author | Sasha Levin <sashal@kernel.org> | 2024-04-17 13:16:42 -0400 |
---|---|---|
committer | Sasha Levin <sashal@kernel.org> | 2024-04-17 13:16:42 -0400 |
commit | 1110627f7e419cd6e89645f2bbd6474d1c31f73d (patch) | |
tree | baefab5756c66385ce881dcf4fbaf30ae300b3e2 | |
parent | df64f132b4a82da3810f79a516034e67200692ee (diff) | |
download | stable-queue-1110627f7e419cd6e89645f2bbd6474d1c31f73d.tar.gz |
Fixes for 5.15
Signed-off-by: Sasha Levin <sashal@kernel.org>
5 files changed, 266 insertions, 0 deletions
diff --git a/queue-5.15/btrfs-record-delayed-inode-root-in-transaction.patch b/queue-5.15/btrfs-record-delayed-inode-root-in-transaction.patch
new file mode 100644
index 0000000000..4bdfc60e6c
--- /dev/null
+++ b/queue-5.15/btrfs-record-delayed-inode-root-in-transaction.patch
@@ -0,0 +1,41 @@
+From 8d6681d7b99660644581b37eefda0dc95168b6d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Mar 2024 10:14:24 -0700
+Subject: btrfs: record delayed inode root in transaction
+
+From: Boris Burkov <boris@bur.io>
+
+[ Upstream commit 71537e35c324ea6fbd68377a4f26bb93a831ae35 ]
+
+When running delayed inode updates, we do not record the inode's root in
+the transaction, but we do allocate PREALLOC and thus converted PERTRANS
+space for it. To be sure we free that PERTRANS meta rsv, we must ensure
+that we record the root in the transaction.
+
+Fixes: 4f5427ccce5d ("btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 5a98c5da12250..8d8b455992362 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1046,6 +1046,9 @@ __btrfs_commit_inode_delayed_items(struct btrfs_trans_handle *trans,
+ if (ret)
+ return ret;
+
++ ret = btrfs_record_root_in_trans(trans, node->root);
++ if (ret)
++ return ret;
+ ret = btrfs_update_delayed_inode(trans, node->root, path, node);
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/queue-5.15/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-.patch b/queue-5.15/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-.patch
new file mode 100644
index 0000000000..b69428b5b6
--- /dev/null
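Review bot: The stable marker carried inside the patch, `CC: stable@vger.kernel.org # 6.1+`, is narrower than the 5.15 queue this series adds it to, and nothing in the backport records why 5.15 is affected; a one-line note in the queued patch (for instance that the `Fixes:` commit 4f5427ccce5d predates 5.15, if that is the reason) would make the selection auditable. The added early return mirrors the `if (ret) return ret;` directly above it, so no cleanup path appears to be skipped, though `__btrfs_commit_inode_delayed_items` begins outside the hunk and whatever it holds at this point is not visible here.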
+++ b/queue-5.15/ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-.patch 
@@ -0,0 +1,54 @@
+From dfbc3db0c11731064e06a0e64b24a307af72bf47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 09:31:22 +0900
+Subject: ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 5ed11af19e56f0434ce0959376d136005745a936 ]
+
+SMB2_GLOBAL_CAP_ENCRYPTION flag should be used only for 3.0 and
+3.0.2 dialects. This flags set cause compatibility problems with
+other SMB clients.
+
+Reported-by: James Christopher Adduono <jc@adduono.com>
+Tested-by: James Christopher Adduono <jc@adduono.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2ops.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ksmbd/smb2ops.c b/fs/ksmbd/smb2ops.c
+index c69943d96565a..d0db9f32c423d 100644
+--- a/fs/ksmbd/smb2ops.c
++++ b/fs/ksmbd/smb2ops.c
+@@ -229,6 +229,11 @@ void init_smb3_0_server(struct ksmbd_conn *conn)
+ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+
++ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
++ (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
++ conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
++ conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
++
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+ }
+@@ -276,11 +281,6 @@ int init_smb3_11_server(struct ksmbd_conn *conn)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_LEASING |
+ SMB2_GLOBAL_CAP_DIRECTORY_LEASING;
+
+- if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION ||
+- (!(server_conf.flags & KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION_OFF) &&
+- conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION))
+- conn->vals->capabilities |= SMB2_GLOBAL_CAP_ENCRYPTION;
+-
+ if (server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL)
+ conn->vals->capabilities |= SMB2_GLOBAL_CAP_MULTI_CHANNEL;
+
+--
+2.43.0
+
diff --git a/queue-5.15/ksmbd-don-t-send-oplock-break-if-rename-fails.patch b/queue-5.15/ksmbd-don-t-send-oplock-break-if-rename-fails.patch
new file mode 100644
index 0000000000..bb6148c569
--- /dev/null
+++ b/queue-5.15/ksmbd-don-t-send-oplock-break-if-rename-fails.patch
@@ -0,0 +1,38 @@
+From 80960710db1e21efe6d1670b8457a44f25b8325d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Mar 2024 21:58:26 +0900
+Subject: ksmbd: don't send oplock break if rename fails
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit c1832f67035dc04fb89e6b591b64e4d515843cda ]
+
+Don't send oplock break if rename fails. This patch fix
+smb2.oplock.batch20 test.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 14cd86a14012f..86b1fb43104e9 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -5581,8 +5581,9 @@ static int smb2_rename(struct ksmbd_work *work,
+ if (!file_info->ReplaceIfExists)
+ flags = RENAME_NOREPLACE;
+
+- smb_break_all_levII_oplock(work, fp, 0);
+ rc = ksmbd_vfs_rename(work, &fp->filp->f_path, new_name, flags);
++ if (!rc)
++ smb_break_all_levII_oplock(work, fp, 0);
+ out:
+ kfree(new_name);
+ return rc;
+--
+2.43.0
+
diff --git a/queue-5.15/ksmbd-validate-payload-size-in-ipc-response.patch b/queue-5.15/ksmbd-validate-payload-size-in-ipc-response.patch
new file mode 100644
index 0000000000..161d46e70a
--- /dev/null
+++ b/queue-5.15/ksmbd-validate-payload-size-in-ipc-response.patch
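Review bot: In the `init_smb3_0_server` hunk, the two context lines immediately above the insertion already set `SMB2_GLOBAL_CAP_ENCRYPTION` under a condition whose visible tail is `conn->cli_cap & SMB2_GLOBAL_CAP_ENCRYPTION)`, and the added block sets the same bit for a superset of those cases (it also fires whenever `KSMBD_GLOBAL_FLAG_SMB2_ENCRYPTION` is set, regardless of what the client advertised), which leaves the older block redundant and the two conditions reading as if they disagree. Either fold them into one condition or add a comment such as `/* Advertise encryption when forced by config, or when the client offers it and it is not disabled. */` above the new block so the next reader does not try to reconcile them. The head of the existing condition and the function signature lie outside the hunk, so the redundancy is inferred from the visible tail only.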
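Review bot: The reordering in `smb2_rename` is not explained in the code: the level II oplock break now runs only when `ksmbd_vfs_rename()` returned 0, and the only record of why is the commit message's reference to the smb2.oplock.batch20 test. A short comment on the new `if (!rc)`, e.g. `/* Only break level II oplocks once the rename has actually succeeded. */`, keeps that intent next to the code. The function begins outside the hunk, so other uses of `fp` between the rename and `out:` are not visible here.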
@@ -0,0 +1,129 @@
+From 13154eaa0ec6e4115e8b58805c3e246bfca552da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Mar 2024 21:59:10 +0900
+Subject: ksmbd: validate payload size in ipc response
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit a677ebd8ca2f2632ccdecbad7b87641274e15aac ]
+
+If installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc
+response to ksmbd kernel server. ksmbd should validate payload size of
+ipc response from ksmbd.mountd to avoid memory overrun or
+slab-out-of-bounds. This patch validate 3 ipc response that has payload.
+
+Cc: stable@vger.kernel.org
+Reported-by: Chao Ma <machao2019@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/ksmbd_netlink.h | 3 ++-
+ fs/ksmbd/mgmt/share_config.c | 7 ++++++-
+ fs/ksmbd/transport_ipc.c | 37 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ksmbd/ksmbd_netlink.h b/fs/ksmbd/ksmbd_netlink.h
+index ecffcb8a1557a..dc30cd0f6acd0 100644
+--- a/fs/ksmbd/ksmbd_netlink.h
++++ b/fs/ksmbd/ksmbd_netlink.h
+@@ -166,7 +166,8 @@ struct ksmbd_share_config_response {
+ __u16 force_uid;
+ __u16 force_gid;
+ __s8 share_name[KSMBD_REQ_MAX_SHARE_NAME];
+- __u32 reserved[112]; /* Reserved room */
++ __u32 reserved[111]; /* Reserved room */
++ __u32 payload_sz;
+ __u32 veto_list_sz;
+ __s8 ____payload[];
+ };
+diff --git a/fs/ksmbd/mgmt/share_config.c b/fs/ksmbd/mgmt/share_config.c
+index 328a412259dc1..a2f0a2edceb8a 100644
+--- a/fs/ksmbd/mgmt/share_config.c
++++ b/fs/ksmbd/mgmt/share_config.c
+@@ -158,7 +158,12 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um,
+ share->name = kstrdup(name, GFP_KERNEL);
+
+ if (!test_share_config_flag(share, KSMBD_SHARE_FLAG_PIPE)) {
+- share->path = kstrdup(ksmbd_share_config_path(resp),
++ int path_len = PATH_MAX;
++
++ if (resp->payload_sz)
++ path_len = resp->payload_sz - resp->veto_list_sz;
++
++ share->path = kstrndup(ksmbd_share_config_path(resp), path_len,
+ GFP_KERNEL);
+ if (share->path)
+ share->path_sz = strlen(share->path);
+diff --git a/fs/ksmbd/transport_ipc.c b/fs/ksmbd/transport_ipc.c
+index 2c9662e327990..d62ebbff1e0f4 100644
+--- a/fs/ksmbd/transport_ipc.c
++++ b/fs/ksmbd/transport_ipc.c
+@@ -65,6 +65,7 @@ struct ipc_msg_table_entry {
+ struct hlist_node ipc_table_hlist;
+
+ void *response;
++ unsigned int msg_sz;
+ };
+
+ static struct delayed_work ipc_timer_work;
+@@ -274,6 +275,7 @@ static int handle_response(int type, void *payload, size_t sz)
+ }
+
+ memcpy(entry->response, payload, sz);
++ entry->msg_sz = sz;
+ wake_up_interruptible(&entry->wait);
+ ret = 0;
+ break;
+@@ -452,6 +454,34 @@ static int ipc_msg_send(struct ksmbd_ipc_msg *msg)
+ return ret;
+ }
+
++static int ipc_validate_msg(struct ipc_msg_table_entry *entry)
++{
++ unsigned int msg_sz = entry->msg_sz;
++
++ if (entry->type == KSMBD_EVENT_RPC_REQUEST) {
++ struct ksmbd_rpc_command *resp = entry->response;
++
++ msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
++ } else if (entry->type == KSMBD_EVENT_SPNEGO_AUTHEN_REQUEST) {
++ struct ksmbd_spnego_authen_response *resp = entry->response;
++
++ msg_sz = sizeof(struct ksmbd_spnego_authen_response) +
++ resp->session_key_len + resp->spnego_blob_len;
++ } else if (entry->type == KSMBD_EVENT_SHARE_CONFIG_REQUEST) {
++ struct ksmbd_share_config_response *resp = entry->response;
++
++ if (resp->payload_sz) {
++ if (resp->payload_sz < resp->veto_list_sz)
++ return -EINVAL;
++
++ msg_sz = sizeof(struct ksmbd_share_config_response) +
++ resp->payload_sz;
++ }
++ }
++
++ return entry->msg_sz != msg_sz ? -EINVAL : 0;
++}
++
+ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle)
+ {
+ struct ipc_msg_table_entry entry;
+@@ -476,6 +506,13 @@ static void *ipc_msg_send_request(struct ksmbd_ipc_msg *msg, unsigned int handle
+ ret = wait_event_interruptible_timeout(entry.wait,
+ entry.response != NULL,
+ IPC_WAIT_TIMEOUT);
++ if (entry.response) {
++ ret = ipc_validate_msg(&entry);
++ if (ret) {
++ kvfree(entry.response);
++ entry.response = NULL;
++ }
++ }
+ out:
+ down_write(&ipc_msg_table_lock);
+ hash_del(&entry.ipc_table_hlist);
+--
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644
index 0000000000..8fae40b568
--- /dev/null
+++ b/queue-5.15/series
@@ -0,0 +1,4 @@
+ksmbd-don-t-send-oplock-break-if-rename-fails.patch
+ksmbd-validate-payload-size-in-ipc-response.patch
+ksmbd-do-not-set-smb2_global_cap_encryption-for-smb-.patch
+btrfs-record-delayed-inode-root-in-transaction.patch
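Review bot: `ipc_validate_msg()` reads header fields out of `entry->response` (`resp->payload_sz`, `resp->session_key_len`, `resp->spnego_blob_len`) before anything in the hunk establishes that `entry->msg_sz` is at least `sizeof(*resp)`, so the validator depends on a minimum-length guarantee that must come from elsewhere (presumably the netlink attribute policy for these event types — confirm); if that guarantee is not there, each branch needs `if (entry->msg_sz < sizeof(*resp)) return -EINVAL;` before the first dereference. The `sizeof(...) + ...` sums are computed in `size_t` but stored in the `unsigned int msg_sz`, so the final comparison happens after truncation; performing it in `size_t` would make the check independent of that minimum-length assumption. For `KSMBD_EVENT_SHARE_CONFIG_REQUEST`, a response with `payload_sz == 0` skips the size cross-check entirely and falls through to the trivially true `entry->msg_sz != msg_sz` test, which looks intentional for senders that do not fill the new field; a comment such as `/* payload_sz == 0: sender predates the field, nothing to cross-check */` on that `if` would record it, and the same case in share_config.c means `kstrndup()` is bounded only by `PATH_MAX` rather than by the response's own accounting.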