scsi-qla2xxx-fix-warning-for-missing-error-code.patch
scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_create_qpair.patch
kvm-prevent-module-exit-until-all-vms-are-freed.patch
+ubifs-rename_whiteout-fix-double-free-for-whiteout_ui-data.patch
+ubifs-add-missing-iput-if-do_tmpfile-failed-in-rename-whiteout.patch
+ubifs-setflags-make-dirtied_ino_d-8-bytes-aligned.patch
+ubifs-rename_whiteout-correct-old_dir-size-computing.patch
--- /dev/null
+From 716b4573026bcbfa7b58ed19fe15554bac66b082 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Mon, 27 Dec 2021 11:22:35 +0800
+Subject: ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit 716b4573026bcbfa7b58ed19fe15554bac66b082 upstream.
+
+whiteout inode should be put when do_tmpfile() failed if inode has been
+initialized. Otherwise we will get following warning during umount:
+ UBIFS error (ubi0:0 pid 1494): ubifs_assert_failed [ubifs]: UBIFS
+ assert failed: c->bi.dd_growth == 0, in fs/ubifs/super.c:1930
+ VFS: Busy inodes after unmount of ubifs. Self-destruct in 5 seconds.
+
+Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Suggested-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -468,6 +468,8 @@ out_inode:
+ make_bad_inode(inode);
+ if (!instantiated)
+ iput(inode);
++ else if (whiteout)
++ iput(*whiteout);
+ out_budg:
+ ubifs_release_budget(c, &req);
+ if (!instantiated)
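Review bot: the new `else if (whiteout)` branch under `out_inode` tests the caller's out-pointer, not the value stored through it, so `iput(*whiteout)` is only correct if `*whiteout` has been assigned on every path that reaches this label with `instantiated` set. That assignment is outside the hunk. A short comment at the branch stating the invariant (that `instantiated` implies `*whiteout` holds the inode whose reference is being dropped) would let the pairing with the `if (!instantiated) iput(inode);` case be checked from this block alone. The commit message quotes the umount warning but does not say which failing step after initialization triggers it; naming that step would help anyone testing the backport.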
--- /dev/null
+From 705757274599e2e064dd3054aabc74e8af31a095 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Tue, 15 Feb 2022 12:07:36 +0800
+Subject: ubifs: rename_whiteout: correct old_dir size computing
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit 705757274599e2e064dd3054aabc74e8af31a095 upstream.
+
+When renaming the whiteout file, the old whiteout file is not deleted.
+Therefore, we add the old dentry size to the old dir like XFS.
+Otherwise, an error may be reported due to `fscki->calc_sz != fscki->size`
+in check_indes.
+
+Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
+Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1452,6 +1452,9 @@ static int do_rename(struct inode *old_d
+ if (unlink)
+ drop_nlink(old_dir);
+ }
++
++ /* Add the old_dentry size to the old_dir size. */
++ old_sz -= CALC_DENT_SIZE(fname_len(&old_nm));
+ }
+
+ old_dir->i_size -= old_sz;
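Review bot: the added comment says "Add the old_dentry size to the old_dir size", but the statement below it is `old_sz -= CALC_DENT_SIZE(fname_len(&old_nm));`, a subtraction from `old_sz`, which reads as the opposite at first glance. The net effect only becomes an addition because of the later `old_dir->i_size -= old_sz;`. Suggest wording the comment around what the line does and why, for example that the whiteout keeps the old name in `old_dir`, so its dentry size must not be removed from `old_dir->i_size`. The commit message also refers to `check_indes`, which looks like a misspelled function name and makes the failing check harder to find.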
--- /dev/null
+From 40a8f0d5e7b3999f096570edab71c345da812e3e Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Mon, 27 Dec 2021 11:22:32 +0800
+Subject: ubifs: rename_whiteout: Fix double free for whiteout_ui->data
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit 40a8f0d5e7b3999f096570edab71c345da812e3e upstream.
+
+'whiteout_ui->data' will be freed twice if space budget fail for
+rename whiteout operation as following process:
+
+rename_whiteout
+ dev = kmalloc
+ whiteout_ui->data = dev
+ kfree(whiteout_ui->data) // Free first time
+ iput(whiteout)
+ ubifs_free_inode
+ kfree(ui->data) // Double free!
+
+KASAN reports:
+==================================================================
+BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
+Call Trace:
+ kfree+0x117/0x490
+ ubifs_free_inode+0x4f/0x70 [ubifs]
+ i_callback+0x30/0x60
+ rcu_do_batch+0x366/0xac0
+ __do_softirq+0x133/0x57f
+
+Allocated by task 1506:
+ kmem_cache_alloc_trace+0x3c2/0x7a0
+ do_rename+0x9b7/0x1150 [ubifs]
+ ubifs_rename+0x106/0x1f0 [ubifs]
+ do_syscall_64+0x35/0x80
+
+Freed by task 1506:
+ kfree+0x117/0x490
+ do_rename.cold+0x53/0x8a [ubifs]
+ ubifs_rename+0x106/0x1f0 [ubifs]
+ do_syscall_64+0x35/0x80
+
+The buggy address belongs to the object at ffff88810238bed8 which
+belongs to the cache kmalloc-8 of size 8
+==================================================================
+
+Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
+assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
+-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
+(because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release',
+ and the nlink of whiteout inode is 0).
+
+Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/dir.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1496,8 +1496,6 @@ static int do_rename(struct inode *old_d
+
+ err = ubifs_budget_space(c, &wht_req);
+ if (err) {
+- kfree(whiteout_ui->data);
+- whiteout_ui->data_len = 0;
+ iput(whiteout);
+ goto out_release;
+ }
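Review bot: after the two removals, the `if (err)` block following `ubifs_budget_space(c, &wht_req)` relies on `iput(whiteout)` alone to release `whiteout_ui->data`, and nothing in the code records that ownership. The commit message explains it (`iput` leads to `ubifs_free_inode`, which does `kfree(ui->data)`), but a reader of this error path will not see that and may reintroduce the explicit `kfree`. A one-line comment above `iput(whiteout);` saying that the buffer is freed with the inode would document the rule that prevents the double free shown in the KASAN report.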
--- /dev/null
+From 1b83ec057db16b4d0697dc21ef7a9743b6041f72 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Mon, 27 Dec 2021 11:22:39 +0800
+Subject: ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+commit 1b83ec057db16b4d0697dc21ef7a9743b6041f72 upstream.
+
+Make 'ui->data_len' aligned with 8 bytes before it is assigned to
+dirtied_ino_d. Since 8871d84c8f8b0c6b("ubifs: convert to fileattr")
+applied, 'setflags()' only affects regular files and directories, only
+xattr inode, symlink inode and special inode(pipe/char_dev/block_dev)
+have none- zero 'ui->data_len' field, so assertion
+'!(req->dirtied_ino_d & 7)' cannot fail in ubifs_budget_space().
+To avoid assertion fails in future evolution(eg. setflags can operate
+special inodes), it's better to make dirtied_ino_d 8 bytes aligned,
+after all aligned size is still zero for regular files.
+
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ubifs/ioctl.c
++++ b/fs/ubifs/ioctl.c
+@@ -110,7 +110,7 @@ static int setflags(struct inode *inode,
+ struct ubifs_inode *ui = ubifs_inode(inode);
+ struct ubifs_info *c = inode->i_sb->s_fs_info;
+ struct ubifs_budget_req req = { .dirtied_ino = 1,
+- .dirtied_ino_d = ui->data_len };
++ .dirtied_ino_d = ALIGN(ui->data_len, 8) };
+
+ err = ubifs_budget_space(c, &req);
+ if (err)
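Review bot: in the `req` initializer, `ALIGN(ui->data_len, 8)` uses a bare `8` whose only justification is the `!(req->dirtied_ino_d & 7)` assertion named in the commit message, not anything visible at this site. A brief comment next to `.dirtied_ino_d` tying the alignment to that budgeting assertion would keep the two from drifting apart. Separately, the commit message states that the assertion "cannot fail" with the current `setflags()` callers, so this is hardening against future changes; the `Fixes:` tag pointing at the original UBIFS commit suggests a live bug, and the description should say plainly that no current failure is being fixed.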