diff mbox series

[5.10,052/390] f2fs: fix to do sanity check on summary info

Message ID	20221024113024.853480982@linuxfoundation.org
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Wenqing Liu <wenqingliu0120@gmail.com>, Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org> Subject: [PATCH 5.10 052/390] f2fs: fix to do sanity check on summary info Date: Mon, 24 Oct 2022 13:27:29 +0200 Message-Id: <20221024113024.853480982@linuxfoundation.org> In-Reply-To: <20221024113022.510008560@linuxfoundation.org> References: <20221024113022.510008560@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| [5.10,002/390] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() [5.10,003/390] ALSA: usb-audio: Fix potential memory leaks [5.10,004/390] ALSA: usb-audio: Fix NULL dererence at error path [5.10,005/390] ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 [5.10,006/390] ALSA: hda/realtek: Correct pin configs for ASUS G533Z [5.10,007/390] ALSA: hda/realtek: Add quirk for ASUS GV601R laptop [5.10,008/390] ALSA: hda/realtek: Add Intel Reference SSID to support headset keys [5.10,009/390] mtd: rawnand: atmel: Unmap streaming DMA mappings [5.10,010/390] cifs: destage dirty pages before re-reading them for cache=none [5.10,011/390] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message [5.10,012/390] iio: dac: ad5593r: Fix i2c read protocol requirements [5.10,013/390] iio: ltc2497: Fix reading conversion results [5.10,014/390] iio: adc: ad7923: fix channel readings for some variants [5.10,015/390] iio: pressure: dps310: Refactor startup procedure [5.10,016/390] iio: pressure: dps310: Reset chip after timeout [5.10,017/390] usb: add quirks for Lenovo OneLink+ Dock [5.10,018/390] can: kvaser_usb: Fix use of uninitialized completion [5.10,019/390] can: kvaser_usb_leaf: Fix overread with an invalid command [5.10,020/390] can: kvaser_usb_leaf: Fix TX queue out of sync after restart [5.10,021/390] can: kvaser_usb_leaf: Fix CAN state after restart [5.10,022/390] mmc: sdhci-sprd: Fix minimum clock limit [5.10,023/390] fs: dlm: fix race between test_bit() and queue_work() [5.10,024/390] fs: dlm: handle -EBUSY first in lock arg validation [5.10,025/390] HID: multitouch: Add memory barriers [5.10,026/390] quota: Check next/prev free block number after reading from quota file [5.10,027/390] platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure [5.10,028/390] ASoC: wcd9335: fix order of Slimbus unprepare/disable [5.10,029/390] ASoC: wcd934x: fix order of Slimbus unprepare/disable [5.10,030/390] hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API [5.10,031/390] regulator: qcom_rpm: Fix circular deferral regression [5.10,032/390] RISC-V: Make port I/O string accessors actually work [5.10,033/390] parisc: fbdev/stifb: Align graphics memory size to 4MB [5.10,034/390] riscv: Allow PROT_WRITE-only mmap() [5.10,035/390] riscv: Make VM_WRITE imply VM_READ [5.10,036/390] riscv: Pass -mno-relax only on lld < 15.0.0 [5.10,037/390] UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK [5.10,038/390] nvme-pci: set min_align_mask before calculating max_hw_sectors [5.10,039/390] drm/virtio: Check whether transferred 2D BO is shmem [5.10,040/390] drm/udl: Restore display mode on resume [5.10,041/390] block: fix inflight statistics of part0 [5.10,042/390] mm/mmap: undo ->mmap() when arch_validate_flags() fails [5.10,043/390] PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge [5.10,044/390] serial: 8250: Let drivers request full 16550A feature probing [5.10,045/390] powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain [5.10,046/390] powerpc/boot: Explicitly disable usage of SPE instructions [5.10,047/390] scsi: qedf: Populate sysfs attributes for vport [5.10,048/390] fbdev: smscufx: Fix use-after-free in ufx_ops_open() [5.10,049/390] btrfs: fix race between quota enable and quota rescan ioctl [5.10,050/390] f2fs: increase the limit for reserve_root [5.10,051/390] f2fs: fix to do sanity check on destination blkaddr during recovery [5.10,052/390] f2fs: fix to do sanity check on summary info [5.10,053/390] hardening: Clarify Kconfig text for auto-var-init [5.10,054/390] hardening: Avoid harmless Clang option under CONFIG_INIT_STACK_ALL_ZERO [5.10,055/390] hardening: Remove Clangs enable flag for -ftrivial-auto-var-init=zero [5.10,056/390] jbd2: wake up journal waiters in FIFO order, not LIFO [5.10,057/390] jbd2: fix potential buffer head reference count leak [5.10,058/390] jbd2: fix potential use-after-free in jbd2_fc_wait_bufs [5.10,059/390] jbd2: add miss release buffer head in fc_do_one_pass() [5.10,060/390] ext4: avoid crash when inline data creation