5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Jan 2023 15:59:44 +0000 (16:59 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 10 Jan 2023 15:59:44 +0000 (16:59 +0100)
added patches:
hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
hfs-hfsplus-use-warn_on-for-sanity-check.patch

queue-5.10/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch [new file with mode: 0644]
queue-5.10/hfs-hfsplus-use-warn_on-for-sanity-check.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch b/queue-5.10/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
new file mode 100644 (file)
index 0000000..f47ce33
--- /dev/null
@@ -0,0 +1,90 @@
+From cb7a95af78d29442b8294683eca4897544b8ef46 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 4 Jan 2023 11:06:28 -0800
+Subject: hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit cb7a95af78d29442b8294683eca4897544b8ef46 upstream.
+
+Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed
+a build warning by turning a comment into a WARN_ON(), but it turns out
+that syzbot then complains because it can trigger said warning with a
+corrupted hfs image.
+
+The warning actually does warn about a bad situation, but we are much
+better off just handling it as the error it is.  So rather than warn
+about us doing bad things, stop doing the bad things and return -EIO.
+
+While at it, also fix a memory leak that was introduced by an earlier
+fix for a similar syzbot warning situation, and add a check for one case
+that historically wasn't handled at all (ie neither comment nor
+subsequent WARN_ON).
+
+Reported-by: syzbot+7bb7cd3595533513a9e7@syzkaller.appspotmail.com
+Fixes: 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check")
+Fixes: 8d824e69d9f3 ("hfs: fix OOB Read in __hfs_brec_find")
+Link: https://lore.kernel.org/lkml/000000000000dbce4e05f170f289@google.com/
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/inode.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -454,15 +454,16 @@ int hfs_write_inode(struct inode *inode,
+               /* panic? */
+               return -EIO;
++      res = -EIO;
+       if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
+-              return -EIO;
++              goto out;
+       fd.search_key->cat = HFS_I(main_inode)->cat_key;
+       if (hfs_brec_find(&fd))
+-              /* panic? */
+               goto out;
+       if (S_ISDIR(main_inode->i_mode)) {
+-              WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
++              if (fd.entrylength < sizeof(struct hfs_cat_dir))
++                      goto out;
+               hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+                          sizeof(struct hfs_cat_dir));
+               if (rec.type != HFS_CDR_DIR ||
+@@ -475,6 +476,8 @@ int hfs_write_inode(struct inode *inode,
+               hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+                           sizeof(struct hfs_cat_dir));
+       } else if (HFS_IS_RSRC(inode)) {
++              if (fd.entrylength < sizeof(struct hfs_cat_file))
++                      goto out;
+               hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+                              sizeof(struct hfs_cat_file));
+               hfs_inode_write_fork(inode, rec.file.RExtRec,
+@@ -482,7 +485,8 @@ int hfs_write_inode(struct inode *inode,
+               hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+                               sizeof(struct hfs_cat_file));
+       } else {
+-              WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
++              if (fd.entrylength < sizeof(struct hfs_cat_file))
++                      goto out;
+               hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+                          sizeof(struct hfs_cat_file));
+               if (rec.type != HFS_CDR_FIL ||
+@@ -499,9 +503,10 @@ int hfs_write_inode(struct inode *inode,
+               hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+                           sizeof(struct hfs_cat_file));
+       }
++      res = 0;
+ out:
+       hfs_find_exit(&fd);
+-      return 0;
++      return res;
+ }
+ static struct dentry *hfs_file_lookup(struct inode *dir, struct dentry *dentry,
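Review bot: In hfs_write_inode, presetting `res = -EIO;` ahead of the lookup means the `goto out` after `hfs_brec_find(&fd)` reports every lookup failure as -EIO and discards the helper's own return code. If that code is meaningful to callers (its values are not visible in this hunk), `res = hfs_brec_find(&fd);` followed by `if (res) goto out;` and then `res = -EIO;` would preserve it while leaving the new length guards unchanged. The three `fd.entrylength < sizeof(...)` guards also exit without any log line, so a comment on the first guard such as `/* record shorter than its on-disk struct: corrupt catalog, refuse to read or write it */`, or a rate-limited message, would help whoever has to diagnose a damaged image. The function starts before this hunk and the `rec.type` mismatch branches continue outside it.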
diff --git a/queue-5.10/hfs-hfsplus-use-warn_on-for-sanity-check.patch b/queue-5.10/hfs-hfsplus-use-warn_on-for-sanity-check.patch
new file mode 100644 (file)
index 0000000..8001dd5
--- /dev/null
@@ -0,0 +1,118 @@
+From 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 8 Nov 2021 18:35:04 -0800
+Subject: hfs/hfsplus: use WARN_ON for sanity check
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb upstream.
+
+gcc warns about a couple of instances in which a sanity check exists but
+the author wasn't sure how to react to it failing, which makes it look
+like a possible bug:
+
+  fs/hfsplus/inode.c: In function 'hfsplus_cat_read_inode':
+  fs/hfsplus/inode.c:503:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+    503 |                         /* panic? */;
+        |                                     ^
+  fs/hfsplus/inode.c:524:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+    524 |                         /* panic? */;
+        |                                     ^
+  fs/hfsplus/inode.c: In function 'hfsplus_cat_write_inode':
+  fs/hfsplus/inode.c:582:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+    582 |                         /* panic? */;
+        |                                     ^
+  fs/hfsplus/inode.c:608:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+    608 |                         /* panic? */;
+        |                                     ^
+  fs/hfs/inode.c: In function 'hfs_write_inode':
+  fs/hfs/inode.c:464:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+    464 |                         /* panic? */;
+        |                                     ^
+  fs/hfs/inode.c:485:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+    485 |                         /* panic? */;
+        |                                     ^
+
+panic() is probably not the correct choice here, but a WARN_ON
+seems appropriate and avoids the compile-time warning.
+
+Link: https://lkml.kernel.org/r/20210927102149.1809384-1-arnd@kernel.org
+Link: https://lore.kernel.org/all/20210322223249.2632268-1-arnd@kernel.org/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/inode.c     |    6 ++----
+ fs/hfsplus/inode.c |   12 ++++--------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -462,8 +462,7 @@ int hfs_write_inode(struct inode *inode,
+               goto out;
+       if (S_ISDIR(main_inode->i_mode)) {
+-              if (fd.entrylength < sizeof(struct hfs_cat_dir))
+-                      /* panic? */;
++              WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
+               hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+                          sizeof(struct hfs_cat_dir));
+               if (rec.type != HFS_CDR_DIR ||
+@@ -483,8 +482,7 @@ int hfs_write_inode(struct inode *inode,
+               hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+                               sizeof(struct hfs_cat_file));
+       } else {
+-              if (fd.entrylength < sizeof(struct hfs_cat_file))
+-                      /* panic? */;
++              WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
+               hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+                          sizeof(struct hfs_cat_file));
+               if (rec.type != HFS_CDR_FIL ||
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -497,8 +497,7 @@ int hfsplus_cat_read_inode(struct inode
+       if (type == HFSPLUS_FOLDER) {
+               struct hfsplus_cat_folder *folder = &entry.folder;
+-              if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
+-                      /* panic? */;
++              WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder));
+               hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
+                                       sizeof(struct hfsplus_cat_folder));
+               hfsplus_get_perms(inode, &folder->permissions, 1);
+@@ -518,8 +517,7 @@ int hfsplus_cat_read_inode(struct inode
+       } else if (type == HFSPLUS_FILE) {
+               struct hfsplus_cat_file *file = &entry.file;
+-              if (fd->entrylength < sizeof(struct hfsplus_cat_file))
+-                      /* panic? */;
++              WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file));
+               hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
+                                       sizeof(struct hfsplus_cat_file));
+@@ -576,8 +574,7 @@ int hfsplus_cat_write_inode(struct inode
+       if (S_ISDIR(main_inode->i_mode)) {
+               struct hfsplus_cat_folder *folder = &entry.folder;
+-              if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
+-                      /* panic? */;
++              WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder));
+               hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+                                       sizeof(struct hfsplus_cat_folder));
+               /* simple node checks? */
+@@ -602,8 +599,7 @@ int hfsplus_cat_write_inode(struct inode
+       } else {
+               struct hfsplus_cat_file *file = &entry.file;
+-              if (fd.entrylength < sizeof(struct hfsplus_cat_file))
+-                      /* panic? */;
++              WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file));
+               hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+                                       sizeof(struct hfsplus_cat_file));
+               hfsplus_inode_write_fork(inode, &file->data_fork);
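Review bot: The four `WARN_ON(fd.entrylength < sizeof(...))` calls this patch adds in fs/hfsplus/inode.c (hfsplus_cat_read_inode and hfsplus_cat_write_inode) are not converted by the follow-up patch queued alongside it, whose diffstat touches only fs/hfs/inode.c. In this queue, an hfsplus catalog record shorter than the expected struct therefore still raises a warning, after which `hfs_bnode_read()` copies the full struct size anyway. On hosts running with panic_on_warn, a corrupted image would presumably turn that warning into a crash. It is worth checking whether an hfsplus counterpart of the hfs fix exists to queue with these. The guard would mirror the hfs one, e.g. `if (fd->entrylength < sizeof(struct hfsplus_cat_folder))` followed by a jump to the function's error exit, which lies outside these hunks.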
index f4ed250abb1dc457672946346b35ba239712b5dc..639f356c4735c4d70225b43c30b078047fc25397 100644 (file)
@@ -765,3 +765,5 @@ drm-i915-gvt-fix-gvt-debugfs-destroy.patch
 drm-i915-gvt-fix-vgpu-debugfs-clean-in-remove.patch
 ext4-don-t-allow-journal-inode-to-have-encrypt-flag.patch
 selftests-set-the-build-variable-to-absolute-path.patch
+hfs-hfsplus-use-warn_on-for-sanity-check.patch
+hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch