--- /dev/null
+From 2220eaf90992c11d888fe771055d4de330385f01 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 12 May 2023 15:11:02 -0400
+Subject: ext4: add bounds checking in get_max_inline_xattr_value_size()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 2220eaf90992c11d888fe771055d4de330385f01 upstream.
+
+Normally the extended attributes in the inode body would have been
+checked when the inode is first opened, but if someone is writing to
+the block device while the file system is mounted, it's possible for
+the inode table to get corrupted. Add bounds checking to avoid
+reading beyond the end of allocated memory if this happens.
+
+Reported-by: syzbot+1966db24521e5f6e23f7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=1966db24521e5f6e23f7
+Cc: stable@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inline.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -32,6 +32,7 @@ static int get_max_inline_xattr_value_si
+ struct ext4_xattr_ibody_header *header;
+ struct ext4_xattr_entry *entry;
+ struct ext4_inode *raw_inode;
++ void *end;
+ int free, min_offs;
+
+ if (!EXT4_INODE_HAS_XATTR_SPACE(inode))
+@@ -55,14 +56,23 @@ static int get_max_inline_xattr_value_si
+ raw_inode = ext4_raw_inode(iloc);
+ header = IHDR(inode, raw_inode);
+ entry = IFIRST(header);
++ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+
+ /* Compute min_offs. */
+- for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
++ while (!IS_LAST_ENTRY(entry)) {
++ void *next = EXT4_XATTR_NEXT(entry);
++
++ if (next >= end) {
++ EXT4_ERROR_INODE(inode,
++ "corrupt xattr in inline inode");
++ return 0;
++ }
+ if (!entry->e_value_inum && entry->e_value_size) {
+ size_t offs = le16_to_cpu(entry->e_value_offs);
+ if (offs < min_offs)
+ min_offs = offs;
+ }
++ entry = next;
+ }
+ free = min_offs -
+ ((void *)entry - (void *)IFIRST(header)) - sizeof(__u32);
--- /dev/null
+From 4f04351888a83e595571de672e0a4a8b74f4fb31 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Thu, 4 May 2023 12:15:25 +0000
+Subject: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit 4f04351888a83e595571de672e0a4a8b74f4fb31 upstream.
+
+When modifying the block device while it is mounted by the filesystem,
+syzbot reported the following:
+
+BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58
+Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586
+
+CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
+ print_address_description+0x74/0x340 mm/kasan/report.c:306
+ print_report+0x107/0x1f0 mm/kasan/report.c:417
+ kasan_report+0xcd/0x100 mm/kasan/report.c:517
+ crc16+0x206/0x280 lib/crc16.c:58
+ ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187
+ ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210
+ ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline]
+ ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173
+ ext4_remove_blocks fs/ext4/extents.c:2527 [inline]
+ ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline]
+ ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958
+ ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416
+ ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342
+ ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622
+ notify_change+0xe50/0x1100 fs/attr.c:482
+ do_truncate+0x200/0x2f0 fs/open.c:65
+ handle_truncate fs/namei.c:3216 [inline]
+ do_open fs/namei.c:3561 [inline]
+ path_openat+0x272b/0x2dd0 fs/namei.c:3714
+ do_filp_open+0x264/0x4f0 fs/namei.c:3741
+ do_sys_openat2+0x124/0x4e0 fs/open.c:1310
+ do_sys_open fs/open.c:1326 [inline]
+ __do_sys_creat fs/open.c:1402 [inline]
+ __se_sys_creat fs/open.c:1396 [inline]
+ __x64_sys_creat+0x11f/0x160 fs/open.c:1396
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f72f8a8c0c9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
+RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280
+RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000
+
+Replace
+ le16_to_cpu(sbi->s_es->s_desc_size)
+with
+ sbi->s_desc_size
+
+It reduces ext4's compiled text size, and makes the code more efficient
+(we remove an extra indirect reference and a potential byte
+swap on big endian systems), and there is no downside. It also avoids the
+potential KASAN / syzkaller failure, as a bonus.
