--- /dev/null
+From b862676e371715456c9dade7990c8004996d0d9e Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Mon, 22 Mar 2021 19:47:30 +0800
+Subject: f2fs: fix to avoid out-of-bounds memory access
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit b862676e371715456c9dade7990c8004996d0d9e upstream.
+
+butt3rflyh4ck <butterflyhuangxx@gmail.com> reported a bug found by
+syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
+
+ dump_stack+0xfa/0x151 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
+ current_nat_addr fs/f2fs/node.h:213 [inline]
+ get_next_nat_page fs/f2fs/node.c:123 [inline]
+ __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
+ f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
+ f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
+ f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
+ f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
+ __sync_filesystem fs/sync.c:39 [inline]
+ sync_filesystem fs/sync.c:67 [inline]
+ sync_filesystem+0x1b5/0x260 fs/sync.c:48
+ generic_shutdown_super+0x70/0x370 fs/super.c:448
+ kill_block_super+0x97/0xf0 fs/super.c:1394
+
+The root cause is, if nat entry in checkpoint journal area is corrupted,
+e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
+once it tries to flush nat journal to NAT area, get_next_nat_page() may
+access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
+as bitmap offset.
+
+[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
+
+Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2654,6 +2654,9 @@ static void remove_nats_in_journal(struc
+ struct f2fs_nat_entry raw_ne;
+ nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+
++ if (f2fs_check_nid_range(sbi, nid))
++ continue;
++
+ raw_ne = nat_in_journal(journal, i);
+
+ ne = __lookup_nat_cache(nm_i, nid);
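Review bot: The new guard on the `f2fs_check_nid_range(sbi, nid)` line drops a journalled NAT entry whose nid is out of range by silently `continue`-ing, and nothing in the hunk records that the checkpoint journal was found corrupt. Unless `f2fs_check_nid_range()` itself logs or sets `SBI_NEED_FSCK` (its body is not in the hunk), the discarded entry leaves no trace for the user or for fsck; consider `if (f2fs_check_nid_range(sbi, nid)) { set_sbi_flag(sbi, SBI_NEED_FSCK); continue; }` or at least a comment such as `/* corrupted journal: nid out of range, drop the entry rather than index nat_bitmap with it */`. The check is correctly placed before `nat_in_journal()` and `__lookup_nat_cache()` consume the nid. remove_nats_in_journal() starts before the hunk and continues after it, so whether the skipped journal slot is later cleared together with the rest of the journal cannot be confirmed from here.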
--- /dev/null
+From 3e903315790baf4a966436e7f32e9c97864570ac Mon Sep 17 00:00:00 2001
+From: Guochun Mao <guochun.mao@mediatek.com>
+Date: Tue, 16 Mar 2021 16:52:14 +0800
+Subject: ubifs: Only check replay with inode type to judge if inode linked
+
+From: Guochun Mao <guochun.mao@mediatek.com>
+
+commit 3e903315790baf4a966436e7f32e9c97864570ac upstream.
+
+Conside the following case, it just write a big file into flash,
+when complete writing, delete the file, and then power off promptly.
+Next time power on, we'll get a replay list like:
+...
+LEB 1105:211344 len 4144 deletion 0 sqnum 428783 key type 1 inode 80
+LEB 15:233544 len 160 deletion 1 sqnum 428785 key type 0 inode 80
+LEB 1105:215488 len 4144 deletion 0 sqnum 428787 key type 1 inode 80
+...
+In the replay list, data nodes' deletion are 0, and the inode node's
+deletion is 1. In current logic, the file's dentry will be removed,
+but inode and the flash space it occupied will be reserved.
+User will see that much free space been disappeared.
+
+We only need to check the deletion value of the following inode type
+node of the replay entry.
+
+Fixes: e58725d51fa8 ("ubifs: Handle re-linking of inodes correctly while recovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guochun Mao <guochun.mao@mediatek.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/replay.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/replay.c
++++ b/fs/ubifs/replay.c
+@@ -232,7 +232,8 @@ static bool inode_still_linked(struct ub
+ */
+ list_for_each_entry_reverse(r, &c->replay_list, list) {
+ ubifs_assert(c, r->sqnum >= rino->sqnum);
+- if (key_inum(c, &r->key) == key_inum(c, &rino->key))
++ if (key_inum(c, &r->key) == key_inum(c, &rino->key) &&
++ key_type(c, &r->key) == UBIFS_INO_KEY)
+ return r->deletion == 0;
+
+ }
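Review bot: The comment block that closes on the ` */` line at the top of the hunk is not updated, yet the loop it documents now lets only nodes with `key_type(c, &r->key) == UBIFS_INO_KEY` decide the result of `inode_still_linked()`; a data or dentry node for the same inum no longer ends the search. The comment's text lies outside the hunk, so I cannot tell whether it still describes the old behaviour, but it should state the new rule, e.g. `/* Only a later inode node for the same inum decides; data and dentry nodes are skipped */`. On the continuation line, align `key_type(...)` under the opening parenthesis of the `if` per kernel style (the exact indentation is not recoverable from this listing). inode_still_linked() starts before the hunk and its fallback return after the loop is outside it.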