From: Greg Kroah-Hartman
Date: Sun, 16 Oct 2022 13:03:40 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.219~122
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5c20aa4d8a9be17086edcffd276ea34782875b30;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
---

diff --git a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
new file mode 100644
index 00000000000..a0d9da69a4c
--- /dev/null
+++ b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
@@ -0,0 +1,69 @@
+From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Tue, 4 Oct 2022 00:05:19 +0900
+Subject: nilfs2: fix use-after-free bug of struct nilfs_root
+
+From: Ryusuke Konishi
+
+commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.
+
+If the beginning of the inode bitmap area is corrupted on disk, an inode
+with the same inode number as the root inode can be allocated and fail
+soon after. In this case, the subsequent call to nilfs_clear_inode() on
+that bogus root inode will wrongly decrement the reference counter of
+struct nilfs_root, and this will erroneously free struct nilfs_root,
+causing kernel oopses.
+
+This fixes the problem by changing nilfs_new_inode() to skip reserved
+inode numbers while repairing the inode bitmap.
+
+Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com
+Reported-by: Khalid Masum
+Tested-by: Ryusuke Konishi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/inode.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -344,6 +344,7 @@ struct inode *nilfs_new_inode(struct ino
+ struct inode *inode;
+ struct nilfs_inode_info *ii;
+ struct nilfs_root *root;
++ struct buffer_head *bh;
+ int err = -ENOMEM;
+ ino_t ino;
+ 
+@@ -359,11 +360,26 @@ struct inode *nilfs_new_inode(struct ino
+ ii->i_state = BIT(NILFS_I_NEW);
+ ii->i_root = root;
+ 
+- err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
+ if (unlikely(err))
+ goto failed_ifile_create_inode;
+ /* reference count of i_bh inherits from nilfs_mdt_read_block() */
+ 
++ if (unlikely(ino < NILFS_USER_INO)) {
++ nilfs_msg(sb, KERN_WARNING,
++ "inode bitmap is inconsistent for reserved inodes");
++ do {
++ brelse(bh);
++ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
++ if (unlikely(err))
++ goto failed_ifile_create_inode;
++ } while (ino < NILFS_USER_INO);
++
++ nilfs_msg(sb, KERN_INFO,
++ "repaired inode bitmap for reserved inodes");
++ }
++ ii->i_bh = bh;
++
+ atomic64_inc(&root->inodes_count);
+ inode_init_owner(inode, dir, mode);
+ inode->i_ino = ino;
diff --git a/queue-4.9/series b/queue-4.9/series
index b3d78f290a3..9afece0fc8d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -51,3 +51,4 @@ parisc-fbdev-stifb-align-graphics-memory-size-to-4mb.patch
 um-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
 pci-sanitise-firmware-bar-assignments-behind-a-pci-pci-bridge.patch
 fbdev-smscufx-fix-use-after-free-in-ufx_ops_open.patch
+nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
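Review bot: The kept context comment `/* reference count of i_bh inherits from nilfs_mdt_read_block() */` now sits above the new repair loop and refers to `i_bh` at a point where the buffer is still only in the local `bh` and may yet be dropped by `brelse(bh)`; it should move down to sit directly above the new `ii->i_bh = bh;` so it documents the line that actually hands the reference over. The do/while also deserves a one-line comment stating why it terminates, e.g. `/* each retry leaves the bogus reserved slot marked allocated, so this ends within NILFS_USER_INO iterations */` — that presumably holds because each nilfs_ifile_create_inode() call marks the number it returns, but the allocator is outside this hunk, so confirm before wording it as a guarantee. nilfs_new_inode() begins and ends outside the hunk, so the failed_ifile_create_inode path that runs after an in-loop failure, when ii->i_bh has not been assigned and bh has already been released, is not visible here and should be checked separately.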