From: Greg Kroah-Hartman Date: Wed, 4 Jan 2023 15:13:47 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v6.1.4~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=986631dd48068ef24a2b0fc618da0d3f1e15d17c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: ext4-allocate-extended-attribute-value-in-vmalloc-area.patch ext4-avoid-bug_on-when-creating-xattrs.patch ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch ext4-fix-error-code-return-to-user-space-in-ext4_get_branch.patch ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an-error-path.patch ext4-init-quota-for-old.inode-in-ext4_rename.patch ext4-initialize-quota-before-expanding-inode-in-setproject-ioctl.patch --- diff --git a/queue-4.14/ext4-allocate-extended-attribute-value-in-vmalloc-area.patch b/queue-4.14/ext4-allocate-extended-attribute-value-in-vmalloc-area.patch new file mode 100644 index 00000000000..288a6306e9c --- /dev/null +++ b/queue-4.14/ext4-allocate-extended-attribute-value-in-vmalloc-area.patch @@ -0,0 +1,45 @@ +From cc12a6f25e07ed05d5825a1664b67a970842b2ca Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Thu, 8 Dec 2022 10:32:31 +0800 +Subject: ext4: allocate extended attribute value in vmalloc area + +From: Ye Bin + +commit cc12a6f25e07ed05d5825a1664b67a970842b2ca upstream. + +Now, extended attribute value maximum length is 64K. The memory +requested here does not need continuous physical addresses, so it is +appropriate to use kvmalloc to request memory. At the same time, it +can also cope with the situation that the extended attribute will +become longer in the future. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221208023233.1231330-3-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2569,7 +2569,7 @@ static int ext4_xattr_move_to_block(hand + + is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS); + bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS); +- buffer = kmalloc(value_size, GFP_NOFS); ++ buffer = kvmalloc(value_size, GFP_NOFS); + b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS); + if (!is || !bs || !buffer || !b_entry_name) { + error = -ENOMEM; +@@ -2621,7 +2621,7 @@ static int ext4_xattr_move_to_block(hand + error = 0; + out: + kfree(b_entry_name); +- kfree(buffer); ++ kvfree(buffer); + if (is) + brelse(is->iloc.bh); + if (bs) diff --git a/queue-4.14/ext4-avoid-bug_on-when-creating-xattrs.patch b/queue-4.14/ext4-avoid-bug_on-when-creating-xattrs.patch new file mode 100644 index 00000000000..5abf620bee5 --- /dev/null +++ b/queue-4.14/ext4-avoid-bug_on-when-creating-xattrs.patch @@ -0,0 +1,53 @@ +From b40ebaf63851b3a401b0dc9263843538f64f5ce6 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 21 Nov 2022 14:09:29 +0100 +Subject: ext4: avoid BUG_ON when creating xattrs + +From: Jan Kara + +commit b40ebaf63851b3a401b0dc9263843538f64f5ce6 upstream. + +Commit fb0a387dcdcd ("ext4: limit block allocations for indirect-block +files to < 2^32") added code to try to allocate xattr block with 32-bit +block number for indirect block based files on the grounds that these +files cannot use larger block numbers. It also added BUG_ON when +allocated block could not fit into 32 bits. This is however bogus +reasoning because xattr block is stored in inode->i_file_acl and +inode->i_file_acl_hi and as such even indirect block based files can +happily use full 48 bits for xattr block number. The proper handling +seems to be there basically since 64-bit block number support was added. +So remove the bogus limitation and BUG_ON. + +Cc: Eric Sandeen +Fixes: fb0a387dcdcd ("ext4: limit block allocations for indirect-block files to < 2^32") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221121130929.32031-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -2069,19 +2069,11 @@ inserted: + + goal = ext4_group_first_block_no(sb, + EXT4_I(inode)->i_block_group); +- +- /* non-extent files can't have physical blocks past 2^32 */ +- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +- goal = goal & EXT4_MAX_BLOCK_FILE_PHYS; +- + block = ext4_new_meta_blocks(handle, inode, goal, 0, + NULL, &error); + if (error) + goto cleanup; + +- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))) +- BUG_ON(block > EXT4_MAX_BLOCK_FILE_PHYS); +- + ea_idebug(inode, "creating block %llu", + (unsigned long long)block); + diff --git a/queue-4.14/ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch b/queue-4.14/ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch new file mode 100644 index 00000000000..1003c2dc36f --- /dev/null +++ b/queue-4.14/ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch @@ -0,0 +1,42 @@ +From 8994d11395f8165b3deca1971946f549f0822630 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 Dec 2022 12:59:28 +0100 +Subject: ext4: avoid unaccounted block allocation when expanding inode + +From: Jan Kara + +commit 8994d11395f8165b3deca1971946f549f0822630 