linux-stable/fs
Brian Foster 879427c02d xfs: fix attr leaf header freemap.size underflow
[ Upstream commit 2a2b5932db ]

The leaf format xattr addition helper xfs_attr3_leaf_add_work()
adjusts the block freemap in a couple places. The first update drops
the size of the freemap that the caller had already selected to
place the xattr name/value data. Before the function returns, it
also checks whether the entries array has encroached on a freemap
range by virtue of the new entry addition. This is necessary because
the entries array grows from the start of the block (but end of the
block header) towards the end of the block while the name/value data
grows from the end of the block in the opposite direction. If the
associated freemap is already empty, however, size is zero and the
subtraction underflows the field and causes corruption.

This is reproduced rarely by generic/070. The observed behavior is
that a smaller sized freemap is aligned to the end of the entries
list, several subsequent xattr additions land in larger freemaps and
the entries list expands into the smaller freemap until it is fully
consumed and then underflows. Note that it is not otherwise a
corruption for the entries array to consume an empty freemap because
the nameval list (i.e. the firstused pointer in the xattr header)
starts beyond the end of the corrupted freemap.

Update the freemap size modification to account for the fact that
the freemap entry can be empty and thus stale.

Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-10-01 13:12:29 +02:00
9p 9p: Fix memory leak in v9fs_mount 2020-08-21 09:48:15 +02:00
adfs fs/adfs: super: fix use-after-free bug 2019-08-06 19:05:21 +02:00
affs affs: fix basic permission bits to actually work 2020-09-09 19:03:12 +02:00
afs afs: Fix some tracing details 2020-04-02 16:34:33 +02:00
autofs4 autofs: fix a leak in autofs_expire_indirect() 2019-12-17 20:37:24 +01:00
befs License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bfs bfs: add sanity check at bfs_fill_super() 2018-12-01 09:42:51 +01:00
btrfs btrfs: fix wrong address when faulting in pages in the search ioctl 2020-09-23 10:46:30 +02:00
cachefiles cachefiles: Fix race between read_waiter and read_copier involving op->to_do 2020-06-03 08:17:53 +02:00
ceph ceph: don't allow setlease on cephfs 2020-09-09 19:03:06 +02:00
cifs smb3: warn on confusing error scenario with sec=krb5 2020-08-21 09:48:16 +02:00
coda coda: add error handling for fget 2019-08-06 19:05:23 +02:00
configfs configfs: fix config_item refcnt leak in configfs_rmdir() 2020-05-27 16:42:56 +02:00
cramfs Cramfs: fix abad comparison when wrap-arounds occur 2018-11-13 11:15:12 -08:00
crypto fscrypt: clean up some BUG_ON()s in block encryption/decryption 2019-07-31 07:28:22 +02:00
debugfs debugfs: fix use-after-free on symlink traversal 2019-05-08 07:20:49 +02:00
devpts fs/devpts: always delete dcache dentry-s in dput() 2019-03-23 14:35:21 +01:00
dlm dlm: Fix kobject memleak 2020-08-21 09:48:13 +02:00
ecryptfs ecryptfs: Fix up bad backport of fe2e082f5d 2020-03-11 18:02:51 +01:00
efivarfs
efs License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
exofs exofs_mount(): fix leaks on failure exits 2019-12-05 15:37:28 +01:00
exportfs exportfs: fix 'passing zero to ERR_PTR()' warning 2020-01-27 14:46:06 +01:00
ext2 ext2: fix missing percpu_counter_inc 2020-08-21 09:48:18 +02:00
ext4 fs: prevent BUG_ON in submit_bh_wbc() 2020-09-03 11:22:29 +02:00
f2fs f2fs: fix indefinite loop scanning for free nid 2020-09-23 10:46:34 +02:00
fat fat: don't allow to mount if the FAT length == 0 2020-06-20 10:25:05 +02:00
freevxfs
fscache fscache: fix race between enablement and dropping of object 2018-12-17 09:28:53 +01:00
fuse fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS 2020-07-22 09:22:27 +02:00
gfs2 gfs2: initialize transaction tr_ailX_lists earlier 2020-09-23 10:46:33 +02:00
hfs fs/hfs/extent.c: fix array out of bounds read of array extent 2019-12-01 09:13:57 +01:00
hfsplus hfsplus: fix crash and filesystem corruption when deleting files 2020-04-24 08:00:45 +02:00
hostfs License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hpfs License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
hugetlbfs hugetlb: use same fault hash key for shared and private mappings 2019-05-31 06:47:12 -07:00
isofs isofs: reject hardware sector size > 2048 bytes 2018-10-03 17:00:57 -07:00
jbd2 jbd2: abort journal if free a async write error metadata buffer 2020-09-03 11:22:29 +02:00
jffs2 jffs2: fix UAF problem 2020-08-26 10:29:56 +02:00
jfs jfs: fix bogus variable self-initialization 2020-01-27 14:46:26 +01:00
kernfs kernfs: fix ino wrap-around detection 2019-12-17 20:38:50 +01:00
lockd lockd: fix decoding of TEST results 2019-12-17 20:38:15 +01:00
minix fs/minix: reject too-large maximum file size 2020-08-21 09:48:15 +02:00
ncpfs staging: ncpfs: memory corruption in ncp_read_kernel() 2018-03-28 18:24:43 +02:00
nfs NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall 2020-09-23 10:46:33 +02:00
nfs_common lockd: fix "list_add double add" caused by legacy signal interface 2018-02-03 17:39:08 +01:00
nfsd nfsd: apply umask on fs without ACL support 2020-07-09 09:36:31 +02:00
nilfs2 nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() 2020-06-20 10:25:01 +02:00
nls License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
notify fs: avoid softlockups in s_inodes iterators 2020-01-12 12:11:59 +01:00
ntfs License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ocfs2 ocfs2: change slot number type s16 to u16 2020-08-21 09:48:19 +02:00
omfs License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
openpromfs
orangefs help_next should increase position index 2020-02-28 16:36:08 +01:00
overlayfs ovl: initialize error in ovl_copy_xattr 2020-06-20 10:25:04 +02:00
proc proc: Use new_inode not new_inode_pseudo 2020-06-20 10:25:04 +02:00
pstore pstore/ram: Write new dumps to start of recycled zones 2020-01-09 10:17:55 +01:00
qnx4 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
qnx6 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
quota fs: avoid softlockups in s_inodes iterators 2020-01-12 12:11:59 +01:00
ramfs
reiserfs reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() 2020-02-28 16:36:08 +01:00
romfs romfs: fix uninitialized memory leak in romfs_dev_read() 2020-08-26 10:29:54 +02:00
squashfs Squashfs: Compute expected length from inode size rather than block length 2018-09-05 09:26:32 +02:00
sysfs scsi: sysfs: Introduce sysfs_{un,}break_active_protection() 2018-09-05 09:26:41 +02:00
sysv sysv: return 'err' instead of 0 in __sysv_write_inode 2018-12-17 09:28:48 +01:00
tracefs
ubifs ubifs: don't trigger assertion on invalid no-key filename 2020-02-14 16:32:11 -05:00
udf udf: Fix free space reporting for metadata and virtual partitions 2020-02-28 16:36:02 +01:00
ufs fs/ufs: avoid potential u32 multiplication overflow 2020-08-21 09:48:22 +02:00
xfs xfs: fix attr leaf header freemap.size underflow 2020-10-01 13:12:29 +02:00
aio.c aio: fix spectre gadget in lookup_ioctx 2018-12-21 14:13:04 +01:00
anon_inodes.c
attr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bad_inode.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
binfmt_aout.c
binfmt_elf.c fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() 2020-06-03 08:18:03 +02:00
binfmt_elf_fdpic.c Merge branch 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:13:32 -07:00
binfmt_em86.c
binfmt_flat.c fs/binfmt_flat.c: make load_flat_shared_library() work 2019-07-03 13:15:59 +02:00
binfmt_misc.c fs/binfmt_misc.c: do not allow offset overflow 2018-06-26 08:06:33 +08:00
binfmt_script.c exec: load_script: Do not exec truncated interpreter path 2019-11-06 12:42:59 +01:00
block_dev.c block: Fix use-after-free in blkdev_get() 2020-06-25 15:41:58 +02:00
