- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] bpf: Correct kabi breakage fixes for ext_mutex in struct bpf_prog_aux
by Tengda Wu 06 Feb '25

06 Feb '25

hulk inclusion category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIADD CVE: CVE-2024-47794 -------------------------------- The size of ext_mutex can vary from 32 to 160 bytes, depending on the number of macros enabled. When it reaches 160 bytes, ext_mutex requires at least 20 reserved fields, which exceeds the existing 8 reserved fields available in the 'bpf_prog_aux' structure. Use the KABI_EXTEND instead, which has no field size limitation, to fix this issue. Fixes: 87db4635bc89 ("bpf: Fix kabi breakage in struct bpf_prog_aux") Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- include/linux/bpf.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 8853a032cd26..c44d2557b3f1 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1544,17 +1544,14 @@ struct bpf_prog_aux { }; KABI_USE(1, u64 prog_array_member_cnt) /* counts how many times as member of prog_array */ -#ifdef __GENKSYMS__ KABI_RESERVE(2) KABI_RESERVE(3) KABI_RESERVE(4) KABI_RESERVE(5) -#else - struct mutex ext_mutex; /* mutex for is_extended and prog_array_member_cnt */ -#endif KABI_RESERVE(6) KABI_RESERVE(7) KABI_RESERVE(8) + KABI_EXTEND(struct mutex ext_mutex) /* mutex for is_extended and prog_array_member_cnt */ }; struct bpf_prog { -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()
by Zheng Zucheng 06 Feb '25

06 Feb '25

From: Biju Das <biju.das.jz(a)bp.renesas.com> stable inclusion from stable-v5.10.234 commit 49881fcef3d4b8733fcdcf76f1bc12ec291b74be category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBID2S CVE: CVE-2024-57887 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 81adbd3ff21c1182e06aa02c6be0bfd9ea02d8e8 ] The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241119192040.152657-2-biju.… Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpu/drm/bridge/adv7511/adv7511_drv.c [Context differences.] Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 5 ++++- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 -- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index 31bce3a37b20..faf64f6c2a53 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1125,7 +1125,7 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id) ret = adv7511_init_regulators(adv7511); if (ret) { dev_err(dev, "failed to init regulators\n"); - return ret; + goto err_of_node_put; } /* @@ -1235,6 +1235,8 @@ static int adv7511_probe(struct i2c_client *i2c, const struct i2c_device_id *id) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + of_node_put(adv7511->host_node); return ret; } @@ -1249,6 +1251,7 @@ static int adv7511_remove(struct i2c_client *i2c) if (adv7511->cec_clk) clk_disable_unprepare(adv7511->cec_clk); + of_node_put(adv7511->host_node); adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 185b6d842166..de0bd603baf1 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -210,8 +210,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); -- 2.34.1

2 1

[PATCH OLK-6.6] drm/modes: Avoid divide by zero harder in drm_mode_vrefresh()
by Guo Mengqi 06 Feb '25

06 Feb '25

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> stable inclusion from stable-v6.6.68 commit b39de5a71bac5641d0fda33d1cf5682d82cf1ae5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBISDQ CVE: CVE-2024-56369 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 9398332f23fab10c5ec57c168b44e72997d6318e upstream. drm_mode_vrefresh() is trying to avoid divide by zero by checking whether htotal or vtotal are zero. But we may still end up with a div-by-zero of vtotal*htotal*... Cc: stable(a)vger.kernel.org Reported-by: syzbot+622bba18029bcde672e1(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=622bba18029bcde672e1 Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241129042629.18280-2-ville.… Reviewed-by: Jani Nikula <jani.nikula(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/gpu/drm/drm_modes.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c index ac9a406250c5..9325b015c6c0 100644 --- a/drivers/gpu/drm/drm_modes.c +++ b/drivers/gpu/drm/drm_modes.c @@ -1285,14 +1285,11 @@ EXPORT_SYMBOL(drm_mode_set_name); */ int drm_mode_vrefresh(const struct drm_display_mode *mode) { - unsigned int num, den; + unsigned int num = 1, den = 1; if (mode->htotal == 0 || mode->vtotal == 0) return 0; - num = mode->clock; - den = mode->htotal * mode->vtotal; - if (mode->flags & DRM_MODE_FLAG_INTERLACE) num *= 2; if (mode->flags & DRM_MODE_FLAG_DBLSCAN) @@ -1300,6 +1297,12 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode) if (mode->vscan > 1) den *= mode->vscan; + if (check_mul_overflow(mode->clock, num, &num)) + return 0; + + if (check_mul_overflow(mode->htotal * mode->vtotal, den, &den)) + return 0; + return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den); } EXPORT_SYMBOL(drm_mode_vrefresh); -- 2.22.0