upstream. + +When expanding inode space in ext4_expand_extra_isize_ea() we may need +to allocate external xattr block. If quota is not initialized for the +inode, the block allocation will not be accounted into quota usage. Make +sure the quota is initialized before we try to expand inode space. + +Reported-by: Pengfei Xu +Link: https://lore.kernel.org/all/Y5BT+k6xWqthZc1P@xpf.sh.intel.com +Signed-off-by: Jan Kara +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221207115937.26601-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5905,6 +5905,14 @@ static int __ext4_expand_extra_isize(str + return 0; + } + ++ /* ++ * We may need to allocate external xattr block so we need quotas ++ * initialized. Here we can be called with various locks held so we ++ * cannot affort to initialize quotas ourselves. So just bail. ++ */ ++ if (dquot_initialize_needed(inode)) ++ return -EAGAIN; ++ + /* try to expand with EAs present */ + error = ext4_expand_extra_isize_ea(inode, new_extra_isize, + raw_inode, handle); diff --git a/queue-4.14/ext4-fix-error-code-return-to-user-space-in-ext4_get_branch.patch b/queue-4.14/ext4-fix-error-code-return-to-user-space-in-ext4_get_branch.patch new file mode 100644 index 00000000000..7edcef03f65 --- /dev/null +++ b/queue-4.14/ext4-fix-error-code-return-to-user-space-in-ext4_get_branch.patch @@ -0,0 +1,51 @@ +From 26d75a16af285a70863ba6a81f85d81e7e65da50 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= +Date: Wed, 9 Nov 2022 18:14:45 +0000 +Subject: ext4: fix error code return to user-space in ext4_get_branch() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luís Henriques + +commit 26d75a16af285a70863ba6a81f85d81e7e65da50 upstream. + +If a block is out of range in ext4_get_branch(), -ENOMEM will be returned +to user-space. Obviously, this error code isn't really useful. This +patch fixes it by making sure the right error code (-EFSCORRUPTED) is +propagated to user-space. EUCLEAN is more informative than ENOMEM. + +Signed-off-by: Luís Henriques +Link: https://lore.kernel.org/r/20221109181445.17843-1-lhenriques@suse.de +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -148,6 +148,7 @@ static Indirect *ext4_get_branch(struct + struct super_block *sb = inode->i_sb; + Indirect *p = chain; + struct buffer_head *bh; ++ unsigned int key; + int ret = -EIO; + + *err = 0; +@@ -156,7 +157,13 @@ static Indirect *ext4_get_branch(struct + if (!p->key) + goto no_block; + while (--depth) { +- bh = sb_getblk(sb, le32_to_cpu(p->key)); ++ key = le32_to_cpu(p->key); ++ if (key > ext4_blocks_count(EXT4_SB(sb)->s_es)) { ++ /* the block was out of range */ ++ ret = -EFSCORRUPTED; ++ goto failure; ++ } ++ bh = sb_getblk(sb, key); + if (unlikely(!bh)) { + ret = -ENOMEM; + goto failure; diff --git a/queue-4.14/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an-error-path.patch b/queue-4.14/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an-error-path.patch new file mode 100644 index 00000000000..83dc8907f90 --- /dev/null +++ b/queue-4.14/ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an-error-path.patch @@ -0,0 +1,53 @@ +From e4db04f7d3dbbe16680e0ded27ea2a65b10f766a Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Thu, 8 Dec 2022 10:32:33 +0800 +Subject: ext4: fix inode leak in ext4_xattr_inode_create() on an error path + +From: Ye Bin + +commit e4db04f7d3dbbe16680e0ded27ea2a65b10f766a upstream. + +There is issue as follows when do setxattr with inject fault: + +[localhost]# fsck.ext4 -fn /dev/sda +e2fsck 1.46.6-rc1 (12-Sep-2022) +Pass 1: Checking inodes, blocks, and sizes +Pass 2: Checking directory structure +Pass 3: Checking directory connectivity +Pass 4: Checking reference counts +Unattached zero-length inode 15. Clear? no + +Unattached inode 15 +Connect to /lost+found? no + +Pass 5: Checking group summary information + +/dev/sda: ********** WARNING: Filesystem still has errors ********** + +/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks + +This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()' +fails, dropping i_nlink of the inode is needed. Or will lead to inode leak. + +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221208023233.1231330-5-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1445,6 +1445,9 @@ static struct inode *ext4_xattr_inode_cr + if (!err) + err = ext4_inode_attach_jinode(ea_inode); + if (err) { ++ if (ext4_xattr_inode_dec_ref(handle, ea_inode)) ++ ext4_warning_inode(ea_inode, ++ "cleanup dec ref error %d", err); + iput(ea_inode); + return ERR_PTR(err); + } diff --git a/queue-4.14/ext4-init-quota-for-old.inode-in-ext4_rename.patch b/queue-4.14/ext4-init-quota-for-old.inode-in-ext4_rename.patch new file mode 100644 index 00000000000..d9d8d0efc8e --- /dev/null +++ b/queue-4.14/ext4-init-quota-for-old.inode-in-ext4_rename.patch @@ -0,0 +1,77 @@ +From