From: Greg Kroah-Hartman
Date: Mon, 7 Oct 2024 12:31:08 +0000 (+0200)
Subject: fix up some ext4 patches by dropping them
X-Git-Tag: v6.6.55~94
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7badd3874aeae56ad08d8419bb401d5a74f333df;p=thirdparty%2Fkernel%2Fstable-queue.git

fix up some ext4 patches by dropping them
---
diff --git a/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch b/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
deleted file mode 100644
index b0bbb5fed9f..00000000000
--- a/queue-4.19/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
+++ /dev/null
@@ -1,127 +0,0 @@ -From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001 -From: Baokun Li -Date: Thu, 22 Aug 2024 10:35:23 +0800 -Subject: ext4: fix slab-use-after-free in ext4_split_extent_at() - -From: Baokun Li - -commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream. - -We hit the following use-after-free: - -================================================================== -BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 -Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 -CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 -Call Trace: - - kasan_report+0x93/0xc0 - ext4_split_extent_at+0xba8/0xcc0 - ext4_split_extent.isra.0+0x18f/0x500 - ext4_split_convert_extents+0x275/0x750 - ext4_ext_handle_unwritten_extents+0x73e/0x1580 - ext4_ext_map_blocks+0xe20/0x2dc0 - ext4_map_blocks+0x724/0x1700 - ext4_do_writepages+0x12d6/0x2a70 -[...] - -Allocated by task 40: - __kmalloc_noprof+0x1ac/0x480 - ext4_find_extent+0xf3b/0x1e70 - ext4_ext_map_blocks+0x188/0x2dc0 - ext4_map_blocks+0x724/0x1700 - ext4_do_writepages+0x12d6/0x2a70 -[...] - -Freed by task 40: - kfree+0xf1/0x2b0 - ext4_find_extent+0xa71/0x1e70 - ext4_ext_insert_extent+0xa22/0x3260 - ext4_split_extent_at+0x3ef/0xcc0 - ext4_split_extent.isra.0+0x18f/0x500 - ext4_split_convert_extents+0x275/0x750 - ext4_ext_handle_unwritten_extents+0x73e/0x1580 - ext4_ext_map_blocks+0xe20/0x2dc0 - ext4_map_blocks+0x724/0x1700 - ext4_do_writepages+0x12d6/0x2a70 -[...] -================================================================== - -The flow of issue triggering is as follows: - -ext4_split_extent_at - path = *ppath - ext4_ext_insert_extent(ppath) - ext4_ext_create_new_leaf(ppath) - ext4_find_extent(orig_path) - path = *orig_path - read_extent_tree_block - // return -ENOMEM or -EIO - ext4_free_ext_path(path) - kfree(path) - *orig_path = NULL - a. If err is -ENOMEM: - ext4_ext_dirty(path + path->p_depth) - // path use-after-free !!! - b. 
If err is -EIO and we have EXT_DEBUG defined: - ext4_ext_show_leaf(path) - eh = path[depth].p_hdr - // path also use-after-free !!! - -So when trying to zeroout or fix the extent length, call ext4_find_extent() -to update the path. - -In addition we use *ppath directly as an ext4_ext_show_leaf() input to -avoid possible use-after-free when EXT_DEBUG is defined, and to avoid -unnecessary path updates. - -Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code") -Cc: stable@kernel.org -Signed-off-by: Baokun Li -Reviewed-by: Jan Kara -Reviewed-by: Ojaswin Mujoo -Tested-by: Ojaswin Mujoo -Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/extents.c | 21 ++++++++++++++++++++- - 1 file changed, 20 insertions(+), 1 deletion(-) - ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -3276,6 +3276,25 @@ static int ext4_split_extent_at(handle_t - if (err != -ENOSPC && err != -EDQUOT) - goto out; - -+ /* -+ * Update path is required because previous ext4_ext_insert_extent() -+ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL -+ * guarantees that ext4_find_extent() will not return -ENOMEM, -+ * otherwise -ENOMEM will cause a retry in do_writepages(), and a -+ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to -+ * an incorrect ee_len causing the i_reserved_data_blocks exception. 
-+ */ -+ path = ext4_find_extent(inode, ee_block, ppath, -+ flags | EXT4_EX_NOFAIL); -+ if (IS_ERR(path)) { -+ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld", -+ split, PTR_ERR(path)); -+ return PTR_ERR(path); -+ } -+ depth = ext_depth(inode); -+ ex = path[depth].p_ext; -+ *ppath = path; -+ - if (EXT4_EXT_MAY_ZEROOUT & split_flag) { - if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { - if (split_flag & EXT4_EXT_DATA_VALID1) { -@@ -3324,7 +3343,7 @@ fix_extent_len: - ext4_ext_dirty(handle, inode, path + path->p_depth); - return err; - out: -- ext4_ext_show_leaf(inode, path); -+ ext4_ext_show_leaf(inode, *ppath); - return err; - } - diff --git a/queue-4.19/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch b/queue-4.19/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch index 8ee32be9dd1..4e6fc813935 100644 --- a/queue-4.19/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch +++ b/queue-4.19/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch @@ -27,7 +27,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c -@@ -5750,6 +5750,7 @@ int ext4_insert_range(struct inode *inod +@@ -5731,6 +5731,7 @@ int ext4_insert_range(struct inode *inod path = ext4_find_extent(inode, offset_lblk, NULL, 0); if (IS_ERR(path)) { up_write(&EXT4_I(inode)->i_data_sem); diff --git a/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch b/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch deleted file mode 100644 index d0613f266d2..00000000000 --- a/queue-4.19/ext4-update-orig_path-in-ext4_find_extent.patch +++ /dev/null 
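Review bot: The commit message does not say why the two ext4 fixes are dropped, and the refreshed header in the propagate-errors patch (`@@ -5731,6 +5731,7 @@`, down from 5750, consistent with the 19 net lines the dropped ext4_split_extent_at() patch added) is the only adjustment to what stays queued for 4.19. The dropped patch's changelog documents a KASAN slab-use-after-free and carries `Cc: stable@kernel.org` with `Fixes: dfe5080939ea`, so if this tree contains that commit, the use-after-free and the NULL dereference described in the second dropped patch presumably stay unfixed here until reworked backports are queued. I would record that in the description, for example `Dropped from 4.19 and 5.4: <reason>; backport tracked in <reference>`, so the gap can be traced from the queue history. The same applies to the queue-5.4 copy of this hunk (`@@ -5741,6 +5741,7 @@`).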
@@ -1,86 +0,0 @@ -From 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 Mon Sep 17 00:00:00 2001 -From: Baokun Li -Date: Thu, 22 Aug 2024 10:35:25 +0800 -Subject: ext4: update orig_path in ext4_find_extent() - -From: Baokun Li - -commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 upstream. - -In ext4_find_extent(), if the path is not big enough, we free it and set -*orig_path to NULL. But after reallocating and successfully initializing -the path, we don't update *orig_path, in which case the caller gets a -valid path but a NULL ppath, and this may cause a NULL pointer dereference -or a path memory leak. For example: - -ext4_split_extent - path = *ppath = 2000 - ext4_find_extent - if (depth > path[0].p_maxdepth) - kfree(path = 2000); - *orig_path = path = NULL; - path = kcalloc() = 3000 - ext4_split_extent_at(*ppath = NULL) - path = *ppath; - ex = path[depth].p_ext; - // NULL pointer dereference! - -================================================================== -BUG: kernel NULL pointer dereference, address: 0000000000000010 -CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847 -RIP: 0010:ext4_split_extent_at+0x6d/0x560 -Call Trace: - - ext4_split_extent.isra.0+0xcb/0x1b0 - ext4_ext_convert_to_initialized+0x168/0x6c0 - ext4_ext_handle_unwritten_extents+0x325/0x4d0 - ext4_ext_map_blocks+0x520/0xdb0 - ext4_map_blocks+0x2b0/0x690 - ext4_iomap_begin+0x20e/0x2c0 -[...] -================================================================== - -Therefore, *orig_path is updated when the extent lookup succeeds, so that -the caller can safely use path or *ppath. 
- -Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary") -Cc: stable@kernel.org -Signed-off-by: Baokun Li -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/extents.c | 3 ++- - fs/ext4/move_extent.c | 1 - - 2 files changed, 2 insertions(+), 2 deletions(-) - ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -945,6 +945,8 @@ ext4_find_extent(struct inode *inode, ex - - ext4_ext_show_path(inode, path); - -+ if (orig_path) -+ *orig_path = path; - return path; - - err: -@@ -3295,7 +3297,6 @@ static int ext4_split_extent_at(handle_t - } - depth = ext_depth(inode); - ex = path[depth].p_ext; -- *ppath = path; - - if (EXT4_EXT_MAY_ZEROOUT & split_flag) { - if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { ---- a/fs/ext4/move_extent.c -+++ b/fs/ext4/move_extent.c -@@ -37,7 +37,6 @@ get_ext_path(struct inode *inode, ext4_l - *ppath = NULL; - return -ENODATA; - } -- *ppath = path; - return 0; - } - diff --git a/queue-4.19/series b/queue-4.19/series index 08153a62260..33a0da588c4 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -187,10 +187,8 @@ perf-core-fix-small-negative-period-being-ignored.patch parisc-fix-itlb-miss-handler-for-64-bit-programs.patch alsa-core-add-isascii-check-to-card-id-generator.patch ext4-no-need-to-continue-when-the-number-of-entries-is-1.patch -ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch ext4-fix-incorrect-tid-assumption-in-__jbd2_log_wait_for_space.patch ext4-aovid-use-after-free-in-ext4_ext_insert_extent.patch ext4-fix-double-brelse-the-buffer-of-the-extents-path.patch -ext4-update-orig_path-in-ext4_find_extent.patch ext4-fix-incorrect-tid-assumption-in-ext4_wait_for_tail_page_commit.patch 
diff --git a/queue-5.4/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch b/queue-5.4/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
deleted file mode 100644
index cd6d108011d..00000000000
--- a/queue-5.4/ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch
+++ /dev/null
@@ -1,127 +0,0 @@ -From c26ab35702f8cd0cdc78f96aa5856bfb77be798f Mon Sep 17 00:00:00 2001 -From: Baokun Li -Date: Thu, 22 Aug 2024 10:35:23 +0800 -Subject: ext4: fix slab-use-after-free in ext4_split_extent_at() - -From: Baokun Li - -commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream. - -We hit the following use-after-free: - -================================================================== -BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0 -Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40 -CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724 -Call Trace: - - kasan_report+0x93/0xc0 - ext4_split_extent_at+0xba8/0xcc0 - ext4_split_extent.isra.0+0x18f/0x500 - ext4_split_convert_extents+0x275/0x750 - ext4_ext_handle_unwritten_extents+0x73e/0x1580 - ext4_ext_map_blocks+0xe20/0x2dc0 - ext4_map_blocks+0x724/0x1700 - ext4_do_writepages+0x12d6/0x2a70 -[...] - -Allocated by task 40: - __kmalloc_noprof+0x1ac/0x480 - ext4_find_extent+0xf3b/0x1e70 - ext4_ext_map_blocks+0x188/0x2dc0 - ext4_map_blocks+0x724/0x1700 - ext4_do_writepages+0x12d6/0x2a70 -[...] - -Freed by task 40: - kfree+0xf1/0x2b0 - ext4_find_extent+0xa71/0x1e70 - ext4_ext_insert_extent+0xa22/0x3260 - ext4_split_extent_at+0x3ef/0xcc0 - ext4_split_extent.isra.0+0x18f/0x500 - ext4_split_convert_extents+0x275/0x750 - ext4_ext_handle_unwritten_extents+0x73e/0x1580 - ext4_ext_map_blocks+0xe20/0x2dc0 - ext4_map_blocks+0x724/0x1700 - ext4_do_writepages+0x12d6/0x2a70 -[...] -================================================================== - -The flow of issue triggering is as follows: - -ext4_split_extent_at - path = *ppath - ext4_ext_insert_extent(ppath) - ext4_ext_create_new_leaf(ppath) - ext4_find_extent(orig_path) - path = *orig_path - read_extent_tree_block - // return -ENOMEM or -EIO - ext4_free_ext_path(path) - kfree(path) - *orig_path = NULL - a. If err is -ENOMEM: - ext4_ext_dirty(path + path->p_depth) - // path use-after-free !!! - b. 
If err is -EIO and we have EXT_DEBUG defined: - ext4_ext_show_leaf(path) - eh = path[depth].p_hdr - // path also use-after-free !!! - -So when trying to zeroout or fix the extent length, call ext4_find_extent() -to update the path. - -In addition we use *ppath directly as an ext4_ext_show_leaf() input to -avoid possible use-after-free when EXT_DEBUG is defined, and to avoid -unnecessary path updates. - -Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code") -Cc: stable@kernel.org -Signed-off-by: Baokun Li -Reviewed-by: Jan Kara -Reviewed-by: Ojaswin Mujoo -Tested-by: Ojaswin Mujoo -Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/extents.c | 21 ++++++++++++++++++++- - 1 file changed, 20 insertions(+), 1 deletion(-) - ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -3422,6 +3422,25 @@ static int ext4_split_extent_at(handle_t - if (err != -ENOSPC && err != -EDQUOT) - goto out; - -+ /* -+ * Update path is required because previous ext4_ext_insert_extent() -+ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL -+ * guarantees that ext4_find_extent() will not return -ENOMEM, -+ * otherwise -ENOMEM will cause a retry in do_writepages(), and a -+ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to -+ * an incorrect ee_len causing the i_reserved_data_blocks exception. 
-+ */ -+ path = ext4_find_extent(inode, ee_block, ppath, -+ flags | EXT4_EX_NOFAIL); -+ if (IS_ERR(path)) { -+ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld", -+ split, PTR_ERR(path)); -+ return PTR_ERR(path); -+ } -+ depth = ext_depth(inode); -+ ex = path[depth].p_ext; -+ *ppath = path; -+ - if (EXT4_EXT_MAY_ZEROOUT & split_flag) { - if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { - if (split_flag & EXT4_EXT_DATA_VALID1) { -@@ -3470,7 +3489,7 @@ fix_extent_len: - ext4_ext_dirty(handle, inode, path + path->p_depth); - return err; - out: -- ext4_ext_show_leaf(inode, path); -+ ext4_ext_show_leaf(inode, *ppath); - return err; - } - diff --git a/queue-5.4/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch b/queue-5.4/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch index cc31ca9ba78..20ad68781ad 100644 --- a/queue-5.4/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch +++ b/queue-5.4/ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch @@ -27,7 +27,7 @@ Signed-off-by: Greg Kroah-Hartman --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c -@@ -5760,6 +5760,7 @@ int ext4_insert_range(struct inode *inod +@@ -5741,6 +5741,7 @@ int ext4_insert_range(struct inode *inod path = ext4_find_extent(inode, offset_lblk, NULL, 0); if (IS_ERR(path)) { up_write(&EXT4_I(inode)->i_data_sem); diff --git a/queue-5.4/ext4-update-orig_path-in-ext4_find_extent.patch b/queue-5.4/ext4-update-orig_path-in-ext4_find_extent.patch deleted file mode 100644 index 757290f9787..00000000000 --- a/queue-5.4/ext4-update-orig_path-in-ext4_find_extent.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 Mon Sep 17 00:00:00 2001 -From: Baokun Li -Date: Thu, 22 Aug 2024 10:35:25 +0800 -Subject: ext4: update orig_path in ext4_find_extent() - -From: Baokun Li - -commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 upstream. - -In ext4_find_extent(), if the path is not big enough, we free it and set -*orig_path to NULL. But after reallocating and successfully initializing -the path, we don't update *orig_path, in which case the caller gets a -valid path but a NULL ppath, and this may cause a NULL pointer dereference -or a path memory leak. For example: - -ext4_split_extent - path = *ppath = 2000 - ext4_find_extent - if (depth > path[0].p_maxdepth) - kfree(path = 2000); - *orig_path = path = NULL; - path = kcalloc() = 3000 - ext4_split_extent_at(*ppath = NULL) - path = *ppath; - ex = path[depth].p_ext; - // NULL pointer dereference! - -================================================================== -BUG: kernel NULL pointer dereference, address: 0000000000000010 -CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847 -RIP: 0010:ext4_split_extent_at+0x6d/0x560 -Call Trace: - - ext4_split_extent.isra.0+0xcb/0x1b0 - ext4_ext_convert_to_initialized+0x168/0x6c0 - ext4_ext_handle_unwritten_extents+0x325/0x4d0 - ext4_ext_map_blocks+0x520/0xdb0 - ext4_map_blocks+0x2b0/0x690 - ext4_iomap_begin+0x20e/0x2c0 -[...] -================================================================== - -Therefore, *orig_path is updated when the extent lookup succeeds, so that -the caller can safely use path or *ppath. 
- -Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary") -Cc: stable@kernel.org -Signed-off-by: Baokun Li -Reviewed-by: Jan Kara -Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Greg Kroah-Hartman ---- - fs/ext4/extents.c | 3 ++- - fs/ext4/move_extent.c | 1 - - 2 files changed, 2 insertions(+), 2 deletions(-) - ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -984,6 +984,8 @@ ext4_find_extent(struct inode *inode, ex - - ext4_ext_show_path(inode, path); - -+ if (orig_path) -+ *orig_path = path; - return path; - - err: -@@ -3441,7 +3443,6 @@ static int ext4_split_extent_at(handle_t - } - depth = ext_depth(inode); - ex = path[depth].p_ext; -- *ppath = path; - - if (EXT4_EXT_MAY_ZEROOUT & split_flag) { - if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { ---- a/fs/ext4/move_extent.c -+++ b/fs/ext4/move_extent.c -@@ -36,7 +36,6 @@ get_ext_path(struct inode *inode, ext4_l - *ppath = NULL; - return -ENODATA; - } -- *ppath = path; - return 0; - } - diff --git a/queue-5.4/series b/queue-5.4/series index c55c5a21f10..ee7ccc56c9c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -251,10 +251,8 @@ drm-consistently-use-struct-drm_mode_rect-for-fb_damage_clips.patch alsa-core-add-isascii-check-to-card-id-generator.patch alsa-hda-realtek-add-quirk-for-huawei-matebook-13-klv-wx9.patch ext4-no-need-to-continue-when-the-number-of-entries-is-1.patch -ext4-fix-slab-use-after-free-in-ext4_split_extent_at.patch ext4-propagate-errors-from-ext4_find_extent-in-ext4_insert_range.patch ext4-fix-incorrect-tid-assumption-in-__jbd2_log_wait_for_space.patch ext4-aovid-use-after-free-in-ext4_ext_insert_extent.patch ext4-fix-double-brelse-the-buffer-of-the-extents-path.patch -ext4-update-orig_path-in-ext4_find_extent.patch ext4-fix-incorrect-tid-assumption-in-ext4_wait_for_tail_page_commit.patch