2 1

[PATCH OLK-6.6] platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it
by Guo Mengqi 06 Feb '25

06 Feb '25

From: "Maciej S. Szmigiero" <mail(a)maciej.szmigiero.name> stable inclusion from stable-v6.6.72 commit 5cc621085e2b7a9b1905a98f8e5a86bb4aea2016 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQOR CVE: CVE-2025-21645 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit dd410d784402c5775f66faf8b624e85e41c38aaf ] Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug kernel: ------------[ cut here ]------------ kernel: Unbalanced IRQ 1 wake disable kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0 The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and .poweroff handlers. i8042_pm_suspend(), however, is only set as the .suspend handler. Fix the issue by call PMC suspend handler only from the same set of dev_pm_ops handlers as i8042_pm_suspend(), which currently means just the .suspend handler. To reproduce this issue try hibernating (S4) the machine after a fresh boot without putting it into s2idle first. Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN") Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Maciej S. Szmigiero <mail(a)maciej.szmigiero.name> Link: https://lore.kernel.org/r/c8f28c002ca3c66fbeeb850904a1f43118e17200.17361846… [ij: edited the commit message.] Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: ZhangPeng <zhangpeng362(a)huawei.com> Signed-off-by: Guo Mengqi <guomengqi3(a)huawei.com> --- drivers/platform/x86/amd/pmc/pmc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/platform/x86/amd/pmc/pmc.c b/drivers/platform/x86/amd/pmc/pmc.c index f49b1bb258c7..70907e8f3ea9 100644 --- a/drivers/platform/x86/amd/pmc/pmc.c +++ b/drivers/platform/x86/amd/pmc/pmc.c @@ -878,6 +878,10 @@ static int amd_pmc_suspend_handler(struct device *dev) { struct amd_pmc_dev *pdev = dev_get_drvdata(dev); + /* + * Must be called only from the same set of dev_pm_ops handlers + * as i8042_pm_suspend() is called: currently just from .suspend. + */ if (pdev->disable_8042_wakeup && !disable_workarounds) { int rc = amd_pmc_wa_irq1(pdev); @@ -890,7 +894,9 @@ static int amd_pmc_suspend_handler(struct device *dev) return 0; } -static DEFINE_SIMPLE_DEV_PM_OPS(amd_pmc_pm, amd_pmc_suspend_handler, NULL); +static const struct dev_pm_ops amd_pmc_pm = { + .suspend = amd_pmc_suspend_handler, +}; static const struct pci_device_id pmc_pci_ids[] = { { PCI_DEVICE(PCI_VENDOR_ID_AMD, AMD_CPU_ID_PS) }, -- 2.22.0

2 1

[PATCH OLK-6.6] [Backport] misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling
by Lin Ruifeng 06 Feb '25

06 Feb '25

From: Rengarajan S <rengarajan.s(a)microchip.com> stable inclusion from stable-v6.6.72 commit 25692750c0259c5b65afec467d97201a485e8a00 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBIQWF CVE: CVE-2024-57916 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 194f9f94a5169547d682e9bbcc5ae6d18a564735 upstream. Resolve kernel panic caused by improper handling of IRQs while accessing GPIO values. This is done by replacing generic_handle_irq with handle_nested_irq. Fixes: 1f4d8ae231f4 ("misc: microchip: pci1xxxx: Add gpio irq handler and irq helper functions irq_ack, irq_mask, irq_unmask and irq_set_type of irq_chip.") Cc: stable <stable(a)kernel.org> Signed-off-by: Rengarajan S <rengarajan.s(a)microchip.com> Link: https://lore.kernel.org/r/20241205133626.1483499-2-rengarajan.s@microchip.c… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Lin Ruifeng <linruifeng4(a)huawei.com> --- drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c index e616e3ec2b42..558290bdb938 100644 --- a/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c +++ b/drivers/misc/mchp_pci1xxxx/mchp_pci1xxxx_gpio.c @@ -277,7 +277,7 @@ static irqreturn_t pci1xxxx_gpio_irq_handler(int irq, void *dev_id) writel(BIT(bit), priv->reg_base + INTR_STATUS_OFFSET(gpiobank)); spin_unlock_irqrestore(&priv->lock, flags); irq = irq_find_mapping(gc->irq.domain, (bit + (gpiobank * 32))); - generic_handle_irq(irq); + handle_nested_irq(irq); } } spin_lock_irqsave(&priv->lock, flags); -- 2.22.0

2 1

[PATCH openEuler-1.0-LTS] spi: mpc52xx: Add cancel_work_sync before module remove
by Zhang Kunbo 06 Feb '25

06 Feb '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v5.10.231 commit e0c6ce8424095c2da32a063d3fc027494c689817 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJCM5 CVE: CVE-2024-50051 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 984836621aad98802d92c4a3047114cf518074c8 ] If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove. Fixes: ca632f556697 ("spi: reorganize drivers") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.173278300… Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/spi/spi-mpc52xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index 0e55784a3ad9..99eb2cee6f37 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -520,6 +520,7 @@ static int mpc52xx_spi_remove(struct platform_device *op) struct mpc52xx_spi *ms = spi_master_get_devdata(master); int i; + cancel_work_sync(&ms->work); free_irq(ms->irq0, ms); free_irq(ms->irq1, ms); -- 2.34.1

2 1

[PATCH OLK-6.6] spi: mpc52xx: Add cancel_work_sync before module remove
by Zhang Kunbo 06 Feb '25

06 Feb '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v6.6.66 commit f65d85bc1ffd8a2c194bb2cd65e35ed3648ddd59 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJCM5 CVE: CVE-2024-50051 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 984836621aad98802d92c4a3047114cf518074c8 ] If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove. Fixes: ca632f556697 ("spi: reorganize drivers") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.173278300… Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/spi/spi-mpc52xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index ab7df5f64342..b8e2d9263fc8 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -519,6 +519,7 @@ static void mpc52xx_spi_remove(struct platform_device *op) struct mpc52xx_spi *ms = spi_master_get_devdata(master); int i; + cancel_work_sync(&ms->work); free_irq(ms->irq0, ms); free_irq(ms->irq1, ms); -- 2.34.1

2 1

[PATCH OLK-5.10] spi: mpc52xx: Add cancel_work_sync before module remove
by Zhang Kunbo 06 Feb '25

06 Feb '25

From: Pei Xiao <xiaopei01(a)kylinos.cn> stable inclusion from stable-v5.10.231 commit e0c6ce8424095c2da32a063d3fc027494c689817 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJCM5 CVE: CVE-2024-50051 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 984836621aad98802d92c4a3047114cf518074c8 ] If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove. Fixes: ca632f556697 ("spi: reorganize drivers") Signed-off-by: Pei Xiao <xiaopei01(a)kylinos.cn> Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.173278300… Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/spi/spi-mpc52xx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index ef2f24420460..be99efafabbc 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -519,6 +519,7 @@ static int mpc52xx_spi_remove(struct platform_device *op) struct mpc52xx_spi *ms = spi_master_get_devdata(master); int i; + cancel_work_sync(&ms->work); free_irq(ms->irq0, ms); free_irq(ms->irq1, ms); -- 2.34.1

2 1

[PATCH v2 OLK-5.10] nilfs2: prevent use of deleted inode
by Xiangwei Li 06 Feb '25

06 Feb '25

From: Edward Adam Davis <eadavis(a)qq.com> stable inclusion from stable-v5.10.233 commit 5d4ed71327b0b5f3b179a19dc3c06be9509ab3db category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJC7J CVE: CVE-2024-53690 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream. syzbot reported a WARNING in nilfs_rmdir. [1] Because the inode bitmap is corrupted, an inode with an inode number that should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0", causing an inode duplication during execution. And this causes an underflow of i_nlink in rmdir operations. The inode is used twice by the same task to unmount and remove directories ".nilfs" and "file0", it trigger warning in nilfs_rmdir. Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means that this inode has been deleted, and iput is executed to reclaim it. [1] WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407 ... Call Trace: <TASK> nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342 vfs_rmdir+0x3a3/0x510 fs/namei.c:4394 do_rmdir+0x3b5/0x580 fs/namei.c:4453 __do_sys_rmdir fs/namei.c:4472 [inline] __se_sys_rmdir fs/namei.c:4470 [inline] __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com Fixes: d25006523d0b ("nilfs2: pathname operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+9260555647a5132edd48(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48 Tested-by: syzbot+9260555647a5132edd48(a)syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xiangwei Li <liwei728(a)huawei.com> --- fs/nilfs2/inode.c | 8 +++++++- fs/nilfs2/namei.c | 5 +++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index 06f4deb550c9..fe3f005d5d55 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -618,8 +618,14 @@ struct inode *nilfs_iget(struct super_block *sb, struct nilfs_root *root, inode = nilfs_iget_locked(sb, root, ino); if (unlikely(!inode)) return ERR_PTR(-ENOMEM); - if (!(inode->i_state & I_NEW)) + + if (!(inode->i_state & I_NEW)) { + if (!inode->i_nlink) { + iput(inode); + return ERR_PTR(-ESTALE); + } return inode; + } err = __nilfs_read_inode(sb, root, ino, inode); if (unlikely(err)) { diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c index eeccd69cd797..446af9c21a29 100644 --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) inode = NULL; } else { inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); + if (inode == ERR_PTR(-ESTALE)) { + nilfs_error(dir->i_sb, + "deleted inode referenced: %lu", ino); + return ERR_PTR(-EIO); + } } return d_splice_alias(inode, dentry); -- 2.25.1