fae381a3d79bb94aa2eb752170d47458d778b797 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Mon, 7 Nov 2022 09:53:35 +0800 +Subject: ext4: init quota for 'old.inode' in 'ext4_rename' + +From: Ye Bin + +commit fae381a3d79bb94aa2eb752170d47458d778b797 upstream. + +Syzbot found the following issue: +ext4_parse_param: s_want_extra_isize=128 +ext4_inode_info_init: s_want_extra_isize=32 +ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828 +__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128 +__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128 +ext4_xattr_block_set: inode=ffff88823869a2c8 +------------[ cut here ]------------ +WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980 +Modules linked in: +RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980 +RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000 +RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178 +RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e +R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000 +R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000 +FS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ? ext4_xattr_set_entry+0x3b7/0x2320 + ? ext4_xattr_block_set+0x0/0x2020 + ? ext4_xattr_set_entry+0x0/0x2320 + ? ext4_xattr_check_entries+0x77/0x310 + ? ext4_xattr_ibody_set+0x23b/0x340 + ext4_xattr_move_to_block+0x594/0x720 + ext4_expand_extra_isize_ea+0x59a/0x10f0 + __ext4_expand_extra_isize+0x278/0x3f0 + __ext4_mark_inode_dirty.cold+0x347/0x410 + ext4_rename+0xed3/0x174f + vfs_rename+0x13a7/0x2510 + do_renameat2+0x55d/0x920 + __x64_sys_rename+0x7d/0xb0 + do_syscall_64+0x3b/0xa0 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +As 'ext4_rename' will modify 'old.inode' ctime and mark inode dirty, +which may trigger expand 'extra_isize' and allocate block. If inode +didn't init quota will lead to warning. To solve above issue, init +'old.inode' firstly in 'ext4_rename'. + +Reported-by: syzbot+98346927678ac3059c77@syzkaller.appspotmail.com +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20221107015335.2524319-1-yebin@huaweicloud.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3901,6 +3901,9 @@ static int ext4_cross_rename(struct inod + retval = dquot_initialize(old.dir); + if (retval) + return retval; ++ retval = dquot_initialize(old.inode); ++ if (retval) ++ return retval; + retval = dquot_initialize(new.dir); + if (retval) + return retval; diff --git a/queue-4.14/ext4-initialize-quota-before-expanding-inode-in-setproject-ioctl.patch b/queue-4.14/ext4-initialize-quota-before-expanding-inode-in-setproject-ioctl.patch new file mode 100644 index 00000000000..157c02d32af --- /dev/null +++ b/queue-4.14/ext4-initialize-quota-before-expanding-inode-in-setproject-ioctl.patch @@ -0,0 +1,47 @@ +From 1485f726c6dec1a1f85438f2962feaa3d585526f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 Dec 2022 12:59:27 +0100 +Subject: ext4: initialize quota before expanding inode in setproject ioctl + +From: Jan Kara + +commit 1485f726c6dec1a1f85438f2962feaa3d585526f upstream. + +Make sure we initialize quotas before possibly expanding inode space +(and thus maybe needing to allocate external xattr block) in +ext4_ioctl_setproject(). This prevents not accounting the necessary +block allocation. + +Signed-off-by: Jan Kara +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20221207115937.26601-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ioctl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -390,6 +390,10 @@ static int ext4_ioctl_setproject(struct + if (ext4_is_quota_file(inode)) + return err; + ++ err = dquot_initialize(inode); ++ if (err) ++ return err; ++ + err = ext4_get_inode_loc(inode, &iloc); + if (err) + return err; +@@ -405,10 +409,6 @@ static int ext4_ioctl_setproject(struct + brelse(iloc.bh); + } + +- err = dquot_initialize(inode); +- if (err) +- return err; +- + handle = ext4_journal_start(inode, EXT4_HT_QUOTA, + EXT4_QUOTA_INIT_BLOCKS(sb) + + EXT4_QUOTA_DEL_BLOCKS(sb) + 3); diff --git a/queue-4.14/series b/queue-4.14/series index 23793d30b2c..e2165ff7d38 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -297,3 +297,10 @@ drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch ext4-add-inode-table-check-in-__ext4_get_inode_loc-to-aovid-possible-infinite-loop.patch ext4-fix-undefined-behavior-in-bit-shift-for-ext4_check_flag_values.patch ext4-fix-bug_on-in-__es_tree_search-caused-by-bad-boot-loader-inode.patch +ext4-init-quota-for-old.inode-in-ext4_rename.patch +ext4-fix-error-code-return-to-user-space-in-ext4_get_branch.patch +ext4-avoid-bug_on-when-creating-xattrs.patch +ext4-fix-inode-leak-in-ext4_xattr_inode_create-on-an-error-path.patch +ext4-initialize-quota-before-expanding-inode-in-setproject-ioctl.patch +ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch +ext4-allocate-extended-attribute-value-in-vmalloc-area.patch