From 05fa8f90da4caf5955a75792cfd0abf4b05589ac Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 10 Jan 2023 16:58:34 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
hfs-hfsplus-use-warn_on-for-sanity-check.patch
---
 ...nity-check-use-proper-error-handling.patch | 90 +++++++++++++
 ...hfsplus-use-warn_on-for-sanity-check.patch | 118 ++++++++++++++++++
 queue-4.19/series | 2 +
 3 files changed, 210 insertions(+)
 create mode 100644 queue-4.19/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
 create mode 100644 queue-4.19/hfs-hfsplus-use-warn_on-for-sanity-check.patch
diff --git a/queue-4.19/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch b/queue-4.19/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
new file mode 100644
index 00000000000..5fedfcd1da0
--- /dev/null
+++ b/queue-4.19/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
@@ -0,0 +1,90 @@
+From cb7a95af78d29442b8294683eca4897544b8ef46 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Wed, 4 Jan 2023 11:06:28 -0800
+Subject: hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
+
+From: Linus Torvalds
+
+commit cb7a95af78d29442b8294683eca4897544b8ef46 upstream.
+
+Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed
+a build warning by turning a comment into a WARN_ON(), but it turns out
+that syzbot then complains because it can trigger said warning with a
+corrupted hfs image.
+
+The warning actually does warn about a bad situation, but we are much
+better off just handling it as the error it is. So rather than warn
+about us doing bad things, stop doing the bad things and return -EIO.
+
+While at it, also fix a memory leak that was introduced by an earlier
+fix for a similar syzbot warning situation, and add a check for one case
+that historically wasn't handled at all (ie neither comment nor
+subsequent WARN_ON).
+
+Reported-by: syzbot+7bb7cd3595533513a9e7@syzkaller.appspotmail.com
+Fixes: 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check")
+Fixes: 8d824e69d9f3 ("hfs: fix OOB Read in __hfs_brec_find")
+Link: https://lore.kernel.org/lkml/000000000000dbce4e05f170f289@google.com/
+Tested-by: Michael Schmitz
+Cc: Arnd Bergmann
+Cc: Matthew Wilcox
+Cc: Viacheslav Dubeyko
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/hfs/inode.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -453,15 +453,16 @@ int hfs_write_inode(struct inode *inode,
+ /* panic? */
+ return -EIO;
+
++ res = -EIO;
+ if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
+- return -EIO;
++ goto out;
+ fd.search_key->cat = HFS_I(main_inode)->cat_key;
+ if (hfs_brec_find(&fd))
+- /* panic? */
+ goto out;
+
+ if (S_ISDIR(main_inode->i_mode)) {
+- WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
++ if (fd.entrylength < sizeof(struct hfs_cat_dir))
++ goto out;
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_dir));
+ if (rec.type != HFS_CDR_DIR ||
+@@ -474,6 +475,8 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_dir));
+ } else if (HFS_IS_RSRC(inode)) {
++ if (fd.entrylength < sizeof(struct hfs_cat_file))
++ goto out;
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ hfs_inode_write_fork(inode, rec.file.RExtRec,
+@@ -481,7 +484,8 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ } else {
+- WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
++ if (fd.entrylength < sizeof(struct hfs_cat_file))
++ goto out;
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ if (rec.type != HFS_CDR_FIL ||
+@@ -498,9 +502,10 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ }
++ res = 0;
+ out:
+ hfs_find_exit(&fd);
+- return 0;
++ return res;
+ }
+
+ static struct dentry *hfs_file_lookup(struct inode *dir, struct dentry *dentry,
diff --git a/queue-4.19/hfs-hfsplus-use-warn_on-for-sanity-check.patch b/queue-4.19/hfs-hfsplus-use-warn_on-for-sanity-check.patch
new file mode 100644
index 00000000000..19178df1e8f
--- /dev/null
+++ b/queue-4.19/hfs-hfsplus-use-warn_on-for-sanity-check.patch
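Review bot: The three added `fd.entrylength` checks in hfs_write_inode (directory, resource-fork and plain-file branches) carry no comment saying why a short record must abort the write, which is the same gap that let the original `/* panic? */` placeholders become warn-and-continue. A one-line comment above the first check would record the intent, for example `/* entrylength is read from the catalog record on disk; reject short records before the fixed-size read into rec */`. Next to `res = -EIO;` it is also worth noting that every `goto out` before `res = 0;` now reports failure, including the `hfs_brec_find()` miss, which returned 0 before this change. hfs_write_inode begins above the first hunk, so the earlier part of the function is not visible here.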
@@ -0,0 +1,118 @@
+From 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 8 Nov 2021 18:35:04 -0800
+Subject: hfs/hfsplus: use WARN_ON for sanity check
+
+From: Arnd Bergmann
+
+commit 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb upstream.
+
+gcc warns about a couple of instances in which a sanity check exists but
+the author wasn't sure how to react to it failing, which makes it look
+like a possible bug:
+
+ fs/hfsplus/inode.c: In function 'hfsplus_cat_read_inode':
+ fs/hfsplus/inode.c:503:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 503 | /* panic? */;
+ | ^
+ fs/hfsplus/inode.c:524:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 524 | /* panic? */;
+ | ^
+ fs/hfsplus/inode.c: In function 'hfsplus_cat_write_inode':
+ fs/hfsplus/inode.c:582:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 582 | /* panic? */;
+ | ^
+ fs/hfsplus/inode.c:608:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 608 | /* panic? */;
+ | ^
+ fs/hfs/inode.c: In function 'hfs_write_inode':
+ fs/hfs/inode.c:464:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 464 | /* panic? */;
+ | ^
+ fs/hfs/inode.c:485:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 485 | /* panic? */;
+ | ^
+
+panic() is probably not the correct choice here, but a WARN_ON
+seems appropriate and avoids the compile-time warning.
+
+Link: https://lkml.kernel.org/r/20210927102149.1809384-1-arnd@kernel.org
+Link: https://lore.kernel.org/all/20210322223249.2632268-1-arnd@kernel.org/
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Christian Brauner
+Cc: Alexander Viro
+Cc: Christian Brauner
+Cc: Greg Kroah-Hartman
+Cc: Jan Kara
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/hfs/inode.c | 6 ++----
+ fs/hfsplus/inode.c | 12 ++++--------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -461,8 +461,7 @@ int hfs_write_inode(struct inode *inode,
+ goto out;
+
+ if (S_ISDIR(main_inode->i_mode)) {
+- if (fd.entrylength < sizeof(struct hfs_cat_dir))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_dir));
+ if (rec.type != HFS_CDR_DIR ||
+@@ -482,8 +481,7 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ } else {
+- if (fd.entrylength < sizeof(struct hfs_cat_file))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ if (rec.type != HFS_CDR_FIL ||
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -476,8 +476,7 @@ int hfsplus_cat_read_inode(struct inode
+ if (type == HFSPLUS_FOLDER) {
+ struct hfsplus_cat_folder *folder = &entry.folder;
+
+- if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
+- /* panic? */;
++ WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder));
+ hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
+ sizeof(struct hfsplus_cat_folder));
+ hfsplus_get_perms(inode, &folder->permissions, 1);
+@@ -497,8 +496,7 @@ int hfsplus_cat_read_inode(struct inode
+ } else if (type == HFSPLUS_FILE) {
+ struct hfsplus_cat_file *file = &entry.file;
+
+- if (fd->entrylength < sizeof(struct hfsplus_cat_file))
+- /* panic? */;
++ WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file));
+ hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
+ sizeof(struct hfsplus_cat_file));
+
+@@ -555,8 +553,7 @@ int hfsplus_cat_write_inode(struct inode
+ if (S_ISDIR(main_inode->i_mode)) {
+ struct hfsplus_cat_folder *folder = &entry.folder;
+
+- if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder));
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+ sizeof(struct hfsplus_cat_folder));
+ /* simple node checks? */
+@@ -581,8 +578,7 @@ int hfsplus_cat_write_inode(struct inode
+ } else {
+ struct hfsplus_cat_file *file = &entry.file;
+
+- if (fd.entrylength < sizeof(struct hfsplus_cat_file))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file));
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+ sizeof(struct hfsplus_cat_file));
+ hfsplus_inode_write_fork(inode, &file->data_fork);
diff --git a/queue-4.19/series b/queue-4.19/series
index 74542720787..39011e581a4 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -457,3 +457,5 @@ x86-bugs-flush-ibp-in-ib_prctl_set.patch
 nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch
 riscv-uaccess-fix-type-of-0-variable-on-error-in-get_user.patch
 ext4-don-t-allow-journal-inode-to-have-encrypt-flag.patch
+hfs-hfsplus-use-warn_on-for-sanity-check.patch
+hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
-- 
2.47.3
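Review bot: The four `WARN_ON()` calls this backport adds in fs/hfsplus/inode.c (two in hfsplus_cat_read_inode, two in hfsplus_cat_write_inode) remain warn-and-continue in this queue, because the follow-up patch queued after it touches only fs/hfs/inode.c according to its diffstat. Each is followed by an `hfs_bnode_read()` of the full struct size regardless of `entrylength`, so a short catalog record from a corrupted hfsplus image would presumably trigger the warning the same way the hfs one did for syzbot, and a host running with panic_on_warn would then go down on mounting such media. Consider queuing an equivalent conversion for hfsplus, replacing each `WARN_ON(fd.entrylength < sizeof(...))` with an `if (fd.entrylength < sizeof(...))` check that fails with -EIO through the function's existing exit path. Both hfsplus functions start and end outside these hunks, so their cleanup paths are not visible here.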