From: Greg Kroah-Hartman
Date: Sun, 3 Apr 2022 11:45:40 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.17.2~145
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f4e2edc42ea2aa9c73dbc72e2a450cac466d723;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
ubifs-add-missing-iput-if-do_tmpfile-failed-in-rename-whiteout.patch
ubifs-rename_whiteout-correct-old_dir-size-computing.patch
ubifs-rename_whiteout-fix-double-free-for-whiteout_ui-data.patch
ubifs-setflags-make-dirtied_ino_d-8-bytes-aligned.patch
---

diff --git a/queue-4.14/series b/queue-4.14/series
index 7552a4fda23..d708c2152ae 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -187,3 +187,7 @@ powerpc-lib-sstep-fix-build-errors-with-newer-binutils.patch
 scsi-qla2xxx-fix-warning-for-missing-error-code.patch
 scsi-qla2xxx-suppress-a-kernel-complaint-in-qla_create_qpair.patch
 kvm-prevent-module-exit-until-all-vms-are-freed.patch
+ubifs-rename_whiteout-fix-double-free-for-whiteout_ui-data.patch
+ubifs-add-missing-iput-if-do_tmpfile-failed-in-rename-whiteout.patch
+ubifs-setflags-make-dirtied_ino_d-8-bytes-aligned.patch
+ubifs-rename_whiteout-correct-old_dir-size-computing.patch
diff --git a/queue-4.14/ubifs-add-missing-iput-if-do_tmpfile-failed-in-rename-whiteout.patch b/queue-4.14/ubifs-add-missing-iput-if-do_tmpfile-failed-in-rename-whiteout.patch
new file mode 100644
index 00000000000..7c23a1978a5
--- /dev/null
+++ b/queue-4.14/ubifs-add-missing-iput-if-do_tmpfile-failed-in-rename-whiteout.patch
@@ -0,0 +1,35 @@
+From 716b4573026bcbfa7b58ed19fe15554bac66b082 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng
+Date: Mon, 27 Dec 2021 11:22:35 +0800
+Subject: ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
+
+From: Zhihao Cheng
+
+commit 716b4573026bcbfa7b58ed19fe15554bac66b082 upstream.
+
+whiteout inode should be put when do_tmpfile() failed if inode has been
+initialized. Otherwise we will get following warning during umount:
+ UBIFS error (ubi0:0 pid 1494): ubifs_assert_failed [ubifs]: UBIFS
+ assert failed: c->bi.dd_growth == 0, in fs/ubifs/super.c:1930
+ VFS: Busy inodes after unmount of ubifs. Self-destruct in 5 seconds.
+
+Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
+Signed-off-by: Zhihao Cheng
+Suggested-by: Sascha Hauer
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -468,6 +468,8 @@ out_inode:
+ make_bad_inode(inode);
+ if (!instantiated)
+ iput(inode);
++ else if (whiteout)
++ iput(*whiteout);
+ out_budg:
+ ubifs_release_budget(c, &req);
+ if (!instantiated)
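Review bot: After the new `iput(*whiteout);` the caller-visible `*whiteout` still holds a pointer to the released inode, so any caller that inspects it after a failed do_tmpfile() would be using freed memory; clearing it alongside the put, `iput(*whiteout); *whiteout = NULL;`, makes the ownership unambiguous at no cost. If do_rename() only consults whiteout after checking the return code (its code is not visible here), this is defensive rather than a live bug, but the error path is the one place where such a stale pointer is cheap to neutralise. do_tmpfile()'s body starts outside the hunk, so the assignments to `instantiated` and `*whiteout` that this branch depends on are not visible here.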
@@ -0,0 +1,35 @@
+From 705757274599e2e064dd3054aabc74e8af31a095 Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Tue, 15 Feb 2022 12:07:36 +0800
+Subject: ubifs: rename_whiteout: correct old_dir size computing
+
+From: Baokun Li
+
+commit 705757274599e2e064dd3054aabc74e8af31a095 upstream.
+
+When renaming the whiteout file, the old whiteout file is not deleted.
+Therefore, we add the old dentry size to the old dir like XFS.
+Otherwise, an error may be reported due to `fscki->calc_sz != fscki->size`
+in check_indes.
+
+Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
+Reported-by: Zhihao Cheng
+Signed-off-by: Baokun Li
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1452,6 +1452,9 @@ static int do_rename(struct inode *old_d
+ if (unlink)
+ drop_nlink(old_dir);
+ }
++
++ /* Add the old_dentry size to the old_dir size. */
++ old_sz -= CALC_DENT_SIZE(fname_len(&old_nm));
+ }
+ 
+ old_dir->i_size -= old_sz;
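Review bot: The new `old_sz -= CALC_DENT_SIZE(fname_len(&old_nm));` lands between the `}` that closes the `if (unlink) drop_nlink(old_dir);` branch and an outer `}`, and nothing in the visible context ties that enclosing block to `whiteout`; the upstream change places this adjustment inside the RENAME_WHITEOUT branch, because the old dentry's size must only be retained when a whiteout actually takes its place. If the enclosing block here is the directory link-count block rather than the whiteout branch (the `if` itself is outside the hunk), the backport has been fuzzed into the wrong spot and would apply the correction to every directory rename while leaving non-directory whiteout renames uncorrected, which is the case the commit message describes. Please confirm the enclosing condition against 4.14's do_rename(), or make the guard explicit where the line sits: `if (whiteout) old_sz -= CALC_DENT_SIZE(fname_len(&old_nm));`. do_rename() begins and ends outside the hunk.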
@@ -0,0 +1,71 @@
+From 40a8f0d5e7b3999f096570edab71c345da812e3e Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng
+Date: Mon, 27 Dec 2021 11:22:32 +0800
+Subject: ubifs: rename_whiteout: Fix double free for whiteout_ui->data
+
+From: Zhihao Cheng
+
+commit 40a8f0d5e7b3999f096570edab71c345da812e3e upstream.
+
+'whiteout_ui->data' will be freed twice if space budget fail for
+rename whiteout operation as following process:
+
+rename_whiteout
+ dev = kmalloc
+ whiteout_ui->data = dev
+ kfree(whiteout_ui->data) // Free first time
+ iput(whiteout)
+ ubifs_free_inode
+ kfree(ui->data) // Double free!
+
+KASAN reports:
+==================================================================
+BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
+Call Trace:
+ kfree+0x117/0x490
+ ubifs_free_inode+0x4f/0x70 [ubifs]
+ i_callback+0x30/0x60
+ rcu_do_batch+0x366/0xac0
+ __do_softirq+0x133/0x57f
+
+Allocated by task 1506:
+ kmem_cache_alloc_trace+0x3c2/0x7a0
+ do_rename+0x9b7/0x1150 [ubifs]
+ ubifs_rename+0x106/0x1f0 [ubifs]
+ do_syscall_64+0x35/0x80
+
+Freed by task 1506:
+ kfree+0x117/0x490
+ do_rename.cold+0x53/0x8a [ubifs]
+ ubifs_rename+0x106/0x1f0 [ubifs]
+ do_syscall_64+0x35/0x80
+
+The buggy address belongs to the object at ffff88810238bed8 which
+belongs to the cache kmalloc-8 of size 8
+==================================================================
+
+Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
+assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
+-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
+(because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release',
+ and the nlink of whiteout inode is 0).
+
+Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
+Signed-off-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/dir.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -1496,8 +1496,6 @@ static int do_rename(struct inode *old_d
+ 
+ err = ubifs_budget_space(c, &wht_req);
+ if (err) {
+- kfree(whiteout_ui->data);
+- whiteout_ui->data_len = 0;
+ iput(whiteout);
+ goto out_release;
+ }
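Review bot: The bare `iput(whiteout);` on the budget-failure path now silently depends on ubifs_free_inode() releasing `whiteout_ui->data`, and nothing at the call site says so, which is how the redundant kfree() crept in to begin with; a one-line comment would pin the ownership, e.g. `/* whiteout_ui->data is owned by the inode; ubifs_free_inode() frees it. */`. The commit message's argument that dropping `data_len = 0` is safe rests on the whiteout's nlink still being 0 at this point because `inc_nlink(whiteout)` comes after the check; that ordering is outside the hunk, so it is worth re-verifying against 4.14's do_rename() rather than taking it from the mainline description. do_rename() begins and ends outside the hunk.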
@@ -0,0 +1,38 @@
+From 1b83ec057db16b4d0697dc21ef7a9743b6041f72 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng
+Date: Mon, 27 Dec 2021 11:22:39 +0800
+Subject: ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
+
+From: Zhihao Cheng
+
+commit 1b83ec057db16b4d0697dc21ef7a9743b6041f72 upstream.
+
+Make 'ui->data_len' aligned with 8 bytes before it is assigned to
+dirtied_ino_d. Since 8871d84c8f8b0c6b("ubifs: convert to fileattr")
+applied, 'setflags()' only affects regular files and directories, only
+xattr inode, symlink inode and special inode(pipe/char_dev/block_dev)
+have none- zero 'ui->data_len' field, so assertion
+'!(req->dirtied_ino_d & 7)' cannot fail in ubifs_budget_space().
+To avoid assertion fails in future evolution(eg. setflags can operate
+special inodes), it's better to make dirtied_ino_d 8 bytes aligned,
+after all aligned size is still zero for regular files.
+
+Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
+Signed-off-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ubifs/ioctl.c
++++ b/fs/ubifs/ioctl.c
+@@ -110,7 +110,7 @@ static int setflags(struct inode *inode,
+ struct ubifs_inode *ui = ubifs_inode(inode);
+ struct ubifs_info *c = inode->i_sb->s_fs_info;
+ struct ubifs_budget_req req = { .dirtied_ino = 1,
+- .dirtied_ino_d = ui->data_len };
++ .dirtied_ino_d = ALIGN(ui->data_len, 8) };
+ 
+ err = ubifs_budget_space(c, &req);
+ if (err)
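Review bot: The commit message justifies `.dirtied_ino_d = ALIGN(ui->data_len, 8)` as future-proofing by citing 8871d84c8f8b0c6b ("ubifs: convert to fileattr"), a commit that post-dates 4.14; if 4.14's ubifs_ioctl() does not restrict FS_IOC_SETFLAGS to regular files and directories the same way (not visible here), the `!(req->dirtied_ino_d & 7)` assertion in ubifs_budget_space() may actually be reachable on this branch, which would make this a real fix rather than a precaution and deserves a sentence in the backport note. The change itself needs no further guard, since an aligned zero stays zero for the regular-file case the message describes. setflags() continues past the hunk, so the release of `req` on the error and success paths is not visible here.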