drop queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch

diff --git a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
deleted file mode 100644 (file)
index bb50f39..0000000
--- a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001
-From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-Date: Tue, 4 Oct 2022 00:05:19 +0900
-Subject: nilfs2: fix use-after-free bug of struct nilfs_root
-
-From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-
-commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.
-
-If the beginning of the inode bitmap area is corrupted on disk, an inode
-with the same inode number as the root inode can be allocated and fail
-soon after.  In this case, the subsequent call to nilfs_clear_inode() on
-that bogus root inode will wrongly decrement the reference counter of
-struct nilfs_root, and this will erroneously free struct nilfs_root,
-causing kernel oopses.
-
-This fixes the problem by changing nilfs_new_inode() to skip reserved
-inode numbers while repairing the inode bitmap.
-
-Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
-Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com
-Reported-by: Khalid Masum <khalid.masum.92@gmail.com>
-Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/nilfs2/inode.c |   17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
---- a/fs/nilfs2/inode.c
-+++ b/fs/nilfs2/inode.c
-@@ -344,6 +344,7 @@ struct inode *nilfs_new_inode(struct ino
-       struct inode *inode;
-       struct nilfs_inode_info *ii;
-       struct nilfs_root *root;
-+      struct buffer_head *bh;
-       int err = -ENOMEM;
-       ino_t ino;
- 
-@@ -359,11 +360,25 @@ struct inode *nilfs_new_inode(struct ino
-       ii->i_state = BIT(NILFS_I_NEW);
-       ii->i_root = root;
- 
--      err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
-+      err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
-       if (unlikely(err))
-               goto failed_ifile_create_inode;
-       /* reference count of i_bh inherits from nilfs_mdt_read_block() */
- 
-+      if (unlikely(ino < NILFS_USER_INO)) {
-+              nilfs_warn(sb,
-+                         "inode bitmap is inconsistent for reserved inodes");
-+              do {
-+                      brelse(bh);
-+                      err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
-+                      if (unlikely(err))
-+                              goto failed_ifile_create_inode;
-+              } while (ino < NILFS_USER_INO);
-+
-+              nilfs_info(sb, "repaired inode bitmap for reserved inodes");
-+      }
-+      ii->i_bh = bh;
-+
-       atomic64_inc(&root->inodes_count);
-       inode_init_owner(inode, dir, mode);
-       inode->i_ino = ino;

diff --git a/queue-4.9/series b/queue-4.9/series
index 20fbdd9790c5056c58298a0390517c2a2f487cfa..7226696e7dace037b91f44c011362f0c2ccde6b1 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -25,6 +25,5 @@ um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
 usb-mon-make-mmapped-memory-read-only.patch
 usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch
 nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch
-nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
 nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch
 nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch