android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2f2fa9cf7c
android_kernel_xiaomi_sm8450/fs
History
Ryusuke Konishi 2f2fa9cf7c nilfs2: add missing check for inode numbers on directory entries 
commit bb76c6c274683c8570ad788f79d4b875bde0e458 upstream.

Syzbot reported that mounting and unmounting a specific pattern of
corrupted nilfs2 filesystem images causes a use-after-free of metadata
file inodes, which triggers a kernel bug in lru_add_fn().

As Jan Kara pointed out, this is because the link count of a metadata file
gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),
tries to delete that inode (ifile inode in this case).

The inconsistency occurs because directories containing the inode numbers
of these metadata files that should not be visible in the namespace are
read without checking.

Fix this issue by treating the inode numbers of these internal files as
errors in the sanity check helper when reading directory folios/pages.

Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer
analysis.

Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
Reported-by: Jan Kara <jack@suse.cz>
Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: Hillf Danton <hdanton@sina.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-07-18 13:05:42 +02:00
..
9p fs/9p: drop inodes immediately on non-.L too 2024-05-17 11:48:05 +02:00
adfs
affs affs: initialize fsdata in affs_truncate() 2023-02-01 08:23:11 +01:00
afs afs: Don't cross .backup mountpoint from backup volume 2024-06-16 13:32:30 +02:00
autofs file: Replace ksys_close with close_fd 2024-06-21 14:52:50 +02:00
befs
bfs bfs: don't use WARNING: string when it's just info. 2021-01-06 14:56:52 +01:00
btrfs btrfs: fix leak of qgroup extent records after transaction abort 2024-07-05 09:12:25 +02:00
cachefiles namei: introduce struct renamedata 2024-06-21 14:52:59 +02:00
ceph ceph: prevent use-after-free in encode_cap_msg() 2024-02-23 08:42:29 +01:00
cifs smb: client: fix deadlock in smb2_find_smb_tcon() 2024-07-05 09:12:45 +02:00
coda coda: Avoid partial allocation of sig_inputArgs 2023-03-11 16:39:51 +01:00
configfs Revert "configfs: fix a race in configfs_lookup()" 2023-09-21 09:45:15 +02:00
cramfs
crypto fscrypt: fix keyring memory leak on mount failure 2022-11-10 18:14:25 +01:00
debugfs debugfs: fix automount d_fsdata usage 2024-01-25 14:37:36 -08:00
devpts fsnotify: fix fsnotify hooks in pseudo filesystems 2022-02-01 17:25:39 +01:00
dlm dlm: fix plock lookup when using multiple lockspaces 2023-09-19 12:20:22 +02:00
ecryptfs namei: introduce struct renamedata 2024-06-21 14:52:59 +02:00
efivarfs efivarfs: force RO when remounting if SetVariable is not supported 2024-01-25 14:37:40 -08:00
efs
erofs erofs: fix lz4 inplace decompression 2024-03-01 13:16:48 +01:00
exfat exfat: support handle zero-size directory 2023-11-28 16:54:52 +00:00
exportfs exportfs: use pr_debug for unreachable debug statements 2024-06-21 14:54:05 +02:00
ext2 ext2: fix datatype of block number in ext2_xattr_set2() 2023-09-23 11:01:07 +02:00
ext4 ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find() 2024-06-16 13:32:36 +02:00
f2fs f2fs: remove clear SB_INLINECRYPT flag in default_options 2024-07-05 09:12:36 +02:00
fat fat: fix uninitialized field in nostale filehandles 2024-04-13 12:58:08 +02:00
freevxfs
fscache fscache: Fix cookie key hashing 2021-09-18 13:40:15 +02:00
fuse fuse: don't unhash root 2024-04-13 12:58:19 +02:00
gfs2 gfs2: Fix "ignore unlock failures after withdraw" 2024-06-16 13:32:05 +02:00
hfs hfs: fix missing hfs_bnode_get() in __hfs_bnode_create 2023-03-11 16:39:55 +01:00
hfsplus fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() 2023-05-30 12:57:47 +01:00
hostfs hostfs: fix memory handling in follow_link() 2021-04-14 08:42:06 +02:00
hpfs
hugetlbfs mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE 2024-03-15 10:48:22 -04:00
iomap xfs: use current->journal_info for detecting transaction recursion 2022-07-07 17:52:19 +02:00
