-rw-r--r--0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch43
-rw-r--r--0001-xfs-validate-cached-inodes-are-free-when-allocated.patch155
-rw-r--r--kernel.spec11
-rw-r--r--sources2
4 files changed, 5 insertions, 206 deletions
diff --git a/0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch b/0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
deleted file mode 100644
index 874536f24..000000000
--- a/0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a Mon Sep 17 00:00:00 2001
-From: Eric Sandeen <sandeen@sandeen.net>
-Date: Fri, 8 Jun 2018 09:53:49 -0700
-Subject: [PATCH] xfs: don't call xfs_da_shrink_inode with NULL bp
-
-xfs_attr3_leaf_create may have errored out before instantiating a buffer,
-for example if the blkno is out of range. In that case there is no work
-to do to remove it, and in fact xfs_da_shrink_inode will lead to an oops
-if we try.
-
-This also seems to fix a flaw where the original error from
-xfs_attr3_leaf_create gets overwritten in the cleanup case, and it
-removes a pointless assignment to bp which isn't used after this.
-
-Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199969
-Reported-by: Xu, Wen <wen.xu@gatech.edu>
-Tested-by: Xu, Wen <wen.xu@gatech.edu>
-Signed-off-by: Eric Sandeen <sandeen@redhat.com>
-Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
----
- fs/xfs/libxfs/xfs_attr_leaf.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
-index 99e0f5749dba..76e90046731c 100644
---- a/fs/xfs/libxfs/xfs_attr_leaf.c
-+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
-@@ -791,9 +791,8 @@ xfs_attr_shortform_to_leaf(
- ASSERT(blkno == 0);
- error = xfs_attr3_leaf_create(args, blkno, &bp);
- if (error) {
-- error = xfs_da_shrink_inode(args, 0, bp);
-- bp = NULL;
-- if (error)
-+ /* xfs_attr3_leaf_create may not have instantiated a block */
-+ if (bp && (xfs_da_shrink_inode(args, 0, bp) != 0))
- goto out;
- xfs_idata_realloc(dp, size, XFS_ATTR_FORK); /* try to put */
- memcpy(ifp->if_u1.if_data, tmpbuffer, size); /* it back */
---
-2.17.1
-
diff --git a/0001-xfs-validate-cached-inodes-are-free-when-allocated.patch b/0001-xfs-validate-cached-inodes-are-free-when-allocated.patch
deleted file mode 100644
index ce78bed80..000000000
--- a/0001-xfs-validate-cached-inodes-are-free-when-allocated.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From afca6c5b2595fc44383919fba740c194b0b76aff Mon Sep 17 00:00:00 2001
-From: Dave Chinner <dchinner@redhat.com>
-Date: Tue, 17 Apr 2018 17:17:34 -0700
-Subject: [PATCH] xfs: validate cached inodes are free when allocated
-
-A recent fuzzed filesystem image cached random dcache corruption
-when the reproducer was run. This often showed up as panics in
-lookup_slow() on a null inode->i_ops pointer when doing pathwalks.
-
-BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
-....
-Call Trace:
- lookup_slow+0x44/0x60
- walk_component+0x3dd/0x9f0
- link_path_walk+0x4a7/0x830
- path_lookupat+0xc1/0x470
- filename_lookup+0x129/0x270
- user_path_at_empty+0x36/0x40
- path_listxattr+0x98/0x110
- SyS_listxattr+0x13/0x20
- do_syscall_64+0xf5/0x280
- entry_SYSCALL_64_after_hwframe+0x42/0xb7
-
-but had many different failure modes including deadlocks trying to
-lock the inode that was just allocated or KASAN reports of
-use-after-free violations.
-
-The cause of the problem was a corrupt INOBT on a v4 fs where the
-root inode was marked as free in the inobt record. Hence when we
-allocated an inode, it chose the root inode to allocate, found it in
-the cache and re-initialised it.
-
-We recently fixed a similar inode allocation issue caused by inobt
-record corruption problem in xfs_iget_cache_miss() in commit
-ee457001ed6c ("xfs: catch inode allocation state mismatch
-corruption"). This change adds similar checks to the cache-hit path
-to catch it, and turns the reproducer into a corruption shutdown
-situation.
-
-Reported-by: Wen Xu <wen.xu@gatech.edu>
-Signed-Off-By: Dave Chinner <dchinner@redhat.com>
-Reviewed-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
-Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
-[darrick: fix typos in comment]
-Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
----
- fs/xfs/xfs_icache.c | 73 +++++++++++++++++++++++++++++----------------
- 1 file changed, 48 insertions(+), 25 deletions(-)
-
-diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c
-index 9a18f69f6e96..817899961f48 100644
---- a/fs/xfs/xfs_icache.c
-+++ b/fs/xfs/xfs_icache.c
-@@ -308,6 +308,46 @@ xfs_reinit_inode(
- return error;
- }
-
-+/*
-+ * If we are allocating a new inode, then check what was returned is
-+ * actually a free, empty inode. If we are not allocating an inode,
-+ * then check we didn't find a free inode.
-+ *
-+ * Returns:
-+ * 0 if the inode free state matches the lookup context
-+ * -ENOENT if the inode is free and we are not allocating
-+ * -EFSCORRUPTED if there is any state mismatch at all
-+ */
-+static int
-+xfs_iget_check_free_state(
-+ struct xfs_inode *ip,
-+ int flags)
-+{
-+ if (flags & XFS_IGET_CREATE) {
-+ /* should be a free inode */
-+ if (VFS_I(ip)->i_mode != 0) {
-+ xfs_warn(ip->i_mount,
-+"Corruption detected! Free inode 0x%llx not marked free! (mode 0x%x)",
-+ ip->i_ino, VFS_I(ip)->i_mode);
-+ return -EFSCORRUPTED;
-+ }
-+
-+ if (ip->i_d.di_nblocks != 0) {
-+ xfs_warn(ip->i_mount,
-+"Corruption detected! Free inode 0x%llx has blocks allocated!",
-+ ip->i_ino);
-+ return -EFSCORRUPTED;
-+ }
-+ return 0;
-+ }
-+
-+ /* should be an allocated inode */
-+ if (VFS_I(ip)->i_mode == 0)
-+ return -ENOENT;
-+
-+ return 0;
-+}
-+
- /*
- * Check the validity of the inode we just found it the cache
- */
-@@ -357,12 +397,12 @@ xfs_iget_cache_hit(
- }
-
- /*
-- * If lookup is racing with unlink return an error immediately.
-+ * Check the inode free state is valid. This also detects lookup
-+ * racing with unlinks.
- */
-- if (VFS_I(ip)->i_mode == 0 && !(flags & XFS_IGET_CREATE)) {
-- error = -ENOENT;
-+ error = xfs_iget_check_free_state(ip, flags);
-+ if (error)
- goto out_error;
-- }
-
- /*
- * If IRECLAIMABLE is set, we've torn down the VFS inode already.
-@@ -485,29 +525,12 @@ xfs_iget_cache_miss(
-
-
- /*
-- * If we are allocating a new inode, then check what was returned is
-- * actually a free, empty inode. If we are not allocating an inode,
-- * the check we didn't find a free inode.
-+ * Check the inode free state is valid. This also detects lookup
-+ * racing with unlinks.
- */
-- if (flags & XFS_IGET_CREATE) {
-- if (VFS_I(ip)->i_mode != 0) {
-- xfs_warn(mp,
--"Corruption detected! Free inode 0x%llx not marked free on disk",
-- ino);
-- error = -EFSCORRUPTED;
-- goto out_destroy;
-- }
-- if (ip->i_d.di_nblocks != 0) {
-- xfs_warn(mp,
--"Corruption detected! Free inode 0x%llx has blocks allocated!",
-- ino);
-- error = -EFSCORRUPTED;
-- goto out_destroy;
-- }
-- } else if (VFS_I(ip)->i_mode == 0) {
-- error = -ENOENT;
-+ error = xfs_iget_check_free_state(ip, flags);
-+ if (error)
- goto out_destroy;
-- }
-
- /*
- * Preload the radix tree so we can insert safely under the
---
-2.17.1
-
diff --git a/kernel.spec b/kernel.spec
index 981a6581b..04eb70a9a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -659,12 +659,6 @@ Patch518: alarmtimer-prevent-overflow-for-relative-nanosleep.patch
Patch519: 1-2-posix-timers-Make-forward-callback-return-s64.patch
Patch520: 2-2-posix-timers-Sanitize-overrun-handling.patch
-# CVE-2018-13093 rhbz 1597766 1597767
-Patch521: 0001-xfs-validate-cached-inodes-are-free-when-allocated.patch
-
-# CVE-2018-13094 rhbz 1597771 1597772
-Patch522: 0001-xfs-don-t-call-xfs_da_shrink_inode-with-NULL-bp.patch
-
# CVE-2018-13095 rhbz 1597775 1597777
Patch523: 0001-xfs-More-robust-inode-extent-count-validation.patch
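Review bot: Removing Patch521 and Patch522 drops the local fixes for CVE-2018-13093 and CVE-2018-13094, and nothing in the spec records why they are no longer needed. Presumably both fixes are carried by the 4.17.14 stable update, but the page does not show that. Before relying on it, confirm that the commits named in the deleted patch headers (afca6c5b2595 and bb3d48dcf86a) are actually in patch-4.17.14. The changelog entry added in the next hunk says only `- Linux v4.17.14`. An extra line such as `- Drop xfs fixes for CVE-2018-13093 and CVE-2018-13094, now in stable (rhbz 1597766 1597771)` would keep the CVE-to-build trail intact for anyone auditing which package version first shipped each fix.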
@@ -1920,6 +1914,9 @@ fi
#
#
%changelog
+* Thu Aug 09 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.14-200
+- Linux v4.17.14
+
* Wed Aug 08 2018 Justin M. Forbes <jforbes@redhat.com> - 4.17.13-200
- Linux v4.17.13
diff --git a/sources b/sources
index 5602f649d..68740e077 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
SHA512 (linux-4.17.tar.xz) = 4d9de340a26155a89ea8773131c76220cc2057f2b5d031b467b60e8b14c1842518e2d60a863d8c695f0f7640f3f18d43826201984a238dade857b6cef79837db
-SHA512 (patch-4.17.13.xz) = 8f77239c6c0393aa6e854f98d0ef0832e0a3e936251805ca1fcde2b5d24e0b086582f68e3f494a4a287b404573c26a867170958d53f3c1bf4c46c4c5697188b2
+SHA512 (patch-4.17.14.xz) = 99b76b9305868a93139d9e977ee244c02ada7e3966856a1c559c049dff4543cd39595b723d9fc9b8f27ffef9ff0e4b28bcfbdb28738d5e19342473336553eb27