locks+0x1a/0x90
         ? lockdep_hardirqs_on_prepare+0x136/0x210
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? srso_alias_return_thunk+0x5/0xfbef5
         ? __kthread_parkme+0xce/0xf0
         ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]
         kthread+0x18d/0x1d0
         ? kthread+0xdb/0x1d0
         ? __pfx_kthread+0x10/0x10
         ret_from_fork+0x34/0x60
         ? __pfx_kthread+0x10/0x10
         ret_from_fork_asm+0x1b/0x30
         </TASK>
      
      Fixes: 8ce79ec3 ("cifs: update multiplex loop to handle compounded responses")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarRobert Morris <rtm@csail.mit.edu>
      Signed-off-by: default avatarPaulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      a8f68b11
  2. 17 Dec, 2023 10 commits
  3. 16 Dec, 2023 3 commits
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 3b8a9b2e
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Fix eventfs to check creating new files for events with names greater
         than NAME_MAX. The eventfs lookup needs to check the return result of
         simple_lookup().
      
       - Fix the ring buffer to check the proper max data size. Events must be
         able to fit on the ring buffer sub-buffer, if it cannot, then it
         fails to be written and the logic to add the event is avoided. The
         code to check if an event can fit failed to add the possible absolute
         timestamp which may make the event not be able to fit. This causes
         the ring buffer to go into an infinite loop trying to find a
         sub-buffer that would fit the event. Luckily, there's a check that
         will bail out if it looped over a 1000 times and it also warns.
      
         The real fix is not to add the absolute timestamp to an event that is
         starting at the beginning of a sub-buffer because it uses the
         sub-buffer timestamp.
      
         By avoiding the timestamp at the start of the sub-buffer allows
         events that pass the first check to always find a sub-buffer that it
         can fit on.
      
       - Have large events that do not fit on a trace_seq to print "LINE TOO
         BIG" like it does for the trace_pipe instead of what it does now
         which is to silently drop the output.
      
       - Fix a memory leak of forgetting to free the spare page that is saved
         by a trace instance.
      
       - Update the size of the snapshot buffer when the main buffer is
         updated if the snapshot buffer is allocated.
      
       - Fix ring buffer timestamp logic by removing all the places that tried
         to put the before_stamp back to the write stamp so that the next
         event doesn't add an absolute timestamp. But each of these updates
         added a race where by making the two timestamp equal, it was
         validating the write_stamp so that it can be incorrectly used for
         calculating the delta of an event.
      
       - There's a temp buffer used for printing the event that was using the
         event data size for allocation when it needed to use the size of the
         entire event (meta-data and payload data)
      
       - For hardening, use "%.*s" for printing the trace_marker output, to
         limit the amount that is printed by the size of the event. This was
         discovered by development that added a bug that truncated the '\0'
         and caused a crash.
      
       - Fix a use-after-free bug in the use of the histogram files when an
         instance is being removed.
      
       - Remove a useless update in the rb_try_to_discard of the write_stamp.
         The before_stamp was already changed to force the next event to add
         an absolute timestamp that the write_stamp is not used. But the
         write_stamp is modified again using an unneeded 64-bit cmpxchg.
      
       - Fix several races in the 32-bit implementation of the
         rb_time_cmpxchg() that does a 64-bit cmpxchg.
      
       - While looking at fixing the 64-bit cmpxchg, I noticed that because
         the ring buffer uses normal cmpxchg, and this can be done in NMI
         context, there's some architectures that do not have a working
         cmpxchg in NMI context. For these architectures, fail recording
         events that happen in NMI context.
      
      * tag 'trace-v6.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        ring-buffer: Do not record in NMI if the arch does not support cmpxchg in NMI
        ring-buffer: Have rb_time_cmpxchg() set the msb counter too
        ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()
        ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
        ring-buffer: Remove useless update to write_stamp in rb_try_to_discard()
        ring-buffer: Do not try to put back write_stamp
        tracing: Fix uaf issue when open the hist or hist_debug file
        tracing: Add size check when printing trace_marker output
        ring-buffer: Have saved event hold the entire event
        ring-buffer: Do not update before stamp when switching sub-buffers
        tracing: Update snapshot buffer on resize if it is allocated
        ring-buffer: Fix memory leak of free page
        eventfs: Fix events beyond NAME_MAX blocking tasks
        tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
        ring-buffer: Fix writing to the buffer with max_data_size
      3b8a9b2e
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · c8e97fc6
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Arm CMN perf: fix the DTC allocation failure path which can end up
         erroneously clearing live counters
      
       - arm64/mm: fix hugetlb handling of the dirty page state leading to a
         continuous fault loop in user on hardware without dirty bit
         management (DBM). That's caused by the dirty+writeable information
         not being properly preserved across a series of mprotect(PROT_NONE),
         mprotect(PROT_READ|PROT_WRITE)
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
        perf/arm-cmn: Fail DTC counter allocation correctly
      c8e97fc6
    • Linus Torvalds's avatar
      Merge tag 'pci-v6.7-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci · 2e3f280b
      Linus Torvalds authored
      Pull pci fixes from Bjorn Helgaas:
      
       - Limit Max_Read_Request_Size (MRRS) on some MIPS Loongson systems
         because they don't all support MRRS > 256, and firmware doesn't
         always initialize it correctly, which meant some PCIe devices didn't
         work (Jiaxun Yang)
      
       - Add and use pci_enable_link_state_locked() to prevent potential
         deadlocks in vmd and qcom drivers (Johan Hovold)
      
       - Revert recent (v6.5) acpiphp resource assignment changes that fixed
         issues with hot-adding devices on a root bus or with large BARs, but
         introduced new issues with GPU initialization and hot-adding SCSI
         disks in QEMU VMs and (Bjorn Helgaas)
      
      * tag 'pci-v6.7-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
        Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
        PCI/ASPM: Add pci_disable_link_state_locked() lockdep assert
        PCI/ASPM: Clean up __pci_disable_link_state() 'sem' parameter
        PCI: qcom: Clean up ASPM comment
        PCI: qcom: Fix potential deadlock when enabling ASPM
        PCI: vmd: Fix potential deadlock when enabling ASPM
        PCI/ASPM: Add pci_enable_link_state_locked()
        PCI: loongson: Limit MRRS to 256
      2e3f280b
  4. 15 Dec, 2023 24 commits
  5. 14 Dec, 2023 1 commit
    • Al Viro's avatar
      io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation · 1ba0e9d6
      Al Viro authored
      	In 8e9fad0e "io_uring: Add io_uring command support for sockets"
      you've got an include of asm-generic/ioctls.h done in io_uring/uring_cmd.c.
      That had been done for the sake of this chunk -
      +               ret = prot->ioctl(sk, SIOCINQ, &arg);
      +               if (ret)
      +                       return ret;
      +               return arg;
      +       case SOCKET_URING_OP_SIOCOUTQ:
      +               ret = prot->ioctl(sk, SIOCOUTQ, &arg);
      
      SIOC{IN,OUT}Q are defined to symbols (FIONREAD and TIOCOUTQ) that come from
      ioctls.h, all right, but the values vary by the architecture.
      
      FIONREAD is
      	0x467F on mips
      	0x4004667F on alpha, powerpc and sparc
      	0x8004667F on sh and xtensa
      	0x541B everywhere else
      TIOCOUTQ is
      	0x7472 on mips
      	0x40047473 on alpha, powerpc and sparc
      	0x80047473 on sh and xtensa
      	0x5411 everywhere else
      
      ->ioctl() expects the same values it would've gotten from userland; all
      places where we compare with SIOC{IN,OUT}Q are using asm/ioctls.h, so
      they pick the correct values.  io_uring_cmd_sock(), OTOH, ends up
      passing the default ones.
      
      Fixes: 8e9fad0e ("io_uring: Add io_uring command support for sockets")
      Cc:  <stable@vger.kernel.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Link: https://lore.kernel.org/r/20231214213408.GT1674809@ZenIVSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      1ba0e9d6