linux-stable.git/fs/udf, branch v6.11 Linux kernel stable tree udf: prevent integer overflow in udf_bitmap_free_blocks() 2024-06-26T10:54:11+00:00 Roman Smirnov r.smirnov@omp.ru 2024-06-20T07:24:13+00:00 56e69e59751d20993f243fb7dd6991c4e522424c An overflow may occur if the function is called with the last block and an offset greater than zero. It is necessary to add a check to avoid this. Found by Linux Verification Center (linuxtesting.org) with Svace. [JK: Make test cover also unalloc table freeing] Link: https://patch.msgid.link/20240620072413.7448-1-r.smirnov@omp.ru Suggested-by: Jan Kara <jack@suse.com> Signed-off-by: Roman Smirnov <r.smirnov@omp.ru> Signed-off-by: Jan Kara <jack@suse.cz> 
An overflow may occur if the function is called with the last
block and an offset greater than zero. It is necessary to add
a check to avoid this.

Found by Linux Verification Center (linuxtesting.org) with Svace.

[JK: Make test cover also unalloc table freeing]

Link: https://patch.msgid.link/20240620072413.7448-1-r.smirnov@omp.ru
Suggested-by: Jan Kara <jack@suse.com>
Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Avoid excessive partition lengths 2024-06-26T10:54:11+00:00 Jan Kara jack@suse.cz 2024-06-20T10:52:17+00:00 ebbe26fd54a9621994bc16b14f2ba8f84c089693 Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap. Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz Signed-off-by: Jan Kara <jack@suse.cz> 
Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.

Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Drop load_block_bitmap() wrapper 2024-06-26T10:54:11+00:00 Jan Kara jack@suse.cz 2024-06-17T15:41:53+00:00 8037da38d33cd354deafc41eee62da0fbcb5135c The wrapper is completely pointless as all the checks are already done in __load_block_bitmap(). Just drop it and rename __load_block_bitmap(). Link: https://patch.msgid.link/20240617154201.29512-3-jack@suse.cz Signed-off-by: Jan Kara <jack@suse.cz> 
The wrapper is completely pointless as all the checks are already done
in __load_block_bitmap(). Just drop it and rename __load_block_bitmap().

Link: https://patch.msgid.link/20240617154201.29512-3-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Avoid using corrupted block bitmap buffer 2024-06-26T10:54:08+00:00 Jan Kara jack@suse.cz 2024-06-17T15:41:52+00:00 a90d4471146de21745980cba51ce88e7926bcc4f When the filesystem block bitmap is corrupted, we detect the corruption while loading the bitmap and fail the allocation with error. However the next allocation from the same bitmap will notice the bitmap buffer is already loaded and tries to allocate from the bitmap with mixed results (depending on the exact nature of the bitmap corruption). Fix the problem by using BH_verified bit to indicate whether the bitmap is valid or not. Reported-by: syzbot+5f682cd029581f9edfd1@syzkaller.appspotmail.com CC: stable@vger.kernel.org Link: https://patch.msgid.link/20240617154201.29512-2-jack@suse.cz Fixes: 1e0d4adf17e7 ("udf: Check consistency of Space Bitmap Descriptor") Signed-off-by: Jan Kara <jack@suse.cz> 
When the filesystem block bitmap is corrupted, we detect the corruption
while loading the bitmap and fail the allocation with error. However the
next allocation from the same bitmap will notice the bitmap buffer is
already loaded and tries to allocate from the bitmap with mixed results
(depending on the exact nature of the bitmap corruption). Fix the
problem by using BH_verified bit to indicate whether the bitmap is valid
or not.

Reported-by: syzbot+5f682cd029581f9edfd1@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Link: https://patch.msgid.link/20240617154201.29512-2-jack@suse.cz
Fixes: 1e0d4adf17e7 ("udf: Check consistency of Space Bitmap Descriptor")
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Fix bogus checksum computation in udf_rename() 2024-06-20T13:07:27+00:00 Jan Kara jack@suse.cz 2024-06-17T15:41:51+00:00 27ab33854873e6fb958cb074681a0107cc2ecc4c Syzbot reports uninitialized memory access in udf_rename() when updating checksum of '..' directory entry of a moved directory. This is indeed true as we pass on-stack diriter.fi to the udf_update_tag() and because that has only struct fileIdentDesc included in it and not the impUse or name fields, the checksumming function is going to checksum random stack contents beyond the end of the structure. This is actually harmless because the following udf_fiiter_write_fi() will recompute the checksum from on-disk buffers where everything is properly included. So all that is needed is just removing the bogus calculation. Fixes: e9109a92d2a9 ("udf: Convert udf_rename() to new directory iteration code") Link: https://lore.kernel.org/all/000000000000cf405f060d8f75a9@google.com/T/ Link: https://patch.msgid.link/20240617154201.29512-1-jack@suse.cz Reported-by: syzbot+d31185aa54170f7fc1f5@syzkaller.appspotmail.com Signed-off-by: Jan Kara <jack@suse.cz> 
Syzbot reports uninitialized memory access in udf_rename() when updating
checksum of '..' directory entry of a moved directory. This is indeed
true as we pass on-stack diriter.fi to the udf_update_tag() and because
that has only struct fileIdentDesc included in it and not the impUse or
name fields, the checksumming function is going to checksum random stack
contents beyond the end of the structure. This is actually harmless
because the following udf_fiiter_write_fi() will recompute the checksum
from on-disk buffers where everything is properly included. So all that
is needed is just removing the bogus calculation.

