--- /dev/null
+From 3c0315424f5e3d2a4113c7272367bee1e8e6a174 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 4 Mar 2021 21:43:10 -0800
+Subject: f2fs: fix error handling in f2fs_end_enable_verity()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 3c0315424f5e3d2a4113c7272367bee1e8e6a174 upstream.
+
+f2fs didn't properly clean up if verity failed to be enabled on a file:
+
+- It left verity metadata (pages past EOF) in the page cache, which
+ would be exposed to userspace if the file was later extended.
+
+- It didn't truncate the verity metadata at all (either from cache or
+ from disk) if an error occurred while setting the verity bit.
+
+Fix these bugs by adding a call to truncate_inode_pages() and ensuring
+that we truncate the verity metadata (both from cache and from disk) in
+all error paths. Also rework the code to cleanly separate the success
+path from the error paths, which makes it much easier to understand.
+
+Finally, log a message if f2fs_truncate() fails, since it might
+otherwise fail silently.
+
+Reported-by: Yunlei He <heyunlei@hihonor.com>
+Fixes: 95ae251fe828 ("f2fs: add fs-verity support")
+Cc: <stable@vger.kernel.org> # v5.4+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/verity.c | 79 ++++++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 56 insertions(+), 23 deletions(-)
+
+--- a/fs/f2fs/verity.c
++++ b/fs/f2fs/verity.c
+@@ -152,40 +152,73 @@ static int f2fs_end_enable_verity(struct
+ size_t desc_size, u64 merkle_tree_size)
+ {
+ struct inode *inode = file_inode(filp);
++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ u64 desc_pos = f2fs_verity_metadata_pos(inode) + merkle_tree_size;
+ struct fsverity_descriptor_location dloc = {
+ .version = cpu_to_le32(F2FS_VERIFY_VER),
+ .size = cpu_to_le32(desc_size),
+ .pos = cpu_to_le64(desc_pos),
+ };
+- int err = 0;
++ int err = 0, err2 = 0;
+
+- if (desc != NULL) {
+- /* Succeeded; write the verity descriptor. */
+- err = pagecache_write(inode, desc, desc_size, desc_pos);
+-
+- /* Write all pages before clearing FI_VERITY_IN_PROGRESS. */
+- if (!err)
+- err = filemap_write_and_wait(inode->i_mapping);
+- }
+-
+- /* If we failed, truncate anything we wrote past i_size. */
+- if (desc == NULL || err)
+- f2fs_truncate(inode);
++ /*
++ * If an error already occurred (which fs/verity/ signals by passing
++ * desc == NULL), then only clean-up is needed.
++ */
++ if (desc == NULL)
++ goto cleanup;
++
++ /* Append the verity descriptor. */
++ err = pagecache_write(inode, desc, desc_size, desc_pos);
++ if (err)
++ goto cleanup;
++
++ /*
++ * Write all pages (both data and verity metadata). Note that this must
++ * happen before clearing FI_VERITY_IN_PROGRESS; otherwise pages beyond
++ * i_size won't be written properly. For crash consistency, this also
++ * must happen before the verity inode flag gets persisted.
++ */
++ err = filemap_write_and_wait(inode->i_mapping);
++ if (err)
++ goto cleanup;
++
++ /* Set the verity xattr. */
++ err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY,
++ F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc),
++ NULL, XATTR_CREATE);
++ if (err)
++ goto cleanup;
++
++ /* Finally, set the verity inode flag. */
++ file_set_verity(inode);
++ f2fs_set_inode_flags(inode);
++ f2fs_mark_inode_dirty_sync(inode, true);
+
+ clear_inode_flag(inode, FI_VERITY_IN_PROGRESS);
++ return 0;
+
+- if (desc != NULL && !err) {
+- err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY,
+- F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc),
+- NULL, XATTR_CREATE);
+- if (!err) {
+- file_set_verity(inode);
+- f2fs_set_inode_flags(inode);
+- f2fs_mark_inode_dirty_sync(inode, true);
+- }
++cleanup:
++ /*
++ * Verity failed to be enabled, so clean up by truncating any verity
++ * metadata that was written beyond i_size (both from cache and from
++ * disk) and clearing FI_VERITY_IN_PROGRESS.