+
+Reported-by: syzbot+fc51227e7100c9294894@syzkaller.appspotmail.com
+Reported-by: syzbot+8785e41224a3afd04321@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff42
+Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30f3
+Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/
+Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2423,11 +2423,9 @@ static __le16 ext4_group_desc_csum(struc
+ crc = crc16(crc, (__u8 *)gdp, offset);
+ offset += sizeof(gdp->bg_checksum); /* skip checksum */
+ /* for checksum of struct ext4_group_desc do the rest...*/
+- if (ext4_has_feature_64bit(sb) &&
+- offset < le16_to_cpu(sbi->s_es->s_desc_size))
++ if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size)
+ crc = crc16(crc, (__u8 *)gdp + offset,
+- le16_to_cpu(sbi->s_es->s_desc_size) -
+- offset);
++ sbi->s_desc_size - offset);
+
+ out:
+ return cpu_to_le16(crc);
--- /dev/null
+From 2a534e1d0d1591e951f9ece2fb460b2ff92edabd Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 12 May 2023 15:16:27 -0400
+Subject: ext4: bail out of ext4_xattr_ibody_get() fails for any reason
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 2a534e1d0d1591e951f9ece2fb460b2ff92edabd upstream.
+
+In ext4_update_inline_data(), if ext4_xattr_ibody_get() fails for any
+reason, it's best if we just fail as opposed to stumbling on,
+especially if the failure is EFSCORRUPTED.
+
+Cc: stable@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -358,7 +358,7 @@ static int ext4_update_inline_data(handl
+
+ error = ext4_xattr_ibody_get(inode, i.name_index, i.name,
+ value, len);
+- if (error == -ENODATA)
++ if (error < 0)
+ goto out;
+
+ BUFFER_TRACE(is.iloc.bh, "get_write_access");
--- /dev/null
+From b87c7cdf2bed4928b899e1ce91ef0d147017ba45 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sun, 30 Apr 2023 03:04:13 -0400
+Subject: ext4: fix invalid free tracking in ext4_xattr_move_to_block()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit b87c7cdf2bed4928b899e1ce91ef0d147017ba45 upstream.
+
+In ext4_xattr_move_to_block(), the value of the extended attribute
+which we need to move to an external block may be allocated by
+kvmalloc() if the value is stored in an external inode. So at the end
+of the function the code tried to check if this was the case by
+testing entry->e_value_inum.
+
+However, at this point, the pointer to the xattr entry is no longer
+valid, because it was removed from the original location where it had
+been stored. So we could end up calling kvfree() on a pointer which
+was not allocated by kvmalloc(); or we could also potentially leak
+memory by not freeing the buffer when it should be freed. Fix this by
+storing whether it should be freed in a separate variable.
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230430160426.581366-1-tytso@mit.edu
+Link: https://syzkaller.appspot.com/bug?id=5c2aee8256e30b55ccf57312c16d88417adbd5e1
+Link: https://syzkaller.appspot.com/bug?id=41a6b5d4917c0412eb3b3c3c604965bed7d7420b
+Reported-by: syzbot+64b645917ce07d89bde5@syzkaller.appspotmail.com
+Reported-by: syzbot+0d042627c4f2ad332195@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -2573,6 +2573,7 @@ static int ext4_xattr_move_to_block(hand
+ .in_inode = !!entry->e_value_inum,
+ };
+ struct ext4_xattr_ibody_header *header = IHDR(inode, raw_inode);
++ int needs_kvfree = 0;
+ int error;
+
+ is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS);
+@@ -2595,7 +2596,7 @@ static int ext4_xattr_move_to_block(hand
+ error = -ENOMEM;
+ goto out;
+ }
+-
++ needs_kvfree = 1;
+ error = ext4_xattr_inode_get(inode, entry, buffer, value_size);
+ if (error)
+ goto out;
+@@ -2634,7 +2635,7 @@ static int ext4_xattr_move_to_block(hand
+
+ out:
+ kfree(b_entry_name);
+- if (entry->e_value_inum && buffer)
++ if (needs_kvfree && buffer)
+ kvfree(buffer);
+ if (is)
+ brelse(is->iloc.bh);
--- /dev/null
+From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 5 May 2023 22:20:29 -0400
+Subject: ext4: improve error recovery code paths in __ext4_remount()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 4c0b4818b1f636bc96359f7817a2d8bab6370162 upstream.
