Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Sun, 17 Jan 2021 16:12:50 +0000 (11:12 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 17 Jan 2021 16:12:50 +0000 (11:12 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.10/btrfs-tree-checker-check-if-chunk-item-end-overflows.patch [new file with mode: 0644]
queue-5.10/ext4-don-t-leak-old-mountpoint-samples.patch [new file with mode: 0644]
queue-5.10/io_uring-don-t-take-files-mm-for-a-dead-task.patch [new file with mode: 0644]
queue-5.10/io_uring-drop-mm-and-files-after-task_work_run.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/btrfs-tree-checker-check-if-chunk-item-end-overflows.patch b/queue-5.10/btrfs-tree-checker-check-if-chunk-item-end-overflows.patch
new file mode 100644 (file)
index 0000000..5d16b05
--- /dev/null
@@ -0,0 +1,182 @@
+From 9c4f1aee334bdd1f64aea3df5c726699d56a6955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Jan 2021 17:28:04 +0800
+Subject: btrfs: tree-checker: check if chunk item end overflows
+
+From: Su Yue <l@damenly.su>
+
+[ Upstream commit 347fb0cfc9bab5195c6701e62eda488310d7938f ]
+
+While mounting a crafted image provided by user, kernel panics due to
+the invalid chunk item whose end is less than start.
+
+  [66.387422] loop: module loaded
+  [66.389773] loop0: detected capacity change from 262144 to 0
+  [66.427708] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 12 /dev/loop0 scanned by mount (613)
+  [66.431061] BTRFS info (device loop0): disk space caching is enabled
+  [66.431078] BTRFS info (device loop0): has skinny extents
+  [66.437101] BTRFS error: insert state: end < start 29360127 37748736
+  [66.437136] ------------[ cut here ]------------
+  [66.437140] WARNING: CPU: 16 PID: 613 at fs/btrfs/extent_io.c:557 insert_state.cold+0x1a/0x46 [btrfs]
+  [66.437369] CPU: 16 PID: 613 Comm: mount Tainted: G           O      5.11.0-rc1-custom #45
+  [66.437374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
+  [66.437378] RIP: 0010:insert_state.cold+0x1a/0x46 [btrfs]
+  [66.437420] RSP: 0018:ffff93e5414c3908 EFLAGS: 00010286
+  [66.437427] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
+  [66.437431] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
+  [66.437434] RBP: ffff93e5414c3938 R08: 0000000000000001 R09: 0000000000000001
+  [66.437438] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d72aa0
+  [66.437441] R13: ffff8ec78bc71628 R14: 0000000000000000 R15: 0000000002400000
+  [66.437447] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
+  [66.437451] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [66.437455] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
+  [66.437460] PKRU: 55555554
+  [66.437464] Call Trace:
+  [66.437475]  set_extent_bit+0x652/0x740 [btrfs]
+  [66.437539]  set_extent_bits_nowait+0x1d/0x20 [btrfs]
+  [66.437576]  add_extent_mapping+0x1e0/0x2f0 [btrfs]
+  [66.437621]  read_one_chunk+0x33c/0x420 [btrfs]
+  [66.437674]  btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
+  [66.437708]  ? kvm_sched_clock_read+0x18/0x40
+  [66.437739]  open_ctree+0xb32/0x1734 [btrfs]
+  [66.437781]  ? bdi_register_va+0x1b/0x20
+  [66.437788]  ? super_setup_bdi_name+0x79/0xd0
+  [66.437810]  btrfs_mount_root.cold+0x12/0xeb [btrfs]
+  [66.437854]  ? __kmalloc_track_caller+0x217/0x3b0
+  [66.437873]  legacy_get_tree+0x34/0x60
+  [66.437880]  vfs_get_tree+0x2d/0xc0
+  [66.437888]  vfs_kern_mount.part.0+0x78/0xc0
+  [66.437897]  vfs_kern_mount+0x13/0x20
+  [66.437902]  btrfs_mount+0x11f/0x3c0 [btrfs]
+  [66.437940]  ? kfree+0x5ff/0x670
+  [66.437944]  ? __kmalloc_track_caller+0x217/0x3b0
+  [66.437962]  legacy_get_tree+0x34/0x60
+  [66.437974]  vfs_get_tree+0x2d/0xc0
+  [66.437983]  path_mount+0x48c/0xd30
+  [66.437998]  __x64_sys_mount+0x108/0x140
+  [66.438011]  do_syscall_64+0x38/0x50
+  [66.438018]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+  [66.438023] RIP: 0033:0x7f0138827f6e
+  [66.438033] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+  [66.438040] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
+  [66.438044] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
+  [66.438047] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
+  [66.438050] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+  [66.438054] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
+  [66.438078] irq event stamp: 18169
+  [66.438082] hardirqs last  enabled at (18175): [<ffffffffb81154bf>] console_unlock+0x4ff/0x5f0
+  [66.438088] hardirqs last disabled at (18180): [<ffffffffb8115427>] console_unlock+0x467/0x5f0
+  [66.438092] softirqs last  enabled at (16910): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
+  [66.438097] softirqs last disabled at (16905): [<ffffffffb8a00fe2>] asm_call_irq_on_stack+0x12/0x20
+  [66.438103] ---[ end trace e114b111db64298b ]---
+  [66.438107] BTRFS error: found node 12582912 29360127 on insert of 37748736 29360127
+  [66.438127] BTRFS critical: panic in extent_io_tree_panic:679: locking error: extent tree was modified by another thread while locked (errno=-17 Object already exists)
+  [66.441069] ------------[ cut here ]------------
+  [66.441072] kernel BUG at fs/btrfs/extent_io.c:679!
+  [66.442064] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+  [66.443018] CPU: 16 PID: 613 Comm: mount Tainted: G        W  O      5.11.0-rc1-custom #45
+  [66.444538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014
+  [66.446223] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
+  [66.450878] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
+  [66.451840] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
+  [66.453141] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
+  [66.454445] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
+  [66.455743] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
+  [66.457055] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
+  [66.458356] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
+  [66.459841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [66.460895] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
+  [66.462196] PKRU: 55555554
+  [66.462692] Call Trace:
+  [66.463139]  set_extent_bit.cold+0x30/0x98 [btrfs]
+  [66.464049]  set_extent_bits_nowait+0x1d/0x20 [btrfs]
+  [66.490466]  add_extent_mapping+0x1e0/0x2f0 [btrfs]
+  [66.514097]  read_one_chunk+0x33c/0x420 [btrfs]
+  [66.534976]  btrfs_read_chunk_tree+0x6a4/0x870 [btrfs]
+  [66.555718]  ? kvm_sched_clock_read+0x18/0x40
+  [66.575758]  open_ctree+0xb32/0x1734 [btrfs]
+  [66.595272]  ? bdi_register_va+0x1b/0x20
+  [66.614638]  ? super_setup_bdi_name+0x79/0xd0
+  [66.633809]  btrfs_mount_root.cold+0x12/0xeb [btrfs]
+  [66.652938]  ? __kmalloc_track_caller+0x217/0x3b0
+  [66.671925]  legacy_get_tree+0x34/0x60
+  [66.690300]  vfs_get_tree+0x2d/0xc0
+  [66.708221]  vfs_kern_mount.part.0+0x78/0xc0
+  [66.725808]  vfs_kern_mount+0x13/0x20
+  [66.742730]  btrfs_mount+0x11f/0x3c0 [btrfs]
+  [66.759350]  ? kfree+0x5ff/0x670
+  [66.775441]  ? __kmalloc_track_caller+0x217/0x3b0
+  [66.791750]  legacy_get_tree+0x34/0x60
+  [66.807494]  vfs_get_tree+0x2d/0xc0
+  [66.823349]  path_mount+0x48c/0xd30
+  [66.838753]  __x64_sys_mount+0x108/0x140
+  [66.854412]  do_syscall_64+0x38/0x50
+  [66.869673]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+  [66.885093] RIP: 0033:0x7f0138827f6e
+  [66.945613] RSP: 002b:00007ffecd79edf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+  [66.977214] RAX: ffffffffffffffda RBX: 00007f013894c264 RCX: 00007f0138827f6e
+  [66.994266] RDX: 00005593a4a41360 RSI: 00005593a4a33690 RDI: 00005593a4a3a6c0
+  [67.011544] RBP: 00005593a4a33440 R08: 0000000000000000 R09: 0000000000000001
+  [67.028836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+  [67.045812] R13: 00005593a4a3a6c0 R14: 00005593a4a41360 R15: 00005593a4a33440
+  [67.216138] ---[ end trace e114b111db64298c ]---
+  [67.237089] RIP: 0010:extent_io_tree_panic.isra.0+0x23/0x25 [btrfs]
+  [67.325317] RSP: 0018:ffff93e5414c3948 EFLAGS: 00010246
+  [67.347946] RAX: 0000000000000000 RBX: 0000000001bfffff RCX: 0000000000000000
+  [67.371343] RDX: 0000000000000000 RSI: ffffffffb90d4660 RDI: 00000000ffffffff
+  [67.394757] RBP: ffff93e5414c3948 R08: 0000000000000001 R09: 0000000000000001
+  [67.418409] R10: ffff93e5414c3658 R11: 0000000000000000 R12: ffff8ec782d728c0
+  [67.441906] R13: ffff8ec78bc71628 R14: ffff8ec782d72aa0 R15: 0000000002400000
+  [67.465436] FS:  00007f01386a8580(0000) GS:ffff8ec809000000(0000) knlGS:0000000000000000
+  [67.511660] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [67.535047] CR2: 00007f01382fa000 CR3: 0000000109a34000 CR4: 0000000000750ee0
+  [67.558449] PKRU: 55555554
+  [67.581146] note: mount[613] exited with preempt_count 2
+
+The image has a chunk item which has a logical start 37748736 and length
+18446744073701163008 (-8M). The calculated end 29360127 overflows.
+EEXIST was caught by insert_state() because of the duplicate end and
+extent_io_tree_panic() was called.
+
+Add overflow check of chunk item end to tree checker so it can be
+detected early at mount time.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208929
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Su Yue <l@damenly.su>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-checker.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
+index ea2bb4cb58909..40845428b739c 100644
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -754,6 +754,7 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
+ {
+       struct btrfs_fs_info *fs_info = leaf->fs_info;
+       u64 length;
++      u64 chunk_end;
+       u64 stripe_len;
+       u16 num_stripes;
+       u16 sub_stripes;
+@@ -808,6 +809,12 @@ int btrfs_check_chunk_valid(struct extent_buffer *leaf,
+                         "invalid chunk length, have %llu", length);
+               return -EUCLEAN;
+       }
++      if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
++              chunk_err(leaf, chunk, logical,
++"invalid chunk logical start and length, have logical start %llu length %llu",
++                        logical, length);
++              return -EUCLEAN;
++      }
+       if (!is_power_of_2(stripe_len) || stripe_len != BTRFS_STRIPE_LEN) {
+               chunk_err(leaf, chunk, logical,
+                         "invalid chunk stripe length: %llu",
+-- 
+2.27.0
+
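Review bot: `chunk_end` is declared and written only to satisfy the out-parameter of check_add_overflow(); nothing else in the hunk reads it, which a reader may take for a missing follow-up use rather than a deliberate discard. A one-line comment on the new block would make that explicit, e.g. `/* Only the overflow result matters here; chunk_end itself is not used. */`. The new test sits after the "invalid chunk length" rejection, so the length has already been range-checked when the sum is formed, which is the right order. btrfs_check_chunk_valid() starts at the hunk header and continues past the hunk, so a later use of chunk_end cannot be ruled out from here.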
diff --git a/queue-5.10/ext4-don-t-leak-old-mountpoint-samples.patch b/queue-5.10/ext4-don-t-leak-old-mountpoint-samples.patch
new file mode 100644 (file)
index 0000000..89c0468
--- /dev/null
@@ -0,0 +1,54 @@
+From 797197fac0060441fb2b9841730cba795bd0491b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Dec 2020 13:24:15 -0500
+Subject: ext4: don't leak old mountpoint samples
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 5a3b590d4b2db187faa6f06adc9a53d6199fb1f9 ]
+
+When the first file is opened, ext4 samples the mountpoint of the
+filesystem in 64 bytes of the super block.  It does so using
+strlcpy(), this means that the remaining bytes in the super block
+string buffer are untouched.  If the mount point before had a longer
+path than the current one, it can be reconstructed.
+
+Consider the case where the fs was mounted to "/media/johnjdeveloper"
+and later to "/".  The super block buffer then contains
+"/\x00edia/johnjdeveloper".
+
+This case was seen in the wild and caused confusion how the name
+of a developer ands up on the super block of a filesystem used
+in production...
+
+Fix this by using strncpy() instead of strlcpy().  The superblock
+field is defined to be a fixed-size char array, and it is already
+marked using __nonstring in fs/ext4/ext4.h.  The consumer of the field
+in e2fsprogs already assumes that in the case of a 64+ byte mount
+path, that s_last_mounted will not be NUL terminated.
+
+Link: https://lore.kernel.org/r/X9ujIOJG/HqMr88R@mit.edu
+Reported-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/file.c b/fs/ext4/file.c
+index 3ed8c048fb12c..b692355b8c770 100644
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -809,7 +809,7 @@ static int ext4_sample_last_mounted(struct super_block *sb,
+       err = ext4_journal_get_write_access(handle, sbi->s_sbh);
+       if (err)
+               goto out_journal;
+-      strlcpy(sbi->s_es->s_last_mounted, cp,
++      strncpy(sbi->s_es->s_last_mounted, cp,
+               sizeof(sbi->s_es->s_last_mounted));
+       ext4_handle_dirty_super(handle, sb);
+ out_journal:
+-- 
+2.27.0
+
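Review bot: The new strncpy() call leaves `s_last_mounted` without a NUL terminator whenever `cp` fills all 64 bytes, which the commit message says is intended, but nothing at the call site records that; a later reader hunting unterminated strings could revert it to strlcpy() and reintroduce the stale-path leak. Add a comment such as `/* strncpy() on purpose: zero-fills the rest of the field so old mountpoint bytes do not linger in the superblock; the array is __nonstring and may be unterminated. */`. Because the field may be unterminated, any in-kernel consumer must treat it as fixed-width bytes and never hand it to `%s` or strlen(). ext4_sample_last_mounted() starts and ends outside the hunk.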
diff --git a/queue-5.10/io_uring-don-t-take-files-mm-for-a-dead-task.patch b/queue-5.10/io_uring-don-t-take-files-mm-for-a-dead-task.patch
new file mode 100644 (file)
index 0000000..38b0efa
--- /dev/null
@@ -0,0 +1,38 @@
+From 897b20753a6c556ed60d112317c6e8e0aeb59c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 04:00:31 +0000
+Subject: io_uring: don't take files/mm for a dead task
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit 621fadc22365f3cf307bcd9048e3372e9ee9cdcc ]
+
+In rare cases a task may be exiting while io_ring_exit_work() trying to
+cancel/wait its requests. It's ok for __io_sq_thread_acquire_mm()
+because of SQPOLL check, but is not for __io_sq_thread_acquire_files().
+Play safe and fail for both of them.
+
+Cc: stable@vger.kernel.org # 5.5+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 4833b68f1a1cc..6c356b9e87b39 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1009,6 +1009,8 @@ static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
+ {
+       struct mm_struct *mm;
++      if (current->flags & PF_EXITING)
++              return -EFAULT;
+       if (current->mm)
+               return 0;
+-- 
+2.27.0
+
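Review bot: The commit message says both __io_sq_thread_acquire_mm() and __io_sq_thread_acquire_files() should fail for an exiting task, yet the backported hunk (and the `2 insertions(+)` diffstat) touch only __io_sq_thread_acquire_mm(); if 5.10 has no files counterpart, a short backport note in the patch header saying so would stop the next reviewer from looking for a dropped hunk. The PF_EXITING test is placed ahead of the `current->mm` fast path, so an exiting task that still owns an mm is refused as well, which matches the stated intent. __io_sq_thread_acquire_mm() continues past the hunk.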
diff --git a/queue-5.10/io_uring-drop-mm-and-files-after-task_work_run.patch b/queue-5.10/io_uring-drop-mm-and-files-after-task_work_run.patch
new file mode 100644 (file)
index 0000000..c69935d
--- /dev/null
@@ -0,0 +1,48 @@
+From c997e1cf369bdb6b8d93c8611fe65bc288806817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 04:00:30 +0000
+Subject: io_uring: drop mm and files after task_work_run
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit d434ab6db524ab1efd0afad4ffa1ee65ca6ac097 ]
+
+__io_req_task_submit() run by task_work can set mm and files, but
+io_sq_thread() in some cases, and because __io_sq_thread_acquire_mm()
+and __io_sq_thread_acquire_files() do a simple current->mm/files check
+it may end up submitting IO with mm/files of another task.
+
+We also need to drop it after in the end to drop potentially grabbed
+references to them.
+
+Cc: stable@vger.kernel.org # 5.9+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 6c356b9e87b39..cab640c10bc0f 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -6841,6 +6841,7 @@ static int io_sq_thread(void *data)
+               if (ret & SQT_SPIN) {
+                       io_run_task_work();
++                      io_sq_thread_drop_mm();
+                       cond_resched();
+               } else if (ret == SQT_IDLE) {
+                       if (kthread_should_park())
+@@ -6855,6 +6856,7 @@ static int io_sq_thread(void *data)
+       }
+       io_run_task_work();
++      io_sq_thread_drop_mm();
+       if (cur_css)
+               io_sq_thread_unassociate_blkcg();
+-- 
+2.27.0
+
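Review bot: Both hunks add `io_sq_thread_drop_mm()` right after `io_run_task_work()`, while the commit message speaks of dropping mm and files; whether the 5.10 helper also releases files is not visible here, so a backport note or a call-site comment such as `/* task_work may have acquired mm/files for another task; release before the next submission */` would document why the drop must follow every task_work run. The pairing is easy to break on a later merge, since nothing ties the two calls together. io_sq_thread() starts and ends outside both hunks.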
index 0b35ef7ba0eaaa2e4059b2b9ee805ff3ee80ab77..e6ce963285f0c6adbd04b731eee40e512a28099c 100644 (file)
@@ -48,3 +48,7 @@ dm-crypt-do-not-call-bio_endio-from-the-dm-crypt-tasklet.patch
 dm-crypt-defer-decryption-to-a-tasklet-if-interrupts-disabled.patch
 stmmac-intel-change-all-ehl-tgl-to-auto-detect-phy-addr.patch
 r8152-add-lenovo-powered-usb-c-travel-hub.patch
+btrfs-tree-checker-check-if-chunk-item-end-overflows.patch
+ext4-don-t-leak-old-mountpoint-samples.patch
+io_uring-don-t-take-files-mm-for-a-dead-task.patch
+io_uring-drop-mm-and-files-after-task_work_run.patch