From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 14:42:05 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.1.105~38 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0201e115a3f56062b09399326c146e060946d50;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: xfs-fix-log-recovery-buffer-allocation-for-the-legacy-h_size-fixup.patch --- diff --git a/queue-5.15/series b/queue-5.15/series index cb83b4e8d79..a7b140eb8d9 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -484,3 +484,4 @@ selftests-mptcp-join-validate-backup-in-mpj.patch selftests-mptcp-join-check-backup-support-in-signal-endp.patch btrfs-fix-corruption-after-buffer-fault-in-during-direct-io-append-write.patch ipv6-fix-source-address-selection-with-route-leak.patch +xfs-fix-log-recovery-buffer-allocation-for-the-legacy-h_size-fixup.patch diff --git a/queue-5.15/xfs-fix-log-recovery-buffer-allocation-for-the-legacy-h_size-fixup.patch b/queue-5.15/xfs-fix-log-recovery-buffer-allocation-for-the-legacy-h_size-fixup.patch new file mode 100644 index 00000000000..fe0f157c99c --- /dev/null +++ b/queue-5.15/xfs-fix-log-recovery-buffer-allocation-for-the-legacy-h_size-fixup.patch @@ -0,0 +1,72 @@ +From 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Tue, 30 Apr 2024 06:07:55 +0200 +Subject: xfs: fix log recovery buffer allocation for the legacy h_size fixup + +From: Christoph Hellwig + +commit 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a upstream. + +Commit a70f9fe52daa ("xfs: detect and handle invalid iclog size set by +mkfs") added a fixup for incorrect h_size values used for the initial +umount record in old xfsprogs versions. Later commit 0c771b99d6c9 +("xfs: clean up calculation of LR header blocks") cleaned up the log +reover buffer calculation, but stoped using the fixed up h_size value +to size the log recovery buffer, which can lead to an out of bounds +access when the incorrect h_size does not come from the old mkfs +tool, but a fuzzer. + +Fix this by open coding xlog_logrec_hblks and taking the fixed h_size +into account for this calculation. + +Fixes: 0c771b99d6c9 ("xfs: clean up calculation of LR header blocks") +Reported-by: Sam Sun +Signed-off-by: Christoph Hellwig +Reviewed-by: Brian Foster +Reviewed-by: "Darrick J. Wong" +Signed-off-by: Chandan Babu R +Signed-off-by: Kevin Berry +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_log_recover.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/fs/xfs/xfs_log_recover.c ++++ b/fs/xfs/xfs_log_recover.c +@@ -2972,7 +2972,7 @@ xlog_do_recovery_pass( + int error = 0, h_size, h_len; + int error2 = 0; + int bblks, split_bblks; +- int hblks, split_hblks, wrapped_hblks; ++ int hblks = 1, split_hblks, wrapped_hblks; + int i; + struct hlist_head rhash[XLOG_RHASH_SIZE]; + LIST_HEAD (buffer_list); +@@ -3028,14 +3028,22 @@ xlog_do_recovery_pass( + if (error) + goto bread_err1; + +- hblks = xlog_logrec_hblks(log, rhead); +- if (hblks != 1) { +- kmem_free(hbp); +- hbp = xlog_alloc_buffer(log, hblks); ++ /* ++ * This open codes xlog_logrec_hblks so that we can reuse the ++ * fixed up h_size value calculated above. Without that we'd ++ * still allocate the buffer based on the incorrect on-disk ++ * size. ++ */ ++ if (h_size > XLOG_HEADER_CYCLE_SIZE && ++ (rhead->h_version & cpu_to_be32(XLOG_VERSION_2))) { ++ hblks = DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE); ++ if (hblks > 1) { ++ kmem_free(hbp); ++ hbp = xlog_alloc_buffer(log, hblks); ++ } + } + } else { + ASSERT(log->l_sectBBsize == 1); +- hblks = 1; + hbp = xlog_alloc_buffer(log, 1); + h_size = XLOG_BIG_RECORD_BSIZE; + }