- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 0/2] crypto: xor - fix template benchmarking
by Chen Ridong 30 Oct '24

30 Oct '24

crypto: xor - fix template benchmarking Bhaskar Chowdhury (1): crypto: xor - Fix typo of optimization Helge Deller (1): crypto: xor - fix template benchmarking crypto/xor.c | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) -- 2.34.1

2 3

[PATCH OLK-6.6 0/2] add vdpa support for x86 and enable vdpa migration.
by Jiang Dongxu 30 Oct '24

30 Oct '24

From: jiangdongxu <jiangdongxu1(a)huawei.com> Christoph Hellwig (1): virtio_blk: remove the broken zone revalidation support jiangdongxu (1): vdpa: add support for x86 and open vdpa migration build config arch/arm64/configs/openeuler_defconfig | 2 +- arch/x86/configs/openeuler_defconfig | 5 +++-- drivers/block/virtio_blk.c | 26 -------------------------- 3 files changed, 4 insertions(+), 29 deletions(-) -- 2.27.0

2 3

[openeuler:OLK-6.6 3971/15883] drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3976:43: warning: ', rx power: ' directive output may be truncated writing 12 bytes into a region of size between 1 and 512
by kernel test robot 30 Oct '24

30 Oct '24

Hi Zhou, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-6.6 head: 89f3b5ff06122cbf06bad6c710c9dab575deff33 commit: 9c1c9598010fbb9daa1e2a67d23830092fb6246a [3971/15883] net/hinic: Update Huawei Intelligent Network Card Driver: hinic config: x86_64-buildonly-randconfig-002-20241030 (https://download.01.org/0day-ci/archive/20241030/202410301153.q4SlheqM-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241030/202410301153.q4SlheqM-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410301153.q4SlheqM-lkp@intel.com/ All warnings (new ones prefixed by >>): drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:1061:5: warning: no previous prototype for 'hinic_msg_to_mgmt_no_ack' [-Wmissing-prototypes] 1061 | int hinic_msg_to_mgmt_no_ack(void *hwdev, enum hinic_mod_type mod, u8 cmd, | ^~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:1978:5: warning: no previous prototype for 'comm_pf_mbox_handler' [-Wmissing-prototypes] 1978 | int comm_pf_mbox_handler(void *handle, u16 vf_id, u8 cmd, void *buf_in, | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2749:5: warning: no previous prototype for 'hinic_ppf_ht_gpa_init' [-Wmissing-prototypes] 2749 | int hinic_ppf_ht_gpa_init(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2795:6: warning: no previous prototype for 'hinic_ppf_ht_gpa_deinit' [-Wmissing-prototypes] 2795 | void hinic_ppf_ht_gpa_deinit(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2872:5: warning: no previous prototype for 'mqm_eqm_try_alloc_mem' [-Wmissing-prototypes] 2872 | int mqm_eqm_try_alloc_mem(struct hinic_hwdev *hwdev, u32 page_size, | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2909:5: warning: no previous prototype for 'mqm_eqm_alloc_page_mem' [-Wmissing-prototypes] 2909 | int mqm_eqm_alloc_page_mem(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2934:6: warning: no previous prototype for 'mqm_eqm_free_page_mem' [-Wmissing-prototypes] 2934 | void mqm_eqm_free_page_mem(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2950:5: warning: no previous prototype for 'mqm_eqm_set_cfg_2_hw' [-Wmissing-prototypes] 2950 | int mqm_eqm_set_cfg_2_hw(struct hinic_hwdev *hwdev, u32 valid) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:2975:5: warning: no previous prototype for 'mqm_eqm_set_page_2_hw' [-Wmissing-prototypes] 2975 | int mqm_eqm_set_page_2_hw(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3053:5: warning: no previous prototype for 'mqm_eqm_init' [-Wmissing-prototypes] 3053 | int mqm_eqm_init(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3116:6: warning: no previous prototype for 