Fixes for 4.19

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.19/ocfs2-pass-u64-to-ocfs2_truncate_inline-maybe-overfl.patch b/queue-4.19/ocfs2-pass-u64-to-ocfs2_truncate_inline-maybe-overfl.patch
new file mode 100644 (file)
index 0000000..a5fe51e
--- /dev/null
+++ b/queue-4.19/ocfs2-pass-u64-to-ocfs2_truncate_inline-maybe-overfl.patch
@@ -0,0 +1,60 @@
+From 3ecd6eca7a9c672645f92ee47f7bb4de0b84effe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 19:43:47 +0800
+Subject: ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit bc0a2f3a73fcdac651fca64df39306d1e5ebe3b0 ]
+
+Syzbot reported a kernel BUG in ocfs2_truncate_inline.  There are two
+reasons for this: first, the parameter value passed is greater than
+ocfs2_max_inline_data_with_xattr, second, the start and end parameters of
+ocfs2_truncate_inline are "unsigned int".
+
+So, we need to add a sanity check for byte_start and byte_len right before
+ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater
+than ocfs2_max_inline_data_with_xattr return -EINVAL.
+
+Link: https://lkml.kernel.org/r/tencent_D48DB5122ADDAEDDD11918CFB68D93258C07@qq.com
+Fixes: 1afc32b95233 ("ocfs2: Write support for inline data")
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Reported-by: syzbot+81092778aac03460d6b7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=81092778aac03460d6b7
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/file.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
+index a6f486f4138f5..3c71c05a0581b 100644
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1795,6 +1795,14 @@ int ocfs2_remove_inode_range(struct inode *inode,
+               return 0;
+ 
+       if (OCFS2_I(inode)->ip_dyn_features & OCFS2_INLINE_DATA_FL) {
++              int id_count = ocfs2_max_inline_data_with_xattr(inode->i_sb, di);
++
++              if (byte_start > id_count || byte_start + byte_len > id_count) {
++                      ret = -EINVAL;
++                      mlog_errno(ret);
++                      goto out;
++              }
++
+               ret = ocfs2_truncate_inline(inode, di_bh, byte_start,
+                                           byte_start + byte_len, 0);
+               if (ret) {
+-- 
+2.43.0
+

diff --git a/queue-4.19/series b/queue-4.19/series
index cbe822685d26f3cc48ac264628dcda5f61270403..d6ca2d14cc222f189d6931b32c654be53f87888b 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -344,3 +344,4 @@ wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch
 wifi-ath10k-fix-memory-leak-in-management-tx.patch
 wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch
 nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch
+ocfs2-pass-u64-to-ocfs2_truncate_inline-maybe-overfl.patch