From: Greg Kroah-Hartman Date: Mon, 15 May 2023 04:20:15 +0000 (+0200) Subject: 6.2-stable patches X-Git-Tag: v4.14.315~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b762c687671469b6a43f2c529ce2dc8964ef4e7;p=thirdparty%2Fkernel%2Fstable-queue.git 6.2-stable patches added patches: ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch ext4-avoid-deadlock-in-fs-reclaim-with-page-writeback.patch ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch ext4-fix-data-races-when-using-cached-status-extents.patch ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch ext4-fix-lockdep-warning-when-enabling-mmp.patch ext4-improve-error-handling-from-ext4_dirhash.patch ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch --- diff --git a/queue-6.2/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch b/queue-6.2/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch new file mode 100644 index 00000000000..2dcbdb9b6dd --- /dev/null +++ b/queue-6.2/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch @@ -0,0 +1,59 @@ +From 2220eaf90992c11d888fe771055d4de330385f01 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:11:02 -0400 +Subject: ext4: add bounds checking in get_max_inline_xattr_value_size() + +From: Theodore Ts'o + +commit 2220eaf90992c11d888fe771055d4de330385f01 upstream. + +Normally the extended attributes in the inode body would have been +checked when the inode is first opened, but if someone is writing to +the block device while the file system is mounted, it's possible for +the inode table to get corrupted. Add bounds checking to avoid +reading beyond the end of allocated memory if this happens. + +Reported-by: syzbot+1966db24521e5f6e23f7@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=1966db24521e5f6e23f7 +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -34,6 +34,7 @@ static int get_max_inline_xattr_value_si + struct ext4_xattr_ibody_header *header; + struct ext4_xattr_entry *entry; + struct ext4_inode *raw_inode; ++ void *end; + int free, min_offs; + + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) +@@ -57,14 +58,23 @@ static int get_max_inline_xattr_value_si + raw_inode = ext4_raw_inode(iloc); + header = IHDR(inode, raw_inode); + entry = IFIRST(header); ++ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + + /* Compute min_offs. */ +- for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) { ++ while (!IS_LAST_ENTRY(entry)) { ++ void *next = EXT4_XATTR_NEXT(entry); ++ ++ if (next >= end) { ++ EXT4_ERROR_INODE(inode, ++ "corrupt xattr in inline inode"); ++ return 0; ++ } + if (!entry->e_value_inum && entry->e_value_size) { + size_t offs = le16_to_cpu(entry->e_value_offs); + if (offs < min_offs) + min_offs = offs; + } ++ entry = next; + } + free = min_offs - + ((void *)entry - (void *)IFIRST(header)) - sizeof(__u32); diff --git a/queue-6.2/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch b/queue-6.2/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch new file mode 100644 index 00000000000..450e1792519 --- /dev/null +++ b/queue-6.2/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch @@ -0,0 +1,99 @@ +From 4f04351888a83e595571de672e0a4a8b74f4fb31 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 4 May 2023 12:15:25 +0000 +Subject: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum + +From: Tudor Ambarus + +commit 4f04351888a83e595571de672e0a4a8b74f4fb31 upstream. + +When modifying the block device while it is mounted by the filesystem, +syzbot reported the following: + +BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58 +Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586 + +CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + crc16+0x206/0x280 lib/crc16.c:58 + ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187 + ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210 + ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline] + ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173 + ext4_remove_blocks fs/ext4/extents.c:2527 [inline] + ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline] + ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958 + ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416 + ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342 + ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622 + notify_change+0xe50/0x1100 fs/attr.c:482 + do_truncate+0x200/0x2f0 fs/open.c:65 + handle_truncate fs/namei.c:3216 [inline] + do_open fs/namei.c:3561 [inline] + path_openat+0x272b/0x2dd0 fs/namei.c:3714 + do_filp_open+0x264/0x4f0 fs/namei.c:3741 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f72f8a8c0c9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280 +RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000 + +Replace + le16_to_cpu(sbi->s_es->s_desc_size) +with + sbi->s_desc_size + +It reduces ext4's compiled text size, and makes the code more efficient +(we remove an extra indirect reference and a potential byte +swap on big endian systems), and there is no downside. It also avoids the +potential KASAN / syzkaller failure, as a bonus. + +Reported-by: syzbot+fc51227e7100c9294894@syzkaller.appspotmail.com +Reported-by: syzbot+8785e41224a3afd04321@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff42 +Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30f3 +Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/ +Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3195,11 +3195,9 @@ static __le16 ext4_group_desc_csum(struc + crc = crc16(crc, (__u8 *)gdp, offset); + offset += sizeof(gdp->bg_checksum); /* skip checksum */ + /* for checksum of struct ext4_group_desc do the rest...*/ +- if (ext4_has_feature_64bit(sb) && +- offset < le16_to_cpu(sbi->s_es->s_desc_size)) ++ if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size) + crc = crc16(crc, (__u8 *)gdp + offset, +- le16_to_cpu(sbi->s_es->s_desc_size) - +- offset); ++ sbi->s_desc_size - offset); + + out: + return cpu_to_le16(crc); diff --git a/queue-6.2/ext4-avoid-deadlock-in-fs-reclaim-with-page-writeback.patch b/queue-6.2/ext4-avoid-deadlock-in-fs-reclaim-with-page-writeback.patch new file mode 100644 index 00000000000..ecd8328f7de --- /dev/null +++ b/queue-6.2/ext4-avoid-deadlock-in-fs-reclaim-with-page-writeback.patch @@ -0,0 +1,218 @@ +From 00d873c17e29cc32d90ca852b82685f1673acaa5 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 May 2023 14:47:23 +0200 +Subject: ext4: avoid deadlock in fs reclaim with page writeback + +From: Jan Kara + +commit 00d873c17e29cc32d90ca852b82685f1673acaa5 upstream. + +Ext4 has a filesystem wide lock protecting ext4_writepages() calls to +avoid races with switching of journalled data flag or inode format. This +lock can however cause a deadlock like: + +CPU0 CPU1 + +ext4_writepages() + percpu_down_read(sbi->s_writepages_rwsem); + ext4_change_inode_journal_flag() + percpu_down_write(sbi->s_writepages_rwsem); + - blocks, all readers block from now on + ext4_do_writepages() + ext4_init_io_end() + kmem_cache_zalloc(io_end_cachep, GFP_KERNEL) + fs_reclaim frees dentry... + dentry_unlink_inode() + iput() - last ref => + iput_final() - inode dirty => + write_inode_now()... + ext4_writepages() tries to acquire sbi->s_writepages_rwsem + and blocks forever + +Make sure we cannot recurse into filesystem reclaim from writeback code +to avoid the deadlock. + +Reported-by: syzbot+6898da502aef574c5f8a@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/0000000000004c66b405fa108e27@google.com +Fixes: c8585c6fcaf2 ("ext4: fix races between changing inode journal mode and ext4_writepages") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230504124723.20205-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ext4.h | 24 ++++++++++++++++++++++++ + fs/ext4/inode.c | 18 ++++++++++-------- + fs/ext4/migrate.c | 11 ++++++----- + 3 files changed, 40 insertions(+), 13 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -1774,6 +1774,30 @@ static inline struct ext4_inode_info *EX + return container_of(inode, struct ext4_inode_info, vfs_inode); + } + ++static inline int ext4_writepages_down_read(struct super_block *sb) ++{ ++ percpu_down_read(&EXT4_SB(sb)->s_writepages_rwsem); ++ return memalloc_nofs_save(); ++} ++ ++static inline void ext4_writepages_up_read(struct super_block *sb, int ctx) ++{ ++ memalloc_nofs_restore(ctx); ++ percpu_up_read(&EXT4_SB(sb)->s_writepages_rwsem); ++} ++ ++static inline int ext4_writepages_down_write(struct super_block *sb) ++{ ++ percpu_down_write(&EXT4_SB(sb)->s_writepages_rwsem); ++ return memalloc_nofs_save(); ++} ++ ++static inline void ext4_writepages_up_write(struct super_block *sb, int ctx) ++{ ++ memalloc_nofs_restore(ctx); ++ percpu_up_write(&EXT4_SB(sb)->s_writepages_rwsem); ++} ++ + static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) + { + return ino == EXT4_ROOT_INO || +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -2957,13 +2957,14 @@ static int ext4_writepages(struct addres + .can_map = 1, + }; + int ret; ++ int alloc_ctx; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(sb)))) + return -EIO; + +- percpu_down_read(&EXT4_SB(sb)->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_read(sb); + ret = ext4_do_writepages(&mpd); +- percpu_up_read(&EXT4_SB(sb)->s_writepages_rwsem); ++ ext4_writepages_up_read(sb, alloc_ctx); + + return ret; + } +@@ -2991,17 +2992,18 @@ static int ext4_dax_writepages(struct ad + long nr_to_write = wbc->nr_to_write; + struct inode *inode = mapping->host; + struct ext4_sb_info *sbi = EXT4_SB(mapping->host->i_sb); ++ int alloc_ctx; + + if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb)))) + return -EIO; + +- percpu_down_read(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_read(inode->i_sb); + trace_ext4_writepages(inode, wbc); + + ret = dax_writeback_mapping_range(mapping, sbi->s_daxdev, wbc); + trace_ext4_writepages_result(inode, wbc, ret, + nr_to_write - wbc->nr_to_write); +- percpu_up_read(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_read(inode->i_sb, alloc_ctx); + return ret; + } + +@@ -6124,7 +6126,7 @@ int ext4_change_inode_journal_flag(struc + journal_t *journal; + handle_t *handle; + int err; +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ++ int alloc_ctx; + + /* + * We have to be very careful here: changing a data block's +@@ -6162,7 +6164,7 @@ int ext4_change_inode_journal_flag(struc + } + } + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + jbd2_journal_lock_updates(journal); + + /* +@@ -6179,7 +6181,7 @@ int ext4_change_inode_journal_flag(struc + err = jbd2_journal_flush(journal, 0); + if (err < 0) { + jbd2_journal_unlock_updates(journal); +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return err; + } + ext4_clear_inode_flag(inode, EXT4_INODE_JOURNAL_DATA); +@@ -6187,7 +6189,7 @@ int ext4_change_inode_journal_flag(struc + ext4_set_aops(inode); + + jbd2_journal_unlock_updates(journal); +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + + if (val) + filemap_invalidate_unlock(inode->i_mapping); +--- a/fs/ext4/migrate.c ++++ b/fs/ext4/migrate.c +@@ -408,7 +408,6 @@ static int free_ext_block(handle_t *hand + + int ext4_ext_migrate(struct inode *inode) + { +- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); + handle_t *handle; + int retval = 0, i; + __le32 *i_data; +@@ -418,6 +417,7 @@ int ext4_ext_migrate(struct inode *inode + unsigned long max_entries; + __u32 goal, tmp_csum_seed; + uid_t owner[2]; ++ int alloc_ctx; + + /* + * If the filesystem does not support extents, or the inode +@@ -434,7 +434,7 @@ int ext4_ext_migrate(struct inode *inode + */ + return retval; + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + + /* + * Worst case we can touch the allocation bitmaps and a block +@@ -586,7 +586,7 @@ out_tmp_inode: + unlock_new_inode(tmp_inode); + iput(tmp_inode); + out_unlock: +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return retval; + } + +@@ -605,6 +605,7 @@ int ext4_ind_migrate(struct inode *inode + ext4_fsblk_t blk; + handle_t *handle; + int ret, ret2 = 0; ++ int alloc_ctx; + + if (!ext4_has_feature_extents(inode->i_sb) || + (!ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +@@ -621,7 +622,7 @@ int ext4_ind_migrate(struct inode *inode + if (test_opt(inode->i_sb, DELALLOC)) + ext4_alloc_da_blocks(inode); + +- percpu_down_write(&sbi->s_writepages_rwsem); ++ alloc_ctx = ext4_writepages_down_write(inode->i_sb); + + handle = ext4_journal_start(inode, EXT4_HT_MIGRATE, 1); + if (IS_ERR(handle)) { +@@ -665,6 +666,6 @@ errout: + ext4_journal_stop(handle); + up_write(&EXT4_I(inode)->i_data_sem); + out_unlock: +- percpu_up_write(&sbi->s_writepages_rwsem); ++ ext4_writepages_up_write(inode->i_sb, alloc_ctx); + return ret; + } diff --git a/queue-6.2/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch b/queue-6.2/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch new file mode 100644 index 00000000000..8b570b529bf --- /dev/null +++ b/queue-6.2/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch @@ -0,0 +1,31 @@ +From 2a534e1d0d1591e951f9ece2fb460b2ff92edabd Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:16:27 -0400 +Subject: ext4: bail out of ext4_xattr_ibody_get() fails for any reason + +From: Theodore Ts'o + +commit 2a534e1d0d1591e951f9ece2fb460b2ff92edabd upstream. + +In