diff --git a/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch b/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
new file mode 100644
index 0000000..3988918
--- /dev/null
+++ b/patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
@@ -0,0 +1,38 @@
+From 1e9ac114c4428fdb7ff4635b45d4f46017e8916f Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Thu, 9 Mar 2023 16:07:39 +0800
+Subject: [PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
+Git-commit: 1e9ac114c4428fdb7ff4635b45d4f46017e8916f
+Patch-mainline: v6.3-rc4
+References: CVE-2023-1989 bsc#1210336
+
+In btsdio_probe, &data->work was bound with btsdio_work.In
+btsdio_send_frame, it was started by schedule_work.
+
+If we call btsdio_remove with an unfinished job, there may
+be a race condition and cause UAF bug on hdev.
+
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Signed-off-by: Zheng Wang
+Signed-off-by: Luiz Augusto von Dentz
+Acked-by: Takashi Iwai
+
+---
+ drivers/bluetooth/btsdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index 795be33f2892..02893600db39 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -354,6 +354,7 @@ static void btsdio_remove(struct sdio_func *func)
+ 
+ BT_DBG("func %p", func);
+ 
++ cancel_work_sync(&data->work);
+ if (!data)
+ return;
+ 
+-- 
+2.35.3
+
diff --git a/patches.suse/Fix-double-fget-in-vhost_net_set_backend.patch b/patches.suse/Fix-double-fget-in-vhost_net_set_backend.patch
new file mode 100644
index 0000000..d20d3de
--- /dev/null
+++ b/patches.suse/Fix-double-fget-in-vhost_net_set_backend.patch
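Review bot: The added `cancel_work_sync(&data->work);` dereferences `data` one line before the existing `if (!data) return;` guard, so a NULL `data` now faults in btsdio_remove instead of returning early. Move the call below the guard, keeping `if (!data) return;` first and then `cancel_work_sync(&data->work);`, so the work is still flushed before the hdev teardown that follows. The rest of btsdio_remove, including where `data` is assigned, lies outside the hunk.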
@@ -0,0 +1,67 @@
+From: Al Viro
+Date: Mon, 16 May 2022 16:42:13 +0800
+Subject: Fix double fget() in vhost_net_set_backend()
+Patch-mainline: v5.18
+Git-commit: fb4554c2232e44d595920f4d5c66cf8f7d13f9bc
+References: bsc#1210203 CVE-2023-1838
+
+Descriptor table is a shared resource; two fget() on the same descriptor
+may return different struct file references. get_tap_ptr_ring() is
+called after we'd found (and pinned) the socket we'll be using and it
+tries to find the private tun/tap data structures associated with it.
+Redoing the lookup by the same file descriptor we'd used to get the
+socket is racy - we need to same struct file.
+
+Thanks to Jason for spotting a braino in the original variant of patch -
+I'd missed the use of fd == -1 for disabling backend, and in that case
+we can end up with sock == NULL and sock != oldsock.
+
+Cc: stable@kernel.org
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Jason Wang
+Signed-off-by: Al Viro
+Acked-by: Thomas Bogendoerfer
+---
+ drivers/vhost/net.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -1436,13 +1436,9 @@ err:
+ return ERR_PTR(r);
+ }
+ 
+-static struct ptr_ring *get_tap_ptr_ring(int fd)
++static struct ptr_ring *get_tap_ptr_ring(struct file *file)
+ {
+ struct ptr_ring *ring;
+- struct file *file = fget(fd);
+-
+- if (!file)
+- return NULL;
+ ring = tun_get_tx_ring(file);
+ if (!IS_ERR(ring))
+ goto out;
+@@ -1451,7 +1447,6 @@ static struct ptr_ring *get_tap_ptr_ring
+ goto out;
+ ring = NULL;
+ out:
+- fput(file);
+ return ring;
+ }
+ 
+@@ -1538,8 +1533,12 @@ static long vhost_net_set_backend(struct
+ r = vhost_net_enable_vq(n, vq);
+ if (r)
+ goto err_used;
+- if (index == VHOST_NET_VQ_RX)
+- nvq->rx_ring = get_tap_ptr_ring(fd);
++ if (index == VHOST_NET_VQ_RX) {
++ if (sock)
++ nvq->rx_ring = get_tap_ptr_ring(sock->file);
++ else
++ nvq->rx_ring = NULL;
++ }
+ 
+ oldubufs = nvq->ubufs;
+ nvq->ubufs = ubufs;
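Review bot: `get_tap_ptr_ring()` no longer takes or drops a file reference of its own, but nothing at the function states that the `struct file` it receives must be kept pinned by the caller; the only place that contract is spelled out is the commit text. A comment above the new signature, e.g. `/* @file must be held by the caller (here: the already-pinned socket's file); no fget()/fput() is done in here. */`, would stop a future caller from passing an unpinned file and reintroducing the race. The `if (sock)` branch in vhost_net_set_backend matches the fd == -1 disable case the description mentions; both functions extend beyond the hunk.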
diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch index 8035acc..cec5cc7 100644 --- a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch @@ -3,7 +3,7 @@ Date: Thu, 1 Sep 2022 15:10:18 -0400 Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv2 READ Git-commit: 401bc1f90874280a80b93f23be33a0e7e2d1f912 Patch-mainline: v6.1 -References: bsc#1205128 CVE-2022-43945 +References: bsc#1205128 CVE-2022-43945 bsc#1210124 Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send @@ -28,16 +28,33 @@ Reviewed-by: Jeff Layton Acked-by: NeilBrown --- - fs/nfsd/nfsxdr.c | 1 + - 1 file changed, 1 insertion(+) + fs/nfsd/nfsxdr.c | 8 ++++++++ + 1 file changed, 8 insertions(+) --- a/fs/nfsd/nfsxdr.c +++ b/fs/nfsd/nfsxdr.c -@@ -249,6 +249,7 @@ nfssvc_decode_readargs(struct svc_rqst * +@@ -239,16 +239,24 @@ nfssvc_decode_readargs(struct svc_rqst * + { + struct nfsd_readargs *args = rqstp->rq_argp; + unsigned int len; ++ unsigned int pages; + int v; ++ + p = decode_fh(p, &args->fh); + if (!p) + return 0; + ++ /* calculate available pages for reply body */ ++ pages = (rqstp->rq_server->sv_max_mesg / PAGE_SIZE + 1); ++ pages -= (rqstp->rq_next_page - rqstp->rq_pages); ++ + args->offset = ntohl(*p++); + len = args->count = ntohl(*p++); p++; /* totalcount - unused */ len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2); -+ len = min_t(unsigned int, len, rqstp->rq_res.buflen); ++ len = min_t(unsigned int, len, pages * PAGE_SIZE); ++ args->count = len; /* set up somewhere to store response. * We take pages, put them on reslist and include in iovec 
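Review bot: `pages` is an `unsigned int` and the new `pages -= (rqstp->rq_next_page - rqstp->rq_pages);` is unguarded, so if the number of pages already consumed ever exceeds `sv_max_mesg / PAGE_SIZE + 1` the value wraps and `pages * PAGE_SIZE` stops bounding `len` at all; whether that is reachable depends on the size of `rq_pages`, which is not visible here. A clamp keeps the bound monotone, e.g. `unsigned int used = rqstp->rq_next_page - rqstp->rq_pages;` followed by `pages = used < pages ? pages - used : 0;`, and makes the invariant explicit instead of relying on it silently. The same unchecked arithmetic is repeated in the NFSv3 READ decoder (nfs3svc_decode_readargs) and the READDIRPLUS decoder (nfs3svc_decode_readdirplusargs) later in this series, so the clamp belongs in all three. nfssvc_decode_readargs continues past the hunk.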
diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch index 70f8071..4b661cf 100644 --- a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch @@ -3,7 +3,7 @@ Date: Thu, 1 Sep 2022 15:10:24 -0400 Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv3 READ Git-commit: fa6be9cc6e80ec79892ddf08a8c10cabab9baf38 Patch-mainline: v6.1 -References: bsc#1205128 CVE-2022-43945 +References: bsc#1205128 CVE-2022-43945 bsc#1210124 Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send @@ -28,22 +28,13 @@ Reviewed-by: Jeff Layton Acked-by: NeilBrown --- - fs/nfsd/nfs3proc.c | 4 ++++ - fs/nfsd/nfs3xdr.c | 1 + - 2 files changed, 5 insertions(+) + fs/nfsd/nfs3proc.c | 2 ++ + fs/nfsd/nfs3xdr.c | 11 +++++++++-- + 2 files changed, 11 insertions(+), 2 deletions(-) --- a/fs/nfsd/nfs3proc.c +++ b/fs/nfsd/nfs3proc.c -@@ -156,6 +156,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp) - u32 max_blocksize = svc_max_payload(rqstp); - unsigned long cnt = min(argp->count, max_blocksize); - -+ cnt = min_t(unsigned long, cnt, rqstp->rq_res.buflen); -+ - dprintk("nfsd: READ(3) %s %lu bytes at %Lu\n", - SVCFH_fmt(&argp->fh), - (unsigned long) argp->count, -@@ -166,6 +168,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp) +@@ -171,6 +171,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp) * + 1 (xdr opaque byte count) = 26 */ resp->count = cnt; @@ -54,11 +45,27 @@ Acked-by: NeilBrown fh_copy(&resp->fh, &argp->fh); --- a/fs/nfsd/nfs3xdr.c 
+++ b/fs/nfsd/nfs3xdr.c -@@ -377,6 +377,7 @@ nfs3svc_decode_readargs(struct svc_rqst +@@ -369,14 +369,21 @@ nfs3svc_decode_readargs(struct svc_rqst + unsigned int len; + int v; + u32 max_blocksize = svc_max_payload(rqstp); ++ unsigned int pages; ++ ++ /* calculate available pages for reply body */ ++ pages = (rqstp->rq_server->sv_max_mesg / PAGE_SIZE + 1); ++ pages -= (rqstp->rq_next_page - rqstp->rq_pages); + + p = decode_fh(p, &args->fh); + if (!p) + return 0; + p = xdr_decode_hyper(p, &args->offset); - args->count = ntohl(*p++); - len = min(args->count, max_blocksize); -+ len = min(len, rqstp->rq_res.buflen); +- args->count = ntohl(*p++); +- len = min(args->count, max_blocksize); ++ len = ntohl(*p++); ++ len = min(len, max_blocksize); ++ len = min_t(unsigned int, len, pages * PAGE_SIZE); ++ args->count = len; /* set up the kvec */ v=0; diff --git a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch index 3210927..c72a8f1 100644 --- a/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch +++ b/patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch @@ -3,7 +3,7 @@ Date: Thu, 1 Sep 2022 15:10:12 -0400 Subject: [PATCH] NFSD: Protect against send buffer overflow in NFSv3 READDIR Git-commit: 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 Patch-mainline: v6.1 -References: bsc#1205128 CVE-2022-43945 +References: bsc#1205128 CVE-2022-43945 bsc#1210124 Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send @@ -32,18 +32,17 @@ Reviewed-by: Jeff Layton Acked-by: NeilBrown --- - fs/nfsd/nfs3proc.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) + fs/nfsd/nfs3proc.c | 19 ++++++++++++++++--- + fs/nfsd/nfs3xdr.c | 8 +++++++- + 2 files changed, 23 insertions(+), 4 deletions(-) --- a/fs/nfsd/nfs3proc.c 
+++ b/fs/nfsd/nfs3proc.c -@@ -450,9 +450,17 @@ nfsd3_proc_readdir(struct svc_rqst *rqst +@@ -459,9 +459,15 @@ nfsd3_proc_readdir(struct svc_rqst *rqst SVCFH_fmt(&argp->fh), argp->count, (u32) argp->cookie); + count = argp->count; -+ if (count > rqstp->rq_res.buflen) -+ count = rqstp->rq_res.buflen; + if (count > svc_max_payload(rqstp)) + count = svc_max_payload(rqstp); /* Make sure we've room for the NULL ptr & eof flag, and shrink to @@ -56,7 +55,7 @@ Acked-by: NeilBrown /* Read directory and encode entries on the fly */ fh_copy(&resp->fh, &argp->fh); -@@ -503,7 +511,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * +@@ -512,7 +518,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * struct nfsd3_readdirargs *argp = rqstp->rq_argp; struct nfsd3_readdirres *resp = rqstp->rq_resp; __be32 nfserr; @@ -65,13 +64,11 @@ Acked-by: NeilBrown loff_t offset; struct page **p; caddr_t page_addr = NULL; -@@ -512,9 +520,17 @@ nfsd3_proc_readdirplus(struct svc_rqst * +@@ -521,9 +527,15 @@ nfsd3_proc_readdirplus(struct svc_rqst * SVCFH_fmt(&argp->fh), argp->count, (u32) argp->cookie); + count = argp->count; -+ if (count > rqstp->rq_res.buflen) -+ count = rqstp->rq_res.buflen; + if (count > svc_max_payload(rqstp)) + count = svc_max_payload(rqstp); /* Convert byte count to number of words (i.e. >> 2), @@ -84,7 +81,7 @@ Acked-by: NeilBrown /* Read directory and encode entries on the fly */ fh_copy(&resp->fh, &argp->fh); -@@ -537,6 +553,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * +@@ -546,6 +558,7 @@ nfsd3_proc_readdirplus(struct svc_rqst * &resp->common, nfs3svc_encode_entry_plus); memcpy(resp->verf, argp->verf, 8); 
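Review bot: Dropping the `rq_res.buflen` clamp leaves plain READDIR in nfsd3_proc_readdir bounded only by `svc_max_payload(rqstp)`, while the page-count bound this series substitutes is added only to the READDIRPLUS decoder; nfs3svc_decode_readdirargs is not in this diff, so whether it already caps `args->count` to the pages it actually pins needs to be checked. If it does not, READDIR keeps the send-buffer overflow window this backport is meant to close, and a bound mirroring the READDIRPLUS one (available pages times PAGE_SIZE) belongs there as well. nfsd3_proc_readdir and nfsd3_proc_readdirplus both extend beyond these hunks.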
@@ -92,3 +89,27 @@ Acked-by: NeilBrown for (p = rqstp->rq_respages + 1; p < rqstp->rq_next_page; p++) { page_addr = page_address(*p); +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -602,6 +602,11 @@ nfs3svc_decode_readdirplusargs(struct sv + struct nfsd3_readdirargs *args = rqstp->rq_argp; + int len; + u32 max_blocksize = svc_max_payload(rqstp); ++ unsigned int pages; ++ ++ /* calculate available pages for reply body */ ++ pages = (rqstp->rq_server->sv_max_mesg / PAGE_SIZE + 1); ++ pages -= (rqstp->rq_next_page - rqstp->rq_pages); + + p = decode_fh(p, &args->fh); + if (!p) +@@ -611,7 +616,8 @@ nfs3svc_decode_readdirplusargs(struct sv + args->dircount = ntohl(*p++); + args->count = ntohl(*p++); + +- len = args->count = min(args->count, max_blocksize); ++ args->count = min(args->count, max_blocksize); ++ len = args->count = min_t(unsigned int, args->count, pages * PAGE_SIZE); + while (len > 0) { + struct page *p = *(rqstp->rq_next_page++); + if (!args->buffer) diff --git a/patches.suse/btrfs-fix-race-between-quota-disable-and-quota-assig.patch b/patches.suse/btrfs-fix-race-between-quota-disable-and-quota-assig.patch new file mode 100644 index 0000000..77ea0ba --- /dev/null +++ b/patches.suse/btrfs-fix-race-between-quota-disable-and-quota-assig.patch 
@@ -0,0 +1,200 @@ +From: Filipe Manana +Date: Wed, 22 Mar 2023 10:33:28 +0000 +Git-commit: 2f1a6be12ab6c8470d5776e68644726c94257c54 +Patch-mainline: v6.3-rc5 +References: CVE-2023-1611 bsc#1209687 +Subject: [PATCH] btrfs: fix race between quota disable and quota assign ioctls + +The quota assign ioctl can currently run in parallel with a quota disable +ioctl call. The assign ioctl uses the quota root, while the disable ioctl +frees that root, and therefore we can have a use-after-free triggered in +the assign ioctl, leading to a trace like the following when KASAN is +enabled: + + [672.723][T736] BUG: KASAN: slab-use-after-free in btrfs_search_slot+0x2962/0x2db0 + [672.723][T736] Read of size 8 at addr ffff888022ec0208 by task btrfs_search_sl/27736 + [672.724][T736] + [672.725][T736] CPU: 1 PID: 27736 Comm: btrfs_search_sl Not tainted 6.3.0-rc3 #37 + [672.723][T736] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + [672.727][T736] Call Trace: + [672.728][T736] + [672.728][T736] dump_stack_lvl+0xd9/0x150 + [672.725][T736] print_report+0xc1/0x5e0 + [672.720][T736] ? __virt_addr_valid+0x61/0x2e0 + [672.727][T736] ? __phys_addr+0xc9/0x150 + [672.725][T736] ? btrfs_search_slot+0x2962/0x2db0 + [672.722][T736] kasan_report+0xc0/0xf0 + [672.729][T736] ? btrfs_search_slot+0x2962/0x2db0 + [672.724][T736] btrfs_search_slot+0x2962/0x2db0 + [672.723][T736] ? fs_reclaim_acquire+0xba/0x160 + [672.722][T736] ? split_leaf+0x13d0/0x13d0 + [672.726][T736] ? rcu_is_watching+0x12/0xb0 + [672.723][T736] ? kmem_cache_alloc+0x338/0x3c0 + [672.722][T736] update_qgroup_status_item+0xf7/0x320 + [672.724][T736] ? add_qgroup_rb+0x3d0/0x3d0 + [672.739][T736] ? do_raw_spin_lock+0x12d/0x2b0 + [672.730][T736] ? spin_bug+0x1d0/0x1d0 + [672.737][T736] btrfs_run_qgroups+0x5de/0x840 + [672.730][T736] ? btrfs_qgroup_rescan_worker+0xa70/0xa70 + [672.738][T736] ? __del_qgroup_relation+0x4ba/0xe00 + [672.738][T736] btrfs_ioctl+0x3d58/0x5d80 + [672.735][T736] ? 
tomoyo_path_number_perm+0x16a/0x550 + [672.737][T736] ? tomoyo_execute_permission+0x4a0/0x4a0 + [672.731][T736] ? btrfs_ioctl_get_supported_features+0x50/0x50 + [672.737][T736] ? __sanitizer_cov_trace_switch+0x54/0x90 + [672.734][T736] ? do_vfs_ioctl+0x132/0x1660 + [672.730][T736] ? vfs_fileattr_set+0xc40/0xc40 + [672.730][T736] ? _raw_spin_unlock_irq+0x2e/0x50 + [672.732][T736] ? sigprocmask+0xf2/0x340 + [672.737][T736] ? __fget_files+0x26a/0x480 + [672.732][T736] ? bpf_lsm_file_ioctl+0x9/0x10 + [672.738][T736] ? btrfs_ioctl_get_supported_features+0x50/0x50 + [672.736][T736] __x64_sys_ioctl+0x198/0x210 + [672.736][T736] do_syscall_64+0x39/0xb0 + [672.731][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.739][T736] RIP: 0033:0x4556ad + [672.742][T736] + [672.743][T736] + [672.748][T736] Allocated by task 27677: + [672.743][T736] kasan_save_stack+0x22/0x40 + [672.741][T736] kasan_set_track+0x25/0x30 + [672.741][T736] __kasan_kmalloc+0xa4/0xb0 + [672.749][T736] btrfs_alloc_root+0x48/0x90 + [672.746][T736] btrfs_create_tree+0x146/0xa20 + [672.744][T736] btrfs_quota_enable+0x461/0x1d20 + [672.743][T736] btrfs_ioctl+0x4a1c/0x5d80 + [672.747][T736] __x64_sys_ioctl+0x198/0x210 + [672.749][T736] do_syscall_64+0x39/0xb0 + [672.744][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.756][T736] + [672.757][T736] Freed by task 27677: + [672.759][T736] kasan_save_stack+0x22/0x40 + [672.759][T736] kasan_set_track+0x25/0x30 + [672.756][T736] kasan_save_free_info+0x2e/0x50 + [672.751][T736] ____kasan_slab_free+0x162/0x1c0 + [672.758][T736] slab_free_freelist_hook+0x89/0x1c0 + [672.752][T736] __kmem_cache_free+0xaf/0x2e0 + [672.752][T736] btrfs_put_root+0x1ff/0x2b0 + [672.759][T736] btrfs_quota_disable+0x80a/0xbc0 + [672.752][T736] btrfs_ioctl+0x3e5f/0x5d80 + [672.756][T736] __x64_sys_ioctl+0x198/0x210 + [672.753][T736] do_syscall_64+0x39/0xb0 + [672.765][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.769][T736] + [672.768][T736] The buggy address belongs to the 
object at ffff888022ec0000 + [672.768][T736] which belongs to the cache kmalloc-4k of size 4096 + [672.769][T736] The buggy address is located 520 bytes inside of + [672.769][T736] freed 4096-byte region [ffff888022ec0000, ffff888022ec1000) + [672.760][T736] + [672.764][T736] The buggy address belongs to the physical page: + [672.761][T736] page:ffffea00008bb000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22ec0 + [672.766][T736] head:ffffea00008bb000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + [672.779][T736] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) + [672.770][T736] raw: 00fff00000010200 ffff888012842140 ffffea000054ba00 dead000000000002 + [672.770][T736] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 + [672.771][T736] page dumped because: kasan: bad access detected + [672.778][T736] page_owner tracks the page as allocated + [672.777][T736] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 88 + [672.779][T736] get_page_from_freelist+0x119c/0x2d50 + [672.779][T736] __alloc_pages+0x1cb/0x4a0 + [672.776][T736] alloc_pages+0x1aa/0x270 + [672.773][T736] allocate_slab+0x260/0x390 + [672.771][T736] ___slab_alloc+0xa9a/0x13e0 + [672.778][T736] __slab_alloc.constprop.0+0x56/0xb0 + [672.771][T736] __kmem_cache_alloc_node+0x136/0x320 + [672.789][T736] __kmalloc+0x4e/0x1a0 + [672.783][T736] tomoyo_realpath_from_path+0xc3/0x600 + [672.781][T736] tomoyo_path_perm+0x22f/0x420 + [672.782][T736] tomoyo_path_unlink+0x92/0xd0 + [672.780][T736] security_path_unlink+0xdb/0x150 + [672.788][T736] do_unlinkat+0x377/0x680 + [672.788][T736] __x64_sys_unlink+0xca/0x110 + [672.789][T736] do_syscall_64+0x39/0xb0 + [672.783][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.784][T736] page last free stack trace: + [672.787][T736] free_pcp_prepare+0x4e5/0x920 + [672.787][T736] free_unref_page+0x1d/0x4e0 + 
[672.784][T736] __unfreeze_partials+0x17c/0x1a0 + [672.797][T736] qlist_free_all+0x6a/0x180 + [672.796][T736] kasan_quarantine_reduce+0x189/0x1d0 + [672.797][T736] __kasan_slab_alloc+0x64/0x90 + [672.793][T736] kmem_cache_alloc+0x17c/0x3c0 + [672.799][T736] getname_flags.part.0+0x50/0x4e0 + [672.799][T736] getname_flags+0x9e/0xe0 + [672.792][T736] vfs_fstatat+0x77/0xb0 + [672.791][T736] __do_sys_newlstat+0x84/0x100 + [672.798][T736] do_syscall_64+0x39/0xb0 + [672.796][T736] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [672.790][T736] + [672.791][T736] Memory state around the buggy address: + [672.799][T736] ffff888022ec0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.805][T736] ffff888022ec0180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.802][T736] >ffff888022ec0200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.809][T736] ^ + [672.809][T736] ffff888022ec0280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [672.809][T736] ffff888022ec0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fix this by having the qgroup assign ioctl take the qgroup ioctl mutex +before calling btrfs_run_qgroups(), which is what all qgroup ioctls should +call. 
+
+Reported-by: butt3rflyh4ck
+Link: https://lore.kernel.org/linux-btrfs/CAFcO6XN3VD8ogmHwqRk4kbiwtpUSNySu2VAxN8waEPciCHJvMA@mail.gmail.com/
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+---
+ fs/btrfs/ioctl.c | 2 ++
+ fs/btrfs/qgroup.c | 14 +++++++++++---
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 6b554e788..b63450a58 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4103,7 +4103,9 @@ static long btrfs_ioctl_qgroup_assign(struct file *file, void __user *arg)
+ }
+ 
+ /* update qgroup status and info */
++ mutex_lock(&fs_info->qgroup_ioctl_lock);
+ err = btrfs_run_qgroups(trans);
++ mutex_unlock(&fs_info->qgroup_ioctl_lock);
+ if (err < 0)
+ btrfs_handle_fs_error(fs_info, err,
+ "failed to update qgroup status and info");
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 9f22108a6..274e3007f 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2556,15 +2556,23 @@ int btrfs_qgroup_account_extents(struct btrfs_trans_handle *trans)
+ }
+ 
+ /*
+- * called from commit_transaction. Writes all changed qgroups to disk.
++ * Writes all changed qgroups to disk.
++ * Called by the transaction commit path and the qgroup assign ioctl.
+ */
+ int btrfs_run_qgroups(struct btrfs_trans_handle *trans)
+ {
+ struct btrfs_fs_info *fs_info = trans->fs_info;
+- struct btrfs_root *quota_root = fs_info->quota_root;
+ int ret = 0;
+ 
+- if (!quota_root)
++ /*
++ * In case we are called from the qgroup assign ioctl, assert that we
++ * are holding the qgroup_ioctl_lock, otherwise we can race with a quota
++ * disable operation (ioctl) and access a freed quota root.
++ */
++ if (trans->transaction->state != TRANS_STATE_COMMIT_DOING)
++ lockdep_assert_held(&fs_info->qgroup_ioctl_lock);
++
++ if (!fs_info->quota_root)
+ return ret;
+ 
+ spin_lock(&fs_info->qgroup_lock);
+-- 
+2.35.3
+
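Review bot: The new `mutex_lock(&fs_info->qgroup_ioctl_lock);` in btrfs_ioctl_qgroup_assign is taken while a transaction handle (`trans`) is already held, so this path establishes the order transaction-then-mutex; if any other qgroup path takes `qgroup_ioctl_lock` first and then joins or starts a transaction, that is an inversion lockdep would report, and the disable path is not visible here, so this is worth confirming rather than assuming. The `lockdep_assert_held` guarded by `state != TRANS_STATE_COMMIT_DOING` in btrfs_run_qgroups is the right shape for catching future unlocked callers, and the comment above it says why it is conditional. Both functions continue outside the hunk.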
diff --git a/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch b/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch
new file mode 100644
index 0000000..f93e2d3
--- /dev/null
+++ b/patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch
@@ -0,0 +1,71 @@
+From 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Mon, 13 Mar 2023 00:08:37 +0800
+Subject: [PATCH] nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
+Git-commit: 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6
+Patch-mainline: v6.3-rc3
+References: git-fixes bsc#1210337 CVE-2023-1990
+
+This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
+Take st_nci_i2c_remove as an example.
+
+In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
+with llt_ndlc_sm_work.
+
+When it calls ndlc_recv or timeout handler, it will finally call
+schedule_work to start the work.
+
+When we call st_nci_i2c_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in ndlc_remove
+
+CPU0 CPU1
+
+ |llt_ndlc_sm_work
+st_nci_i2c_remove |
+ ndlc_remove |
+ st_nci_remove |
+ nci_free_device|
+ kfree(ndev) |
+//free ndlc->ndev |
+ |llt_ndlc_rcv_queue
+ |nci_recv_frame
+ |//use ndlc->ndev
+
+Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip")
+Signed-off-by: Zheng Wang
+Reviewed-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com
+Signed-off-by: Jakub Kicinski
+Acked-by: Takashi Iwai
+Acked-by: Chester Lin
+---
+ drivers/nfc/st-nci/ndlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c
+index 755460a73c0d..d2aa9f766738 100644
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -282,13 +282,15 @@ EXPORT_SYMBOL(ndlc_probe);
+ 
+ void ndlc_remove(struct llt_ndlc *ndlc)
+ {
+- st_nci_remove(ndlc->ndev);
+-
+ /* cancel timers */
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
+ ndlc->t1_active = false;
++ /* cancel work */
++ cancel_work_sync(&ndlc->sm_work);
++
++ st_nci_remove(ndlc->ndev);
+ 
+ 
skb_queue_purge(&ndlc->rcv_q); + skb_queue_purge(&ndlc->send_q); +-- +2.35.3 + diff --git a/series.conf b/series.conf index e4f94d3..1413769 100644 --- a/series.conf +++ b/series.conf @@ -23362,6 +23362,7 @@ patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch patches.suse/NFC-netlink-fix-sleep-in-atomic-bug-when-firmware-do.patch patches.suse/floppy-use-a-statically-allocated-error-counter.patch + patches.suse/Fix-double-fget-in-vhost_net_set_backend.patch patches.suse/perf-fix-sys_perf_event_open-race-against-self.patch patches.suse/md-bitmap-don-t-set-sb-values-if-can-t-pass-sanity-c.patch patches.suse/x86-entry-remove-skip_r11rcx.patch @@ -23585,6 +23586,9 @@ patches.suse/HID-bigben-use-spinlock-to-safely-schedule-workers.patch patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch patches.suse/0001-net-tls-fix-possible-race-condition-between-do_tls_g.patch + patches.suse/nfc-st-nci-Fix-use-after-free-bug-in-ndlc_remove-due.patch + patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch + patches.suse/btrfs-fix-race-between-quota-disable-and-quota-assig.patch ######################################################## # end of sorted patches
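Review bot: The teardown order in ndlc_remove is now timers, then work, then `st_nci_remove`; if llt_ndlc_sm_work re-arms `t1_timer`/`t2_timer` (the description says the timeout handlers schedule the work, and the reverse is plausible but not visible here), a work run still in flight when `del_timer_sync` returns can re-arm a timer after it was stopped, and that timer then fires after the device is freed. If both directions exist, neither ordering alone closes the window; a second `del_timer_sync` pair placed after `cancel_work_sync(&ndlc->sm_work);`, or a teardown flag that the work and the timer handlers check before re-arming, does. Whether the flag approach is needed depends on the handlers' bodies, which this patch does not show.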