5.4-stable patches

added patches:
	nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch

diff --git a/queue-5.4/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/queue-5.4/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
new file mode 100644 (file)
index 0000000..6284acf
--- /dev/null
+++ b/queue-5.4/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
@@ -0,0 +1,69 @@
+From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Tue, 4 Oct 2022 00:05:19 +0900
+Subject: nilfs2: fix use-after-free bug of struct nilfs_root
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.
+
+If the beginning of the inode bitmap area is corrupted on disk, an inode
+with the same inode number as the root inode can be allocated and fail
+soon after.  In this case, the subsequent call to nilfs_clear_inode() on
+that bogus root inode will wrongly decrement the reference counter of
+struct nilfs_root, and this will erroneously free struct nilfs_root,
+causing kernel oopses.
+
+This fixes the problem by changing nilfs_new_inode() to skip reserved
+inode numbers while repairing the inode bitmap.
+
+Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com
+Reported-by: Khalid Masum <khalid.masum.92@gmail.com>
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -340,6 +340,7 @@ struct inode *nilfs_new_inode(struct ino
+       struct inode *inode;
+       struct nilfs_inode_info *ii;
+       struct nilfs_root *root;
++      struct buffer_head *bh;
+       int err = -ENOMEM;
+       ino_t ino;
+ 
+@@ -355,11 +356,26 @@ struct inode *nilfs_new_inode(struct ino
+       ii->i_state = BIT(NILFS_I_NEW);
+       ii->i_root = root;
+ 
+-      err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
++      err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
+       if (unlikely(err))
+               goto failed_ifile_create_inode;
+       /* reference count of i_bh inherits from nilfs_mdt_read_block() */
+ 
++      if (unlikely(ino < NILFS_USER_INO)) {
++              nilfs_msg(sb, KERN_WARNING,
++                        "inode bitmap is inconsistent for reserved inodes");
++              do {
++                      brelse(bh);
++                      err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
++                      if (unlikely(err))
++                              goto failed_ifile_create_inode;
++              } while (ino < NILFS_USER_INO);
++
++              nilfs_msg(sb, KERN_INFO,
++                        "repaired inode bitmap for reserved inodes");
++      }
++      ii->i_bh = bh;
++
+       atomic64_inc(&root->inodes_count);
+       inode_init_owner(inode, dir, mode);
+       inode->i_ino = ino;

diff --git a/queue-5.4/series b/queue-5.4/series
index 737166ac3e4d39d42ac982bac58a56dc9057d07d..442626206de132492c6316121fd0c285c71506c9 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -36,3 +36,4 @@ btrfs-fix-race-between-quota-enable-and-quota-rescan-ioctl.patch
 f2fs-increase-the-limit-for-reserve_root.patch
 f2fs-fix-to-do-sanity-check-on-destination-blkaddr-during-recovery.patch
 f2fs-fix-to-do-sanity-check-on-summary-info.patch
+nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch