android_kernel_msm-6.1_noth.../fs
Ryusuke Konishi 8e63b1fd24 nilfs2: fix buffer corruption due to concurrent device reads
commit 679bd7ebdd315bf457a4740b306ae99f1d0a403d upstream.

As a result of analysis of a syzbot report, it turned out that in three
cases where nilfs2 allocates block device buffers directly via sb_getblk,
concurrent reads to the device can corrupt the allocated buffers.

Nilfs2 uses sb_getblk for segment summary blocks, that make up a log
header, and the super root block, that is the trailer, and when moving and
writing the second super block after fs resize.

In any of these, since the uptodate flag is not set when storing metadata
to be written in the allocated buffers, the stored metadata will be
overwritten if a device read of the same block occurs concurrently before
the write.  This causes metadata corruption and misbehavior in the log
write itself, causing warnings in nilfs_btree_assign() as reported.

Fix these issues by setting an uptodate flag on the buffer head on the
first or before modifying each buffer obtained with sb_getblk, and
clearing the flag on failure.

When setting the uptodate flag, the lock_buffer/unlock_buffer pair is used
to perform necessary exclusive control, and the buffer is filled to ensure
that uninitialized bytes are not mixed into the data read from others.  As
for buffers for segment summary blocks, they are filled incrementally, so
if the uptodate flag was unset on their allocation, set the flag and zero
fill the buffer once at that point.

Also, regarding the superblock move routine, the starting point of the
memset call to zerofill the block is incorrectly specified, which can
cause a buffer overflow on file systems with block sizes greater than
4KiB.  In addition, if the superblock is moved within a large block, it is
necessary to assume the possibility that the data in the superblock will
be destroyed by zero-filling before copying.  So fix these potential
issues as well.

Link: https://lkml.kernel.org/r/20230609035732.20426-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+31837fe952932efc8fb9@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/00000000000030000a05e981f475@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-06-28 11:12:22 +02:00
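The two defects the commit message describes, modelled in user-space C as an added example (this is not nilfs2 or kernel code, and the struct names, block size, superblock size and offsets are assumptions made for illustration). The first part shows why a buffer obtained from sb_getblk() must be marked uptodate before metadata is stored in it: the buffer cache only fetches a block from the device when the buffer is not already uptodate, so a read that lands after the store and before the log write replaces the metadata. The second part shows the safe order for moving a superblock inside one block larger than 4KiB: save the superblock bytes, zero the block within its real bounds, then place the copy. The lock_buffer()/unlock_buffer() serialisation against in-flight I/O is not modelled; only the flag logic is.

```c
/*
 * Added example (not nilfs2 or kernel code): a user-space model of the
 * BH_Uptodate race and of the in-block superblock move described above.
 * Names, sizes and offsets are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 8192   /* assumed: a block size larger than 4KiB */
#define SB_SIZE    1024   /* assumed superblock size */

/* Minimal buffer-head model: cached contents plus the uptodate flag. */
struct model_bh {
    unsigned char data[BLOCK_SIZE];
    bool uptodate;
};

/* Constructed "on-disk" contents of the block being cached. */
static unsigned char disk_block[BLOCK_SIZE];

/* Model of sb_getblk(): hands out a buffer with stale contents and the
 * uptodate flag clear; nothing is read from the device. */
static void model_getblk(struct model_bh *bh)
{
    memset(bh->data, 0xAA, BLOCK_SIZE);
    bh->uptodate = false;
}

/* Model of a concurrent device read of the same block: the buffer cache
 * only fetches from the device when the buffer is not already uptodate. */
static void model_device_read(struct model_bh *bh)
{
    if (bh->uptodate)
        return;
    memcpy(bh->data, disk_block, BLOCK_SIZE);
    bh->uptodate = true;
}

/* Before the fix: metadata is stored without claiming the buffer. */
static void store_metadata_buggy(struct model_bh *bh, const void *md, size_t n)
{
    memcpy(bh->data, md, n);
}

/* After the fix: zero-fill once (so no uninitialised bytes can leak) and
 * set uptodate before storing; the kernel does this under lock_buffer(). */
static void store_metadata_fixed(struct model_bh *bh, const void *md, size_t n)
{
    if (!bh->uptodate) {
        memset(bh->data, 0, BLOCK_SIZE);
        bh->uptodate = true;            /* set_buffer_uptodate() */
    }
    memcpy(bh->data, md, n);
}

/* Interleaving from the report: getblk, store metadata, then a device
 * read of the same block lands before the log write. Returns whether
 * the stored metadata survived the read. */
static bool metadata_survives_read(bool use_fix)
{
    static const char hdr[] = "segment-summary"; /* constructed sample */
    struct model_bh bh;

    memset(disk_block, 0x55, BLOCK_SIZE);         /* old on-disk bytes */
    model_getblk(&bh);
    if (use_fix)
        store_metadata_fixed(&bh, hdr, sizeof hdr);
    else
        store_metadata_buggy(&bh, hdr, sizeof hdr);
    model_device_read(&bh);
    return memcmp(bh.data, hdr, sizeof hdr) == 0;
}

/* Superblock move within one block: save the superblock first, zero the
 * whole block (and only the block), then place the copy at the new
 * offset. The bounds check rejects offsets that would run past the
 * block. Returns 0 on success, -1 on a bad offset or size. */
static int move_superblock(unsigned char *block, size_t block_size,
                           size_t src_off, size_t dst_off)
{
    unsigned char saved[SB_SIZE];

    if (block_size < SB_SIZE ||
        src_off > block_size - SB_SIZE || dst_off > block_size - SB_SIZE)
        return -1;
    memcpy(saved, block + src_off, SB_SIZE);   /* before any zero-fill */
    memset(block, 0, block_size);              /* within the block bounds */
    memcpy(block + dst_off, saved, SB_SIZE);
    return 0;
}

int main(void)
{
    unsigned char block[BLOCK_SIZE];

    memset(block, 0x11, BLOCK_SIZE);           /* constructed superblock */
    printf("buggy store survives read: %d\n", metadata_survives_read(false));
    printf("fixed store survives read: %d\n", metadata_survives_read(true));
    printf("move within block ok: %d\n",
           move_superblock(block, BLOCK_SIZE, 0, 4096) == 0);
    return 0;
}
```

Running it prints 0 for the buggy path and 1 for the fixed one: the difference is solely whether uptodate was set before the competing read arrived. The move helper keeps the saved copy on the stack because, when source and destination share a block, zero-filling first would destroy the bytes about to be copied.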
9p use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
adfs
affs affs: initialize fsdata in affs_truncate() 2023-02-01 08:34:08 +01:00
afs afs: Fix vlserver probe RTT handling 2023-06-21 16:01:02 +02:00
autofs autofs: remove unused ino field inode 2022-07-17 17:31:42 -07:00
befs befs: Convert befs_symlink_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
bfs
btrfs btrfs: can_nocow_file_extent should pass down args->strict from callers 2023-06-21 16:00:55 +02:00
cachefiles cachefiles: use vfs_tmpfile_open() helper 2022-09-24 07:00:00 +02:00
ceph ceph: fix use-after-free bug for inodes when flushing capsnaps 2023-06-14 11:15:27 +02:00
cifs cifs: fix lease break oops in xfstest generic/098 2023-06-21 16:01:01 +02:00
coda coda: Avoid partial allocation of sig_inputArgs 2023-03-10 09:33:52 +01:00
configfs configfs: fix possible memory leak in configfs_create_dir() 2022-12-31 13:32:22 +01:00
cramfs fs/cramfs/inode.c: initialize file_ra_state 2023-03-10 09:34:09 +01:00
crypto blk-crypto: add a blk_crypto_config_supported_natively helper 2023-05-11 23:03:00 +09:00
debugfs debugfs: fix error when writing negative value to atomic_t debugfs file 2022-12-31 13:31:58 +01:00
devpts
dlm fs: dlm: fix race setting stop tx flag 2023-03-17 08:50:19 +01:00
ecryptfs whack-a-mole: constifying struct path * 2022-10-06 17:31:02 -07:00
efivarfs efi: efivars: Fix variable writes without query_variable_store() 2022-10-21 11:09:40 +02:00
efs
erofs erofs: fix potential overflow calculating xattr_isize 2023-05-11 23:03:07 +09:00
exfat exfat: fix inode->i_blocks for non-512 byte sector size device 2023-03-10 09:34:08 +01:00
exportfs Change calling conventions for filldir_t 2022-08-17 17:25:04 -04:00
ext2 ext2: Check block size validity during mount 2023-05-24 17:32:36 +01:00
ext4 ext4: drop the call to ext4_error() from ext4_get_group_info() 2023-06-21 16:01:01 +02:00
f2fs f2fs: fix to check readonly condition correctly 2023-05-24 17:32:38 +01:00
fat treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
freevxfs freevxfs: Convert vxfs_immed_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
fscache fscache: Use clear_and_wake_up_bit() in fscache_create_volume_work() 2023-02-22 12:59:43 +01:00
fuse fuse: always revalidate rename target dentry 2023-04-26 14:28:42 +02:00
gfs2 gfs2: Don't deref jdesc in evict 2023-06-09 10:34:08 +02:00
hfs hfs: fix missing hfs_bnode_get() in __hfs_bnode_create 2023-03-10 09:34:07 +01:00
hfsplus fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() 2023-05-24 17:32:34 +01:00
hostfs hostfs: move from strlcpy with unused retval to strscpy 2022-09-19 22:46:25 +02:00
hpfs
hugetlbfs hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() 2022-12-31 13:33:05 +01:00
iomap iomap: add a tracepoint for mappings returned by map_blocks 2022-10-02 11:42:19 -07:00
isofs - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
jbd2 jdb2: Don't refuse invalidation of already invalidated buffers 2023-05-11 23:03:23 +09:00
jffs2 jffs2: correct logic when creating a hole in jffs2_write_begin 2023-03-22 13:33:53 +01:00
jfs fs/jfs: fix shift exponent db_agl2size negative 2023-03-11 13:55:16 +01:00
kernfs kernfs: Fix spurious lockdep warning in kernfs_find_and_get_node_by_id() 2022-11-10 19:03:42 +01:00
ksmbd ksmbd: validate session id and tree id in the compound request 2023-06-28 11:12:18 +02:00
lockd lockd: set file_lock start and end when decoding nlm4 testargs 2023-03-30 12:49:23 +02:00
minix vfs: open inside ->tmpfile() 2022-09-24 07:00:00 +02:00
netfs use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
nfs NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease 2023-05-11 23:03:34 +09:00
nfs_common
nfsd nfsd: fix double fget() bug in __write_ports_addfd() 2023-06-09 10:34:04 +02:00
nilfs2 nilfs2: fix buffer corruption due to concurrent device reads 2023-06-28 11:12:22 +02:00
nls
notify inotify: Avoid reporting event with invalid wd 2023-05-17 11:53:44 +02:00
ntfs - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
ntfs3 fs/ntfs3: Validate MFT flags before replaying logs 2023-06-09 10:34:28 +02:00
ocfs2 ocfs2: check new file size on fallocate call 2023-06-21 16:00:54 +02:00
omfs
openpromfs
orangefs use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
overlayfs ovl: Use "buf" flexible array for memcpy() destination 2023-02-09 11:28:26 +01:00
proc sysctl: clarify register_sysctl_init() base directory order 2023-05-17 11:53:46 +02:00
pstore pstore: Revert pmsg_lock back to a normal mutex 2023-05-11 23:03:27 +09:00
qnx4
qnx6 fs/qnx6: delete unnecessary checks before brelse() 2022-09-11 21:55:07 -07:00
quota ext4: fix bug_on in __es_tree_search caused by bad quota inode 2023-01-07 11:11:59 +01:00
ramfs tmpfile API change 2022-10-10 19:45:17 -07:00
reiserfs reiserfs: Add security prefix to xattr name in reiserfs_security_write() 2023-05-11 23:03:02 +09:00
romfs
smbfs_common smb3: define missing create contexts 2022-10-05 01:55:27 -05:00
squashfs revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" 2023-02-22 12:59:50 +01:00
sysfs
sysv fs: sysv: Fix sysv_nblocks() returns wrong value 2022-12-31 13:32:00 +01:00
tracefs tracefs: Only clobber mode/uid/gid on remount if asked 2022-09-08 17:10:54 -04:00
ubifs ubifs: Fix memory leak in do_rename 2023-05-11 23:03:05 +09:00
udf udf: Fix off-by-one error when discarding preallocation 2023-03-17 08:50:19 +01:00
ufs ufs: replace ll_rw_block() 2022-09-11 20:26:07 -07:00
unicode
vboxsf
verity fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY 2023-04-06 12:10:34 +02:00
xfs xfs: verify buffer contents when we skip log replay 2023-06-09 10:34:29 +02:00
zonefs zonefs: Always invalidate last cached page on append write 2023-04-06 12:10:52 +02:00
aio.c aio: fix mremap after fork null-deref 2023-02-22 12:59:46 +01:00
anon_inodes.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
attr.c attr: use consistent sgid stripping checks 2023-03-03 11:52:25 +01:00
bad_inode.c vfs: open inside ->tmpfile() 2022-09-24 07:00:00 +02:00
binfmt_elf.c elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size} 2023-01-18 11:58:12 +01:00
binfmt_elf_fdpic.c elfcore: Add a cprm parameter to elf_core_extra_{phdrs,data_size} 2023-01-18 11:58:12 +01:00
binfmt_elf_test.c
binfmt_flat.c
binfmt_misc.c binfmt_misc: fix shift-out-of-bounds in check_special_flags 2022-12-31 13:32:57 +01:00
binfmt_script.c
buffer.c - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
char_dev.c chardev: fix error handling in cdev_device_add() 2022-12-31 13:32:41 +01:00
compat_binfmt_elf.c
coredump.c coredump: Move dump_emit_page() to kill unused warning 2023-02-22 12:59:50 +01:00
d_path.c d_path.c: typo fix... 2022-08-20 11:34:33 -04:00
dax.c Merge branch 'for-6.0/dax' into libnvdimm-fixes 2022-09-24 18:14:12 -07:00
dcache.c tmpfile API change 2022-10-10 19:45:17 -07:00
direct-io.c block: remove PSI accounting from the bio layer 2022-09-20 08:24:38 -06:00
drop_caches.c
eventfd.c eventfd: provide a eventfd_signal_mask() helper 2023-01-04 11:28:48 +01:00
eventpoll.c epoll: ep_autoremove_wake_function should use list_del_init_careful 2023-06-21 16:00:54 +02:00
exec.c 23 hotfixes. 2022-10-29 17:49:33 -07:00
fcntl.c keep iocb_flags() result cached in struct file 2022-06-10 16:10:23 -04:00
fhandle.c do_sys_name_to_handle(): constify path 2022-09-01 17:36:39 -04:00
file.c fs: prevent out-of-bounds array speculation when closing a file descriptor 2023-03-17 08:50:13 +01:00
file_table.c locks: fix TOCTOU race when granting write lease 2022-08-16 10:59:54 -04:00
filesystems.c
fs-writeback.c writeback: fix call of incorrect macro 2023-05-17 11:53:33 +02:00
fs_context.c
fs_parser.c ext4: journal_path mount options should follow links 2023-01-07 11:11:59 +01:00
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c attr: use consistent sgid stripping checks 2023-03-03 11:52:25 +01:00
internal.h attr: use consistent sgid stripping checks 2023-03-03 11:52:25 +01:00
ioctl.c
Kconfig hugetlb: make hugetlb depends on SYSFS or SYSCTL 2022-09-11 20:26:10 -07:00
Kconfig.binfmt Xtensa updates for v6.1 2022-10-10 14:21:11 -07:00
kernel_read_file.c fs/kernel_read_file: allow to read files up-to ssize_t 2022-06-16 19:58:21 -07:00
libfs.c libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value 2022-12-31 13:31:58 +01:00
locks.c filelocks: use mount idmapping for setlease permission check 2023-03-17 08:50:32 +01:00
Makefile fs: fix sysctls.c built 2023-05-11 23:03:01 +09:00
mbcache.c ext4: fix deadlock due to mbcache entry corruption 2023-01-07 11:12:02 +01:00
mount.h switch try_to_unlazy_next() to __legitimize_mnt() 2022-07-05 16:18:21 -04:00
mpage.c Folio changes for 6.0 2022-08-03 10:35:43 -07:00
namei.c vfs: vfs_tmpfile: ensure O_EXCL flag is enforced 2022-11-19 02:22:11 -05:00
namespace.c fs: drop peer group ids under namespace lock 2023-04-13 16:55:33 +02:00
no-block.c
nsfs.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
open.c open: return EINVAL for O_DIRECTORY | O_CREAT 2023-05-24 17:32:34 +01:00
pipe.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
pnode.c pnode: terminate at peers of source 2023-01-04 11:29:01 +01:00
pnode.h
posix_acl.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
proc_namespace.c vfs: escape hash as well 2022-06-28 13:58:05 -04:00
read_write.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
readdir.c Change calling conventions for filldir_t 2022-08-17 17:25:04 -04:00
remap_range.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
select.c
seq_file.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
signalfd.c
splice.c use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
stack.c
stat.c vfs: support STATX_DIOALIGN on block devices 2022-09-11 19:47:12 -05:00
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-24 17:32:51 +01:00
super.c fscrypt: destroy keyring after security_sb_delete() 2023-03-30 12:49:23 +02:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c Revert "userfaultfd: don't fail on unrecognized features" 2023-04-26 14:28:37 +02:00
utimes.c
xattr.c fs: don't audit the capability check in simple_xattr_list() 2022-12-31 13:31:55 +01:00