From 24c5ca182f9d5a3895f9a195c724f927e341f271 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 9 Nov 2024 16:34:25 +0100
Subject: [PATCH] 5.15-stable patches

added patches:
btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch

---
 ...list-after-deleting-it-from-the-list.patch | 50 ++++++++++++++
 ...san-warning-in-decode_getfattr_attrs.patch | 69 +++++++++++++++++++
 queue-5.15/series | 2 +
 3 files changed, 121 insertions(+)
 create mode 100644 queue-5.15/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
 create mode 100644 queue-5.15/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch

diff --git a/queue-5.15/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch b/queue-5.15/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
new file mode 100644
index 00000000000..15624c43fa3
--- /dev/null
+++ b/queue-5.15/btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
@@ -0,0 +1,50 @@
+From c9a75ec45f1111ef530ab186c2a7684d0a0c9245 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 4 Nov 2024 12:11:15 +0000
+Subject: btrfs: reinitialize delayed ref list after deleting it from the list
+
+From: Filipe Manana
+
+commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream.
+
+At insert_delayed_ref() if we need to update the action of an existing
+ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
+ref_add_list using list_del(), which leaves the ref's add_list member
+not reinitialized, as list_del() sets the next and prev members of the
+list to LIST_POISON1 and LIST_POISON2, respectively.
+
+If later we end up calling drop_delayed_ref() against the ref, which can
+happen during merging or when destroying delayed refs due to a transaction
+abort, we can trigger a crash since at drop_delayed_ref() we call
+list_empty() against the ref's add_list, which returns false since
+the list was not reinitialized after the list_del() and as a consequence
+we call list_del() again at drop_delayed_ref(). This results in an
+invalid list access since the next and prev members are set to poison
+pointers, resulting in a splat if CONFIG_LIST_HARDENED and
+CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
+otherwise.
+
+So fix this by deleting from the list with list_del_init() instead.
+
+Fixes: 1d57ee941692 ("btrfs: improve delayed refs iterations")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/delayed-ref.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/delayed-ref.c
++++ b/fs/btrfs/delayed-ref.c
+@@ -608,7 +608,7 @@ static int insert_delayed_ref(struct btr
+ &href->ref_add_list);
+ else if (ref->action == BTRFS_DROP_DELAYED_REF) {
+ ASSERT(!list_empty(&exist->add_list));
+- list_del(&exist->add_list);
++ list_del_init(&exist->add_list);
+ } else {
+ ASSERT(0);
+ }
diff --git a/queue-5.15/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch b/queue-5.15/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch
new file mode 100644
index 00000000000..08918eabee1
--- /dev/null
+++ b/queue-5.15/nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch
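Review bot: The replacement `list_del_init(&exist->add_list);` carries no comment, so a later reader cannot tell why the `_init` variant is required here even though the commit message explains it: drop_delayed_ref() decides whether to unlink by calling list_empty() on add_list, and a plain list_del() leaves poisoned next/prev pointers that make that test return false. A one-line comment above the new line would preserve that reasoning in the code: `/* Reinit: drop_delayed_ref() tests list_empty() on add_list before unlinking. */`. Note that the `ASSERT(!list_empty(...))` two lines earlier is a btrfs debug-only check (CONFIG_BTRFS_ASSERT), so in production builds it is the reinitialised list state alone, not the assert, that prevents the second list_del() on poison pointers. insert_delayed_ref() begins and ends outside this hunk.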
@@ -0,0 +1,69 @@
+From dc270d7159699ad6d11decadfce9633f0f71c1db Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Fri, 25 Oct 2024 16:03:27 +0200
+Subject: nfs: Fix KMSAN warning in decode_getfattr_attrs()
+
+From: Roberto Sassu
+
+commit dc270d7159699ad6d11decadfce9633f0f71c1db upstream.
+
+Fix the following KMSAN warning:
+
+CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G B
+Tainted: [B]=BAD_PAGE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
+=====================================================
+=====================================================
+BUG: KMSAN: uninit-value in decode_getfattr_attrs+0x2d6d/0x2f90
+ decode_getfattr_attrs+0x2d6d/0x2f90
+ decode_getfattr_generic+0x806/0xb00
+ nfs4_xdr_dec_getattr+0x1de/0x240
+ rpcauth_unwrap_resp_decode+0xab/0x100
+ rpcauth_unwrap_resp+0x95/0xc0
+ call_decode+0x4ff/0xb50
+ __rpc_execute+0x57b/0x19d0
+ rpc_execute+0x368/0x5e0
+ rpc_run_task+0xcfe/0xee0
+ nfs4_proc_getattr+0x5b5/0x990
+ __nfs_revalidate_inode+0x477/0xd00
+ nfs_access_get_cached+0x1021/0x1cc0
+ nfs_do_access+0x9f/0xae0
+ nfs_permission+0x1e4/0x8c0
+ inode_permission+0x356/0x6c0
+ link_path_walk+0x958/0x1330
+ path_lookupat+0xce/0x6b0
+ filename_lookup+0x23e/0x770
+ vfs_statx+0xe7/0x970
+ vfs_fstatat+0x1f2/0x2c0
+ __se_sys_newfstatat+0x67/0x880
+ __x64_sys_newfstatat+0xbd/0x120
+ x64_sys_call+0x1826/0x3cf0
+ do_syscall_64+0xd0/0x1b0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The KMSAN warning is triggered in decode_getfattr_attrs(), when calling
+decode_attr_mdsthreshold(). It appears that fattr->mdsthreshold is not
+initialized.
+
+Fix the issue by initializing fattr->mdsthreshold to NULL in
+nfs_fattr_init().
+
+Cc: stable@vger.kernel.org # v3.5.x
+Fixes: 88034c3d88c2 ("NFSv4.1 mdsthreshold attribute xdr")
+Signed-off-by: Roberto Sassu
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1586,6 +1586,7 @@ void nfs_fattr_init(struct nfs_fattr *fa
+ fattr->gencount = nfs_inc_attr_generation_counter();
+ fattr->owner_name = NULL;
+ fattr->group_name = NULL;
++ fattr->mdsthreshold = NULL;
+ }
+ EXPORT_SYMBOL_GPL(nfs_fattr_init);
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 9d99b2c5700..832bc8a9ec8 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -51,3 +51,5 @@ io_uring-rename-kiocb_end_write-local-helper.patch
 fs-create-kiocb_-start-end-_write-helpers.patch
 io_uring-use-kiocb_-start-end-_write-helpers.patch
 io_uring-rw-fix-missing-nowait-check-for-o_direct-st.patch
+nfs-fix-kmsan-warning-in-decode_getfattr_attrs.patch
+btrfs-reinitialize-delayed-ref-list-after-deleting-it-from-the-list.patch
-- 
2.47.2
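Review bot: The added `fattr->mdsthreshold = NULL;` resets the one member KMSAN flagged but leaves the reason undocumented; a comment such as `/* read by decode_attr_mdsthreshold() on the GETATTR decode path */` would tell the next maintainer why this pointer, unlike most of struct nfs_fattr, must be reset here. nfs_fattr_init() initialises members one at a time (its start is outside the hunk), so any other pointer member that an XDR decoder reads before checking the corresponding valid bit would carry the same uninitialised-read exposure; that is worth auditing whenever a field is added to the struct rather than fixing one member per sanitizer report. A blanket memset() of the struct would close the whole class, but only if no caller relies on members surviving nfs_fattr_init(), which cannot be confirmed from this hunk.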