From: Greg Kroah-Hartman
Date: Mon, 20 Nov 2023 15:38:49 +0000 (+0100)
Subject: drop queue-5.15/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch
X-Git-Tag: v4.14.331~139
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b329cb6bcd1c1cd31e56936d470a6a2050b6e943;p=thirdparty%2Fkernel%2Fstable-queue.git

drop queue-5.15/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch

broke the build
---

diff --git a/queue-5.15/series b/queue-5.15/series
index 7bb56c6efbe..544cae80a7f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -149,7 +149,6 @@ xfs-prevent-a-uaf-when-log-io-errors-race-with-unmou.patch
 xfs-flush-inode-gc-workqueue-before-clearing-agi-buc.patch
 xfs-fix-use-after-free-in-xattr-node-block-inactivat.patch
 xfs-don-t-leak-memory-when-attr-fork-loading-fails.patch
-xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch
 xfs-fix-intermittent-hang-during-quotacheck.patch
 xfs-add-missing-cmap-br_state-xfs_ext_norm-update.patch
 xfs-fix-false-enospc-when-performing-direct-write-on.patch
diff --git a/queue-5.15/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch b/queue-5.15/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch
deleted file mode 100644
index 3dd2f2d8954..00000000000
--- a/queue-5.15/xfs-fix-null-pointer-dereference-in-xfs_getbmap.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 79cf525cf24d0528b8147c8c6b07b76b953f122f Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 15 Nov 2023 18:28:25 -0800
-Subject: xfs: fix NULL pointer dereference in xfs_getbmap()
-
-From: ChenXiaoSong
-
-[ Upstream commit 001c179c4e26d04db8c9f5e3fef9558b58356be6 ]
-
-Reproducer:
- 1. fallocate -l 100M image
- 2. mkfs.xfs -f image
- 3. mount image /mnt
- 4. setxattr("/mnt", "trusted.overlay.upper", NULL, 0, XATTR_CREATE)
- 5. char arg[32] = "\x01\xff\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00"
- "\x00\x00\x00\x00\x00\x08\x00\x00\x00\xc6\x2a\xf7";
- fd = open("/mnt", O_RDONLY|O_DIRECTORY);
- ioctl(fd, _IOC(_IOC_READ|_IOC_WRITE, 0x58, 0x2c, 0x20), arg);
-
-NULL pointer dereference will occur when race happens between xfs_getbmap()
-and xfs_bmap_set_attrforkoff():
-
- ioctl | setxattr
- ----------------------------|---------------------------
- xfs_getbmap |
- xfs_ifork_ptr |
- xfs_inode_has_attr_fork |
- ip->i_forkoff == 0 |
- return NULL |
- ifp == NULL |
- | xfs_bmap_set_attrforkoff
- | ip->i_forkoff > 0
- xfs_inode_has_attr_fork |
- ip->i_forkoff > 0 |
- ifp == NULL |
- ifp->if_format |
-
-Fix this by locking i_lock before xfs_ifork_ptr().
-
-Fixes: abbf9e8a4507 ("xfs: rewrite getbmap using the xfs_iext_* helpers")
-Signed-off-by: ChenXiaoSong
-Signed-off-by: Guo Xuenan
-Reviewed-by: Darrick J. Wong
-[djwong: added fixes tag]
-Signed-off-by: Darrick J.
Wong -Signed-off-by: Leah Rumancik -Acked-by: Chandan Babu R -Signed-off-by: Sasha Levin ---- - fs/xfs/xfs_bmap_util.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c -index fd2ad6a3019ca..bea6cc26abf99 100644 ---- a/fs/xfs/xfs_bmap_util.c -+++ b/fs/xfs/xfs_bmap_util.c -@@ -439,29 +439,28 @@ xfs_getbmap( - whichfork = XFS_COW_FORK; - else - whichfork = XFS_DATA_FORK; -- ifp = XFS_IFORK_PTR(ip, whichfork); - - xfs_ilock(ip, XFS_IOLOCK_SHARED); - switch (whichfork) { - case XFS_ATTR_FORK: -+ lock = xfs_ilock_attr_map_shared(ip); - if (!XFS_IFORK_Q(ip)) -- goto out_unlock_iolock; -+ goto out_unlock_ilock; - - max_len = 1LL << 32; -- lock = xfs_ilock_attr_map_shared(ip); - break; - case XFS_COW_FORK: -+ lock = XFS_ILOCK_SHARED; -+ xfs_ilock(ip, lock); -+ - /* No CoW fork? Just return */ -- if (!ifp) -- goto out_unlock_iolock; -+ if (!XFS_IFORK_PTR(ip, whichfork)) -+ goto out_unlock_ilock; - - if (xfs_get_cowextsz_hint(ip)) - max_len = mp->m_super->s_maxbytes; - else - max_len = XFS_ISIZE(ip); -- -- lock = XFS_ILOCK_SHARED; -- xfs_ilock(ip, lock); - break; - case XFS_DATA_FORK: - if (!(iflags & BMV_IF_DELALLOC) && -@@ -491,6 +490,8 @@ xfs_getbmap( - break; - } - -+ ifp = XFS_IFORK_PTR(ip, whichfork); -+ - switch (ifp->if_format) { - case XFS_DINODE_FMT_EXTENTS: - case XFS_DINODE_FMT_BTREE: --- -2.42.0 -