++ *
++ * Taking i_gc_rwsem[WRITE] is needed to stop f2fs garbage collection
++ * from re-instantiating cached pages we are truncating (since unlike
++ * normal file accesses, garbage collection isn't limited by i_size).
++ */
++ down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++ truncate_inode_pages(inode->i_mapping, inode->i_size);
++ err2 = f2fs_truncate(inode);
++ if (err2) {
++ f2fs_err(sbi, "Truncating verity metadata failed (errno=%d)",
++ err2);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
+- return err;
++ up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
++ clear_inode_flag(inode, FI_VERITY_IN_PROGRESS);
++ return err ?: err2;
+ }
+
+ static int f2fs_get_verity_descriptor(struct inode *inode, void *buf,
--- /dev/null
+From b862676e371715456c9dade7990c8004996d0d9e Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Mon, 22 Mar 2021 19:47:30 +0800
+Subject: f2fs: fix to avoid out-of-bounds memory access
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit b862676e371715456c9dade7990c8004996d0d9e upstream.
+
+butt3rflyh4ck <butterflyhuangxx@gmail.com> reported a bug found by
+syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
+
+ dump_stack+0xfa/0x151 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
+ current_nat_addr fs/f2fs/node.h:213 [inline]
+ get_next_nat_page fs/f2fs/node.c:123 [inline]
+ __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
+ f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
+ f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
+ f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
+ f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
+ __sync_filesystem fs/sync.c:39 [inline]
+ sync_filesystem fs/sync.c:67 [inline]
+ sync_filesystem+0x1b5/0x260 fs/sync.c:48
+ generic_shutdown_super+0x70/0x370 fs/super.c:448
+ kill_block_super+0x97/0xf0 fs/super.c:1394
+
+The root cause is, if nat entry in checkpoint journal area is corrupted,
+e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
+once it tries to flush nat journal to NAT area, get_next_nat_page() may
+access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
+as bitmap offset.
+
+[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
+
+Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2787,6 +2787,9 @@ static void remove_nats_in_journal(struc
+ struct f2fs_nat_entry raw_ne;
+ nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+
++ if (f2fs_check_nid_range(sbi, nid))
++ continue;
++
+ raw_ne = nat_in_journal(journal, i);
+
+ ne = __lookup_nat_cache(nm_i, nid);
--- /dev/null
+From 5afa7e8b70d65819245fece61a65fd753b4aae33 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 17 Apr 2021 23:03:50 -0400
+Subject: fs: fix reporting supported extra file attributes for statx()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 5afa7e8b70d65819245fece61a65fd753b4aae33 upstream.
+
+statx(2) notes that any attribute that is not indicated as supported
+by stx_attributes_mask has no usable value. Commits 801e523796004
+("fs: move generic stat response attr handling to vfs_getattr_nosec")
+and 712b2698e4c02 ("fs/stat: Define DAX statx attribute") sets
+STATX_ATTR_AUTOMOUNT and STATX_ATTR_DAX, respectively, without setting
+stx_attributes_mask, which can cause xfstests generic/532 to fail.
+
+Fix this in the same way as commit 1b9598c8fb99 ("xfs: fix reporting
+supported extra file attributes for statx()")
+
+Fixes: 801e523796004 ("fs: move generic stat response attr handling to vfs_getattr_nosec")
+Fixes: 712b2698e4c02 ("fs/stat: Define DAX statx attribute")
+Cc: stable@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/stat.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -77,12 +77,20 @@ int vfs_getattr_nosec(const struct path
+ /* SB_NOATIME means filesystem supplies dummy atime value */
+ if (inode->i_sb->s_flags & SB_NOATIME)
+ stat->result_mask &= ~STATX_ATIME;
++
++ /*
++ * Note: If you add another clause to set an attribute flag, please
++ * update attributes_mask below.
