From 9a2d1378ce688431002654bc00a6f51949b0b65d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 6 May 2023 16:00:05 +0900
Subject: [PATCH] 4.14-stable patches

added patches:
 revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch
 ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch
 ubifs-free-memory-for-tmpfile-name.patch
---
 ...e-fix-memleak-in-error-handling-path.patch | 47 ++++++++++++++
 queue-4.14/series | 3 +
 ...rite-issue-in-try_write_vid_and_data.patch | 63 +++++++++++++++++++
 .../ubifs-free-memory-for-tmpfile-name.patch | 52 +++++++++++++++
 4 files changed, 165 insertions(+)
 create mode 100644 queue-4.14/revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch
 create mode 100644 queue-4.14/ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch
 create mode 100644 queue-4.14/ubifs-free-memory-for-tmpfile-name.patch
diff --git a/queue-4.14/revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch b/queue-4.14/revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch
new file mode 100644
index 00000000000..e4ee3415d37
--- /dev/null
+++ b/queue-4.14/revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch
@@ -0,0 +1,47 @@
+From 7d01cb27f6aebc54efbe28d8961a973b8f795b13 Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng
+Date: Wed, 1 Mar 2023 20:29:18 +0800
+Subject: Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
+
+From: Zhihao Cheng
+
+commit 7d01cb27f6aebc54efbe28d8961a973b8f795b13 upstream.
+
+This reverts commit 122deabfe1428 (ubifs: dirty_cow_znode: Fix memleak
+in error handling path).
+After commit 122deabfe1428 applied, if insert_old_idx() failed, old
+index neither exists in TNC nor in old-index tree. Which means that
+old index node could be overwritten in layout_leb_in_gaps(), then
+ubifs image will be corrupted in power-cut.
+
+Fixes: 122deabfe1428 (ubifs: dirty_cow_znode: Fix memleak ... path)
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/tnc.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/fs/ubifs/tnc.c
++++ b/fs/ubifs/tnc.c
+@@ -279,18 +279,11 @@ static struct ubifs_znode *dirty_cow_zno
+ if (zbr->len) {
+ err = insert_old_idx(c, zbr->lnum, zbr->offs);
+ if (unlikely(err))
+- /*
+- * Obsolete znodes will be freed by tnc_destroy_cnext()
+- * or free_obsolete_znodes(), copied up znodes should
+- * be added back to tnc and freed by
+- * ubifs_destroy_tnc_subtree().
+- */
+- goto out;
++ return ERR_PTR(err);
+ err = add_idx_dirt(c, zbr->lnum, zbr->len);
+ } else
+ err = 0;
+
+-out:
+ zbr->znode = zn;
+ zbr->lnum = 0;
+ zbr->offs = 0;
diff --git a/queue-4.14/series b/queue-4.14/series
index f4bd698ee43..55287c90bd5 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
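Review bot: The restored `return ERR_PTR(err);` in dirty_cow_znode() exits before `zbr->znode = zn;`, so when insert_old_idx() fails the copy held in `zn` is not attached to the branch; this is presumably the leak the reverted commit was fixing, and it comes back with no trace in the code. Preferring a bounded leak over an old index node that can be overwritten is the right order of priorities for on-flash integrity, but the trade-off should be recorded at the return, for example `/* zn is deliberately not attached: the old index must stay protected; zn is leaked on this path */`. The allocation of `zn` and the remainder of the function are outside the hunk, so whether `zn` could be freed safely at this point cannot be judged from here.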
@@ -10,3 +10,6 @@ mips-fw-allow-firmware-to-pass-a-empty-env.patch
 ring-buffer-sync-irq-works-before-buffer-destruction.patch
 reiserfs-add-security-prefix-to-xattr-name-in-reiserfs_security_write.patch
 i2c-omap-fix-standard-mode-false-ack-readings.patch
+revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch
+ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch
+ubifs-free-memory-for-tmpfile-name.patch
diff --git a/queue-4.14/ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch b/queue-4.14/ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch
new file mode 100644
index 00000000000..9b23682a9a8
--- /dev/null
+++ b/queue-4.14/ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch
@@ -0,0 +1,63 @@
+From 31a149d5c13c4cbcf97de3435817263a2d8c9d6e Mon Sep 17 00:00:00 2001
+From: Wang YanQing
+Date: Tue, 28 Mar 2023 23:35:34 +0800
+Subject: ubi: Fix return value overwrite issue in try_write_vid_and_data()
+
+From: Wang YanQing
+
+commit 31a149d5c13c4cbcf97de3435817263a2d8c9d6e upstream.
+
+The commit 2d78aee426d8 ("UBI: simplify LEB write and atomic LEB change code")
+adds helper function, try_write_vid_and_data(), to simplify the code, but this
+helper function has bug, it will return 0 (success) when ubi_io_write_vid_hdr()
+or the ubi_io_write_data() return error number (-EIO, etc), because the return
+value of ubi_wl_put_peb() will overwrite the original return value.
+
+This issue will cause unexpected data loss issue, because the caller of this
+function and UBIFS willn't know the data is lost.
+
+Fixes: 2d78aee426d8 ("UBI: simplify LEB write and atomic LEB change code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wang YanQing
+Reviewed-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/ubi/eba.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -943,7 +943,7 @@ static int try_write_vid_and_data(struct
+ int offset, int len)
+ {
+ struct ubi_device *ubi = vol->ubi;
+- int pnum, opnum, err, vol_id = vol->vol_id;
++ int pnum, opnum, err, err2, vol_id = vol->vol_id;
+
+ pnum = ubi_wl_get_peb(ubi);
+ if (pnum < 0) {
+@@ -978,10 +978,19 @@ static int try_write_vid_and_data(struct
+ out_put:
+ up_read(&ubi->fm_eba_sem);
+
+- if (err && pnum >= 0)
+- err = ubi_wl_put_peb(ubi, vol_id, lnum, pnum, 1);
+- else if (!err && opnum >= 0)
+- err = ubi_wl_put_peb(ubi, vol_id, lnum, opnum, 0);
++ if (err && pnum >= 0) {
++ err2 = ubi_wl_put_peb(ubi, vol_id, lnum, pnum, 1);
++ if (err2) {
++ ubi_warn(ubi, "failed to return physical eraseblock %d, error %d",
++ pnum, err2);
++ }
++ } else if (!err && opnum >= 0) {
++ err2 = ubi_wl_put_peb(ubi, vol_id, lnum, opnum, 0);
++ if (err2) {
++ ubi_warn(ubi, "failed to return physical eraseblock %d, error %d",
++ opnum, err2);
++ }
++ }
+
+ return err;
+ }
diff --git a/queue-4.14/ubifs-free-memory-for-tmpfile-name.patch b/queue-4.14/ubifs-free-memory-for-tmpfile-name.patch
new file mode 100644
index 00000000000..297b1483997
--- /dev/null
+++ b/queue-4.14/ubifs-free-memory-for-tmpfile-name.patch
@@ -0,0 +1,52 @@
+From 1fb815b38bb31d6af9bd0540b8652a0d6fe6cfd3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Lindahl?=
+Date: Thu, 30 Mar 2023 11:32:14 +0200
+Subject: ubifs: Free memory for tmpfile name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MÃ¥rten Lindahl
+
+commit 1fb815b38bb31d6af9bd0540b8652a0d6fe6cfd3 upstream.
+
+When opening a ubifs tmpfile on an encrypted directory, function
+fscrypt_setup_filename allocates memory for the name that is to be
+stored in the directory entry, but after the name has been copied to the
+directory entry inode, the memory is not freed.
+
+When running kmemleak on it we see that it is registered as a leak. The
+report below is triggered by a simple program 'tmpfile' just opening a
+tmpfile:
+
+ unreferenced object 0xffff88810178f380 (size 32):
+ comm "tmpfile", pid 509, jiffies 4294934744 (age 1524.742s)
+ backtrace:
+ __kmem_cache_alloc_node
+ __kmalloc
+ fscrypt_setup_filename
+ ubifs_tmpfile
+ vfs_tmpfile
+ path_openat
+
+Free this memory after it has been copied to the inode.
+
+Signed-off-by: MÃ¥rten Lindahl
+Reviewed-by: Zhihao Cheng
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ubifs/dir.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -462,6 +462,7 @@ static int do_tmpfile(struct inode *dir,
+ mutex_unlock(&dir_ui->ui_mutex);
+
+ ubifs_release_budget(c, &req);
++ fscrypt_free_filename(&nm);
+
+ return 0;
+
--
2.47.3
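Review bot: In the `else if (!err && opnum >= 0)` branch of try_write_vid_and_data() a failure of ubi_wl_put_peb() on the old eraseblock is now only logged and the function returns 0, where the old code returned that error to the caller. The commit message covers only the error-path overwrite, so this second behaviour change should be stated at the branch, e.g. `/* write succeeded; a failure to release the old PEB is logged, not returned */`. Both `ubi_warn()` calls print the same text, so a log reader cannot tell whether the new or the old eraseblock was not returned. Using `"failed to return old physical eraseblock %d, error %d"` in the second branch would separate them. The function begins outside the hunk.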