From a472e527f3b04b9b1bf2fef513be253b8723455f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 12 Oct 2022 22:35:38 +0200
Subject: [PATCH] drop queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
---
 ...-after-free-bug-of-struct-nilfs_root.patch | 68 -------------------
 queue-4.9/series | 1 -
 2 files changed, 69 deletions(-)
 delete mode 100644 queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
diff --git a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch b/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
deleted file mode 100644
index bb50f39638a..00000000000
--- a/queue-4.9/nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From d325dc6eb763c10f591c239550b8c7e5466a5d09 Mon Sep 17 00:00:00 2001
-From: Ryusuke Konishi
-Date: Tue, 4 Oct 2022 00:05:19 +0900
-Subject: nilfs2: fix use-after-free bug of struct nilfs_root
-
-From: Ryusuke Konishi
-
-commit d325dc6eb763c10f591c239550b8c7e5466a5d09 upstream.
-
-If the beginning of the inode bitmap area is corrupted on disk, an inode
-with the same inode number as the root inode can be allocated and fail
-soon after. In this case, the subsequent call to nilfs_clear_inode() on
-that bogus root inode will wrongly decrement the reference counter of
-struct nilfs_root, and this will erroneously free struct nilfs_root,
-causing kernel oopses.
-
-This fixes the problem by changing nilfs_new_inode() to skip reserved
-inode numbers while repairing the inode bitmap.
-
-Link: https://lkml.kernel.org/r/20221003150519.39789-1-konishi.ryusuke@gmail.com
-Signed-off-by: Ryusuke Konishi
-Reported-by: syzbot+b8c672b0e22615c80fe0@syzkaller.appspotmail.com
-Reported-by: Khalid Masum
-Tested-by: Ryusuke Konishi
-Cc:
-Signed-off-by: Andrew Morton
-Signed-off-by: Greg Kroah-Hartman
----
- fs/nilfs2/inode.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
---- a/fs/nilfs2/inode.c
-+++ b/fs/nilfs2/inode.c
-@@ -344,6 +344,7 @@ struct inode *nilfs_new_inode(struct ino
- struct inode *inode;
- struct nilfs_inode_info *ii;
- struct nilfs_root *root;
-+ struct buffer_head *bh;
- int err = -ENOMEM;
- ino_t ino;
-
-@@ -359,11 +360,25 @@ struct inode *nilfs_new_inode(struct ino
- ii->i_state = BIT(NILFS_I_NEW);
- ii->i_root = root;
-
-- err = nilfs_ifile_create_inode(root->ifile, &ino, &ii->i_bh);
-+ err = nilfs_ifile_create_inode(root->ifile, &ino, &bh);
- if (unlikely(err))
- goto failed_ifile_create_inode;
- /* reference count of i_bh inherits from nilfs_mdt_read_block() */
-
-+ if (unlikely(ino < NILFS_USER_INO)) {
-+ nilfs_warn(sb,
-+ "inode bitmap is inconsistent for reserved inodes");
-+ do {
-+ brelse(bh);
-+ err = 
nilfs_ifile_create_inode(root->ifile, &ino, &bh);
-+ if (unlikely(err))
-+ goto failed_ifile_create_inode;
-+ } while (ino < NILFS_USER_INO);
-+
-+ nilfs_info(sb, "repaired inode bitmap for reserved inodes");
-+ }
-+ ii->i_bh = bh;
-+
- atomic64_inc(&root->inodes_count);
- inode_init_owner(inode, dir, mode);
- inode->i_ino = ino;
diff --git a/queue-4.9/series b/queue-4.9/series
index 20fbdd9790c..7226696e7da 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -25,6 +25,5 @@ um-cleanup-compiler-warning-in-arch-x86-um-tls_32.c.patch
 usb-mon-make-mmapped-memory-read-only.patch
 usb-serial-ftdi_sio-fix-300-bps-rate-for-sio.patch
 nilfs2-fix-null-pointer-dereference-at-nilfs_bmap_lookup_at_level.patch
-nilfs2-fix-use-after-free-bug-of-struct-nilfs_root.patch
 nilfs2-fix-leak-of-nilfs_root-in-case-of-writer-thread-creation-failure.patch
 nilfs2-replace-warn_ons-by-nilfs_error-for-checkpoint-acquisition-failure.patch
-- 
2.47.3