isofs isofs: handle CDs with bad root inode but good Joliet root directory 2024-04-13 12:59:46 +02:00
jbd2 jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint 2024-03-01 13:16:47 +01:00
jffs2 jffs2: Fix potential illegal address access in jffs2_free_inode 2024-07-18 13:05:41 +02:00
jfs jfs: xattr: fix buffer overflow for invalid xattr 2024-07-05 09:12:25 +02:00
kernfs fs/kernfs/dir: obey S_ISGID 2024-02-23 08:42:14 +01:00
lockd lockd: drop inappropriate svc_get() from locked_get() 2024-06-21 14:54:14 +02:00
minix minix: fix bug when opening a file with O_DIRECT 2022-04-13 21:01:01 +02:00
nfs nfs: Leave pages in the pagecache if readpage failed 2024-07-05 09:12:55 +02:00
nfs_common NFSD: Add an xdr_stream-based encoder for NFSv2/3 ACLs 2024-06-21 14:53:03 +02:00
nfsd nfsd: hold a lighter-weight client reference over CB_RECALL_ANY 2024-07-05 09:12:48 +02:00
nilfs2 nilfs2: add missing check for inode numbers on directory entries 2024-07-18 13:05:42 +02:00
nls fs/nls: make load_nls() take a const parameter 2023-09-19 12:20:04 +02:00
notify fanotify: Remove obsoleted fanotify_event_has_path() 2024-06-21 14:54:03 +02:00
ntfs ntfs: check overflow when iterating ATTR_RECORDs 2022-11-25 17:45:57 +01:00
ocfs2 ocfs2: fix DIO failure due to insufficient transaction credits 2024-07-05 09:12:51 +02:00
omfs
openpromfs openpromfs: finish conversion to the new mount API 2024-06-16 13:32:01 +02:00
orangefs orangefs: fix out-of-bounds fsid access 2024-07-18 13:05:40 +02:00
overlayfs namei: introduce struct renamedata 2024-06-21 14:52:59 +02:00
proc fs/proc: fix softlockup in __read_vmcore 2024-07-05 09:12:30 +02:00
pstore pstore/zone: Add a null pointer check to the psz_kmsg_read 2024-04-13 12:59:41 +02:00
qnx4 qnx4: work around gcc false positive warning bug 2021-09-30 10:11:08 +02:00
qnx6
quota quota: Fix rcu annotations of inode dquot pointers 2024-03-26 18:21:56 -04:00
ramfs shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs 2023-07-27 08:44:13 +02:00
reiserfs reiserfs: Check the return value from __getblk() 2023-09-19 12:20:06 +02:00
romfs
squashfs revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" 2023-02-22 12:55:56 +01:00
sysfs fs: sysfs: Fix reference leak in sysfs_break_active_protection() 2024-05-02 16:23:39 +02:00
sysv sysv: don't call sb_bread() with pointers_lock held 2024-04-13 12:59:45 +02:00
tracefs tracefs: Add missing lockdown check to tracefs_create_dir() 2023-09-23 11:01:10 +02:00
ubifs ubifs: Set page uptodate in the correct place 2024-04-13 12:58:09 +02:00
udf udf: udftime: prevent overflow in udf_disk_stamp_to_time() 2024-07-05 09:12:36 +02:00
ufs
unicode
vboxsf vboxsf: Avoid an spurious warning if load_nls_xxx() fails 2024-04-13 12:59:25 +02:00
verity fs: add file and path permissions helpers 2024-06-21 14:52:58 +02:00
xfs xfs: verify buffer contents when we skip log replay 2023-06-14 11:09:59 +02:00
zonefs zonefs: Improve error handling 2024-03-01 13:16:43 +01:00
aio.c fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion 2024-04-13 12:58:53 +02:00
anon_inodes.c
attr.c attr: block mode changes of symlinks 2023-09-23 11:01:09 +02:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c fs: binfmt_elf_efpic: fix personality for ELF-FDPIC 2023-10-10 21:53:35 +02:00
binfmt_elf.c fs/binfmt_elf: Fix memory leak in load_elf_binary() 2022-11-03 23:57:49 +09:00
binfmt_em86.c
binfmt_flat.c binfmt_flat: do not stop relocating GOT entries prematurely on riscv 2022-06-09 10:20:47 +02:00
binfmt_misc.c binfmt_misc: fix shift-out-of-bounds in check_special_flags 2023-01-14 10:16:13 +01:00
binfmt_script.c
block_dev.c block: Don't invalidate pagecache for invalid falloc modes 2024-01-15 18:48:03 +01:00
buffer.c mm: fs: initialize fsdata passed to write_begin/write_end interface 2022-11-25 17:45:56 +01:00
char_dev.c chardev: fix error handling in cdev_device_add() 2023-01-14 10:15:59 +01:00
compat_binfmt_elf.c