ext4_update_inline_data(), if ext4_xattr_ibody_get() fails for any +reason, it's best if we just fail as opposed to stumbling on, +especially if the failure is EFSCORRUPTED. + +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -360,7 +360,7 @@ static int ext4_update_inline_data(handl + + error = ext4_xattr_ibody_get(inode, i.name_index, i.name, + value, len); +- if (error == -ENODATA) ++ if (error < 0) + goto out; + + BUFFER_TRACE(is.iloc.bh, "get_write_access"); diff --git a/queue-6.2/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch b/queue-6.2/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch new file mode 100644 index 00000000000..e67ef739bcb --- /dev/null +++ b/queue-6.2/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch @@ -0,0 +1,39 @@ +From fa83c34e3e56b3c672af38059e066242655271b1 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Fri, 5 May 2023 21:24:29 +0800 +Subject: ext4: check iomap type only if ext4_iomap_begin() does not fail + +From: Baokun Li + +commit fa83c34e3e56b3c672af38059e066242655271b1 upstream. + +When ext4_iomap_overwrite_begin() calls ext4_iomap_begin() map blocks may +fail for some reason (e.g. memory allocation failure, bare disk write), and +later because "iomap->type ! = IOMAP_MAPPED" triggers WARN_ON(). When ext4 +iomap_begin() returns an error, it is normal that the type of iomap->type +may not match the expectation. Therefore, we only determine if iomap->type +is as expected when ext4_iomap_begin() is executed successfully. + +Cc: stable@kernel.org +Reported-by: syzbot+08106c4b7d60702dbc14@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/00000000000015760b05f9b4eee9@google.com +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230505132429.714648-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3577,7 +3577,7 @@ static int ext4_iomap_overwrite_begin(st + */ + flags &= ~IOMAP_WRITE; + ret = ext4_iomap_begin(inode, offset, length, flags, iomap, srcmap); +- WARN_ON_ONCE(iomap->type != IOMAP_MAPPED); ++ WARN_ON_ONCE(!ret && iomap->type != IOMAP_MAPPED); + return ret; + } + diff --git a/queue-6.2/ext4-fix-data-races-when-using-cached-status-extents.patch b/queue-6.2/ext4-fix-data-races-when-using-cached-status-extents.patch new file mode 100644 index 00000000000..97d38188cf2 --- /dev/null +++ b/queue-6.2/ext4-fix-data-races-when-using-cached-status-extents.patch @@ -0,0 +1,81 @@ +From 492888df0c7b42fc0843631168b0021bc4caee84 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 May 2023 14:55:24 +0200 +Subject: ext4: fix data races when using cached status extents + +From: Jan Kara + +commit 492888df0c7b42fc0843631168b0021bc4caee84 upstream. + +When using cached extent stored in extent status tree in tree->cache_es +another process holding ei->i_es_lock for reading can be racing with us +setting new value of tree->cache_es. If the compiler would decide to +refetch tree->cache_es at an unfortunate moment, it could result in a +bogus in_range() check. Fix the possible race by using READ_ONCE() when +using tree->cache_es only under ei->i_es_lock for reading. + +Cc: stable@kernel.org +Reported-by: syzbot+4a03518df1e31b537066@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000d3b33905fa0fd4a6@google.com +Suggested-by: Dmitry Vyukov +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230504125524.10802-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents_status.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -267,14 +267,12 @@ static void __es_find_extent_range(struc + + /* see if the extent has been cached */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u) %llu %x\n", +- lblk, es1->es_lblk, es1->es_len, +- ext4_es_pblock(es1), ext4_es_status(es1)); +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u) %llu %x\n", ++ lblk, es1->es_lblk, es1->es_len, ++ ext4_es_pblock(es1), ext4_es_status(es1)); ++ goto out; + } + + es1 = __es_tree_search(&tree->root, lblk); +@@ -293,7 +291,7 @@ out: + } + + if (es1 && matching_fn(es1)) { +- tree->cache_es = es1; ++ WRITE_ONCE(tree->cache_es, es1); + es->es_lblk = es1->es_lblk; + es->es_len = es1->es_len; + es->es_pblk = es1->es_pblk; +@@ -931,14 +929,12 @@ int ext4_es_lookup_extent(struct inode * + + /* find extent in cache firstly */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u)\n", +- lblk, es1->es_lblk, es1->es_len); +- found = 1; +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u)\n", ++ lblk, es1->es_lblk, es1->es_len); ++ found = 1; ++ goto out; + } + + node = tree->root.rb_node; diff --git a/queue-6.2/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch b/queue-6.2/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch new file mode 100644 index 00000000000..8f91366f73c --- /dev/null +++ b/queue-6.2/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch @@ -0,0 +1,63 @@ +From f4ce24f54d9cca4f09a395f3eecce20d6bec4663 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 6 May 2023 21:04:01 -0400 +Subject: ext4: fix deadlock when converting an inline directory in nojournal mode + +From: Theodore Ts'o + +commit f4ce24f54d9cca4f09a395f3eecce20d6bec4663 upstream. + +In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock +by calling ext4_handle_dirty_dirblock() when it already has taken the +directory lock. There is a similar self-deadlock in +ext4_incvert_inline_data_nolock() for data files which we'll fix at +the same time. + +A simple reproducer demonstrating the problem: + + mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 + mount -t ext4 -o dirsync /dev/vdc /vdc + cd /vdc + mkdir file0 + cd file0 + touch file0 + touch file1 + attr -s BurnSpaceInEA -V abcde . + touch supercalifragilisticexpialidocious + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230507021608.1290720-1-tytso@mit.edu +Reported-by: syzbot+91dccab7c64e2850a4e5@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ba84cc80a9491d65416bc7877e1650c87530fe8a +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1177,6 +1177,7 @@ static int ext4_finish_convert_inline_di + ext4_initialize_dirent_tail(dir_block, + inode->i_sb->s_blocksize); + set_buffer_uptodate(dir_block); ++ unlock_buffer(dir_block); + err = ext4_handle_dirty_dirblock(handle, inode, dir_block); + if (err) + return err; +@@ -1251,6 +1252,7 @@ static int ext4_convert_inline_data_nolo + if (!S_ISDIR(inode->i_mode)) { + memcpy(data_bh->b_data, buf, inline_size); + set_buffer_uptodate(data_bh); ++ unlock_buffer(data_bh); + error = ext4_handle_dirty_metadata(handle, + inode, data_bh); + } else { +@@ -1258,7 +1260,6 @@ static int ext4_convert_inline_data_nolo + buf, inline_size); + } + +- unlock_buffer(data_bh); + out_restore: + if (error) + ext4_restore_inline_data(handle, inode, iloc, buf, inline_size); diff --git a/queue-6.2/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch b/queue-6.2/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch new file mode 100644 index 00000000000..0713a5d2163 --- /dev/null +++ b/queue-6.2/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch @@ -0,0 +1,62 @@ +From b87c7cdf2bed4928b899e1ce91ef0d147017ba45 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 30 Apr 2023 03:04:13 -0400 +Subject: ext4: fix invalid free tracking in ext4_xattr_move_to_block() + +From: Theodore Ts'o + +commit b87c7cdf2bed4928b899e1ce91ef0d147017ba45 upstream. + +In ext4_xattr_move_to_block(), the value of the extended attribute +which we need to move to an external block may be allocated by +kvmalloc() if the value is stored in an external inode. So at the end +of the function the code tried to check if this was the case by +testing entry->e_value_inum. + +However, at this point, the pointer to the xattr entry is no longer +valid, because it was removed from the original location where it had +been stored. So we could end up calling kvfree() on a pointer which +was not allocated by kvmalloc(); or we could also potentially leak +memory by not freeing the buffer when it should be freed. Fix this by +storing whether it should be freed in a separate variable. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430160426.581366-1-tytso@mit.edu +Link: https://syzkaller.appspot.com/bug?id=5c2aee8256e30b55ccf57312c16d88417adbd5e1 +Link: https://syzkaller.appspot.com/bug?id=41a6b5d4917c0412eb3b3c3c604965bed7d7420b +Reported-by: syzbot+64b645917ce07d89bde5@syzkaller.appspotmail.com +Reported-by: syzbot+0d042627c4f2ad332195@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2581,6 +2581,7 @@ static int ext4_xattr_move_to_block(hand + .in_inode = !!entry->e_value_inum, + }; + struct ext4_xattr_ibody_header *header = IHDR(inode, raw_inode); ++ int needs_kvfree = 0; + int error; + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); +@@ -2603,7 +2604,7 @@ static int ext4_xattr_move_to_block(hand + error = -ENOMEM; + goto out; + } +- ++ needs_kvfree = 1; + error = ext4_xattr_inode_get(inode, entry, buffer, value_size); + if (error) + goto out; +@@ -2642,7 +2643,7 @@ static int ext4_xattr_move_to_block(hand + + out: + kfree(b_entry_name); +- if (entry->e_value_inum && buffer) ++ if (needs_kvfree && buffer) + kvfree(buffer); + if (is) + brelse(is->iloc.bh); diff --git a/queue-6.2/ext4-fix-lockdep-warning-when-enabling-mmp.patch b/queue-6.2/ext4-fix-lockdep-warning-when-enabling-mmp.patch new file mode 100644 index 00000000000..a80b228ad20 --- /dev/null +++ b/queue-6.2/ext4-fix-lockdep-warning-when-enabling-mmp.patch @@ -0,0 +1,89 @@ +From 949f95ff39bf188e594e7ecd8e29b82eb108f5bf Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 11 Apr 2023 14:10:19 +0200 +Subject: ext4: fix lockdep warning when enabling MMP + +From: Jan Kara + +commit 949f95ff39bf188e594e7ecd8e29b82eb108f5bf upstream. + +When we enable MMP in ext4_multi_mount_protect() during mount or +remount, we end up calling sb_start_write() from write_mmp_block(). This +triggers lockdep warning because freeze protection ranks above s_umount +semaphore we are holding during mount / remount. The problem is harmless +because we are guaranteed the filesystem is not frozen during mount / +remount but still let's fix the warning by not grabbing freeze +protection from ext4_multi_mount_protect(). + +Cc: stable@kernel.org +Reported-by: syzbot+6b7df7d5506b32467149@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ab7e5b6f400b7778d46f01841422e5718fb81843 +Signed-off-by: Jan Kara +Reviewed-by: Christian Brauner +Link: https://lore.kernel.org/r/20230411121019.21940-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mmp.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/fs/ext4/mmp.c ++++ b/fs/ext4/mmp.c +@@ -39,28 +39,36 @@ static void ext4_mmp_csum_set(struct sup + * Write the MMP block using REQ_SYNC to try to get the block on-disk + * faster. + */ +-static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) ++static int write_mmp_block_thawed(struct super_block *sb, ++ struct buffer_head *bh) + { + struct mmp_struct *mmp = (struct mmp_struct *)(bh->b_data); + +- /* +- * We protect against freezing so that we don't create dirty buffers +- * on frozen filesystem. +- */ +- sb_start_write(sb); + ext4_mmp_csum_set(sb, mmp); + lock_buffer(bh); + bh->b_end_io = end_buffer_write_sync; + get_bh(bh); + submit_bh(REQ_OP_WRITE | REQ_SYNC | REQ_META | REQ_PRIO, bh); + wait_on_buffer(bh); +- sb_end_write(sb); + if (unlikely(!buffer_uptodate(bh))) + return -EIO; +- + return 0; + } + ++static int write_mmp_block(struct super_block *sb, struct buffer_head *bh) ++{ ++ int err; ++ ++ /* ++ * We protect against freezing so that we don't create dirty buffers ++ * on frozen filesystem. ++ */ ++ sb_start_write(sb); ++ err = write_mmp_block_thawed(sb, bh); ++ sb_end_write(sb); ++ return err; ++} ++ + /* + * Read the MMP block. It _must_ be read from disk and hence we clear the + * uptodate flag on the buffer. +@@ -340,7 +348,11 @@ skip: + seq = mmp_new_seq(); + mmp->mmp_seq = cpu_to_le32(seq); + +- retval = write_mmp_block(sb, bh); ++ /* ++ * On mount / remount we are protected against fs freezing (by s_umount ++ * semaphore) and grabbing freeze protection upsets lockdep ++ */ ++ retval = write_mmp_block_thawed(sb, bh); + if (retval) + goto failed; + diff --git a/queue-6.2/ext4-improve-error-handling-from-ext4_dirhash.patch b/queue-6.2/ext4-improve-error-handling-from-ext4_dirhash.patch new file mode 100644 index 00000000000..b0735d33fb3 --- /dev/null +++ b/queue-6.2/ext4-improve-error-handling-from-ext4_dirhash.patch @@ -0,0 +1,156 @@ +From 4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 6 May 2023 11:59:13 -0400 +Subject: ext4: improve error handling from ext4_dirhash() + +From: Theodore Ts'o + +commit 4b3cb1d108bfc2aebb0d7c8a52261a53cf7f5786 upstream. + +The ext4_dirhash() will *almost* never fail, especially when the hash +tree feature was first introduced. However, with the addition of +support of encrypted, casefolded file names, that function can most +certainly fail today. + +So make sure the callers of ext4_dirhash() properly check for +failures, and reflect the errors back up to their callers. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-1-tytso@mit.edu +Reported-by: syzbot+394aa8a792cb99dbc837@syzkaller.appspotmail.com +Reported-by: syzbot+344aaa8697ebd232bfc8@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=db56459ea4ac4a676ae4b4678f633e55da005a9b +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/hash.c | 6 +++++- + fs/ext4/namei.c | 53 +++++++++++++++++++++++++++++++++++++---------------- + 2 files changed, 42 insertions(+), 17 deletions(-) + +--- a/fs/ext4/hash.c ++++ b/fs/ext4/hash.c +@@ -277,7 +277,11 @@ static int __ext4fs_dirhash(const struct + } + default: + hinfo->hash = 0; +- return -1; ++ hinfo->minor_hash = 0; ++ ext4_warning(dir->i_sb, ++ "invalid/unsupported hash tree version %u", ++ hinfo->hash_version); ++ return -EINVAL; + } + hash = hash & ~1; + if (hash == (EXT4_HTREE_EOF_32BIT << 1)) +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -674,7 +674,7 @@ static struct stats dx_show_leaf(struct + len = de->name_len; + if (!IS_ENCRYPTED(dir)) { + /* Directory is not encrypted */ +- ext4fs_dirhash(dir, de->name, ++ (void) ext4fs_dirhash(dir, de->name, + de->name_len, &h); + printk("%*.s:(U)%x.%u ", len, + name, h.hash, +@@ -709,8 +709,9 @@ static struct stats dx_show_leaf(struct + if (IS_CASEFOLDED(dir)) + h.hash = EXT4_DIRENT_HASH(de); + else +- ext4fs_dirhash(dir, de->name, +- de->name_len, &h); ++ (void) ext4fs_dirhash(dir, ++ de->name, ++ de->name_len, &h); + printk("%*.s:(E)%x.%u ", len, name, + h.hash, (unsigned) ((char *) de + - base)); +@@ -720,7 +721,8 @@ static struct stats dx_show_leaf(struct + #else + int len = de->name_len; + char *name = de->name; +- ext4fs_dirhash(dir, de->name, de->name_len, &h); ++ (void) ext4fs_dirhash(dir, de->name, ++ de->name_len, &h); + printk("%*.s:%x.%u ", len, name, h.hash, + (unsigned) ((char *) de - base)); + #endif +@@ -849,8 +851,14 @@ dx_probe(struct ext4_filename *fname, st + hinfo->seed = EXT4_SB(dir->i_sb)->s_hash_seed; + /* hash is already computed for encrypted casefolded directory */ + if (fname && fname_name(fname) && +- !(IS_ENCRYPTED(dir) && IS_CASEFOLDED(dir))) +- ext4fs_dirhash(dir, fname_name(fname), fname_len(fname), hinfo); ++ !(IS_ENCRYPTED(dir) && IS_CASEFOLDED(dir))) { ++ int ret = ext4fs_dirhash(dir, fname_name(fname), ++ fname_len(fname), hinfo); ++ if (ret < 0) { ++ ret_err = ERR_PTR(ret); ++ goto fail; ++ } ++ } + hash = hinfo->hash; + + if (root->info.unused_flags & 1) { +@@ -1111,7 +1119,12 @@ static int htree_dirblock_to_tree(struct + hinfo->minor_hash = 0; + } + } else { +- ext4fs_dirhash(dir, de->name, de->name_len, hinfo); ++ err = ext4fs_dirhash(dir, de->name, ++ de->name_len, hinfo); ++ if (err < 0) { ++ count = err; ++ goto errout; ++ } + } + if ((hinfo->hash < start_hash) || + ((hinfo->hash == start_hash) && +@@ -1313,8 +1326,12 @@ static int dx_make_map(struct inode *dir + if (de->name_len && de->inode) { + if (ext4_hash_in_dirent(dir)) + h.hash = EXT4_DIRENT_HASH(de); +- else +- ext4fs_dirhash(dir, de->name, de->name_len, &h); ++ else { ++ int err = ext4fs_dirhash(dir, de->name, ++ de->name_len, &h); ++ if (err < 0) ++ return err; ++ } + map_tail--; + map_tail->hash = h.hash; + map_tail->offs = ((char *) de - base)>>2; +@@ -1452,10 +1469,9 @@ int ext4_fname_setup_ci_filename(struct + hinfo->hash_version = DX_HASH_SIPHASH; + hinfo->seed = NULL; + if (cf_name->name) +- ext4fs_dirhash(dir, cf_name->name, cf_name->len, hinfo); ++ return ext4fs_dirhash(dir, cf_name->name, cf_name->len, hinfo); + else +- ext4fs_dirhash(dir, iname->name, iname->len, hinfo); +- return 0; ++ return ext4fs_dirhash(dir, iname->name, iname->len, hinfo); + } + #endif + +@@ -2298,10 +2314,15 @@ static int make_indexed_dir(handle_t *ha + fname->hinfo.seed = EXT4_SB(dir->i_sb)->s_hash_seed; + + /* casefolded encrypted hashes are computed on fname setup */ +- if (!ext4_hash_in_dirent(dir)) +- ext4fs_dirhash(dir, fname_name(fname), +- fname_len(fname), &fname->hinfo); +- ++ if (!ext4_hash_in_dirent(dir)) { ++ int err = ext4fs_dirhash(dir, fname_name(fname), ++ fname_len(fname), &fname->hinfo); ++ if (err < 0) { ++ brelse(bh2); ++ brelse(bh); ++ return err; ++ } ++ } + memset(frames, 0, sizeof(frames)); + frame = frames; + frame->entries = entries; diff --git a/queue-6.2/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch b/queue-6.2/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch new file mode 100644 index 00000000000..85d9a1c8c68 --- /dev/null +++ b/queue-6.2/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch @@ -0,0 +1,62 @@ +From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 5 May 2023 22:20:29 -0400 +Subject: ext4: improve error recovery code paths in __ext4_remount() + +From: Theodore Ts'o + +commit 4c0b4818b1f636bc96359f7817a2d8bab6370162 upstream. + +If there are failures while changing the mount options in +__ext4_remount(), we need to restore the old mount options. + +This commit fixes two problem. The first is there is a chance that we +will free the old quota file names before a potential failure leading +to a use-after-free. The second problem addressed in this commit is +if there is a failed read/write to read-only transition, if the quota +has already been suspended, we need to renable quota handling. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6566,9 +6566,6 @@ static int __ext4_remount(struct fs_cont + } + + #ifdef CONFIG_QUOTA +- /* Release old quota file names */ +- for (i = 0; i < EXT4_MAXQUOTAS; i++) +- kfree(old_opts.s_qf_names[i]); + if (enable_quota) { + if (sb_any_quota_suspended(sb)) + dquot_resume(sb, -1); +@@ -6578,6 +6575,9 @@ static int __ext4_remount(struct fs_cont + goto restore_opts; + } + } ++ /* Release old quota file names */ ++ for (i = 0; i < EXT4_MAXQUOTAS; i++) ++ kfree(old_opts.s_qf_names[i]); + #endif + if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks) + ext4_release_system_zone(sb); +@@ -6588,6 +6588,13 @@ static int __ext4_remount(struct fs_cont + return 0; + + restore_opts: ++ /* ++ * If there was a failing r/w to ro transition, we may need to ++ * re-enable quota ++ */ ++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) && ++ sb_any_quota_suspended(sb)) ++ dquot_resume(sb, -1); + sb->s_flags = old_sb_flags; + sbi->s_mount_opt = old_opts.s_mount_opt; + sbi->s_mount_opt2 = old_opts.s_mount_opt2; diff --git a/queue-6.2/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch b/queue-6.2/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch new file mode 100644 index 00000000000..fe47224df2e --- /dev/null +++ b/queue-6.2/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch @@ -0,0 +1,40 @@ +From 463808f237cf73e98a1a45ff7460c2406a150a0b Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 29 Apr 2023 16:14:46 -0400 +Subject: ext4: remove a BUG_ON in ext4_mb_release_group_pa() + +From: Theodore Ts'o + +commit 463808f237cf73e98a1a45ff7460c2406a150a0b upstream. + +If a malicious fuzzer overwrites the ext4 superblock while it is +mounted such that the s_first_data_block is set to a very large +number, the calculation of the block group can underflow, and trigger +a BUG_ON check. Change this to be an ext4_warning so that we don't +crash the kernel. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430154311.579720-3-tytso@mit.edu +Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220 +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4820,7 +4820,11 @@ ext4_mb_release_group_pa(struct ext4_bud + trace_ext4_mb_release_group_pa(sb, pa); + BUG_ON(pa->pa_deleted == 0); + ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit); +- BUG_ON(group != e4b->bd_group && pa->pa_len != 0); ++ if (unlikely(group != e4b->bd_group && pa->pa_len != 0)) { ++ ext4_warning(sb, "bad group: expected %u, group %u, pa_start %llu", ++ e4b->bd_group, group, pa->pa_pstart); ++ return 0; ++ } + mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len); + atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded); + trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); diff --git a/queue-6.2/series b/queue-6.2/series index 2ee8959760b..c357eee523d 100644 --- a/queue-6.2/series +++ b/queue-6.2/series @@ -222,3 +222,15 @@ drm-add-missing-dp-dsc-extended-capability-definitio.patch drm-dsc-fix-drm_edp_dsc_sink_output_bpp-dpcd-high-by.patch locking-rwsem-add-__always_inline-annotation-to-__down_read_common-and-inlined-callers.patch ext4-fix-warning-in-mb_find_extent.patch +ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch +ext4-fix-data-races-when-using-cached-status-extents.patch +ext4-avoid-deadlock-in-fs-reclaim-with-page-writeback.patch +ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch +ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch +ext4-improve-error-handling-from-ext4_dirhash.patch +ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch +ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch +ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch +ext4-fix-lockdep-warning-when-enabling-mmp.patch +ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch +ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch