From: Greg Kroah-Hartman Date: Mon, 15 May 2023 04:19:36 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.315~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e4e78aab70bbc8775a0f499993f12ced51ef981;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch ext4-fix-data-races-when-using-cached-status-extents.patch ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch --- diff --git a/queue-5.10/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch b/queue-5.10/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch new file mode 100644 index 00000000000..02c4086f067 --- /dev/null +++ b/queue-5.10/ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch @@ -0,0 +1,59 @@ +From 2220eaf90992c11d888fe771055d4de330385f01 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:11:02 -0400 +Subject: ext4: add bounds checking in get_max_inline_xattr_value_size() + +From: Theodore Ts'o + +commit 2220eaf90992c11d888fe771055d4de330385f01 upstream. + +Normally the extended attributes in the inode body would have been +checked when the inode is first opened, but if someone is writing to +the block device while the file system is mounted, it's possible for +the inode table to get corrupted. Add bounds checking to avoid +reading beyond the end of allocated memory if this happens. + +Reported-by: syzbot+1966db24521e5f6e23f7@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=1966db24521e5f6e23f7 +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -32,6 +32,7 @@ static int get_max_inline_xattr_value_si + struct ext4_xattr_ibody_header *header; + struct ext4_xattr_entry *entry; + struct ext4_inode *raw_inode; ++ void *end; + int free, min_offs; + + if (!EXT4_INODE_HAS_XATTR_SPACE(inode)) +@@ -55,14 +56,23 @@ static int get_max_inline_xattr_value_si + raw_inode = ext4_raw_inode(iloc); + header = IHDR(inode, raw_inode); + entry = IFIRST(header); ++ end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size; + + /* Compute min_offs. */ +- for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) { ++ while (!IS_LAST_ENTRY(entry)) { ++ void *next = EXT4_XATTR_NEXT(entry); ++ ++ if (next >= end) { ++ EXT4_ERROR_INODE(inode, ++ "corrupt xattr in inline inode"); ++ return 0; ++ } + if (!entry->e_value_inum && entry->e_value_size) { + size_t offs = le16_to_cpu(entry->e_value_offs); + if (offs < min_offs) + min_offs = offs; + } ++ entry = next; + } + free = min_offs - + ((void *)entry - (void *)IFIRST(header)) - sizeof(__u32); diff --git a/queue-5.10/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch b/queue-5.10/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch new file mode 100644 index 00000000000..c4d793a1dd5 --- /dev/null +++ b/queue-5.10/ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch @@ -0,0 +1,99 @@ +From 4f04351888a83e595571de672e0a4a8b74f4fb31 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 4 May 2023 12:15:25 +0000 +Subject: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum + +From: Tudor Ambarus + +commit 4f04351888a83e595571de672e0a4a8b74f4fb31 upstream. + +When modifying the block device while it is mounted by the filesystem, +syzbot reported the following: + +BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58 +Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586 + +CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:306 + print_report+0x107/0x1f0 mm/kasan/report.c:417 + kasan_report+0xcd/0x100 mm/kasan/report.c:517 + crc16+0x206/0x280 lib/crc16.c:58 + ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187 + ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210 + ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline] + ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173 + ext4_remove_blocks fs/ext4/extents.c:2527 [inline] + ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline] + ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958 + ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416 + ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342 + ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622 + notify_change+0xe50/0x1100 fs/attr.c:482 + do_truncate+0x200/0x2f0 fs/open.c:65 + handle_truncate fs/namei.c:3216 [inline] + do_open fs/namei.c:3561 [inline] + path_openat+0x272b/0x2dd0 fs/namei.c:3714 + do_filp_open+0x264/0x4f0 fs/namei.c:3741 + do_sys_openat2+0x124/0x4e0 fs/open.c:1310 + do_sys_open fs/open.c:1326 [inline] + __do_sys_creat fs/open.c:1402 [inline] + __se_sys_creat fs/open.c:1396 [inline] + __x64_sys_creat+0x11f/0x160 fs/open.c:1396 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f72f8a8c0c9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 +RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280 +RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000 + +Replace + le16_to_cpu(sbi->s_es->s_desc_size) +with + sbi->s_desc_size + +It reduces ext4's compiled text size, and makes the code more efficient +(we remove an extra indirect reference and a potential byte +swap on big endian systems), and there is no downside. It also avoids the +potential KASAN / syzkaller failure, as a bonus. + +Reported-by: syzbot+fc51227e7100c9294894@syzkaller.appspotmail.com +Reported-by: syzbot+8785e41224a3afd04321@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff42 +Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30f3 +Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/ +Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -2831,11 +2831,9 @@ static __le16 ext4_group_desc_csum(struc + crc = crc16(crc, (__u8 *)gdp, offset); + offset += sizeof(gdp->bg_checksum); /* skip checksum */ + /* for checksum of struct ext4_group_desc do the rest...*/ +- if (ext4_has_feature_64bit(sb) && +- offset < le16_to_cpu(sbi->s_es->s_desc_size)) ++ if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size) + crc = crc16(crc, (__u8 *)gdp + offset, +- le16_to_cpu(sbi->s_es->s_desc_size) - +- offset); ++ sbi->s_desc_size - offset); + + out: + return cpu_to_le16(crc); diff --git a/queue-5.10/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch b/queue-5.10/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch new file mode 100644 index 00000000000..456be682134 --- /dev/null +++ b/queue-5.10/ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch @@ -0,0 +1,31 @@ +From 2a534e1d0d1591e951f9ece2fb460b2ff92edabd Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 12 May 2023 15:16:27 -0400 +Subject: ext4: bail out of ext4_xattr_ibody_get() fails for any reason + +From: Theodore Ts'o + +commit 2a534e1d0d1591e951f9ece2fb460b2ff92edabd upstream. + +In ext4_update_inline_data(), if ext4_xattr_ibody_get() fails for any +reason, it's best if we just fail as opposed to stumbling on, +especially if the failure is EFSCORRUPTED. + +Cc: stable@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -358,7 +358,7 @@ static int ext4_update_inline_data(handl + + error = ext4_xattr_ibody_get(inode, i.name_index, i.name, + value, len); +- if (error == -ENODATA) ++ if (error < 0) + goto out; + + BUFFER_TRACE(is.iloc.bh, "get_write_access"); diff --git a/queue-5.10/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch b/queue-5.10/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch new file mode 100644 index 00000000000..2f77067046b --- /dev/null +++ b/queue-5.10/ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch @@ -0,0 +1,39 @@ +From fa83c34e3e56b3c672af38059e066242655271b1 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Fri, 5 May 2023 21:24:29 +0800 +Subject: ext4: check iomap type only if ext4_iomap_begin() does not fail + +From: Baokun Li + +commit fa83c34e3e56b3c672af38059e066242655271b1 upstream. + +When ext4_iomap_overwrite_begin() calls ext4_iomap_begin() map blocks may +fail for some reason (e.g. memory allocation failure, bare disk write), and +later because "iomap->type ! = IOMAP_MAPPED" triggers WARN_ON(). When ext4 +iomap_begin() returns an error, it is normal that the type of iomap->type +may not match the expectation. Therefore, we only determine if iomap->type +is as expected when ext4_iomap_begin() is executed successfully. + +Cc: stable@kernel.org +Reported-by: syzbot+08106c4b7d60702dbc14@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/00000000000015760b05f9b4eee9@google.com +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230505132429.714648-1-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3564,7 +3564,7 @@ static int ext4_iomap_overwrite_begin(st + */ + flags &= ~IOMAP_WRITE; + ret = ext4_iomap_begin(inode, offset, length, flags, iomap, srcmap); +- WARN_ON_ONCE(iomap->type != IOMAP_MAPPED); ++ WARN_ON_ONCE(!ret && iomap->type != IOMAP_MAPPED); + return ret; + } + diff --git a/queue-5.10/ext4-fix-data-races-when-using-cached-status-extents.patch b/queue-5.10/ext4-fix-data-races-when-using-cached-status-extents.patch new file mode 100644 index 00000000000..6c81bad71b0 --- /dev/null +++ b/queue-5.10/ext4-fix-data-races-when-using-cached-status-extents.patch @@ -0,0 +1,81 @@ +From 492888df0c7b42fc0843631168b0021bc4caee84 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 May 2023 14:55:24 +0200 +Subject: ext4: fix data races when using cached status extents + +From: Jan Kara + +commit 492888df0c7b42fc0843631168b0021bc4caee84 upstream. + +When using cached extent stored in extent status tree in tree->cache_es +another process holding ei->i_es_lock for reading can be racing with us +setting new value of tree->cache_es. If the compiler would decide to +refetch tree->cache_es at an unfortunate moment, it could result in a +bogus in_range() check. Fix the possible race by using READ_ONCE() when +using tree->cache_es only under ei->i_es_lock for reading. + +Cc: stable@kernel.org +Reported-by: syzbot+4a03518df1e31b537066@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000d3b33905fa0fd4a6@google.com +Suggested-by: Dmitry Vyukov +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20230504125524.10802-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents_status.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/fs/ext4/extents_status.c ++++ b/fs/ext4/extents_status.c +@@ -269,14 +269,12 @@ static void __es_find_extent_range(struc + + /* see if the extent has been cached */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u) %llu %x\n", +- lblk, es1->es_lblk, es1->es_len, +- ext4_es_pblock(es1), ext4_es_status(es1)); +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u) %llu %x\n", ++ lblk, es1->es_lblk, es1->es_len, ++ ext4_es_pblock(es1), ext4_es_status(es1)); ++ goto out; + } + + es1 = __es_tree_search(&tree->root, lblk); +@@ -295,7 +293,7 @@ out: + } + + if (es1 && matching_fn(es1)) { +- tree->cache_es = es1; ++ WRITE_ONCE(tree->cache_es, es1); + es->es_lblk = es1->es_lblk; + es->es_len = es1->es_len; + es->es_pblk = es1->es_pblk; +@@ -934,14 +932,12 @@ int ext4_es_lookup_extent(struct inode * + + /* find extent in cache firstly */ + es->es_lblk = es->es_len = es->es_pblk = 0; +- if (tree->cache_es) { +- es1 = tree->cache_es; +- if (in_range(lblk, es1->es_lblk, es1->es_len)) { +- es_debug("%u cached by [%u/%u)\n", +- lblk, es1->es_lblk, es1->es_len); +- found = 1; +- goto out; +- } ++ es1 = READ_ONCE(tree->cache_es); ++ if (es1 && in_range(lblk, es1->es_lblk, es1->es_len)) { ++ es_debug("%u cached by [%u/%u)\n", ++ lblk, es1->es_lblk, es1->es_len); ++ found = 1; ++ goto out; + } + + node = tree->root.rb_node; diff --git a/queue-5.10/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch b/queue-5.10/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch new file mode 100644 index 00000000000..e09cdb61a7e --- /dev/null +++ b/queue-5.10/ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch @@ -0,0 +1,63 @@ +From f4ce24f54d9cca4f09a395f3eecce20d6bec4663 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 6 May 2023 21:04:01 -0400 +Subject: ext4: fix deadlock when converting an inline directory in nojournal mode + +From: Theodore Ts'o + +commit f4ce24f54d9cca4f09a395f3eecce20d6bec4663 upstream. + +In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock +by calling ext4_handle_dirty_dirblock() when it already has taken the +directory lock. There is a similar self-deadlock in +ext4_incvert_inline_data_nolock() for data files which we'll fix at +the same time. + +A simple reproducer demonstrating the problem: + + mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 + mount -t ext4 -o dirsync /dev/vdc /vdc + cd /vdc + mkdir file0 + cd file0 + touch file0 + touch file1 + attr -s BurnSpaceInEA -V abcde . + touch supercalifragilisticexpialidocious + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230507021608.1290720-1-tytso@mit.edu +Reported-by: syzbot+91dccab7c64e2850a4e5@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=ba84cc80a9491d65416bc7877e1650c87530fe8a +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inline.