2 1

[PATCH v2 OLK-6.6] nilfs2: prevent use of deleted inode
by Xiangwei Li 06 Feb '25

06 Feb '25

From: Edward Adam Davis <eadavis(a)qq.com> stable inclusion from stable-v6.6.68 commit 284760b320a0bac411b18108316939707dccb12b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJC7J CVE: CVE-2024-53690 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 901ce9705fbb9f330ff1f19600e5daf9770b0175 upstream. syzbot reported a WARNING in nilfs_rmdir. [1] Because the inode bitmap is corrupted, an inode with an inode number that should exist as a ".nilfs" file was reassigned by nilfs_mkdir for "file0", causing an inode duplication during execution. And this causes an underflow of i_nlink in rmdir operations. The inode is used twice by the same task to unmount and remove directories ".nilfs" and "file0", it trigger warning in nilfs_rmdir. Avoid to this issue, check i_nlink in nilfs_iget(), if it is 0, it means that this inode has been deleted, and iput is executed to reclaim it. [1] WARNING: CPU: 1 PID: 5824 at fs/inode.c:407 drop_nlink+0xc4/0x110 fs/inode.c:407 ... Call Trace: <TASK> nilfs_rmdir+0x1b0/0x250 fs/nilfs2/namei.c:342 vfs_rmdir+0x3a3/0x510 fs/namei.c:4394 do_rmdir+0x3b5/0x580 fs/namei.c:4453 __do_sys_rmdir fs/namei.c:4472 [inline] __se_sys_rmdir fs/namei.c:4470 [inline] __x64_sys_rmdir+0x47/0x50 fs/namei.c:4470 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Link: https://lkml.kernel.org/r/20241209065759.6781-1-konishi.ryusuke@gmail.com Fixes: d25006523d0b ("nilfs2: pathname operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+9260555647a5132edd48(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9260555647a5132edd48 Tested-by: syzbot+9260555647a5132edd48(a)syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Xiangwei Li <liwei728(a)huawei.com> --- fs/nilfs2/inode.c | 8 +++++++- fs/nilfs2/namei.c | 5 +++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index 8e1afa39a62e..d8bf86ec6d8d 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -614,8 +614,14 @@ struct inode *nilfs_iget(struct super_block *sb, struct nilfs_root *root, inode = nilfs_iget_locked(sb, root, ino); if (unlikely(!inode)) return ERR_PTR(-ENOMEM); - if (!(inode->i_state & I_NEW)) + + if (!(inode->i_state & I_NEW)) { + if (!inode->i_nlink) { + iput(inode); + return ERR_PTR(-ESTALE); + } return inode; + } err = __nilfs_read_inode(sb, root, ino, inode); if (unlikely(err)) { diff --git a/fs/nilfs2/namei.c b/fs/nilfs2/namei.c index 7f71aa354f36..ac0adeb58e41 100644 --- a/fs/nilfs2/namei.c +++ b/fs/nilfs2/namei.c @@ -67,6 +67,11 @@ nilfs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) inode = NULL; } else { inode = nilfs_iget(dir->i_sb, NILFS_I(dir)->i_root, ino); + if (inode == ERR_PTR(-ESTALE)) { + nilfs_error(dir->i_sb, + "deleted inode referenced: %lu", ino); + return ERR_PTR(-EIO); + } } return d_splice_alias(inode, dentry); -- 2.25.1

2 1