author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-05-05 10:34:57 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-05-05 10:34:57 +0200 |
commit | 8b49bf4d3e8c9a30efe12b93a01f3619e567e5c7 (patch) | |
tree | 9204e06b7a2650f1b5df40c69057161f3a8f09ec | |
parent | 655fcd2a86ab057f91f3c09269513d4566f0ba77 (diff) | |
download | stable-queue-8b49bf4d3e8c9a30efe12b93a01f3619e567e5c7.tar.gz |
6.14-stable patches
added patches:
bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch
bcachefs-remove-incorrect-__counted_by-annotation.patch
-rw-r--r-- | queue-6.14/bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch | 43 | ||||
-rw-r--r-- | queue-6.14/bcachefs-remove-incorrect-__counted_by-annotation.patch | 45 | ||||
-rw-r--r-- | queue-6.14/series | 2 |
3 files changed, 90 insertions, 0 deletions
diff --git a/queue-6.14/bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch b/queue-6.14/bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch
new file mode 100644
index 00000000000..232031508ab
--- /dev/null
+++ b/queue-6.14/bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch
@@ -0,0 +1,43 @@
+From 02a22be3c0003af08df510cba3d79d00c6495b74 Mon Sep 17 00:00:00 2001
+From: Kent Overstreet <kent.overstreet@linux.dev>
+Date: Sat, 29 Mar 2025 19:01:09 -0400
+Subject: bcachefs: bch2_ioctl_subvolume_destroy() fixes
+
+From: Kent Overstreet <kent.overstreet@linux.dev>
+
+[ Upstream commit 707549600c4a012ed71c0204a7992a679880bf33 ]
+
+bch2_evict_subvolume_inodes() was getting stuck - due to incorrectly
+pruning the dcache.
+
+Also, fix missing permissions checks.
+
+Reported-by: Alexander Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/bcachefs/fs-ioctl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/bcachefs/fs-ioctl.c b/fs/bcachefs/fs-ioctl.c
+index 15725b4ce393..4d6193820483 100644
+--- a/fs/bcachefs/fs-ioctl.c
++++ b/fs/bcachefs/fs-ioctl.c
+@@ -515,10 +515,12 @@ static long bch2_ioctl_subvolume_destroy(struct bch_fs *c, struct file *filp,
+ ret = -ENOENT;
+ goto err;
+ }
+- ret = __bch2_unlink(dir, victim, true);
++
++ ret = inode_permission(file_mnt_idmap(filp), d_inode(victim), MAY_WRITE) ?:
++ __bch2_unlink(dir, victim, true);
+ if (!ret) {
+ fsnotify_rmdir(dir, victim);
+- d_delete(victim);
++ d_invalidate(victim);
+ }
+ err:
+ inode_unlock(dir);
+--
+2.49.0
+
diff --git a/queue-6.14/bcachefs-remove-incorrect-__counted_by-annotation.patch b/queue-6.14/bcachefs-remove-incorrect-__counted_by-annotation.patch
new file mode 100644
index 00000000000..844dd967992
--- /dev/null
+++ b/queue-6.14/bcachefs-remove-incorrect-__counted_by-annotation.patch
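Review bot: The check added in bch2_ioctl_subvolume_destroy() tests only `MAY_WRITE` on the victim inode, and nothing in the hunk shows the parent-directory side of a delete being checked. The regular VFS delete path (may_delete() in fs/namei.c) also requires write and search permission on the parent and honours the sticky bit and the immutable/append-only flags. As far as the hunk shows, this ioctl calls `__bch2_unlink()` directly, so whichever of those rules apply must be enforced in this function, whose body starts and ends outside the hunk. I would state the intended rule above the call, e.g. `/* This ioctl does not go through vfs_rmdir(), so access to the victim must be checked here. */`. The message's "fix missing permissions checks" does not say which checks were missing, and the fix shares a commit with the unrelated `d_delete()` to `d_invalidate()` change, which makes it harder to triage as a security fix when backporting.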
@@ -0,0 +1,45 @@
+From 52b17bca7b20663e5df6dbfc24cc2030259b64b6 Mon Sep 17 00:00:00 2001
+From: Alan Huang <mmpgouride@gmail.com>
+Date: Fri, 2 May 2025 04:01:31 +0800
+Subject: bcachefs: Remove incorrect __counted_by annotation
+
+From: Alan Huang <mmpgouride@gmail.com>
+
+commit 6846100b00d97d3d6f05766ae86a0d821d849e78 upstream.
+
+This actually reverts 86e92eeeb237 ("bcachefs: Annotate struct bch_xattr
+with __counted_by()").
+
+After the x_name, there is a value. According to the disscussion[1],
+__counted_by assumes that the flexible array member contains exactly
+the amount of elements that are specified. Now there are users came across
+a false positive detection of an out of bounds write caused by
+the __counted_by here[2], so revert that.
+
+[1] https://lore.kernel.org/lkml/Zv8VDKWN1GzLRT-_@archlinux/T/#m0ce9541c5070146320efd4f928cc1ff8de69e9b2
+[2] https://privatebin.net/?a0d4e97d590d71e1#9bLmp2Kb5NU6X6cZEucchDcu88HzUQwHUah8okKPReEt
+
+Signed-off-by: Alan Huang <mmpgouride@gmail.com>
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/bcachefs/xattr_format.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/bcachefs/xattr_format.h
++++ b/fs/bcachefs/xattr_format.h
+@@ -13,7 +13,13 @@ struct bch_xattr {
+ __u8 x_type;
+ __u8 x_name_len;
+ __le16 x_val_len;
+- __u8 x_name[] __counted_by(x_name_len);
++ /*
++ * x_name contains the name and value counted by
++ * x_name_len + x_val_len. The introduction of
++ * __counted_by(x_name_len) caused a false positive
++ * detection of an out of bounds write.
++ */
++ __u8 x_name[];
+ } __packed __aligned(8);
+
+ #endif /* _BCACHEFS_XATTR_FORMAT_H */
diff --git a/queue-6.14/series b/queue-6.14/series
index 409b8771a45..cf4e41f64ee 100644
--- a/queue-6.14/series
+++ b/queue-6.14/series
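Review bot: With `__counted_by(x_name_len)` dropped from `x_name[]` in struct bch_xattr, compiler-assisted bounds checking no longer covers this array, so every reader and writer has to validate `x_name_len + x_val_len` against the size of the containing key itself; that validation is not visible in this hunk and is worth confirming before relying on the backport. The new comment also spends half its text on history ("The introduction of __counted_by(x_name_len) caused a false positive ..."), which belongs in the commit log rather than the header. A layout statement would serve the next maintainer better, for example `/* x_name[] holds the name (x_name_len bytes) followed by the value (x_val_len bytes); do not annotate it with __counted_by(x_name_len). */`.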
@@ -44,3 +44,5 @@ smb-client-fix-zero-length-for-mkdir-posix-create-context.patch
 cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch
 cpufreq-fix-setting-policy-limits-when-frequency-tables-are-used.patch
 tracing-fix-oob-write-in-trace_seq_to_buffer.patch
+bcachefs-remove-incorrect-__counted_by-annotation.patch
+bcachefs-bch2_ioctl_subvolume_destroy-fixes.patch |