follows DIO write [5.10,061/390] ext4: fix null-ptr-deref in ext4_write_info [5.10,062/390] ext4: make ext4_lazyinit_thread freezable [5.10,063/390] ext4: fix check for block being out of directory size [5.10,064/390] ext4: dont increase iversion counter for ea_inodes [5.10,065/390] ext4: ext4_read_bh_lock() should submit IO if the buffer isnt uptodate [5.10,066/390] ext4: place buffer head allocation before handle start [5.10,067/390] ext4: fix miss release buffer head in ext4_fc_write_inode [5.10,068/390] ext4: fix potential memory leak in ext4_fc_record_modified_inode() [5.10,069/390] ext4: fix potential memory leak in ext4_fc_record_regions() [5.10,070/390] ext4: update state->fc_regions_size after successful memory allocation [5.10,071/390] livepatch: fix race between fork and KLP transition [5.10,072/390] ftrace: Properly unset FTRACE_HASH_FL_MOD [5.10,073/390] ring-buffer: Allow splice to read previous partially read pages [5.10,074/390] ring-buffer: Have the shortest_full queue be the shortest not longest [5.10,075/390] ring-buffer: Check pending waiters when doing wake ups as well [5.10,076/390] ring-buffer: Add ring_buffer_wake_waiters() [5.10,077/390] ring-buffer: Fix race between reset page and reading page [5.10,078/390] tracing: Disable interrupt or preemption before acquiring arch_spinlock_t [5.10,079/390] thunderbolt: Explicitly enable lane adapter hotplug events at startup [5.10,080/390] efi: libstub: drop pointless get_memory_map() call [5.10,081/390] media: cedrus: Set the platform driver data earlier [5.10,082/390] KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility [5.10,083/390] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" [5.10,084/390] KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS [5.10,085/390] staging: greybus: audio_helper: remove unused and wrong debugfs usage [5.10,086/390] drm/nouveau/kms/nv140-: Disable interlacing [5.10,087/390] drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table() [5.10,088/390] drm/i915: Fix watermark calculations for gen12+ RC CCS modifier [5.10,089/390] drm/i915: Fix watermark calculations for gen12+ MC CCS modifier [5.10,090/390] smb3: must initialize two ACL struct fields to zero [5.10,091/390] selinux: use "grep -E" instead of "egrep" [5.10,092/390] userfaultfd: open userfaultfds with O_RDONLY [5.10,093/390] sh: machvec: Use char[] for section boundaries [5.10,094/390] MIPS: SGI-IP27: Free some unused memory [5.10,095/390] MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create() [5.10,096/390] ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd() [5.10,097/390] ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE [5.10,098/390] objtool: Preserve special st_shndx indexes in elf_update_symbol [5.10,099/390] nfsd: Fix a memory leak in an error handling path [5.10,100/390] wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() [5.10,101/390] leds: lm3601x: Dont use mutex after it was destroyed [5.10,102/390] wifi: mac80211: allow bw change during channel switch in mesh [5.10,103/390] bpftool: Fix a wrong type cast in btf_dumper_int [5.10,104/390] spi: mt7621: Fix an error message in mt7621_spi_probe() [5.10,105/390] x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch reg… [5.10,106/390] Bluetooth: btusb: Fine-tune mt7663 mechanism. [5.10,107/390] Bluetooth: btusb: fix excessive stack usage [5.10,108/390] Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend [5.10,109/390] wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() [5.10,110/390] selftests/xsk: Avoid use-after-free on ctx [5.10,111/390] spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume() [5.10,112/390] spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime() [5.10,113/390] wifi: rtl8xxxu: Fix skb misuse in TX queue selection [5.10,114/390] spi: meson-spicc: do not rely on busy flag in pow2 clk ops [5.10,115/390] bpf: btf: fix truncated last_member_type_id in btf_struct_resolve [5.10,116/390] wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration [5.10,117/390] wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask [5.10,118/390] net: fs_enet: Fix wrong check in do_pd_setup [5.10,119/390] bpf: Ensure correct locking around vulnerable function find_vpid() [5.10,120/390] Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure [5.10,121/390] wifi: ath11k: fix number of VHT beamformee spatial streams [5.10,122/390] x86/microcode/AMD: Track patch allocation size explicitly [5.10,123/390] x86/cpu: Include the header of init_ia32_feat_ctl()s prototype [5.10,124/390] spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe [5.10,125/390] spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe [5.10,126/390] i2c: mlxbf: support lock mechanism [5.10,127/390] Bluetooth: hci_core: Fix not handling link timeouts propertly [5.10,128/390] netfilter: nft_fib: Fix for rpath check with VRF devices [5.10,129/390] spi: s3c64xx: Fix large transfers with DMA [5.10,130/390] wifi: rtl8xxxu: Fix AIFS written to REG_EDCA__PARAM [5.10,131/390] vhost/vsock: Use kvmalloc/kvfree for larger packets. [5.10,132/390] mISDN: fix use-after-free bugs in l1oip timer handlers [5.10,133/390] sctp: handle the error returned from sctp_auth_asoc_init_active_key [5.10,134/390] tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited [5.10,135/390] spi: Ensure that sg_table wont be used after being freed [5.10,136/390] net: rds: dont hold sock lock when cancelling work from rds_tcp_reset_callbacks() [5.10,137/390] bnx2x: fix potential memory leak in bnx2x_tpa_stop() [5.10,138/390] net/ieee802154: reject zero-sized raw_sendmsg() [5.10,139/390] once: add DO_ONCE_SLOW() for sleepable contexts [5.10,140/390] net: mvpp2: fix mvpp2 debugfs leak [5.10,141/390] drm: bridge: adv7511: fix CEC power down control register offset [5.10,142/390] drm/bridge: Avoid uninitialized variable warning [5.10,143/390] drm/mipi-dsi: Detach devices when removing the host [5.10,144/390] drm/bridge: parade-ps8640: Fix regulator supply order [5.10,145/390] drm/dp_mst: fix drm_dp_dpcd_read return value checks [5.10,146/390] drm:pl111: Add of_node_put() when breaking out of for_each_available_child_of_node() [5.10,147/390] platform/chrome: fix double-free in chromeos_laptop_prepare() [5.10,148/390] platform/chrome: fix memory corruption in ioctl [5.10,149/390] ASoC: tas2764: Allow mono streams [5.10,150/390] ASoC: tas2764: Drop conflicting set_bias_level power setting [5.10,151/390] ASoC: tas2764: Fix mute/unmute [5.10,152/390] platform/x86: msi-laptop: Fix old-ec check for backlight registering [5.10,153/390] platform/x86: msi-laptop: Fix resource cleanup [5.10,154/390] drm: fix drm_mipi_dbi build errors [5.10,155/390] drm/bridge: megachips: Fix a null pointer dereference bug [5.10,156/390] ASoC: rsnd: Add check for rsnd_mod_power_on [5.10,157/390] ALSA: hda: beep: Simplify keep-power-at-enable behavior [5.10,158/390] drm/omap: dss: Fix refcount leak bugs [5.10,159/390] mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() [5.10,160/390] ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API [5.10,161/390] drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx [5.10,162/390] drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa() [5.10,163/390] ASoC: da7219: Fix an error handling path in da7219_register_dai_clks() [5.10,164/390] ALSA: dmaengine: increment buffer pointer atomically [5.10,165/390] mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() [5.10,166/390] ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe [5.10,167/390] ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe [5.10,168/390] ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe [5.10,169/390] ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe [5.10,170/390] ALSA: hda/hdmi: Dont skip notification handling during PM operation [5.10,171/390] memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe() [5.10,172/390] memory: of: Fix refcount leak bug in of_get_ddr_timings() [5.10,173/390] memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings() [5.10,174/390] soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() [5.10,175/390] soc: qcom: smem_state: Add refcounting for the state->of_node [5.10,176/390] ARM: dts: turris-omnia: Fix mpp26 pin name and comment [5.10,177/390] ARM: dts: kirkwood: lsxl: fix serial line [5.10,178/390] ARM: dts: kirkwood: lsxl: remove first ethernet port [5.10,179/390] ia64: export memory_add_physaddr_to_nid to fix cxl build error [5.10,180/390] soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA [5.10,181/390] ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family [5.10,182/390] ARM: Drop CMDLINE_ dependency on ATAGS [5.10,183/390] arm64: ftrace: fix module PLTs with mcount [5.10,184/390] ARM: dts: exynos: fix polarity of VBUS GPIO of Origen [5.10,185/390] iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX [5.10,186/390] iio: adc: at91-sama5d2_adc: check return status for pressure and touch [5.10,187/390] iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq [5.10,188/390] iio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume [5.10,189/390] iio: inkern: only release the device node when done with it [5.10,190/390] iio: ABI: Fix wrong format of differential capacitance channel ABI. [5.10,191/390] usb: ch9: Add USB 3.2 SSP attributes [5.10,192/390] usb: common: Parse for USB SSP genXxY [5.10,193/390] usb: common: add function to get interval expressed in us unit [5.10,194/390] usb: common: move functions kerneldoc next to its definition [5.10,195/390] usb: common: debug: Check non-standard control requests [5.10,196/390] clk: meson: Hold reference returned by of_get_parent() [5.10,197/390] clk: oxnas: Hold reference returned by of_get_parent() [5.10,198/390] clk: qoriq: Hold reference returned by of_get_parent() [5.10,199/390] clk: berlin: Add of_node_put() for of_get_parent() [5.10,200/390] clk: sprd: Hold reference returned by of_get_parent() [5.10,201/390] clk: tegra: Fix refcount leak in tegra210_clock_init [5.10,202/390] clk: tegra: Fix refcount leak in tegra114_clock_init [5.10,203/390] clk: tegra20: Fix refcount leak in tegra20_clock_init [5.10,204/390] HSI: omap_ssi: Fix refcount leak in ssi_probe [5.10,205/390] HSI: omap_ssi_port: Fix dma_map_sg error check [5.10,206/390] media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop [5.10,207/390] tty: xilinx_uartps: Fix the ignore_status [5.10,208/390] media: meson: vdec: add missing clk_disable_unprepare on error in vdec_hevc_start() [5.10,209/390] media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init [5.10,210/390] RDMA/rxe: Fix "kernel NULL pointer dereference" error [5.10,211/390] RDMA/rxe: Fix the error caused by qp->sk [5.10,212/390] misc: ocxl: fix possible refcount leak in afu_ioctl() [5.10,213/390] fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() [5.10,214/390] dmaengine: hisilicon: Disable channels when unregister hisi_dma [5.10,215/390] dmaengine: hisilicon: Fix CQ head update [5.10,216/390] dmaengine: hisilicon: Add multi-thread support for a DMA channel [5.10,217/390] dyndbg: fix static_branch manipulation [5.10,218/390] dyndbg: fix module.dyndbg handling [5.10,219/390] dyndbg: let query-modname override actual module name [5.10,220/390] dyndbg: drop EXPORTed dynamic_debug_exec_queries [5.10,221/390] mtd: devices: docg3: check the return value of devm_ioremap() in the probe [5.10,222/390] mtd: rawnand: fsl_elbc: Fix none ECC mode [5.10,223/390] RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall. [5.10,224/390] ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting() [5.10,225/390] ata: fix ata_id_has_devslp() [5.10,226/390] ata: fix ata_id_has_ncq_autosense() [5.10,227/390] ata: fix ata_id_has_dipm() [5.10,228/390] mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct() [5.10,229/390] md: Replace snprintf with scnprintf [5.10,230/390] md/raid5: Ensure stripe_fill happens on non-read IO with journal [5.10,231/390] RDMA/cm: Use SLID in the work completion as the DLID in responder side [5.10,232/390] IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers [5.10,233/390] xhci: Dont show warning for reinit on known broken suspend [5.10,234/390] usb: gadget: function: fix dangling pnp_string in f_printer.c [5.10,235/390] drivers: serial: jsm: fix some leaks in probe [5.10,236/390] serial: 8250: Add an empty line and remove some useless {} [5.10,237/390] serial: 8250: Toggle IER bits on only after irq has been set up [5.10,238/390] tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown [5.10,239/390] phy: qualcomm: call clk_disable_unprepare in the error handling [5.10,240/390] staging: vt6655: fix some erroneous memory clean-up loops [5.10,241/390] firmware: google: Test spinlock on panic path to avoid lockups [5.10,242/390] serial: 8250: Fix restoring termios speed after suspend [5.10,243/390] scsi: libsas: Fix use-after-free bug in smp_execute_task_sg() [5.10,244/390] scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername() [5.10,245/390] clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical [5.10,246/390] fsi: core: Check error number after calling ida_simple_get [5.10,247/390] mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe() [5.10,248/390] mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() [5.10,249/390] mfd: lp8788: Fix an error handling path in lp8788_probe() [5.10,250/390] mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init() [5.10,251/390] mfd: fsl-imx25: Fix check for platform_get_irq() errors [5.10,252/390] mfd: sm501: Add check for platform_driver_register() [5.10,253/390] clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent [5.10,254/390] dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() [5.10,255/390] spmi: pmic-arb: correct duplicate APID to PPID mapping logic [5.10,256/390] clk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD [5.10,257/390] clk: baikal-t1: Fix invalid xGMAC PTP clock divider [5.10,258/390] clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent [5.10,259/390] clk: baikal-t1: Add SATA internal ref clock buffer [5.10,260/390] clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration [5.10,261/390] clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe [5.10,262/390] clk: ast2600: BCLK comes from EPLL [5.10,263/390] mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg [5.10,264/390] powerpc/math_emu/efp: Include module.h [5.10,265/390] powerpc/sysdev/fsl_msi: Add missing of_node_put() [5.10,266/390] powerpc/pci_dn: Add missing of_node_put() [5.10,267/390] powerpc/powernv: add missing of_node_put() in opal_export_attrs() [5.10,268/390] x86/hyperv: Fix struct hv_enlightened_vmcs definition [5.10,269/390] powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5 [5.10,270/390] powerpc: Fix SPE Power ISA properties for e500v1 platforms [5.10,271/390] crypto: sahara - dont sleep when in softirq [5.10,272/390] crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr [5.10,273/390] hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear() [5.10,274/390] cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset [5.10,275/390] iommu/omap: Fix buffer overflow in debugfs [5.10,276/390] crypto: akcipher - default implementation for setting a private key [5.10,277/390] crypto: ccp - Release dma channels before dmaengine unrgister [5.10,278/390] crypto: inside-secure - Change swab to swab32 [5.10,279/390] crypto: qat - fix use of dma_map_single [5.10,280/390] crypto: qat - use pre-allocated buffers in datapath [5.10,281/390] crypto: qat - fix DMA transfer direction [5.10,282/390] iommu/iova: Fix module config properly [5.10,283/390] tracing: kprobe: Fix kprobe event gen test module on exit [5.10,284/390] tracing: kprobe: Make gen test module work in arm and riscv [5.10,285/390] kbuild: remove the target in signal traps when interrupted [5.10,286/390] kbuild: rpm-pkg: fix breakage when V=1 is used [5.10,287/390] crypto: marvell/octeontx - prevent integer overflows [5.10,288/390] crypto: cavium - prevent integer overflow loading firmware [5.10,289/390] thermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id [5.10,290/390] ACPI: APEI: do not add task_work to kernel thread to avoid memory leak [5.10,291/390] f2fs: fix race condition on setting FI_NO_EXTENT flag [5.10,292/390] f2fs: fix to avoid REQ_TIME and CP_TIME collision [5.10,293/390] f2fs: fix to account FS_CP_DATA_IO correctly [5.10,294/390] selftest: tpm2: Add Client.__del__() to close /dev/tpm* handle [5.10,295/390] rcu: Back off upon fill_page_cache_func() allocation failure [5.10,296/390] rcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE() [5.10,297/390] ACPI: video: Add Toshiba Satellite/Portege Z830 quirk [5.10,298/390] MIPS: BCM47XX: Cast memcmp() of function to (void *) [5.10,299/390] powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue [5.10,300/390] thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash [5.10,301/390] ARM: decompressor: Include .data.rel.ro.local [5.10,302/390] x86/entry: Work around Clang __bdos() bug [5.10,303/390] NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data [5.10,304/390] NFSD: fix use-after-free on source server when doing inter-server copy [5.10,305/390] wifi: brcmfmac: fix invalid address access when enabling SCAN log level [5.10,306/390] bpftool: Clear errno after libcaps checks [5.10,307/390] openvswitch: Fix double reporting of drops in dropwatch [5.10,308/390] openvswitch: Fix overreporting of drops in dropwatch [5.10,309/390] tcp: annotate data-race around tcp_md5sig_pool_populated [5.10,310/390] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() [5.10,311/390] xfrm: Update ipcomp_scratches with NULL when freed [5.10,312/390] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() [5.10,313/390] regulator: core: Prevent integer underflow [5.10,314/390] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() [5.10,315/390] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times [5.10,316/390] can: bcm: check the result of can_send() in bcm_can_tx() [5.10,317/390] wifi: rt2x00: dont run Rt5592 IQ calibration on MT7620 [5.10,318/390] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 [5.10,319/390] wifi: rt2x00: set VGC gain for both chains of MT7620 [5.10,320/390] wifi: rt2x00: set SoC wmac clock register [5.10,321/390] wifi: rt2x00: correctly set BBP register 86 for MT7620 [5.10,322/390] net: If sock is dead dont access socks sk_wq in sk_stream_wait_memory [5.10,323/390] Bluetooth: L2CAP: Fix user-after-free [5.10,324/390] r8152: Rate limit overflow messages [5.10,325/390] drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc() [5.10,326/390] drm: Use size_t type for len variable in drm_copy_field() [5.10,327/390] drm: Prevent drm_copy_field() to attempt copying a NULL pointer [5.10,328/390] gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init() [5.10,329/390] drm/amd/display: fix overflow on MIN_I64 definition [5.10,330/390] udmabuf: Set ubuf->sg = NULL if the creation of sg table fails [5.10,331/390] drm: bridge: dw_hdmi: only trigger hotplug event on link change [5.10,332/390] drm/vc4: vec: Fix timings for VEC modes [5.10,333/390] drm: panel-orientation-quirks: Add quirk for Anbernic Win600 [5.10,334/390] platform/chrome: cros_ec: Notify the PM of wake events during resume [5.10,335/390] platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading [5.10,336/390] ASoC: SOF: pci: Change DMI match info to support all Chrome platforms [5.10,337/390] drm/amdgpu: fix initial connector audio value [5.10,338/390] drm/meson: explicitly remove aggregate driver at module unload time [5.10,339/390] mmc: sdhci-msm: add compatible string check for sdm670 [5.10,340/390] drm/dp: Dont rewrite link config when setting phy test pattern [5.10,341/390] drm/amd/display: Remove interface for periodic interrupt 1 [5.10,342/390] ARM: dts: imx7d-sdb: config the max pressure for tsc2046 [5.10,343/390] ARM: dts: imx6q: add missing properties for sram [5.10,344/390] ARM: dts: imx6dl: add missing properties for sram [5.10,345/390] ARM: dts: imx6qp: add missing properties for sram [5.10,346/390] ARM: dts: imx6sl: add missing properties for sram [5.10,347/390] ARM: dts: imx6sll: add missing properties for sram [5.10,348/390] ARM: dts: imx6sx: add missing properties for sram [5.10,349/390] kselftest/arm64: Fix validatation termination record after EXTRA_CONTEXT [5.10,350/390] arm64: dts: imx8mq-librem5: Add bq25895 as max17055s power supply [5.10,351/390] btrfs: scrub: try to fix super block errors [5.10,352/390] clk: zynqmp: Fix stack-out-of-bounds in strncpy` [5.10,353/390] media: cx88: Fix a null-ptr-deref bug in buffer_prepare() [5.10,354/390] clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate [5.10,355/390] usb: host: xhci-plat: suspend and resume clocks [5.10,356/390] usb: host: xhci-plat: suspend/resume clks for brcm [5.10,357/390] scsi: 3w-9xxx: Avoid disabling device if failing to enable it [5.10,358/390] nbd: Fix hung when signal interrupts nbd_start_device_ioctl() [5.10,359/390] power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() [5.10,360/390] staging: vt6655: fix potential memory leak [5.10,361/390] blk-throttle: prevent overflow while calculating wait time [5.10,362/390] ata: libahci_platform: Sanity check the DT child nodes number [5.10,363/390] bcache: fix set_at_max_writeback_rate() for multiple attached devices [5.10,364/390] soundwire: cadence: Dont overwrite msg->buf during write commands [5.10,365/390] soundwire: intel: fix error handling on dai registration issues [5.10,366/390] HID: roccat: Fix use-after-free in roccat_read() [5.10,367/390] md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d [5.10,368/390] usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() [5.10,369/390] usb: musb: Fix musb_gadget.c rxstate overflow bug [5.10,370/390] Revert "usb: storage: Add quirk for Samsung Fit flash" [5.10,371/390] staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv() [5.10,372/390] nvme: copy firmware_rev on each init [5.10,373/390] nvmet-tcp: add bounds check on Transfer Tag [5.10,374/390] usb: idmouse: fix an uninit-value in idmouse_open [5.10,375/390] clk: bcm2835: Make peripheral PLLC critical [5.10,376/390] perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc [5.10,377/390] arm64: topology: fix possible overflow in amu_fie_setup() [5.10,378/390] io_uring: correct pinned_vm accounting [5.10,379/390] io_uring/af_unix: defer registered files gc to io_uring release [5.10,380/390] mm: hugetlb: fix UAF in hugetlb_handle_userfault [5.10,381/390] net: ieee802154: return -EINVAL for unknown addr type [5.10,382/390] Revert "net/ieee802154: reject zero-sized raw_sendmsg()" [5.10,383/390] net/ieee802154: dont warn zero-sized raw_sendmsg() [5.10,384/390] Revert "drm/amdgpu: move nbio sdma_doorbell_range() into sdma code for vega" [5.10,385/390] Revert "drm/amdgpu: use dirty framebuffer helper" [5.10,386/390] ext4: continue to expand file system when the target size doesnt reach [5.10,387/390] inet: fully convert sk->sk_rx_dst to RCU rules [5.10,388/390] thermal: intel_powerclamp: Use first online CPU as control_cpu [5.10,389/390] f2fs: fix wrong condition to trigger background checkpoint correctly [5.10,390/390] gcov: support GCC 12.1 and newer compilers

