Linux v4.17.14
This commit is contained in:
Justin M. Forbes
parent
95234a2661
commit
33fa022f32
|
|
@ -1,43 +0,0 @@
|
|||
From bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a Mon Sep 17 00:00:00 2001
|
||||
From: Eric Sandeen <sandeen@sandeen.net>
|
||||
Date: Fri, 8 Jun 2018 09:53:49 -0700
|
||||
Subject: [PATCH] xfs: don't call xfs_da_shrink_inode with NULL bp
|
||||
|
||||
xfs_attr3_leaf_create may have errored out before instantiating a buffer,
|
||||
for example if the blkno is out of range. In that case there is no work
|
||||
to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
|
||||
if we try.
|
||||
|
||||
This also seems to fix a flaw where the original error from
|
||||
xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
|
||||
removes a pointless assignment to bp which isn't used after this.
|
||||
|
||||
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969
|
||||
Reported-by: Xu, Wen <wen.xu@gatech.edu>
|
||||
Tested-by: Xu, Wen <wen.xu@gatech.edu>
|
||||
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
|
||||
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
---
|
||||
fs/xfs/libxfs/xfs_attr_leaf.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
|
||||
index 99e0f5749dba..76e90046731c 100644
|
||||
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
|
||||
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
|
||||
@@ -791,9 +791,8 @@ xfs_attr_shortform_to_leaf(
|
||||
ASSERT(blkno == 0);
|
||||
error = xfs_attr3_leaf_create(args, blkno, &bp);
|
||||
if (error) {
|
||||
- error = xfs_da_shrink_inode(args, 0, bp);
|
||||
- bp = NULL;
|
||||
- if (error)
|
||||
+ /* xfs_attr3_leaf_create may not have instantiated a block */
|
||||
+ if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))
|
||||
goto out;
|
||||
xfs_idata_realloc(dp, size, XFS_ATTR_FORK); /* try to put */
|
||||
memcpy(ifp->if_u1.if_data, tmpbuffer, size); /* it back */
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,155 +0,0 @@
|
|||
From afca6c5b2595fc44383919fba740c194b0b76aff Mon Sep 17 00:00:00 2001
|
||||
From: Dave Chinner <dchinner@redhat.com>
|
||||
Date: Tue, 17 Apr 2018 17:17:34 -0700
|
||||
Subject: [PATCH] xfs: validate cached inodes are free when allocated
|
||||
|
||||
A recent fuzzed filesystem image cached random dcache corruption
|
||||
when the reproducer was run. This often showed up as panics in
|
||||
lookup_slow() on a null inode->i_ops pointer when doing pathwalks.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
|
||||
....
|
||||
Call Trace:
|
||||
lookup_slow+0x44/0x60
|
||||
walk_component+0x3dd/0x9f0
|
||||
link_path_walk+0x4a7/0x830
|
||||
path_lookupat+0xc1/0x470
|
||||
filename_lookup+0x129/0x270
|
||||
user_path_at_empty+0x36/0x40
|
||||
path_listxattr+0x98/0x110
|
||||
SyS_listxattr+0x13/0x20
|
||||
do_syscall_64+0xf5/0x280
|
||||
entry_SYSCALL_64_after_hwframe+0x42/0xb7
|
||||
|
||||
but had many different failure modes including deadlocks trying to
|
||||
lock the inode that was just allocated or KASAN reports of
|
||||
use-after-free violations.
|
||||
|
||||
The cause of the problem was a corrupt INOBT on a v4 fs where the
|
||||
root inode was marked as free in the inobt record. Hence when we
|
||||
allocated an inode, it chose the root inode to allocate, found it in
|
||||
the cache and re-initialised it.
|
||||
|
||||
We recently fixed a similar inode allocation issue caused by inobt
|
||||
record corruption problem in xfs_iget_cache_miss() in commit
|
||||
ee457001ed6c ("xfs: catch inode allocation state mismatch
|
||||
corruption"). This change adds similar checks to the cache-hit path
|
||||
to catch it, and turns the reproducer into a corruption shutdown
|
||||
situation.
|
||||
|
||||
Reported-by: Wen Xu <wen.xu@gatech.edu>
|
||||
Signed-Off-By: Dave Chinner <dchinner@redhat.com>
|
||||
Reviewed-by: Christoph Hellwig <hch@lst.de>
|
||||
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
|
||||
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
[darrick: fix typos in comment]
|
||||
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
|
||||
---
|
||||
fs/xfs/xfs_icache.c | 73 +++++++++++++++++++++++++++++----------------
|
||||
1 file changed, 48 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
|
||||
index 9a18f69f6e96..817899961f48 100644
|
||||
--- a/fs/xfs/xfs_icache.c
|
||||
+++ b/fs/xfs/xfs_icache.c
|
||||
@@ -308,6 +308,46 @@ xfs_reinit_inode(
|
||||
return error;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * If we are allocating a new inode, then check what was returned is
|
||||
+ * actually a free, empty inode. If we are not allocating an inode,
|
||||
+ * then check we didn't find a free inode.
|
||||
+ *
|
||||
+ * Returns:
|
||||
+ * 0 if the inode free state matches the lookup context
|
||||
+ * -ENOENT if the inode is free and we are not allocating
|
||||
+ * -EFSCORRUPTED if there is any state mismatch at all
|
||||
+ */
|
||||
+static int
|
||||
+xfs_iget_check_free_state(
|
||||
+ struct xfs_inode *ip,
|
||||
+ int flags)
|
||||
+{
|
||||
+ if (flags & XFS_IGET_CREATE) {
|
||||
+ /* should be a free inode */
|
||||
+ if (VFS_I(ip)->i_mode != 0) {
|
||||
+ xfs_warn(ip->i_mount,
|
||||
+"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)",
|
||||
+ ip->i_ino, VFS_I(ip)->i_mode);
|
||||
+ return -EFSCORRUPTED;
|
||||
+ }
|
||||
+
|
||||
+ if (ip->i_d.di_nblocks != 0) {
|
||||
+ xfs_warn(ip->i_mount,
|
||||
+"Corruption detected! Free inode 0x%llx has blocks allocated!",
|
||||
+ ip->i_ino);
|
||||
+ return -EFSCORRUPTED;
|
||||
+ }
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* should be an allocated inode */
|
||||
+ if (VFS_I(ip)->i_mode == 0)
|
||||
+ return -ENOENT;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Check the validity of the inode we just found it the cache
|
||||
*/
|
||||
@@ -357,12 +397,12 @@ xfs_iget_cache_hit(
|
||||
}
|
||||
|
||||
/*
|
||||
- * If lookup is racing with unlink return an error immediately.
|
||||
+ * Check the inode free state is valid. This also detects lookup
|
||||
+ * racing with unlinks.
|
||||
*/
|
||||
- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) {
|
||||
- error = -ENOENT;
|
||||
+ error = xfs_iget_check_free_state(ip, flags);
|
||||
+ if (error)
|
||||
goto out_error;
|
||||
- }
|
||||
|
||||
/*
|
||||
* If IRECLAIMABLE is set, we've torn down the VFS inode already.
|
||||
@@ -485,29 +525,12 @@ xfs_iget_cache_miss(
|
||||
|
||||
|
||||
/*
|
||||
- * If we are allocating a new inode, then check what was returned is
|
||||
- * actually a free, empty inode. If we are not allocating an inode,
|
||||
- * the check we didn't find a free inode.
|
||||
+ * Check the inode free state is valid. This also detects lookup
|
||||
+ * racing with unlinks.
|
||||
*/
|
||||
- if (flags & XFS_IGET_CREATE) {
|
||||
- if (VFS_I(ip)->i_mode != 0) {
|
||||
- xfs_warn(mp,
|
||||
-"Corruption detected! Free inode 0x%llx not marked free on disk",
|
||||
- ino);
|
||||
- error = -EFSCORRUPTED;
|
||||
- goto out_destroy;
|
||||
- }
|
||||
- if (ip->i_d.di_nblocks != 0) {
|
||||
- xfs_warn(mp,
|
||||
-"Corruption detected! Free inode 0x%llx has blocks allocated!",
|
||||
- ino);
|
||||
- error = -EFSCORRUPTED;
|
||||
- goto out_destroy;
|
||||
- }
|
||||
- } else if (VFS_I(ip)->i_mode == 0) {
|
||||
- error = -ENOENT;
|
||||
+ error = xfs_iget_check_free_state(ip, flags);
|
||||
+ if (error)
|
||||
goto out_destroy;
|
||||
- }
|
||||
|
||||
/*
|
||||
* Preload the radix tree so we can insert safely under the
|
||||
--
|
||||
2.17.1
|
||||
|
||||
11
kernel.spec
11
kernel.spec
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 13
|
||||
%define stable_update 14
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -659,12 +659,6 @@ Patch518: alarmtimer-prevent-overflow-for-relative-nanosleep.patch
|
|||
Patch519: 1-2-posix-timers-Make-forward-callback-return-s64.patch
|
||||
Patch520: 2-2-posix-timers-Sanitize-overrun-handling.patch
|
||||
|
||||
# CVE-2018-13093 rhbz 1597766 1597767
|
||||
Patch521: 0001-xfs-validate-cached-inodes-are-free-when-allocated.patch
|
||||
|
||||
# CVE-2018-13094 rhbz 1597771 1597772
|
||||
Patch522: 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
|
||||
|
||||
# CVE-2018-13095 rhbz 1597775 1597777
|
||||
Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
|
||||
|
||||
|
|
@ -1920,6 +1914,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Aug 09 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.14-200
|
||||
- Linux v4.17.14
|
||||
|
||||
* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200
|
||||
- Linux v4.17.13
|
||||
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
|
||||
SHA512 (patch-4.17.13.xz) = 8f77239c6c0393aa6e854f98d0ef0832e0a3e936251805ca1fcde2b5d24e0b086582f68e3f494a4a287b404573c26a867170958d53f3c1bf4c46c4c5697188b2
|
||||
SHA512 (patch-4.17.14.xz) = 99b76b9305868a93139d9e977ee244c02ada7e3966856a1c559c049dff4543cd39595b723d9fc9b8f27ffef9ff0e4b28bcfbdb28738d5e19342473336553eb27
|
||||
|
|
|
|||
Loading…
Reference in New Issue