++ */
+ if (IS_AUTOMOUNT(inode))
+ stat->attributes |= STATX_ATTR_AUTOMOUNT;
+
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
++ stat->attributes_mask |= (STATX_ATTR_AUTOMOUNT |
++ STATX_ATTR_DAX);
++
+ if (inode->i_op->getattr)
+ return inode->i_op->getattr(path, stat, request_mask,
+ query_flags);
--- /dev/null
+From e36299efe7d749976fbdaaf756dee6ef32543c2c Mon Sep 17 00:00:00 2001
+From: Marco Elver <elver@google.com>
+Date: Wed, 3 Mar 2021 10:38:45 +0100
+Subject: kcsan, debugfs: Move debugfs file creation out of early init
+
+From: Marco Elver <elver@google.com>
+
+commit e36299efe7d749976fbdaaf756dee6ef32543c2c upstream.
+
+Commit 56348560d495 ("debugfs: do not attempt to create a new file
+before the filesystem is initalized") forbids creating new debugfs files
+until debugfs is fully initialized. This means that KCSAN's debugfs
+file creation, which happened at the end of __init(), no longer works.
+And was apparently never supposed to work!
+
+However, there is no reason to create KCSAN's debugfs file so early.
+This commit therefore moves its creation to a late_initcall() callback.
+
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kcsan/core.c | 2 --
+ kernel/kcsan/debugfs.c | 4 +++-
+ kernel/kcsan/kcsan.h | 5 -----
+ 3 files changed, 3 insertions(+), 8 deletions(-)
+
+--- a/kernel/kcsan/core.c
++++ b/kernel/kcsan/core.c
+@@ -639,8 +639,6 @@ void __init kcsan_init(void)
+
+ BUG_ON(!in_task());
+
+- kcsan_debugfs_init();
+-
+ for_each_possible_cpu(cpu)
+ per_cpu(kcsan_rand_state, cpu) = (u32)get_cycles();
+
+--- a/kernel/kcsan/debugfs.c
++++ b/kernel/kcsan/debugfs.c
+@@ -261,7 +261,9 @@ static const struct file_operations debu
+ .release = single_release
+ };
+
+-void __init kcsan_debugfs_init(void)
++static void __init kcsan_debugfs_init(void)
+ {
+ debugfs_create_file("kcsan", 0644, NULL, NULL, &debugfs_ops);
+ }
++
++late_initcall(kcsan_debugfs_init);
+--- a/kernel/kcsan/kcsan.h
++++ b/kernel/kcsan/kcsan.h
+@@ -31,11 +31,6 @@ void kcsan_save_irqtrace(struct task_str
+ void kcsan_restore_irqtrace(struct task_struct *task);
+
+ /*
+- * Initialize debugfs file.
+- */
+-void kcsan_debugfs_init(void);
+-
+-/*
+ * Statistics counters displayed via debugfs; should only be modified in
+ * slow-paths.
+ */
--- /dev/null
+From 885480b084696331bea61a4f7eba10652999a9c1 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 28 Apr 2021 18:23:50 -0700
+Subject: Makefile: Move -Wno-unused-but-set-variable out of GCC only block
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 885480b084696331bea61a4f7eba10652999a9c1 upstream.
+
+Currently, -Wunused-but-set-variable is only supported by GCC so it is
+disabled unconditionally in a GCC only block (it is enabled with W=1).
+clang currently has its implementation for this warning in review so
+preemptively move this statement out of the GCC only block and wrap it
+with cc-disable-warning so that both compilers function the same.
+
+Cc: stable@vger.kernel.org
+Link: https://reviews.llvm.org/D100581
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -774,16 +774,16 @@ KBUILD_CFLAGS += -Wno-gnu
+ KBUILD_CFLAGS += -mno-global-merge
+ else
+
+-# These warnings generated too much noise in a regular build.
+-# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
+-KBUILD_CFLAGS += -Wno-unused-but-set-variable
+-
+ # Warn about unmarked fall-throughs in switch statement.
+ # Disabled for clang while comment to attribute conversion happens and
+ # https://github.com/ClangBuiltLinux/linux/issues/636 is discussed.
+ KBUILD_CFLAGS += $(call cc-option,-Wimplicit-fallthrough,)
+ endif
+
++# These warnings generated too much noise in a regular build.
++# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
++KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
++
+ KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
+ ifdef CONFIG_FRAME_POINTER
+ KBUILD_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls
tools-power-turbostat-fix-turbostat-for-amd-zen-cpus.patch
btrfs-fix-race-when-picking-most-recent-mod-log-oper.patch
arm64-vdso-discard-.note.gnu.property-sections-in-vd.patch
+makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
+fs-fix-reporting-supported-extra-file-attributes-for-statx.patch
+virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
+kcsan-debugfs-move-debugfs-file-creation-out-of-early-init.patch
+ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
+f2fs-fix-error-handling-in-f2fs_end_enable_verity.patch
+f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
--- /dev/null
+From 3e903315790baf4a966436e7f32e9c97864570ac Mon Sep 17 00:00:00 2001
+From: Guochun Mao <guochun.mao@mediatek.com>
+Date: Tue, 16 Mar 2021 16:52:14 +0800
+Subject: ubifs: Only check replay with inode type to judge if inode linked
+
+From: Guochun Mao <guochun.mao@mediatek.com>
+
+commit 3e903315790baf4a966436e7f32e9c97864570ac upstream.
+
+Conside the following case, it just write a big file into flash,
+when complete writing, delete the file, and then power off promptly.
+Next time power on, we'll get a replay list like:
+...
+LEB 1105:211344 len 4144 deletion 0 sqnum 428783 key type 1 inode 80
+LEB 15:233544 len 160 deletion 1 sqnum 428785 key type 0 inode 80
+LEB 1105:215488 len 4144 deletion 0 sqnum 428787 key type 1 inode 80
+...
+In the replay list, data nodes' deletion are 0, and the inode node's
+deletion is 1. In current logic, the file's dentry will be removed,
+but inode and the flash space it occupied will be reserved.
+User will see that much free space been disappeared.
+
+We only need to check the deletion value of the following inode type
+node of the replay entry.
+
+Fixes: e58725d51fa8 ("ubifs: Handle re-linking of inodes correctly while recovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guochun Mao <guochun.mao@mediatek.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/replay.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/replay.c
++++ b/fs/ubifs/replay.c
+@@ -223,7 +223,8 @@ static bool inode_still_linked(struct ub
+ */
+ list_for_each_entry_reverse(r, &c->replay_list, list) {
+ ubifs_assert(c, r->sqnum >= rino->sqnum);
+- if (key_inum(c, &r->key) == key_inum(c, &rino->key))
++ if (key_inum(c, &r->key) == key_inum(c, &rino->key) &&
++ key_type(c, &r->key) == UBIFS_INO_KEY)
+ return r->deletion == 0;
+
+ }
--- /dev/null
+From c79c5e0178922a9e092ec8fed026750f39dcaef4 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.de>
+Date: Wed, 17 Mar 2021 08:44:43 +0000
+Subject: virtiofs: fix memory leak in virtio_fs_probe()
+
+From: Luis Henriques <lhenriques@suse.de>
+
+commit c79c5e0178922a9e092ec8fed026750f39dcaef4 upstream.
+
+When accidentally passing twice the same tag to qemu, kmemleak ended up
+reporting a memory leak in virtiofs. Also, looking at the log I saw the
+following error (that's when I realised the duplicated tag):
+
+ virtiofs: probe of virtio5 failed with error -17
+
+Here's the kmemleak log for reference:
+
+unreferenced object 0xffff888103d47800 (size 1024):
+ comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................
+ backtrace:
+ [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs]
+ [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210
+ [<000000004d6baf3c>] really_probe+0xea/0x430
+ [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0
+ [<00000000196f47a7>] __driver_attach+0x98/0x140
+ [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0
+ [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0
+ [<0000000032b09ba7>] driver_register+0x8f/0xe0
+ [<00000000cdd55998>] 0xffffffffa002c013
+ [<000000000ea196a2>] do_one_initcall+0x64/0x2e0
+ [<0000000008f727ce>] do_init_module+0x5c/0x260
+ [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120
+ [<00000000ad2f48c6>] do_syscall_64+0x33/0x40
+ [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luis Henriques <lhenriques@suse.de>
+Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/virtio_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -896,6 +896,7 @@ static int virtio_fs_probe(struct virtio
+ out_vqs:
+ vdev->config->reset(vdev);
+ virtio_fs_cleanup_vqs(vdev, fs);
++ kfree(fs->vqs);
+
+ out:
+ vdev->priv = NULL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
