From: Greg Kroah-Hartman Date: Wed, 9 Oct 2019 13:27:06 +0000 (+0200) Subject: 5.3-stable patches X-Git-Tag: v4.14.149~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e67a4dc5be0ce830aa4febbe15e945a70e913098;p=thirdparty%2Fkernel%2Fstable-queue.git 5.3-stable patches added patches: staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch staging-erofs-avoid-endless-loop-of-invalid-lookback-distance-0.patch staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch staging-erofs-fix-an-error-handling-in-erofs_readdir.patch staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
---
diff --git a/queue-5.3/series b/queue-5.3/series
index a6d6c56c7a5..2dfb93418ee 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -140,3 +140,8 @@ perf-stat-reset-previous-counts-on-repeat-with-inter.patch
 riscv-avoid-interrupts-being-erroneously-enabled-in-.patch
 vfs-fix-eoverflow-testing-in-put_compat_statfs64.patch
 coresight-etm4x-use-explicit-barriers-on-enable-disable.patch
+staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
+staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
+staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch
+staging-erofs-avoid-endless-loop-of-invalid-lookback-distance-0.patch
+staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
diff --git a/queue-5.3/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch b/queue-5.3/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch
new file mode 100644
index 00000000000..579576587e4
--- /dev/null
+++ b/queue-5.3/staging-erofs-add-two-missing-erofs_workgroup_put-for-corrupted-images.patch
@@ -0,0 +1,48 @@
+From foo@baz Wed 09 Oct 2019 03:24:16 PM CEST
+From: Gao Xiang
+Date: Wed, 9 Oct 2019 18:05:52 +0800
+Subject: staging: erofs: add two missing erofs_workgroup_put for corrupted images
+To: Greg Kroah-Hartman , , Chao Yu
+Cc: , Miao Xie , Gao Xiang
+Message-ID: <20191009100554.165048-3-gaoxiang25@huawei.com>
+
+From: Gao Xiang
+
+commit 138e1a0990e80db486ab9f6c06bd5c01f9a97999 upstream.
+
+As reported by erofs-utils fuzzer, these error handling
+path will be entered to handle corrupted images.
+
+Lack of erofs_workgroup_puts will cause unmounting
+unsuccessfully.
+
+Fix these return values to EFSCORRUPTED as well.
+
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Cc: # 4.19+
+Signed-off-by: Gao Xiang
+Reviewed-by: Chao Yu
+Link: https://lore.kernel.org/r/20190819103426.87579-4-gaoxiang25@huawei.com
+[ Gao Xiang: Older kernel versions don't have length validity check
+ and EFSCORRUPTED, thus backport pageofs check for now. ]
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/erofs/unzip_vle.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/erofs/unzip_vle.c
++++ b/drivers/staging/erofs/unzip_vle.c
+@@ -393,7 +393,11 @@ z_erofs_vle_work_lookup(const struct z_e
+ /* if multiref is disabled, `primary' is always true */
+ primary = true;
+
+- DBG_BUGON(work->pageofs != f->pageofs);
++ if (work->pageofs != f->pageofs) {
++ DBG_BUGON(1);
++ erofs_workgroup_put(egrp);
++ return ERR_PTR(-EIO);
++ }
+
+ /*
+ * lock must be taken first to avoid grp->next == NIL between
diff --git a/queue-5.3/staging-erofs-avoid-endless-loop-of-invalid-lookback-distance-0.patch b/queue-5.3/staging-erofs-avoid-endless-loop-of-invalid-lookback-distance-0.patch
new file mode 100644
index 00000000000..899026177bb
--- /dev/null
+++ b/queue-5.3/staging-erofs-avoid-endless-loop-of-invalid-lookback-distance-0.patch
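Review bot: The new pageofs-mismatch branch in z_erofs_vle_work_lookup() (unzip_vle.c, inner hunk at -393) fails with `ERR_PTR(-EIO)` but logs nothing, so on a build where DBG_BUGON is compiled out (as far as I recall it is a no-op unless CONFIG_EROFS_FS_DEBUG is set) a corrupted image yields a bare I/O error with no record of which check rejected it. The zmap.c backport in this same queue calls errln() before returning; doing the same here, e.g. `errln("pageofs mismatch in workgroup lookup, image may be corrupted");` ahead of `erofs_workgroup_put(egrp);`, would make such images diagnosable in the field. A one-line comment such as `/* corrupted image: release the workgroup reference before failing */` would also keep the reason for the put visible in the code, since the place where that reference is taken is outside the hunk.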
@@ -0,0 +1,44 @@
+From foo@baz Wed 09 Oct 2019 03:24:16 PM CEST
+From: Gao Xiang
+Date: Wed, 9 Oct 2019 18:05:53 +0800
+Subject: staging: erofs: avoid endless loop of invalid lookback distance 0
+To: Greg Kroah-Hartman , , Chao Yu
+Cc: , Miao Xie , Gao Xiang
+Message-ID: <20191009100554.165048-4-gaoxiang25@huawei.com>
+
+From: Gao Xiang
+
+commit 598bb8913d015150b7734b55443c0e53e7189fc7 upstream.
+
+As reported by erofs-utils fuzzer, Lookback distance should
+be a positive number, so it should be actually looked back
+rather than spinning.
+
+Fixes: 02827e1796b3 ("staging: erofs: add erofs_map_blocks_iter")
+Cc: # 4.19+
+Signed-off-by: Gao Xiang
+Reviewed-by: Chao Yu
+Link: https://lore.kernel.org/r/20190819103426.87579-7-gaoxiang25@huawei.com
+[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
+ let's use EIO instead. ]
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/erofs/zmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/staging/erofs/zmap.c
++++ b/drivers/staging/erofs/zmap.c
+@@ -350,6 +350,12 @@ static int vle_extent_lookback(struct z_
+
+ switch (m->type) {
+ case Z_EROFS_VLE_CLUSTER_TYPE_NONHEAD:
++ if (!m->delta[0]) {
++ errln("invalid lookback distance 0 at nid %llu",
++ vi->nid);
++ DBG_BUGON(1);
++ return -EIO;
++ }
+ return vle_extent_lookback(m, m->delta[0]);
+ case Z_EROFS_VLE_CLUSTER_TYPE_PLAIN:
+ map->m_flags &= ~EROFS_MAP_ZIPPED;
diff --git a/queue-5.3/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch b/queue-5.3/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
new file mode 100644
index 00000000000..3510234f651
--- /dev/null
+++ b/queue-5.3/staging-erofs-detect-potential-multiref-due-to-corrupted-images.patch
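Review bot: The zero check added to the NONHEAD case of vle_extent_lookback() (zmap.c, inner hunk at -350) stops the distance-0 spin, but the line right after it is still a self-call whose step is the on-disk `m->delta[0]`, so the call depth on a malformed image is bounded only by whatever range check sits above the switch, which is outside this hunk. Please confirm that bound, and either note next to the call that it relies on being compiled as a tail call or turn the lookback into a loop so kernel stack use does not depend on image contents. At minimum a comment such as `/* delta[0] comes from disk: must be non-zero and within lcn, see check above */` would record the assumption where the value is consumed.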
@@ -0,0 +1,80 @@
+From foo@baz Wed 09 Oct 2019 03:24:16 PM CEST
+From: Gao Xiang
+Date: Wed, 9 Oct 2019 18:05:54 +0800
+Subject: staging: erofs: detect potential multiref due to corrupted images
+To: Greg Kroah-Hartman , , Chao Yu
+Cc: , Miao Xie , Gao Xiang
+Message-ID: <20191009100554.165048-5-gaoxiang25@huawei.com>
+
+From: Gao Xiang
+
+commit e12a0ce2fa69798194f3a8628baf6edfbd5c548f upstream.
+
+As reported by erofs-utils fuzzer, currently, multiref
+(ondisk deduplication) hasn't been supported for now,
+we should forbid it properly.
+
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Cc: # 4.19+
+Signed-off-by: Gao Xiang
+Reviewed-by: Chao Yu
+Link: https://lore.kernel.org/r/20190821140152.229648-1-gaoxiang25@huawei.com
+[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
+ let's use EIO instead. ]
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/erofs/unzip_vle.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/erofs/unzip_vle.c
++++ b/drivers/staging/erofs/unzip_vle.c
+@@ -943,6 +943,7 @@ repeat:
+ for (i = 0; i < nr_pages; ++i)
+ pages[i] = NULL;
+
++ err = 0;
+ z_erofs_pagevec_ctor_init(&ctor, Z_EROFS_NR_INLINE_PAGEVECS,
+ work->pagevec, 0);
+
+@@ -964,8 +965,17 @@ repeat:
+ pagenr = z_erofs_onlinepage_index(page);
+
+ DBG_BUGON(pagenr >= nr_pages);
+- DBG_BUGON(pages[pagenr]);
+
++ /*
++ * currently EROFS doesn't support multiref(dedup),
++ * so here erroring out one multiref page.
++ */
++ if (pages[pagenr]) {
++ DBG_BUGON(1);
++ SetPageError(pages[pagenr]);
++ z_erofs_onlinepage_endio(pages[pagenr]);
++ err = -EIO;
++ }
+ pages[pagenr] = page;
+ }
+ sparsemem_pages = i;
+@@ -975,7 +985,6 @@ repeat:
+ overlapped = false;
+ compressed_pages = grp->compressed_pages;
+
+- err = 0;
+ for (i = 0; i < clusterpages; ++i) {
+ unsigned int pagenr;
+
+@@ -999,7 +1008,12 @@ repeat:
+ pagenr = z_erofs_onlinepage_index(page);
+
+ DBG_BUGON(pagenr >= nr_pages);
+- DBG_BUGON(pages[pagenr]);
++ if (pages[pagenr]) {
++ DBG_BUGON(1);
++ SetPageError(pages[pagenr]);
++ z_erofs_onlinepage_endio(pages[pagenr]);
++ err = -EIO;
++ }
+ ++sparsemem_pages;
+ pages[pagenr] = page;
+
diff --git a/queue-5.3/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch b/queue-5.3/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
new file mode 100644
index 00000000000..4f5e5e7ec0b
--- /dev/null
+++ b/queue-5.3/staging-erofs-fix-an-error-handling-in-erofs_readdir.patch
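Review bot: Both new `if (pages[pagenr])` blocks in unzip_vle.c (inner hunks at -964 and -999) index pages[] directly after `DBG_BUGON(pagenr >= nr_pages);`, which remains a debug-only assertion, so on a non-debug build nothing visible here rejects an out-of-range pagenr before that read or before the `pages[pagenr] = page;` store that follows. If pagenr can disagree with nr_pages on a corrupted image (the code computing both is outside the hunks), the bound deserves the same hardening as the multiref case, something along the lines of `if (pagenr >= nr_pages) { SetPageError(page); z_erofs_onlinepage_endio(page); err = -EIO; continue; }`, to be checked against how each loop completes its pages. The five-line error-out block is also duplicated verbatim at the two sites and would be safer as one static helper so the copies cannot drift apart.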
@@ -0,0 +1,57 @@
+From acb383f1dcb4f1e79b66d4be3a0b6f519a957b0d Mon Sep 17 00:00:00 2001
+From: Gao Xiang
+Date: Sun, 18 Aug 2019 20:54:57 +0800
+Subject: staging: erofs: fix an error handling in erofs_readdir()
+
+From: Gao Xiang
+
+commit acb383f1dcb4f1e79b66d4be3a0b6f519a957b0d upstream.
+
+Richard observed a forever loop of erofs_read_raw_page() [1]
+which can be generated by forcely setting ->u.i_blkaddr
+to 0xdeadbeef (as my understanding block layer can
+handle access beyond end of device correctly).
+
+After digging into that, it seems the problem is highly
+related with directories and then I found the root cause
+is an improper error handling in erofs_readdir().
+
+Let's fix it now.
+
+[1] https://lore.kernel.org/r/1163995781.68824.1566084358245.JavaMail.zimbra@nod.at/
+
+Reported-by: Richard Weinberger
+Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations")
+Cc: # 4.19+
+Reviewed-by: Chao Yu
+Signed-off-by: Gao Xiang
+Link: https://lore.kernel.org/r/20190818125457.25906-1-hsiangkao@aol.com
+[ Gao Xiang: Since earlier kernels don't define EFSCORRUPTED,
+ let's use original error code instead. ]
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/erofs/dir.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/erofs/dir.c
++++ b/drivers/staging/erofs/dir.c
+@@ -99,8 +99,15 @@ static int erofs_readdir(struct file *f,
+ unsigned int nameoff, maxsize;
+
+ dentry_page = read_mapping_page(mapping, i, NULL);
+- if (IS_ERR(dentry_page))
+- continue;
++ if (dentry_page == ERR_PTR(-ENOMEM)) {
++ err = -ENOMEM;
++ break;
++ } else if (IS_ERR(dentry_page)) {
++ errln("fail to readdir of logical block %u of nid %llu",
++ i, EROFS_V(dir)->nid);
++ err = PTR_ERR(dentry_page);
++ break;
++ }
+
+ de = (struct erofs_dirent *)kmap(dentry_page);
+
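Review bot: The two arms added after read_mapping_page() in erofs_readdir() differ only in the errln() call: each stores the error carried by dentry_page and breaks, and the `else` following a `break` is redundant. A single IS_ERR() branch that takes `PTR_ERR(dentry_page)` once and logs unless the value is -ENOMEM expresses the same behaviour with less room for the arms to diverge, and gives a place to state why -ENOMEM stays silent, which the hunk does not say. The enclosing loop and the rest of the function lie outside the hunk.

```c
		dentry_page = read_mapping_page(mapping, i, NULL);
		if (IS_ERR(dentry_page)) {
			err = PTR_ERR(dentry_page);
			/* memory pressure rather than a bad image: no log line (confirm intent) */
			if (err != -ENOMEM)
				errln("fail to readdir of logical block %u of nid %llu",
				      i, EROFS_V(dir)->nid);
			break;
		}
		/* … unchanged: kmap of dentry_page … */
```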
diff --git a/queue-5.3/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch b/queue-5.3/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
new file mode 100644
index 00000000000..7f19df5b8c1
--- /dev/null
+++ b/queue-5.3/staging-erofs-some-compressed-cluster-should-be-submitted-for-corrupted-images.patch
@@ -0,0 +1,61 @@
+From foo@baz Wed 09 Oct 2019 03:24:16 PM CEST
+From: Gao Xiang
+Date: Wed, 9 Oct 2019 18:05:51 +0800
+Subject: staging: erofs: some compressed cluster should be submitted for corrupted images
+To: Greg Kroah-Hartman , , Chao Yu
+Cc: , Miao Xie , Gao Xiang
+Message-ID: <20191009100554.165048-2-gaoxiang25@huawei.com>
+
+From: Gao Xiang
+
+commit ee45197c807895e156b2be0abcaebdfc116487c8 upstream.
+
+As reported by erofs_utils fuzzer, a logical page can belong
+to at most 2 compressed clusters, if one compressed cluster
+is corrupted, but the other has been ready in submitting chain.
+
+The chain needs to submit anyway in order to keep the page
+working properly (page unlocked with PG_error set, PG_uptodate
+not set).
+
+Let's fix it now.
+
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Cc: # 4.19+
+Signed-off-by: Gao Xiang
+Reviewed-by: Chao Yu
+Link: https://lore.kernel.org/r/20190819103426.87579-2-gaoxiang25@huawei.com
+[ Gao Xiang: Manually backport to v5.3.y stable. ]
+Signed-off-by: Gao Xiang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/erofs/unzip_vle.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/erofs/unzip_vle.c
++++ b/drivers/staging/erofs/unzip_vle.c
+@@ -1498,19 +1498,18 @@ static int z_erofs_vle_normalaccess_read
+ err = z_erofs_do_read_page(&f, page, &pagepool);
+ (void)z_erofs_vle_work_iter_end(&f.builder);
+
+- if (err) {
++ /* if some compressed cluster ready, need submit them anyway */
++ z_erofs_submit_and_unzip(&f, &pagepool, true);
++
++ if (err)
+ errln("%s, failed to read, err [%d]", __func__, err);
+- goto out;
+- }
+
+- z_erofs_submit_and_unzip(&f, &pagepool, true);
+-out:
+ if (f.map.mpage)
+ put_page(f.map.mpage);
+
+ /* clean up the remaining free pages */
+ put_pages_list(&pagepool);
+- return 0;
++ return err;
+ }
+
+ static int z_erofs_vle_normalaccess_readpages(struct file *filp,
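Review bot: The comment placed above the now-unconditional `z_erofs_submit_and_unzip(&f, &pagepool, true);` says the submit must happen "anyway" but not why, and the reasoning exists only in the commit message. I would carry it into the code, e.g. `/* a page can belong to two clusters: submit the queued one even on error so the page is unlocked with PG_error set */`. The last line of the body also changes from `return 0;` to `return err;`, so the function now reports failures it previously hid; a short note there on what the caller may assume about the page state on a non-zero return would help, since the caller is outside the hunk and cannot be checked from here.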