From: Chao Yu chao@kernel.org
stable inclusion from stable-v6.1.113 commit 26b07bd2e1f124b0e430c8d250023f7205c549c3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQSF CVE: CVE-2024-49859
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit bfe5c02654261bfb8bd9cb174a67f3279ea99e58 upstream.
Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(), f2fs_move_file_range(), and f2fs_defragment_range() missed to check atomic_write status, which may cause potential race issue, fix it.
Cc: stable@vger.kernel.org Signed-off-by: Chao Yu chao@kernel.org Signed-off-by: Jaegeuk Kim jaegeuk@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Conflicts: fs/f2fs/file.c [There is context conflicts due to commit d6dd477436957(f2fs: do not allow to defragment files have FI_COMPRESS_RELEASED) not merge in f2fs_defragment_range().] Signed-off-by: Gu Bowen gubowen5@huawei.com --- fs/f2fs/file.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index eff0b359f1a3..8c1ef827462c 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2609,6 +2609,11 @@ static int f2fs_defragment_range(struct f2fs_sb_info *sbi,
inode_lock(inode);
+ if (f2fs_is_atomic_file(inode)) { + err = -EINVAL; + goto out; + } + /* writeback all dirty pages in the range */ err = filemap_write_and_wait_range(inode->i_mapping, range->start, range->start + range->len - 1); @@ -2821,6 +2826,11 @@ static int f2fs_move_file_range(struct file *file_in, loff_t pos_in, goto out_unlock; }
+ if (f2fs_is_atomic_file(src) || f2fs_is_atomic_file(dst)) { + ret = -EINVAL; + goto out_unlock; + } + ret = -EINVAL; if (pos_in + len > src->i_size || pos_in + len < pos_in) goto out_unlock; @@ -3268,6 +3278,11 @@ static int f2fs_ioc_set_pin_file(struct file *filp, unsigned long arg) goto out; }
+ if (f2fs_is_atomic_file(inode)) { + ret = -EINVAL; + goto out; + } + if (!pin) { clear_inode_flag(inode, FI_PIN_FILE); f2fs_i_gc_failures_write(inode, 0);