'mqm_eqm_deinit' [-Wmissing-prototypes] 3116 | void mqm_eqm_deinit(struct hinic_hwdev *hwdev) | ^~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c: In function 'port_sfp_info_event': drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3719:13: warning: the comparison will always evaluate as 'true' for the address of 'rt_cmd' will never be NULL [-Waddress] 3719 | if (!chip_node->rt_cmd) | ^ In file included from drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:28: drivers/net/ethernet/huawei/hinic/hinic_hw.h:319:39: note: 'rt_cmd' declared here 319 | struct hinic_port_routine_cmd rt_cmd[HINIC_MAX_PORT_ID]; | ^~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c: In function 'port_sfp_abs_event': drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3748:13: warning: the comparison will always evaluate as 'true' for the address of 'rt_cmd' will never be NULL [-Waddress] 3748 | if (!chip_node->rt_cmd) | ^ drivers/net/ethernet/huawei/hinic/hinic_hw.h:319:39: note: 'rt_cmd' declared here 319 | struct hinic_port_routine_cmd rt_cmd[HINIC_MAX_PORT_ID]; | ^~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c: At top level: drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:4581:5: warning: no previous prototype for '_set_led_status' [-Wmissing-prototypes] 4581 | int _set_led_status(struct hinic_hwdev *hwdev, u8 port, | ^~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:4667:5: warning: no previous prototype for 'hinic_get_phy_init_status' [-Wmissing-prototypes] 4667 | int hinic_get_phy_init_status(void *hwdev, | ^~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c: In function '__print_cable_info.constprop': drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3959:23: warning: 'snprintf' argument 4 overlaps destination object 'tmp_str' [-Wrestrict] 3959 | err = snprintf(tmp_str, sizeof(tmp_str), | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3960 | "%s, %s, Temperature: %u", tmp_str, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3961 | info->sfp_type ? "SFP" : "QSFP", | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3962 | info->cable_temp); | ~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3914:14: note: destination object referenced by 'restrict'-qualified argument 1 was declared here 3914 | char tmp_str[CAP_INFO_MAC_LEN] = {0}; | ^~~~~~~ >> drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3976:43: warning: ', rx power: ' directive output may be truncated writing 12 bytes into a region of size between 1 and 512 [-Wformat-truncation=] 3976 | "%s, rx power: %uuw %uuW %uuW %uuW", | ^~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3975:31: note: 'snprintf' output between 28 and 575 bytes into a destination of size 512 3975 | err = snprintf(tmp_str, sizeof(tmp_str), | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3976 | "%s, rx power: %uuw %uuW %uuW %uuW", | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3977 | tmp_str, info->power[0], info->power[1], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3978 | info->power[2], info->power[3]); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3975:31: warning: 'snprintf' argument 4 overlaps destination object 'tmp_str' [-Wrestrict] drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3914:14: note: destination object referenced by 'restrict'-qualified argument 1 was declared here 3914 | char tmp_str[CAP_INFO_MAC_LEN] = {0}; | ^~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3972:43: warning: ', rx power: ' directive output may be truncated writing 12 bytes into a region of size between 1 and 512 [-Wformat-truncation=] 3972 | "%s, rx power: %uuW, tx power: %uuW", | ^~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3971:31: note: 'snprintf' output between 31 and 560 bytes into a