From: Greg Kroah-Hartman
Date: Mon, 22 Aug 2022 10:09:39 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.9.326~51
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d62d445c7a681fd32ed4961923fd56e30a88ae5;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
fs-ntfs3-do-not-change-mode-if-ntfs_set_ea-failed.patch
fs-ntfs3-don-t-clear-upper-bits-accidentally-in-log_replay.patch
fs-ntfs3-fix-double-free-on-remount.patch
fs-ntfs3-fix-missing-i_op-in-ntfs_read_mft.patch
fs-ntfs3-fix-null-deref-in-ntfs_update_mftmirr.patch
fs-ntfs3-fix-using-uninitialized-value-n-when-calling-indx_read.patch
---
diff --git a/queue-5.15/fs-ntfs3-do-not-change-mode-if-ntfs_set_ea-failed.patch b/queue-5.15/fs-ntfs3-do-not-change-mode-if-ntfs_set_ea-failed.patch
new file mode 100644
index 00000000000..1af005c8f6f
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-do-not-change-mode-if-ntfs_set_ea-failed.patch
@@ -0,0 +1,70 @@
+From 460bbf2990b3fdc597601c2cf669a3371c069242 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Thu, 12 May 2022 19:08:40 +0300
+Subject: fs/ntfs3: Do not change mode if ntfs_set_ea failed
+
+From: Konstantin Komarov
+
+commit 460bbf2990b3fdc597601c2cf669a3371c069242 upstream.
+
+ntfs_set_ea can fail with NOSPC, so we don't need to
+change mode in this situation.
+Fixes xfstest generic/449
+Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
+
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/xattr.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -545,28 +545,23 @@ static noinline int ntfs_set_acl_ex(stru
+ {
+ const char *name;
+ size_t size, name_len;
+- void *value = NULL;
+- int err = 0;
++ void *value;
++ int err;
+ int flags;
++ umode_t mode;
+
+ if (S_ISLNK(inode->i_mode))
+ return -EOPNOTSUPP;
+
++ mode = inode->i_mode;
+ switch (type) {
+ case ACL_TYPE_ACCESS:
+ /* Do not change i_mode if we are in init_acl */
+ if (acl && !init_acl) {
+- umode_t mode;
+-
+ err = posix_acl_update_mode(mnt_userns, inode, &mode,
+ &acl);
+ if (err)
+ goto out;
+-
+- if (inode->i_mode != mode) {
+- inode->i_mode = mode;
+- mark_inode_dirty(inode);
+- }
+ }
+ name = XATTR_NAME_POSIX_ACL_ACCESS;
+ name_len = sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1;
+@@ -602,8 +597,13 @@ static noinline int ntfs_set_acl_ex(stru
+ err = ntfs_set_ea(inode, name, name_len, value, size, flags);
+ if (err == -ENODATA && !size)
+ err = 0; /* Removing non existed xattr. */
+- if (!err)
++ if (!err) {
+ set_cached_acl(inode, type, acl);
++ if (inode->i_mode != mode) {
++ inode->i_mode = mode;
++ mark_inode_dirty(inode);
++ }
++ }
+
+ out:
+ kfree(value);
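Review bot: The deferred write-back of `mode` at the end of ntfs_set_acl_ex() is guarded only by `inode->i_mode != mode`, so it also runs for the non-ACCESS case, where `mode` is merely the snapshot taken before the `switch`; that is a no-op as long as nothing else touches i_mode between the snapshot and the `ntfs_set_ea()` call, which presumably the caller's inode lock guarantees, but the intent is stated nowhere. A comment at `mode = inode->i_mode;` would pin it: `/* Snapshot i_mode; posix_acl_update_mode() may adjust it, and it is applied only after ntfs_set_ea() succeeds, so a failed EA write leaves i_mode untouched. */`. Dropping the `= 0` initializer from `err` also means every path that reaches `out:` must now assign it; the `switch` cases between the two hunks are outside this view, so that is worth checking. The function body continues between and after the hunks.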
diff --git a/queue-5.15/fs-ntfs3-don-t-clear-upper-bits-accidentally-in-log_replay.patch b/queue-5.15/fs-ntfs3-don-t-clear-upper-bits-accidentally-in-log_replay.patch
new file mode 100644
index 00000000000..c4cccb75a81
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-don-t-clear-upper-bits-accidentally-in-log_replay.patch
@@ -0,0 +1,34 @@
+From 926034353d3c67db1ffeab47dcb7f6bdac02a263 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 9 May 2022 12:03:00 +0300
+Subject: fs/ntfs3: Don't clear upper bits accidentally in log_replay()
+
+From: Dan Carpenter
+
+commit 926034353d3c67db1ffeab47dcb7f6bdac02a263 upstream.
+
+The "vcn" variable is a 64 bit. The "log->clst_per_page" variable is a
+u32. This means that the mask accidentally clears out the high 32 bits
+when it was only supposed to clear some low bits. Fix this by adding a
+cast to u64.
+
+Fixes: b46acd6a6a62 ("fs/ntfs3: Add NTFS journal")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Namjae Jeon
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/fslog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs3/fslog.c
++++ b/fs/ntfs3/fslog.c
+@@ -5057,7 +5057,7 @@ undo_action_next:
+ goto add_allocated_vcns;
+
+ vcn = le64_to_cpu(lrh->target_vcn);
+- vcn &= ~(log->clst_per_page - 1);
++ vcn &= ~(u64)(log->clst_per_page - 1);
+
+ add_allocated_vcns:
+ for (i = 0, vcn = le64_to_cpu(lrh->target_vcn),
diff --git a/queue-5.15/fs-ntfs3-fix-double-free-on-remount.patch b/queue-5.15/fs-ntfs3-fix-double-free-on-remount.patch
new file mode 100644
index 00000000000..cced76af5db
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-fix-double-free-on-remount.patch
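Review bot: The rounded value produced by `vcn &= ~(u64)(log->clst_per_page - 1);` is overwritten by the next visible statement, `for (i = 0, vcn = le64_to_cpu(lrh->target_vcn),`, which reloads vcn from the same field before any later clause of the for-header can read it, so by the visible lines the masking is a dead store that the cast makes correct but not live; the rest of the loop header is outside the hunk, so this is worth confirming there. If the rounding is meant to feed the loop, the for-init should start from the rounded `vcn` instead of reloading `lrh->target_vcn`; if not, the two rounding lines can go. The mask also assumes `clst_per_page` is a power of two, which nothing in the hunk establishes; a comment such as `/* clst_per_page is a power of two: round vcn down to the page start. */` or using `round_down()` would make that precondition explicit. The enclosing function starts and ends outside the hunk.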
@@ -0,0 +1,64 @@
+From cd39981fb92adf0cc736112f87e3e61602baa415 Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Wed, 11 May 2022 19:58:36 +0300
+Subject: fs/ntfs3: Fix double free on remount
+
+From: Konstantin Komarov
+
+commit cd39981fb92adf0cc736112f87e3e61602baa415 upstream.
+
+Pointer to options was freed twice on remount
+Fixes xfstest generic/361
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/super.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ntfs3/super.c
++++ b/fs/ntfs3/super.c
+@@ -30,6 +30,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -390,7 +391,7 @@ static int ntfs_fs_reconfigure(struct fs
+ return -EINVAL;
+ }
+
+- memcpy(sbi->options, new_opts, sizeof(*new_opts));
++ swap(sbi->options, fc->fs_private);
+
+ return 0;
+ }
+@@ -901,6 +902,8 @@ static int ntfs_fill_super(struct super_
+ ref.high = 0;
+
+ sbi->sb = sb;
++ sbi->options = fc->fs_private;
++ fc->fs_private = NULL;
+ sb->s_flags |= SB_NODIRATIME;
+ sb->s_magic = 0x7366746e; // "ntfs"
+ sb->s_op = &ntfs_sops;
+@@ -1264,8 +1267,6 @@ load_root:
+ goto put_inode_out;
+ }
+
+- fc->fs_private = NULL;
+-
+ return 0;
+
+ put_inode_out:
+@@ -1418,7 +1419,6 @@ static int ntfs_init_fs_context(struct f
+ mutex_init(&sbi->compress.mtx_lzx);
+ #endif
+
+- sbi->options = opts;
+ fc->s_fs_info = sbi;
+ ok:
+ fc->fs_private = opts;
diff --git a/queue-5.15/fs-ntfs3-fix-missing-i_op-in-ntfs_read_mft.patch b/queue-5.15/fs-ntfs3-fix-missing-i_op-in-ntfs_read_mft.patch
new file mode 100644
index 00000000000..523df5c5d5a
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-fix-missing-i_op-in-ntfs_read_mft.patch
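Review bot: Ownership of the mount-options buffer now moves in two different ways — `sbi->options = fc->fs_private; fc->fs_private = NULL;` in ntfs_fill_super() and `swap(sbi->options, fc->fs_private);` in ntfs_fs_reconfigure() — and neither site says who frees what, which is the kind of ambiguity behind the double free this patch fixes. After the swap the previous options sit in `fc->fs_private`, so correctness depends on the context teardown (ntfs_fs_free(), outside the hunk) releasing fs_private exactly once; a comment at the swap, `/* Hand the old options back to fc; they are freed with the fs_context. */`, and one at the fill_super assignment, `/* sbi owns the options from here; clear fc->fs_private so the context teardown does not free them again. */`, would make that invariant checkable. The target of the new `#include` line was lost in rendering and cannot be checked here. ntfs_fs_reconfigure(), ntfs_fill_super() and ntfs_init_fs_context() all begin outside their hunks.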
@@ -0,0 +1,30 @@
+From 37a530bfe56ca9a0d3129598803f2794c7428aae Mon Sep 17 00:00:00 2001
+From: Konstantin Komarov
+Date: Thu, 26 May 2022 12:51:03 +0300
+Subject: fs/ntfs3: Fix missing i_op in ntfs_read_mft
+
+From: Konstantin Komarov
+
+commit 37a530bfe56ca9a0d3129598803f2794c7428aae upstream.
+
+There is null pointer dereference because i_op == NULL.
+The bug happens because we don't initialize i_op for records in $Extend.
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+
+Reported-by: Liangbin Lian
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -430,6 +430,7 @@ end_enum:
+ } else if (fname && fname->home.low == cpu_to_le32(MFT_REC_EXTEND) &&
+ fname->home.seq == cpu_to_le16(MFT_REC_EXTEND)) {
+ /* Records in $Extend are not a files or general directories. */
++ inode->i_op = &ntfs_file_inode_operations;
+ } else {
+ err = -EINVAL;
+ goto out;
diff --git a/queue-5.15/fs-ntfs3-fix-null-deref-in-ntfs_update_mftmirr.patch b/queue-5.15/fs-ntfs3-fix-null-deref-in-ntfs_update_mftmirr.patch
new file mode 100644
index 00000000000..43810c7946a
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-fix-null-deref-in-ntfs_update_mftmirr.patch
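Review bot: The new `inode->i_op = &ntfs_file_inode_operations;` sits directly under a comment saying records in $Extend are not files, so a reader cannot tell whether file ops are chosen deliberately or as a placeholder, and nothing in the hunk sets `i_fop` or a mapping for these inodes. Rewording the comment to give the reason would settle it: `/* Records in $Extend are not files or general directories; give them file inode ops only so that i_op is never NULL. */`. Since ntfs_file_inode_operations presumably exposes setattr- and xattr-style entry points, it is worth confirming those paths are safe on $Extend system records, or using a narrower ops table if they are not. The enclosing function continues outside the hunk.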
@@ -0,0 +1,56 @@
+From 321460ca3b55f48b3ba6008248264ab2bd6407d9 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Thu, 21 Apr 2022 23:53:36 +0300
+Subject: fs/ntfs3: Fix NULL deref in ntfs_update_mftmirr
+
+From: Pavel Skripkin
+
+commit 321460ca3b55f48b3ba6008248264ab2bd6407d9 upstream.
+
+If ntfs_fill_super() wasn't called then sbi->sb will be equal to NULL.
+Code should check this ptr before dereferencing. Syzbot hit this issue
+via passing wrong mount param as can be seen from log below
+
+Fail log:
+ntfs3: Unknown parameter 'iochvrset'
+general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+CPU: 1 PID: 3589 Comm: syz-executor210 Not tainted 5.18.0-rc3-syzkaller-00016-gb253435746d9 #0
+...
+Call Trace:
+
+ put_ntfs+0x1ed/0x2a0 fs/ntfs3/super.c:463
+ ntfs_fs_free+0x6a/0xe0 fs/ntfs3/super.c:1363
+ put_fs_context+0x119/0x7a0 fs/fs_context.c:469
+ do_new_mount+0x2b4/0xad0 fs/namespace.c:3044
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+Reported-and-tested-by: syzbot+c95173762127ad76a824@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/fsntfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/ntfs3/fsntfs.c
++++ b/fs/ntfs3/fsntfs.c
+@@ -831,10 +831,15 @@ int ntfs_update_mftmirr(struct ntfs_sb_i
+ {
+ int err;
+ struct super_block *sb = sbi->sb;
+- u32 blocksize = sb->s_blocksize;
++ u32 blocksize;
+ sector_t block1, block2;
+ u32 bytes;
+
++ if (!sb)
++ return -EINVAL;
++
++ blocksize = sb->s_blocksize;
++
+ if (!(sbi->flags & NTFS_FLAGS_MFTMIRR))
+ return 0;
+
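Review bot: The new `if (!sb) return -EINVAL;` stops the crash but leaves no trace in the code of why `sbi->sb` can be NULL in ntfs_update_mftmirr(); the commit message has the reason (ntfs_fill_super() never ran, here after a rejected mount option, and put_ntfs() still calls in), so a comment at the check would spare the next reader a trip through git log: `/* sbi->sb is NULL when ntfs_fill_super() never ran (e.g. bad mount options) and put_ntfs() tears down the half-built sbi; nothing to sync. */`. Whether -EINVAL or 0 is the better result is also worth a thought, since the teardown path presumably ignores the value but any other caller would see a failed mirror update. The function body continues outside the hunk.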
diff --git a/queue-5.15/fs-ntfs3-fix-using-uninitialized-value-n-when-calling-indx_read.patch b/queue-5.15/fs-ntfs3-fix-using-uninitialized-value-n-when-calling-indx_read.patch
new file mode 100644
index 00000000000..e390e64e3e1
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-fix-using-uninitialized-value-n-when-calling-indx_read.patch
@@ -0,0 +1,30 @@
+From ae5a4e46916fc307288227b64c1d062352eb93b7 Mon Sep 17 00:00:00 2001
+From: Yan Lei
+Date: Sun, 10 Apr 2022 09:09:00 +0300
+Subject: fs/ntfs3: Fix using uninitialized value n when calling indx_read
+
+From: Yan Lei
+
+commit ae5a4e46916fc307288227b64c1d062352eb93b7 upstream.
+
+This value is checked in indx_read, so it must be initialized
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+
+Signed-off-by: Yan Lei
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/index.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -1994,7 +1994,7 @@ static int indx_free_children(struct ntf
+ const struct NTFS_DE *e, bool trim)
+ {
+ int err;
+- struct indx_node *n;
++ struct indx_node *n = NULL;
+ struct INDEX_HDR *hdr;
+ CLST vbn = de_get_vbn(e);
+ size_t i;
diff --git a/queue-5.15/series b/queue-5.15/series
index 60b5cbfa211..8e230377a3b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -100,3 +100,9 @@ perf-probe-fix-an-error-handling-path-in-parse_perf_probe_command.patch
 perf-parse-events-fix-segfault-when-event-parser-gets-an-error.patch
 perf-tests-fix-track-with-sched_switch-test-for-hybrid-case.patch
 dpaa2-eth-trace-the-allocated-address-instead-of-page-struct.patch
+fs-ntfs3-fix-using-uninitialized-value-n-when-calling-indx_read.patch
+fs-ntfs3-fix-null-deref-in-ntfs_update_mftmirr.patch
+fs-ntfs3-don-t-clear-upper-bits-accidentally-in-log_replay.patch
+fs-ntfs3-fix-double-free-on-remount.patch
+fs-ntfs3-do-not-change-mode-if-ntfs_set_ea-failed.patch
+fs-ntfs3-fix-missing-i_op-in-ntfs_read_mft.patch
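Review bot: `struct indx_node *n = NULL;` is the whole fix, but the reason it matters lives only in the commit message, so a later cleanup could drop the initializer as redundant; a comment at the declaration would protect it: `/* indx_read() inspects *n before use (it reuses a non-NULL node), so n must start out NULL. */`. The `size_t i;` beside it suggests the node is handed to indx_read() in a loop, so it is worth confirming in the body (outside the hunk) that n is reset or released between iterations rather than passed back stale. indx_free_children() continues past the hunk.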