[PATCH OLK-5.10 0/1] Fix CVE-2026-43262
Fix CVE-2026-43262.

Andreas Gruenbacher (1):
  gfs2: fiemap page fault fix

 fs/gfs2/inode.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--
2.34.1
From: Andreas Gruenbacher <agruenba@redhat.com> stable inclusion from stable-v6.6.128 commit e428670cfb2993d8c224effd076242ca6b0950de category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14806 CVE: CVE-2026-43262 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit e411d74cc5ba290f85d0dd5e4d1df8f1d6d975d2 ] In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Hongbo Li <lihongbo22@huawei.com> --- fs/gfs2/inode.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c index d75d56d9ea0c..726a1bde6919 100644 --- a/fs/gfs2/inode.c +++ b/fs/gfs2/inode.c @@ -2065,6 +2065,14 @@ static int gfs2_getattr(const struct path *path, struct kstat *stat, return 0; } +static bool fault_in_fiemap(struct fiemap_extent_info *fi) +{ + struct fiemap_extent __user *dest = fi->fi_extents_start; + size_t size = sizeof(*dest) * fi->fi_extents_max; + + return fault_in_safe_writeable((char __user *)dest, size) == 0; +} + static int gfs2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, u64 start, u64 len) { 
@@ -2074,14 +2082,22 @@ static int gfs2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, inode_lock_shared(inode); +retry: ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &gh); if (ret) goto out; + pagefault_disable(); ret = iomap_fiemap(inode, fieinfo, start, len, &gfs2_iomap_ops); + pagefault_enable(); gfs2_glock_dq_uninit(&gh); + if (ret == -EFAULT && fault_in_fiemap(fieinfo)) { + fieinfo->fi_extents_mapped = 0; + goto retry; + } + out: inode_unlock_shared(inode); return ret; -- 2.34.1
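Review bot: In the first hunk, fault_in_fiemap() computes `sizeof(*dest) * fi->fi_extents_max` with no overflow check, and nothing visible in the patch shows where fi_extents_max is bounded. Either use an overflow-checked helper such as array_size() or add a comment naming the place that enforces the bound. The helper would also benefit from a one-line comment stating that it returns true only when the whole extent buffer could be faulted in (fault_in_safe_writeable() returning 0), since the caller's retry decision depends on exactly that. Because the cover letter targets OLK-5.10 while the commit is taken from stable-v6.6.128, please confirm that fault_in_safe_writeable() is available in the target tree.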
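Review bot: In the second hunk, the `goto retry` path in gfs2_fiemap() is unbounded and undocumented: it loops for as long as iomap_fiemap() returns -EFAULT and fault_in_fiemap() succeeds, so a buffer that keeps getting paged out between the fault-in and the next attempt is retried indefinitely. Please add a comment above the `if (ret == -EFAULT && fault_in_fiemap(fieinfo))` block explaining that resetting `fieinfo->fi_extents_mapped = 0` discards the extents already copied and restarts the mapping from `start`, and that the fault-in is deliberately done after gfs2_glock_dq_uninit() but still under inode_lock_shared(). It is also worth stating in the commit message or a comment why holding the inode lock across the manual fault-in is safe when the buffer is mapped from the same inode, since that is the case the fix is about.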
Feedback: The patch(es) which you have sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22261
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KLR...
participants (2): Hongbo Li, patchwork bot