From: Greg Kroah-Hartman Date: Tue, 2 Jul 2024 08:52:15 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v4.19.317~57 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff8363120149a8e259c7ac19ed290535572567b5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: erofs-fix-null-dereference-of-dif-bdev_handle-in-fscache-mode.patch --- diff --git a/queue-6.6/erofs-fix-null-dereference-of-dif-bdev_handle-in-fscache-mode.patch b/queue-6.6/erofs-fix-null-dereference-of-dif-bdev_handle-in-fscache-mode.patch new file mode 100644 index 00000000000..d06336cd3d5 --- /dev/null +++ b/queue-6.6/erofs-fix-null-dereference-of-dif-bdev_handle-in-fscache-mode.patch 
@@ -0,0 +1,64 @@ +From 8bd90b6ae7856dd5000b75691d905b39b9ea5d6b Mon Sep 17 00:00:00 2001 +From: Jingbo Xu +Date: Tue, 14 Nov 2023 15:07:04 +0800 +Subject: erofs: fix NULL dereference of dif->bdev_handle in fscache mode + +From: Jingbo Xu + +commit 8bd90b6ae7856dd5000b75691d905b39b9ea5d6b upstream. + +Avoid NULL dereference of dif->bdev_handle, as dif->bdev_handle is NULL +in fscache mode. + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + RIP: 0010:erofs_map_dev+0xbd/0x1c0 + Call Trace: + + erofs_fscache_data_read_slice+0xa7/0x340 + erofs_fscache_data_read+0x11/0x30 + erofs_fscache_readahead+0xd9/0x100 + read_pages+0x47/0x1f0 + page_cache_ra_order+0x1e5/0x270 + filemap_get_pages+0xf2/0x5f0 + filemap_read+0xb8/0x2e0 + vfs_read+0x18d/0x2b0 + ksys_read+0x53/0xd0 + do_syscall_64+0x42/0xf0 + entry_SYSCALL_64_after_hwframe+0x6e/0x76 + +Reported-by: Yiqun Leng +Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7245 +Fixes: 49845720080d ("erofs: Convert to use bdev_open_by_path()") +Signed-off-by: Jingbo Xu +Reviewed-by: Gao Xiang +Reviewed-by: Yue Hu +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20231114070704.23398-1-jefflexu@linux.alibaba.com +Signed-off-by: Gao Xiang +Signed-off-by: Hongbo Li +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/data.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/erofs/data.c ++++ b/fs/erofs/data.c +@@ -222,7 +222,7 @@ int erofs_map_dev(struct super_block *sb + up_read(&devs->rwsem); + return 0; + } +- map->m_bdev = dif->bdev_handle->bdev; ++ map->m_bdev = dif->bdev_handle ? dif->bdev_handle->bdev : NULL; + map->m_daxdev = dif->dax_dev; + map->m_dax_part_off = dif->dax_part_off; + map->m_fscache = dif->fscache; +@@ -240,7 +240,8 @@ int erofs_map_dev(struct super_block *sb + if (map->m_pa >= startoff && + map->m_pa < startoff + length) { + map->m_pa -= startoff; +- map->m_bdev = dif->bdev_handle->bdev; ++ map->m_bdev = dif->bdev_handle ? 
++ dif->bdev_handle->bdev : NULL; + map->m_daxdev = dif->dax_dev; + map->m_dax_part_off = dif->dax_part_off; + map->m_fscache = dif->fscache; diff --git a/queue-6.6/series b/queue-6.6/series index b1a5cd55f44..f52777ebe15 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -147,3 +147,4 @@ ata-libata-core-fix-double-free-on-error.patch ftruncate-pass-a-signed-offset.patch syscalls-fix-compat_sys_io_pgetevents_time64-usage.patch syscalls-fix-sys_fanotify_mark-prototype.patch +erofs-fix-null-dereference-of-dif-bdev_handle-in-fscache-mode.patch
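Review bot: in the first fs/erofs/data.c hunk (`@@ -222,7 +222,7 @@`), the ternary `map->m_bdev = dif->bdev_handle ? dif->bdev_handle->bdev : NULL;` stops the crash but moves the burden onto every caller of erofs_map_dev(): in fscache mode m_bdev is now NULL, and the only thing telling a caller so is `map->m_fscache = dif->fscache;` two lines later. A one-line comment at the assignment stating that bdev_handle is NULL in fscache mode and that m_fscache must be checked before m_bdev is used would make that contract explicit. The Fixes: tag points at the bdev_open_by_path() conversion, which is where the unconditional `dif->bdev_handle->bdev` dereference came from; it is worth confirming that the two assignment sites changed in this patch are the only places the handle is dereferenced without a check. The remaining fields in the hunk (`dif->dax_dev`, `dif->dax_part_off`, `dif->fscache`) are plain reads of the device-info struct and need no guard.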
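Review bot: the second fs/erofs/data.c hunk (`@@ -240,7 +240,8 @@`, the extra-device loop) repeats the exact `dif->bdev_handle ? dif->bdev_handle->bdev : NULL` guard from the primary-device path, split across two lines. Having the same NULL-in-fscache-mode rule written out twice invites the two sites to drift apart on a future change; a small static helper taking the device-info pointer and returning its bdev or NULL, used at both sites, would keep the rule in one place. Minor: the continuation line `dif->bdev_handle->bdev : NULL;` should be indented under the start of the expression per the file's tab style, which cannot be verified from the flattened text here.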