Commit Message

Greg KH Oct. 24, 2022, 11:27 a.m. UTC

  From: Chao Yu <chao@kernel.org>

commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream.

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=216456

BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
Read of size 4 at addr ffff8881464dcd80 by task mount/1013

CPU: 3 PID: 1013 Comm: mount Tainted: G        W          6.0.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x45/0x5e
 print_report.cold+0xf3/0x68d
 kasan_report+0xa8/0x130
 recover_data+0x63ae/0x6ae0 [f2fs]
 f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
 f2fs_fill_super+0x4665/0x61e0 [f2fs]
 mount_bdev+0x2cf/0x3b0
 legacy_get_tree+0xed/0x1d0
 vfs_get_tree+0x81/0x2b0
 path_mount+0x47e/0x19d0
 do_mount+0xce/0xf0
 __x64_sys_mount+0x12c/0x1a0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is: in fuzzed image, SSA table is corrupted: ofs_in_node
is larger than ADDRS_PER_PAGE(), result in out-of-range access on 4k-size
page.

- recover_data
 - do_recover_data
  - check_index_in_prev_nodes
   - f2fs_data_blkaddr

This patch adds sanity check on summary info in recovery and GC flow
in where the flows rely on them.

After patch:
[   29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018

Cc: stable@vger.kernel.org
Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/gc.c       |   10 +++++++++-
 fs/f2fs/recovery.c |   15 ++++++++++++---
 2 files changed, 21 insertions(+), 4 deletions(-)

Comments

Pavel Machek Oct. 24, 2022, 5:30 p.m. UTC | #1

Hi!

> From: Chao Yu <chao@kernel.org>
> 
> commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream.
> 
> As Wenqing Liu reported in bugzilla:
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=216456
> 
> BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
> Read of size 4 at addr ffff8881464dcd80 by task mount/1013

I believe this is missing put_page on the error path:

> +++ b/fs/f2fs/gc.c
> @@ -1003,6 +1003,14 @@ static bool is_alive(struct f2fs_sb_info
>  		return false;
>  	}
>  
> +	max_addrs = IS_INODE(node_page) ? DEF_ADDRS_PER_INODE :
> +						DEF_ADDRS_PER_BLOCK;
> +	if (ofs_in_node >= max_addrs) {
> +		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
> +			ofs_in_node, dni->ino, dni->nid, max_addrs);
> +		return false;
> +	}
> +
>  	*nofs = ofs_of_node(node_page);
>  	source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
>  	f2fs_put_page(node_page, 1);

So something like this is needed. (Feel free to test/adapt/apply).

Signed-off-by: Pavel Machek <pavel@denx.de>

Best regards,
								Pavel

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 4546e01b2ee0..dab794225cce 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1110,6 +1110,7 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
 	if (ofs_in_node >= max_addrs) {
 		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
 			ofs_in_node, dni->ino, dni->nid, max_addrs);
+		f2fs_put_page(node_page, 1);
 		return false;
 	}

Jaegeuk Kim Oct. 24, 2022, 6:08 p.m. UTC | #2

On 10/24, Pavel Machek wrote:
> Hi!
> 
> > From: Chao Yu <chao@kernel.org>
> > 
> > commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream.
> > 
> > As Wenqing Liu reported in bugzilla:
> > 
> > https://bugzilla.kernel.org/show_bug.cgi?id=216456
> > 
> > BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
> > Read of size 4 at addr ffff8881464dcd80 by task mount/1013
> 
> I believe this is missing put_page on the error path:
> 
> > +++ b/fs/f2fs/gc.c
> > @@ -1003,6 +1003,14 @@ static bool is_alive(struct f2fs_sb_info
> >  		return false;
> >  	}
> >  
> > +	max_addrs = IS_INODE(node_page) ? DEF_ADDRS_PER_INODE :
> > +						DEF_ADDRS_PER_BLOCK;
> > +	if (ofs_in_node >= max_addrs) {
> > +		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
> > +			ofs_in_node, dni->ino, dni->nid, max_addrs);
> > +		return false;
> > +	}
> > +
> >  	*nofs = ofs_of_node(node_page);
> >  	source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
> >  	f2fs_put_page(node_page, 1);
> 
> So something like this is needed. (Feel free to test/adapt/apply).

