--- /dev/null
+From b862676e371715456c9dade7990c8004996d0d9e Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Mon, 22 Mar 2021 19:47:30 +0800
+Subject: f2fs: fix to avoid out-of-bounds memory access
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit b862676e371715456c9dade7990c8004996d0d9e upstream.
+
+butt3rflyh4ck <butterflyhuangxx@gmail.com> reported a bug found by
+syzkaller fuzzer with custom modifications in 5.12.0-rc3+ [1]:
+
+ dump_stack+0xfa/0x151 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x82/0x32c mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
+ current_nat_addr fs/f2fs/node.h:213 [inline]
+ get_next_nat_page fs/f2fs/node.c:123 [inline]
+ __flush_nat_entry_set fs/f2fs/node.c:2888 [inline]
+ f2fs_flush_nat_entries+0x258e/0x2960 fs/f2fs/node.c:2991
+ f2fs_write_checkpoint+0x1372/0x6a70 fs/f2fs/checkpoint.c:1640
+ f2fs_issue_checkpoint+0x149/0x410 fs/f2fs/checkpoint.c:1807
+ f2fs_sync_fs+0x20f/0x420 fs/f2fs/super.c:1454
+ __sync_filesystem fs/sync.c:39 [inline]
+ sync_filesystem fs/sync.c:67 [inline]
+ sync_filesystem+0x1b5/0x260 fs/sync.c:48
+ generic_shutdown_super+0x70/0x370 fs/super.c:448
+ kill_block_super+0x97/0xf0 fs/super.c:1394
+
+The root cause is, if nat entry in checkpoint journal area is corrupted,
+e.g. nid of journalled nat entry exceeds max nid value, during checkpoint,
+once it tries to flush nat journal to NAT area, get_next_nat_page() may
+access out-of-bounds memory on nat_bitmap due to it uses wrong nid value
+as bitmap offset.
+
+[1] https://lore.kernel.org/lkml/CAFcO6XOMWdr8pObek6eN6-fs58KG9doRFadgJj-FnF-1x43s2g@mail.gmail.com/T/#u
+
+Reported-and-tested-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2718,6 +2718,9 @@ static void remove_nats_in_journal(struc
+ struct f2fs_nat_entry raw_ne;
+ nid_t nid = le32_to_cpu(nid_in_journal(journal, i));
+
++ if (f2fs_check_nid_range(sbi, nid))
++ continue;
++
+ raw_ne = nat_in_journal(journal, i);
+
+ ne = __lookup_nat_cache(nm_i, nid);
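Review bot: The new range check silently drops a journalled NAT entry, and a reader of remove_nats_in_journal sees only a bare `continue` with nothing explaining why a journal entry may be discarded; I would put a comment above it, e.g. `/* nid outside the valid range is on-disk corruption; skip the entry rather than use it as a nat_bitmap offset (see get_next_nat_page) */`. If f2fs_check_nid_range behaves here as it does elsewhere in f2fs (warning plus a request for fsck), that is worth saying in the comment too, since the dropped journal entry is then the only trace of the bad on-disk state. The enclosing loop and the rest of remove_nats_in_journal, including what happens to the journal after the loop, are outside the hunk.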
--- /dev/null
+From 885480b084696331bea61a4f7eba10652999a9c1 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 28 Apr 2021 18:23:50 -0700
+Subject: Makefile: Move -Wno-unused-but-set-variable out of GCC only block
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 885480b084696331bea61a4f7eba10652999a9c1 upstream.
+
+Currently, -Wunused-but-set-variable is only supported by GCC so it is
+disabled unconditionally in a GCC only block (it is enabled with W=1).
+clang currently has its implementation for this warning in review so
+preemptively move this statement out of the GCC only block and wrap it
+with cc-disable-warning so that both compilers function the same.
+
+Cc: stable@vger.kernel.org
+Link: https://reviews.llvm.org/D100581
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -765,16 +765,16 @@ KBUILD_CFLAGS += -Wno-tautological-compa
+ KBUILD_CFLAGS += -mno-global-merge
+ else
+
+-# These warnings generated too much noise in a regular build.
+-# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
+-KBUILD_CFLAGS += -Wno-unused-but-set-variable
+-
+ # Warn about unmarked fall-throughs in switch statement.
+ # Disabled for clang while comment to attribute conversion happens and
+ # https://github.com/ClangBuiltLinux/linux/issues/636 is discussed.
+ KBUILD_CFLAGS += $(call cc-option,-Wimplicit-fallthrough,)
+ endif
+
++# These warnings generated too much noise in a regular build.
++# Use make W=1 to enable them (see scripts/Makefile.extrawarn)
++KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
++
+ KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
+ ifdef CONFIG_FRAME_POINTER
+ KBUILD_CFLAGS += -fno-omit-frame-pointer -fno-optimize-sibling-calls
alsa-hda-realtek-add-quirk-for-intel-clevo-pcx0dx.patch
btrfs-fix-race-when-picking-most-recent-mod-log-oper.patch
arm64-vdso-discard-.note.gnu.property-sections-in-vd.patch
+makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
+virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
+ubifs-only-check-replay-with-inode-type-to-judge-if-inode-linked.patch
+f2fs-fix-to-avoid-out-of-bounds-memory-access.patch
--- /dev/null
+From 3e903315790baf4a966436e7f32e9c97864570ac Mon Sep 17 00:00:00 2001
+From: Guochun Mao <guochun.mao@mediatek.com>
+Date: Tue, 16 Mar 2021 16:52:14 +0800
+Subject: ubifs: Only check replay with inode type to judge if inode linked
+
+From: Guochun Mao <guochun.mao@mediatek.com>
+
+commit 3e903315790baf4a966436e7f32e9c97864570ac upstream.
+
+Conside the following case, it just write a big file into flash,
+when complete writing, delete the file, and then power off promptly.
+Next time power on, we'll get a replay list like:
+...
+LEB 1105:211344 len 4144 deletion 0 sqnum 428783 key type 1 inode 80
+LEB 15:233544 len 160 deletion 1 sqnum 428785 key type 0 inode 80
+LEB 1105:215488 len 4144 deletion 0 sqnum 428787 key type 1 inode 80
+...
+In the replay list, data nodes' deletion are 0, and the inode node's
+deletion is 1. In current logic, the file's dentry will be removed,
+but inode and the flash space it occupied will be reserved.
+User will see that much free space been disappeared.
+
+We only need to check the deletion value of the following inode type
+node of the replay entry.
+
+Fixes: e58725d51fa8 ("ubifs: Handle re-linking of inodes correctly while recovery")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guochun Mao <guochun.mao@mediatek.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ubifs/replay.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/replay.c
++++ b/fs/ubifs/replay.c
+@@ -223,7 +223,8 @@ static bool inode_still_linked(struct ub
+ */
+ list_for_each_entry_reverse(r, &c->replay_list, list) {
+ ubifs_assert(c, r->sqnum >= rino->sqnum);
+- if (key_inum(c, &r->key) == key_inum(c, &rino->key))
++ if (key_inum(c, &r->key) == key_inum(c, &rino->key) &&
++ key_type(c, &r->key) == UBIFS_INO_KEY)
+ return r->deletion == 0;
+
+ }
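Review bot: With the added `key_type(c, &r->key) == UBIFS_INO_KEY` condition, data and dentry nodes for the same inum no longer decide the result, so the block comment that closes at the top of the hunk (its start is outside the hunk) should be checked that it still describes the rule; I would state it as "only a later inode node for this inum tells whether the inode was re-linked (deletion 0) or deleted (deletion 1); data and dentry nodes of that inum are skipped". Worth a sentence in that comment as well: a replay list that has data nodes but no later inode node for the inum now falls through the loop instead of returning early, and that fall-through return is outside the hunk. inode_still_linked continues past the hunk.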
--- /dev/null
+From c79c5e0178922a9e092ec8fed026750f39dcaef4 Mon Sep 17 00:00:00 2001
+From: Luis Henriques <lhenriques@suse.de>
+Date: Wed, 17 Mar 2021 08:44:43 +0000
+Subject: virtiofs: fix memory leak in virtio_fs_probe()
+
+From: Luis Henriques <lhenriques@suse.de>
+
+commit c79c5e0178922a9e092ec8fed026750f39dcaef4 upstream.
+
+When accidentally passing twice the same tag to qemu, kmemleak ended up
+reporting a memory leak in virtiofs. Also, looking at the log I saw the
+following error (that's when I realised the duplicated tag):
+
+ virtiofs: probe of virtio5 failed with error -17
+
+Here's the kmemleak log for reference:
+
+unreferenced object 0xffff888103d47800 (size 1024):
+ comm "systemd-udevd", pid 118, jiffies 4294893780 (age 18.340s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff 80 90 02 a0 ff ff ff ff ................
+ backtrace:
+ [<000000000ebb87c1>] virtio_fs_probe+0x171/0x7ae [virtiofs]
+ [<00000000f8aca419>] virtio_dev_probe+0x15f/0x210
+ [<000000004d6baf3c>] really_probe+0xea/0x430
+ [<00000000a6ceeac8>] device_driver_attach+0xa8/0xb0
+ [<00000000196f47a7>] __driver_attach+0x98/0x140
+ [<000000000b20601d>] bus_for_each_dev+0x7b/0xc0
+ [<00000000399c7b7f>] bus_add_driver+0x11b/0x1f0
+ [<0000000032b09ba7>] driver_register+0x8f/0xe0
+ [<00000000cdd55998>] 0xffffffffa002c013
+ [<000000000ea196a2>] do_one_initcall+0x64/0x2e0
+ [<0000000008f727ce>] do_init_module+0x5c/0x260
+ [<000000003cdedab6>] __do_sys_finit_module+0xb5/0x120
+ [<00000000ad2f48c6>] do_syscall_64+0x33/0x40
+ [<00000000809526b5>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luis Henriques <lhenriques@suse.de>
+Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/virtio_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -667,6 +667,7 @@ static int virtio_fs_probe(struct virtio
+ out_vqs:
+ vdev->config->reset(vdev);
+ virtio_fs_cleanup_vqs(vdev, fs);
++ kfree(fs->vqs);
+
+ out:
+ vdev->priv = NULL;
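Review bot: `kfree(fs->vqs)` at out_vqs leaves fs->vqs dangling while fs is still live on the out: path that follows, so any later teardown of fs that also frees vqs would be a double free; I would add `fs->vqs = NULL;` directly after the kfree so the cleanup is idempotent. Failure paths that jump to out: before vqs is allocated are unaffected, provided fs->vqs starts out NULL, which is not visible in the hunk. virtio_fs_probe's body starts before the hunk and the remainder of the out: path, where fs itself is released, is not visible here.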