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1172,6 +1172,7 @@ static int ext4_finish_convert_inline_di + ext4_initialize_dirent_tail(dir_block, + inode->i_sb->s_blocksize); + set_buffer_uptodate(dir_block); ++ unlock_buffer(dir_block); + err = ext4_handle_dirty_dirblock(handle, inode, dir_block); + if (err) + return err; +@@ -1245,6 +1246,7 @@ static int ext4_convert_inline_data_nolo + if (!S_ISDIR(inode->i_mode)) { + memcpy(data_bh->b_data, buf, inline_size); + set_buffer_uptodate(data_bh); ++ unlock_buffer(data_bh); + error = ext4_handle_dirty_metadata(handle, + inode, data_bh); + } else { +@@ -1252,7 +1254,6 @@ static int ext4_convert_inline_data_nolo + buf, inline_size); + } + +- unlock_buffer(data_bh); + out_restore: + if (error) + ext4_restore_inline_data(handle, inode, iloc, buf, inline_size); diff --git a/queue-5.10/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch b/queue-5.10/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch new file mode 100644 index 00000000000..9ebf6441a1e --- /dev/null +++ b/queue-5.10/ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch @@ -0,0 +1,62 @@ +From b87c7cdf2bed4928b899e1ce91ef0d147017ba45 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 30 Apr 2023 03:04:13 -0400 +Subject: ext4: fix invalid free tracking in ext4_xattr_move_to_block() + +From: Theodore Ts'o + +commit b87c7cdf2bed4928b899e1ce91ef0d147017ba45 upstream. + +In ext4_xattr_move_to_block(), the value of the extended attribute +which we need to move to an external block may be allocated by +kvmalloc() if the value is stored in an external inode. So at the end +of the function the code tried to check if this was the case by +testing entry->e_value_inum. + +However, at this point, the pointer to the xattr entry is no longer +valid, because it was removed from the original location where it had +been stored. So we could end up calling kvfree() on a pointer which +was not allocated by kvmalloc(); or we could also potentially leak +memory by not freeing the buffer when it should be freed. Fix this by +storing whether it should be freed in a separate variable. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430160426.581366-1-tytso@mit.edu +Link: https://syzkaller.appspot.com/bug?id=5c2aee8256e30b55ccf57312c16d88417adbd5e1 +Link: https://syzkaller.appspot.com/bug?id=41a6b5d4917c0412eb3b3c3c604965bed7d7420b +Reported-by: syzbot+64b645917ce07d89bde5@syzkaller.appspotmail.com +Reported-by: syzbot+0d042627c4f2ad332195@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2554,6 +2554,7 @@ static int ext4_xattr_move_to_block(hand + .in_inode = !!entry->e_value_inum, + }; + struct ext4_xattr_ibody_header *header = IHDR(inode, raw_inode); ++ int needs_kvfree = 0; + int error; + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); +@@ -2576,7 +2577,7 @@ static int ext4_xattr_move_to_block(hand + error = -ENOMEM; + goto out; + } +- ++ needs_kvfree = 1; + error = ext4_xattr_inode_get(inode, entry, buffer, value_size); + if (error) + goto out; +@@ -2615,7 +2616,7 @@ static int ext4_xattr_move_to_block(hand + + out: + kfree(b_entry_name); +- if (entry->e_value_inum && buffer) ++ if (needs_kvfree && buffer) + kvfree(buffer); + if (is) + brelse(is->iloc.bh); diff --git a/queue-5.10/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch b/queue-5.10/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch new file mode 100644 index 00000000000..ea74569f839 --- /dev/null +++ b/queue-5.10/ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch @@ -0,0 +1,62 @@ +From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Fri, 5 May 2023 22:20:29 -0400 +Subject: ext4: improve error recovery code paths in __ext4_remount() + +From: Theodore Ts'o + +commit 4c0b4818b1f636bc96359f7817a2d8bab6370162 upstream. + +If there are failures while changing the mount options in +__ext4_remount(), we need to restore the old mount options. + +This commit fixes two problem. The first is there is a chance that we +will free the old quota file names before a potential failure leading +to a use-after-free. The second problem addressed in this commit is +if there is a failed read/write to read-only transition, if the quota +has already been suspended, we need to renable quota handling. