From: Greg Kroah-Hartman
Date: Tue, 10 Jan 2023 15:57:54 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v5.15.87~19
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f45c88c7850af7d7286d84510261b8f58c8112fd;p=thirdparty%2Fkernel%2Fstable-queue.git
4.14-stable patches
added patches:
hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
hfs-hfsplus-use-warn_on-for-sanity-check.patch
---
diff --git a/queue-4.14/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch b/queue-4.14/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
new file mode 100644
index 00000000000..5fedfcd1da0
--- /dev/null
+++ b/queue-4.14/hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
@@ -0,0 +1,90 @@
+From cb7a95af78d29442b8294683eca4897544b8ef46 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Wed, 4 Jan 2023 11:06:28 -0800
+Subject: hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
+
+From: Linus Torvalds
+
+commit cb7a95af78d29442b8294683eca4897544b8ef46 upstream.
+
+Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed
+a build warning by turning a comment into a WARN_ON(), but it turns out
+that syzbot then complains because it can trigger said warning with a
+corrupted hfs image.
+
+The warning actually does warn about a bad situation, but we are much
+better off just handling it as the error it is. So rather than warn
+about us doing bad things, stop doing the bad things and return -EIO.
+
+While at it, also fix a memory leak that was introduced by an earlier
+fix for a similar syzbot warning situation, and add a check for one case
+that historically wasn't handled at all (ie neither comment nor
+subsequent WARN_ON).
+
+Reported-by: syzbot+7bb7cd3595533513a9e7@syzkaller.appspotmail.com
+Fixes: 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check")
+Fixes: 8d824e69d9f3 ("hfs: fix OOB Read in __hfs_brec_find")
+Link: https://lore.kernel.org/lkml/000000000000dbce4e05f170f289@google.com/
+Tested-by: Michael Schmitz
+Cc: Arnd Bergmann
+Cc: Matthew Wilcox
+Cc: Viacheslav Dubeyko
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/hfs/inode.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -453,15 +453,16 @@ int hfs_write_inode(struct inode *inode,
+ /* panic? */
+ return -EIO;
+
++ res = -EIO;
+ if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
+- return -EIO;
++ goto out;
+ fd.search_key->cat = HFS_I(main_inode)->cat_key;
+ if (hfs_brec_find(&fd))
+- /* panic? */
+ goto out;
+
+ if (S_ISDIR(main_inode->i_mode)) {
+- WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
++ if (fd.entrylength < sizeof(struct hfs_cat_dir))
++ goto out;
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_dir));
+ if (rec.type != HFS_CDR_DIR ||
+@@ -474,6 +475,8 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_dir));
+ } else if (HFS_IS_RSRC(inode)) {
++ if (fd.entrylength < sizeof(struct hfs_cat_file))
++ goto out;
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ hfs_inode_write_fork(inode, rec.file.RExtRec,
+@@ -481,7 +484,8 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ } else {
+- WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
++ if (fd.entrylength < sizeof(struct hfs_cat_file))
++ goto out;
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ if (rec.type != HFS_CDR_FIL ||
+@@ -498,9 +502,10 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ }
++ res = 0;
+ out:
+ hfs_find_exit(&fd);
+- return 0;
++ return res;
+ }
+
+ static struct dentry *hfs_file_lookup(struct inode *dir, struct dentry *dentry,
diff --git a/queue-4.14/hfs-hfsplus-use-warn_on-for-sanity-check.patch b/queue-4.14/hfs-hfsplus-use-warn_on-for-sanity-check.patch
new file mode 100644
index 00000000000..e5630fed88f
--- /dev/null
+++ b/queue-4.14/hfs-hfsplus-use-warn_on-for-sanity-check.patch
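Review bot: The resource-fork branch (`else if (HFS_IS_RSRC(inode))`) gains a length check in the `@@ -474,6 +475,8 @@` hunk, but the lines shown never test `rec.type` before `hfs_inode_write_fork()` and `hfs_bnode_write()` modify the record, whereas the directory and plain-file branches carry visible `rec.type != HFS_CDR_DIR` and `rec.type != HFS_CDR_FIL` tests. On a corrupted image, a catalog record of another type that happens to be long enough would be rewritten as if it were a file record. Consider adding `if (rec.type != HFS_CDR_FIL) goto out;` right after the `hfs_bnode_read()` in that branch, which returns -EIO through the new `res` default. One line of the branch falls between two hunks and the start of hfs_write_inode is outside the patch, so this should be confirmed against the full function.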
@@ -0,0 +1,118 @@
+From 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 8 Nov 2021 18:35:04 -0800
+Subject: hfs/hfsplus: use WARN_ON for sanity check
+
+From: Arnd Bergmann
+
+commit 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb upstream.
+
+gcc warns about a couple of instances in which a sanity check exists but
+the author wasn't sure how to react to it failing, which makes it look
+like a possible bug:
+
+ fs/hfsplus/inode.c: In function 'hfsplus_cat_read_inode':
+ fs/hfsplus/inode.c:503:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 503 | /* panic? */;
+ | ^
+ fs/hfsplus/inode.c:524:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 524 | /* panic? */;
+ | ^
+ fs/hfsplus/inode.c: In function 'hfsplus_cat_write_inode':
+ fs/hfsplus/inode.c:582:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 582 | /* panic? */;
+ | ^
+ fs/hfsplus/inode.c:608:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 608 | /* panic? */;
+ | ^
+ fs/hfs/inode.c: In function 'hfs_write_inode':
+ fs/hfs/inode.c:464:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 464 | /* panic? */;
+ | ^
+ fs/hfs/inode.c:485:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
+ 485 | /* panic? */;
+ | ^
+
+panic() is probably not the correct choice here, but a WARN_ON
+seems appropriate and avoids the compile-time warning.
+
+Link: https://lkml.kernel.org/r/20210927102149.1809384-1-arnd@kernel.org
+Link: https://lore.kernel.org/all/20210322223249.2632268-1-arnd@kernel.org/
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Christian Brauner
+Cc: Alexander Viro
+Cc: Christian Brauner
+Cc: Greg Kroah-Hartman
+Cc: Jan Kara
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/hfs/inode.c | 6 ++----
+ fs/hfsplus/inode.c | 12 ++++--------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+--- a/fs/hfs/inode.c
++++ b/fs/hfs/inode.c
+@@ -461,8 +461,7 @@ int hfs_write_inode(struct inode *inode,
+ goto out;
+
+ if (S_ISDIR(main_inode->i_mode)) {
+- if (fd.entrylength < sizeof(struct hfs_cat_dir))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_dir));
+ if (rec.type != HFS_CDR_DIR ||
+@@ -482,8 +481,7 @@ int hfs_write_inode(struct inode *inode,
+ hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ } else {
+- if (fd.entrylength < sizeof(struct hfs_cat_file))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
+ sizeof(struct hfs_cat_file));
+ if (rec.type != HFS_CDR_FIL ||
+--- a/fs/hfsplus/inode.c
++++ b/fs/hfsplus/inode.c
+@@ -488,8 +488,7 @@ int hfsplus_cat_read_inode(struct inode
+ if (type == HFSPLUS_FOLDER) {
+ struct hfsplus_cat_folder *folder = &entry.folder;
+
+- if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
+- /* panic? */;
++ WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder));
+ hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
+ sizeof(struct hfsplus_cat_folder));
+ hfsplus_get_perms(inode, &folder->permissions, 1);
+@@ -509,8 +508,7 @@ int hfsplus_cat_read_inode(struct inode
+ } else if (type == HFSPLUS_FILE) {
+ struct hfsplus_cat_file *file = &entry.file;
+
+- if (fd->entrylength < sizeof(struct hfsplus_cat_file))
+- /* panic? */;
++ WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file));
+ hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
+ sizeof(struct hfsplus_cat_file));
+
+@@ -567,8 +565,7 @@ int hfsplus_cat_write_inode(struct inode
+ if (S_ISDIR(main_inode->i_mode)) {
+ struct hfsplus_cat_folder *folder = &entry.folder;
+
+- if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder));
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+ sizeof(struct hfsplus_cat_folder));
+ /* simple node checks? */
+@@ -593,8 +590,7 @@ int hfsplus_cat_write_inode(struct inode
+ } else {
+ struct hfsplus_cat_file *file = &entry.file;
+
+- if (fd.entrylength < sizeof(struct hfsplus_cat_file))
+- /* panic? */;
++ WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file));
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+ sizeof(struct hfsplus_cat_file));
+ hfsplus_inode_write_fork(inode, &file->data_fork);
diff --git a/queue-4.14/series b/queue-4.14/series
index b7bb8f02021..35edd46b7f9 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -316,3 +316,5 @@ caif-fix-memory-leak-in-cfctrl_linkup_request.patch
 udf-fix-extension-of-the-last-extent-in-the-file.patch
 x86-bugs-flush-ibp-in-ib_prctl_set.patch
 nfsd-fix-handling-of-readdir-in-v4root-vs.-mount-upcall-timeout.patch
+hfs-hfsplus-use-warn_on-for-sanity-check.patch
+hfs-hfsplus-avoid-warn_on-for-sanity-check-use-proper-error-handling.patch
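Review bot: The four `WARN_ON(...entrylength < sizeof(...))` sites that hfs-hfsplus-use-warn_on-for-sanity-check.patch adds to fs/hfsplus/inode.c are left in place by this queue, because the follow-up patch queued with it touches only fs/hfs/inode.c (its diffstat lists one file). Each site still falls through to `hfs_bnode_read()` with the full struct size, so a corrupted hfsplus image can fire the warning (a panic where panic_on_warn is set) and then have a short record parsed as a full one. The hfsplus sites want the same conversion as hfs: a plain `if (fd->entrylength < sizeof(struct hfsplus_cat_folder))` (and the `hfsplus_cat_file` equivalents) that takes an -EIO error return instead of warning. The bodies of hfsplus_cat_read_inode and hfsplus_cat_write_inode start and end outside these hunks, so the exact exit path has to be taken from the full functions.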