From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 20:57:10 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v4.19.2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4dc76172c2ed180fe849feef4b2bab67a927348f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: btrfs-fix-null-pointer-dereference-on-compressed-write-path-error.patch btrfs-set-max_extent_size-properly.patch --- diff --git a/queue-4.9/btrfs-fix-null-pointer-dereference-on-compressed-write-path-error.patch b/queue-4.9/btrfs-fix-null-pointer-dereference-on-compressed-write-path-error.patch new file mode 100644 index 00000000000..f80361c9962 --- /dev/null +++ b/queue-4.9/btrfs-fix-null-pointer-dereference-on-compressed-write-path-error.patch @@ -0,0 +1,46 @@ +From 3527a018c00e5dbada2f9d7ed5576437b6dd5cfb Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Sat, 13 Oct 2018 00:37:25 +0100 +Subject: Btrfs: fix null pointer dereference on compressed write path error + +From: Filipe Manana + +commit 3527a018c00e5dbada2f9d7ed5576437b6dd5cfb upstream. + +At inode.c:compress_file_range(), under the "free_pages_out" label, we can +end up dereferencing the "pages" pointer when it has a NULL value. This +case happens when "start" has a value of 0 and we fail to allocate memory +for the "pages" pointer. When that happens we jump to the "cont" label and +then enter the "if (start == 0)" branch where we immediately call the +cow_file_range_inline() function. If that function returns 0 (success +creating an inline extent) or an error (like -ENOMEM for example) we jump +to the "free_pages_out" label and then access "pages[i]" leading to a NULL +pointer dereference, since "nr_pages" has a value greater than zero at +that point. + +Fix this by setting "nr_pages" to 0 when we fail to allocate memory for +the "pages" pointer. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201119 +Fixes: 771ed689d2cd ("Btrfs: Optimize compressed writeback and reads") +CC: stable@vger.kernel.org # 4.4+ +Reviewed-by: Liu Bo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -489,6 +489,7 @@ again: + pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS); + if (!pages) { + /* just bail out to the uncompressed code */ ++ nr_pages = 0; + goto cont; + } + diff --git a/queue-4.9/btrfs-set-max_extent_size-properly.patch b/queue-4.9/btrfs-set-max_extent_size-properly.patch new file mode 100644 index 00000000000..a9b2eba2be4 --- /dev/null +++ b/queue-4.9/btrfs-set-max_extent_size-properly.patch @@ -0,0 +1,97 @@ +From ad22cf6ea47fa20fbe11ac324a0a15c0a9a4a2a9 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 12 Oct 2018 15:32:33 -0400 +Subject: btrfs: set max_extent_size properly + +From: Josef Bacik + +commit ad22cf6ea47fa20fbe11ac324a0a15c0a9a4a2a9 upstream. + +We can't use entry->bytes if our entry is a bitmap entry, we need to use +entry->max_extent_size in that case. Fix up all the logic to make this +consistent. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/free-space-cache.c | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -1778,6 +1778,13 @@ static int search_bitmap(struct btrfs_fr + return -1; + } + ++static inline u64 get_max_extent_size(struct btrfs_free_space *entry) ++{ ++ if (entry->bitmap) ++ return entry->max_extent_size; ++ return entry->bytes; ++} ++ + /* Cache the size of the max extent in bytes */ + static struct btrfs_free_space * + find_free_space(struct btrfs_free_space_ctl *ctl, u64 *offset, u64 *bytes, +@@ -1799,8 +1806,8 @@ find_free_space(struct btrfs_free_space_ + for (node = &entry->offset_index; node; node = rb_next(node)) { + entry = rb_entry(node, struct btrfs_free_space, offset_index); + if (entry->bytes < *bytes) { +- if (entry->bytes > *max_extent_size) +- *max_extent_size = entry->bytes; ++ *max_extent_size = max(get_max_extent_size(entry), ++ *max_extent_size); + continue; + } + +@@ -1818,8 +1825,8 @@ find_free_space(struct btrfs_free_space_ + } + + if (entry->bytes < *bytes + align_off) { +- if (entry->bytes > *max_extent_size) +- *max_extent_size = entry->bytes; ++ *max_extent_size = max(get_max_extent_size(entry), ++ *max_extent_size); + continue; + } + +@@ -1831,8 +1838,10 @@ find_free_space(struct btrfs_free_space_ + *offset = tmp; + *bytes = size; + return entry; +- } else if (size > *max_extent_size) { +- *max_extent_size = size; ++ } else { ++ *max_extent_size = ++ max(get_max_extent_size(entry), ++ *max_extent_size); + } + continue; + } +@@ -2691,8 +2700,8 @@ static u64 btrfs_alloc_from_bitmap(struc + + err = search_bitmap(ctl, entry, &search_start, &search_bytes, true); + if (err) { +- if (search_bytes > *max_extent_size) +- *max_extent_size = search_bytes; ++ *max_extent_size = max(get_max_extent_size(entry), ++ *max_extent_size); + return 0; + } + +@@ -2729,8 +2738,9 @@ u64 btrfs_alloc_from_cluster(struct btrf + + entry = rb_entry(node, struct btrfs_free_space, offset_index); + while (1) { +- if (entry->bytes < bytes && entry->bytes > *max_extent_size) +- *max_extent_size = entry->bytes; ++ if (entry->bytes < bytes) ++ *max_extent_size = max(get_max_extent_size(entry), ++ *max_extent_size); + + if (entry->bytes < bytes || + (!entry->bitmap && entry->offset < min_start)) { diff --git a/queue-4.9/series b/queue-4.9/series index 2eb9f3712c7..c4916c50ecd 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -137,3 +137,5 @@ btrfs-reset-max_extent_size-on-clear-in-a-bitmap.patch btrfs-make-sure-we-create-all-new-block-groups.patch btrfs-fix-wrong-dentries-after-fsync-of-file-that-got-its-parent-replaced.patch btrfs-qgroup-dirty-all-qgroups-before-rescan.patch +btrfs-fix-null-pointer-dereference-on-compressed-write-path-error.patch +btrfs-set-max_extent_size-properly.patch