Urg.. thank you so much for pointing this out. Applied the change to the tree.

https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev&id=a22aeafb3d3569aecf811dca1aceff656695cdb4

> 
> Signed-off-by: Pavel Machek <pavel@denx.de>
> 
> Best regards,
> 								Pavel
> 
> diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
> index 4546e01b2ee0..dab794225cce 100644
> --- a/fs/f2fs/gc.c
> +++ b/fs/f2fs/gc.c
> @@ -1110,6 +1110,7 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
>  	if (ofs_in_node >= max_addrs) {
>  		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
>  			ofs_in_node, dni->ino, dni->nid, max_addrs);
> +		f2fs_put_page(node_page, 1);
>  		return false;
>  	}
>  
> 
> -- 
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Chao Yu Oct. 25, 2022, 2:53 a.m. UTC | #3

On 2022/10/25 1:30, Pavel Machek wrote:
> Hi!
> 
>> From: Chao Yu <chao@kernel.org>
>>
>> commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream.
>>
>> As Wenqing Liu reported in bugzilla:
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=216456
>>
>> BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
>> Read of size 4 at addr ffff8881464dcd80 by task mount/1013
> 
> I believe this is missing put_page on the error path:
> 
>> +++ b/fs/f2fs/gc.c
>> @@ -1003,6 +1003,14 @@ static bool is_alive(struct f2fs_sb_info
>>   		return false;
>>   	}
>>   
>> +	max_addrs = IS_INODE(node_page) ? DEF_ADDRS_PER_INODE :
>> +						DEF_ADDRS_PER_BLOCK;
>> +	if (ofs_in_node >= max_addrs) {
>> +		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
>> +			ofs_in_node, dni->ino, dni->nid, max_addrs);
>> +		return false;
>> +	}
>> +
>>   	*nofs = ofs_of_node(node_page);
>>   	source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
>>   	f2fs_put_page(node_page, 1);
> 
> So something like this is needed. (Feel free to test/adapt/apply).
> 
> Signed-off-by: Pavel Machek <pavel@denx.de>
> 
> Best regards,
> 								Pavel
> 
> diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
> index 4546e01b2ee0..dab794225cce 100644
> --- a/fs/f2fs/gc.c
> +++ b/fs/f2fs/gc.c
> @@ -1110,6 +1110,7 @@ static bool is_alive(struct f2fs_sb_info *sbi, struct f2fs_summary *sum,
>   	if (ofs_in_node >= max_addrs) {
>   		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
>   			ofs_in_node, dni->ino, dni->nid, max_addrs);
> +		f2fs_put_page(node_page, 1);
>   		return false;
>   	}

My bad, thanks for fixing this.

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,

>   
>

diff mbox series

Patch

--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -977,7 +977,7 @@  static bool is_alive(struct f2fs_sb_info
 {
 	struct page *node_page;
 	nid_t nid;
-	unsigned int ofs_in_node;
+	unsigned int ofs_in_node, max_addrs;
 	block_t source_blkaddr;
 
 	nid = le32_to_cpu(sum->nid);
@@ -1003,6 +1003,14 @@  static bool is_alive(struct f2fs_sb_info
 		return false;
 	}
 
+	max_addrs = IS_INODE(node_page) ? DEF_ADDRS_PER_INODE :
+						DEF_ADDRS_PER_BLOCK;
+	if (ofs_in_node >= max_addrs) {
+		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
+			ofs_in_node, dni->ino, dni->nid, max_addrs);
+		return false;
+	}
+
 	*nofs = ofs_of_node(node_page);
 	source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
 	f2fs_put_page(node_page, 1);
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -437,7 +437,7 @@  static int check_index_in_prev_nodes(str
 	struct dnode_of_data tdn = *dn;
 	nid_t ino, nid;
 	struct inode *inode;
-	unsigned int offset;
+	unsigned int offset, ofs_in_node, max_addrs;
 	block_t bidx;
 	int i;
 
@@ -463,15 +463,24 @@  static int check_index_in_prev_nodes(str
 got_it:
 	/* Use the locked dnode page and inode */
 	nid = le32_to_cpu(sum.nid);
+	ofs_in_node = le16_to_cpu(sum.ofs_in_node);
+
+	max_addrs = ADDRS_PER_PAGE(dn->node_page, dn->inode);
+	if (ofs_in_node >= max_addrs) {
+		f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%lu, nid:%u, max:%u",
+			ofs_in_node, dn->inode->i_ino, nid, max_addrs);
+		return -EFSCORRUPTED;
+	}
+
 	if (dn->inode->i_ino == nid) {
 		tdn.nid = nid;
 		if (!dn->inode_page_locked)
 			lock_page(dn->inode_page);
 		tdn.node_page = dn->inode_page;
-		tdn.ofs_in_node = le16_to_cpu(sum.ofs_in_node);
+		tdn.ofs_in_node = ofs_in_node;
 		goto truncate_out;
 	} else if (dn->nid == nid) {
-		tdn.ofs_in_node = le16_to_cpu(sum.ofs_in_node);
+		tdn.ofs_in_node = ofs_in_node;
 		goto truncate_out;
 	}