From: Greg Kroah-Hartman Date: Mon, 6 Mar 2023 13:46:11 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.2.3~87 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab6172b1233fa9fc2f50597c19a14ceccc906ac0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch hfs-fix-missing-hfs_bnode_get-in-__hfs_bnode_create.patch ocfs2-fix-defrag-path-triggering-jbd2-assert.patch ocfs2-fix-non-auto-defrag-path-not-working-issue.patch udf-do-not-bother-merging-very-long-extents.patch udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch udf-truncate-added-extents-on-failed-expansion.patch --- diff --git a/queue-4.19/f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch b/queue-4.19/f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch new file mode 100644 index 00000000000..7e3e0f79e08 --- /dev/null +++ b/queue-4.19/f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch @@ -0,0 +1,56 @@ +From 9a5571cff4ffcfc24847df9fd545cc5799ac0ee5 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 22 Jan 2023 23:04:14 -0800 +Subject: f2fs: fix information leak in f2fs_move_inline_dirents() + +From: Eric Biggers + +commit 9a5571cff4ffcfc24847df9fd545cc5799ac0ee5 upstream. + +When converting an inline directory to a regular one, f2fs is leaking +uninitialized memory to disk because it doesn't initialize the entire +directory block. Fix this by zero-initializing the block. + +This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded +initializing when converting inline dentry"), which didn't consider the +security implications of leaking uninitialized memory to disk. + +This was found by running xfstest generic/435 on a KMSAN-enabled kernel. + +Fixes: 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry") +Cc: # v4.3+ +Signed-off-by: Eric Biggers +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inline.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -408,18 +408,17 @@ static int f2fs_move_inline_dirents(stru + + dentry_blk = page_address(page); + ++ /* ++ * Start by zeroing the full block, to ensure that all unused space is ++ * zeroed and no uninitialized memory is leaked to disk. ++ */ ++ memset(dentry_blk, 0, F2FS_BLKSIZE); ++ + make_dentry_ptr_inline(dir, &src, inline_dentry); + make_dentry_ptr_block(dir, &dst, dentry_blk); + + /* copy data from inline dentry block to new dentry block */ + memcpy(dst.bitmap, src.bitmap, src.nr_bitmap); +- memset(dst.bitmap + src.nr_bitmap, 0, dst.nr_bitmap - src.nr_bitmap); +- /* +- * we do not need to zero out remainder part of dentry and filename +- * field, since we have used bitmap for marking the usage status of +- * them, besides, we can also ignore copying/zeroing reserved space +- * of dentry block, because them haven't been used so far. +- */ + memcpy(dst.dentry, src.dentry, SIZE_OF_DIR_ENTRY * src.max); + memcpy(dst.filename, src.filename, src.max * F2FS_SLOT_LEN); + diff --git a/queue-4.19/fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch b/queue-4.19/fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch new file mode 100644 index 00000000000..a6392992ac1 --- /dev/null +++ b/queue-4.19/fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch @@ -0,0 +1,52 @@ +From 07db5e247ab5858439b14dd7cc1fe538b9efcf32 Mon Sep 17 00:00:00 2001 +From: Dongliang Mu +Date: Sun, 26 Feb 2023 20:49:47 +0800 +Subject: fs: hfsplus: fix UAF issue in hfsplus_put_super + +From: Dongliang Mu + +commit 07db5e247ab5858439b14dd7cc1fe538b9efcf32 upstream. + +The current hfsplus_put_super first calls hfs_btree_close on +sbi->ext_tree, then invokes iput on sbi->hidden_dir, resulting in an +use-after-free issue in hfsplus_release_folio. + +As shown in hfsplus_fill_super, the error handling code also calls iput +before hfs_btree_close. + +To fix this error, we move all iput calls before hfsplus_btree_close. + +Note that this patch is tested on Syzbot. + +Link: https://lkml.kernel.org/r/20230226124948.3175736-1-mudongliangabcd@gmail.com +Reported-by: syzbot+57e3e98f7e3b80f64d56@syzkaller.appspotmail.com +Tested-by: Dongliang Mu +Signed-off-by: Dongliang Mu +Cc: Bart Van Assche +Cc: Jens Axboe +Cc: Muchun Song +Cc: Roman Gushchin +Cc: "Theodore Ts'o" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/super.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -294,11 +294,11 @@ static void hfsplus_put_super(struct sup + hfsplus_sync_fs(sb, 1); + } + ++ iput(sbi->alloc_file); ++ iput(sbi->hidden_dir); + hfs_btree_close(sbi->attr_tree); + hfs_btree_close(sbi->cat_tree); + hfs_btree_close(sbi->ext_tree); +- iput(sbi->alloc_file); +- iput(sbi->hidden_dir); + kfree(sbi->s_vhdr_buf); + kfree(sbi->s_backup_vhdr_buf); + unload_nls(sbi->nls); diff --git a/queue-4.19/hfs-fix-missing-hfs_bnode_get-in-__hfs_bnode_create.patch b/queue-4.19/hfs-fix-missing-hfs_bnode_get-in-__hfs_bnode_create.patch new file mode 100644 index 00000000000..d18b0859bd1 --- /dev/null +++ b/queue-4.19/hfs-fix-missing-hfs_bnode_get-in-__hfs_bnode_create.patch @@ -0,0 +1,98 @@ +From a9dc087fd3c484fd1ed18c5efb290efaaf44ce03 Mon Sep 17 00:00:00 2001 +From: Liu Shixin +Date: Mon, 12 Dec 2022 10:16:27 +0800 +Subject: hfs: fix missing hfs_bnode_get() in __hfs_bnode_create + +From: Liu Shixin + +commit a9dc087fd3c484fd1ed18c5efb290efaaf44ce03 upstream. + +Syzbot found a kernel BUG in hfs_bnode_put(): + + kernel BUG at fs/hfs/bnode.c:466! + invalid opcode: 0000 [#1] PREEMPT SMP KASAN + CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0 + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 + Workqueue: writeback wb_workfn (flush-7:0) + RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466 + Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56 + RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293 + RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1 + R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80 + R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00 + FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + hfs_write_inode+0x1bc/0xb40 + write_inode fs/fs-writeback.c:1440 [inline] + __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652 + writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878 + __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949 + wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054 + wb_check_start_all fs/fs-writeback.c:2176 [inline] + wb_do_writeback fs/fs-writeback.c:2202 [inline] + wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235 + process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 + worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 + kthread+0x266/0x300 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +The BUG_ON() is triggered at here: + +/* Dispose of resources used by a node */ +void hfs_bnode_put(struct hfs_bnode *node) +{ + if (node) { + + BUG_ON(!atomic_read(&node->refcnt)); <- we have issue here!!!! + + } +} + +By tracing the refcnt, I found the node is created by hfs_bmap_alloc() +with refcnt 1. Then the node is used by hfs_btree_write(). There is a +missing of hfs_bnode_get() after find the node. The issue happened in +following path: + + + hfs_bmap_alloc + hfs_bnode_find + __hfs_bnode_create <- allocate a new node with refcnt 1. + hfs_bnode_put <- decrease the refcnt + + + hfs_btree_write + hfs_bnode_find + __hfs_bnode_create + hfs_bnode_findhash <- find the node without refcnt increased. + hfs_bnode_put <- trigger the BUG_ON() since refcnt is 0. + +Link: https://lkml.kernel.org/r/20221212021627.3766829-1-liushixin2@huawei.com +Reported-by: syzbot+5b04b49a7ec7226c7426@syzkaller.appspotmail.com +Signed-off-by: Liu Shixin +Cc: Fabio M. De Francesco +Cc: Viacheslav Dubeyko +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfs/bnode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -281,6 +281,7 @@ static struct hfs_bnode *__hfs_bnode_cre + tree->node_hash[hash] = node; + tree->node_hash_cnt++; + } else { ++ hfs_bnode_get(node2); + spin_unlock(&tree->hash_lock); + kfree(node); + wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); diff --git a/queue-4.19/ocfs2-fix-defrag-path-triggering-jbd2-assert.patch b/queue-4.19/ocfs2-fix-defrag-path-triggering-jbd2-assert.patch new file mode 100644 index 00000000000..a2eaeae36d9 --- /dev/null +++ b/queue-4.19/ocfs2-fix-defrag-path-triggering-jbd2-assert.patch @@ -0,0 +1,100 @@ +From 60eed1e3d45045623e46944ebc7c42c30a4350f0 Mon Sep 17 00:00:00 2001 +From: Heming Zhao via Ocfs2-devel +Date: Fri, 17 Feb 2023 08:37:17 +0800 +Subject: ocfs2: fix defrag path triggering jbd2 ASSERT + +From: Heming Zhao via Ocfs2-devel + +commit 60eed1e3d45045623e46944ebc7c42c30a4350f0 upstream. + +code path: + +ocfs2_ioctl_move_extents + ocfs2_move_extents + ocfs2_defrag_extent + __ocfs2_move_extent + + ocfs2_journal_access_di + + ocfs2_split_extent //sub-paths call jbd2_journal_restart + + ocfs2_journal_dirty //crash by jbs2 ASSERT + +crash stacks: + +PID: 11297 TASK: ffff974a676dcd00 CPU: 67 COMMAND: "defragfs.ocfs2" + #0 [ffffb25d8dad3900] machine_kexec at ffffffff8386fe01 + #1 [ffffb25d8dad3958] __crash_kexec at ffffffff8395959d + #2 [ffffb25d8dad3a20] crash_kexec at ffffffff8395a45d + #3 [ffffb25d8dad3a38] oops_end at ffffffff83836d3f + #4 [ffffb25d8dad3a58] do_trap at ffffffff83833205 + #5 [ffffb25d8dad3aa0] do_invalid_op at ffffffff83833aa6 + #6 [ffffb25d8dad3ac0] invalid_op at ffffffff84200d18 + [exception RIP: jbd2_journal_dirty_metadata+0x2ba] + RIP: ffffffffc09ca54a RSP: ffffb25d8dad3b70 RFLAGS: 00010207 + RAX: 0000000000000000 RBX: ffff9706eedc5248 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: ffff97337029ea28 RDI: ffff9706eedc5250 + RBP: ffff9703c3520200 R8: 000000000f46b0b2 R9: 0000000000000000 + R10: 0000000000000001 R11: 00000001000000fe R12: ffff97337029ea28 + R13: 0000000000000000 R14: ffff9703de59bf60 R15: ffff9706eedc5250 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #7 [ffffb25d8dad3ba8] ocfs2_journal_dirty at ffffffffc137fb95 [ocfs2] + #8 [ffffb25d8dad3be8] __ocfs2_move_extent at ffffffffc139a950 [ocfs2] + #9 [ffffb25d8dad3c80] ocfs2_defrag_extent at ffffffffc139b2d2 [ocfs2] + +Analysis + +This bug has the same root cause of 'commit 7f27ec978b0e ("ocfs2: call +ocfs2_journal_access_di() before ocfs2_journal_dirty() in +ocfs2_write_end_nolock()")'. For this bug, jbd2_journal_restart() is +called by ocfs2_split_extent() during defragmenting. + +How to fix + +For ocfs2_split_extent() can handle journal operations totally by itself. +Caller doesn't need to call journal access/dirty pair, and caller only +needs to call journal start/stop pair. The fix method is to remove +journal access/dirty from __ocfs2_move_extent(). + +The discussion for this patch: +https://oss.oracle.com/pipermail/ocfs2-devel/2023-February/000647.html + +Link: https://lkml.kernel.org/r/20230217003717.32469-1-heming.zhao@suse.com +Signed-off-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/move_extents.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -115,14 +115,6 @@ static int __ocfs2_move_extent(handle_t + */ + replace_rec.e_flags = ext_flags & ~OCFS2_EXT_REFCOUNTED; + +- ret = ocfs2_journal_access_di(handle, INODE_CACHE(inode), +- context->et.et_root_bh, +- OCFS2_JOURNAL_ACCESS_WRITE); +- if (ret) { +- mlog_errno(ret); +- goto out; +- } +- + ret = ocfs2_split_extent(handle, &context->et, path, index, + &replace_rec, context->meta_ac, + &context->dealloc); +@@ -131,8 +123,6 @@ static int __ocfs2_move_extent(handle_t + goto out; + } + +- ocfs2_journal_dirty(handle, context->et.et_root_bh); +- + context->new_phys_cpos = new_p_cpos; + + /* diff --git a/queue-4.19/ocfs2-fix-non-auto-defrag-path-not-working-issue.patch b/queue-4.19/ocfs2-fix-non-auto-defrag-path-not-working-issue.patch new file mode 100644 index 00000000000..5efc049bf54 --- /dev/null +++ b/queue-4.19/ocfs2-fix-non-auto-defrag-path-not-working-issue.patch @@ -0,0 +1,91 @@ +From 236b9254f8d1edc273ad88b420aa85fbd84f492d Mon Sep 17 00:00:00 2001 +From: Heming Zhao via Ocfs2-devel +Date: Mon, 20 Feb 2023 13:05:26 +0800 +Subject: ocfs2: fix non-auto defrag path not working issue + +From: Heming Zhao via Ocfs2-devel + +commit 236b9254f8d1edc273ad88b420aa85fbd84f492d upstream. + +This fixes three issues on move extents ioctl without auto defrag: + +a) In ocfs2_find_victim_alloc_group(), we have to convert bits to block + first in case of global bitmap. + +b) In ocfs2_probe_alloc_group(), when finding enough bits in block + group bitmap, we have to back off move_len to start pos as well, + otherwise it may corrupt filesystem. + +c) In ocfs2_ioctl_move_extents(), set me_threshold both for non-auto + and auto defrag paths. Otherwise it will set move_max_hop to 0 and + finally cause unexpectedly ENOSPC error. + +Currently there are no tools triggering the above issues since +defragfs.ocfs2 enables auto defrag by default. Tested with manually +changing defragfs.ocfs2 to run non auto defrag path. + +Link: https://lkml.kernel.org/r/20230220050526.22020-1-heming.zhao@suse.com +Signed-off-by: Heming Zhao +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/move_extents.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -444,7 +444,7 @@ static int ocfs2_find_victim_alloc_group + bg = (struct ocfs2_group_desc *)gd_bh->b_data; + + if (vict_blkno < (le64_to_cpu(bg->bg_blkno) + +- le16_to_cpu(bg->bg_bits))) { ++ (le16_to_cpu(bg->bg_bits) << bits_per_unit))) { + + *ret_bh = gd_bh; + *vict_bit = (vict_blkno - blkno) >> +@@ -559,6 +559,7 @@ static void ocfs2_probe_alloc_group(stru + last_free_bits++; + + if (last_free_bits == move_len) { ++ i -= move_len; + *goal_bit = i; + *phys_cpos = base_cpos + i; + break; +@@ -1030,18 +1031,19 @@ int ocfs2_ioctl_move_extents(struct file + + context->range = ⦥ + ++ /* ++ * ok, the default theshold for the defragmentation ++ * is 1M, since our maximum clustersize was 1M also. ++ * any thought? ++ */ ++ if (!range.me_threshold) ++ range.me_threshold = 1024 * 1024; ++ ++ if (range.me_threshold > i_size_read(inode)) ++ range.me_threshold = i_size_read(inode); ++ + if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) { + context->auto_defrag = 1; +- /* +- * ok, the default theshold for the defragmentation +- * is 1M, since our maximum clustersize was 1M also. +- * any thought? +- */ +- if (!range.me_threshold) +- range.me_threshold = 1024 * 1024; +- +- if (range.me_threshold > i_size_read(inode)) +- range.me_threshold = i_size_read(inode); + + if (range.me_flags & OCFS2_MOVE_EXT_FL_PART_DEFRAG) + context->partial = 1; diff --git a/queue-4.19/series b/queue-4.19/series index 06266a03a07..772c837e996 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -145,3 +145,12 @@ s390-discard-.interp-section.patch s390-kprobes-fix-irq-mask-clobbering-on-kprobe-reenter-from-post_handler.patch s390-kprobes-fix-current_kprobe-never-cleared-after-kprobes-reenter.patch arm-dts-exynos-correct-hdmi-phy-compatible-in-exynos4.patch +hfs-fix-missing-hfs_bnode_get-in-__hfs_bnode_create.patch +fs-hfsplus-fix-uaf-issue-in-hfsplus_put_super.patch +f2fs-fix-information-leak-in-f2fs_move_inline_dirents.patch +ocfs2-fix-defrag-path-triggering-jbd2-assert.patch +ocfs2-fix-non-auto-defrag-path-not-working-issue.patch +udf-truncate-added-extents-on-failed-expansion.patch +udf-do-not-bother-merging-very-long-extents.patch +udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch +udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch diff --git a/queue-4.19/udf-do-not-bother-merging-very-long-extents.patch b/queue-4.19/udf-do-not-bother-merging-very-long-extents.patch new file mode 100644 index 00000000000..23cad48a443 --- /dev/null +++ b/queue-4.19/udf-do-not-bother-merging-very-long-extents.patch @@ -0,0 +1,52 @@ +From 53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 16 Dec 2022 12:37:51 +0100 +Subject: udf: Do not bother merging very long extents + +From: Jan Kara + +commit 53cafe1d6d8ef9f93318e5bfccc0d24f27d41ced upstream. + +When merging very long extents we try to push as much length as possible +to the first extent. However this is unnecessarily complicated and not +really worth the trouble. Furthermore there was a bug in the logic +resulting in corrupting extents in the file as syzbot reproducer shows. +So just don't bother with the merging of extents that are too long +together. + +CC: stable@vger.kernel.org +Reported-by: syzbot+60f291a24acecb3c2bd5@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/inode.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1089,23 +1089,8 @@ static void udf_merge_extents(struct ino + blocksize - 1) >> blocksize_bits)))) { + + if (((li->extLength & UDF_EXTENT_LENGTH_MASK) + +- (lip1->extLength & UDF_EXTENT_LENGTH_MASK) + +- blocksize - 1) & ~UDF_EXTENT_LENGTH_MASK) { +- lip1->extLength = (lip1->extLength - +- (li->extLength & +- UDF_EXTENT_LENGTH_MASK) + +- UDF_EXTENT_LENGTH_MASK) & +- ~(blocksize - 1); +- li->extLength = (li->extLength & +- UDF_EXTENT_FLAG_MASK) + +- (UDF_EXTENT_LENGTH_MASK + 1) - +- blocksize; +- lip1->extLocation.logicalBlockNum = +- li->extLocation.logicalBlockNum + +- ((li->extLength & +- UDF_EXTENT_LENGTH_MASK) >> +- blocksize_bits); +- } else { ++ (lip1->extLength & UDF_EXTENT_LENGTH_MASK) + ++ blocksize - 1) <= UDF_EXTENT_LENGTH_MASK) { + li->extLength = lip1->extLength + + (((li->extLength & + UDF_EXTENT_LENGTH_MASK) + diff --git a/queue-4.19/udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch b/queue-4.19/udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch new file mode 100644 index 00000000000..ccea9079323 --- /dev/null +++ b/queue-4.19/udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch @@ -0,0 +1,62 @@ +From 256fe4162f8b5a1625b8603ca5f7ff79725bfb47 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 2 Jan 2023 20:14:47 +0100 +Subject: udf: Do not update file length for failed writes to inline files + +From: Jan Kara + +commit 256fe4162f8b5a1625b8603ca5f7ff79725bfb47 upstream. + +When write to inline file fails (or happens only partly), we still +updated length of inline data as if the whole write succeeded. Fix the +update of length of inline data to happen only if the write succeeds. + +Reported-by: syzbot+0937935b993956ba28ab@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/file.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/fs/udf/file.c ++++ b/fs/udf/file.c +@@ -148,26 +148,24 @@ static ssize_t udf_file_write_iter(struc + goto out; + + down_write(&iinfo->i_data_sem); +- if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { +- loff_t end = iocb->ki_pos + iov_iter_count(from); +- +- if (inode->i_sb->s_blocksize < +- (udf_file_entry_alloc_offset(inode) + end)) { +- err = udf_expand_file_adinicb(inode); +- if (err) { +- inode_unlock(inode); +- udf_debug("udf_expand_adinicb: err=%d\n", err); +- return err; +- } +- } else { +- iinfo->i_lenAlloc = max(end, inode->i_size); +- up_write(&iinfo->i_data_sem); ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB && ++ inode->i_sb->s_blocksize < (udf_file_entry_alloc_offset(inode) + ++ iocb->ki_pos + iov_iter_count(from))) { ++ err = udf_expand_file_adinicb(inode); ++ if (err) { ++ inode_unlock(inode); ++ udf_debug("udf_expand_adinicb: err=%d\n", err); ++ return err; + } + } else + up_write(&iinfo->i_data_sem); + + retval = __generic_file_write_iter(iocb, from); + out: ++ down_write(&iinfo->i_data_sem); ++ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB && retval > 0) ++ iinfo->i_lenAlloc = inode->i_size; ++ up_write(&iinfo->i_data_sem); + inode_unlock(inode); + + if (retval > 0) { diff --git a/queue-4.19/udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch b/queue-4.19/udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch new file mode 100644 index 00000000000..e4daf6a229c --- /dev/null +++ b/queue-4.19/udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch @@ -0,0 +1,63 @@ +From 