+
+If there are failures while changing the mount options in
+__ext4_remount(), we need to restore the old mount options.
+
+This commit fixes two problem. The first is there is a chance that we
+will free the old quota file names before a potential failure leading
+to a use-after-free. The second problem addressed in this commit is
+if there is a failed read/write to read-only transition, if the quota
+has already been suspended, we need to renable quota handling.
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5501,9 +5501,6 @@ static int ext4_remount(struct super_blo
+ }
+
+ #ifdef CONFIG_QUOTA
+- /* Release old quota file names */
+- for (i = 0; i < EXT4_MAXQUOTAS; i++)
+- kfree(old_opts.s_qf_names[i]);
+ if (enable_quota) {
+ if (sb_any_quota_suspended(sb))
+ dquot_resume(sb, -1);
+@@ -5513,6 +5510,9 @@ static int ext4_remount(struct super_blo
+ goto restore_opts;
+ }
+ }
++ /* Release old quota file names */
++ for (i = 0; i < EXT4_MAXQUOTAS; i++)
++ kfree(old_opts.s_qf_names[i]);
+ #endif
+ if (!test_opt(sb, BLOCK_VALIDITY) && sbi->system_blks)
+ ext4_release_system_zone(sb);
+@@ -5529,6 +5529,13 @@ static int ext4_remount(struct super_blo
+ return 0;
+
+ restore_opts:
++ /*
++ * If there was a failing r/w to ro transition, we may need to
++ * re-enable quota
++ */
++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) &&
++ sb_any_quota_suspended(sb))
++ dquot_resume(sb, -1);
+ sb->s_flags = old_sb_flags;
+ sbi->s_mount_opt = old_opts.s_mount_opt;
+ sbi->s_mount_opt2 = old_opts.s_mount_opt2;
--- /dev/null
+From 463808f237cf73e98a1a45ff7460c2406a150a0b Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 29 Apr 2023 16:14:46 -0400
+Subject: ext4: remove a BUG_ON in ext4_mb_release_group_pa()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 463808f237cf73e98a1a45ff7460c2406a150a0b upstream.
+
+If a malicious fuzzer overwrites the ext4 superblock while it is
+mounted such that the s_first_data_block is set to a very large
+number, the calculation of the block group can underflow, and trigger
+a BUG_ON check. Change this to be an ext4_warning so that we don't
+crash the kernel.
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230430154311.579720-3-tytso@mit.edu
+Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -3893,7 +3893,11 @@ ext4_mb_release_group_pa(struct ext4_bud
+ trace_ext4_mb_release_group_pa(sb, pa);
+ BUG_ON(pa->pa_deleted == 0);
+ ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
+- BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
++ if (unlikely(group != e4b->bd_group && pa->pa_len != 0)) {
++ ext4_warning(sb, "bad group: expected %u, group %u, pa_start %llu",
++ e4b->bd_group, group, pa->pa_pstart);
++ return 0;
++ }
+ mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
+ atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
+ trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
drm-panel-otm8009a-set-backlight-parent-to-panel-device.patch
hid-wacom-set-a-default-resolution-for-older-tablets.patch
ext4-fix-warning-in-mb_find_extent.patch
+ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch
+ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch
+ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch
+ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch
+ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch
+ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