buffer.c fs: prevent BUG_ON in submit_bh_wbc() 2020-09-03 11:22:29 +02:00
char_dev.c chardev: Avoid potential use-after-free in 'chrdev_open()' 2020-01-14 20:05:39 +01:00
compat.c
compat_binfmt_elf.c
compat_ioctl.c fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP 2020-01-09 10:17:58 +01:00
coredump.c coredump: fix crash when umh is disabled 2020-05-20 08:16:58 +02:00
dax.c dax: pass NOWAIT flag to iomap_apply 2020-03-11 18:02:43 +01:00
dcache.c fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb() 2019-02-06 17:31:34 +01:00
dcookies.c
direct-io.c iomap: report collisions between directio and buffered writes to userspace 2019-04-27 09:35:41 +02:00
drop_caches.c fs: avoid softlockups in s_inodes iterators 2020-01-12 12:11:59 +01:00
eventfd.c
eventpoll.c fix regression in "epoll: Keep a reference on files added to the check list" 2020-09-09 19:03:09 +02:00
exec.c exec: Move would_dump into flush_old_exec 2020-05-20 08:17:16 +02:00
fcntl.c fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall 2017-12-17 15:07:59 +01:00
fhandle.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
file.c fix multiplication overflow in copy_fdtable() 2020-05-27 16:42:51 +02:00
file_table.c
filesystems.c fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once() 2020-04-24 08:00:43 +02:00
fs-writeback.c writeback: Fix sync livelock due to b_dirty_time processing 2020-09-03 11:22:32 +02:00
fs_pin.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fs_struct.c
inode.c futex: Fix inode life-time issue 2020-04-02 16:34:21 +02:00
internal.h
ioctl.c vfs: swap names of {do,vfs}_clone_file_range() 2018-11-10 07:48:33 -08:00
iomap.c iomap: Fix pipe page leakage during splicing 2019-12-17 20:38:57 +01:00
Kconfig
Kconfig.binfmt
libfs.c libfs: fix infoleak in simple_attr_read() 2020-04-02 16:34:35 +02:00
locks.c locks: print unsigned ino in /proc/locks 2020-01-09 10:17:55 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mbcache.c mbcache: initialize entry->e_referenced in mb_cache_entry_create() 2018-02-22 15:42:25 +01:00
mount.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpage.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
namei.c namei: only return -ECHILD from follow_dotdot_rcu() 2020-03-11 18:02:53 +01:00
namespace.c fs/namespace.c: fix mountpoint reference counter race 2020-05-02 17:24:20 +02:00
no-block.c
nsfs.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
open.c cifs_atomic_open(): fix double-put on late allocation failure 2020-03-20 10:54:16 +01:00
pipe.c fs: prevent page refcount overflow in pipe_buf_get 2019-05-04 09:15:18 +02:00
pnode.c propagate_one(): mnt_set_mountpoint() needs mount_lock 2020-05-02 17:24:47 +02:00
pnode.h
posix_acl.c
proc_namespace.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
read_write.c vfs: avoid problematic remapping requests into partial EOF block 2019-12-01 09:13:51 +01:00
readdir.c filldir[64]: remove WARN_ON_ONCE() for bad directory entries 2020-01-04 14:00:04 +01:00
select.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
seq_file.c seq_file: fix incomplete reset on read from zero offset 2018-02-22 15:42:28 +01:00
signalfd.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
splice.c fs: prevent page refcount overflow in pipe_buf_get 2019-05-04 09:15:18 +02:00
stack.c
stat.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
statfs.c vfs: Fix EOVERFLOW testing in put_compat_statfs64 2019-10-11 18:18:48 +02:00
super.c fs: don't scan the inode cache before SB_BORN is set 2018-05-30 07:51:47 +02:00
sync.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
timerfd.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
userfaultfd.c userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK 2020-01-04 13:59:58 +01:00
utimes.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xattr.c xattr: break delegations in {set,remove}xattr 2020-08-21 09:48:00 +02:00