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -6028,9 +6028,6 @@ static int ext4_remount(struct super_blo + } + + #ifdef CONFIG_QUOTA +- /* Release old quota file names */ +- for (i = 0; i < EXT4_MAXQUOTAS; i++) +- kfree(old_opts.s_qf_names[i]); + if (enable_quota) { + if (sb_any_quota_suspended(sb)) + dquot_resume(sb, -1); +@@ -6040,6 +6037,9 @@ static int ext4_remount(struct super_blo + goto restore_opts; + } + } ++ /* Release old quota file names */ ++ for (i = 0; i < EXT4_MAXQUOTAS; i++) ++ kfree(old_opts.s_qf_names[i]); + #endif + if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks) + ext4_release_system_zone(sb); +@@ -6059,6 +6059,13 @@ static int ext4_remount(struct super_blo + return 0; + + restore_opts: ++ /* ++ * If there was a failing r/w to ro transition, we may need to ++ * re-enable quota ++ */ ++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) && ++ sb_any_quota_suspended(sb)) ++ dquot_resume(sb, -1); + sb->s_flags = old_sb_flags; + sbi->s_mount_opt = old_opts.s_mount_opt; + sbi->s_mount_opt2 = old_opts.s_mount_opt2; diff --git a/queue-5.10/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch b/queue-5.10/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch new file mode 100644 index 00000000000..c1bd71f0e61 --- /dev/null +++ b/queue-5.10/ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch @@ -0,0 +1,40 @@ +From 463808f237cf73e98a1a45ff7460c2406a150a0b Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 29 Apr 2023 16:14:46 -0400 +Subject: ext4: remove a BUG_ON in ext4_mb_release_group_pa() + +From: Theodore Ts'o + +commit 463808f237cf73e98a1a45ff7460c2406a150a0b upstream. + +If a malicious fuzzer overwrites the ext4 superblock while it is +mounted such that the s_first_data_block is set to a very large +number, the calculation of the block group can underflow, and trigger +a BUG_ON check. Change this to be an ext4_warning so that we don't +crash the kernel. + +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230430154311.579720-3-tytso@mit.edu +Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220 +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4250,7 +4250,11 @@ ext4_mb_release_group_pa(struct ext4_bud + trace_ext4_mb_release_group_pa(sb, pa); + BUG_ON(pa->pa_deleted == 0); + ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit); +- BUG_ON(group != e4b->bd_group && pa->pa_len != 0); ++ if (unlikely(group != e4b->bd_group && pa->pa_len != 0)) { ++ ext4_warning(sb, "bad group: expected %u, group %u, pa_start %llu", ++ e4b->bd_group, group, pa->pa_pstart); ++ return 0; ++ } + mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len); + atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded); + trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len); diff --git a/queue-5.10/series b/queue-5.10/series index 5b9be55a663..7ed20692ecb 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -360,3 +360,12 @@ hid-wacom-insert-timestamp-to-packed-bluetooth-bt-events.patch kvm-x86-hyper-v-avoid-calling-kvm_make_vcpus_request_mask-with-vcpu_mask-null.patch kvm-x86-do-not-report-a-vcpu-as-preempted-outside-instruction-boundaries.patch ext4-fix-warning-in-mb_find_extent.patch +ext4-avoid-a-potential-slab-out-of-bounds-in-ext4_group_desc_csum.patch +ext4-fix-data-races-when-using-cached-status-extents.patch +ext4-check-iomap-type-only-if-ext4_iomap_begin-does-not-fail.patch +ext4-improve-error-recovery-code-paths-in-__ext4_remount.patch +ext4-fix-deadlock-when-converting-an-inline-directory-in-nojournal-mode.patch +ext4-add-bounds-checking-in-get_max_inline_xattr_value_size.patch +ext4-bail-out-of-ext4_xattr_ibody_get-fails-for-any-reason.patch +ext4-remove-a-bug_on-in-ext4_mb_release_group_pa.patch +ext4-fix-invalid-free-tracking-in-ext4_xattr_move_to_block.patch