From 2f222e91f11f4ecc2cb1bebb12e94fc856d1b29c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 16 Jul 2024 15:30:40 +0200
Subject: [PATCH] 6.1-stable patches

added patches:
nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
---
 ...rename-operation-of-broken-directory.patch | 78 +++++++++++++++++++
 queue-6.1/series | 1 +
 2 files changed, 79 insertions(+)
 create mode 100644 queue-6.1/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch

diff --git a/queue-6.1/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch b/queue-6.1/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
new file mode 100644
index 00000000000..ed46a3e48d8
--- /dev/null
+++ b/queue-6.1/nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
@@ -0,0 +1,78 @@
+From a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi
+Date: Sat, 29 Jun 2024 01:51:07 +0900
+Subject: nilfs2: fix kernel bug on rename operation of broken directory
+
+From: Ryusuke Konishi
+
+commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
+
+Syzbot reported that in rename directory operation on broken directory on
+nilfs2, __block_write_begin_int() called to prepare block write may fail
+BUG_ON check for access exceeding the folio/page size.
+
+This is because nilfs_dotdot(), which gets parent directory reference
+entry ("..") of the directory to be moved or renamed, does not check
+consistency enough, and may return location exceeding folio/page size for
+broken directories.
+
+Fix this issue by checking required directory entries ("." and "..") in
+the first chunk of the directory in nilfs_dotdot().
+
+Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi
+Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
+Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
+Tested-by: Ryusuke Konishi
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nilfs2/dir.c | 32 ++++++++++++++++++++++++++++++--
+ 1 file changed, 30 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -396,11 +396,39 @@ found:
+ 
+ struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p)
+ {
+- struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p);
++ struct page *page;
++ struct nilfs_dir_entry *de, *next_de;
++ size_t limit;
++ char *msg;
+ 
++ de = nilfs_get_page(dir, 0, &page);
+ if (IS_ERR(de))
+ return NULL;
+- return nilfs_next_entry(de);
++
++ limit = nilfs_last_byte(dir, 0); /* is a multiple of chunk size */
++ if (unlikely(!limit || le64_to_cpu(de->inode) != dir->i_ino ||
++ !nilfs_match(1, ".", de))) {
++ msg = "missing '.'";
++ goto fail;
++ }
++
++ next_de = nilfs_next_entry(de);
++ /*
++ * If "next_de" has not reached the end of the chunk, there is
++ * at least one more record. Check whether it matches "..".
++ */
++ if (unlikely((char *)next_de == (char *)de + nilfs_chunk_size(dir) ||
++ !nilfs_match(2, "..", next_de))) {
++ msg = "missing '..'";
++ goto fail;
++ }
++ *p = page;
++ return next_de;
++
++fail:
++ nilfs_error(dir->i_sb, "directory #%lu %s", dir->i_ino, msg);
++ nilfs_put_page(page);
++ return NULL;
+ }
+ 
+ ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
diff --git a/queue-6.1/series b/queue-6.1/series
index 0f364c30167..39f7e462b9b 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -80,3 +80,4 @@ misc-fastrpc-copy-the-complete-capability-structure-to-user.patch
 x86-retpoline-move-a-noendbr-annotation-to-the-srso-dummy-return-thunk.patch
 cifs-use-origin-fullpath-for-automounts.patch
 bpf-allow-reads-from-uninit-stack.patch
+nilfs2-fix-kernel-bug-on-rename-operation-of-broken-directory.patch
-- 
2.47.3
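Review bot: The end-of-chunk test in the new nilfs_dotdot() only catches `next_de` landing exactly on the chunk boundary, so it is safe only if every rec_len in the page was already validated before this function runs; otherwise an oversized "." record would carry `next_de` past the chunk and the following nilfs_match() would read beyond it. I infer that validation happens in nilfs_get_page() (the ext2-style page check this file resembles, outside the hunk), but the code does not say so, and a later change to that check would silently turn this equality test into an out-of-bounds read. I would extend the block comment above the check with a line such as `* nilfs_get_page() has validated each rec_len, so next_de cannot overshoot the chunk; equality means "." was the only record.` Minor: `msg` only ever points at string literals and should be declared `const char *msg;`. The function nilfs_dotdot() lies entirely inside the hunk, so the note applies to the whole body as shown.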