5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 9 Oct 2022 18:45:49 +0000 (20:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 9 Oct 2022 18:45:49 +0000 (20:45 +0200)
added patches:
compiler_attributes.h-move-__compiletime_-error-warning.patch
fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch

queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch [new file with mode: 0644]
queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch b/queue-5.10/compiler_attributes.h-move-__compiletime_-error-warning.patch
new file mode 100644 (file)
index 0000000..dad40bf
--- /dev/null
@@ -0,0 +1,113 @@
+From b83a908498d68fafca931e1276e145b339cac5fb Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Mon, 2 Aug 2021 13:23:20 -0700
+Subject: compiler_attributes.h: move __compiletime_{error|warning}
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit b83a908498d68fafca931e1276e145b339cac5fb upstream.
+
+Clang 14 will add support for __attribute__((__error__(""))) and
+__attribute__((__warning__(""))). To make use of these in
+__compiletime_error and __compiletime_warning (as used by BUILD_BUG and
+friends) for newer clang and detect/fallback for older versions of
+clang, move these to compiler_attributes.h and guard them with
+__has_attribute preprocessor guards.
+
+Link: https://reviews.llvm.org/D106030
+Link: https://bugs.llvm.org/show_bug.cgi?id=16428
+Link: https://github.com/ClangBuiltLinux/linux/issues/1173
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+[Reworded, landed in Clang 14]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/compiler-gcc.h        |    3 ---
+ include/linux/compiler_attributes.h |   24 ++++++++++++++++++++++++
+ include/linux/compiler_types.h      |    6 ------
+ 3 files changed, 24 insertions(+), 9 deletions(-)
+
+--- a/include/linux/compiler-gcc.h
++++ b/include/linux/compiler-gcc.h
+@@ -54,9 +54,6 @@
+ #define __compiletime_object_size(obj) __builtin_object_size(obj, 0)
+-#define __compiletime_warning(message) __attribute__((__warning__(message)))
+-#define __compiletime_error(message) __attribute__((__error__(message)))
+-
+ #if defined(LATENT_ENTROPY_PLUGIN) && !defined(__CHECKER__)
+ #define __latent_entropy __attribute__((latent_entropy))
+ #endif
+--- a/include/linux/compiler_attributes.h
++++ b/include/linux/compiler_attributes.h
+@@ -30,6 +30,7 @@
+ # define __GCC4_has_attribute___assume_aligned__      (__GNUC_MINOR__ >= 9)
+ # define __GCC4_has_attribute___copy__                0
+ # define __GCC4_has_attribute___designated_init__     0
++# define __GCC4_has_attribute___error__               1
+ # define __GCC4_has_attribute___externally_visible__  1
+ # define __GCC4_has_attribute___no_caller_saved_registers__ 0
+ # define __GCC4_has_attribute___noclone__             1
+@@ -37,6 +38,7 @@
+ # define __GCC4_has_attribute___no_sanitize_address__ (__GNUC_MINOR__ >= 8)
+ # define __GCC4_has_attribute___no_sanitize_undefined__ (__GNUC_MINOR__ >= 9)
+ # define __GCC4_has_attribute___fallthrough__         0
++# define __GCC4_has_attribute___warning__             1
+ #endif
+ /*
+@@ -137,6 +139,17 @@
+ #endif
+ /*
++ * Optional: only supported since clang >= 14.0
++ *
++ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-error-function-attribute
++ */
++#if __has_attribute(__error__)
++# define __compiletime_error(msg)       __attribute__((__error__(msg)))
++#else
++# define __compiletime_error(msg)
++#endif
++
++/*
+  * Optional: not supported by clang
+  *
+  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-externally_005fvisible-function-attribute
+@@ -273,6 +286,17 @@
+ #define __used                          __attribute__((__used__))
+ /*
++ * Optional: only supported since clang >= 14.0
++ *
++ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-warning-function-attribute
++ */
++#if __has_attribute(__warning__)
++# define __compiletime_warning(msg)     __attribute__((__warning__(msg)))
++#else
++# define __compiletime_warning(msg)
++#endif
++
++/*
+  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-weak-function-attribute
+  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-weak-variable-attribute
+  */
+--- a/include/linux/compiler_types.h
++++ b/include/linux/compiler_types.h
+@@ -281,12 +281,6 @@ struct ftrace_likely_data {
+ #ifndef __compiletime_object_size
+ # define __compiletime_object_size(obj) -1
+ #endif
+-#ifndef __compiletime_warning
+-# define __compiletime_warning(message)
+-#endif
+-#ifndef __compiletime_error
+-# define __compiletime_error(message)
+-#endif
+ #ifdef __OPTIMIZE__
+ # define __compiletime_assert(condition, msg, prefix, suffix)         \
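Review bot: The new comments above `__compiletime_error` and `__compiletime_warning` in compiler_attributes.h say the attribute is optional but not what the fallback costs: in the `#else` branches both macros expand to nothing, so on a compiler where `__has_attribute(__error__)` or `__has_attribute(__warning__)` is false the attached message is never emitted at compile time. Since the commit message names BUILD_BUG and friends as users, I would add one line to each comment, e.g. `* When unsupported this expands to nothing and the compile-time diagnostic is silently dropped.` Whether such a build still fails later (for instance at link time) depends on how `__compiletime_assert` is defined, which continues outside this hunk, so that part is worth confirming rather than assuming.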
diff --git a/queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch b/queue-5.10/fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
new file mode 100644 (file)
index 0000000..06abc39
--- /dev/null
@@ -0,0 +1,62 @@
+From 2e488f13755ffbb60f307e991b27024716a33b29 Mon Sep 17 00:00:00 2001
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+Date: Tue, 16 Aug 2022 12:08:58 +0800
+Subject: fs: fix UAF/GPF bug in nilfs_mdt_destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+commit 2e488f13755ffbb60f307e991b27024716a33b29 upstream.
+
+In alloc_inode, inode_init_always() could return -ENOMEM if
+security_inode_alloc() fails, which causes inode->i_private
+uninitialized. Then nilfs_is_metadata_file_inode() returns
+true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(),
+which frees the uninitialized inode->i_private
+and leads to crashes(e.g., UAF/GPF).
+
+Fix this by moving security_inode_alloc just prior to
+this_cpu_inc(nr_inodes)
+
+Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
+Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Reported-by: Jiacheng Xu <stitch@zju.edu.cn>
+Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/inode.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -168,8 +168,6 @@ int inode_init_always(struct super_block
+       inode->i_wb_frn_history = 0;
+ #endif
+-      if (security_inode_alloc(inode))
+-              goto out;
+       spin_lock_init(&inode->i_lock);
+       lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
+@@ -202,11 +200,12 @@ int inode_init_always(struct super_block
+       inode->i_fsnotify_mask = 0;
+ #endif
+       inode->i_flctx = NULL;
++
++      if (unlikely(security_inode_alloc(inode)))
++              return -ENOMEM;
+       this_cpu_inc(nr_inodes);
+       return 0;
+-out:
+-      return -ENOMEM;
+ }
+ EXPORT_SYMBOL(inode_init_always);
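Review bot: The relocated `security_inode_alloc()` call in inode_init_always() carries no comment saying that it must remain the last step that can fail, and that ordering is the whole fix: per the commit message, a failure return with `inode->i_private` still uninitialised lets nilfs_free_inode() call nilfs_mdt_destroy() on garbage. I would add above the call `/* Keep last: on failure the fs free path inspects fields set above (e.g. i_private), so all must be initialised first. */`. Without it, a later field initialisation added below the call would quietly reintroduce the same use-after-free. The function body starts outside the hunk, so the initialisation of `i_private` itself is not visible here and should be confirmed to sit above the new call in the 5.10 tree.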
index 93badcde7aa0b02a4e4bab5817908035c61ea136..63127562e1610977c70a9d0402fd6d0da882c1b1 100644 (file)
@@ -7,3 +7,5 @@ mm-gup-fix-the-fast-gup-race-against-thp-collapse.patch
 powerpc-64s-radix-don-t-need-to-broadcast-ipi-for-radix-pmd-collapse-flush.patch
 wait_on_bit-add-an-acquire-memory-barrier.patch
 provide-arch_test_bit_acquire-for-architectures-that-define-test_bit.patch
+fs-fix-uaf-gpf-bug-in-nilfs_mdt_destroy.patch
+compiler_attributes.h-move-__compiletime_-error-warning.patch