36ec52ea038b18a53e198116ef7d7e70c87db046 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 23 Jan 2023 14:18:47 +0100 +Subject: udf: Fix file corruption when appending just after end of preallocated extent + +From: Jan Kara + +commit 36ec52ea038b18a53e198116ef7d7e70c87db046 upstream. + +When we append new block just after the end of preallocated extent, the +code in inode_getblk() wrongly determined we're going to use the +preallocated extent which resulted in adding block into a wrong logical +offset in the file. Sequence like this manifests it: + +xfs_io -f -c "pwrite 0x2cacf 0xd122" -c "truncate 0x2dd6f" \ + -c "pwrite 0x27fd9 0x69a9" -c "pwrite 0x32981 0x7244" + +The code that determined the use of preallocated extent is actually +stale because udf_do_extend_file() does not create preallocation anymore +so after calling that function we are sure there's no usable +preallocation. Just remove the faulty condition. + +CC: stable@vger.kernel.org +Fixes: 16d055656814 ("udf: Discard preallocation before extending file with a hole") +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/inode.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -800,19 +800,17 @@ static sector_t inode_getblk(struct inod + c = 0; + offset = 0; + count += ret; +- /* We are not covered by a preallocated extent? */ +- if ((laarr[0].extLength & UDF_EXTENT_FLAG_MASK) != +- EXT_NOT_RECORDED_ALLOCATED) { +- /* Is there any real extent? - otherwise we overwrite +- * the fake one... */ +- if (count) +- c = !c; +- laarr[c].extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | +- inode->i_sb->s_blocksize; +- memset(&laarr[c].extLocation, 0x00, +- sizeof(struct kernel_lb_addr)); +- count++; +- } ++ /* ++ * Is there any real extent? - otherwise we overwrite the fake ++ * one... ++ */ ++ if (count) ++ c = !c; ++ laarr[c].extLength = EXT_NOT_RECORDED_NOT_ALLOCATED | ++ inode->i_sb->s_blocksize; ++ memset(&laarr[c].extLocation, 0x00, ++ sizeof(struct kernel_lb_addr)); ++ count++; + endnum = c + 1; + lastblock = 1; + } else { diff --git a/queue-4.19/udf-truncate-added-extents-on-failed-expansion.patch b/queue-4.19/udf-truncate-added-extents-on-failed-expansion.patch new file mode 100644 index 00000000000..02259287b12 --- /dev/null +++ b/queue-4.19/udf-truncate-added-extents-on-failed-expansion.patch @@ -0,0 +1,65 @@ +From 70bfb3a8d661d4fdc742afc061b88a7f3fc9f500 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 15 Dec 2022 14:24:03 +0100 +Subject: udf: Truncate added extents on failed expansion + +From: Jan Kara + +commit 70bfb3a8d661d4fdc742afc061b88a7f3fc9f500 upstream. + +When a file expansion failed because we didn't have enough space for +indirect extents make sure we truncate extents created so far so that we +don't leave extents beyond EOF. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/inode.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -521,8 +521,10 @@ static int udf_do_extend_file(struct ino + } + + if (fake) { +- udf_add_aext(inode, last_pos, &last_ext->extLocation, +- last_ext->extLength, 1); ++ err = udf_add_aext(inode, last_pos, &last_ext->extLocation, ++ last_ext->extLength, 1); ++ if (err < 0) ++ goto out_err; + count++; + } else { + struct kernel_lb_addr tmploc; +@@ -556,7 +558,7 @@ static int udf_do_extend_file(struct ino + err = udf_add_aext(inode, last_pos, &last_ext->extLocation, + last_ext->extLength, 1); + if (err) +- return err; ++ goto out_err; + count++; + } + if (new_block_bytes) { +@@ -565,7 +567,7 @@ static int udf_do_extend_file(struct ino + err = udf_add_aext(inode, last_pos, &last_ext->extLocation, + last_ext->extLength, 1); + if (err) +- return err; ++ goto out_err; + count++; + } + +@@ -579,6 +581,11 @@ out: + return -EIO; + + return count; ++out_err: ++ /* Remove extents we've created so far */ ++ udf_clear_extent_cache(inode); ++ udf_truncate_extents(inode); ++ return err; + } + + /* Extend the final block of the file to final_block_len bytes */