Fixes: e9109a92d2a9 ("udf: Convert udf_rename() to new directory iteration code")
Link: https://lore.kernel.org/all/000000000000cf405f060d8f75a9@google.com/T/
Link: https://patch.msgid.link/20240617154201.29512-1-jack@suse.cz
Reported-by: syzbot+d31185aa54170f7fc1f5@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Fix lock ordering in udf_evict_inode() 2024-06-05T08:36:46+00:00 Jan Kara jack@suse.cz 2024-05-20T13:23:37+00:00 8832fc1e502687869606bb0a7b79848ed3bf036f udf_evict_inode() calls udf_setsize() to truncate deleted inode. However inode deletion through udf_evict_inode() can happen from inode reclaim context and udf_setsize() grabs mapping->invalidate_lock which isn't generally safe to acquire from fs reclaim context since we allocate pages under mapping->invalidate_lock for example in a page fault path. This is however not a real deadlock possibility as by the time udf_evict_inode() is called, nobody can be accessing the inode, even less work with its page cache. So this is just a lockdep triggering false positive. Fix the problem by moving mapping->invalidate_lock locking outsize of udf_setsize() into udf_setattr() as grabbing mapping->invalidate_lock from udf_evict_inode() is pointless. Reported-by: syzbot+0333a6f4b88bcd68a62f@syzkaller.appspotmail.com Fixes: b9a861fd527a ("udf: Protect truncate and file type conversion with invalidate_lock") Signed-off-by: Jan Kara <jack@suse.cz> 
udf_evict_inode() calls udf_setsize() to truncate deleted inode.
However inode deletion through udf_evict_inode() can happen from inode
reclaim context and udf_setsize() grabs mapping->invalidate_lock which
isn't generally safe to acquire from fs reclaim context since we
allocate pages under mapping->invalidate_lock for example in a page
fault path.  This is however not a real deadlock possibility as by the
time udf_evict_inode() is called, nobody can be accessing the inode,
even less work with its page cache. So this is just a lockdep triggering
false positive. Fix the problem by moving mapping->invalidate_lock
locking outsize of udf_setsize() into udf_setattr() as grabbing
mapping->invalidate_lock from udf_evict_inode() is pointless.

Reported-by: syzbot+0333a6f4b88bcd68a62f@syzkaller.appspotmail.com
Fixes: b9a861fd527a ("udf: Protect truncate and file type conversion with invalidate_lock")
Signed-off-by: Jan Kara <jack@suse.cz>
udf: Drop pointless IS_IMMUTABLE and IS_APPEND check 2024-06-05T08:36:46+00:00 Jan Kara jack@suse.cz 2024-05-20T13:18:44+00:00 c1f1b25a6089eb93a11a147e8de766c0d6ad29ac udf_setsize() checks for IS_IMMUTABLE and IS_APPEND flags. This is however pointless as UDF does not have capability to store these flags and never allows to set them. Furthermore this is the only place in UDF code that was actually checking these flags. Remove the pointless check. Signed-off-by: Jan Kara <jack@suse.cz> 
udf_setsize() checks for IS_IMMUTABLE and IS_APPEND flags. This is
however pointless as UDF does not have capability to store these flags
and never allows to set them. Furthermore this is the only place in UDF
code that was actually checking these flags. Remove the pointless check.

Signed-off-by: Jan Kara <jack@suse.cz>
udf: Use a folio in udf_write_end() 2024-04-23T13:37:02+00:00 Matthew Wilcox (Oracle) willy@infradead.org 2024-04-17T15:04:13+00:00 e29741676fac5d4430b3d2b799a5ff671ea9f023 Convert the page to a folio and use the folio APIs. Replaces three calls to compound_head() with one. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Signed-off-by: Jan Kara <jack@suse.cz> Message-Id: <20240417150416.752929-8-willy@infradead.org> 
Convert the page to a folio and use the folio APIs.  Replaces three
calls to compound_head() with one.

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20240417150416.752929-8-willy@infradead.org>
udf: Convert udf_page_mkwrite() to use a folio 2024-04-23T13:37:02+00:00 Matthew Wilcox (Oracle) willy@infradead.org 2024-04-17T15:04:12+00:00 f5985ef281f9efff3e8291123fdb8a748b506951 Convert the vm_fault page to a folio, then use it throughout. Replaces five calls to compound_head() with one. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Signed-off-by: Jan Kara <jack@suse.cz> Message-Id: <20240417150416.752929-7-willy@infradead.org> 
Convert the vm_fault page to a folio, then use it throughout.
Replaces five calls to compound_head() with one.

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20240417150416.752929-7-willy@infradead.org>
udf: Convert udf_symlink_getattr() to use a folio 2024-04-23T13:37:02+00:00 Matthew Wilcox (Oracle) willy@infradead.org 2024-04-17T15:04:11+00:00 2f1c1bd7b18768377ff4a84974d77e6e8b371a67 We're getting this from the page cache, so it's definitely a folio. Saves a call to compound_head() hidden in put_page(). Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Signed-off-by: Jan Kara <jack@suse.cz> Message-Id: <20240417150416.752929-6-willy@infradead.org> 
We're getting this from the page cache, so it's definitely a folio.
Saves a call to compound_head() hidden in put_page().

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20240417150416.752929-6-willy@infradead.org>