From: Greg Kroah-Hartman Date: Wed, 12 Oct 2022 20:24:25 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.4.218~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=064079384c9233b90330335915b75cbf93250931;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch --- diff --git a/queue-4.9/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch b/queue-4.9/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch new file mode 100644 index 00000000000..c3a323c5760 --- /dev/null +++ b/queue-4.9/nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch 
@@ -0,0 +1,71 @@ +From d0d51a97063db4704a5ef6bc978dddab1636a306 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Fri, 7 Oct 2022 17:52:26 +0900 +Subject: nilfs2: fix leak of nilfs_root in case of writer thread creation failure + +From: Ryusuke Konishi + +commit d0d51a97063db4704a5ef6bc978dddab1636a306 upstream. + +If nilfs_attach_log_writer() failed to create a log writer thread, it +frees a data structure of the log writer without any cleanup. After +commit e912a5b66837 ("nilfs2: use root object to get ifile"), this causes +a leak of struct nilfs_root, which started to leak an ifile metadata inode +and a kobject on that struct. + +In addition, if the kernel is booted with panic_on_warn, the above +ifile metadata inode leak will cause the following panic when the +nilfs2 kernel module is removed: + + kmem_cache_destroy nilfs2_inode_cache: Slab cache still has objects when + called from nilfs_destroy_cachep+0x16/0x3a [nilfs2] + WARNING: CPU: 8 PID: 1464 at mm/slab_common.c:494 kmem_cache_destroy+0x138/0x140 + ... + RIP: 0010:kmem_cache_destroy+0x138/0x140 + Code: 00 20 00 00 e8 a9 55 d8 ff e9 76 ff ff ff 48 8b 53 60 48 c7 c6 20 70 65 86 48 c7 c7 d8 69 9c 86 48 8b 4c 24 28 e8 ef 71 c7 00 <0f> 0b e9 53 ff ff ff c3 48 81 ff ff 0f 00 00 77 03 31 c0 c3 53 48 + ... + Call Trace: + + ? nilfs_palloc_freev.cold.24+0x58/0x58 [nilfs2] + nilfs_destroy_cachep+0x16/0x3a [nilfs2] + exit_nilfs_fs+0xa/0x1b [nilfs2] + __x64_sys_delete_module+0x1d9/0x3a0 + ? __sanitizer_cov_trace_pc+0x1a/0x50 + ? syscall_trace_enter.isra.19+0x119/0x190 + do_syscall_64+0x34/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + ... + + Kernel panic - not syncing: panic_on_warn set ... + +This patch fixes these issues by calling nilfs_detach_log_writer() cleanup +function if spawning the log writer thread fails. 
+ +Link: https://lkml.kernel.org/r/20221007085226.57667-1-konishi.ryusuke@gmail.com +Fixes: e912a5b66837 ("nilfs2: use root object to get ifile") +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+7381dc4ad60658ca4c05@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -2796,10 +2796,9 @@ int nilfs_attach_log_writer(struct super + inode_attach_wb(nilfs->ns_bdev->bd_inode, NULL); + + err = nilfs_segctor_start_thread(nilfs->ns_writer); +- if (err) { +- kfree(nilfs->ns_writer); +- nilfs->ns_writer = NULL; +- } ++ if (unlikely(err)) ++ nilfs_detach_log_writer(sb); ++ + return err; + } + diff --git a/queue-4.9/nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch b/queue-4.9/nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch new file mode 100644 index 00000000000..cf164b7bd5b --- /dev/null +++ b/queue-4.9/nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch 
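Review bot: The new error path now depends on nilfs_detach_log_writer() to reset nilfs->ns_writer to NULL, which the removed lines did explicitly; that function is outside the hunk, so confirm it clears the pointer after freeing, otherwise a later detach from the unmount path would touch freed memory. Since nilfs_segctor_start_thread() failed, the writer has no task yet, so the detach routine's thread-stop step must also tolerate a writer whose task is NULL — worth confirming as well. A short comment at the call would document why the full detach path is used instead of a plain kfree(): `/* thread never started: use the normal detach path so the nilfs_root ref is dropped */`. nilfs_attach_log_writer() begins before this hunk.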
@@ -0,0 +1,41 @@ +From 21a87d88c2253350e115029f14fe2a10a7e6c856 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Sun, 2 Oct 2022 12:08:04 +0900 +Subject: nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() + +From: Ryusuke Konishi + +commit 21a87d88c2253350e115029f14fe2a10a7e6c856 upstream. + +If the i_mode field in inode of metadata files is corrupted on disk, it +can cause the initialization of bmap structure, which should have been +called from nilfs_read_inode_common(), not to be called. This causes a +lockdep warning followed by a NULL pointer dereference at +nilfs_bmap_lookup_at_level(). + +This patch fixes these issues by adding a missing sanitiy check for the +i_mode field of metadata file's inode. + +Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+2b32eb36c1a825b7a74c@syzkaller.appspotmail.com +Reported-by: Tetsuo Handa +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -455,6 +455,8 @@ int nilfs_read_inode_common(struct inode + inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); + inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec); + inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); ++ if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode)) ++ return -EIO; /* this inode is for metadata and corrupted */ + if (inode->i_nlink == 0) + return -ESTALE; /* this inode is deleted */ + diff --git a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch new file mode 100644 index 00000000000..bb50f39638a --- /dev/null +++ b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch 
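Review bot: The new check rejects a corrupted metadata inode with -EIO but emits no diagnostic, so an administrator only sees a generic I/O error with nothing pointing at the on-disk i_mode; a one-line message through the tree's nilfs message helper (the exact helper name depends on what the 4.9 tree provides) naming the inode number would make the corruption visible. The check relies on nilfs_is_metadata_file_inode() and on i_mode having been read earlier in nilfs_read_inode_common(), both outside this hunk, so confirm the call sits after the i_mode assignment in the backported tree. The function starts before and continues past this hunk.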
@@ -0,0 +1,68 @@ +From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Tue, 4 Oct 2022 00:05:19 +0900 +Subject: nilfs2: fix use-after-free bug of struct nilfs_root + +From: Ryusuke Konishi + +commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream. + +If the beginning of the inode bitmap area is corrupted on disk, an inode +with the same inode number as the root inode can be allocated and fail +soon after. In this case, the subsequent call to nilfs_clear_inode() on +that bogus root inode will wrongly decrement the reference counter of +struct nilfs_root, and this will erroneously free struct nilfs_root, +causing kernel oopses. + +This fixes the problem by changing nilfs_new_inode() to skip reserved +inode numbers while repairing the inode bitmap. + +Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com +Reported-by: Khalid Masum +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/inode.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/inode.c ++++ b/fs/nilfs2/inode.c +@@ -344,6 +344,7 @@ struct inode *nilfs_new_inode(struct ino + struct inode *inode; + struct nilfs_inode_info *ii; + struct nilfs_root *root; ++ struct buffer_head *bh; + int err = -ENOMEM; + ino_t ino; + +@@ -359,11 +360,25 @@ struct inode *nilfs_new_inode(struct ino + ii->i_state = BIT(NILFS_I_NEW); + ii->i_root = root; + +- err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh); ++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh); + if (unlikely(err)) + goto failed_ifile_create_inode; + /* reference count of i_bh inherits from nilfs_mdt_read_block() */ + ++ if (unlikely(ino < NILFS_USER_INO)) { ++ nilfs_warn(sb, ++ "inode bitmap is inconsistent for reserved inodes"); ++ do { ++ brelse(bh); ++ err = 
nilfs_ifile_create_inode(root->ifile, &ino, &bh); ++ if (unlikely(err)) ++ goto failed_ifile_create_inode; ++ } while (ino < NILFS_USER_INO); ++ ++ nilfs_info(sb, "repaired inode bitmap for reserved inodes"); ++ } ++ ii->i_bh = bh; ++ + atomic64_inc(&root->inodes_count); + inode_init_owner(inode, dir, mode); + inode->i_ino = ino; diff --git a/queue-4.9/nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch b/queue-4.9/nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch new file mode 100644 index 00000000000..b2b8f63b474 --- /dev/null +++ b/queue-4.9/nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch 
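Review bot: The repair loop jumps to failed_ifile_create_inode after brelse(bh) has already run for the previous iteration and before ii->i_bh is assigned (that now happens only after the loop), so that label, which is outside the hunk, must not release ii->i_bh — confirm it only drops the inode. The hunk also introduces nilfs_warn() and nilfs_info(); if the 4.9 tree predates those helpers (older nilfs2 code used a single nilfs_msg(sb, level, ...) interface), the backport needs adapting or it will not build. A brief comment would explain the intent of discarding the reserved numbers rather than freeing them, e.g. `/* leave the reserved bits allocated: that is what repairs the bitmap */`, hedged against how nilfs_ifile_create_inode() actually manages the bit. nilfs_new_inode() begins before this hunk and continues after it.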
@@ -0,0 +1,58 @@ +From 723ac751208f6d6540191689cfbf6c77135a7a1b Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Thu, 29 Sep 2022 21:33:30 +0900 +Subject: nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure + +From: Ryusuke Konishi + +commit 723ac751208f6d6540191689cfbf6c77135a7a1b upstream. + +If creation or finalization of a checkpoint fails due to anomalies in the +checkpoint metadata on disk, a kernel warning is generated. + +This patch replaces the WARN_ONs by nilfs_error, so that a kernel, booted +with panic_on_warn, does not panic. A nilfs_error is appropriate here to +handle the abnormal filesystem condition. + +This also replaces the detected error codes with an I/O error so that +neither of the internal error codes is returned to callers. + +Link: https://lkml.kernel.org/r/20220929123330.19658-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+fbb3e0b24e8dae5a16ee@syzkaller.appspotmail.com +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/segment.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -888,9 +888,11 @@ static int nilfs_segctor_create_checkpoi + nilfs_mdt_mark_dirty(nilfs->ns_cpfile); + nilfs_cpfile_put_checkpoint( + nilfs->ns_cpfile, nilfs->ns_cno, bh_cp); +- } else +- WARN_ON(err == -EINVAL || err == -ENOENT); +- ++ } else if (err == -EINVAL || err == -ENOENT) { ++ nilfs_error(sci->sc_super, ++ "checkpoint creation failed due to metadata corruption."); ++ err = -EIO; ++ } + return err; + } + +@@ -904,7 +906,11 @@ static int nilfs_segctor_fill_in_checkpo + err = nilfs_cpfile_get_checkpoint(nilfs->ns_cpfile, nilfs->ns_cno, 0, + &raw_cp, &bh_cp); + if (unlikely(err)) { +- WARN_ON(err == -EINVAL || err == -ENOENT); ++ if (err == -EINVAL || err == -ENOENT) { ++ nilfs_error(sci->sc_super, ++ "checkpoint finalization failed due to metadata corruption."); ++ err = -EIO; ++ } + 
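Review bot: The same three-line pattern — test for -EINVAL/-ENOENT, call nilfs_error() with a corruption message, remap to -EIO — appears here and again in the second hunk of this patch, so the "corruption becomes -EIO" policy now lives in two places; a tiny static helper taking the superblock, the error and a short phrase would keep them from drifting apart. Other error codes from nilfs_cpfile_get_checkpoint() (for example an allocation failure) still propagate unchanged, which matches the commit message but is worth a comment at the branch, e.g. `/* only metadata-corruption codes are remapped; transient errors pass through */`. nilfs_segctor_create_checkpoint() begins before this hunk.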
goto failed_ibh; + } + raw_cp->cp_snapshot_list.ssl_next = 0; diff --git a/queue-4.9/series b/queue-4.9/series index 4bc97ad7770..20fbdd9790c 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -24,3 +24,7 @@ um-cleanup-syscall_handler_t-cast-in-syscalls_32.h.patch um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch usb-mon-make-mmapped-memory-read-only.patch usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch +nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch +nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch +nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch +nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch
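Review bot: Replacing WARN_ON with nilfs_error() changes the failure from a warning to a filesystem-level error whose effect presumably depends on the errors= mount option; if nilfs2 honours errors=panic the way other filesystems do, a crafted image still takes the kernel down under that setting, which is the administrator's chosen policy but deserves a sentence in the commit message so that the panic_on_warn motivation is not read as "no longer panics". The remapping to -EIO happens before `goto failed_ibh`, so the cleanup path and the caller now see -EIO rather than the cpfile's internal code — confirm nothing in that path keyed on -ENOENT. nilfs_segctor_fill_in_checkpoint() continues past this hunk.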