destination of size 512 3971 | err = snprintf(tmp_str, sizeof(tmp_str), | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3972 | "%s, rx power: %uuW, tx power: %uuW", | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3973 | tmp_str, info->power[0], info->power[1]); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3971:31: warning: 'snprintf' argument 4 overlaps destination object 'tmp_str' [-Wrestrict] drivers/net/ethernet/huawei/hinic/hinic_hwdev.c:3914:14: note: destination object referenced by 'restrict'-qualified argument 1 was declared here 3914 | char tmp_str[CAP_INFO_MAC_LEN] = {0}; | ^~~~~~~ -- >> drivers/net/ethernet/huawei/hinic/hinic_main.c:182:5: warning: no previous prototype for 'hinic_netdev_event' [-Wmissing-prototypes] 182 | int hinic_netdev_event(struct notifier_block *notifier, | ^~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic/hinic_main.c:3058:6: warning: no previous prototype for 'nic_event' [-Wmissing-prototypes] 3058 | void nic_event(struct hinic_lld_dev *lld_dev, void *adapter, | ^~~~~~~~~ vim +3976 drivers/net/ethernet/huawei/hinic/hinic_hwdev.c 3910 3911 static void __print_cable_info(struct hinic_hwdev *hwdev, 3912 struct hinic_link_info *info) 3913 { 3914 char tmp_str[CAP_INFO_MAC_LEN] = {0}; 3915 char tmp_vendor[VENDOR_MAX_LEN] = {0}; 3916 char *port_type = "Unknown port type"; 3917 int i; 3918 int err = 0; 3919 3920 if (info->cable_absent) { 3921 sdk_info(hwdev->dev_hdl, "Cable unpresent\n"); 3922 return; 3923 } 3924 3925 if (info->port_type < LINK_PORT_MAX_TYPE) 3926 port_type = __hw_to_char_port_type[info->port_type]; 3927 else 3928 sdk_info(hwdev->dev_hdl, "Unknown port type: %u\n", 3929 info->port_type); 3930 if (info->port_type == LINK_PORT_FIBRE) { 3931 if (info->port_sub_type == FIBRE_SUBTYPE_SR) 3932 port_type = "Fibre-SR"; 3933 else if (info->port_sub_type == FIBRE_SUBTYPE_LR) 3934 port_type = "Fibre-LR"; 3935 } 3936 3937 for (i = sizeof(info->vendor_name) - 1; i >= 0; i--) { 3938 if (info->vendor_name[i] == ' ') 3939 info->vendor_name[i] = '\0'; 3940 else 3941 break; 3942 } 3943 3944 memcpy(tmp_vendor, info->vendor_name, 3945 sizeof(info->vendor_name)); 3946 err = snprintf(tmp_str, sizeof(tmp_str), 3947 "Vendor: %s, %s, length: %um, max_speed: %uGbps", 3948 tmp_vendor, port_type, info->cable_length, 3949 info->cable_max_speed); 3950 if (err <= 0 || err >= CAP_INFO_MAC_LEN) { 3951 sdk_err(hwdev->dev_hdl, 3952 "Failed snprintf cable vendor info, function return(%d) and dest_len(%d)\n", 3953 err, CAP_INFO_MAC_LEN); 3954 return; 3955 } 3956 3957 if (info->port_type == LINK_PORT_FIBRE || 3958 info->port_type == LINK_PORT_AOC) { 3959 err = snprintf(tmp_str, sizeof(tmp_str), 3960 "%s, %s, Temperature: %u", tmp_str, 3961 info->sfp_type ? "SFP" : "QSFP", 3962 info->cable_temp); 3963 if (err <= 0 || err >= CAP_INFO_MAC_LEN) { 3964 sdk_err(hwdev->dev_hdl, 3965 "Failed snprintf cable Temp, function return(%d) and dest_len(%d)\n", 3966 err, CAP_INFO_MAC_LEN); 3967 return; 3968 } 3969 3970 if (info->sfp_type) { 3971 err = snprintf(tmp_str, sizeof(tmp_str), 3972 "%s, rx power: %uuW, tx power: %uuW", 3973 tmp_str, info->power[0], info->power[1]); 3974 } else { 3975 err = snprintf(tmp_str, sizeof(tmp_str), > 3976 "%s, rx power: %uuw %uuW %uuW %uuW", 3977 tmp_str, info->power[0], info->power[1], 3978 info->power[2], info->power[3]); 3979 } 3980 if (err <= 0 || err >= CAP_INFO_MAC_LEN) { 3981 sdk_err(hwdev->dev_hdl, 3982 "Failed snprintf power info, function return(%d) and dest_len(%d)\n", 3983 err, CAP_INFO_MAC_LEN); 3984 return; 3985 } 3986 } 3987 3988 sdk_info(hwdev->dev_hdl, "Cable information: %s\n", 3989 tmp_str); 3990 } 3991 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] ocfs2: reserve space for inline xattr before attaching reflink tree
by Yi Yang 30 Oct '24

30 Oct '24

From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> mainline inclusion from mainline-v6.12-rc1 commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA7 CVE: CVE-2024-49958 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@o… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index fc197e599e8c..9da1c9ca0cec 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -35,6 +35,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4192,8 +4193,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4219,6 +4221,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4226,7 +4248,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index c146e12a8601..58361f7b20e3 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6525,16 +6525,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.25.1

2 1

[PATCH OLK-5.10] ocfs2: reserve space for inline xattr before attaching reflink tree
by Yi Yang 30 Oct '24

30 Oct '24

From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> stable inclusion from stable-v5.10.227 commit aac31d654a0a31cb0d2fa36ae694f4e164a52707 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA7 CVE: CVE-2024-49958 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream. One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@o… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index 3b397fa9c9e8..85d25c211c87 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -27,6 +27,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4184,8 +4185,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4211,6 +4213,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4218,7 +4240,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 977a739d5448..00ede36aeec9 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6526,16 +6526,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.25.1

2 1

[PATCH OLK-6.6] security/keys: fix slab-out-of-bounds in key_task_permission
by Yi Yang 30 Oct '24

30 Oct '24

From: Chen Ridong <chenridong(a)huawei.com> maillist inclusion category: Bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAU173 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/comm… ---------------------------------------------------------------------- KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:123 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 __kuid_val include/linux/uidgid.h:36 [inline] uid_eq include/linux/uidgid.h:63 [inline] key_task_permission+0x394/0x410 security/keys/permission.c:54 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 This issue was also reported by syzbot. It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'. 2. Reboot and add the keys obtained in step 1. The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the slots in a node(below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL(it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to a read out-of-bounds read. To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not. [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@h… [jarkko: tweaked the commit message a bit to have an appropriate closes tag.] Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Reported-by: syzbot+5b415c07907a2990d1a3(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/ Signed-off-by: Chen Ridong <chenridong(a)huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- security/keys/keyring.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 4448758f643a..f331725d5a37 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -772,8 +772,11 @@ static bool search_nested_keyrings(struct key *keyring, for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { ptr = READ_ONCE(node->slots[slot]); - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) - goto descend_to_node; + if (assoc_array_ptr_is_meta(ptr)) { + if (node->back_pointer || + assoc_array_ptr_is_shortcut(ptr)) + goto descend_to_node; + } if (!keyring_ptr_is_keyring(ptr)) continue; -- 2.25.1

2 1

[PATCH OLK-5.10] security/keys: fix slab-out-of-bounds in key_task_permission
by Yi Yang 30 Oct '24

30 Oct '24

From: Chen Ridong <chenridong(a)huawei.com> maillist inclusion category: Bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAU173 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/comm… ---------------------------------------------------------------------- KASAN reports an out of bounds read: BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54 Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:123 print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 __kuid_val include/linux/uidgid.h:36 [inline] uid_eq include/linux/uidgid.h:63 [inline] key_task_permission+0x394/0x410 security/keys/permission.c:54 search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 This issue was also reported by syzbot. It can be reproduced by following these steps(more details [1]): 1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'. 2. Reboot and add the keys obtained in step 1. The reproducer demonstrates how this issue happened: 1. In the search_nested_keyrings function, when it iterates through the slots in a node(below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL(it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring. 2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK. 3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 4. As mentioned above, If a slot(slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to a read out-of-bounds read. To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not. [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@h… [jarkko: tweaked the commit message a bit to have an appropriate closes tag.] Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") Reported-by: syzbot+5b415c07907a2990d1a3(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/ Signed-off-by: Chen Ridong <chenridong(a)huawei.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- security/keys/keyring.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/security/keys/keyring.c b/security/keys/keyring.c index 14abfe765b7e..9f0fc81a3a7b 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -772,8 +772,11 @@ static bool search_nested_keyrings(struct key *keyring, for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { ptr = READ_ONCE(node->slots[slot]); - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) - goto descend_to_node; + if (assoc_array_ptr_is_meta(ptr)) { + if (node->back_pointer || + assoc_array_ptr_is_shortcut(ptr)) + goto descend_to_node; + } if (!keyring_ptr_is_keyring(ptr)) continue; -- 2.25.1

