4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Oct 2022 13:03:40 +0000 (15:03 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 16 Oct 2022 13:03:40 +0000 (15:03 +0200)
added patches:
nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch

queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
new file mode 100644 (file)
index 0000000..a0d9da6
--- /dev/null
@@ -0,0 +1,69 @@
+From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Tue, 4 Oct 2022 00:05:19 +0900
+Subject: nilfs2: fix use-after-free bug of struct nilfs_root
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.
+
+If the beginning of the inode bitmap area is corrupted on disk, an inode
+with the same inode number as the root inode can be allocated and fail
+soon after.  In this case, the subsequent call to nilfs_clear_inode() on
+that bogus root inode will wrongly decrement the reference counter of
+struct nilfs_root, and this will erroneously free struct nilfs_root,
+causing kernel oopses.
+
+This fixes the problem by changing nilfs_new_inode() to skip reserved
+inode numbers while repairing the inode bitmap.
+
+Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com
+Reported-by: Khalid Masum <khalid.masum.92@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -344,6 +344,7 @@ struct inode *nilfs_new_inode(struct ino
+       struct inode *inode;
+       struct nilfs_inode_info *ii;
+       struct nilfs_root *root;
++      struct buffer_head *bh;
+       int err = -ENOMEM;
+       ino_t ino;
+@@ -359,11 +360,26 @@ struct inode *nilfs_new_inode(struct ino
+       ii->i_state = BIT(NILFS_I_NEW);
+       ii->i_root = root;
+-      err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
++      err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
+       if (unlikely(err))
+               goto failed_ifile_create_inode;
+       /* reference count of i_bh inherits from nilfs_mdt_read_block() */
++      if (unlikely(ino < NILFS_USER_INO)) {
++              nilfs_msg(sb, KERN_WARNING,
++                        "inode bitmap is inconsistent for reserved inodes");
++              do {
++                      brelse(bh);
++                      err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
++                      if (unlikely(err))
++                              goto failed_ifile_create_inode;
++              } while (ino < NILFS_USER_INO);
++
++              nilfs_msg(sb, KERN_INFO,
++                        "repaired inode bitmap for reserved inodes");
++      }
++      ii->i_bh = bh;
++
+       atomic64_inc(&root->inodes_count);
+       inode_init_owner(inode, dir, mode);
+       inode->i_ino = ino;
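Review bot: The comment `/* reference count of i_bh inherits from nilfs_mdt_read_block() */` no longer sits next to the statement it explains; the assignment it describes is now `ii->i_bh = bh;` fifteen lines further down, after the repair loop, so the comment should move to directly precede that assignment. The retry loop would also benefit from a one-line note on why it terminates, e.g. `/* each successful call claims one more reserved bitmap bit, so this runs at most NILFS_USER_INO times */` — that presumes nilfs_ifile_create_inode() never hands out the same ino twice, which the hunk does not show. On a failure inside the loop, bh has already been released by brelse() and ii->i_bh has not been assigned, so the failed_ifile_create_inode path must rely on ii->i_bh still holding its initial value rather than the released buffer. That label, and the start and end of nilfs_new_inode(), are outside the hunk.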
index b3d78f290a3c79e847c26baeaa8dd2126ac2ac43..9afece0fc8db626277efacb98450e7bee18522b1 100644 (file)
@@ -51,3 +51,4 @@ parisc-fbdev-stifb-align-graphics-memory-size-to-4mb.patch
 um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
 pci-sanitise-firmware-bar-assignments-behind-a-pci-pci-bridge.patch
 fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
+nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch