+++ /dev/null
-From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001
-From: Baokun Li <libaokun1@huawei.com>
-Date: Thu, 22 Aug 2024 10:35:23 +0800
-Subject: ext4: fix slab-use-after-free in ext4_split_extent_at()
-
-From: Baokun Li <libaokun1@huawei.com>
-
-commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream.
-
-We hit the following use-after-free:
-
-==================================================================
-BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
-Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
-CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
-Call Trace:
- <TASK>
- kasan_report+0x93/0xc0
- ext4_split_extent_at+0xba8/0xcc0
- ext4_split_extent.isra.0+0x18f/0x500
- ext4_split_convert_extents+0x275/0x750
- ext4_ext_handle_unwritten_extents+0x73e/0x1580
- ext4_ext_map_blocks+0xe20/0x2dc0
- ext4_map_blocks+0x724/0x1700
- ext4_do_writepages+0x12d6/0x2a70
-[...]
-
-Allocated by task 40:
- __kmalloc_noprof+0x1ac/0x480
- ext4_find_extent+0xf3b/0x1e70
- ext4_ext_map_blocks+0x188/0x2dc0
- ext4_map_blocks+0x724/0x1700
- ext4_do_writepages+0x12d6/0x2a70
-[...]
-
-Freed by task 40:
- kfree+0xf1/0x2b0
- ext4_find_extent+0xa71/0x1e70
- ext4_ext_insert_extent+0xa22/0x3260
- ext4_split_extent_at+0x3ef/0xcc0
- ext4_split_extent.isra.0+0x18f/0x500
- ext4_split_convert_extents+0x275/0x750
- ext4_ext_handle_unwritten_extents+0x73e/0x1580
- ext4_ext_map_blocks+0xe20/0x2dc0
- ext4_map_blocks+0x724/0x1700
- ext4_do_writepages+0x12d6/0x2a70
-[...]
-==================================================================
-
-The flow of issue triggering is as follows:
-
-ext4_split_extent_at
- path = *ppath
- ext4_ext_insert_extent(ppath)
- ext4_ext_create_new_leaf(ppath)
- ext4_find_extent(orig_path)
- path = *orig_path
- read_extent_tree_block
- // return -ENOMEM or -EIO
- ext4_free_ext_path(path)
- kfree(path)
- *orig_path = NULL
- a. If err is -ENOMEM:
- ext4_ext_dirty(path + path->p_depth)
- // path use-after-free !!!
- b. If err is -EIO and we have EXT_DEBUG defined:
- ext4_ext_show_leaf(path)
- eh = path[depth].p_hdr
- // path also use-after-free !!!
-
-So when trying to zeroout or fix the extent length, call ext4_find_extent()
-to update the path.
-
-In addition we use *ppath directly as an ext4_ext_show_leaf() input to
-avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
-unnecessary path updates.
-
-Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code")
-Cc: stable@kernel.org
-Signed-off-by: Baokun Li <libaokun1@huawei.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
-Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
-Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/extents.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -3276,6 +3276,25 @@ static int ext4_split_extent_at(handle_t
- if (err != -ENOSPC && err != -EDQUOT)
- goto out;
-
-+ /*
-+ * Update path is required because previous ext4_ext_insert_extent()
-+ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
-+ * guarantees that ext4_find_extent() will not return -ENOMEM,
-+ * otherwise -ENOMEM will cause a retry in do_writepages(), and a
-+ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
-+ * an incorrect ee_len causing the i_reserved_data_blocks exception.
-+ */
-+ path = ext4_find_extent(inode, ee_block, ppath,
-+ flags | EXT4_EX_NOFAIL);
-+ if (IS_ERR(path)) {
-+ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
-+ split, PTR_ERR(path));
-+ return PTR_ERR(path);
-+ }
-+ depth = ext_depth(inode);
-+ ex = path[depth].p_ext;
-+ *ppath = path;
-+
- if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
- if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
- if (split_flag & EXT4_EXT_DATA_VALID1) {
-@@ -3324,7 +3343,7 @@ fix_extent_len:
- ext4_ext_dirty(handle, inode, path + path->p_depth);
- return err;
- out:
-- ext4_ext_show_leaf(inode, path);
-+ ext4_ext_show_leaf(inode, *ppath);
- return err;
- }
-
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
-@@ -5750,6 +5750,7 @@ int ext4_insert_range(struct inode *inod
+@@ -5731,6 +5731,7 @@ int ext4_insert_range(struct inode *inod
path = ext4_find_extent(inode, offset_lblk, NULL, 0);
if (IS_ERR(path)) {
up_write(&EXT4_I(inode)->i_data_sem);
+++ /dev/null
-From 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 Mon Sep 17 00:00:00 2001
-From: Baokun Li <libaokun1@huawei.com>
-Date: Thu, 22 Aug 2024 10:35:25 +0800
-Subject: ext4: update orig_path in ext4_find_extent()
-
-From: Baokun Li <libaokun1@huawei.com>
-
-commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 upstream.
-
-In ext4_find_extent(), if the path is not big enough, we free it and set
-*orig_path to NULL. But after reallocating and successfully initializing
-the path, we don't update *orig_path, in which case the caller gets a
-valid path but a NULL ppath, and this may cause a NULL pointer dereference
-or a path memory leak. For example:
-
-ext4_split_extent
- path = *ppath = 2000
- ext4_find_extent
- if (depth > path[0].p_maxdepth)
- kfree(path = 2000);
- *orig_path = path = NULL;
- path = kcalloc() = 3000
- ext4_split_extent_at(*ppath = NULL)
- path = *ppath;
- ex = path[depth].p_ext;
- // NULL pointer dereference!
-
-==================================================================
-BUG: kernel NULL pointer dereference, address: 0000000000000010
-CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
-RIP: 0010:ext4_split_extent_at+0x6d/0x560
-Call Trace:
- <TASK>
- ext4_split_extent.isra.0+0xcb/0x1b0
- ext4_ext_convert_to_initialized+0x168/0x6c0
- ext4_ext_handle_unwritten_extents+0x325/0x4d0
- ext4_ext_map_blocks+0x520/0xdb0
- ext4_map_blocks+0x2b0/0x690
- ext4_iomap_begin+0x20e/0x2c0
-[...]
-==================================================================
-
-Therefore, *orig_path is updated when the extent lookup succeeds, so that
-the caller can safely use path or *ppath.
-
-Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
-Cc: stable@kernel.org
-Signed-off-by: Baokun Li <libaokun1@huawei.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/extents.c | 3 ++-
- fs/ext4/move_extent.c | 1 -
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -945,6 +945,8 @@ ext4_find_extent(struct inode *inode, ex
-
- ext4_ext_show_path(inode, path);
-
-+ if (orig_path)
-+ *orig_path = path;
- return path;
-
- err:
-@@ -3295,7 +3297,6 @@ static int ext4_split_extent_at(handle_t
- }
- depth = ext_depth(inode);
- ex = path[depth].p_ext;
-- *ppath = path;
-
- if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
- if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
---- a/fs/ext4/move_extent.c
-+++ b/fs/ext4/move_extent.c
-@@ -37,7 +37,6 @@ get_ext_path(struct inode *inode, ext4_l
- *ppath = NULL;
- return -ENODATA;
- }
-- *ppath = path;
- return 0;
- }
-
parisc-fix-itlb-miss-handler-for-64-bit-programs.patch
alsa-core-add-isascii-check-to-card-id-generator.patch
ext4-no-need-to-continue-when-the-number-of-entries-is-1.patch
-ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch
ext4-fix-incorrect-tid-assumption-in-__jbd2_log_wait_for_space.patch
ext4-aovid-use-after-free-in-ext4_ext_insert_extent.patch
ext4-fix-double-brelse-the-buffer-of-the-extents-path.patch
-ext4-update-orig_path-in-ext4_find_extent.patch
ext4-fix-incorrect-tid-assumption-in-ext4_wait_for_tail_page_commit.patch
+++ /dev/null
-From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001
-From: Baokun Li <libaokun1@huawei.com>
-Date: Thu, 22 Aug 2024 10:35:23 +0800
-Subject: ext4: fix slab-use-after-free in ext4_split_extent_at()
-
-From: Baokun Li <libaokun1@huawei.com>
-
-commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream.
-
-We hit the following use-after-free:
-
-==================================================================
-BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
-Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
-CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
-Call Trace:
- <TASK>
- kasan_report+0x93/0xc0
- ext4_split_extent_at+0xba8/0xcc0
- ext4_split_extent.isra.0+0x18f/0x500
- ext4_split_convert_extents+0x275/0x750
- ext4_ext_handle_unwritten_extents+0x73e/0x1580
- ext4_ext_map_blocks+0xe20/0x2dc0
- ext4_map_blocks+0x724/0x1700
- ext4_do_writepages+0x12d6/0x2a70
-[...]
-
-Allocated by task 40:
- __kmalloc_noprof+0x1ac/0x480
- ext4_find_extent+0xf3b/0x1e70
- ext4_ext_map_blocks+0x188/0x2dc0
- ext4_map_blocks+0x724/0x1700
- ext4_do_writepages+0x12d6/0x2a70
-[...]
-
-Freed by task 40:
- kfree+0xf1/0x2b0
- ext4_find_extent+0xa71/0x1e70
- ext4_ext_insert_extent+0xa22/0x3260
- ext4_split_extent_at+0x3ef/0xcc0
- ext4_split_extent.isra.0+0x18f/0x500
- ext4_split_convert_extents+0x275/0x750
- ext4_ext_handle_unwritten_extents+0x73e/0x1580
- ext4_ext_map_blocks+0xe20/0x2dc0
- ext4_map_blocks+0x724/0x1700
- ext4_do_writepages+0x12d6/0x2a70
-[...]
-==================================================================
-
-The flow of issue triggering is as follows:
-
-ext4_split_extent_at
- path = *ppath
- ext4_ext_insert_extent(ppath)
- ext4_ext_create_new_leaf(ppath)
- ext4_find_extent(orig_path)
- path = *orig_path
- read_extent_tree_block
- // return -ENOMEM or -EIO
- ext4_free_ext_path(path)
- kfree(path)
- *orig_path = NULL
- a. If err is -ENOMEM:
- ext4_ext_dirty(path + path->p_depth)
- // path use-after-free !!!
- b. If err is -EIO and we have EXT_DEBUG defined:
- ext4_ext_show_leaf(path)
- eh = path[depth].p_hdr
- // path also use-after-free !!!
-
-So when trying to zeroout or fix the extent length, call ext4_find_extent()
-to update the path.
-
-In addition we use *ppath directly as an ext4_ext_show_leaf() input to
-avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
-unnecessary path updates.
-
-Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code")
-Cc: stable@kernel.org
-Signed-off-by: Baokun Li <libaokun1@huawei.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
-Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
-Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/extents.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -3422,6 +3422,25 @@ static int ext4_split_extent_at(handle_t
- if (err != -ENOSPC && err != -EDQUOT)
- goto out;
-
-+ /*
-+ * Update path is required because previous ext4_ext_insert_extent()
-+ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
-+ * guarantees that ext4_find_extent() will not return -ENOMEM,
-+ * otherwise -ENOMEM will cause a retry in do_writepages(), and a
-+ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
-+ * an incorrect ee_len causing the i_reserved_data_blocks exception.
-+ */
-+ path = ext4_find_extent(inode, ee_block, ppath,
-+ flags | EXT4_EX_NOFAIL);
-+ if (IS_ERR(path)) {
-+ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
-+ split, PTR_ERR(path));
-+ return PTR_ERR(path);
-+ }
-+ depth = ext_depth(inode);
-+ ex = path[depth].p_ext;
-+ *ppath = path;
-+
- if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
- if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
- if (split_flag & EXT4_EXT_DATA_VALID1) {
-@@ -3470,7 +3489,7 @@ fix_extent_len:
- ext4_ext_dirty(handle, inode, path + path->p_depth);
- return err;
- out:
-- ext4_ext_show_leaf(inode, path);
-+ ext4_ext_show_leaf(inode, *ppath);
- return err;
- }
-
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
-@@ -5760,6 +5760,7 @@ int ext4_insert_range(struct inode *inod
+@@ -5741,6 +5741,7 @@ int ext4_insert_range(struct inode *inod
path = ext4_find_extent(inode, offset_lblk, NULL, 0);
if (IS_ERR(path)) {
up_write(&EXT4_I(inode)->i_data_sem);
+++ /dev/null
-From 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 Mon Sep 17 00:00:00 2001
-From: Baokun Li <libaokun1@huawei.com>
-Date: Thu, 22 Aug 2024 10:35:25 +0800
-Subject: ext4: update orig_path in ext4_find_extent()
-
-From: Baokun Li <libaokun1@huawei.com>
-
-commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 upstream.
-
-In ext4_find_extent(), if the path is not big enough, we free it and set
-*orig_path to NULL. But after reallocating and successfully initializing
-the path, we don't update *orig_path, in which case the caller gets a
-valid path but a NULL ppath, and this may cause a NULL pointer dereference
-or a path memory leak. For example:
-
-ext4_split_extent
- path = *ppath = 2000
- ext4_find_extent
- if (depth > path[0].p_maxdepth)
- kfree(path = 2000);
- *orig_path = path = NULL;
- path = kcalloc() = 3000
- ext4_split_extent_at(*ppath = NULL)
- path = *ppath;
- ex = path[depth].p_ext;
- // NULL pointer dereference!
-
-==================================================================
-BUG: kernel NULL pointer dereference, address: 0000000000000010
-CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
-RIP: 0010:ext4_split_extent_at+0x6d/0x560
-Call Trace:
- <TASK>
- ext4_split_extent.isra.0+0xcb/0x1b0
- ext4_ext_convert_to_initialized+0x168/0x6c0
- ext4_ext_handle_unwritten_extents+0x325/0x4d0
- ext4_ext_map_blocks+0x520/0xdb0
- ext4_map_blocks+0x2b0/0x690
- ext4_iomap_begin+0x20e/0x2c0
-[...]
-==================================================================
-
-Therefore, *orig_path is updated when the extent lookup succeeds, so that
-the caller can safely use path or *ppath.
-
-Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
-Cc: stable@kernel.org
-Signed-off-by: Baokun Li <libaokun1@huawei.com>
-Reviewed-by: Jan Kara <jack@suse.cz>
-Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com
-Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/ext4/extents.c | 3 ++-
- fs/ext4/move_extent.c | 1 -
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -984,6 +984,8 @@ ext4_find_extent(struct inode *inode, ex
-
- ext4_ext_show_path(inode, path);
-
-+ if (orig_path)
-+ *orig_path = path;
- return path;
-
- err:
-@@ -3441,7 +3443,6 @@ static int ext4_split_extent_at(handle_t
- }
- depth = ext_depth(inode);
- ex = path[depth].p_ext;
-- *ppath = path;
-
- if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
- if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
---- a/fs/ext4/move_extent.c
-+++ b/fs/ext4/move_extent.c
-@@ -36,7 +36,6 @@ get_ext_path(struct inode *inode, ext4_l
- *ppath = NULL;
- return -ENODATA;
- }
-- *ppath = path;
- return 0;
- }
-
alsa-core-add-isascii-check-to-card-id-generator.patch
alsa-hda-realtek-add-quirk-for-huawei-matebook-13-klv-wx9.patch
ext4-no-need-to-continue-when-the-number-of-entries-is-1.patch
-ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch
ext4-fix-incorrect-tid-assumption-in-__jbd2_log_wait_for_space.patch
ext4-aovid-use-after-free-in-ext4_ext_insert_extent.patch
ext4-fix-double-brelse-the-buffer-of-the-extents-path.patch
-ext4-update-orig_path-in-ext4_find_extent.patch
ext4-fix-incorrect-tid-assumption-in-ext4_wait_for_tail_page_commit.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