2 1

[PATCH OLK-6.6] scsi: sd: Fix off-by-one error in sd_read_block_characteristics()
by Zheng Qixing 30 Oct '24

30 Oct '24

From: Martin Wilck <mwilck(a)suse.com> stable inclusion from stable-v6.6.54 commit 568c7c4c77eee6df7677bb861b7cee7398a3255d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPK3 CVE: CVE-2024-47682 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ------------------------------- commit f81eaf08385ddd474a2f41595a7757502870c0eb upstream. Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8. Fixes: 7fb019c46eee ("scsi: sd: Switch to using scsi_device VPD pages") Cc: stable(a)vger.kernel.org Signed-off-by: Martin Wilck <mwilck(a)suse.com> Link: https://lore.kernel.org/r/20240912134308.282824-1-mwilck@suse.com Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- drivers/scsi/sd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 9ebf64a91586..11245bf46f85 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3118,7 +3118,7 @@ static void sd_read_block_characteristics(struct scsi_disk *sdkp) rcu_read_lock(); vpd = rcu_dereference(sdkp->device->vpd_pgb1); - if (!vpd || vpd->len < 8) { + if (!vpd || vpd->len <= 8) { rcu_read_unlock(); return; } -- 2.39.2

2 1

[openEuler-22.03-LTS-SP1] ocfs2: reserve space for inline xattr before attaching reflink tree
by Yi Yang 30 Oct '24

30 Oct '24

From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> stable inclusion from stable-v5.10.227 commit aac31d654a0a31cb0d2fa36ae694f4e164a52707 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRA7 CVE: CVE-2024-49958 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream. One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@o… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index 3b397fa9c9e8..85d25c211c87 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -27,6 +27,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4184,8 +4185,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4211,6 +4213,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4218,7 +4240,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 495fb5b7a087..42368577786e 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6526,16 +6526,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.25.1

1 0

[PATCH OLK-5.10] block: fix potential invalid pointer dereference in blk_add_partition
by Zheng Qixing 30 Oct '24

30 Oct '24

From: Riyan Dhiman <riyandhiman14(a)gmail.com> stable inclusion from stable-v5.10.227 commit 4bc4272e2506941c3f3d4fb8b0c659ee814dcf6f category: bugifx bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPJH CVE: CVE-2024-47705 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ] The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls. Fixes: b72053072c0b (block: allow partitions on host aware zone devices) Signed-off-by: Riyan Dhiman <riyandhiman14(a)gmail.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: block/partitions/core.c [Context inconsistency.] Signed-off-by: Zheng Qixing <zhengqixing(a)huawei.com> --- block/partitions/core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/block/partitions/core.c b/block/partitions/core.c index 8e0bddf0fa51..7e1fd93a5634 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -705,9 +705,11 @@ static bool blk_add_partition(struct gendisk *disk, struct block_device *bdev, part = add_partition(disk, p, from, size, state->parts[p].flags, &state->parts[p].info); - if (IS_ERR(part) && PTR_ERR(part) != -ENXIO) { - printk(KERN_ERR " %s: p%d could not be added: %ld\n", - disk->disk_name, p, -PTR_ERR(part)); + if (IS_ERR(part)) { + if (PTR_ERR(part) != -ENXIO) { + printk(KERN_ERR " %s: p%d could not be added: %ld\n", + disk->disk_name, p, -PTR_ERR(part)); + } return true; } -- 2.39.2

2 1