--- /dev/null
+From 02a22be3c0003af08df510cba3d79d00c6495b74 Mon Sep 17 00:00:00 2001
+From: Kent Overstreet <kent.overstreet@linux.dev>
+Date: Sat, 29 Mar 2025 19:01:09 -0400
+Subject: bcachefs: bch2_ioctl_subvolume_destroy() fixes
+
+From: Kent Overstreet <kent.overstreet@linux.dev>
+
+[ Upstream commit 707549600c4a012ed71c0204a7992a679880bf33 ]
+
+bch2_evict_subvolume_inodes() was getting stuck - due to incorrectly
+pruning the dcache.
+
+Also, fix missing permissions checks.
+
+Reported-by: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/bcachefs/fs-ioctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/bcachefs/fs-ioctl.c b/fs/bcachefs/fs-ioctl.c
+index 15725b4ce393..4d6193820483 100644
+--- a/fs/bcachefs/fs-ioctl.c
++++ b/fs/bcachefs/fs-ioctl.c
+@@ -515,10 +515,12 @@ static long bch2_ioctl_subvolume_destroy(struct bch_fs *c, struct file *filp,
+ ret = -ENOENT;
+ goto err;
+ }
+- ret = __bch2_unlink(dir, victim, true);
++
++ ret = inode_permission(file_mnt_idmap(filp), d_inode(victim), MAY_WRITE) ?:
++ __bch2_unlink(dir, victim, true);
+ if (!ret) {
+ fsnotify_rmdir(dir, victim);
+- d_delete(victim);
++ d_invalidate(victim);
+ }
+ err:
+ inode_unlock(dir);
+--
+2.49.0
+
--- /dev/null
+From 52b17bca7b20663e5df6dbfc24cc2030259b64b6 Mon Sep 17 00:00:00 2001
+From: Alan Huang <mmpgouride@gmail.com>
+Date: Fri, 2 May 2025 04:01:31 +0800
+Subject: bcachefs: Remove incorrect __counted_by annotation
+
+From: Alan Huang <mmpgouride@gmail.com>
+
+commit 6846100b00d97d3d6f05766ae86a0d821d849e78 upstream.
+
+This actually reverts 86e92eeeb237 ("bcachefs: Annotate struct bch_xattr
+with __counted_by()").
+
+After the x_name, there is a value. According to the disscussion[1],
+__counted_by assumes that the flexible array member contains exactly
+the amount of elements that are specified. Now there are users came across
+a false positive detection of an out of bounds write caused by
+the __counted_by here[2], so revert that.
+
+[1] https://lore.kernel.org/lkml/Zv8VDKWN1GzLRT-_@archlinux/T/#m0ce9541c5070146320efd4f928cc1ff8de69e9b2
+[2] https://privatebin.net/?a0d4e97d590d71e1#9bLmp2Kb5NU6X6cZEucchDcu88HzUQwHUah8okKPReEt
+
+Signed-off-by: Alan Huang <mmpgouride@gmail.com>
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/bcachefs/xattr_format.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/bcachefs/xattr_format.h
++++ b/fs/bcachefs/xattr_format.h
+@@ -13,7 +13,13 @@ struct bch_xattr {
+ __u8 x_type;
+ __u8 x_name_len;
+ __le16 x_val_len;
+- __u8 x_name[] __counted_by(x_name_len);
++ /*
++ * x_name contains the name and value counted by
++ * x_name_len + x_val_len. The introduction of
++ * __counted_by(x_name_len) caused a false positive
++ * detection of an out of bounds write.
++ */
++ __u8 x_name[];
+ } __packed __aligned(8);
+
+ #endif /* _BCACHEFS_XATTR_FORMAT_H */
cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch
cpufreq-fix-setting-policy-limits-when-frequency-tables-are-used.patch
tracing-fix-oob-write-in-trace_seq_to_buffer.patch
+bcachefs-remove-incorrect-__counted_by-annotation.patch
+bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