coredump.c exec: Simplify unshare_files 2024-06-21 14:52:47 +02:00
d_path.c
dax.c dax: fix cache flush on PMD-mapped pages 2022-06-09 10:21:16 +02:00
dcache.c fast_dput(): handle underflows gracefully 2024-02-23 08:42:10 +01:00
dcookies.c
direct-io.c fs: direct-io: fix missing sdio->boundary 2021-04-14 08:41:58 +02:00
drop_caches.c
eventfd.c eventfd: prevent underflow for eventfd semaphores 2023-09-19 12:20:06 +02:00
eventpoll.c epoll: ep_autoremove_wake_function should use list_del_init_careful 2023-06-21 15:45:37 +02:00
exec.c exec: Simplify unshare_files 2024-06-21 14:52:47 +02:00
fcntl.c fcntl: fix potential deadlocks for &fown_struct.lock 2022-10-30 09:41:18 +01:00
fhandle.c do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak 2024-03-26 18:21:47 -04:00
file_table.c SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() 2022-05-18 10:23:48 +02:00
file.c file: Rename __close_fd to close_fd and remove the files parameter 2024-06-21 14:52:49 +02:00
filesystems.c
fs_context.c fs: avoid empty option when generating legacy mount string 2023-07-27 08:44:13 +02:00
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c writeback: fix call of incorrect macro 2023-05-17 11:48:10 +02:00
fsopen.c
init.c fs: add file and path permissions helpers 2024-06-21 14:52:58 +02:00
inode.c fs: add ctime accessors infrastructure 2023-12-08 08:46:15 +01:00
internal.h fs: Establish locking order for unrelated directories 2023-07-27 08:44:13 +02:00
ioctl.c lsm: new security_file_ioctl_compat() hook 2024-02-23 08:41:53 +01:00
Kconfig NFSD: Remove CONFIG_NFSD_V3 2024-06-21 14:53:37 +02:00
Kconfig.binfmt
kernel_read_file.c vfs: check fd has read access in kernel_read_file_from_fd() 2021-10-27 09:56:51 +02:00
libfs.c libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value 2023-01-14 10:15:19 +01:00
locks.c filelock: add a new locks_inode_context accessor function 2024-06-21 14:54:04 +02:00
Makefile io_uring: import 5.15-stable io_uring 2023-01-04 11:39:23 +01:00
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2023-01-14 10:16:50 +01:00
mount.h
mpage.c
namei.c namei: introduce struct renamedata 2024-06-21 14:52:59 +02:00
namespace.c fs: indicate request originates from old mount API 2024-01-25 14:37:42 -08:00
no-block.c
nsfs.c
open.c ftruncate: pass a signed offset 2024-07-05 09:12:55 +02:00
pipe.c pipe: wakeup wr_wait after setting max_usage 2024-02-23 08:42:00 +01:00
pnode.c pnode: terminate at peers of source 2023-01-14 10:16:27 +01:00
pnode.h mount: fix mounting of detached mounts onto targets that reside on shared mounts 2021-03-17 17:06:13 +01:00
posix_acl.c
proc_namespace.c proc mountinfo: make splice available again 2020-12-30 11:54:02 +01:00
read_write.c vfs: fix copy_file_range() averts filesystem freeze protection 2022-12-19 12:27:30 +01:00
readdir.c readdir: make sure to verify directory entry for legacy interfaces too 2021-04-21 13:00:54 +02:00
remap_range.c fs/remap: constrain dedupe of EOF blocks 2022-07-21 21:20:01 +02:00
select.c fs/select: rework stack allocation hack for clang 2024-03-26 18:21:47 -04:00
seq_file.c seq_file: disallow extremely large seq buffer allocations 2021-07-20 16:05:59 +02:00
signalfd.c io_uring: disable polling pollfree files 2022-09-05 10:28:58 +02:00
splice.c Revert "fs: check FMODE_LSEEK to control internal pipe splicing" 2022-10-17 17:26:07 +02:00
stack.c
stat.c stat: fix inconsistency between struct stat and struct compat_stat 2022-04-27 13:53:54 +02:00
statfs.c statfs: enforce statfs[64] structure initialization 2023-05-30 12:57:55 +01:00
super.c fs: Protect reconfiguration of sb read-write from racing writes 2023-08-11 11:57:54 +02:00
sync.c vfs: make sync_filesystem return errors from ->sync_fs 2022-08-31 17:15:14 +02:00
timerfd.c
userfaultfd.c userfaultfd: open userfaultfds with O_RDONLY 2022-10-26 13:25:17 +02:00
utimes.c
xattr.c fs: don't audit the capability check in simple_xattr_list() 2023-01-14 10:15:16 +01:00