Commit 81e7cfa3 authored by Linus Torvalds

Merge tag 'erofs-for-6.1-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs

Pull erofs fixes from Gao Xiang:
 "Most patches randomly fix error paths or corner cases in fscache mode
  reported recently. One fixes an invalid access relating to fragments
  on crafted images.

  Summary:

   - Fix packed_inode invalid access when reading fragments on crafted
     images

   - Add a missing erofs_put_metabuf() in an error path in fscache mode

   - Fix incorrect `count' for unmapped extents in fscache mode

   - Fix use-after-free of fsid and domain_id string when remounting

   - Fix missing xas_retry() in fscache mode"

* tag 'erofs-for-6.1-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
  erofs: fix missing xas_retry() in fscache mode
  erofs: fix use-after-free of fsid and domain_id string
  erofs: get correct count for unmapped range in fscache mode
  erofs: put metabuf in error path in fscache mode
  erofs: fix general protection fault when reading fragment
parents 2632daeb 37020bbb
+21 −14
@@ -75,11 +75,15 @@ static void erofs_fscache_rreq_unlock_folios(struct netfs_io_request *rreq)

	rcu_read_lock();
	xas_for_each(&xas, folio, last_page) {
		unsigned int pgpos =
			(folio_index(folio) - start_page) * PAGE_SIZE;
		unsigned int pgend = pgpos + folio_size(folio);
		unsigned int pgpos, pgend;
		bool pg_failed = false;

		if (xas_retry(&xas, folio))
			continue;

		pgpos = (folio_index(folio) - start_page) * PAGE_SIZE;
		pgend = pgpos + folio_size(folio);

		for (;;) {
			if (!subreq) {
				pg_failed = true;
@@ -287,22 +291,25 @@ static int erofs_fscache_data_read(struct address_space *mapping,
			return PTR_ERR(src);

		iov_iter_xarray(&iter, READ, &mapping->i_pages, pos, PAGE_SIZE);
		if (copy_to_iter(src + offset, size, &iter) != size)
		if (copy_to_iter(src + offset, size, &iter) != size) {
			erofs_put_metabuf(&buf);
			return -EFAULT;
		}
		iov_iter_zero(PAGE_SIZE - size, &iter);
		erofs_put_metabuf(&buf);
		return PAGE_SIZE;
	}

	count = min_t(size_t, map.m_llen - (pos - map.m_la), len);
	DBG_BUGON(!count || count % PAGE_SIZE);

	if (!(map.m_flags & EROFS_MAP_MAPPED)) {
		count = len;
		iov_iter_xarray(&iter, READ, &mapping->i_pages, pos, count);
		iov_iter_zero(count, &iter);
		return count;
	}

	count = min_t(size_t, map.m_llen - (pos - map.m_la), len);
	DBG_BUGON(!count || count % PAGE_SIZE);

	mdev = (struct erofs_map_dev) {
		.m_deviceid = map.m_deviceid,
		.m_pa = map.m_pa,
@@ -403,13 +410,13 @@ static void erofs_fscache_domain_put(struct erofs_domain *domain)
static int erofs_fscache_register_volume(struct super_block *sb)
{
	struct erofs_sb_info *sbi = EROFS_SB(sb);
	char *domain_id = sbi->opt.domain_id;
	char *domain_id = sbi->domain_id;
	struct fscache_volume *volume;
	char *name;
	int ret = 0;

	name = kasprintf(GFP_KERNEL, "erofs,%s",
			 domain_id ? domain_id : sbi->opt.fsid);
			 domain_id ? domain_id : sbi->fsid);
	if (!name)
		return -ENOMEM;

@@ -435,7 +442,7 @@ static int erofs_fscache_init_domain(struct super_block *sb)
	if (!domain)
		return -ENOMEM;

	domain->domain_id = kstrdup(sbi->opt.domain_id, GFP_KERNEL);
	domain->domain_id = kstrdup(sbi->domain_id, GFP_KERNEL);
	if (!domain->domain_id) {
		kfree(domain);
		return -ENOMEM;
@@ -472,7 +479,7 @@ static int erofs_fscache_register_domain(struct super_block *sb)

	mutex_lock(&erofs_domain_list_lock);
	list_for_each_entry(domain, &erofs_domain_list, list) {
		if (!strcmp(domain->domain_id, sbi->opt.domain_id)) {
		if (!strcmp(domain->domain_id, sbi->domain_id)) {
			sbi->domain = domain;
			sbi->volume = domain->volume;
			refcount_inc(&domain->ref);
@@ -609,7 +616,7 @@ struct erofs_fscache *erofs_domain_register_cookie(struct super_block *sb,
struct erofs_fscache *erofs_fscache_register_cookie(struct super_block *sb,
						    char *name, bool need_inode)
{
	if (EROFS_SB(sb)->opt.domain_id)
	if (EROFS_SB(sb)->domain_id)
		return erofs_domain_register_cookie(sb, name, need_inode);
	return erofs_fscache_acquire_cookie(sb, name, need_inode);
}
@@ -641,7 +648,7 @@ int erofs_fscache_register_fs(struct super_block *sb)
	struct erofs_sb_info *sbi = EROFS_SB(sb);
	struct erofs_fscache *fscache;

	if (sbi->opt.domain_id)
	if (sbi->domain_id)
		ret = erofs_fscache_register_domain(sb);
	else
		ret = erofs_fscache_register_volume(sb);
@@ -649,7 +656,7 @@ int erofs_fscache_register_fs(struct super_block *sb)
		return ret;

	/* acquired domain/volume will be relinquished in kill_sb() on error */
	fscache = erofs_fscache_register_cookie(sb, sbi->opt.fsid, true);
	fscache = erofs_fscache_register_cookie(sb, sbi->fsid, true);
	if (IS_ERR(fscache))
		return PTR_ERR(fscache);

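Review bot: In the unmapped branch of erofs_fscache_data_read, `count = len;` zero-fills the whole remaining request without consulting map.m_llen, so it relies on no mapped data starting inside [pos, pos + len). The hunk does not show how `map` is filled, so that invariant may well hold, but nothing at the assignment states it. I would add a comment such as `/* unmapped: nothing mapped in [pos, pos + len), zero-fill the whole request */` once that is confirmed, or bound `count` by the extent length whenever m_llen is non-zero. The function starts and ends outside the hunk.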
+4 −2
@@ -75,8 +75,6 @@ struct erofs_mount_opts {
	unsigned int max_sync_decompress_pages;
#endif
	unsigned int mount_opt;
	char *fsid;
	char *domain_id;
};

struct erofs_dev_context {
@@ -89,6 +87,8 @@ struct erofs_dev_context {
struct erofs_fs_context {
	struct erofs_mount_opts opt;
	struct erofs_dev_context *devs;
	char *fsid;
	char *domain_id;
};

/* all filesystem-wide lz4 configurations */
@@ -170,6 +170,8 @@ struct erofs_sb_info {
	struct fscache_volume *volume;
	struct erofs_fscache *s_fscache;
	struct erofs_domain *domain;
	char *fsid;
	char *domain_id;
};

#define EROFS_SB(sb) ((struct erofs_sb_info *)(sb)->s_fs_info)
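Review bot: The `fsid` and `domain_id` members added to struct erofs_fs_context and struct erofs_sb_info have no comment saying who owns the strings. The other sections of this commit show them allocated with kstrdup() in erofs_fc_parse_param, handed from ctx to sbi in erofs_fc_fill_super, and freed in erofs_fc_free and erofs_kill_sb. The fix apparently depends on these pointers no longer travelling with a copy of `opt`, so a one-line comment above the two fields in erofs_sb_info would guard against a later struct copy reintroducing the problem, for example `/* owned by sbi: set once at mount, freed in erofs_kill_sb(), not changed on remount */`. Both struct definitions begin outside their hunks.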
+22 −17
@@ -579,9 +579,9 @@ static int erofs_fc_parse_param(struct fs_context *fc,
		break;
	case Opt_fsid:
#ifdef CONFIG_EROFS_FS_ONDEMAND
		kfree(ctx->opt.fsid);
		ctx->opt.fsid = kstrdup(param->string, GFP_KERNEL);
		if (!ctx->opt.fsid)
		kfree(ctx->fsid);
		ctx->fsid = kstrdup(param->string, GFP_KERNEL);
		if (!ctx->fsid)
			return -ENOMEM;
#else
		errorfc(fc, "fsid option not supported");
@@ -589,9 +589,9 @@ static int erofs_fc_parse_param(struct fs_context *fc,
		break;
	case Opt_domain_id:
#ifdef CONFIG_EROFS_FS_ONDEMAND
		kfree(ctx->opt.domain_id);
		ctx->opt.domain_id = kstrdup(param->string, GFP_KERNEL);
		if (!ctx->opt.domain_id)
		kfree(ctx->domain_id);
		ctx->domain_id = kstrdup(param->string, GFP_KERNEL);
		if (!ctx->domain_id)
			return -ENOMEM;
#else
		errorfc(fc, "domain_id option not supported");
@@ -728,10 +728,12 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc)

	sb->s_fs_info = sbi;
	sbi->opt = ctx->opt;
	ctx->opt.fsid = NULL;
	ctx->opt.domain_id = NULL;
	sbi->devs = ctx->devs;
	ctx->devs = NULL;
	sbi->fsid = ctx->fsid;
	ctx->fsid = NULL;
	sbi->domain_id = ctx->domain_id;
	ctx->domain_id = NULL;

	if (erofs_is_fscache_mode(sb)) {
		sb->s_blocksize = EROFS_BLKSIZ;
@@ -820,7 +822,7 @@ static int erofs_fc_get_tree(struct fs_context *fc)
{
	struct erofs_fs_context *ctx = fc->fs_private;

	if (IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND) && ctx->opt.fsid)
	if (IS_ENABLED(CONFIG_EROFS_FS_ONDEMAND) && ctx->fsid)
		return get_tree_nodev(fc, erofs_fc_fill_super);

	return get_tree_bdev(fc, erofs_fc_fill_super);
@@ -834,6 +836,9 @@ static int erofs_fc_reconfigure(struct fs_context *fc)

	DBG_BUGON(!sb_rdonly(sb));

	if (ctx->fsid || ctx->domain_id)
		erofs_info(sb, "ignoring reconfiguration for fsid|domain_id.");

	if (test_opt(&ctx->opt, POSIX_ACL))
		fc->sb_flags |= SB_POSIXACL;
	else
@@ -873,8 +878,8 @@ static void erofs_fc_free(struct fs_context *fc)
	struct erofs_fs_context *ctx = fc->fs_private;

	erofs_free_dev_context(ctx->devs);
	kfree(ctx->opt.fsid);
	kfree(ctx->opt.domain_id);
	kfree(ctx->fsid);
	kfree(ctx->domain_id);
	kfree(ctx);
}

@@ -944,8 +949,8 @@ static void erofs_kill_sb(struct super_block *sb)
	erofs_free_dev_context(sbi->devs);
	fs_put_dax(sbi->dax_dev, NULL);
	erofs_fscache_unregister_fs(sb);
	kfree(sbi->opt.fsid);
	kfree(sbi->opt.domain_id);
	kfree(sbi->fsid);
	kfree(sbi->domain_id);
	kfree(sbi);
	sb->s_fs_info = NULL;
}
@@ -1098,10 +1103,10 @@ static int erofs_show_options(struct seq_file *seq, struct dentry *root)
	if (test_opt(opt, DAX_NEVER))
		seq_puts(seq, ",dax=never");
#ifdef CONFIG_EROFS_FS_ONDEMAND
	if (opt->fsid)
		seq_printf(seq, ",fsid=%s", opt->fsid);
	if (opt->domain_id)
		seq_printf(seq, ",domain_id=%s", opt->domain_id);
	if (sbi->fsid)
		seq_printf(seq, ",fsid=%s", sbi->fsid);
	if (sbi->domain_id)
		seq_printf(seq, ",domain_id=%s", sbi->domain_id);
#endif
	return 0;
}
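Review bot: In erofs_show_options, `seq_printf(seq, ",fsid=%s", sbi->fsid);` and the matching domain_id line write mount-supplied strings into the options line without escaping. A value containing a comma, space or newline would give an ambiguous entry to anything that parses the mount table. The kernel helper fits here and escapes those characters: `seq_show_option(seq, "fsid", sbi->fsid);` and `seq_show_option(seq, "domain_id", sbi->domain_id);`. Whether such characters can actually reach `kstrdup(param->string, GFP_KERNEL)` in erofs_fc_parse_param depends on how the option is passed in, which these hunks do not show. The function begins outside the hunk.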
+4 −4
@@ -210,14 +210,14 @@ int erofs_register_sysfs(struct super_block *sb)
	int err;

	if (erofs_is_fscache_mode(sb)) {
		if (sbi->opt.domain_id) {
			str = kasprintf(GFP_KERNEL, "%s,%s", sbi->opt.domain_id,
					sbi->opt.fsid);
		if (sbi->domain_id) {
			str = kasprintf(GFP_KERNEL, "%s,%s", sbi->domain_id,
					sbi->fsid);
			if (!str)
				return -ENOMEM;
			name = str;
		} else {
			name = sbi->opt.fsid;
			name = sbi->fsid;
		}
	} else {
		name = sb->s_id;
+3 −0
@@ -660,6 +660,9 @@ static int z_erofs_read_fragment(struct inode *inode, erofs_off_t pos,
	u8 *src, *dst;
	unsigned int i, cnt;

	if (!packed_inode)
		return -EFSCORRUPTED;

	pos += EROFS_I(inode)->z_fragmentoff;
	for (i = 0; i < len; i += cnt) {
		cnt = min_t(unsigned int, len - i,
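Review bot: The added `if (!packed_inode)` guard in z_erofs_read_fragment rejects an image with no packed inode, but the next line, `pos += EROFS_I(inode)->z_fragmentoff;`, still adds a value with no range check visible in this hunk. That value presumably comes from the on-disk inode. If z_fragmentoff is not validated where it is parsed (not shown here), a check after the addition would reject such images with the same error, something like `if (pos + len > i_size_read(packed_inode)) return -EFSCORRUPTED;`. The declaration of `packed_inode` and the rest of the loop are outside the hunk, so the exact types should be confirmed before adopting that line.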